Collisions and Other Non-random Properties for Step-Reduced SHA-256

Authors:
Sebastiaan Indesteege;Florian Mendel;Bart Preneel;Christian Rechberger
Affiliations:
Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit, Heverlee, Belgium B---3001 and Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium;Institute for Applied Information Processing and Communications, Graz, Austria A---8010;Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit, Heverlee, Belgium B---3001 and Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium;Institute for Applied Information Processing and Communications, Graz, Austria A---8010
Venue:
Selected Areas in Cryptography
Year:
2009

Citing 0
Cited 7

The State of Hash Functions and the NIST SHA-3 Competition

Information Security and Cryptology
Cryptography for network security: failures, successes and challenges

MMM-ACNS'10 Proceedings of the 5th international conference on Mathematical methods, models and architectures for computer network security
The first 30 years of cryptographic hash functions and the NIST SHA-3 competition

CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Second-Order differential collisions for reduced SHA-256

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Finding SHA-2 characteristics: searching through a minefield of contradictions

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Bicliques for preimages: attacks on skein-512 and the SHA-2 family

FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Converting meet-in-the-middle preimage attack into pseudo collision attack: application to SHA-2

FSE'12 Proceedings of the 19th international conference on Fast Software Encryption

Quantified Score

Hi-index	0.00

Visualization

Abstract

We study the security of step-reduced but otherwise unmodified SHA-256. We show the first collision attacks on SHA-256 reduced to 23 and 24 steps with complexities 218 and 228.5, respectively. We give example colliding message pairs for 23-step and 24-step SHA-256. The best previous, recently obtained result was a collision attack for up to 22 steps. We extend our attacks to 23 and 24-step reduced SHA-512 with respective complexities of 244.9 and 253.0. Additionally, we show non-random behaviour of the SHA-256 compression function in the form of free-start near-collisions for up to 31 steps, which is 6 more steps than the recently obtained non-random behaviour in the form of a semi-free-start near-collision. Even though this represents a step forwards in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA-256.