A combinatorial analysis of recent attacks on step reduced SHA-2 family
- First Online:
- Received:
- Accepted:
DOI: 10.1007/s12095-009-0011-5
- Cite this article as:
- Sanadhya, S.K. & Sarkar, P. Cryptogr. Commun. (2009) 1: 135. doi:10.1007/s12095-009-0011-5
- 178 Downloads
Abstract
We perform a combinatorial analysis of the SHA-2 compression function. This analysis explains in a unified way the recent attacks against reduced round SHA-2. We start with a general class of local collisions and show that the previously used local collision by Nikolić and Biryukov (NB) and Sanadhya and Sarkar (SS) are special cases. The study also clarifies several advantages of the SS local collision over the NB local collision. Deterministic constructions of up to 22-round SHA-2 collisions are described using the SS local collision and up to 21-round SHA-2 collisions are described using the NB local collision. For 23 and 24-round SHA-2, we describe a general strategy and then apply the SS local collision to this strategy. The resulting attacks are faster than those proposed by Indesteege et al using the NB local collision. We provide colliding message pairs for 22, 23 and 24-round SHA-2. Although these attacks improve upon the existing reduced round SHA-256 attacks, they do not threaten the security of the full SHA-2 family.^{1}
Keywords
SHA-2 family Reduced round collisions CryptanalysisMathematics Subject Classifications (2000)
94A60 Cryptography1 Introduction
Collision resistant hash functions (CRHF) are of great practical importance in cryptography. Consequently, over the years, a lot of effort has been expended in the design and analysis of such functions. The most famous families of CRHFs are the SHA-families standardized by NIST [21] of USA and are based on the iterative Merkle-Damgård (MD) [3, 12] type of hash functions designed by Rivest.
A CRHF maps arbitrarily long strings to short fixed length strings. Consequently, collisions are bound to exist. Cryptanalysis of a CRHF consists of finding one such collision for the given CRHF. Since the description of function is given, one needs to carefully analyse the structure of the function in order to determine a collision. This necessitates a detailed combinatorial study of the function. One approach is to linearize the function by replacing all non-linear components with their best linear approximation. Finding a collision for such a linearized function is easy, but, the collision holds for the original function only probabilistically. One then has to look for methods to increase the probability. Alternatively, one could work directly with the nonlinear function itself. This makes the analysis more difficult, but the probability of a collision is much higher.
Cryptanalysis of the MD-family and the SHA-family has been extensively studied with major successes coming at infrequent intervals. The first major success was the cryptanalysis of MD4 by Dobbertin [4, 5] which led to the exhibition of an actual colliding message pair. This was followed by partial attacks on MD5 with full cryptanalysis of MD5 and other hash functions coming recently [23, 25]. The NIST standard SHA-1 family was theoretically cryptanalysed in [24] (though, till date, a colliding message pair for SHA-1 remains to be found). Earlier, partial cryptanalysis of SHA-0 was done in [1, 2]. Following the works in [24, 25], there have been attacks [9, 22] on MD5 with improved time complexities and/or providing collisions of structured messages.
The SHA-2 family consists of two main hash functions, SHA-256 and SHA-512, and their truncated versions SHA-224 and SHA-384. In view of the existing attacks, the only surviving family in the NIST standard is the SHA-2 family. Consequently, it is of interest to analyse the SHA-2 family. Cryptanalysis of the SHA-2 family has recently gained momentum due to the important work of Nikolić and Biryukov [13]. Prior work on finding collisions for step reduced SHA-256 was done in [10, 11] and [16]. These earlier works used local collisions valid for the linearized version of SHA-256 from [6] and [15]. On the other hand, the work [13] used a local collision which is valid for the actual SHA-256.
The authors in [13] developed techniques to handle nonlinear functions and the message expansion of SHA-2 to obtain collisions for up to 21-round SHA-256. The 21-round attack of [13] succeeded with probability 2^{ − 19}. Very recently, Indesteege et al [7] have developed attacks against 23 and 24-round SHA-2 family. They utilize the local collision from [13] in these attacks. Following the work of [13] and partly in parallel to [7], we have published several papers [14, 18, 19, 20] on finding SHA-2 collisions for up to 24 steps with time complexities better than those obtained in [7]. The current work subsumes our previous works and provides a unified combinatorial analysis of the attacks. More details are given below.
Our contributions
We take a general approach to the analysis of SHA-2 family. The set of all possible 9-round local collisions using additive differentials are analysed using a general and unified framework. Simplification of the expressions are done in a systematic manner which lead us to the local collisions from [13] and [20] as special cases. We will call these NB and SS local collisions respectively.
Summary of results against reduced SHA-2 family
Work | Hash function | Steps | Effort | Local collision utilized | Attack type | Example provided | |
---|---|---|---|---|---|---|---|
Prob. | Calls | ||||||
SHA-256 | 18 | ^{a} | GH [6] | Linear | Yes | ||
[16] | SHA-256 | 18 | ^{b} | SS_{5} [15] | Linear | Yes | |
[13] | SHA-256 | 20 | \(\frac{1}{3}\) | NB [13] | Non-linear | Yes | |
21 | 2^{ − 19} | NB [13] | Non-linear | Yes | |||
[20] | SHA-256/SHA-512 | 18,20 | 1 | 1 | SS [20] | Non-linear | Yes |
SHA-256 | 21 | 2^{ − 15} | SS [20] | Non-linear | Yes | ||
[18] | SHA-256/SHA-512 | 21 | 1 | 1 | SS [20] | Non-linear | Yes |
[7] | SHA-256 | 23 | 2^{18} | NB [13] | Non-linear | Yes | |
24 | 2^{28.5} | NB [13] | Non-linear | Yes | |||
SHA-512 | 23 | 2^{44.9} | NB [13] | Non-linear | Yes | ||
24 | 2^{53} | NB [13] | Non-linear | No | |||
This work | SHA-256/SHA-512 | 22 | 1 | 1 | SS [20] | Non-linear | Yes |
SHA-256 | 23 | 2^{11.5} | SS [20] | Non-linear | Yes | ||
24 | 2^{28.5} | SS [20] | Non-linear | Yes | |||
24 | 2^{15.5}^{c} | SS [20] | Non-linear | No | |||
SHA-512 | 23 | 2^{16.5} | SS [20] | Non-linear | Yes | ||
24 | 2^{32.5} | SS [20] | Non-linear | Yes | |||
24 | 2^{22.5}^{d} | SS [20] | Non-linear | No |
We highlight the case of 23 and 24-round SHA-512 attacks from Table 1. These are considerably improved in comparison to the existing attack of [7]. While [7] describes these attacks with reported complexities of 2^{44.9} and 2^{53} calls to the corresponding functions, our attacks have complexities 2^{16.5} and 2^{32.5} calls. In fact, the improvement in the time complexity of the 24-round SHA-512 attack allows us to provide the first message pair which collides for 24-round SHA-512.
Chronology of recent attacks on SHA-2
Nikolić and Biryukov [13] started the analysis of SHA-2 using nonlinear differentials and attacked up to 21-round SHA-256. Our work was motivated by theirs. We generalize their technique and use a different local collision with certain advantages over the NB local collision. Also, we extend the number of rounds that can be attacked to 24.
- 1.
Our work [14, 08-Mar-2008] provided the first example of colliding message pairs for 22-round SHA-2.
- 2.
The version [8, 08-Apr-2008] provided the first examples of colliding message pairs for 23 and 24-round SHA-256.
- 3.
Our report [17, 12-Jun-2008] provided examples of colliding message pairs for 23 and 24-round SHA-256 with improved time complexities.
- 4.
The version [8, 14-Jul-2008] provided the first examples of colliding message pairs for 23-round SHA-512 and a theoretical attack on 24-round SHA-512 with reported time complexity of 2^{53} calls to the compression function.
- 5.
Our paper [19] provides example of a colliding message pair for 23-round SHA-512 with improved time complexity; and the first example of a colliding message pair for 24-round SHA-512 (also with improved time complexity).
2 Preliminaries
Message words: \(W_i \in \{0,1\}^{n}\), \(W^{\prime}_i \in \{0,1\}^{n}\); n is 32 for SHA-256 and 64 for SHA-512.
Colliding message pair: {W_{0}, W_{1}, W_{2}, ...W_{15}} and {\(W^{\prime}_0\), \(W^{\prime}_1\), \(W^{\prime}_2\), ...\(W^{\prime}_{15}\)}.
Expanded message pair: {W_{0}, W_{1}, W_{2}, ...W_{N − 1}} and {\(W^{\prime}_0\), \(W^{\prime}_1\), \(W^{\prime}_2\), ...\(W^{\prime}_{N-1}\)}. The number of steps N is 64 for SHA-256 and 80 for SHA-512.
The internal registers for the two messages at step i: REG_{i} = {a_{i}, ..., h_{i}} and \({\rm{REG}}^{\prime}_i = \{a^{\prime}_i, \ldots, h^{\prime}_i\}\).
ROTR^{k}(x): Right rotation of an n-bit string x by k bits.
SHR^{k}(x): Right shift of an n-bit string x by k bits.
⊕: bitwise XOR;
+ , −: addition and subtraction modulo 2^{n}.
δX = X^{′} − X where X is an n-bit quantity.
2.1 SHA-2 compression function
The complete description of the SHA-2 hash family can be found in [21]. In this work, we will need only the compression function. A description is given below.
The input to the compression function consists of 8 n-bit registers and a message block which consists of 16 n-bit words. The output consists of 8 n-bit words. For the first message block, the values of the input registers are given by 8 fixed n-bit words called the initialization vector and for later message blocks, these values are the output of the previous invocation of the compression function.
The final output of the compression function is (a_{ − 1} + a_{N − 1},...,h_{ − 1} + h_{N − 1}). Adding the initial values (a_{ − 1},...,h_{ − 1}) to the output of the final application of the round function is called feed-forward.
Reduced Round SHA-2
The value of N is fixed by the specification [21]. For the purpose of analysis, one may work with a lower value of N. In this paper, we will work with N up to 24. Everything else of the compression function, including the feed-forward, remain the same. Actually, we will not have to bother about the feed-forward, since we will be obtaining collisions for several steps of the round function itself.
2.2 Cross dependence equation (CDE)
The following result can be used to set registers to specific values.
Proposition 1
Suppose that (a_{i − 1},...,h_{i − 1}) are known and α and β are any two n-bit words. Then it is possible to choose W_{i}such that either a_{i} = α or e_{i} = β. In general, however, using only W_{i}, it is not possible to simultaneously set both a_{i}to α and e_{i} to β.
Proof
Note, however, that using W_{i}, we cannot simultaneously set the values of both a_{i} and e_{i}. □
Even though we cannot use Proposition 1 to simultaneously set the values of a_{i} and e_{i}, there is a way out. This way is given by the CDE. Suppose, the values of a_{i − 3},...,a_{i} have already become fixed, but, a_{i − 4} is still free. Then by choosing a suitable value for a_{i − 4} we can attain any desired value for e_{i}. Now, using Proposition 1, we can use W_{i − 4} to set a_{i − 4} to the required value. So, in effect, we can use W_{i − 4} to set e_{i} to any desired value. This is something nice (from a cryptanalytic point of view) and unexpected and we use this feature extensively.
2.3 Differential properties of σ_{1}
For the analysis of 23 and 24-round SHA-2, we will need to consider the differential properties of σ_{1} with respect to modular addition. The particular property that we require is discussed in this section.
SHA-256
Consider the distribution of δ = σ_{1}(W) − σ_{1}(W − 1) as W ranges over all 2^{32} values. This distribution is highly skewed and was mentioned in Section 7.1 in [20]. Later, it has been independently observed in [7] that δ takes only 6181 values and there are several values of δ which occur for more than 2^{29} or more values of W.
Some examples of high frequency values of δ = σ_{1}(W) − σ_{1}(W − 1) for SHA-256
δ | \(\textsf {freq}_{\delta}\) | δ | \(\textsf {freq}_{\delta}\) |
---|---|---|---|
ffff6000 | 2^{29} + 2^{26} + 2^{25} | 0000a000 | 2^{29} + 2^{26} + 2^{25} |
ffffa000 | 2^{29} + 2^{26} | 00006000 | 2^{29} + 2^{26} |
ff006001 | 2^{16} | ff005fff | 2^{16} |
Note
Interestingly, we have observed that if \(\textsf {freq}_{\delta}\) is greater than 2^{16}, then δ is always even.
SHA-512
Some examples of high frequency values of δ = σ_{1}(W) − σ_{1}(W − 1) for SHA-512
δ | \(\textsf {freq}_{\mbox{o}}\) | \(\textsf {freq}_{\delta}\) | δ | \(\textsf {freq}_{\mbox{o}}\) | \(\textsf {freq}_{\delta}\) |
---|---|---|---|---|---|
200000000008 | 4795491 | 2^{61.5} | 8e000000003a9 | 22 | 2^{43.5} |
ffffdffffffffff8 | 4793201 | 2^{61.5} | fff26000000000c9 | 22 | 2^{43.5} |
1ffffffffff8 | 4792982 | 2^{61.5} | 600000000237 | 18 | 2^{43.5} |
3 A general non-linear differential path
In this section, we present a description of a general differential path. This description is given in terms of several variables w,x,y and z and the message differences δW_{i},...,δW_{i + 8}. The values of the δW’s are obtained in terms of w,x,y and z so that the differential path holds. Starting from this general description, we obtain conditions to simplify the expression for the variables and the δW’s. This leads to the analysis of special cases of the general differential path.
The process of moving from the general to the specific is done in several steps. First, we simplify the expressions for the variables and the δW’s. Next, we try to set as many of the δW’s to zero as possible. To this end, we obtain conditions for δW_{i + 4},...,δW_{i + 7} to be set to zero. These lead to two special cases for the differential path which can be used to find reduced round collisions.
General 9-round nonlinear local collision for SHA-256
Differential Path | |||||||||
---|---|---|---|---|---|---|---|---|---|
Step i | δW_{i} | δa_{i} | δb_{i} | δc_{i} | δd_{i} | δe_{i} | δf_{i} | δg_{i} | δh_{i} |
i − 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
i | w | w | 0 | 0 | 0 | w | 0 | 0 | 0 |
i + 1 | δW_{i + 1} | 0 | w | 0 | 0 | x | w | 0 | 0 |
i + 2 | δW_{i + 2} | 0 | 0 | w | 0 | y | x | w | 0 |
i + 3 | δW_{i + 3} | 0 | 0 | 0 | w | z | y | x | w |
i + 4 | δW_{i + 4} | 0 | 0 | 0 | 0 | w | z | y | x |
i + 5 | δW_{i + 5} | 0 | 0 | 0 | 0 | 0 | w | z | y |
i + 6 | δW_{i + 6} | 0 | 0 | 0 | 0 | 0 | 0 | w | z |
i + 7 | δW_{i + 7} | 0 | 0 | 0 | 0 | 0 | 0 | 0 | w |
i + 8 | δW_{i + 8} | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Message Word Differences | |||||||||
δW_{i} = w; | |||||||||
\(\delta W_{i+1} = x-\delta\Sigma_1^i(w)-\delta f_{IF}^i(w,0,0)\); | |||||||||
\(\delta W_{i+2} = y-\delta\Sigma_1^{i+1}(x)-\delta f_{IF}^{i+1}(x,w,0)\); | |||||||||
\(\delta W_{i+3} = z-\delta\Sigma_1^{i+2}(y)-\delta f_{IF}^{i+2}(y,x,w)\); | |||||||||
\(\delta W_{i+4} = -w-\delta\Sigma_1^{i+3}(z)-\delta f_{IF}^{i+3}(z,y,x)\); | |||||||||
\(\delta W_{i+5} = -x-\delta\Sigma_1^{i+4}(w)-\delta f_{IF}^{i+4}(w,z,y)\); | |||||||||
\(\delta W_{i+6} = -y-\delta f_{IF}^{i+5}(0,w,z)\); | |||||||||
\(\delta W_{i+7} = -z-\delta f_{IF}^{i+6}(0,0,w)\); | |||||||||
δW_{i + 8} = − w. |
The important thing to note about the differential path shown in Table 4 is that it puts no restrictions on the actual message words W_{i},...,W_{i + 8}. Starting at any value for the registers a_{i} to h_{i}, and using any given non-zero w, and any W_{i},...,W_{i + 8}, we simply run the compression function step-by-step and define the words x,y,z, the respective δW_{i}s and consequently the respective \(W_i^{\prime}\)s. All the steps are deterministic and hence with probability one, we obtain \(W_i^{\prime}\)s which collide with W_{i}s. This gives rise to a local collision.
Note
We have defined δX = X^{′} − X and so δW_{i} = w means \(W_i^{\prime}=W_i+w\); if we had defined δX to be X − X^{′}, then \(W_i^{\prime}\) would have been W_{i} − w. Consequently, without loss of generality one can assume w > 0.
3.1 Simplifications
The differential path by itself is not useful for obtaining longer round collisions. To do this, we need to simplify the expressions and obtain conditions. The idea behind the simplifications is to obtain conditions which are easy to satisfy and which ensure that the differential path holds. These conditions are obtained in terms of values of the variables w,x,y and z as well as values of the different a and e registers. The registers can then be set to appropriate values using Proposition 1. The simplification is done using several rules which are actually sufficient conditions. The rules and their consequences are described below.
Simplifying δΣ_{0}
There is only one occurrence of Σ_{0} in all the expressions and that is in the expression for x. In both SHA-256 and SHA-512, Σ_{0} is a linear function which is invariant only on 0 and − 1. Note that \(-1={\tt ffffffff}\) for SHA-256 and \(-1={\tt ffffffffffffffff}\) for SHA-512. Since \(\delta\Sigma_0^i(w)=\Sigma_0(a_i+w)-\Sigma_0(a_i)\) an easy way to satisfy this is to ensure that both a_{i} and a_{i} + w are either 0 or − 1.
Rule 1
Ensure that \(\delta\Sigma_0^i(w)=w\) by putting w = 1 and a_{i} = − 1.
Simplifying Majority
If two of the inputs are equal, then the output of f_{MAJ}() is equal to this input. Based on this observation, we have the following rule.
Rule 2
Simplify each occurrence of f_{MAJ} by making two of the inputs equal.
- 1.
Set a_{i − 1} = a_{i − 2} which implies x = − w;
- 2.
set a_{i − 1} = a_{i} + w, a_{i} = a_{i − 2} which implies that x = − 2w;
- 3.
set a_{i − 2} = a_{i} + w, a_{i} = a_{i − 1} which also implies that x = − 2w.
Different cases for (w,x,y,z)
(I) | (w, − w,0,0) |
(II) | (w, − w,0, − w) |
(III) | (w, − w, − w,0) |
(IV) | (w, − w, − w, − w) |
(V) | (w, − 2w,0,0) |
(VI) | (w, − 2w,0, − w) |
(VII) | (w, − 2w, − w,0) |
(VIII) | (w, − 2w, − w, − w) |
Result of applying Rules 1 and 2
Case | a_{i − 2} | a_{i − 1} | a_{i} | a_{i + 1} | a_{i + 2} | e_{i + 2} | e_{i + 1} |
---|---|---|---|---|---|---|---|
I | α | α | − 1 | α | α | − Σ_{0}(α) + α | 1 + a_{i − 3} |
II(a) | \(\phantom{-}0\) | \(\phantom{-}0\) | − 1 | \(\phantom{-}0\) | − 1 | − 1 | 1 + a_{i − 3} |
II(b) | − 1 | − 1 | − 1 | − 1 | \(\phantom{-}0\) | \(\phantom{-}1\) | 1 + a_{i − 3} |
III(a) | − 1 | − 1 | − 1 | \(\phantom{-}0\) | \(\phantom{-}0\) | \(\phantom{-}0\) | 2 + a_{i − 3} |
III(b) | \(\phantom{-}0\) | \(\phantom{-}0\) | − 1 | − 1 | − 1 | \(\phantom{-}1\) | a_{i − 3} |
IV(a) | − 1 | − 1 | − 1 | \(\phantom{-}0\) | − 1 | − 1 | 2 + a_{i − 3} |
IV(b) | \(\phantom{-}0\) | \(\phantom{-}0\) | − 1 | − 1 | \(\phantom{-}0\) | \(\phantom{-}2\) | a_{i − 3} |
V(a) | − 1 | \(\phantom{-}0\) | − 1 | \(\phantom{-}0\) | \(\phantom{-}0\) | − 1 | 2 + a_{i − 3} |
V(b) | \(\phantom{-}0\) | − 1 | − 1 | − 1 | − 1 | \(\phantom{-}1\) | 1 + a_{i − 3} |
VI(a) | − 1 | \(\phantom{-}0\) | − 1 | \(\phantom{-}0\) | − 1 | − 2 | 2 + a_{i − 3} |
VI(b) | \(\phantom{-}0\) | − 1 | − 1 | − 1 | \(\phantom{-}0\) | \(\phantom{-}2\) | 1 + a_{i − 3} |
VII(a) | − 1 | \(\phantom{-}0\) | − 1 | − 1 | − 1 | \(\phantom{-}0\) | 1 + a_{i − 3} |
VII(b) | \(\phantom{-}0\) | − 1 | − 1 | \(\phantom{-}0\) | \(\phantom{-}0\) | \(\phantom{-}1\) | 2 + a_{i − 3} |
VIII(a) | − 1 | \(\phantom{-}0\) | − 1 | − 1 | \(\phantom{-}0\) | \(\phantom{-}1\) | 1 + a_{i − 3} |
VIII(b) | \(\phantom{-}0\) | − 1 | − 1 | \(\phantom{-}0\) | − 1 | − 1 | 2 + a_{i − 3} |
These sufficient conditions specify certain values for the registers (a_{i − 2},a_{i − 1},a_{i},a_{i + 1},a_{i + 2}) and (e_{i + 1},e_{i + 2}). Actually, the conditions on the a-register values are independent and the conditions on the e-register values are obtained from these values using the CDE. Using Proposition 1, it is possible to set the values of (W_{i − 2},...,W_{i + 2}) to ensure that the (a_{i − 2},...,a_{i + 2}) obtain the required values. Consequently, we can ensure that any of the cases in Table 6 can be made to hold with probability one.
3.2 Simplifying δW_{i + 4} to δW_{i + 7}
- 1.
If z = 0, then e_{i + 3} can be either 0 or − 1.
- 2.
If z = − w, then we choose e_{i + 3} = 0 if w = 1; and e_{i + 3} = − 1 if w = − 1.
Summary of simplifying conditions for δW_{i + 4} and δW_{i + 5}
δW | Condition(s) | Value of δW |
---|---|---|
δW_{i + 4} | z = 0, e_{i + 3} = 0 | − w − x |
z = 0, e_{i + 3} = − 1 | − w − y | |
w = 1, z = − w, e_{i + 3} = 0 | e_{i + 1} − e_{i + 2} + y | |
δW_{i + 5} | w = 1, e_{i + 4} = − 1 | − w − x − y + e_{i + 3} − e_{i + 2} |
Summary of simplifying conditions for δW_{i + 6} and δW_{i + 7}
δW | Condition(s) | Value of δW |
---|---|---|
δW_{i + 6} | e_{i + 5} = 0 | − y − z |
e_{i + 5} = − 1 | − y − w | |
δW_{i + 7} | e_{i + 6} = 0 | − w − z |
e_{i + 6} = − 1 | − z |
4 Obtaining up to 22-round collisions
The basic idea is the following. Choose a suitable value for i and place the local collision from Steps i to i + 8. By placing we mean the following. Ensure that δW_{0},...,δW_{i − 1} are all zeros and introduce the required differences in δW_{i},...,δW_{i + 8}. This creates a collision from Steps i to i + 8. Ensure that there are no further disturbances by setting δW_{i + 9} to δW_{15} to be zero. This works well if we are interested in up to 16-round collisions.
Message expansion from W_{16} to W_{23}
δW_{16} = δσ_{1}(δW_{14}) + δW_{9} + δσ_{0}(δW_{1}) + δW_{0} |
δW_{17} = δσ_{1}(δW_{15}) + δW_{10} + δσ_{0}(δW_{2}) + δW_{1} |
δW_{18} = δσ_{1}(δW_{16}) + δW_{11} + δσ_{0}(δW_{3}) + δW_{2} |
δW_{19} = δσ_{1}(δW_{17}) + δW_{12} + δσ_{0}(δW_{4}) + δW_{3} |
δW_{20} = δσ_{1}(δW_{18}) + δW_{13} + δσ_{0}(δW_{5}) + δW_{4} |
δW_{21} = δσ_{1}(δW_{19}) + δW_{14} + δσ_{0}(δW_{6}) + δW_{5} |
δW_{22} = δσ_{1}(δW_{20}) + δW_{15} + δσ_{0}(δW_{7}) + δW_{6} |
δW_{23} = δσ_{1}(δW_{21}) + δW_{16} + δσ_{0}(δW_{8}) + δW_{7} |
18-Round Collisions
Deterministic 18-round collisions are easy to obtain by setting i = 3 (i.e., the local collision spans from i = 3 to i + 8 = 11). So, we necessarily have δW_{j} = 0 for j = 0,1,2,12,13,14,15.
Additionally, we need to ensure that δW_{16} = δW_{17} = 0. From Table 9, we see that in the expression for δW_{16} the only possible non-zero term is δW_{9} = δW_{i + 6}. Similarly, in the expression for δW_{16}, the only possible non-zero term is δW_{10} = δW_{i + 7}. By ensuring that δW_{i + 6} = δW_{i + 7} = 0, we will obtain δW_{16} = δW_{17} = 0. But, ensuring δW_{i + 6} = δW_{i + 7} = 0 can be easily done by setting a suitable condition from Table 8. For example, if y = z = 0, then the setting e_{i + 5} = 0 and e_{i + 6} = − 1 ensures δW_{i + 6} = δW_{i + 7} = 0 for any choice of w. Using Proposition 1, the required values of e_{i + 5} and e_{i + 6} can be achieved by setting W_{i + 5} and W_{i + 6} to appropriate values. As a net result, we obtain deterministic 18-round collisions for any value of w.
20-Round Collisions
Set i = 5, i.e., the local collision spans from i = 5 to i + 8 = 13, so that δW_{j} = 0 for j = 0,...,4,14,15. We need to ensure that δW_{16} = ⋯ = δW_{19} = 0. From Table 9, we see that this can be achieved by setting δW_{9} = δW_{10} = δW_{11} = δW_{12} = 0.
Conditions for setting δW_{i + 4} = δW_{i + 5} = 0
Case | w | x | y | z | e_{i + 2} | e_{i + 3} | e_{i + 4} | Extra condition |
---|---|---|---|---|---|---|---|---|
A | 1 | − 1 | \(\phantom{-}0\) | 0 | 0 | \(\phantom{0}\phantom{-.}0\) | − 1 | Case I |
B | 1 | − 1 | − 1 | 0 | 1 | \(\phantom{0}\phantom{-.}0\) | − 1 | Case III (b) |
C | 1 | − 2 | − 1 | 0 | 1 | \(\phantom{0}\phantom{-.}0\) | − 1 | Case VII (b) |
D | 1 | − 1 | − 1 | 0 | 0 | − 1 | − 1 | Case III (a) |
E | 1 | − 2 | \(\phantom{-}0\) | 0 | 1 | − 1 | − 1 | Case V (b) |
F | 1 | − 2 | − 1 | 0 | 1 | − 1 | − 1 | Case VII (b) |
Conditions for setting δW_{i + 4} = δW_{i + 5} = δW_{i + 6} = δW_{i + 7} = 0
A row of Table 10 |
AND |
(e_{i + 5} = 0 and y = − z) or (e_{i + 5} = − 1 and y = − w) |
AND |
e_{i + 6} = − 1. |
Note
Tables 10 and 11 show that it is possible to deterministically set all the four δWs to zero in Case (A) which is the NB local collision. Consequently, it is possible to obtain deterministic 20-round collision using this local collision. This was not done in [13] but was later mentioned in [20].
21-Round Collisions
Set i = 6, i.e., the local collision spans from i = 6 to i + 8 = 14. We need to ensure that δW_{16} = ⋯ = δW_{20} = 0. As in the case of 20-round collision, we set δW_{i + 4} = δW_{i + 5} = δW_{i + 6} = δW_{i + 7} = 0 by a suitable set of conditions given by Table 11. So, we have δW_{j} = 0 for j = 0,...,5,10,11,12,13,15. From Table 9, we see that if we can now achieve δW_{16} = 0, then we will have achieved the condition δW_{16} = ⋯ = δW_{20} = 0.
In the case of row D, we have δW_{9} = − e_{7} + e_{6} + 2; whereas for row A, we get δW_{9} = − 1. It is possible to deterministically satisfy the case for row D. However, row A (which is the NB local collision) cannot be used in the attack. This is due to the fact that there does not exist any word X such that σ_{0}(X) − σ_{0}(X − 1) = − 1 either for SHA-256 or for SHA-512.
Since i = 6, the row of Table 6 corresponding to row D of Table 10 ensure that a_{4}, a_{5}, a_{6}, a_{7}, a_{8} and e_{8} are all fixed to particular values. Using CDE, we can now use a_{3} to set e_{7} to any specific value and then use a_{2} to set e_{6} to any specific value.
The overall strategy is now the following. Choose arbitrary values for W_{14} and W_{15} and compute δ_{1} = δσ_{1}(δW_{14}) and δ_{2} = δσ_{1}(δW_{15}), where δW_{14} = δW_{15} = − w. Now set δW_{9} = − δ_{1} and W_{10} = − δ_{2} using W_{3} and W_{4} to set a_{3} and a_{4} and hence, using CDE to set e_{7} and e_{8} to desired values. This can be done deterministically.
We have sketched two ways of achieving deterministic 21-round collisions. In one case, the local collision spans from Step 6 to Step 14 and in the second case, the local collision spans from Step 7 to Step 15. For the first case, only the SS local collision can be used, while in the second case, both the SS and the NB local collisions can be used. The fact that the NB local collision can be used to obtain deterministic 21-round collisions was not mentioned in [13]; it was mentioned in [18].
The sketches above can be developed into detailed algorithms. We do not describe these algorithms. This is because below we describe in details a similar algorithm for constructing deterministic 22-round collisions.
4.1 22-round collisions
First, consider the condition on δW_{17}. To simplify δW_{10} = δW_{i + 3} we need to choose both e_{i + 2} and e_{i + 2} + y to be 0 or − 1. These imply that we have to use either row A or row D of Table 10 (which respectively correspond to the NB and the SS local collisions).
So, we use row D which correspond to Case III(a) of Table 6. In this case, we see that e_{8} = e_{i + 1} = 2 + a_{i − 3} = 2 + a_{4}. We set a_{4} = − 2, so that e_{8} = 0 and δW_{10} = e_{7} + 2. Setting a_{4} to − 2 is done using W_{4} as in Proposition 1.
Algorithm to Obtain 22-Round Collisions
- 1.
W_to_set_register_A(Step i, desired_a, Current State {a_{i − 1}, b_{i − 1}, ...h_{i − 1}}) :
= (desired_a − Σ_{0}(a_{i − 1}) − f_{MAJ}(a_{i − 1},b_{i − 1},c_{i − 1}) − Σ_{1}(e_{i − 1}) − f_{IF}(e_{i − 1},f_{i − 1}, g_{i − 1}) − h_{i − 1} − K_{i})
- 2.
W_to_set_register_E(Step i, desired_e, Current State {a_{i − 1}, b_{i − 1}, ...h_{i − 1}}) :
= (desired_e − d_{i − 1} − Σ_{1}(e_{i − 1}) − f_{IF}(e_{i − 1},f_{i − 1},g_{i − 1}) − h_{i − 1} − K_{i})
Deterministic algorithm to obtain message pairs leading to collisions for 22-round SHA-2
externalW_to_set_register_A(Step i, desired_a, Current State {a_{i − 1}, b_{i − 1}, ...h_{i − 1}}) : Returns the required message W_{i} to be used in step i so that a_{i} is set to the given value. |
---|
externalW_to_set_register_E(Step i, desired_e, Current State {a_{i − 1}, b_{i − 1}, ...h_{i − 1}}) : Returns the required message W_{i} to be used in step i so that e_{i} is set to the given value. |
First Message words: |
1. Select W_{0}, W_{1}, W_{14} and W_{15} randomly. |
2. Set \(\texttt{DELTA} = \sigma_1(W_{15}) - \sigma_1(W_{15}-1)\). |
3. Run Steps 0 and 1 of hash evaluation to define {a_{1},b_{1}, ...h_{1}}. |
4. Choose W_{2} = W_to_set_register_A(2, \(\texttt{DELTA} - 1 + f_{MAJ}(-1,-2,\texttt{DELTA}-3)\), {a_{1}, b_{1}, ...h_{1}}). |
5. Run Step 2 of hash evaluation to define {a_{2},b_{2}, ...h_{2}}. |
6. Choose W_{3} = W_to_set_register_A(3, \(\texttt{DELTA}-3\), {a_{2}, b_{2}, ...h_{2}}). |
7. Run Step 3 of hash evaluation to define {a_{3},b_{3}, ...h_{3}}. |
8. Choose W_{4} = W_to_set_register_A(4, − 2, {a_{3}, b_{3}, ...h_{3}}). |
9. Run Step 4 of hash evaluation to define {a_{4},b_{4}, ...h_{4}}. |
10. Choose W_{5} = W_to_set_register_A(5, − 1, {a_{4}, b_{4}, ...h_{4}}). |
11. Run Step 5 of hash evaluation to define {a_{5},b_{5}, ...h_{5}}. |
12. Choose W_{6} = W_to_set_register_A(6, − 1, {a_{5}, b_{5}, ...h_{5}}). |
13. Run Step 6 of hash evaluation to define {a_{6},b_{6}, ...h_{6}}. |
14. Choose W_{7} = W_to_set_register_A(7, − 1, {a_{6}, b_{6}, ...h_{6}}). |
15. Run Step 7 of hash evaluation to define {a_{7},b_{7}, ...h_{7}}. |
16. Choose W_{8} = W_to_set_register_A(8, 0, {a_{7}, b_{7}, ...h_{7}}). |
17. Run Step 8 of hash evaluation to define {a_{8},b_{8}, ...h_{8}}. |
18. Choose W_{9} = W_to_set_register_A(9, 0, {a_{8}, b_{8}, ...h_{8}}). |
19. Run Step 9 of hash evaluation to define {a_{9},b_{9}, ...h_{9}}. |
20. Choose W_{10} = W_to_set_register_E(10, − 1, {a_{9}, b_{9}, ...h_{9}}). |
21. Run Step 10 of hash evaluation to define {a_{10},b_{10}, ...h_{10}}. |
22. Choose W_{11} = W_to_set_register_E(11, − 1, {a_{10}, b_{10}, ...h_{10}}). |
23. Run Step 11 of hash evaluation to define {a_{11},b_{11}, ...h_{11}}. |
24. Choose W_{12} = W_to_set_register_E(12, − 1, {a_{11}, b_{11}, ...h_{11}}). |
25. Run Step 12 of hash evaluation to define {a_{12},b_{12}, ...h_{12}}. |
26. Choose W_{13} = W_to_set_register_E(13, − 1, {a_{12}, b_{12}, ...h_{12}}). |
Second message words: |
27. Define δW_{i} = 0 for i ∈ {0,1,2,3,4,5,6,9,11,12,13,14}. |
28. Define δW_{7} = 1 and δW_{15} = − 1. |
29. Define δW_{8} = − 1 − f_{IF}(e_{7} + 1,f_{7},g_{7}) + f_{IF}(e_{7},f_{7},g_{7}) − Σ_{1}(e_{7} + 1) + Σ_{1}(e_{7}). (Refer Table 4.) |
30. Define δW_{10} = − f_{IF}(e_{9} − 1,f_{9} − 1,g_{9} + 1) + f_{IF}(e_{9},f_{9},g_{9}) − Σ_{1}(e_{9} − 1) + Σ_{1}(e_{9}). (Refer Table 4.) |
31. Compute \(W^{\prime}_i = W_i + \delta W_i\) for 0 ≤ i ≤ 15. |
A Remark on the NB Local Collision
We have mentioned that if we place the local collision from Steps 7 to 15, then row A of Table 10 cannot be used to obtain a deterministic 22-round collision. Row A corresponds to the NB local collision.
We considered the issue of whether it is possible to place the NB local collision from Steps 8 to 16 to obtain a 22-round collision (which may not be deterministic). In this case, the local collision will end at Step 16 and hence δW_{16} = − 1. Recall from Table 9, that a difference in δW_{16} will affect δW_{18}. We would like to have δW_{18} = 0 so as to ensure that there are no differences after the local collision ends. Again from Table 9 and the fact that the local collision spans Steps 8 to 16, to achieve δW_{18} = 0, we need to have δσ_{1}(δW_{16}) + δW_{11} = 0.
More generally, we considered the situation, where the NB local collision spans Steps i to (i + 8), with i ≥ 8 and we require δW_{i + 10} = 0. From Table 9, the last condition is achieved if δσ_{1}(δW_{i + 8}) + δW_{i + 3} = 0. Note that δW_{i + 8} = − 1.
For SHA-512, using the NB local collision makes achieving the condition δσ_{1}(δW_{i + 8}) + δW_{i + 3} = 0 difficult. This is because of the fact that there is a “gap” in the values of |δW_{i + 3}| and |δσ_{1}(δW_{i + 8})|. In Appendix B, we show that the probability of \(|\delta W_{i+3}|\geq 2^j\) is less than 1/2^{j − 1}; and for any 64-bit value for W_{i + 8}, \(|\sigma_1(W_{i+8})-\sigma_1(W_{i+8}-1)|\geq 2^{42}+2^{39}+2^{38}+2^{36}-2^3\). As a consequence, to achieve δσ_{1}(δW_{i + 8}) + δW_{i + 3} = 0, we need to have \(|\delta W_{i+3}|> 2^{42}\), an event which occurs with probability less than 2^{ − 41}.
The above probability computation is over uniform random choices of W_{i + 8} and W_{i + 3}. In fact, this was one of the factors that had led us to focus only on the SS local collision. It was shown in [7] that the NB local collision can be used to obtain 23 and 24-round SHA-512 collision. However, the time complexities of the NB local collision attack is more than that of the SS local collision attack. This fact is possibly attributable to the “gap” in the values of |δW_{i + 3}| and |δσ_{1}(δW_{i + 8})| mentioned above.
5 A general idea for obtaining 23 and 24-round collisions
Obtaining deterministic collisions up to 22 rounds did not require the (single) local collision to extend beyond Step 15. For obtaining collisions for a greater number of rounds, we will need to start the local collision at Step 8 (or further) and hence the local collision will end at Step 16 (or further). This will require us to analyse the message expansion more carefully.
For obtaining collisions up to 22 rounds, we also needed to consider message expansion. But, we ensured that there were no differences in message words from Step 16 onwards. However, now that we consider the local collision to end at Step 16 (or further), this will necessarily mean that one or more δW_{i} (for i ≥ 16) will be non-zero. This will require a modification of the strategy followed so far. Instead of requiring δW_{i} = 0 for i ≥ 16, we will require δW_{i} = 0 for a few i’s after the local collision ends. So, supposing that the local collision ends at Step 16 and we want a 23-round collision, then δW_{16} is necessarily − w and we will require δW_{17} = ⋯ = δW_{22} = 0.
5.1 A class of local collisions
- 1.
If a_{i} = − 1 and a_{i − 1} = a_{i − 2} = α, then x = − 1.
- 2.
If a_{i + 1} = a_{i − 1}, then y = 0; if \(a_{i+1}=\overline{a_{i-1}}\), then y = − 1.
- 3.
If a_{i + 2} = a_{i + 1}, then z = 0; if \(a_{i+2}=\overline{a_{i+1}}\), then z = − 1.
Note
- 1.
If y = 0, then λ = α − Σ_{0}(α).
- 2.
If y = − 1, then \(\lambda=\alpha+\overline{\alpha}+1-\Sigma_0(\overline{\alpha})=-\Sigma_0(\overline{\alpha})\).
Values of a and e register for the δWs given by (8) to hold
Index | i − 2 | i − 1 | i | i + 1 | i + 2 | i + 3 | i + 4 | i + 5 | i + 6 |
---|---|---|---|---|---|---|---|---|---|
a | α | α | − 1 | β | β | ||||
e | γ | γ + 1 | − 1 | μ | λ | λ + y | − 1 | y | − 1 − u |
5.2 Solving (10) for y = − 1
The third equation holds with probability 1 if both λ and μ are odd.
Given that λ and μ are odd, the second equation simplifies to \(\delta_2 =-\Sigma_1(\lambda-1)+\Sigma_1(\lambda)+\overline{(\lambda-1)}\). For a given odd value of δ_{2} occurring in the distribution of σ_{1}(W) − σ_{1}(W − 1), it is possible to solve this equation for odd λ.
Given such a λ, it is easy to solve the equation \(\lambda = -\Sigma_0(\overline{\alpha})\) to obtain a suitable value of α, since Σ_{0} is an invertible mapping for both SHA-256 and SHA-512.
For the first equation, the term − f_{IF}(μ − 1,0,γ + 1) + f_{IF}(μ, − 1,γ + 1) is equal to μ, if γ is odd. This term is equal to μ − 1 if γ is even. Further, we note that − Σ_{1}(μ − 1) + Σ_{1}(μ) is always even for both SHA-256 and SHA-512. Thus taking an arbitrary odd value of γ, the first equation is in the single variable μ and can be solved easily for a given δ_{1}.
Now we provide proofs of the observations above.
Lemma 1
If y = − 1, then the third equation of (10) is satisfied for any odd λ and odd μ.
Proof
bit | 63 | ... | i | ... | j | ... | 0 |
---|---|---|---|---|---|---|---|
λ − 1 | . | ... | 1 | ... | 0 | ... | 0 |
λ | . | ... | 1 | ... | 0 | ... | 1 |
μ | . | ... | b_{1} | ... | b_{2} | ... | 1 |
f_{IF}(λ − 1,λ, μ) | . | ... | 1 | ... | b_{2} | ... | 1 |
bit | 63 | ... | i | ... | j | ... | 0 |
---|---|---|---|---|---|---|---|
λ − 1 | . | ... | 1 | ... | 0 | ... | 0 |
λ − 1 | . | ... | 1 | ... | 0 | ... | 0 |
μ − 1 | . | ... | b_{1} | ... | b_{2} | ... | 0 |
f_{IF}(λ − 1,λ − 1, μ − 1) | . | ... | 1 | ... | b_{2} | ... | 0 |
Lemma 2
Let y = − 1. For odd λ and odd μ, the second equation of (10) simplifies to\(\delta_2 =-\Sigma_1(\lambda-1)+\Sigma_1(\lambda)+\overline{(\lambda-1)}\).
Proof
bit | 63 | ... | i | ... | j | ... | 0 |
---|---|---|---|---|---|---|---|
λ | . | ... | 1 | ... | 0 | ... | 1 |
μ | . | ... | b_{1} | ... | b_{2} | ... | 1 |
− 1 | 1 | ... | 1 | ... | 1 | ... | 1 |
f_{IF}(λ,μ, − 1) | . | ... | b_{1} | ... | 1 | ... | 1 |
bit | 63 | ... | i | ... | j | ... | 0 |
---|---|---|---|---|---|---|---|
λ − 1 | . | ... | 1 | ... | 0 | ... | 0 |
μ − 1 | . | ... | b_{1} | ... | b_{2} | ... | 0 |
0 | 0 | ... | 0 | ... | 0 | ... | 0 |
f_{IF}(λ − 1, μ − 1, 0) | . | ... | b_{1} | ... | 0 | ... | 0 |
Lemma 3
Let y = − 1. For odd μ and odd γ, the first equation of (10) simplifies to δ_{1} = − 1 − Σ_{1}(μ − 1) + Σ_{1}(μ) + μ.
Proof
SHA-256
Values leading to collisions for different number of steps of SHA-256
(# rnds, i) | δ_{1} | δ_{2} | u | α | λ | γ | μ |
---|---|---|---|---|---|---|---|
(23, 8) | \(\phantom{00000000.}0\) | ff006001 | 0 | 32b308b2 | 051f9f7f | 684e62b7 | 041fff81 |
(23, 9) | 00006000 | ff006001 | 1 | 32b308b2 | 051f9f7f | 98e3923b | fbe05f81 |
(24, 10) | " | " | " | " | " | " | " |
SHA-512
It is possible to solve (10) for SHA-512 as well, although we require a different approach than SHA-256. The main difference is in solving the first and the second equations. Since now 64-bit quantities are involved, it is no longer possible to solve the first and second equations by exhaustive search. We describe a method to solve the second equation with the aid of an example.
Values leading to collisions for different number of steps of SHA-512
(# rnds, i) | δ_{1} | δ_{2} | u | α | λ | γ | μ |
---|---|---|---|---|---|---|---|
(23, 8) | \(\phantom{000000000000}0\) | 600000000237 | 0 | 7201b90f9f8df85e | 3e000007ffdc9 | 1 | 43fffff800001 |
(23, 9) | 200000000008 | 600000000237 | 1 | 7201b90f9f8df85e | 3e000007ffdc9 | 1 | 45fffff800009 |
(24, 10) | " | " | " | " | " | " | " |
Solving the Second Equation of (10) For SHA-512
bit | 63 | ... | 50 | ... | 46 | ... | 23 | ... | 0 |
---|---|---|---|---|---|---|---|---|---|
A = Σ_{1}(λ − 1) | . | ... | \(\overline{b_3}\) | ... | \(\overline{b_2}\) | ... | \(\overline{b_1}\) | ... | . |
B = Σ_{1}(λ) | . | ... | b_{3} | ... | b_{2} | ... | b_{1} | ... | . |
A − B | . | ... | . | ... | . | ... | 1 | 0... | 0 |
δ_{2} | . | ... | . | ... | . | ... | . | ... | . |
A − B + δ_{2} | . | ... | . | ... | . | ... | . | ... | . |
Now consider the bits between 23 and 46 of (A − B). It is clear that all these bits will be equal. Further, all these bits will be equal to 1 if b_{1} = 1 due to the borrow while subtracting B from A at bit position 23. Similarly, all these bits of (A − B) will be equal to 0 if b_{1} = 0. Our choice of δ_{2} has all these bits equal to zero, hence the term (A − B + δ_{2}) will too have all these bits equal. But since this term is equal to \(\overline{(\lambda-1)}\), all these bits of (λ − 1) will also be equal. Finally, note that λ and (λ − 1) differ only in the lowest bit position, hence all the bits between 23 and 46 of λ will also be equal. In particular, we will have λ_{37} = λ_{41}, hence we have that b_{1} = 1 ⊕ λ_{37} ⊕ λ_{41} = 1.
Continuing reasoning on bit positions in this way, for any given δ_{2}, either we can solve for λ or determine that a solution does not exist. For \(\delta_2 = {\tt 600000000237}\) we obtained the solution \(\lambda = {\tt 3e000007ffdc9}\). Note that the method explained above does not require any particular structure of the bits of δ_{2}. As another example, we also solved for \(\delta_2 = {\tt 19ffffffffdd9}\) and obtained the solution as \(\lambda = {\tt 2200000800227}\).
Note
- 1.
The first equation can be solved in a similar manner for μ for a given δ_{1}.
- 2.
It is possible to design an algorithm to do the task described above. But, such an algorithm will be complicated. Since we are interested in solving for a single value of δ_{2}, we chose not to describe and implement an algorithm. The method of solving by hand is good enough.
6 Finding 23 and 24-round collisions
We show that by suitably placing a local collision of the type described in Section 5.1 and using proper values for α,γ and μ, it is possible to obtain several 23 and 24-round collisions for SHA-2. For the description below, we will be considering the SS local collision, i.e., (w,x,y,z) = (1, − 1, − 1,0).
6.1 23-round collisions
There are two options of placing the SS local collision. From Step i = 8 to Step i + 8 = 16 and from Step i = 9 to Step i + 8 = 17. This gives rise to two kinds of 23-round collisions for SHA-2.
Case i = 8
The local collision is started at i = 8 and ends at i = 16.
We have (w,x,y,z) = (1, − 1, − 1,0) and \(\beta=\overline{\alpha}\). Also, we set u = 0 and δ_{1} = 0. We need to choose a suitable value for δ_{2} which is the value of δW_{i + 3} = δW_{11}. For this case, we let δ = δ_{2}. The value of δ_{2} has to be chosen so that (10) has a solution. The time complexity of the algorithm depends on \(\textsf {freq}_{\delta}\) (see Section 2.3 for the meaning of \(\textsf {freq}_{\delta}\)) as explained below, so, one would like to choose δ such that \(\textsf {freq}_{\delta}\) is as high as possible. At the same time, we have to ensure that (10) can be solved for the particular value of δ. Our choices of δ given in the rows with (23,8) of Tables 14 and 15 have the highest value of \(\textsf {freq}_{\delta}\) for which it is possible to solve (10).
First, let us consider which register values need to be set to specific values. Since i = 8, from Table 13, we see that a_{6} to a_{10} and e_{6} to e_{14} get defined. Using CDE, the value of e_{10} is actually determined by the values of a_{6} to a_{10}. Using CDE, the values of e_{9} down to e_{6} determine the values of a_{5} down to a_{2}. So, the values of a_{2} to a_{10} and the values of e_{11} to e_{14} are fixed.
Once W_{0},W_{1} have been obtained, a collision can be constructed in a manner similar to that for the 22-round case and as shown in Table 12. The idea is to first run SHA-2 for two steps using W_{0} and W_{1}. This determines the registers (a_{1},...,h_{1}). Now, using Proposition 1, run SHA-2 step-by-step using W_{i} to set a_{i} to the desired value for 2 ≤ i ≤ 10. Then run SHA-2 step-by-step using W_{i} to set e_{i} to the desired value for 11 ≤ i ≤ 14. Finally, choose any value for W_{15}. The values of \(W_i^{\prime}\) are determined by the values of W_{i} and δW_{i} for 0 ≤ i ≤ 15. This gives a colliding message pair (W_{0},...,W_{15}) and \((W_0^{\prime},\ldots,W_{15}^{\prime})\).
Estimate of Computation Effort
The main computational effort is in solving (12) for W_{0} and W_{1} such that σ_{1}(W_{16} − 1) − σ_{1}(W_{16}) = − δ. We did not attempt an analytic solution. Instead, we tried random choices of W_{0} and W_{1} until we found a suitable W_{16}. There are \(\textsf {freq}_{\delta}\) values of W_{16} for which σ(W_{16}) − σ(W_{16} − 1) equals δ. On an average, success is obtained after \(\textsf {freq}_{\delta}\) trials. Each trial corresponds to about a single step of SHA-2 computation. So, the total cost of finding suitable W_{0} and W_{1} is about \(\frac{2^n}{\textsf {freq}_{\delta}\times 2^{4.5}}\) tries of 23-round SHA-2 computations.
SHA-256
The value of δ given in Table 14 is such that \(\textsf {freq}_{\delta}=2^{16}\). (See Table 2 in Section 2.3.) So, the complexity of finding 23-round SHA-256 collision is about 2^{11.5} tries of 23-round SHA-256 computations. A message pair colliding for 23-round SHA-256 is given in Table 18 of Appendix A.
SHA-512
In this case, we have estimates on \(\textsf {freq}_{\delta}\). (Again, see Section 2.3 for discussion on this issue.) For the particular value of δ given in Table 15, our estimate is \(\textsf {freq}_{\delta}\approx 2^{43}\). (See Table 3.) So, the effort required is about \(\frac{2^{64}}{2^{4.5}\times \textsf {freq}_{\delta}}\) = \(\frac{2^{21}}{2^{4.5}}\) = 2^{16.5} trials of 23-round SHA-512. A message pair colliding for 23-round SHA-512 is given in Table 21 of Appendix A.
Casei = 9
It is possible to place the local collision from Step 9 to Step 17 and then perform an analysis to show that it is possible to obtain 23-round collisions for both y = 0 and y = − 1. We do not provide these details, since a similar technique with an additional constraint is required for 24-round collision for which we provide complete details. An example of a collision obtained using this method is given in Table 19 of Appendix A.
6.2 24-round collisions
The SS local collision is placed from Step i = 10 to Step i + 8 = 18, i.e. (w,x,y,z) = (1, − 1, − 1,0). The message differences are as given by (8) where we choose u = 1. The values of δ_{1},δ_{2} need to be suitably chosen and then the values of λ,γ and μ can be found by solving (10) as explained in Section 5.2. From λ, we find α as explained earlier.
Since the collision ends at Step 18 and u = 1, from (8) we have δW_{17} = 1 and δW_{18} = − 1. To obtain a 24-round collision, we need to ensure δW_{19} = ⋯ = δW_{23} = 0.
Solving (20) Using Table Look-Up
An alternative approach would be to use a pre-computed table. For each of the 2^{n} possible W_{1}s (n is the word size 32 or 64), prepare a table of entries (W_{1}, − W_{1} + σ_{0}(W_{1})) sorted on the second column. Then all solutions (if there are any) for (20) can be found by a simple look-up into the table using D. The table would have 2^{n} entries and if a proper index structure is used, then the look-up can be done very quickly. We have not implemented this method.
- 1.
Make random choices for W_{0} and a_{2},a_{3}.
- 2.
Run SHA-2 with W_{0} and determine Φ_{0}.
- 3.
From a_{3} and a_{2} determine e_{7} and e_{6} using CDE.
- 4.
- 5.
Solve (20) for W_{1} using the guess-then-determine algorithm.
- 6.
Run SHA-2 with W_{1} to define a_{1},...,h_{1}.
- 7.
- 8.
Run SHA-2 with W_{2} to define a_{2},...,h_{2}.
- 9.
- 10.
Compute W_{17} and W_{18} using (18).
- 11.
If σ_{1}(W_{17} + 1) − σ_{1}(W_{17}) = − δ_{1} and σ_{1}(W_{18} − 1) − σ_{1}(W_{18}) = δ_{2}, then return W_{0},W_{1},W_{2} and W_{3}.
Estimate of Computation Effort
Let Step 5 involve a computation of g operations, where each operation is much faster than a single step of SHA-2; by our assessment the time for each operation is around 2^{ − 4} times the cost of a single step of SHA-2. Thus, the time for Step 5 is about \(\frac{g}{2^4}\) single SHA-2 steps. Further, let the success probability of the guess-then-determine attack be p. Then Step 5 needs to be repeated roughly \(\frac{1}{p}\) times to obtain a solution.
By the choice of δ_{1}, the equality σ_{1}(W_{17} + 1) − σ_{1}(W_{17}) = − δ_{1} holds roughly with probability \(\frac{\textsf {freq}_{\delta_1}}{2^n}\) while by the choice of δ_{2} the equality σ_{1}(W_{18} − 1) − σ_{1}(W_{18}) = δ_{2} holds roughly with probability \(\frac{\textsf {freq}_{\delta_2}}{2^n}\) and we obtain success in Step 11 with roughly \(\frac{\textsf {freq}_{\delta_1}\times \textsf {freq}_{\delta_2}}{2^{2n}}\) probability. So, the entire procedure needs to be carried out around \(\frac{2^{2n}}{\textsf {freq}_{\delta_1}\times \textsf {freq}_{\delta_2}}\) times to obtain a collision.
SHA-256
We choose \(\delta_2={\tt ff006001}\) with \(\textsf {freq}_{\delta_2}=2^{16}\). Also, we choose \(\delta_1={\tt 00006000}\) so that \(-\delta_1={\tt ffffa000}\) and \(\textsf {freq}_{-\delta_1}=2^{29}+2^{26}\). (See Table 2 in Section 2.3.) (For choices of δ_{2} with higher value of \(\textsf {freq}_{\delta_2}\) there are no solutions to the second equation of (10).)
For these values of δ_{1} and δ_{2}, it is possible to solve (10) to obtain suitable λ,γ and μ, which in turn determine α. An example of these values is shown in Table 14 in the row (24,9). (The same values also hold for obtaining 23-round collision by placing a local collision from Step 9 to 17.)
The values of g, \(\textsf {freq}_{\delta_1}\) and \(\textsf {freq}_{\delta_2}\) are 2^{18}, 2^{29} and 2^{16} respectively. So, the time complexity is about 2^{28.5} 24-round SHA-256 computations. In our experiments, we found that the computation effort required to find W_{0},...,W_{3} actually turns out to be less than the estimated effort of 2^{28.5} 24-round SHA-256 computations. The value of 2^{28.5} matches the figure given in [7], but [7] does not provide the detailed analysis of their cost. A message pair colliding for 24-round SHA-256 is given in Table 20 of Appendix A.
As already explained, if (20) is solved using a table look-up, then the cost reduces to about 2^{15.5} 24-round SHA-256 computations.
SHA-512
We choose \(\delta_2={\tt 600000000237}\) with \(\textsf {freq}_{\delta_2}\approx 2^{43}\). Also, we choose \(\delta_1={\tt 200000000008}\) so that \(\textsf {freq}_{-\delta_1}\approx 2^{61.5}\). See Table 3 in Section 2.3 For these values of δ_{1} and δ_{2}, it is possible to solve (10) to obtain suitable λ,γ and μ, which in turn determine α. An example of these values is shown in the row marked (24,10) of Table 15.
Note that using a table having 2^{64} entries to solve (20) will reduce the computational effort to about 2^{22.5} trials of 24-round SHA-512.
6.3 Guess-then-determine algorithm for solving (20)
For the ease of notation, in this section we will use W instead of W_{1}.
For SHA-256
This algorithm involves guessing W[14,0] and bits c_{0},c_{1},c_{2}, which is a total of 18 bits. If the equation D = − W + σ_{0}(W) does not have any solution, then none will be returned by this algorithm; on the other hand, if there is a solution or there are more than one solutions, then all solutions will be returned. A total of 2^{18} operations are required. The time for each operation is significantly less than the time for a single SHA-256 step and by our assessment it is about 2^{ − 4} times the time for a single SHA-256 step.
Note
In [7], it has been remarked that “by guessing the least 15 bits of W_{1} the entire W_{1} can be reconstructed and with probability 2^{ − 14} it is going to be correct”. No details are provided. In particular, the guess-then-determine algorithm that we have described is not present in [7].
In our experiments with SHA-256, we found that for almost every other value of D, (20) has solutions, the number of solutions being one or two. So, for a random choice of D, we consider (20) to hold with probability p ≈ 1.
For SHA-512
We explain how the guess-then-determine attack proceeds. Suppose that we guess W[7,0]. So we know the 7 bits W[7,1] and W[6,0]. Now, consider the lowest 7 bits of D + W. We need D + W to be equal to σ_{0}(W). The term σ_{0}(W) consists of 3 quantities XOR’ed, one of which, W[7,1], is already known. The other two quantities are W[13,7] and W[14,8]. So we can compute X = W[13,7] ⊕ W[14,8] = (D + W) ⊕ W[7,1]. Now, consider the least significant bit of X. This is the XOR of W[7] and W[8]. We already know W[7], so it is possible to compute W[8]. Once W[8] is known, we can compute W[9] by considering the second least significant bit of X. Continuing this way, we can get W[14,7].
In the algorithm, we use a function GTD, which takes low order 7i bits of W as input and produces low order 7i + 7 bits of W. This function is described at the end of the figure.
This algorithm involves guessing W[7,0] and bits c_{1},c_{2}, ...c_{7}, which is a total of 15 bits. If the equation D = − W + σ_{0}(W) does not have any solution, then none will be returned by this algorithm; on the other hand, if there is a solution or there are more than one solutions, then all solutions will be returned. A total of 2^{15} operations are required. The time for each operation is significantly less than the time for a single SHA-512 step and by our assessment it is about 2^{ − 4} times the time for a single SHA-512 step.
7 Concluding remarks
The method of attack described so far cannot be meaningfully extended beyond 24 steps as already mentioned in [7]. This is due to the fact that every extra step will introduce a new condition on the previous message words. The 24-round collision already utilized the freedom in the first message word W_{0}. To have a 25-round collision by starting the local collision at Step i = 11, will introduce impossibility in ensuring that the message word difference δW_{16} = 0. This is explained below.
Perhaps more fundamentally the problem is that, we are using only a single local collision. Since the local collision is nonlinear in nature, it is difficult to combine two or more such collisions. Further progress in analysis of step-reduced SHA-256 collisions will require some method to combined more than one (linear or non-linear) local collision.
Acknowledgements
We would like to thank the reviewers for suggesting changes to improve the readability of the paper.