Advances in Cryptology – ASIACRYPT 2009

Volume 5912 of the series Lecture Notes in Computer Science pp 578-597

Preimages for Step-Reduced SHA-2

  • Kazumaro AokiAffiliated withNTT Information Sharing Platform Laboratories, NTT Corporation
  • , Jian GuoAffiliated withDivision of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University
  • , Krystian MatusiewiczAffiliated withDepartment of Mathematics, Technical University of Denmark
  • , Yu SasakiAffiliated withNTT Information Sharing Platform Laboratories, NTT CorporationUniversity of Electro-Communications
  • , Lei WangAffiliated withUniversity of Electro-Communications


In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2251.9, 2509 for finding pseudo-preimages and 2254.9, 2511.5 compression function operations for full preimages. The memory requirements are modest, around 26 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.


SHA-256 SHA-512 hash preimage attack meet-in-the-middle