Advances in Cryptology – ASIACRYPT 2009

Volume 5912 of the series Lecture Notes in Computer Science pp 578-597

Preimages for Step-Reduced SHA-2

  • Kazumaro AokiAffiliated withLancaster UniversityNTT Information Sharing Platform Laboratories, NTT Corporation
  • , Jian GuoAffiliated withLancaster UniversityDivision of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University
  • , Krystian MatusiewiczAffiliated withLancaster UniversityDepartment of Mathematics, Technical University of Denmark
  • , Yu SasakiAffiliated withLancaster UniversityCarnegie Mellon UniversityNTT Information Sharing Platform Laboratories, NTT CorporationUniversity of Electro-Communications
  • , Lei WangAffiliated withCarnegie Mellon UniversityUniversity of Electro-Communications


In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2251.9, 2509 for finding pseudo-preimages and 2254.9, 2511.5 compression function operations for full preimages. The memory requirements are modest, around 26 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.


SHA-256 SHA-512 hash preimage attack meet-in-the-middle