Evaluate the security margins of SHA-512, SHA-256 and DHA-256 against the boomerang attack

Abstract

For an n-bit random permutation, there are three types of boomerang distinguishers, denoted as Type I, II and III, with generic complexities 2ⁿ, 2^n/3 and 2^n/2 respectively. In this paper, we try to evaluate the security margins of three hash functions namely SHA-512, SHA-256 and DHA-256 against the boomerang attack. Firstly, we give a boomerang attack on 48-step SHA-512 with a practical complexity of 2⁵¹. The correctness of this attack is verified by providing a Type III boomerang quartet. Then, we extend the existing differential characteristics of the three hash functions to more rounds. We deduce the sufficient conditions and give thorough evaluations to the security margins as follows: Type I boomerang method can attack 54-step SHA-512, 51-step SHA-256 and 46-step DHA-256 with complexities 2⁴⁸⁰, 2²¹⁸ and 2²³⁶ respectively. Type II boomerang method can attack 51-step SHA-512, 49-step SHA-256 and 43-step DHA-256 with complexities 2^158.50, 2^72.91 and 2^74.50 respectively. Type III boomerang method can attack 52-step SHA-512, 50-step SHA-256 and 44-step DHA-256 with complexities 2^223.80, 2^123.63 and 2^99.85 respectively.

摘要

创新点

本文研究了飞去来器方法对 SHA-512, SHA-256 和 DHA-256 三种哈希函数的攻击效率。 首次给出了对 48 轮 SHA-512 的实际飞去来器攻击结果, 攻击复杂度为$2^{51}$。 通过扩展现有的查分路径, 证明:

1. I

   型飞去来器方法可以攻击 54 轮 SHA-512, 51 轮 SHA-256 和 46 轮 DHA-256。 攻击复杂度分别为$2^{480}$, $2^{218}$和$2^{236}$。

2. II

   型飞去来器方法可以攻击 51 轮 SHA-512, 49 轮 SHA-256 和 43 轮 DHA-256。 攻击复杂度分别为$2^{158.50}$, $2^{72.91}$和$2^{74.50}$。

3. III

   型飞去来器方法可以攻击 52 轮 SHA-512, 50 轮 SHA-256 和 44 轮 DHA-256。 攻击复杂度分别为$2^{223.80}$, $2^{123.63}$和$2^{99.85}$。

References

1. 1

   Wang X Y, Yu H B. How to break MD5 and other hash functions. In: Proceedings of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, 2005. 19–35

2. 2

   Wang X Y, Yin Y L, Yu H B. Finding collisions in the full SHA-1. In: Proceedings of 25th Annual International Cryptology Conference, Santa Barbara, 2005. 17–36

3. 3

   Kayser R F. Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Register, 2007, 72: 62

4. 4

   Isobe T, Shibutani K. Preimage attacks on reduced Tiger and SHA-2. In: Proceedings of 16th International Workshop on Fast Software Encryption, Leuven, 2009. 139–155

5. 5

   Guo J, Ling S, Rechberger C, et al. Advanced meet-in-the-middle preimage attacks: first results on full Tiger, and improved results on MD4 and SHA-2. In: Proceedings of 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, 2010. 56–75

6. 6

   Khovratovich D, Rechberger C, Savelieva A. Bicliques for preimages: attacks on Skein-512 and the SHA-2 Family. In: Proceedings of 19th International Workshop on Fast Software Encryption, Washington, DC, 2012. 244–263

7. 7

   Mendel F, Pramstaller N, Rechberger C, et al. Analysis of step-reduced SHA-256. In: Proceedings of 13th International Workshop on Fast Software Encryption, Graz, 2006. 126–143

8. 8

   Sanadhya S K, Sarkar P. New collision attacks against up to 24-step SHA-2. In: Proceedings of 9th International Conference on Cryptology in India, Kharagpur, 2008. 91–103

9. 9

   Nikolic I, Biryukov A. Collisions for step-reduced SHA-256. In: Proceedings of 15th International Workshop on Fast Software Encryption, Lausanne, 2008. 1–15

10. 10

    Indesteege S, Mendel F, Preneel B, et al. Collisions and other non-random properties for step-reduced SHA-256. In: Proceedings of 15th International Workshop on Selected Areas in Cryptography, Sackville, 2008. 276–293

11. 11

    Mendel F, Nad T, Schläffer M. Finding SHA-2 characteristics: searching through a minefield of contradictions. In: Proceedings of 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, 2011. 288–307

12. 12

    Mendel F, Nad T, Schläffer M. Improving local collisions: new attacks on reduced SHA-256. In: Proceedings of 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, 2013. 262–278

13. 13

    Lee J, Chang D, Kim H, et al. A new 256-bit hash function DHA-256: enhancing the security of SHA-256. In: Proceedings of Cryptographic Hash Workshop Hosted by NIST, 2005. https://cse.sc.edu/~buell/csce557/NIST SHA/ChangD DHA256.pdf

14. 14

    Wagner D. The boomerang attack. In: Proceedings of 6th International Workshop on Fast Software Encryption, Rome, 1999. 156–170

15. 15

    Kelsey J, Kohno T, Schneier B. Amplified boomerang attacks against reduced-round MARS and Serpent. In: Proceedings of 7th International Workshop on Fast Software Encryption, New York, 2000. 75–93

16. 16

    Biham E, Dunkelman O, Keller N. The rectangle attack—rectangling the Serpent. In: Proceeding of International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, 2001. 340–357

17. 17

    Biham E, Dunkelman O, Keller N. Related-Key boomerang and rectangle attacks. In: Proceedings of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, 2005. 507–525

18. 18

    Biryukov A, Nikolic I, Roy A. Boomerang attacks on BLAKE-32. In: Proceedings of 18th International Workshop on Fast Software Encryption, Lyngby, 2011. 218–237

19. 19

    Lamberger M, Mendel F. Higher-order differential attack on reduced SHA-256. IACR Cryptology ePrint Archive. 2011. 37. https://eprint.iacr.org/2011/037.pdf

20. 20

    Biryukov A, Lamberger M, Mendel F, et al. Second-order differential collisions for reduced SHA-256. In: Proceedings of 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, 2011. 270–287

21. 21

    Mendel F, Nad T. Boomerang distinguisher for the SIMD-512 compression function. In: Proceedings of 12th International Conference on Cryptology in India, Chennai, 2011. 255–269

22. 22

    Sasaki Y, Wang L. Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions. In: Proceedings of 10th International Conference on Applied Cryptography and Network Security, Singapore, 2012. 275–292

23. 23

    Sasaki Y, Wang L, Takasaki Y, et al. Boomerang distinguishers for full HAS-160 compression function. In: Proceedings of 7th International Workshop on Security, Fukuoka, 2012. 156–169

24. 24

    Leurent G, Roy A. Boomerang attacks on hash function using auxiliary differentials. In: Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, 2012. 215–230

25. 25

    Yu H B, Chen J Z, Wang X Y. The boomerang attacks on the round-reduced Skein-512. In: Proceedings of 19th International Conference on Selected Areas in Cryptography, Windsor, 2012. 287–303

26. 26

    Kircanski A, Shen Y Z, Wang G L, et al. Boomerang and slide-rotational analysis of the SM3 hash function. In: Proceedings of 19th International Conference on Selected Areas in Cryptography, Windsor, 2012. 304–320

27. 27

    Bai D X, Yu H B, Wang G L, et al. Improved boomerang attacks on SM3. In: Proceedings of 18th Australasian Conference on Information Security and Privacy, Brisbane, 2013. 251–266

28. 28

    Bai D X, Yu H B, Wang G L, et al. Improved boomerang attacks on round-reduced SM3 and keyed permutation of BLAKE-256. IET Inf Secur, 2015, 9: 167–178

29. 29

    AlTawy R, Kircanski A, Youssef A M. Second order collision for the 42-step reduced DHA-256 hash function. Inf Process Lett, 2013, 113: 764–770

30. 30

    Menezes A, van Oorschot P C, Vanstone S A. Handbook of Applied Cryptography. CRC Press, 1996

31. 31

    US Department of Commerce. National Bureau of Standards, Secure Hash Algorithm, FIPS PUB 180-3. 2008

32. 32

    Wagner D. A generalized birthday problem. In: Proceedings of 22nd Annual International Cryptology Conference, Santa Barbara, 2002. 288–303