Security Analysis of SHA-256 and Sisters

  • Henri Gilbert
  • Helena Handschuh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3006)


This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux’s attack nor Dobbertin-style attacks apply. Differential and linear attacks also do not apply to the underlying structure. However, we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive-or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.
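The following is an added illustration, not code from the paper: a SHA-256-style compression function parameterised by the word "addition" it uses, run on symmetric inputs. It assumes the notion of symmetry used here (a 32-bit word whose two 16-bit halves are equal), constructed symmetric IV, round constants and message words (not the FIPS 180-2 values), and it supplies the 64 expanded message words directly, sidestepping the σ0/σ1 schedule functions whose logical shifts are not covered by this simple argument. Every operation in the round (rotations, Ch, Maj, XOR) maps symmetric words to symmetric words, so with XOR in place of modular addition the digest stays symmetric; the carries of modular addition are what break the property.

```python
# Added example (not the paper's code): SHA-256 state update with pluggable addition.
MASK = 0xFFFFFFFF

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def is_symmetric(w):
    """Assumed notion of symmetry: the two 16-bit halves of a 32-bit word are equal."""
    return (w >> 16) == (w & 0xFFFF)

def sym(h16):
    """Build the symmetric word (h16 || h16) from a 16-bit half."""
    return (h16 << 16) | h16

def modadd(x, y):
    return (x + y) & MASK

def xoradd(x, y):
    return x ^ y

def round_step(state, k, w, add):
    """One SHA-256 round as in FIPS 180-2; `add` is either modadd or xoradd."""
    a, b, c, d, e, f, g, h = state
    s1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)          # Sigma1: rotations only
    ch = (e & f) ^ ((~e & MASK) & g)                      # Ch: bitwise
    t1 = add(add(add(add(h, s1), ch), k), w)
    s0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)           # Sigma0: rotations only
    maj = (a & b) ^ (a & c) ^ (b & c)                     # Maj: bitwise
    t2 = add(s0, maj)
    return (add(t1, t2), a, b, c, add(d, t1), e, f, g)

def compress(iv, ws, ks, add):
    """64 rounds plus the feed-forward; ws are the 64 (already expanded) message words."""
    state = tuple(iv)
    for k, w in zip(ks, ws):
        state = round_step(state, k, w, add)
    return tuple(add(x, y) for x, y in zip(iv, state))

# Constructed symmetric IV, round constants and message words (NOT the standard's values).
IV = tuple(sym(0x1000 * i + 0x0ABC) for i in range(8))
KS = [sym((0x9E37 * (t + 1)) & 0xFFFF) for t in range(64)]
WS = [sym((0x7F4A * (t + 3)) & 0xFFFF) for t in range(64)]

if __name__ == "__main__":
    for name, add in (("modular add", modadd), ("xor", xoradd)):
        out = compress(IV, WS, KS, add)
        print(f"{name:12s} digest symmetric: {all(is_symmetric(w) for w in out)}")
```

A symmetric digest carries only 16 bits of freedom per word, which is why the abstract's simplified variant loses collision resistance; the standard's asymmetric constants and modular additions are what prevent the symmetry from propagating.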




References

  1. Biham, E., Dunkelmann, O., Keller, N.: Rectangle Attacks on 49-Round SHACAL-1. In: FSE 2003, Pre-proceedings of the conference, pp. 39–48 (2003)
  2. Black, J., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)
  3. den Boer, B., Bosselaers, A.: An attack on the last two rounds of MD4. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 194–203. Springer, Heidelberg (1992)
  4. Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)
  5. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
  6. Debaert, C., Gilbert, H.: The RIPEMDL and RIPEMDR Improved Variants of MD4 are not Collision Free. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, p. 52. Springer, Heidelberg (2002)
  7. Dobbertin, H.: Cryptanalysis of MD4. Journal of Cryptology 11(4) (1998) Springer-Verlag
  8. Dobbertin, H.: Cryptanalysis of MD5 Compress. Presented at the rump session of Eurocrypt 1996 (May 14, 1996)
  9. Dobbertin, H.: The status of MD5 after a recent attack. CryptoBytes 2(2) (1996)
  10. Dobbertin, H.: RIPEMD with two round compress function is not collision-free. Journal of Cryptology 10(1) (1997) Springer-Verlag
  11. Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: a strengthened version of RIPEMD (April 1999),
  12. Handschuh, H., Knudsen, L., Robshaw, M.: Analysis of SHA-1 in encryption mode. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 70–83. Springer, Heidelberg (2001)
  13. Handschuh, H., Naccache, D.: SHACAL: A Family of Block Ciphers. Submission to the NESSIE project (2002), Available from
  14. National Institute of Standards and Technology (NIST): FIPS Publication 180-1: Secure Hash Standard (April 1994)
  15. National Institute of Standards and Technology (NIST): FIPS 180-2 (2002),
  16. National Institute of Standards and Technology (NIST): FIPS Publication 197: Advanced Encryption Standard, AES (2001)
  17. van Oorschot, P.C., Wiener, M.J.: Parallel Collision Search with Cryptanalytic Applications. Journal of Cryptology 12(1) (1999) Springer-Verlag
  18. Preneel, B., Govaerts, R., Vandewalle, J.: Differential cryptanalysis of hash functions based on block ciphers. In: Proc. 1st ACM Conference on Computer and Communications Security, pp. 183–188 (1993)
  19. Bosselaers, A., Preneel, B. (eds.): RIPE 1992. LNCS, vol. 1007. Springer, Heidelberg (1995)
  20. Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)
  21. Rivest, R.L.: RFC 1321: The MD5 message digest algorithm. M.I.T. Laboratory for Computer Science and RSA Data Security, Inc. (April 1992)
  22. Saarinen, M.-J.O.: Cryptanalysis of Block Ciphers Based on SHA-1 and MD5. In: FSE 2003, Pre-proceedings of the conference, pp. 39–48 (2003)
  23. Vaudenay, S.: On the need for multipermutations: Cryptanalysis of MD4 and SAFER. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 286–297. Springer, Heidelberg (1995)

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Henri Gilbert (1)
  • Helena Handschuh (2)
  1. France Télécom R&D, FTRD/DTL/SSR, Issy-Les Moulineaux
  2. GEMPLUS, Security Technologies Department, Issy-les-Moulineaux
