Collisions for Step-Reduced SHA-256
In this article we find collisions for step-reduced SHA-256. We develop a differential that holds with high probability if the message satisfies certain conditions. We solve the equations that arise from the conditions. Due to the carefully chosen differential and word differences, the message expansion of SHA-256 has little effect on spreading the differences in the words. This helps us to find full collision for 21-step reduced SHA-256, semi-free start collision, i.e. collision for a different initial value, for 23-step reduced SHA-256, and semi-free start near collision (with only 15 bit difference out of 256 bits) for 25-step reduced SHA-256.
- 1.Secure Hash Standard. Federal Information Processing Starndard Publication 180-2. U.S. Department of Commerce, National Institute of Standards and Technology (NIST) (2004)Google Scholar
- 2.Gilbert, H., Handschuh, H.: Security analysis of SHA-256 and sisters. In: Matsui, M., Zuccherato, R.J. (eds.) Selected Areas in Cryptography, 2003. LNCS, vol. 3006, pp. 175–193. Springer, Heidelberg (2003)Google Scholar
- 3.Hawkes, P., Paddon, M., Rose, G.G.: On Corrective Patterns for the SHA-2 Family. Cryptology eprint Archive (August 2004), http://eprint.iacr.org/2004/207
- 5.Sanadhya, S.K., Sarkar, P.: New Local Collision for the SHA-2 Hash Family.Cryptology eprint Archive (2007), http://eprint.iacr.org/2007/352
- 6.Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
- 7.Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)Google Scholar