Analysis of SHA512/224 and SHA512/256
 12 Citations
 1.5k Downloads
Abstract
In 2012, NIST standardized SHA512/224 and SHA512/256, two truncated variants of SHA512, in FIPS 1804. These two hash functions are faster than SHA224 and SHA256 on 64bit platforms, while maintaining the same hash size and claimed security level. So far, no thirdparty analysis of SHA512/224 or SHA512/256 has been published. In this work, we examine the collision resistance of stepreduced versions of SHA512/224 and SHA512/256 by using differential cryptanalysis in combination with sophisticated search tools. We are able to generate practical examples of freestart collisions for 44step SHA512/224 and 43step SHA512/256. Thus, the truncation performed by these variants on their larger state allows us to attack several more rounds compared to the untruncated family members. In addition, we improve upon the best published collisions for 24step SHA512 and present practical collisions for 27 steps of SHA512/224, SHA512/256, and SHA512.
Keywords
Hash functions Cryptanalysis Collisions Freestart collisions SHA512/224 SHA512/256 SHA512 SHA21 Introduction
The SHA2 family of hash functions is standardized by NIST as part of the Secure Hash Standard in FIPS 1804 [21]. This standard is not superseded by the upcoming SHA3 standard. Rather, the SHA3 hash functions supplement the SHA2 family. Thus, it is likely that the SHA2 family will remain as ubiquitously deployed in the foreseeable future as it is now. Therefore, the continuous application of stateoftheart cryptanalytic techniques for quantifying the security margin of hash functions of the SHA2 family is of significant practical importance.
In this work, we focus on the two most recent members of the SHA2 family, SHA512/224 and SHA512/256. As already observed by Gueron et al. [10], using truncated SHA512 variants like SHA512/256 gives a significant performance advantage over SHA256 on 64bit platforms due to the doubled input block size. At the same time, the shorter 256bit hash values are more economic, compatible with existing applications, and offer the same security level as SHA256. In addition, the resulting chopMD [5] structure of SHA512/224 and SHA512/256 with is widepipe structure provides cryptographic benefits over the standard MerkleDamgård [7, 20] structure by prohibiting generic attacks like Joux’ multicollision attack [12], Kelsey and Kohno’s herding and Nostradamus attacks [13], and Kelsey and Schneier’s second preimages for long messages [14].
Best published collision attacks on the SHA512 family.
Hash size  Type  Steps  Complexity  Reference 

all  collision  24/80  practical  
collision  27/80  practical  Sect. 4.3  
semifreestart collision  38/80  practical  [9]  
semifreestart collision  39/80  practical  Sect. 4.1  
512  freestart collision  57/80  \(2^{255.5}\)  [17] 
384  freestart collision  40/80  \(2^{183}\)  [17] 
256  freestart collision \(^{\varvec{*}}\)  43/80  practical  Sect. 4.2 
224  freestart collision \(^{\varvec{*}}\)  44/80  practical  Sect. 4.2 
Related Work. No dedicated cryptanalysis of SHA512/224 or SHA512/256 has been published so far. However, there is a number of results targeting SHA512. The security of SHA512 against preimage attacks was first studied by Aoki et al. [1]. They presented MITM preimage attacks on 46 steps of the hash function. This was later extended to 50 steps by Khovratovich et al. [15]. However, due to the widepipe structure of SHA512/224 and SHA512/256, these attacks do not carry over to SHA512/224 and SHA512/256.
The currently best known practical collision attack on the SHA512 hash function is for 24 steps. It was published independently by Indesteege et al. [11] and by Sanadhya and Sarkar [23]. Both attacks are trivial extensions of the attack strategy of Nikolić and Biryukov [22] which applies to both SHA256 and SHA512. Recently, Eichlseder et al. [9] demonstrated how to extend these attacks to get semifreestart collisions for SHA512 reduced to 38 steps with practical complexity. Furthermore, secondorder differential collisions for SHA512 up to 48 steps with practical complexity have been shown by Yu et al. [27]. We want to note that all these practical collision attacks on SHA512 are also applicable to its truncated variants.
Additionally, Li et al. showed in [17] that particular preimage attacks on SHA512 can also be used to construct freestart collision attacks for the stepreduced hash function and its truncated variants. They show a freestart collision for 57step SHA512 and 40step SHA384. Both attacks are only slightly faster than the respective generic attacks.
Outline. The remainder of the paper is organized as follows. We describe the design of the SHA2 family in Sect. 2. Then, we briefly explain our attack strategy and discuss the choice of suitable starting points for our attacks in Sect. 3. The actual attacks on stepreduced SHA512/224 and SHA512/256 are presented in Sect. 4.
2 Description of SHA512 and Other SHA2 Variants
The SHA2 family of hash functions is specified by NIST as part of the Secure Hash Standard (SHS) [21]. The standard defines two main algorithms, SHA256 and SHA512, with truncated variants SHA224 (based on SHA256) and SHA512/224, SHA512/256, and SHA384 (based on SHA512). In addition, NIST defines a general truncation procedure for arbitrary output lengths up to 512 bits. Below, we first describe SHA512, followed by its truncated variants SHA512/224 and SHA512/256 that this paper is focused on. Finally, the main differences to SHA256 and SHA224 are briefly discussed.
In the following, we briefly describe the compression function f of SHA512. It basically consists of two parts: the message expansion and the state update transformation. A more detailed description of SHA512 is given by NIST [21].
We use \(+\) (or \(\)) to denote addition (or subtraction) modulo \(2^{64}\); \(\oplus \) (or \(\wedge \)) is bitwise exclusiveor (or bitwise and) of 64bit words, and \(\ggg n\) (or \(\gg n\)) denotes rotateright (or shiftright) by n bits.
SHA512/256 and SHA512/224. These truncated variants of SHA512 differ only in their initial values and a final truncation to 256 or 224 bits, respectively. The rest of the algorithmic description remains exactly the same. The message digest of SHA512/256 is obtained by omitting the output words \(E_{79}+E_{1}\), \(E_{78}+E_{2}\), \(E_{77}+E_{3}\), and \(E_{76}+E_{4}\) of the last compression function call. SHA512/224 additionally omits the 32 least significant bits of \(A_{76}+A_{4}\).

The wordsize is 32 instead of 64 bits.

IV and \(K_i\) are the 32 most significant bits of the respective SHA512 value.

The step function is applied 64 instead of 80 times.

The linear functions \(\sigma _0, \sigma _1, \varSigma _0\) and \(\varSigma _1\) use different rotation values.
SHA224 is a truncated variant of SHA256 with different IV, in which the output word \(E_{60} + E_{4}\) is omitted.
3 Attack Strategy
Starting from the groundbreaking results of Wang et al. [25, 26], the search techniques used for practical collisions have been significantly improved, hitting their current peak in the attacks on SHA256 [2, 19] and SHA512 [9, 27]. In spite of all achieved improvements, the toplevel attack strategy has remained essentially the same. At first, a suitable starting point for the search must be determined to define the search space and hopefully make the ensuing search process feasible. The search itself usually involves two phases: The search for a suitable differential characteristic, and the message modification phase to determine a collisionproducing message pair for this characteristic. The search for this characteristic and message pair can either be done by hand or, for more complex functions like SHA2, using an automatic search tool. We use a heuristic search tool based on a guessanddetermine strategy, which we briefly describe in Sect. 3.1. Afterwards, we discuss the choice of suitable starting points in Sect. 3.2.
3.1 GuessandDetermine Search Tool
To search for differential characteristics and colliding message pairs, we use an automatic search tool, which implements a configurable heuristic guessanddetermine search strategy. Roughly, the tool is partitioned into two separate, but closely interacting parts: The representation of the analyzed cryptographic primitive and the search procedure.
Representation. The tool internally represents differences at bit level, allowing to store all possible stages from a completely unrestricted bit over signed differences down to exact values. Thus, the same tool can be used in the search for a characteristic and in the search for a message pair. The conditions are grouped in words representing the internal variables of the hash function. These words can then be connected with any operations (typically bitwise functions or modular additions) to define the hash function.

Guess: Pick a bit and guess its value (e.g., no difference, or a specific assignment).

Determine: The previous guess influences other connected bit conditions. Determine these effects, which might result in further refinement of other bit conditions, or a contradiction.

Backtrack: If a contradiction is detected, resolve this conflict by undoing previous guesses and replacing them with other choices.
This simple approach alone is not sufficient to go through the whole search space, so numerous refinements have been proposed to finetune this method. These include the detection of twobit conditions [18], backtracking strategies, and a lookahead approach to guide the search [9]. Additionally, SHA2specific heuristics and strategies [18, 19] have been proposed, deciding which parts of the state to guess with higher priority.
3.2 Finding Starting Points for SHA2
Local Collisions. All our results are based on “local collisions” in the message expansion: by carefully selecting (expanded) message words in the middle steps so that the differences can cancel out in as many consecutive steps as possible in the forward and backward expansion, i.e., the first and last few expanded message words contain no differences. The t middle steps with differences can induce differences in the \(A_i\) and \(E_i\) words. However, the \(W_i\) words can be used to achieve zero difference in the last 4 of the t words \(E_i\), and in the last 8 of the t words \(A_i\). This is necessary to obtain words with zero difference in the very last 4 steps of the state update and thus in the output chaining value.
As an example, the starting point for the 27step collisions for SHA256 [18] allows differences in expanded message words \(W_7, W_8, W_{12}, W_{15}\), and \(W_{17}\), as well as state words \(E_7, \ldots , E_{13}\) and \(A_7, \ldots , A_{10}\). The exact bitwise signed differences are chosen during the search such that any potential differences in \(W_{19}, W_{22}, W_{23}, W_{24}\), as well as \(E_{14}, \ldots , E_{17}\) and \(A_{10}, \ldots , A_{13}\) cancel out. The resulting starting point is illustrated in Fig. 3a. We show in Sect. 4.3 how the same starting point can be used for SHA512.
The semifreestart collision starting point covering the most steps so far is for 38 steps of SHA256 [19] and SHA512 [9], with a local collision spanning \(t=18\) steps. Considering the large number of steps, the number of expanded message words with differences and cancellations is remarkably low: only 6 words with differences, and 6 words imposing cancellation conditions.
SemiFreeStart Collisions and Collisions. The discussed starting points are targeted to find semifreestart collisions, that is, different messages \(m, m'\) and an IV \(h_0\) such that \(f(h_0, m) = f(h_0, m')\). However, they can also be used for hash function collisions with the original IV \(h_0\) by trading the freedom of the IV for freedom in the message words.
In order to find hash function collisions, the first few message words \(W_i\) must retain sufficient freedom (i.e., they should not be constrained by conditions from the message expansion for cancelling differences) to allow to match the correct IV value. Ideally, this means that the first 8 message words \(W_0, \ldots , W_7\) are free of any conditions (no differences, but also not constrained by conditions from other message words connected via the message expansion). If the \(W_i\) differences are sparse enough overall, it can also be sufficient to have at least 5 words \(W_0, \ldots , W_4\) free of conditions by providing the remaining freedom with a twoblock approach [19].
The starting points of Fig. 3a and 3b both have at least 7 message words free of differences in the beginning. However, the local collision shown in Fig. 3b spans over \(t=19\) steps. Thus, the first message words are constrained by many conditions, leaving not enough freedom to match the correct IV. In contrast, the 11step local collision shown in Fig. 3a provides enough freedom in the first 7 message words to be used in a singleblock collision attack [18].
4 Collision Attacks for Truncated SHA512 Variants
The hash functions SHA512/224 and SHA512/256 differ from SHA512 in their IV and a final processing step, which truncates the 512bit state to 224 or 256 bits, respectively. Consequently, the semifreestart collisions demonstrated for SHA512 [9] are also valid for these truncated versions (since the IV is nonstandard anyway in this attack scenario). In this section, we first improve these results by providing 39step semifreestart collisions for SHA512 and its variants. We then extend this result to freestart collisions for 43step SHA512/256 and 44step SHA512/224. By freestart collisions, we mean two messages \(m, m'\) and two IVs \(h_0, h_0'\) such that the hash values of m (under IV \(h_0\)) and \(m'\) (under IV \(h_0'\)) collide. Note that freestart collisions are not equivalent to collisions of the compression function for truncated SHA2 versions, since the truncated output bits of the last compression function call may contain differences. Additionally, we present collisions for 27 steps of SHA512, SHA512/224, and SHA512/256.
4.1 Semifreestart Collisions
We use the 39step starting point from Fig. 3b. Previous work showed that sparse differences particularly in the \(A_i\) words are essential for the success probability of the message modification phase. For this reason, we additionally require that in 6 words between \(A_{8}\) and \(A_{18}\), namely \(A_{11}, A_{12}, A_{13}, A_{14}, A_{15}\), and \(A_{17}\), differences also cancel out. The five consecutive zerodifference words in \(A_i\) also force \(E_{15}\) to zero difference. These additional requirements are already marked in Fig. 3b (hatched area).
The first task for the search procedure with the solving tool is to fix a suitable signed characteristic. Compared to the previously published 38step SHA512 semifreestart collision [9], the local collision for our starting point spans 19 steps (compared to previously 18) and has 9 (previously 6) active expanded message words. Cancellations are also required in 9 (previously 6) expanded message words. This increases the necessity for very sparse differences in \(A_i\) and \(W_i\) in steps 16–26. For this reason, we require a singlebit difference in \(W_{26}, W_{17}\) and \(A_{18}\), and very low Hamming weights for the other words. We finally found a characteristic with at most two active bits in almost all words of \(A_i\) and \(W_i\) (except \(A_{9}, A_{10}, W_{11}, W_{12}\)).
After the characteristic is fixed, we need to find a complying message pair. We start by guessing the dense parts in \(A_i\) and \(E_i\), hoping that the sparser conditions in the later steps are fulfilled probabilistically. Since the dense parts are already almost fully determined by the characteristics and the sparse parts pose only so few conditions, a message pair is easily found. The result is a semifreestart collision valid for all SHA512 variants. We give an example in Appendix A in Table 4a.
4.2 FreeStart Collisions
Freestart collisions are a generalization of semifreestart collisions, so the 39step results obtained in the previous section give a first result for SHA512/224 and SHA512/256. However, we can take advantage of the truncated output bits to add several more steps. If we add another step in the beginning or in the end, the existing difference pattern remains unchanged, but there will be differences in the word \(W_0\) (computable via backward expansion, which includes \(W_{i+9} = W_{9}\), the previous \(W_{8}\) from Fig. 3b) or in the new word \(W_{39}\) (via the normal forward expansion, which includes \(W_{3915} = W_{24}\)), respectively. These, in turn, can imply differences in \(E_{4}\) or in \(A_{39}\) and \(E_{39}\), which translates to differences in the IV (turning semifreestart into freestart results, and included in the hash value via the feedforward) or directly in the compression function output, respectively.
The advantage of adding steps in the beginning is that it is possible to limit the additional differences in the state update words to E, and keep A free of new differences. Any differences in \(E_{1}, \ldots , E_{4}\) will be added to the compression function output with the final feedforward, but the corresponding words of the result are truncated, so the hash outputs still collide.
For the search procedure with the solving tool, we fixed the signed differences of steps 12–30 to the same values as the 39step SHA512 semifreestart collision of Sect. 4.1. Then, to complete the characteristic, we first search for a valid solution for the dense part of the middle steps (\(A_i\) and \(E_i\) in steps 13–16, and \(E_i\) in steps 17–27), and finally fix the corresponding message words \(W_i\) in steps 13–17, which determines the complete state, including the dense differences in the prepended steps and IV.
The search only takes seconds on a standard computer; an example for a freestart collision is given in Appendix A in Table 3a.
FreeStart Collisions for 44Step SHA512/224. A very similar strategy can be employed to extend the previous 43step freestart collision by another step for SHA512/224. Prepending an additional step shifts the difference of previous word \(E_{1}\) to \(E_0\), which in turn requires a cancellation in \(A_0\) and a difference in \(A_{4}\), as illustrated in Fig. 4b. However, only the least significant 32 bits of the corresponding compression function output word are truncated. Furthermore, this output word is computed from \(A_{4}\) via modular addition, so even differences only in the lower 32 bits can possibly cause differences in the untruncated output bits.
Fortunately, the underlying characteristic of signed differences as used for the 39step SHA512 semifreestart collision is well compatible with our constraints: The difference in \(A_{4}\) needs to cancel that in \(W_4\) in a modular addition (via \(E_0\), by Eqs. (3) and (2) or Fig. 2, since all other involved words have zero difference). This difference of \(W_4\), in turn, is dictated by that in \(W_{13}\) (by the update rule for \(W_{20}\), where again all other involved words have zero difference). None of these equalities involves any of the bitwise functions \(\sigma , \varSigma \), MAJ or IF. Thus, the modular difference in \(A_{4}\) must be the same as that in \(W_{13}\), which is already fixed by the underlying characteristic to a modular difference of \(+32\). Written as bitwise differences, this will translate to a singlebit difference (in the sixth least significant bit) with probability \(\frac{1}{2}\) (which does not carry over to the untruncated bits of the final output with overwhelming probability). Indeed, the example for a freestart collision given in Appendix A in Table 2a only displays this singlebit difference in \(A_{4}\) (and no carries in the output bits).
4.3 Collisions
So far, the best practical collisions found for SHA512 are those for 24 steps, proposed independently by Sanadhya and Sarkar [23] and Indesteege et al. [11], together with 24step collisions for SHA256. While the results for SHA256 have since been improved to 27 [18], 28 [19] (both practical), and finally 31 steps [19] (theoretical attack with almost practical complexity), no such improvements have been proposed for SHA512 so far. The main reason for this seems to be the doubling in state size from SHA256 to SHA512; this larger search space increases the difficulty of the problem for the search tools.
Starting Point for SHA512. Since the message expansion is essentially the same for all SHA2 variants (except for different word sizes and rotation values, of course), the SHA256 starting points can theoretically also be used for SHA512. However, the resulting search complexity is different. For our results, we used the 27step starting point (based on a local collision over the \(t=11\) steps 7–17), as illustrated in Fig. 3a. Just as the 39step semifreestart starting point (Fig. 3b), it requires that differences cancel in E in 4 of the t steps (\(E_{14}, \ldots , E_{17}\)) and in A in the 4 previous steps (\(A_{10}, \ldots , A_{13}\)), as well as in several steps of the message expansion.
Finding a solution from this starting point requires significantly more effort than for SHA256. Of course, we also tried to expand our search to the closely related 28step starting point, which adds an additional step in the beginning of the 27step version. However, with the additional constraints imposed on the message expansion by this added step we could not find any suitable (reasonably sparse) characteristics.
In contrast to the results from Sect. 4.2, since the IV needs to exactly match the original IV, we were not able to take advantage of the final truncation to simplify the search process, or add additional steps. We first search a characteristic for SHA512, and then try to use it to match the different IVs for SHA512/224 and SHA512/256.
Search Strategy. The search progresses in several stages, as illustrated in Fig. 5:
 1.Fix Signed Characteristic:
 (a)
Find Candidate Characteristic (Fig. 5a): First fix the signed differences of the message expansion W (5 words) and state update A (3 words). Since the word \(W_{17}\) poses conditions on the first few message words, whose freedom we will later need to match the IV, we focus on keeping its signed difference as sparse as possible, with only few difference bits. With much lower priority, also determine the differences in the state update words E (7 words) to complete the signed characteristic. The characteristic is very dense in E, but this only has limited influence on the success of the IV matching phase.
 (b)
Verify Dense Parts (Fig. 5b): Fully determine the values of A and E in the densest steps 7–9 to verify the validity of the candidate characteristic. If necessary, fix any remaining free bits of A and E in steps 10–11. This fully determines \(A_3, \ldots , A_{11}\), \(E_7, \ldots , E_{11}\) and \(W_{11}\).
To maneuver the search process in the large search space and detect contradictions as soon as possible, we need to apply the lookahead strategies previously employed for semifreestart collisions on SHA512 [9] in this stage (with 16 lookahead candidates per guess).
 (a)
 2.Message Modification to Match IV: Starting from the best signed characteristics of the previous stage, with the correct IV inserted, find a solution message pair step by step:
 (a)
Match IV (Fig. 5c): Fix the values in the more difficult, heavily constrained words first (\(W_{10}, W_9, W_8, W_7\)). Choosing \(W_{10}\) and \(W_9\) also determines \(A_2\) and \(A_1\) (via \(E_6\) and \(E_5\)). Together with \(W_7\), \(W_8\), and the IV, this determines all values in steps 0–11.
 (b)
Finalize Message for Sparse Parts (Fig. 5d): choosing the 4 remaining message words \(W_{12}, \ldots , W_{15}\) allows to satisfy the remaining, sparse parts of the characteristic in steps 12–26 with high probability.
Unlike the other stages, guesses are not made randomly here, but systematically wordbyword. Since most conditions are from modular additions, we always start from the least significant bits and proceed towards the more significant bits. This last stage needs to be repeated for each IV separately, which takes some hours on a single CPU per target IV.
 (a)
Notes
Acknowledgments
This research (or a part of this research) is supported by Cryptography Research and Evaluation Committee (CRYPTREC) and by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number 836628 (SeCoS).
Supplementary material
References
 1.Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for stepreduced SHA2. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 578–597. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 2.Biryukov, A., Lamberger, M., Mendel, F., Nikolic, I.: Secondorder differential collisions for reduced SHA256. In: Lee and Wang [16], pp. 270–287Google Scholar
 3.Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990) zbMATHGoogle Scholar
 4.Canteaut, A. (ed.): FSE 2012. LNCS, vol. 7549. Springer, Heidelberg (2012) zbMATHGoogle Scholar
 5.Coron, J., Dodis, Y., Malinaud, C., Puniya, P.: MerkleDamgård revisited: How to construct a hash function. In: Shoup [24], pp. 430–448Google Scholar
 6.Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005) zbMATHGoogle Scholar
 7.Damgård, I.: A design principle for hash functions. In: Brassard [3], pp. 416–427Google Scholar
 8.De Cannière, C., Rechberger, C.: Finding SHA1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 9.Eichlseder, M., Mendel, F., Schläffer, M.: Branching heuristics in differential collision search with applications to SHA512. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 473–488. Springer, Heidelberg (2015) Google Scholar
 10.Gueron, S., Johnson, S., Walker, J.: SHA512/256. In: Latifi, S. (ed.) Information Technology: New Generations – ITNG 2011, pp. 354–358. IEEE Computer Society (2011)Google Scholar
 11.Indesteege, S., Mendel, F., Preneel, B., Rechberger, C.: Collisions and other nonrandom properties for stepreduced SHA256. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 276–293. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 12.Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004) CrossRefGoogle Scholar
 13.Kelsey, J., Kohno, T.: Herding hash functions and the nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 14.Kelsey, J., Schneier, B.: Second preimages on \(n\)bit hash functions for much less than \(2^n\) work. In: Cramer [6], pp. 474–490Google Scholar
 15.Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: Attacks on Skein512 and the SHA2 family. In: Canteaut [4], pp. 244–263Google Scholar
 16.Lee, D.H., Wang, X. (eds.): ASIACRYPT 2011. LNCS, vol. 7073. Springer, Heidelberg (2011) zbMATHGoogle Scholar
 17.Li, J., Isobe, T., Shibutani, K.: Converting meetinthemiddle preimage attack into pseudo collision attack: Application to SHA2. In: Canteaut [4], pp. 264–286Google Scholar
 18.Mendel, F., Nad, T., Schläffer, M.: Finding SHA2 characteristics: Searching through a minefield of contradictions. In: Lee and Wang [16], pp. 288–307Google Scholar
 19.Mendel, F., Nad, T., Schläffer, M.: Improving local collisions: new attacks on reduced SHA256. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 20.Merkle, R.C.: One way hash functions and DES. In: Brassard [3], pp. 428–446Google Scholar
 21.National Institute of Standards and Technology: FIPS PUB 180–4: Secure Hash Standard. Federal Information Processing Standards Publication 1804, U.S. Department of Commerce, March 2012. http://csrc.nist.gov/publications/fips/fips1804/fips1804.pdf
 22.Nikolić, I., Biryukov, A.: Collisions for stepreduced SHA256. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 1–15. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 23.Sanadhya, S.K., Sarkar, P.: New collision attacks against up to 24step SHA2. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 91–103. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 24.Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005) zbMATHGoogle Scholar
 25.Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA1. In: Shoup [24], pp. 17–36Google Scholar
 26.Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer [6], pp. 19–35Google Scholar
 27.Yu, H., Bai, D.: Boomerang attack on stepreduced SHA512. IACR Cryptology ePrint Archive, Report 2014/945 (2014). http://eprint.iacr.org/2014/945