Collisions and Other Non-random Properties for Step-Reduced SHA-256

  • Sebastiaan Indesteege
  • Florian Mendel
  • Bart Preneel
  • Christian Rechberger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5381)


We study the security of step-reduced but otherwise unmodified SHA-256. We show the first collision attacks on SHA-256 reduced to 23 and 24 steps with complexities $2^{18}$ and $2^{28.5}$, respectively. We give example colliding message pairs for 23-step and 24-step SHA-256. The best previous, recently obtained result was a collision attack for up to 22 steps. We extend our attacks to 23 and 24-step reduced SHA-512 with respective complexities of $2^{44.9}$ and $2^{53.0}$. Additionally, we show non-random behaviour of the SHA-256 compression function in the form of free-start near-collisions for up to 31 steps, which is 6 more steps than the recently obtained non-random behaviour in the form of a semi-free-start near-collision. Even though this represents a step forwards in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA-256.


SHA-256, SHA-512, hash functions, collisions, semi-free-start collisions, free-start collisions, free-start near-collisions



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Sebastiaan Indesteege (1, 2)
  • Florian Mendel (3)
  • Bart Preneel (1, 2)
  • Christian Rechberger (3)

  1. Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit, Heverlee, Belgium
  2. Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium
  3. Institute for Applied Information Processing and Communications, Graz, Austria
