Cryptanalysis of Dynamic SHA(2)

  • Jean-Philippe Aumasson
  • Orr Dunkelman
  • Sebastiaan Indesteege
  • Bart Preneel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5867)


In this paper, we analyze the hash functions Dynamic SHA and Dynamic SHA2, which have been selected as first round candidates in the NIST hash function competition. These hash functions rely heavily on data-dependent rotations, similar to certain block ciphers, e.g., RC5. Our analysis suggests that in the case of hash functions, where the attacker has more control over the rotations, this approach is less favorable than in block ciphers. We present practical, or close to practical, collision attacks on both Dynamic SHA and Dynamic SHA2. Moreover, we present a preimage attack on Dynamic SHA that is faster than exhaustive search.


Dynamic SHA Dynamic SHA2 SHA-3 candidate hash function collision attack 


  1. 1.
    Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2n work. In: [15], pp. 474–490Google Scholar
  2. 2.
    Kelsey, J., Kohno, T.: Herding hash functions and the Nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: [15], pp. 19–35Google Scholar
  4. 4.
    De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: General results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    National Institute of Standards and Technology. Cryptographic hash algorithm competition,
  7. 7.
    Rivest, R.L.: The RC5 encryption algorithm. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 86–96. Springer, Heidelberg (1995)Google Scholar
  8. 8.
    Rivest, R.L., Robshaw, M.J.B., Yin, Y.L.: RC6 as the AES. In: AES Candidate Conference, pp. 337–342 (2000)Google Scholar
  9. 9.
    Mendel, F., Pramstaller, N., Rechberger, C.: Improved collision attack on the hash function proposed at PKC 1998. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 8–21. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Shin, S.U., Rhee, K.H., Ryu, D., Lee, S.: A new hash function based on MDx-family and its application to MAC. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 234–246. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  11. 11.
    Xu, Z.: Dynamic SHA. Submission to NIST (2008)Google Scholar
  12. 12.
    Xu, Z.: Dynamic SHA2. Submission to NIST (2008)Google Scholar
  13. 13.
    De Cannière, C., Rechberger, C.: Preimages for reduced SHA-0 and SHA-1. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 179–202. Springer, Heidelberg (2008)Google Scholar
  14. 14.
    Klimov, A., Shamir, A.: Cryptographic applications of t-functions. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 248–261. Springer, Heidelberg (2004)Google Scholar
  15. 15.
    Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Philippe Aumasson
    • 1
  • Orr Dunkelman
    • 2
  • Sebastiaan Indesteege
    • 3
    • 4
  • Bart Preneel
    • 3
    • 4
  1. 1.FHNWWindischSwitzerland
  2. 2.École Normale SupérieureINRIA, CNRSParisFrance
  3. 3.Department of Electrical Engineering ESAT/COSICKatholieke Universiteit LeuvenBelgium
  4. 4.Interdisciplinary Institute for BroadBand Technology (IBBT)Belgium

Personalised recommendations