Preimages for Step-Reduced SHA-2

  • Kazumaro Aoki
  • Jian Guo
  • Krystian Matusiewicz
  • Yu Sasaki
  • Lei Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)


In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2^{251.9} and 2^{509} for finding pseudo-preimages and 2^{254.9} and 2^{511.5} compression function operations for full preimages. The memory requirements are modest, around 2^{6} words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.
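The meet-in-the-middle structure the abstract describes (two independent halves computed separately, then matched birthday-style) is easiest to see on a deliberately small function. The block below is an added illustration written for this page, not code from the paper or its authors: the step function, its rotation amounts and constants, the initial value, the 8-bit restriction on message words and the sample message are all constructed here. The toy has no feedforward and uses none of the paper's techniques for splitting the real SHA-2 step sequence; it shows only the generic skeleton, a forward table built from the initial value over the first two message words and a backward inversion from the target digest over the last two, where a match in the middle yields a full preimage.

```python
"""Generic meet-in-the-middle (MITM) preimage search on a constructed toy
compression function. Illustration only: the step function, constants, IV and
message-word restriction are all made up for this page and have nothing to do
with the real SHA-256/SHA-512 step functions or the paper's 43/46-step attacks."""

MASK = 0xFFFF                 # two 16-bit words -> 32-bit chaining value / digest
IV = (0x1234, 0x5678)         # constructed initial value
ROT = (3, 7, 11, 5)           # constructed per-step rotation amounts
KS = (0x7F4A, 0x3C6E, 0xB5D1, 0x2E08)   # constructed per-step constants
STEPS = 4
WORD_BITS = 8                 # toy restriction: each message word is 8 bits, so the
                              # message space (2^32) equals the digest space (2^32)


def rotl16(x, r):
    """Rotate a 16-bit word left by r positions."""
    return ((x << r) | (x >> (16 - r))) & MASK


def step(state, m, i):
    """One step of the toy: like a SHA-2 step, it is invertible once the
    message word m for that step is known."""
    a, b = state
    new_a = (b + rotl16(a, ROT[i]) + m + KS[i]) & MASK
    return (new_a, a)


def step_inverse(state, m, i):
    """Undo step(): recover the previous state given that step's message word."""
    new_a, a = state
    b = (new_a - rotl16(a, ROT[i]) - m - KS[i]) & MASK
    return (a, b)


def compress(iv, msg):
    """Toy compression function: four steps, no feedforward."""
    state = iv
    for i in range(STEPS):
        state = step(state, msg[i], i)
    return state


def mitm_preimage(target, iv=IV):
    """Return msg with compress(iv, msg) == target by matching the two halves.

    Steps 0-1 depend only on (m0, m1) and steps 2-3 only on (m2, m3), so the two
    halves are independent. The forward table stores every state reachable
    after step 1 (2^16 entries); the backward phase inverts steps 3 and 2 from
    the target for every (m2, m3) and looks the resulting middle state up.
    Work is about 2 * 2^16 half-computations instead of 2^32 full ones.
    """
    n = 1 << WORD_BITS
    forward = {}
    for m0 in range(n):
        s1 = step(iv, m0, 0)
        for m1 in range(n):
            forward[step(s1, m1, 1)] = (m0, m1)      # state after step 1 -> words
    for m3 in range(n):
        s3 = step_inverse(target, m3, 3)             # state after step 2
        for m2 in range(n):
            mid = step_inverse(s3, m2, 2)            # state after step 1
            hit = forward.get(mid)
            if hit is not None:                      # birthday-style match
                return (hit[0], hit[1], m2, m3)
    return None


def demo():
    """Build a target from a constructed message and recover a preimage for it."""
    secret = (0x5A, 0xC3, 0x17, 0xE9)   # constructed sample message in the toy space
    target = compress(IV, secret)
    found = mitm_preimage(target)
    return found, target


if __name__ == "__main__":
    found, target = demo()
    print("target digest  :", tuple(hex(w) for w in target))
    print("found preimage :", found, "verifies:", compress(IV, found) == target)
```

With 8-bit message words each half costs 2^16 step pairs and the table holds 2^16 entries, against 2^32 evaluations for exhaustive search on the same 32-bit digest. The toy gets its two independent halves for free by construction; the attacks in the paper have to create that independence inside the actual SHA-2 step sequence, which is what the abstract's "range of novel techniques" refers to.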


Keywords: SHA-256, SHA-512, hash, preimage attack, meet-in-the-middle


References

  1. U.S. Department of Commerce, National Institute of Standards and Technology: Secure Hash Standard (SHS). Federal Information Processing Standards Publication 180-3 (2008)
  2. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
  3. U.S. Department of Commerce, National Institute of Standards and Technology: Federal Register Vol. 72(212), Friday, November 2, 2007, Notices (2007)
  4. U.S. Department of Commerce, National Institute of Standards and Technology: NIST's Plan for Handling Tunable Parameters. Presentation by Souradyuti Paul at The First SHA-3 Candidate Conference (February 2009)
  5. Mendel, F., Pramstaller, N., Rechberger, C., Rijmen, V.: Analysis of step-reduced SHA-256. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 126–143. Springer, Heidelberg (2006)
  6. Nikolić, I., Biryukov, A.: Collisions for step-reduced SHA-256. In: [25], pp. 1–15
  7. Indesteege, S., Mendel, F., Preneel, B., Rechberger, C.: Collisions and other non-random properties for step-reduced SHA-256. In: [26], pp. 276–293
  8. Sanadhya, S.K., Sarkar, P.: New collision attacks against up to 24-step SHA-2 (extended abstract). In: Rijmen, V., Das, A., Chowdhury, D.R. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 91–103. Springer, Heidelberg (2008)
  9. Isobe, T., Shibutani, K.: Preimage attacks on reduced Tiger and SHA-2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 139–155. Springer, Heidelberg (2009)
  10. Yu, H., Wang, X.: Non-randomness of 39-step SHA-256 (2008)
  11. Saarinen, M.J.O.: A meet-in-the-middle collision attack against the new FORK-256. In: Srinathan, K., Pandu Rangan, C., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 10–17. Springer, Heidelberg (2007)
  12. Leurent, G.: MD4 is not one-way. In: [25], pp. 412–428
  13. Rivest, R.L.: Request for Comments 1321: The MD5 Message Digest Algorithm. The Internet Engineering Task Force (1992)
  14. Zheng, Y., Pieprzyk, J., Seberry, J.: HAVAL — one-way hashing algorithm with variable length of output. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 83–104. Springer, Heidelberg (1993)
  15. Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: [26], pp. 103–119
  16. Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009)
  17. Aoki, K., Sasaki, Y.: Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 70–89. Springer, Heidelberg (2009)
  18. Sasaki, Y., Aoki, K.: Preimage attacks on 3, 4, and 5-pass HAVAL. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 253–271. Springer, Heidelberg (2008)
  19. Chang, D., Hong, S., Kang, C., Kang, J., Kim, J., Lee, C., Lee, J., Lee, J., Lee, S., Lee, Y., Lim, J., Sung, J.: ARIRANG. NIST home page
  20. Hong, D., Kim, W.H., Koo, B.: Preimage attack on ARIRANG. Cryptology ePrint Archive, Report 2009/147 (2009)
  21. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)
  22. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2^n work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)
  23. Sasaki, Y.: Meet-in-the-middle attacks using output truncation in 3-pass HAVAL. In: Samarati, P., Yung, M., Martinelli, F. (eds.) ISC 2009. LNCS, vol. 5735, pp. 79–94. Springer, Heidelberg (2009)
  24. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)
  25. Nyberg, K. (ed.): FSE 2008. LNCS, vol. 5086. Springer, Heidelberg (2008)
  26. Avanzi, R., Keliher, L., Sica, F. (eds.): SAC 2008. LNCS, vol. 5381. Springer, Heidelberg (2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Kazumaro Aoki (1)
  • Jian Guo (2)
  • Krystian Matusiewicz (3)
  • Yu Sasaki (1, 4)
  • Lei Wang (4)

  1. NTT Information Sharing Platform Laboratories, NTT Corporation, Tokyo, Japan
  2. Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
  3. Department of Mathematics, Technical University of Denmark, Denmark
  4. University of Electro-Communications, Tokyo, Japan