Abstract
This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack nor Dobbertin-style attacks apply. Differential and linear attacks also do not apply to the underlying structure. However, we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive-or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.
This work is based on the result of an evaluation requested by the Japanese CRYPTREC project: http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html
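The following is an added example, not code from the paper: a SHA-256-shaped compression function in which every modular addition is replaced by XOR, so that the symmetry property stated in the abstract can be observed directly. Assumptions of this example: a 32-bit word is "symmetric" when its two 16-bit halves are equal; the round constants and IV are constructed symmetric placeholders rather than the standard's values; and, going beyond what the abstract states, the SHR operations inside σ0 and σ1 are replaced by ROTR so that every step is either bitwise or a rotation.

```python
MASK = 0xFFFFFFFF

def rotr(x, n):
    """Rotate a 32-bit word right by n bits."""
    return ((x >> n) | (x << (32 - n))) & MASK

def sym(h):
    """Build a symmetric word (both 16-bit halves equal) from a 16-bit half."""
    return ((h & 0xFFFF) << 16) | (h & 0xFFFF)

def is_symmetric(w):
    return (w >> 16) == (w & 0xFFFF)

# SHA-256 bitwise functions; the two small sigma functions use ROTR where the
# standard uses SHR (an assumption of this example, see the lead-in).
def ch(e, f, g):  return (e & f) ^ ((~e) & g)
def maj(a, b, c): return (a & b) ^ (a & c) ^ (b & c)
def S0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def S1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
def s0(x): return rotr(x, 7) ^ rotr(x, 18) ^ rotr(x, 3)
def s1(x): return rotr(x, 17) ^ rotr(x, 19) ^ rotr(x, 10)

# Constructed symmetric round constants and IV (placeholders, not SHA-256's).
K = [sym(0x9E37 * (t + 1)) for t in range(64)]
IV = [sym(0x6A09 + 0x1111 * i) for i in range(8)]
XOR = lambda x, y: x ^ y                     # the variant from the abstract
ADD = lambda x, y: (x + y) & MASK            # the standard's modular addition

def compress(block, state=IV, op=XOR):
    """SHA-256 round structure (schedule + 64 rounds); op combines words."""
    w = list(block)                                    # 16 message words
    for t in range(16, 64):
        w.append(op(op(s1(w[t-2]), w[t-7]), op(s0(w[t-15]), w[t-16])))
    a, b, c, d, e, f, g, h = state
    for t in range(64):
        t1 = op(op(op(h, S1(e)), op(ch(e, f, g), K[t])), w[t])
        t2 = op(S0(a), maj(a, b, c))
        a, b, c, d, e, f, g, h = op(t1, t2), a, b, c, op(d, t1), e, f, g
    return [op(x, y) for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def symmetric_block_digest(halves, op=XOR):
    """Hash a block of 16 symmetric words; return digest and whether it is symmetric."""
    digest = compress([sym(x) for x in halves], op=op)
    return digest, all(is_symmetric(v) for v in digest)

if __name__ == "__main__":
    d, ok = symmetric_block_digest(range(0x1234, 0x1234 + 16))
    print("XOR variant keeps symmetry:", ok, [f"{v:08x}" for v in d])
```

With `op=XOR` every operation commutes with swapping the two 16-bit halves, so a symmetric input block and symmetric constants can only produce a symmetric digest; passing `op=ADD` reintroduces carries across the half boundary, which is what breaks the property in the real function.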
© 2004 Springer-Verlag Berlin Heidelberg
Gilbert, H., Handschuh, H. (2004). Security Analysis of SHA-256 and Sisters. In: Matsui, M., Zuccherato, R.J. (eds) Selected Areas in Cryptography. SAC 2003. Lecture Notes in Computer Science, vol 3006. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24654-1_13
DOI: https://doi.org/10.1007/978-3-540-24654-1_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-21370-3
Online ISBN: 978-3-540-24654-1