Collisions and other non-random properties for step-reduced SHA-256. In Selected Areas in Cryptography (2009)

by S Indesteege, F Mendel, B Preneel, C Rechberger
Results 1 - 10 of 18

Preimages for Step-Reduced SHA-2

by Jian Guo, Krystian Matusiewicz - ASIACRYPT
Cited by 24 (4 self)
Abstract. In this paper, we present a preimage attack for 42 step-reduced SHA-256 with time complexity 2^251.7 and memory requirements of order 2^12. The same attack also applies to 42 step-reduced SHA-512 with time complexity 2^502.3 and memory requirements of order 2^22. Our attack is a meet-in-the-middle preimage attack. Keywords: preimage attack, SHA-256, SHA-512, meet-in-the-middle, hash function

Citation Context

...]. Due to its much more complicated structure, especially of the message expansion, attacking it seems quite a difficult task. The progress of cryptanalysis of SHA-256 has been steady but rather slow [5,27,13,14,7,18,17]. The best publicly known collision attack [7,17] covers 24 steps out of the total 64. At the rump session of CRYPTO 2008 Sasaki announced a 36-step preimage attack [20], but the details have not been...

New Collision attacks Against Up To 24-step SHA-2. Cryptology ePrint Archive: Report 2008/270

by Somitra Kumar Sanadhya, Palash Sarkar, 2008
Cited by 12 (0 self)
Abstract. In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP ’08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24-step SHA-256 attacks are respectively 2^11.5 and 2^28.5 calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively 2^16.5 and 2^32.5 calls. Using a look-up table having 2^32 (resp. 2^64) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to 2^15.5 (resp. 2^22.5) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolić and Biryukov (NB) at FSE ’08. The reported computational efforts are 2^18 and 2^28.5 for 23 and 24-step SHA-256 respectively and 2^43.9 and 2^53 for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family. Keywords: Cryptanalysis, SHA-2 hash family, reduced round attacks

Second-Order Differential Collisions for Reduced SHA-256

by Alex Biryukov, Mario Lamberger, Florian Mendel - Eds., Advances in Cryptology—ASIACRYPT 2011, 2011
Cited by 11 (1 self)
Abstract. In this work, we introduce a new non-random property for hash/compression functions using the theory of higher order differentials. Based on this, we show a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity. We have implemented the attack and provide an example. Our results suggest that the security margin of SHA-256 is much lower than the security margin of most of the SHA-3 finalists in this setting. The techniques employed in this attack are based on a rectangle/boomerang approach and cover advanced search algorithms for good characteristics and message modification techniques. Our analysis also exposes flaws in all of the previously published related-key rectangle

Citation Context

...ollisions for Reduced SHA-256 271 as ‘relying on the same design principle as SHA-1 and MD5’, the best attack to date on SHA-256 is a collision attack for 24 out of 64 steps with practical complexity [13,33] and a preimage attack on 45 steps [18] having a complexity of 2^255.5. Higher-order differentials have been introduced by Lai in [21] and first applied to block ciphers by Knudsen in [20]. The applica...

Higher-order differential attack on reduced SHA-256. Cryptology ePrint Archive, Report 2011/037

by Mario Lamberger, Florian Mendel, 2011
Cited by 7 (0 self)
Abstract. In this work, we study the application of higher-order differential attacks on hash functions. We show a second-order differential attack on the SHA-256 compression function reduced to 46 out of 64 steps. We implemented the attack and give the result in Table 1. The best attack so far (in a different attack model) with practical complexity was for 33 steps of the compression function.

Citation Context

...ttention. Apart from being marked as ‘relying on the same design principle as SHA-1 and MD5’, the best attack to date on SHA-256 is a collision attack for 24 out of 64 steps with practical complexity [10,26] and a preimage attack on 43 steps [1] having a complexity of 2^254.9. In this work, we present an attack for the SHA-256 compression function reduced to 46 out of 64 steps with practical complexity....

Bicliques for preimages: attacks on Skein–512 and the SHA-2 family. Available at http://eprint.iacr.org/2011/286.pdf

by Dmitry Khovratovich, Christian Rechberger, Ra Savelieva, 2011
Cited by 6 (2 self)
Abstract. We present the new concept of biclique as a tool for preimage attacks, which employs many powerful techniques from differential cryptanalysis of block ciphers and hash functions. The new tool has proved to be widely applicable by inspiring many authors to publish new results of the full versions of AES, KASUMI, IDEA, and Square. In this paper, we demonstrate how our concept results in the first cryptanalysis of the Skein hash function, and describe an attack on the SHA-2 hash function with more rounds than before.

Citation Context

...f very intensive cryptanalysis in the world of hash functions. In contrast to its predecessors, collision attacks are no longer the major threat with the best attack on 24 rounds of the hash function [12, 23]. So far the best attacks on the SHA2 family are preimage attacks on the hash function in the splice-and-cut framework [1] and a boomerang distinguisher that is only applicable for the compression fun...

Improving local collisions: New attacks on reduced SHA-256

by Florian Mendel, Tomislav Nad - Advances in Cryptology – EUROCRYPT 2013. LNCS, 2013
Cited by 5 (3 self)
Abstract. In this paper, we focus on the construction of semi-free-start collisions for SHA-256, and show how to turn them into collisions. We present a collision attack on 28 steps of the hash function with practical complexity. Using a two-block approach we are able to turn a semi-free-start collision into a collision for 31 steps with a complexity of at most 2^65.5. The main improvement of our work is to extend the size of the local collisions used in these attacks. To construct differential characteristics and confirming message pairs for longer local collisions, we had to improve the search strategy of our automated search tool. To test the limits of our techniques we present a semi-free-start collision for 38 steps.

Citation Context

...with respect to collision attacks. They found a differential characteristic resulting in a collision attack for 23 steps of SHA-256. Later this approach was extended to a collision attack on 24 steps [4, 16]. All these results use rather simple local collisions spanning over 9 steps, which are constructed mostly manually or using basic cryptanalytic tools. However, as pointed out in [4] it is unlikely th...

A new hash family obtained by modifying the SHA-2 family

by Somitra Kumar Sanadhya, Palash Sarkar - Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, 2009
Cited by 3 (0 self)
Abstract. In this work, we study several properties of the SHA-2 design which have been utilized in recent collision attacks against reduced round SHA-2. Small modifications to the SHA-2 design are suggested to thwart these attacks. The modified round function provides the same resistance to linearization attacks as the original SHA-2 round function, but, provides better resistance to non-linear attacks. Our next contribution is to introduce the general idea of “multiple feed-forward” for the construction of cryptographic hash functions. This can provide increased resistance to the Chabaud-Joux type “perturbation-correction” collision attacks. The idea of feed-forward is taken further by introducing the idea of feed-forward across message blocks leading to resistance against generic multi-collision attacks. The net effect of the suggested changes to the SHA-2 design has insignificant impact on the efficiency of computing the digest.

Citation Context

...Following the attacks on SHA-0 [1] and SHA-1 [20], the attention of the cryptanalysis community has been directed to the SHA-2 family. Recent attacks against SHA-2 starting with [12], and followed by [18, 16, 7, 17] have utilized certain previously unknown properties in the round function of SHA-2. These have led to up to 24-step attacks against both SHA-256 and SHA-512. A unified combinatorial description of the...

Branching Heuristics in Differential Collision Search with Applications to SHA-512

by Maria Eichlseder, Florian Mendel
Cited by 2 (1 self)
Abstract. In this work, we present practical semi-free-start collisions for SHA-512 on up to 38 (out of 80) steps with complexity 2^40.5. The best previously published result was on 24 steps. The attack is based on extending local collisions as proposed by Mendel et al. in their Eurocrypt 2013 attack on SHA-256. However, for SHA-512, the search space is too large for direct application of these techniques. We achieve our result by improving the branching heuristic of the guess-and-determine approach to find differential characteristics and conforming message pairs. Experiments show that for smaller problems like 27 steps of SHA-512, the heuristic can also speed up the collision search by a factor of 2^20.

Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512

by Yu Sasaki, Lei Wang, Kazumaro Aoki
Cited by 1 (0 self)
Abstract. In this paper, we propose preimage attacks on 41-step SHA-256 and 46-step SHA-512, which drastically increase the number of attacked steps compared to the best previous preimage attack working for only 24 steps. The time complexity for 41-step SHA-256 is 2^253.5 compression function operations and the memory requirement is 2^16 × 10 words. The time complexity for 46-step SHA-512 is 2^511.5 compression function operations and the memory requirement is 2^3 × 10 words. Our attack is a meet-in-the-middle attack. We first consider the application of previous meet-in-the-middle attack techniques to SHA-2. We then analyze the message expansion of SHA-2 by considering all previous techniques to find a new independent message-word partition. We first explain the attack on 40-step SHA-256 whose complexity is 2^249 to describe the ideas. We then explain how to extend the attack.

Citation Context

...attack on SHA-2 reduced to 19 steps. After that, several researches have improved the result. To the best of our knowledge, the best collision attacks so far are the one proposed by Indesteege et al. [3] and the one proposed by Sanadhya and Sarkar [10], which present collision attacks on 24 steps. Apart from the collision attack, the only analysis we know is the one proposed by Isobe and Shibutani [4...

Software implementation of SHA-3 family using AVX2

by Roberto Cabral, Julio López

Citation Context

... functions SHA (Standard Hash Algorithm) [FIPS 2008], was standardized by the NIST (National Institute of Standards and Technology) and currently is used in many applications and protocols. Recently, several attacks on hash algorithms of SHA family were found. In 2005, [Biham et al. 2005] and [Rijmen and Oswald 2005] showed collision attacks of reduced versions of SHA-1. In the same year, [Wang et al. 2005] showed an attack that theoretically breaks the resistance to collision. The second version of SHA, SHA-2, is based on SHA-1 and already had attacks in its reduced versions, as is shown in [Indesteege et al. 2009]. In 2007, NIST started a new competition to select the new version of SHA algorithm, called SHA-3 [NIST 2007]. After two rounds of competition, five finalists were chosen: BLAKE, Grøstl, JH, Keccak and Skein. In 2012, Keccak [Bertoni et al. 2008] was announced as the winner. This work shows how to take advantage of the new vector instructions (AVX/AVX2) introduced on Intel® Architecture Processors to implement the SHA-3 family. We developed a sequential and a parallel version of the SHA-3 hash function for the four security levels 112, 128, 192 and 256 bits; in addition, the extendable-o...
