International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

On Corrective Patterns for the SHA-2 Family

Authors:
Philip Hawkes
Michael Paddon
Gregory G. Rose
Download:
URL: http://eprint.iacr.org/2004/207
Search ePrint
Search Google
Abstract: The Secure Hash Standard (SHS) [3] includes hashing algorithms denoted SHA-n, (n in {224, 256, 384, 512}) for producing message digests of length n. These algorithms are based on a common design, sometimes known as SHA-2, that consists of a message schedule and a register. The most successful attacks on the SHA algorithms are Chabaud-Joux differential collisions [1, 2, 4, 5, 7], which are based on finding a corrective pattern for the register. Previous analysis of the SHA-2 algoritms [4] indicated that, for all SHA-2 algorithms, the best corrective pattern has probability 2^-66. We find that the complexity of obtaining a collision is 2^39 when the register state is unknown. Of this complexity, a factor of 2^9 corresponds to conditions on the internal state that must be satisfied, and a factor of 2^30 corresponds to 30 bits of internal state that must be guessed correctly in order to generate a collision. When the register state is known (as is the case when generating a hash) then the guessed bits are known and the complexity is reduced to 2^9. The simple analysis of the message schedule in [4] determines limits on the probability of collision for SHA-2, and was sufficient at that time to conclude that the algorithms resist the attacks. In [4] the claimed complexity is compared against the birthday attack bound of 2^n/2. However, the corrective pattern can be converted into a second pre-image attack for which the complexity should be greater than 2^n. When accounting for the complexity of 2^9 per corrective pattern, the previous analysis of the message schedule yields lower bounds on the complexities 2^27 for SHA-224/256 and 2^45 for SHA-224/256. These complexities are significantly less than the 2^n bound. It is no longer certain that SHA-2 resists this attack. More detailed analysis of the message schedule is required.
BibTeX
@misc{eprint-2004-12179,
  title={On Corrective Patterns for the SHA-2 Family},
  booktitle={IACR Eprint archive},
  keywords={secret-key cryptography / SHA-256, second preimage attack},
  url={http://eprint.iacr.org/2004/207},
  note={ ggr@qualcomm.com 12652 received 22 Aug 2004},
  author={Philip Hawkes and Michael Paddon and Gregory G. Rose},
  year=2004
}