Difference between revisions of "SHA-512/384"
From The ECRYPT Hash Function Website
Npramstaller (talk | contribs) |
(→Collision Attacks) |
||
| (5 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
== Specification == | == Specification == | ||
| − | + | * digest size: 512 bits, truncation to 384 bits also specified | |
| − | * digest size: | + | * max. message length: < 2<sup>128</sup> bits |
| − | * max. message length: < 2<sup> | + | * compression function: 1024-bit message block, 512-bit chaining variable |
| − | * compression function: | + | * [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard] |
| − | * Specification: | ||
| − | - | ||
== Cryptanalysis == | == Cryptanalysis == | ||
| Line 21: | Line 19: | ||
=== Collision Attacks === | === Collision Attacks === | ||
| + | |||
| + | <bibtex> | ||
| + | @inproceedings{iswSanadhyaS08, | ||
| + | author = {Somitra Kumar Sanadhya and Palash Sarkar}, | ||
| + | title = {Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family}, | ||
| + | booktitle = {ISC}, | ||
| + | year = {2008}, | ||
| + | pages = {244-259}, | ||
| + | abstract = {Recently, at FSE ’08, Nikolic and Biryukov introduced a new technique for analyzing SHA-2 round function. Building on their work, but using other differential paths, we construct two different deterministic attacks against 21-step SHA-2 hash family. Since the attacks are deterministic, they are actually combinatorial constructions of collisions. There are six free words in our first construction. This gives exactly 2^192 different collisions for 21-step SHA-256 and exactly 2^384 different collisions for 21-step SHA-512. The second construction has five free words. The best previous result, due to Nikolic and Biryukov, for finding collisions for 21-step SHA-256 holds with probability 2-^19. No results on 21-step SHA-512 are previously known. Further, we provide evidence that the Nikolic-Biryukov differential path is unlikely to yield 21-step collisions for SHA-512.}, | ||
| + | url = {http://dx.doi.org/10.1007/978-3-540-85886-7_17}, | ||
| + | editor = {Tzong-Chen Wu and Chin-Laung Lei and Vincent Rijmen and Der-Tsai Lee}, | ||
| + | publisher = {Springer}, | ||
| + | series = {LNCS}, | ||
| + | volume = {5222}, | ||
| + | isbn = {978-3-540-85884-3}, | ||
| + | } | ||
| + | </bibtex> | ||
| + | |||
| + | <bibtex> | ||
| + | @inproceedings{acispSanadhyaS08, | ||
| + | author = {Somitra Kumar Sanadhya and Palash Sarkar}, | ||
| + | title = {Non-linear Reduced Round Attacks against SHA-2 Hash Family}, | ||
| + | booktitle = {ACISP}, | ||
| + | year = {2008}, | ||
| + | pages = {254-266}, | ||
| + | abstract = {Most of the attacks against (reduced) SHA-2 family in literature have used local collisions which are valid for linearized version of SHA-2 hash functions. Recently, at FSE 2008, an attack against reduced round SHA-256 was presented by Nikolic and Biryukov which used a local collision which is valid for the actual SHA-256 function. It is a 9-step local collision which starts by introducing a modular difference of 1 in the two messages. It succeeds with probability roughly 1/3. We build on the work of Nikolic and Biryukov and provide a generalized nonlinear local collision which accepts an arbitrary initial message difference. This local collision succeeds with probability 1. Using this local collision we present attacks against 18-step SHA-256 and 18-step SHA-512 with arbitrary initial difference. Both of these attacks succeed with probability 1. We then present special cases of our local collision and show two different differential paths for attacking 20-step SHA-256 and 20-step SHA-512. One of these paths is the same as presented by Nikolic and Biryukov while the other one is a new differential path. Messages following both these differential paths can be found with probability 1. This improves on the previous result where the success probability of 20-step attack was 1/3. Finally, we present two differential paths for 21-step collisions for SHA-256 and SHA-512, one of which is a new path. The success probabilities of these paths for SHA-256 are roughly 2-^15 and 2^-17 which improve on the 21-step attack having probability 2^-19 reported earlier. We show examples of message pairs following all the presented differential paths for up to 21-step collisions in SHA-256. We also show first real examples of colliding message pairs for up to 20-step reduced SHA-512. }, | ||
| + | url = {http://dx.doi.org/10.1007/978-3-540-70500-0_19}, | ||
| + | editor = {Yi Mu and Willy Susilo and Jennifer Seberry}, | ||
| + | publisher = {Springer}, | ||
| + | series = {LNCS}, | ||
| + | volume = {5107}, | ||
| + | isbn = {978-3-540-69971-2}, | ||
| + | } | ||
| + | </bibtex> | ||
| + | |||
| + | <bibtex> | ||
| + | @inproceedings{sacryptGilbertH03, | ||
| + | author = {Henri Gilbert and Helena Handschuh}, | ||
| + | title = {Security Analysis of SHA-256 and Sisters}, | ||
| + | booktitle = {Selected Areas in Cryptography}, | ||
| + | year = {2003}, | ||
| + | pages = {175-193}, | ||
| + | url = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3006{\&}spage=175}, | ||
| + | editor = {Mitsuru Matsui and Robert J. Zuccherato}, | ||
| + | publisher = {Springer}, | ||
| + | series = {LNCS}, | ||
| + | volume = {3006}, | ||
| + | isbn = {3-540-21370-8}, | ||
| + | abstract = {This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don't apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.}, | ||
| + | } | ||
| + | </bibtex> | ||
---- | ---- | ||
Latest revision as of 14:36, 10 November 2008
Contents
1 Specification
- digest size: 512 bits, truncation to 384 bits also specified
- max. message length: < 2128 bits
- compression function: 1024-bit message block, 512-bit chaining variable
- Specification: FIPS 180-2 Secure Hash Standard
2 Cryptanalysis
2.1 Best Known Results
2.2 Generic Attacks
2.3 Collision Attacks
Somitra Kumar Sanadhya, Palash Sarkar - Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family
- ISC 5222:244-259,2008
- http://dx.doi.org/10.1007/978-3-540-85886-7_17
BibtexAuthor : Somitra Kumar Sanadhya, Palash Sarkar
Title : Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family
In : ISC -
Address :
Date : 2008
Somitra Kumar Sanadhya, Palash Sarkar - Non-linear Reduced Round Attacks against SHA-2 Hash Family
- ACISP 5107:254-266,2008
- http://dx.doi.org/10.1007/978-3-540-70500-0_19
BibtexAuthor : Somitra Kumar Sanadhya, Palash Sarkar
Title : Non-linear Reduced Round Attacks against SHA-2 Hash Family
In : ACISP -
Address :
Date : 2008
Henri Gilbert, Helena Handschuh - Security Analysis of SHA-256 and Sisters
- Selected Areas in Cryptography 3006:175-193,2003
- http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3006{\&}spage=175
BibtexAuthor : Henri Gilbert, Helena Handschuh
Title : Security Analysis of SHA-256 and Sisters
In : Selected Areas in Cryptography -
Address :
Date : 2003
