22-Step Collisions for SHA-2

22-Step Collisions for SHA-2 Somitra Kumar Sanadh y a ⋆ and P alash Sark ar Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolk ata, India 700108 . somitra r@isical.ac. in, pal ash@isical.ac. in 8 th Marc h , 2008 Abstract. I n this note, we provide the first 22-step collisions for SHA -256 and SHA -512. Detailed technique of generating these collisi ons will b e p ro vided in the next revision of this note. 1 In tro duction SHA-256 and SHA-512 are th e next generatio n hash functions designed and standardized by NIST in 2002 [1]. In this note, we p ro vide message pairs colliding for 22-step SHA-256 and 22-step SHA-512. This is the first attac k on 22-step SHA-2 family . The su ccess probabilit y of our attac k is around 2 − 5 in a verage case and around 2 − 9 in the wo rst case. Both these p robabilit y figures are exp erimen tal. Details of the attac k will b e provided in the next revision of th is note. 2 Message pairs colliding for 22-step SHA-2 T able 1. Colliding message pair f or 22-step SHA-256 with stand ard IV. These message pairs f ollo w the differen tial path giv en in T able 3. W 1 0-7 a 0263fa5 707425fb 618cd8d2 7d58f729 1eb9a964 19f88f1c 34e35071 f28d40e3 8-15 b43e29b8 1871a949 e2e01390 aaf3823e 8d41a28e 7f22ee02 7c625999 183e603f W 2 0-7 a0263fa5 707425fb 618cd8d2 7d58f729 1eb9a964 19f88f1c 34e35071 f28d40e3 8-15 b43e29b9 1871a948 defe7410 aaf5223e 8d41a28e 7f22ee02 7c625999 00000000 T able 2. Colliding message pair for 22-ste p S HA-512 w ith s tandard IV. W 1 0-3 3ffb91948b 327337 95f3c893b2 356b98 506c68760abf51 e9 fab877b7eef3aaa2 4-7 55d5b38ec3 4340cf daa006ef3f 677afa a5a01d9f1c67d9 c8 5b219ee6f447480b 8-11 52af39ff1ecfb48e 5cff9ae 5d4d60a40 db6c1a412c9 b4d4d aaf3823c2a004b1f 12-15 8d41a28b0d847693 7f212e 01c4e96937 7eeeca5c84b a3bda 1acad103aa814e0 e W 2 0-3 3ffb91948b 327337 95f3c893b2 356b98 506c68760abf51 e9 fab877b7eef3aaa2 4-7 55d5b38ec3 4340cf daa006ef3f 677afa a5a01d9f1c67d9 c8 5b219ee6f447480b 8-11 52af39ff1ecfb48f 5cff9ae 5d4d60a3f db687a412d1 b4d65 aaf3623c2a004b07 12-15 8d41a28b0d847693 7f212e 01c4e96937 7eeeca5c84b a3bda 000000000000000 0 ⋆ This author is supp orted b y the Ministry of Information T echnology , Govt. of India. T able 3. Different ial path follo wed b y the message p airs giv en in T able 1 . The differen tial path for the message pair of T able 2 is different but similar lo oking. If the register v alues f or the first m essage W 1 are d enoted by { a i , b i , . . . h i } and those for the second message W 2 are d enoted by { a ′ i , b ′ i , . . . h ′ i } , then δ X stands for X ′ − X , wher e X could b e any r egister v alue. Th e 22 steps are indexed from 0 to 21. Step δ a i δ b i δ c i δ d i δ e i δ f i δ g i δ h i 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 3 0 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0 0 5 0 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 0 7 0 0 0 0 0 0 0 0 8 00000001 0 0 0 00000001 0 0 0 9 0 00000001 0 0 ffffffff 00000001 0 0 10 0 0 00000001 0 ffffffff ffffffff 00000001 0 11 0 0 0 00000001 0 ffffffff ffffffff 00000001 12 0 0 0 0 00000001 0 ffffffff ffffffff 13 0 0 0 0 0 00000001 0 ffffffff 14 0 0 0 0 0 0 00000001 0 15 0 0 0 0 0 0 0 00000001 16 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 0 0 18 0 0 0 0 0 0 0 0 19 0 0 0 0 0 0 0 0 20 0 0 0 0 0 0 0 0 21 0 0 0 0 0 0 0 0 References 1. Secure Hash Standard. F e der al Information Pr o c essing Standar d Public ation 180-2 . U.S. Dep art- ment of Commerce, National I nstitute of Standards and T ec hnology(NIST), 2002. Av ailable at http://csr c.nist.gov /publications/fips/fips180- 2/fips180- 2withchangenotice.pdf .