Study the function of building blocks in SHA Family
In this paper we analyse the role of some of the building blocks in SHA-256. We show that the disturbance-correction strategy is applicable to the SHA-256 architecture and we prove that functions $\Sigma$, $\sigma$ are vital for the security of SHA-256 by showing that for a variant without them it is possible to find collisions with complexity $2^{64}$ hash operations. As a step towards an analysis of the full function, we present the results of our experiments on Hamming weights of expanded messages for different variants of the message expansion and show that there exist low-weight expanded messages for XOR-linearised variants.
💡 Research Summary
The paper investigates the security contribution of two groups of building blocks of SHA‑256: the large‑sigma functions Σ₀, Σ₁ used in the state update and the small‑sigma functions σ₀, σ₁ used in the message expansion. All four are linear over GF(2): each is the XOR of rotations (and, for σ₀ and σ₁, one shift) of a single 32‑bit word. Their job is diffusion, not non‑linearity; the non‑linearity of SHA‑256 comes from modular addition and from the bitwise functions Ch and Maj. The authors consider a variant of SHA‑256 with the Σ and σ functions removed and show that the disturbance‑correction strategy, developed for the cryptanalysis of SHA‑0 and SHA‑1, carries over to the SHA‑256 architecture: for the variant without Σ and σ they find collisions with about 2⁶⁴ hash operations. This is far below the 2¹²⁸ birthday bound that a 256‑bit hash is expected to meet for collisions, and it establishes that Σ and σ are essential to the security of SHA‑256 against this class of attack.
The second part of the study concerns the message expansion. In the standard algorithm the 16 message words W₀, …, W₁₅ are expanded to 64 words by W_t = σ₁(W_{t−2}) + W_{t−7} + σ₀(W_{t−15}) + W_{t−16}, with addition modulo 2³²; the σ functions spread the bits of each word, and the modular additions make the expanded difference depend on the message words themselves through carries. The authors study several variants of this expansion, in particular XOR‑linearised ones in which the modular additions are replaced by XOR, so that the expansion becomes a linear map over GF(2) and the difference between two expanded messages is simply the expansion of the message difference. For these variants they measure the Hamming weights of expanded messages and show that low‑weight expanded messages exist. Low‑weight expanded differences are exactly what an attack of the disturbance‑correction type needs: a disturbance that touches few bits in few steps requires few corrections and so leads to a differential characteristic of higher probability.
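As an added illustration, and not code from the paper, the four building blocks and the message expansion in three variants: the FIPS 180‑4 expansion, the XOR‑linearised expansion, and the XOR‑linearised expansion with σ₀ and σ₁ replaced by the identity (a "variant without σ" in the sense of the abstract). The variant names, the sample difference (one bit in word 0) and the single‑bit search are our own choices; the search is a miniature of the Hamming‑weight experiment described above, not the authors' experiment, and the building‑block definitions are the standard ones from FIPS 180‑4.

```python
"""Added example (not from the paper): SHA-256 building blocks and three
variants of the message expansion, used to compare Hamming weights of
expanded differences.  Variant names and sample inputs are constructed."""
import functools
import operator
import random

MASK = 0xFFFFFFFF


def rotr(x, n):
    """32-bit rotate right."""
    return ((x >> n) | (x << (32 - n))) & MASK


# The building blocks under study (FIPS 180-4).  Each is GF(2)-linear: an XOR
# of rotations/shifts of one word.  SHA-256's non-linearity comes from
# modular addition and, in the state update, from Ch and Maj.
def Sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def Sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
def sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)
def identity(x): return x            # stands in for sigma in the "no sigma" variant


def add_mod32(*xs):                  # FIPS 180-4 message expansion
    return sum(xs) & MASK


def xor_words(*xs):                  # XOR-linearised message expansion
    return functools.reduce(operator.xor, xs, 0)


def expand(msg, combine=add_mod32, s0=sigma0, s1=sigma1):
    """W_0..W_63 from a 16-word block.  With the defaults this is the standard
    W_t = sigma1(W_{t-2}) + W_{t-7} + sigma0(W_{t-15}) + W_{t-16} (mod 2^32)."""
    if len(msg) != 16:
        raise ValueError("a block is 16 words")
    w = [x & MASK for x in msg]
    for t in range(16, 64):
        w.append(combine(s1(w[t - 2]), w[t - 7], s0(w[t - 15]), w[t - 16]))
    return w


def hamming_weight(words):
    return sum(bin(x).count("1") for x in words)


def xor_difference(m1, m2, **variant):
    """Word-wise XOR difference of the two expanded messages."""
    return [a ^ b for a, b in zip(expand(m1, **variant), expand(m2, **variant))]


def is_linear(variant, trials=50, seed=1):
    """An expansion is GF(2)-linear iff the expanded difference depends only on
    the message difference: D(m1) ^ D(m2) == D(m1 ^ m2) for random m1, m2."""
    rng = random.Random(seed)                       # constructed random inputs
    for _ in range(trials):
        m1 = [rng.getrandbits(32) for _ in range(16)]
        m2 = [rng.getrandbits(32) for _ in range(16)]
        delta = [a ^ b for a, b in zip(m1, m2)]
        if xor_difference(m1, m2, **variant) != expand(delta, **variant):
            return False
    return True


def min_single_bit_weight(variant):
    """(weight, word, bit) of the lightest expanded difference over all 512
    single-bit message differences.  Meaningful for the linear variants only,
    where expand(delta) *is* the expanded difference for every message."""
    best = None
    for word in range(16):
        for bit in range(32):
            delta = [0] * 16
            delta[word] = 1 << bit
            wt = hamming_weight(expand(delta, **variant))
            if best is None or wt < best[0]:
                best = (wt, word, bit)
    return best


VARIANTS = {
    "standard (add mod 2^32, sigma)": dict(combine=add_mod32),
    "xor-linearised, sigma":          dict(combine=xor_words),
    "xor-linearised, no sigma":       dict(combine=xor_words, s0=identity, s1=identity),
}

if __name__ == "__main__":
    delta = [1 << 31] + [0] * 15                    # constructed: one bit in word 0
    for name, variant in VARIANTS.items():
        d = expand(delta, **variant)
        print(f"{name:32s} linear={is_linear(variant)!s:5} "
              f"weight(expand(delta))={hamming_weight(d):4d} "
              f"lightest single-bit difference={min_single_bit_weight(variant)}")
```

Running the block shows the effect the paper is after: without σ the expansion is a plain linear recurrence on each bit position, so a one‑bit message difference yields an expanded difference with at most one set bit per word and a total weight that stays low; with σ in place the same difference is spread across the word at every step and the weight grows quickly. The linearity check holds for the two XOR variants and not for the modular‑addition expansion, whose expanded difference depends on the message words through carries; that dependence is why the weight experiments are run on XOR‑linearised variants.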
From these results the authors draw several conclusions. First, Σ and σ are not decorative rotations and shifts: although they are linear, each application sends every bit of a word to three positions, so a disturbance introduced in one step cannot be kept confined to a few bits, and they break the simple relations between consecutive steps that the disturbance‑correction strategy exploits. Second, the σ functions in the message expansion are what stands between an attacker and low‑weight expanded message differences, which would otherwise give a foothold for building efficient collision characteristics. Third, removing these building blocks reduces SHA‑256 to a structure that falls to classic differential techniques, as the 2⁶⁴ collision attack on the variant without Σ and σ shows.
The authors present these results as a step towards an analysis of the full function: the attack on the reduced variant and the Hamming‑weight experiments together indicate where the strength of the unmodified SHA‑256 lies and which components any future attack would have to overcome. Overall, the study provides concrete evidence that the Σ and σ functions, together with the modular‑addition message expansion, are indispensable for the security level claimed for SHA‑256.