Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Slides:



Advertisements
Similar presentations
Chapter 17 Multivariable Calculus.
Advertisements

More on Decoders and Muxes
1 The 2-to-4 decoder is a block which decodes the 2-bit binary inputs and produces four output All but one outputs are zero One output corresponding to.
CDA 3100 Recitation Week 10.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
Functions of Several Variables Copyright © Cengage Learning. All rights reserved.
Standardized Test Practice
EXAMPLE 3 Solve an equation by factoring Solve 2x 2 + 8x = 0. 2x 2 + 8x = 0 2x(x + 4) = 0 2x = 0 x = 0 or x + 4 = 0 or x = – 4 ANSWER The solutions of.
6.4 Factoring and Solving Polynomial Equations. Review of Factoring 2 nd Degree Polynomials x 2 + 9x + 20 = (x+5)(x+4) x x + 30 = (x-6)(x-5) 3x.
4.2 Graphing linear equations Objective: Graph a linear equation using a table of values.
4.6 Solve Exponential and Logarithmic Equations
Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.
Solving Quadratic Equations by Factoring
Elimination Day 2. When the two equations don’t have an opposite, what do you have to do? 1.
Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.
1 2-Hardware Design Basics of Embedded Processors (cont.)
Which is equivalent to x 15 ? a. (x 3 )(x 5 ) b. (x 3 ) 5 c. (3x)(5x) d. (x 2 )(x 4 )/x 21.
Linear Equations in Two Variables A Linear Equation in Two Variables is any equation that can be written in the form where A and B are not both zero.
3.1 You should be able to solve one-step equations using algebra. Solve for x.
§ 3.6 Solving Quadratic Equations by Factoring. Martin-Gay, Developmental Mathematics 2 Zero Factor Theorem Quadratic Equations Can be written in the.
7.3 Solving Equations Using Quadratic Techniques Objectives: 1.Write expressions in quadratic form. 2.Use quadratic techniques to solve equations.
5-5 Solving Quadratic Equations Objectives:  Solve quadratic equations.
Solve x 2 +3x – 5 = 11 xx2x2 +3x-5X 2 +3x-5High/ Low L.
Sec 3.1 Polynomials and Their Graphs (std MA 6.0) Objectives: To determine left and right end behavior of a polynomial. To find the zeros of a polynomial.
Differential equations. Many applications of mathematics involve two variables and a relation between them is required. This relation is often expressed.
6.1 - Polynomials. Monomial Monomial – 1 term Monomial – 1 term; a variable.
Chapter 7 The Laplace Transform
2.1 – Linear and Quadratic Equations Linear Equations.
CS 151: Digital Design Chapter 4: Arithmetic Functions and Circuits
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.
SECONDARY ONE 6.1a Using Substitution to Solve a System.
Differential Equations Linear Equations with Variable Coefficients.
Liz Balsam Advisor: Bahman Kalantari.  Term coined by Dr. Kalantari  Polynomial + graph  Definition: the art and science of visualization in the approximation.
Table of Contents Definitions of Monomials, Polynomials and Degrees Adding and Subtracting Polynomials Multiplying Monomials Dividing by Monomials Multiplying.
Dan Boneh Collision resistance The Merkle-Damgard Paradigm Online Cryptography Course Dan Boneh.
Table of Contents Solving Quadratic Equations – The Discriminant The Discriminant is the expression found under the radical symbol in the quadratic formula.
Algebra Math 8 May A brain teaser Think of a number. Add three. Find the square of the result. Subtract nine. Divide by the original number. Subtract.
Domain: a set of first elements in a relation (all of the x values). These are also called the independent variable. Range: The second elements in a relation.
Find the area of these rectangles x cm 2x + 1 cm x + 2 cm 8 cm 5cm 2cm 21 cm 3 cm 6 cm x cm 10 cm 2 2x 2 + x cm 2 or x(2x + 1) cm 2 8x + 16 cm 2 or 8(x.
Objective: Use factoring to solve quadratic equations. Standard(s) being met: 2.8 Algebra and Functions.
Elimination Method - Systems. Elimination Method  With the elimination method, you create like terms that add to zero.
Multiplying with exponents
Given Slope & y-Intercept
SLOPE FIELDS & EULER’S METHOD
1(1)5 + 5(1)4(2x) + 10(1)3(2x)2 + 10(1)2(2x)3 + 5(1)(2x)4 + 1(2x)5
Using Variable Domain Functions
Differential Equations
Solving Equations by Factoring
The SHA Family of Hash Functions: Recent Results
2.4 & 2.5 Absolute Value Inequalities and Equations
How to Break MD5 and Other Hash Functions
A quadratic equation is written in the Standard Form,
Solving Equations by Factoring and Problem Solving
Algebra.
Use power series to solve the differential equation. {image}
Implicit Differentiation
Factor and Solve Polynomial Equations Lesson 2.4
1-5 Absolute Value Equations
Algebra 1 Section 13.6.
Homework 1: Electrical System
LINGO LAB 3/4.
Rates that Change Based on another Rate Changing
Differential Equations
Chapter 6 Network Flow Models.
Algebra 1 Section 12.1.
5.3 Polynomial Functions By Willis Tang.
Use power series to solve the differential equation. y ' = 7xy
Representing Boolean Functions
2.5 The Chain Rule.
Message Modification for Step on SHA-0
Presentation transcript:

Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg

Outline  Short description of SHA-256  Difference between SHA-1 and SHA-2  Technique for finding collisions for SHA-256  20-step reduced SHA-256  21-step reduced SHA-256  23-step reduced SHA-256  25-step reduced SHA-256  Conclusions

Short description of SHA-256  Merkle-Damgard construction (compression function) Input: 512-bits message block bits chaining value Output: 256-bits chaining value  64 steps

Difference between SHA-1 and SHA-2  Number of internal variables  Additional functions - ∑ 0, ∑ 1  Message expansion W i = W i-3 + W i-8 + W i-14 + W i-16 W i = σ 1 (W i-2 )+ W i-7 + σ 0 (W i-15 )+ W i-16 One step of the compression function Message expansion

Difference between SHA-1 and SHA-2 Limit the influence of the new innovations  Additional functions (∑ 0, ∑ 1 ) Find fixed points, i.e. ∑(x)=x. If x,y are fixed points then ∑(x)- ∑(y)=x-y, i.e. ∑ preserves difference.  Message expansion Expanded words don’t use words with differences.

Technique for finding collisions for SHA-256 General technique  Introduce perturbation  Use as less differences as possible to correct the perturbation in the following 8 steps  After the perturbation is gone don’t allow any other new perturbations

Technique for finding collisions for SHA-256  Perturbation in step i  Correct in the following 8 steps  Require the differences for A and E as shown in the table  Get system of equations with the respect to δi and A i or E i  Solve the system ΔAΔAΔBΔBΔCΔCΔDΔDΔEΔEΔFΔFΔGΔGΔHΔHΔWΔW i i δ1δ1 i δ2δ2 i δ3δ3 i i i i i δ4δ4 i

Technique for finding collisions for SHA-256 From the definition of SHA-256, we have Δ A i+4 - Δ E i+4 = Δ∑ 0 (A i+3 ) + ΔMaj i+3 (ΔA i+3, ΔB i+3,ΔC i+3 )-ΔD i+3 Δ E i+4 = Δ∑ 1 (E i+3 ) +ΔChi i+3 (ΔE i+3,ΔF i+3,ΔG i+3 )+ΔH i+3 +ΔD i+3 +ΔW i+3 From the condition for step i+3, we have ΔD i+3 = 0, ΔH i+3 = 0, Δ∑ 0 (A i+3 ) = 0, Δ∑ 1 (E i+3 ) =0. We require ΔA i+4 = 0, Δ E i+4 = 0. So we deduce: ΔMaj i+3 (0,0,1)= 0 ΔW i+3 =- ΔCh i+3 (0,-1,1) Solution: A i+3 =A i+2 δ 3 =-ΔCh i+3 (0,-1,1) ΔAΔAΔBΔBΔCΔCΔDΔDΔEΔEΔFΔFΔGΔGΔHΔHΔWΔW i δ3δ3 i Example – step i+4

Technique for finding collisions for SHA-256 Solution of the system of equations A i-1 = A i+1 = A i+2 = A i+3 A i+1 =-1 E i+3 = E i+4 E i+6 = 0 E i+7 =-1 δ 1 =-1-ΔCh i+1 (1,0,0)- Δ∑ 1 (E i+1 ) δ 2 = Δ∑ 1 (E i+2 ) -ΔCh i+2 (-1,1,0) δ 3 =-ΔCh i+3 (0,-1,1) δ 4 =-1 Unsolved equation (no degrees of freedom left) ΔCh i+3 (0,0,-1)=-1 It holds with probability 1/3.

20-step reduced SHA-256 W x 1x 2x 3x 4x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15x 16xx xx 17xx x x 18xxxx xxx 19xxxx xx x 20xxxxx xxxxx 21xxxx xxxxx x 22xxxxx xxxxxxx x Collision  Perturbation in W 5.  Corrections in W 6, W 7, W 8, W 13.  Message expansion after the step 13 doesn’t use any of these words  Complexity = 1/3

21-step reduced SHA-256 W x 7x 8x 9x x 15 16xx 17 18xx 19 20xx 21xx 22xxxx Collision  Perturbation in W 6.  Corrections in W 7, W 8, W 9, W 14.  Message expansion uses W 9, W 14.  Additional equation is introduced: Δ σ 1 (W 14 ) + Δ W 9 = 0, where Δ W 14 =-1.  Total complexity is 2 19.

23-step reduced SHA-256 W x 10 x 11 x 12 x x 17 x 18 xx 19 xx 20 xx 21 xx 22 xx Semi-free start collision  Perturbation in W 9.  Corrections in W 10, W 11, W 12. W 17 is extended word, so it is not possible to control it directly.  Message expansion uses W 9, W 10, W 11, W 12.  In the original differential path there is no difference in W 16. We have to slightly change our differential path. New system of equations is introduced and solved.  In order to control W 17  Additional equations are introduced in order to keep the differences zero after the last step of the path.  Total complexity is 2 21.

25-step reduced SHA-256 W x 10 x 11 x 12 x x 17 x 18 xx 19 xx 20 xx 21 xx 22 xx Semi-free start near collision with Hamming distance of 17 bits  Extend semi-free start collision for 23-step reduced SHA-256.  Minimize the Hamming distance of the introduced differences for A and E registers.  Total complexity is 2 34.

Conclusions  Technique applicable to SHA-224, SHA-384, and SHA-512.  No real treat for the security of SHA-2.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.