Cryptology ePrint Archive: Report 2008/130

Analysis of Step-Reduced SHA-256

Florian Mendel and Norbert Pramstaller and Christian Rechberger and Vincent Rijmen

Abstract: This is the first article analyzing the security of SHA-256 against fast collision search which considers the recent attacks by Wang et al. We show the limits of applying techniques known so far to SHA-256. Next we introduce a new type of perturbation vector which circumvents the identified limits. This new technique is then applied to the unmodified SHA-256. Exploiting the combination of Boolean functions and modular addition together with the newly developed technique allows us to derive collision-producing characteristics for step-reduced SHA-256, which was not possible before. Although our results do not threaten the security of SHA-256, we show that the low probability of a single local collision may give rise to a false sense of security.

Category / Keywords:

Publication Info: Fast Software Encryption (FSE) 2006. pp 126-143

Date: received 23 Mar 2008, last revised 24 Mar 2008

Contact author: christian rechberger at iaik tugraz at

Available formats: Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Note: In Appendix C, this version gives the correct (shifted) characteristic. In Appendix D, this version corrects a 32-bit word in Table 10, and adapts some terms to a more standard nomenclature. Thanks to Somitra Kumar Sanadhyaand and Hongbo Yu for helping us to spot those errors.

Version: 20080325:122235 (All versions of this report)

Discussion forum: Show discussion | Start new discussion