Paper 2008/130

Analysis of Step-Reduced SHA-256

Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen


This is the first article analyzing the security of SHA-256 against fast collision search which considers the recent attacks by Wang et al. We show the limits of applying techniques known so far to SHA-256. Next we introduce a new type of perturbation vector which circumvents the identified limits. This new technique is then applied to the unmodified SHA-256. Exploiting the combination of Boolean functions and modular addition together with the newly developed technique allows us to derive collision-producing characteristics for step-reduced SHA-256, which was not possible before. Although our results do not threaten the security of SHA-256, we show that the low probability of a single local collision may give rise to a false sense of security.

Note: In Appendix C, this version gives the correct (shifted) characteristic. In Appendix D, this version corrects a 32-bit word in Table 10, and adapts some terms to a more standard nomenclature. Thanks to Somitra Kumar Sanadhyaand and Hongbo Yu for helping us to spot those errors.

Available format(s)
Publication info
Published elsewhere. Fast Software Encryption (FSE) 2006. pp 126-143
Contact author(s)
christian rechberger @ iaik tugraz at
2008-03-25: received
Short URL
Creative Commons Attribution


      author = {Florian Mendel and Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
      title = {Analysis of Step-Reduced SHA-256},
      howpublished = {Cryptology ePrint Archive, Paper 2008/130},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.