[148487] in cryptography@c2.net mail archive
Re: [Cryptography] Preimage Attacks on 41-Step SHA-256 and 46-Step
daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Tue Dec 17 13:47:46 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <B67796F1-8862-4525-B0A9-6FE3B82F30B8@gmail.com>
Date: Tue, 17 Dec 2013 08:12:32 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Robert Hettinga <hettinga@gmail.com>
Cc: Cryptography List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============4041063515061215857==
Content-Type: multipart/alternative; boundary=e89a8f2356bd60f7a404edbaaefd
--e89a8f2356bd60f7a404edbaaefd
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On Mon, Dec 16, 2013 at 9:12 PM, Robert Hettinga <hettinga@gmail.com> wrote=
:
>
>
> http://www.scholr.ly/paper/2078146/preimage-attacks-on-41-step-sha-256-an=
d-46-step-sha-512
>
> Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512
>
> Abstract
>
> Abstract. In this paper, we propose preimage attacks on 41-step SHA-256
> and 46-step SHA-512, which drastically increase the number of attacked
> steps compared to the best previous preimage attack working for only 24
> steps. The time complexity for 41-step SHA-256 is 2 253.5 compression
> function operations and the memory requirement is 2 16 =D7 10 words. The =
time
> complexity for 46-step SHA-512 is 2 511.5 compression function operations
> and the memory requirement is 2 3 =D7 10 words. Our attack is a
> meet-in-the-middle attack. We first consider the application of previous
> meet-in-the-middle attack techniques to SHA-2. We then analyze the messag=
e
> expansion of SHA-2 by considering all previous techniques to find a new
> independent message-word partition. We first explain the attack on 40-ste=
p
> SHA-256 whose complexity is 2 249 to describe the ideas. We then explain
> how to extend the attack. 1
>
This is not particularly impressive or worrisome. The attack is on a reduce
strength version of the algorithm and the time complexity is 2^253.5 for
SHA256.
If this is the best that can be done, we are in good shape.
--=20
Website: http://hallambaker.com/
--e89a8f2356bd60f7a404edbaaefd
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quo=
te">On Mon, Dec 16, 2013 at 9:12 PM, Robert Hettinga <span dir=3D"ltr"><=
<a href=3D"mailto:hettinga@gmail.com" target=3D"_blank">hettinga@gmail.com<=
/a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><br>
<a href=3D"http://www.scholr.ly/paper/2078146/preimage-attacks-on-41-step-s=
ha-256-and-46-step-sha-512" target=3D"_blank">http://www.scholr.ly/paper/20=
78146/preimage-attacks-on-41-step-sha-256-and-46-step-sha-512</a><br>
<br>
Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512<br>
<br>
Abstract<br>
<br>
Abstract. In this paper, we propose preimage attacks on 41-step SHA-256 and=
46-step SHA-512, which drastically increase the number of attacked steps c=
ompared to the best previous preimage attack working for only 24 steps. The=
time complexity for 41-step SHA-256 is 2 253.5 compression function operat=
ions and the memory requirement is 2 16 =D7 10 words. The time complexity f=
or 46-step SHA-512 is 2 511.5 compression function operations and the memor=
y requirement is 2 3 =D7 10 words. Our attack is a meet-in-the-middle attac=
k. We first consider the application of previous meet-in-the-middle attack =
techniques to SHA-2. We then analyze the message expansion of SHA-2 by cons=
idering all previous techniques to find a new independent message-word part=
ition. We first explain the attack on 40-step SHA-256 whose complexity is 2=
249 to describe the ideas. We then explain how to extend the attack. 1<br>
</blockquote><div><br></div><div><br></div><div>This is not particularly im=
pressive or worrisome. The attack is on a reduce strength version of the al=
gorithm and the time complexity is 2^253.5 for SHA256.</div><div><br></div>
<div>If this is the best that can be done, we are in good shape.</div><div>=
<br></div><div>=A0</div></div>-- <br>Website: <a href=3D"http://hallambaker=
.com/">http://hallambaker.com/</a><br>
</div></div>
--e89a8f2356bd60f7a404edbaaefd--
--===============4041063515061215857==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============4041063515061215857==--
