Abstract
For an n-bit random permutation, there are three types of boomerang distinguishers, denoted as Type I, II and III, with generic complexities 2n, 2n/3 and 2n/2 respectively. In this paper, we try to evaluate the security margins of three hash functions namely SHA-512, SHA-256 and DHA-256 against the boomerang attack. Firstly, we give a boomerang attack on 48-step SHA-512 with a practical complexity of 251. The correctness of this attack is verified by providing a Type III boomerang quartet. Then, we extend the existing differential characteristics of the three hash functions to more rounds. We deduce the sufficient conditions and give thorough evaluations to the security margins as follows: Type I boomerang method can attack 54-step SHA-512, 51-step SHA-256 and 46-step DHA-256 with complexities 2480, 2218 and 2236 respectively. Type II boomerang method can attack 51-step SHA-512, 49-step SHA-256 and 43-step DHA-256 with complexities 2158.50, 272.91 and 274.50 respectively. Type III boomerang method can attack 52-step SHA-512, 50-step SHA-256 and 44-step DHA-256 with complexities 2223.80, 2123.63 and 299.85 respectively.
摘要
创新点
本文研究了飞去来器方法对 SHA-512, SHA-256 和 DHA-256 三种哈希函数的攻击效率。 首次给出了对 48 轮 SHA-512 的实际飞去来器攻击结果, 攻击复杂度为$2^{51}$。 通过扩展现有的查分路径, 证明:
-
I
型飞去来器方法可以攻击 54 轮 SHA-512, 51 轮 SHA-256 和 46 轮 DHA-256。 攻击复杂度分别为$2^{480}$, $2^{218}$和$2^{236}$。
-
II
型飞去来器方法可以攻击 51 轮 SHA-512, 49 轮 SHA-256 和 43 轮 DHA-256。 攻击复杂度分别为$2^{158.50}$, $2^{72.91}$和$2^{74.50}$。
-
III
型飞去来器方法可以攻击 52 轮 SHA-512, 50 轮 SHA-256 和 44 轮 DHA-256。 攻击复杂度分别为$2^{223.80}$, $2^{123.63}$和$2^{99.85}$。
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Wang X Y, Yu H B. How to break MD5 and other hash functions. In: Proceedings of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, 2005. 19–35
Wang X Y, Yin Y L, Yu H B. Finding collisions in the full SHA-1. In: Proceedings of 25th Annual International Cryptology Conference, Santa Barbara, 2005. 17–36
Kayser R F. Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Register, 2007, 72: 62
Isobe T, Shibutani K. Preimage attacks on reduced Tiger and SHA-2. In: Proceedings of 16th International Workshop on Fast Software Encryption, Leuven, 2009. 139–155
Guo J, Ling S, Rechberger C, et al. Advanced meet-in-the-middle preimage attacks: first results on full Tiger, and improved results on MD4 and SHA-2. In: Proceedings of 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, 2010. 56–75
Khovratovich D, Rechberger C, Savelieva A. Bicliques for preimages: attacks on Skein-512 and the SHA-2 Family. In: Proceedings of 19th International Workshop on Fast Software Encryption, Washington, DC, 2012. 244–263
Mendel F, Pramstaller N, Rechberger C, et al. Analysis of step-reduced SHA-256. In: Proceedings of 13th International Workshop on Fast Software Encryption, Graz, 2006. 126–143
Sanadhya S K, Sarkar P. New collision attacks against up to 24-step SHA-2. In: Proceedings of 9th International Conference on Cryptology in India, Kharagpur, 2008. 91–103
Nikolic I, Biryukov A. Collisions for step-reduced SHA-256. In: Proceedings of 15th International Workshop on Fast Software Encryption, Lausanne, 2008. 1–15
Indesteege S, Mendel F, Preneel B, et al. Collisions and other non-random properties for step-reduced SHA-256. In: Proceedings of 15th International Workshop on Selected Areas in Cryptography, Sackville, 2008. 276–293
Mendel F, Nad T, Schläffer M. Finding SHA-2 characteristics: searching through a minefield of contradictions. In: Proceedings of 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, 2011. 288–307
Mendel F, Nad T, Schläffer M. Improving local collisions: new attacks on reduced SHA-256. In: Proceedings of 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, 2013. 262–278
Lee J, Chang D, Kim H, et al. A new 256-bit hash function DHA-256: enhancing the security of SHA-256. In: Proceedings of Cryptographic Hash Workshop Hosted by NIST, 2005. https://cse.sc.edu/~buell/csce557/NIST SHA/ChangD DHA256.pdf
Wagner D. The boomerang attack. In: Proceedings of 6th International Workshop on Fast Software Encryption, Rome, 1999. 156–170
Kelsey J, Kohno T, Schneier B. Amplified boomerang attacks against reduced-round MARS and Serpent. In: Proceedings of 7th International Workshop on Fast Software Encryption, New York, 2000. 75–93
Biham E, Dunkelman O, Keller N. The rectangle attack—rectangling the Serpent. In: Proceeding of International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, 2001. 340–357
Biham E, Dunkelman O, Keller N. Related-Key boomerang and rectangle attacks. In: Proceedings of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, 2005. 507–525
Biryukov A, Nikolic I, Roy A. Boomerang attacks on BLAKE-32. In: Proceedings of 18th International Workshop on Fast Software Encryption, Lyngby, 2011. 218–237
Lamberger M, Mendel F. Higher-order differential attack on reduced SHA-256. IACR Cryptology ePrint Archive. 2011. 37. https://eprint.iacr.org/2011/037.pdf
Biryukov A, Lamberger M, Mendel F, et al. Second-order differential collisions for reduced SHA-256. In: Proceedings of 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, 2011. 270–287
Mendel F, Nad T. Boomerang distinguisher for the SIMD-512 compression function. In: Proceedings of 12th International Conference on Cryptology in India, Chennai, 2011. 255–269
Sasaki Y, Wang L. Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions. In: Proceedings of 10th International Conference on Applied Cryptography and Network Security, Singapore, 2012. 275–292
Sasaki Y, Wang L, Takasaki Y, et al. Boomerang distinguishers for full HAS-160 compression function. In: Proceedings of 7th International Workshop on Security, Fukuoka, 2012. 156–169
Leurent G, Roy A. Boomerang attacks on hash function using auxiliary differentials. In: Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, 2012. 215–230
Yu H B, Chen J Z, Wang X Y. The boomerang attacks on the round-reduced Skein-512. In: Proceedings of 19th International Conference on Selected Areas in Cryptography, Windsor, 2012. 287–303
Kircanski A, Shen Y Z, Wang G L, et al. Boomerang and slide-rotational analysis of the SM3 hash function. In: Proceedings of 19th International Conference on Selected Areas in Cryptography, Windsor, 2012. 304–320
Bai D X, Yu H B, Wang G L, et al. Improved boomerang attacks on SM3. In: Proceedings of 18th Australasian Conference on Information Security and Privacy, Brisbane, 2013. 251–266
Bai D X, Yu H B, Wang G L, et al. Improved boomerang attacks on round-reduced SM3 and keyed permutation of BLAKE-256. IET Inf Secur, 2015, 9: 167–178
AlTawy R, Kircanski A, Youssef A M. Second order collision for the 42-step reduced DHA-256 hash function. Inf Process Lett, 2013, 113: 764–770
Menezes A, van Oorschot P C, Vanstone S A. Handbook of Applied Cryptography. CRC Press, 1996
US Department of Commerce. National Bureau of Standards, Secure Hash Algorithm, FIPS PUB 180-3. 2008
Wagner D. A generalized birthday problem. In: Proceedings of 22nd Annual International Cryptology Conference, Santa Barbara, 2002. 288–303
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Yu, H., Hao, Y. & Bai, D. Evaluate the security margins of SHA-512, SHA-256 and DHA-256 against the boomerang attack. Sci. China Inf. Sci. 59, 052110 (2016). https://doi.org/10.1007/s11432-015-5389-4
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s11432-015-5389-4