Paper 2016/374

Analysis of SHA-512/224 and SHA-512/256

Christoph Dobraunig, Maria Eichlseder, and Florian Mendel

Abstract

In 2012, NIST standardized SHA-512/224 and SHA-512/256, two truncated variants of SHA-512, in FIPS 180-4. These two hash functions are faster than SHA-224 and SHA-256 on 64-bit platforms, while maintaining the same hash size and claimed security level. So far, no third-party analysis of SHA-512/224 or SHA-512/256 has been published. In this work, we examine the collision resistance of step-reduced versions of SHA-512/224 and SHA-512/256 by using differential cryptanalysis in combination with sophisticated search tools. We are able to generate practical examples of free-start collisions for 44-step SHA-512/224 and 43-step SHA-512/256. Thus, the truncation performed by these variants on their larger state allows us to attack several more rounds compared to the untruncated family members. In addition, we improve upon the best published collisions for 24-step SHA-512 and present practical collisions for 27 steps of SHA-512/224, SHA-512/256, and SHA-512.

Metadata
Available format(s): PDF
Category: Secret-key cryptography
Publication info: A major revision of an IACR publication in ASIACRYPT 2015
Keywords: hash functions, cryptanalysis, collisions, free-start collisions, SHA-512/224, SHA-512/256, SHA-512, SHA-2
Contact author(s): maria eichlseder @ iaik tugraz at
History: 2016-04-14: received
Short URL: https://ia.cr/2016/374
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2016/374,
      author = {Christoph Dobraunig and Maria Eichlseder and Florian Mendel},
      title = {Analysis of SHA-512/224 and SHA-512/256},
      howpublished = {Cryptology ePrint Archive, Paper 2016/374},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/374}},
      url = {https://eprint.iacr.org/2016/374}
}