Improving Local Collisions:

New Attacks on Reduced SHA-256

Florian Mendel, Tomislav Nad, Martin Schläffer

IAIK, Graz University of Technology, Austria

[email protected]

Abstract. In this paper, we focus on the construction of semi-free-start

collisions for SHA-256, and show how to turn them into collisions. We
present a collision attack on 28 steps of the hash function with practical
complexity. Using a two-block approach we are able to turn a semi-free-
start collision into a collision for 31 steps with a complexity of at most
265.5 . The main improvement of our work is to extend the size of the
local collisions used in these attacks. To construct differential character-
istics and confirming message pairs for longer local collisions, we had to
improve the search strategy of our automated search tool. To test the
limits of our techniques we present a semi-free-start collision for 38 steps.

Keywords: hash functions, SHA-2, cryptanalysis, collisions, semi-free-

start collisions, differential characteristics, automatic search tool

1 Introduction

Since 2005, many collision attacks have been shown for commonly used and stan-
dardized hash functions. In particular, the collision attacks of Wang et al. [19,20]
on MD5 and SHA-1 have convinced many cryptographers that these widely de-
ployed hash functions can no longer be considered secure. As a consequence,
NIST has proposed the transition from SHA-1 to the SHA-2 family. Many com-
panies and organization follow this advice and migrate to SHA-2. Additionally,
SHA-2 is faster on many platforms than the recently chosen winner of the SHA-3
competition [16]. Hence, NIST explicitly recommends both, SHA-2 and SHA-3.
Therefore, the cryptanalysis of SHA-2 is still of high interest.
In the last few years several cryptanalytic results have been published for
SHA-256. The security of SHA-256 against preimage attacks was first studied
by Isobe and Shibutani in [6]. They have presented a preimage attack on 24
out of 64 steps. This was improved by Aoki et al. to 43 steps in [1] and later
extended to 45 steps by Khovratovich et al. in [7]. In [10] Li et al. have shown
how a particular preimage attack can be used to construct a free-start collision
attack for 52 steps of SHA-256. All attacks are only slightly faster than the
generic attack which has a complexity of 2256 for preimages and 2128 for free-
start collisions. Furthermore, second-order differential collisions for SHA-256 up
to 47 steps with practical complexity have been shown in [2, 8].
T. Johansson and P. Nguyen (Eds.): EUROCRYPT 2013, LNCS 7881, pp. 262–278, 2013.
The original publication is available at http://www.springerlink.com/

c International Association for Cryptologic Research 2013
 Improving Local Collisions: New Attacks on Reduced SHA-256 263

In [17] Nikolić and Biryukov, studied the security of SHA-256 with respect to
collision attacks. They found a differential characteristic resulting in a collision
attack for 23 steps of SHA-256. Later this approach was extended to a collision
attack on 24 steps [5, 18]. All these results use rather simple local collisions
spanning over 9 steps, which are constructed mostly manually or using basic
cryptanalytic tools. However, as pointed out in [5] it is unlikely that this approach
can be extended beyond 24 steps.
Recently, Mendel et al. proposed a technique to use local collisions spanning
over a higher number of steps. The main improvement is to use an automated
search tool to construct the differential characteristics and to find confirming
message pairs. Using local collisions spanning over more than 9 steps, a collision
attack on 27 steps and a semi-free-start collision attack on 32 steps of SHA-256
has been shown. Both attacks have practical complexity. Currently, these are
the best collision attacks on SHA-256 with practical complexity.
In this paper, we improve upon these collision attacks on SHA-256. We
present collisions for the hash function on up to 31 out of 64 steps with complex-
ity of at most 265.5 , and semi-free-start collisions on 38 steps with complexity of
237 . We get these attacks by extending the size of the local collision to up to 18
steps. Furthermore, we try to ensure that the first message words do not contain
any differences. This way, we can convert most of our semi-free-start collision
attacks into collision attacks on the hash function.
The remainder of this paper is structured as follows. A description of the
hash function is given in Sect. 2. A high-level overview of our attacks is given
in Sect. 3. In Sect. 4 we show how we construct local collisions spanning over a
higher number of steps. We show how to construct the differential characteristics
in Sect. 5. In Sect. 6 we present our results and show how to turn (some of) the
semi-free-start collision into collisions. Finally, we conclude in Sect. 7.

2 Description of SHA-256
SHA-256 is an iterated hash function that pads and processes the input message
using t 512-bit message blocks mj . The 256-bit hash value is computed using
the compression function f :
h0 = IV
hj+1 = f (hj , mj ) for 0 ≤ j < t
hash = ht
In the following, we briefly describe the compression function f of SHA-256.
It basically consists of two parts: the message expansion and the state update
transformation. A more detailed description of SHA-256 is given in [15].

2.1 Message Expansion

The message expansion of SHA-256 splits the 512-bit message block into 16
words Mi , i = 0, . . . , 15, and expands them into 64 expanded message words Wi
264 Florian Mendel, Tomislav Nad, Martin Schläffer

as follows:

Mi 0 ≤ i < 16
Wi =
σ1 (Wi−2 ) + Wi−7 + σ0 (Wi−15 ) + Wi−16 16 ≤ i < 64

The functions σ0 (x) and σ1 (x) are given by

σ0 (x) = (x ≫ 7) ⊕ (x ≫ 18) ⊕ (x  3)
σ1 (x) = (x ≫ 17) ⊕ (x ≫ 19) ⊕ (x  10)

2.2 State Update Transformation

We use the alternative description of the SHA-256 state update given in [13],
which is illustrated in Fig. 1.

Ai−1 Ai−2 Ai−3 Ai−4 Ei−1 Ei−2 Ei−3 Ei−4

−
Σ0 + Σ1
Ki
MAJ

IF Wi

Ai Ai−1 Ai−2 Ai−3 Ei Ei−1 Ei−2 Ei−3

Fig. 1. The state update transformation of SHA-256.

The state update transformation starts from the previous 256-bit chaining value
hj = (A−4 , . . . , A−1 , E−4 , . . . , E−1 ) which is updated by applying the step func-
tions 64 times. In each step i = 0, . . . , 63 the expanded 32-bit word Wi is used
to compute the two state variables Ei and Ai as follows:

Ei = Ai−4 + Ei−4 + Σ1 (Ei−1 ) + IF(Ei−1 , Ei−2 , Ei−3 ) + Ki + Wi

Ai = Ei − Ai−4 + Σ0 (Ai−1 ) + MAJ(Ai−1 , Ai−2 , Ai−3 ).

For the definition of the step constants Ki we refer to [15]. The bitwise Boolean
functions IF and MAJ used in each step are defined by

IF(x, y, z) = xy ⊕ xz ⊕ z
MAJ(x, y, z) = xy ⊕ yz ⊕ xz,
 Improving Local Collisions: New Attacks on Reduced SHA-256 265

and the linear functions Σ0 and Σ1 are defined as follows:

Σ0 (x) = (x ≫ 2) ⊕ (x ≫ 13) ⊕ (x ≫ 22)

Σ1 (x) = (x ≫ 6) ⊕ (x ≫ 11) ⊕ (x ≫ 25).

After the last step of the state update transformation, the previous chaining
value is added to the output of the state update (Davies-Meyer construction).
The result is the chaining value hj+1 for the next message block mj+1 .

3 Basic Attack Strategy

In this section, we give a high-level overview of our collision attacks on SHA-256.

We first construct semi-free-start collisions for SHA-256 based on a local collision
and then turn these collisions on the compression function into collisions on the
hash function. This is possible if enough message words can be chosen freely at
the input of the compression function. The main difficulty lies in the construction
of semi-free-start collisions which offer enough free message words to turn them
into collisions.

3.1 Constructing Local Collisions

If the local collision starts at step n, we get n free message words at the beginning
of a differential characteristic. In this case message words W0 , . . . , Wn−1 do not
contain any differences. Hence, they can be chosen (almost) freely to match the
initial value or the chaining value of the first block [5]. Note that in some cases,
a few bits of these message words may be needed to fulfill conditions in the
message expansion.
For our collision attack on 28 steps, we need a local collision with t = 11
steps which starts in step n = 8 and ends in step 18 (see Fig. 2). For our attack
on 31 steps, we use a local collision with t = 14 steps which starts in step n = 5
and ends in step 18 (see Fig. 2). Although, these local collision spans over fewer
words in Ei (t − 4 words) and Ai (t − 8 words), a lot of freedom is still needed
to fulfill all the conditions imposed by the differential characteristic.
Therefore, we use local collisions which are sparse, especially in steps greater
than 16. Since the message difference has the largest influence, we aim for a small
number of message words which contain differences (see Sect. 4). Additionally,
we try to keep the number of differences in the later words of Ai and Ei low.
This significantly reduces the search space and improves the running time of our
automatic search algorithm (see Sect. 5).

3.2 Turning Semi-free-start Collisions into Collisions

In SHA-256 a semi-free-start collision can easily be turned into a collision, if

the first 8 message words can be chosen freely. In this case, we can choose the 8
message words to match the 8 words of the initial value [5]. We use this approach
266 Florian Mendel, Tomislav Nad, Martin Schläffer

-4 -4
(A) (E)
-3
-2 IV (A) IV (E) -3
-2 h1 h1
-1 -1
0 0
1 1
2 2
3 3
4 4
5 5
6
m0 6
7
8
7
8
m1
9 9
10 10
11 11
12 12
t = 14
13 t = 11 13
14 14
15 15
16 16
17 17
18 18
19 19
20 20
21 21
22 22
23
24 Ai Ei Wi 23
24 Ai Ei Wi
25 25
26 26
27 27
0 28
1 (A) (E) 29
2
3
h1 h1 30
0
1 (A) (E)
2
3
h2 h2

Fig. 2. Two approaches to construct collisions for SHA-256. The left approach
uses 8 free message words to turn a semi-free-start collision on 28 steps into a
collision on the hash function. The right approach uses random first blocks to
increase the freedom and thus, the size of the local collision.

in our collision attack on 28 steps of SHA-256 (see Fig. 2). However, by attacking
a higher number of steps a lot of freedom is needed for message modification, in
particular after step 15. Therefore, we aim for local collisions resulting in only a
few conditions after step 15, which limits the size of the local collision.
However, to get an attack on a higher number of steps, we need to increase
the size of the local collision. This is possible by using a 2-block approach. In
this case, we need less free message words at the beginning of the compression
function. More specifically, by using an unbalanced meet-in-the-middle approach
and computing 2k random first blocks, we only need 256 − k free message bits
to match the previous chaining value. If the complexity of finding a confirming
message pair for the semi-free-start collision is 2x , the total complexity of this
approach will be max(2k , 2x · 2128−k ). We use this approach in our attack on 31
steps of SHA-256 (see Fig. 2). We construct the local collision such that the first
5 message words can be chosen freely.

3.3 Searching for Differential Characteristics and Message Pairs

A differential attack usually consists of two main steps: constructing a differ-

ential characteristic and finding a confirming message pair. Unfortunately, both
steps are difficult and depend highly on the hash function under attack. For
 Improving Local Collisions: New Attacks on Reduced SHA-256 267

our collision attacks on SHA-2 we proceed according to the following high-level

overview:

– Find a differential characteristic

1. Choose (sparse) message difference
2. Determine sparse part of the differential characteristic
3. Determine dense part of the differential characteristic
– Find a confirming message pair
4. Use message modification in dense part of the characteristic
5. Perform random trials in sparse part of the characteristic
6. Use free message words to match the initial value (optional)

To search for differential characteristics and confirming message pairs, we use

the same approach and automatic search tool as in [13]. However, the selection
of starting points for the search (message words which contain differences) and
the search strategy have been improved. We try to minimize both, the number
of message words which contain differences and the conditions on the expanded
message words (see Sect. 4). This allows us to construct sparser differential
characteristics and increases the freedom in the message words.
We start the search by first constructing a differential characteristic for the
message expansion. Next, we guess on the last few state words of the local
collision to keep the differential characteristic sparse towards the end. This im-
proved guessing strategy is essential for our attack to work. Finally, we continue
the search to find a confirming message pair.

4 Determining Message Words with Differences

In this section, we show how to construct local collisions, which result in a (semi-
free-start) collision attack on a high number of rounds. The previously best
results on SHA-256 have been published by Mendel et al. in [13]. Using a local
collision on t = 11 steps with differences in 5 message words they have shown
a collision for 27 steps of the SHA-256 hash function with practical complexity.
Additionally, a local collision on t = 16 steps with differences in 8 expanded
message words has been used to construct semi-free-start collisions on 32 steps
of SHA-256. To improve on these attacks, we need to increase the length t of the
local collision, while still keeping the part without differences large.

4.1 Constructing Local Collisions in SHA-256

Compared to previous attacks [5, 13, 17, 18], we are able to find differential char-
acteristics over a much larger number of steps in the state update of SHA-256
(see Sect. 5). This allows us to increase the size t of the local collision. However,
for large values of t the complexity of a local collision increases significantly. The
larger the value of t, the more freedom is needed to find a confirming message
pair. Since we additionally need free message words to turn a semi-free-start
collision into a collision, we need to reduce the complexity of the local collision.
268 Florian Mendel, Tomislav Nad, Martin Schläffer

Table 1. Message word differences and message word conditions for the attacks
on 28 steps (left), 31 steps (middle) and 38 steps (right) steps of SHA-256. Rows
show the individual steps of the message expansion to compute Wi . Columns
(and highlighted rows) show those expanded message words which contain a
difference. An occurrence of a message word in the message expansion equation
is denoted by ’x’. For all rows which are not highlighted but contain an ’x’, the
message differences must cancel.

Wi 8 9 13 16 18 Wi 5 6 7 8 9 16 18 Wi 7 8 10 15 23 24
0 0 0
1 1 1
2 2 2
3 3 3
4 4 4
5 5 x 5
6 6 x 6
7 7 x 7 x
8 x 8 x 8 x
9 x 9 x 9
10 10 10 x
11 11 11
12 12 12
13 x 13 13
14 14 14
15 15 15 x
16 x x 16 x x 16
17 17 17 x x
18 x x 18 x x 18
19 19 19
20 x x 20 x x 20
21 21 x x 21
22 22 x x 22 x x
23 x x 23 x x x 23 x x x
24 x x 24 x x 24 x x
25 x x 25 x x 25 x x
26 26 26 x x
27 27 27
28 28
29 29
30 30 x x
31 x x
32
33
34
35
36
37
 Improving Local Collisions: New Attacks on Reduced SHA-256 269

This is possible be reducing the number of message words which contain dif-
ferences. The freedom of every message word which does not contain a difference
can be used more easily for message modification. Additionally, we require that
the expanded message words cancel each other, such that we get a high number
of steps which do not contain any differences at all. This cancellation of mes-
sage word differences results in conditions on the message expansion, and fewer
message words with differences result in fewer conditions.
To find good candidates for local collisions and message word differences, we
first need to determine the initial constraints. To turn a semi-free-start collision
into a collision attack, we need to have no differences in the first (ideally 8)
message words. Furthermore, we consider only local collisions with t > 9 which
result in (semi-free-start) collision attacks on more than 27 steps. We prefer
local collisions with small values of t and which result in fewer conditions on the
expanded message words. In particular, we try to avoid many conditions (and
thus, message words with differences) after step 16 since they are more difficult
to fulfill.

4.2 Candidates of Good Local Collisions

For each candidate of t, we identify those message words which must have differ-
ences such that the differential characteristic holds for a large number of steps.
Then, we minimize the number of conditions on the expanded message and the
number of message words with differences. Using this strategy, we get many
possible candidates for good local collisions. For the three candidates shown in
Table 1 we are able to construct differential characteristics (see Sect. 5) and
present collision and semi-free-start collision attacks (see Sect. 6).
The first local collision in Table 1 spans over t = 11 steps (step 8-18) and
results in a collision on 28 steps of SHA-256. The local collision has differences in
only 5 message words (W8 , W9 , W13 , W16 , W18 ) and we get 4 conditions in step
20, 23, 24, and 25 of the message expansion. The first 8 message words do not
contain any differences and therefore, we can turn a semi-free-start collision into
a real collision for SHA-256.
To extend the collision attacks on SHA-256 to more steps, we drop the con-
dition that the first 8 message words should have no differences. If only the 5
first message words contain no differences, we can still get an attack below the
birthday bound using a 2-block approach (see Sect. 3). We get a local collision
spanning over t = 14 steps (step 5-18) with differences in only 7 expanded mes-
sage words (W5 , . . . , W9 , W16 , W18 ) which results in a collision attack on 31 steps
of SHA-256. We get 6 conditions in step 20–25 of the message expansion (see
Table 1).
Finally, if we only search for local collisions which result in a semi-free-start
collision, we can extend the number of steps to attack even further. Using a local
collision spanning over t = 18 steps with differences in only 6 expanded message
words (W7 , W8 , W10 , W15 , W23 , W24 ) we can get an attack on up to 38 steps of
SHA-256. We get conditions in 6 steps of the message expansion (see Table 1).
270 Florian Mendel, Tomislav Nad, Martin Schläffer

5 Finding Differential Characteristics

After the message words which contain differences are fixed, we need to find a
differential characteristic. Due to the increased complexity of SHA-2 compared
to other members of the MD4 family, finding good (high probability) differential
characteristics by hand is almost impossible. We use the techniques developed
by Mendel et al. which have been applied in several attacks on ARX-based hash
functions [11–14]. Using an automated search tool, complex nonlinear differen-
tial characteristics can be found. Additionally, the tool can be used for solving
nonlinear equations involving conditions on state and message words (i.e. for
message modification).

5.1 Automated Search for Differential Characteristics

The basic idea of the search algorithm is to pick and guess previously unrestricted
bits. After each guess, the information due to these restrictions is propagated to
other bits. If an inconsistency occurs, the algorithm backtracks to an earlier state
of the search and tries to correct it. Similar to [13], we denote these three parts
of the search by decision (guessing), deduction (propagation), and backtracking
(correction). Then, the search algorithm proceeds as follows:

Let U be a set of bits. Repeat the following until U is empty:

Decision (Guessing)
1. Pick randomly (or according to some heuristic) a bit in U .
2. Impose new constraints on this bit.
Deduction (Propagation)
3. Propagate the new information to other variables and equations as de-
scribed in [13].
4. If an inconsistency is detected start backtracking, else continue with step
1.
Backtracking (Correction)
5. Try a different choice for the decision bit.
6. If all choices result in an inconsistency, mark the bit as critical.
7. Jump back until the critical bit can be resolved.
8. Continue with step 1.

In the deduction, we use generalized conditions on bits [4] to propagate infor-

mation. A generalized condition takes all 16 possible conditions on a pair of bits
into account. Table 2 lists these conditions and introduces a notation for them.
We also use generalized conditions to represent the differential characteristics
in the remainder of this paper. During the search, we propagate information
and backtrack as proposed in [13]. Similar to [13], we additionally consider lin-
ear conditions on two related bits (Xj ⊕ Xk = {0, 1}) during the search for a
confirming message pair.
The main difficulty in finding a long differential characteristic lies in the fine-
tuning of the search algorithm. There are a lot of variations possible which can
 Improving Local Collisions: New Attacks on Reduced SHA-256 271

Table 2. Notation for all generalized conditions on a pair of bits [4].

(Xi , Xi ∗ ) (0, 0) (1, 0) (0, 1) (1, 1) (Xi , Xi∗ ) (0, 0) (1, 0) (0, 1) (1, 1)
? X X X X 3 X X - -
- X - - X 5 X - X -
x - X X - 7 X X X -
0 X - - - A - X - X
u - X - - B X X - X
n - - X - C - - X X
1 - - - X D X - X X
# - - - - E - X X X

decide whether the search succeeds or fails. The main improvement compared
to [13] results from an improved decision (guessing) part of the search algorithm.
Instead of randomly choosing bits from the whole set of unrestricted bits, we
split the set in specific sub-sets. These sub-sets are chosen such that the resulting
differential characteristic gets sparser and the search terminates faster. We cover
these improvements which led to the new results on SHA-256 in the following
section.

5.2 Improved Decision Strategy for SHA-256

Note that already the starting point has a large influence on the efficiency of
finding a differential characteristic. In the case of our attacks on SHA-256, we
have chosen a starting point where the local collision is not so long and only
a few message words contain differences. This significantly reduces the search
space for the automatic search tool. To further improve the efficiency of the
tool, we reduce the search space further by separating the search into 3 stages,
compared to two stages in [13].
In each stage, we define a different set of unrestricted bits in Ui . This way,
we can control the order in which we guess bits. For the local collisions given in
the previous section, the best strategy is to first search for a differential charac-
teristic in the message expansion. Then, we continue by searching for a sparse
characteristic in the state update and finally, we search for a confirming message
pair. The stages are executed sequentially but we dynamically switch between
them if a contradiction occurs. If necessary, we try to correct contradictions
by backtracking into the previous stages and continue the search from there.
Additionally, we restart the search from scratch after a certain amount of incon-
sistencies occurred. This terminates search branches for which it is unlikely that
a solution can be found. The three stages can be summarized as follows:

Stage 1: We first search for a consistent differential characteristic in the mes-

sage expansion. Hence, we only add unconstrained bits ’?’ or ’x’ of Wi to the
set U1 . Furthermore, we try to reduce the number of conditions after step
15 in the message expansion. In this case, it is more likely to find confirming
message pairs in the last stage of the search. To get a sparser characteristic
272 Florian Mendel, Tomislav Nad, Martin Schläffer

in this area, we pick decision bits more often from the last few steps of the
message expansion.
Stage 2: Once we have found a differential characteristic for the message ex-
pansion, we continue with searching for a differential characteristic in the
state update. We add all unconstrained bits ’?’ or ’x’ of A and E to the
set U2 . Note that we pick decision bits more often from A, since this results
in sparser characteristics for A. Similar to Stage 1, experiments have shown
that in this case, confirming message pairs are easier to find in the last stage.
Stage 3: In the last stage, we search for confirming inputs. We only pick decision
bits ’-’ which are constraint by linear two-bit conditions, similar as in [13].
This ensures that those bits which influence a lot of other bits are guessed
first. Additionally, at least all bits influenced by two-bit conditions propagate
as well. This way, inconsistent characteristics can be detected earlier and
valid solutions are found faster.

Note that after Stage 3 finishes, we already get a confirming message pair which
results in a semi-free-start collision. The corresponding differential characteristics
for 28, 31 and 38 steps of SHA-256, including bits marked with linear conditions
on two bits are given in Table 3, 4 and 5. Note that for SHA-2, the characteristics
are in general too complex to list all conditions (including non-linear conditions
on two or more bits). Therefore, all our characteristics are verified by providing
conforming message pairs in the appendix.

6 Finding Confirming Message Pairs

In this section, we present our results and show how to turn (some of) the semi-
free-start collision into collisions on the hash function. To confirm our claims,
we present confirming message pairs for those steps of our attacks which have
practical complexity.

6.1 Collision for 28 Steps of SHA-256

Using the starting point given in Table 1 and the search strategy described in
Sect. 5, we can find a semi-free-start collision for 28 steps of SHA-256. Finding the
differential characteristic took about 5 hours on a single cpu, which is equivalent
to about 236.3 SHA-256 evaluations using the current version of OpenSSL as a
reference point.
Since we can (almost) freely choose the first 8 message words, this semi-free-
start collision can be turned into a collision on the hash function with almost
no cost. The confirming message pair is given in Table 6 and the according
differential characteristic is given in Table 3.

6.2 Collision for 31 Steps of SHA-256

Using the starting point given in Table 1, we can find a semi-free-start collision
on 31 steps of SHA-256, where the first 5 message words can be chosen freely.
 Improving Local Collisions: New Attacks on Reduced SHA-256 273

Table 3. Differential characteristic for the collision attack on SHA-256 reduced

to 28 steps. Bits with gray background have at least one additional condition.
i ∇Ai ∇Ei ∇Wi
-4 -------------------------------- --------------------------------
-3 -------------------------------- --------------------------------
-2 -------------------------------- --------------------------------
-1 -------------------------------- --------------------------------
0 -------------------------------- -------------------------------- --------------------------------
1 -------------------------------- -------------------------------- --------------------------------
2 -------------------------------- -------------------------------- --------------------------------
3 -------------------------------- -------------------------------- --------------------------------
4 -------------------------------- -------------------------------- --------------------------------
5 -------------------------------- -------------------------------- --------------------------------
6 ------------------------1------- -------------0----------00------ --------------------------------
7 ------------------------1------- ----------1--1-10-------11--1--- --------------------------------
8 -0uu-nuu-u-uu-nnn-uu---nu-n----- -0uu-1nu-uun-u-0uu-n0---nnu11--- nnnu----n-nn-u-u-n-n----n-n-----
9 -0-------n--u----------n1------- -1-1011-u1u0--0nn-0-u-n0010uu-0- 11--un1-un0nn--110-11u01uunnu---
10 nnnnnn----u-u--------u--u--uu--- 0n010n1011101011n011u1110n0nu01u --------------------------------
11 -1----------------------1------- -n-1un1-n111000n10n0110n10001-u0 --------------------------------
12 -1----------------------1------- 0011n111n00u0n11u0uu10110uu10-00 --------------------------------
13 -------------------------------- 000100010n011nuuuuuuuu1n11011101 ------n--n----------n--1n--n----
14 -------------------------------- 11-00u--0un0u000-00-u0nn-nnnu-0- ---1----------------------------
15 -------------------------------- -----1---10-11001011-00--0001--- --------------------------------
16 -------------------------------- -----1---01-1-------0-00-1111--- 1----u---0uun-----10un01uun-n---
17 -------------------------------- -------------------------------- --------------------------------
18 -------------------------------- -------------------------------- -----n----n-n------1-n01n-n-u---
19 -------------------------------- -------------------------------- --------------------------------
20 -------------------------------- -------------------------------- --------------------------------
21 -------------------------------- -------------------------------- --------------------------------
22 -------------------------------- -------------------------------- --------------------------------
23 -------------------------------- -------------------------------- --------------------------------
24 -------------------------------- -------------------------------- --------------------------------
25 -------------------------------- -------------------------------- --------------------------------
26 -------------------------------- -------------------------------- --------------------------------
27 -------------------------------- -------------------------------- --------------------------------

Finding the differential characteristic and confirming message pair for the semi-
free-start collision took about 21 hours on a single CPU, which is equivalent
to about 238.4 SHA-256 evaluations. The resulting differential characteristic is
given in Table 4. To demonstrate that we can indeed choose the 5 first message
words, we have set the last 5 chaining words to 0 (see Table 7).
In the characteristic on 31 steps, we have no differences in the first 5 message
words. Using a single semi-free-start collision and a two-block approach, we can
construct a collision for the SHA-256 hash function reduced to 31 steps with a
complexity of about 299.5 compression function evaluations. We start this part
of the attack with the differential characteristic given in Table 4 and continue
as follows:
1. Use the automatic tool to determine all expanded message words and state
variables in steps 5–12. This also determines the state words E1 –E4 and
A−3 –A4 . Note that this step of the attack takes only seconds and does not
contribute to the final attack complexity.
2. Compute 296 arbitrary first message blocks to fulfill the 96 conditions on the
chaining input A−3 –A−1 . This step of the attack has a complexity of about
296 SHA-256 evaluations and also determines the expanded message words
W0 –W4 .
274 Florian Mendel, Tomislav Nad, Martin Schläffer

Table 4. Differential characteristic for the collision attack on SHA-256 reduced

to 31 steps. Bits with gray background have at least one additional condition.
i ∇Ai ∇Ei ∇Wi
-4 -------------------------------- --------------------------------
-3 -------------------------------- --------------------------------
-2 -------------------------------- --------------------------------
-1 -------------------------------- --------------------------------
0 -------------------------------- -------------------------------- --------------------------------
1 -------------------------------- -------------------------------- --------------------------------
2 -------------------------------- -------------------------------- --------------------------------
3 ------------------------------0- -0----------------0------------- --------------------------------
4 ------------------------------00 -1---------1-----01---1-0--0--10 --------------------------------
5 -nnn-n-n-11----n--nu-1-------0n- 0nnnn1uu-0-1101n-1nu--0-11-1-0n1 u---uunu-------n---n----------n-
6 unnnn-------------------------0- n-n10111n--u11u00n10u1n-nn1n-1uu nn1-n---nu-nn--1u--0-un0--n0-nn-
7 -------------------n--------n-0u 101u0nn10-11011u-n111n110un1-nnn 00nn0n101-n1nnn1u0nn-n011u-1n0--
8 -------------------------------- 1-uu11110--0u10110n-10101010-0n0 0001u0001-000nuuun1n01nn-01nuuuu
9 -------------------------------- 101100uu111111nu111001--011110nn -----1---------un---0-----11un--
10 ----------------u------------u-- 1-00u1101001101un00--0001--u1n00 ---0--------------------------1-
11 -------------------------------- 010100u0nu1uuuuuu1001000000n1u10 --------------------------------
12 -------------------------------- 111nuuuuuuuuuuuuu001111101100n00 --------------------------------
13 -------------------------------- ---101-11-1-----1----------0-0-- --------------------------------
14 -------------------------------- ---100---0011111u-------1----u-- --------------------------------
15 -------------------------------- ----------------0------------0-- --------------------------------
16 -------------------------------- ----------------1------------1-- -------------unnnunnnnnnnnnnnn--
17 -------------------------------- -------------------------------- --------------------------------
18 -------------------------------- -------------------------------- ----------------n------------n--
19 -------------------------------- -------------------------------- --------------------------------
20 -------------------------------- -------------------------------- --------------------------------
21 -------------------------------- -------------------------------- --------------------------------
22 -------------------------------- -------------------------------- --------------------------------
23 -------------------------------- -------------------------------- --------------------------------
24 -------------------------------- -------------------------------- --------------------------------
25 -------------------------------- -------------------------------- --------------------------------
26 -------------------------------- -------------------------------- --------------------------------
27 -------------------------------- -------------------------------- --------------------------------
28 -------------------------------- -------------------------------- --------------------------------
29 -------------------------------- -------------------------------- --------------------------------
30 -------------------------------- -------------------------------- --------------------------------

3. At this point, the chaining value and the message words W0 –W12 are chosen.
Next, we use the freedom in the message words W13 –W15 to fulfill the con-
ditions on E13 –E15 and W16 , W18 . However, this step of the attack succeeds
only with a probability of about 1/12 (verified experimentally) since we have
just not enough freedom in W13 –W15 . If this step fails then we go back to
step 2.
To summarize, we can find a 2-block collision for SHA-256 reduced to 31 steps
with a complexity of about 12 · 296 ≈ 299.5 SHA-256 evaluations. Note that the
complexity of the attack can be improved significantly by using a meet-in-the-
middle approach.
Instead of computing only one solution in the first step of the attack, we
compute ` solutions and save them in a list L. In step 2 of the attack where we
compute an arbitrary first message blocks, we check for a match in the list L.
By increasing the size ` of the list, we can reduce the number of first message
blocks that we need to compute by a factor of 1/`.
The main question is how many entries in L can be computed in our attack.
Using our unoptimized code we have already found ` > 219.5 different solutions
 Improving Local Collisions: New Attacks on Reduced SHA-256 275

Table 5. Differential characteristic for the semi-free-start collision attack on

SHA-256 reduced to 38 steps. Bits with gray background have at least one ad-
ditional condition.
i ∇Ai ∇Ei ∇Wi
-4 -------------------------------- --------------------------------
-3 -------------------------------- --------------------------------
-2 -------------------------------- --------------------------------
-1 -------------------------------- --------------------------------
0 -------------------------------- -------------------------------- --------------------------------
1 -------------------------------- -------------------------------- --------------------------------
2 -------------------------------- -------------------------------- --------------------------------
3 -------------------------------- -------------------------------- --------------------------------
4 -------------------------------- -------------------------------- --------------------------------
5 -------------------------------- --------------------1----1------ --------------------------------
6 -------------------------------- 1--00--1-------1-10111---0-1--0- --------------------------------
7 -n----u-n-u---u-------n-nn------ nu-11-0uuun101-uuuuuuu1u-u-1--01 --nnnnn--nn--un----nuuu-nn------
8 ----nn-n--n--un-uu-u-u-u-n------ n01nn-1n10000-1u1uuunu00n0-nn0n1 0000011011101--1100nuuuuuuuuuu00
9 u---u-n--nuuu---n-uuu--u-------n 000n00u10001n101nu0u000111-u11un --------------------------------
10 -------------------------------- 00unn00110n1001u11u-101u111u0uun --------unnnnnnnu---------------
11 -------------------------------- 1u1-11u11-n01n100n10u1-11u100011 ------1-------------------------
12 -------------------------------- 0uu1u1u0u1uu1n01nn111u011n-01010 ----------1-----01--------------
13 -------------------------------- n0010uu01-00n1-01n0nu10u10-1-nuu ----------------0--------------1
14 -------------------------------- 101-110-1-0010-10--111-010---100 --------------------------------
15 ----u----------n---------------- 0-1-u01----00--n-00----10----111 -----------------------------u--
16 -----------------------------u-- ----n-n1---01-un11------nuu-nu01 --------------------------------
17 -------------------------------- -0--n-1---0nnnnn-nuu1---011-1-un --------------------------------
18 -------------------------------- ----0-1---00000--000--1011101100 --------------------------------
19 -------------------------------- 0---u-00nuuuuuuu0001--0011011011 --------------------------------
20 -------------------------------- 1--1--11100111---1--0unnnnnnnn0- --------------------------------
21 -------------------------------- ----1---11111111-----000000000-- --------------------------------
22 -------------------------------- ---------------------111111111-- --------------------------------
23 -------------------------------- -------------------------------- ----n---------un----------------
24 -------------------------------- -------------------------------- -----------------------------n--
25 -------------------------------- -------------------------------- --------------------------------
26 -------------------------------- -------------------------------- --------------------------------
27 -------------------------------- -------------------------------- --------------------------------
28 -------------------------------- -------------------------------- --------------------------------
29 -------------------------------- -------------------------------- --------------------------------
30 -------------------------------- -------------------------------- --------------------------------
31 -------------------------------- -------------------------------- --------------------------------
32 -------------------------------- -------------------------------- --------------------------------
33 -------------------------------- -------------------------------- --------------------------------
34 -------------------------------- -------------------------------- --------------------------------
35 -------------------------------- -------------------------------- --------------------------------
36 -------------------------------- -------------------------------- --------------------------------
37 -------------------------------- -------------------------------- --------------------------------

for step 1 of the attack with an average cost of 225.5 . This reduces the attack
complexity to about 280 SHA-256 evaluations. However, our experiments indicate
that we can expect to find about 234 different solutions, which results in a total
attack complexity of about 265.5 SHA-256 evaluations.

6.3 Semi-Free-Start Collision for 38 steps of SHA-256

Finally, we have also improved the best semi-free-start collision attack on SHA-256.
Using the starting point given in Table 1, we can find a semi-free-start collision
for 38 steps of SHA-256. Finding the differential characteristic and the confirm-
ing message pair took about 8 hours on a single CPU. This is equivalent to about
276 Florian Mendel, Tomislav Nad, Martin Schläffer

237 SHA-256 evaluations. The differential characteristic is shown in Table 5 and

the resulting semi-free-start collision in Table 8.

7 Conclusions
In this paper, we have improved the best known collision attacks on the SHA-256
hash function from 27 to 31 steps. We focus on the construction of semi-free-start
collisions which can be turned into collisions on the hash function. Our results
are hash function collisions on 31 steps of SHA-256 with complexity 265.5 , and
semi-free-start collisions on 38 steps with complexity 237 . We have verified all
our attacks by providing practical examples whenever this was possible.
Our results were obtained by extending the size of the local collision up to 18
steps. Furthermore, we ensure that the first message words do not contain any
differences and try to reduce the number of conditions on the expanded message
words. To find differential characteristics and confirming message pairs for local
collisions spanning over more steps we have improved the efficiency of the au-
tomatic search tool used by Mendel et al. in their attacks on reduced SHA-256
in several ways. Most importantly, we have improved the search strategy to find
sparser differential characteristics by guessing primarily bits towards the end of
the local collision.

Acknowledgments
Part of this work was done while Florian Mendel was with KU Leuven. The work
has been supported in part by the Secure Information Technology Center-Austria
(A-SIT) and by the Austrian Science Fund (FWF), project TRP 251-N23.

References
1. Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for Step-
Reduced SHA-2. In: Matsui, M. (ed.) ASIACRYPT. LNCS, vol. 5912, pp. 578–597.
Springer (2009)
2. Biryukov, A., Lamberger, M., Mendel, F., Nikolic, I.: Second-Order Differential
Collisions for Reduced SHA-256. In: Lee and Wang [9], pp. 270–287
3. Canteaut, A. (ed.): Fast Software Encryption - 19th International Workshop, FSE
2012, Washington, DC, USA, March 19-21, 2012. Revised Selected Papers, LNCS,
vol. 7549. Springer (2012)
4. De Cannière, C., Rechberger, C.: Finding SHA-1 Characteristics: General Results
and Applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT. LNCS, vol. 4284, pp.
1–20. Springer (2006)
5. Indesteege, S., Mendel, F., Preneel, B., Rechberger, C.: Collisions and Other Non-
random Properties for Step-Reduced SHA-256. In: Avanzi, R.M., Keliher, L., Sica,
F. (eds.) Selected Areas in Cryptography. LNCS, vol. 5381, pp. 276–293. Springer
(2008)
6. Isobe, T., Shibutani, K.: Preimage Attacks on Reduced Tiger and SHA-2. In:
Dunkelman, O. (ed.) FSE. LNCS, vol. 5665, pp. 139–155. Springer (2009)
 Improving Local Collisions: New Attacks on Reduced SHA-256 277

7. Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for Preimages: Attacks
on Skein-512 and the SHA-2 Family. In: Canteaut [3], pp. 244–263
8. Lamberger, M., Mendel, F.: Higher-Order Differential Attack on Reduced SHA-
256. Cryptology ePrint Archive, Report 2011/037 (2011), http://eprint.iacr.
org/
9. Lee, D.H., Wang, X. (eds.): Advances in Cryptology - ASIACRYPT 2011 - 17th
International Conference on the Theory and Application of Cryptology and Infor-
mation Security, Seoul, South Korea, December 4-8, 2011. Proceedings, LNCS, vol.
7073. Springer (2011)
10. Li, J., Isobe, T., Shibutani, K.: Converting Meet-In-The-Middle Preimage Attack
into Pseudo Collision Attack: Application to SHA-2. In: Canteaut [3], pp. 264–286
11. Mendel, F., Nad, T., Scherz, S., Schläffer, M.: Differential Attacks on Reduced
RIPEMD-160. In: Gollmann, D., Freiling, F.C. (eds.) ISC. LNCS, vol. 7483, pp.
23–38. Springer (2012)
12. Mendel, F., Nad, T., Schläffer, M.: Cryptanalysis of Round-Reduced HAS-160. In:
Kim, H. (ed.) ICISC. LNCS, vol. 7259, pp. 33–47. Springer (2011)
13. Mendel, F., Nad, T., Schläffer, M.: Finding SHA-2 Characteristics: Searching
through a Minefield of Contradictions. In: Lee and Wang [9], pp. 288–307
14. Mendel, F., Nad, T., Schläffer, M.: Collision Attacks on the Reduced Dual-Stream
Hash Function RIPEMD-128. In: Canteaut [3], pp. 226–243
15. National Institute of Standards and Technology: FIPS PUB 180-3: Secure Hash
Standard. Federal Information Processing Standards Publication 180-3, U.S. De-
partment of Commerce (October 2008), available online: http://www.itl.nist.
gov/fipspubs
16. National Institute of Standards and Technology: SHA-3 Selection Announcement
(October 2012), available online: http://csrc.nist.gov/groups/ST/hash/sha-3/
sha-3_selection_announcement.pdf
17. Nikolić, I., Biryukov, A.: Collisions for Step-Reduced SHA-256. In: Nyberg, K.
(ed.) FSE. LNCS, vol. 5086, pp. 1–15. Springer (2008)
18. Sanadhya, S.K., Sarkar, P.: New Collision Attacks against Up to 24-Step SHA-2.
In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT. LNCS, vol. 5365,
pp. 91–103. Springer (2008)
19. Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V.
(ed.) CRYPTO. LNCS, vol. 3621, pp. 17–36. Springer (2005)
20. Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.
(ed.) EUROCRYPT. LNCS, vol. 3494, pp. 19–35. Springer (2005)
278 Florian Mendel, Tomislav Nad, Martin Schläffer

A Resulting Message Pair Examples

Table 6. Example of a collision for 28 steps of SHA-256.

h0 6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19

14c48440 b3c3277f ad69812d c3d4dffa 7eae690b 7f9fe027 832aece8 9a489458
m
1607a45c db81bdc8 8786e031 d8f22801 72b6be5e 45a2652f f3fbb17a 2ce70f52
∗ 14c48440 b3c3277f ad69812d c3d4dffa 7eae690b 7f9fe027 832aece8 9a489458
m
e6b2f4fc d759b930 8786e031 d8f22801 72b6be5e 47e26dbf f3fbb17a 2ce70f52
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
∆m
f0b550a0 0cd804f8 00000000 00000000 00000000 02400890 00000000 00000000
h1 56449b42 52e17ee1 2edbed34 a1cf3f46 e84b6d49 ac9e1cc3 61a4725a 4f245e31

Table 7. Example of a semi-free-start collision for 31 steps of SHA-256 with the

last 5 chaining variables set to 0.

h0 532f13f5 6a28c3c0 e301fab5 00000000 00000000 00000000 00000000 00000000

d55c884f faf18f34 b772b323 af46235b 3d8bd87b dd3e8271 26618488 02d189d0
m
1883a4af 4f99167b 271b11c7 81b8363d b27e389d 2155a533 8b811348 4a8da291
∗ d55c884f faf18f34 b772b323 af46235b 3d8bd87b 523f9273 eeb902ae 36ff3d98
m
108477b0 4f989677 271b11c7 81b8363d b27e389d 2155a533 8b811348 4a8da291
00000000 00000000 00000000 00000000 00000000 8f011002 c8d88626 342eb448
∆m
0807d31f 0001800c 00000000 00000000 00000000 00000000 00000000 00000000
h1 6ff5a9a7 9d014158 12938ebb dbf8dc76 29fb2c4c b48b053e 1c4377a9 e21554c1

Table 8. Example of a semi-free-start collision for 38 steps of SHA-256.

h0 ba75b4ac c3c9fd45 fce04f3a 6d620fdb 42559d01 b0a0cd10 729ca9bc b284a572

4f5267f8 8f8ec13b 22371c61 56836f2b 459501d1 8078899e 98947e61 4015ef31
m
06e98ffc 4babda4a 27809447 3bf9f3be 7b3b74e1 065f711d 6c6ead5e a1781d54
∗ 4f5267f8 8f8ec13b 22371c61 56836f2b 459501d1 8078899e 98947e61 7e73f1f1
m
06e99000 4babda4a 277f1447 3bf9f3be 7b3b74e1 065f711d 6c6ead5e a1781d50
00000000 00000000 00000000 00000000 00000000 00000000 00000000 3e661ec0
∆m
00001ffc 00000000 00ff8000 00000000 00000000 00000000 00000000 00000004
h1 9312c19e d18b19eb d9c3c91f 36c4e589 4ab410cb 692af674 72cfd427 8e5a0d0a