Converting Meet-in-the-Middle Preimage Attack into

Pseudo Collision Attack: Application to SHA-2

Ji Li
1
, Takanori Isobe
2
, and Kyoji Shibutani
2
1
Sony China Research Laboratory, China
[email protected]
2
Sony Corporation, Japan
{Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com
Abstract. In this paper, we present a new technique to construct a collision attack from a par-
ticular preimage attack which is called a partial target preimage attack. Since most of the recent
meet-in-the-middle preimage attacks can be regarded as the partial target preimage attack, a colli-
sion attack is derived from the meet-in-the-middle preimage attack. By using our technique, pseudo
collisions of the 43-step reduced SHA-256 and the 46-step reduced SHA-512 can be obtained with
complexities of 2
126
and 2
254.5
, respectively. As far as we know, our results are the best pseudo
collision attacks on both SHA-256 and SHA-512 in literature. Moreover, we show that our pseudo
collision attacks can be extended to 52 and 57 steps of SHA-256 and SHA-512, respectively, by
combined with the recent preimage attacks on SHA-2 by bicliques. Furthermore, since the proposed
technique is quite simple, it can be directly applied to other hash functions. We apply our algorithm
to several hash functions including Skein and BLAKE, which are the SHA-3 nalists. We present not
only the best pseudo collision attacks on SHA-2 family, but also a new insight of relation between
a meet-in-the-middle preimage attack and a pseudo collision attack.
Keywords: hash function, narrow-pipe, SHA-2, Skein, BLAKE, meet-in-the-middle attack, preim-
age attack, pseudo collision attack
1 Introduction
Cryptographic hash functions play a central role in the modern cryptography. A secure hash
function, which produces a xed length hash value from an arbitrary length message, is required
to satisfy at least three security properties: preimage resistance, second preimage resistance and
collision resistance.
While there has not been a generic method to convert a collision attack into a preimage
attack, it has been known that the preimage attack that can nd at least two distinct preimages
from the same target can be directly converted into a collision attack. However, the converted
collision attack is often not ecient due to that the birthday bound of a collision attack (2
n/2
)
is far lower than the generic bound of the preimage attack (2
n
), where n is the bit size of the
hash value. Thus, it is left as open question that how to convert an ecient preimage attack
into an ecient collision attack. In the case of the reduced SHA-256 regarding the number of
attacked rounds, a preimage attack, covering 43 steps [4], is much better than the best known
collision attack, with only 27 steps [17]. Moreover, basically, a collision attack and a preimage
attack require quite dierent techniques. In other words, in general, the techniques used for the
collision attack do not work well for a preimage attack, and vice versa. In fact, most of the recent
collision attacks are based on a dierential attack [32, 31], in contrast to that most of the recent
preimage attacks are based on a meet-in-the-middle (MITM) attack [2]. Though converting the
dierential collision attack to a (pseudo) preimage attack was discussed in [8], there is no generic
way to construct a collision attack from a MITM preimage attack.
In this paper, we give a generic method to convert a particular preimage attack into a collision
attack. By using our technique, an ecient collision attack which works faster than a generic
collision attack can be constructed from a partial target preimage attack even if the complexity
of the preimage attack is more than the birthday bound (2
n/2
). Our method is especially t
for converting a MITM preimage attack into a pseudo collision attack, since most of the recent
MITM preimage attacks can be considered as the partial target preimage attack as long as its
matching point is located in the end of the compression function. We rst apply our algorithm
to SHA-256 and SHA-512 and show the best pseudo collision attacks on them in literature.
Specically, pseudo collisions of the 43-step (out of 64-step) reduced SHA-256 and the 46-step
(out of 80-step) reduced SHA-512 can be derived faster than a generic attack. Combined with
the recent preimage attacks on SHA-2 [14], these attacks are extended to the 52-step and 57-
step reduced SHA-256 and SHA-512, respectively. Then we show some other applications of our
conversion techniques including a pseudo collision attack on the 37-round reduced Skein-512
and pseudo collision attacks on the 4-round reduced BLAKE-256/512 without the initialization
function. While it seems hard to extend our pseudo collision attacks to collision attacks, the
proposed conversion technique is a generic, and thus it is expected to be widely used for security
evaluations of hash functions.
This paper is organized as follows. Some security notions and a meet-in-the-middle preimage
attack are introduced in Section 2. Section 3 introduces our approach for constructing a pseudo
collision attack. Then, applications of our technique to SHA-256 and SHA-512 are presented in
Section 4. The result on Skein is described in Section 5. Finally, we conclude in Section 6.
2 Preliminaries
In this section, we rst give security notions used throughout this paper, then briey refer a
meet-in-the-middle (MITM) preimage attack.
2.1 Security Notions
Let f be a compression function which outputs an n-bit chaining variable h
i
from an n-bit
input chaining variable h
i1
and a k-bit input message m
i
, i.e., h
i
= f(h
i1
, m
i
). Similarly,
let H be an iterated hash function consisting of f, which produces an n-bit hash value d
from an initial value IV (= h
0
) and an arbitrary length message M, i.e., d = H(IV, M) =
f( f(f(IV, m
1
), m
2
), , m
t
), where pad(M) = (m
1
|m
2
| |m
t
) and pad denotes a padding
function. This type of hash function, in which the size of an intermediate chaining variable is the
same as that of a hash value, is called a narrow-pipe hash function. On the other hand, a hash
function having a larger internal state size is called a wide-pipe hash function, i.e., the size of a
nal hash value is smaller than that of a chaining variable. We use the terminology introduced
in [15] for a collision attack and a pseudo (or free-start) collision attack on hash functions as
follows.
Denition 1 (Collision attack). Given IV , nd (M, M

) such that M = M

and H(IV, M)
= H(IV, M

).
Denition 2 (Free-start or pseudo collision attack). Find (IV , IV

, M, M

) such that
H(IV, M) = H(IV

, M

) and (IV, M) = (IV

, M

).
Additionally, we give several denitions for (pseudo) preimage attacks on hash functions and
(pseudo) preimage attacks on compression functions.
Denition 3 (Preimage attack). Given IV and d(= H(IV, M)), nd M

such that H(IV,

M

) = d.
Denition 4 (Pseudo preimage attack). Given d(= H(IV, M)), nd (IV

, M

) such that
H(IV

, M

) = d.
2
x
y
z
z
1
z
2
(forward process) (backward process)
matching point
f
f
1 f
2
m
m
1
m
2
n-bit n-bit
k-bit
w-bit
Fig. 1. Meet-in-the-middle preimage attack
Denition 5 ((t-bit) partial target preimage attack). Given IV and t-bit partial target
of d(= H(IV, M)), nd M

such that t-bit of d

(= H(IV, M

)) is the same as the t-bit of d at

the same position, and the other part of d

is randomly obtained.
Denition 6 (Preimage attack on compression function). Given h
i1
and h
i
(= f(h
i1
,
m
i
)), nd m

i
such that f(h
i1
, m

i
) = h
i
.
Denition 7 (Pseudo preimage attack on compression function). Given h
i
(= f(h
i1
,
m
i
)), nd (h

i1
, m

i
) such that f(h

i1
, m

i
) = h
i
.
Denition 8 ((t-bit) partial target preimage attack on compression function). Given
h
i1
and t-bit partial target of h
i
(= f(h
i1
, m
i
)), nd m

i
such that t-bit of h

i
(= f(h
i1
, m

i
)) is
the same as the t-bit of h
i
at the same position, and the other part of h

i
is randomly obtained.
Denition 9 ((t-bit) pseudo partial target preimage attack on compression func-
tion). Given t-bit partial target of h
i
(= f(h
i1
, m
i
)), nd (h

i1
, m

i
) such that t-bit of h

i
(=
f(h

i1
, m

i
)) is the same as the t-bit of h
i
at the same position, and the other part of h

i
is
randomly obtained.
2.2 Meet-in-the-Middle Preimage Attack
The basic concept of the MITM preimage attack was introduced in [22, 16]. Since then, the MITM
preimage attacks have been drastically improved and applied to several hash functions [2, 28, 27,
3, 13, 4, 10]. Also, the techniques for the MITM preimage attacks on hash functions have been
extended to the attacks on several block ciphers [7, 12].
As shown in Fig. 1,
3
in the MITM preimage attack on a compression function, the com-
pression function f is assumed to be divided into two sub-functions: f
1
(forward process) and
f
2
(backward process) so that the w-bit matching point z calculated by f
1
does not depend
on m
2
which is some message bits of m, and z calculated by f
2
does not depend on m
1
which
is other message bits of m. Such m
1
and m
2
are called neutral bits of f
2
and f
1
, respectively.
Then, the MITM preimage attack nds a preimage m

such that f(x, m

) = y from a given x
and y(= f(x, m)) as follows.
Step 1. Choose a random m except for m
1
and m
2
.
Step 2. For all possible m
1
, calculate w-bit z
1
(= f
1
(x, m
1
)), and add a pair of (z
(i)
1
, m
(i)
1
) to a
list, where (1 i 2
|m
1
|
), and | | denotes the bit size of .
Step 3. For all possible m
2
, calculate w-bit z
2
(= f
1
2
(xy, m
2
)), and add a pair of (z
(j)
2
, m
(j)
2
)
to a list, where (1 j 2
|m
2
|
).
Step 4. Compare two lists to nd pairs satisfying z
(p)
1
= z
(q)
2
. If such pair is found, then check
if the other bits of the matching point derived from m
(p)
1
and m
(q)
2
are the same value.
3
Here, we show the MITM preimage attack on Davies-Meyer mode as an example. MITM preimage attacks on
other modes like Matyas-Meyer-Oseas mode can be performed in a similar way.
3
Step 5. If the other parts are also the same, then outputs such m including m
(p)
1
and m
(q)
2
.
Otherwise, go back to Step 1 and repeat the computation.
From Steps 2 and 3, we have 2
|m
1
|
and 2
|m
2
|
values of w-bit z
1
and z
2
, i.e., we have 2
|m
1
|+|m
2
|
values of (z
1
z
2
). Since the probability of (z
1
z
2
= 0) is 2
w
, we have 2
|m
1
|+|m
2
|
2
w
pairs such
that z
1
= z
2
in Step 4. Thus, by repeating this algorithm about 2
nw
2
(|m
1
|+|m
2
|)
2
w
times, we
expect to obtain a desired preimage. The required computation for the one process from Step 1
to 5 is at most max(2
|m
1
|
, 2
|m
2
|
) calls of the compression function. Thus, the total computation
to nd a preimage of the compression function is about 2
n
2
(|m
1
|+|m
2
|)
max(2
|m
1
|
, 2
|m
2
|
).
4
For a narrow-pipe hash function, by replacing x and y by IV and d, this MITM preimage
attack on a compression function can be directly converted into a preimage attack on a hash
function. However, for an attack on a hash function, some of the message bits related to the
padding bits are required to be controlled by the attacker to set appropriate padding data.
3 Method to Convert Preimage Attack into Collision Attack
In this section, we present how to eciently convert a particular preimage attack into a pseudo
collision attack. First, we introduce a generic technique to construct a pseudo collision attack
from a partial target preimage attack. Then, we introduce the MITM preimage attack whose
matching point is located at the end of the compression function. We show that such class of
the MITM preimage attack is regarded as the partial target preimage attack. Finally, we show
that a pseudo collision attack can be eciently constructed from the MITM preimage attack
whose matching point is at the end by showing how to eciently obtain many partial target
preimages.
3.1 Generic Conversion of Partial Target Preimage Attack into Collision Attack
We consider the oracle A that can nd a t-bit partial target preimage with a complexity of 2
s
.
Also, A is assumed to return dierent M

for each call. Obviously, we can construct a collision

attack with a complexity of 2
s
2
(nt)/2
by iteratively calling A as follows.
Set t-bit random data as d

Call A with the parameter IV and d

in 2
(nt)/2
times
After this procedure, we have 2
(nt)/2
of (nt)-bit random data, and thus there exists a colliding
data with a high probability. Once the colliding data are found, we have a collision of the hash
function since the rest of the hash value d

is xed. The total complexity is 2

(nt)/2
2
s
. The
memory requirement can be reduced to the memory requirement of nding a partial target
preimage by using memory free birthday attack [29, 21]. This conversion itself can be applied to
not only a narrow-pipe hash but also a wide-pipe hash, since the required complexity depends
only on the size of the digest. The basic concept of this attack that xes t-bit of the target with
the complexity of 2
s
has been used to nd a collision of (new) FORK-256 in [22] and a collision
and a second preimage of LUX in [33]. However, the method does not work if the partial target
preimage attack is not ecient, i.e., (s t/2). In this case, the required complexity in total will
be higher than 2
n/2
.
3.2 Meet-in-the-Middle Attack with Matching Point in Last Step
We consider a similar model explained in Section 2.2. The dierence from the model shown in
Fig. 1 is that the matching point is restricted to be in the last step as shown in Fig. 2. In this
4
The estimated complexity does not contain the size of the matching point w. However, as discussed in [10], if
w is extremely small like w = 1, the total complexity is dominated by the recomputations in Step 4 which is
ignored in our estimation. Thus, in our evaluation, we assume that w is suciently large.
4
x
y
z
z
1
z
2
starting state
S
(forward process)
(backward process)
matching point
f
f
1
f
2
m
m
1
m
2
n-bit n-bit
k-bit
w-bit
Fig. 2. MITM preimage attack with the matching point in the last step
scenario, the MITM pseudo preimage attack on a compression function nds a preimage m

and
a random x

such that f(x

, m

) = y from a given y(= f(x, m)) as follows.

Step 1. Choose a random m except for m
1
and m
2
, and a random starting state S.
Step 2. For all possible m
1
, calculate w-bit z
1
(= f
1
(S, m
1
)), and add a pair of (z
(i)
1
, m
(i)
1
) to a
list, where (1 i 2
|m
1
|
).
Step 3. For all possible m
2
, calculate w-bit z
2
(= f
1
2
(S, m
2
)), and add a pair of (z
(j)
2
, m
(j)
2
) to
a list, where (1 j 2
|m
2
|
).
Step 4. Compare two lists to nd pairs satisfying that z
(p)
1
z
(q)
2
equals the t-bit of y. If such
pair is found, then check if the XORed other bits of the matching point derived from m
(p)
1
and m
(q)
2
is the same as the rest of y.
Step 5. If the XORed other bits are also the same as y, then output such m including m
(p)
1
and
m
(q)
2
, and x

calculated from the data of the matching point. Otherwise, go back to Step 1
and repeat the computation.
Note that, this attack basically cannot obtain a preimage from the given x unlike the attack
described in Section 2.2, since x

will be randomly derived. Thus, this attack is considered as

a pseudo preimage attack on a compression function. However, for a narrow-pipe hash, it has
been known that a pseudo preimage attack on a compression function can be converted into a
preimage attack on a hash function assuming that the attacker can set valid padding bits [19,
10]. The estimated complexity to nd a desired pseudo preimage is the same as that presented
in Section 2.2, i.e., 2
n
2
(|m
1
|+|m
2
|)
max(2
|m
1
|
, 2
|m
2
|
).
3.3 Conversion of MITM Preimage Attack into Pseudo Collision Attack
If we can construct the MITM pseudo preimage attack whose matching point is located at
the end of the compression function, we can control part of the output variables as explained
in the previous subsection. In other words, the MITM pseudo preimage attack described in
the previous subsection can be regarded as the pseudo partial target preimage attack on a
compression function. For the MITM preimage attack, at least 2
t/2
computations are required
to derive a preimage of an t-bit partial target. Thus, the directly converted pseudo collision
attack will at least have the complexity of 2
(nt)/2+t/2
= 2
n/2
, that is not an ecient pseudo
collision attack.
In order to overcome this problem, we exploit extra freedom of a neutral word after nding
a partial target preimage. For example, in the case of t = 10 and |m
1
| = |m
2
| = 8 (> t/2), we
can nd 2
6
(= 2
8+8
/2
10
) 10-bit partial target preimages with the complexity of 2
8
. It essentially
means that a 10-bit partial target preimage is found with the complexity of 2
2
(= 2
8
/2
6
) <
2
5
(= 2
10/2
). When t w, the required complexity to nd a partial target preimage from a given
t-bit partial target is estimated as
2
t(|m
1
|+|m
2
|)
max(2
|m
1
|
, 2
|m
2
|
),
5
M
1
M

1
M
2
M
2
IV

IV

CV CV
CV CV
CF CF
CF CF
digest
digest
Pseudo Collision of CF
Pseudo Collision of Hash Function
Satisfy the padding issue
Fig. 3. Multi-block pseudo collision
where recall that w denotes the bit size of the matching point. In particular, s < t/2, which is the
condition for a successful attack as mentioned in Section 3.1, holds when min(|m
1
|, |m
2
|) > t/2,
where recall that 2
s
represents the required complexity to nd a t-bit partial target preimage.
Therefore, if we can move the matching point of the MITM attack to the end of the compression
function and there is enough freedom in neutral words, we can construct an ecient pseudo
collision attack on a compression function.
Moreover, for a narrow-pipe hash function, it has been known that a (pseudo) collision
attack on a compression function can be directly converted to a (pseudo) collision attack on a
hash function by appending another message block illustrated in Fig. 3, which is called multi-
block message technique. By using the multi-block message technique, an attacker can append
arbitrary messages. Thus, unlike the conversion to a (pseudo) preimage attack on a hash function,
for the conversion to a pseudo collision attack on a hash function, there is no restriction on
controllability of message bits for a MITM pseudo preimage attack on a compression function.
This will relax conditions on the position of the matching point for the MITM pseudo preimage
attack on a compression function, and thus may allow us to attack larger number of steps. Note
that, for a wide-pipe hash function, even though a (pseudo) collision attack on a compression
function can not be directly converted to a (pseudo) collision attack on a hash function by using
multi-block message, we still can convert a MITM pseudo preimage attack on a hash function
to a pseudo collision attack on a hash function since the conversion of a partial target preimage
attack into a collision attack is generic.
4 Pseudo Collision Attacks on SHA-2
In this section, we apply our conversion technique to SHA-2. At rst, we briey describe the
algorithm of SHA-2. Then, we review the previous collision attacks on SHA-2. After that, we
introduce the known MITM preimage attack on the 43-step SHA-256 presented in [4]. After we
modify these results in order to t our conversion technique, i.e., moving the matching point to
the end of the compression function, we show the pseudo collision attack on the 43-step SHA-
256. Moreover, we present the pseudo collision attack on the 46-step SHA-512 based on the
MITM preimage attack on the 46-step SHA-512 [4]. Furthermore, pseudo collision attacks on
the 40-step reduced SHA-224 and SHA-384 are demonstrated as well. Finally, we discuss pseudo
collision attacks based on the recent MITM preimage attacks [14], which signicantly improve
the results of [4] in terms of the number of attacked steps by using bicliques. These results on
SHA-2 are summarized in Table 1.
6
Table 1. Summary of collision attacks on the reduced SHA-2
algorithm type of attack steps complexity based attack paper
SHA-256
collision 24 2
28.5
- [11]
collision 27 (practical) - [17]
semi-free-start-collision
1
24 2
17
- [11]
semi-free-start-collision
1
32 (practical) - [17]
pseudo-near-collision 31 2
32
- [11]
pseudo collision 42 2
123
[4] Our (Section 4.7)
pseudo collision 43 2
126
[4] Our (Section 4.4)
pseudo collision 45 2
126.5
[14] Our (Section 4.9)
pseudo collision 52 2
127.5
[14] Our (Section 4.9)
SHA-224 pseudo collision 40 2
110
[4] Our (Section 4.8)
SHA-512
collision 24 2
28.5
- [11]
pseudo collision 42 2
244
[4] Our (Section 4.7)
pseudo collision 46 2
254.5
[4] Our (Section 4.6)
pseudo collision 50 2
254.5
[14] Our (Section 4.9)
pseudo collision 57 2
255.5
[14] Our (Section 4.9)
SHA-384 pseudo collision 40 2
183
[4] Our (Section 4.8)
1: semi-free-start-collision attack nds (IV

, M, M

) such that H(IV

, M) = H(IV

, M

)
and M = M

.
4.1 Description of SHA-2
While our target is both SHA-256 and SHA-512, we only explain the structure of SHA-256,
since SHA-512 is structurally equivalent to SHA-256 except for the number of steps, the amount
of rotations and the word size. The compression function of SHA-256 consists of a message
expansion function and a state update function. The message expansion function expands a
512-bit message block into 64 32-bit message words (W
0
, , W
63
) as follows:
W
i
=

M
i
(0 i < 16),

1
(W
i2
) +W
i7
+
0
(W
i15
) +W
i16
(16 i < 64),
where the functions
0
(X) and
1
(X) are dened by

0
(X) = (X 7) (X 18) (X 3),

1
(X) = (X 17) (X 19) (X 10).
The state update function updates eight 32-bit chaining variables, A, B, , G, H in 64 steps as
follows:
T
1
= H
i
+
1
(E
i
) +Ch(E
i
, F
i
, G
i
) +K
i
+W
i
,
T
2
=
0
(A
i
) +Maj(A
i
, B
i
, C
i
),
A
i+1
= T
1
+T
2
, B
i+1
= A
i
, C
i+1
= B
i
, D
i+1
= C
i
,
E
i+1
= D
i
+T
1
, F
i+1
= E
i
, G
i+1
= F
i
, H
i+1
= G
i
,
where K
i
is the i-th step constant and the functions Ch, Maj,
0
and
1
are given as follows:
Ch(X, Y, Z) = XY XZ,
Maj(X, Y, Z) = XY Y Z XZ,

0
(X) = (X 2) (X 13) (X 22),

1
(X) = (X 6) (X 11) (X 25).
After 64 steps, a feed-forward process is executed with initial state variables by using word-wise
addition modulo 2
32
.
7
4.2 Known Collision Attacks on SHA-2
The rst collision attack on reduced SHA-256 was presented in [18] which is a 19-step near col-
lision attack. Since then, the collision attacks on SHA-2 have been improved [20, 23, 25, 24, 26,
11, 17]. The previously published best collision attacks in terms of the number of attacked steps
are the 27 steps on SHA-256 [17] and the 24 steps on SHA-512 [11, 25]. A non-random prop-
erty, which is a second-order dierential collision, of the 47-step reduced SHA-256 compression
function was reported in [6].
4.3 Known MITM Preimage Attack on 43-step SHA-256 [4]
The MITM preimage attack on the 43-step SHA-256 presented in [4] uses the 33-step two chunks
W
j
, . . . , W
j+32
including the 4-step initial structure (IS), the 2-step partial xing (PF), the 7-
step partial matching (PM) and the 1-step indirect partial matching (IPM). In the following,
we review the details of these techniques.
33-step Two Chunks with the 4-step IS. The message words of length 33 is divided into
two chunks as {W
j
, . . . , W
j+14
, W
j+18
} and {W
j+15
, W
j+16
, W
j+17
, W
j+19
, . . . , W
j+32
}. Using
message compensation technique [4], the rst chunk and the second chunk are independent from
W
j+15
and W
j+18
, respectively. In particular, the following constraints ensure the above message
words to be neutral words with respect to each chunk;
W
j+17
=
1
(W
j+15
), W
j+19
=
2
1
(W
j+15
), W
j+21
=
3
1
(W
j+15
),
W
j+22
= W
z+5
, W
j+23
=
4
1
(W
j+15
), W
j+24
= 2
1
(W
j+15
),
W
j+25
=
5
1
(W
j+15
),
(1)
where
2
1
(X) means
1

1
(X).
These two chunks include the 4-step IS, which essentially exchanges the order of the words
W
i
and W
i+3
by exploiting the absorption property of the function Ch. After the swapping, the
nal output after the step (i +3) still keeps unchanged. Here, W
j+18
is moved to the rst chunk
and W
j+15
, W
j+16
and W
j+17
are moved to the second chunk.
In the forward direction, a state value of p
j+33
= A
j+33
|| . . . ||H
j+33
can be computed in-
dependently of the rst chunk. In the backward direction, a state value of p
j
= A
j
|| . . . ||H
j
can be computed independently of the second chunk. Note that the 33-step two-chunk is valid
regardless of the choice of j for j > 0.
7-step PM. In the backward computation, A
j
can be computed from p
j+7
without knowing
{W
j
, , W
j+6
} for any j as used in [13].
2-step PF. PF is a technique to enhance PM by xing a part of a neutral word. The equation
for H
j1
is as follows:

H
j1
= A
j

0
(B
j
) Maj(B
j
, C
j
, D
j
)
1
(F
j
)
Ch(F
j
, G
j
, H
j
) K
j1
W
j1
,
W
j1
= W
j+15

1
(W
j+13
) W
j+8
+
0
(W
j
).
If we x the lower bits of W
j+15
, which is assumed to be a neutral word for the other chunk,
the lower bits of H
j1
can be computed without using the value of the higher (32 ) bits of
W
j+15
. Furthermore, the equation for H
j2
is expressed as follows:

H
j2
= A
j1

0
(B
j1
) Maj(B
j1
, C
j1
, D
j1
)
1
(F
j1
)
Ch(F
j1
, G
j1
, H
j1
) K
j2
W
j2
,
W
j2
= W
j+14

1
(W
j+12
) W
j+7
+
0
(W
j1
).
8
The lower ( 18) bits of H
j2
can be computed if we can obtain the lower bits of Ch(F
j1
,
G
j1
, H
j1
) and the lower ( 18) bits of
0
(W
j1
). Note that these values can be computed
by using only the lower bits of W
j+15
. Thus, when we x the lower bits of W
j+15
, the lower
( 18) bits of H
j2
can be computed without knowing the higher (32 ) bits of W
j+15
.
Therefore, by combining the 7-step PM with the 2-step PF, 9 steps can be skipped in the
backward computation.
1-step IPM. For the forward computation, A
j+34
can be expressed as a sum of two independent
functions
F
,
F
of each neutral word as follows;

A
j+34
=
0
(A
j+33
) +Maj(A
j+33
, B
j+33
, C
j+33
) +H
j+33
+
1
(A
j+33
)
+Ch(A
j+33
, B
j+33
, C
j+33
) +K
j+33
+W
j+33
,
W
j+33
=
1
(W
j+31
) +W
j+26
+
0
(W
j+18
) +W
j+17
,
A
j+34
=
F
(W
j+15
) +
F
(W
j+18
).
Then, we can compute
F
(W
j+15
) and
F
(W
j+18
) independently. It is equivalent to move the
computation of
F
(W
j+18
) to the backward chunk. In this case,
F
(W
j+18
) =
0
(W
j+18
).
Attack Overview. These techniques enable us to construct the 43 (= 33 + 7 + 2 + 1)-step
attack on SHA-256. Here, we have the freedom of choice of j as long as 36 steps (W
j2
to W
j+34
)
is located sequentially.
For the actual attack in [4], j is chosen as j = 3, because W
13
, W
14
and W
15
can be freely
chosen to satisfy the message padding rule. The matching state is the lower 4 bits of A
37
. In
addition, the number of xed bits for PF is chosen as = 23. Then, neutral words of W
18
and
W
21
have 5- and 4-bit freedom degrees, respectively. As a result, a pseudo preimage is found
with the complexity of 2
251.9
. After that, pseudo preimages are converted into a preimage with
the complexity of 2
254.9
. See [4] for more details about this attack.
4.4 Pseudo Collision Attack on 43-step SHA-256
As discussed in Section 3.3, to convert a MITM preimage attack into a pseudo collision attack,
the matching point is located into the end of the compression function, i.e., the addition of the
feed-forward. As mentioned in section 4.3, the matching point of the 43-step MITM preimage
attack is selected at the state after the step 37 (j = 3) due to the padding bits.
However, for a (pseudo) collision attack, we do not need to control message words for satisfy-
ing the padding rules, since we can generate correct padding by simply adding another message
block as discussed in Section 3.3. It means that the last block of a compression function is used
only for satisfying the padding condition in the collision attack when pseudo collision can be
found before the last compression function as shown in Fig. 3. As a result, for a (pseudo) collision
attack, we can move the matching point to the state after the step 43 (j = 9) that is the end of
the compression function.
5
Let a 256-bit output of the compression function be CV = {Z
A
|| ||Z
H
}, where each word
is 32 bits. For j = 9, W
24
and W
27
are neutral words, and the matching point is the lower 4 bits
of A
43
(= A
0
Z
A
).
In order to construct the pseudo collision attack, we give the ecient method to obtain 4-bit
partial target preimages by using the MITM technique [4]. Figure 4 shows the overview of the
43-step pseudo collision attack.
9
Partial Matching Partial Fixing Initial Structure Indirect Partial Matching
Matching
First Chunk Second Chunk
CV
Fixed
0 10 20 24 27 30 40
: variables not depending on W
24
: variables depending on both W
24
and W
27
: variables that can be expressed as a sum module 2
32
of W
24
and W
27
: variables not depending on W
27
: a few bits of variables depending only on W
27
Fig. 4. 43-step pseudo collision attack on SHA-256
Attack Procedure.
1. Choose the lower 4 bits of Z
A
, which are target values.
2. Randomly choose the value of p
25
and message W
25
. Randomly x the lower 23 bits of W
24
.
Then we can nd 2
5
values of W
24
on average from 9 free bits that correctly construct the
4-step initial structure and store them in the table T
W
.
3. Randomly choose message words not related to the initial structure and the neutral words,
i.e., W
19
, W
20
, W
21
, W
22
, W
23
and W
29
(called an initial conguration).
4. For all 2
5
possible W
24
in T
W
, compute W
26
, W
28
, W
30
, W
31
, W
32
, W
33
and W
34
following
Eq. (1). Compute forward and nd
F
(W
24
). Then, store the pairs (W
24
,
F
(W
24
)) in a list
L
F
.
5. For all 2
4
possible values (the lower 4 bits) of W
27
, compute backward and nd
F
(W
27
) and
the lower 4 bits of A
0
. Then, store the pairs (W
27
, Z
A
A
0

0
(W
27
)) in a list L
B
.
6. If a match is found, i.e.,
F
(W
24
) = Z
A
A
0

0
(W
27
), then compute two group of states
A
43
, B
43
, , H
43
and A
0
, B
0
, , H
0
with corresponding W
24
and W
27
, respectively. Then
obtain 2
5
(= 2
9
/2
4
) CV whose 4-bit are xed, i.e., the lower 4 bits of Z
A
, and store these in
a List L
1
.
7. Repeat (3)-(6) 2
121
times with dierent values of the initial conguration.
After the above procedures, we obtain 2
126
(= 2
5
2
121
) pairs whose 4 bits are xed.
6
Thus, there
exists a colliding pair with a high probability, because of the equation of (2
126
= 2
(2564)/2
).
Evaluation. We assume that the complexity for the 1-step function and the 1-step message
expansion is 1/43 compression function operation of the 43-step SHA-256. As estimated in [10],
the complexity of Step 2 in the presented attack is 2
9
, and that of Steps 3-6 is 2
4.878
, which
is the complexity for nding 2
5
4-bit partial target preimages. Thus, whole complexity of the
pseudo collision attack on the 43-step SHA-256 is estimated as 2
126
2
9
+ (2
121
2
4.878
).
4.5 Known MITM Preimage Attack on 46-step SHA-512 [4]
The MITM preimage attack on the 46-step SHA-512 presented in [4] uses the 31-step two chunk
W
j
, . . . , W
j+30
including the 2-step IS, the 8-step PF for W
j1
, . . . , W
j6
and W
j+31
,W
j+32
and
the 7-step PM. In this attack, we can choose j as long as 39 step (W
j6
to W
j+32
) are located
5
It is also pointed out in [10] as the matching point can be rotated to the end of the compression function
6
It is noted that we need a slightly more than 2
121
times repeated experiments to get 2
126
pairs that will achieve
a probability higher than 2
1
. However the dierence is so small that we ignore it here.
10
sequentially. For the actual attack in [10], j is chosen as j = 6 to satisfy the padding rule. Then,
the neutral words W
21
and W
22
have 4 and 3-bit freedom degrees, respectively, and the bit size of
the matching point is 3. Thus, a preimage of the 46-step SHA-512 is found with the complexity
of 2
511.5
. See [4] for more details about this attack.
4.6 Pseudo Collision Attack on 46-step SHA-512
Similarly to the attack on the reduced SHA-256, we can move the matching point to the end
of the compression function, because the padding issue can be avoided by using multi-block
message technique in the pseudo collision attack. In the case of SHA-512, since the bit size of
the matching point is 3, we utilize the 3-bit partial target preimages for the attack. Then, the
complexity of the attack is estimated as 2
254.5
= (2
(5123)/2
).
4.7 Pseudo Collision Attacks on 42-step SHA-256 and 42-step SHA-512
We consider pseudo collision attacks on smaller number of rounds of SHA-2 in order to save
the time complexity. For the 42-step reduced SHA-256, we can use 10 bits of freedom in both
directions to nd a 10-bit partial target preimage as discussed in Section 5.4 of [4]. This implies
that a 10-bit partial target preimage is obtained with the complexity 1 (< 2
5
). Thus, a pseudo
collision is found with the complexity of 2
123
(= 2
(25610)/2
2
10
/2
10
). Similarly to this, for the
42-step reduced SHA-512, we can use 24 bits of freedom in both directions to nd a 24-bit partial
target preimage as discussed in Section 6.5 of [4]. Therefore, a pseudo collision of the 42-step
reduced SHA-512 is found with the complexity of 2
244
(= 2
(51224)/2
2
24
/2
24
).
4.8 Pseudo Collision Attacks on Reduced SHA-224 and SHA-384
The pseudo collision attack on the 43-step SHA-256 described in Section 4.4 is applicable to
the 43-step SHA-224 in the similar manner. However, we can not use the multi-block message
technique straightforwardly, because the pseudo collision attack on SHA-224 needs to be done in
the last compression function whose output Z
H
is disregarded. Thus, due to the padding issue,
we can mount only pseudo collision attack on a compression function of 43-step, not a hash
function. The estimated complexity is 2
110
for this attack.
However, the smaller number of rounds of SHA-224 hash function can be attacked by using
another MITM attack. The 40-step SHA-224 hash function can be attacked by using the same
two chunks for the 43-step preimage attack on SHA-256 in [4], i.e., the case of j = 3. The 7-step
partial matching for backward computation are replaced by the 4-step one. Then the message
words W
13
, W
14
and W
15
are left as free message words to satisfy the padding rule. Instead
of the lower 4 bits of Z
A
, we use the lower 4 bits of Z
D
as the target value. Here, we need
additional one step: when nding matches at the lower 4 bits of A
37
, we compute forward from
the matching point to the end of the compression function (40-th step) by using these values
that are computed forward from the starting point. Since A
37
= D
40
= D
0
Z
D
for the 40-step
SHA-224, the lower 4 bits of Z
D
will keep unaected by the additional step. Thus, we can still get
a partial target preimage. It can be converted into a pseudo collision attack on a hash function,
because we can set W
13
, W
14
and W
15
to follow the padding rule.
The detail of the attack procedure is as follows.
1. Choose the lower 4 bits of Z
D
, which are target values.
2. Randomly choose the value of p
19
and message W
19
. Randomly x the lower 23 bits of W
18
.
Then we can nd 2
5
values of W
18
on average from 9 free bits that correctly construct the
4-step initial structure and store them in the table T
W
.
11
3. Randomly choose message words not related to the initial structure and the neutral words,
i.e., W
13
, W
14
, W
15
, W
16
, W
17
, W
23
(called an initial conguration [4]).
4. For all 2
5
possible W
18
in T
W
, compute W
20
, W
22
, W
24
, W
25
, W
26
, W
27
, W
28
following Eq, (1).
Compute forward and nd
F
(W
18
). Store the pairs (W
18
,
F
(W
18
)) in a list L
F
.
5. For all 2
4
possible values (the lower 4 bits) of W
21
, compute backward and nd
F
(W
21
) and
the lower 4 bits of A
37
(= D
40
= Z
D
D
0
). Store the pairs (W
21
, Z
D
D
0

0
(W
27
)) in a
list L
B
.
6. If a match is found, i.e.,
F
(W
24
) = Z
D
D
0

0
(W
27
), then compute forward to get
the states A
40
, B
40
, , H
40
with corresponding W
24
and W
27
, respectively. D
40
will keep
unaected in this step. Then obtain 2
5
(= 2
9
/2
4
) CV whose 4 bits are xed, i.e., the lower
4 bits of Z
D
, and store these in a List.
7. Repeat (3)-(6) 2
105
times with dierent values of the initial conguration.
The complexity of the attack is estimated as 2
110
.
Similarly, the pseudo collision attack on the 46-step SHA-512 hash function described in 4.6
can also be applied to the 46-step SHA-384 compression function with the complexity of 2
190.5
=
(2
(3843)/2
). For a pseudo collision attack on the reduced SHA-384 hash function, we use the 43-
step preimage attack on SHA-384 [4]. Combining the result in [4] with our conversion technique, a
pseudo collision attack on the 40-step SHA-384 hash function can be constructed. The matching
bit is 18 when chosen parameter of partial matching as = 27. The complexity of the pseudo
collision attack on the 40-step SHA-384 is estimated as 2
(38418)/2
= 2
183
. These 40-step pseudo
collision attacks give examples that the matching point is not at but near the end of compression
function. That is compatible to solve padding problem.
4.9 Application to Other Results of SHA-2
Recently, the MITM preimage attacks on the reduced SHA-2 are improved by using bicliques
technique which is considered as generalized initial structure [14]. This technique enables us to
construct longer initial structures than those of the attacks [4]. In the following, let us consider
pseudo collision attacks based on [14].
For SHA-256, the 36-step two independent chunks including the 6-step IS based on bicliques
are constructed. Combining the 2-step PM with the 7-step PM and the 1-step IPM, the MITM
preimage attack on the 45-step SHA-2 is derived. In this attack, both neutral words have 3-bit
freedom degrees, and the matching point is 4-bit. Since our conversion technique does not need
to consider the padding issue, the matching point can be moved to the end of the compression
function similar to the 43-step attack. Then, we can convert it into the 45-step pseudo collision
attack on SHA-256 with the complexity of 2
126.5
(= 2
(2563)/2
)
7
. Similarly, we can construct the
50-step pseudo collision attack on SHA-512 based on the 50-step MITM preimage attack [14].
In this attack, both neutral words have 3-bit freedom degrees, and the bit size of the matching
point is 3. Thus, the complexity of the attack is estimated as 2
254.5
(= 2
(5123)/2
).
In addition, [14] showed pseudo preimage attacks on the 52-step SHA-256 and the 57-step
SHA-512. For the setting of a pseudo preimage attack, the cost of converting a pseudo preimage
to a preimage is omitted. Thus, larger number of rounds can be attacked. Note that in these
attacks, the amount of freedom degrees for both neutral words are only 1-bit, and the bit
size of the matching point is 1. In order to construct a pseudo collision attack by using our
conversion technique, it is sucient to obtain a pseudo preimage on a compression function, i.e.,
a preimage on a hash function is not needed. Therefore, the above explained pseudo preimage
attacks can also be converted into pseudo collision attacks in a similar way. The complexities of
7
Our attack uses only 3 bits for the matching and nd 3-bit partial target preimages, because this setting is
optimal with respect to the time complexity.
12
the pseudo collision attacks on the 52-step SHA-256 and the 57-step SHA-512 are estimated as
2
127.5
(= 2
(2561)/2
) and 2
255.5
(= 2
(5121)/2
), respectively.
5 Application to Skein
In this section, we show pseudo collision attacks on the reduced Skein-512 [9] based on the
preimage attacks presented in [14].
5.1 Description of Skein
Skein is built from the tweakable block cipher Threesh E
K,T
(P), where K, T and P denote a
key, a tweak and a plaintext message, respectively. The compression function F(CV, T, M) of
Skein outputs the next chaining variable as F(CV, T, M) = E
CV,T
(M) M, where CV is the
previous chaining variable and M is an input message block.
Threesh-512 supports a 512-bit block and a 512-bit key, and operates on 64-bit words. The
subkey K
s
= (K
s
0
, K
s
1
, . . . , K
s
7
) injected every four rounds is generated from the secret key K =
K[0], K[1], . . . , K[7] as follows:
K
s
j
= K[(s +j) mod 9], (0 j 4); K
s
5
= K[(s + 5) mod 9] +T[s mod 3];
K
s
6
= K[(s + 6) mod 9] +T[(s + 1) mod 3]; K
s
7
= K[(s + 7) mod 9] +s,
where s denotes a round counter, T[0] and T[1] denote tweak words, T[2] = T[0] + T[1], and
K[8] = C
240

7
j=0
K[j] with a constant C
240
. Each Threesh-512 round consists of four
MIX functions followed by a permutation of the eight 64-bit words. The 128-bit function MIX
processes the pairs of eight words of internal state I
0
, I
1
, . . . , I
7
after key addition.
5.2 Known Pseudo Preimage Attacks on Skein [14].
We briey review two MITM preimage attacks on Skein-512 presented in [14]: one is a preimage
attack on the 22-round reduced Skein-512 hash function starting from the 3rd round, and the
other is a preimage attack on the 37-round reduced Skein-512 compression function starting
from the 2nd round.
For the 22-round attack, the 3-dimension biclique at rounds 12-15 is obtained with the
complexity of 2
200
. Since many bicliques can be produced out of one, the cost of constructing
the bicliques is negligible in the total complexity of the attack. In this attack, we can obtain 2
3
pairs matched in 3 bits by 2
2.3
calls of the 22-round Skein-512 compression function. As a result,
a preimage of the 22-round reduced Skein is found with the complexity of 2
511.2
.
Table 2. Parameters of the (pseudo) preimage attacks on the reduced Skein-512 [14]
Parameters of the preimage attack on the 22-round Skein-512 hash function
Chunks Matching
Forward Backward Biclique Partial matching Matching bits Total matching pairs Complexity
8-11 16-19 12-15 20 24 = 3 7 I
1
30,31,53
2
3
2
2.3
Parameters of the pseudo preimage attack on the 37-round Skein-512 compression function
Chunks Matching
Forward Backward Biclique Partial matching Matching bits Total matching pairs Complexity
8-15 24-31 16-23 32 38 = 2 7 I
3
25
2 2
1.2
Considering a pseudo preimage attack on the compression function, it is natural to assume
that tweak bits T can also be controlled by the attacker. Due to additional freedom, the pseudo
13
preimage attack on the 37-round reduced Skein-512 is feasible by using the 1-dimension biclique
at rounds 16-23. In this attack, we can obtain 2 pairs matched in 1 bit by 2
1.2
calls of the 37-
round Skein-512 compression function. Consequently, a pseudo preimage of the 37-round reduced
Skein is found with the complexity of 2
511.2
.
The parameters for the preimage attacks on the 22-round and the 37-round reduced Skein-
512 hash function and compression function are summarized in Table 2. See [14] for more details
about this attack.
5.3 Pseudo Collision Attacks on Skein.
Since the matching point used in the MITM preimage attack on the 22-round reduced Skein-512
hash function [14] is located in the end of the compression function, our conversion technique
can directly convert it to the pseudo collision attack on the 22-round reduced Skein-512. In this
attack, the neutral words have 3-bit freedom degrees, and the bit size of the matching point is
3. As reported in [14], a 3-bit matching candidate can be found with the complexity of 2
2.3
/2
3
.
Thus, the complexity of the pseudo collision attack on the 22-round reduced Skein-512 hash
function is estimated as 2
253.8
(= 2
(5123)/2
2
2.3
/2
3
).
The pseudo preimage attack on the 37-round reduced Skein compression function can be
converted into a pseudo collision attack on a hash function in a similar way. The required com-
plexity for the pseudo collision attack on the 37-round reduced Skein hash function is estimated
as 2
255.7
(= 2
(5121)/2
2
1.2
/2).
6 Conclusion
In this paper, we gave a generic method to convert preimage attacks to pseudo collision attacks.
It provides a new insight to evaluate the security of hash functions. The essence of the method
is converting a partial target preimage attack to a pseudo collision attack. That is especially
compatible to meet-in-the-middle preimage attacks since it can be converted into a partial
target preimage attack if the matching point can be moved to the end of a hash function or a
compression function and enough freedom on neutral bits are left.
Using the proposed approach, we presented the best pseudo collision attacks on SHA-2 based
on the known preimage attacks, which has been left as open question. We showed pseudo collision
attacks on the 43- and 46-step reduced SHA-256 and SHA-512 based on the MITM preimage
attacks presented in [4]. Also, pseudo collision attacks on the 52- and 57-step reduced SHA-256
and SHA-512 based on the more advanced MITM preimage attacks in [14] were demonstrated.
We also applied the conversion technique to other hash functions including Skein and BLAKE
with the meet-in-the-middle preimage attacks, that showed the widely usage of this method. The
pseudo collision attacks on the 22- and 37-round reduced Skein-512 were presented. The 4-round
reduced BLAKE-256/512 without the initialization function can be attacked by the converted
pseudo collision attack (see Appendix A). Our technique can also apply to other hash functions,
such as Tiger [1]. Based on the MITM preimage attack on the full Tiger [10], we might construct
the pseudo collision attack on the full Tiger. We believe that the technique can be used for more
hash algorithms once their preimage or pseudo preimage attacks are found.
By this method, now we only can get pseudo collision attacks. It is left as future works that
how to construct collision attacks from known preimage attacks.
Acknowledgments The author would like to thank the anonymous reviewers for their helpful
comments.
14
References
1. R. J. Anderson and E. Biham, Tiger: A fast new hash function. in FSE (D. Gollmann, ed.), vol. 1039 of
Lecture Notes in Computer Science, pp. 8997, Springer, 1996.
2. K. Aoki and Y. Sasaki, Preimage attacks on one-block MD4, 63-step MD5 and more. in Selected Areas
in Cryptography (R. Avanzi, L. Keliher, and F. Sica, eds.), vol. 5381 of Lecture Notes in Computer Science,
pp. 103119, Springer, 2009.
3. K. Aoki and Y. Sasaki, Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. in
CRYPTO (S. Halevi, ed.), vol. 5677 of Lecture Notes in Computer Science, pp. 7089, Springer, 2009.
4. K. Aoki, J. Guo, K. Matusiewicz, Y. Sasaki, and L. Wang, Preimages for step-reduced SHA-2. in ASI-
ACRYPT (M. Matsui, ed.), vol. 5912 of Lecture Notes in Computer Science, pp. 578597, Springer, 2009.
5. J.-P. Aumasson, L. Henzen, W. Meier, and R. C.-W. Phan, SHA-3 proposal BLAKE (version 1.3). Sub-
mission to NIST, Dec. 2010. Available at http://131002.net/blake/blake.pdf.
6. A. Biryukov, M. Lamberger, F. Mendel, and I. Nikolic, Second-order dierential collisions for reduced SHA-
256. in ASIACRYPT (D. H. Lee and X. Wang, eds.), vol. 7073 of Lecture Notes in Computer Science,
pp. 270287, Springer, 2011.
7. A. Bogdanov and C. Rechberger, A 3-subset meet-in-the-middle attack: Cryptanalysis of the lightweight
block cipher KTANTAN. in Selected Areas in Cryptography (A. Biryukov, G. Gong, and D. R. Stinson,
eds.), vol. 6544 of Lecture Notes in Computer Science, pp. 229240, Springer, 2010.
8. C. D. Canni`ere and C. Rechberger, Preimages for reduced SHA-0 and SHA-1. in CRYPTO (D. Wagner,
ed.), vol. 5157 of Lecture Notes in Computer Science, pp. 179202, Springer, 2008.
9. N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas, and J. Walker, The Skein
hash function family..
10. J. Guo, S. Ling, C. Rechberger, and H. Wang, Advanced meet-in-the-middle preimage attacks: First results
on full Tiger, and improved results on MD4 and SHA-2. in ASIACRYPT (M. Abe, ed.), vol. 6477 of Lecture
Notes in Computer Science, pp. 5675, Springer, 2010.
11. S. Indesteege, F. Mendel, B. Preneel, and C. Rechberger, Collisions and other non-random properties for
step-reduced SHA-256. in Selected Areas in Cryptography (R. Avanzi, L. Keliher, and F. Sica, eds.), vol. 5381
of Lecture Notes in Computer Science, pp. 276293, Springer, 2009.
12. T. Isobe, A single-key attack on the full GOST block cipher. in FSE (A. Joux, ed.), vol. 6733 of Lecture
Notes in Computer Science, pp. 290305, Springer, 2011.
13. T. Isobe and K. Shibutani, Preimage attacks on reduced Tiger and SHA-2. in FSE (O. Dunkelman, ed.),
vol. 5665 of Lecture Notes in Computer Science, pp. 139155, Springer, 2009.
14. D. Khovratovich, C. Rechberger, and A. Savelieva, Bicliques for preimages: Attacks on Skein-512 and the
SHA-2 family. in FSE12 (to appear), Lecture Notes in Computer Science, Springer-Verlag, 2012.
15. X. Lai and J. L. Massey, Hash function based on block ciphers. in EUROCRYPT, pp. 5570, 1992.
16. G. Leurent, MD4 is not one-way. in Fast Software Encryption (K. Nyberg, ed.), vol. 5086 of Lecture Notes
in Computer Science, pp. 412428, Springer, 2008.
17. F. Mendel, T. Nad, and M. Schl aer, Finding SHA-2 characteristics: Searching through a mineeld of
contradictions. in ASIACRYPT (D. H. Lee and X. Wang, eds.), vol. 7073 of Lecture Notes in Computer
Science, pp. 288307, Springer, 2011.
18. F. Mendel, N. Pramstaller, C. Rechberger, and V. Rijmen, Analysis of step-reduced SHA-256. in FSE
(M. J. B. Robshaw, ed.), vol. 4047 of Lecture Notes in Computer Science, pp. 126143, Springer, 2006.
19. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. CRC Press, 1997.
20. I. Nikolic and A. Biryukov, Collisions for step-reduced SHA-256. in Fast Software Encryption (K. Nyberg,
ed.), vol. 5086 of Lecture Notes in Computer Science, pp. 115, Springer, 2008.
21. J.-J. Quisquater and J.-P. Delescaille, How easy is collision search? application to DES (extended summary).
in EUROCRYPT, pp. 429434, 1989.
22. M.-J. O. Saarinen, A meet-in-the-middle collision attack against the new FORK-256. in INDOCRYPT
(K. Srinathan, C. P. Rangan, and M. Yung, eds.), vol. 4859 of Lecture Notes in Computer Science, pp. 1017,
Springer, 2007.
23. S. K. Sanadhya and P. Sarkar, 22-step collisions for SHA-2. CoRR, vol. abs/0803.1220, 2008.
24. S. K. Sanadhya and P. Sarkar, Attacking reduced round SHA-256. in ACNS (S. M. Bellovin, R. Gennaro,
A. D. Keromytis, and M. Yung, eds.), vol. 5037 of Lecture Notes in Computer Science, pp. 130143, 2008.
25. S. K. Sanadhya and P. Sarkar, New collision attacks against up to 24-step SHA-2. in INDOCRYPT (D. R.
Chowdhury, V. Rijmen, and A. Das, eds.), vol. 5365 of Lecture Notes in Computer Science, pp. 91103,
Springer, 2008.
26. S. K. Sanadhya and P. Sarkar, Non-linear reduced round attacks against SHA-2 hash family. in ACISP
(Y. Mu, W. Susilo, and J. Seberry, eds.), vol. 5107 of Lecture Notes in Computer Science, pp. 254266,
Springer, 2008.
27. Y. Sasaki and K. Aoki, Finding preimages in full MD5 faster than exhaustive search. in EUROCRYPT
(A. Joux, ed.), vol. 5479 of Lecture Notes in Computer Science, pp. 134152, Springer, 2009.
15
28. Y. Sasaki and K. Aoki, Preimage attacks on 3, 4, and 5-pass HAVAL. in ASIACRYPT (J. Pieprzyk, ed.),
vol. 5350 of Lecture Notes in Computer Science, pp. 253271, Springer, 2008.
29. R. Sedgewick, T. G. Szymanski, and A. C.-C. Yao, The complexity of nding cycles in periodic functions.
SIAM J. Comput., vol. 11, no. 2, pp. 376390, 1982.
30. L. Wang, K. Ohta, and K. Sakiyama, Free-start preimages of round-reduced Blake compression function.
Rump session at ASIACRYPT 2009.
31. X. Wang, Y. L. Yin, and H. Yu, Finding collisions in the full SHA-1. in CRYPTO (V. Shoup, ed.), vol. 3621
of Lecture Notes in Computer Science, pp. 1736, Springer, 2005.
32. X. Wang and H. Yu, How to break MD5 and other hash functions. in EUROCRYPT (R. Cramer, ed.),
vol. 3494 of Lecture Notes in Computer Science, pp. 1935, Springer, 2005.
33. D. Watanabe, OFFICIAL COMMENT: LUX. NIST mailing list, 2009. Available at http://csrc.nist.
gov/groups/ST/hash/sha-3/Round1/documents/LUX Comments.pdf.
Appendix
A Application to BLAKE
We apply our technique to BLAKE hash family consisting of BLAKE-224, BLAKE-256, BLAKE-
384 and BLAKE-512 [5]. We utilize the result presented in [30] which showed a pseudo preimage
attack on the 4-round reduced BLAKE compression function without the initialization function.
While the practical impact on the attack on this reduced BLAKE compression function is
debatable, a pseudo collision on the reduced BLAKE can be directly derived by using our
conversion technique. We can nd pseudo collision of BLAKE-256 compression function for
reduced 4 rounds with the complexity of 2
112
. For BLAKE-512, the complexity is 2
224
for reduced
4 rounds compression function.
A.1 Description of BLAKE
The compression function of BLAKE-256 consists of initialization, round function and finalization.
Initialization : 8 words of chaining value h
0
, . . . , h
7
are transformed into 16 words of an initial
state v
0
, . . . , v
15
as v
i
= h
i
for 0 i 7. While v
i
(8 i 15) are obtained from the salts and
the counter, we ignore the details for the simplicity.
Round function : An initial state v is updated by 14 round functions. Each round function
includes the following steps, G
0
(v
0
, v
4
, v
8
, v
12
), G
1
(v
1
, v
5
, v
9
, v
13
), G
2
(v
2
, v
6
, v
10
, v
14
), G
3
(v
3
,
v
7
, v
11
, v
15
), G
4
(v
0
, v
5
, v
10
, v
15
), G
5
(v
1
, v
6
, v
11
, v
12
), G
6
(v
2
, v
7
, v
8
, v
13
), G
7
(v
3
, v
4
,v
7
, v
14
). The
function G
i
(a, b, c, d) is dened as:
a a +b + (m

r
(2i)
c

r
(2i+1)
), d (d a) 16,
c c +d, b (b c) 12,
a a +b + (m

r
(2i+1)
c

r
(2i)
), d (d a) 8,
c c +d, b (b c) 7,
where permutations
r
(j) (0 j < 16) of the rst 4 rounds refer to Table 3. The functions G
0
to G
3
and G
4
to G
7
denote the column transfroms and the diagonal transforms, respectively.
Table 3. Message and Constants Permutation
i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

1
14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3

2
11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4

3
7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8
16
initialization nalization
rounds
message
salt salt counter
input CV
output CV
random start value
Fig. 5. MITM preimage attack for nalization
Finalization : After the round functions, the new chaining value is extracted with the updated
state, the salt and the feed-forward of the initial chaining value as follows.
h

0
h
0
s
0
v
0
v
8
h

1
h
1
s
1
v
1
v
9
h

2
h
2
s
2
v
2
v
10
h

3
h
3
s
3
v
3
v
11
h

4
h
4
s
0
v
4
v
12
h

5
h
5
s
1
v
5
v
13
h

6
h
6
s
2
v
6
v
14
h

7
h
7
s
3
v
7
v
15
BLAKE-512 operates on 64-bit words and outputs 512 bits. The compression function of
BLAKE-512 is similar to that of BLAKE-256 except the number of rounds (16 instead of 14),
and the constants and the amount of rotation used in G functions.
A.2 Known MITM Preimage Attacks on 4-round Compression Function of
BLAKE [30].
In the setting of the pseudo preimage of the compression function presented in [30], the initial-
ization step is disregarded, and selected a random start value from the start of round functions
(the end of initialization step) as shown in Fig. 5.
Figure 6 shows the overview of the pseudo preimage attacks on the 4-round reduced BLAKE
compression function without the initialization. Let an input state of the round i be {v
i1
0
, . . . , v
i1
15
}.
In this attack, message words m
4
and m
6
are used as the neutral words, and the starting point
of the attack is the state after the column transformation of the round 3. In the forward com-
putation from the starting point, v
4
6
, v
4
14
can be computed without using m
6
. Similarly, in the
backward computation, v
0
6
can be computed without using m
4
. Therefore, stroing m
4
, v
4
6
, v
4
14
in
a list L
F
, and m
6
, v
0
6
in a list L
B
, we expect to nd matching pairs satisfying h

6
= v
0
6
v
4
6
v
4
14
.
As a result, a pseudo preimage of the 4-round reduced BLAKE without the initialization is
found with the complexity of 2
224
.
A.3 Pseudo Collision Attacks on BLAKE Compression Function.
Since the matching point of the known pseudo preimage attack is at the end of the compression
function, we can directly use it to construct a pseudo collision attack.
Attack Procedure.
1. Random choose the 7-th word words of the output value h

6
, which is the target value.
2. Random choose the values of state words and message words except of m
4
and m
6
.
3. For all 2
32
possible m
4
, compute forward and nd v
4
6
and v
4
14
. Store the pairs (m
4
, v
4
6
v
4
14
)
in a list L
F
4. For all 2
32
possible m
6
, compute forward and nd v
0
6
. Store the pairs (m
4
, h

6
v
0
6
) in a list
L
B
.
17
v
0
v
1
v
2
v
3
v
4
m
4
m
4
m
4
m
4
m
6
m
6
m
6
m
6
v
0
6
v
4
6
v
4
14
Column
Column
Column
Column
Diagonal
Diagonal
Diagonal
Diagonal
start point
: not depending on m
6
: not depending on m
4
: depending on m
4
and m
6
Fig. 6. Pseudo preimage attacks on reduced BLAKE compression function
5. Compare the value v
4
6
v
4
14
and h

6
v
0
6
in two lists L
F
and L
B
.
6. Once matching, compute states v
0
0
, v
0
1
, , v
0
15
and v
4
0
, v
4
1
, , v
4
15
. Compute output values
h

0
, h

1
, . . . , h

15
according to nalization steps and store with message words together. Then
obtain 2
32
items in which the value of h

6
are xed.
7. Repeat steps (2) - (6) 2
80
times.
We can obtain 2
112
items in which the value of h

6
are xed. A colliding pair exists with
a high probability that the other 224 bits of output values are also same. Finally, we can nd
a pseudo collision of the compression function for the 4-round reduced BLAKE-256 with the
complexity of 2
112
= 2
80
2
32
.
The attack is applicable to the reduced BLAKE-512 in a similar way, since the components
of BLAKE-512 are similar to those of BLAKE-256. In BLAKE-224, the variable h

7
is truncated
and discarded. However, the truncation does not aect our convertion, since we use h

6
as a
partial target preimage. Thus, a pseudo collision attack on the 4-round reduced BLAKE-224
without the initialization can be constructed with the complexity of 2
96
(= 2
(22432)/2
). For
BLAKE-512, in contrast to the other variants, the variable h

6
is discarded by the truncation as
well. Therefore, it is hard to straightforwardly apply our conversion to the reduced BLAKE-512,
since h

6
cannot be used as a partial target preimage.
18