TY - GEN
T1 - The First Practical Collision for 31-Step SHA-256
AU - Li, Yingxin
AU - Liu, Fukang
AU - Wang, Gaoli
AU - Dong, Xiaoyang
AU - Sun, Siwei
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2025.
PY - 2025
Y1 - 2025
N2 - SHA-256 is a hash function standardized by NIST and has been widely deployed in real-world applications, e.g., Bitcoin. Recently, an improved collision attack on 31-step SHA-256 was proposed by Li-Liu-Wang at EUROCRYPT 2024, whose time and memory complexity are 249.8 and 248, respectively. Such a result indicates that we are close to a practical collision attack on 31-step SHA-256, and that the current bottleneck is the memory complexity. To overcome such an obstacle, we develop a novel memory-efficient attack in this paper, which allows us to find the first practical colliding message pair for 31-step SHA-256 in only 1.2 h with 64 threads and negligible memory. This technique is general and Li-Liu-Wang’s collision attack on 31-step SHA-512 can also be significantly improved, i.e., the time and memory complexity can be improved by a factor of 220.9 and 242.1, respectively. Although we have set a new record in the practical collision attack on SHA-256, which improves the previous best practical attack published at EUROCRYPT 2013 by 3 steps, the attack is still far from threatening the security of SHA-256 since it has 64 steps in total. On the other hand, our new attack shows that nearly half of full SHA-256 can be practically cracked now, and it should be viewed as a major progress in the cryptanalysis of SHA-256 since 2013.
AB - SHA-256 is a hash function standardized by NIST and has been widely deployed in real-world applications, e.g., Bitcoin. Recently, an improved collision attack on 31-step SHA-256 was proposed by Li-Liu-Wang at EUROCRYPT 2024, whose time and memory complexity are 249.8 and 248, respectively. Such a result indicates that we are close to a practical collision attack on 31-step SHA-256, and that the current bottleneck is the memory complexity. To overcome such an obstacle, we develop a novel memory-efficient attack in this paper, which allows us to find the first practical colliding message pair for 31-step SHA-256 in only 1.2 h with 64 threads and negligible memory. This technique is general and Li-Liu-Wang’s collision attack on 31-step SHA-512 can also be significantly improved, i.e., the time and memory complexity can be improved by a factor of 220.9 and 242.1, respectively. Although we have set a new record in the practical collision attack on SHA-256, which improves the previous best practical attack published at EUROCRYPT 2013 by 3 steps, the attack is still far from threatening the security of SHA-256 since it has 64 steps in total. On the other hand, our new attack shows that nearly half of full SHA-256 can be practically cracked now, and it should be viewed as a major progress in the cryptanalysis of SHA-256 since 2013.
KW - SHA-256
KW - SHA-512
KW - meet-in-the-middle technique
KW - practical collisions
UR - https://www.scopus.com/pages/publications/85213327149
U2 - 10.1007/978-981-96-0941-3_8
DO - 10.1007/978-981-96-0941-3_8
M3 - 会议稿件
AN - SCOPUS:85213327149
SN - 9789819609406
T3 - Lecture Notes in Computer Science
SP - 237
EP - 266
BT - Advances in Cryptology – ASIACRYPT 2024 - 30th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
A2 - Chung, Kai-Min
A2 - Sasaki, Yu
PB - Springer Science and Business Media Deutschland GmbH
T2 - 30th Annual International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2024
Y2 - 9 December 2024 through 13 December 2024
ER -