[Cryptography] SHA-256 decrypted (8 rounds)

Jon Callas jon at callas.org
Fri Nov 10 18:59:05 EST 2023


McDair,

This is nice work, thanks for sharing it with us. No harm in using VB; it's a language.

Similar to what Michael Kjörling said, though, are you claiming anything with it beyond eight rounds of cryptanalysis?

Hash functions of this sort use an internal block cipher, and then a chaining mechanism to combine iterations of the cipher into the actual hash function. SHA2 in all its forms uses Merkle-Damgård chaining which has issues, and so modern hash functions use different mechanisms.

However, that's not really relevant here. It's natural and expected that any sort of function will have effective cryptanalysis for some number of rounds and then no more. This is more or less what the colloquial term "avalanche" means -- that uncertainties in tracing paths collapse after a certain number of rounds.

In 2003, Gilbert and Handschuh wrote, "Security Analysis of SHA-256 and Sisters" <https://link.springer.com/content/pdf/10.1007/978-3-540-24654-1_13.pdf> and they found a 9-round differential and a separate (much better) one for 4 rounds. Note there's a total of 80 rounds.

After Wang's attacks on everything in 2004, there was another 2008 paper, "Collisions and other Non-Random Properties for Step-Reduced SHA-256" by Indesteege, Mendel, Preneel, and Rechberger, <https://eprint.iacr.org/2008/131.pdf> where they find a 23-round collision with effort 2^18, and a 24-round collision with effort 2^28.5. (Note their "steps" appear to be the same thing as G&H's "rounds" and are cited in that paper as steps.)

Presently, we generally consider SHA-2 to be a known quantity. I'll admit that all of the brain cycles I spent on it a long time ago have suffered from bitrot and I had to go skim papers to catch up. So please don't take it as an insult that I'm asking what results are, I just want the TL;DR.

It seems to me that you've bettered some of the initial cryptanalysis by getting to 8 rounds with certainty, but what does that really mean? Can you extend that out, given that you have a good differential? Can that be turned into reduced round collisions? Pre-image attacks?

Pre-image attacks would be very interesting because that not only affects signatures, but would challenge the way that Bitcoin doubles SHA-256. I'm not sure what you have, though. Moreover, eight rounds out of eighty is good news for the hash function, usually, because there are 72 rounds to go.

I don't even know if you're presenting this as a weakness or a strength. Either way, it's nice to see, I'm just confused.

	Jon


