Near-Collision Attack on the Compression Function of Dynamic SHA2

In this paper, we present a near-collision attack on the compression functions of Dynamic SHA2 for all the output sizes. For the Dynamic SHA2-224/256, the complexity is about 2 operations and for the Dynamic SHA2-384/512, the complexity is about 2. 1 Description of Dynamic SHA2 The Dynamic SHA-2 [1] is an iteration cryptographic hash function family which is built with the design components from SHA-2 family [2]. It provides the message digests of 224, 256, 384 and 512 bits. The fundamental building block of Dynamic SHA2-256 (Dynamic SHA2-512) is the compression function that takes 256-bit (512-bit) chaining value and 512-bit (1024-bit) message block and outputs a new 256-bit (512-bit) chaining value. For our purpose attack, we only describe the compression function of Dynamic SHA2 which includes three iterative parts. The first part includes only one round and mixs all the message words one time; the second iterative part includes 9 blank rounds and no message words are mixed, so it has no effect on our attack and we can neglect to describe it; and the third part includes 7 rounds and mixs the message words 7 times. The compression function of the Dynamic SHA2 can be described are as follows: 1. Input the 512-bit (resp. 1024-bit) messageW = (w0, w1, ..., w15), and initialize the eight chaining variables (a, b, c, d, e, f , g, h) with the (i− 1) hash value (a0, b0, c0, d0, e0, f0, g0, h0). 2. Step update: – The first iterative part COMP (a, b, c, d, e, f, g, h, w0, w1, w2, w3, w4, w5, w6, w7, 0) COMP (a, b, c, d, e, f, g, h, w8, w9, w10, w11, w12, w13, w14, w15, 0) – The second iterative part (No message words are mixed, we neglect to describe it). ? Supported by 973 Project(No.2007CB807902), 863 Project(No.2006AA01Z420) and the National Natural Science Foundation of China(NSFC Grant No.60803125)