Finding Near-Optimum Message Scheduling Settings for SHA-256 Variants Using Genetic Algorithms

Transcription

1 Finding Near-Opimum essage Scheduling Seings for SHA-256 Varians Using Geneic Algorihms CHU-HSING LIN, CHEN-YU LEE 2, KRISHNA. KAVI 3, DENG-JYI CHEN 2, YI-SHIUNG YEH 2 Deparmen of Compuer Science Tunghai Universiy Taichung 407, Taiwan 2 Deparmen of Compuer Science Naional Chiao-Tung Universiy 00 Ta-Hsueh Road, HsinChu, 30050, Taiwan 3 Deparmen of Compuer Science and Engineering Universiy of Norh Texas One-way hash funcions play an imporan role in modern crypography. ausiewicz e al. proved ha he message scheduling is essenial for he securiy of SHA-256 by showing ha i is possible o find collisions wih complexiy 2 64 hash operaions for a varian wihou i. In his aricle, we firs proposed he conjecure ha message scheduling of SHA algorihm has higher securiy complexiy (or finess value in Geneic algorihm) if each message word (W ) involves more message blocks ( i ) in each round. We found some evidence suppors he conjecure. Consider he securiy of SHA-0 and SHA-. Since Chabaud and Joux shown ha SHA- is more secure han SHA-0. Furher, Wang found collisions in full SHA-0 and SHA- hash operaions wih complexiies less han 2 39 and 2 69, respecively. We found i is consisen from he viewpoin of message blocks (erms) involved in each message word. I clearly shown ha he number of erms involved in SHA- is more han ha in SHA-0, aking W 27 as an example, 4 and 6, respecively. Based on he conjecure we proposed a new view of complexiy for SHA-256-XOR funcions, a varian of SHA-256, by couning he erms involved in each equaion, insead of analyzing he probabiliy of finding collisions wihin SHA-256-XOR hash funcion. Our experimens shown ha he parameer se in each equaion of message schedule is crucial o securiy finess. We applied geneic algorihms o find he near-opimal message schedule parameer ses ha enhance he complexiy 4 imes for SHA- and.5 imes for SHA-256-XOR, respecively, when compared o original SHA- and SHA-256-XOR funcions. The analysis would be ineresing for designers on he securiy of modular-addiion-free hash funcion which is good for hardware implemenaion wih lower gae coun. And he found message schedule parameer ses would be a good reference for furher improvemen of SHA funcions. Keywords: geneic algorihms, crypography, secure hash algorihm. INTRODUCTION Crypographic hash funcions play an imporan role in modern crypography. They are widely used in a variey of applicaions such as password proecion, secure proocols, and digial signaures. The hash funcion uses a sring of arbirary lengh as is inpu, and creaes a fixed-lengh sring as is oupu. A hash value is ofen called a daa fingerprin or message diges.

2 Definiion [] (Collision-free hash funcion) A collision-free hash funcion H uses a message of arbirary lengh as is inpu, and produces a fixed-lengh message diges when i saisfies he following condiions: The descripion of H() is publicly known and i is easy o implemen Pre-image resisan: Given message diges y, i is difficul o find a message such ha H() = y. Second pre-image resisan: Given and is image H(), i is difficul o find anoher such ha H() = H( ). (Srong) Collision Resisance: I is difficul o find wo disinc messages and such ha H() = H( ). The Secure Hash Algorihm (SHA) is a series of crypographic hash funcions published by he US Naional Insiue of Sandards and Technology (NIST). NIST proposed he SHA-0 as a Federal Informaion Processing Sandard Publicaion (FIPS PUB) 80 in 993 [2]. In 995, NIST announced a revised version, he SHA-, in FIPS PUB 80- [3] as a sandard o replace he SHA-0. In 200, he NIST published SHA-2 as FIPS PUB 80-2 [4], which consised of four algorihms: SHA-, SHA-256, SHA-384, and SHA-52. Table liss he characerisics of he five SHA-2 algorihms. Algorihm essage Size (bis) Table. SHA algorihms Block Size (bis) Word Size (bis) essage Diges Size (bis) Securiy SHA- < SHA-224 < SHA-256 < SHA-384 < SHA-52 < The erm securiy in his able means ha a birhday aack [] [Remark ] on a message diges of size n produces a collision wih a facor of approximaely 2 n/2. Recen sudies have proposed exensions based on SHA. For example, RAR- SHA-256 [7] [Remark ] is composed of he SHA-256 compression funcion, and is faser han SHA-256 when implemened in parallel. SHACAL and SHACAL-2 [8][9] are block ciphers ha are based on SHA- and SHA-256, respecively, and which were submied o he New European Schemes for Signaures, Inegriy, and Encrypion projec in Yoshida and Biryukov replaced all arihmeic addiions wih XOR operaions in SHA-256, naming i SHA-256-XOR, and found ha SHA-2-XOR has a pseudo-collision resisance weakness up o 34 rounds [0]. A birhday aack [] [2] is a ype of crypographic aack based on he birhday problem in probabiliy heory. Given a funcion f, he aack aemps o find wo differen inpus x, x 2 such ha f(x ) = f(x 2 ). Such a pair (x, x 2 ) is called a collision inpu. The birhday aack on a message diges of size n produces a collision afer rying

3 .2 SHA-92, SHA-224, SHA-256, SHA-384, SHA-448, and SHA-52 are approximaely 2 80, 2 96, 2 2, 2 28, 2 92, 2 224, and 2 256, respecively, and are lised in Table. any researchers have ried o develop a crypanalyic mehod wih a lower complexiy han he birhday aack. In 998, Chabaud and Joux announced a mehod for finding he SHA-0 collisions [9]. They reduced his complexiy o 2 6 using a differenial crypanalysis echnique, bu hey could no successfully apply i o SHA-. This resul implied ha SHA- is more secure han SHA-0. In early 2005, Rijmen and Oswald applied he same mehod o find collisions in SHA- [3]. They examined message scheduling in SHA-0 and SHA-, and proved ha he complexiy associaed wih finding collisions in a reduced version of SHA- (wih 53 rounds insead of 80 rounds) was less han Wang, Yin, and Yu found collisions wih a complexiy of 2 69 in he full 80-sep SHA- [4]. In 200, Grechnikov announced he pracical collision aack on he 73-sep SHA- based on an auomaed approach [26]. NIST announced ha SHA- will be used unil 200, a which ime i will be replaced by SHA-2. Since 2004, several auhors have repored on collisions for SHA-256. Gilber and Handschuh repored a 9-round local collision wih a complexiy of 2 66 using differenial pah analysis [5]. endel e al. laer reduced his complexiy o 2 39 [6]. Nikolić and Biryukov realized 2-sep collisions for SHA-256 using a nonlinear differenial pah analysis wih a complexiy of 2 9 [7]. In 2008, Sanadhya and Sarkar found a local collision wih 24-sep SHA-256 and SHA-52 wih and calls, respecively [8], and his was he firs ime ha a colliding message pair for 24-sep SHA-52 was provided. In 2009, Indeseege e al. found collisions on he 24-sep SHA-256 and SHA-52 wih calls and 2 53 calls, respecively, and a local collision on 3-sep SHA-256 wih 2 32 [24]. Also in 2009, Aoki e al. presened full preimage aacks on up o 43-sep SHA-256 and SHA-52 wih he ime complexiies of and compression funcion operaions for full preimages, respecively [25]. Since 20, endel e al. have presened a collision on 27-sep SHA-256 and a semi-free-sar collision on 32-sep SHA-256 wih pracical complexiy [27]. Biryukov e al. presened a second-order differenial collision for he SHA-256 compression funcion on 47 ou of 64 seps, which have pracical complexiy based on a recangle/boomerang approach [28]. Almos all of he currenly known crypanalyses of SHA have aemped o find collisions on a differenial pah. However, he design of each componen such as algorihms for message scheduling and hash loop body and he funcion parameers, affecs he possibiliy ha a pah for collisions (using differenial pah crypanalysis) will be found. A fairly large body of lieraure exiss regarding mehods of improving hash algorihms. However, here is a surprising lack of informaion regarding he design and selecion of funcion parameers. This paper addresses his deficiency. The purpose of he research presened in his aricle is o examine he relaionship beween he securiy of a hash funcion and is funcion parameers. In his regard, wo issues ha need o be resolved are (a) how o assess he securiy finess of a given se of funcion parameers, and (b) how o find he opimal funcion parameer se. Specifically, his paper proposes a novel view of complexiy (hence securiy finess) of SHA-2-XOR funcions proposed in [0], by couning he erms involved in each equa- n / 2 2 n 2 inpu values. Under he birhday aack, he securiy of SHA-,

4 ion, insead of analyzing he probabiliy of finding collisions wihin an SHA-256-XOR hash funcion. Our experimens have shown ha he parameer se in each equaion of a message schedule plays an imporan role in securiy finess, bu i is very hard o find he opimum parameer values. We apply geneic algorihms o find he opimal message schedule parameer ses ha enhance he complexiy 4 imes for SHA- and.5 imes for SHA-256-XOR, when compared o original SHA- and SHA-256-XOR funcions. The analysis resuls would be ineresing for designers who are ineresed in he securiy of modular addiion free hash funcions, which are good for hardware implemenaion wih lower gae couns. oreover, he found message schedule parameer ses would be a good reference for furher improvemen of SHA funcions. The remainder of his paper is organized as follows. Secion 2 briefly inroduces SHA-, SHA-256, and geneic algorihms. Secion 3 proposes our securiy evaluaion crierion for SHA message scheduling, and finds he bes parameer ses for SHA- using a brue force approach. Secion 4 applies i o find he nearly opimal se for SHA-256-XOR and describes he experimenal resuls. Secion 5 discusses he resuls and concludes he paper. Table 2 liss he nomenclaure used hroughou he paper. Table 2. Legends Symbol Definiion essage wih arbirary lengh as he inpu of a hash funcion. W The h message word. m The number of oupu words. n The lengh of one word. l The lengh of he inpu message, l =. ROTL {i} () Lef-roaion operaion for i bis. r The value of m n, r = m n. H() The hash funcion H() wih inpu. {, A, B, C, D} The parameer se of W equaion in message scheduling. SHR {i} () Righ-shif operaion for i bis. (i) essage block i wih a size of 52 bis. (i) j The j h word of he i h message block. n j n j indicaes message word j doing n-biwise roaion 2. RELATED WORKS 2. Overview of SHA- and SHA-256 Algorihms SHA- [4] akes a message wih a lengh of l bis, where 0 l < 2 64, as he inpu, and oupus a 60-bi hash value. The hash funcion parses he padded message ino 52-bi blocks. Each block passes an 80-round compression funcion and oupus a 60-bi hash value. SHA- processing involves he following 3 seps:

5 Sep : Padding message: pad he inpu message making i a muliple of 52 bis. Sep 2: Parsing he padded message: parse he padded message ino N 52-bi blocks, (), (2),, (N). Each block (i) is divided ino sixeen 32-bi words, 0 (i), (i),, 5 (i). Sep 3: essage scheduling for each message block (i). The message words, {W }: ROTL i,0 5 W W W W, () where ROTL {i} indicaes lef roaion operaion by i bis. essage expansions are performed for 80 rounds. Algorihm defines hese seps in deail. Table 3 summarizes he Boolean funcion f ha appeared in he SHA- sep funcion. Algorihm SHA- sep funcion : FOR = o 80 2: e = d 3: d = c 4: c = ROTL 30 (b ) 5: b = a 6: a = ROTL 5 (a ) + f (b, c, d ) + e + K + W 7: End FOR Table 3. Boolean funcion used in SHA- Round Boolean funcion f (x, y, z) 0 20 (x y) (x z) 2 40 x y z 4 60 (x y) (x z) (y z) 6 80 x y z SHA-256 akes a message wih a lengh of l bis, where 0 l < 2 64, as he inpu, and oupus a 256-bi hash value. The hash funcion parses he padded message ino 52-bi blocks. Each block passes a 64-round compression funcion and oupus a 256-bi hash value. The SHA-256 conains seps ha are similar o SHA-, excep ha i ses differen iniial values and consans, and uses differen funcions. The following is a descripion of he message block processing sep. Sep 3: essage scheduling for each message block (i).

6 The message words, {W }: 0 i, , x ROTL x ROTL x SHR x x ROTL x ROTL x SHR x (3) where SHR {i} indicaes righ shif operaion by i bis. essage expansions are performed for 64 rounds. Algorihm 2 defines hese seps in deail. Table 4 summarizes he Boolean funcion f used in each round. (2) Algorihm 2 SHA-256 sep funcion : FOR = o 64 2: T = h + f (e ) + f 3 (e,f,g ) + K + W 3: T 2 = f 2 (a ) + f 4 (a,b,c ) 4: h = g 5: g = f 6: f = e 7: e = d + T 8: d = c 9: d = c 0: c = b : b = a 2: a = T + T 2 3: End FOR Table 4. Boolean funcion used in SHA-256 Boolean funcion f f (x) = ROTL (2) (x) ROTL (3) (x) ROTL (22) (x) f 2 (x) = ROTL (6) (x) ROTL () (x) ROTL (25) (x) f 3 (x) = (x y) (x z) f 4 (x) = (x y) (x z) (y z) 2.2 Geneic Algorihm The geneic algorihm is he mos popular ype of evoluionary algorihm ha use echniques inspired by evoluionary biology. As saed by John H. Holland in 975, The geneic algorihm has a wide scope of applicaions, including economics, engineering, machine learning, genome biology, game heory, neural neworks, eceera [23]. A geneic algorihm provides a highly efficien mehod for ensuring convergence

7 o near-opimal or opimal soluions. Figure shows he seps of he geneic algorihm, which are described as follows: () Iniializaion of populaion. (2) Choice of a finess funcion and evaluaion of he finess value of each individual in he populaion. (3) Selecion of beer ranked par o be reproduced. (4) Breeding new generaion s populaion by crossover and muaion. (5) Replacemen of he wors ranked par of he populaion wih he new generaion s populaion. (6) Repeaing his generaional process unil he erminaion condiion has been reached. Fig.. Flowchar of geneic algorihm The Geneic Algorihm Uiliy Library (GAUL) developed by AI Foundry [22] is a flexible programming library designed o aid in he developmen of applicaions ha use geneic or evoluionary algorihms. I provides daa srucures and funcions for handling and manipulaing he daa required for serial and parallel evoluionary algorihms. GAUL is an open-source programming library, which was released under he GNU General Public License. I is designed o assis in he developmen of code ha requires evoluionary algorihms. 3. SHA ESSAGE SCHEDULING EVALUATION CRITERION This secion proposes an evaluaion crierion of SHA message scheduling. The number of erms involved in he message schedule is reaed as an evaluaion crierion of SHA message scheduling. This sudy uses SHA-0 and SHA- as examples o show ha SHA- is more secure han SHA-0 by comparing heir message scheduling equa-

8 ions. 3. Local Collision A local collision appearing on all he SHA families is a collision wihin inermediae seps of he hash funcion [4]. The saring poin for hash funcion collision aacks is a local collision. Local collisions are found using linear approximaions of Boolean funcions ha are used in various rounds in message scheduling (and oher condiions as defined in [4]). The firs observaion is ha SHA-0 has a 6-sep local collision ha can sar a any sep i. The differenial pah is a sequence of grouped local collisions wih possible overlaps [20]. Wang [4] ried o find a se of saring seps for each local collision o consruc such a pah. The disurbance vecor is applied o saisfy he recursion defined by he message expansion. Once a local collision is found, an aemp is made o consider he message expansion and oher non-linear designs o find a collision for he full hash funcion. For SHA-0, 3 vecors are found successfully for hree condiions in [4]. However, i is more complicaed o find a good disurbance vecor due o he large search space on SHA-, and he probabiliy of n inerleaved local collision complexiies increases exponenially wih n for SHA-256 [6]. endel provides an approach for collision searches as follows [6]: () Idenify local collisions in each round of ransformaion. (2) Search for disurbance vecors ha need o saisfy some addiional properies. (3) Build he difference vecor by inerleaving he local collisions. (4) The complexiy of he collision search is relaed o he characerisic wihin hese inerleaved local collisions. (5) Adjusing message bis for he chosen characerisic reduces he compuaional cos for he collision search. The issue ha arises is how o reduce he number of local collisions in an expansion process. Our sudy applies a geneic approach o find he opimal parameer se of he SHA family message expansion funcion based on he evaluaion crierion wih he lowes number of local collisions. 3.2 Local Collision in SHA-0 and SHA- In [9], i is poined ou ha SHA- is safer han SHA-0 because of a single biwise roaion in SHA- ha affecs he local collisions exising in SHA-0. Table 5 shows he SHA-0 and SHA- equaions. Table 5. SHA-0, SHA-, and SHA-256-XOR equaions Algorihm SHA-0 i Equaion,0 5 W ,6 79

9 SHA- SHA-256-X OR i,0 5 ROTL ,6 79 i 0 W 2 7 W 6 The following are examples ha compare he erms involved in W 27 in boh SHA-0 and SHA-, and ha in W 20 in SHA-256-XOR where j n (or W j n ) indicaes ha he message block j (or inermediae message word W j ) undergoes an n-biwise lef roaion. Each message word W is obained by recursively compuing oher words wih lower indices and being replaced by message blocks unil 5. Figure 2 represens he number of erms involved in full SHA-0, SHA-, and SHA-256-XOR. [SHA-0] W 27 = W 24 W 9 W 3 W = (W 2 W 6 W 0 W 8 ) W 9 W 3 W = = erms are involved. [SHA-] W 27 = W 24 W 9 W 3 W = 2 2 (W 2 W 6 W 2 0 W 2 8 ) W 9 W 3 W = = erms are involved. [SHA-256-XOR] W 20 = 0 (W 8 ) W 3 (W 5 ) W 4 = 7 8 W 8 W 7 W 3 W 7 5 W 9 5 W 4 = 4 (W 4 W 25 4 W 7 9 W 24 W 26 W 7 6 W W 9 W W 5 W 0 W W 3 W 3 W 2 ) (W 4 W 4 W 9 W W W W 4 W 9 W W 5 W 0 W W 3 9 W 3 W 2 ) W 5 W 3 W 4 = 2 W 4 W 32 4 W 4 9 W 3 W W 4 0 W W 4 W W W W 0 W W 3 W 3 W 2 W 4 W W 9 W W W 0 W 4 W 4 W 9 W W W W 3 W 3 W 2 W W 5 W 4

10 = erms are involved. Fig. 2. Comparison of he number of erms involved in each W in message scheduling for SHA-0, SHA- and SHA Lee s Conjecure ausiewicz e al. proved ha he funcions ( and ) or he message expansion are essenial for he securiy of SHA-256 by showing ha i is possible o find collisions wih a complexiy of 2 64 hash operaions for a varian wihou hem [29]. We proposed ha message scheduling of he SHA algorihm has higher securiy complexiy (or finess) if each message word (W ) involves more message blocks ( i ) in each round. Chabaud and Joux showed ha SHA- is more secure han SHA-0 [9]. Furhermore, Wang found collisions in full SHA-0 and SHA- hash operaions wih complexiies less han 2 39 [20] and 2 69 [4], respecively. Consider he analyses of he erms involved in each message block. Figure 2 clearly shows ha he number of erms involved in SHA- is more han ha in SHA-0, aking W 27 as an example (4 > 6). Therefore, SHA- has a higher securiy complexiy (hence securiy finess) han SHA-0. In his paper, we use he erm securiy finess o evaluae he securiy of each possible W in message scheduling. 3.4 The Bes Seing of essage Scheduling Equaion in SHA-

11 The message scheduling equaion in SHA- can be generalized as ROTL i,0 5 W W W W,6 A B C D 79 (4) The bes four variables are produced by he brue force (or exhausive) approach, and he values found are {A, B, C, D} = {, 2,, 6}. The bes complexiy occurs in round 60 when 22 erms are involved. The modified equaion is ROTL i,0 5 W W W W, (5) and called opsha- [2]. Figure 3 compares he number of erms involved in SHA- and opsha-. Fig. 3. Comparison of he number of erms involved in each W in message scheduling for SHA- and SHA--OPT 4. IPROVING SHA-256-XOR VIA GENETIC ALGORITHS 4. Specialized GA for SHA-256-XOR To find opimum parameers, he message scheduling equaion in SHA-256-XOR can be generalized as i,0 5 0 A B C D 63 W W W W,6 (6)

12 7 8 3 and 0 x ROTL x ROTL x SHR x x ROTL x ROTL x SHR x (3) Consider wo operaions, ROTL and SHR. A biwise roaion operaion, ROTL, is a circular shif operaion ha is a permuaion of he enries in a uple where he las elemen becomes he firs elemen and all of he oher elemens are shifed. The shif operaion, SHR n (x), which ses 0 as he firs elemen, does no influence he experimenal resuls because SHR n (x) and ROTR n (x) produce differen resuls. Based on his assumpion, he generalized form is modified o x ROTL x ROTL x 7 9 x ROTL x ROTL x (7) In he previous secion, he opimal values are calculaed using he brue force approach in opsha-. To find he opimum parameers using he brue force approach for SHA-256-XOR, we would need o es 2 64 possible combinaions of {A, B, C, D} for each round (6 63), and o perform up o operaions in he whole experimen. We applied geneic algorihm operaors of recombinaion and perurbaion o reduce he number of infeasible soluions needed o find he near opimal variable se {A, B, C, D}. The design of he GA involves some main componens: geneic represenaion, populaion iniializaion, finess funcion, selecion scheme, crossover, and muaion. Each componen is described as follows, and he parameers used wih GAUL are lised in Table 6: Geneic represenaion: The genes represen he inpu variables, A, B, C, D,, of he generalized SHA-256-XOR, and each chromosome represens a possible soluion. In he simulaion, he lengh of each chromosome is 5. Populaion iniializaion: Each chromosome presens a poenial soluion for he problem in geneic algorihms. The iniial populaion is randomly generaed and he size is se o 500. Finess Funcion: The finess funcion couns he number of erms in he equaion for W. Afer he process of selecion, crossover, and muaion, he opimal chromosome indicaes he maximum number of erms involved in he equaions. F() = # of differen erms involved in W equaion (8) Selecion Scheme: Selecion is a geneic operaor ha chooses a chromosome from he curren generaion s populaion for inclusion in he nex generaion s populaion. We adop he binary ournamen selecion based on he finess value in he simulaion. Crossover and uaion: Crossover enables geneic algorihms o exrac he bes genes from differen individuals, and o produce poenially superior children. The muaion operaion randomly modifies he gene o preven he

13 falling of all soluions ino a local opimum, and exends he search space. In he simulaion, we adop he one-poin crossover wih a raio 0.9, and a single-poin muaion wih a raio 0.. Table 6. Geneic algorihm parameers. Parameer Value Library GAUL Populaion size 500 Number of chromosomes Lengh of each chromosome 5 Evoluionary mode GA_SCHEE_DARWIN Eliism mode GA_ELITIS_PARENTS_SU RVIVE Crossover raio 0.9 uaion raio 0. Finess funcion # of erms involved in W equaion 4.2 Experimen resuls Table 7 liss 0 generaions of he simulaion resuls for {A, B, C, D}. The simulaion requires heavy compuaional imes for each. Appendix A liss more of our experimenal resuls. We have no generaed opimum parameers for addiional rounds because of he compuaional requiremens. However, we believe ha we have demonsraed he basis of our conribuion, which is a possible approach for he selecion of opimal message scheduling parameers and he analysis of he securiy finess. The values for he 5 variables converge afer 42 generaions. I appears ha he approximae opimal values are {A, B, C, D} = {4,,, 6}. Thus, he bes equaion for W of SHA-256-XOR, named opsha-256-xor, should be i, W W W W,6 (9) Figure 4 compares SHA-256-XOR wih opsha-256-xor by showing clearly ha opsha-256-xor is indeed more secure han SHA-256. Table 7. The las 0 generaions of he simulaion Generaion A B C D Finess

14 Fig. 4. Comparison of he number of erms involved in each W in message scheduling for SHA-256-XOR and opsha-256-xor Wih regards o he performance, Figure 5 compares he running ime for each W (6 30) in brue force and geneic algorihms. We have no ye been able o complee he simulaion for every W. The laer iems in he experimen will consume addiional ime because he equaion is a recursive funcion.

15 Fig. 5. Comparison of he running ime in W beween geneic algorihm and brue force 5. CONCLUSIONS Since is inroducion in 993, he secure hash funcion family has become an imporan sandard in crypography. This paper proposes a novel view of complexiy (and hence securiy finess) by couning he number of erms involved in each equaion, insead of analyzing he probabiliy of finding collisions wihin hash funcions. This sudy idenified he near opimal versions, opsha- and opsha-256-xor, using brue force and geneic approaches of SHA- and SHA-256-XOR, respecively, and he laer was found o be more compuaionally efficien. This analysis would be ineresing for designers ineresing in he securiy of modular addiion free hash funcions, which are good for hardware implemenaion wih lower gae couns. Furhermore, he obained message schedule parameer ses will be a good reference for furher improvemen of SHA funcions. Finally, we again review he equaions of SHA-256-XOR (Table 8). In our fuure sudies, we aim o combine hese new variables {E, F, G, H} wih {A, B, C, D} o enhance he algorihm using geneic algorihms. Furhermore, his approach can be applied o oher SHA-2-XOR family members o deermine he relaionship beween he erms involved and he complexiy (or securiy finess). Table 8. Generalized SHA-256-XOR wih more variables Algorihm Equaion Generalized SHA-256-XOR wih more varia- i,0 5 0 A B C D,6 63

16 bles E F 3 0 x ROTL x ROTL x SHR x G H 0 x ROTL x ROTL x SHR x REFERENCES. S. Bakhiari, R. Safavi-Naini, and J. Pieprzyk, Crypographic Hash Funcions: A Survey, Technical Repor 95-09, Universiy of Wollongong, July Secure hash sandard, FIPS PUB 80, Secure hash sandard, FIPS PUB 80-, Secure hash sandard, FIPS PUB 80-2, Secure hash sandard, FIPS PUB 80-2, Daa encrypion sandard (DES), FIPS PUB 46-3, P. Pal, P. Sarkar, PARSHA-256 A New Parallelizable Hash Funcion and a ulihreaded Implemenaion, in Proceedings of Fas Sofware Encrypion 2003 (FSE 2003), LNCS 2887, 2003, pp H. Handschuh and D. Naccache, SHACAL, NESSIE, J. Lu, J. Kim, N. Keller, and O. Dunkelman, Relaed-Key Recangle Aack on 42-Round SHACAL-2, in Proceedings of 9h Informaion Securiy Conference (ISC 2006), LNCS 476, 2006, pp H. Yoshida, A. Biryukov, Analysis of a SHA-256 Varian, in Proceedings of 2h Annual Workshop on Seleced Areas in Crypography (SAC 2005), LNCS 3897, 2005, pp D. R. Sinson, Crypography Theory and Pracice, 3 rd ed., CRC Press, B. Schneier, Applied Crypography, 4 h ed., John Wiley & Sons, Inc., V. Rijmen, E. Oswald, Updae on SHA-, in Proceedings of RSA 2005, LNCS 3376, 2005, pp X. Wang, H. Yu and Y. L. Yin, Finding Collision in he Full SHA-, in Proceedings of Crypo 05, LNCS 362, 2005, pp H. Gilber, H. Handschuh, Securiy Analysis of SHA-256 and Sisers, in Proceedings of 6h Informaion Securiy Conference (SAC 2003), LNCS 3006, 2003, pp F. endel, N. Pramsaller, C. Rechberger, V. Rijmen, Analysis of Sep-Reduced SHA-256, in Proceedings of 3h annual Fas Sofware Encrypion workshop (FSE 2006), LNCS 4047, 2006, pp I. Nikolić, A. Biryukov, Collisions for Sep-Reduced SHA-256, in Proceedings of 5 h annual Fas Sofware Encrypion workshop (FSE 2008), LNCS 5086, pp S. K. Sanadhya, P. Sarkar, "New Collision Aacks agains Up o 24-Sep SHA-2," in Proceedings of INDOCRYPT 2008, LNCS 5365, 2008, pp F. Chabaud, A. Joux, Differenial Collisions in SHA-0, in Proceedings of Crypo 98, 998, pp X. Wang, H. Yu and Y. L. Yin, Efficien Collision Search Aacks on SHA-0, in Proceedings of Crypo 05, LNCS 362, 2005, pp Y. S. Yeh, T. Y. Huang, I T. Chen, and S. C. Chou, Analyze SHA- in message

17 schedule, Journal of Discree ahemaical Sciences & Crypography, vol. 0, no., pp. -7, S. Adcock, Geneic Algorihm Uiliy Library, Available: hp://gaul.sourceforge.ne 23. J. H. Holland, Adapaion in Naural and Arificial Sysem, The Universiy of ichigan Press, S. Indeseege, F. endel, B. Preneel, and C. Rechberger, Collisions and Oher Non-random Properies for Sep-Reduced SHA-256, in Proceedings of Seleced Areas in Crypography (SAC 2008), LNCS 538, Springer-Verlag, pp , K. Aoki, J. Guo, K. ausiewicz, Y. Sasaki, and L. Wang, Preimages for Sep-Reduced SHA-2, In Proceedings of ASIACRYPT 2009, pp , E. A. Grechnikov, Collisions for 72-sep and 73-sep SHA-: Improvemens in he ehod of Characerisics, Crypology eprin Archive, Repor 200/43, Florian endel, Tomislav Nad, and arin Schläffer, "Finding SHA-2 Characerisics: Searching hrough a inefield of Conradicions," In proceedings of ASIACRYPT 20, LNCS 7073, pp , Alex Biryukov, ario Lamberger, Florian endel, and Ivica Nikolić, "Second-Order Differenial Collisions for Reduced SHA-256," In proceedings of ASIACRYPT 20, LNCS 7073, pp , Krysian ausiewicz, Josef Pieprzyk, Norber Pramsaller, Chrisian Rechberger, Vincen Rijmen, Analysis of simplified varians of SHA-256, In proceedings of Wesern European Workshop on Research in Crypology (WEWoRC 2005), LNI, P-74, pp , APPENDIX A. SHA-256-OPT TABLE The following able shows all resuls ha are generaed using geneic algorihms. We calculae opimal parameers {, A, B, C, D} for fify generaions using GAUL. The ax field is he number of erms involved in W by using {A, B, C, D} as SHA-256 s parameers in equaion. W W W W W,6 63 (A.) Table 9. All 50 generaions of he simulaion. Generaion A B C D Finess

18

19