14

I was looking a Wikipedia article on SHA-2, and the "Comparison of SHA functions" table seems to indicate that SHA-2 is less secure than SHA-1.

enter image description here

Is this true, or is the table wrong / misleading?

What does $2^{28.5}$ mean for SHA-256 compared to $2^{60}$ for SHA-1 (table in SHA-1 article says $2^{53}$)? How does it relate to MD5 article, which says:

The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor (complexity of $2^{24.1}$)

Assuming that no collisions have been found for the SHA-2 family, does that still mean it takes less work to find a collision than SHA-1? Or do these numbers ($2^{28.5}$, $2^{60}$, $2^{53}$, $2^{24.1}$) mean different things?

If the table is wrong, how should it be corrected?

Paŭlo Ebermann
  • 22,656
  • 7
  • 79
  • 117
Luke
  • 339
  • 1
  • 9
  • 2
    The :24 is probably referring to a version reduced to 24 rounds. – CodesInChaos May 20 '13 at 23:01
  • 5
    I corrected the table to say "None (For a 24-round variant: $2^{28.5}$)". Thanks for finding this. – Paŭlo Ebermann May 21 '13 at 04:23
  • @PaŭloEbermann: Nit-pick, but if reduced round attacks are relevant, if found at least one against 2 round Keccak: http://naya.plasencia.free.fr/Maria/papers/Keccak_differential.pdf – Henrick Hellström May 21 '13 at 08:39
  • 1
    @HenrickHellström So you are saying we should simply write "None" here, or that we should add the attacks for Keccak too? I wanted to do a minimal change which still is correct. – Paŭlo Ebermann May 21 '13 at 09:12
  • @PaŭloEbermann: I think reduced round attacks might be mentioned in this context, if the number of rounds attacks start to move up beyond some comfort limit. Otherwise mentioning them might just obscure the fact that there are logically reduced round attacks against any algorithm with multiple rounds (because after all that's why multiple rounds were made part of the design to begin with). – Henrick Hellström May 21 '13 at 09:25
  • 1
    @Paŭlo Ebermann: What about a separate column for the best reduced-round attacks? – fgrieu May 21 '13 at 11:13
  • It looks like someone did remove the mention of the reduced-round attack altogether. For introducing another column, either simply do it or discuss it on the Wikipedia article's talk page – comments to this question are not the right location to discuss it. (Sorry, I kind of started it.) – Paŭlo Ebermann May 21 '13 at 12:56

1 Answers1

19

No. The wikipedia article is in my honest opinion misrepresenting this article on a reduced round attack on the SHA-2 family of hashes.

Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

In other words, no collisions have been found in any of the SHA-2 hashes.

The numbers that the are shown in the table mean different things for SHA-1 and SHA-2. In the case of SHA-1, the theoretical attack finds a collision in the actual SHA-1 algorithm. In the case of SHA-2, the collision is found in a modified algorithm with only 24 of the normal 64/80 rounds. In practice, this means that the best collision attack against SHA-256 still has the theoretical upper bound of $2^{128}$ complexity, and the best collision attack against SHA-512 a $2^{256}$ complexity.

Henrick Hellström
  • 10,406
  • 1
  • 30
  • 58