Peer-Review Record

Strict Avalanche Criterion of SHA-256 and Sub-Function-Removed Variants

Cryptography 2024, 8(3), 40; https://doi.org/10.3390/cryptography8030040
by Riley Vaughn 1,* and Mike Borowczak 2
Reviewer 1:
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Submission received: 28 July 2024 / Revised: 23 August 2024 / Accepted: 5 September 2024 / Published: 8 September 2024

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The authors evaluated the statistical property of the SHA-256 compression function and its variants concerning the strict avalanche criterion by computer experiments. The variants are the SHA-256 compression function (1) with the message schedule replaced with simple iteration of the message, (2) with one of the subfunctions (Choose, Majority, Sigma0, and Sigma1) removed, (3) without round constants, and (4) with addition modulo 2^32 replaced with bitwise XOR.

There has been little work only on the statistical properties of cryptographic primitives because cryptography researchers widely and firmly believe that the statistical properties of a well-designed cryptographic primitive, such as hash functions and block ciphers, have little impact on its security. The results included in the submission only support the belief.

The reviewer does not support acceptance for publication as a journal paper.

Author Response

Comment: There has been little work only on the statistical properties of cryptographic primitives because cryptography researchers widely and firmly believe that the statistical properties of a well-designed cryptographic primitive, such as hash functions and block ciphers, have little impact on its security. The results included in the submission only support the belief.

Response: Based on this critique, we realized a need to better communicate how this work is motivated in the literature. We have since added a related works section, which should better communicate this point. While there are certainly good reasons to believe that a well-designed hash function has strong defenses against statistical attacks, we do not believe this attack vector should be ignored. We show in this paper that specific sub-functions provide strong diffusive effects. Targeting attacks to partially negate the effects of these sub-functions could certainly have an impact on the overall diffusion of the hash function, and therefore overall collision resistance.

Reviewer 2 Report

Comments and Suggestions for Authors

This manuscript investigates the Strict Avalanche Criterion (SAC) of SHA-256 by analyzing how its individual sub-functions contribute to overall diffusion, a key property affecting the hash function's collision resistance. The authors first evaluate the diffusion of the entire SHA-256 compression function, confirming it meets the SAC by the 23rd round. They then explore how diffusion is affected by systematically removing sub-functions such as the message scheduler, CHOOSE, MAJORITY, Σ0, Σ1, K constants, and integer addition. The study reveals that while removing the message scheduler does not significantly impact diffusion, removing the CHOOSE function, integer addition, or Σ1 results in a slower convergence to the SAC, suggesting these components are crucial for achieving optimal diffusion. The findings highlight that these sub-functions are critical in maintaining SHA-256's resistance to collision attacks. The paper's methodology includes modifying the SHA-256 algorithm to isolate the effects of these sub-functions, using dependency matrices to measure SAC compliance across 64 compression rounds. The results suggest avenues for targeted cryptanalysis that focus on the identified weaker components. However, major revisions are needed before it can be finally accepted.

 

1.    The authors measured the SAC but did not discuss in detail the precision standard for "close to 50%." When Webster and Tavares introduced SAC, they did not specify a precise range for "close to 50%." This paper considers any result within 50% ± 0.5 as meeting the SAC standard. However, this criterion might be too broad, especially given the demands of modern cryptanalysis. It is recommended that the authors conduct a more in-depth analysis and explore whether a stricter or more appropriate precision standard should be applied. Additionally, the practical impact of this standard on the success rate of attacks should be discussed.

2.    Although the paper experimentally tests the effects of various sub-functions, the theoretical analysis of the specific roles of these functions within SHA-256 is somewhat lacking. In particular, for functions like CHOOSE and Σ1, which contribute significantly to SAC, further explanation is needed to clarify why these functions influence SHA-256's diffusion properties more than others.

3.    This manuscript primarily focuses on theoretical analysis and experimental results but lacks a comparison of performance in practical application scenarios. For example, how do the computational costs and time complexity of cryptanalysis compare in real-world attacks? How do SHA-256 variants, with certain sub-functions removed, impact the overall security and performance of the system? It is suggested that the authors add a section specifically discussing the practical performance and potential risks of these variants in different application contexts, supported by concrete data or case studies.

Author Response

Comment 1: The authors measured the SAC but did not discuss in detail the precision standard for "close to 50%." When Webster and Tavares introduced SAC, they did not specify a precise range for "close to 50%." This paper considers any result within 50% ± 0.5 as meeting the SAC standard. However, this criterion might be too broad, especially given the demands of modern cryptanalysis. It is recommended that the authors conduct a more in-depth analysis and explore whether a stricter or more appropriate precision standard should be applied. Additionally, the practical impact of this standard on the success rate of attacks should be discussed.

Response 1: This is an excellent point. We originally, arbitrarily chose 50% ± 0.5, as it “seemed close to 50%”. In hindsight, this is a poor justification. We reformat all statements dealing with “reaching the target of ∼50%”. After careful consideration, we chose to use a binomial test with confidence level 99% to determine “close to 50%”: if the confidence interval contains 50%, the function exhibits the SAC; else we are not confident that the function exhibits the SAC. This modification had large ramifications on the results of the paper. Instead of claiming that SHA-256 exhibits the SAC, we now claim it fails the SAC but exhibits the Avalanche Effect. Similarly, instead of claiming that any sub-function variants pass the SAC, we compare the SAC data results to the data of the unmodified compression function. Specifically, we compare the rounds at which the minimum and maximum SAC data of the functions plateau. We then discuss how by reaching a similar plateau level at different rounds, certain variants are less diffusive than others.

 

Comment 2: Although the paper experimentally tests the effects of various sub-functions, the theoretical analysis of the specific roles of these functions within SHA-256 is somewhat lacking. In particular, for functions like CHOOSE and Σ1, which contribute significantly to SAC, further explanation is needed to clarify why these functions influence SHA-256's diffusion properties more than others.

Response 2: While this is absolutely an important and interesting question, we believe it to be out of scope of this paper. An analysis of the causative elements of diffusion in the CHOOSE, Σ1, and Integer Addition sub functions will be an important future undertaking. We append a Future Works section to the Discussion section of our paper to expand on this point.

 

Comment 3: This manuscript primarily focuses on theoretical analysis and experimental results but lacks a comparison of performance in practical application scenarios. For example, how do the computational costs and time complexity of cryptanalysis compare in real-world attacks? How do SHA-256 variants, with certain sub-functions removed, impact the overall security and performance of the system? It is suggested that the authors add a section specifically discussing the practical performance and potential risks of these variants in different application contexts, supported by concrete data or case studies.

Response 3: This comment helped identify the need for additional clarity in explaining our motivations as to the purpose of the sub-function removed variants. The variants are meant as stepping stones in understanding the weaknesses of the sub-functions, specifically how these weaknesses affect diffusion and collision resistance. The variants are not meant for practical security purposes, and thus we view measuring the impact on overall security and performance unnecessary. In order to better communicate the purpose of these variants, in an added Related Works subsection, we reference other works which include variant functions and discuss their uses in cryptanalysis. We also modify the Our Contribution subsection, connecting this idea.
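
The acceptance rule discussed in Comment 1 and Response 1 (a 99% confidence interval that must contain 50%) can be sketched as follows. This is an added example, not code from the authors or the paper. It assumes a Wilson score interval as the binomial interval (the record does not say which interval the authors used), and it measures one row of the dependency matrix on the full SHA-256 hash from `hashlib` rather than on the round-by-round compression function studied in the paper. All function names are hypothetical.

```python
import hashlib
import math
import random

Z_99 = 2.5758293035489  # two-sided 99% quantile of the standard normal

def wilson_interval(k, n, z=Z_99):
    """Wilson score interval for a binomial proportion k/n (assumed choice)."""
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half

def passes_sac(k, n):
    """True if the 99% interval for the flip rate k/n contains 50%."""
    lo, hi = wilson_interval(k, n)
    return lo <= 0.5 <= hi

def sha256_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def identity_int(msg):
    """Non-diffusing control: output equals input."""
    return int.from_bytes(msg, "big")

def flip_counts(func, in_bit, n_samples, msg_len=32, out_bits=256, seed=1):
    """One dependency-matrix row: for each output bit, how often it flips
    when input bit in_bit (0 = most significant) is flipped."""
    rng = random.Random(seed)  # constructed random inputs, fixed seed
    counts = [0] * out_bits
    for _ in range(n_samples):
        msg = bytearray(rng.getrandbits(8) for _ in range(msg_len))
        base = func(bytes(msg))
        msg[in_bit // 8] ^= 0x80 >> (in_bit % 8)
        diff = base ^ func(bytes(msg))
        for j in range(out_bits):
            counts[j] += (diff >> (out_bits - 1 - j)) & 1
    return counts

if __name__ == "__main__":
    n = 400
    row = flip_counts(sha256_int, in_bit=0, n_samples=n)
    failing = [j for j, k in enumerate(row) if not passes_sac(k, n)]
    print("SHA-256 flip rate min/max:", min(row) / n, max(row) / n)
    print("output bits outside the 99% interval:", failing)
```
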

Reviewer 3 Report

Comments and Suggestions for Authors

The authors raise a very interesting topic related to security, which results directly from cryptographic issues. The authors clearly show in the introduction the reasons why they took up the subject. The chapter in which the authors indicate precisely and specifically what their contribution to the field presented in this article is worth noting.

Then follows the description of the method supported by appropriate drawings that help in the perception of the idea.

Although the idea itself is interesting, the article presented by the authors gives the impression of being incomplete.

The topic that the authors took up is quite well embedded in the literature. Therefore, the authors should definitely add a chapter on Related Works, where they will show the research of other teams, refer to them and show how their solution should go further or is better.

It should also be noted here that the literature included by the authors gives the impression of a superficial study of the state of the art and needs to be supplemented. The discussion seems rather trivial and laconic. The conclusions are also quite obvious.

Author Response

Comment: The topic that the authors took up is quite well embedded in the literature. Therefore, the authors should definitely add a chapter on Related Works, where they will show the research of other teams, refer to them and show how their solution should go further or is better.

It should also be noted here that the literature included by the authors gives the impression of a superficial study of the state of the art and needs to be supplemented. The discussion seems rather trivial and laconic. The conclusions are also quite obvious.



Response: We find this critique very important. The properties of collision resistance and diffusion of SHA256 had been the subject of much study, yet we spent little time in the paper discussing related works. For this reason, we add a Related Works subsection in the beginning of the article. We also reformat our Discussion and Conclusion sections.

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

The authors revised and augmented the submission. However, they still only discuss the statistical properties of the SHA-256 compression function in terms of the strict avalanche criterion. The reviewer is afraid that the contribution of the submission will not attract interest among researchers in cryptography. The reviewer does not support acceptance.

Reviewer 2 Report

Comments and Suggestions for Authors

The authors have satisfactorily modified their manuscript according to my previous criticisms. Therefore, I recommend the publication of this manuscript.

Reviewer 3 Report

Comments and Suggestions for Authors

Thank you, the authors answered my questions.
