49 min read

How SHA-2 and SHA-3 Would Break: Merkle-Damgard Collisions, Length Extension, and the Sponge's Algebraic Frontier

SHA-2 and SHA-3 have never broken, yet each construction already dictates how it would fall -- collisions, length extension, and the sponge algebraic frontier.

Permalink

1. Two Hashes, Two Deaths

Here is something you can say about a machine before it has ever failed: which way it will fall. A structural engineer knows a bridge sways before it buckles and buckles before it snaps, because the failure mode is written into the truss, not painted onto the surface. Cryptographic hash functions are the same. We can already describe, mechanically and in detail, how SHA-2 and SHA-3 would break -- even though nobody has ever broken either one, and the two descriptions have almost nothing in common.

The two functions NIST standardized as the Secure Hash Standard and the SHA-3 Standard [1, 2] sit underneath an enormous amount of modern security: certificate chains, signed software updates, commitment schemes, the proof-of-work in a blockchain. They advertise the same guarantee. For a 256-bit digest, finding any two inputs that hash to the same value should cost about 21282^{128} attempts. That number is easy to say and hard to feel. 21283.4×10382^{128} \approx 3.4 \times 10^{38}, a 39-digit count -- far more than every grain of sand on Earth, yet far fewer than the atoms that make up the Earth. It is an enormous human-scale number that is still dwarfed by atomic-scale ones.

Collision resistance

A hash function is collision resistant if it is computationally infeasible to find two distinct inputs m1m2m_1 \neq m_2 with H(m1)=H(m2)H(m_1) = H(m_2). It is the strongest of the standard hash guarantees, and the one that differential cryptanalysis attacks head-on.

That 21282^{128} figure is not a design target so much as a ceiling imposed by arithmetic. Feed roughly 2n/22^{n/2} random messages into any nn-bit hash and, by the birthday paradox, two of them almost certainly collide. So 21282^{128} is simply the generic cost of a birthday search against a 256-bit digest -- the number every genuine attack has to beat to count as a break [1].

Birthday bound

For an ideal nn-bit hash, a collision can always be found in about 2n/22^{n/2} evaluations by the birthday paradox, and a preimage in about 2n2^{n}. These generic costs -- 21282^{128} and 22562^{256} for a 256-bit digest -- are the definitional security targets any structural attack must beat.

Now the strange part. SHA-256 and SHA3-256 keep that identical promise using almost none of the same parts. SHA-2 iterates a small compression function from a fixed starting value, folding the message in one block at a time -- the Merkle-Damgard design. SHA-3 does something else entirely: it stirs the message into a large public permutation and squeezes the digest back out -- the sponge. Two constructions, one guarantee.

And because the constructions differ, their deaths differ. A Merkle-Damgard hash does not die at its digest size; it dies when a carefully chosen difference in the input threads through the compression function and cancels at the output -- the method that felled MD5 and SHA-1. It also leaks: given a digest, you can often extend the message without knowing it. The sponge has neither trait. It hands an attacker a different target: the algebra of its one nonlinear step, chi, which has algebraic degree just two.

That is the whole argument in one sentence, and the rest of this article is its proof. One boundary before we begin.

To see why each death is pre-written, we have to go back to the 1989 bargain that made iterated hashing trustworthy in the first place -- and to the two debts it quietly signed on SHA-2's behalf.

2. The Merkle-Damgard Bargain of 1989

In 1989 two people, an ocean apart and unaware of each other, answered the same question the same way -- and in doing so pre-wrote how SHA-2 would one day die. Ralph Merkle and Ivan Damgard each presented the result at CRYPTO 1989 [3, 4].

The question was practical and deep at once: how do you hash a message of arbitrary length using only a fixed-size building block, and then prove the result is as hard to collide as that block? Their answer is the scaffolding under nearly every hash you have ever used.

Merkle-Damgard construction

A method for turning a fixed-input-length compression function ff into a hash on arbitrary-length messages. Pad the message and split it into blocks M1,M2,,MtM_1, M_2, \ldots, M_t; starting from a fixed initialization value H0=IVH_0 = IV, compute Hi=f(Hi1,Mi)H_i = f(H_{i-1}, M_i); output the final HtH_t as the digest. Merkle and Damgard each proved that if ff is collision resistant, so is the whole hash.

The shape of the compression function they had in mind, and the one every hash in the SHA line uses, is Davies-Meyer.

Davies-Meyer compression function

A way to build a compression function from a block cipher EE: treat the message block as the key and the chaining value as the plaintext, then feed the input back in, Hi=EMi(Hi1)Hi1H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1}. The final XOR -- the "feed-forward" -- is what makes the function hard to invert; without it, an attacker could run the cipher backward from a chaining value.

Ctrl + scroll to zoom
The Merkle-Damgard chain. Each compression call folds in one message block; the digest that comes out is literally the final chaining value, which is the seed of both structural debts.

The proof is the reason the world trusted this design for two decades, and it is worth seeing rather than taking on faith -- because both of SHA-2's structural debts fall directly out of it.

That reduction is a genuine gift -- it lets designers focus all their effort on one small function -- but it comes with two debts written into the same clause.

The first debt: all of the hash's collision resistance now concentrates in ff. An attacker cannot collide SHA-256 without colliding its 64-step compression function, so that function is the entire battlefield. Everything a would-be attacker does, and everything the last thirty-five years of cryptanalysis has done, targets exactly that object [5].

The second debt is subtler and, for a practitioner, more immediately dangerous. Look again at the chain: the digest that comes out is the final chaining value -- the complete internal state at the end of the computation. Nothing is hidden.

Length extension

Given only H(m)H(m) and the length of mm -- but not mm itself -- an attacker can compute H(mpady)H(m \,\|\, \text{pad} \,\|\, y) for a suffix yy of their choosing. Because the digest is the full internal state, the attacker simply resumes the iteration from it, appends the "glue" padding, and continues hashing. This works against any plain Merkle-Damgard hash, including SHA-256.

The strengthening step -- appending the message length before the final block -- is what makes the collision proof go through, closing the length-mismatch case above. The Davies-Meyer feed-forward and the length padding are two separate load-bearing details. The feed-forward stops an attacker running the block cipher backward from a chaining value; the length padding stops trivial collisions between messages of different lengths. Remove either and the reduction fails. But it does nothing to hide the state -- so it fixes the first debt's proof without touching the second debt at all.

Merkle-Damgard signs two debts at once: all collision resistance concentrates in one small function, and the digest is the whole internal state. The first is where the hash can be collided; the second is why it leaks.

A construction that concentrates all its collision resistance in one small function is only ever as safe as that function is hard to collide. For fifteen years, nobody could touch it. Then the mathematics of differences arrived, and MD5 fell in minutes.

3. How a Merkle-Damgard Hash Actually Dies

The break, when it came, did not come from brute force. It came from the arithmetic of differences -- and once you see it, you cannot un-see why SHA-2 is built the way it is.

The idea starts with a question no birthday search ever asks: what if we do not treat the hash as a black box, but push a specific, carefully chosen difference between two messages through its internals and watch where the difference travels? If we can arrange for the difference to appear, ripple through a few steps, and then cancel itself out exactly at the output, the two messages collide -- and we never paid the 2n/22^{n/2} birthday toll.

Florian Chabaud and Antoine Joux built the first working version of this against SHA-0 at CRYPTO 1998 [6]. Their tools were two ideas that still organize the whole subject.

Local collision

A low-weight input difference that creates a small perturbation over a handful of steps and then cancels itself, leaving the internal state unchanged afterward. Chaining local collisions along a message is how an attacker assembles a full collision out of small, controllable pieces.

Differential characteristic

A step-by-step trail specifying the exact difference between two computations at every point in the compression function, chosen so the trail begins with a message difference and ends in zero difference at the output. The probability that a random conforming message pair follows the trail governs the attack's cost.

By chaining local collisions along a differential characteristic so the total difference vanished at the output, Chabaud and Joux drove the estimated cost of a SHA-0 collision down to roughly 2612^{61} -- comfortably below the 2802^{80} birthday wall for a 160-bit digest [6]. It was an estimate, not a produced collision, but it was the first real crack in the black box.

Then Xiaoyun Wang turned the estimate into a scalpel. In 2004 and 2005, Wang, with Hongbo Yu and Yiqun Lisa Yin, announced results that stunned the field: full, practical collisions for MD5 -- Rivest's 1992 design [7] -- and a collision attack on the full SHA-1 [8], well below its birthday bound [9, 10]. The engine had two new parts. First, a hand-built nonlinear path through the hard early steps of the compression function, spliced onto a cheap linear trail for the rest. Second, and decisive:

Message modification

A technique that satisfies the early, high-probability conditions of a differential characteristic deterministically, by directly adjusting message words rather than hoping a random pair happens to comply. It moves the expensive part of the search from the beginning of the trail to its cheaper tail, collapsing the total cost.

Ctrl + scroll to zoom
Wang-style differential collision cryptanalysis as a pipeline. Message modification is the step that makes the early conditions nearly free, which is why the whole search collapses.

Why does modifying the message help so much? The answer is specific enough to work through, and it is exactly the mechanism the earlier hashes handed the attacker for free.

The consequence reset every intuition about hash security. Full MD5, whose 128-bit digest nominally promised 2642^{64} collision work, collapsed to seconds on a PC [9]. Full SHA-1, nominally 2802^{80}, fell to an estimated 2692^{69} -- a real break of the design, years before anyone spent the compute to exhibit an actual colliding pair [10].

A Merkle-Damgard hash does not die at its digest size. It dies when a differential characteristic plus message modification threads its compression function -- deterministically through the early steps, cheaply through the tail. Collision resistance was never really about the number of output bits; it was always about whether a path exists through ff.

Those hand-built attacks were later paid out in full, practical collisions -- SHAttered in 2017 and SHAmbles in 2020 -- but those belong to the deployment story, not this one. SHAttered (Stevens, Karpman, Bursztein, Albertini, and Markov) produced the first identical-prefix SHA-1 collision at about 263.12^{63.1} [11]; SHAmbles (Gaetan Leurent and Thomas Peyrin, correcting a common misattribution to Marc Stevens) produced the first chosen-prefix SHA-1 collision at about 263.42^{63.4} and forged a PGP key [12, 13]. Both are evidence that the differential method pays out end to end; the empirical sibling article tells their story.

This is the pivotal fact of the whole subject. So the real question becomes: can that same scalpel reach SHA-2? The answer forced cryptography down two roads at once.

4. Two Lineages Diverge

Start with the cleanest evidence in the whole story that patching a weak compression function only buys time. SHA-0, standardized in 1993, had a linear message expansion; it was withdrawn in 1995 and replaced by SHA-1, whose entire difference from SHA-0 was a single one-bit rotation added to that expansion. That one rotation held for about a decade. Then a Wang-style path walked straight through it [10]. A one-operation fix delayed the break; it did not prevent it.

This is the pattern to internalize: "just add a round" or "just add a rotation" hardens a Davies-Meyer compression function against yesterday's specific path, not against the method. Incremental patches to a lightly-mixed function buy years, not safety -- which is exactly why SHA-2 needed a qualitatively heavier schedule and SHA-3 needed a different construction altogether.

The full six-generation lineage reads as a slow-motion argument, each break motivating the next design.

Hash familyYearKey design ideaBest collision resultStatus
MD41990Merkle-Damgard + Davies-Meyer, 128-bit, 48 stepsfull collisions (Dobbertin 1996 [14]; Wang 2005)historical [9]
MD51992MD4 hardened: 64 steps, per-step constantspractical full collisions (Wang-Yu 2005)historical [7, 9]
SHA-01993160-bit, linear message expansion (no rotation)261\approx 2^{61} (Chabaud-Joux 1998)withdrawn 1995 [6]
SHA-11995SHA-0 plus one-bit rotation, 80 steps269\approx 2^{69} (Wang 2005); demonstrated 2017superseded [10, 8]
SHA-22001bigger state, nonlinear carry-laden schedule, 64/80 steps39/64 steps (reduced-round), full unbrokenactive [1, 15]
SHA-3 / Keccak2012/2015sponge over Keccak-f[1600], 24 rounds, hidden capacity6/24 rounds (reduced-round), full unbrokenactive [2, 16]
Ctrl + scroll to zoom
Thirty-five years of defense and offense running in parallel. Each cryptanalytic advance on the lower track motivated a design decision on the upper one.

By 2005 the field had a decision to make, and it split into two philosophies. The first response was to harden the same construction. SHA-2, standardized in 2001 and still the workhorse, kept Merkle-Damgard and Davies-Meyer but gave the compression function a much larger state, a heavier message schedule, and modular-addition mixing designed to starve differential paths [1]. That is the road we return to in the next section, because it worked.

The second response was more radical. Stung by the 2004-2005 breaks, NIST announced the SHA-3 competition on November 2, 2007, and ran it until October 2, 2012, explicitly seeking a hash that would fail differently from the Merkle-Damgard family -- so that a single new cryptanalytic idea could not bring down every standardized hash at once [17]. The winner was Keccak, a sponge built on a large public permutation, designed from the start so that its hidden capacity removes length extension by construction [16].

The subtle and load-bearing point is what NIST did not do. It did not retire SHA-2.

Two lineages, two answers to the same failure. But an answer is only as good as the attack it survives -- so why has SHA-2 held for more than two decades, and what exactly did the sponge change?

5. Why SHA-2 Held, and What the Sponge Changed

Two structural facts define the present. The first is that the same message-modification machinery that broke MD5 and SHA-1 stalls on SHA-2 -- and the reason is one design choice. The second is that the sponge removed the debts a differential attack needs, and put something entirely different in their place.

Why the scalpel stalls on SHA-2

Recall the mechanism from the last section: message modification is cheap only because, in the early steps, each message word is a free variable entering the state at exactly one place. Break that "one free word per early step" structure and the trick loses its edge. SHA-2 breaks it on purpose.

In MD5 and SHA-1 the message schedule is essentially a permutation (and, later, a linear expansion) of the input words -- clean and separable. SHA-2's schedule is neither. From step 16 onward, each expanded word is built by

Wt=σ1(Wt2)+Wt7+σ0(Wt15)+Wt16(mod232)W_t = \sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16} \pmod{2^{32}}

where σ0\sigma_0 and σ1\sigma_1 are XORs of rotations and a shift, and the additions are modular [1]. Those modular additions couple the words through carries: changing one bit of one word can ripple through carry chains into many others. The clean, separable structure that let an attacker solve each early condition by inverting a single word update is gone. Now solving one sufficient condition perturbs others, and the conditions can no longer be discharged by independent single-word inversion.

That carry-laden coupling is the structural reason the hand construction that felled MD5 and SHA-1 cannot be driven through SHA-2 by hand at all -- which is why the modern realization of the attack is an automated SAT/SMT solver managing the entangled condition system, and why even that tooling, in the record-holders' own words, "has reached the bottleneck" around 39 of 64 steps [15]. We return to that number in the next section. For now the point is qualitative: SHA-2 held because it made the compression function's internals too coupled for the differential scalpel to carve cleanly.

What the sponge deleted

Keccak does not try to win the differential arms race. It changes the board.

Sponge construction

A hash built from a single large public permutation ff over a state of b=r+cb = r + c bits. To absorb, split the padded message into rr-bit blocks and, for each, XOR it into the first rr bits of the state and apply ff. To squeeze, read out rr bits at a time, applying ff between reads, until enough digest bits are produced. Keccak uses f=f = Keccak-f[1600], a 1600-bit permutation of 24 rounds.

Rate and capacity

The sponge state of bb bits is split into a rate of rr bits and a capacity of cc bits, with b=r+cb = r + c. The message is XORed only into the rate, and the digest is read only from the rate. The capacity is never touched directly by input or output -- it is the hidden reservoir that carries security across the permutation calls.

Ctrl + scroll to zoom
The Keccak sponge. The message is XORed into the rate and the digest is read from the rate; the capacity is never absorbed from the input nor squeezed to the output. That single fact removes length extension.

Two debts vanish at once. Because the capacity is never emitted, the digest is not the full internal state -- so no attacker can resume the computation from it. Length extension is gone by construction, not by patch [19]. And because there is no keyed compression function -- just one fixed public permutation -- there is no keyed object to push a differential characteristic through to force a hash collision directly the way Wang did. The entire Merkle-Damgard attack surface is simply absent.

So what is left to attack? The permutation's algebra. And that turns on the single nonlinear step inside Keccak-f.

Ctrl + scroll to zoom
One round of Keccak-f. Four of the five steps are linear; only chi is nonlinear, and its algebraic degree is just 2. Everything about the sponge's algebraic exposure follows from that.
Algebraic degree (ANF)

Every Boolean function can be written uniquely as a sum (XOR) of monomials over GF(2) -- its algebraic normal form. Its algebraic degree is the size of the largest monomial. An affine map (only single-variable terms) has degree 1; an AND of two input bits has degree 2. Low degree is a weakness: it makes a function vulnerable to higher-order-differential and cube techniques.

Chi (the only nonlinear step)

Chi is the single nonlinear step of Keccak-f. Along each 5-bit row it computes yi=xi((¬xi+1)xi+2)y_i = x_i \oplus ((\lnot\, x_{i+1}) \land x_{i+2}). Each output bit contains exactly one AND of two state bits, so chi has algebraic degree exactly 2. The other four steps of a round -- theta, rho, pi, iota -- are all linear or affine.

Here is the load-bearing fact of the sponge's exposure, and it is worth deriving rather than asserting, because one word in it does real work.

One round is the composition R=ιχπρθR = \iota \circ \chi \circ \pi \circ \rho \circ \theta. Four of those five steps are affine, degree 1; only chi is nonlinear, degree 2. Composing a degree-2 map with affine maps leaves the degree at 2, so a single round has deg(R)=2\deg(R) = 2.

Now use the composition bound for Boolean functions, deg(fg)deg(f)deg(g)\deg(f \circ g) \le \deg(f) \cdot \deg(g), across rr rounds: deg(R2)22=4\deg(R^2) \le 2 \cdot 2 = 4, deg(R3)24=8\deg(R^3) \le 2 \cdot 4 = 8, and in general each extra round multiplies the bound by at most 2. The degree doubles per round:

1    2    4    8        2r,sodeg(Keccak-fr)2r.1 \;\to\; 2 \;\to\; 4 \;\to\; 8 \;\to\; \cdots \;\to\; 2^r, \qquad \text{so} \qquad \deg(\text{Keccak-}f^{\,r}) \le 2^r.

You can watch chi's degree-2 structure force a higher-order derivative to vanish directly. A degree-dd function summed (XORed) over any affine cube of dimension d+1d+1 gives zero, so summing degree-2 chi over any 3-dimensional cube must vanish.

JavaScript Chi is degree 2, so a 3-cube sum vanishes (illustrative structural demo)
// chi on a 5-bit row: y[i] = x[i] XOR ((NOT x[i+1]) AND x[i+2]), indices mod 5.
function chi(x) {
let y = 0;
for (let i = 0; i < 5; i++) {
  const xi  = (x >> i) & 1;
  const xi1 = (x >> ((i + 1) % 5)) & 1;
  const xi2 = (x >> ((i + 2) % 5)) & 1;
  const bit = xi ^ ((xi1 ^ 1) & xi2);   // one AND term => algebraic degree 2
  y |= (bit << i);
}
return y;
}

// A degree-d function has a vanishing (d+1)-th order derivative:
// summing it over ANY affine cube of dimension d+1 gives 0.
// chi has degree 2, so summing over ANY 3-dimensional cube must XOR to 0.
function sumOverCube(base, d1, d2, d3) {
let acc = 0;
for (let m = 0; m < 8; m++) {
  let x = base;
  if (m & 1) x ^= d1;
  if (m & 2) x ^= d2;
  if (m & 4) x ^= d3;
  acc ^= chi(x);
}
return acc;
}

console.log("chi(0b10110)          =", chi(0b10110));
console.log("3-cube sum (should 0) =", sumOverCube(0b00000, 0b00001, 0b00010, 0b00100));
console.log("3-cube sum (should 0) =", sumOverCube(0b10101, 0b00011, 0b01100, 0b10000));

Press Run to execute.

One honesty note keeps this from overclaiming. The bound deg2r\deg \le 2^r is the elementary degree-doubling law, and it is only informative at low round counts. Keccak-f acts on 1600 bits, where any permutation has degree at most 1599; 2r2^r already exceeds 1599 at r=11r = 11, so the elementary bound says nothing about the full 24 rounds. The full-round result in Section 8 -- a zero-sum partition of size 215902^{1590} -- rests instead on the tighter degree bound of Boura, Canteaut, and De Canniere, which stays below the state size even at 24 rounds [20]. The elementary law is what caps the cube attack at a handful of rounds; the refined bound is what lets the zero-sum reach all 24. Keep them separate and the whole SHA-3 frontier stays legible.

Now the two constructions can be laid side by side.

DimensionSHA-2 (SHA-256)SHA-3 (SHA3-256 / SHAKE256)
ConstructionMerkle-Damgard + Davies-MeyerKeccak sponge over Keccak-f[1600]
Full-function rounds/steps64 steps24 rounds
Leading structural avenuedifferential collision search (single)algebraic frontier + internal-differential (two)
Best structural collision reach39/64 SFS; \approx 31/64 from-IV6/24 (SHAKE256); 5/24 (SHA3-384)
Length extensionyes (structural; digest is the full state)no (capacity hidden)
Generic collision target21282^{128}21282^{128}

SHA-2 keeps the differential attack surface and the length-extension debt. The sponge trades both away for an algebraic surface whose degree grows only as 2r2^r. The two functions do not sit on one strength axis, a bigger lock on the same door -- they expose different attack surfaces, so they would die different deaths. Construction, not digest size, selects the failure mode.

So the two constructions hand an attacker two different problems: thread a carry-laden differential path through 64 steps, or break the low-degree algebra of 24 rounds. How far has anyone actually gotten on each?

6. The Best Published Attacks, With Margins

Here is the scoreboard. After thirty-five years of cryptanalysis, where exactly does the deepest published structural attack stop on each function, and how far is that from the full thing? This is the article's quantitative core, and it comes with a reading rule that matters more than any single number.

The yardstick never changes. A structural break must beat the generic birthday cost of 2n/22^{n/2} on the full function. On full SHA-256 and full SHA3-256, no published attack does; the best-known collision attack on either full function is still the generic one at 21282^{128} [15, 21]. Every record below is progress on the method, measured against a full function that remains untouched.

The SHA-2 record board

Against SHA-2, one avenue has all the reach: automated differential characteristic search -- the mechanized descendant of Wang's hand construction, driven by SAT and SMT solvers and steered by mixed-integer linear programming. Reading its records needs one distinction.

Semi-free-start collision

Attack models differ in how much freedom the attacker has over the chaining value. A from-IV collision uses the real fixed initialization value and is a true hash collision. A semi-free-start (SFS) collision lets the attacker choose the single chaining value both messages share. A free-start (FS) collision lets the attacker also choose a difference in the chaining value. SFS and FS are weaker attacker goals -- progress markers on the compression function, not full-hash collisions.

The current records, all practical (a real colliding pair verified on a PC, not merely a sub-birthday estimate), come from Mendel, Nad, and Schlaffer in 2013 and from Li, Liu, and Wang in 2024 [22, 15]:

FunctionModelBest reachPractical?Untouched marginSource
SHA-256from-IV31 / 64 stepsyes33 stepsMendel-Nad-Schlaffer 2013 [22]
SHA-256semi-free-start39 / 64 stepsyes25 stepsLi-Liu-Wang 2024 [15]
SHA-224free-start40 / 64 stepsyes (prior best 21102^{110})24 stepsLi-Liu-Wang 2024 [15]
SHA-512semi-free-start28 practical / 31 theoretic of 80yes49+ stepsLi-Liu-Wang 2024 [15]
SHA3-384collision5 / 24 roundsyes19 roundsZhang-Hou-Liu 2024 [23]
SHAKE256collision6 / 24 roundsyes18 roundsZhang-Hou-Liu 2024 [23]
Keccak (keyed)key recovery9 / 24 rounds6-round practicallargeDinur et al. 2015 [21]
Keccak-fzero-sum distinguisher24 / 24 roundsstructural setnone, but no breakBoura-Canteaut-De Canniere 2011 [20]

The 2024 paper set three firsts at once: the first practical semi-free-start collision for 39-step SHA-256 (improving the decade-old 38-step SFS record), the first practical free-start collision for 40-step SHA-224 where the prior best was a theoretic attack at time complexity 21102^{110}, and practical and theoretic collisions for reduced SHA-512 [15]. Impressive -- and then the same authors say where the road ends.

"The current advanced tool to search for SHA-2 characteristics has reached the bottleneck." -- Li, Liu, and Wang, on why the attack cannot climb past about 39 of 64 steps [15]

The modular-addition diffusion from Section 5 is exactly what makes longer characteristics effectively unfindable with today's encodings. The three record numbers for the same function are not a contradiction -- they are three different attacker games. From-IV is a true collision on the real hash. Semi-free-start hands the attacker the shared chaining value. Free-start additionally hands them a chosen difference in it. Each added freedom buys a few more steps of reach, which is why SHA-256 shows 31 (from-IV), 39 (SFS), and its sibling SHA-224 shows 40 (FS). The from-IV number is the one that measures the real hash.

The SHA-3 record board

The sponge side has three attacks rather than one, and the next section is devoted to why they disagree about what "progress" means.

For the scoreboard, the reduced-round facts are these. Cube and cube-like algebraic attacks reach up to 9 of the 24 rounds in keyed Keccak modes, with the 6-round attacks fully practical on a desktop [21]. Internal-differential collision cryptanalysis holds the actual collision records: 5 of 24 rounds for SHA3-384 and 6 of 24 for SHAKE256 [23]. And a zero-sum distinguisher reaches all 24 rounds of the permutation while producing no collision at all [20] -- the row we unpack next.

The team that set the deepest keyed reach stated the bottom line directly.

"The security margin of Keccak remains large." -- Dinur, Morawiecki, Pieprzyk, Srebrny, and Straus, whose cube-attack-like cryptanalysis reached the deepest keyed rounds [21]

Now state the margins plainly, because they are the number a practitioner actually needs. For SHA-256, the deepest collision result leaves roughly 25 of 64 steps untouched in the semi-free-start model and about 33 untouched from the real IV. For a Keccak collision, roughly 18 of 24 rounds remain untouched. Those are not narrow escapes; they are the bulk of each function.

JavaScript Cube-attack toy: a cube sum linearizes the key, plus a margin reader (illustrative)
// A toy keyed function of public bits p0,p1 and secret key bits k0,k1.
// Algebraic degree 2 -- the product (p0 AND p1) is the only quadratic term.
function f(p0, p1, k0, k1) {
return ((p0 & p1) ^ (p1 & k0) ^ (p0 & k1) ^ k0) & 1;
}

// Cube over the single public variable p0: XOR f over p0 in {0,1}.
// The resulting "superpoly" is LINEAR in the key -- it equals p1 XOR k1.
function cubeSumOverP0(p1, k0, k1) {
return f(0, p1, k0, k1) ^ f(1, p1, k0, k1);
}

// The attacker cannot see the key. Say the hidden key is:
const K0 = 1, K1 = 0;

// Query with p1 = 0 and sum the cube: the quadratic term dies and k1 falls out.
const recovered = cubeSumOverP0(0, K0, K1);
console.log("cube superpoly at p1=0 recovers k1 =", recovered, "(true k1 =", K1, ")");

// The same reading discipline for any reduced-round headline:
function margin(reached, total, unit) {
return "reached " + reached + "/" + total + " " + unit +
       "  ->  " + (total - reached) + " " + unit + " still untouched";
}
console.log(margin(39, 64, "SHA-256 steps"));
console.log(margin(6, 24, "SHAKE256 rounds"));

Press Run to execute.

One number on the SHA-3 side hides an argument, though. The deepest result of all -- the zero-sum -- reaches every one of Keccak's 24 rounds, and still breaks nothing. To see why, look at the three rival attacks on the sponge side by side.

7. The SHA-3 Fork the Thesis Holds Open

SHA-2's story has one protagonist: differential collision search, with no rival of comparable reach. SHA-3's story has three, and they disagree about what the word "reach" even means. Pretending that one of them is the SHA-3 break would misrepresent the field, so this section keeps the fork open.

Method A: cube and cube-like attacks

The cube attack, introduced by Itai Dinur and Adi Shamir in 2009, is the avenue the title of this article names the algebraic frontier, because it exploits the low degree that chi keeps small at low round counts [24].

Cube attack

An algebraic attack that treats each output bit as an unknown low-degree polynomial over GF(2) in the public and secret input bits. Summing the output over a cube -- all 2k2^{k} assignments of kk chosen public variables -- cancels every term that does not contain all kk cube variables, leaving a lower-degree "superpoly." Choose the cube so the superpoly is linear in the secret bits, collect enough such equations, and solve for the key.

The method is provably successful on random low-degree polynomials whenever the number of public variables exceeds d+logdnd + \log_d n, and it runs in about 2d1n+n22^{d-1} n + n^2 bit operations for degree dd over nn secret variables [24].

Against Keccak, Dinur, Morawiecki, Pieprzyk, Srebrny, and Straus reached up to 9 of the 24 rounds faster than exhaustive search, with the 6-round attacks fully practical [21]. But note precisely what it threatens: key recovery or forgery in keyed Keccak modes -- not a plain hash collision. The cube round counts come from keyed Keccak variants such as message authentication codes and the Keyak authenticated-encryption scheme, whose nominal round count is 12. In those modes a secret key exists to recover. Standard SHA3-256 hashing has no key, so the cube attack does not by itself produce a hash collision -- it is the deepest algebraic reach, in a different attack model. And because the degree doubles each round, the cube needed grows astronomically past a handful of rounds, which is exactly why it stalls at 9.

Method B: zero-sum distinguishers

Take the same low-degree property but drop the key, and you get a statement about the raw permutation. Christina Boura, Anne Canteaut, and Christophe De Canniere used a refined bound on the degree of iterated permutations to build zero-sum partitions of size 215902^{1590} for the full 24-round Keccak-f [20].

This is the deepest structural reach anyone has into Keccak -- it touches every round -- and it is also the least usable result in the subject. It distinguishes the permutation from an ideal one; it yields no collision, no preimage, nothing against the hash. Hold that paradox; the next section is built on it.

Method C: internal-differential collisions

The record-holders work differently again -- and they are the avenue that produces the property that actually matters for a hash.

Internal-differential cryptanalysis

Instead of a difference between two separate messages, an internal-differential attack exploits a difference within a single state -- for example, between translated copies of the state under Keccak's internal symmetry. Inputs that respect the symmetry are squeezed into a small subset of possible outputs, so a birthday search confined to that small subset finds collisions far below the usual 2n/22^{n/2} cost.

The line runs from Thomas Peyrin's generalized internal differentials in 2010, through Dinur, Dunkelman, and Shamir -- who produced actual collisions for 3-round Keccak, a 4-round Keccak-384 attack 2452^{45} times faster than birthday, and collisions on 5 rounds of Keccak-256 [25] -- to Zhongyi Zhang, Chengan Hou, and Meicheng Liu, whose "probabilistic linearization" extended the records to 5 rounds of SHA3-384 and 6 of SHAKE256 [23]. This is the only avenue that delivers real collisions on the standardized instances.

Now put the three side by side. The decisive column is not "how many rounds" but "what property."

DimensionCube / cube-likeZero-sum higher-order diff.Internal-differential collisions
Property threatenedkeyed-mode key recovery / forgerypermutation distinguisher (not a break)actual hash collisions
Best round reach9 / 24 (keyed)24 / 24 (full permutation)6 / 24 (SHAKE256), 5 / 24 (SHA3-384)
Practical demoyes, 6-roundstructural (215902^{1590} sets)yes, actual collisions to 3-5 rounds
Modelkeyed (MAC / AE)keyless permutationkeyless hash / XOF
What limits itdegree doubles per round (deg2r\deg \le 2^r)capacity hides the permutation outputcharacteristic decays with rounds
Structural motivationdirect: low-degree chidirect: the degree boundindirect: Keccak internal symmetry
Source[24, 21][20][25, 23]

Third-party cryptanalysis of all three families is tracked publicly by the designers [26]. That middle row -- 24 rounds reached, nothing broken -- is not an accident of today's tooling. It is a provable wall, and understanding why forces us to the theoretical limits.

8. The Ideal, the Bounds, and the Distinguisher Trap

Begin with the middle row from the last table, because it is the strangest fact in the subject. A zero-sum partition of size 215902^{1590} reaches all 24 rounds of Keccak-f -- the deepest structural property anyone has ever proved about it -- and it yields no collision, no preimage, nothing usable against the hash [20]. How can the deepest result reach the whole function and still break nothing?

First, the wall that neither function's attackers have crossed. On the full SHA-256 and full SHA3-256, no published structural attack beats 21282^{128} for a collision or 22562^{256} for a preimage. Best-known equals generic on both, so the "beat the birthday bound" gap is not merely large -- it is open and uncrossed. Nobody has closed any of it on either full function [1, 2]. Everything in Section 6 is reduced-round evidence about how far away the break is.

Now the answer to the zero-sum paradox, which is a proof, not a hope.

Zero-sum distinguisher

A structured set of inputs whose images under the permutation XOR to zero and whose preimages also XOR to zero. Because Keccak-f has bounded algebraic degree forward and a low-degree inverse backward, one can build such a set straight through the permutation. It distinguishes Keccak-f from an ideal random permutation, and does nothing else.

Indifferentiability

A construction built on an ideal primitive is indifferentiable from a random oracle if no efficient distinguisher can tell them apart, even when the distinguisher is allowed to query the underlying primitive directly. It is the strong security notion for hash constructions: it certifies that the construction adds no exploitable structure of its own on top of the primitive.

Bertoni, Daemen, Peeters, and Van Assche proved in 2008 that a sponge calling a random permutation is indifferentiable from a random oracle: the success probability of any generic attack is at most its success probability against a true random oracle plus N2/2c1N^2/2^{c-1}, where NN is the number of queries to the permutation and cc is the capacity [27, 19].

The strength of the claim is the clause "even when the distinguisher can query the permutation directly" -- a simulator can answer those permutation queries consistently with random-oracle outputs up to about 2c/22^{c/2} work. Below 2c/22^{c/2} in the hidden capacity, nothing separates the sponge from an ideal object.

That is what disarms the zero-sum. A zero-sum partition is a structural distinguisher of the permutation f alone -- a global property of how f maps XOR structure. The indifferentiability theorem runs in exactly one direction: any attack on the sponge F implies a distinguisher on f, but not the converse. Having a distinguisher on f does not hand you an attack on F. In the designers' own words:

"The existence of a structural distinguisher for f does not necessarily imply an attack or weakness in F." -- Bertoni, Daemen, Peeters, and Van Assche, on why a permutation property need not be a hash break [19]

Concretely, a collision requires steering the rate bits of two different messages so that their squeezed outputs coincide across the hidden capacity. The zero-sum gives an attacker no such steering: it certifies a global XOR property of the permutation, not a way to aim two chosen inputs at one output through the capacity. So it lies outside the class of exploitable structure that indifferentiability rules out, and a distinguisher whose success probability is zero below 2c/22^{c/2}, in the designers' phrase, "forms no threat" [19].

A permutation distinguisher is not a hash break. "Reaches all 24 rounds" and "produces a collision" are provably different statements, separated by the capacity's 2c/22^{c/2} indifferentiability margin -- not merely by the current state of tooling. Depth of reach into the permutation is not nearness to a break of the hash. The capacity stands between them by design, and the standing between is a theorem.

Two more limits complete the picture, one on each construction. On the sponge side, the full-round zero-sum exists only because of the refined degree bound, not the elementary one. Recall from Section 5 that the elementary law deg2r\deg \le 2^r goes vacuous by round 11 against a 1600-bit state. The 24-round zero-sum instead rests on Boura, Canteaut, and De Canniere's tighter bound for permutations whose nonlinear layer is parallel small S-boxes, which stays below the state size all the way to round 24 [20]. The elementary law caps the cube attack; the refined law powers the distinguisher. On the Merkle-Damgard side, length extension is not a bug that a better implementation could remove -- it is a provable inevitability of the untruncated construction. Because the SHA-2 digest is the whole final chaining value, anyone with H(m)H(m) and m|m| can resume the iteration, full stop [5]. The only cures are to stop emitting the whole state (the sponge), hide enough of it (sufficient truncation), or wrap the hash (HMAC).

So the limits cut both ways. The sponge is closer to the ideal object -- indifferentiable up to the capacity, no length extension -- while SHA-2 is closer to the ideal margin in practice, with the bulk of its steps untouched by any differential path. Neither is anywhere near falling. One scope marker remains, because readers always ask about it.

The limits leave exactly one question standing: if neither function is close to falling, where would the next round of progress even come from?

9. Where the Next Round Would Come From

If either function is ever broken, the break will arrive through one of a small, nameable set of open problems. Naming them turns you from spectator into forecaster.

Ctrl + scroll to zoom
The offense tree. Each branch stalls at a known point; the one crossing that would matter most -- turning a full-permutation distinguisher into a collision -- is exactly the one the capacity provably guards.

OP-1: Can differential characteristic search push SHA-256 past about 40 steps? The full-function margin depends entirely on how far this single leading avenue can climb, and the 2024 record paper reports the tooling "has reached the bottleneck" -- modular-addition diffusion makes longer characteristics effectively unfindable with current encodings. Whether that is a fundamental barrier or an artifact of today's solvers is itself open [15].

OP-2: Can any SHA-3 avenue close the roughly 18-round gap to a full-Keccak collision? The best collision reach is 6 of 24 rounds, and the two leading avenues advance a round or two per decade, neither clearly out-reaching the other on its target property [23, 21].

OP-3: Is there any structural attack that beats the birthday bound on either full family? This is the break -- and today the answer is a clean no. Best-known equals generic on both full functions; everything else in this article is reduced-round evidence about how far away this remains [1, 2].

OP-4: Why is the permutation-distinguisher / hash-collision divide so hard to cross? The deepest reach into Keccak-f, the 24-round zero-sum, currently yields nothing usable against the hash. Section 8 argued the reason is structural: indifferentiability makes the capacity a genuine barrier, not merely a reduction nobody has found yet [20, 27].

None of this is the same as a proof of security. What cryptographers have proved are reductions -- collision resistance reduces to the compression function, sponge security reduces to the capacity -- plus the absence of any known attack that beats generic. "No known structural attack" is a strong empirical statement after thirty-five years of trying, but it is not "proven unbreakable." Honesty about that gap is part of taking the subject seriously.

None of these problems is close to solved -- which is exactly why the practical answer to "what should I ship?" is calm and specific.

10. What the Margins Mean on Monday Morning

So: should you change anything you shipped last week? Almost certainly not -- but there is exactly one structural gotcha worth ten minutes of your attention.

Start with the reassurance. Both full functions are sound for their advertised properties. Every record in Section 6 is reduced-round; 39 of 64 steps of SHA-256 and 6 of 24 rounds of SHAKE256 do not threaten the full functions, which remain safe for collision, preimage, and second-preimage resistance [15, 23]. Nothing in this article is a reason to rip out SHA-256.

The one gotcha is length extension, and it is a property of the construction, not a defect to be patched. If you ever compute a keyed digest as H(secretmessage)H(\text{secret} \,\|\, \text{message}) with a plain Merkle-Damgard hash and treat it as a MAC, an attacker who sees that digest can forge a valid one for a longer message without knowing the secret.

HMAC

A construction that turns any iterated hash into a keyed message authentication code by nesting two hash calls, roughly H((kopad)H((kipad)m))H((k \oplus opad) \,\|\, H((k \oplus ipad) \,\|\, m)). The outer keyed hash means an attacker never sees a raw H(secret)H(\text{secret} \,\|\, \cdots) digest to extend, which is why HMAC defeats length extension even over SHA-256.

The decision guide fits in one table.

Your needUseWhy it works
Keyed integrity / a MACHMAC over SHA-2the outer keyed hash hides the extensible state [28]
A drop-in SHA-2 that resists extensionSHA-512/256truncation hides 256 state bits, more than enough [1]
Length-extension immunity by constructionSHA-3 or SHAKEthe capacity is never emitted, so there is no state to resume [2]
What to avoidplain SHA-256(secret then message) as a MACthe digest is the full state, so it is forgeable

The mechanism is worth seeing once, because it explains why "just hash the secret with the message" fails.

Ctrl + scroll to zoom
Length extension as a resumable state. Because a plain Merkle-Damgard digest is the whole internal state, the attacker restarts from it and keeps hashing, never needing the secret.
JavaScript Length extension as resumable state (illustrative, not bit-exact SHA-256)
// A toy Merkle-Damgard hash where the state IS the digest.
// This shows the STRUCTURE of length extension, not real SHA-256 output.
function compress(state, ch) {
// stand-in mixing; a real f is Davies-Meyer over a block cipher
return (((state << 5) ^ (state >>> 2) ^ ch) >>> 0);
}
function hash(state, message) {
for (let i = 0; i < message.length; i++) {
  state = compress(state, message.charCodeAt(i));
}
return state >>> 0;
}

const IV = 0x9e3779b9;

// Defender hashes a secret-prefixed message and publishes only the digest.
const secretPrefixed = "SECRET-user=guest";
const digest = hash(IV, secretPrefixed);

// Attacker never learns the secret, but the digest IS the state,
// so they resume from it and append a chosen suffix.
const suffix = "&admin=true";
const forged = hash(digest, suffix);

// In a real hash the attacker also splices in the glue padding,
// producing H(m || pad || suffix). Here (no padding) it lands exactly:
const legitimate = hash(IV, secretPrefixed + suffix);

console.log("forged   =", forged);
console.log("expected =", legitimate);
console.log("match    =", forged === legitimate);

Press Run to execute.

A worked forgery for SHA-256 and SHA-512 is exactly what the hash_extender tool automates [29]. But truncation is where the naive intuition "any truncation stops extension" quietly fails, and SHA-224 is the trap.

Two smaller notes round out the practical picture. First, a naming hazard that bites developers. Ethereum's "Keccak-256" is not SHA3-256. Ethereum froze the original Keccak submission before FIPS 202 added its domain-separation padding, so the two functions append different bits before permuting and therefore produce different digests on the same input [2]. Code that assumes they are interchangeable will compute the wrong hash. This is a padding difference, not a security difference -- but it is a real bug source. Second, the quantum question again: if you are hedging against a future quantum adversary, the move is a longer digest -- SHA-384, SHA-512, or SHAKE256 at a longer output -- not a migration to a different construction, because Grover is a generic speedup that a bigger output absorbs [18].

Every one of these recommendations is a corollary of a single idea -- the construction decides the failure mode. A few common misconceptions fall out of the same idea, and they are worth clearing up directly.

11. Misconceptions the Structural View Corrects

Six questions whose honest answers are all the same idea in disguise: the construction, not the digest size, decides the failure mode.

Frequently asked questions

Did SHA-3 replace SHA-2?

No -- it supplements the SHA-2 family rather than replacing it, and NIST sees no need to migrate; the two coexist as deliberate design diversity, so a break in one construction leaves the other standing. See Section 4 [2, 18].

Does a quantum computer halve every security level?

Only for preimages, and only generically: Grover square-roots a preimage search but gives no real edge on collisions in bounded-memory models, so the hedge is a longer digest, not a new construction. See Section 8 [18].

Does any truncation stop length extension?

No -- only a truncation that hides enough state. SHA-512/256 hides 256 bits and resists it; SHA-224 hides only about 32, a weak margin rather than true immunity. See the SHA-224 truncation trap in Section 10 [1].

A reduced-round attack was announced -- is the hash nearly broken?

No. A reduced-round record measures distance to a break, not nearness to one: the deepest results reach only about 39 of SHA-256's 64 steps and 6 of Keccak's 24 rounds. See Section 6 [15, 23].

Is Ethereum's Keccak-256 the same as SHA3-256?

No. Ethereum froze the pre-FIPS-202 Keccak padding, so Keccak-256 and SHA3-256 return different digests on the same input -- same permutation, different padding. See Section 10 [2].

Is length extension a bug in SHA-2?

No -- it is a provable structural property of any untruncated Merkle-Damgard hash, removed (not patched) by HMAC, sufficient truncation, or the sponge. See Sections 2 and 10 [28, 2].

Every answer traces back to the same sentence. It is worth stating that sentence one last time, with all the evidence now behind it.

12. The Construction Writes the Obituary

We opened with a claim that should have sounded like a bluff: that we could describe, mechanically, how each of these functions would fall before either has ever fallen. Now the description is complete, and the two obituaries share nothing but a date that has not arrived.

SHA-2 would die the way MD5 and SHA-1 died -- a Wang-style differential collision threaded through its compression function, deterministic in the early steps and cheap through the tail. It survives today only because its carry-laden schedule keeps that path unfindable past about 39 of 64 steps, and it carries length extension as a structural debt from the 1989 bargain [15].

SHA-3 would die a different death entirely, on the algebra of a single degree-2 step: the cube frontier that stalls at 9 keyed rounds, and the internal-differential collisions that hold the records at 6 [23]. Its deepest known property reaches all 24 rounds and still breaks nothing, because the capacity provably stands between a permutation distinguisher and a hash collision.

And the margins are the payoff. Roughly 25 to 33 of SHA-256's 64 steps, and roughly 18 of Keccak's 24 rounds, remain entirely untouched after thirty-five years of the best cryptanalysis in the world [15, 23, 21]. The construction writes the obituary; the cryptanalysis only fills in the date, and the date is nowhere close.

The construction writes the obituary. A hash does not die at its digest size -- it dies where its construction is thinnest, and no two constructions are thin in the same place.

That is the through-line, and it hands off cleanly. How these functions have actually failed people in the field -- Flame's rogue certificate, the long death of SHA-1 in the browser -- is a different kind of story, told by the empirical sibling to this piece, "How the Hash Functions Broke in Real Life."

And it points forward: if a hash's construction predicts its structural death, the natural next question for this series is whether the same is true for the ciphers and signature schemes still to come -- whether, for every primitive, the shape of the thing already names the way it would break.

Study guide

Key terms

Merkle-Damgard construction
Iterating a compression function from a fixed IV over padded message blocks; the digest is the final chaining value.
Length extension
Computing H(m plus pad plus y) from H(m) and the length of m, without knowing m, because the digest is the full internal state.
Differential characteristic
A step-by-step trail of input-to-output differences that ends in zero difference, the backbone of a collision attack.
Message modification
Solving the early sufficient conditions of a characteristic deterministically by adjusting free message words, collapsing the search cost to the tail.
Sponge construction
Absorbing message blocks into the rate of a large permutation and squeezing the digest from the rate, keeping the capacity hidden.
Algebraic degree
The size of the largest monomial in a function's algebraic normal form; Keccak's chi has degree 2.
Zero-sum distinguisher
A structured input set whose images and preimages both XOR to zero, a property of the permutation that is not a hash break.
Indifferentiability
A proof that a construction adds no exploitable structure over its primitive, up to about 2^(c/2) in the capacity for the sponge.

Comprehension questions

  1. Why does a Merkle-Damgard hash die at a differential path rather than at its digest size?

    Because a collision of the hash reduces to a collision of the compression function, and a differential characteristic plus message modification finds one far below the birthday bound.

  2. Why is SHA-2 more resistant to message modification than MD5 or SHA-1?

    Its message schedule couples words through modular-addition carries, so solving one sufficient condition perturbs others, destroying the one-free-word-per-step structure.

  3. Why does the degree bound double per round instead of squaring?

    The composition law multiplies the degree by at most deg(R) equals 2 each round, giving 1,2,4,8 up to 2^r; squaring would grow doubly-exponentially and contradict the 2^r bound.

  4. Why is a full-round zero-sum distinguisher not a collision?

    The sponge is indifferentiable from a random oracle up to the capacity, so an attack on the sponge implies a distinguisher on the permutation but not the converse.

  5. What is the one practical gotcha the structural view flags?

    Length extension: use HMAC, SHA-512/256, or SHA-3 rather than a plain keyed Merkle-Damgard digest, and note that SHA-224 hides only about 32 bits.

References

  1. National Institute of Standards and Technology (2015). FIPS 180-4: Secure Hash Standard (SHS). https://csrc.nist.gov/pubs/fips/180-4/upd1/final - The Secure Hash Standard for the SHA-2 family: 64/80-step Merkle-Damgard/Davies-Meyer compression and SHA-512/256 truncation.
  2. National Institute of Standards and Technology (2015). FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. https://csrc.nist.gov/pubs/fips/202/final - The SHA-3 standard; states that SHA-3 supplements (not supersedes) SHA-2 and defines the Keccak sponge and KECCAK-p permutation.
  3. Ralph C. Merkle (1989). One Way Hash Functions and DES. https://doi.org/10.1007/0-387-34805-0_40 - Origin of the Merkle-Damgard construction and the collision-resistance reduction to the compression function.
  4. Ivan Damgard (1989). A Design Principle for Hash Functions. https://doi.org/10.1007/0-387-34805-0_39 - The independent 1989 design principle establishing Merkle-Damgard strengthening.
  5. Alfred J. Menezes, Paul C. van Oorschot, & Scott A. Vanstone (1996). Handbook of Applied Cryptography, Chapter 9: Hash Functions and Data Integrity. https://cacr.uwaterloo.ca/hac/about/chap9.pdf - General model for iterated hash functions: the security reduction and Merkle-Damgard strengthening.
  6. Florian Chabaud & Antoine Joux (1998). Differential Collisions in SHA-0. https://link.springer.com/chapter/10.1007/BFb0055745 - First differential collision analysis of SHA-0 (about 2^61); the local-collision and differential-characteristic template.
  7. Ronald L. Rivest (1992). RFC 1321: The MD5 Message-Digest Algorithm. https://datatracker.ietf.org/doc/html/rfc1321 - The MD5 specification (Rivest, 1992): a 128-bit Merkle-Damgard hash in the MD4 lineage.
  8. Donald E. Eastlake & Paul E. Jones (2001). RFC 3174: US Secure Hash Algorithm 1 (SHA1). https://datatracker.ietf.org/doc/html/rfc3174 - The SHA-1 specification (reproducing FIPS 180-1): a 160-bit MD4-family design.
  9. Xiaoyun Wang & Hongbo Yu (2005). How to Break MD5 and Other Hash Functions. https://doi.org/10.1007/11426639_2 - Practical full MD5 collisions via hand-built differential paths and message modification.
  10. Xiaoyun Wang, Yiqun Lisa Yin, & Hongbo Yu (2005). Finding Collisions in the Full SHA-1. https://doi.org/10.1007/11535218_2 - Collision attack on the full SHA-1 (about 2^69), below its 2^80 birthday bound.
  11. Marc Stevens, Pierre Karpman, Elie Bursztein, Ange Albertini, & Yarik Markov (2017). SHAttered: The First Collision for Full SHA-1. https://shattered.io/ - SHAttered: the first identical-prefix SHA-1 collision (about 2^63.1) by Stevens, Karpman, Bursztein, Albertini, and Markov.
  12. Gaetan Leurent & Thomas Peyrin (2020). SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1. https://eprint.iacr.org/2020/014 - SHAmbles: the first chosen-prefix SHA-1 collision (about 2^63.4) by Leurent and Peyrin, with a PGP/GnuPG forgery.
  13. Gaetan Leurent & Thomas Peyrin (2020). SHA-1 is a Shambles. https://sha-mbles.github.io/ - The SHAmbles project page: the chosen-prefix SHA-1 collision demonstration and CVE-2019-14855.
  14. Hans Dobbertin (1996). Cryptanalysis of MD4. https://doi.org/10.1007/3-540-60865-6_43 - First full collisions for MD4, an early differential break of a Merkle-Damgard/Davies-Meyer hash.
  15. Yingxin Li, Fukang Liu, & Gaoli Wang (2024). New Records in Collision Attacks on SHA-2. https://eprint.iacr.org/2024/349 - Current SHA-2 collision records (39-step SFS SHA-256, 40-step FS SHA-224, reduced SHA-512) and the 'reached the bottleneck' quote.
  16. Guido Bertoni, Joan Daemen, Michael Peeters, & Gilles Van Assche (2015). The Keccak Team. https://keccak.team/ - The Keccak/SHA-3 design site: the sponge construction, 24-round Keccak-f, and length-extension immunity by design.
  17. National Institute of Standards and Technology (2012). SHA-3 Project. https://csrc.nist.gov/projects/hash-functions/sha-3-project - SHA-3 competition timeline (2007-2012), the 2004-2005 attacks that motivated it, and Keccak named as the winner.
  18. National Institute of Standards and Technology (2015). NIST Policy on Hash Functions. https://csrc.nist.gov/projects/hash-functions/nist-policy-on-hash-functions - NIST's position that there is no need to migrate from SHA-2 to SHA-3; the quantum hedge is a longer digest, not a new construction.
  19. Guido Bertoni, Joan Daemen, Michael Peeters, & Gilles Van Assche (2011). Cryptographic Sponge Functions. https://keccak.team/sponge_duplex.html - Sponge indifferentiability bound N^2/2^(c-1), the hidden capacity, and the note that a structural distinguisher for f need not imply an attack in F.
  20. Christina Boura, Anne Canteaut, & Christophe De Canniere (2011). Higher-order Differential Properties of Keccak and Luffa. https://eprint.iacr.org/2010/589 - Zero-sum partitions of size 2^1590 for the full 24-round Keccak-f and the refined iterated-degree bound; a distinguisher, not a break.
  21. Itai Dinur, Pawel Morawiecki, Josef Pieprzyk, Marian Srebrny, & Michal Straus (2015). Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function. https://eprint.iacr.org/2014/736 - Cube and cube-like attacks reaching 9/24 keyed rounds (6-round practical) and the 'security margin remains large' quote.
  22. Florian Mendel, Tomislav Nad, & Martin Schlaffer (2013). Improving Local Collisions: New Attacks on Reduced SHA-256. https://doi.org/10.1007/978-3-642-38348-9_16 - Reduced-round SHA-256 collision records (31-step from-IV, 38-step semi-free-start), the decade-standing baseline.
  23. Zhongyi Zhang, Chengan Hou, & Meicheng Liu (2024). Probabilistic Linearization: Internal Differential Collisions in up to 6 Rounds of SHA-3. https://eprint.iacr.org/2024/1136 - Best reduced-round SHA-3 collision records (5-round SHA3-384, 6-round SHAKE256) via probabilistic linearization.
  24. Itai Dinur & Adi Shamir (2009). Cube Attacks on Tweakable Black Box Polynomials. https://eprint.iacr.org/2008/385 - Origin of the cube attack: the low-degree GF(2) superpoly method with its complexity and success bound.
  25. Itai Dinur, Orr Dunkelman, & Adi Shamir (2013). Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials. https://eprint.iacr.org/2012/672 - Internal-differential collisions on reduced Keccak (Peyrin 2010 origin); actual collisions on 3-5 rounds.
  26. The Keccak Team (2024). Third-Party Cryptanalysis of Keccak. https://keccak.team/third_party.html - The designers' public index of third-party Keccak/SHA-3 cryptanalysis.
  27. Guido Bertoni, Joan Daemen, Michael Peeters, & Gilles Van Assche (2008). On the Indifferentiability of the Sponge Construction. https://keccak.team/files/SpongeIndifferentiability.pdf - Proof that the sponge is indifferentiable from a random oracle up to about 2^(c/2); capacity as the distinguisher-to-collision barrier.
  28. Hugo Krawczyk, Mihir Bellare, & Ran Canetti (1997). RFC 2104: HMAC: Keyed-Hashing for Message Authentication. https://datatracker.ietf.org/doc/html/rfc2104 - The HMAC specification: the nested keyed-hash construction that removes length extension.
  29. Ron Bowes (2022). hash_extender: A Length Extension Attack Tool. https://github.com/iagox86/hash_extender - A worked length-extension forgery tool for SHA-256/SHA-512 that declines SHA-224/SHA-384.