Branching Heuristics in Differential Collision Search with Applications to SHA-512

In this work, we present practical semi-free-start collisions for SHA-512 on up to 38 (out of 80) steps with complexity \(2^{40.5}\). The best previously published result was on 24 steps. The attack is based on extending local collisions as proposed by Mendel et al. in their Eurocrypt 2013 attack on SHA-256. However, for SHA-512, the search space is too large for direct application of these techniques. We achieve our result by improving the branching heuristic of the guess-and-determine approach to find differential characteristics and conforming message pairs. Experiments show that for smaller problems like 27 steps of SHA-512, the heuristic can also speed up the collision search by a factor of \(2^{20}\).

[1] Jian Guo et al. Preimages for Step-Reduced SHA-2. IACR Cryptol. ePrint Arch., 2009.

[2] Elisabeth Oswald et al. Searching for Differential Paths in MD4. FSE, 2006.

[3] Niklas Sörensson et al. An Extensible SAT-solver. SAT, 2003.

[4] Dmitry Khovratovich et al. Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 Family. IACR Cryptol. ePrint Arch., 2012.

[5] Palash Sarkar et al. New Collision Attacks against Up to 24-Step SHA-2. INDOCRYPT, 2008.

[6] Phong Q. Nguyen et al. Advances in Cryptology - EUROCRYPT 2013: 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013: Proceedings. 2013.

[7] Gaëtan Leurent et al. Construction of Differential Characteristics in ARX Designs: Application to Skein. CRYPTO, 2013.

[8] Chu Min Li et al. Heuristics Based on Unit Propagation for Satisfiability Problems. IJCAI, 1997.

[9] Anne Canteaut. Fast Software Encryption: 19th International Workshop, FSE 2012, Washington, DC, USA, March 19-21, 2012: Revised Selected Papers. 2012.

[10] Hans van Maaren et al. Look-Ahead Based SAT Solvers. Handbook of Satisfiability, 2009.

[11] Bart Preneel et al. Collisions and other Non-Random Properties for Step-Reduced SHA-256. IACR Cryptol. ePrint Arch., 2009.

[12] J. Davenport. Editor. 1960.

[13] Alex Biryukov et al. Collisions for Step-Reduced SHA-256. FSE, 2008.

[14] Florian Mendel et al. Improving Local Collisions: New Attacks on Reduced SHA-256. EUROCRYPT, 2013.

[15] Bernd Becker et al. Conflict-Based Selection of Branching Rules. SAT, 2003.

[16] Xiaoyun Wang et al. How to Break MD5 and Other Hash Functions. EUROCRYPT, 2005.

[17] Hui Chen et al. Cryptanalysis of the Hash Functions MD4 and RIPEMD. EUROCRYPT, 2005.

[18] Thomas Peyrin et al. Cryptanalysis of Full RIPEMD-128. Journal of Cryptology, 2013.

[19] Sharad Malik et al. Chaff: Engineering an Efficient SAT Solver. Proceedings of the 38th Design Automation Conference, 2001.

[20] Paolo Liberatore et al. On the Complexity of Choosing the Branching Literal in DPLL. Artif. Intell., 2000.

[21] Marijn J. H. Heule et al. March_dl: Adding Adaptive Heuristics and a New Branching Strategy. J. Satisf. Boolean Model. Comput., 2006.

[22] Donald W. Loveland et al. A Machine Program for Theorem-Proving. CACM, 2011.

[23] Kyoji Shibutani et al. Converting Meet-In-The-Middle Preimage Attack into Pseudo Collision Attack: Application to SHA-2. FSE, 2012.

[24] Shay Gueron et al. SHA-512/256. 2011 Eighth International Conference on Information Technology: New Generations, 2011.

[25] Florian Mendel et al. Finding Collisions for Round-Reduced SM3. CT-RSA, 2013.

[26] Gaëtan Leurent et al. Analysis of Differential Attacks in ARX Constructions. ASIACRYPT, 2012.

[27] J. Freeman. Improvements to Propositional Satisfiability Search Algorithms. 1995.

[28] Eugene Goldberg et al. BerkMin: A Fast and Robust Sat-Solver. Discret. Appl. Math., 2002.

[29] Ming Ouyang. How Good Are Branching Rules in DPLL? Discret. Appl. Math., 1998.

[30] Armando Tacchella et al. Theory and Applications of Satisfiability Testing: 6th International Conference, SAT 2003, Santa Margherita Ligure, Italy, May 5-8, 2003: Selected Revised Papers (Lecture Notes in Computer Science, 2919). 2004.

[31] Christophe De Cannière et al. Finding SHA-1 Characteristics: General Results and Applications. ASIACRYPT, 2006.

[32] Vincent Rijmen et al. Linear Propagation in Efficient Guess-and-Determine Attacks. 2013.

[33] Jinchang Wang et al. Solving Propositional Satisfiability Problems. Annals of Mathematics and Artificial Intelligence, 1990.

[34] Florian Mendel et al. Differential Attacks on Reduced RIPEMD-160. ISC, 2012.

[35] Florian Mendel et al. Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions. ASIACRYPT, 2011.

[36] Joao Marques-Silva et al. The Impact of Branching Heuristics in Propositional Satisfiability Algorithms. EPIA, 1999.

[37] Xiaoyun Wang et al. Finding Collisions in the Full SHA-1. CRYPTO, 2005.