Branching Heuristics in Differential Collision Search with Applications to SHA-512

  • Maria EichlsederEmail author
  • Florian Mendel
  • Martin Schläffer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)


In this work, we present practical semi-free-start collisions for SHA-512 on up to 38 (out of 80) steps with complexity \(2^{40.5}\). The best previously published result was on 24 steps. The attack is based on extending local collisions as proposed by Mendel et al. in their Eurocrypt 2013 attack on SHA-256. However, for SHA-512, the search space is too large for direct application of these techniques. We achieve our result by improving the branching heuristic of the guess-and-determine approach to find differential characteristics and conforming message pairs. Experiments show that for smaller problems like 27 steps of SHA-512, the heuristic can also speed up the collision search by a factor of \(2^{20}\).


Hash functions Cryptanalysis SHA-512 Collision attack Guess-and-determine attack Branching heuristic 



The work has been supported in part by the Secure Information Technology Center-Austria (A-SIT), by the Austrian Government through the research program FIT-IT Trust in IT Systems (Project SePAG, Project Number 835919), and by the European Commission through the FP7 Joint Technology Initiatives (Call ARTEMIS-2012-1, Project Arrowhead, Grant Agreement Number 332987).


  1. 1.
    Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for step-reduced SHA-2. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 578–597. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  2. 2.
    Bernstein, D.J., Lange, T.: eBASH: ECRYPT benchmarking of all submitted hashes, January 2011.
  3. 3.
    Buro, M., Kleine-Büning, H.: Report on a SAT competition. Bull. Eur. Assoc. Theor. Comput. Sci. 49, 143–151 (1993)zbMATHGoogle Scholar
  4. 4.
    Canteaut, A. (ed.): FSE 2012. LNCS, vol. 7549. Springer, Heidelberg (2012) zbMATHGoogle Scholar
  5. 5.
    Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005) zbMATHGoogle Scholar
  6. 6.
    Davis, M., Logemann, G., Loveland, D.W.: A machine program for theorem-proving. Commun. ACM 5(7), 394–397 (1962)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  8. 8.
    Eén, N., Sörensson, N.: An extensible SAT-solver. In: Giunchiglia and Tacchella [11], pp. 502–518Google Scholar
  9. 9.
    Eichlseder, M., Mendel, F., Nad, T., Rijmen, V., Schläffer, M.: Linear propagation in efficient guess-and-determine attacks. In: Budaghyan, L., Helleseth, T., Parker, M. G. (eds.) WCC (2013).
  10. 10.
    Freeman, J.W.: Improvements to propositional satisfiability search algorithms. Ph.D. thesis, Departement of computer and Information science, University of Pennsylvania, Philadelphia (1995)Google Scholar
  11. 11.
    Giunchiglia, E., Tacchella, A. (eds.): SAT 2003. LNCS, vol. 2919. Springer, Heidelberg (2004) zbMATHGoogle Scholar
  12. 12.
    Goldberg, E.I., Novikov, Y.: BerkMin: a fast and robust SAT-solver. In: DATE, pp. 142–149. IEEE Computer Society (2002)Google Scholar
  13. 13.
    Herbstritt, M., Becker, B.: Conflict-based selection of branching rules. In: Giunchiglia and Tacchella [11], pp. 441–451Google Scholar
  14. 14.
    Heule, M., van Maaren, H.: March_dl: adding adaptive heuristics and a new branching strategy. JSAT 2(1–4), 47–59 (2006)zbMATHGoogle Scholar
  15. 15.
    Heule, M., van Maaren, H.: Look-ahead based SAT solvers. In: Biere, A., van Heule, M., Maaren, H., Walsh, T. (eds.) Handbook of Satisfiability. Frontiers in Artificial Intelligence and Applications, vol. 185, pp. 155–184. IOS Press, Amsterdam (2009)Google Scholar
  16. 16.
    Indesteege, S., Mendel, F., Preneel, B., Rechberger, C.: Collisions and other non-random properties for step-reduced SHA-256. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 276–293. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  17. 17.
    Jeroslow, R.G., Wang, J.: Solving propositional satisfiability problems. Ann. Math. Artif. Intell. 1, 167–187 (1990)CrossRefzbMATHGoogle Scholar
  18. 18.
    Johansson, T., Nguyen, P.Q. (eds.): EUROCRYPT 2013. LNCS, vol. 7881. Springer, Heidelberg (2013) zbMATHGoogle Scholar
  19. 19.
    Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. In: Canteaut [4], pp. 244–263Google Scholar
  20. 20.
    Landelle, F., Peyrin, T.: Cryptanalysis of full RIPEMD-128. In: Johansson and Nguyen [18], pp. 228–244Google Scholar
  21. 21.
    Leurent, G.: Analysis of differential attacks in ARX constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 226–243. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  22. 22.
    Leurent, G.: Construction of differential characteristics in ARX designs application to skein. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 241–258. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  23. 23.
    Li, C.M., Anbulagan: Heuristics based on unit propagation for satisfiability problems. In: IJCAI, vol. 1, pp. 366–371. Morgan Kaufmann, San Francisco (1997)Google Scholar
  24. 24.
    Li, J., Isobe, T., Shibutani, K.: Converting meet-in-the-middle preimage attack into pseudo collision attack: application to SHA-2. In: Canteaut [4], pp. 264–286Google Scholar
  25. 25.
    Liberatore, P.: On the complexity of choosing the branching literal in DPLL. Artif. Intell. 116(1–2), 315–326 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  26. 26.
    Mendel, F., Nad, T., Scherz, S., Schläffer, M.: Differential attacks on reduced Ripemd-160. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 23–38. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  27. 27.
    Mendel, F., Nad, T., Schläffer, M.: Finding SHA-2 characteristics: searching through a minefield of contradictions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 288–307. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  28. 28.
    Mendel, F., Nad, T., Schläffer, M.: Finding collisions for round-reduced SM3. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 174–188. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  29. 29.
    Mendel, F., Nad, T., Schläffer, M.: Improving local collisions: new attacks on reduced SHA-256. In: Johansson and Nguyen [18], pp. 262–278Google Scholar
  30. 30.
    Moskewicz, M.W., Madigan, C.F., Zhao, Y., Zhang, L., Malik, S.: Chaff: engineering an efficient SAT solver. In: DAC, pp. 530–535. ACM (2001)Google Scholar
  31. 31.
    National Institute of Standards and Technology. FIPS PUB 180–3: Secure Hash Standard. Federal Information Processing Standards Publication 180–3, U.S. Department of Commerce, October 2008.
  32. 32.
    National Institute of Standards and Technology. FIPS PUB 180–4: Secure Hash Standard. Federal Information Processing Standards Publication 180–4, U.S. Department of Commerce, March 2012.
  33. 33.
    National Institute of Standards and Technology. SHA-3 Selection Announcement, October 2012.
  34. 34.
    Nikolić, I., Biryukov, A.: Collisions for step-reduced SHA-256. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 1–15. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  35. 35.
    Ouyang, M.: How good are branching rules in DPLL? Discrete Appl. Math. 89(1–3), 281–286 (1998)CrossRefzbMATHMathSciNetGoogle Scholar
  36. 36.
    Sanadhya, S.K., Sarkar, P.: New collision attacks against up to 24-step SHA-2. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 91–103. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  37. 37.
    Schläffer, M., Oswald, E.: Searching for differential paths in MD4. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 242–261. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  38. 38.
    Shay Gueron, J.W., Johnson, S.: SHA-512/256. Cryptology ePrint Archive, Report 2010/548 (2010).
  39. 39.
    Marques-Silva, J.: The impact of branching heuristics in propositional satisfiability algorithms. In: Barahona, P., Alferes, J.J. (eds.) EPIA 1999. LNCS (LNAI), vol. 1695, pp. 62–74. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  40. 40.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer [5], pp. 1–18Google Scholar
  41. 41.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  42. 42.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer [5], pp. 19–35Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Maria Eichlseder
    • 1
    Email author
  • Florian Mendel
    • 1
  • Martin Schläffer
    • 1
  1. 1.IAIKGraz University of TechnologyGrazAustria

Personalised recommendations