International Association for Cryptologic Research (IACR)
Abstract
In this work, we present practical semi-free-start collisions for SHA-512 on up to 38 (out of 80) steps with complexity 240.5. The best previously published result was on 24 steps. The attack is based on extending local collisions as proposed by Mendel et al. in their Eurocrypt 2013 attack on SHA-256. However, for SHA-512, the search space is too large for direct application of these techniques. We achieve our result by improving the branching heuristic of the guess-and-determine approach to find differential characteristics and
conforming message pairs. Experiments show that for smaller problems like 27 steps of SHA-512, the heuristic can also speed up the
collision search by a factor of 220