Colliding Message Pairs for 23 and 24-step SHA-512

Recently, Indesteege et al. [1] had described attacks against 23 and 24-step SHA-512 at SAC '08. Their attacks are based on the differential path by Nikolic and Biryukov [2]. The reported complexities are $2^{44.9}$ and $2^{53}$ calls to the respecti…

Authors: Somitra Kumar Sanadhya (Applied Statistics Unit, Indian Statistical Institute, Kolkata)

Somitra Kumar Sanadhya⋆ and Palash Sarkar

Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India 700108. somitra_r@isical.ac.in, palash@isical.ac.in

1st September, 2008

Abstract. Recently, Indesteege et al. [1] had described attacks against 23 and 24-step SHA-512 at SAC '08. Their attacks are based on the differential path by Nikolić and Biryukov [2]. The reported complexities are $2^{44.9}$ and $2^{53}$ calls to the respective step reduced SHA-512 hash function. They provided colliding message pairs for 23-step SHA-512 but did not provide a colliding message pair for 24-step SHA-512. In this note we provide a colliding message pair for 23-step SHA-512 and the first colliding message pair for 24-step SHA-512. Our attacks use the differential path first described by Sanadhya and Sarkar at ACISP '08 [3]. The complexities of our attacks are $2^{16.5}$ and $2^{34.5}$ calls to the respective step reduced SHA-512 hash function. Complete details of the attacks will be provided in an extended version of this note.

1 Colliding Message Pairs

In [4], 23 and 24-step SHA-256 attacks are described. Similar attacks will also work for 23 and 24-step SHA-512. Complete details of these attacks will be provided later. For notation see [4].

A set of suitable values of $\delta_2$, $\alpha$, $\lambda$, $\mu$ and $\gamma$ for the 23-step SHA-512 collision is the following: $\delta_2$ = 0x600000000237, $\alpha$ = 0x7201b90f9f8df85e, $\lambda$ = 0x3e000007ffdc9, $\mu$ = 0x43fffff800001 and $\gamma$ = 0x1.

The values of the constants for the 24-step SHA-512 collision are the following: $\delta_1$ = 0x200000000008, $\delta_2$ = 0x600000000237, $\alpha$ = 0x7201b90f9f8df85e, $\lambda$ = 0x3e000007ffdc9, $\mu$ = 0x45fffff800009, $\gamma$ = 0x1.

The colliding message pairs are provided in Table 1 and Table 2 next.

⋆ This author is supported by the Ministry of Information Technology, Govt. of India.

Table 1. Colliding message pair for 23-step SHA-512 with standard IV.

| Message | Words | |
|---|---|---|
| $W_1$ | 0-3 | b9fa6fc4729ca55c 8718310e1b3590e1 1d3d530cb075b721 99166b30ecbdd705 |
| | 4-7 | 27ed55b66c090b62 754b2163ff6feec5 6685f40fd8ab08f8 590c1c0522f6fdfd |
| | 8-11 | b947bb4013b688c1 d9d72ca8ab1cac04 69d0e120220d4edc 30a2e93aeef24e3f |
| | 12-15 | 84e76299718478b9 f11ae711647763e5 d621d2687946e862 0ee57069123ecc8b |
| $W_2$ | 0-3 | b9fa6fc4729ca55c 8718310e1b3590e1 1d3d530cb075b721 99166b30ecbdd705 |
| | 4-7 | 27ed55b66c090b62 754b2163ff6feec5 6685f40fd8ab08f8 590c1c0522f6fdfd |
| | 8-11 | b947bb4013b688c2 d9d72ca8ab1cac03 69d0e120220d4edc 30a3493aeef25076 |
| | 12-15 | 84e76299718478b9 f11ae711647763e5 d621d2687946e862 0ee57069123ecc8b |

Table 2. Colliding message pair for 24-step SHA-512 with standard IV.

| Message | Words | |
|---|---|---|
| $W_1$ | 0-3 | dedb689cfc766965 c7b8e064ff720f7c c136883560348c9c 3747df7d0cf47678 |
| | 4-7 | 855e17555cfedc5f 88566babccaa63e9 5dda9777938b73cd b17b00574a4e4216 |
| | 8-11 | 86f3ff48fd12ea19 cd15c6f8d6da38ce 5e2c6b7b0411e70b 36ed67e93a794e66 |
| | 12-15 | 1b65e96b02767821 04d0950089db6c68 5bc9b9673e38eff3 b05d879ad024d3fa |
| $W_2$ | 0-3 | dedb689cfc766965 c7b8e064ff720f7c c136883560348c9c 3747df7d0cf47678 |
| | 4-7 | 855e17555cfedc5f 88566babccaa63e9 5dda9777938b73cd b17b00574a4e4216 |
| | 8-11 | 86f3ff48fd12ea19 cd15c6f8d6da38ce 5e2c6b7b0411e70c 36ed67e93a794e65 |
| | 12-15 | 1b66096b02767829 04d0f50089db6e9f 5bc9b9673e38eff3 b05d879ad024d3fa |

References

1. Sebastiaan Indesteege, Florian Mendel, Bart Preneel, and Christian Rechberger. Collisions and other Non-Random Properties for Step-Reduced SHA-256. To appear in SAC 2008. Available at http://eprint.iacr.org/2008/131.
2. Ivica Nikolić and Alex Biryukov. Collisions for Step-Reduced SHA-256. In Kaisa Nyberg, editor, Fast Software Encryption, 15th International Workshop, FSE 2008, Lausanne, Switzerland, March 26-28, 2008, volume Pre-proceedings version of Lecture Notes in Computer Science, pages 1–16. Springer, 2008.
3. Somitra Kumar Sanadhya and Palash Sarkar. Non-Linear Reduced Round Attacks Against SHA-2 Hash family. In Yi Mu and Willy Susilo, editors, Information Security and Privacy - ACISP 2008, The 13th Australasian Conference, Wollongong, Australia, 7-9 July 2008, Proceedings, volume 5107 of Lecture Notes in Computer Science. Springer, 2008.
4. Somitra Kumar Sanadhya and Palash Sarkar. Attacking Step Reduced SHA-2 Family in a Unified Framework. Cryptology eprint Archive, June 2008. Available at http://eprint.iacr.org/2008.
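The pairs in Table 1 and Table 2 can be checked independently of the attack. The following added example (not part of the note, and not the authors' code) runs one-block SHA-512 compression from the standard IV, truncated to a given number of steps with the usual feed-forward, on both pairs; the function names are this example's own, and the message words are those of the tables with the extraction spacing removed.

```python
from math import isqrt
MASK = (1 << 64) - 1

def icbrt(n):
    """Floor integer cube root (Newton iteration started above the root)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

# FIPS 180-4 constants for the first 24 steps, derived from the first 24 primes.
PRIMES = [p for p in range(2, 90) if all(p % q for q in range(2, p))]
IV = [isqrt(p << 128) & MASK for p in PRIMES[:8]]
K = [icbrt(p << 192) & MASK for p in PRIMES]

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def reduced_sha512(words, steps):
    """One-block compression from the standard IV, cut to `steps` (at most 24) steps."""
    w = list(words)
    for t in range(16, steps):
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((s1 + w[t - 7] + s0 + w[t - 16]) & MASK)
    a, b, c, d, e, f, g, h = IV
    for t in range(steps):
        t1 = h + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[t] + w[t]
        t2 = (rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(IV, (a, b, c, d, e, f, g, h))]

def pair(first_hex, changed):
    """Return (W1, W2); W2 equals W1 except at the word indices in `changed`."""
    w1 = [int(v, 16) for v in first_hex.split()]
    return w1, [changed.get(i, v) for i, v in enumerate(w1)]

# Tables 1 and 2 of the note: W2 differs in words 8, 9, 11 (23 steps) and 10-13 (24 steps).
P23 = pair("""b9fa6fc4729ca55c 8718310e1b3590e1 1d3d530cb075b721 99166b30ecbdd705
27ed55b66c090b62 754b2163ff6feec5 6685f40fd8ab08f8 590c1c0522f6fdfd
b947bb4013b688c1 d9d72ca8ab1cac04 69d0e120220d4edc 30a2e93aeef24e3f
84e76299718478b9 f11ae711647763e5 d621d2687946e862 0ee57069123ecc8b""",
           {8: 0xb947bb4013b688c2, 9: 0xd9d72ca8ab1cac03, 11: 0x30a3493aeef25076})
P24 = pair("""dedb689cfc766965 c7b8e064ff720f7c c136883560348c9c 3747df7d0cf47678
855e17555cfedc5f 88566babccaa63e9 5dda9777938b73cd b17b00574a4e4216
86f3ff48fd12ea19 cd15c6f8d6da38ce 5e2c6b7b0411e70b 36ed67e93a794e66
1b65e96b02767821 04d0950089db6c68 5bc9b9673e38eff3 b05d879ad024d3fa""",
           {10: 0x5e2c6b7b0411e70c, 11: 0x36ed67e93a794e65,
            12: 0x1b66096b02767829, 13: 0x04d0f50089db6e9f})

def collides(p, steps):
    return p[0] != p[1] and reduced_sha512(p[0], steps) == reduced_sha512(p[1], steps)
```

`collides(P23, 23)` and `collides(P24, 24)` compare the two outputs of each pair; the word differences in the second message equal the $\delta_1$ and $\delta_2$ values listed above.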
