Boomerang Attack on Step-Reduced SHA-512

Abstract: Abstract. SHA-2 (SHA-224, SHA-256, SHA-384 and SHA-512) is hash function family issued by the National Institute of Standards and Technology (NIST) in 2002 and is widely used all over the world. In this work, we analyze the security of SHA-512 with respect to boomerang attack. Boomerang distinguisher on SHA-512 compression function reduced to 48 steps is proposed, with a practical complexity of 2 51 . A practical example of the distinguisher for 48-step SHA-512 is also given. As far as we know, it is the best … Show more

“…Recently, Eichlseder et al [9] demonstrated how to extend these attacks to get semi-free-start collisions for SHA-512 reduced to 38 steps with practical complexity. Furthermore, second-order differential collisions for SHA-512 up to 48 steps with practical complexity have been shown by Yu et al [27]. We want to note that all these practical collision attacks on SHA-512 are also applicable to its truncated variants.…”

“…Starting from the ground-breaking results of Wang et al [25,26], the search techniques used for practical collisions have been significantly improved, hitting their current peak in the attacks on SHA-256 [2,19] and SHA-512 [9,27]. In spite of all achieved improvements, the top-level attack strategy has remained essentially the same.…”

“…4.1. Then, to complete the characteristic, we first search for a valid solution for the dense part of the middle steps (A i and E i in steps [13][14][15][16], and E i in steps [17][18][19][20][21][22][23][24][25][26][27], and finally fix the corresponding message words W i in steps 13-17, which determines the complete state, including the dense differences in the prepended steps and IV.…”

Analysis of SHA-512/224 and SHA-512/256

“…Recently, Eichlseder et al [9] demonstrated how to extend these attacks to get semi-free-start collisions for SHA-512 reduced to 38 steps with practical complexity. Furthermore, second-order differential collisions for SHA-512 up to 48 steps with practical complexity have been shown by Yu et al [27]. We want to note that all these practical collision attacks on SHA-512 are also applicable to its truncated variants.…”

“…Starting from the ground-breaking results of Wang et al [25,26], the search techniques used for practical collisions have been significantly improved, hitting their current peak in the attacks on SHA-256 [2,19] and SHA-512 [9,27]. In spite of all achieved improvements, the top-level attack strategy has remained essentially the same.…”

“…4.1. Then, to complete the characteristic, we first search for a valid solution for the dense part of the middle steps (A i and E i in steps [13][14][15][16], and E i in steps [17][18][19][20][21][22][23][24][25][26][27], and finally fix the corresponding message words W i in steps 13-17, which determines the complete state, including the dense differences in the prepended steps and IV.…”

Analysis of SHA-512/224 and SHA-512/256

New Records in Collision Attacks on SHA-2

Security vulnerabilities of the Mexican digital invoices by internet