Colliding Message Pairs for 23 and 24-step SHA-512

Recently, Indesteege et al. [1] had described attacks against 23 and 24-step SHA-512 at SAC ’08. Their attacks are based on the differential path by Nikolić and Biryukov [2]. The reported complexities are 2 and 2 calls to the respective step reduced SHA-512 hash function. They provided colliding message pairs for 23-step SHA-512 but did not provide a colliding message pair for 24-step SHA-512. In this note we provide a colliding message pair for 23-step SHA-512 and the first colliding message pair for 24-step SHA-512. Our attacks use the differential path first described by Sanadhya and Sarkar at ACISP ’08 [3]. The complexities of our attacks are 2 and 2 calls to the respective step reduced SHA-512 hash function. Complete details of the attacks will be provided in an extended version of this note. 1 Colliding Message Pairs In [4], 23 and 24-step SHA-256 attacks are described. Similar attacks will also work for 23 and 24-step SHA-512. Complete details of these attacks will be provided later. For notation see [4]. A set of suitable values of δ2, α, λ, μ and γ for the 23-step SHA-512 collision is the following. δ2 = 0x600000000237, α = 0x7201b90f9f8df85e, λ = 0x3e000007ffdc9, μ = 0x43fffff800001 and γ = 0x1. Values of the constants for 24-step SHA-512 collision is the following. δ1 = 0x200000000008, δ2 = 0x600000000237, α = 0x7201b90f9f8df85e, λ = 0x3e000007ffdc9, μ = 0x45fffff800009, γ = 0x1. The colliding message pairs are provided in Table 1 and Table 2 next. ⋆ This author is supported by the Ministry of Information Technology, Govt. of India. Table 1. Colliding message pair for 23-step SHA-512 with standard IV. W1 0-3 b9fa6fc4729ca55c 8718310e1b3590e1 1d3d530cb075b721 99166b30ecbdd705 4-7 27ed55b66c090b62 754b2163ff6feec5 6685f40fd8ab08f8 590c1c0522f6fdfd 8-11 b947bb4013b688c1 d9d72ca8ab1cac04 69d0e120220d4edc 30a2e93aeef24e3f 12-15 84e76299718478b9 f11ae711647763e5 d621d2687946e862 0ee57069123ecc8b W2 0-3 b9fa6fc4729ca55c 8718310e1b3590e1 1d3d530cb075b721 99166b30ecbdd705 4-7 27ed55b66c090b62 754b2163ff6feec5 6685f40fd8ab08f8 590c1c0522f6fdfd 8-11 b947bb4013b688c2 d9d72ca8ab1cac03 69d0e120220d4edc 30a3493aeef25076 12-15 84e76299718478b9 f11ae711647763e5 d621d2687946e862 0ee57069123ecc8b Table 2. Colliding message pair for 24-step SHA-512 with standard IV. W1 0-3 dedb689cfc766965 c7b8e064ff720f7c c136883560348c9c 3747df7d0cf47678 4-7 855e17555cfedc5f 88566babccaa63e9 5dda9777938b73cd b17b00574a4e4216 8-11 86f3ff48fd12ea19 cd15c6f8d6da38ce 5e2c6b7b0411e70b 36ed67e93a794e66 12-15 1b65e96b02767821 04d0950089db6c68 5bc9b9673e38eff3 b05d879ad024d3fa W2 0-3 dedb689cfc766965 c7b8e064ff720f7c c136883560348c9c 3747df7d0cf47678 4-7 855e17555cfedc5f 88566babccaa63e9 5dda9777938b73cd b17b00574a4e4216 8-11 86f3ff48fd12ea19 cd15c6f8d6da38ce 5e2c6b7b0411e70c 36ed67e93a794e65 12-15 1b66096b02767829 04d0f50089db6e9f 5bc9b9673e38eff3 b05d879ad024d3fa