Branching Heuristics in Differential Collision Search with Applications to SHA-512.

In this work, we present practical semi-free-start collisions for SHA-512 on up to 38 (out of 80) steps with complexity 2(40.5). The best previously published result was on 24 steps. The attack is based on extending local collisions as proposed by Mendel et al. in their Eurocrypt 2013 attack on SHA-256. However, for SHA-512, the search space is too large for direct application of these techniques. We achieve our result by improving the branching heuristic of the guess-and-determine approach to find differential characteristics and conforming message pairs. Experiments show that for smaller problems like 27 steps of SHA-512, the heuristic can also speed up the collision search by a factor of 2(20).