

























Fukang Liu, Institute of Science Tokyo
Gaoli Wang, East China Normal University
Jiali Shi, Henan Polytechnic University
The SHA-2 family hash is standardized by NIST and mainly includes two variants, SHA-256 and SHA-512. Due to its widespread deployment, its security has attracted continuous attention from various parties. Although Li et al. have developed open-source SAT/SMT-based tools and proposed new memory-efficient collision attack frameworks for SHA-2 in recent two years, practical collision attacks are only achieved for 31-step SHA-256 and 29-step SHA-512, respectively. To push the limit of such an attack framework for SHA-2, we carefully investigate existing strategies to choose message differences used in 38/39-step semi-free-start collision attacks. We found that by selecting message words $(W_{4+i}, \ldots, W_{8+i}, W_{12+i}, W_{13+i}, W_{20+i}, W_{22+i})_{0\leq i \leq 3}$ to inject differences, and employing the open-source SAT/SMT-based automated tools to search for the corresponding differential characteristics, notable improvement can be achieved for practical and theoretical collision attacks. Specifically, the first practical collision attacks on 35-step SHA-256 and SHA-512 can be achieved for $i=0$, improving the best practical collision attacks on SHA-256 and SHA-512 by 4 and 6 steps, respectively. When $i\in\{1,2\}$, theoretical collision attacks on both SHA-256 and SHA-512 can reach up to 36/37 steps. We have also tried collision attack up to 38 steps by setting $i=3$, but the uncontrolled differential probability is too low to be used for effective attacks.
BibTeX
@misc{cryptoeprint:2026/1080,
author = {Yingxin Li and Fukang Liu and Gaoli Wang and Jiali Shi},
title = {Pushing the Limit of Memory-efficient Collision Attack Framework for {SHA}-2},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/1080},
year = {2026},
url = {https://eprint.iacr.org/2026/1080}
}
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。