Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256

The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the KECCAK-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of KECCAK-f and some zero-sum partitions of size 2^19 and 2^10 for the finalization permutation in Hamsi-256.
