Improved Practical Attacks on Round-Reduced Keccak

The Keccak hash function is the winner of NIST’s SHA-3 competition, and so far it showed remarkable resistance against practical collision finding attacks: After several years of cryptanalysis and a lot of effort, the largest number of Keccak rounds for which actual collisions were found was only 2. In this paper, we develop improved collision finding techniques which enable us to double this number. More precisely, we can now find within a few minutes on a single PC actual collisions in the standard Keccak-224 and Keccak-256, where the only modification is to reduce their number of rounds to 4. When we apply our techniques to 5-round Keccak, we can get in a few days near collisions, where the Hamming distance is 5 in the case of Keccak-224 and 10 in the case of Keccak-256. Our new attack combines differential and algebraic techniques, and uses the fact that each round of Keccak is only a quadratic mapping in order to efficiently find pairs of messages which follow a high probability differential characteristic. Since full Keccak has 24 rounds, our attack does not threaten the security of the hash function.

[1]  Marian Srebrny,et al.  A SAT-based preimage analysis of reduced Keccak hash functions , 2013, Inf. Process. Lett..

[2]  Sanjit Chatterjee,et al.  Progress in Cryptology - INDOCRYPT 2011 - 12th International Conference on Cryptology in India, Chennai, India, December 11-14, 2011. Proceedings , 2011, INDOCRYPT.

[3]  Vincent Rijmen,et al.  Plateau Characteristics and AES , 2007 .

[4]  Anne Canteaut Fast software encryption : 19th international workshop, FSE 2012, Washington, DC, USA, March 19-21, 2012 : revised selected papers , 2012 .

[5]  Joan Daemen,et al.  Differential Propagation Analysis of Keccak , 2012, FSE.

[6]  Dmitry Khovratovich,et al.  Cryptanalysis of Hash Functions with Structures , 2009, Selected Areas in Cryptography.

[7]  Orr Dunkelman Fast Software Encryption, 16th International Workshop, FSE 2009, Leuven, Belgium, February 22-25, 2009, Revised Selected Papers , 2009, FSE.

[8]  Vincent Rijmen,et al.  Plateau characteristics , 2007, IET Inf. Secur..

[9]  Thomas Peyrin,et al.  Unaligned Rebound Attack: Application to Keccak , 2012, FSE.

[10]  Anne Canteaut,et al.  Higher-Order Differential Properties of Keccak and Luffa , 2011, FSE.

[11]  Xuejia Lai,et al.  Improved zero-sum distinguisher for full round Keccak-f permutation , 2011, IACR Cryptol. ePrint Arch..

[12]  Anne Canteaut,et al.  Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256 , 2010, Selected Areas in Cryptography.

[13]  María Naya-Plasencia,et al.  Practical Analysis of Reduced-Round Keccak , 2011, INDOCRYPT.

[14]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[15]  Martin R. Albrecht,et al.  Algebraic Techniques in Differential Cryptanalysis , 2009, IACR Cryptol. ePrint Arch..

[16]  Alex Biryukov,et al.  Speeding up Collision Search for Byte-Oriented Hash Functions , 2009, CT-RSA.

[17]  Florian Mendel,et al.  The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl , 2009, FSE.