Self-Differential Cryptanalysis of Up to 5 Rounds of SHA-3

On October 2nd, 2012, NIST announced its selection of the Keccak scheme as the new SHA-3 hash standard. In this paper we present the first published collision-finding attacks on reduced-round versions of Keccak-384 and Keccak-512, providing actual collisions for 3-round versions and describing attacks which are much faster than birthday attacks for 4-round Keccak-384. For Keccak-256, we increase the number of rounds which can be attacked to 5. All these results are based on a new type of self-differential attack, which maps a large number of Keccak inputs into a relatively small subset of possible outputs with a surprisingly large probability, making it easier to find random collisions in this subset.
