Journal of Cryptology

, Volume 27, Issue 2, pp 183–209 | Cite as

Improved Practical Attacks on Round-Reduced Keccak

  • Itai DinurEmail author
  • Orr Dunkelman
  • Adi Shamir


The Keccak hash function is the winner of NIST’s SHA-3 competition, and so far it showed remarkable resistance against practical collision finding attacks: After several years of cryptanalysis and a lot of effort, the largest number of Keccak rounds for which actual collisions were found was only 2. In this paper, we develop improved collision finding techniques which enable us to double this number. More precisely, we can now find within a few minutes on a single PC actual collisions in the standard Keccak-224 and Keccak-256, where the only modification is to reduce their number of rounds to 4. When we apply our techniques to 5-round Keccak, we can get in a few days near collisions, where the Hamming distance is 5 in the case of Keccak-224 and 10 in the case of Keccak-256. Our new attack combines differential and algebraic techniques, and uses the fact that each round of Keccak is only a quadratic mapping in order to efficiently find pairs of messages which follow a high probability differential characteristic. Since full Keccak has 24 rounds, our attack does not threaten the security of the hash function.

Key words

Cryptanalysis SHA-3 Keccak Collision Near-collision Practical attack 



The second author was supported in part by the Israel Science Foundation through grant No. 827/12.


  1. [1]
    M.R. Albrecht, C. Cid, Algebraic techniques in differential cryptanalysis, in Dunkelman [13], pp. 193–208 Google Scholar
  2. [2]
    J.-P. Aumasson, W. Meier, Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. NIST mailing list, 2009 Google Scholar
  3. [3]
    D.J. Bernstein, Second preimages for 6 (7? (8??)) rounds of Keccak? NIST mailing list, 2010 Google Scholar
  4. [4]
    G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge functions. Presented at the ECRYPT Hash Workshop, 2007 Google Scholar
  5. [5]
    G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, The Keccak SHA-3 submission. Submission to NIST (Round 3), 2011 Google Scholar
  6. [6]
    C. Boura, A. Canteaut, Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256, in Selected Areas in Cryptography, ed. by A. Biryukov, G. Gong, D.R. Stinson. Lecture Notes in Computer Science, vol. 6544 (Springer, Berlin, 2010), pp. 1–17 CrossRefGoogle Scholar
  7. [7]
    C. Boura, A. Canteaut, C. De Cannière, Higher-order differential properties of Keccak and Luffa, in FSE, ed. by A. Joux. Lecture Notes in Computer Science, vol. 6733 (Springer, Berlin, 2011), pp. 252–269 Google Scholar
  8. [8]
    A. Canteaut (ed.), Fast Software Encryption—19th International Workshop, FSE 2012, Washington, DC, USA, March 19–21, 2012. Lecture Notes in Computer Science, vol. 7549 (Springer, Berlin, 2012), Revised selected papers zbMATHGoogle Scholar
  9. [9]
    J. Daemen, G. Van Assche, Differential propagation analysis of Keccak, in Canteaut [8], pp. 422–441 Google Scholar
  10. [10]
    J. Daemen, V. Rijmen, Plateau characteristics. IET Inf. Secur. 1(1), 11–17 (2007) CrossRefGoogle Scholar
  11. [11]
    M. Duan, X. Lai, Improved zero-sum distinguisher for full round Keccak-f permutation. Cryptology ePrint Archive, Report 2011/023, 2011 Google Scholar
  12. [12]
    A. Duc, J. Guo, T. Peyrin, L. Wei, Unaligned rebound attack: application to Keccak, in Canteaut [8], pp. 402–421 Google Scholar
  13. [13]
    O. Dunkelman (ed.), Fast Software Encryption, 16th International Workshop, FSE 2009, Leuven, Belgium, February 22–25, 2009. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), Revised selected papers zbMATHGoogle Scholar
  14. [14]
    D. Khovratovich, Cryptanalysis of hash functions with structures, in Selected Areas in Cryptography, ed. by M.J. Jacobson Jr., V. Rijmen, R. Safavi-Naini. Lecture Notes in Computer Science, vol. 5867 (Springer, Berlin, 2009), pp. 108–125 CrossRefGoogle Scholar
  15. [15]
    D. Khovratovich, A. Biryukov, I. Nikolic, Speeding up collision search for byte-oriented hash functions, in CT-RSA, ed. by M. Fischlin. Lecture Notes in Computer Science, vol. 5473 (Springer, Berlin, 2009), pp. 164–181 Google Scholar
  16. [16]
    F. Mendel, C. Rechberger, M. Schläffer, S.S. Thomsen, The rebound attack: cryptanalysis of reduced Whirlpool and Grøstl, in Dunkelman [13], pp. 260–276 Google Scholar
  17. [17]
    P. Morawiecki, M. Srebrny, A SAT-based preimage analysis of reduced KECCAK hash functions. Cryptology ePrint Archive, Report 2010/285, 2010 Google Scholar
  18. [18]
    M. Naya-Plasencia, A. Röck, W. Meier, Practical analysis of reduced-round Keccak, in Progress in Cryptology—INDOCRYPT 2011, ed. by D.J. Bernstein, S. Chatterjee. Lecture Notes in Computers Science, vol. 7107 (Springer, Heidelberg, 2011) Google Scholar
  19. [19]
    The Keccak team, Keccak crunchy crypto collision and pre-image contest, 2011 Google Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  1. 1.Computer Science DepartmentThe Weizmann InstituteRehovotIsrael
  2. 2.Computer Science DepartmentUniversity of HaifaHaifaIsrael

Personalised recommendations