## Abstract

The Keccak hash function is the winner of the SHA-3 competition (2008–2012) and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced SHA-3 and some Keccak variants. Following the framework developed by Dinur et al. at FSE 2012 where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors to up to three rounds and hence achieve collision attacks for up to 6 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearizing S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. When linearization is applied to the first two rounds, 3-round connectors become possible. However, due to the quick reduction in the degree of freedom caused by linearization, the connector succeeds only when the 3-round differential trails satisfy some additional conditions. We develop dedicated strategies for searching differential trails and find that such special differential trails indeed exist. To summarize, we obtain the first real collisions on six instances, including three round-reduced instances of SHA-3, namely 5-round SHAKE128, SHA3-224 and SHA3-256, and three instances of Keccak contest, namely Keccak[1440, 160, 5, 160], Keccak[640, 160, 5, 160] and Keccak[1440, 160, 6, 160], improving the number of practically attacked rounds by two. It is remarked that the work here is still far from threatening the security of the full 24-round SHA-3 family.

## Keywords

Cryptanalysis Hash function SHA-3 Keccak Collision Linearization Differential GPU## Notes

### Acknowledgements

This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore, under its Strategic Capability Research Centres Funding Initiative, NTU under research grants M4080456 and M4082123, and Ministry of Education Singapore under Grant M4012049. Guohong Liao is partially supported by the National Natural Science Foundation of China (Grant No. 61572028). Guozhen Liu is partially supported by the State Scholarship Fund (No. 201706230141) organized by China Scholarship Council. Meicheng Liu is partially supported by the National Natural Science Foundation of China (Grant No. 61672516). Kexin Qiao and Ling Song are partially supported by the National Natural Science Foundation of China (Grant Nos. 61802399, 61802400, 61732021 and 61772519), the Youth Innovation Promotion Association CAS, and Chinese Major Program of National Cryptography Development Foundation (Grant No. MMJJ20180102).

## Supplementary material

## References

- 1.J.-P. Aumasson, W. Meier. Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi.
*rump session of Cryptographic Hardware and Embedded Systems-CHES*, 2009 (2009)Google Scholar - 2.G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. Keccak crunchy crypto collision and pre-image contest. http://keccak.noekeon.org/crunchy_contest.html
- 3.G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. Cryptographic sponge functions.
*Submission to NIST (Round 3)*(2011). http://sponge.noekeon.org/CSF-0.1.pdf - 4.G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. The Keccak reference. http://keccak.noekeon.org, January (2011). Version 3.0
- 5.G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. KeccakTools. http://keccak.noekeon.org/, (2015)
- 6.A. Canteaut, editor. in
*Fast Software Encryption—19th International Workshop, FSE 2012, Washington, DC, USA, March 19-21, 2012. Revised Selected Papers*, volume 7549 of*Lecture Notes in Computer Science*( Springer, 2012)Google Scholar - 7.P.-L. Cayrel, G. Hoffmann, M. Schneider. GPU implementation of the Keccak hash function family. in
*International Conference on Information Security and Assurance*, (Springer, 2011), pp. 33–42Google Scholar - 8.J. Daemen.
*Cipher and Hash Function Design Strategies Based on Linear and Differential Cryptanalysis*. Ph.D. thesis, Doctoral Dissertation, March 1995, KU Leuven (1995)Google Scholar - 9.J. Daemen, G. V. Assche. Differential propagation analysis of Keccak. in Canteaut [6], pp. 422–441Google Scholar
- 10.I. Dinur, O. Dunkelman, A. Shamir. New attacks on Keccak-224 and Keccak-256. in Canteaut [6], pp. 442–461Google Scholar
- 11.I. Dinur, O. Dunkelman, A. Shamir. Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. in S. Moriai, editor,
*Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers*, volume 8424 of*Lecture Notes in Computer Science*, (Springer, 2013), pp. 219–240Google Scholar - 12.I. Dinur, O. Dunkelman, A. Shamir. Improved practical attacks on round-reduced Keccak.
*J. Cryptol.***27**(2), 183–209 (2014)MathSciNetCrossRefzbMATHGoogle Scholar - 13.I. Dinur, P. Morawiecki, J. Pieprzyk, M. Srebrny, M. Straus. Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. in E. Oswald, M. Fischlin, editors,
*Advances in Cryptology—EUROCRYPT 2015, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I*, volume 9056 of*LNCS*, (Springer, 2015), pp. 733–761Google Scholar - 14.A. Duc, J. Guo, T. Peyrin, L. Wei. Unaligned rebound attack: application to Keccak. in Canteaut [6], pp. 402–421Google Scholar
- 15.J. Guo, J. Jean, I. Nikolic, K. Qiao, Y. Sasaki, S. M. Sim. Invariant subspace attack against Midori64 and the resistance criteria for S-box designs.
*IACR Trans. Symmetric Cryptol.***2016**(1), 33–56 (2016)Google Scholar - 16.J. Guo, M. Liu, L. Song. Linear structures: applications to cryptanalysis of round-reduced Keccak. in J. H. Cheon, T. Takagi, editors,
*Advances in Cryptology—ASIACRYPT 2016, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I*, volume 10031 of*LNCS*, (2016), pp. 249–274Google Scholar - 17.J. Jean, I. Nikolic. Internal differential boomerangs: practical analysis of the round-reduced Keccak-f permutation. In G. Leander, editor,
*Fast Software Encryption—FSE 2015, Istanbul, Turkey, March 8–11, 2015, Revised Selected Papers*, volume 9054 of*LNCS*, (Springer, 2015), pp. 537–556Google Scholar - 18.S. Kölbl, F. Mendel, T. Nad, M. Schläffer. Differential cryptanalysis of Keccak variants. in M. Stam, editor,
*Cryptography and Coding—14th IMA International Conference, IMACC 2013, Oxford, UK, December 17–19, 2013. Proceedings*, volume 8308 of*Lecture Notes in Computer Science*, (Springer, 2013), pp. 141–157Google Scholar - 19.S. Mella, J. Daemen, G. V. Assche. New techniques for trail bounds and application to differential trails in Keccak.
*IACR Trans. Symmetric Cryptol.***2017**(1), 329–357 (2017)Google Scholar - 20.G. S. Murthy.
*Optimal loop unrolling for GPGPU programs*. Ph.D. thesis, The Ohio State University (2009)Google Scholar - 21.M. Naya-Plasencia, A. Röck, W. Meier. Practical analysis of reduced-round Keccak. in D. J. Bernstein, S. Chatterjee, editors,
*Progress in Cryptology—INDOCRYPT 2011—12th International Conference on Cryptology in India, Chennai, India, December 11–14, 2011. Proceedings*, volume 7107 of*Lecture Notes in Computer Science*, (Springer, 2011), pp. 236–254Google Scholar - 22.NIST. SHA-3 Competition. http://csrc.nist.gov/groups/ST/hash/sha-3/index.html, 2007–2012
- 23.
- 24.K. Qiao, L. Song, M. Liu, J. Guo. New collision attacks on round-reduced Keccak. in J. Coron, J. B. Nielsen, editors,
*Advances in Cryptology—EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30–May 4, 2017, Proceedings, Part III*, volume 10212 of*Lecture Notes in Computer Science*, (2017), pp. 216–243Google Scholar - 25.G. Sevestre. Implementation of Keccak hash function in tree hashing mode on Nvidia GPU (2010)Google Scholar
- 26.L. Song, G. Liao, J. Guo. Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. in J. Katz, H. Shacham, editors,
*Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20–24, 2017, Proceedings, Part II*, volume 10402 of*Lecture Notes in Computer Science*, (Springer, 2017), pp. 428–451Google Scholar - 27.The U.S. National Institute of Standards and Technology. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions . Federal Information Processing Standard, FIPS 202, 5th August (2015)Google Scholar
- 28.V. Volkov. Better performance at lower occupancy. in
*Proceedings of the GPU technology conference, GTC*, volume 10. San Jose, CA (2010)Google Scholar