Practical Collision Attacks against Round-Reduced SHA-3

  • Jian Guo
  • Guohong Liao
  • Guozhen Liu
  • Meicheng Liu
  • Kexin Qiao
  • Ling SongEmail author


The Keccak hash function is the winner of the SHA-3 competition (2008–2012) and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced SHA-3 and some Keccak variants. Following the framework developed by Dinur et al. at FSE 2012 where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors to up to three rounds and hence achieve collision attacks for up to 6 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearizing S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. When linearization is applied to the first two rounds, 3-round connectors become possible. However, due to the quick reduction in the degree of freedom caused by linearization, the connector succeeds only when the 3-round differential trails satisfy some additional conditions. We develop dedicated strategies for searching differential trails and find that such special differential trails indeed exist. To summarize, we obtain the first real collisions on six instances, including three round-reduced instances of SHA-3, namely 5-round SHAKE128, SHA3-224 and SHA3-256, and three instances of Keccak contest, namely Keccak[1440, 160, 5, 160], Keccak[640, 160, 5, 160] and Keccak[1440, 160, 6, 160], improving the number of practically attacked rounds by two. It is remarked that the work here is still far from threatening the security of the full 24-round SHA-3 family.


Cryptanalysis Hash function SHA-3 Keccak Collision Linearization Differential GPU 



This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore, under its Strategic Capability Research Centres Funding Initiative, NTU under research grants M4080456 and M4082123, and Ministry of Education Singapore under Grant M4012049. Guohong Liao is partially supported by the National Natural Science Foundation of China (Grant No. 61572028). Guozhen Liu is partially supported by the State Scholarship Fund (No. 201706230141) organized by China Scholarship Council. Meicheng Liu is partially supported by the National Natural Science Foundation of China (Grant No. 61672516). Kexin Qiao and Ling Song are partially supported by the National Natural Science Foundation of China (Grant Nos. 61802399, 61802400, 61732021 and 61772519), the Youth Innovation Promotion Association CAS, and Chinese Major Program of National Cryptography Development Foundation (Grant No. MMJJ20180102).

Supplementary material


  1. 1.
    J.-P. Aumasson, W. Meier. Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. rump session of Cryptographic Hardware and Embedded Systems-CHES, 2009 (2009)Google Scholar
  2. 2.
    G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. Keccak crunchy crypto collision and pre-image contest.
  3. 3.
    G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. Cryptographic sponge functions. Submission to NIST (Round 3) (2011).
  4. 4.
    G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. The Keccak reference., January (2011). Version 3.0
  5. 5.
    G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. KeccakTools., (2015)
  6. 6.
    A. Canteaut, editor. in Fast Software Encryption—19th International Workshop, FSE 2012, Washington, DC, USA, March 19-21, 2012. Revised Selected Papers, volume 7549 of Lecture Notes in Computer Science ( Springer, 2012)Google Scholar
  7. 7.
    P.-L. Cayrel, G. Hoffmann, M. Schneider. GPU implementation of the Keccak hash function family. in International Conference on Information Security and Assurance, (Springer, 2011), pp. 33–42Google Scholar
  8. 8.
    J. Daemen. Cipher and Hash Function Design Strategies Based on Linear and Differential Cryptanalysis. Ph.D. thesis, Doctoral Dissertation, March 1995, KU Leuven (1995)Google Scholar
  9. 9.
    J. Daemen, G. V. Assche. Differential propagation analysis of Keccak. in Canteaut [6], pp. 422–441Google Scholar
  10. 10.
    I. Dinur, O. Dunkelman, A. Shamir. New attacks on Keccak-224 and Keccak-256. in Canteaut [6], pp. 442–461Google Scholar
  11. 11.
    I. Dinur, O. Dunkelman, A. Shamir. Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. in S. Moriai, editor, Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers, volume 8424 of Lecture Notes in Computer Science, (Springer, 2013), pp. 219–240Google Scholar
  12. 12.
    I. Dinur, O. Dunkelman, A. Shamir. Improved practical attacks on round-reduced Keccak. J. Cryptol. 27(2), 183–209 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    I. Dinur, P. Morawiecki, J. Pieprzyk, M. Srebrny, M. Straus. Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. in E. Oswald, M. Fischlin, editors, Advances in Cryptology—EUROCRYPT 2015, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I, volume 9056 of LNCS, (Springer, 2015), pp. 733–761Google Scholar
  14. 14.
    A. Duc, J. Guo, T. Peyrin, L. Wei. Unaligned rebound attack: application to Keccak. in Canteaut [6], pp. 402–421Google Scholar
  15. 15.
    J. Guo, J. Jean, I. Nikolic, K. Qiao, Y. Sasaki, S. M. Sim. Invariant subspace attack against Midori64 and the resistance criteria for S-box designs. IACR Trans. Symmetric Cryptol. 2016(1), 33–56 (2016)Google Scholar
  16. 16.
    J. Guo, M. Liu, L. Song. Linear structures: applications to cryptanalysis of round-reduced Keccak. in J. H. Cheon, T. Takagi, editors, Advances in Cryptology—ASIACRYPT 2016, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I, volume 10031 of LNCS, (2016), pp. 249–274Google Scholar
  17. 17.
    J. Jean, I. Nikolic. Internal differential boomerangs: practical analysis of the round-reduced Keccak-f permutation. In G. Leander, editor, Fast Software Encryption—FSE 2015, Istanbul, Turkey, March 8–11, 2015, Revised Selected Papers, volume 9054 of LNCS, (Springer, 2015), pp. 537–556Google Scholar
  18. 18.
    S. Kölbl, F. Mendel, T. Nad, M. Schläffer. Differential cryptanalysis of Keccak variants. in M. Stam, editor, Cryptography and Coding—14th IMA International Conference, IMACC 2013, Oxford, UK, December 17–19, 2013. Proceedings, volume 8308 of Lecture Notes in Computer Science, (Springer, 2013), pp. 141–157Google Scholar
  19. 19.
    S. Mella, J. Daemen, G. V. Assche. New techniques for trail bounds and application to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017)Google Scholar
  20. 20.
    G. S. Murthy. Optimal loop unrolling for GPGPU programs. Ph.D. thesis, The Ohio State University (2009)Google Scholar
  21. 21.
    M. Naya-Plasencia, A. Röck, W. Meier. Practical analysis of reduced-round Keccak. in D. J. Bernstein, S. Chatterjee, editors, Progress in Cryptology—INDOCRYPT 2011—12th International Conference on Cryptology in India, Chennai, India, December 11–14, 2011. Proceedings, volume 7107 of Lecture Notes in Computer Science, (Springer, 2011), pp. 236–254Google Scholar
  22. 22.
    NIST. SHA-3 Competition., 2007–2012
  23. 23.
    C. Nvidia. CUDA C programming guide. Nvidia Corporation, 120(18) (2011)Google Scholar
  24. 24.
    K. Qiao, L. Song, M. Liu, J. Guo. New collision attacks on round-reduced Keccak. in J. Coron, J. B. Nielsen, editors, Advances in Cryptology—EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30–May 4, 2017, Proceedings, Part III, volume 10212 of Lecture Notes in Computer Science, (2017), pp. 216–243Google Scholar
  25. 25.
    G. Sevestre. Implementation of Keccak hash function in tree hashing mode on Nvidia GPU (2010)Google Scholar
  26. 26.
    L. Song, G. Liao, J. Guo. Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. in J. Katz, H. Shacham, editors, Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20–24, 2017, Proceedings, Part II, volume 10402 of Lecture Notes in Computer Science, (Springer, 2017), pp. 428–451Google Scholar
  27. 27.
    The U.S. National Institute of Standards and Technology. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions . Federal Information Processing Standard, FIPS 202, 5th August (2015)Google Scholar
  28. 28.
    V. Volkov. Better performance at lower occupancy. in Proceedings of the GPU technology conference, GTC, volume 10. San Jose, CA (2010)Google Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Jian Guo
    • 2
  • Guohong Liao
    • 3
  • Guozhen Liu
    • 1
    • 2
  • Meicheng Liu
    • 6
  • Kexin Qiao
    • 5
  • Ling Song
    • 2
    • 4
    • 6
    Email author
  1. 1.School of Cyber SecurityShanghai Jiao Tong UniversityShanghaiChina
  2. 2.Division of Mathematical Sciences, School of Physical and Mathematical SciencesNanyang Technological UniversitySingaporeSingapore
  3. 3.South China Normal UniversityGuangzhouChina
  4. 4.Strategic Centre for Research in Privacy-Preserving Technologies and SystemsNanyang Technological UniversitySingaporeSingapore
  5. 5.Beijing Unionpay Card Technology Co., Ltd.BeijingChina
  6. 6.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina

Personalised recommendations