New Collision Attacks on Round-Reduced Keccak
Abstract
In this paper, we focus on collision attacks against the Keccak hash function family and some of its variants. Following the framework developed by Dinur et al. at FSE 2012, where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors one round further and hence achieve collision attacks for up to 5 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearization of all S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. However, due to the quick reduction of freedom caused by the linearization, the system has a solution only when the 3-round differential trails satisfy some additional conditions. We develop a dedicated differential trail search strategy and find that such special differentials indeed exist. As a result, the first practical collision attack against 5-round SHAKE128 and two 5-round instances of the Keccak collision challenges are found with real examples. We also give the first results against 5-round Keccak-224 and 6-round Keccak collision challenges. It is remarked that the work here is still far from threatening the security of the full 24-round Keccak family.
Keywords
Keccak, SHA-3, Hash function, Linearization, Differential
1 Introduction
The Keccak [3, 5] family of hash functions has attracted intensive cryptanalysis since its submission to the SHA-3 competition in 2008 [1, 9, 10, 11, 13, 14, 16, 17, 19]. In 2012, the National Institute of Standards and Technology of the U.S. selected Keccak as the winner of the SHA-3 competition. The SHA-3 family consists of four cryptographic hash functions of fixed digest sizes and two eXtendable-Output Functions (XOFs) named SHAKE128 and SHAKE256, each of which is based on an instance of the Keccak algorithms [18]. Keccak [r, c, d] applies the sponge construction with bitrate r and capacity c to generate d-bit digests from messages of arbitrary length, where \(d=224, 256, 384, 512\) in the official SHA-3 versions and \(d=160, 80\) in the Keccak Crunchy Crypto Collision and Preimage Contest [2]. Depending on the size \(r+c\) of the internal state, taken from the set \(\{200, 400, 800, 1600\}\), each of the challenge versions has 4 variants. SHAKE128 and SHAKE256 generate digests that can be extended to any desired length. The suffixes “128” and “256” indicate the security strengths against generic attacks that these two functions support.
In this paper, we focus on collision attacks against the Keccak family, i.e., finding two different messages such that their hash digests are the same. The best previous practical collision attacks on the Keccak family are on Keccak-224 and Keccak-256 reduced to 4 rounds, found by Dinur et al. [10] in 2012 and later extended in the journal version [12]. After this, theoretical results improved to 5-round Keccak-256 [11]. However, the number of practically attacked rounds remains at 4. To promote cryptanalysis against Keccak, the Keccak design team proposed smaller variants in the Keccak challenge [2], with a 160-bit digest for collision attacks and an 80-bit digest for preimage attacks, with each of the 4 internal-state sizes reduced to from 1 to 12 rounds. The ideal security levels of both are set to \(2^{80}\) unit computations for collisions and preimages, respectively. This is a level much lower than that of the main 4 instances of SHA-3, but still beyond the reach of the computation resources one may currently have. The current best solutions of collision challenges are instances reduced to up to 4 rounds, by Dinur et al. [10] and Mendel et al. [17]. Theoretical results were found by Dinur et al. [11] against Keccak-256 with complexity \(2^{115}\) using generalized internal differentials. To the best of our knowledge, this remains the only result on collision attacks against Keccak reduced to 5 or more rounds to date.
Our Contribution. We develop an algebraic and differential hybrid method to launch collision attacks on the Keccak family and practically find collisions of 5-round SHAKE128 and two 5-round instances of the Keccak collision challenges. Theoretical results, with complexities below the birthday bound, against 5-round Keccak-224 and 6-round Keccak collision challenges are also achieved.
These results follow from a crucial observation: the Keccak S-box can be re-expressed as a linear transformation when its input is restricted to certain affine subspaces. It was already noted by Daemen et al. [3, 8] and Dinur et al. [10] that when the input and output differences are fixed, the solution set of the Keccak S-box contains affine subspaces of dimension up to 3. In this paper, we show that the maximum dimension of a subspace allowing linearization of the S-box is 2. Furthermore, all such affine subspaces of dimension up to 2 allow S-box linearization, and for those of dimension 3, six 2-dimensional affine subspaces contained in them allow the linearization. With this property in mind, we enforce linearization of all S-boxes in the first round, under which the first round function of the Keccak permutation is transformed into a linear one. Combined with an inversion method for the S-box layer of the second round, we convert the problem of finding two-round connectors into that of solving a system of linear equations. Solving the equations once produces sufficiently many solutions that at least one of them will follow the differential trail in the following 3 rounds or more.
A side effect of linearizing all S-boxes is a quick reduction of degrees of freedom, which in turn decides the existence of such two-round connectors. To solve this problem, we aim to find differential trails which impose as few conditions as possible on the two-round connectors. We design a dedicated search strategy to find suitable differential trails of up to 4 rounds. Our implementation confirmed the correctness of this idea, and found real examples of collisions for 5-round SHAKE128 and two instances of the challenge versions.
Collision attack results and comparison

| Target [r, c, d] | \(n_r\) | Searching complexity | Searching time | Solving time\(^{2}\) | Reference |
|---|---|---|---|---|---|
| SHAKE128 | 5 | \(2^{39}\) | 30 m | 25 m | Sect. 6.2 |
| Keccak [1440, 160, 160] | 5 | \(2^{40}\) | 2.48 h | 9.6 s | Sect. 6.1 |
| | 6 | \(2^{70.24}\) | N.A.\(^{1}\) | 1 h | Sect. 6.4 |
| Keccak [640, 160, 160] | 5 | \(2^{35}\) | 2.67 h | 30 m | Sect. 6.3 |
| Keccak-224 | 4 | \(2^{24}\) | 2–3 m | | [10] |
| | 4 | \(2^{12}\) | 0.3 s | 2 m 15 s | Sect. 6.6 |
| | 5 | \(2^{101}\) | N.A. | N.A. | Sect. 6.5 |
| Keccak-256 | 4 | \(2^{24}\) | 15–30 m | | [10] |
| | 4 | \(2^{12}\) | 0.28 s | 7 m | Sect. 6.6 |
Organization. The rest of the paper is organized as follows. In Sects. 2 and 3, notations and a brief description of Keccak family are given. In Sect. 4, we give a detailed description of the algebraic methods to achieve 2round connectors. In Sect. 5, we give the dedicated search strategies for differential trails. Then the experimental results are presented in Sect. 6. We conclude the paper in Sect. 7.
2 Notations
3 Description of Keccak
The Keccak permutation function in SHA-3 consists of 24 rounds of five layers operating on the 1600-bit state, which can be represented as \(5\times 5\) 64-bit lanes. In general, \(2^l\) is used to denote the bit length of the lanes. If A denotes a 5-by-5-by-\(2^l\) array of bits that represents the state, then its indices are the integer triples (i, j, k) for which \(0\le i<5, 0\le j<5,\) and \(0\le k<2^l\). The bit that corresponds to (i, j, k) is denoted by A[i, j, k]. Names for single-dimensional and two-dimensional sub-arrays are defined by the Keccak designers: \(A[\cdot ][j][k]\) is called a row, \(A[i][\cdot ][k]\) is a column, and \(A[i][j][\cdot ]\) is a lane; \(A[i][\cdot ][\cdot ]\) is called a sheet, \(A[\cdot ][j][\cdot ]\) is a plane, and \(A[\cdot ][\cdot ][k]\) is a slice.
The first three layers are linear mappings and we denote their composition by \(L \triangleq \theta \circ \rho \circ \pi \). The only nonlinear layer of the permutation is \(\chi \), which can be seen as an S-box layer that applies a 5-bit substitution to each of the 320 rows of the state. We use \(\mathtt{S}(x)\) to denote the substitution of a 5-bit input value x. The difference distribution table of the S-box is denoted by DDT, where \(\mathtt{DDT} (\delta _{in},\delta _{out})\) is the size of the set \(\{x:\mathtt{S}(x)+\mathtt{S}(x+\delta _{in})=\delta _{out}\}\). We denote the Keccak permutation reduced to the first i rounds by \(\mathtt{R}^i\) (the round functions are identical up to the constant added in \(\iota \), and we omit \(\iota \) as it has little impact on our differential collision attack), i.e., \(\mathtt{R}^i(\overline{M})\) is the state after i rounds of processing the padded message \(\overline{M}\).
4 Overview of Our Collision Attack
In this section, we give an overview of our collision attacks, followed by the details of the algebraic methods to achieve two-round connectors. Unless specified otherwise, we assume in this paper that the messages used are one block long after padding. To fulfil the Keccak padding rule, one needs to fix the last bit of the padded message to “1”; hence the first \(r-1\) bits of the state are under the full control of the attacker through the message bits, and the last c bits of the state are fixed to zeros as in the IV specified by Keccak. When applied to SHAKE, there are \(r-6\) free bits under control, obtained by setting the last 6 bits of the padded message to all 1’s so that it is compatible with the specific SHAKE padding rule.
Following the framework by Dinur et al. [10], as well as many other collision attacks utilizing differential trails, our collision attacks consist of two parts, i.e., a high-probability differential trail and a connector linking the differential trail with the initial value, as depicted in Fig. 2. Let \(\varDelta S_{I}\) and \(\varDelta S_{O}\) denote the input and output differences of the differential trail, respectively. Dinur et al. explored a method, which they call the “target difference algorithm”, to find message pairs \((M, M')\) such that the output difference after one round of the permutation is \(\varDelta S_{I}\), formally \(\mathtt{R}^1(\overline{M} \| 0^c) +\mathtt{R}^1(\overline{M'} \| 0^c) = \varDelta S_{I}\). In what follows, we show an algebraic method to extend this connector to two rounds, i.e., a new target difference algorithm to find \((M, M')\) such that \(\mathtt{R}^2(\overline{M} \| 0^c) +\mathtt{R}^2(\overline{M'} \| 0^c) = \varDelta S_{I}\). The differential trail is then fulfilled probabilistically with many such message pairs, and a collision is produced if the first d bits of \(\varDelta S_{O}\) are 0. As we are aiming at low-complexity attacks, finding solutions of connectors should be practical so that this part does not dominate the overall complexity of collision finding. Details of the differential trail search will be discussed in Sect. 5.
4.1 S-Box Linearization and Affine Subspaces
The key observation is that the internal state is much larger than the digest size, providing a large number of degrees of freedom to the attacker. One can choose some subsets of the available space with special properties to achieve fast enumeration. In the case of Keccak, we choose subsets which are linear with respect to the S-box, i.e., the S-box can be rewritten as a linear transformation when its input is restricted to such subsets. The S-box is obviously nonlinear when the entire \(2^{5}\) input space is considered. However, as shown below, affine subspaces of size up to 4 can be found on which the S-box can be linearized. Note that the S-box is the only nonlinear part of the Keccak round function. Hence, the entire round function becomes linear when restricted to such subspaces. Formally, we define
Definition 1
(Linearizable affine subspace). Linearizable affine subspaces are affine input subspaces on which the S-box substitution is equivalent to a linear transformation. If V is a linearizable affine subspace of an S-box operation \(\mathtt{S}(\cdot )\), then \(\forall x\in V, \mathtt{S}(x)=A\cdot x+b\), where A is a matrix and b is a constant vector.
Exhaustive search for the linearizable affine subspaces of the Keccak S-box shows:
Observation 1
For completeness, any 1-dimensional affine subspace is automatically a linearizable affine subspace.
Since the affine subspaces are to be used together with differential trails, we are interested in those linearizable affine subspaces with fixed input and output differences, which relate to the difference distribution table (DDT) of the S-box. Referring to the DDT of the Keccak S-box, postponed to Appendix B, we observe:
Observation 2
 a. If \(\mathtt{DDT} (\delta _{in},\delta _{out})=2\) or 4, then V is a linearizable affine subspace.
 b. If \(\mathtt{DDT} (\delta _{in},\delta _{out})=8\), then there are six 2-dimensional subsets \(W_i\subset V, i=0,1,\cdots ,5\), such that each \(W_i\) is a linearizable affine subspace.
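As an added example (not code from the paper), the following Python checks Observations 1 and 2 directly on the Keccak S-box: it builds the solution sets \(V=\{x:\mathtt{S}(x)+\mathtt{S}(x+\delta _{in})=\delta _{out}\}\), tests linearizability in the sense of Definition 1, and also confirms that no affine subspace of dimension 3 is linearizable (the maximum of 2 stated in the introduction). The bit ordering of the S-box (bit i of x holds \(a_i\)) and all function names are assumptions of this example.

```python
"""Linearizable affine subspaces of the Keccak S-box (Sect. 4.1, Observations 1 and 2).

Added example, not code from the paper. It enumerates the DDT solution sets
V = {x : S(x) + S(x + d_in) = d_out} and checks on which affine input subspaces the
5-bit chi S-box acts as an affine map A.x + b (Definition 1)."""
from itertools import combinations


def sbox(x):
    """chi on one 5-bit row: b_i = a_i ^ (~a_{i+1} & a_{i+2}); bit i of x holds a_i."""
    a = [(x >> i) & 1 for i in range(5)]
    return sum((a[i] ^ ((a[(i + 1) % 5] ^ 1) & a[(i + 2) % 5])) << i for i in range(5))


S = [sbox(x) for x in range(32)]


def ddt_set(d_in, d_out):
    """Solution set of the differential d_in -> d_out; its size is DDT(d_in, d_out)."""
    return frozenset(x for x in range(32) if S[x] ^ S[x ^ d_in] == d_out)


def is_affine_subspace(V):
    """A non-empty subset of GF(2)^5 is an affine subspace iff it is closed under x+y+z."""
    return bool(V) and all(x ^ y ^ z in V for x in V for y in V for z in V)


def is_linearizable(V):
    """S(x) = A.x + b on V  <=>  S(x+y+z) = S(x)+S(y)+S(z) for all x, y, z in V:
    fixing z = x0 shows that v -> S(x0+v) + S(x0) is additive on the directions V + x0."""
    return is_affine_subspace(V) and all(
        S[x ^ y ^ z] == S[x] ^ S[y] ^ S[z] for x in V for y in V for z in V)


def affine_subspaces(dim):
    """All affine subspaces of GF(2)^5 of dimension dim, as frozensets of 5-bit values."""
    linear = set()
    for basis in combinations(range(1, 32), dim):
        span = {0}
        for b in basis:
            span |= {s ^ b for s in span}
        if len(span) == 2 ** dim:            # basis vectors were independent
            linear.add(frozenset(span))
    return {frozenset(x ^ c for x in U) for U in linear for c in range(32)}


def nonzero_ddt_sets():
    """Distinct solution sets V over all d_in, d_out != 0 with DDT(d_in, d_out) > 0."""
    sets = set()
    for d_in in range(1, 32):
        for d_out in range(1, 32):
            V = ddt_set(d_in, d_out)
            if V:
                sets.add(V)
    return sets


def check_observation_2a():
    """DDT = 2 or 4  =>  V itself is a linearizable affine subspace."""
    return all(is_linearizable(V) for V in nonzero_ddt_sets() if len(V) in (2, 4))


def linearizable_planes(V, planes=None):
    """Number of 2-dimensional affine subsets W of V on which S is linear."""
    planes = affine_subspaces(2) if planes is None else planes
    return sum(1 for W in planes if W <= V and is_linearizable(W))


def check_observation_2b():
    """DDT = 8  =>  exactly six linearizable 2-dimensional subsets W_i of V."""
    planes = affine_subspaces(2)
    return {linearizable_planes(V, planes) for V in nonzero_ddt_sets() if len(V) == 8} == {6}


def max_linearizable_dimension():
    """Largest d for which some d-dimensional affine subspace of GF(2)^5 is linearizable."""
    return max(d for d in range(5) if any(is_linearizable(V) for V in affine_subspaces(d)))


if __name__ == "__main__":
    V = ddt_set(0b00001, 0b00001)        # a DDT = 8 entry: one-bit difference kept by chi
    print("DDT(1,1) =", len(V), "; linearizable planes inside V:", linearizable_planes(V))
    print("Observation 2a:", check_observation_2a(), " Observation 2b:", check_observation_2b())
    print("maximum linearizable dimension:", max_linearizable_dimension())
```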
4.2 A Connector Covering Two Rounds
Algorithm for Building Two-Round Connectors. We use the basic linearization procedure to generate the equations confining x to a smaller subspace suitable for linearization of the first \(\chi \) layer, and the main linearization procedure to generate the final equations to bypass the second \(\chi \) layer. One of the inputs of the basic procedure is the equation system \(E_M\) on the values x; the other inputs are the input and output differences \(\beta _0, \alpha _1\) of the first S-box layer and \(y'\).
The Basic Linearization Procedure.
Inputs: \(E_M\), \(\beta _0,\alpha _1,y'\).
Outputs: updated \(E_M\), \(\chi _L,\chi _C\).
 1. Initialize a matrix \(\chi _L\) and a vector \(\chi _C\).
 2. Iterate on each bit of \(y'\); calculate the index of the bit at S-box level, say the j-th bit of the i-th S-box in the first round. Then for the i-th S-box in the first round:
 (a) If the i-th S-box has not been processed in this procedure before, then:
 (i) If it is non-active, randomly choose a linearizable 2-dimensional subspace and check whether the 3 equations specifying this 2-dimensional affine subspace are consistent with the current \(E_M\).
 If so, add them to \(E_M\) and update \(\chi _L\) and \(\chi _C\) with the j-th row of the matrix which specifies the affine linear transformation. Continue to the next bit of \(y'\) in step 2.
 Otherwise, try another linearizable 2-dimensional subspace. If all linearizable 2-dimensional subspaces have been tried and no consistent equations exist, output “No Solution in basic procedure”.
 (ii) Otherwise it is active: find its input and output differences \(\delta _{in}, \delta _{out}\) from \(\beta _0\) and \(\alpha _1\).
 Case 1. When \(\mathtt{DDT} (\delta _{in},\delta _{out})=8\), randomly choose one of the six linearizable 2-dimensional subspaces and the corresponding equation that specializes this 2-dimensional subspace (the other two of the three equations formulating the 2-dimensional subspace have already been added to \(E_M\) when \(\beta _0\) was chosen).
 If the current \(E_M\) is consistent with this linear equation, add it to \(E_M\) and update \(\chi _L\) and \(\chi _C\) with the j-th row of the matrix which specifies the linear map from the 2-dimensional subspace to the output 2-dimensional subspace of the S-box. Continue to the next bit of \(y'\) in step 2.
 Otherwise, try another randomly chosen 2-dimensional linearizable subspace. If all six 2-dimensional linearizable subspaces have been tried and no consistent equation exists, output “No Solution in basic procedure”.
 Case 2. When \(\mathtt{DDT} (\delta _{in},\delta _{out})=2\text { or }4\), update \(\chi _L\) and \(\chi _C\) with the j-th row of the matrix which specifies the affine linear transformation from the input 1- or 2-dimensional subspace to the output 1- or 2-dimensional subspace of the S-box. Continue to the next bit of \(y'\) in step 2.
 (b) Otherwise, if the i-th S-box has already been processed in this procedure: update \(\chi _L\) and \(\chi _C\) with the j-th row of the matrix which specifies the affine linear transformation from the predefined linearizable subspace to the output subspace of the S-box.
 3. Output the current equation system \(E_M\) as well as \(\chi _L\) and \(\chi _C\) such that \(\chi _L\cdot x+\chi _C=y'\).
The inputs to the main procedure are \(\beta _0,\alpha _1, \beta _1, \alpha _2(\varDelta S_I)\) and the \(E_M\) we get after choosing \(\beta _0\).
The Main Linearization Procedure.
Input: \(E_M, \beta _0,\alpha _1,\beta _1,\alpha _2\).
Output: Updated \(E_M\).
 1. Using \(\beta _1\) and \(\alpha _2\), initialize a coefficient matrix G and a constant vector m that specify the linear equations constraining the input bits of the second S-box layer, giving the equation \(G\cdot z=m\).
 2. Write L in matrix form so that \(L \cdot (y + RC[0]) = z\).
 3. Initialize a counter to 0.
 4. Execute the basic linearization procedure with the indexes of the known bits \(y'\) in y and \(E_M, \beta _0\) and \(\alpha _1\). If the procedure succeeds, it returns the matrix specifying the linearization of the first S-box layer such that \(\chi _L\cdot x+\chi _C=y'\); then continue to step 6. Otherwise, go to step 5.
 5. Increment the counter. If the counter’s value equals a preset threshold T1, output “Failed”. Otherwise, go to step 4.
 6. Test whether the equation system (5) is consistent with \(E_M\). If so, add the new system to \(E_M\) and output the final \(E_M\). Otherwise, go to step 5.
Note that the algorithms do not succeed all the time. To overcome this problem, starting from the input difference \(\varDelta S_I\) of a 3-round differential trail, we repeat random picks of compatible input differences \(\beta _1\) until the main procedure succeeds. As the number of active S-boxes in \(\alpha _2\) is large enough (ranging from tens to hundreds in our experiments), there are enough different choices of \(\beta _1\), resulting in a high final success probability. An interesting point is that the inversion from \(\alpha _2\) to \(\beta _1\) does not need to have high probability, because this transition is covered by our two-round connector. Besides, the unconstrained number of active S-boxes of an input difference allows more freedom in the search for the most suitable three-round differential trails. We describe the search strategies in Sect. 5. Finally, an exhaustive search for solutions following the 3-round differential trail can be performed over the solution space of \(E_M\).
4.3 Analysis of Degree of Freedom
The degree of freedom of the solution space of the final \(E_M\) is a key factor in the success of our method. A solution space with degree of freedom larger than the weight of the 3-round differential trail can yield a message pair with colliding digests. After the linearization of the first round, the degree of freedom is \(\sum _{i=0}^{\frac{b}{5}-1}{\mathtt{DF}} ^{(1)}_i\), where \({\mathtt{DF}} ^{(1)}_i\) is the degree of freedom of the 5-bit input space of the i-th S-box in the first round. The value of \({\mathtt{DF}} ^{(1)}_i\) is assigned according to the rules in Table 2.
Table 2. Rules for value assignment for \({\mathtt{DF}} ^{(1)}_i\).

| \({\mathtt{DF}} ^{(1)}_i\)\(^{*}\) | Non-active | \(\mathtt{DDT} (\delta _{in},\delta _{out})=2\) | \(\mathtt{DDT} (\delta _{in},\delta _{out})=4\) | \(\mathtt{DDT} (\delta _{in},\delta _{out})=8\) |
|---|---|---|---|---|
| Involved in \(y'\) | 2 | 1 | 2 | 2 |
| Not involved in \(y'\) | 5 | 1 | 2 | 3 |
4.4 How to Choose \(\beta _0\)
So far we have not given details on how \(\beta _0\) can be selected. We follow Dinur et al.’s work [10] in a more general way to uniquely determine \(\beta _0\), the difference before the \(\chi \) layer in the first round. The algorithm is called the “target difference algorithm” and consists of a difference phase and a value phase.
Given \(\varDelta S_{I}\), we have randomly chosen a compatible input difference \(\beta _1\). We then build two equation systems \(E_{\varDelta }\) and \(E_{M}\) accordingly: \(E_{\varDelta }\) is on the differences of the message pairs and \(E_{M}\) is on the values of one message. The initialization of \(E_{\varDelta }\) should abide by (1) the constraints implied by the padding rules, namely that the last \(c+1\) difference bits of the initial state equal 0, and (2) the requirement that the input difference bits of non-active S-boxes in the first round equal 0. The initialization of \(E_M\) should abide by the padding rules, namely that the last \(c+p\) value bits equal \(1^p0^c\). We set \(p=1\) for Keccak and \(p=6\) for SHAKE. These rules are easy to implement as the variable vector x is an invertible linear mapping of the initial vector. Therefore, in the initialization period, we equate the corresponding bits to their enforced values in \(E_{\varDelta }\) and \(E_M\).
For \(E_{\varDelta }\), we add additional equations to enforce that \(\alpha _1\) can be deduced from \(\beta _0\). Though the obvious way is to equate the 5 input difference bits to a specific value for each active S-box in \(\beta _0\), this restricts the solution space significantly. As suggested in [10], we choose one of the 2-dimensional affine subsets of input differences instead of a specific value for each active S-box. This is based on the fact that, given any nonzero 5-bit output difference of the Keccak S-box, the set of possible input differences contains at least five 2-dimensional affine subspaces. After a consistent \(E_{\varDelta }\) system has been constructed, the solution space is an affine subspace of candidates for \(\beta _0\). Then we continue to maintain \(E_{\varDelta }\) by iteratively adding the additional 2 equations that uniquely specify each 5-bit input difference for the active S-boxes. For all active S-boxes, once the specific input difference is determined, we add equations to the \(E_M\) system to enforce the 5 bits of x entering each active S-box to lie in the affine subspace corresponding to the uniquely determined \(\delta _{in}\) and \(\delta _{out}\). In this way, we always find a compatible \(\beta _0\) from \(\alpha _1\) fulfilling the constraints from the \(c+p\) bits of padding and the preset capacity bits.
5 Search for Differential Trails
In this section, we elaborate on our search algorithms for finding differential trails of Keccak. Our ideas greatly benefit from previous works on searching differential trails for Keccak [9, 14, 19]. We start by recalling several properties of the operations in the round function, followed by our considerations in finding differential trails. Then, we describe our search algorithms, which provide differential trails for practical collision attacks against Keccak [1440, 160, 5, 160], 5-round SHAKE128 and Keccak [640, 160, 5, 160], respectively, and trails for theoretical collision attacks against 5-round Keccak-224 and Keccak [1440, 160, 6, 160].
5.1 Properties of \(\theta ,\rho ,\pi ,\iota \) and \(\chi \)
\(\theta ,\rho ,\pi ,\iota \) are linear operations, while \(\chi \) acts as the parallel application of 5-bit nonlinear S-boxes on the rows of the state. Since \(\iota \) adds a round constant and has no essential effect on differences, we ignore it in this section. Additionally, \(\rho \) and \(\pi \) do not change the number of active bits in a differential trail, only their positions. Therefore, \(\theta \) and \(\chi \) are the crucial parts for differential analysis.
To describe the properties of \(\theta \), we take definitions from [3]. The column parity (or parity for short) P(A) of a value (or difference) A is defined as the parity of the columns of A, i.e., \(P(A)[i][k]=\sum _j A[i][j][k]\). A column is even if its parity is 0, otherwise it is odd. A state is in the CP-kernel if all its columns are even.
\(\theta \) adds a pattern to the state, and this pattern is called the \(\theta \)-effect. The \(\theta \)-effect of a state A is \(E(A)[i][k]=P(A)[i-1][k]+P(A)[i+1][k-1]\). So \(\theta \) depends only on column parities. The \(\theta \)-gap is defined as the Hamming weight of the \(\theta \)-effect divided by two. Note that if the \(\theta \)-gap is g, then applying \(\theta \) flips 10g bits. Given a state A in the CP-kernel, the \(\theta \)-gap is zero and hence the Hamming weight of A is preserved by \(\theta \). Another interesting property is that \(\theta ^{-1}\) diffuses much faster than \(\theta \). More exactly, a single-bit difference propagates to about half of the state bits through \(\theta ^{-1}\).
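An added example (not the paper's code) that implements the definitions above on a difference represented as the set of its active (i, j, k) positions: column parity P(A), the \(\theta \)-effect E(A), the \(\theta \)-gap, the check that \(\theta \) flips exactly 10g bits and fixes CP-kernel states, and \(\theta ^{-1}\) computed by inverting over GF(2) the 5w-by-5w map that \(\theta \) induces on the parity plane, so that the diffusion of a single-bit difference through \(\theta ^{-1}\) can be observed. The representation and all function names are assumptions of this example.

```python
"""Column parity, theta-effect, theta-gap and theta^{-1} diffusion (Sect. 5.1).

Added example, not code from the paper. A state (difference) is the set of its
active bit positions (i, j, k) with 0 <= i, j < 5 and 0 <= k < w, so Hamming
weights are set sizes. W = 64 is the lane length of Keccak-f[1600]."""

W = 64
_INV = {}   # cache: lane length -> inverse of the parity map T (see parity_map_inverse)


def parity(A):
    """Column parity P(A)[i][k] = sum_j A[i][j][k] mod 2, as the set of odd columns (i, k)."""
    p = set()
    for (i, _j, k) in A:
        p ^= {(i, k)}
    return p


def theta_effect(p, w=W):
    """theta-effect E[i][k] = P[i-1][k] + P[i+1][k-1], from the parity plane p:
    an odd column (i, k) contributes to E[i+1][k] and to E[i-1][k+1]."""
    e = set()
    for (i, k) in p:
        e ^= {((i + 1) % 5, k), ((i - 1) % 5, (k + 1) % w)}
    return e


def add_columns(A, cols):
    """Flip all five bits of every column (i, k) listed in cols."""
    out = set(A)
    for (i, k) in cols:
        out ^= {(i, j, k) for j in range(5)}
    return out


def theta(A, w=W):
    """theta adds the theta-effect to every bit of the affected columns."""
    return add_columns(A, theta_effect(parity(A), w))


def theta_gap(A, w=W):
    """theta-gap g = HW(E(A)) / 2; theta flips exactly 10 g bits (5 per effect bit)."""
    return len(theta_effect(parity(A), w)) // 2


def in_cp_kernel(A):
    """A is in the CP-kernel iff all of its columns are even."""
    return not parity(A)


def _gf2_inverse(rows, n):
    """Gauss-Jordan inverse of an invertible n x n matrix over GF(2); rows are bitmasks."""
    aug = [rows[r] | (1 << (n + r)) for r in range(n)]
    for c in range(n):
        piv = next(r for r in range(c, n) if aug[r] >> c & 1)
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r] >> c & 1:
                aug[r] ^= aug[c]
    return [row >> n for row in aug]


def parity_map_inverse(w=W):
    """Inverse of T: p -> p + E(p), the map theta induces on the 5w-bit parity plane
    (P(theta(A)) = T(P(A)), since flipping a whole column flips its parity)."""
    n = 5 * w
    rows = [0] * n
    for c in range(n):                       # column c of T = image of unit vector c
        i, k = divmod(c, w)
        for (i2, k2) in {(i, k)} ^ theta_effect({(i, k)}, w):
            rows[i2 * w + k2] |= 1 << c
    return _gf2_inverse(rows, n)


def theta_inverse(B, w=W):
    """theta^{-1}: recover P(A) = T^{-1}(P(B)), then undo the effect: A = B + columns(E(P(A)))."""
    if w not in _INV:
        _INV[w] = parity_map_inverse(w)
    pb = sum(1 << (i * w + k) for (i, k) in parity(B))
    pa = {divmod(r, w) for r in range(5 * w) if bin(_INV[w][r] & pb).count("1") & 1}
    return add_columns(B, theta_effect(pa, w))


def single_bit_inverse_weight(w=W):
    """Hamming weight of theta^{-1} of a one-bit difference: about half of the 25w state bits."""
    return len(theta_inverse({(0, 0, 0)}, w))


if __name__ == "__main__":
    A = {(0, 0, 0), (2, 4, 17), (3, 1, 17)}        # constructed sparse difference
    print("theta-gap:", theta_gap(A), " bits flipped by theta:", len(theta(A) ^ A))
    K = {(1, 0, 5), (1, 3, 5)}                      # two bits in one column: CP-kernel
    print("CP-kernel difference unchanged by theta:", theta(K) == K)
    print("theta^-1 of one bit has weight", single_bit_inverse_weight(), "of", 25 * W)
```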
Given an input difference to \(\chi \), all possible output differences occur with the same probability. On the contrary, given an output difference of \(\chi \), the possible input differences do not all occur with the same probability, but the highest probability among them is determined. Moreover, for one-bit differences, each S-box of \(\chi \) acts as the identity with probability \(2^{-2}\).
5.2 Representation of Trails and Their Weights
We denote the weight of the i-th round differential by \(w_{i}\), where i starts from 0, and thus the weight of a trail is the sum of the weights of the round differentials that constitute the trail. In addition, we use \(\#\mathrm {AS}(\alpha )\) to represent the number of active S-boxes in a state difference \(\alpha \). According to the properties of \(\chi \), given \(\beta _{i}\) the weight of (\(\beta _{i}\rightarrow \alpha _{i+1}\)) is determined; also, given \(\beta _{i}\), the minimum reverse weight of (\(\beta _{i-1}\rightarrow L^{-1}(\beta _i)\)) is fixed.
As in [3], \(n-1\) consecutive \(\beta _i\)’s, say \((\beta _1,\cdots ,\beta _{n-1})\), is called an n-round trail core, which defines a set of n-round trails \(\alpha _0\xrightarrow {L}\beta _0\xrightarrow {\chi }\alpha _1\xrightarrow {L}\beta _1\cdots \xrightarrow {L}\beta _{n-1}\xrightarrow {\chi }\alpha _n\) where the first round is of the minimal weight determined by \(\alpha _1=L^{-1}(\beta _1)\), and \(\alpha _n\) is compatible with \(\beta _{n-1}\). The first step in mounting collision attacks against n-round Keccak is to find good \((n-1)\)-round trail cores.
5.3 Requirements for Differential Trails
Good trail cores are those satisfying all the requirements, which we explain as follows. The first requirement is that the difference of the output is zero, i.e., \(\alpha _{n_r}^d=0\) (we denote the output digest difference after \(n_r\) rounds by \(\alpha _{n_r}^d\)). The second requirement relates to the degree of freedom budget.
Thirdly, the collision attack should be practical. Note that after we obtain a subspace of message pairs that are guaranteed to bypass the first two rounds, the complexity of searching for a collision is \(2^{w_2+\cdots +w_{n_r-1}^d}\). To make our attacks practical, we restrict \(w_2+\cdots +w_{n_r-1}^d\) to be small enough, say 48.
We summarize the requirements for differential trails as follows and list \({\mathtt{TDF}} \)s for different versions of Keccak \([r,c,n_r,d]\) in Table 3.
 (1) \(\alpha _{n_r}^d=0\), i.e., the difference of the output must be zero;
 (2) \({\mathtt{TDF}} >w_1+\cdots +w_{n_r-1}^d\), i.e., the degree of freedom must be sufficient;
 (3) \(w_2+\cdots +w_{n_r-1}^d\le 48\), i.e., the complexity of finding a collision must be low.
Table 3. \({\mathtt{TDF}} \)s of different versions of Keccak \([r,c,n_r,d]\).

| Keccak \([r,c,n_r,d]\) | \({\mathtt{TDF}} \) | Remarks |
|---|---|---|
| Keccak [1440, 160, 5, 160] | 479 | Challenge |
| Keccak [1344, 256, 5, 256] | 378 | SHAKE128 |
| Keccak [640, 160, 5, 160] | 159 | Challenge |
| Keccak [1440, 160, 6, 160] | 479 | Challenge |
| Keccak [1152, 448, 5, 224] | 191 | Keccak-224 |
5.4 Searching Strategies
Searching From Light \(\beta _3\)’s. Our initial goal is to find collisions for 5-round Keccak. To obtain a 5-round collision of Keccak, we need to find 4-round differential trails satisfying the three requirements mentioned previously. However, it is difficult to meet all of them simultaneously, even though each of them can be fulfilled easily.
We explain as follows. Since we aim for practical attacks, \(w_2+w_3+w_{4}^d\) must be small enough, say 48. That is to say, the last three rounds of the trail must be light and sparse. When we restrict a 3-round trail to be lightweight and extend it backwards for one round, we almost always get a heavy state \(\alpha _2\) (usually \(\#AS(\alpha _2)>120\)) whose weight may exceed the TDF. We take Keccak-224 as an example. The \({\mathtt{TDF}} \) of Keccak-224 is 191, which requires \(\#\mathrm {AS}(\alpha _2)<92\) as the least weight of an active S-box is 2. A lightweight 3-round trail satisfies Requirement (1) only occasionally, and the greater d is, the fewer trails satisfy Requirement (1).
With these requirements in mind, we search for 4-round differential trail cores starting from light middle state differences \(\beta _3\). From light \(\beta _3\)’s we search forwards and backwards, and check whether Requirements (1) and (2) are satisfied, respectively; once these two requirements are satisfied, we compute the weight \(w_2+w_3+w_{4}^d\) of the brute-force stage, hoping it is small enough for practical attacks.
\(\alpha _3, \alpha _4\) in the CP-kernel. The designers of Keccak show in [3] that it is not possible to construct 3-round low-weight differential trails which stay in the CP-kernel. However, 2-round differential trails in the CP-kernel are possible, as studied in [9, 14, 19].
We restrict \(\alpha _3\) to the CP-kernel. If \(\rho ^{-1}\circ \pi ^{-1}(\beta _3)\) is outside the CP-kernel and sparse, say with 8 active bits, the number of active bits of \(\alpha _3=L^{-1}(\beta _3)\) will increase due to the strong diffusion of \(\theta ^{-1}\) and the sparseness of \(\beta _3\). When \(\#AS(\alpha _3)>10\), the complexity of searching backwards for one \(\beta _3\) is greater than \(2^{31.7}\), which is too time-consuming. We also confine \(\alpha _4\) to the CP-kernel; if not, the requirement \(\alpha _{n_r}^d=0\) may not be satisfied. As can be seen from the lightest 3-round trail for Keccak-f[1600] [14], even though the \(\theta \)-gap is only one, after \(\theta \) the difference bits are diffused over the state, making a 224-bit collision impossible (a 160-bit collision is still possible). So our starting point is special \(\beta _3\)’s which ensure that \(\alpha _3 = L^{-1}(\beta _3)\) lies in the CP-kernel, and for which there exists a compatible \(\alpha _4\) in the CP-kernel. Fortunately, such \(\beta _3\)’s can be obtained with KeccakTools [6].
Steps for Searching 4-Round Differential Trails. We sketch below our steps for finding 4-round differential trail cores for Keccak and provide a more detailed description in Appendix C. To mount collision attacks on 6-round Keccak, 5-round differential trail cores are needed. In this case, we just extend our forward extension for one more round.
 1. Using KeccakTools, find special \(\beta _3\)’s with a low Hamming weight, say 8.
 2. For every \(\beta _3\) obtained, traverse all possible \(\alpha _4\) using a tree structure, compute \(\beta _4=L(\alpha _4)\) and test whether there exists a compatible \(\alpha _5\) with \(\alpha _5^d=0\). If so, keep this \(\beta _3\) and record its forward extension; otherwise discard it.
 3. For the remaining \(\beta _3\)’s, also using a tree structure, traverse all possible \(\beta _2\) compatible with \(L^{-1}(\beta _3)\) and compute \(\#AS(\alpha _2)\) from \(\beta _2\). If \(\#AS(\alpha _2)\) is small enough, say below 110, check whether the trail core \((\beta _2,\beta _3,\beta _4)\) under consideration is sufficient for collision attacks.
5.5 Searching Results
Differential trail cores for Keccak \([r,c,n_r,d]\).

| No. | \(r+c\) | \(\#AS(\alpha _2)\) | \(\#AS(\beta _2)\) | \(\#AS(\beta _3)\) | \(\#AS(\beta _4^d)\) | \(w_1\) | \(w_2\) | \(w_3\) | \(w_4^d\) | d |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1600 | 102 | 8 | 8 | 2 | 240 | 19 | 16 | 4 | 256 |
| 2 | 1600 | 88 | 8 | 7 | 0 | 195 | 21 | 15 | 0 | 160 |
| 3 | 1600 | 85 | 9 | 10 | 2 | 190 | 25 | 20 | 3 | 224 |
| 4 | 800 | 38 | 8 | 8 | 0 | 85 | 20 | 16 | 0 | 160 |

| No. | \(r+c\) | \(\#AS(\alpha _2)\) | \(\#AS(\beta _2)\) | \(\#AS(\beta _3)\) | \(\#AS(\beta _4)\) | \(\#AS(\beta _5^d)\) | \(w_1\) | \(w_2\) | \(w_3\) | \(w_4\) | \(w_5^d\) | d |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5 | 1600 | 145 | 6 | 6 | 10 | 14 | 340 | 15 | 12 | 22 | 23 | 160 |
6 Experiments and Results
Our collision attacks consist of two stages:
Connecting stage. Find a subspace of messages bypassing the first two rounds.
Brute-force searching stage. Find a colliding pair from this subspace by brute force.
In the first stage, with \(\alpha _2\) fixed by the trail core, we choose a compatible \(\beta _1\) where \(\alpha _1=L^{-1}(\beta _1)\) and all the S-boxes in \(\alpha _1\) are active. In order to save freedom degrees, we also require that \(\beta _1\rightarrow \alpha _2\) be of least weight. Once \(\beta _1\) is chosen, we run the two-round connector. If a certain number of failures is reached, we select another \(\beta _1\), until a solution is found, i.e. a subspace of message pairs that definitely reach \(\alpha _2\) is obtained. If the number of freedom degrees of this subspace is large enough, the first stage succeeds. Once the first stage succeeds, we move on to the second stage to find a colliding message pair.
6.1 Collision Attack of Keccak[1440,160,5,160]
We apply Trail core No. 2 to the collision attack on 5-round Keccak \([1440,160,5,160]\). In this case, we choose compatible \(\beta _1\)'s randomly. After solving the two-round problem in 9.6 s, the degree of freedom is 162, which is enough for the collision search over the remaining 3 rounds with probability \(2^{-40}\). The search for the collision takes 2.48 h. We give one example of a collision in Table 10, with which we solve a challenge of the Keccak Crunchy Crypto Collision and Preimage Contest [2].
6.2 Collision Attack of 5-Round SHAKE128
We apply Trail core No. 1 to the collision attack on 5-round SHAKE128. As the capacity of SHAKE128 is much larger than that of Keccak[1440, 160, 5, 160], so that about 100 more freedom degrees are needed, we choose only compatible \(\beta _1\)'s for which \(\beta _1\rightarrow \alpha _2\) is of least weight. We also follow this rule in the later collision attacks. After solving the two-round problem in 25 min, the degree of freedom is 94, and the search for the 3-round collision with probability \(2^{-39}\) costs half an hour. We give an instance of a collision in Table 11.
6.3 Collision Attack of Keccak[640,160,5,160]
We apply Trail core No. 5 to the collision attack on Keccak[640, 160, 5, 160]. The methods used in this case are similar to those for 5-round SHAKE128. The first stage succeeds in 30 min. The second stage takes 2 h 40 min to find a collision, which happens with probability \(2^{-35}\). An example of a collision is provided in Table 12, with which we solve another challenge of the Keccak Crunchy Crypto Collision and Preimage Contest [2].
6.4 Collision Attack of Keccak[1440,160,6,160]
We found four trail cores for which there exist zero 160-bit output differences. The one with the best probability is Trail core No. 5, displayed in Table 9. From \(\beta _4\) there are 24 trails to a zero \(\alpha _6^d\). Taking all these trails into consideration, we get a complexity of \(2^{67.24}\)–\(2^{70.24}\) for the second stage. If we let \(\#AS(\alpha _2)\) (resp. \(w_2\)) be the smallest, the complexity of the second stage is \(2^{70.24}\) (resp. \(2^{67.24}\)). In the experiments, we let \(\#AS(\alpha _2)\) be the smallest. In one hour our two-round algorithm returns a subspace of messages with freedom degree 135, and in 20 min we get a message pair, shown in Table 13, that follows the first four rounds of the differential trail, which demonstrates that with time complexity \(2^{70.24}\) a collision for 6-round Keccak[1440, 160, 6, 160] will be found with great confidence.
6.5 Collision Attack of 5-Round \(\mathtt{{\textsc {Keccak}}}\)-224
For the collision attack on 5-round \(\mathtt{{\textsc {Keccak}}}\)-224, none of the 4-round trail cores we found for Keccak-f[1600] are good enough, i.e. the weight of the trail cores exceeds \({\mathtt{TDF}} \) by too much, and even \(w_2>{\mathtt{TDF}} \). However, our two-round connector is still likely to work. On the one hand, from Trail core No. 4 for \(\mathtt{{\textsc {Keccak}}}\)-f[800] we can construct a 4-round trail core for \(\mathtt{{\textsc {Keccak}}}\)-f[1600] with weight pattern (170, 40, 32, 0), which makes our two-round connector possible. On the other hand, as the capacity increases, it is probable that the equations added in the connecting phase are not always mutually independent, which means the freedom degrees of our connector may be fewer than the assumed \({\mathtt{TDF}} \). The applicability of our connector in this case is verified by experiments. With Trail core No. 4, the two-round connector returns a subspace of messages of freedom degree 11, and of freedom degree 2 or 3 for Trail core No. 3. Since the message subspaces derived are too small to mount collision attacks against 5-round \(\mathtt{{\textsc {Keccak}}}\)-224, we turn to two-block messages. Once we get the c bits from the first block, we set the corresponding c-bit constants in \(E_M\) to the value obtained and then solve the system to find a subspace of messages for the second block. The attack now proceeds in the following way.
Connecting stage. Use the two-round connector to find a message subspace with freedom degree s as large as possible, hoping that \(t=(c+p)+{\text {rank}}(E_M \setminus E_{(c,p)})-{\text {rank}}(E_M)\) is as small as possible.
Brute-force searching stage.
1. Choose the first message randomly and compute the c-bit value for the second block. Replace the corresponding c-bit constants in \(E_M\) and check whether the system is still consistent. If it is, we obtain another subspace of size \(2^s\).
2. Search for a collision within this subspace.
3. Repeat until a two-block collision is found.
In our experiment, using Trail core No. 3 the connector returns a message subspace with freedom degree \(s=2\) and \(t=55\). Then the complexity for finding a two-block collision is \(2^{55+(48-2)}=2^{101}\).
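The two-block consistency step above, as an added toy model that is not the paper's code: a small constructed GF(2) linear system stands in for \(E_M\), three constructed equations play the role of \(E_{(c,p)}\), and the block computes s, t, the consistency check after replacing the first-block constants, and the cost \(2^{t+(w-s)}\) with the paper's values t=55, w=48, s=2.

```python
from itertools import product

def gf2_rank(vectors):
    """Rank over GF(2) of integer bit-vectors, by elimination on the leading bit."""
    pivots = {}
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead in pivots:
                v ^= pivots[lead]
            else:
                pivots[lead] = v
                break
    return len(pivots)

def is_consistent(eqs):
    """Ax = b over GF(2) is solvable iff rank(A) == rank([A | b])."""
    return gf2_rank([c for c, _ in eqs]) == gf2_rank([(c << 1) | r for c, r in eqs])

def freedom_degree(n_vars, eqs):
    """s: log2 of the solution-space size of a consistent system."""
    return n_vars - gf2_rank([c for c, _ in eqs])

def t_parameter(rest, cp):
    """t = (c+p) + rank(E_M minus E_(c,p)) - rank(E_M): a fresh set of first-block
    constants keeps E_M consistent with probability 2^-t."""
    return len(cp) + gf2_rank([c for c, _ in rest]) - gf2_rank([c for c, _ in rest + cp])

def cp_equations(constants):
    """Constructed E_(c,p): pin message bits x0, x1, x4 to constants from block one."""
    return [(1 << 0, constants[0]), (1 << 1, constants[1]), (1 << 4, constants[2])]

# Constructed remainder of E_M over 6 message bits (bit i of coeffs is x_i):
# x0+x1 = 1, x2+x3 = 0, x0+x1+x2+x3 = 1 (the last row depends on the first two).
REST = [(0b000011, 1), (0b001100, 0), (0b001111, 1)]
N_VARS = 6

def consistent_constant_fraction():
    """Brute-force check of 2^-t: try every assignment of the c+p = 3 constants."""
    hits = sum(is_consistent(REST + cp_equations(k)) for k in product((0, 1), repeat=3))
    return hits / 8

def two_block_log2_complexity(t, w, s):
    """log2 cost: 2^t first blocks per consistent subspace, each giving 2^s message
    pairs, while 2^w pairs are needed for the remaining rounds."""
    return t + (w - s)

if __name__ == "__main__":
    cp = cp_equations((1, 0, 0))
    print("s =", freedom_degree(N_VARS, REST + cp), "t =", t_parameter(REST, cp))
    print("consistent fraction:", consistent_constant_fraction())
    print("paper's parameters (t=55, w=48, s=2): 2^%d" % two_block_log2_complexity(55, 48, 2))
```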
6.6 Relaunching 4-Round Collision Attacks on \(\mathtt{{\textsc {Keccak}}}\)-224 and \(\mathtt{{\textsc {Keccak}}}\)-256
Though 4-round collisions of \(\mathtt{{\textsc {Keccak}}}\)-224 and \(\mathtt{{\textsc {Keccak}}}\)-256 have already been found [10], we use our method to optimize the complexity. We start from the same 2-round differential trail as in Dinur et al.'s work [10] and build a two-round connector. The time spent on building and solving the two-round connectors is 2 min 15 s for \(\mathtt{{\textsc {Keccak}}}\)-224 and 7 min for \(\mathtt{{\textsc {Keccak}}}\)-256. The complexity of the brute-force search is then reduced to \(2^{12}\), costing 0.325 s and 0.28 s respectively, which outperforms the \(2^{24}\) online complexity of [10]. Besides, it is pointed out in [10] that even though they obtained subsets of more than \(2^{30}\) message pairs from their target difference algorithm, they were not able to find collisions within some of these subsets. The suspected reason was the incomplete diffusion within the first two rounds and the closely related message pairs within a subset. In our algorithm, by contrast, we did not encounter such a problem: we always find collisions in the subsets produced by the two-round connector. Thus, once we succeed in the 2-round connector building phase with a large enough subset, we never need to repeat it.
7 Conclusion
In conclusion, we observed that the Keccak S-box can be re-expressed as a linear transformation on certain restricted input subspaces. With this property, we linearized all S-boxes of the first round and extended the existing connector by one round. Implementations confirmed our idea and produced real examples for 5-round SHAKE128 and two instances of the Keccak challenges. Theoretical results on 5-round \(\mathtt{{\textsc {Keccak}}}\)-224 and a 6-round Keccak challenge version are projected.
It is noted that the algorithm for solving the two-round connectors is heuristic; further work includes finding theoretical bounds for this algorithm and the factors deciding its complexity, for possible improvements. Note that any relaxation of the restrictions on \(\varDelta S_I\) might lead to better differential trails in the searching phase.
Acknowledgement
The authors would like to thank anonymous reviewers and Joan Daemen for their helpful comments and suggestions. The work of this paper was supported by the National Key Basic Research Program of China (2013CB834203) and the National Natural Science Foundation of China (Grants 61472417, 61472415, 61402469, and 61672516).
References
1. Aumasson, J.P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. Rump session of Cryptographic Hardware and Embedded Systems - CHES 2009, p. 67 (2009)
2. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak Crunchy Crypto Collision and Preimage Contest. http://keccak.noekeon.org/crunchy_contest.html
3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference, version 3.0 (2011). http://keccak.noekeon.org/Keccakreference3.0.pdf
4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions. Submission to NIST (Round 3) (2011)
5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak SHA-3 submission. Submission to NIST (Round 3) 6(7), 16 (2011)
6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: KeccakTools (2015). http://keccak.noekeon.org/
7. Canteaut, A. (ed.): FSE 2012. LNCS, vol. 7549. Springer, Heidelberg (2012)
8. Daemen, J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. thesis, KU Leuven, March 1995
9. Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34047-5_24
10. Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34047-5_25
11. Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014)
12. Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced Keccak. J. Cryptol. 27(2), 183–209 (2014)
13. Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_28
14. Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 402–421. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34047-5_23
15. Guo, J., Jean, J., Nikolic, I., Qiao, K., Sasaki, Y., Sim, S.M.: Invariant subspace attack against Midori64 and the resistance criteria for S-box designs. IACR Trans. Symmetric Cryptol. 1(1) (2017, to appear)
16. Jean, J., Nikolić, I.: Internal differential boomerangs: practical analysis of the round-reduced Keccak-\(f\) permutation. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 537–556. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48116-5_26
17. Mendel, F., Nad, T., Schläffer, M.: Finding SHA-2 characteristics: searching through a minefield of contradictions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 288–307. Springer, Heidelberg (2011)
18. National Institute of Standards and Technology: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Federal Information Processing Standards (FIPS) Publication Series (2015)
19. Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011)