Non-full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak

  • Ling Song
  • Guohong Liao
  • Jian GuoEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10402)


The Keccak hash function is the winner of the SHA-3 competition and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced Keccak hash function, and two main results are achieved: the first practical collision attacks against 5-round Keccak-224 and an instance of 6-round Keccak collision challenge. Both improve the number of practically attacked rounds by one. These results are obtained by carefully studying the algebraic properties of the nonlinear layer in the underlying permutation of Keccak and applying linearization to it. In particular, techniques for partially linearizing the output bits of the nonlinear layer are proposed, utilizing which attack complexities are reduced significantly from the previous best results.


Keccak SHA-3 Hash function Collision Non-full linearization Adaptive 



The authors would like to thank anonymous reviewers of CRYPTO 2017 for their helpful comments and suggestions. Part of this work was supported by the National Key Basic Research Program of China (2013CB834203) the National Natural Science Foundation of China (Grants 61472417, 61472415, 61402469, 61672516, and 61572028), the Project of Science and Technology of Guangdong (2016B010125002), and the Natural Science Foundation of Guangdong (No. 2015A030313630, 2014A030313439).

Supplementary material


  1. 1.
    Aumasson, J.P., Meier, W.: Zero-Sum distinguishers for reduced keccak-f and for the core functions of Luffa and Hamsi. In: Rump Session of Cryptographic Hardware and Embedded Systems-CHES 2009 (2009)Google Scholar
  2. 2.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak crunchy crypto collision and pre-image contest.
  3. 3.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic Sponge functions. Submission to NIST (Round 3) (2011).
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak Reference, version 3.0.
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak SHA-3 Submission. Submission to NIST (Round 3) 6(7) (2011)Google Scholar
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: KeccakTools (2015).
  7. 7.
    Canteaut, Anne (ed.): FSE 2012. LNCS, vol. 7549. Springer, Heidelberg (2012)zbMATHGoogle Scholar
  8. 8.
    Cayrel, P.-L., Hoffmann, G., Schneider, M.: GPU implementation of the Keccak Hash function family. In: Kim, T., Adeli, H., Robles, R.J., Balitanas, M. (eds.) ISA 2011. CCIS, vol. 200, pp. 33–42. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23141-4_4 CrossRefGoogle Scholar
  9. 9.
    Daemen, J., Assche, G.V.: Differential propagation analysis of keccak. In: Canteaut [7], pp. 422–441Google Scholar
  10. 10.
    Dinur, I., Dunkelman, O., Shamir, A.: New attacks on keccak-224 and keccak-256. In: Canteaut [7], pp. 442–461Google Scholar
  11. 11.
    Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43933-3_12 Google Scholar
  12. 12.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced keccak. J. Cryptol. 27(2), 183–209 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_28 Google Scholar
  14. 14.
    Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to keccak. In: Canteaut [7], pp. 402–421Google Scholar
  15. 15.
    Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53887-6_9 CrossRefGoogle Scholar
  16. 16.
    Jean, J., Nikolic, I.: Internal differential boomerangs: practical analysis of the round-reduced Keccak-f permutation. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 537–556. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  17. 17.
    Murthy, G.S.: Optimal loop unrolling for GPGPU programs. Ph.D. thesis, The Ohio State University (2009)Google Scholar
  18. 18.
    Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25578-6_18 CrossRefGoogle Scholar
  19. 19.
    NIST: SHA-3 COMPETITION (2007–2012).
  20. 20.
    Nvidia, C.: CUDA C Programming Guide. Nvidia Corporation 120(18) (2011)Google Scholar
  21. 21.
    Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced Keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017). doi: 10.1007/978-3-319-56617-7_8 CrossRefGoogle Scholar
  22. 22.
    Sevestre, G.: Implementation of Keccak hash function in tree hashing mode on Nvidia GPU (2010).
  23. 23.
    The U.S. National Institute of Standards and Technology: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Federal Information Processing Standard, FIPS 202, 5th August 2015,
  24. 24.
    Volkov, V.: Better performance at lower occupancy. In: Proceedings of the GPU Technology Conference, GTC, vol. 10. San Jose, CA (2010)Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.Nanyang Technological UniversitySingaporeSingapore
  2. 2.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  3. 3.South China Normal UniversityGuangzhouChina
  4. 4.Data Assurance and Communication Research CenterChinese Academy of SciencesBeijingChina

Personalised recommendations