# Non-full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak

## Abstract

The Keccak hash function is the winner of the SHA-3 competition and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced Keccak hash function, and two main results are achieved: the first practical collision attacks against 5-round Keccak-224 and an instance of 6-round Keccak collision challenge. Both improve the number of practically attacked rounds by one. These results are obtained by carefully studying the algebraic properties of the nonlinear layer in the underlying permutation of Keccak and applying linearization to it. In particular, techniques for partially linearizing the output bits of the nonlinear layer are proposed, utilizing which attack complexities are reduced significantly from the previous best results.

## Keywords

Keccak SHA-3 Hash function Collision Non-full linearization Adaptive## Notes

### Acknowledgement

The authors would like to thank anonymous reviewers of CRYPTO 2017 for their helpful comments and suggestions. Part of this work was supported by the National Key Basic Research Program of China (2013CB834203) the National Natural Science Foundation of China (Grants 61472417, 61472415, 61402469, 61672516, and 61572028), the Project of Science and Technology of Guangdong (2016B010125002), and the Natural Science Foundation of Guangdong (No. 2015A030313630, 2014A030313439).

## Supplementary material

## References

- 1.Aumasson, J.P., Meier, W.: Zero-Sum distinguishers for reduced keccak-f and for the core functions of Luffa and Hamsi. In: Rump Session of Cryptographic Hardware and Embedded Systems-CHES 2009 (2009)Google Scholar
- 2.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak crunchy crypto collision and pre-image contest. http://keccak.noekeon.org/crunchy_contest.html
- 3.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic Sponge functions. Submission to NIST (Round 3) (2011). http://sponge.noekeon.org/CSF-0.1.pdf
- 4.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak Reference, version 3.0. http://keccak.noekeon.org
- 5.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak SHA-3 Submission. Submission to NIST (Round 3) 6(7) (2011)Google Scholar
- 6.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: KeccakTools (2015). http://keccak.noekeon.org/
- 7.Canteaut, Anne (ed.): FSE 2012. LNCS, vol. 7549. Springer, Heidelberg (2012)MATHGoogle Scholar
- 8.Cayrel, P.-L., Hoffmann, G., Schneider, M.: GPU implementation of the Keccak Hash function family. In: Kim, T., Adeli, H., Robles, R.J., Balitanas, M. (eds.) ISA 2011. CCIS, vol. 200, pp. 33–42. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23141-4_4 CrossRefGoogle Scholar
- 9.Daemen, J., Assche, G.V.: Differential propagation analysis of keccak. In: Canteaut [7], pp. 422–441Google Scholar
- 10.Dinur, I., Dunkelman, O., Shamir, A.: New attacks on keccak-224 and keccak-256. In: Canteaut [7], pp. 442–461Google Scholar
- 11.Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43933-3_12 Google Scholar
- 12.Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced keccak. J. Cryptol.
**27**(2), 183–209 (2014)MathSciNetCrossRefMATHGoogle Scholar - 13.Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_28 Google Scholar
- 14.Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to keccak. In: Canteaut [7], pp. 402–421Google Scholar
- 15.Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53887-6_9 CrossRefGoogle Scholar
- 16.Jean, J., Nikolic, I.: Internal differential boomerangs: practical analysis of the round-reduced Keccak-f permutation. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 537–556. Springer, Heidelberg (2015)CrossRefGoogle Scholar
- 17.Murthy, G.S.: Optimal loop unrolling for GPGPU programs. Ph.D. thesis, The Ohio State University (2009)Google Scholar
- 18.Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25578-6_18 CrossRefGoogle Scholar
- 19.NIST: SHA-3 COMPETITION (2007–2012). http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
- 20.Nvidia, C.: CUDA C Programming Guide. Nvidia Corporation 120(18) (2011)Google Scholar
- 21.Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced Keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017). doi: 10.1007/978-3-319-56617-7_8 CrossRefGoogle Scholar
- 22.Sevestre, G.: Implementation of Keccak hash function in tree hashing mode on Nvidia GPU (2010). http://hgpu.org/?p=6833
- 23.The U.S. National Institute of Standards and Technology: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Federal Information Processing Standard, FIPS 202, 5th August 2015, http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
- 24.Volkov, V.: Better performance at lower occupancy. In: Proceedings of the GPU Technology Conference, GTC, vol. 10. San Jose, CA (2010)Google Scholar