Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256

  • Christina Boura
  • Anne Canteaut
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6544)


The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.


Keywords: Hash functions, integral properties, zero-sums, SHA-3



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Christina Boura (1, 2)
  • Anne Canteaut (1)
  1. SECRET Project-Team, INRIA Paris-Rocquencourt, Le Chesnay Cedex, France
  2. Gemalto, Meudon sur Seine, France
