Practical Analysis of Reduced-Round Keccak

  • María Naya-Plasencia
  • Andrea Röck
  • Willi Meier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7107)


Keccak is a finalist of the SHA-3 competition. In this paper we propose a practical distinguisher on 4 rounds of the hash function with the submission parameters. Recently, the designers of Keccak published several challenges on reduced versions of the hash function. With regard to this, we propose a preimage attack on 2 rounds, a collision attack on 2 rounds and a near collision on 3 rounds of \(\lfloor\) Keccak \(\rfloor_{224}\) and \(\lfloor\) Keccak \(\rfloor_{256}\). These are the first practical cryptanalysis results on reduced rounds of the hash function scenario. All of our results have been implemented.


Keywords: hash function, Keccak, practical cryptanalysis, SHA-3





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • María Naya-Plasencia (1, 3)
  • Andrea Röck (2)
  • Willi Meier (1)

  1. FHNW, Windisch, Switzerland
  2. Aalto University School of Science, Finland
  3. University of Versailles, France
