Differential Propagation Analysis of Keccak

  • Joan Daemen
  • Gilles Van Assche
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7549)


In this paper we introduce new concepts that help read and understand low-weight differential trails in Keccak. We then propose efficient techniques to exhaustively generate all 3-round trails in its largest permutation below a given weight. This allows us to prove that any 6-round differential trail in Keccak-f[1600] has weight at least 74. In the worst-case diffusion scenario where the mixing layer acts as the identity, we refine the lower bound to 82 by systematically constructing trails using a specific representation of states.


cryptographic hash function Keccak differential cryptanalysis computer-aided proof 


  1. 1.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the Indifferentiability of the Sponge Construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008), http://sponge.noekeon.org/CrossRefGoogle Scholar
  2. 2.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions (January 2011), http://sponge.noekeon.org/
  3. 3.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On alignment in Keccak. In: ECRYPT II Hash Workshop 2011 (2011)Google Scholar
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference (January 2011), http://keccak.noekeon.org/
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: KeccakTools software (April 2012), http://keccak.noekeon.org/
  6. 6.
    Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)Google Scholar
  7. 7.
    Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. Cryptology ePrint Archive, Report 2012/163 (2012), http://eprint.iacr.org/
  8. 8.
    Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie proposal: the block cipher Noekeon, Nessie submission (2000), http://gro.noekeon.org/
  9. 9.
    Daemen, J., Rijmen, V.: The design of Rijndael — AES, the advanced encryption standard. Springer (2002)Google Scholar
  10. 10.
    Daemen, J., Rijmen, V.: Plateau characteristics and AES. IET Information Security 1(1), 11–17 (2007)CrossRefGoogle Scholar
  11. 11.
    Dinur, I., Dunkelman, O., Shamir, A.: New Attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 447–463. Springer, Heidelberg (2012)Google Scholar
  12. 12.
    Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: Application to Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 407–426. Springer, Heidelberg (2012)Google Scholar
  13. 13.
    Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl – a SHA-3 candidate. Submission to NIST (round 3) (2011)Google Scholar
  14. 14.
    Heilman, E.: Restoring the differential security of MD6. In: ECRYPT II Hash Workshop 2011 (2011)Google Scholar
  15. 15.
    Naya-Plasencia, M., Röck, A., Meier, W.: Practical Analysis of Reduced-Round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    NIST, Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Register Notices 72(212), 62212–62220 (2007), http://csrc.nist.gov/groups/ST/hash/index.html
  17. 17.
    Rivest, R., Agre, B., Bailey, D.V., Cheng, S., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash function – a proposal to NIST for SHA-3. Submission to NIST (2008), http://groups.csail.mit.edu/cis/md6/
  18. 18.
    Wu, H.: The hash function JH. Submission to NIST (round 3) (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Joan Daemen
    • 1
  • Gilles Van Assche
    • 1
  1. 1.STMicroelectronicsBelgium

Personalised recommendations