Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak

  • Jian Guo
  • Meicheng Liu
  • Ling Song
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


In this paper, we analyze the security of round-reduced versions of the Keccak hash function family. Based on the work pioneered by Aumasson and Meier, and Dinur et al., we formalize and develop a technique named linear structure, which allows linearization of the underlying permutation of Keccak for up to 3 rounds with large number of variable spaces. As a direct application, it extends the best zero-sum distinguishers by 2 rounds without increasing the complexities. We also apply linear structures to preimage attacks against Keccak. By carefully studying the properties of the underlying Sbox, we show bilinear structures and find ways to convert the information on the output bits to linear functions on input bits. These findings, combined with linear structures, lead us to preimage attacks against up to 4-round Keccak with reduced complexities. An interesting feature of such preimage attacks is low complexities for small variants. As extreme examples, we can now find preimages of 3-round SHAKE128 with complexity 1, as well as the first practical solutions to two 3-round instances of Keccak challenge. Both zero-sum distinguishers and preimage attacks are verified by implementations. It is noted that the attacks here are still far from threatening the security of the full 24-round Keccak.


Cryptanalysis SHA-3 Keccak Preimage attacks Zero-sum distinguishers 



We are grateful to Florian Mendel, Lei Wang, and anonymous reviewers of ASIACRYPT 2016 for their fruitful discussions and helpful comments. The second author was supported by the National Natural Science Foundation of China (Grant Nos. 61672516, 61303258, 61379139 and 11526215) and the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant XDA06010701.


  1. 1.
    Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for step-reduced SHA-2. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 578–597. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10366-7_34 CrossRefGoogle Scholar
  2. 2.
    Aumasson, J.P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi (2009).
  3. 3.
    Bernstein, D.J.: Second Preimages for 6 (7?(8??)) Rounds of Keccak. NIST mailing list (2010)Google Scholar
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak crunchy crypto collision and pre-image contest.
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions, January 2011.
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference, Version 3.0, January 2011.
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR submission: KETJE v1, March 2014.
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR submission: Keyak v2, December 2015.
  9. 9.
    Boura, C., Canteaut, A., Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-21702-9_15 CrossRefGoogle Scholar
  10. 10.
    Canteaut, A. (ed.): FSE 2012. LNCS, vol. 7549. Springer, Heidelberg (2012)zbMATHGoogle Scholar
  11. 11.
    Chang, D., Kumar, A., Morawiecki, P., Sanadhya, S.K.: 1st and 2nd preimage attacks on 7, 8 and 9 rounds of Keccak-224,256,384,512. In: SHA-3 Workshop, August 2014Google Scholar
  12. 12.
    Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34047-5_25 CrossRefGoogle Scholar
  13. 13.
    Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43933-3_12 Google Scholar
  14. 14.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced Keccak. J. Cryptol. 27(2), 183–209 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_28 Google Scholar
  16. 16.
    Duan, M., Lai, X.: Improved zero-sum distinguisher for full round Keccak-f permutation. Cryptology ePrint Archive, Report 2011/023 (2011).
  17. 17.
    Duc, Alexandre, Guo, Jian, Peyrin, Thomas, Wei, Lei: Unaligned rebound attack: application to Keccak. In: [10] 402–421Google Scholar
  18. 18.
    Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced meet-in-the-middle preimage attacks: first results on full tiger, and improved results on MD4 and SHA-2. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 56–75. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-17373-8_4 CrossRefGoogle Scholar
  19. 19.
    Jean, J., Nikolić, I.: Internal differential boomerangs: practical analysis of the round-reduced Keccak- \(f\) permutation. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 537–556. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48116-5_26 CrossRefGoogle Scholar
  20. 20.
    Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational Cryptanalysis of Round-Reduced Keccak. In: [22] 241–262Google Scholar
  21. 21.
    Morawiecki, P., Srebrny, M.: A SAT-based preimage analysis of reduced Keccak hash functions. Inf. Process. Lett. 113(10–11), 392–397 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced Keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43933-3_13 Google Scholar
  23. 23.
    Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25578-6_18 CrossRefGoogle Scholar
  24. 24.
    NIST: SHA-3 COMPETITION (2007–2012).
  25. 25.
    The U.S. National Institute of Standards and Technology: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions . Federal Information Processing Standard, FIPS 202, 5th August 2015Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Cryptanalysis Taskforce, Temasek Laboratories@NTUSingaporeSingapore
  2. 2.School of Physical and Mathematical SciencesNanyang Technological UniversitySingaporeSingapore
  3. 3.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingPeople’s Republic of China

Personalised recommendations