Rotational Cryptanalysis of Round-Reduced Keccak

  • Paweł Morawiecki
  • Josef Pieprzyk
  • Marian Srebrny
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST’s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-\(f\)[1600] permutation — the main building block of Keccak hash function.


Preimage attack Keccak Rotational cryptanalysis SHA-3 



We would like to thank the Keccak Team for useful comments and discussion. We also thank Dmitry Khovratovich, Thomas Peyrin and anonymous reviewers for improving the quality of the paper. The research was cofounded by the European Union from resources of the European Social Fund, Project PO KL Information technologies: Research and their interdisciplinary applications, Agreement UDA-POKL.04.01.01-00-051/10-00. Josef Pieprzyk was supported by the Australian Research Council grant DP0987734.


  1. 1.
    Aumasson, J.P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luff a and Hamsi. Technical report, NIST mailing list (2009)Google Scholar
  2. 2.
    Bernstein, D.J.: Salsa20. Technical report, eSTREAM, ECRYPT Stream Cipher Project (2005).
  3. 3.
    Bernstein, D.J.: Second preimages for 6 (7? (8??)) rounds of Keccak? NIST mailing list (2010).
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponges.
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak sponge function family main document.
  6. 6.
    Boura, C., Canteaut, A.: Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 1–17. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  7. 7.
    Chernoff, H.: A note on an inequality involving the normal distribution. Ann. Probab. 9, 533–535 (1981)CrossRefMATHMathSciNetGoogle Scholar
  8. 8.
    Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  9. 9.
    Duan, M., Lai, X.: Improved zero-sum distinguisher for full round Keccak-f permutation. Chin. Sci. Bull. 57, 694–697 (2012)CrossRefGoogle Scholar
  10. 10.
    Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack - application to Keccak. Cryptology ePrint Archive, Report 2011/420 (2011)Google Scholar
  11. 11.
    Homsirikamol, E., Morawiecki, P., Rogawski, M., Srebrny, M.: Security margin evaluation of SHA-3 contest finalists through SAT-based attacks. In: Cortesi, A., Chaki, N., Saeed, K., Wierzchoń, S. (eds.) CISIM 2012. LNCS, vol. 7564, pp. 56–67. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  12. 12.
    Khovratovich, D., Nikolić, I.: Rotational cryptanalysis of ARX. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 333–346. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  13. 13.
    Khovratovich, D., Nikolić, I., Rechberger, C.: Rotational rebound attacks on reduced Skein. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 1–19. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  14. 14.
    Knudsen, L.R., Matusiewicz, K., Thomsen, S.S.: Observations on the Shabal keyed permutation (2009).
  15. 15.
    Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  16. 16.
    Standaert, F.-X., Piret, G., Gershenfeld, N., Quisquater, J.-J.: SEA: a scalable encryption algorithm for small embedded applications. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 222–236. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  17. 17.
    Van Assche, G.: A rotational distinguisher on Shabal’s keyed permutation and its impact on the security proofs.

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Paweł Morawiecki
    • 1
    • 3
  • Josef Pieprzyk
    • 2
  • Marian Srebrny
    • 1
    • 3
  1. 1.Section of InformaticsUniversity of CommerceKielcePoland
  2. 2.Department of ComputingMacquarie UniversitySydneyAustralia
  3. 3.Institute of Computer SciencePolish Academy of SciencesWarsawPoland

Personalised recommendations