# Rotational Cryptanalysis of Round-Reduced Keccak

## Abstract

In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST’s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-\(f\)[1600] permutation — the main building block of Keccak hash function.

## Keywords

Preimage attack Keccak Rotational cryptanalysis SHA-3## Notes

### Acknowledgement

We would like to thank the Keccak Team for useful comments and discussion. We also thank Dmitry Khovratovich, Thomas Peyrin and anonymous reviewers for improving the quality of the paper. The research was cofounded by the European Union from resources of the European Social Fund, Project PO KL Information technologies: Research and their interdisciplinary applications, Agreement UDA-POKL.04.01.01-00-051/10-00. Josef Pieprzyk was supported by the Australian Research Council grant DP0987734.

## References

- 1.Aumasson, J.P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luff a and Hamsi. Technical report, NIST mailing list (2009)Google Scholar
- 2.Bernstein, D.J.: Salsa20. Technical report, eSTREAM, ECRYPT Stream Cipher Project (2005). http://cr.yp.to/snuffle.html
- 3.Bernstein, D.J.: Second preimages for 6 (7? (8??)) rounds of Keccak? NIST mailing list (2010). http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt
- 4.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponges. http://sponge.noekeon.org
- 5.Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak sponge function family main document. http://keccak.noekeon.org/Keccak-main-2.1.pdf
- 6.Boura, C., Canteaut, A.: Zero-sum distinguishers for iterated permutations and application to Keccak-
*f*and Hamsi-256. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 1–17. Springer, Heidelberg (2011) CrossRefGoogle Scholar - 7.Chernoff, H.: A note on an inequality involving the normal distribution. Ann. Probab.
**9**, 533–535 (1981)CrossRefMATHMathSciNetGoogle Scholar - 8.Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012) CrossRefGoogle Scholar
- 9.Duan, M., Lai, X.: Improved zero-sum distinguisher for full round Keccak-f permutation. Chin. Sci. Bull.
**57**, 694–697 (2012)CrossRefGoogle Scholar - 10.Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack - application to Keccak. Cryptology ePrint Archive, Report 2011/420 (2011)Google Scholar
- 11.Homsirikamol, E., Morawiecki, P., Rogawski, M., Srebrny, M.: Security margin evaluation of SHA-3 contest finalists through SAT-based attacks. In: Cortesi, A., Chaki, N., Saeed, K., Wierzchoń, S. (eds.) CISIM 2012. LNCS, vol. 7564, pp. 56–67. Springer, Heidelberg (2012) CrossRefGoogle Scholar
- 12.Khovratovich, D., Nikolić, I.: Rotational cryptanalysis of ARX. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 333–346. Springer, Heidelberg (2010) CrossRefGoogle Scholar
- 13.Khovratovich, D., Nikolić, I., Rechberger, C.: Rotational rebound attacks on reduced Skein. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 1–19. Springer, Heidelberg (2010) CrossRefGoogle Scholar
- 14.Knudsen, L.R., Matusiewicz, K., Thomsen, S.S.: Observations on the Shabal keyed permutation (2009). http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf
- 15.Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011) CrossRefGoogle Scholar
- 16.Standaert, F.-X., Piret, G., Gershenfeld, N., Quisquater, J.-J.: SEA: a scalable encryption algorithm for small embedded applications. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 222–236. Springer, Heidelberg (2006) CrossRefGoogle Scholar
- 17.Van Assche, G.: A rotational distinguisher on Shabal’s keyed permutation and its impact on the security proofs. http://gva.noekeon.org/papers/ShabalRotation.pdf