Unaligned Rebound Attack: Application to Keccak

Duc, Alexandre; Guo, Jian; Peyrin, Thomas; Wei, Lei

doi:10.1007/978-3-642-34047-5_23

Cited by 43 publications

(35 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recently, new results were published on the differential resistance of this function and among those heuristic techniques were proposed to build low-weight differential trails [12,15]. These gave the currently best trails for 3, 4 and 5 rounds of the underlying permutation Keccak-f [1600].…”

Section: Introductionmentioning

confidence: 99%

Differential Propagation Analysis of Keccak

Daemen

Assche

2012

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. In this paper we introduce new concepts that help read and understand low-weight differential trails in Keccak. We then propose efficient techniques to exhaustively generate all 3-round trails in its largest permutation below a given weight. This allows us to prove that any 6-round differential trail in Keccak-f [1600] has weight at least 74. In the worst-case diffusion scenario where the mixing layer acts as the identity, we refine the lower bound to 82 by systematically constructing trails using a specific representation of states.

show abstract

Section: Introductionmentioning

confidence: 99%

Differential Propagation Analysis of Keccak

Daemen

Assche

2012

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…Namely, we require that there exists a low Hamming weight state u 0 ∈ [i, v 0 ] in the CP-kernel (otherwise θ will significantly increase the weight of the internal difference already in the first round). Techniques to find state differences that stay in the CP-kernel for two consecutive rounds were described in [11,14,21] in order to construct low Hamming weight classical differential characteristics. Here, we use these techniques in a straightforward way in order to construct low Hamming weight internal differential characteristics that fulfill the two constraints: As done in several previous paper which analyze standard differential characteristics of Keccak, we first assume that the χ mappings act as an identity on the input internal differences (this is typically possible when the input internal difference is of low weight).…”

Section: Practical Collisions In 3-round Keccak-384mentioning

confidence: 99%

Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials

Dinur

Dunkelman

Shamir

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. On October 2-nd 2012 NIST announced its selection of the Keccak scheme as the new SHA-3 hash standard. In this paper we present the first published collision finding attacks on reduced-round versions of Keccak-384 and Keccak-512, providing actual collisions for 3-round versions, and describing an attack which is 2 45 times faster than birthday attacks for 4-round Keccak-384. For Keccak-256, we increase the number of rounds which can be attacked to 5. All these results are based on a generalized internal differential attack (introduced by Peyrin at Crypto 2010), and use it to map a large number of Keccak inputs into a relatively small subset of possible outputs with a surprisingly large probability. In such a squeeze attack it is easier to find random collisions in the reduced target subset by a standard birthday argument.

show abstract

“…However, extending such a characteristic to more rounds in a similar way is more challenging, since we have to ensure that the state differential before the application of θ remains in the CP-kernel at the beginning of each round. In [9] and [14], the authors propose algorithms for constructing low Hamming weight differential characteristics for Keccak. Both of these algorithms successfully find differential characteristics that stay in the CP-kernel for 2 rounds (named double kernel trails in [14]), some of which lead to collisions on the n-bit extract taken from the final state after 2 rounds, with high probability.…”

Section: Searching For Differential Characteristicsmentioning

confidence: 99%

“…Our attacks on round-reduced Keccak make use of the type of differential characteristics that were found in [9] and [14], namely low Hamming weight characteristics that stay in the CP-kernel for 2 rounds. The double kernel trails with the highest probability have Hamming weight of 6 at the input to the initial round, and due to their low hamming weight, we could easily find all these characteristics within a minute on a standard PC.…”

Section: Searching For Differential Characteristicsmentioning

confidence: 99%

“…Since the characteristics that we use start with a low Hamming weight state difference, we can extend them backwards by one round without reducing their probability significantly (as done in [9]): we take this low Hamming weight initial state difference, and choose a valid state difference input to the previous Sbox layer which could produce it. We then apply L −1 , and obtain a new initial state difference for the extended characteristic, which serves as a target difference for our new algorithm.…”

Section: Searching For Differential Characteristicsmentioning

confidence: 99%

See 1 more Smart Citation

New Attacks on Keccak-224 and Keccak-256

Dinur

Dunkelman

Shamir

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The Keccak hash function is one of the five finalists in NIST's SHA-3 competition, and so far it showed remarkable resistance against practical collision finding attacks: After several years of cryptanalysis and a lot of effort, the largest number of Keccak rounds for which actual collisions were found was only 2. In this paper we develop improved collision finding techniques which enable us to double this number. More precisely, we can now find within a few minutes on a single PC actual collisions in standard Keccak-224 and Keccak-256, where the only modification is to reduce their number of rounds to 4. When we apply our techniques to 5-round Keccak, we can get in a few days excellent near collisions, where the Hamming distance is 5 in the case of Keccak-224 and 10 in the case of Keccak-256. Our new attack combines differential and algebraic techniques, and uses the fact that each round of Keccak is only a quadratic mapping in order to efficiently find pairs of messages which follow a high probability differential characteristic.

show abstract

Unaligned Rebound Attack: Application to Keccak

Cited by 43 publications

References 18 publications

Differential Propagation Analysis of Keccak

Differential Propagation Analysis of Keccak

Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials

New Attacks on Keccak-224 and Keccak-256

Contact Info

Product

Resources

About