Non-full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak [chapter]

Ling Song, Guohong Liao, Jian Guo
2017 Lecture Notes in Computer Science  
The Keccak hash function is the winner of the SHA-3 competition and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced Keccak hash function, and two main results are achieved: the first practical collision attacks against 5-round Keccak-224 and an instance of 6-round Keccak collision challenge. Both improve the number of practically attacked rounds by one. These results are obtained by carefully studying the algebraic
more » ... s of the nonlinear layer in the underlying permutation of Keccak and applying linearization to it. In particular, techniques for partially linearizing the output bits of the nonlinear layer are proposed, utilizing which attack complexities are reduced significantly from the previous best results. Since the Keccak hash function was made public in 2008, it has attracted intensive cryptanalysis from the community [1, 9, 10, 11, 12, 13, 14, 15, 16, 18, 21] . In this paper, we mainly focus on the collision resistance of Keccak hash function, in particular those collision attacks with practical complexities. In collision attacks, the aim is to find two distinct messages which lead to the same hash digest. Up to date, the best practical collision attacks against Keccak-224/256 is for 4 out of 24 rounds due to Dinur et al.'s work [10] in 2012. These 4-round collisions were found by combining a 1-round connector and a 3-round differential trail. The same authors gave practical collision attacks for 3-round Keccak-384/512, and theoretical collision attacks for 5/4-round Keccak-256/384 in [11] using internal differentials. Following the work of Dinur et al., Qiao et al. [21] further introduced 2-round connectors by adding a fully linearized round to the 1-round connectors, and gave practical collisions for 5-round SHAKE128 and two 5-round instances of the Keccak collision challenge, as well as collision attack against 5-round Keccak-224 with theoretical complexities. To the best of our knowledge, there exists neither practical collision attacks against 5-round Keccak-224/256/384/512, nor solution for any 6-round instances of the Keccak collision challenge. Our contributions. We develop techniques of non-full linearizaion for the Keccak Sbox, upon which two major applications are found. Firstly, improved 2-round connectors are constructed and actual collisions are consequently found for 5-round Keccak-224. Secondly, we extend the connectors to 3 rounds, and apply it to Keccak[1440, 160, 6, 160] -a 6-round instance of the Keccak collision challenge, which leads to the first 6-round real collision of Keccak. These results are obtained by combining a differential trail and a connector which links the initial state of Keccak and the input of the trail. Our work benefits from two observations on linearization of the Keccak Sbox, which are necessary for building connectors for more than one round. One is to linearize part (not all) of the output bits of a non-active Sbox, at most 2 binary linear equations over the input bits are needed. The other is that, for an active Sbox whose entry in the differential distribution table (DDT) is 8, 4 out of 5 output bits are already linear when the input is chosen from the solution set. Note that to restrict the input to the solution set for such an Sbox, two linear equations of input bits are required, as noted by Dinur et al. in [10]. Therefore, for both non-active and active Sboxes, 2 or less equations can be used to linearize part of the output bits. In this paper, we call it non-full linearization. When all output bits of an Sbox need to be linearized, at least three equations of input bits are required as shown in [21] . So, the non-full linearization saves degrees of freedom on Sboxes where it is applicable. With this in mind, we apply techniques of non-full linearization to the first round permutation of Keccak-224, and successfully construct a 2-round connector with a much larger solution space, which brings the collision attack complexity against 5-round Keccak-224 from 2 101 down to practise. Applying techniques of non-full linearization to the second round, 3-round connectors are constructed for Keccak for the first time. Furthermore,
doi:10.1007/978-3-319-63715-0_15 fatcat:d3l4bvirhvarvoadjb2jw7qhxm