nach oben

Journal of Cryptology

Erschienen in:

01.04.2014

Improved Practical Attacks on Round-Reduced Keccak

verfasst von: Itai Dinur, Orr Dunkelman, Adi Shamir

Erschienen in: Journal of Cryptology | Ausgabe 2/2014

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The Keccak hash function is the winner of NIST’s SHA-3 competition, and so far it showed remarkable resistance against practical collision finding attacks: After several years of cryptanalysis and a lot of effort, the largest number of Keccak rounds for which actual collisions were found was only 2. In this paper, we develop improved collision finding techniques which enable us to double this number. More precisely, we can now find within a few minutes on a single PC actual collisions in the standard Keccak-224 and Keccak-256, where the only modification is to reduce their number of rounds to 4. When we apply our techniques to 5-round Keccak, we can get in a few days near collisions, where the Hamming distance is 5 in the case of Keccak-224 and 10 in the case of Keccak-256. Our new attack combines differential and algebraic techniques, and uses the fact that each round of Keccak is only a quadratic mapping in order to efficiently find pairs of messages which follow a high probability differential characteristic. Since full Keccak has 24 rounds, our attack does not threaten the security of the hash function.

Nächster Artikel Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

We note that the target difference is not a valid initial difference of the permutation, which fixes many of the state bits to pre-defined values. As a result, the high probability characteristic cannot be used to extend the results of [18] by an additional round.

In general, we can choose messages of different lengths which do not necessarily have an integral number of bytes. However, the additional restrictions do not have a significant impact on our attacks.

As demonstrated in Sect. 4.1, a large number of solutions is expected unless there are many non-active Sboxes. This should be contrasted to differential attacks, where the attacker searches for differential characteristics with many non-active Sboxes, which ensure that the differential transitions occur with high probability.

In order to detect that the difference transition within the second Sbox layer is impossible for all the pairs in our subset, we try several arbitrary pairs in the subset, and observe if at least one has the desired difference after two rounds. Since we only need to check one Sbox layer transition, we expect that if this transition is indeed possible, we will find a corresponding message pair very quickly. Otherwise, we have to find a different set of message pairs by running the difference phase again.

[1]

M.R. Albrecht, C. Cid, Algebraic techniques in differential cryptanalysis, in Dunkelman [13], pp. 193–208

[2]

J.-P. Aumasson, W. Meier, Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. NIST mailing list, 2009

[3]

D.J. Bernstein, Second preimages for 6 (7? (8??)) rounds of Keccak? NIST mailing list, 2010

[4]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, Sponge functions. Presented at the ECRYPT Hash Workshop, 2007

[5]

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, The Keccak SHA-3 submission. Submission to NIST (Round 3), 2011

[6]

C. Boura, A. Canteaut, Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256, in Selected Areas in Cryptography, ed. by A. Biryukov, G. Gong, D.R. Stinson. Lecture Notes in Computer Science, vol. 6544 (Springer, Berlin, 2010), pp. 1–17 CrossRef

[7]

C. Boura, A. Canteaut, C. De Cannière, Higher-order differential properties of Keccak and Luffa, in FSE, ed. by A. Joux. Lecture Notes in Computer Science, vol. 6733 (Springer, Berlin, 2011), pp. 252–269

[8]

A. Canteaut (ed.), Fast Software Encryption—19th International Workshop, FSE 2012, Washington, DC, USA, March 19–21, 2012. Lecture Notes in Computer Science, vol. 7549 (Springer, Berlin, 2012), Revised selected papers MATH

[9]

J. Daemen, G. Van Assche, Differential propagation analysis of Keccak, in Canteaut [8], pp. 422–441

[10]

J. Daemen, V. Rijmen, Plateau characteristics. IET Inf. Secur. 1(1), 11–17 (2007) CrossRef

[11]

M. Duan, X. Lai, Improved zero-sum distinguisher for full round Keccak-f permutation. Cryptology ePrint Archive, Report 2011/023, 2011

[12]

A. Duc, J. Guo, T. Peyrin, L. Wei, Unaligned rebound attack: application to Keccak, in Canteaut [8], pp. 402–421

[13]

O. Dunkelman (ed.), Fast Software Encryption, 16th International Workshop, FSE 2009, Leuven, Belgium, February 22–25, 2009. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), Revised selected papers MATH

[14]

D. Khovratovich, Cryptanalysis of hash functions with structures, in Selected Areas in Cryptography, ed. by M.J. Jacobson Jr., V. Rijmen, R. Safavi-Naini. Lecture Notes in Computer Science, vol. 5867 (Springer, Berlin, 2009), pp. 108–125 CrossRef

[15]

D. Khovratovich, A. Biryukov, I. Nikolic, Speeding up collision search for byte-oriented hash functions, in CT-RSA, ed. by M. Fischlin. Lecture Notes in Computer Science, vol. 5473 (Springer, Berlin, 2009), pp. 164–181

[16]

F. Mendel, C. Rechberger, M. Schläffer, S.S. Thomsen, The rebound attack: cryptanalysis of reduced Whirlpool and Grøstl, in Dunkelman [13], pp. 260–276

[17]

P. Morawiecki, M. Srebrny, A SAT-based preimage analysis of reduced KECCAK hash functions. Cryptology ePrint Archive, Report 2010/285, 2010

[18]

M. Naya-Plasencia, A. Röck, W. Meier, Practical analysis of reduced-round Keccak, in Progress in Cryptology—INDOCRYPT 2011, ed. by D.J. Bernstein, S. Chatterjee. Lecture Notes in Computers Science, vol. 7107 (Springer, Heidelberg, 2011)

[19]

The Keccak team, Keccak crunchy crypto collision and pre-image contest, 2011

Titel: Improved Practical Attacks on Round-Reduced Keccak
verfasst von: Itai Dinur
Orr Dunkelman
Adi Shamir
Publikationsdatum: 01.04.2014
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 2/2014
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-012-9142-5

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2014

On Strong Simulation and Composable Point Obfuscation

On the Amortized Complexity of Zero-Knowledge Protocols

Computationally Secure Pattern Matching in the Presence of Malicious Adversaries

Four-Dimensional Gallant–Lambert–Vanstone Scalar Multiplication

Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting