Practical Collision Attacks against Round-Reduced SHA-3

The Keccak hash function is the winner of the SHA-3 competition (2008–2012) and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced SHA-3 and some Keccak variants. Following the framework developed by Dinur et al. at FSE 2012 where...

Published in: Journal of cryptology 2020-01, Vol.33 (1), p.228-270
Main Authors: Guo, Jian; Liao, Guohong; Liu, Guozhen; Liu, Meicheng; Qiao, Kexin; Song, Ling
Format: Article
Language: English
container_end_page 270
container_issue 1
container_start_page 228
container_title Journal of cryptology
container_volume 33
creator Guo, Jian
Liao, Guohong
Liu, Guozhen
Liu, Meicheng
Qiao, Kexin
Song, Ling
description The Keccak hash function is the winner of the SHA-3 competition (2008–2012) and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced SHA-3 and some Keccak variants. Following the framework developed by Dinur et al. at FSE 2012 where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors to up to three rounds and hence achieve collision attacks for up to 6 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearizing S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. When linearization is applied to the first two rounds, 3-round connectors become possible. However, due to the quick reduction in the degree of freedom caused by linearization, the connector succeeds only when the 3-round differential trails satisfy some additional conditions. We develop dedicated strategies for searching differential trails and find that such special differential trails indeed exist. To summarize, we obtain the first real collisions on six instances, including three round-reduced instances of SHA-3, namely 5-round SHAKE128, SHA3-224 and SHA3-256, and three instances of Keccak contest, namely Keccak [1440, 160, 5, 160], Keccak [640, 160, 5, 160] and Keccak [1440, 160, 6, 160], improving the number of practically attacked rounds by two. It is remarked that the work here is still far from threatening the security of the full 24-round SHA-3 family.
doi_str_mv 10.1007/s00145-019-09313-3
format article
identifier ISSN: 0933-2790
ispartof Journal of cryptology, 2020-01, Vol.33 (1), p.228-270
issn 0933-2790
1432-1378
language eng
recordid cdi_proquest_journals_2343277484
source Springer Nature
subjects Coding and Information Theory
Collisions
Combinatorics
Communications Engineering
Computational Mathematics and Numerical Analysis
Computer Science
Connectors
Degrees of freedom
Linear equations
Linearization
Networks
Probability Theory and Stochastic Processes
title Practical Collision Attacks against Round-Reduced SHA-3