Abstract
In this paper, we analyze the collision resistance of the two smallest versions of Keccak which have a width of 200 and 400 bits respectively. We show that algebraic and linearization techniques can serve collision cryptanalysis by using some interesting properties of the linear part of the round function of Keccak. We present an attack on the Keccak versions that could be used in lightweight cryptography reduced to two rounds. For Keccak[40, 160] (resp. Keccak[72, 128] and Keccak[144, 256]) our attack has a computational complexity of 273 (resp. 252.5 and 2101.5) Keccak calls.
Highlights
IntroductionThere is a plethora of cryptanalysis of keccak instances using cube-like attacks thanks to the very low degree of the round function: the only non-linear part is χ, which is quadratic
The family of primitives Keccak was designed by the Keccak team (Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche) as a candidate to the US National Institute of Standards and Technology’s hash function competition to create a new Secure Hash Algorithm standard
The first practical pre-image and collision attack on 2-round Keccak was introduced by Naya-Plasencia, Röck and Meier in 2011 using differential cryptanalysis [NRM11]
Summary
There is a plethora of cryptanalysis of keccak instances using cube-like attacks thanks to the very low degree of the round function: the only non-linear part is χ, which is quadratic. While those attacks are of interest to distinguish the Keccak-p permutations from a random permutation, it is unlikely to use them in a collision or pre-image attack on a Keccak instance. Previous techniques [NRM11, DDS12, DDS13, QSLG17, SLG17, GLL+20] which have been used to build squeeze attacks to get collisions in the output cannot be employed on small versions since the attacker can only control a small amount of bits between each iteration of Keccak-p[200] and Keccak-p[400].
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have