Exploiting output bits and the $$\chi $$ operation in MitM preimage attacks on Keccak
- Research Article
- IACR Transactions on Symmetric Cryptology, Mar 19, 2021
- doi:10.46586/tosc.v2021.i1.217-238
This paper provides an improved preimage attack method on standard 4-round Keccak-224/256. The method is based on the work pioneered by Li and Sun, who designed a linear structure of 2-round Keccak-224/256 with 194 degrees of freedom left. By partially linearizing 17 output bits through the last 2 rounds, they finally reach a complexity of $2^{207}$/$2^{239}$ for searching a 4-round preimage. Yet under their strategy, those 17 bits are regarded as independent bits and the linearization costs a great amount of freedom. Inspired by their thoughts, we improve the partial linearization method so that multiple output bits can reuse some common degrees of freedom. As a result, the complexity of the preimage attack on 4-round Keccak-224/256 can be decreased to $2^{192}$/$2^{218}$, which are both the best known theoretical preimage cryptanalysis results so far. To support the theoretical analysis, we apply our strategy to a 64-bit partial preimage attack within practical complexity. It is remarkable that this partial linearization method can be directly applied if a better linear structure with more freedom left is proposed.
- Book Chapter
- Jan 1, 2016
- doi:10.1007/978-3-662-53887-6_9
In this paper, we analyze the security of round-reduced versions of the Keccak hash function family. Based on the work pioneered by Aumasson and Meier, and Dinur et al., we formalize and develop a technique named linear structure, which allows linearization of the underlying permutation of Keccak for up to 3 rounds with a large number of variable spaces. As a direct application, it extends the best zero-sum distinguishers by 2 rounds without increasing the complexities. We also apply linear structures to preimage attacks against Keccak. By carefully studying the properties of the underlying S-box, we show bilinear structures and find ways to convert the information on the output bits to linear functions on input bits. These findings, combined with linear structures, lead us to preimage attacks against up to 4-round Keccak with reduced complexities. An interesting feature of such preimage attacks is low complexities for small variants. As extreme examples, we can now find preimages of 3-round SHAKE128 with complexity 1, as well as the first practical solutions to two 3-round instances of the Keccak challenge. Both zero-sum distinguishers and preimage attacks are verified by implementations. It is noted that the attacks here are still far from threatening the security of the full 24-round Keccak.
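The two abstracts above rest on a handful of row-level facts about the χ step: χ is quadratic and its inverse is cubic; a row stays linear in its variables only while no two variable positions are adjacent (the seed of a "linear structure"); and a known output bit turns into a linear equation on the input once one neighbouring input bit is fixed, with one such condition able to serve two output bits at once (the "reuse of common degrees of freedom" the 2021 abstract argues for). The script below is an added illustration written for this page, not code from either paper; it brute-forces these facts on a single 5-bit row in isolation, ignores θ, ρ and π and the multi-round structures the papers actually build, and every function name in it is the example's own.

```python
"""Row-level facts about Keccak's chi step, checked by brute force.

Added example for this page, not code from either paper. One 5-bit row is
treated in isolation: b[i] = a[i] XOR (NOT a[i+1] AND a[i+2]), indices mod 5.
"""
from itertools import combinations, product


def chi_row(a):
    """chi on one 5-bit row (a sequence of 0/1 bits), returned as a tuple."""
    return tuple(a[i] ^ ((a[(i + 1) % 5] ^ 1) & a[(i + 2) % 5]) for i in range(5))


ALL_ROWS = [tuple((x >> j) & 1 for j in range(5)) for x in range(32)]
CHI_INV = {chi_row(a): a for a in ALL_ROWS}  # chi is a bijection on rows


def chi_row_inv(b):
    """Inverse of chi_row, by table lookup."""
    return CHI_INV[tuple(b)]


def anf_degree(f):
    """Algebraic degree of a Boolean function f: 5-bit tuple -> bit, via the
    Moebius transform (truth table -> algebraic normal form coefficients)."""
    coeffs = [f(row) for row in ALL_ROWS]
    for j in range(5):
        for x in range(32):
            if x & (1 << j):
                coeffs[x] ^= coeffs[x ^ (1 << j)]
    return max((bin(x).count("1") for x in range(32) if coeffs[x]), default=-1)


def is_affine(f, k):
    """True iff f: k-bit tuple -> bit is affine over GF(2). An affine f is fixed
    by f(0) and the values f(e_j) on unit vectors; check every point against
    that model."""
    c = f((0,) * k)
    lin = [f(tuple(int(j == i) for j in range(k))) ^ c for i in range(k)]
    for x in product((0, 1), repeat=k):
        pred = c
        for xi, li in zip(x, lin):
            pred ^= xi & li
        if f(x) != pred:
            return False
    return True


def output_bit_affine_in(var_positions, base, out_idx):
    """Is chi output bit out_idx affine in the row bits at var_positions, with
    every other row bit fixed to its value in base?"""
    var_positions = list(var_positions)

    def f(x):
        row = list(base)
        for p, v in zip(var_positions, x):
            row[p] = v
        return chi_row(row)[out_idx]

    return is_affine(f, len(var_positions))


def linear_variable_sets():
    """Variable position sets for which every output bit stays affine whatever
    the constant bits are: the row-level 'linear structures'."""
    return [vs for k in range(1, 6) for vs in combinations(range(5), k)
            if all(output_bit_affine_in(vs, base, o)
                   for base in ALL_ROWS for o in range(5))]


def bits_linearized_by_fixing(p):
    """Output bits that become affine in the other four row bits once input
    position p is fixed (for either value of that bit)."""
    free = [q for q in range(5) if q != p]
    return {o for o in range(5)
            if all(output_bit_affine_in(free, base, o) for base in ALL_ROWS)}


def min_conditions(out_bits):
    """Fewest input positions to fix so that all of out_bits are affine in the
    remaining positions. Handling each output bit on its own would cost one
    fixed position per bit; letting bits share a condition costs fewer."""
    out_bits = set(out_bits)
    for k in range(5):
        for fixed in combinations(range(5), k):
            free = [p for p in range(5) if p not in fixed]
            if all(output_bit_affine_in(free, base, o)
                   for o in out_bits for base in ALL_ROWS):
                return k
    return 5  # not reached: one free bit is always affine


if __name__ == "__main__":
    print("deg chi    :", anf_degree(lambda a: chi_row(a)[0]))
    print("deg chi^-1 :", anf_degree(lambda b: chi_row_inv(b)[0]))
    print("linear sets:", linear_variable_sets())
    for p in range(5):
        print(f"fix a[{p}] -> affine output bits {sorted(bits_linearized_by_fixing(p))}")
    print("conditions for b0,b1 jointly :", min_conditions({0, 1}))
    print("conditions for all five bits :", min_conditions(range(5)))
```

Running it shows the row-level version of each claim: the only multi-variable linear sets are the five non-adjacent pairs, so a row carries at most two free variables through χ linearly; fixing a single input bit a[p] linearizes exactly the two output bits b[p-1] and b[p-2], so the pair b0, b1 costs one condition rather than two; and linearizing a whole row costs three conditions rather than five. In the real attacks the conditions are linear equations on the sponge's free variables and the accounting runs across rounds, but the trade-off being optimised is this one.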
- Research Article
- IET Information Security, Sep 1, 2013
- doi:10.1049/iet-ifs.2012.0035
In this study the authors propose a new multivariate hash function within the HAsh Iterative FrAmework (HAIFA), which they call the hash function quadratic polynomials multiplying linear polynomials (QML). The new hash function is made of cubic polynomials which are the products of quadratic polynomials and linear polynomials. The authors design the quadratic-polynomial part of the compression function based on the centre map of the multivariate public key cryptosystem Matsumoto-Imai (MI). The hash function QML can keep the three cryptographic properties and be immune to the pre-image attack, second pre-image attack, collision attack, differential attack and algebraic attack. The required memory storage is about 50% of that of a hash function built from cubic polynomials with random coefficients. On the avalanche effect, the authors obtain by experiment the result that about one half of the output bits change when one randomly chosen input bit is changed. The one-round diffusion of the hash function QML is twice that of BLAKE. The authors also simplify the matrices of the new hash function, analyse the rationale and show comparative data. Finally, the authors give advice on the parameters of the new hash function and summarise the paper.