Abstract
In this paper, based on the work pioneered by Aumasson and Meier, Dinur et al., and Guo et al., we construct some new delicate structures from the roundreduced versions of Keccakhash function family. The new constructed structures are called cross-linear structures, because linear polynomials appear across in different equations of these structures. And we apply cross-linear structures to do preimage attacks on some instances of the round-reduced Keccak. There are three main contributions in this paper. First, we construct a kind of cross-linear structures by setting the statuses carefully. With these cross-linear structures, guessing the value of one linear polynomial could lead to three linear equations (including the guessed one). Second, for some special cases, e.g. the 3-round Keccakchallenge instance Keccak[r=240, c=160, nr=3], a more special kind of cross-linear structures is constructed, and these structures can be used to obtain seven linear equations (including the guessed) if the values of two linear polynomials are guessed. Third, as applications of the cross-linear structures, we practically found a preimage for the 3-round KeccakChallenge instance Keccak[r=240, c=160, nr=3]. Besides, by constructing similar cross-linear structures, the complexity of the preimage attack on 3-round Keccak-256/SHA3-256/SHAKE256 can be lowered to 2150/2151/2153 operations, while the previous best known result on Keccak-256 is 2192.
Highlights
The Keccaksponge function family [BDPA11] is designed by Bertoni et al and became a candidate of the Secure Hash Algorithm-3 [oST15] (SHA-3) competition [NIS] in 2008
Song et al proposed a practical collision attack on Keccak-224 reduced to 5 rounds [SLG17]
We focus on attacking this instance in this paper, because it has more similar initial status with Keccak-256/SHAKE 256/SHA3-256 than the instance Keccak[r = 1440, c = 160, nr = 3]
Summary
The Keccaksponge function family [BDPA11] is designed by Bertoni et al and became a candidate of the SHA-3 competition [NIS] in 2008. To encourage the practical analysis of the Keccaksponge functions, the Keccakteam organized the “KeccakCrunchy Crypto Collision and Preimage Contest” (KeccakChallenge for short) and presented challenges for reduced-round Keccakinstances, namely Keccak[c = 160, r = b − c] with b ≥ 200 [BDPA], where c is the capacity and b is the width. Using “1 → 3” cross-linear structures, a preimage of the instance Keccak[r = 240, c = 160, nr = 3] can be found in 248 operations. The “2 → 7” cross-linear structures enable us to find a preimage of the instance Keccak[r = 240, c = 160, nr = 3] in 245 operations. By using the similar attack done on the KeccakChallenge instance and dealing with the paddings carefully, we obtained new theoretical preimage complexities, say 2150/2151/2153 operations, on 3-round Keccak-256/SHA3-256/SHAKE256, while the previous known best result on Keccak-256 is 2192 [GLS16]. We prefix the calls made to a specific duplex object D by its name D and a dot
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
