Difference between revisions of "Keccak"
Mschlaeffer (talk | contribs) m (references updated) |
Mschlaeffer (talk | contribs) (cryptanalysis results updated) |
||
| Line 114: | Line 114: | ||
|- style="background:#efefef;" | |- style="background:#efefef;" | ||
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
| + | |- | ||
| + | | distinguisher || permutation || all || 8 rounds || 2<sup>491.47</sup> || ? || [http://eprint.iacr.org/2011/420.pdf Duc,Guo,Peyrin,Wei] | ||
| + | |- | ||
| + | | collision || hash || 160 || r=1440, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Duc,Guo,Peyrin,Wei] | ||
| + | |- | ||
| + | | collision || hash || 160 || r={240,640,1440}, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Morawiecki] | ||
| + | |- | ||
| + | | preimage || hash || 80 || r={240,640,1440}, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Morawiecki] | ||
|- | |- | ||
| distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai] | | distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai] | ||
| Line 137: | Line 145: | ||
<sup>(2)</sup>The Keccak team estimated the complexity of this attack with 2<sup>34.11</sup> evaluations of 3-rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>). | <sup>(2)</sup>The Keccak team estimated the complexity of this attack with 2<sup>34.11</sup> evaluations of 3-rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>). | ||
| + | |||
| + | <bibtex> | ||
| + | @misc{cryptoeprint:2011:420, | ||
| + | author = {Alexandre Duc and Jian Guo and Thomas Peyrin and Lei Wei}, | ||
| + | title = {Unaligned Rebound Attack - Application to Keccak}, | ||
| + | howpublished = {Cryptology ePrint Archive, Report 2011/420}, | ||
| + | year = {2011}, | ||
| + | url = {http://eprint.iacr.org/2011/420.pdf}, | ||
| + | abstract = {We analyze the internal permutations of Keccak, one of the NIST SHA-3 competition finalists, in regard to differential properties. By carefully studying the elements composing those permutations, we are able to derive most of the best known differential paths for up to 5 rounds. We use these differential paths in a rebound attack setting and adapt this powerful freedom degrees utilization in order to derive distinguishers for up to 8 rounds of the internal permutations of the submitted version of Keccak. The complexity of the 8 round distinguisher is $2^{491.47}$. Our results have been implemented and verified experimentally on a small version of Keccak. This is currently the best known differential attack against the internal permutations of Keccak.}, | ||
| + | } | ||
| + | </bibtex> | ||
| + | |||
| + | <bibtex> | ||
| + | @misc{KeccakDucPW11, | ||
| + | author = {Alexandre Duc and Jian Guo and Thomas Peyrin and Lei Wei}, | ||
| + | title = {Collisions for Keccak[r=1440,c=160,nr={1,2}]}, | ||
| + | url = {http://keccak.noekeon.org/crunchy_contest.html}, | ||
| + | howpublished = {Keccak website}, | ||
| + | year = {2011}, | ||
| + | } | ||
| + | </bibtex> | ||
| + | |||
| + | <bibtex> | ||
| + | @misc{KeccakMorawiecki11, | ||
| + | author = {Pawel Morawiecki}, | ||
| + | title = {Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]}, | ||
| + | url = {http://keccak.noekeon.org/crunchy_contest.html}, | ||
| + | howpublished = {Keccak website}, | ||
| + | year = {2011}, | ||
| + | } | ||
| + | </bibtex> | ||
<bibtex> | <bibtex> | ||
Latest revision as of 08:52, 1 September 2011
1 The algorithm
- Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
- Website: http://keccak.noekeon.org/
- NIST submission package:
- Round 3: Keccak_FinalRnd.zip
- Round 2: Keccak_Round2.zip
- Round 1: Keccak.zip
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - The Keccak SHA-3 submission
- ,2011
- http://keccak.noekeon.org/Keccak-submission-3.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : The Keccak SHA-3 submission
In : -
Address :
Date : 2011
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - The Keccak reference
- ,2011
- http://keccak.noekeon.org/Keccak-reference-3.0.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : The Keccak reference
In : -
Address :
Date : 2011
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Cryptographic sponge functions
- ,2011
- http://sponge.noekeon.org/CSF-0.1.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Cryptographic sponge functions
In : -
Address :
Date : 2011
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak specifications
- ,2009
- http://keccak.noekeon.org/Keccak-specifications-2.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak specifications
In : -
Address :
Date : 2009
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak sponge function family main document
- ,2009
- http://keccak.noekeon.org/Keccak-main-2.0.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak sponge function family main document
In : -
Address :
Date : 2009
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak specifications
- ,2008
- http://keccak.noekeon.org/Keccak-specifications.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak specifications
In : -
Address :
Date : 2008
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak sponge function family main document
- ,2008
- http://keccak.noekeon.org/Keccak-main-1.0.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak sponge function family main document
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameter: 24 rounds (Keccak-f [1600])
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
| 2nd preimage | 512 | 6 rounds | 2506 | 2176 | Bernstein |
| 2nd preimage | 512 | 7 rounds | 2507 | 2320 | Bernstein |
| 2nd preimage | 512 | 8 rounds | 2511.5 | 2508 | Bernstein |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| distinguisher | permutation | all | 8 rounds | 2491.47 | ? | Duc,Guo,Peyrin,Wei |
| collision | hash | 160 | r=1440, c=160, nr={1,2} | example | Duc,Guo,Peyrin,Wei | |
| collision | hash | 160 | r={240,640,1440}, c=160, nr={1,2} | example | Morawiecki | |
| preimage | hash | 80 | r={240,640,1440}, c=160, nr={1,2} | example | Morawiecki | |
| distinguisher | permutation | all | 24 rounds | 21579 | Duan,Lai | |
| distinguisher | permutation | all | 24 rounds | 21590 | Boura,Canteaut,DeCanniere | |
| distinguisher | permutation | all | 20 rounds | 21586 | Boura,Canteaut | |
| preimage(2) | hash | 1024 | 3 rounds, 40 bit message | 1852 seconds (234.11) | ? | Morawiecki,Srebrny |
| distinguisher(1) | permutation | all | 18 rounds | 21370 | Boura,Canteaut | |
| distinguisher(1) | permutation | all | 16 rounds | 21023.88 | Aumasson,Meier | |
| key recovery | secret-prefix MAC | 224 | 4 rounds | 219 | ? | Lathrop |
| observations | permutation | all | Aumasson,Khovratovich |
(1)The Keccak team commented on these distinguishers and provide generic constructions in this note.
(2)The Keccak team estimated the complexity of this attack with 234.11 evaluations of 3-rounds of Keccak-f[1600] in this note (exhaustive search: 240).
Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei - Unaligned Rebound Attack - Application to Keccak
- ,2011
- http://eprint.iacr.org/2011/420.pdf
BibtexAuthor : Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei
Title : Unaligned Rebound Attack - Application to Keccak
In : -
Address :
Date : 2011
Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei - Collisions for Keccak[r=1440,c=160,nr={1,2}]
- ,2011
- http://keccak.noekeon.org/crunchy_contest.html
BibtexAuthor : Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei
Title : Collisions for Keccak[r=1440,c=160,nr={1,2}]
In : -
Address :
Date : 2011
Pawel Morawiecki - Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]
- ,2011
- http://keccak.noekeon.org/crunchy_contest.html
BibtexAuthor : Pawel Morawiecki
Title : Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]
In : -
Address :
Date : 2011
Ming Duan, Xuajia Lai - Improved zero-sum distinguisher for full round Keccak-f permutation
- ,2011
- http://eprint.iacr.org/2011/023.pdf
BibtexAuthor : Ming Duan, Xuajia Lai
Title : Improved zero-sum distinguisher for full round Keccak-f permutation
In : -
Address :
Date : 2011
Daniel J. Bernstein - Second preimages for 6 (7? (8??)) rounds of Keccak?
- ,2010
- http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt
BibtexAuthor : Daniel J. Bernstein
Title : Second preimages for 6 (7? (8??)) rounds of Keccak?
In : -
Address :
Date : 2010
Christina Boura, Anne Canteaut, Christophe De Canniere - Higher-order differential properties of Keccak and Luffa
- ,2010
- http://eprint.iacr.org/2010/589.pdf
BibtexAuthor : Christina Boura, Anne Canteaut, Christophe De Canniere
Title : Higher-order differential properties of Keccak and Luffa
In : -
Address :
Date : 2010
Christina Boura, Anne Canteau - Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256
- SAC 6544:1-17,2010
- http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf
BibtexAuthor : Christina Boura, Anne Canteau
Title : Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256
In : SAC -
Address :
Date : 2010
Pawel Morawiecki, Marian Srebrny - A SAT-based preimage analysis of reduced KECCAK hash functions
- ,2010
- http://eprint.iacr.org/2010/285.pdf
BibtexAuthor : Pawel Morawiecki, Marian Srebrny
Title : A SAT-based preimage analysis of reduced KECCAK hash functions
In : -
Address :
Date : 2010
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Note on zero-sum distinguishers of Keccak-f
- ,2010
- http://keccak.noekeon.org/NoteZeroSum.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Note on zero-sum distinguishers of Keccak-f
In : -
Address :
Date : 2010
Christina Boura, Anne Canteaut - A Zero-Sum property for the Keccak-f Permutation with 18 Rounds
- ,2010
- http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf
BibtexAuthor : Christina Boura, Anne Canteaut
Title : A Zero-Sum property for the Keccak-f Permutation with 18 Rounds
In : -
Address :
Date : 2010
Jean-Philippe Aumasson, Willi Meier - Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
- ,2009
- http://www.131002.net/data/papers/AM09.pdf
BibtexAuthor : Jean-Philippe Aumasson, Willi Meier
Title : Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
In : -
Address :
Date : 2009
Joel Lathrop - Cube Attacks on Cryptographic Hash Functions
- ,2009
- http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf
BibtexAuthor : Joel Lathrop
Title : Cube Attacks on Cryptographic Hash Functions
In : -
Address :
Date : 2009
Jean-Philippe Aumasson, Dmitry Khovratovich - First Analysis of Keccak
