Difference between revisions of "Keccak"
m (updated link to round 2 submission) |
Mschlaeffer (talk | contribs) (cryptanalysis results updated) |
||
(20 intermediate revisions by 3 users not shown) | |||
Line 4: | Line 4: | ||
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] | * Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] | ||
* NIST submission package: | * NIST submission package: | ||
− | ** | + | ** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Keccak_FinalRnd.zip Keccak_FinalRnd.zip] |
− | ** | + | ** Round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip] |
+ | ** Round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip] | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{KeccakSub3, | ||
+ | author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche}, | ||
+ | title = {The Keccak SHA-3 submission}, | ||
+ | url = {http://keccak.noekeon.org/Keccak-submission-3.pdf}, | ||
+ | howpublished = {Submission to NIST (Round 3)}, | ||
+ | year = {2011}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{KeccakRef3, | ||
+ | author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche}, | ||
+ | title = {The Keccak reference}, | ||
+ | url = {http://keccak.noekeon.org/Keccak-reference-3.0.pdf}, | ||
+ | howpublished = {Submission to NIST (Round 3)}, | ||
+ | year = {2011}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{KeccakSponge3, | ||
+ | author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche}, | ||
+ | title = {Cryptographic sponge functions}, | ||
+ | url = {http://sponge.noekeon.org/CSF-0.1.pdf}, | ||
+ | howpublished = {Submission to NIST (Round 3)}, | ||
+ | year = {2011}, | ||
+ | } | ||
+ | </bibtex> | ||
<bibtex> | <bibtex> | ||
Line 48: | Line 79: | ||
</bibtex> | </bibtex> | ||
+ | == Cryptanalysis == | ||
+ | |||
+ | We distinguish between two cases: results on the complete hash function, and results on underlying building blocks. | ||
+ | |||
+ | A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here]. | ||
+ | |||
+ | Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600]) | ||
+ | |||
+ | |||
+ | === Hash function === | ||
+ | |||
+ | Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter. | ||
+ | |||
+ | {| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" | ||
+ | |- style="background:#efefef;" | ||
+ | | Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference | ||
+ | |- | ||
+ | | 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein] | ||
+ | |- | ||
+ | | 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein] | ||
+ | |- | ||
+ | | 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein] | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | |||
+ | === Building blocks === | ||
+ | Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter. | ||
− | + | Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). | |
− | {| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" | + | {| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" |
|- style="background:#efefef;" | |- style="background:#efefef;" | ||
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
− | |||
− | |||
|- | |- | ||
− | | | + | | distinguisher || permutation || all || 8 rounds || 2<sup>491.47</sup> || ? || [http://eprint.iacr.org/2011/420.pdf Duc,Guo,Peyrin,Wei] |
+ | |- | ||
+ | | collision || hash || 160 || r=1440, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Duc,Guo,Peyrin,Wei] | ||
+ | |- | ||
+ | | collision || hash || 160 || r={240,640,1440}, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Morawiecki] | ||
+ | |- | ||
+ | | preimage || hash || 80 || r={240,640,1440}, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Morawiecki] | ||
+ | |- | ||
+ | | distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai] | ||
+ | |- | ||
+ | | distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere] | ||
+ | |- | ||
+ | | distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut] | ||
+ | |- | ||
+ | | preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny] | ||
+ | |- | ||
+ | | distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut] | ||
|- | |- | ||
− | | distinguisher || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier] | + | | distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier] |
|- | |- | ||
+ | | key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop] | ||
+ | |- | ||
+ | | observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich] | ||
+ | |- | ||
|} | |} | ||
− | |||
− | |||
+ | <sup>(1)</sup>The Keccak team commented on these distinguishers and provide generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note]. | ||
+ | |||
+ | <sup>(2)</sup>The Keccak team estimated the complexity of this attack with 2<sup>34.11</sup> evaluations of 3-rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>). | ||
+ | |||
+ | |||
+ | <bibtex> | ||
+ | @misc{cryptoeprint:2011:420, | ||
+ | author = {Alexandre Duc and Jian Guo and Thomas Peyrin and Lei Wei}, | ||
+ | title = {Unaligned Rebound Attack - Application to Keccak}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2011/420}, | ||
+ | year = {2011}, | ||
+ | url = {http://eprint.iacr.org/2011/420.pdf}, | ||
+ | abstract = {We analyze the internal permutations of Keccak, one of the NIST SHA-3 competition finalists, in regard to differential properties. By carefully studying the elements composing those permutations, we are able to derive most of the best known differential paths for up to 5 rounds. We use these differential paths in a rebound attack setting and adapt this powerful freedom degrees utilization in order to derive distinguishers for up to 8 rounds of the internal permutations of the submitted version of Keccak. The complexity of the 8 round distinguisher is $2^{491.47}$. Our results have been implemented and verified experimentally on a small version of Keccak. This is currently the best known differential attack against the internal permutations of Keccak.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{KeccakDucPW11, | ||
+ | author = {Alexandre Duc and Jian Guo and Thomas Peyrin and Lei Wei}, | ||
+ | title = {Collisions for Keccak[r=1440,c=160,nr={1,2}]}, | ||
+ | url = {http://keccak.noekeon.org/crunchy_contest.html}, | ||
+ | howpublished = {Keccak website}, | ||
+ | year = {2011}, | ||
+ | } | ||
+ | </bibtex> | ||
<bibtex> | <bibtex> | ||
− | @misc{ | + | @misc{KeccakMorawiecki11, |
− | author = {Jean-Philippe Aumasson and | + | author = {Pawel Morawiecki}, |
− | title = { | + | title = {Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]}, |
− | url = {http://131002.net/data/papers/ | + | url = {http://keccak.noekeon.org/crunchy_contest.html}, |
− | howpublished = { | + | howpublished = {Keccak website}, |
+ | year = {2011}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{cryptoeprint:2011:023, | ||
+ | author = {Ming Duan and Xuajia Lai}, | ||
+ | title = {Improved zero-sum distinguisher for full round Keccak-f permutation}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2011/023}, | ||
+ | year = {2011}, | ||
+ | url = {http://eprint.iacr.org/2011/023.pdf}, | ||
+ | abstract = {K$\textsc{eccak}$ is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called K$\textsc{eccak}$-$f$. In this paper, we find that for the inverse of the only one nonlinear transformation of K$\textsc{eccak}$-$f$, the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3 and also 2 less than its size 5. Combining the observation with a proposition from an upper bound on the degree of iterated permutations, we improve the zero-sum distinguisher of full 24 rounds K$\textsc{eccak}$-$f$ permutation by lowering the size of the zero-sum partition from $2^{1590}$ to $2^{1579}$.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{KeccakBernstein10, | ||
+ | author = {Daniel J. Bernstein}, | ||
+ | title = {Second preimages for 6 (7? (8??)) rounds of Keccak?}, | ||
+ | url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt}, | ||
+ | howpublished = {NIST mailing list}, | ||
+ | year = {2010}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{cryptoeprint:2009:224, | ||
+ | author = {Christina Boura and Anne Canteaut and Christophe De Canniere}, | ||
+ | title = {Higher-order differential properties of Keccak and Luffa}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2010/589}, | ||
+ | year = {2010}, | ||
+ | url = {http://eprint.iacr.org/2010/589.pdf}, | ||
+ | abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @inproceedings{sacBC10, | ||
+ | author = {Christina Boura, Anne Canteau}, | ||
+ | title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256}, | ||
+ | url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf}, | ||
+ | booktitle = {SAC}, | ||
+ | year = {2010}, | ||
+ | series = {LNCS}, | ||
+ | pages = {1-17}, | ||
+ | publisher = {Springer}, | ||
+ | volume = {6544}, | ||
+ | abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.} | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{keccakMS10, | ||
+ | author = {Pawel Morawiecki and Marian Srebrny}, | ||
+ | title = {A SAT-based preimage analysis of reduced KECCAK hash functions}, | ||
+ | url = {http://eprint.iacr.org/2010/285.pdf}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2010/285}, | ||
+ | year = {2010}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{KeccakNoteZeroSum, | ||
+ | author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche}, | ||
+ | title = {Note on zero-sum distinguishers of Keccak-f}, | ||
+ | url = {http://keccak.noekeon.org/NoteZeroSum.pdf}, | ||
+ | howpublished = {NIST mailing list}, | ||
+ | year = {2010}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{keccakBC10, | ||
+ | author = {Christina Boura and Anne Canteaut}, | ||
+ | title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds}, | ||
+ | url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf}, | ||
+ | howpublished = {NIST mailing list} | ||
+ | year = {2010}, | ||
+ | abstract = {A new type of distinguishing property, named the zero-sum property | ||
+ | has been recently presented by Aumasson and Meier [1]. It has | ||
+ | been applied to the inner permutation of the hash function Keccak | ||
+ | and it has led to a distinguishing property for the Keccak-f permutation | ||
+ | up to 16 rounds, out of 24 in total. Here, we additionally exploit | ||
+ | some spectral properties of the Keccak-f permutation and we improve | ||
+ | the previously known upper bounds on the degree of the inverse | ||
+ | permutation after a certain number of rounds. This result enables us | ||
+ | to extend the zero-sum property to 18 rounds of the Keccak-f permutation, | ||
+ | which was the number of rounds in the previous version of | ||
+ | Keccak submitted to the SHA-3 competition..}, | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{keccakAM09, | ||
+ | author = {Jean-Philippe Aumasson and Willi Meier}, | ||
+ | title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi}, | ||
+ | url = {http://www.131002.net/data/papers/AM09.pdf}, | ||
+ | howpublished = {NIST mailing list} | ||
year = {2009}, | year = {2009}, | ||
− | abstract = {We apply | + | abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.}, |
− | |||
− | |||
− | |||
− | |||
</bibtex> | </bibtex> | ||
Line 93: | Line 285: | ||
<bibtex> | <bibtex> | ||
− | @misc{ | + | @misc{keccakAK09, |
− | author = {Jean-Philippe Aumasson and | + | author = {Jean-Philippe Aumasson and Dmitry Khovratovich}, |
− | title = { | + | title = {First Analysis of Keccak}, |
− | url = {http:// | + | url = {http://131002.net/data/papers/AK09.pdf}, |
− | howpublished = { | + | howpublished = {Available online}, |
year = {2009}, | year = {2009}, | ||
− | abstract = {We | + | abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using |
+ | a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the | ||
+ | algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited | ||
+ | by the strength of the inverse permutation.}, | ||
+ | } | ||
</bibtex> | </bibtex> |
Latest revision as of 08:52, 1 September 2011
1 The algorithm
- Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
- Website: http://keccak.noekeon.org/
- NIST submission package:
- Round 3: Keccak_FinalRnd.zip
- Round 2: Keccak_Round2.zip
- Round 1: Keccak.zip
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - The Keccak SHA-3 submission
- ,2011
- http://keccak.noekeon.org/Keccak-submission-3.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : The Keccak SHA-3 submission
In : -
Address :
Date : 2011
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - The Keccak reference
- ,2011
- http://keccak.noekeon.org/Keccak-reference-3.0.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : The Keccak reference
In : -
Address :
Date : 2011
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Cryptographic sponge functions
- ,2011
- http://sponge.noekeon.org/CSF-0.1.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Cryptographic sponge functions
In : -
Address :
Date : 2011
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak specifications
- ,2009
- http://keccak.noekeon.org/Keccak-specifications-2.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak specifications
In : -
Address :
Date : 2009
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak sponge function family main document
- ,2009
- http://keccak.noekeon.org/Keccak-main-2.0.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak sponge function family main document
In : -
Address :
Date : 2009
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak specifications
- ,2008
- http://keccak.noekeon.org/Keccak-specifications.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak specifications
In : -
Address :
Date : 2008
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak sponge function family main document
- ,2008
- http://keccak.noekeon.org/Keccak-main-1.0.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak sponge function family main document
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameter: 24 rounds (Keccak-f [1600])
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
2nd preimage | 512 | 6 rounds | 2506 | 2176 | Bernstein |
2nd preimage | 512 | 7 rounds | 2507 | 2320 | Bernstein |
2nd preimage | 512 | 8 rounds | 2511.5 | 2508 | Bernstein |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
distinguisher | permutation | all | 8 rounds | 2491.47 | ? | Duc,Guo,Peyrin,Wei |
collision | hash | 160 | r=1440, c=160, nr={1,2} | example | Duc,Guo,Peyrin,Wei | |
collision | hash | 160 | r={240,640,1440}, c=160, nr={1,2} | example | Morawiecki | |
preimage | hash | 80 | r={240,640,1440}, c=160, nr={1,2} | example | Morawiecki | |
distinguisher | permutation | all | 24 rounds | 21579 | Duan,Lai | |
distinguisher | permutation | all | 24 rounds | 21590 | Boura,Canteaut,DeCanniere | |
distinguisher | permutation | all | 20 rounds | 21586 | Boura,Canteaut | |
preimage(2) | hash | 1024 | 3 rounds, 40 bit message | 1852 seconds (234.11) | ? | Morawiecki,Srebrny |
distinguisher(1) | permutation | all | 18 rounds | 21370 | Boura,Canteaut | |
distinguisher(1) | permutation | all | 16 rounds | 21023.88 | Aumasson,Meier | |
key recovery | secret-prefix MAC | 224 | 4 rounds | 219 | ? | Lathrop |
observations | permutation | all | Aumasson,Khovratovich |
(1)The Keccak team commented on these distinguishers and provide generic constructions in this note.
(2)The Keccak team estimated the complexity of this attack with 234.11 evaluations of 3-rounds of Keccak-f[1600] in this note (exhaustive search: 240).
Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei - Unaligned Rebound Attack - Application to Keccak
- ,2011
- http://eprint.iacr.org/2011/420.pdf
BibtexAuthor : Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei
Title : Unaligned Rebound Attack - Application to Keccak
In : -
Address :
Date : 2011
Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei - Collisions for Keccak[r=1440,c=160,nr={1,2}]
- ,2011
- http://keccak.noekeon.org/crunchy_contest.html
BibtexAuthor : Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei
Title : Collisions for Keccak[r=1440,c=160,nr={1,2}]
In : -
Address :
Date : 2011
Pawel Morawiecki - Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]
- ,2011
- http://keccak.noekeon.org/crunchy_contest.html
BibtexAuthor : Pawel Morawiecki
Title : Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]
In : -
Address :
Date : 2011
Ming Duan, Xuajia Lai - Improved zero-sum distinguisher for full round Keccak-f permutation
- ,2011
- http://eprint.iacr.org/2011/023.pdf
BibtexAuthor : Ming Duan, Xuajia Lai
Title : Improved zero-sum distinguisher for full round Keccak-f permutation
In : -
Address :
Date : 2011
Daniel J. Bernstein - Second preimages for 6 (7? (8??)) rounds of Keccak?
- ,2010
- http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt
BibtexAuthor : Daniel J. Bernstein
Title : Second preimages for 6 (7? (8??)) rounds of Keccak?
In : -
Address :
Date : 2010
Christina Boura, Anne Canteaut, Christophe De Canniere - Higher-order differential properties of Keccak and Luffa
- ,2010
- http://eprint.iacr.org/2010/589.pdf
BibtexAuthor : Christina Boura, Anne Canteaut, Christophe De Canniere
Title : Higher-order differential properties of Keccak and Luffa
In : -
Address :
Date : 2010
Christina Boura, Anne Canteau - Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256
- SAC 6544:1-17,2010
- http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf
BibtexAuthor : Christina Boura, Anne Canteau
Title : Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256
In : SAC -
Address :
Date : 2010
Pawel Morawiecki, Marian Srebrny - A SAT-based preimage analysis of reduced KECCAK hash functions
- ,2010
- http://eprint.iacr.org/2010/285.pdf
BibtexAuthor : Pawel Morawiecki, Marian Srebrny
Title : A SAT-based preimage analysis of reduced KECCAK hash functions
In : -
Address :
Date : 2010
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Note on zero-sum distinguishers of Keccak-f
- ,2010
- http://keccak.noekeon.org/NoteZeroSum.pdf
BibtexAuthor : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Note on zero-sum distinguishers of Keccak-f
In : -
Address :
Date : 2010
Christina Boura, Anne Canteaut - A Zero-Sum property for the Keccak-f Permutation with 18 Rounds
- ,2010
- http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf
BibtexAuthor : Christina Boura, Anne Canteaut
Title : A Zero-Sum property for the Keccak-f Permutation with 18 Rounds
In : -
Address :
Date : 2010
Jean-Philippe Aumasson, Willi Meier - Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
- ,2009
- http://www.131002.net/data/papers/AM09.pdf
BibtexAuthor : Jean-Philippe Aumasson, Willi Meier
Title : Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
In : -
Address :
Date : 2009
Joel Lathrop - Cube Attacks on Cryptographic Hash Functions
- ,2009
- http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf
BibtexAuthor : Joel Lathrop
Title : Cube Attacks on Cryptographic Hash Functions
In : -
Address :
Date : 2009
Jean-Philippe Aumasson, Dmitry Khovratovich - First Analysis of Keccak