Keccak
From The ECRYPT Hash Function Website
Contents |
1 The algorithm
- Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
- Website: http://keccak.noekeon.org/
- NIST submission package:
- Round 3: Keccak_FinalRnd.zip
- Round 2: Keccak_Round2.zip
- Round 1: Keccak.zip
- Submission to NIST (Round 3), 2011
- [Electronic Edition] [Bibtex] Author : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : The Keccak SHA-3 submission
In : Submission to NIST (Round 3) -
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - The Keccak reference
- Submission to NIST (Round 3), 2011
- [Electronic Edition] [Bibtex] Author : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : The Keccak reference
In : Submission to NIST (Round 3) -
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Cryptographic sponge functions
- Submission to NIST (Round 3), 2011
- [Electronic Edition] [Bibtex] Author : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Cryptographic sponge functions
In : Submission to NIST (Round 3) -
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak specifications
- Submission to NIST (Round 2), 2009
- [Electronic Edition] [Bibtex] Author : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak specifications
In : Submission to NIST (Round 2) -
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak sponge function family main document
- Submission to NIST (Round 2), 2009
- [Electronic Edition] [Bibtex] Author : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak sponge function family main document
In : Submission to NIST (Round 2) -
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak specifications
- Submission to NIST (Round 1), 2008
- [Electronic Edition] [Bibtex] Author : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak specifications
In : Submission to NIST (Round 1) -
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Keccak sponge function family main document
- Submission to NIST (Round 1), 2008
- [Electronic Edition] [Bibtex] Author : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Keccak sponge function family main document
In : Submission to NIST (Round 1) -
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameter: 24 rounds (Keccak-f [1600])
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
| 2nd preimage | 512 | 6 rounds | 2506 | 2176 | Bernstein |
| 2nd preimage | 512 | 7 rounds | 2507 | 2320 | Bernstein |
| 2nd preimage | 512 | 8 rounds | 2511.5 | 2508 | Bernstein |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| distinguisher | permutation | all | 8 rounds | 2491.47 | ? | Duc,Guo,Peyrin,Wei |
| collision | hash | 160 | r=1440, c=160, nr={1,2} | example | Duc,Guo,Peyrin,Wei | |
| collision | hash | 160 | r={240,640,1440}, c=160, nr={1,2} | example | Morawiecki | |
| preimage | hash | 80 | r={240,640,1440}, c=160, nr={1,2} | example | Morawiecki | |
| distinguisher | permutation | all | 24 rounds | 21579 | Duan,Lai | |
| distinguisher | permutation | all | 24 rounds | 21590 | Boura,Canteaut,DeCanniere | |
| distinguisher | permutation | all | 20 rounds | 21586 | Boura,Canteaut | |
| preimage(2) | hash | 1024 | 3 rounds, 40 bit message | 1852 seconds (234.11) | ? | Morawiecki,Srebrny |
| distinguisher(1) | permutation | all | 18 rounds | 21370 | Boura,Canteaut | |
| distinguisher(1) | permutation | all | 16 rounds | 21023.88 | Aumasson,Meier | |
| key recovery | secret-prefix MAC | 224 | 4 rounds | 219 | ? | Lathrop |
| observations | permutation | all | Aumasson,Khovratovich |
(1)The Keccak team commented on these distinguishers and provide generic constructions in this note.
(2)The Keccak team estimated the complexity of this attack with 234.11 evaluations of 3-rounds of Keccak-f[1600] in this note (exhaustive search: 240).
- Cryptology ePrint Archive, Report 2011/420, 2011
- [Electronic Edition] [Bibtex] Author : Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei[Abstract]
Title : Unaligned Rebound Attack - Application to Keccak
In : Cryptology ePrint Archive, Report 2011/420 -
Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei - Collisions for Keccak[r=1440,c=160,nr={1,2}]
- Keccak website, 2011
- [Electronic Edition] [Bibtex] Author : Alexandre Duc, Jian Guo, Thomas Peyrin, Lei Wei
Title : Collisions for Keccak[r=1440,c=160,nr={1,2}]
In : Keccak website -
Pawel Morawiecki - Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]
- Keccak website, 2011
- [Electronic Edition] [Bibtex] Author : Pawel Morawiecki
Title : Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]
In : Keccak website -
Ming Duan, Xuajia Lai - Improved zero-sum distinguisher for full round Keccak-f permutation
- Cryptology ePrint Archive, Report 2011/023, 2011
- [Electronic Edition] [Bibtex] Author : Ming Duan, Xuajia Lai[Abstract]
Title : Improved zero-sum distinguisher for full round Keccak-f permutation
In : Cryptology ePrint Archive, Report 2011/023 -
Daniel J. Bernstein - Second preimages for 6 (7? (8??)) rounds of Keccak?
- NIST mailing list, 2010
- [Electronic Edition] [Bibtex] Author : Daniel J. Bernstein
Title : Second preimages for 6 (7? (8??)) rounds of Keccak?
In : NIST mailing list -
Christina Boura, Anne Canteaut, Christophe De Canniere - Higher-order differential properties of Keccak and Luffa
- Cryptology ePrint Archive, Report 2010/589, 2010
- [Electronic Edition] [Bibtex] Author : Christina Boura, Anne Canteaut, Christophe De Canniere[Abstract]
Title : Higher-order differential properties of Keccak and Luffa
In : Cryptology ePrint Archive, Report 2010/589 -
Christina Boura, Anne Canteau - Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256
- In Proceedings of SAC, LNCS 6544, pp. 1-17, Springer, 2010
- [Electronic Edition] [Bibtex] Author : Christina Boura, Anne Canteau[Abstract]
Title : Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256
In : In Proceedings of SAC -
Pawel Morawiecki, Marian Srebrny - A SAT-based preimage analysis of reduced KECCAK hash functions
- Cryptology ePrint Archive, Report 2010/285, 2010
- [Electronic Edition] [Bibtex] Author : Pawel Morawiecki, Marian Srebrny
Title : A SAT-based preimage analysis of reduced KECCAK hash functions
In : Cryptology ePrint Archive, Report 2010/285 -
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche - Note on zero-sum distinguishers of Keccak-f
- NIST mailing list, 2010
- [Electronic Edition] [Bibtex] Author : G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Title : Note on zero-sum distinguishers of Keccak-f
In : NIST mailing list -
Christina Boura, Anne Canteaut - A Zero-Sum property for the Keccak-f Permutation with 18 Rounds
- NIST mailing list, 2010
- [Electronic Edition] [Bibtex] Author : Christina Boura, Anne Canteaut[Abstract]
Title : A Zero-Sum property for the Keccak-f Permutation with 18 Rounds
In : NIST mailing list -
Jean-Philippe Aumasson, Willi Meier - Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
- NIST mailing list, 2009
- [Electronic Edition] [Bibtex] Author : Jean-Philippe Aumasson, Willi Meier[Abstract]
Title : Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi
In : NIST mailing list -
Joel Lathrop - Cube Attacks on Cryptographic Hash Functions
- Available online, 2009
- [Electronic Edition] [Bibtex] Author : Joel Lathrop[Abstract]
Title : Cube Attacks on Cryptographic Hash Functions
In : Available online -
Jean-Philippe Aumasson, Dmitry Khovratovich - First Analysis of Keccak
