ArticlePDF Available

Finding Collisions against 4-Round SHA-3-384 in Practical Time

Authors:

Abstract and Figures

The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis of SHA-3 has attracted a lot of attention. Currently, the most powerful collision attack on SHA-3 is Jian Guo et al.’s linearisation technique. However, this technique is infeasible for variants with a smaller input space, such as SHA-3-384. In this work we improve upon previous results by utilising three ideas which were not used in previous works on collision attacks against SHA-3. First, we use 2-block messages instead of 1-block messages, to reduce constraints and increase flexibility in our solutions. Second, we reduce the connectivity problem into a satisfiability (SAT) problem, instead of applying the linearisation technique. Finally, we propose an efficient deduce-and-sieve algorithm on the basis of two new non-random properties of the Keccak non-linear layer. The resulting collision-finding algorithm on 4-round SHA-3-384 has a practical time complexity of 259.64 (and a memory complexity of 245.94). This greatly improves upon the best known collision attack so far: Dinur et al. achieved an impractical 2147 time complexity. Our attack does not threaten the security margin of the SHA-3 hash function. However, the tools developed in this paper could be used to analyse other cryptographic primitives as well as to develop new and faster SAT solvers.
Content may be subject to copyright.
IACR Transactions on Symmetric Cryptology
ISSN 2519-173X, Vol. 2022, No. 3, pp. 239–270. DOI:10.46586/tosc.v2022.i3.239-270
Finding Collisions against 4-Round SHA-3-384
in Practical Time
Senyang Huang1,3, Orna Agmon Ben-Yehuda2, Orr Dunkelman3and
Alexander Maximov4
1Department of Electrical and Information Technology, Lund University, Lund, Sweden
senyang.huang@eit.lth.se
2Caesarea Rothschild Institute for Interdisciplinary Applications of Computer Science (CRI),
University of Haifa, Haifa, Israel
ladypine@gmail.com
3Department of Computer Science, University of Haifa, Haifa, Israel
orrd@cs.haifa.ac.il
4Ericsson Research, Lund, Sweden
alexander.maximov@ericsson.com
Abstract. The Keccak sponge function family, designed by Bertoni et al. in 2007,
was selected by the U.S. National Institute of Standards and Technology (NIST)
in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its
theoretical and practical importance, cryptanalysis of SHA-3 has attracted a lot of
attention. Currently, the most powerful collision attack on SHA-3 is Jian Guo et
al.’s linearisation technique. However, this technique is infeasible for variants with a
smaller input space, such as SHA-3-384.
In this work we improve upon previous results by utilising three ideas which were
not used in previous works on collision attacks against SHA-3. First, we use 2-block
messages instead of 1-block messages, to reduce constraints and increase flexibility in
our solutions. Second, we reduce the connectivity problem into a satisfiability (SAT)
problem, instead of applying the linearisation technique. Finally, we propose an
efficient deduce-and-sieve algorithm on the basis of two new non-random properties
of the Keccak non-linear layer.
The resulting collision-finding algorithm on 4-round SHA-3-384 has a practical time
complexity of 2
59.64
(and a memory complexity of 2
45.94
). This greatly improves
upon the best known collision attack so far: Dinur et al. achieved an impractical 2
147
time complexity. Our attack does not threaten the security margin of the SHA-3
hash function. However, the tools developed in this paper could be used to analyse
other cryptographic primitives as well as to develop new and faster SAT solvers.
Keywords: SHA-3 hash function ·collision attack ·deduce-and-sieve algorithm ·
SAT solver
1 Introduction
Cryptographic hash functions are unkeyed primitives that accept an arbitrarily long input
message and produce a fixed length output hash value, or digest for short. Since Diffie and
Hellman [
DH76
] suggesting signing a cryptographic hash value of a message rather than the
message itself, hash functions became extremely useful in various cryptographic protocols:
authentication (e.g., HMAC [
BCK96
]), password protection, commitment schemes, key
This work was partially done when Senyang Huang was a post-doc researcher at the University of
Haifa.
Licensed under Creative Commons License CC-BY 4.0.
Received: 2022-06-01 Accepted: 2022-08-01 Published: 2022-09-09
240 Finding Collisions against 4-Round SHA-3-384 in Practical Time
exchange protocols, etc. Hence, the need for a secure and efficient hash function is great,
both for real life applications and as a component of more complex constructions.
The first de-facto cryptographic hash function was MD5 [
Riv92
], developed by Rivest
to fix a few issues with its predecessor MD4. Later, the US National Institute of Standards
in Technology (NIST) published the SHA standard [
NIS93
]. Two years later, SHA was
updated into the later named SHA-1 [
NIS95
] to prevent some attacks that were not
disclosed to the public (but were later rediscovered by Chabaud and Joux [CJ98]). With
the need for output sizes larger than SHA-1’s 160-bit, NIST published a new family of
hash functions, called SHA-2, with output sizes of 224–512 bits [NIS02].
In 2005, Wang et al. [
WLF+05
,
WY05
,
WYY05
] broke several cryptographic functions.
These fundamental works demonstrated the way to attack most of the existing hash
functions using several techniques and ideas: using modular differences (i.e., using both an
XOR difference and an additive difference); using multi-block collisions (i.e., collisions that
span over several blocks, an idea independently discovered in [
BCJ15
]); and introducing
the message modification technique (a method to tweak a pair of messages conforming to
some differential characteristic up to a certain round, so that it satisfies the characteristic
for more rounds).
These advances, along with results on the Merkle-Damgård hash function [
Dam89
,
Mer89
], which is the design all previously mentioned hash functions followed, led NIST
to start a cryptographic competition for the selection of a new hash function standard.
The process started in 2008, and in 2015 Keccak [
BDPA
] was published as the new SHA-3
standard [NIS15].
Keccak [
BDPA
], designed by Bertoni et al., is a sponge construction. It has a 1600-bit
state which is updated by XORing message blocks to the state. The number of bits that
compose a message block depends on the required output size as the capacity of the sponge
function should be twice as large as the output size, and the remaining bits are XORed
with the message block. Then, a 24-round permutation, Keccak-f, is applied to the state
and another block is absorbed into the state, until the last block is absorbed. Finally, the
internal state is updated again using Keccak-f, and some bits of the internal state are
revealed as the output.
The Keccak sponge function can be deployed in different modes, namely, keyed mode
and unkeyed mode. Since the publication of Keccak in 2008, the analysis of both keyed
mode and unkeyed mode Keccak has attracted considerable attention. For the keyed
Keccak, a cube-like attack proposed by Dinur et al. [
DMP+15
] and a conditional cube
attack proposed by Huang et al. [
HWX+17
] are the most powerful tools for analysing
primitives based on the Keccak sponge function.
The purpose of a collision attack on a hash function
H
is to find a pair of distinct
messages
M
and
M
such that
H
(
M
) =
H
(
M
). Finding a colliding pair should be
computationally difficult for a secure hash function. In 2011, Naya-Plasencia et al. re-
ported a collision attack on 2-round Keccak-512.
1
, among several other practical attacks
on the Keccak hash function [
NRM11
]. In 2012, Dinur et al. proposed practical collision
attacks on 4-round Keccak-224/256 [
DDS12
]: they combined a 1-round connector with
a 3-round low weight characteristic by algebraic techniques. In 2013, the same authors
constructed practical collision attacks on 3-round Keccak-384 and Keccak-512 and theo-
retical attacks on 4-round Keccak-384 and 5-round Keccak-256 using generalised internal
differentials [DDS13].
Currently, the most powerful tool for building a practical collision attack against
the SHA-3 hash function is the linearisation technique [
QSLG17
,
SLG17
,
GLL+20
]. In
[
QSLG17
], Qiao et al. followed the framework proposed by Dinur et al. in [
DDS12
] and
extended the previous 1-round connector by one more round. In that work, the authors
developed a novel algebraic technique to linearise all S-boxes in the first round. Song et
1SHA-3-ndiffers from Keccak-nonly in the padding rule.
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 241
Table 1: Summary of existing collision attacks on SHA-3.
Rounds Target Complexity Reference
4 Keccak-224 Practical [DDS12]
5 SHA-3-224 Practical [QSLG17]
4 Keccak-256 Practical [DDS12]
5 Keccak-256 2115 [DDS13]
5 SHA-3-256 Practical [QSLG17]
3 Keccak-384 Practical [DDS13]
4 Keccak-384 2147 [DDS13]
4 SHA-3-384 259.64 Section 7
2 Keccak-512 Practical [NRM11]
3 Keccak-512 Practical [DDS13]
al. [
SLG17
] developed a new non-full linearisation technique to save degrees of freedom
in the attack. Using this new technique, they launched several practical collision attacks
on the Keccak family, such as 5-round SHA-3-224 and 5-round SHA-3-256. Jian Guo
et al. recapped the two results [
QSLG17
,
SLG17
] in [
GLL+20
]. There was no further
development after that. However, that technique cannot be directly applied to variants
with a smaller input space, such as SHA-3-384 and SHA-3-512. It is because the appended
conditions consume many degrees of freedom, which variants with a smaller input space
cannot provide enough of.
Morawiecki et al. [
MS13
] applied a SAT solver to the analysis of an unkeyed mode
modified Keccak, using different parameters than the recommended ones, to find the
preimage of a hash value up to 3rounds. However, the authors did not consider Keccak’s
algebraic structure in their work, which reduces SAT solver’s power. In our collision attack,
we combine algebraic non-random characteristics with a SAT solver to make full use of its
efficiency.
Our Contributions Our work extends previous results [
DDS12
] on finding collisions in
SHA-3: a 3-round differential characteristic that leads to a collision is used in rounds 2–4,
whereas a connecting phase is used in the first round to lead the input message pair into
the input difference of the differential characteristic.
Inspired by the collision attacks proposed by Boissier et al. in [
BNR21
] and the preimage
attacks against Keccak-224/256 proposed in [
LS19
] by Li et al., we use more than a single
block in the colliding message pair. Unlike the inner collision attacks against smaller
Keccak variants in [
BNR21
], our technique can work on the outer part of a Keccak default
variant. Namely, we noticed that often good input differences impose conditions on the
input that cannot be satisfied (as they are in the capacity part of the state). By first
finding a message pair that satisfies these conditions, we levy this restriction. This step
increases the flexibility in choosing a differential characteristic. In addition, we use the
first block to set some capacity bits to values that help the connectivity step.
In addition, we introduce another two techniques into collision attacks on Keccak. Our
second contribution is to replace the linearisation connection phase that was used before
in [
GLL+20
] with a SAT-connection phase. This idea is inspired by the dedicated collision
attack against SHA-1 with aid of a SAT solver, proposed by Stevens et al. in [
SBK+17
].
Namely, we use SAT solvers to find message values that satisfy the required difference
conditions while previous works [
GLL+20
,
QSLG17
,
SLG17
] did the connection from the
input difference of the characteristic to the message conditions using linearisation. Again,
there are two advantages for this approach the first, is that we gain greater flexibility
in choosing the differential characteristic as now we can “connect” to a wider range of
input differences. Secondly, non-linear conditions which are useful in finding collisions (i.e.,
fixing intermediate bits to some values) are much easier to be satisfied using this sort of
tools.
242 Finding Collisions against 4-Round SHA-3-384 in Practical Time
The third contribution is the introduction of detection and sieving tools. They complete
internal states more efficiently than applying a SAT solver directly on non-linear problems.
This reduces the number of unknowns and simplifies relations, making SAT solvers more
efficient by orders of magnitude. We introduce a Truncated Difference Transform Table: for
a given truncated differential transition, the table stores the possible differential transitions.
I.e., if a truncated differential is followed. The table allows to efficiently find actual
bit differences that were involved in the transition. We also introduce a Fixed Value
Distribution Table, a precomputed table used to efficiently identify values that correspond
to certain truncated difference transitions (just like in the original work of [
BS93
] stored in
the difference distribution table also the values that correspond to the transition). Using
these two tools enables, for each pair, the deduction of information needed to satisfy the
differential characteristic.
We combine these ideas and produce the first practical attack that can find collisions
in 4-round SHA-3-384. The expected running time of this attack is below 2
60
(we remind
the reader that the SHA-1 collision found by [
SBK+17
] used about 2
63
computation).
While we implemented the attack and verified it, our best result at the moment is a 4-bit
semi-free internal collision, which is to date, the best known semi-free against SHA-3-384.
We compare our result with previous results of collision attacks on SHA-3 in Table 1.
Moreover, our two-block collision attack can be extended to a multi-block attack, where
the first few blocks can be chosen prefixes with meaningful information. This idea is
inspired by the chosen-prefix collision attacks against MD5 [
SLdW07
] proposed by Stevens
et al. and against SHA-1 [
LP19
] proposed by Leurent et al. A chosen-prefix collision attack
is to find messages (
M, M
)such that
H
(
P||M
) =
H
(
P||M
), where
P
and
P
are chosen
prefixes and
||
denotes concatenation [
SLdW07
]. In this situation, the attacker’s task is
then to find a collision while starting from a random difference in the internal state (due
to the prefixes pair that is not controlled at all by the attacker). Chosen-prefix collision
attacks are more difficult to mount but are stronger attacks more relevant to practice
because the chosen prefixes can be arbitrary meaningful texts.
Organisation of the paper The rest of the paper is organised as follows. In Section 2, we
describe the SHA-3 hash function and properties of the Keccak round function. In Section 3,
we revisit the collision attack proposed by Guo et al. The new framework of our attack
is illustrated in Section 4. The methods of constructing the differential characteristic
and generating the first blocks are stated in Section 5. The SAT-connection phase is
described in Section 6. In Section 7, experimental results of our attack are given. Finally,
we conclude the paper in Section 8.
2 Background
2.1 SHA-3 hash function
The Keccak algorithm. In this section we describe the Keccak hash function in its default
version. We refer the reader to [BDPA,NIS15] for the complete Keccak specification.
The Keccak hash function works on a 1600-bit state
A
, which is treated as a three-
dimensional array of bits, namely
A
[5][5][64]. As shown in Figure 1, the one-dimensional
arrays
A
[ ][
y
][
z
],
A
[
x
][ ][
z
]and
A
[
x
][
y
][ ] are called a column, a row and a lane, respectively;
the two-dimensional array
A
[ ][ ][
z
]is called a slice. The coordinates are considered modulo
5 for
x
and
y
, and modulo 64 for
z
. A 1600-bit string
a
is converted to the state
A
in the
following manner: the (64(5y+x) + z)th bit of abecomes A[x][y][z].
We will also utilise a one-dimensional manner for referring to a single related bit. For
example, we use
A
[
i
]to represent the bit
A
[
ψ0
(
i
)][
ψ1
(
i
)][
ψ2
(
i
)], where
ψ0
(
i
) =
i/
320
,
ψ1
(
i
) =
i/
64
mod
5,
ψ2
(
i
) =
imod
64,
is the floor function, and 0
i <
1600. We
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 243
state
slice
row
bit
lane
column
Figure 1: Terminologies in Keccak.
also define a function
ϕ0
such that the bit
A
[
i
]is in the
ϕ0
(
i
)th column of the state
A
,
where ϕ0(i) = 64ψ1(i) + ψ2(i).
There are four different variants of the Keccak hash function, namely Keccak-224,
Keccak-256, Keccak-384 and Keccak-512. For each
n {
224
,
256
,
384
,
512
}
, Keccak-
n
corresponds to the parameters
r
(bitrate) and
c
= 2
n
(capacity), where
r
+
c
= 1600. The
capacity
c
is 448
,
512
,
768
,
1024 and the bitrate
r
is 1152
,
1088
,
832
,
576, respectively for
Keccak-224, Keccak-256, Keccak-384 and Keccak-512.
Initially, the state is filled with zeroes and the message is split into
r
-bit blocks. There
are two phases in the Keccak hash function. In the absorbing phase, the next
r
-bit message
block is XORed with its first
r
-bit segment of the state and then the state is processed
by an internal permutation that consists of 24 rounds. After all the blocks are absorbed,
the squeezing phase begins. In the squeezing phase, Keccak-
n
iteratively returns the first
r
bits of the state as the output of the function with the internal permutation, until an
n-bit digest is produced.
In the permutation, the round function
R
consists of five operations, namely,
θ, ρ, π, χ
and
ι
. The round function is defined as
R
=
ιχπρθ
, with the following sub-functions:
θ:A[i][j][k]A[i][j][k]+Σ4
j=0A[i1][j][k]+Σ4
j=0A[i+ 1][j][k1],
ρ:A[i][j]A[i][j]r[i, j], r[i, j]s are constants,
π:A[j][2i+ 3j]A[i][j],
χ:A[i][j]A[i][j]+(A[i+ 1][j] + 1)A[i+ 2][j][k],
ι:A[0][0] A[0][0] + RCir, RCiris the irth round constant,
where 0i < 5,0j < 5,0k < 64 and 0ir<24.
The operation
θ
diffuses the state. In the operation
θ
, the bit
A
[
i
]is summed up with
the
ϕ1
(
i
)th and
ϕ2
(
i
)th columns of bits, where
ϕ1
(
i
) = 64((
ψ0
(
i
)
1)
mod
5) +
ψ2
(
i
)and
ϕ2(i) = 64((ψ0(i) + 1) mod 5) + ((ψ2(i)1) mod 5).
The operations
ρ
and
π
implement a bit-level permutation of the state. Let us denote
this combined permutation by
σ
=
πρ
, which forms a mapping on integers
{
0
,
1
,· · · ,
1599
}
such that
σ
(
i
)is the new position of the
i
-th bit in the state after applying
πρ
. We
denote by
L
the first three linear operations
θ, ρ
and
π
, which we call a half round. We
rewrite the expression of Lin Equation 1:
B[i] = A[σ1(i)] col[ϕ1(σ1(i))] col[ϕ2(σ1(i))].(1)
In Equation 1,
A
is the input state of
L
while
B
is the output state.
col
[
ϕ1
(
σ1
(
i
))] and
col
[
ϕ2
(
σ1
(
i
))] are the sums of the five bits in the
ϕ1
(
σ1
(
i
))th and
ϕ2
(
σ1
(
i
))th columns,
respectively. The sum of the five bits in one column is called a column sum.
Padding rule. The Keccak hash function uses a multi-rate padding rule. By this rule,
the original message
M
is appended with a single bit 1followed by the minimum number
244 Finding Collisions against 4-Round SHA-3-384 in Practical Time
of 0bits and a single 1bit such that the resulting message is of length that is a multiple
of the bitrate r. Specifically, the resulting padded message is M = M|10 1.
In the four Keccak variants adopted by the SHA-3 standard, the message is first
appended with ‘01’, then the padding rule is applied. Namely, the resulting padded
message is M = M|0110 1.
2.2 Properties of the Keccak round function
In this section we show five properties of the Keccak round function. The first property is
called the column parity kernel (CP-kernel) equation: for states in which all columns have
even parity,
θ
is the identity [
BDPA
]. This property has been widely used in cryptanalysis
of Keccak. E.g., the attacks in [
HWX+17
] use it to control the diffusion of cube variables.
Property 1. (CP-kernel Equation) For every
i
-th and
j
-th bits in the same column of
the state Awe have:
A[i]A[j] = B[σ(i)] B[σ(j)],
where
A
and
B
are the input and output states of
L
, respectively, and 0
i, j <
1600
, i
=
j
.
Property 1 can be easily verified through Equation 1. As the operations in the first
half round are all linear, the equality also holds for differences of corresponding bits.
Before we present four differential properties of the non-linear operation
χ
, we first
recall the definition of the difference distribution table (DDT) of
χ
[
BS93
]. The operation
χ
is applied to each row of the state independently, and can be regarded as an S-box.
In differential cryptanalysis proposed by Biham and Shamir in [
BS93
], the DDT of an
S-box counts the number of cases where the input difference of a pair is
a
and the output
difference is
b
. In our case, for an input difference
aF5
2
and an output difference
bF5
2
,
the entry δ(a, b)of the DDT of the Keccak S-box Sis:
δ(a, b) = |{zF5
2|S(z)S(za) = b}|.
The set
{zF5
2|S
(
z
)
S
(
za
) =
b}
is called a solution set.
2
We present an important
property of the solution set as follows.
Property 2. ([
Dae95
,
DDS12
,
BDPA
]) For every
a, b F5
2
, the solution set of the Keccak
S-box, {zF5
2|S(z)S(za) = b}forms an affine subspace of F5
2.
In Property 3 and Property 4, we will show that for some special output differences of
the Keccak S-box, the input difference should follow certain conditions. The two properties
can be easily proven by checking the DDT of the Keccak S-box. Suppose a 5-bit input
difference of the S-box is
δin
= (
δin
[4]
, δin
[3]
, δin
[2]
, δin
[1]
, δin
[0]) and the output difference
is
δout
= (
δout
[4],
δout
[3],
δout
[2],
δout
[1],
δout
[0]).Property 3 and Property 4 are then as
follows.
Property 3. If δout = 0x1then δin[0] = 1.
Property 4. If δout = 0x3then δin[1] δin [3] = 1.
We summarise all cases with special output differences in Table 2 when the output
differences in Property 3 and Property 4 are shifted to the right.
Table 2: Summary of conditions for special output differences of χ.
Output Difference Conditions Output Difference Conditions
0x1δin[0] = 1 0x3δin[1] δin [3] = 1
0x2δin[1] = 1 0x6δin[2] δin [4] = 1
0x4δin[2] = 1 0xc δin[3] δin [0] = 1
0x8δin[3] = 1 0x18 δin[4] δin [1] = 1
0x10 δin[4] = 1 0x11 δin[0] δin [2] = 1
2
The idea of the solution set first appeared in Biham and Shamir’s original work on differential
cryptanalysis.
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 245
If only one input bit of the Keccak S-box is known, two output differences of the S-box
become linear. Let us show only the case when the least significant input bit is given in
Property 5. The other cases are shown in Appendix A. Suppose the two 5-bit inputs of the
Keccak S-box are
x4x3x2x1x0
and
x
4x
3x
2x
1x
0
. The corresponding outputs are
y4y3y2y1y0
and y
4y
3y
2y
1y
0.
Property 5. ([
GLL+20
]) Given
x1
and
x
1
,
δout
[0] is a linear combination of
δin
[0],
x2
and x
2. Similarly, δout[4] is a linear combination of δin[4],x1and x
1.
Property 5 directly follows from the algebraic relation between the input and the
output of
χ
. When
x1
and
x
1
take different values, the expressions of
δout
[0] and
δout
[4]
are linearised as shown in Table 3.
Table 3: Linear expressions of δout [0] and δout [4] with different x1and x
1.
Conditions Linear Expressions
x1=x
1= 0 δout[0] = δin [0] + δin[2] δout[4] = δin [4]
x1=x
1= 1 δout[0] = δin [0] δout[4] = δin[4] + δin [0]
x1= 1,x
1= 0 δout[0] = δin [0] + x
2δout
[4] =
δin
[4] +
x0
+ 1
x1= 0,x
1= 1 δout[0] = δin [0] + x2δout
[4] =
δin
[4] +
x
0
+ 1
3 Guo et al.’s collision attacks on SHA-3
In this section we revisit the most dedicated existing collision attacks against the SHA-3
hash function. They were constructed by Guo et al. utilising an algebraic and differential
hybrid method [
GLL+20
], which follows the 1-round connector technique proposed by
Dinur et al. in [DDS12].
The framework of the attack against SHA-3-
n
is shown in Figure 2. Given an
n2
-round
high-probability differential characteristic
SI
SO
with the first
n
bits of the output
difference
SO
as zeros, the attack consists of two stages. In the first stage the adversary
applies an
n1
-round connector by linearising the first
n1
rounds. Thus the adversary
obtains message pairs as
{
(
M1, M
1
)
|Rn1
(
M1||
0)
Rn1
(
M
1||
0) =
SI}
, where
SI
is the
input difference of the differential characteristic. In the second stage, the adversary finds a
colliding pair following the
n2
-round differential characteristic by searching through pairs
of messages obtained in the first stage.
-round connector -round differential trail
𝑟
𝑐
𝑛1
𝑛
Δ𝑆𝐼
Δ𝑆𝑂
𝑛2
Figure 2: Overview of Guo et al.’s (n1+n2)-round collision attacks.
The main drawback of this approach is that in the linearisation technique in the first
stage, bit conditions are added in order to linearise the first
n1
rounds, thus consuming
many degrees of freedom. As the input space of SHA-3-384 is too small for a sufficient level
246 Finding Collisions against 4-Round SHA-3-384 in Practical Time
of degrees of freedom, extra bit conditions may cause contradictions with restrictions on
the initial values in the capacity part, thus making the linearisation technique infeasible.
4
A new framework for a collision attack against 4-round
SHA-3-384
In this section we introduce a new framework for a collision attack that overcomes drawbacks
in the techniques of both Dinur et al. and Guo et al. There are three stages in our attack,
namely the 1st block generation stage, the 1-round SAT-based connector stage, and the
collision searching stage, as depicted in Figure 3. Before we overview the three stages, we
introduce some notations, definitions, and parameters.
f
L
f
L
𝑀1
𝑀1
𝑀2
𝑀2
𝛼1
𝛼0
Figure 3: Framework of our attack.
The first blocks
M1
and
M
1
in Figure 3 are called prefixes. A four-round Keccak
permutation, denoted as
f
, is operated on
M1
and
M
1
, before absorbing the next blocks
M2
and
M
2
, respectively. The second blocks
M2
and
M
2
are called suffixes. In our attack,
we assume that message pairs (
M1||M2
)and (
M
1||M
2
)are actually messages after applying
the padding rule. Note that a block of SHA-3-384 is with size of 1600
384
×
2 = 832 bits.
The first blocks
M1
and
M
1
as well as the first 828 bits of the suffixes
M2
and
M
2
are
controlled by the adversary and the last four bits of the suffixes are 0111. The size of the
input space in this case is 832 + 828 = 1660 bits. The last (
c
+ 4) bits of the input state of
the second block are defined as chaining values, which are known given a fixed prefix pair.
The 3-round differential characteristic depicted in Figure 3 is given in Table 4. The
‘?’ in Table 4 means that the corresponding nibble is unknown. The probability of
the characteristic is 2
42
. The method of constructing the characteristic is discussed in
Section 5.2. The differential transition of the
i
-th round in the characteristic is denoted by
αi1
L
βi1
χ
αi
, where
i
1. Let
α0
be the input difference of the second block after
adding message blocks as shown in Figure 3. Next, we overview the three stages.
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 247
Table 4: The 3-round differential characteristic.
Differential Characteristic
Probability
α1(∆SI)7c0bc4f5b4398002 2407de4bc9668001 ac02095d32eb8000 d402e98975068000 3c05706a07f58000 1
7c0bccf5b4398002 240fde4bc9e68001 ac02095d32ef8000 c40ae98975068000 3414706a05f58000
7c0bc4f5b4398000 240fda4bc9e68001 ac02095d32eb8000 c40ae9897d068000 3c15706a25f58000
7c0bc4f5bc398002 240fde4fc9668001 ac02095d32eb8000 c40ae98975068000 3c15706a05f48000
7c0bc4f1b4398002 240fde4bc9e68001 ac02095d3aeb8000 d40ae98975868000 3c15706a05f58000
β10000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 226
0000000001008000 0000000000008010 0000000000000010 0000000000008010 0000000001000000
0010000001000000 0000000001000000 0010000000000000 0000000001000000 0010000000000000
0010000000008000 0000000000008000 0010000000000000 0000000000000000 0010000000008000
0000000000000000 0000000000000000 0000000000000010 0000000000000010 0000000000000000
β20000000000000000 8000000000000000 0000000000000000 0000000000000000 0000000000000000 215
0000000000000000 0000000000000000 0000000080000000 0000000000000001 0000000000000000
0000000000000000 0000000000000000 0000000000000000 0000000000000001 0000000000000000
0000000000000000 0000000000000001 0000000000000000 0000000000000000 0000000000000001
0000000000000000 8000000000000000 0000000080000000 0000000000000000 0000000000000000
β30000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 21
0000000000000000 0000000000000000 0000000000000000 0000200000000000 0000000010000000
0000000000000001 0000002000000000 0000000002000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000400 0000000000000000 0000000000000000
0000000000000000 0080000000000000 0000000000000000 0000000000000000 0000000000000002
α4(∆SO)0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000 0000200000000000 0000?00010000000
0000000000000001 000000200000000? 000000?00200000? 000000?000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000400 0000000000000?00 0000000000000?00
000000000000000? 008000000000000? 00?0000000000000 00?0000000000000 0000000000000002
4.1 1st block generation stage
In this stage the adversary generates prefix pairs fulfilling required conditions on corre-
sponding chaining values. The method of deriving these conditions is given in Section 5.1.
Instead of working on single-block messages like in the previous technique, we turn to
two-block messages, similar to the attacks proposed by Wang et al. against MD-like hash
functions [
WLF+05
,
WY05
,
WYY05
]. This helps to reduce the impact of the initial values
in the capacity part on the 1-round connector. The Keccak permutation on a prefix is
regarded as a pseudo random number generator (PRNG), which provides pseudo random
chaining values in our attack. Once a corresponding 1-round connector fails, the adversary
just generates another random prefix pair (
M1, M
1
)fulfilling the required conditions over
the chaining values. In comparison, Guo et al.’s adversary would have to search for a new
differential characteristic with a special form, which is a hard and time-consuming process.
4.2 1-round SAT-based connector stage
We develop a new 1-round SAT-based connector that replaces Guo et al.’s linearisation
technique, and removes the constraint on the size of the input space. In this stage,
for each prefix pair generated in the first stage, the adversary searches for a suffix pair
which connects the chaining values with a preset 1-round input difference
α1
. This is a
connectivity problem, defined as follows.
Definition 1. Given a prefix pair (
M1, M
1
), the connectivity problem is to determine if
there exists a suffix pair (M2, M
2)such that
R(f(M1||0) (M2||0)) R(f(M
1||0) (M
2||0)) = α1.(2)
The connectivity problem can be reduced to a satisfiability (SAT) problem and solved
by a SAT solver. However, solving the connectivity problem using a SAT solver for every
prefix pair generated in the first stage is still time consuming. Instead, we develop a
preliminary deduce-and-sieve algorithm that filters prefix pairs based on their differential
properties.
In the deduce-and-sieve algorithm, the adversary rejects a prefix pair (
M1, M
1
)if there
exists no differential transition from
α0
to
α1
, where the last 1600
828 = 772 bits of
α0
are the sum of the chaining values. Thus, the adversary can efficiently dismiss most of
prefix pairs that have no solution for corresponding connectivity problems.
Then, the adversary applies the SAT solver to solve the connectivity problem for the
remaining pairs. For a prefix pair (
M1, M
1
), if there exists a suffix pair (
ˆ
M2,ˆ
M
2
)such
248 Finding Collisions against 4-Round SHA-3-384 in Practical Time
that Equation 2 holds, the SAT solver then returns the corresponding suffix pair, which is
called a suffix seed pair; otherwise, the SAT solver rejects the prefix pair. The 1-round
SAT-based connector stage is described in more detail in Section 6.
4.3 Collision searching stage
The method in the collision searching stage follows Guo et al.’s work: once the adversary
obtains a prefix pair (
M1, M
1
)and a suffix seed pair (
ˆ
M2,ˆ
M
2
), the adversary aims to find
a suffix pair (M2, M
2)following the differential characteristic depicted in Figure 3.
All solutions for a corresponding connectivity problem form an affine subspace. Next,
we explain how to derive that subspace of suffixes
M2
, which also applies to deriving a
subspace of suffixes
M
2
. We will discuss later that searching the affine subspace of
M2
for
the colliding pair is equivalent to searching the affine subspace of M
2.
Given a pair of prefix and suffix seeds (
ˆ
M2,ˆ
M
2
), the input difference of the operation
χ
,
denoted as
β0
, can be deduced by computing
L
(
f
(
M1||
0)
(
ˆ
M2||
0))
L
(
f
(
M
1||
0)
(
ˆ
M
2||
0)).
Let
x
be a vector of bit values before
χ
, i.e.
x
=
L
(
f
(
M1||
0)
(
M2||
0)). By Property 2,
given
β0
and
α1
, all the linear equations on the input affine subspaces of active S-boxes in
the first round can be derived and expressed as
A1·x=b1,(3)
where
A1
is a block-diagonal matrix in which each diagonal block together with corre-
sponding constants in
b1
forms equations for one active S-box. Additional constraints that
xneeds to fulfill are that given M1, the chaining values are prefixed:
A2·x=b2,(4)
where
A2
is a submatrix of
L1
and
b2
is the vector of those prefixed chaining values
computed from
f
(
M1||
0). Thus,
x
is in an affine subspace, which is equivalent to
M2
being
in an affine subspace.
The adversary combines and solves Equation 3 and Equation 4 and obtains all solutions
to the connectivity problem. The adversary then exhaustively searches for the colliding
pair that follows the 3-round differential characteristic depicted in Figure 3.
Searching the affine subspace of
M2
, denoted as
W1
, for the colliding pair is equivalent to
searching the affine subspace of
M
2
, denoted as
W2
. As discussed above,
x
=
L
(
f
(
M
1||
0)
(
M
2||
0)) satisfies a system of linear equations combined with two parts. The first part is
in a similar form to Equation 3, which is
A1·x=b1.(5)
The second part is writen as:
A2·x=b
2,(6)
where
A2
is a submatrix of
L1
and
b2
is the vector of those prefixed chaining values
computed from f(M
1||0).
For each
xL
(
W1
),
xLβ0
is in
L
(
W2
). We will show next that
xLβ0
fulfills
both Equation 5 and Equation 6. As
xW1
,(
x, x Lβ0
)should follow the differential
characteristic
β0α1
, which indicates that
xLβ0
fulfills Equation 5. As
L
is linear, the
following equation should work:
L1(xMβ0) = L1(x)ML1(β0) = L1(x)Mα0.(7)
As
L1
(
x
)is the internal input state of the second block, the least significant bits of
L1
(
xLβ0
)are indeed the prefixed chaining values computed from
f
(
M
1||
0). Therefore,
xLβ0
fulfills both Equation 5 and Equation 6. It can be concluded that searching the
affine subspace of
M2
for the colliding pair is equivalent to searching the affine subspace of
M
2.
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 249
Algorithm 1 Deriving Linear Conditions
Input: α1
Output: Set of Linear Conditions SA
1: Compute the output difference for each S-box from α1.
2: Initialise the system of equations E.
3: S0=,S1=,SA=.
4: for each S-box do
5: δout is the output difference of the S-Box.
6: if δout = 0 then
7: for each bit in the S-box do
8: Add the corresponding equation β0[i1] = 0 to both Eand S0.
9: else if δout {0x1,0x2,0x4,0x8,0x10}then
10: Check Table 2 and add the corresponding equation β0[i1] = 1 to Eand S1.
11: else if δout {0x3,0x6,0xc,0x11,0x18}then
12: Check Table 2 and add the corresponding equation β0[i1] + β0[i2]=1to E.
13:
Substitute the variables
β0
[0
,· · · ,
1599] in
E
by
α0
[0
,· · · ,
1599] according to the
expression of θ.
14: Reduce Eto its row echelon form.
15: for each equation in Edo
16: if all the variables in the equation are from {α0[828],· · · α0[1599]}then
17: Add this equation to SA
18: return SA
5 Constructing a 3-round differential characteristic
In this section, we first introduce the deduction of conditions on chaining values given
an input difference. Afterwards, we discuss two criteria when constructing a differential
characteristic. With the differential characteristic, we explain the method of generating
prefix pairs satisfying conditions on corresponding chaining values.
5.1 Requirements on the chaining values
For the connectivity problem to have at least one solution (at least one pair of compatible
suffixes), chaining values must follow certain linear conditions. We demonstrate how to
comply with these conditions in chaining values. With
α1
, the adversary obtains the
output difference of each S-box from
α1
. There are three types of output differences from
which the adversary can derive conditions on
β0
. The other output differences do not
derive conditions on β0. These cases are listed as follows:
Type-I Output Difference: The output difference of an S-box is zero when it is
inactive.
Type-II Output Difference: The output difference of an S-box is 0x1, 0x2, 0x4,
0x8, or 0x10.
Type-III Output Difference: The output difference of an S-box is 0x3, 0x6, 0xc,
0x11 or 0x18.
The adversary can derive conditions from the three types of output differences by
applying linear algebra. The procedure is shown in Algorithm 1. From Line 6 to Line
12, the adversary obtains the three types of output differences from
α1
and writes the
corresponding conditions on the input differences according to Property 3 and Property 4.
Then, the adversary transforms the system of equations
E
in the terms of
α0
according
250 Finding Collisions against 4-Round SHA-3-384 in Practical Time
to
θ
operation and reduces
E
to its row echelon form. At last, the adversary checks each
equation in Eand obtains linear conditions on chaining values.
5.2 How to construct a 3-round differential characteristic
The 3-round differential characteristic in our attack adapts the second characteristic in
[
GLL+20
, Table 9]. The last two rounds of their characteristic are used as the last two
rounds characteristic from the third round to the fourth round in our attack. We slightly
change the output difference of their characteristic to make the first 384 bits have a zero
difference. Thus, the probability of the last two rounds characteristic is 2
16
instead of
215 in the original one.
We extend the 2-round backward characteristic by one extra round. When
β1
is fixed,
the 3-round differential characteristic is determined. We choose
β1
according to two criteria
as follows:
Criterion 1: The affine subspace in the collision searching stage should be sufficiently
large to find a collision pair.
Criterion 2: The number of conditions on the chaining values should not be too
large.
If Criterion 1 is not fulfilled, the affine subspace defined by Equation 3 and Equation 4
is so small that the probability that a collision pair is obtained in the third stage becomes
negligible.
If the characteristic does not follow Criterion 2, the procedure of generating the first
message blocks will become infeasible to be realised in practice. To keep our attack
practical, the differential characteristic should satisfy Criterion 2.
The difference
α2
has 8active S-boxes in the second round. From the DDT of the S-box,
the probability of a nonzero differential transition is at least 2
4
. Thus, the probability of
our 3-round differential characteristic is no less than (2
4
)
8·
2
16
= 2
48
. The dimension
of the affine subspace in the collision searching stage should be larger than 48. The
probability of the first round transition should not be smaller than 2
828+48
= 2
780
. As
the average probability of a nonzero differential transition in DDT is 2
3
, there should be
no more than 780/3 = 260 active S-boxes in the first round to satisfy Criterion 1.
As for Criterion 2, we set the threshold for the number of conditions as 50. We use
a hash table to generate prefix pairs, as discussed in Section 5.3. When the number of
conditions is too large, the memory consumption when generating the first message blocks
is infeasible.
To extend the 2-round characteristic, the adversary picks a
β1
at random, which is
compatible with
α2
from the second characteristic in [
GLL+20
, Table 9]. Then, the
adversary computes
α1
as
L1
(
β1
). Given
α1
, the adversary obtains the number of
active S-boxes in the first round. With Algorithm 1, the adversary deduces conditions
on the chaining values. If the two criteria are satisfied, the adversary outputs a 3-round
characteristic; otherwise, the adversary picks another compatible
β1
and continues the
procedure.
In our differential characteristic presented in Table 4, there are 228 active S-boxes in the
first round. Applying Algorithm 1 on the differential characteristic, there are 39 conditions
on the chaining values. These conditions are listed in Appendix B. The probability of the
differential characteristic is 242.
We note that the differential characteristic searching process needs to be run only
once and its complexity is of polynomial time from our experiment. Furthermore, the
found differential characteristic may not be the most optimal one. Finding the optimal
differential characteristic is thus an open problem.
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 251
Algorithm 2 Generating Prefix Pairs
1: procedure GPP(n)
2: Constant XOR Σ=0x7c00000000
3: SP=
4: Initialise an array Counter of length 239 with zeros.
5: for each integer i[0,2n)do
6: Randomly pick a message Mof 832 bits and compute the value string c.
7: HashTable[c][Counter[c]]=M
8: Increase Counter[c] by 1.
9: for each integer i[0,2n)do
10: if i<iΣthen
11: for each integer j[0,Counter[i]) do
12: for each integer k[0,Counter[iΣ]] do
13: SP=SP {(HashTable[i][j],HashTable[iΣ][k])}
return SP
5.3 Generating prefix pairs fulfilling the requirements
We explain the generation procedure of prefix pairs fulfilling the 39 conditions in Table 9.
In our approach, we use a hash table to trade off memory for time and data complexities.
The memory consumption in this procedure is mainly from a hash table indexed by 39
bits. Before we describe the procedure, we introduce some additional definitions.
We define a constant XOR as a binary string
c38c37 · · · c1c0
, where
ci
is the sum in
the
i
-th condition, 0
i
38. In our case, the constant XOR is 0x7c00000000 from the
conditions in Table 9. The conditions are the sums of differences in certain bit positions of
the input state of the second block. To check whether a given prefix pair (
M1, M
1
)satisfies
the conditions, the adversary first computes sums of binary values in these positions, which
we call by the value string and records with a 39-bit string. Then, the adversary sums up
value strings and checks whether the result equals the constant XOR value. If true, then
the adversary obtains a prefix pair fulfilling all conditions; otherwise discards it.
The procedure of generating prefix pairs satisfying the conditions is shown in Algo-
rithm 2. First, the adversary generates 2
n
first-block messages
M
of length 832 bits and
computes corresponding value strings
c
. The adversary places
M
into the
c
th row of the
hash table. Thereafter, the adversary searches through the hash table for prefix pairs that
satisfy the constraints (Lines 8 to 12).
Algorithm 2 generates around 2
n·
2
n1·
2
39
= 2
2n40
pairs. The time and data
complexity is 2
n
. The memory consumption is mainly from the hash table, which is also
2n. The value of nis experimentally discussed in Section 7.
It should be noted that the prefixes generated in Algorithm 2 can be extended to
messages of length 832
nb
bits, where
nb
is the number of blocks and
nb
1. The procedure
of generating multi-block prefix pairs is shown in Algorithm 16 of Appendix C. As shown
in Algorithm 16, the adversary starts from arbitrary chosen messages (
P, P
)as part
of the prefixes in the first (
nb
1) blocks. The remaining block is picked randomly to
fulfill the linear conditions on the chaining values. Thus, our attack can be extended to a
chosen-prefix collision attack like the works of [SLdW07,LP19].
6 1-round SAT-based connector
We develop a new 1-round SAT-based connector to solve the connectivity problem in
an efficient way. The connector includes two phases. First, we use a deduce-and-sieve
algorithm to filter prefix pairs generated by Algorithm 2. Then, for each remaining prefix
252 Finding Collisions against 4-Round SHA-3-384 in Practical Time
Algorithm 3 Initial Phase of the Deduce-and-sieve Algorithm
1: procedure Initial(M1,M
1)
2: A=f(M1||0),A=f(M
1||0)
3: for each integer i[0,1600) do
4: if i828 then
5: α0[i] = A[i]A[i],αS
0[i]=1,AS[i]=1,A
S[i]=1
6: else
7: α0[i]=0,αS
0[i]=0,A[i]=0,A[i]=0,AS[i]=0,A
S[i]=0 The
second block is controlled by the adversary.
8: if iS0then
9: β0[i]=0,βS
0[i]=1
10: else if iS1then
11: β0[i]=1,βS
0[i]=1
12: else
13: βS
0[i]=0
14: for each integer i[0,320) do
15: Σ[i] = 0,ΣS[i] = 0
16: return A, A, AS, A
S, α0, αS
0, β0, βS
0
pair, the connectivity problem is solved by applying a SAT solver.
6.1 Deduce-and-sieve algorithm
In the deduce-and-sieve algorithm, we assume that for a prefix pair (
M1, M
1
)there exists a
suffix pair (
M2, M
2
)in the connectivity problem. It indicates that in some S-boxes, input
differences for Type-I and Type-II output differences should be of a special form. Thus,
some bit differences of
β0
are supposed to be fixed, which are then recorded in the sets
S0
and S1, see Algorithm 1.
There are two phases in the deduce-and-sieve algorithm. In the difference phase, given
a prefix pair (
M1, M
1
)the adversary deduces new bit differences and checks whether a
contradiction has been reached, in which case the prefix pair is discarded. The value phase
helps to sieve prefix pairs more efficiently, as the filtering rate of the difference phase is
low. In the value phase, more bit values can be deduced from the algebraic properties of
Keccak’s S-box. If new bit differences are obtained from new bit values, the adversary
returns to the difference phase to seek a contradiction and to discard the prefix pair.
In the initial phase of the deduce-and-sieve algorithm (Algorithm 3), the adversary
computes the chaining values for a prefix pair (
M1, M
1
)and stores the values in two vectors
A
and
A
of length 1600, respectively. As the bit values in vectors
A
and
A
can be either
known or unknown, two extra vectors
AS
,
A
S
, called indicator vectors, record whether the
bit value in a corresponding position is known. To be more specific, for 0
i <
1600, if
and only if the
i
-th bit in
A
is known then
AS
[
i
] = 1. The adversary then computes the
bit difference
α0
[
i
], where 828
i <
1600, and sets the corresponding bit differences of
β0
as a constant vector. Two indicator vectors
αS
0
and
βS
0
record whether the bit difference
in a corresponding position is known.
In the deduce-and-sieve algorithm, we use the vector Σof length 320 to record sums of
five bit differences in each column. In the beginning, each entry of the indicator vector Σ
S
is initialised as 0denoting an unknown state.
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 253
6.1.1 The difference phase
In the difference phase of the deduce-and-sieve algorithm, for a given prefix pair (
M1, M
1
),
bit differences of
α0
in the chaining value part can be obtained. As we assume that
there exists a solution in the connectivity problem for the prefix pair (M1, M
1), some bit
differences of
β0
should be certain values from the sets
S0
and
S1
, deduced by Algorithm 1.
With the CP-kernel equations and the expression of
L
, the adversary can deduce new
bit differences from
α0
and
β0
. We investigate the differential transition of the Keccak
S-box and develop a tool called Truncated Difference Transform Table (TDTT), which is
inspired by truncated differential cryptanalysis, proposed by Knudsen in [
Knu94
]. With the
TDTT of the Keccak S-box, a contradiction may be reached for the prefix pair (
M1, M
1
)
as there is no compatible differential transition from the input difference of the first round
α0
to the output difference
α1
. Before we define the TDTT of an S-box, we first introduce
truncated difference in Definition 2.3
Definition 2. An
n
-bit difference is called a truncated difference if only
m
bits of it are
known, where m<n.
We use a 2
n
-bit integer
a||b
, where
a, b Fn
2
, to represent a truncated difference. Let
(
an1,· · · , a0
)and (
bn1,· · · , b0
)be the binary representations of
a
and
b
, respectively.
For each
i
where 0
i < n
, if
bi
is known,
ai
= 1; otherwise,
ai
= 0. In regular truncated
differences, for each
i
where 0
i<n
,
aibi
. Otherwise, the truncated difference is
called irregular.
Differences covered by a regular truncated difference
a||b
, where
a, b Fn
2
, are
{d
Fn
2|di
=
bn+iif ai
= 1
,
0
i < n}
. A difference
dFn
2
being covered by a truncated
difference F2n
2is denoted by d.
We observe that with an output difference of the Keccak S-box and a corresponding
truncated input difference, more bits of the input difference can be fixed. For example,
suppose that the output difference of an S-box is 0x1 and the truncated input difference
is 0
||
0where none of the input bit differences is known. Property 3 indicates that the
least significant input bit difference should be 1. Then, the truncated input difference
of the S-box can be updated as 00001
||
00001 in the binary representation. A complete
transforming behaviour of the differences of an S-box can be described by its TDTT:
Definition 3. Given a truncated input difference
T
in
and an output difference
out
, the
entry TDTT(∆T
in,out )of the S-box’s TDTT is:
T DT T (∆T
in,out ) =
null, if T
in does not deduce out, or T
in is irregular
T
in ,if more bits of the input difference can be derived
T
in,if no more bits can be derived
where T
in is the new truncated input difference, T
in,T
in F2n
2and out Fn
2.
In case of Property 3, it can be observed that TDTT(0||0,1) is 0x1||0x1.
The TDTT of an S-box can be constructed from its DDT, which is shown in Algorithm 4.
For a regular truncated difference
aF2n
2
and an output difference
bFn
2
, the adversary
finds all the covered differences
in
by
a
such that the differential transition
in b
is compatible, where
in Fn
2
(Line 4 in Algorithm 4). If there exists no such
in
,
TDTT(
a, b
) =null. Otherwise, the adversary finds the new truncated difference
T
covering
all
in
and TDTT(
a, b
) =
T
(Line 8 to 14 in Algorithm 4). For an irregular truncated
difference
aF2n
2
, the adversary labels the entire row of the TDTT as null, shown in Line
16 of Algorithm 4.
3
We alert the reader that the original definition in [
Knu94
] allowed for sets of differences. We use the
common interpretation that characterizes the set by bits set to 0.
254 Finding Collisions against 4-Round SHA-3-384 in Practical Time
Algorithm 4 Constructing the TDTT of an n-bit S-box from its DDT
Input: DDT of an n-bit S-box
Output: TDTT of the S-box
1: for each integer a[0,22n)do
2: if ais a regular truncated difference then
3: for each integer b[0,2n)do TDDT(a, b)is computed in the loop.
4: Find D={in Fn
2|DDT(∆in, b)= 0}∩{in Fn
2|in a}
5: if D=then
6: TDTT(a,b)=null
7: else
8: T=0 T is a 2n-bit integer.
9: for each integer i[0, n)do
10: if the i-th bit of each entry in Dis a constant as cithen
11: Ti=ci, Tn+i= 1 Tiis the i-th bit of T.
12: else
13: Ti= 0, Tn+i= 0
14: TDTT(a, b) = T
15: else
16: TDTT(a,*)=null
17: return TDTT
Next, we describe the method of deducing new bit differences from the CP-kernel
equations and the expression of
L
. Then, we explain the method of applying it for sieving
prefix pairs.
Deducing new differences from the CP-kernel equations. New differences of some bit
positions can be derived from the CP-kernel equations. For example, as shown in Figure 4,
the differences
α
[
i3
],
α
[
i4
]and
β
[
σ
(
i3
)] are known. The difference
β
[
σ
(
i4
)] can be deduced
from the CP-kernel equation as
β
[
σ
(
i4
)] =
α
[
i3
]
α
[
i4
]
β
[
σ
(
i3
)]. New differences can be
L
0
0
i0
i1
i2
i3
i4
(i0)
󰇛i1󰇜
󰇛i2󰇜
󰇛i3󰇜
󰇛i4󰇜
deduced bit
known bit
unknown bit
Figure 4: Deducing new differences from the CP-kernel equations.
derived in a column if there exists a position
ij
in the column such that both
α
[
ij
]and
β
[
σ
(
ij
)] are known, and 0
j <
5. The procedure of deducing new differences in the
i
-th
column is shown in Algorithm 5.
L
L
(a) (b)
known bits
unknown bits
dont care bits
Figure 5: Representatives when the sum state is 1.
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 255
Algorithm 5 Deducing New Differences in the i-th Column
1: procedure CPKernel(α0,β0,αS
0,βS
0,i)
2: Compute the indices of the five bits in the i-th column as i0, i1,· · · , i4.
3: flag = 0
4: for each integer j[0,5) do
5: if αS
0[ij]=1 and βS
0[σ(ij)] = 1 then
6: flag = 1,sum =α0[ij]β0[σ(ij)]
7: if flag then
8: for each integer j[0,5) do
9: if αS
0[ij]=1 and βS
0[σ(ij)] = 0 then
10: β0[σ(ij)] = sum α0[ij],βS
0[σ(ij)] = 1.
11: else if αS
0[ij]=0 and βS
0[σ(ij)] = 1 then
12: α0[ij] = sum β0[σ(ij)],αS
0[σ(ij)] = 1
L
L
(a) (b)
known bit
unknown bit
marked bit
dont care bit
known bit
unknown bit
marked bit
dont care bit
L
(c)
Figure 6: Representatives when the sum state is 2.
Deducing new differences from the expression of
L
.New bit differences can be derived
from the expression of
L
. Applying Equation 1, the bit difference
β0
[
i
]can be expressed
as:
β0[i] = α0[σ1(i)] Σ[ϕ1(σ1(i))] Σ[ϕ2(σ1(i))],(8)
where Σ[
ϕ1
(
σ1
(
i
))] and Σ[
ϕ2
(
σ1
(
i
))] are the sums of the five bits in the
ϕ1
(
σ1
(
i
))th and
ϕ2
(
σ1
(
i
))th columns, respectively, and 0
i <
1600. If only one variable in Equation 8
is unknown, its value can be deduced. Before we show the technique of deducing new
difference applying Equation 8, we introduce the method of computing the column sum.
We classify the situations of the column sum into three cases. The first case is that the
column sum is known. The second is that the column sum becomes known with one more
known bit. The third is that more than two bits of information are needed to derive the
column sum. In order to compute the column sum, we use another variable called sum
state that encodes the three states: 1for the first case, 2for the second case, and 0for the
third case.
Representatives, when the sum state is 1, are shown in Figure 5.
4
For example, as
shown in Figure 5 (b),
α0
[
i2
],
α0
[
i3
],
α0
[
i4
],
β0
[
σ
(
i0
)] and
β0
[
σ
(
i1
)] are known. Applying
the CP-kernel equation, the column sum can be computed as
α0[i2]α0[i3]α0[i4]β0[σ(i0)] β0[σ(i1)].
Representatives of the cases when the sum state is 2are shown in Figure 6.
5
In these
three representatives the sum of four bits of one column can be derived with the CP-kernel
equation. The index of the left bit in the column, defined as the marked bit, is recorded.
The difference of the marked bit may be deduced in a later step.
4
We only show a representative in Figure 5 (b). The other cases can be obtained by permuting the bits
in the two columns simultaneously.
5
We only show three representatives in Figure 6. The other cases can be obtained by permuting the
bits in the two columns of the subfigures simultaneously.
256 Finding Collisions against 4-Round SHA-3-384 in Practical Time
Algorithm 6 Computing the i-th Column Sum
1: procedure ColumnSum(α0,β0,αS
0,βS
0,i,Σ,ΣS,MarkedBit)
2: Compute the indices of the five bits in the i-th column as i0, i1,· · · , i4.
3: if the five bits match one of the representatives in Figure 5 then
4: Compute the sum and record it in Σ[i]
5: Set ΣS[i]=1
6: else if the five bits match one of the representatives in Figure 6 then
7: Compute the sum of the four corresponding known bits and record it in Σ[i]
8: Set ΣS[i]=2
9: Record the index of the corresponding marked bit in MarkedBit[i]
10: else
11: Set ΣS[i]=0
The procedure for computing the
i
-th column sum is shown in Algorithm 6. The
adversary finds the states of the 10 related bits from
α0
and
β0
. If the states of 10 related
bits match one of the representatives in Figure 5, the column sum is known. The adversary
computes the sum and updates the sum state Σ
S
[
i
]with 1. If the states of 10 related
bits match one of the representatives in Figure 6, where one bit difference is missing, the
adversary computes the sum of the corresponding blue bits. The adversary then records
the sum and the index of the marked bit and updates the sum state Σ
S
[
i
]with 2. If the
situation does not match any of the representatives in Figure 5 or Figure 6, the adversary
labels the corresponding sum state as 0.
Given the column sums, the adversary can obtain new bit differences from the expression
of
θ
. To be more specific, if there is only one variable is unknown in Equation 8, the value
of it can be easily deduced. The procedure is shown in Algorithm 7. There are 5situations
in which new differences can be deduced. In the two situations shown in Figure 6, marked
bits are obtained and corresponding column sums are updated.
Sieving prefix pairs with TDTT. The sieving procedure applying the TDTT of the
Keccak S-box is shown in Algorithm 8. With
β0
and
βS
0
, the adversary can deduce the
truncated input difference for each S-box. Then, the adversary discards prefix pairs with
no solutions in the connectivity problem according to the TDTT. For pairs that cannot be
discarded, the adversary may obtain new bit differences of
β0
from the TDTT. Once a bit
difference is obtained, the adversary checks the related CP-kernel equations to deduce new
bit differences in α0and β0, as shown in Lines 13-15 in Algorithm 8.
Let us summarise the difference phase of the deduce-and-sieve algorithm in Algorithm 9.
The adversary first initialises the difference phase by deducing bit differences through
checking the CP-kernel equations. Then, she updates column sums and deduces new
bit differences from the expression of
L
. Finally, the adversary checks the TDTT of the
Keccak S-box and decides whether a certain prefix pair (
M1, M
1
)should be discarded. If
the pair should not be discarded, the adversary computes the number of new deduced
bit differences from Lines 8-13 in Algorithm 9. If new bit differences are deduced, the
adversary goes back to Line 8; otherwise, she accepts the prefix pair.
6.1.2 The value phase
In the value phase, the adversary uses another algebraic property of the Keccak round
function to deduce new input bit values of
χ
in the first round. New values can be deduced
using a new tool called Fixed Value Distribution Table (FVDT) and applying the CP-kernal
Equalities.
Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov 257
Algorithm 7 Deducing New Differences from the Expression of L
1: procedure LinearTrans(α0,β0,αS
0,βS
0,Σ,ΣS,MarkedBit)
2: for each integer i[0,1600) do
3: i0=σ1(i),i1=ϕ1(i0),i2=ϕ2(i0)
4: Deduce the expression of β0[i] = α0[i0]Σ[i1]Σ[i2]
5: if βS
0[i]=0and αS
0[i0]=1 and ΣS[i1] = 1 and ΣS[i2]=1then
6: Set β0[i] = α0[i0]Σ[i1]Σ[i2],βS
0[i] = 1
7: Call CPkernel(α0,β0,αS
0,βS
0,ϕ0(i0))
8: else if βS
0[i]=1and αS
0[i0]=0 and ΣS[i1]=1 and ΣS[i2] = 1 then
9: Set α0[i0] = β0[i]Σ[i1]Σ[i2],αS
0[i0]=1
10: Call CPkernel(α0,β0,αS
0,βS
0,ϕ0(i0))
11: else if βS
0[i]=1and αS
0[i0]=1 and ΣS[i1]=0 and ΣS[i2] = 1 then
12: Set Σ[i1] = β0[i]α0[i0]Σ[i2],ΣS[i1]=1
13: else if βS
0[i] = 1 and αS
0[i0]=1 and ΣS[i1]=2 and ΣS[i2] = 1 then
14: Set α0[MarkedBit[i1]] = β0[i]α0[i0]Σ[i1]Σ[i2]
15: Set αS
0[MarkedBit[i1]] = 1
16: Set Σ[i1] = α0[MarkedBit[i1]] Σ[i1],ΣS[i1]=1
17: Call CPkernel(α0,β0,αS
0,βS
0,ϕ0(MarkedBit[i1]))
18: else if βS
0[i] = 1 and αS
0[i0]=1 and ΣS[i1]=1 and ΣS[i2]=0then
19: Set Σ[i2] = β0[i]α0[i0]Σ[i1],ΣS[i2]=1
20: else if βS
0[i] = 1 and αS
0[i0]=1 and ΣS[i1]=1 and ΣS[i2]=2then
21: Set α0[MarkedBit[i2]] = β0[i]α0[i0]Σ[i1]Σ[i2]
22: Set αS
0[MarkedBit[i2]] = 1
23: Set Σ[i2] = α0[MarkedBit[i2]] Σ[i2],ΣS[i2]=1
24: Call CPkernel(α0,β0,αS
0,βS
0,ϕ0(MarkedBit[i2]))
The FVDT is developed from an observation that with a truncated input difference
and an output difference of the Keccak S-box, bit values in some positions are constants.
Applying the FVDT of the Keccak S-box, the adversary can obtain new input bit values
of
χ
. With these new values and the chaining values, the adversary applies the CP-kernal
equations to deduce additional input bits of
χ
. With the new values, the adversary can
derive new bit differences from the expression of
χ
. Then, she can continue with the
difference phase.
Fixed Value Distribution Table (FVDT). Before we delve into the details of the FVDT
of an
n
-bit S-box, we first define a solution set of a truncated input difference
T
in
and an
output difference out as follows:
Definition 4. The solution set of a truncated input difference
T
in
and an output difference
out is
ST(∆T
in,out ) = [
inT
in
{(a, a in )|S(a)S(ain)=∆out },
where T
in F2n
2,in Fn
2and out Fn
2.
The solution set of the truncated input difference
T
in
and the output difference
out
is a generalisation of the solution set of the input difference
in
and the output difference
out
of regular DDTs. From Definition 4, it is a union of solution sets of the input difference
in and the output difference out, where in T
in.
We observe that for the truncated input difference
T
in
and the output difference
out
,
some bits of the pairs in the solution set
ST
(∆
T
in,
out
)may be constants. For example,
258 Finding Collisions against 4-Round SHA-3-384 in Practical Time
Algorithm 8 Discarding Prefix Pairs with TDTT
1: procedure Sieve(α0,β0,α1,αS
0,βS
0, TDTT)
2: for each S-box do
3: Deduce the output difference out from α1.
4: Deduce the truncated input difference T
in from β0and βS
0.
5: TTDTT(T
in,out )
6: if T=null then
7: return 0.
8: else if T=T
in then
9: continue
10: else if T= T
in then
11: Find the indices of the five bits in the S-box as i0, i1,· · · , i4.
12: for each integer j[0,5) do
13: if the (j+ 5)th bit of in is 0and Tj+5 = 1 then
14: Set β0[ij] = Tj,βS
0[ij]=1 Tjis the j-th bit of T.
15: Call CPkernel(α0,β0,αS
0,βS
0,ϕ0(σ1(ij)))
when the truncated input difference
T
in
is 0xc2, the covered differences are 0x2, 0x3, 0xa,
0xb, 0x12, 0x13, 0x1a, and 0x1b. If the output difference
out
is 0
x
1, the compatible
differences are 0xb and 0x1b. The solution set is
ST
(
0xc2,0x1
) =
{0x0, 0x3, 0x8, 0xb}
{0x1, 0x1a}
. It can be easily verified that the value of the third bit in the solution set is
fixed as 0.
Based on this observation, we develop a useful tool called Fixed Value Distribution
Table. If the adversary can obtain fixed values in some bit positions with
T
in
and
out
,
we use a 2
n
-bit integer
a||b
, called as fixed point, to record constant values and their
corresponding positions, where
a, b Fn
2
. If the
i
-th bit in the S-box is a constant,
ai
= 1
and
bi
is assigned to be a fixed value; otherwise,
ai
= 0 and
bi