Collision Attacks on Round-Reduced SHA-3 Using Conditional Internal Differentials

Abstract

The KECCAK hash function was selected by NIST as the winner of the \(\texttt {SHA-3}\) competition in 2012 and became the \(\texttt {SHA-3}\) hash standard of NIST in 2015. On account of \(\texttt {SHA-3}\)’s importance in theory and applications, the analysis of its security has attracted increasing attention. In the \(\texttt {SHA-3}\) family, \(\texttt {SHA3-512}\) shows the strongest resistance against collision attacks: the theoretical attacks of \(\texttt {SHA3-512}\) only extend to four rounds by solving polynomial systems with 64 times faster than the birthday attack. Yet for the \(\texttt {SHA-3}\) instance SHAKE256 there are no results on collision attacks that we are aware of in the literatures.

In this paper, we study the collision attacks against round-reduced \(\texttt {SHA-3}\). Inspired by the work of Dinur, Dunkelman and Shamir in 2013, we propose a variant of birthday attack and improve the internal differential cryptanalysis by abstracting new concepts such as differential transition conditions and difference conditions table. With the help of these techniques, we develop new collision attacks on round-reduced \(\texttt {SHA-3}\) using conditional internal differentials. More exactly, the initial messages constrained by linear conditions pass through the first two rounds of internal differential, and their corresponding inputs entering the last two rounds are divided into different subsets for collision search according to the values of linear conditions. Together with an improved target internal difference algorithm (TIDA), collision attacks on up to 5 rounds of all the six \(\texttt {SHA-3}\) functions are obtained. In particular, collision attacks on 4-round \(\texttt {SHA3-512}\) and 5-round \(\texttt {SHAKE256}\) are achieved with complexity of \(2^{237}\) and \(2^{185}\) respectively. As far as we know, this is the best collision attack on reduced \(\texttt {SHA3-512}\), and it is the first collision attack on reduced \(\texttt {SHAKE256}\).

Supported by the National Natural Science Foundation of China (Grant No. 62122085 and 12231015) and the Youth Innovation Promotion Association of Chinese Academy of Sciences.

Appendices

A Internal Differential Characteristics for the Attacks

The internal difference [i, v] is represented by its canonical representative state defined in Sect. 4.1. Each state is given as a matrix of \(5\times 5\) lanes of 64 bits, order from left to right, where each lane is given in hexadecimal using the little-endian format. The symbol ‘-’ is used in order to denote a zero 4-bit value.

B Appendix: Difference Conditions Table of KECCAK Sbox

Here we list the differential transition conditions of non-zero input differences (Table 7).

Table 7. Difference Conditions Table of KECCAK Sbox

C Appendix: Values of Difference Conditions Table of KECCAK Sbox

Here we list the values of differential transition conditions of some input differences, and the other input differences and their differential transition conditions’ values can be obtained through cyclic shifting of existing input differences and conditions (Table 8).

Table 8. Values of Difference Conditions Table of KECCAK Sbox

D Appendix: 2D Affine Subspaces of KECCAK Sbox

Here we give the 2-dimensional affine subspaces and affine equations to the output differences of Sbox using in TIDA (Table 9).

Table 9. 2D Affine Subspaces of KECCAK Sbox