Abstract
In this work, we focus on collision attacks against instances of SHA-3 hash family in both classical and quantum settings. Since the 5-round collision attacks on SHA3-256 and other variants proposed by Guo et al. at JoC 2020, no other essential progress has been published. With a thorough investigation, we identify that the challenges of extending such collision attacks on SHA-3 to more rounds lie in the inefficiency of differential trail search. To overcome this obstacle, we develop a SAT-based automatic search toolkit. The tool is used in multiple intermediate steps of the collision attacks and exhibits surprisingly high efficiency in differential trail search and other optimization problems encountered in the process. As a result, we present the first 6-round classical collision attack on SHAKE128 with time complexity \(2^{123.5}\), which also forms a quantum collision attack with quantum time , and the first 6-round quantum collision attack on SHA3-224 and SHA3-256 with quantum time and , where S represents the hardware resources of the quantum computer. The fact that classical collision attacks do not apply to 6-round SHA3-224 and SHA3-256 shows the higher coverage of quantum collision attacks, which is consistent with that on SHA-2 observed by Hosoyamada and Sasaki at CRYPTO 2021.
More details are available in the full version of this paper: https://ia.cr/2022/184.
Notes
1. The preimage attack on 3-round Keccak-256 in [LHY21] has a time complexity of \(2^{65}\), but no concrete preimage is given.
2. In this attack model, 1-block collision messages are generated. The constraints imposed by the sponge construction are (1) the c-bit capacity, i.e., c consecutive “0” bits, and (2) the 2-bit padding “11”, which is concatenated with a “01” or “1111” string at the tail of the message block.
3. The practical algorithms are much more complex; we describe them in this abstract way only to convey the basic ideas.
4. The propagation weight is defined as the negative binary logarithm of the propagation probability. For example, if the propagation probability of a differential trail is \(2^{-32}\), the corresponding weight is 32.
5. The other \(\beta_1\) Sboxes that are not treated are indicated with red blocks in Fig. 5.
6. Indeed, the size of the solution space is not always \(2^{27}\) (or DF = 27). This is an average calculated from our experiments repeated on \(2^{14.3}\) connectors.
7. Refer to Remark 3 for more discussion on the cost of connectors.
8. The complexity analysis of the quantum collision attack is given in Sect. 4.3.
9. More auxiliary qubits may be required for intermediate variables (e.g., in the greedy algorithm and Gauss-Jordan elimination) in \(\mathcal{C}_1\). The number of those variables is the state size multiplied by a constant. Since the worst case of Gauss-Jordan elimination is considered and \(\mathcal{C}_2\) also contains intermediate variables, this evaluation is reasonable.
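Footnotes 4 and 5 speak of propagation weights and of the Sboxes a differential trail passes through. The following Python, added here and not part of the paper or its SAT toolkit, builds the difference distribution table of Keccak's 5-bit χ Sbox (the mapping from the Keccak reference), derives the weight of one Sbox transition as the negative binary logarithm of its probability, and sums Sbox weights over a constructed toy trail; the trail and all function names are the example's own assumptions.

```python
# Added example: propagation weights through the Keccak chi Sbox.
# chi is the 5-bit row mapping of the Keccak reference; the trail fed to
# trail_weight() below is a constructed toy trail, not one from the paper.
from math import log2
from collections import Counter

def chi(a: int) -> int:
    """Keccak chi on one 5-bit row: b[i] = a[i] ^ (~a[i+1] & a[i+2])."""
    bits = [(a >> i) & 1 for i in range(5)]
    out = 0
    for i in range(5):
        b = bits[i] ^ ((1 - bits[(i + 1) % 5]) & bits[(i + 2) % 5])
        out |= b << i
    return out

def build_ddt() -> list:
    """DDT[din][dout] = number of x in 0..31 with chi(x) ^ chi(x ^ din) == dout."""
    table = [Counter() for _ in range(32)]
    for din in range(32):
        for x in range(32):
            table[din][chi(x) ^ chi(x ^ din)] += 1
    return table

DDT = build_ddt()

def sbox_weight(din: int, dout: int):
    """Weight -log2(Pr[din -> dout]) of one Sbox transition; None if impossible."""
    count = DDT[din][dout]
    if count == 0:
        return None
    return -log2(count / 32)

def compatible_outputs(din: int) -> list:
    """All output differences reachable from din (each has the same weight for chi)."""
    return sorted(DDT[din])

def row_is_flat(din: int) -> bool:
    """chi has degree 2, so every compatible output of a row is equally likely."""
    return len(set(DDT[din].values())) == 1

def trail_weight(transitions):
    """Sum of Sbox weights over (din, dout) pairs: probabilities of independent
    Sboxes multiply, so their weights add. None if any transition is impossible."""
    total = 0.0
    for din, dout in transitions:
        w = sbox_weight(din, dout)
        if w is None:
            return None
        total += w
    return total
```

Sixteen single-bit transitions of weight 2 give a trail of weight 32, i.e. probability \(2^{-32}\), the case footnote 4 uses.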
References
Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent, A., Schanck, J.: Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 317–337. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_18
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop, vol. 2007. Citeseer (2007)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_19
Bernstein, D.J.: Second preimages for 6 (7?(8??)) rounds of Keccak. NIST mailing list (2010)
Bao, Z., Guo, J., Li, S., Pham, P.: Quantum multi-collision distinguishers (2020)
Brassard, G., Høyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference (2011)
Chang, D., Kumar, A., Morawiecki, P., Sanadhya, S.K.: 1st and 2nd Preimage Attacks on 7, 8 and 9 Rounds of Keccak-224,256,384,512. SHA-3 workshop, August 2014
Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_8
Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_25
Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_12
Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced Keccak. J. Cryptol. 27(2), 183–209 (2014)
Dong, X., Sun, S., Shi, D., Gao, F., Wang, X., Hu, L.: Quantum collision attacks on AES-like hashing with low quantum random access memories. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 727–757. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_25
Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_24
Dworkin, M.J.: SHA-3 standard: Permutation-based hash and extendable-output functions (2015)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions (2011)
Guo, J., Liao, G., Liu, G., Liu, M., Qiao, K., Song, L.: Practical collision attacks against round-reduced SHA-3. J. Cryptol. 33(1), 228–270 (2020)
Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_9
Guo, J., Liu, G., Song, L., Tu, Y.: Exploring SAT for cryptanalysis: (Quantum) collision attacks against 6-Round SHA-3 (Full Version) (2022). https://eprint.iacr.org/2022/184
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)
Han, C.-S., Jiang, J.-H.R.: When Boolean satisfiability meets gaussian elimination in a simplex way. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 410–426. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31424-7_31
He, L., Lin, X., Yu, H.: Improved preimage attacks on 4-round Keccak-224/256. IACR Trans. Symmetric Cryptol. 2021(1), 217–238 (2021)
Hosoyamada, A., Sasaki, Y.: Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 249–279. Springer, Cham (2020)
Hosoyamada, A., Sasaki, Y.: Quantum collision attacks on reduced SHA-256 and SHA-512. IACR Cryptol. ePrint Arch. 292 (2021)
Lin, X., He, L., Yu, H.: Improved preimage attacks on 3-round Keccak-224/256. IACR Trans. Symmetric Cryptol. 2021(3), 84–101 (2021)
Liu, G., Qiu, W., Tu, Y.: New techniques for searching differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2019(4), 407–437 (2019)
Li, T., Sun, Y.: Preimage attacks on round-reduced Keccak-224/256 via an allocating approach. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 556–584. Springer, Cham (2019)
Li, T., Sun, Y., Liao, M., Wang, D.: Preimage attacks on the round-reduced Keccak with cross-linear structures. IACR Trans. Symmetric Cryptol. 2017(4), 39–57 (2017)
Mella, S., Daemen, J., Van Assche, G.: New techniques for trail bounds and application to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017)
Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. Cryptology ePrint Archive, Report 2013/328 (2013). https://eprint.iacr.org/2013/328
Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced Keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_13
Morawiecki, P., Srebrny, M.: A SAT-based preimage analysis of reduced Keccak hash functions. Inf. Process. Lett. 113(10–11), 392–397 (2013)
Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25578-6_18
Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced Keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_8
Biere, A.: CaDiCaL at the SAT Race 2019. In: Proceedings of SAT Race 2019, p. 8 (2019)
Rajasree, M.S.: Cryptanalysis of round-reduced KECCAK using non-linear structures. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 175–192. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_9
Soos, M., Biere, A., Heule, M., Järvisalo, M., Suda, M.: CryptoMiniSat 5.6 with YalSAT at the SAT Race 2019. In: Proceedings of SAT Race 2019, pp. 14–15 (2019)
Soos, M., Devriendt, J., Gocht, S., Shaw, A., Meel, K.S.: CryptoMiniSat with CCAnr at the SAT Competition 2020. In: Proceedings of SAT Competition 2020, p. 27 (2020)
Sinz, C.: Towards an optimal CNF encoding of Boolean cardinality constraints. In: van Beek, P. (ed.) CP 2005. LNCS, vol. 3709, pp. 827–831. Springer, Heidelberg (2005). https://doi.org/10.1007/11564751_73
Song, L., Liao, G., Guo, J.: Non-full Sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_15
Soos, M., Nohl, K., Castelluccia, C.: Extending SAT solvers to cryptographic problems. In: Kullmann, O. (ed.) SAT 2009. LNCS, vol. 5584, pp. 244–257. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02777-2_24
Soos, M., Nohl, K., Castelluccia, C.: CryptoMiniSat. SAT Race solver descriptions (2010)
Soos, M.: Cryptominisat v4. SAT Competition, p. 23 (2014)
Soos, M.: The CryptoMiniSat 5 set of solvers at sat competition 2016. In: Proceedings of SAT Competition, p. 28 (2016)
Soos, M., Selman, B., Kautz, H., Devriendt, J., Gocht, S.: CryptoMiniSat with WalkSAT at the SAT Competition 2020. In: Proceedings of SAT Competition 2020, p. 29 (2020)
Sun, L., Wang, W., Wang, M.: More accurate differential properties of LED64 and Midori64. IACR Trans. Symmetric Cryptol. 2018(3), 93–123 (2018)
Sun, L., Wang, W., Wang, M.: Accelerating the search of differential and linear characteristics with the SAT method. IACR Trans. Symmetric Cryptol. 2021(1), 269–315 (2021)
Van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security, pp. 210–218 (1994)
Acknowledgements
This research is partially supported by Nanyang Technological University in Singapore under Start-up Grant 04INS000397C230, and Ministry of Education in Singapore under Grants RG91/20 and MOE2019-T2-1-060. Ling Song is supported by the National Natural Science Foundation of China (Grants 62022036, 62132008).
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Guo, J., Liu, G., Song, L., Tu, Y. (2022). Exploring SAT for Cryptanalysis: (Quantum) Collision Attacks Against 6-Round SHA-3. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13793. Springer, Cham. https://doi.org/10.1007/978-3-031-22969-5_22
DOI: https://doi.org/10.1007/978-3-031-22969-5_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22968-8
Online ISBN: 978-3-031-22969-5