Skip to main content
SpringerLink
Log in
Book cover

International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2022: Advances in Cryptology – ASIACRYPT 2022 pp 645–674Cite as

Exploring SAT for Cryptanalysis: (Quantum) Collision Attacks Against 6-Round SHA-3

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13793))

Abstract

In this work, we focus on collision attacks against instances of SHA-3 hash family in both classical and quantum settings. Since the 5-round collision attacks on SHA3-256 and other variants proposed by Guo et al. at JoC 2020, no other essential progress has been published. With a thorough investigation, we identify that the challenges of extending such collision attacks on SHA-3 to more rounds lie in the inefficiency of differential trail search. To overcome this obstacle, we develop a SAT-based automatic search toolkit. The tool is used in multiple intermediate steps of the collision attacks and exhibits surprisingly high efficiency in differential trail search and other optimization problems encountered in the process. As a result, we present the first 6-round classical collision attack on SHAKE128 with time complexity \(2^{123.5}\), which also forms a quantum collision attack with quantum time , and the first 6-round quantum collision attack on SHA3-224 and SHA3-256 with quantum time and , where S represents the hardware resources of the quantum computer. The fact that classical collision attacks do not apply to 6-round SHA3-224 and SHA3-256 shows the higher coverage of quantum collision attacks, which is consistent with that on SHA-2 observed by Hosoyamada and Sasaki at CRYPTO 2021.

More details are available in the full version of this paper: https://ia.cr/2022/184.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    The preimage attack on 3-round Keccak-256 in [LHY21] has a time complexity \(2^{65}\), but no concrete preimage is given.

  2. 2.

    In this attack model, collision messages of 1-block are generated. The constraints imposed by the sponge construction include (1) the c-bit capacity, i.e., c continuous “0” bits, and (2) 2-bit padding “11” which is concatenated with a “01” or “1111” string at the tail of the message block.

  3. 3.

    The practical algorithms are much more complex. We just describe in this abstract way to express basic ideas.

  4. 4.

    The propagation weight is defined as the opposite of the binary logarithm of the propagation probability. For example, if the propagation probability of a differential trail is \(2^{-32}\), the corresponding weight is 32.

  5. 5.

    The other \(\beta _1\) Sboxes that are not treated are indicated with red block in Fig. 5.

  6. 6.

    Indeed, the size of solution space is not always \(2^{27}\) (or DF=27). This is an average number calculated from our experiments repeated on \(2^{14.3}\) connectors.

  7. 7.

    Refer to Remark 3 for more discussion on the cost of connectors.

  8. 8.

    Complexity analysis of quantum collision attack will be illustrated in Sect. 4.3.

  9. 9.

    More auxiliary qubits may be required for intermediate variables (e.g., in greedy algorithm and Gaussian-Jordan elimination) in \(\mathcal {C}_1\). Those variables are of the state size multiplied by a constant. As the worst case of Gaussian-Jordan elimination is considered and \(\mathcal {C}_2\) also contains intermediate variables, this evaluation is reasonable.

References

  1. Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent, A., Schanck, J.: Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 317–337. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_18

    Chapter  Google Scholar 

  2. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop, vol. 2007. Citeseer (2007)

    Google Scholar 

  3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_19

    Chapter  Google Scholar 

  4. Bernstein, D.J.: Second preimages for 6 (7?(8??)) rounds of keccak. NIST mailing list (2010)

    Google Scholar 

  5. Bao, Z., Guo, J., Li, S., Pham, P.: Quantum multi-collision distinguishers (2020)

    Google Scholar 

  6. Brassard, G., HØyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319

    Chapter  Google Scholar 

  7. Bertoni, G., Peeters, M., Van Assche, G., et al. The keccak reference (2011)

    Google Scholar 

  8. Chang, D., Kumar, A., Morawiecki, P., Sanadhya, S.K.: 1st and 2nd Preimage Attacks on 7, 8 and 9 Rounds of Keccak-224,256,384,512. SHA-3 workshop, August 2014

    Google Scholar 

  9. Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_8

    Chapter  Google Scholar 

  10. Dinur, I., Dunkelman, O., Shamir, A.: New attacks on keccak-224 and keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_25

    Chapter  Google Scholar 

  11. Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_12

    Chapter  Google Scholar 

  12. Dinur, I.: Dunkelman, orr, shamir, adi: improved practical attacks on round-reduced keccak. J. Cryptol. 27(2), 183–209 (2014)

    Article  MATH  Google Scholar 

  13. Dong, X., Sun, S., Shi, D., Gao, F., Wang, X., Hu, L.: Quantum aHashing with Low Quantum Random Access Memories. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 727–757. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_25

    Chapter  Google Scholar 

  14. Daemen, Joan, Van Assche, Gilles: Differential propagation analysis of Keccak. In: Canteaut, Anne (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_24

    Chapter  Google Scholar 

  15. Dworkin, M.J.: SHA-3 standard: Permutation-based hash and extendable-output functions (2015)

    Google Scholar 

  16. Guido, B., Joan, D., Michaël, P., Gilles, V.A.: Cryptographic sponge functions (2011)

    Google Scholar 

  17. Guo, J.: Liao, Guohong, Liu, Guozhen, Liu, Meicheng, Qiao, Kexin, Song, Ling: Practical collision attacks against round-reduced sha-3. J. Cryptol. 33(1), 228–270 (2020)

    Article  Google Scholar 

  18. Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_9

    Chapter  Google Scholar 

  19. Guo, J., Liu, G., Song, L., Tu, Y.: Exploring SAT for cryptanalysis: (Quantum) collision attacks against 6-Round SHA-3 (Full Version) (2022). https://eprint.iacr.org/2022/184

  20. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)

    Google Scholar 

  21. Han, C.-S., Jiang, J.-H.R.: When Boolean satisfiability meets gaussian elimination in a simplex way. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 410–426. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31424-7_31

    Chapter  Google Scholar 

  22. He, L., Lin, X., Hongbo, Yu.: Improved preimage attacks on 4-round keccak-224/256. IACR Trans. Symmetric Cryptol. 2021(1), 217–238 (2021)

    Google Scholar 

  23. Hosoyamada, A., Sasaki, Y.: Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. In: Advances Cryptology-EUROCRYPT, vol. 249, p. 12106 (2020)

    Google Scholar 

  24. Hosoyamada, A., Sasaki, Y.: Quantum collision attacks on reduced sha-256 and sha-512. IACR Cryptol. ePrint Arch. 292 (2021)

    Google Scholar 

  25. Lin, X., He, L., Hongbo, Y.: Improved preimage attacks on 3-round KECCAK-224/256. IACR Trans. Symmetric Cryptol.2021(3), 84–101 (2021)

    Google Scholar 

  26. Liu, G., Qiu, W., Tu, T.: New techniques for searching differential trails in keccak. IACR Trans. Symmet. Cryptol. 2019, 407–437 (2019)

    Google Scholar 

  27. Ting Li and Yao Sun. Preimage attacks on round-reduced KECCAK-224/256 via an allocating approach. In Yuval Ishai and Vincent Rijmen, editors, Advances in Cryptology - EUROCRYPT 2019–38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, May 19–23, 2019, Proceedings, Part III, volume 11478 of LNCS, pages 556–584. Springer, 2019

    Google Scholar 

  28. Li, T.: Sun, Yao, Liao, Maodong, Wang, Dingkang: Preimage attacks on the round-reduced KECCAK with cross-linear structures. IACR Trans. Symmetric Cryptol. 2017(4), 39–57 (2017)

    Article  Google Scholar 

  29. Mella, S., Daemen, J.J.C., Van Assche, G.: New techniques for trail bounds and application to differential trails in Keccak . IACR Trans. Symmet. Cryptol. 2017(1), 329–357 (2017)

    Google Scholar 

  30. Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to salsa20. Cryptology ePrint Archive, Report 2013/328 (2013). https://eprint.iacr.org/2013/328

  31. Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced Keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_13

    Chapter  Google Scholar 

  32. Morawiecki, P.: Srebrny, Marian: a sat-based preimage analysis of reduced Keccak hash functions. Inf. Process. Lett. 113(10–11), 392–397 (2013)

    Article  MATH  Google Scholar 

  33. Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25578-6_18

    Chapter  Google Scholar 

  34. Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_8

    Chapter  Google Scholar 

  35. SEPARATE DECISION QUEUE. Cadical at the sat race 2019. SAT RACE 2019, p. 8 (2019)

    Google Scholar 

  36. Rajasree, M.S.: Cryptanalysis of round-reduced KECCAK using non-linear structures. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 175–192. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_9

    Chapter  Google Scholar 

  37. Soos, M., Biere, A., Heule, M., Jarvisalo, M., Suda, M.: Cryptominisat 5.6 with yalsat at the sat race 2019. In: Proceedings of SAT Race, pp. 14–15 (2019)

    Google Scholar 

  38. Soos, M., Devriendt, J., Gocht, S.,. Shaw, A., Meel, K.S.: CryptoMiniSat with CCAnr at the sat competition 2020. In: SAT Competition , p. 27 (2020)

    Google Scholar 

  39. Sinz, C.: Towards an optimal CNF encoding of Boolean cardinality constraints. In: van Beek, P. (ed.) CP 2005. LNCS, vol. 3709, pp. 827–831. Springer, Heidelberg (2005). https://doi.org/10.1007/11564751_73

    Chapter  MATH  Google Scholar 

  40. Song, L., Liao, G., Guo, J.: Non-full Sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_15

    Chapter  Google Scholar 

  41. Soos, M., Nohl, K., Castelluccia, C.: Extending SAT solvers to cryptographic problems. In: Kullmann, O. (ed.) SAT 2009. LNCS, vol. 5584, pp. 244–257. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02777-2_24

    Chapter  Google Scholar 

  42. Soos, M., Nohl, K., Castelluccia, K.: Cryptominisat, SAT Race solver descriptions (2010)

    Google Scholar 

  43. Soos, M.: Cryptominisat v4. SAT Competition, p. 23 (2014)

    Google Scholar 

  44. Soos, M.: The CryptoMiniSat 5 set of solvers at sat competition 2016. In: Proceedings of SAT Competition, p. 28 (2016)

    Google Scholar 

  45. Soos, M., Selman, B., Kautz, H., Devriendt, J., Gocht, S.: CryptoMiniSat with Walksat at the SAT competition 2020. In: SAT Competition 2020, pp. 29 (2020)

    Google Scholar 

  46. Sun, L., Wang, W., Wang. M.: More accurate differential properties of led64 and midori64. IACR Trans. Symmet. Cryptol. 2018, 93–123 (2018)

    Google Scholar 

  47. Sun, L., Wang, W., Wang, W.: Accelerating the search of differential and linear characteristics with the sat method. IACR Trans. Symmet. Cryptol. 2021, 269–315 (2021)

    Google Scholar 

  48. Van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security, pp. 210–218 (1994)

    Google Scholar 

Download references

Acknowledgements

This research is partially supported by Nanyang Technological University in Singapore under Start-up Grant 04INS000397C230, and Ministry of Education in Singapore under Grants RG91/20 and MOE2019-T2-1-060. Ling Song is supported by the National Natural Science Foundation of China (Grants 62022036, 62132008).

Author information

Authors and Affiliations

  1. School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore

    Jian Guo, Guozhen Liu & Yi Tu

  2. College of Cyber Security, Jinan University, Guangzhou, China

    Ling Song

Authors
  1. Jian Guo
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Guozhen Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ling Song
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yi Tu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jian Guo .

Editor information

Editors and Affiliations

  1. Indian Institute of Technology Madras, Chennai, India

    Shweta Agrawal

  2. Chinese Academy of Sciences, Beijing, China

    Dongdai Lin

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Guo, J., Liu, G., Song, L., Tu, Y. (2022). Exploring SAT for Cryptanalysis: (Quantum) Collision Attacks Against 6-Round SHA-3. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13793. Springer, Cham. https://doi.org/10.1007/978-3-031-22969-5_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22969-5_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22968-8

  • Online ISBN: 978-3-031-22969-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation