TIDAL: Practical Collisions on State-Reduced Keccak Variants

Abstract

An important tool that has contributed to collision search on Keccak /SHA3 is the Target Difference Algorithm (TDA) and its internal differential counterpart Target Internal Difference Algorithm (TIDA) which were introduced by Dinur et al. in separate works in FSE 2012 and 2013 respectively. These algorithms provide an ingenious way of extending the differential trails by one round and exploit the affine subspaces generated due to low algebraic degree of the Keccak S-box. The current work introduces TIDAL, which can extend TIDA by one more round capitalizing on linearization techniques introduced by Guo et al. in JoC. The TIDAL strategy in conjunction with a deterministic internal differential trail has been applied to Keccak variants up till 400-bit state-size and leads to practical collision attacks for most of them up to 5 rounds. In particular collisions have been confirmed for 4-round Keccak [136, 64] with a complexity of \(2^{20}\) and on 6-round of Keccak [84,16] with a complexity of \(2^5\). Further, this work provides a complete characterization of all collision attacks on state-reduced variants showcasing that TIDAL covers most of the space up till 5 rounds. As state and round-reduced Keccak variants are used to realize internal states of many crypto primitives, the results presented here generate significant impact. Finally, it shows new directions for the long standing problem of state-reduced variants being difficult to be attacked.

Appendices

A Collision on 6-Round

We found a collision for states of size 100 up to 6-round with same complexity with 4-round because of round-constant of the third and fourth rounds, the conforming input states and hash is given below. Hash: 0 E 2 4 2

6-round collision with hash 0 E 2 4 2
\(M_1\)	5 D D 1 2 B 2 0 0 0 9 F 6 D 6 E 9 6 0 8 F 0 0 0 0	\(M_2\)	5 8 7 1 2 E D 0 5 5 9 0 9 2 6 E 3 6 5 7 F 0 0 0 0

B The Observations that Help in S-box Linearization [11]

Observation 1

 [11] Out of the entire 5-dimensional input space,

1. 1.

   there are totally 80 2-dimensional linearizable affine subspaces.

2. 2.

   there does not exist any linearizable affine subspace with dimension 3 or more.

Observation 2

 [11] Given a 5-bit input difference \( \delta _{in} \) and a 5-bit output difference \( \delta _{out} \) such that \( DDT(\delta _{in},\delta _{out}) \ne 0 \), i.e., the solution set \( V = \{x : S(x)+S(x+\delta _{in}) = \delta _{out} \} \) is not empty, we have

1. 1.

   if \( DDT(\delta _{in},\delta _{out}) = 4 \), then V is a linearizable affine subspace.

2. 2.

   \( DDT(\delta _{in},\delta _{out}) = 8 \) then there are six \( 2- \)dimensional subsets \( V_i \subset V, i = 0, 1, \dots , 5 \) such that \( V_i(i = 0, 1,\dots , 5) \) are linearizable affine subspaces.

Observation 3

 [11] For a non-active Keccak S-box, when \( U_i \) is not 11111,

1. 1.

   if \( U_i = 00000 \), it does not require any linearization.

2. 2.

   if \( U_i \in \{00001, 00010, 00100, 01000, 10000, 00011, 00110, 01100, 11000, 10001\} \) at least 1 degree of freedom is consumed to linearize the output bit(s) of the S-box marked by \( U_i \)

3. 3.

   otherwise, at least 2 degrees of freedom are consumed to linearize the output bits of the S-box marked by \( U_i \).

C Effect on Hamming Weight of Round Constants

Table 8. This table shows all round constant for state reduced Keccak along with the hamming weight of internal difference due to round constant for different state size. Here, \( L_s(n) \) and \( n_r \) represent size of lane is n and round