Paper 2019/248

Preimage Attacks on Round-reduced Keccak-224/256 via an Allocating Approach

Ting Li and Yao Sun


We present new preimage attacks on standard Keccak-224 and Keccak-256 that are reduced to 3 and 4 rounds. An allocating approach is used in the attacks, and the whole complexity is allocated to two stages, such that fewer constraints are considered and the complexity is lowered in each stage. Specifically, we are trying to find a 2-block preimage, instead of a 1-block one, for a given hash value, and the first and second message blocks are found in two stages, respectively. Both the message blocks are constrained by a set of newly proposed conditions on the middle state, which are weaker than those brought by the initial values and the hash values. Thus, the complexities in the two stages are both lower than that of finding a 1-block preimage directly. Together with the basic allocating approach, an improved method is given to balance the complexities of two stages, and hence, obtains the optimal attacks. As a result, we present the best theoretical preimage attacks on Keccak-224 and Keccak-256 that are reduced to 3 and 4 rounds. Moreover, we practically found a (second) preimage for 3-round Keccak-224 with a complexity of 2^{39.39}.

Note: Thank Prof. Dr. Willi Meier for pointing out the mistake in Figure 9. This mistake has been fixed in this revised version.

Available format(s)
Publication info
Published by the IACR in EUROCRYPT 2019
CryptanalysisKeccakSHA-3Preimage attack
Contact author(s)
sunyao @ iie ac cn
2019-03-12: revised
2019-02-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ting Li and Yao Sun},
      title = {Preimage Attacks on Round-reduced Keccak-224/256 via an Allocating Approach},
      howpublished = {Cryptology ePrint Archive, Paper 2019/248},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.