Paper 2022/788
Improved Preimage Attacks on Round-Reduced Keccak-384/512
Abstract
This paper provides improved preimage analysis on round-reduced Keccak-384/512. Unlike low-capacity versions, Keccak-384/512 outputs from two parts of its state: an entire 320-bit plane and a 64/192-bit truncation of a second plane. Due to the lack of degrees of freedom, most existing preimage analyses can only control the first 320-bit plane and achieve limited results. By thoroughly analyzing the algebraic structure of Keccak, this paper proposes a technique named "extra linear dependence", which can construct linear relations between corresponding bits from the two planes. To apply the technique, this paper builds on earlier attacks that convert output bits to linear or quadratic equations of input variables. When solving the final equation system, those linear relations can lead to extra restricting equations on the output, exceeding the limit of matrix rank. As a result, the complexity of preimage attacks on 2-round and 3-round Keccak-384/512 can be decreased to $2^{39}$/$2^{204}$ and $2^{270}$/$2^{424}$ Keccak calls respectively, which are all the best known results so far. To support the theoretical analysis, this paper provides the first preimage of the all-'0' digest for 2-round Keccak-384, which can be obtained in one day with a single core on an ordinary PC.
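The output layout described in the abstract, as an added example that is not code from the paper or its authors: a round-reduced Keccak sponge that returns the digest lanes split into the full plane y = 0 and the truncated plane y = 1, plus a check for a claimed preimage. Taking the first `rounds` rounds and the pre-SHA-3 padding byte 0x01 are assumptions about the reduced-round convention; all function names are illustrative.

```python
import hashlib

def rol(v, n):  # rotate a 64-bit lane left by n
    return ((v << (n % 64)) | (v >> (64 - n % 64))) & (2**64 - 1)

def keccak_f(lanes, rounds):
    """First `rounds` rounds (assumed convention); lanes[x + 5*y] is lane (x, y)."""
    a, lfsr = list(lanes), 1
    for _ in range(rounds):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x + 4) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                  # theta
        x, y, cur = 1, 0, a[1]
        for t in range(24):                                       # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x + 5 * y] = a[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2)
        a = [a[i] ^ (~a[i - i % 5 + (i + 1) % 5] & a[i - i % 5 + (i + 2) % 5])
             for i in range(25)]                                  # chi
        for j in range(7):                                        # iota via LFSR
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                a[0] ^= 1 << ((1 << j) - 1)
    return a

def final_state(msg, bits, rounds, suffix=0x01):
    rate, a = 200 - bits // 4, [0] * 25     # capacity = 2*bits; 104 or 72 bytes
    padded = bytearray(msg) + bytes([suffix])   # 0x01: original Keccak padding
    padded += bytes(-len(padded) % rate)
    padded[-1] ^= 0x80                          # closing bit of pad10*1
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            a[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        a = keccak_f(a, rounds)
    return a

def output_planes(msg, bits, rounds, suffix=0x01):
    a = final_state(msg, bits, rounds, suffix)
    return a[0:5], a[5:bits // 64]   # 320-bit plane y=0, then 64 or 192 bits of y=1

def digest(msg, bits, rounds, suffix=0x01):
    first, second = output_planes(msg, bits, rounds, suffix)
    return b"".join(lane.to_bytes(8, "little") for lane in first + second)

def is_preimage(msg, target, bits, rounds):   # verify a claimed preimage
    return digest(msg, bits, rounds) == target

def matches_sha3(msg, bits):   # 24 rounds + SHA-3 suffix 0x06 must equal hashlib
    return digest(msg, bits, 24, 0x06) == hashlib.new(f"sha3_{bits}", msg).digest()
```
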
Metadata
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- Keccak, Preimage attack, Linear relation
- Contact author(s)
- le he @ ntu edu sg
- History
- 2023-03-08: last of 2 revisions
- 2022-06-19: received
- Short URL
- https://ia.cr/2022/788
- License
- CC BY
BibTeX
@misc{cryptoeprint:2022/788,
  author = {Le He and Xiaoen Lin and Hongbo Yu and Jian Guo},
  title = {Improved Preimage Attacks on Round-Reduced Keccak-384/512},
  howpublished = {Cryptology {ePrint} Archive, Paper 2022/788},
  year = {2022},
  url = {https://eprint.iacr.org/2022/788}
}