Paper 2022/788

Improved Preimage Attacks on Round-Reduced Keccak-384/512

Le He, Tsinghua University
Xiaoen Lin, Tsinghua University
Hongbo Yu, Tsinghua University
Jian Guo, Nanyang Technological University

This paper provides improved preimage analysis on round-reduced Keccak-384/512. Unlike low-capacity versions, Keccak-384/512 outputs from two parts of its state: an entire 320-bit plane and a 64/192-bit truncation of a second plane. Due to lack of degrees of freedom, most existing preimage analysis can only control the first 320-bit plane and achieve limited results. By thoroughly analyzing the algebraic structure of Keccak, this paper proposes a technology named ``extra linear dependence'', which can construct linear relations between corresponding bits from two planes. To apply the technology, this paper inherits pioneers' attack thoughts that convert output bits to linear or quadratic equations of input variables. When solving the final equation system, those linear relations can lead to extra restricting equations of output, exceeding the limit of matrix rank. As a result, the complexity of preimage attacks on 2-round and 3-round Keccak-384/512 can be decreased to $2^{39}$/$2^{204}$ and $2^{270}$/$2^{424}$ Keccak calls respectively, which are all the best known results so far. To support the theoretical analysis, this paper provides the first preimage of all `0' digest for 2-round Keccak-384, which can be obtained in one day with single core on an ordinary PC.

Available format(s)
Attacks and cryptanalysis
Publication info
KeccakPreimage attackLinear relation
Contact author(s)
le he @ ntu edu sg
2023-03-08: last of 2 revisions
2022-06-19: received
See all versions
Short URL
Creative Commons Attribution


      author = {Le He and Xiaoen Lin and Hongbo Yu and Jian Guo},
      title = {Improved Preimage Attacks on Round-Reduced Keccak-384/512},
      howpublished = {Cryptology ePrint Archive, Paper 2022/788},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.