Finding Collisions against 4-Round SHA-3-384 in Practical Time

Huang, Senyang; Ben-Yehuda, Orna Agmon; Dunkelman, Orr; Maximov, Alexander

Finding Collisions against 4-Round SHA-3-384 in Practical Time

Mark

Huang, Senyang ^LU ; Ben-Yehuda, Orna Agmon ; Dunkelman, Orr and Maximov, Alexander ^LU (2022) In IACR Transactions on Symmetric Cryptology 2022(3). p.239-270

Abstract: The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis of SHA-3 has attracted a lot of attention. Currently, the most powerful collision attack on SHA-3 is Jian Guo et al.’s linearisation technique. However, this technique is infeasible for variants with a smaller input space, such as SHA-3-384. In this work we improve upon previous results by utilising three ideas which were not used in previous works on collision attacks against SHA-3. First, we use 2-block messages instead of 1-block messages, to reduce constraints... (More); The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis of SHA-3 has attracted a lot of attention. Currently, the most powerful collision attack on SHA-3 is Jian Guo et al.’s linearisation technique. However, this technique is infeasible for variants with a smaller input space, such as SHA-3-384. In this work we improve upon previous results by utilising three ideas which were not used in previous works on collision attacks against SHA-3. First, we use 2-block messages instead of 1-block messages, to reduce constraints and increase flexibility in our solutions. Second, we reduce the connectivity problem into a satisfiability (SAT) problem, instead of applying the linearisation technique. Finally, we propose an efficient deduce-and-sieve algorithm on the basis of two new non-random properties of the Keccak non-linear layer. The resulting collision-finding algorithm on 4-round SHA-3-384 has a practical time complexity of 2^59.64 (and a memory complexity of 2^45.94). This greatly improves upon the best known collision attack so far: Dinur et al. achieved an impractical 2¹⁴⁷ time complexity. Our attack does not threaten the security margin of the SHA-3 hash function. However, the tools developed in this paper could be used to analyse other cryptographic primitives as well as to develop new and faster SAT solvers.
(Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/3ee88e30-9b8e-436f-babf-21b5346a889e

author

Huang, Senyang ^LU ; Ben-Yehuda, Orna Agmon ; Dunkelman, Orr and Maximov, Alexander ^LU

organization

Networks and Security (research group)

publishing date

2022-09-09

type

Contribution to journal

publication status

published

subject

Computer Systems

keywords

collision attack, deduce-and-sieve algorithm, SAT solver, SHA-3 hash function

in

IACR Transactions on Symmetric Cryptology

volume

2022

issue

3

pages

32 pages

publisher

Ruhr-Universität Bochum

external identifiers

scopus:85137737459

ISSN

2519-173X

DOI

10.46586/tosc.v2022.i3.239-270

language

English

LU publication?

yes

id

3ee88e30-9b8e-436f-babf-21b5346a889e

date added to LUP

2022-11-30 11:18:35

date last changed

2022-11-30 11:18:35

@article{3ee88e30-9b8e-436f-babf-21b5346a889e,
  abstract     = {{<p>The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis of SHA-3 has attracted a lot of attention. Currently, the most powerful collision attack on SHA-3 is Jian Guo et al.’s linearisation technique. However, this technique is infeasible for variants with a smaller input space, such as SHA-3-384. In this work we improve upon previous results by utilising three ideas which were not used in previous works on collision attacks against SHA-3. First, we use 2-block messages instead of 1-block messages, to reduce constraints and increase flexibility in our solutions. Second, we reduce the connectivity problem into a satisfiability (SAT) problem, instead of applying the linearisation technique. Finally, we propose an efficient deduce-and-sieve algorithm on the basis of two new non-random properties of the Keccak non-linear layer. The resulting collision-finding algorithm on 4-round SHA-3-384 has a practical time complexity of 2<sup>59.64</sup> (and a memory complexity of 2<sup>45.94</sup>). This greatly improves upon the best known collision attack so far: Dinur et al. achieved an impractical 2<sup>147</sup> time complexity. Our attack does not threaten the security margin of the SHA-3 hash function. However, the tools developed in this paper could be used to analyse other cryptographic primitives as well as to develop new and faster SAT solvers.</p>}},
  author       = {{Huang, Senyang and Ben-Yehuda, Orna Agmon and Dunkelman, Orr and Maximov, Alexander}},
  issn         = {{2519-173X}},
  keywords     = {{collision attack; deduce-and-sieve algorithm; SAT solver; SHA-3 hash function}},
  language     = {{eng}},
  month        = {{09}},
  number       = {{3}},
  pages        = {{239--270}},
  publisher    = {{Ruhr-Universität Bochum}},
  series       = {{IACR Transactions on Symmetric Cryptology}},
  title        = {{Finding Collisions against 4-Round SHA-3-384 in Practical Time}},
  url          = {{http://dx.doi.org/10.46586/tosc.v2022.i3.239-270}},
  doi          = {{10.46586/tosc.v2022.i3.239-270}},
  volume       = {{2022}},
  year         = {{2022}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

Finding Collisions against 4-Round SHA-3-384 in Practical Time