Finding Collisions against 4-Round SHA-3-384 in Practical Time

The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis of SHA-3 has attracted...

Full description

Saved in:
Bibliographic Details
Published inIACR Transactions on Symmetric Cryptology Vol. 2022; no. 3; pp. 239 - 270
Main Authors Huang, Senyang, Ben-Yehuda, Orna Agmon, Dunkelman, Orr, Maximov, Alexander
Format Journal Article
LanguageEnglish
Published Ruhr-Universität Bochum 09.09.2022
Subjects
collision attack
Computer Systems
Datorsystem
deduce-and-sieve algorithm
Electrical Engineering, Electronic Engineering, Information Engineering
Elektroteknik och elektronik
Engineering and Technology
SAT solver
SHA-3 hash function
Teknik
Online AccessGet full text

Cover

More Information
Summary:The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis of SHA-3 has attracted a lot of attention. Currently, the most powerful collision attack on SHA-3 is Jian Guo et al.’s linearisation technique. However, this technique is infeasible for variants with asmaller input space, such as SHA-3-384.In this work we improve upon previous results by utilising three ideas which were not used in previous works on collision attacks against SHA-3. First, we use 2-block messages instead of 1-block messages, to reduce constraints and increase flexibility in our solutions. Second, we reduce the connectivity problem into a satisfiability (SAT) problem, instead of applying the linearisation technique. Finally, we propose an efficient deduce-and-sieve algorithm on the basis of two new non-random propertiesof the Keccak non-linear layer.The resulting collision-finding algorithm on 4-round SHA-3-384 has a practical time complexity of 259.64 (and a memory complexity of 245.94). This greatly improves upon the best known collision attack so far: Dinur et al. achieved an impractical 2147 time complexity. Our attack does not threaten the security margin of the SHA-3 hash function. However, the tools developed in this paper could be used to analyse other cryptographic primitives as well as to develop new and faster SAT solvers.
ISSN:2519-173X
2519-173X
DOI:10.46586/tosc.v2022.i3.239-270