key: cord-0047008-v606c3g2
authors: Suryawanshi, Sahiba; Saha, Dhiman; Sachan, Satyam
title: New Results on the SymSum Distinguisher on Round-Reduced SHA3
date: 2020-06-06
journal: Progress in Cryptology - AFRICACRYPT 2020
DOI: 10.1007/978-3-030-51938-4_7
sha: ede945450b578f9b6f66e0165844a322c349db50
doc_id: 47008
cord_uid: v606c3g2

In ToSC 2017 Saha et al. demonstrated an interesting property of SHA3 based on higher-order vectorial derivatives which led to self-symmetry based distinguishers referred to as SymSum and bettered the complexity w.r.t the well-studied ZeroSum distinguisher by a factor of 4. This work attempts to take a fresh look at this distinguisher in the light of the linearization technique developed by Guo et al. in Asiacrypt 2016. It is observed that the efficiency of SymSum against ZeroSum drops from 4 to 2 for any number of rounds linearized. This is supported by theoretical proofs. SymSum augmented with linearization can penetrate up to two more rounds as against the classical version. In addition to that, one more round is extended by inversion technique on the final hash values. The combined approach leads to distinguishers up to 9 rounds of SHA3 variants with a complexity of only [Formula: see text] which is better than the equivalent ZeroSum distinguisher by the factor of 2. To the best of our knowledge this is the best distinguisher available on this many rounds of SHA3.

The hash function Keccak [3] which went on to be adopted as the SHA3 [18] standard is one of the most extensively studied hash algorithms. While finding pre-images and collisions constitute the primary analysis strategies of a hash function, the paradigm of devising distinguishers give insight into the non-randomness of the construction. Further, it has been evidenced by numerous results in contemporary literature where distinguishers have been exploited to mount collision and pre-image attacks thereby amplifying their scope and impact. In case of SHA3, one of most investigated distinguisher is the ZeroSum distinguisher which is based on the fundamental result of higher-order derivatives that the (d + 1) th derivative of a d-degree function leads to a zero function. This translates to obtaining a zero XOR-Sum for 2 d+1 computations of a vectorial function. The main research is in the direction of tight-bounding the value of d which automatically leads to reduction in complexity of computing the ZeroSum.

Most of the results have been reported on the internal permutation Keccak-f and/or Keccak-p. In 2009, Aumasson and Meier [1] introduced ZeroSum distinguisher on Keccak-f which penetrated up to 16 rounds by leveraging on the inside-out strategy. In 2011, Plasencia et al. [15] introduce 4 round distinguisher for Hash function rather than internal permutation function, and also give a 2 round pre-image attack and 3 round near-collision attack on SHA3-224 and SHA3-256 variants. The same year, Boura et al. [4] improvise ZeroSum distinguisher. They present ZeroSum distinguisher and high order differential derivative for the full Keccak-p permutation. In 2012, Duan et al. [6] state an advanced ZeroSum distinguisher full round Keccak-f with 2 1579 complexity. The same year, Duc et al. [7] present the Unaligned Rebound Attack for 8 round distinguisher with lesser complexity. In 2013, Morawiecki et al. [14] present rotational cryptanalysis. It allows a preimage attack on 4-round Keccak with complexity 2 506 . It also states distinguisher on 5 rounds Keccak-f [1600] permutation with 2 15 complexity. In 2014 Das et al. analyze differential propagation properties of Keccak furthermore uses for 6 round Distinguisher with 2 52 complexity. In 2015, Jean et al. [10] produce internal differential boomerang distinguisher. They generate boomerang pairs and analyze the differential property. Their distinguisher depends on round constant. So, according to where permutation starts, their query complexity varies. For Keccak-f permutation, when it starts at 0 round, with complexity 2 5 , they distinguish up to 6 rounds, and with 2 13 complexity to 7 rounds. Similarly, when permutation begins with 3rd round with complexity 2 10.3 , they distinguish up to 7 rounds, and with 2 18.3 complexity to 8 rounds. Same year, Dinur et al. [5] proposed a Cube attack like a cryptanalysis technique that includes algebraic and structural analysis, which contains key recovery and MAC forgery, practical up to 6 rounds and theoretical to 9 rounds of Keccak. In 2016, Guo et al. [8] introduce the linearization technique called Linear Structure. It permits linearization up to 3 rounds of Keccak. It extends the ZeroSum distinguisher of Keccak-p permutation up to 15 rounds and pre-image attack up to 4 rounds.

It is evidenced from the above discussion that most of the results have been reported on Keccak-p that few on the hash function SHA3. Moreover, only a few of the distinguishers on Keccak-p can be extended on to any SHA3 variant itself. However, in 2017, Saha et al. [17] introduced a new distinguisher called SymSum which examines a symmetric property of the output-sum of SHA3 when evaluated on symmetric inputs. These distinguishers penetrate up to 9 rounds and theoretically achieve a 4-fold improvement over ZeroSum in terms of complexity. The prime observation was the position of the nonlinear operation χ in the sequence of sub-operations in the Keccak-p round function. Same year, Huang et al. [9] improvise a Cube attack named Conditional Cube attack, impose some conditions on specific bits and use Mixed Integer Linear Programming (MILP) to construct conditional cubes with complexity 2 33 , 7 round cube distinguisher builds on SHA3-224. The same year, Qiao et al. [16] introduce a pre-image attack up to 5 rounds, by linearize all S-box at first round and form a 3 round differential trail for SHAKE128 and SHA3-224. They put some conditions so that it satisfies for linearization and differential trail. Same year, Li et al. [12] proposed a cross-linear structure for a pre-image attack. They constructed a cross-linear structure for Keccak [400] and found a pre-image. The complexity of their attack is 2 150 for 3 round SHA3-256. In 2019, Li et al. [13] proposed a pre-image attack referred to as the Allocating Approach on 4 round SHA3-256.

In this work, we investigate the SymSum property introduced by Saha et al. further and try to augment with observations by Guo et al. in their work on linear structures. In particular, we achieve a one/two-round advantage by combining SymSum with linear structures. However, the structures we use slightly differ from the ones reported in [8] since we do not have any requirement of keeping χ −1 to be linear. This is attributed to the fact that we are mounting the attack on the hashfunction and hence cannot leverage the inside-out technique. Consequently, we can relax the constraints that were imposed for the same. Further, we show a simple trick to gain one more round by just inverting 1 the last round χ before computing the output-sum. Using all these techniques, we are able to mount SymSum distinguishers on up to 9-rounds of SHA3 variants with a complexity of only 2 64 . We show that SymSum loses its 4-fold advantage over ZeroSum when augmented with linear structures and also furnish a proof for the same. The present SymSum distinguishers still have a 2-fold advantage making them the best available distinguishers on SHA3 which are independent of the number (≥1) of rounds linearized. We validate most of claims by providing experimental evidence for some of the practically verifiable distinguishers. Our results are summarized in Table 1 . 

In this section, we give a brief description of the SymSum distinguisher and the idea of linear structure in Keccak-p.

The Keccak structure follows Sponge [2] construction that applies fixed-length permutation on variable-length input and maps to variable-length output. It gives F n 2 length element output from F m 2 length input element where n and m are of any length. The permutation applied on finite-state b = r + c bits, where r is rate and c is capacity. Here the finite state b of Sponge construction is the width of Keccak-f permutation. The Sponge construction has 2 phases: the absorption and squeezing phases. Firstly the input message M padded according to the padding rule that makes input message after padding M multiple of r and breaks M into m 1 , m 2 , . . . m k each of size r. Initially, state b set to all 0 s which is initialization vector (IV ) and input of f is the XORed value of the first input message block m 1 of size r and r bits of IV then the output of f is XORed with next input message m 2 and input to f this will happen until all the message blocks get processed this is absorption phase. The required output digest collects on the squeezing phase. Suppose Z is the required digest. If Z < r then, it takes first Z bits of the output of absorbing phase, otherwise, if Z > r then, it needs to input to f and get more bits repeatedly until it gets Z bits output digest. Finally, the output digest Z is the output of the Sponge function. 

θ: θ mapping is a linear operation that provides diffusion. In the θ mapping A[x, y, z] XORed with parities of neighbouring 2 columns in the following manner:

Here P [x, * , z] is parity of a column that can be calculated as:

ρ: ρ mapping is another linear operation that rotates each lane by some predefined values. Here first column and last row represent y axis and x axis values respectively.

Here ≪ is a bitwise rotation. π: π mapping is another Linear operation which permutes on slices by interchanging lanes as:

χ: χ is the only Non-linear operation that operates on rows independently as:

In 2017, Saha et al. introduced an interesting algebraic property related to SPN round functions where the non-linear transformation preceded the roundconstant addition. This was used to devise a new class of distinguishers referred to as SymSum. The basic result was that the round-constants could not influence the highest degree monomials which determined the upper-bound on the degree of a vectorial function. This helped them devise a round-constant independent function by computing a special type of derivative called the m-fold vectorial derivative. They further showed that the order of this derivative can be a factor of 4 less than the ZeroSum distinguisher which actually computes the m-fold simple derivatives. To verify this property, they used self-symmetric input states as inputs and the hypothesis was that the output sum across all hash values would also preserve the self-symmetry. Self-symmetry of Keccak can be defined as the first 32 slices are identical to the last 32 slices of the Keccak state as shown in Fig. 1 . Here σ 1 and σ 2 are identical. For brevity, the main results are mentioned below, where TYPE-II as defined in [17] are monomials that are dependent on round-constants:

Theorem 1. [17] The upper-bound on the degree of TYPE-II monomials is given by the following expression:

Here d • F, d • N are the upper bounds on the degrees of function G and nonlinear function N respectively and F q is function after q rounds. Using the above mentioned lemmas the authors furnished a proof that SymSum distinguisher is better than ZeroSum distinguisher for SHA3 by a factor of 4.

The idea of linearization as introduced by Guo et al. is basically a lane-wise restriction on the input space so as to handle the linear θ and non-linear χ operations of the Keccak-p round function. The authors demonstrate linearization of the Keccak-p permutation up to 3 rounds: 1 round backward and 2 rounds forward. It extends the ZeroSum distinguisher and also leads to new pre-image attacks. To understand the technique, one needs to look at the Boolean expression of the χ function. The primary observation is that if two consecutive variables never come together in a row then, then all output co-ordinate functions of χ become linear. The operation θ which relies on the column parity of spatially adjacent columns can be handled so that it does not diffuse the state by keeping the column parity constants across calls to Keccak-p. The idea is captured in Fig. 2 . As evident from the figure, to handle the effect of θ on the variables, the following condition is imposed where α is any constant: To increase the degree of freedom, it is possible to take variables at different columns as shown in Fig. 3 as

For 2-round linearization, the input state should be taken as shown in the Fig. 4 , here light gray cells and dark grey has value 0 and 1 respectively. To handle θ at 1 round variables need to satisfy the following condition. At second-round θ, ρ, π permute variables, so to handle 2 round θ variables have to satisfy the following conditions.

Our first study constitutes analyzing the effect of using linear structures in conjunction with the SymSum property. We extend the ZeroSum distinguisher and SymSum distinguisher by applying linearization technique up to 2 rounds. However, we argue that because of linearization, the difference in complexities for obtaining SymSum and ZeroSum decreases from the factor of 4 to 2. We next try to furnish theoretical arguments to support this claim. Thus, we first need to look at a more general result that compares the behaviour of a SPN round function (as observed in [17] ) with and without linearization. For the SPN round function without applying linear structures, the behaviour is described by Lemma 1. The following lemma captures the same while incorporating the effect of linearization. Proof. Let us write down the degree of the unlinearized version G. Since the degree grows exponentially (before asymptotically converging on the highest possible degree which is determined by the number of independent input variables) in the degree of the non-linear component, we can write the following expression:

Now let us write the expression for the linearized version:

From Eq. 1 and Eq. 2 it follows that:

With the above proof in place, we revisit Lemma 1 in the light of linearization. We argue that Lemma 1 still holds for the linearized version G of G. This implies that the degree of G will be determined by monomials which are independent of round constants (TYPE-I) from monomials that involve round constants (TYPE-II). We use the same terminology as stated in [17] and redo the proof of Lemma 1.

Proof. Let us consider the SPN round function (G) as stated above with the restriction that the non-linear operation precedes the round-constant addition (as required by Lemma 1). So, let G = C • N • L where C represents the round constant addition, N is non-linear component, and L is the linear component. So for n r rounds, G can be written as:

However, if linear structures are applied for l r rounds then G can be expressed as:

Here L is a linearized version of N thus d • L will be reduced by (λ − 1). Due to Eq. (3) and (4), it can be observed that after 1 round, the round constant C 1 has no effect of N (or L in case of linearization). Now, using the strategy described in [17] to segregate monomials which are independent of round constants (TYPE-I) from monomials that involve round constants (TYPE-II) we can visualize any co-ordinate function of G as F nr :

Base case: Let n r = 1 which implies G = G 1 = C 1 • N • L, However, we have to take into account the linearization. So let l r = 1.

Hence the degree of TYPE-I and TYPE-II monomials are:

Hence lemma hold for base condition i.e., at n r = 1.

Inductive hypothesis: Let us assume the lemma hold for n r = m i.e.,

Inductive step: Let n r = m + 1.

Hence, by induction, the lemma holds ∀n r ∈ N.

Our next claim is that the difference in the degrees of TYPE-I and TYPE-II monomials as stated by Saha et al. in [17] no longer holds as we linearize the SPN. For any value of l r ≥ 1, the following theorem holds instead. One can note that unlike [17] , the following result is independent of the degree of the non-linear component.

We start by segregating the TYPE-II monomials further. The new sub-type is referred to as TYPE-III and represents a TYPE-II monomial which is independent of any variables and constitutes only constants terms as stated below:

C i where C i is any constant term Suppose our function is in the linear form up to l r rounds (l r ≥ 1) then using notations used above:

Since there is no non-linear function, the degree of TYPE-I and TYPE-II monomials never change. Also for TYPE-II monomials, only TYPE-III monomials occur. Thus the degree of TYPE-I monomials and TYPE-II monomials should 1 and 0 (because of TYPE-III), respectively i.e., d • F lr c = 0 and d • F lr c = 1. Now, we prove by induction.

Base Case: Let n r = l r +1, i.e. G = G •G lr implying a single non-linear function and d • N = λ. Now, TYPE-I monomials will reach the highest degree after the current round when λ TYPE-I monomials mix together under N in the current round. This final degree of TYPE-I is expressed as:

Next, TYPE-II monomials reach the highest degree when (λ − 1) TYPE-I monomials from (λ − 1) co-ordinate functions mix with one TYPE-II monomial. Thus for TYPE-II monomials we have

Hence, by Eq. (5) and (6) 

Similarly for TYPE-II monomials

Thus by principle of induction Theorem 2 holds ∀n r ∈ N.

We now have the following corollary which forms the base of all distinguishers reported in this work. As one might realize this constitutes a deviation from the result reported in [17] as stated in Lemma 2.

The corollary easily follows from Lemma 3 and Theorem 2. Since linearized version G of G has degree d • G λ lr and the maximum degree of TYPE-II mono-

λ lr -fold vectorial derivative of G will result in a round-constant independent function. Consequently, such a function would preserve the SymSum property as introduced in [17] . In the next section, we show how the above results are used to mount highly efficient and practical SymSum distinguishers on SHA3 variants.

The SymSum property can be extended at varied number of rounds based on the augmentation strategies like prepending linear structures and appending the hash-inversion trick wherever applicable. This is captured by Fig. 5 . In the subsequent sub-sections we explore these strategies that help us to reach highest number of rounds for some SHA3 variants. 

To gain an advantage of 2 rounds for the SymSum distinguisher, we linearize the first round and perform χ −1 • ι −1 on the output digest when applicable. The input set should satisfy the following conditions so that it linearizes 1 round and also satisfies the condition for SymSum distinguisher which constitutes giving self-symmetric inputs:

1. The input set is a set of inputs such that the first 32 slices of the state are the same as the last 32 slices 2. For linearization, input state has the restriction that ∀A [i, j] where i = 0, 2, j = 0, 1, 2, 3, The χ −1 trick applies only to those variants of SHA3 which give at least one plane ofKeccak state in the output hash value. Therefore, it is not applicable to SHA3-224 and SHA3-256 because they give 224 and 256 bits of hash value respectively which is less that 320 bits required for a full plane. The degree of freedom of this state will be 192 if we take the input state equivalent to the state shown in Fig. 6a . Therefore, after 1-round linearization and applying χ −1 strategy, SymSum on SHAKE128 can distinguish up to 9 rounds. For the other variants of SHA3, the input state is different because of the difference in size of capacity part. For instance, after computing the output sum for 4 rounds on SHA3, we get SymSum for 2 4 invocations. For the classical SymSum distinguisher, it is obtained at 2 15 and 2 14 . Therefore, the extended SymSum distinguisher has an advantage of 2 rounds, although the effectiveness reduces by the factor of 2.

We now show the use of 2-round linear structures in conjunction with inverting the hash for the last round. For 2 round linearization we use the linear structure, for which we need to handle the θ, ρ, π, χ mappings of Keccak. To handle the first round χ we take variables in 2 alternative columns so that no two variables come adjacent in χ operation, thus maintaining the linearity after the first round. We restrict other columns to 0 and/or 1, as shown in the Fig. 7 so that before χ in the second round no two adjacent lanes become variable. Additionally, because of the columns that have variables, constant values may change because of θ. To handle θ the following conditions need to be imposed: Now, to linearize the second round we need to handle θ of second round. But for this the positions of the variables after first round χ need to be closely handles as would change due to ρ and π in the first round. Therefore to make two rounds linear the variables should satisfy the conditions as below:

It has been shown in [8] that the above system of equations has 128 degrees of freedom. However, for the SymSum property, we have the additional restriction of self-symmetric inputs which lead to revisiting the system of equations as below. The main idea is to rewrite the equations considering half of the state and then extend the solutions to the other half thereby always keeping the over-all solution self-symmetric.

Here k ∈ {0, 1, . . . , 31}. Similarly, to make the second round linear the relations are rephrased w.r.t a 32-lane state as follows:

From the above equations, we get the first 32 slices that are as per our requirement, therefore, we take a copy of this state and make them the last 32 slices. By doing this the degree of freedom will be 64 because we have 8 × 32 variables and 6 × 32 equations. Accordingly, the degree of freedom is 8 × 32 − 6 × 32. Hence for SHAKE128, we get the SymSum for 9 rounds with complexity 2 64 .

In this section, we present experimental validation of some of the claims furnished above. In particular, we choose SHAKE128 as it has the smallest capacity part allowing for more control over the input. However, the attacks can easily be extended onto other SHA3 variants with proper adjustments. In the following we demonstrate an attack on 6-rounds of SHAKE128 using the 1-round linearization and hash-inverse strategy. Due to 2-round extension, the degree of 6-rounds reduces to 2 6−2 = 16 and by Corollary 1, the 16 th order vectorial derivative will exhibit SymSum property. Figure 6b shows input state for SHAKE128. Here orange, white, light gray lanes are variable, constant and 0's (that is also capacity part of SHAKE128) respectively. Here, we have taken first and third column as variables which satisfies the conditions as per Eq. (9). The input base message for our experiment is shown below: 8bd9162e 8bd9162e 1245c1c7 1245c1c7 0a3f3940 0a3f3940 eb6e955a eb6e955a 61d62226 61d62226 64cf1036 64cf1036 36da615c 36da615c 3d3b488a 3d3b488a e86d0018 e86d0018 1b16874d 1b16874d 64cf1036 64cf1036 44bbe571 44bbe571 0d0b9c27 0d0b9c27 72f3c98c 72f3c98c 53598e96 53598e96 ebc29253 ebc29253 75f22314 75f22314 92d8c5f9 92d8c5f9 372772f3 372772f3 3839af6d 3839af6d b185e09f b185e0 Table 2 shows the full Keccak State, where **** is the variable nibble that generates individual messages by altering their values. To maintain the Self-Symmetry **** and **** should be the equivalent. To make one round linear each message generated by changing **** should satisfy the condition described above thus the value of † † † † and † † † † will modify accordingly. Table 2 . Representing Keccak State ****9162e ****9162e 1245c1c7 1245c1c7 0a3f3940 0a3f3940 eb6e955a eb6e955a 61d62226 61d62226 64cf1036 64cf1036 36da615c 36da615c 3d3b488a 3d3b488a e86d0018 e86d0018 1b16874d 1b16874d 64cf1036 64cf1036 44bbe571 44bbe571 0d0b9c27 0d0b9c27 72f3c98c 72f3c98c 53598e96 53598e96 † † † †9253 † † † †9253 75f22314 75f22314 92d8c5f9 92d8c5f9 372772f3 372772f3 3839af6d 3839af6d b185e09f b185e09f 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

By changing **** values of the input base message, 2 16 individual messages were produced and inputted to 6-round SHAKE128 with output hash-size of 320. For each of the hash-values, apply χ −1 • ι −1 and compute the output-sum. We witnessed ZeroSum with complexity 2 17 and SymSum with 2 16 that confirms the expected outcome predicted by theoretical arguments.

In this work, we have extended the classical SymSum distinguisher up to 3 rounds by applying linear structures and the χ −1 trick. Together, we have an advantage of 3 rounds on almost all previously reported derivative based distinguishers.

One of the most important observations was the shift in the highest degree reachable by TYPE-II monomials which are fundamental to achieving a roundconstant independent function thereby being the basis of the SymSum distinguisher. As dictated by Theorem 2, irrespective of the number (≥ 1) of rounds linearized SymSum loses its 4 factor advantage over ZeroSum. However, that is a little price to pay against the increase in the number of rounds penetrated. A comparison among the various approaches that extend the SymSum distinguisher is furnished in Fig. 8 . The comparisons are provided for 7, 8, 9 and 10 rounds for each variant of SHA3. As one can observe for SHA3-224 and SHA3-256, the best distinguisher in terms if #Rounds is still the classical SymSum. This is due to the fact that χ −1 is not applicable for SHA3-224 and SHA3-256 as the output hash value length is <320 bits which is minimum requirement for applying χ −1 on the hash-digest. Another observation is that for SHA3-384/512 and SHAKE128/256, the maximum rounds are reached using χ −1 technique over classical SymSum. This is attributed to the degrees of freedom that is available when we just augment classical SymSum with χ −1 technique. On the other hand, linear structures lead to drastic reduction in degrees of freedom. Also, it can be noted that SymSum always enjoys a degree 2 advantage as predicted by the results discussed earlier. However, for the same number of round ZeroSum always has a better degree of freedom for well-understood reason of not having to conform to the self-symmetry constraint.

The maximum degree of freedom for different variants and approaches is depicted in Table 3 . The table also shows the corresponding slice/state configuration for achieving that degree of freedom. Moreover, the constraints to be 1 Fig. 8 . Comparison of SHA3 variants for different approaches as applying χ −1 , 1-round linearization, 1-round linearization + χ −1 , 2-round linearization and 2-round linearization + χ −1 with classical SymSum distinguisher applied on the slice variables to fulfill the condition for 1-round linearization is also exhibited in the table. Similar data is furnished in Table 4 for 2-round linearization. It is worth mentioning that for SHA3-512 2-round linearization is not applicable as the rate part is substantially lower leaving very less room to formulate the necessary constraints. It is easy to appreciate that the results reported here are better than ZeroSum and classical SymSum. Interestingly, even the simple χ −1 trick helps classical SymSum to breach the 10-round barrier (as stated in [17] ) which is now possible to be distinguished with 2 511 calls to SHA3. 

This work aims to combine two very interesting results on SHA3 namely the SymSum property and the idea of linear structures to devise the best distinguishers on the SHA3 standard in terms of complexity and number of rounds penetrated.

The main contribution lies in studying the effect of linearization on the core SymSum property. The results show that due to the effect of linear structures the factor of four advantage that SymSum enjoys over ZeroSum is reduced to two. Theoretical arguments are provided to explain this reduction. A simple χ inversion trick is also devised on applicable variants to penetrate one round further. With the combined power of all strategies, this work reaches up to 9 rounds of certain SHA3 variants with a practically feasible complexity of 2 64 .

Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi

EcryptHash Workshop

The Keccak SHA-3 submission

Higher-order differential properties of Keccak and Luffa

Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function

Improved zero-sum distinguisher for full round Keccak-f permutation. IACR Cryptology ePrint Archive

Unaligned rebound attack: application to Keccak

Linear structures: applications to cryptanalysis of roundreduced Keccak

Conditional cube attack on reduced-round Keccak sponge function

Internal differential boomerangs: practical analysis of the round-reduced Keccak-f permutation

Practical distinguishers against 6-round Keccak-f exploiting self-symmetry

Preimage attacks on the round-reduced Keccak with cross-linear structures

Preimage attacks on round-reduced Keccak-224/256 via an allocating approach. IACR Cryptology ePrint Archive

Rotational cryptanalysis of roundreduced Keccak

Practical analysis of reduced-round Keccak

New collision attacks on round-reduced Keccak. IACR Cryptology ePrint Archive

SymSum: symmetric-sum distinguishers against round reduced SHA3

SHA-3: Cryptographic hash algorithm competition