International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: Finding Collisions against 4-Round SHA-3-384 in Practical Time

Senyang Huang , Department of Electrical and Information Technology, Lund University, Lund, Sweden; Department of Computer Science, University of Haifa, Haifa, Israel
Orna Agmon Ben-Yehuda , Caesarea Rothschild Institute for Interdisciplinary Applications of Computer Science (CRI), University of Haifa, Haifa, Israel
Orr Dunkelman , Department of Computer Science, University of Haifa, Haifa, Israel
Alexander Maximov , Ericsson Research, Lund, Sweden
DOI: 10.46586/tosc.v2022.i3.239-270
Search ePrint
Search Google
Abstract: The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis of SHA-3 has attracted a lot of attention. Currently, the most powerful collision attack on SHA-3 is Jian Guo et al.’s linearisation technique. However, this technique is infeasible for variants with asmaller input space, such as SHA-3-384.In this work we improve upon previous results by utilising three ideas which were not used in previous works on collision attacks against SHA-3. First, we use 2-block messages instead of 1-block messages, to reduce constraints and increase flexibility in our solutions. Second, we reduce the connectivity problem into a satisfiability (SAT) problem, instead of applying the linearisation technique. Finally, we propose an efficient deduce-and-sieve algorithm on the basis of two new non-random propertiesof the Keccak non-linear layer.The resulting collision-finding algorithm on 4-round SHA-3-384 has a practical time complexity of 259.64 (and a memory complexity of 245.94). This greatly improves upon the best known collision attack so far: Dinur et al. achieved an impractical 2147 time complexity. Our attack does not threaten the security margin of the SHA-3 hash function. However, the tools developed in this paper could be used to analyse other cryptographic primitives as well as to develop new and faster SAT solvers.
  title={Finding Collisions against 4-Round SHA-3-384 in Practical Time},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2022, Issue 3},
  author={Senyang Huang and Orna Agmon Ben-Yehuda and Orr Dunkelman and Alexander Maximov},