International Association
for Cryptologic Research

We introduce internal differential boomerang distinguisher as a combination of internal differentials and classical boomerang distinguishers. The new boomerangs can be successful against cryptographic primitives having high-probability round-reduced internal differential characteristics. The internal differential technique, which follow the evolution of differences between parts of the state, is particularly meaningful for highly symmetric functions like the inner permutation Keccak-f of the hash functions defined in the future SHA-3 standard.

We find internal differential and standard characteristics for three to four rounds of Keccak-f, and with the use of the new technique, enhanced with a strong message modification, show practical distinguishers for this permutation.

Namely, we need $2^{12}$ queries to distinguish 7 rounds of the permutation starting from the first round, and approximately $2^{18}$ queries to distinguish 8 rounds starting from the fourth round.

Due to the exceptionally low complexities, all of our results have been completely verified with a computer implementation of the analysis.