Abstract
Keccak is a family of hash functions based on the sponge construction. It was designed by Bertoni et al. and selected as the winner of the SHA3 competition. The security analysis of Keccak can be divided into three parts: analyses of Keccak in the context of hashing, analyses of Keccak-MAC and authenticated encryption schemes, and distinguishing attacks on the Keccak-f permutations. This paper studies the impossible differential property of Keccak and presents a distinguishing attack based on it. It is found that the XOR of two bits in a column remains unchanged after the linear operation θ in the round function. Based on this property, a 4-round impossible differential characteristic of the Keccak function can be constructed. Because the sizes of the message and the digest differ between versions and affect the choice of the input and output differentials, an impossible differential characteristic is selected that conforms to SHA3-512. We then develop a property of the inverse of the non-linear operation, χ^{-1}, which shows that when the input pairs satisfy some constraints, the output difference and the input difference should be equal. Finally, based on the characteristic and the property, an impossible differential distinguishing attack on 4-round SHA3-512 is performed. The success rate of this attack is 99%, where the data complexity is 2^{8.21} messages and the corresponding time complexity is 2^{8.21}. We did some experiments to verify the above theoretical results by taking SHA-512 as the random function, and they show that the complexity of our attack is better than that of other methods for the same number of rounds.
| Translated title of the contribution | Distinguish attack on round-reduced sha3-512 based on impossible differential |
|---|---|
| Original language | Chinese (Traditional) |
| Pages (from-to) | 545-557 |
| Number of pages | 13 |
| Journal | Journal of Cryptologic Research |
| Volume | 4 |
| Issue number | 6 |
| DOIs | |
| Publication status | Published - 28 Dec 2017 |
| Externally published | Yes |
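
The θ property stated in the abstract can be checked directly. The following is an added example, not code from the paper: it implements the standard θ step of Keccak-f[1600] and verifies on random states that the XOR of any two bits in the same column is unchanged. It also goes one step beyond the abstract by showing the differential consequence, using constructed difference states: a difference with two active bits in one column passes θ unchanged, while a single-bit difference spreads to 11 bits. The helper names (`column_pair_xors`, `invariant_holds`, `delta`, `weight`) are assumptions of this example.

```python
import random

W = 64                      # lane width of Keccak-f[1600]
MASK = (1 << W) - 1

def rotl1(v):
    """Rotate a W-bit lane left by one position."""
    return ((v << 1) | (v >> (W - 1))) & MASK

def theta(A):
    """Keccak theta step on a 5x5 state A[x][y] of W-bit lanes."""
    C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
    D = [C[(x - 1) % 5] ^ rotl1(C[(x + 1) % 5]) for x in range(5)]
    # Every bit of column (x, z) is XORed with the same value: bit z of D[x].
    return [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]

def column_pair_xors(A):
    """Lane A[x][y1]^A[x][y2]; its bit z is the XOR of two bits of column (x, z)."""
    return {(x, y1, y2): A[x][y1] ^ A[x][y2]
            for x in range(5) for y1 in range(5) for y2 in range(y1 + 1, 5)}

def invariant_holds(trials=200, seed=1):
    """Check on random states that theta preserves all in-column pair XORs."""
    rng = random.Random(seed)
    for _ in range(trials):
        A = [[rng.getrandbits(W) for _ in range(5)] for _ in range(5)]
        if column_pair_xors(A) != column_pair_xors(theta(A)):
            return False
    return True

def delta(bits):
    """Constructed difference state with the listed (x, y, z) bits active."""
    A = [[0] * 5 for _ in range(5)]
    for x, y, z in bits:
        A[x][y] ^= 1 << z
    return A

def weight(A):
    """Number of active bits in a state."""
    return sum(bin(lane).count("1") for column in A for lane in column)

if __name__ == "__main__":
    # theta is linear, so theta(M) ^ theta(M ^ d) == theta(d) for any message M.
    single = delta([(2, 1, 7)])            # one active bit
    pair = delta([(2, 1, 7), (2, 4, 7)])   # two active bits, same column
    print("pair XORs preserved:", invariant_holds())
    print("single-bit difference weight after theta:", weight(theta(single)))
    print("in-column pair unchanged by theta:", theta(pair) == pair)
```
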