TY - JOUR
T1 - New zero-sum distinguishers on full 24-round KECCAK-f using the division property
AU - Yan, Hailun
AU - Lai, Xuejia
AU - Wang, Lei
AU - Yu, Yu
AU - Xing, Yiran
N1 - Publisher Copyright:
© The Institution of Engineering and Technology 2019
PY - 2019/9/1
Y1 - 2019/9/1
N2 - The authors analyse the security of KECCAK (the winner of the SHA-3 competition) by focusing on the zero-sum distinguishers of its underlying permutation (named KECCAK-f). The authors’ analyses are developed by using the division property, a generalised integral property that was initially used in the integral cryptanalysis of symmetric-key algorithms. Following the work pioneered by Todo at CRYPTO 2015, they first formalise and prove a more delicate propagation rule of the division property under the assumption that the S-box's specification is known to attackers. Then, they apply this rule to the inverse S-box in KECCAK-f with a further study on properties of its algebraic degree. They find that the rate of decline in the division property is gentler than that of a randomly chosen S-box. Meanwhile, they get the same results for the S-box in the ASCON permutation. Thanks to this vulnerable property, they can improve the higher-order differential characteristics against the inverse of KECCAK-f in terms of the required number of chosen plaintexts. As an application, they give new zero-sum distinguishers on full 24-round KECCAK-f of size 2^1573. To the authors’ knowledge, these are currently the best zero-sum distinguishers of the full-round KECCAK-f permutation. Incidentally, they give the corresponding results for the 12-round ASCON permutation.
AB - The authors analyse the security of KECCAK (the winner of the SHA-3 competition) by focusing on the zero-sum distinguishers of its underlying permutation (named KECCAK-f). The authors’ analyses are developed by using the division property, a generalised integral property that was initially used in the integral cryptanalysis of symmetric-key algorithms. Following the work pioneered by Todo at CRYPTO 2015, they first formalise and prove a more delicate propagation rule of the division property under the assumption that the S-box's specification is known to attackers. Then, they apply this rule to the inverse S-box in KECCAK-f with a further study on properties of its algebraic degree. They find that the rate of decline in the division property is gentler than that of a randomly chosen S-box. Meanwhile, they get the same results for the S-box in the ASCON permutation. Thanks to this vulnerable property, they can improve the higher-order differential characteristics against the inverse of KECCAK-f in terms of the required number of chosen plaintexts. As an application, they give new zero-sum distinguishers on full 24-round KECCAK-f of size 2^1573. To the authors’ knowledge, these are currently the best zero-sum distinguishers of the full-round KECCAK-f permutation. Incidentally, they give the corresponding results for the 12-round ASCON permutation.
UR - https://www.scopus.com/pages/publications/85070465827
U2 - 10.1049/iet-ifs.2018.5263
DO - 10.1049/iet-ifs.2018.5263
M3 - Article
AN - SCOPUS:85070465827
SN - 1751-8709
VL - 13
SP - 469
EP - 478
JO - IET Information Security
JF - IET Information Security
IS - 5
ER -