新的低轮Keccak线性结构设计

针对Keccak算法S盒层线性分解的问题，提出一种新的线性结构构造方法，该方法主要基于Keccak算法S盒代数性质。首先，S盒层的输入比特需要固定部分约束条件，以确保状态数据经过这种线性结构仍具有线性关系；然后再结合中间相遇攻击的思想给出新的低轮Keccak算法零和区分器的构造方法。实验结果表明：新的顺1轮、逆1轮零和区分器可以完成目前理论上最好的15轮Keccak的区分攻击，且复杂度降低至2²⁵⁷；新的顺1轮、逆2轮零和区分器具有自由变量更多、区分攻击的组合方式更丰富等优点。

New design of linear structure for round-reduced Keccak

Focusing on the linear decomposition of the S-box layer in Keccak algorithm, a new linear structure construction method was proposed based on the algebraic properties of the S-box. Firstly, to ensure the state data was still linear with that after this linear structure, some constraints about input bits of S-box needed to be fixed. Then, as an application of this technique, some new zero-sum distinguishers of round-reduced Keccak were constructed by combining the idea of meet-in-the-middle attack. The results show that a new 15-round distinguisher of Keccak is found, which extends 1-round forward and 1-round backward. This work is consistent with the best known ones and its complexity is reduced to 2²⁵⁷. The new distinguisher, which extends 1-round forward and 2-round backward, has the advantages of more free variables and richer distinging attack combinations.