Guido Bertoni^{3}, Joan Daemen^{2}, Seth Hoffert, Michaël Peeters^{1}, Gilles Van Assche^{1} and Ronny Van Keer^{1}

^{1}STMicroelectronics - ^{2}Radboud University - ^{3}Security Pattern

This page lists all the third-party cryptanalysis results that we know of on Keccak, including FIPS 202 and SP 800-185 instances, KangarooTwelve, the authenticated encryption schemes Ketje and Keyak, and Kravatte. We may have forgotten some results, so if you think your result is relevant and should be on this page, please do not hesitate to contact us.

The results are divided into the following categories:

- analysis of Keccak (covering also KangarooTwelve, FIPS 202 and SP 800-185 instances) in the context of (unkeyed) hashing;
- analysis that is more specifically targetting keyed modes of use of Keccak, as well as Ketje, Keyak and Kravatte;
- analysis on the (reduced-round) Keccak-
*f*permutations that does not extend to any of the aforementioned cryptographic functions.

In each category, the most recent results come first.

First, the Crunchy Crypto Collision and Pre-image Contest contains third-party cryptanalysis results with practical complexities.

M. S. Rajasree, **Cryptanalysis of Round-Reduced Keccak using Non-Linear Structures**, IACR Cryptology ePrint Archive, 2019

In this paper, Mahesh Sreekumar Rajasree presents new preimage attacks on Keccak by defining non-linear structures. The author focuses on instances with the number of rounds reduced to 2, 3 or 4, and with a capacity of *c*=768 or 1024 bits.

T. Li and Y. Sun, **Preimage Attacks on Round-Reduced Keccak-224/256 via an Allocating Approach**, Eurocrypt, 2019

In this paper, Ting Li and Yao Sun present a new technique for performing a preimage attack on Keccak. They aim for 2 blocks, allowing the constraints to be spread and thus solved more easily. For 3 rounds, the preimage attacks with a practical complexity of 2^{38}-2^{41} when the capacity is 448 bits and of 2^{81}-2^{86} for *c*=512. For 4 rounds, the complexities are theoretical and above 2^{200}, yet improving upon the previous results.

J. Guo, G. Liao, G. Liu, M. Liu, K. Qiao and L. Song, **Practical Collision Attacks against Round-Reduced SHA-3**, IACR Cryptology ePrint Archive, 2019

In this paper (to appear in Jounal of Cryptology), Jian Guo, Guohong Liao, Guozhen Liu, Meicheng Liu, Kexin Qiao and Ling Song recap on the state-of-the art collision attacks against Keccak with practical complexity.

R. Kumar, N. Mittal and S. Singh, **Cryptanalysis of 2 Round Keccak-384**, Indocrypt, 2018

In this paper, Rajendra Kumar, Nikhil Mittal and Shashank Singh improve upon the existing preimage attacks on Keccak. Specifically, they present a preimage attack on Keccak[*r*=832, *c*=768] reduced to 2 rounds with a time complexity of 2^{89}.

Y. Chen and X. Gao, **Quantum Algorithms for Boolean Equation Solving and Quantum Algebraic Attack on Cryptosystems**, IACR Cryptology ePrint Archive, 2018

In this paper, Yu-Ao Chen and Xiao-Shan Gao present a new algorithm for solving Boolean equations using a quantum computer. The apply their algorithm to mount a preimage attack. It is however unclear what is the complexity of this attack.

T. Li, Y. Sun, M. Liao and D. Wang, **Preimage Attacks on the Round-reduced Keccak with Cross-linear Structures**, IACR Trans. Symmetric Cryptol., 2017

In this paper, Ting Li, Yao Sun, Maodong Liao and Dingkang Wang construct a novel kind of structures of polynomials inside the Keccak-*f* permutation, called *cross-linear structures*. Based on this, they present new preimage attacks on Keccak[*r*=240, *c*=160] and on Keccak[*r*=1088, *c*=512] (SHA3-256, SHAKE256), both reduced to 3 rounds. For the former, they solved the 3-round collision challenge in the Crunchy Contest after a computational effort of about 2^{45} operations.

L. Song, G. Liao and J. Guo, **Non-Full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak**, CRYPTO, 2017

In this paper, Ling Song, Guohong Liao and Jian Guo improve upon their previous work by developing new techniques to save degrees of freedom in their attack. As a result, they propose a practical collision attack on Keccak[*r*=1152, *c*=448] reduced to 5 rounds, and they describe how they solved the 6-round collision challenge in the Crunchy Contest, which took 2^{50} operations.

K. Qiao, L. Song, M. Liu and J. Guo, **New Collision Attacks on Round-Reduced Keccak**, Eurocrypt, 2017

In this paper, Kexin Qiao, Ling Song, Meicheng Liu and Jian Guo develop a hybrid method combining algebraic and differential techniques to mount collision attacks on Keccak. They can find collisions on various instances of Keccak with the permutation Keccak-*f*[1600] or Keccak-*f*[800] reduced to 5 rounds. This includes the 5-round collision challenges in the Crunchy Contest.

D. Saha, S. Kuila and D. R. Chowdhury, **SymSum: Symmetric-Sum Distinguishers Against Round Reduced SHA3**, IACR Trans. Symmetric Cryptol., 2017

In this paper, Dhiman Saha, Sukhendu Kuila and Dipanwita Roy Chowdhury combine the analysis of symmetries and of the algebraic degree of the Keccak-*f* permutation to propose a distinguisher on the Keccak sponge function. It can reach up to 9 rounds with a complexity of 2^{511}.

M. Amy, O. Di Matteo, V. Gheorghiu, M. Mosca, A. Parent and J. M. Schanck, **Estimating the Cost of Generic Quantum Pre-image Attacks on SHA-2 and SHA-3**, Selected Areas in Cryptography, 2016

In this paper, Matthew Amy, Olivia Di Matteo, Vlad Gheorghiu, Michele Mosca, Alex Parent and John Schanck investigate the cost of Grover's quantum search algorithm when used to find preimage attacks on SHA3-256 (i.e., Keccak[*r*=1088, *c*=512] with 256 bits of output), as well as on SHA-2. They compare the cost of a classical generic attack (2^{256} operations) with that on a quantum computer with a carefully motivated cost metric (2^{166} logical-qubit-cycles).

J. Guo, M. Liu and L. Song, **Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak**, Asiacrypt, 2016

In this paper, Jian Guo, Meicheng Liu and Ling Song develop the technique of *linear structures* and show how to linearize 3 rounds of Keccak-*f*. They then apply it in preimage attacks on up to 4 rounds. For instance, a preimage on SHAKE128 reduced to 4 rounds with 128 bits of output can be found in complexity 2^{106}. The same technique has been used to solve the 3-round pre-image challenge in the Crunchy Contest. They also used the linear structures to improve the complexity of zero-sum distinguishers on Keccak-*f*[1600].

S. Das and W. Meier, **Differential Biases in Reduced-Round Keccak**, Africacrypt, 2014

In this paper, Sourav Das and Willi Meier investigate the bias of difference bits after the propagation of low-weight differential trails after two rounds of Keccak-*f*. They apply this technique to find distinguishers on Keccak when the permutation is reduced to 6 rounds, with a complexity of 2^{52}.

P. Morawiecki, J. Pieprzyk, M. Srebrny and M. Straus, **Preimage attacks on the round-reduced Keccak with the aid of differential cryptanalysis**, IACR Cryptology ePrint Archive, 2013

In this paper, Paweł Morawiecki, Josef Pieprzyk, Marian Srebrny and Michał Straus present a preimage attack on Keccak[*r*=576, *c*=1024] reduced to 3 rounds and 512 bits of output with complexity 2^{503}. They also present a partial preimage attack, where 256 bits of a 640-bit input message are unknown. This attack works on 4 rounds with a complexity of 2^{251}.

S. Kölbl, F. Mendel, T. Nad and M. Schläffer, **Differential Cryptanalysis of Keccak Variants**, IMA Int. Conf., 2013

In this paper, Stefan Kölbl, Florian Mendel, Tomislav Nad and Martin Schläffer analyze the differential properties of Keccak-*f*[800] and Keccak-*f*[1600]. They present collision attacks with practical complexity on Keccak when the permutation is reduced to 4 rounds. The instances covered include *c*≤352 when using Keccak-*f*[800] and *c*≤640 when using Keccak-*f*[1600].

I. Dinur, O. Dunkelman and A. Shamir, **Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials**, FSE, 2013

In this paper, Itai Dinur, Orr Dunkelman and Adi Shamir present collision attacks on Keccak with practical complexity up to 3 rounds of Keccak-*f*[1600] and with complexity 2^{115} for 5 rounds.

P. Morawiecki, J. Pieprzyk and M. Srebrny, **Rotational Cryptanalysis of Round-Reduced Keccak**, FSE, 2013

In this paper, Paweł Morawiecki, Josef Pierpzyk and Marian Srebrny apply rotational cryptanalysis to Keccak. They use it to construct a 5-round distinguisher for Keccak-*f*[1600] and to do preimage generation for 4 rounds of Keccak[*r*=1024,*c*=576] truncated to 512 bits with complexity 2^{506} calls to Keccak-*f*[1600].

P. Morawiecki and M. Srebrny, **A SAT-based preimage analysis of reduced Keccak hash functions**, Inf. Process. Lett., 2013

In this paper, Paweł Morawiecki and Marian Srebrny report on experiments for generating preimages using SAT solvers. They attack Keccak versions calling Keccak-*f* with width 50, 200 and 1600 and with a reduced number of rounds. They compare the SAT solver approach with plain exhaustive search and it turns out to be faster for up to 3 rounds.

I. Dinur, O. Dunkelman and A. Shamir, **New Attacks on Keccak-224 and Keccak-256**, FSE, 2012 (also published in Journal of Cryptology 27(2) (pp. 183-209), 2014)

The authors of this paper present practical-time collisions on Keccak[*r*=1088,*c*=512] (and lower capacity) with 4 rounds. They combine a low-weight trail over 3 rounds with algebraic techniques. They also find near-collisions when the number of rounds is reduced to 5.

M. Naya-Plasencia, A. Röck and W. Meier, **Practical Analysis of Reduced-Round Keccak**, Indocrypt, 2011

In this paper, the authors propose several practical-time attacks on the Keccak hash function with 2 to 4 rounds. First, they give a differential distinguisher exploiting a low-weight differential trail. Its complexity is 2^{25} for 4 rounds. Then, they show how to produce a collision (resp. near-collision) on 2 (resp. 3) rounds of Keccak[*r*=1088,*c*=512] (and lower capacity) with complexity 2^{33} (resp. 2^{25}). Finally, they present an algorithm to find (second) preimages in time 2^{31} and memory 2^{29}.

D. J. Bernstein, **Second preimages for 6 (7? (8??)) rounds of Keccak?**, NIST hash forum, 2010

The attack exploits the low degree of Keccak-*f*'s round function and turns it into a (second) preimage attack at the sponge function level. The downside of the attack is that this workload reduction comes at the cost of memory. For 6 rounds, 2^{176} bits of memory give a workload reduction by a factor 50 (~6 bits); for 7 rounds, 2^{320} bits of memory give a workload reduction by a factor 37 (~5 bits); and for 8 rounds, 2^{508} bits of memory give a workload reduction by a factor 1.4 (half a bit). The author was awarded the fourth prize for the best cryptanalysis.

H. Zhou, Z. Li, X. Dong, K. Jia and W. Meier, **Practical Key-recovery Attacks on Round-Reduced Ketje Jr, Xoodoo-AE and Xoodyak**, IACR Cryptology ePrint Archive, 2019

In this paper, Haibo Zhou, Zheng Li, Xiaoyang Dong, Keting Jia and Willi Meier further investigate conditional cube attacks on Ketje Jr, on an authenticated encryption mode based on Xoodoo, and on Xoodyak. When Ketje Jr is reduced to 5 rounds, they can recover the key with time complexity 2^{27}. For Xoodyak reduced to 6 rounds, this is 2^{44}.

F. Liu, Z. Cao and G. Wang, **Finding Ordinary Cube Variables for Keccak-MAC with Greedy Algorithm**, IWSEC, 2019

In this paper, Fukang Liu, Zhenfu Cao and Gaoli Wang look at conditional cube attacks and introduce new techniques to find cube variables. They propose key recovery attacks that can break a MAC based on Keccak[*r*=576, *c*=1024] reduced to 6 rounds in time 2^{40}. For Keccak[*r*, *c*] with *c*=256, 512 or 768 reduced to 7 rounds, the time complexity is 2^{71}.

Z. Li, X. Dong, W. Bi, K. Jia, X. Wang and W. Meier, **New Conditional Cube Attack on Keccak Keyed Modes**, IACR Trans. Symmetric Cryptol., 2019

In this paper, Zheng Li, Xiaoyang Dong, Wenquan Bi, Keting Jia, Xiaoyun Wang and Willi Meier propose improved conditional cube attacks to reduce the complexity of the known key recovery attacks on Keccak, KMAC and Ketje Sr. In particular, for KMAC256 reduced to 9 rounds, the time complexity is now 2^{139}, for a MAC based on Keccak[*r*=576, *c*=1024] reduced to 7 rounds, the time complexity is 2^{72} and for Ketje Sr reduced to 7 rounds, the complexity is 2^{77}.

W. Bi, X. Dong, Z. Li, R. Zong and X. Wang, **MILP-aided Cube-attack-like Cryptanalysis on Keccak Keyed Modes**, Des. Codes Cryptography, 2019

In this paper, Wenquan Bi, Xiaoyang Dong, Zheng Li, Rui Zong and Xiaoyun Wang improve upon the cube attacks of Dinur et al. [Eurocrypt 2015] by optimizing the choice of public variables in the cube using mixed-integer linear programming (MILP). Their method works best and outperforms other methods when the number of degrees of freedom is small (e.g., small rate or small permutation width). They apply the method to a MAC function on top of Keccak[*r*=1344, *c*=256] and Keccak[*r*=576, *c*=1024] reduced to 6 (time 2^{42}-2^{59}) or 7 rounds (2^{80}-2^{112}). They also apply it to Lake Keyak reduced to 7 (2^{42}) or 8 rounds (2^{79}) and to Ketje Minor and Major reduced to 7 rounds (2^{94}-2^{113}).

L. Song and J. Guo, **Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP**, IACR Trans. Symmetric Cryptol., 2018

In this paper, Ling Song and Jian Guo further develop cube-attack-like techniques involving mixed integer linear programming (MILP) to attack reduced-round Keccak, Ketje and Xoodoo. More specifically, they attack a MAC based on Keccak[*r*=576, *c*=1024] reduced to 7 rounds with a time complexity of 2^{111}. For Ketje Jr, they attack 5 and 6 rounds with time complexities of 2^{35} and 2^{59} respectively. They also consider a Ketje-style authenticated encryption mode on top of Xoodoo reduced to 6 rounds with a complexity of 2^{89}.

T. Fuhr, M. Naya-Plasencia and Y. Rotella, **State-Recovery Attacks on Modified Ketje Jr**, IACR Trans. Symmetric Cryptol., 2018

In this paper, Thomas Fuhr, María Naya-Plasencia and Yann Rotella describe key recovery attacks on Ketje Jr, targeting the encryption phase. The attacks work with a rate extended to 32 or 40 bits (instead of the nominal 16 bits). They compare the resistance of their attacks between Ketje Jr v1 and v2, and show that the latter has a thicker safety margin.

C. Chaigneau, T. Fuhr, H. Gilbert, J. Guo, J. Jean, J. Reinhard and L. Song, **Key-Recovery Attacks on Full Kravatte**, IACR Trans. Symmetric Cryptol., 2018

In this paper, Colin Chaigneau, Thomas Fuhr, Henri Gilbert, Jian Guo, Jérémy Jean, Jean-René Reinhard and Ling Song analyze the Kravatte pseudo-random function. They show that Kravatte 6644 is vulnerable to key recovery attacks using high-order differential attacks or using algebraic attacks on the expansion phase. They also show that the attacks work even if the number of rounds is raised to 6 for all permutations. However, their attacks do not extend to the final version of Kravatte, namely, Kravatte Achouffe. The authors were so generous to communicate their results to us during the review process of our Farfalle paper submission to ToSC, allowing us to tweak Kravatte accordingly.

C. Ye and T. Tian, **New Insights into Divide-and-Conquer Attacks on the Round-Reduced Keccak-MAC**, IACR Cryptology ePrint Archive, 2018

In this paper, Chen-Dong Ye and Tian Tian investigate a variant of cube attacks called divide-and-conquer attacks, and apply it to a MAC function on top of Keccak[*r*=1024, *c*=576] reduced to 6 or 7 rounds. They improve upon the attacks of Dinur et al. [Eurocrypt 2015], but not on the attacks of Huang et al. [Eurocrypt 2017].

L. Song, J. Guo, D. Shi and S. Ling, **New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions**, Asiacrypt, 2018

In this paper, Ling Song, Jian Guo, Danping Shi and San Ling improve cube attacks on Keccak-based functions by finding more optimal sets of conditional cubes. Their findings apply to many instances: to KMAC128 reduced to 7 rounds (time 2^{76}), KMAC256 reduced to 9 rounds (2^{147}), Lake Keyak reduced to 9 rounds (2^{137}), River and Lake Keyak reduced to 8 rounds (2^{71}-2^{77}), Ketje Minor and Major reduced to 7 rounds (2^{71}-2^{73}) and Ketje Sr reduced to 7 rounds (2^{92}). They also present a general attack on the full-state keyed duplex with Keccak-*p*[1600, *n*_{r}=9] of complexity 2^{90}.

Z. Li, W. Bi, X. Dong and X. Wang, **Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method**, Asiacrypt, 2017

In this paper, Zheng Li, Wenquan Bi, Xiaoyang Dong and Xiaoyun Wang improve the cube attacks on Keccak and Ketje. First, they present key recovery attacks on Keccak used in a MAC mode, reduced to 6 rounds (time 2^{58}) and 7 rounds (time 2^{75}), gaining one round comapred to by Huang et al. Second, they reduce the time complexity of the key recovery attacks by Dong et al. on reduced-round Ketje Minor and Major, from 2^{96} down to 2^{81} and 2^{83}, respectively.

X. Dong, Z. Li, X. Wang and L. Qin, **Cube-like Attack on Round-Reduced Initialization of Ketje Sr**, IACR Trans. Symmetric Cryptol., 2017

In this paper, Xiaoyang Dong, Zheng Li, Xiaoyun Wang and Ling Qin mount cube attacks on the Ketje family of authenticated encryption schemes, with a focus on the primary recommendation Ketje Sr. They can successfully recover the key when the number of rounds of the initialization step is reduced from 12 down to 6, with various complexities (e.g., from 2^{96} for Ketje Minor or Major to 2^{113} for Ketje Sr).

S. Huang, X. Wang, G. Xu, M. Wang and J. Zhao, **Conditional Cube Attack on Reduced-Round Keccak Sponge Function**, Eurocrypt, 2017

In this paper, Senyang Huang, Xiaoyun Wang, Guangwu Xu, Meiqin Wang and Jingyuan Zhao generalize cube attacks into *conditional* cube testers. They present different attacks in different settings. With a MAC mode on top of Keccak with a reduced-round Keccak-*f*[1600], they can recover the secret key up to 7 rounds with a time and data complexity of 2^{72}. On Lake Keyak, their attack extends to 8 rounds with a time and data complexity of 2^{74}. Finally, they also propose (unkeyed) distinguishers on Keccak reduced to 7 rounds.

I. Dinur, P. Morawiecki, J. Pieprzyk, M. Srebrny and M. Straus, **Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function**, Eurocrypt, 2015

In their paper, Itai Dinur, Paweł Morawiecki, Josef Pieprzyk, Marian Srebrny and Michał Straus present attacks that combine cube attacks and structural properties of Keccak. They target different keyed modes of Keccak as well as Keyak v1. They achieve forgery attacks up to 7 rounds (complexity: 2^{65}), key recovery attacks up to 7 rounds (complexity: 2^{76}) and keystream predictions up to 9 rounds (complexity: 2^{256}). These are the attacks that reach the largest number of rounds of Keccak and Keyak v1.

I. Dinur, P. Morawiecki, J. Pieprzyk, M. Srebrny and M. Straus, **Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function**, IACR Cryptology ePrint Archive, 2014

In their paper, Itai Dinur, Paweł Morawiecki, Josef Pieprzyk, Marian Srebrny and Michał Straus present some cube attacks on stream cipher and MAC modes of Keccak. The attacks allow to recover the key with a small complexity of 2^{36} when the permutation is reduced to 6 rounds or less.

J. Lathrop, **Cube Attacks on Cryptographic Hash Functions**, Rochester Institute of Technology, 2009

In his thesis, Joel Lathrop shows that cube attacks can not only be applied to keyed cryptosystems but also to hash functions by way of a partial preimage attack. Cube attacks are applied to reduced-round variants of ESSENCE and Keccak.

J. Jean and I. Nikolić, **Internal Differential Boomerangs: Practical Analysis of the Round-Reduced Keccak- f Permutation**, Fast Software Encryption, 2015

In this paper, Jérémy Jean and Ivica Nikolić introduce the technique of *internal differential boomerang distinguishers*. They analyze the symmetry inside the permutation and propose distinguishers up to 8 rounds of Keccak-*f*[1600] with practical complexities.

S. Kuila, D. Saha, M. Pal and D. R. Chowdhury, **Practical Distinguishers against 6-Round Keccak- f Exploiting Self-Symmetry**, Africacrypt, 2014

In this paper, Sukhendu Kuila, Dhiman Saha, Madhumangal Pal and Dipanwita Roy Chowdhury consider distinguishers on Keccak-*f*[1600] where the state is self-symmetric, i.e., it has a period less than 64 along the *z*-axis. They show distinguishers up to 6 rounds with a complexity of 2^{11}.

A. Duc, J. Guo, T. Peyrin and L. Wei, **Unaligned Rebound Attack: Application to Keccak**, Fast Software Encryption, 2012

This paper analyzes two aspects of differential cryptanalysis on Keccak: efficient trails and rebound attacks. In the former, the authors propose a heuristic to build differential trails with a low restriction weight. For Keccak-*f*[1600], they obtained trails of weight 32, 142 and 709 for 3, 4 and 5 rounds, respectively. In the latter, the paper presents distinguishers making use of the rebound attack for up to 8 rounds of Keccak-*f*[1600] with a complexity of 2^{491}.

M. Duan and X. Lai, **Improved zero-sum distinguisher for full round Keccak- f permutation**, IACR Cryptology ePrint Archive, 2011

The authors of this paper noted a property of the inverse of the non-linear function *χ*: while *χ*^{-1} has algebraic degree 3, the product of any two output bits also has degree 3. This allows to estimate the degree of the Keccak-*f* rounds more tightly and to extend the zero-sum distinguisher on Keccak-*f*[1600] to size 2^{1575} for 24 rounds.

C. Boura, A. Canteaut and C. De Cannière, **Higher-Order Differential Properties of Keccak and Luffa**, Fast Software Encryption, 2011

In this work, the authors present a new upper bounds for the algebraic degree of iterated permutations. While for a small number of rounds the algebraic degree increases exponentially with the number of rounds, for a large number of rounds the algebraic degree only converges exponentially to the maximum value (permutation width minus 1). This improves upon existing zero-sum distinguishers for several SHA-3 candidates. For Keccak-*f*, it allows extending the zero-sum distinguishers to the full 24-round version, although the size of the zero-sums is 2^{1590} and the distinguisher does not extend to any other type of attack against Keccak.

C. Boura and A. Canteaut, **A zero-sum property for the Keccak- f permutation with 18 rounds**, ISIT, 2010

In this paper, Christina Boura and Anne Canteaut extend the zero-sum distinguisher of Aumasson and Meier to 18 rounds by analyzing the Walsh spectrum of the non-linear part and bounding the degree of the rounds more tightly. The authors won the third prize for the best cryptanalysis.

J. Aumasson and W. Meier, **Zero-sum distinguishers for reduced Keccak- f and for the core functions of Luffa and Hamsi**, rump session of CHES, 2009

In this note, Jean-Philippe Aumasson and Willi Meier investigate a new kind of distinguishers called *zero-sum distinguishers*. In particular, they compute high-order derivatives of the rounds and the inverse rounds of Keccak-*f*. Starting from the middle, they obtain a set of values whose sum is zero and whose sum of images through reduced-round Keccak-*f* is also zero. This distinguisher is successful up to 16 rounds. The authors did not find a way to use this distinguisher against the Keccak sponge function, though. The authors won the second prize for the best cryptanalysis.

J. Aumasson and D. Khovratovich, **First Analysis of Keccak**, NIST hash forum, 2009

In this paper, Jean-Philippe Aumasson and Dmitry Khovratovich look at two possible distinguishers on reduced-round Keccak-*f*[1600]. First, cube testers are applied to detect non-ideal behavior in the algebraic description of the permutation. Second, the authors try to solve the constrained-input constrained-output (CICO) problem using automated algebraic techniques. The authors received 25 bottles of Belgian trappist beer as the paper was awarded the first prize for the best cryptanalysis. It was presented by Dmitry Khovratovich at the rump session of Eurocrypt 2009 (Beer-recovery analysis).