Preimage Attacks on 4-Round Keccak by Solving Multivariate Quadratic Systems

In this paper, we present preimage attacks on 4-round Keccak-224/256 as well as 4-round Keccak[r = 640, c = 160, / = 80] in the preimage challenges. We revisit the Crossbred algorithm for solving the Boolean multivariate quadratic (MQ) system and elaborate the computational complexity for the case D = 2. The result shows that the Crossbred algorithm has advantages when n is small and m outperforms n with feasible memory costs. In our attacks, we construct Boolean MQ systems in order to make full use of variables. With the help of solving MQ systems, we successfully improve preimage attacks on Keccak224/256 reduced to 4 rounds. Moreover, we implement the preimage attack on 4 -round Keccak[r = 640, c = 160, / = 80], an instance in the Keccak preimage challenges, and find 78-bit matched near preimages.