Differential Biases in Reduced-Round Keccak

The Keccak hash function is the winner of the SHA-3 competition. In this paper, we examine differential propagation properties of Keccak constituent functions. We discover that low-weight differentials produce a number of biased and fixed difference bits in the state after two rounds and provide a theoretical explanation for the existence of such a bias. We also describe several other propagation properties of Keccak with respect to differential cryptanalysis. Combining our propagation analysis with results from the existing literature we find distinguishers on six rounds of the Keccak hash function with complexity 2(52) for the first time in this paper.