01-11-2024
Simple vs. vectorial: exploiting structural symmetry to beat the ZeroSum distinguisher
Applications to SHA3, Xoodyak and Bash
Authors: Sahiba Suryawanshi, Shibam Ghosh, Dhiman Saha, Prathamesh Ram
Published in: Designs, Codes and Cryptography | Issue 1/2025
Abstract
Higher order differential properties constitute a very insightful tool at the hands of a cryptanalyst, allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as \(\textsf{SymSum}_\textsf{Vec}\) in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3, constituting one of the best distinguishers on the latest cryptographic hash standard. \(\textsf{SymSum}_\textsf{Vec}\) exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of SHA-3 with regards to their dependence on round constants. Later, in AFRICACRYPT 2020, Suryawanshi et al. extended \(\textsf{SymSum}_\textsf{Vec}\) using linearization techniques and in SSS 2023 also applied it to the NIST-LWC finalist Xoodyak. However, a major limitation of \(\textsf{SymSum}_\textsf{Vec}\) is the maximum attainable derivative (MAD) of the polynomial representation, which is less than half of that of the widely studied ZeroSum distinguisher. This is attributed to \(\textsf{SymSum}_\textsf{Vec}\) being dependent on k-fold vectorial derivatives while ZeroSum relies on k-fold simple derivatives. In this work we overcome this limitation of \(\textsf{SymSum}_\textsf{Vec}\) by developing and validating the theory of computing \(\textsf{SymSum}_\textsf{Vec}\) with simple derivatives. This gives us a close to \(100\%\) improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with 1/2-round linearization to penetrate more rounds. Moreover, we identify an issue with the 2-round linearization claim made by Suryawanshi et al. which renders it invalid, and we also furnish an algebraic fix at the cost of some additional constraints.
Combining all the results, we report \(\textsf{SymSum}_\textsf{Sim}\), a new variant of the \(\textsf{SymSum}_\textsf{Vec}\) distinguisher based on k-fold simple derivatives that outperforms ZeroSum by a factor of \(2^{257}\) and \(2^{129}\) for 10-round SHA3-384 and 9-round SHA3-512 respectively, while enjoying the same MAD as ZeroSum. For every other SHA-3 variant, \(\textsf{SymSum}_\textsf{Sim}\) maintains an advantage of a factor of 2 over ZeroSum. Combined with 1/2-round linearization, \(\textsf{SymSum}_\textsf{Sim}\) improves upon all existing ZeroSum and \(\textsf{SymSum}_\textsf{Vec}\) distinguishers on both SHA-3 and Xoodyak. As regards Keccak-\(p\), the internal permutation of SHA-3, we report the best 15-round distinguisher with a complexity of \(2^{256}\) and the first better-than-birthday-bound 16-round distinguisher with a complexity of \(2^{512}\) (improving upon the 15/16-round results by Guo et al. in ASIACRYPT 2016). We also devise the best full-round distinguisher on the Xoodoo internal permutation of Xoodyak with a practically verifiable complexity of \(2^{32}\) and furnish the first third-party distinguishers on the Belarusian-standard hash function Bash. All distinguishers presented in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken, \(\textsf{SymSum}_\textsf{Sim}\) emerges as a better distinguisher than ZeroSum on all fronts and adds to the state-of-the-art of cryptanalytic tools investigating non-randomness of crypto primitives.
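The following Python is an added illustration, not code from the paper: it computes k-fold Boolean derivatives as XOR-sums over an affine subspace on a constructed 8-bit toy round function (a chi-like degree-2 layer, not Keccak-p) and shows why the maximum attainable derivative order (MAD) halves when each derivative direction must consume two symmetric input bits instead of one. The pairwise model of a "vectorial" direction is an assumption of this example, not the paper's definition.

```python
from itertools import product

N = 8  # constructed toy state width in bits (Keccak-p is 1600)
MASK = (1 << N) - 1
MAD_SIMPLE, MAD_SYMMETRIC = N, N // 2  # one bit vs. two bits per order

def chi(x: int) -> int:
    """Degree-2 nonlinear layer modelled on Keccak's chi: x_i ^= ~x_{i+1} & x_{i+2}."""
    y = 0
    for i in range(N):
        b = (x >> i) & 1
        b1 = (x >> ((i + 1) % N)) & 1
        b2 = (x >> ((i + 2) % N)) & 1
        y |= (b ^ ((b1 ^ 1) & b2)) << i
    return y

def toy_perm(x: int, nrounds: int) -> int:
    """Rotate (linear), apply chi, add a constructed round constant.
    Algebraic degree after r rounds is at most 2**r."""
    for r in range(nrounds):
        x = ((x << 3) | (x >> (N - 3))) & MASK
        x = chi(x) ^ ((0x9B * (r + 1)) & MASK)
    return x

def derivative(f, base: int, vectors: list[int]) -> int:
    """k-fold derivative of f at `base` along k independent vectors: the XOR
    of f over the affine subspace base + span(vectors). It is identically
    zero whenever deg(f) < k, which is the ZeroSum property."""
    acc = 0
    for coeffs in product((0, 1), repeat=len(vectors)):
        pt = base
        for c, v in zip(coeffs, vectors):
            if c:
                pt ^= v
        acc ^= f(pt)
    return acc

def simple_vectors(k: int) -> list[int]:
    """Simple derivatives: each order consumes one input bit, so up to N orders."""
    assert k <= MAD_SIMPLE
    return [1 << i for i in range(k)]

def symmetric_vectors(k: int) -> list[int]:
    """Assumed 'vectorial' model: each direction flips bit i together with bit
    i + N/2, so each order consumes two bits and only N/2 orders are possible."""
    assert k <= MAD_SYMMETRIC
    return [(1 << i) | (1 << (i + N // 2)) for i in range(k)]

def zerosum_holds(nrounds: int, order: int, vectors) -> bool:
    """True if the order-k derivative of the toy permutation vanishes at every base."""
    f = lambda x: toy_perm(x, nrounds)
    return all(derivative(f, b, vectors(order)) == 0 for b in range(1 << N))
```

With two rounds the degree is at most 4, so an order-5 simple derivative always vanishes, while the symmetric model cannot reach order 5 at all on 8 bits.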