Designs, Codes and Cryptography (IF 1.4), Pub Date: 2024-11-01, DOI: 10.1007/s10623-024-01502-x. Sahiba Suryawanshi, Shibam Ghosh, Dhiman Saha, Prathamesh Ram
Higher order differential properties are a very insightful tool in the hands of a cryptanalyst, allowing a cryptographic primitive to be probed from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as \(\textsf {SymSum}_\textsf {Vec}\) in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3, constituting one of the best distinguishers on the latest cryptographic hash standard. \(\textsf {SymSum}_\textsf {Vec}\) exploits the fact that the highest-degree monomials in the algebraic normal form of SHA-3 differ from the lower-degree ones in their dependence on the round constants. Later, in AFRICACRYPT 2020, Suryawanshi et al. extended \(\textsf {SymSum}_\textsf {Vec}\) using linearization techniques, and in SSS 2023 also applied it to the NIST-LWC finalist Xoodyak. However, a major limitation of \(\textsf {SymSum}_\textsf {Vec}\) is the maximum attainable derivative (MAD) of the polynomial representation, which is less than half that of the widely studied ZeroSum distinguisher. This is because \(\textsf {SymSum}_\textsf {Vec}\) depends on k-fold vectorial derivatives, while ZeroSum relies on k-fold simple derivatives. In this work we overcome this limitation of \(\textsf {SymSum}_\textsf {Vec}\) by developing and validating the theory of computing \(\textsf {SymSum}_\textsf {Vec}\) with simple derivatives. This gives a close to \(100\%\) improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with 1/2-round linearization to penetrate more rounds. Moreover, we identify an issue with the 2-round linearization claim made by Suryawanshi et al. which renders it invalid, and furnish an algebraic fix at the cost of some additional constraints.
Combining all the results, we report \(\textsf {SymSum}_\textsf {Sim}\), a new variant of the \(\textsf {SymSum}_\textsf {Vec}\) distinguisher based on k-fold simple derivatives that outperforms ZeroSum by a factor of \(2^{257}\) for 10-round SHA3-384 and \(2^{129}\) for 9-round SHA3-512 while enjoying the same MAD as ZeroSum. For every other SHA-3 variant, \(\textsf {SymSum}_\textsf {Sim}\) maintains an advantage of a factor of 2 over ZeroSum. Combined with 1/2-round linearization, \(\textsf {SymSum}_\textsf {Sim}\) improves upon all existing ZeroSum and \(\textsf {SymSum}_\textsf {Vec}\) distinguishers on both SHA-3 and Xoodyak. As regards Keccak-\(p\), the internal permutation of SHA-3, we report the best 15-round distinguisher, with a complexity of \(2^{256}\), and the first better-than-birthday-bound 16-round distinguisher, with a complexity of \(2^{512}\) (improving upon the 15/16-round results of Guo et al. in ASIACRYPT 2016). We also devise the best full-round distinguisher on Xoodoo, the internal permutation of Xoodyak, with a practically verifiable complexity of \(2^{32}\), and furnish the first third-party distinguishers on the Belarusian-standard hash function Bash. All distinguishers presented in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken, \(\textsf {SymSum}_\textsf {Sim}\) emerges as a better distinguisher than ZeroSum on all fronts and adds to the state of the art of cryptanalytic tools for investigating the non-randomness of cryptographic primitives.
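The ZeroSum baseline that the abstract measures \(\textsf {SymSum}_\textsf {Sim}\) against, as an added example that is not the paper's code and does not implement SymSum itself: a constructed 11-bit toy round (a rotation-based linear layer, Keccak's chi, an additive round constant; the width, rotation offsets and constants are arbitrary choices made here) is used to show (i) the algebraic degree bound of \(2^r\) after r rounds, read off the ANF via a Möbius transform, (ii) that a k-fold simple derivative, the XOR of the function over an affine subspace of dimension k, vanishes on every output bit as soon as k exceeds the degree, which is the ZeroSum distinguisher, with the order k capped by the number of controllable input bits (the MAD the abstract refers to), and (iii) that in this toy only the monomials of degree at least \(2^r - 1\) are provably unaffected by the round constants, which is the kind of round-constant (in)dependence of the top-degree monomials that the SymSum idea builds on. A truncated SHA-256 stands in for an ideal random function, on which the same sums are nonzero.

```python
"""Added example (not the paper's code): k-fold simple derivatives and the
ZeroSum test on a constructed, Keccak-flavoured 11-bit toy round function."""
import hashlib
import itertools

N = 11                        # toy width in bits; odd so that chi is a permutation
MASK = (1 << N) - 1
ROUND_CONSTANTS = [0x001, 0x08A, 0x4D3, 0x2B1]   # constructed values (like Keccak's iota)


def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (N - r))) & MASK


def theta_like(x):
    """Linear mixing layer standing in for theta/rho/pi (degree 1)."""
    return x ^ rotl(x, 1) ^ rotl(x, 5)


def chi(x):
    """Keccak's chi on one N-bit row: b_i = a_i ^ (~a_{i+1} & a_{i+2}); degree 2."""
    return x ^ (~rotr(x, 1) & rotr(x, 2))


def toy_perm(x, rounds, with_constants=True):
    """r rounds of (theta_like, chi, constant): algebraic degree at most 2**r."""
    for r in range(rounds):
        x = chi(theta_like(x)) ^ (ROUND_CONSTANTS[r] if with_constants else 0)
    return x


def anf_monomials(f, bit):
    """Monomials (as bitmasks of variables) in the ANF of output bit `bit` of f,
    computed by the Moebius transform of the full 2**N-entry truth table."""
    tt = [(f(x) >> bit) & 1 for x in range(1 << N)]
    for i in range(N):
        step = 1 << i
        for x in range(1 << N):
            if x & step:
                tt[x] ^= tt[x ^ step]
    return {m for m in range(1 << N) if tt[m]}


def algebraic_degree(f):
    return max((bin(m).count("1") for b in range(N) for m in anf_monomials(f, b)), default=0)


def kfold_derivative(f, directions, base=0):
    """k-fold simple derivative: XOR of f over base + span(directions), the
    directions being linearly independent.  It is zero on every output bit as
    soon as k > deg(f).  The order k cannot exceed the number of input bits
    one controls, which is the MAD barrier discussed in the abstract."""
    acc = 0
    for coeffs in itertools.product((0, 1), repeat=len(directions)):
        x = base
        for c, d in zip(coeffs, directions):
            if c:
                x ^= d
        acc ^= f(x)
    return acc


def zero_sum_holds(f, k, base=0):
    """ZeroSum test: order-k derivative along the first k unit vectors from `base`."""
    return kfold_derivative(f, [1 << i for i in range(k)], base) == 0


def constants_change_only_low_degree(rounds):
    """Constants are added after each degree-2 layer, so the constant-dependent
    part of r rounds has degree at most 2**r - 2 (d_r = d_{r-1} + 2**(r-1), d_1 = 0).
    Hence every monomial of degree >= 2**r - 1 is identical with or without constants."""
    threshold = 2 ** rounds - 1
    with_c = lambda x: toy_perm(x, rounds, True)
    without_c = lambda x: toy_perm(x, rounds, False)
    for b in range(N):
        top = lambda f: {m for m in anf_monomials(f, b) if bin(m).count("1") >= threshold}
        if top(with_c) != top(without_c):
            return False
    return True


def random_function(x):
    """Stand-in for an ideal function: SHA-256 of the input, truncated to N bits."""
    h = hashlib.sha256(b"toy-random-function:" + x.to_bytes(2, "big")).digest()
    return int.from_bytes(h[:2], "big") & MASK


def zero_sum_fails_for_random(k, cosets=4):
    """Number of distinct cosets of span(e_0..e_{k-1}) on which the random
    function's order-k sum is nonzero (each coset fails with prob. 1 - 2**-N)."""
    return sum(not zero_sum_holds(random_function, k, base=c << k) for c in range(cosets))


if __name__ == "__main__":
    for r in (1, 2, 3):
        f = lambda x, r=r: toy_perm(x, r)
        print(f"{r} round(s): degree {algebraic_degree(f)} (bound {2**r}); "
              f"order-{2**r + 1} zero-sum: {zero_sum_holds(f, 2**r + 1, base=0x2A5)}; "
              f"monomials of degree >= {2**r - 1} constant-free: "
              f"{constants_change_only_low_degree(r)}")
    print("random function, order 9: nonzero sums on",
          zero_sum_fails_for_random(9), "of 4 cosets")
```

The Möbius transform recovers the full ANF only because the toy is 11 bits wide; on the 1600-bit state of Keccak-\(p\) neither the ANF nor a full-dimension derivative is computable, which is why the distinguishers in the abstract are stated in terms of derivative order and complexity (\(2^{k}\) evaluations for an order-k derivative) rather than explicit polynomials.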
Title: Simple vs. vectorial: exploiting structural symmetry to beat the ZeroSum distinguisher