Security

The PHOTON lightweight hash functions provide strong security arguments against all state-of-the-art attacks. In particular against differential and linear cryptanalysis: one can easily show that any 4-round differential path for any of the PHOTON internal permutations will contain at least (d+1)2 active Sboxes (i.e. Sboxes with a non-zero difference), where d stands for the size of the internal state cell square matrix (see Design page).

Security Claims

We claim the following best attack complexities for a PHOTON variant with hash output n, internal state t, capacity c and output bitrate r':
  • Collision: min{ 2n/2 ; 2c/2 }
  • 2nd-Preimage: min{ 2n ; 2c/2 }
  • Preimage: min{ 2min{n,t} ; max{ 2min{n,t}-r' ; 2c/2 } }

This gives for the five PHOTON variants:


hash
output n
internal
state t
capacity c output
bitrate r' 
Preimage2nd-PreimageCollision
PHOTON-80/20/16801008016264240240
PHOTON-128/16/16128144128162112264264
PHOTON-160/36/36160196160362124280280
PHOTON-224/32/3222425622432219221122112
PHOTON-256/32/3225628825632222421282128

Best Known Cryptanalysis

We will list here the currently best known analysis against the PHOTON variants or one of its components. We recall that all PHOTON variants have 12 rounds.

PHOTON
versions
 type of attack  Component analyzed number of rounds 
computation
complexity
 memory complexity  generic complexity  comment Reference
PHOTON-80/20/16  distinguisher internal perm.  8 28 24 210 super-sbox original article
PHOTON-128/16/16 distinguisher  internal perm.  8 28 24 212 super-sbox original article
PHOTON-160/36/36  distinguisher  internal perm.  8 28 24 214 super-sbox original article
PHOTON-224/32/32  distinguisher  internal perm.  8 28 24 216 super-sbox original article
PHOTON-224/32/32 distinguisher internal perm.  9 2184 232 2192 parallel merging Jean et al. FSE 2012
PHOTON-256/32/32  distinguisher  internal perm.  8 216 28 224 super-sbox original article