The PHOTON lightweight hash functions provide strong security arguments against all state-of-the-art attacks. In particular against differential and linear cryptanalysis: one can easily show that any 4-round differential path for any of the PHOTON internal permutations will contain at least (d+1)2 active Sboxes (i.e. Sboxes with a non-zero difference), where d stands for the size of the internal state cell square matrix (see Design page).
Security Claims
We claim the following best attack complexities for a PHOTON variant with hash output n, internal state t, capacity c and output bitrate r':
Collision: min{ 2n/2 ; 2c/2 }
2nd-Preimage: min{ 2n ; 2c/2 }
Preimage: min{ 2min{n,t} ; max{ 2min{n,t}-r' ; 2c/2 } }
This gives for the five PHOTON variants:
Best Known Cryptanalysis
We will list here the currently best known analysis against the PHOTON variants or one of its components. We recall that all PHOTON variants have 12 rounds.