Abstract

Cube-attack-like cryptanalysis on round-reduced Keccak was proposed by Dinur et al. at EUROCRYPT 2015. It recovers the key in two phases: a preprocessing phase that precomputes a look-up table, and an online phase that queries the output and obtains the cube sum, with which the right key can be retrieved by looking up the precomputed table. It was shown that such attacks are efficient specifically for Keccak-based constructions with small nonce or message block size. In this paper, we provide a mixed integer linear programming (MILP) model for cube-attack-like cryptanalysis on keyed Keccak, which does not impose any unnecessary constraint on cube variables and finds almost optimal cubes by balancing the two phases of cube-attack-like cryptanalysis. Our model is applied to Ketje Jr, Ketje Sr, a Xoodoo-based authenticated encryption and Keccak-MAC-512, all of which have a relatively small nonce or message block size. As a result, time complexities of 5-round attacks on Ketje Jr and 7-round attacks on Ketje Sr can be improved significantly. Meanwhile, 6-round attacks, one more round than the previous best attack, are possible if the key size of Ketje V1 (V2) is reduced to 72 (80) bits. For Xoodoo-based AE in Ketje style, the attack reaches 6 rounds. Additionally, a 7-round attack of Keccak-MAC-512 is achieved. To verify the correctness of our attacks, a 5-round attack on Ketje V1 is implemented and tested practically. It is noted that this work does not threaten the security of any Keccak-based construction.

Highlights

  • The Keccak hash function [BDPV11] was designed by Bertoni et al. and selected as the Secure Hash Algorithm-3 (SHA-3) of the National Institute of Standards and Technology of the U.S. (NIST) in 2012

  • We only focus on Keccak-message authentication codes (MAC)-512, i.e., the MAC based on Keccak-512

  • 16-dimensional conditional cubes do not exist for Ketje Jr [SGSL17], and 5-round attacks are impossible using conditional cube attacks, but both [DLWQ17] and our work show that it is not the case for cube-attack-like cryptanalysis


Summary

Introduction

The Keccak hash function [BDPV11] was designed by Bertoni et al. and selected as the Secure Hash Algorithm-3 (SHA-3) of the National Institute of Standards and Technology of the U.S. (NIST) in 2012. It has attracted intensive cryptanalysis from the community regarding collision, preimage, and second-preimage resistance [NRM11, MS13, DDS12, DDS13, GLS16, QSLG17, SLG17]. Practical collision (preimage) attacks on Keccak reduced up to 6 (4) out of 24 rounds were achieved. Apart from the keyless hash function, Keccak can be used under keyed modes, such as message authentication codes (MAC), stream ciphers, etc. What’s more, the Keccak permutation or its variant has been employed in other designs, such as authenticated encryptions (AE) Keyak [BDP+16b], Ketje [BDP+16a] and the pseudorandom function Kravatte [BDH+17b].

Received: 2018-03-01, Revised: 2018-06-01, Accepted: 2018-08-01, Published: 2018-09-04
