Abstract

The conditional cube attack on round-reduced Keccak keyed modes was proposed by Huang et al. at EUROCRYPT 2017. In their attack, a conditional cube variable was introduced, whose diffusion was significantly reduced by certain key bit conditions. The attack requires a set of cube variables which are not multiplied in the first round while the conditional cube variable is not multiplied with other cube variables (called ordinary cube variables) in the first two rounds. This has an impact on the degree of the output of Keccak and hence gives a distinguisher. Later, the MILP method was applied to find ordinary cube variables. However, for some Keccak based versions with few degrees of freedom, one could not find enough ordinary cube variables, which weakens or even invalidates the conditional cube attack.In this paper, a new conditional cube attack on Keccak is proposed. We remove the limitation that no cube variables multiply with each other in the first round. As a result, some quadratic terms may appear in the first round. We make use of some new bit conditions to prevent the quadratic terms from multiplying with other cube variables in the second round, so that there will be no cubic terms in the first two rounds. Furthermore, we introduce the kernel quadratic term and construct a 6-2-2 pattern to reduce the diffusion of quadratic terms significantly, where the Θ operation even in the second round becomes an identity transformation (CP-kernel property) for the kernel quadratic term. Previous conditional cube attacks on Keccak only explored the CP-kernel property of Θ operation in the first round. Therefore, more degrees of freedom are available for ordinary cube variables and fewer bit conditions are used to remove the cubic terms in the second round, which plays a key role in the conditional cube attack on versions with very few degrees of freedom. We also use the MILP method in the search of cube variables and give key-recovery attacks on round-reduced Keccak keyed modes.As a result, we reduce the time complexity of key-recovery attacks on 7-round Keccak-MAC-512 and 7-round Ketje Sr v2 from 2111, 299 to 272, 277, respectively. Additionally, we have reduced the time complexity of attacks on 9-round KMAC256 and 7-round Ketje Sr v1. Besides, practical attacks on 6-round Ketje Sr v1 and v2 are also given in this paper for the first time.

Highlights

  • Keccak [BDPVA09], designed by Bertoni et al, has been selected as the new cryptographic hash function standard SHA-3

  • While the basis of the new conditional cube attack shown in Corollary 2 is quite similar, it is to find q = 2n+1 − 1 ordinary cube variables that are not multiplied with v0v1 even in the second round

  • We introduce a new conditional cube attack on Keccak keyed modes

Read more

Summary

Introduction

Keccak [BDPVA09], designed by Bertoni et al, has been selected as the new cryptographic hash function standard SHA-3. The expected output degree of the 7-round Keccak-p permutation round under correct conditions will be 64, rather than 65 As shown in previous works [LBDW17, SGSL18, DLWQ17], it is hard to find enough ordinary cube variables that do not multiply with v0 in the first two rounds for Keccak versions with few degrees of freedom. We can find enough other cube variables that do not multiply with v0v1 in the second round with ease and can perform new key-recovery attacks on versions with few degrees of freedom, like Keccak-MAC-512 and Ketje Sr v2. Based on our new conditional cube attack, the time complexity of key-recovery attacks on 7-round Keccak-MAC-512, 7-round Ketje Sr v2, and 9-round KMAC256 is reduced from 2111, 299 and 2147 to 272, 277 and 2139, respectively.

The Keccak-p permutations
Keccak-MAC
Cube Attack
Dynamic Cube Attack
Conditional Differential Cryptanalysis
Conditional Cube Attack
MILP Model of Conditional Cube Attack
New Conditional Cube Attack
New 6-2-2 Pattern
MILP Model of the New Conditional Cube Attack
Attack on 7-round Keccak-MAC-512
Attack on Round-Reduced Ketje Sr
Attack on Round-Reduced Ketje Sr v1
Attack on Round-Reduced Ketje Sr v2
Attack on 9-round KMAC256
Conclusion
A Supplementary of Variables in MILP model

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.