Designs, Codes and Cryptography

, Volume 87, Issue 6, pp 1271–1296 | Cite as

MILP-aided cube-attack-like cryptanalysis on Keccak Keyed modes

  • Wenquan Bi
  • Xiaoyang DongEmail author
  • Zheng Li
  • Rui Zong
  • Xiaoyun WangEmail author


Cube-attack-like cryptanalysis was proposed by Dinur et al. at EUROCRYPT 2015, which recovers the key of Keccak keyed modes in a divide-and-conquer manner. In their attack, one selects cube variables manually, which leads to more key bits involved in the key-recovery attack, so the complexity is too high unnecessarily. In this paper, we introduce a new MILP model and make the cube attacks better on the Keccak keyed modes. Using this new MILP tool, we find the optimal cube variables for Keccak-MAC, Keyak and Ketje, which makes that a minimum number of key bits are involved in the key-recovery attack. For example, when the capacity is 256, we find a new 32-dimension cube for Keccak-MAC that involves only 18 key bits instead of Dinur et al.’s 64 bits and the complexity of the 6-round attack is reduced to \(2^{42}\) from \(2^{66}\). More impressively, using this new tool, we give the very first 7-round key-recovery attack on Keccak-MAC-512. We get the 8-round key-recovery attacks on Lake Keyak in nonce-respected setting. In addition, we get the best attacks on Ketje Major/Minor. For Ketje Major, when the length of nonce is 9 lanes, we could improve the best previous 6-round attack to 7-round. Our attacks do not threaten the full-round (12) Keyak/Ketje or the full-round (24) Keccak-MAC. When comparing with Huang et al.’s conditional cube attack, the MILP-aided cube-attack-like cryptanalysis has larger effective range and gets the best results on the Keccak keyed variants with relatively smaller number of degrees of freedom.


Keccak-MAC Keyak Ketje MILP Cube attack 

Mathematics Subject Classification




This work is supported by National Key Research and Development Program of China (No. 2017YFA0303903), National Cryptography Development Fund (Nos. MMJJ20180101, MMJJ20170121), National Natural Science Foundation of China (No. 61672019).


  1. 1.
    Berton G., Daemen J., Peeters M., Assche G.V., Keer R.V.: CAESAR submission: Ketje v2 (2016). Accessed 01 Aug 2018.
  2. 2.
    Berton G., Daemen J., Peeters M., Assche G.V., Keer R.V.: CAESAR submission: Keyak v2 (2016).
  3. 3.
    Berton G., Daemen J., Peeters M., Assche G.V.: The Keccak sponge function family.
  4. 4.
    Bertoni G., Daemen J., Peeters M., Assche G.V.: Duplexing the sponge: singlepass authenticated encryption and other applications. In: SAC 2011, pp. 320–337 (2011).Google Scholar
  5. 5.
    Bi W., Li Z., Dong X., Li L., Wang X.: Conditional cube attack on roundreduced river keyak. Des. Codes Cryptogr. 86, 1295–1310 (2017).CrossRefzbMATHGoogle Scholar
  6. 6.
    Cui T., Jia K., Fu K., Chen S., Wang M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. In: IACR Cryptology ePrint Archive, 2016/689 (2016).Google Scholar
  7. 7.
    Daemen J., Van Assche G.: Differential propagation analysis of Keccak. In: FSE 2012, vol. 7549, pp. 422–441. Springer, New York (2012).Google Scholar
  8. 8.
    Dinur I., Shamir A.: Cube attacks on tweakable black box polynomials. In: EUROCRYPT 2009, pp. 278–299 (2009).Google Scholar
  9. 9.
    Dinur I., Dunkelman O., Shamir A.: New attacks on Keccak-224 and Keccak-256. In: FSE 2012. pp. 442–461. Springer, New York (2012).Google Scholar
  10. 10.
    Dinur I., Dunkelman O., Shamir A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: FSE 2013. pp. 219–240. Springer, New York (2013).Google Scholar
  11. 11.
    Dinur I., Morawiecki P., Pieprzyk J., Srebrny M., Straus M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: EUROCRYPT 2015, pp. 733–761 (2015).Google Scholar
  12. 12.
    Dobraunig C., Eichlseder M., Mendel F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: ASIACRYPT 2015, pp. 490–509 (2015).Google Scholar
  13. 13.
    Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Cryptanalysis of Ascon. In: CT-RSA 2015, pp. 371–387 (2015).Google Scholar
  14. 14.
    Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1. 2. Submission to the CAESAR Competition (2016).Google Scholar
  15. 15.
    Dong X., Li Z., Wang X., Qin L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017, 259–280 (2017).Google Scholar
  16. 16.
    Duc A., Guo J., Peyrin T., Wei L.: Unaligned rebound attack: application to Keccak. In: FSE 2012. pp. 402–421. Springer, New York (2012).Google Scholar
  17. 17.
    Guo J., Liu M., Song L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: ASIACRYPT 2016, Part I. pp. 249–274. Springer, New York (2016).Google Scholar
  18. 18.
  19. 19.
    Huang S., Wang X., Xu G., Wang M., Zhao J.: Conditional cube attack on reduced-round Keccak sponge function. In: EUROCRYPT 2017, pp. 259–288 (2017).Google Scholar
  20. 20.
    Li Z., Bi W., Dong X., Wang X.: Improved conditional cube attacks on Keccak keyed modes with milp method. Cryptology ePrint Archive, Report 2017/804 (2017).
  21. 21.
    Li Z., Dong X., Wang X.: Conditional cube attack on round-reduced ASCON. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017).Google Scholar
  22. 22.
    Mella S., Daemen J., Assche G.V.: New techniques for trail bounds and application to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017).
  23. 23.
    Morawiecki P., Pieprzyk J., Srebrny M.: Rotational cryptanalysis of roundreduced Keccak. In: FSE2013. pp. 241–262. Springer, New York (2013).Google Scholar
  24. 24.
    Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Inscrypt 2011. pp. 57–76. Springer, New York (2011).Google Scholar
  25. 25.
    Qiao K., Song L., Liu M., Guo J.: New collision attacks on round-reduced Keccak. In: EUROCRYPT 2017. pp. 216–243. Springer, New York (2017).Google Scholar
  26. 26.
    Sasaki Y., Todo Y.: New impossible differential search tool from design and cryptanalysis aspects—revealing structural properties of several ciphers. In: EUROCRYPT 2017, Part III. pp. 185–215 (2017).Google Scholar
  27. 27.
    Song L., Liao G., Guo J.: Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. In: CRYPTO 2017. pp. 428–451. Springer, New York (2017).Google Scholar
  28. 28.
    Song L., Guo J., Shi D.: New milp modeling: improved conditional cube attacks to Keccak-based constructions. Cryptology ePrint Archive, Report 2017/1030 (2017).
  29. 29.
    Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: ASIACRYPT 2014. pp. 158–178. Springer, New York (2014).Google Scholar
  30. 30.
    Wang X., Yu H.: How to break MD5 and other hash functions. In: EUROCRYPT 2005. pp. 19–35. Springer, New York (2005).Google Scholar
  31. 31.
    Wang X., Yin Y.L., Yu H.: Finding Collisions in the Full SHA-1. In: CRYPTO 2005. pp. 17–36. Springer, New York (2005).Google Scholar
  32. 32.
    Xiang Z., Zhang W., Bao Z., Lin D.: Applying milp method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: ASIACRYPT 2016, Part I. pp. 648–678. Springer, New York (2016).Google Scholar
  33. 33.
    Ye C., Tian T.: New insights into divide-and-conquer attacks on the round-reduced Keccak-mac. Cryptology ePrint Archive, Report 2018/059 (2018).
  34. 34.
    Zong R., Dong X., Wang X.: Related-tweakey impossible differential attack on reduced-round Deoxys-BC-25 cryptology ePrint Archive, Report 2018/680 (2018).
  35. 35.
    Zong R., Dong X., Wang X.: MILP-paided related-tweak/key impossible differential attack and its applications to QARMA, Joltik-BC. Cryptology ePrint Archive, Report 2018/142 (2018).

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Key Laboratory of Cryptologic Technology and Information Security, Ministry of EducationShandong UniversityJinanChina
  2. 2.Institute for Advanced StudyTsinghua UniversityBeijingChina

Personalised recommendations