Troika: a ternary cryptographic hash function

  • Stefan Kölbl
  • Elmar TischhauserEmail author
  • Patrick Derbez
  • Andrey Bogdanov


Linear codes over finite fields are one of the most well-studied areas in coding theory. While codes over finite fields of characteristic two are of particular practical interest due to their good implementation properties, ternary codes have been extensively studied as well. By contrast, there has been essentially no research into ternary cryptographic algorithms. The only exception to date is a cryptocurrency and distributed ledger technology called IOTA which is ternary and has been designed primarily for use in the Internet of Things. Its security depends on using a secure cryptographic hash function over \(\mathbb {F}_{3}\). With all existing hash designs being binary, a ternary prototype called Curl-P had been developed, however was found to admit practical collision attacks. A ternary adaption of SHA-3 called Kerl is currently used instead, but comparatively inefficient. In this paper, we propose a new ternary hash function called Troika which is tailored for use in IOTA’s ternary distributed ledger and can be used as a drop-in replacement for Kerl. The design of Troika leverages elements from the well-established Keccak and Rijndael design philosophies, while being designed for efficiency in terms of basic \(\mathbb {F}_{3}\) operations. In particular, it features a novel 3-trit S-box which is differentially 3-uniform while being implementable in only 7 additions and multiplications over \(\mathbb {F}_{3}\). Troika is designed to offer a security level comparable to SHA-3. It is expected that Troika, as part of IOTA’s distributed ledger, will find widespread commercial real-world use in the near- to mid-term future. We believe that not the least due to its unorthodox ternary design, it will provide both a practically relevant and interesting target for further cryptanalysis.


Cryptographic hash functions Sponge construction Ternary codes 

Mathematics Subject Classification



Supplementary material


  1. 1.
    Beierle C., Canteaut A., Leander G., Rotella Y.: Proving resistance against invariant attacks: How to choose the round constants. In: Katz J., Shacham H., (eds) Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20–24, 2017, Proceedings, Part II, vol. 10402. Lecture Notes in Computer Science, pp. 647–678. Springer, New York (2017).Google Scholar
  2. 2.
    Bertoni G., Daemen J., Peeters M., Van Assche G.: On the indifferentiability of the Sponge construction. In: Smart, Nigel P. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 4965, pp. 181–197. Springer, New York (2008).Google Scholar
  3. 3.
    Bertoni G., Daemen J., Peeters M., Van Assche G.: Keccak sponge function family main document. Submission to NIST SHA-3 competition (Round 3). (2011).
  4. 4.
    Bertoni G., Daemen J., Peeters M., Van Assche G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri A, Vaudenay S, (eds.) Selected areas in cryptography—18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11–12, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 7118, pp. 320–337. Springer, New York (2011).Google Scholar
  5. 5.
    Bertoni G., Daemen J., Peeters M., Van Assche G.: Cryptographic sponge functions, version 0.1. (2011).
  6. 6.
    Bertoni G., Daemen J., Peeters M., Van Assche G.: The Keccak reference, version 3.0. Submission to NIST (SHA-3 competition, final round) (2011).Google Scholar
  7. 7.
    Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991).MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Biryukov A., Wagner D.A.: Slide attacks. In: Knudsen, L.R., (eds.) Fast Software Encryption, 6th International Workshop, FSE ’99, Rome, Italy, March 24–26, 1999, Proceedings. Lecture Notes in Computer Science, vol. 1636, pp. 245–259. Springer, New York (1999).Google Scholar
  9. 9.
    Bogdanov A., Knudsen L., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Paillier P., Verbauwhede I., (eds.) CHES. Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer, New York (2007).Google Scholar
  10. 10.
    Chen G., Li R.: Ternary self-orthogonal codes of dual distance three and ternary quantum codes of distance three. Des. Codes Cryptogr. 69(1), 53–63 (2013).MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Daemen J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, Leuven, Belgium (1995)Google Scholar
  12. 12.
    Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Springer, New York (2002).CrossRefzbMATHGoogle Scholar
  13. 13.
    Daemen J., Knudsen L.R., Rijmen V.: Linear frameworks for block ciphers. Des. Codes Cryptogr. 22(1), 65–87 (2001).MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Gauravaram P., Knudsen L.R., Matusiewicz K., Mendel F., Rechberger C., Schläffer M., Thomsen S.S.: Grøstl—a SHA-3 candidate. Submission to NIST (SHA-3 competition, final round) (2011).Google Scholar
  15. 15.
    Granboulan L., Levieil É., Piret G.: Pseudorandom permutation families over abelian groups. In: Robshaw M.J.B. (ed.) Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15–17, 2006, Revised Selected Papers. Lecture Notes in Computer Science, vol. 4047, pp. 57–77. Springer, New York (2006).Google Scholar
  16. 16.
    Greenough P.P., Hill R.: Optimal ternary quasi-cyclic codes. Des. Codes Cryptogr. 2(1), 81–91 (1992).MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Heilman E., Narula N., Tanzer G., Lovejoy J., Colavita M., Virza M., Dryja T.: Cryptanalysis of Curl-P and Other Attacks on the IOTA Cryptocurrency. BlackHat, USA 2018 (2018).Google Scholar
  18. 18.
    Helleseth T., Kholosha A.: New ternary binomial bent functions. In: IEEE International Symposium on Information Theory, ISIT 2016, Barcelona, Spain, July 10–15, 2016, pp. 101–104. IEEE (2016).Google Scholar
  19. 19.
    Hill R., Newton D.E.: Optimal ternary linear codes. Des. Codes Cryptogr. 2(2), 137–157 (1992).MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Hong D., Lee J.-K., Kim D.-C., Kwon D., Ryu K.H., Lee D.: LEA: a 128-bit block cipher for fast encryption on common processors. In: Kim Y., Lee H., Perrig A. (eds.) Information Security Applications—14th International Workshop, WISA 2013, Jeju Island, Korea, August 19–21, 2013, Revised Selected Papers. Lecture Notes in Computer Science, vol. 8267, pp. 3–27. Springer, New York (2013).Google Scholar
  21. 21.
    Hong D., Sung J., Hong S., Lim J., Lee S., Koo B., Lee C., Chang D., Lee J., Jeong K., Kim H., Kim J., Chee S.: HIGHT: A new block cipher suitable for low-resource device. In: Goubin L., Matsui M. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2006, 8th International Workshop, Yokohama, Japan, October 10–13, 2006, Proceedings. Lecture Notes in Computer Science, , vol. 4249, pp. 46–59. Springer, New York (2006).Google Scholar
  22. 22.
    Kölbl S.: CryptoSMT: an easy to use tool for cryptanalysis of symmetric primitives.
  23. 23.
    Leander G., Abdelraheem M.A., AlKhzaimi H., Zenner E.: A cryptanalysis of printcipher: the invariant subspace attack. In: Rogaway P. (ed.) Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6841, pp. 206–221. Springer, New York (2011).Google Scholar
  24. 24.
    Lidl R., Niederreiter H.: Introduction to Finite Fields and Their Applications. Cambridge University Press, revised edition (1994).Google Scholar
  25. 25.
    MacWilliams F.J., Sloane N.J.A.: The Theory of Error-Correcting Codes, 2nd edn. North-holland Publishing Company, Amsterdam (1978).zbMATHGoogle Scholar
  26. 26.
    Matsui M.: Linear cryptoanalysis method for DES cipher. In: Helleseth T. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, New York (1993).Google Scholar
  27. 27.
    Matsui M.: The first experimental cryptanalysis of the Data Encryption Standard. In: Desmedt Y. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 839, pp. 1–11. Springer, New York (1994).Google Scholar
  28. 28.
    Mella S., Daemen J., Van Assche G.: New techniques for trail bounds and application to differential trails in keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017).Google Scholar
  29. 29.
    Morrison K.E.: Random maps and permutations. Technical report, California Polytechnic State University, San Luis Obispo (1998).Google Scholar
  30. 30.
    Ness G.J., Helleseth T.: A new family of ternary almost perfect nonlinear mappings. IEEE Trans. Inf. Theory 53(7), 2581–2586 (2007).MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Rijmen V.: Cryptanalysis and design of iterated block ciphers. PhD thesis, Katholieke Universiteit Leuven, Leuven, Belgium (1997).Google Scholar
  32. 32.
    Shibutani K., Isobe T., Hiwatari H., Mitsuda A., Akishita T., Shirai T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel B., Takagi T. (eds.) CHES. Lecture Notes in Computer Science, vol. 6917, pp. 342–357. Springer, New York (2011).Google Scholar
  33. 33.
    Shirai T., Shibutani K., Akishita T., Moriai S., Iwata T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov A. (ed.) FSE. Lecture Notes in Computer Science, vol. 4593, pp. 181–195. Springer, New York (2007).Google Scholar
  34. 34.
    Stoffelen K., Daemen J.: Column parity mixers. IACR Trans. Symmetric Cryptol. 2018(1), 126–159 (2018).Google Scholar
  35. 35.
    Todo Y., Leander G., Sasaki Y.: Nonlinear invariant attack—practical attack on full scream, iscream, and midori64. In: Cheon J.H., Takagi T. (eds.) Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10032, pp. 3–33 (2016).Google Scholar
  36. 36.
    Wei Y., Ye T., Wu W., Pasalic E.: Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Transactions on Symmetric Cryptology, 2018(4), to appear (2019).Google Scholar
  37. 37.
    Zhou Z.: Three-weight ternary linear codes from a family of cyclic difference sets. Des. Codes Cryptogr. 86(11), 2513–2523 (2018).MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Cybercrypt A/SCopenhagenDenmark
  2. 2.IRISARennesFrance
  3. 3.Technical University of DenmarkLyngbyDenmark

Personalised recommendations