Troika: a ternary cryptographic hash function

Abstract

Linear codes over finite fields are one of the most well-studied areas in coding theory. While codes over finite fields of characteristic two are of particular practical interest due to their good implementation properties, ternary codes have been extensively studied as well. By contrast, there has been essentially no research into ternary cryptographic algorithms. The only exception to date is a cryptocurrency and distributed ledger technology called IOTA which is ternary and has been designed primarily for use in the Internet of Things. Its security depends on using a secure cryptographic hash function over \(\mathbb {F}_{3}\). With all existing hash designs being binary, a ternary prototype called Curl-P had been developed, however was found to admit practical collision attacks. A ternary adaption of SHA-3 called Kerl is currently used instead, but comparatively inefficient. In this paper, we propose a new ternary hash function called Troika which is tailored for use in IOTA’s ternary distributed ledger and can be used as a drop-in replacement for Kerl. The design of Troika leverages elements from the well-established Keccak and Rijndael design philosophies, while being designed for efficiency in terms of basic \(\mathbb {F}_{3}\) operations. In particular, it features a novel 3-trit S-box which is differentially 3-uniform while being implementable in only 7 additions and multiplications over \(\mathbb {F}_{3}\). Troika is designed to offer a security level comparable to SHA-3. It is expected that Troika, as part of IOTA’s distributed ledger, will find widespread commercial real-world use in the near- to mid-term future. We believe that not the least due to its unorthodox ternary design, it will provide both a practically relevant and interesting target for further cryptanalysis.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2

References

  1. 1.

    Beierle C., Canteaut A., Leander G., Rotella Y.: Proving resistance against invariant attacks: How to choose the round constants. In: Katz J., Shacham H., (eds) Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20–24, 2017, Proceedings, Part II, vol. 10402. Lecture Notes in Computer Science, pp. 647–678. Springer, New York (2017).

    Google Scholar 

  2. 2.

    Bertoni G., Daemen J., Peeters M., Van Assche G.: On the indifferentiability of the Sponge construction. In: Smart, Nigel P. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 4965, pp. 181–197. Springer, New York (2008).

    Google Scholar 

  3. 3.

    Bertoni G., Daemen J., Peeters M., Van Assche G.: Keccak sponge function family main document. Submission to NIST SHA-3 competition (Round 3). http://keccak.noekeon.org/ (2011).

  4. 4.

    Bertoni G., Daemen J., Peeters M., Van Assche G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri A, Vaudenay S, (eds.) Selected areas in cryptography—18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11–12, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 7118, pp. 320–337. Springer, New York (2011).

    Google Scholar 

  5. 5.

    Bertoni G., Daemen J., Peeters M., Van Assche G.: Cryptographic sponge functions, version 0.1. https://keccak.team/files/CSF-0.1.pdf (2011).

  6. 6.

    Bertoni G., Daemen J., Peeters M., Van Assche G.: The Keccak reference, version 3.0. Submission to NIST (SHA-3 competition, final round) (2011).

  7. 7.

    Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991).

    MathSciNet  Article  Google Scholar 

  8. 8.

    Biryukov A., Wagner D.A.: Slide attacks. In: Knudsen, L.R., (eds.) Fast Software Encryption, 6th International Workshop, FSE ’99, Rome, Italy, March 24–26, 1999, Proceedings. Lecture Notes in Computer Science, vol. 1636, pp. 245–259. Springer, New York (1999).

  9. 9.

    Bogdanov A., Knudsen L., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Paillier P., Verbauwhede I., (eds.) CHES. Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer, New York (2007).

  10. 10.

    Chen G., Li R.: Ternary self-orthogonal codes of dual distance three and ternary quantum codes of distance three. Des. Codes Cryptogr. 69(1), 53–63 (2013).

    MathSciNet  Article  Google Scholar 

  11. 11.

    Daemen J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, Leuven, Belgium (1995)

  12. 12.

    Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Springer, New York (2002).

    Google Scholar 

  13. 13.

    Daemen J., Knudsen L.R., Rijmen V.: Linear frameworks for block ciphers. Des. Codes Cryptogr. 22(1), 65–87 (2001).

    MathSciNet  Article  Google Scholar 

  14. 14.

    Gauravaram P., Knudsen L.R., Matusiewicz K., Mendel F., Rechberger C., Schläffer M., Thomsen S.S.: Grøstl—a SHA-3 candidate. Submission to NIST (SHA-3 competition, final round) (2011).

  15. 15.

    Granboulan L., Levieil É., Piret G.: Pseudorandom permutation families over abelian groups. In: Robshaw M.J.B. (ed.) Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15–17, 2006, Revised Selected Papers. Lecture Notes in Computer Science, vol. 4047, pp. 57–77. Springer, New York (2006).

    Google Scholar 

  16. 16.

    Greenough P.P., Hill R.: Optimal ternary quasi-cyclic codes. Des. Codes Cryptogr. 2(1), 81–91 (1992).

    MathSciNet  Article  Google Scholar 

  17. 17.

    Heilman E., Narula N., Tanzer G., Lovejoy J., Colavita M., Virza M., Dryja T.: Cryptanalysis of Curl-P and Other Attacks on the IOTA Cryptocurrency. BlackHat, USA 2018 (2018).

  18. 18.

    Helleseth T., Kholosha A.: New ternary binomial bent functions. In: IEEE International Symposium on Information Theory, ISIT 2016, Barcelona, Spain, July 10–15, 2016, pp. 101–104. IEEE (2016).

  19. 19.

    Hill R., Newton D.E.: Optimal ternary linear codes. Des. Codes Cryptogr. 2(2), 137–157 (1992).

    MathSciNet  Article  Google Scholar 

  20. 20.

    Hong D., Lee J.-K., Kim D.-C., Kwon D., Ryu K.H., Lee D.: LEA: a 128-bit block cipher for fast encryption on common processors. In: Kim Y., Lee H., Perrig A. (eds.) Information Security Applications—14th International Workshop, WISA 2013, Jeju Island, Korea, August 19–21, 2013, Revised Selected Papers. Lecture Notes in Computer Science, vol. 8267, pp. 3–27. Springer, New York (2013).

  21. 21.

    Hong D., Sung J., Hong S., Lim J., Lee S., Koo B., Lee C., Chang D., Lee J., Jeong K., Kim H., Kim J., Chee S.: HIGHT: A new block cipher suitable for low-resource device. In: Goubin L., Matsui M. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2006, 8th International Workshop, Yokohama, Japan, October 10–13, 2006, Proceedings. Lecture Notes in Computer Science, , vol. 4249, pp. 46–59. Springer, New York (2006).

    Google Scholar 

  22. 22.

    Kölbl S.: CryptoSMT: an easy to use tool for cryptanalysis of symmetric primitives. https://github.com/kste/cryptosmt.

  23. 23.

    Leander G., Abdelraheem M.A., AlKhzaimi H., Zenner E.: A cryptanalysis of printcipher: the invariant subspace attack. In: Rogaway P. (ed.) Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6841, pp. 206–221. Springer, New York (2011).

    Google Scholar 

  24. 24.

    Lidl R., Niederreiter H.: Introduction to Finite Fields and Their Applications. Cambridge University Press, revised edition (1994).

  25. 25.

    MacWilliams F.J., Sloane N.J.A.: The Theory of Error-Correcting Codes, 2nd edn. North-holland Publishing Company, Amsterdam (1978).

    Google Scholar 

  26. 26.

    Matsui M.: Linear cryptoanalysis method for DES cipher. In: Helleseth T. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, New York (1993).

  27. 27.

    Matsui M.: The first experimental cryptanalysis of the Data Encryption Standard. In: Desmedt Y. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 839, pp. 1–11. Springer, New York (1994).

    Google Scholar 

  28. 28.

    Mella S., Daemen J., Van Assche G.: New techniques for trail bounds and application to differential trails in keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017).

    Google Scholar 

  29. 29.

    Morrison K.E.: Random maps and permutations. Technical report, California Polytechnic State University, San Luis Obispo (1998).

  30. 30.

    Ness G.J., Helleseth T.: A new family of ternary almost perfect nonlinear mappings. IEEE Trans. Inf. Theory 53(7), 2581–2586 (2007).

    MathSciNet  Article  Google Scholar 

  31. 31.

    Rijmen V.: Cryptanalysis and design of iterated block ciphers. PhD thesis, Katholieke Universiteit Leuven, Leuven, Belgium (1997).

  32. 32.

    Shibutani K., Isobe T., Hiwatari H., Mitsuda A., Akishita T., Shirai T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel B., Takagi T. (eds.) CHES. Lecture Notes in Computer Science, vol. 6917, pp. 342–357. Springer, New York (2011).

    Google Scholar 

  33. 33.

    Shirai T., Shibutani K., Akishita T., Moriai S., Iwata T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov A. (ed.) FSE. Lecture Notes in Computer Science, vol. 4593, pp. 181–195. Springer, New York (2007).

    Google Scholar 

  34. 34.

    Stoffelen K., Daemen J.: Column parity mixers. IACR Trans. Symmetric Cryptol. 2018(1), 126–159 (2018).

    Google Scholar 

  35. 35.

    Todo Y., Leander G., Sasaki Y.: Nonlinear invariant attack—practical attack on full scream, iscream, and midori64. In: Cheon J.H., Takagi T. (eds.) Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10032, pp. 3–33 (2016).

  36. 36.

    Wei Y., Ye T., Wu W., Pasalic E.: Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Transactions on Symmetric Cryptology, 2018(4), to appear (2019).

  37. 37.

    Zhou Z.: Three-weight ternary linear codes from a family of cyclic difference sets. Des. Codes Cryptogr. 86(11), 2513–2523 (2018).

    MathSciNet  Article  Google Scholar 

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Elmar Tischhauser.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Communicated by L. Knudsen.

Appendices

A Illustration of the state layout of Troika

Fig. 3
figure3

Illustration of the nomenclature for different parts of the state of Troika

Fig. 4
figure4

Illustration of the rate (orange) and capacity (white) parts of the state of Troika

B Test vectors

Table 8 Test vectors for Troika

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kölbl, S., Tischhauser, E., Derbez, P. et al. Troika: a ternary cryptographic hash function. Des. Codes Cryptogr. 88, 91–117 (2020). https://doi.org/10.1007/s10623-019-00673-2

Download citation

Keywords

  • Cryptographic hash functions
  • Sponge construction
  • Ternary codes

Mathematics Subject Classification

  • 94A60