
1 Introduction

The Keccak hash function family [5] is a proposal designed by Bertoni et al. and submitted to the SHA-3 competition [22] in 2008. It was selected as the final winner of the competition in 2012, and subsequently standardized as SHA-3 [29] in 2015 by the National Institute of Standards and Technology of the U.S. (NIST). It supports four digest sizes from \(\{224, 256, 384, 512\}\) to achieve different security levels. The standard SHA-3 and the original Keccak design differ only in the way messages are padded, and hence share almost all security analysis.

Since the Keccak hash function was made public in 2008, it has attracted intensive cryptanalysis from the research community in many different settings. With respect to the three major properties of hash functions (collision, preimage and second-preimage resistance), the best practical collision and preimage attacks reach 6 and 4 out of the total 24 rounds, respectively. By observing the low algebraic degree of the Sbox in Keccak, Guo et al. [17] proposed linear structures for up to 3 rounds of Keccak, where the Sbox can be re-expressed as a linear transformation when the input is restricted to specific affine subspaces. In [27], Song et al. found the first practical collision against 5-round Keccak-224, where they used 3-round “connectors” based on the pioneering work by Qiao et al. [23] and Dinur et al. [12].

There is also a line of research on analyzing the security of keyed constructions based on Keccak-p, the Keccak permutations with variable width and number of rounds. Message authentication codes are naturally among the first keyed constructions based on Keccak-p, e.g., Keccak-MAC [4] and KMAC [30]. In [13], Dinur et al. proposed the first cube attack against Keccak-MAC, with key recovery for up to 7 rounds and forgery for up to 8 rounds. The attack complexities were subsequently improved by Huang et al. using conditional cube attacks [19]. The authenticated encryption schemes Keyak [7] and Ketje [6] are also based on Keccak-p and its variants. Similar to the attacks against Keccak-MAC, the conditional cube attack was applied to Keyak for up to 8 out of 12 rounds [19], and to Ketje [15, 20] for up to 7 out of 13 rounds. Unlike the traditional approach of weakening the design by reducing the number of rounds, there is a recent attack against full Ketje with a tweaked rate size by Fuhr et al. [16]. Kravatte [2] is a pseudorandom function obtained by instantiating the Farfalle construction with Keccak-p. Algebraic attacks on Kravatte, including cube attacks, which take advantage of structural properties of Farfalle, were proposed in [9].

Following a similar design strategy to Keccak-MAC, KMAC [30] is the standard way of constructing a MAC from SHA-3 specified by NIST. The major design difference is that in KMAC the master key is processed as an independent data block before the message is processed, while in Keccak-MAC it was processed together with some message bits as the first data block. Hence, at the point of injecting the first message block, the internal state of KMAC is totally unknown, while most bits of that of Keccak-MAC are known. Similar observations were discovered and made use of in the so-called “Full-State Keyed Duplex (FKD)” [10, 21] to improve the efficiency of keyed sponge constructions. It is interesting to note that, despite the great similarity between Keccak-MAC and KMAC, there is no existing cryptanalysis result against KMAC to the best of our knowledge. Also, no cube attack on FKD that exploits full-state absorption has been proposed, as stated by the Keyak designers in [7]:

Whether these attacks can still be extended to more rounds by exploiting full-state absorbing remains an open question.

Our Contributions. Based on the previous works [15, 19, 20] on conditional cube attacks against Keccak-based keyed constructions, we propose a new Mixed Integer Linear Programming (MILP) modeling. While the number of rounds a cube tester (the zero-sum property) can cover is determined entirely by the algebraic degrees of the underlying permutations, the conditional cube attack can only be improved by finding cube variables with fewer conditions while keeping the cube size large enough. Our new MILP modeling is able to capture the characteristics of 2 Keccak rounds, as well as the linear structures used in the first round. This new modeling is generic and imposes no unnecessary conditions, and is hence able to find optimal conditional cubes, in terms of cube size and number of conditions, whenever possible. This comes with a few key techniques:

  1. We are able to model 2 Keccak rounds together, i.e., the Sbox layer of the first round, followed by the linear layer and the Sbox layer of the second round. To do this, we exhaustively list the propagations of variables through the first Sbox layer so as to keep the output of the Sbox linear. The second round is dealt with in different ways.

    • For normal Keccak-based constructions, we classify the situation of the linear layer in the second round into two cases depending on whether there is spreading of variables, and model each of them individually.

    • For FKD, we describe the column sums of the state after the Sbox layer of the first round with inequalities. With this, the diffusion of the second round can be described precisely with MILP.

    With all these together, we are able to convert all the necessary constraints in the search for conditional cubes into the MILP language.

  2. For FKD, instead of the initial state, the internal state value just before the first Sbox layer is used as (conditional) variables by setting the variables in the column parity kernel. This simple change removes all the unnecessary constraints brought up by the linear layer of the first Keccak round, and enlarges the space covered by our search program.

We apply this new MILP modeling to Keccak-based keyed constructions including Keccak-MAC, KMAC, Keyak, Ketje, and FKD and find new or better results for each of the constructions. Specifically:

  • For KMAC, due to the fact that it processes the key as an independent block compared with Keccak-MAC, it should provide better security and hence becomes harder for the attacker. With the same security level of 128 bits, we find attacks against KMAC128 reduced to 7 rounds, the same number of rounds found for Keccak-MAC in previous works. For KMAC256 aiming for 256 bits security, we find attacks up to 9 rounds combining a technique to invert the last round. Details are summarized in Table 1.

  • General complexity improvements are also found on the attacks against Keyak and Ketje. Notably, we improve the attack against Lake Keyak with 128-bit keys from 6 to 8 rounds in the nonce-respected setting and 9 rounds of Lake Keyak can be attacked if the key size is 256 bits. Details are summarized in Table 2.

  • Conditional cubes that fully linearize the first two rounds are targeted by our modeling and the open question of FKD is answered by extending cube attacks by one additional round.

Table 1. Summary of our attacks on KMAC, and Keccak-MAC with related works.
Table 2. Summary of our attacks on Keyak, Ketje and comparison with related works.

Very recently, another two MILP models [8, 25] were proposed for cube-attack-like cryptanalysis [13], together with some new results for keyed Keccak modes. In particular, 7 rounds of Keccak-MAC-512 can be attacked. In cube-attack-like cryptanalysis, only the first round is linearized and the idea is to choose cube variables such that they multiply with a small number of key bits in the first round. Therefore, one only needs to pay attention to the diffusion of the linear layer in the first round. Due to this, cube-attack-like cryptanalysis performs well especially when the degrees of freedom are limited, e.g., for smaller versions of Ketje. The drawback is that cube-attack-like cryptanalysis is not suitable for constructions with a fully unknown internal state, e.g., KMAC and Keccak-based FKD, which are our main targets of conditional cube attacks. In conditional cube attacks, by contrast, one has to deal with two rounds, for which more degrees of freedom are needed to control the diffusion of cube variables. Also, finding good conditional cubes is more challenging. However, if sufficient degrees of freedom are available, conditional cube attacks can exploit this and provide better attacks. Examples include attacks on all instances of Keyak, Ketje Major and Ketje Minor.

Organization. The remaining part of the paper is organized as follows. Section 2 gives a detailed description of Keccak-p based constructions, including Keccak, KMAC, Keyak and Ketje, followed by an introduction to related works in Sect. 3. Our new MILP model is presented in Sects. 4 and 5, and applied to the key recovery attacks on KMAC, Keyak, Ketje and full-state keyed duplex (FKD) in Sect. 6. Finally, Sect. 7 concludes the paper. Details of the cubes are provided in the full version of this paper [26].

2 Description of KMAC, Keyak and Ketje

2.1 Keccak-p

The Keccak-p permutations are specified with two parameters: the width of the permutation in bits \(\varvec{b}\) and the number of rounds \(\varvec{n_r}\). The Keccak-p permutation with \(\varvec{n_r}\) rounds and width \(\varvec{b}\) is denoted by Keccak-p[\(\varvec{b}\), \(\varvec{n_r}\)], where \(\varvec{n_r}\) is any positive integer and \(\varvec{b}\) can be any value of the form \(25\cdot 2^l\) for \(l=0, \cdots , 6\). The \(\varvec{b}\)-bit state a for the Keccak-p[\(\varvec{b,n_r}\)] permutation is seen as a three-dimensional array of bits, namely a[5][5][w] with \(w = 2^l\). The expression a[x][y][z] with \(0\le x, y<5\), \( 0\le z<w\), denotes the bit with coordinate (x, y, z). The coordinates are always taken modulo 5 for x and y and modulo w for z. The one-dimensional portion \(a[*][y][z]\) is called a row, \(a[x][*][z]\) a column and \(a[x][y][*]\) a lane. A lane of the state is also denoted by a[x][y] by omitting the z index. At lane level, the state a[x][y] becomes a \(5\times 5\) array as shown in Fig. 1, with x for the column index and y for the row index.

Fig. 1. Lane coordinates. Each square stands for a lane in the state.

The Keccak-p[\(\varvec{b,n_r}\)] permutation iterates an identical round function (up to the round-dependent constant addition) \(\varvec{n_r}\) times, each of which consists of five steps \(\mathtt{R}=\iota \circ \chi \circ \pi \circ \rho \circ \theta \), with details as follows.

\(\theta \): \(a[x][y][z]=a[x][y][z]\oplus \bigoplus _{y'=0}^4 a[x-1][y'][z]\oplus \bigoplus _{y'=0}^4 a[x+1][y'][z-1]\).

\(\rho \): \(a[x][y][z]= a[x][y][z - T(x,y)]\), where the \(T(x,y)\) are rotation constants.

\(\pi \): \(a[y][2x+3y][z]= a[x][y][z]\).

\(\chi \): \(a[x][y][z]= a[x][y][z]\oplus (a[x+1][y][z]\oplus 1)\cdot a[x+2][y][z]\).

\(\iota \): \(a[0][0]= a[0][0]\oplus RC_{i_r}\), where \(RC_{i_r}\) is the \(i_r\)-th round constant.

Here, ‘\(\oplus \)’ denotes XOR and ‘\(\cdot \)’ denotes logic AND. Expressions in the x and y coordinates should, as mentioned, be taken in modulo 5 and expressions in the z coordinate modulo w.

The Keccak-f family of permutations is a specification of the Keccak-p family to the case of \(\varvec{n_r} = 12 + 2l\), that is Keccak-f[\(\varvec{b}\)] = Keccak-p[\(\varvec{b}\), \(12 + 2l\)]. The permutation underlying SHA-3 and KMAC is of width 1600 bits and 24 rounds, i.e.,  Keccak-f[1600] = Keccak-p[1600, 24].

2.2 The Sponge Construction and KMAC

The sponge construction is a framework for constructing hash functions from permutations, as depicted in Fig. 2. The construction consists of three components: an underlying \(\varvec{b}\)-bit permutation f, a parameter \(\varvec{r}\) called the rate, and a padding rule. The capacity is defined as \(\varvec{c}:=\varvec{b}-\varvec{r}\). A hash function following this construction takes a message M as input and outputs a digest of \(\varvec{d}\) bits. The message M is first padded and split into \(\varvec{r}\)-bit blocks. The \(\varvec{b}\)-bit state is initialized to all zeros. The sponge construction then proceeds in two phases. In the absorbing phase, each message block is XORed into the first \(\varvec{r}\) bits of the state, followed by an application of the permutation f. This process is repeated until all message blocks are processed. Then, the sponge construction switches to the squeezing phase, where each iteration returns the first \(\varvec{r}\) bits of the state as output and then applies the permutation f to the current state. This repeats until a \(\varvec{d}\)-bit digest is obtained.

Fig. 2. Sponge construction [3].

Fig. 3. KMAC processing one message block.

The Keccak hash function follows the sponge construction and takes Keccak-f[1600] as the underlying permutation. In 2015, Keccak was formally standardized by NIST as SHA-3 [29], based on which more functions, including cSHAKE128, cSHAKE256 and KMAC, are derived in the NIST Special Publication 800-185 [30].

KMAC (Keccak Message Authentication Code) is a keyed hash function with a variable-length output, and can be used as a pseudorandom function. It has two variants, KMAC128 and KMAC256, based on Keccak\([\varvec{c}=256](M,L)\) and Keccak[\(\varvec{c}=512\)](M, L), whose capacities are set to 256 and 512 bits, respectively. The input of KMAC consists of the key K, the main message M, the output length L, the name string \(N =\) “KMAC” and the optional customization bit string S of any length (including 0). Given these inputs, KMAC first processes a block encoded from the public values N and S. Then it absorbs a block of the padded key, and absorbs message blocks from the third call of the permutation f onwards. Figure 3 demonstrates the procedure of KMAC processing one message block. Unlike Keccak, KMAC supports variable-length output: KMAC128 supports any output length of at least 256 bits, and KMAC256 any output length of at least 512 bits.

Keccak-MAC [4] is a Keccak-based MAC where Keccak directly takes the combination of a key and a message, i.e., K||M as input. The key size is assumed to be 128 bits.

2.3 The Duplex Construction and Keyak, Ketje

The duplex construction [4] is closely related to the sponge construction, and is mostly used for authenticated encryption. Following variants of the duplex construction, Keyak and Ketje [6, 7] are two Keccak-p based authenticated encryption schemes. Figure 4(a) shows the scheme of Keyak which employs an almost full-state keyed duplex construction [10]. It consists of five instances. In this paper, we focus on River Keyak and Lake Keyak which are based on Keccak-p[800, 12] and Keccak-p[1600, 12] respectively. The capacity for both versions is 256. Note that any attack on Lake Keyak is also applicable to the three remaining instances.

Fig. 4. (a) Keyak and (b) Ketje, where the finalization is omitted.

Figure 4(b) displays the scheme of Ketje. It employs a twisted version of Keccak-p, denoted by Keccak-\(p^{\star }\), where Keccak-\(p^{\star }\) \(=\pi \circ \) Keccak-p \(\circ \pi ^{-1}\). Specifically, the underlying permutations are \(f_0=\) Keccak-p[\(\varvec{b},12\)] and \(f_1=\) Keccak-p[\(\varvec{b},1\)]. Ketje has four instances, which are:

Name          \(\varvec{b}\)    \(\rho \)
Ketje JR      200               16
Ketje SR      400               32
Ketje Minor   800               128
Ketje Major   1600              256

In the old version of Ketje, Keccak-p, instead of Keccak-\(p^{\star }\), is used.

Full-state Keyed Duplex (resp. Full-state Keyed Sponge) [10, 21] is generalized from duplex (resp. sponge) for better efficiency by allowing full-state absorption. This idea has been applied to Keyak which absorbs data blocks of length greater than \(\varvec{r}\) bits.

2.4 Notations

In this paper, \(\varvec{r}\) and \(\varvec{c}\) in bold denote the rate and capacity of the sponge construction. \(\varvec{b}\) in bold stands for the width in bits of the permutation. The first three mappings \(\theta , \rho , \pi \) of the round function of Keccak-p are linear, and we denote their composition by \(\lambda \triangleq \pi \circ \rho \circ \theta \). The nonlinear layer \(\chi \) applied to each row is called an Sbox. Only one-block padded messages are considered in our attacks on KMAC, while there is no restriction on message length for attacks on the other instances.

For describing the model, we use the lowercase variables a, b, c, d to denote states and the capital ones, namely A, B, C, D, to denote their activeness, i.e., a bit is active if it contains cube variables. The dimension of the cube is denoted by d, and the number of conditions is denoted by t.

3 Related Works and Motivations

3.1 Cube Attacks

The cube attack, a variant of higher order differential attacks, was introduced by Dinur and Shamir [14] in 2009. It considers an output bit of a cipher as an unknown Boolean polynomial \(f(k_0,\cdots ,k_{n-1},v_0,\cdots ,v_{m-1})\), where \(k_0,\cdots ,k_{n-1}\) are secret input variables and \(v_0,\cdots ,v_{m-1}\) are public input variables. Given a monomial \(t_I=v_{i_1}\cdots v_{i_d}\), \(I=\{i_1,\cdots , i_d\}\) (\(d\le m\)), any Boolean polynomial f can be written as the sum of the terms that are divisible by \(t_I\) (i.e., contain \(t_I\)) and the terms that are not divisible by \(t_I\):

$$f(k_0,\cdots ,k_{n-1},v_0,\cdots ,v_{m-1}) = t_{I}\cdot p_{S_I} + q(k_0,\cdots ,k_{n-1},v_0,\cdots ,v_{m-1}),$$

where \(p_{S_I}\) is called the superpoly of I in f. The basic idea of cube attacks and cube testers [1] is that the sum of the outputs over the cube that contains all possible values of \(v_{i_1},\cdots ,v_{i_d}\) (called cube variables) is exactly \(p_{S_I}\), whereas for a random polynomial this sum would be a random function. By carefully selecting I, cube attacks aim to find a low-degree polynomial \(p_{S_I}\) in the secret variables, and cube testers aim to distinguish \(p_{S_I}\) from a random function, e.g., \(p_{S_I}=0\).

In [13], Dinur et al. applied cube attacks and cube testers to the keyed variants of Keccak, including Keccak-MAC, Keyak and a Keccak stream cipher.

3.2 Conditional Cube Attacks

In [19], Huang et al. developed conditional cube testers for the keyed Keccak sponge function, where the propagation of certain cube variables is controlled in the first few rounds if some conditions are satisfied. There are two major advantages of conditional cube testers over ordinary cube testers. One is to potentially reduce the algebraic degree of the permutation under the conditions, and hence the cube dimension required to carry out the attack can be reduced accordingly. The other advantage of conditional cubes is that the conditions, which control how the conditional cube variables propagate in the first few rounds, are related to the initial state values, which may contain key information. By observing the cube sum of the final output, one may recover the key.

To proceed further, we recall the definition of conditional cube variables and a theorem from [19] below.

Definition 1 ([19]). Cube variables that have propagation controlled in the first round and are not multiplied with each other in the second round of Keccak are called conditional cube variables. Cube variables that are not multiplied with each other in the first round and are not multiplied with any conditional cube variable in the second round are called ordinary cube variables.

Theorem 1 ([19]). For an \((n + 2)\)-round Keccak sponge function (\(n > 0\)), if there are p (\(0 \le p < 2^n+1\)) conditional cube variables \(v_0,\cdots ,v_{p-1}\), and \(q = 2^{n+1}-2p+1\) ordinary cube variables \(u_0,\cdots ,u_{q-1}\) (if \(q = 0\), we set \(p = 2^n + 1\)), then the term \(v_0v_1\cdots v_{p-1}u_0\cdots u_{q-1}\) will not appear in the output polynomials of the (\(n + 2\))-round Keccak sponge function.

Using conditional cube testers, better key recovery attacks were obtained for Keccak-MAC and Keyak in [19]. Later, the attacks on Keccak-MAC were further improved with better conditional cubes found by an MILP model in [20].

Attack Procedure. In previous works [19, 20], the number of conditional cube variables is chosen to be 1, i.e., \(p=1\). Then, over a conditional cube with dimension \(d=2^n\), the cube sum is zero for \((n+1)\)-round Keccak sponge function if the conditions are satisfied. For such a conditional cube whose conditions involve t-bit secret information, the (\(n+1\))-round attack proceeds in two steps as follows.

  1. Guess the t-bit secret information and set the conditions accordingly.

  2. Query the \(2^d=2^{2^n}\) outputs and calculate the cube sum. If the cube sum is zero, mark the guess as a candidate for the t-bit secret information.

The attack has a time and data complexity of \(2^{d+t}=2^{2^{n}+t}\). If t is far less than the output length, the t-bit secret information can be recovered uniquely. There may exist conditions that do not involve any secret information, but only the conditions involving secret information affect the complexities. In the following, t refers to the number of bits of secret information in the conditions.

3.3 Linear Structures

In [17], Guo et al. developed a technique named linear structure which allows linearization of Keccak-f for up to 3 rounds. Based on the linear structures, a series of new zero-sum distinguishers of Keccak-f were proposed, as well as several new preimage attacks against Keccak.

Let a[x][y], \(x=0,2, y=0,1,2,3\) be variables and \(a[x][4]=\bigoplus _{y=0}^{3}a[x][y]\oplus \alpha _x\) with any constant \(\alpha _x\), so that the variables in each column sum to a constant. The core idea is to reduce the diffusion effect of \(\theta \). With all column sums being constants, the variables do not propagate through \(\theta \). Note that \(\theta \) is the only mapping in \(\lambda \) with a diffusion property, so \(\lambda \) does not diffuse the variables under this setting. Figure 5 shows how the variables influence the internal state under the Keccak-f round function \(\mathtt{R}=\iota \circ \chi \circ \pi \circ \rho \circ {\theta }\). All bits of the lanes with orange slashes have algebraic degree 1, the lanes with orange dots have algebraic degree at most 1 (meaning each bit is either a variable of degree 1 or a constant), and the other lanes are all constants, where gray, light gray and white bits stand for the values 1, 0, and arbitrary constants, respectively. Note that the algebraic degrees are preserved by the linear operations \(\theta \), \(\rho \), \(\pi \), and \(\iota \). The only non-linear operation is \(\chi \), which increases the algebraic degree through the AND operation of two adjacent bits. As shown in the figure, no two variables before \(\chi \) are adjacent to each other, which makes sure that the algebraic degree of the state bits remains at most 1 after one round function R.

Moreover, a bit 1 (0) on the left (right) of a variable helps to restrict the diffusion of the variable through \(\chi \), while an unknown neighboring constant diffuses the variable in an uncertain way, as denoted by the lanes with orange dots where the variable has an uncertain coefficient. This structure has 512 degrees of freedom. Also, it can be regarded as a cube of dimension 512 that linearizes the first round.

Fig. 5. 1-round linear structure of Keccak-p with up to 512 degrees of freedom, with bits in orange slashes (resp. dots) of degree 1 (resp. at most 1), and gray, light gray and white bits being the values 1, 0, and arbitrary unknown constants, respectively.
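As an added, self-contained example (not code from the paper or from the Keccak team), the round function \(\mathtt{R}=\iota \circ \chi \circ \pi \circ \rho \circ \theta \) of Sect. 2.1 is implemented on a[x][y] lanes exactly as written there, checked by running it as SHA3-256 against a published test vector, and then used as a cube tester for the linear structure above: cube variables are placed in the column parity kernel (each variable in two bits of one column), so \(\theta \) does not spread them, the first round is linear, and a 3-round output of algebraic degree at most 4 sums to zero over a dimension-5 cube. The `base` constants standing in for the unknown state and the variable placement are constructed for the demonstration.

```python
import hashlib

W = 64                                   # lane width w = 2^l, l = 6 for b = 1600
MASK = (1 << W) - 1

def _rho_offsets():
    """Rotation constants T(x,y): triangular numbers laid along the pi walk (Keccak spec)."""
    off = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        off[x][y] = ((t + 1) * (t + 2) // 2) % W
        x, y = y, (2 * x + 3 * y) % 5
    return off

def _round_constants():
    """RC[i_r] from the degree-8 LFSR (x^8+x^6+x^5+x^4+1) of the Keccak spec."""
    def rc(t):
        r = 1
        for _ in range(t % 255):
            r <<= 1
            if r & 0x100:
                r ^= 0x171
        return r & 1
    consts = []
    for ir in range(24):
        c = 0
        for j in range(7):               # l + 1 bits, at bit positions 2^j - 1
            c |= rc(j + 7 * ir) << ((1 << j) - 1)
        consts.append(c)
    return consts

RHO = _rho_offsets()
RC = _round_constants()

def rotl(v, n):
    n %= W
    return ((v << n) | (v >> (W - n))) & MASK if n else v

def keccak_p(lanes, n_rounds):
    """Keccak-p[1600, n_rounds] on a 5x5 list of lanes a[x][y]; R = iota.chi.pi.rho.theta."""
    a = [row[:] for row in lanes]
    for ir in range(n_rounds):
        # theta: a[x][y][z] ^= C[x-1][z] ^ C[x+1][z-1], with C the column parities
        col = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [col[(x - 1) % 5] ^ rotl(col[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho then pi: a'[y][2x+3y] = rot(a[x][y], T(x,y))
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rotl(a[x][y], RHO[x][y])
        # chi (row-wise Sbox): a[x][y] = b[x][y] ^ ((b[x+1][y] ^ 1) & b[x+2][y])
        a = [[b[x][y] ^ ((b[(x + 1) % 5][y] ^ MASK) & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        a[0][0] ^= RC[ir]                # iota
    return a

def sha3_256(msg):
    """Sponge with r = 1088, c = 256 over Keccak-f[1600]; SHA-3 pads with 0x06 ... 0x80."""
    rate = 1088 // 8
    p = bytearray(msg) + b"\x06"
    p += b"\x00" * (-len(p) % rate)
    p[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(p), rate):   # absorbing phase; lane i of a block is a[i%5][i//5]
        for i in range(rate // 8):
            a[i % 5][i // 5] ^= int.from_bytes(p[off + 8 * i:off + 8 * i + 8], "little")
        a = keccak_p(a, 24)
    # squeezing phase: d = 256 bits fit in the first four lanes of one output
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def matches_stdlib(msg):
    return sha3_256(msg) == hashlib.sha3_256(msg).digest()

def cube_sum(n_rounds, dim, in_kernel):
    """XOR of the n_rounds-round Keccak-p output over a 2^dim cube.  Cube variable v_i
    sits at a[0][0][i]; with in_kernel it is copied to a[0][1][i] as well, so every
    column sum is constant (column parity kernel): theta does not spread the v_i, and
    lanes (0,0) and (0,1) reach different rows after pi, so the first round is linear."""
    base = [[(0x9E3779B97F4A7C15 * (x + 5 * y + 1)) & MASK for y in range(5)]
            for x in range(5)]           # constructed stand-in for the unknown state
    acc = [[0] * 5 for _ in range(5)]
    for v in range(1 << dim):
        a = [row[:] for row in base]
        a[0][0] ^= v
        if in_kernel:
            a[0][1] ^= v
        out = keccak_p(a, n_rounds)
        acc = [[acc[x][y] ^ out[x][y] for y in range(5)] for x in range(5)]
    return acc

def cube_sum_is_zero(n_rounds, dim, in_kernel):
    # with the first round linearized, n_rounds rounds have degree <= 2^(n_rounds-1),
    # so the sum over a cube of dimension 2^(n_rounds-1) + 1 is provably zero
    return all(lane == 0 for row in cube_sum(n_rounds, dim, in_kernel) for lane in row)
```

Calling `cube_sum_is_zero(3, 5, False)` places the same variables outside the kernel, where the degree bound is 8 and the sum is in general non-zero.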

3.4 Motivations

The linear structure illustrates the diffusion effect of variables through \(\chi \), which enables us to give a full description of \(\chi \) using MILP. We then consider the possibility of building a new MILP model for searching for conditional cube attacks on Keccak-p based constructions, especially for finding optimal conditional cubes for constructions with a fully unknown internal state.

Impact of p. If the number of conditional cube variables p increases by 1, the dimension d of the required cube reduces by 1 but t increases by at least 1. So there is no need to have more than one conditional cube variable in most cases. Therefore, we set \(p=1\) in our attacks on KMAC, Keyak and Ketje.

However, multiple conditional cube variables may be useful for analyzing the Full-state Keyed Sponge (FKS) or Full-state Keyed Duplex (FKD) [10, 21], where full-state message absorption is used. Due to the full-state degrees of freedom, a large number of conditional cube variables may exist, possibly even without any condition. The following table compares the two extreme cases \(p=1\) and \(p=2^n+1\), the latter of which means that all cube variables are conditional cube variables and thus the first two rounds are fully linearized. If p is large enough and \(2^{d+t}=2^{2^{n+1}-p+1+t}<2^{|K|}\), the cube attack can be extended by one round.

p             Dimension     \(n_r\) rounds with zero sum
1             \(2^n\)       \(n+1\)
\(2^n+1\)     \(2^n+1\)     \(n+2\)

For clarity, we define two types of conditional cubes as follows.

Type I. Among all cube variables, there is only one conditional cube variable.

Type II. All cube variables are conditional cube variables, i.e., all the cube variables do not multiply with each other in the first two rounds.

In [7], it is stated that whether cube attacks can be extended to more rounds by exploiting full-state absorbing remains an open question. In this paper, we try to answer the open question by exploiting Type II cubes.

4 Modeling Each Step with MILP

MILP is a general mathematical tool, which takes an objective function and a system of linear inequalities over real and integer variables as input, and aims to search for an optimal solution which not only satisfies all the inequalities but also minimizes/maximizes the objective function.

Cryptanalysis using MILP takes five main steps, as shown in Fig. 6. Firstly, one defines variables, which are mostly binary, for the cryptanalytic problem. Secondly, she identifies links between the variables, which deeply depend on the cryptanalytic problem. Based on the links, she then generates all valid patterns for the variables, which can be described with inequalities using existing methods. In this paper, we use the convex hull method [28] together with a selection algorithm from [24]. Once the cryptanalytic problem is converted to an MILP problem, it can be solved with an MILP solver. Cryptanalysis using other tools such as SAT solvers works in a similar way. Since the last two steps are straightforward, the first three steps are the core part of MILP-based cryptanalysis and will be our focus in Sects. 4 and 5.

Fig. 6. Workflow of cryptanalysis using MILP.

In this section, through a 1-round linear structure of KMAC we first show where the conditions come from, and formulate the time complexity of conditional cube attacks. Then we describe each step of the Keccak-p round function using inequalities. The full model for searching conditional cubes will be introduced in the next section. Note that our modeling is described under the assumption that the internal state of the target constructions is fully unknown. The difference of the model for constructions with partially known internal state will be discussed in Sect. 5.3.

4.1 A 1-Round Linear Structure of KMAC

Suppose the internal state before injecting messages is denoted by k[x][y], \(0\le x,y<5\). For convenience, the \(\varvec{r}\)-bit message block is denoted as a[x][y], \(0\le x,y<5\), where the last \(\varvec{c}\) bits are set to 0. Figure 7 provides a 1-round linear structure of KMAC128 and shows the transformation of the internal state under the first round function R after absorbing the message block. Following the same notations as in Sect. 3.3, lanes with orange slashes denote variables, lanes with orange dots have algebraic degree at most 1, and bits in white lanes are constants. Here, the first four lanes of the first and the third columns of a[x][y] are set to be variables such that the sum \(\bigoplus _{y=0}^{3}a[x][y]\) equals a certain constant for \(x=0,2\). The capacity of KMAC128 consists of four lanes, so these lanes cannot be chosen as variables. As can be seen from Fig. 7, the output of the first round function is linear since there are no adjacent variables at the input of \(\chi \). This 1-round linear structure of KMAC128 has up to 384 degrees of freedom. A similar 1-round linear structure can also be constructed for KMAC256.

As can be seen, the first round can be linearized without any condition on constants by just excluding neighbouring variables before \(\chi \). Let us consider constructing a conditional cube, where at least one variable should be selected such that it is not multiplied with any other variables in the second round, while there is no such restriction for the rest of the variables. Specifically, if an input bit of the \(\chi \) in the second round contains the conditional variable, its two neighbouring bits should be constants. According to the property of Keccak-p (specifically the \(\theta \)), each neighbouring bit is calculated from 11 output bits of the first round. These 11 bits may be variables or constants, depending on the actual constant values involved in the \(\chi \) of the first round.

Fig. 7. 1-round linear structure of KMAC128 with up to 384 degrees of freedom, with bits in orange slashes (resp. dots) of degree 1 (resp. at most 1), and white bits being arbitrary unknown constants.

Unlike the linear structure proposed in [17], none of the constants before \(\chi \) of the first round are controllable because of the unknown initial state. Hence, it is impossible to determine how the variables are propagated through the logic AND, where ANDing with 1 allows propagation and ANDing with 0 blocks it. This makes it hard to track the positions of all variables in the second round deterministically, and hence increases the difficulty of finding conditional cubes fulfilling the requirement that there is no multiplication (a.k.a. AND operation) with any conditional cube variable in the second round. However, if some of the constants meet certain conditions, then it can be guaranteed that the conditional cube variable does not multiply with any variable in the second round, and thus conditional cubes can be constructed. This is where the bit conditions of conditional cubes come from.

Given a \(2^n\)-dimensional conditional cube with one conditional cube variable and t bit conditions, it requires a time complexity of \(2^{2^n+t}\) to recover t bits of the internal state of an \((n+1)\)-round Keccak-p based construction. Hence the overall complexity to recover the internal state is around \(\lceil \frac{|\varvec{b}|}{t} \rceil \cdot 2^{2^n+t}\). Once the internal state is recovered, the key can be computed directly. It follows that the smaller t is, the lower the time complexity will be. So the aim of our new MILP model is to find conditional cubes with minimal bit conditions, while keeping the cube dimension large enough.

4.2 Modeling the Non-linear Layer

The first observation before giving the MILP model is that, although one input bit to the first \(\chi \) is calculated from 11 bits of the initial state, it is unnecessary for us to start from the initial state, as there is a bijective relation (the \(\lambda \)) between it and the state just before the \(\chi \). Meanwhile, the 1-round linear structure can be started from the middle as well. Hence, instead of trying to derive everything from the very beginning, we start from the state just before \(\chi \). This simple yet crucial observation reduces the complexity of the problem significantly, as will be seen later.

Recall that the message block is denoted by a, and \(b=\lambda (a)\), and k stands for the secret internal state. Let \(k'=\lambda (k)\). Thus, \(b\oplus k'\) is the input of the first \(\chi \) and c denotes its output. The tuple (x, y, z) denotes the coordinates of one bit in the state. The additional notations A, B, C, V and H are used for the modeling. Specifically, A[x][y][z] (B[x][y][z] or C[x][y][z]) is 1 if a[x][y][z] (b[x][y][z] or c[x][y][z]) is active and 0 otherwise, while \(V[x][y][z]=1\) indicates a bit condition that \(b[x][y][z]+k'[x][y][z]\) should be fixed to H[x][y][z]. The number of bit conditions is denoted by t.

Note, we are to model two layers of \(\chi \). Without losing any degree of freedom, we do it in two steps by modeling the first \(\chi \) without imposing any additional condition, and the second \(\chi \) using the output from our modeling of the first \(\chi \), i.e., nested modeling. This may cost higher search complexity compared with previous works at first glance, we will see the effectiveness and power later. Due to the generality of our modeling, we could find optimal solutions whenever it is practical to solve.

Although \(\chi \) is the only non-linear operation of Keccak-p, modeling it into inequalities is non-trivial. Let us look at the computation of one bit through \(\chi \). According to the algebraic expression of \(\chi \), \(c[x][y][z]=b[x][y][z] \oplus (1\oplus b[x+1][y][z])\cdot b[x+2][y][z]\). For a conditional cube, the output bits of the first round should be linear, which can be guaranteed by the constraint that variables do not appear in adjacent input bits, namely \(B[x][y][z]+B[x+1][y][z]\le 1\). However, the values of the input constants influence the diffusion of variables through \(\chi \) and hence the second round, as shown in Fig. 5. As we find out, the diffusion patterns of variables through \(\chi \) fall into a smaller set than expected, listed in Table 3, which makes it possible to model all cases without imposing any additional condition. To make this clear, we explain some rows of Table 3. The first two rows mean that if both \(b[x+1][y][z]\) and \(b[x+2][y][z]\) are constants, then the constants can take any value and c[x][y][z] inherits the activeness of b[x][y][z]. The third row means that if \(b[x+2][y][z]\) is active and \(b[x][y][z],b[x+1][y][z]\) are constants but the value of \(b[x+1][y][z]\) is uncertain, then c[x][y][z] contains an uncertain propagation from \(b[x+2][y][z]\) and its algebraic degree is at most 1. On the contrary, if the value of \(b[x+1][y][z]\) is restricted to 1 (resp. 0) as in the fourth (resp. fifth) row, c[x][y][z] is definitely inactive (resp. active). The fifth row can be ignored since it costs a bit condition but still diffuses the variable from \(b[x+2][y][z]\) to c[x][y][z], making the second round denser. The remaining rows can be explained similarly. Next, we generate a set of inequalities (see Table 7 in Appendix B) to describe these 0–1 patterns.

Table 3. Diffusion of variables through \(\chi \), where coordinates [y][z]s are omitted and symbol ‘*’ denotes arbitrary value.
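The diffusion patterns of Table 3 can be regenerated mechanically rather than by hand. The following Python block is an added example (not code from the paper): it evaluates \(\chi \) symbolically on one row whose five input bits are each a cube variable, a known constant 0/1 or an unknown constant '*', labels each output bit as inactive, active, uncertain or quadratic, and cross-checks the symbolic rule against a brute-force evaluation of \(\chi \) over every concrete value. The function names and the 'v'/'0'/'1'/'*' encoding are this example's own conventions. It also derives the two neighbor conditions that keep a variable at b[x] inside c[x], which is the form the conditions on the conditional cube variable take in Sect. 5.1.

```python
"""
Diffusion of cube variables through one row of Keccak's chi step.

Added example, not code from the paper.  A row pattern is a list of five
symbols: 'v' for a cube variable (each position holds its own variable),
'0' / '1' for a known constant, '*' for an unknown constant.  symbolic_chi
applies the rule behind Table 3; brute_force_chi recomputes the same
information from chi itself and serves as the ground truth.
"""
from itertools import product


def chi_row(bits):
    """Keccak chi on one 5-bit row: c[x] = b[x] ^ (~b[x+1] & b[x+2])."""
    return [bits[x] ^ ((1 ^ bits[(x + 1) % 5]) & bits[(x + 2) % 5])
            for x in range(5)]


def symbolic_chi(pattern):
    """For every output bit c[x], the variables that reach it, mapped to
    'certain' (coefficient 1) or 'uncertain' (coefficient is an unknown
    constant).  Key None marks a product of two variables (degree 2)."""
    out = []
    for x in range(5):
        x1, x2 = (x + 1) % 5, (x + 2) % 5
        terms = {}
        if pattern[x] == 'v':
            terms[x] = 'certain'                # b[x] is XORed in directly
        v1, v2 = pattern[x1] == 'v', pattern[x2] == 'v'
        if v1 and v2:
            terms[None] = 'quadratic'           # (1 + v) * v'
        elif v2:                                # (1 + const) * v_{x+2}
            if pattern[x1] == '0':
                terms[x2] = 'certain'
            elif pattern[x1] == '*':
                terms[x2] = 'uncertain'
            # pattern[x1] == '1': the AND is identically 0
        elif v1:                                # (1 + v_{x+1}) * const
            if pattern[x2] == '1':
                terms[x1] = 'certain'
            elif pattern[x2] == '*':
                terms[x1] = 'uncertain'
            # pattern[x2] == '0': the AND is identically 0
        out.append(terms)
    return out


def classify(pattern):
    """One label per output bit, as in the rows of Table 3."""
    labels = []
    for terms in symbolic_chi(pattern):
        if None in terms:
            labels.append('quadratic')
        elif 'uncertain' in terms.values():
            labels.append('uncertain')
        elif terms:
            labels.append('active')
        else:
            labels.append('inactive')
    return labels


def brute_force_chi(pattern):
    """Ground truth: for each variable, flip it under every assignment of
    the unknown constants and the other variables; an output bit that
    always flips carries the variable with a certain coefficient, one that
    sometimes flips carries it with an uncertain coefficient."""
    var_pos = [i for i, s in enumerate(pattern) if s == 'v']
    free = [i for i, s in enumerate(pattern) if s in ('v', '*')]
    result = [dict() for _ in range(5)]
    for v in var_pos:
        rest = [i for i in free if i != v]
        flips, total = [0] * 5, 0
        for vals in product([0, 1], repeat=len(rest)):
            row = [1 if s == '1' else 0 for s in pattern]
            for i, val in zip(rest, vals):
                row[i] = val
            row[v] = 0
            c0 = chi_row(row)
            row[v] = 1
            c1 = chi_row(row)
            total += 1
            for x in range(5):
                flips[x] += c0[x] != c1[x]
        for x in range(5):
            if flips[x] == total:
                result[x][v] = 'certain'
            elif flips[x]:
                result[x][v] = 'uncertain'
    return result


def no_adjacent_variables(pattern):
    """The linearity constraint B[x] + B[x+1] <= 1 of Sect. 4.2."""
    return not any(pattern[i] == 'v' and pattern[(i + 1) % 5] == 'v'
                   for i in range(5))


def all_patterns_agree():
    """Cross-check the symbolic rule on all 4^5 row patterns that satisfy
    the linearity constraint."""
    return all(symbolic_chi(p) == brute_force_chi(p)
               for p in map(list, product('v01*', repeat=5))
               if no_adjacent_variables(p))


def isolation_conditions(x):
    """Bit conditions that keep a variable at b[x] inside c[x]: b[x-1] = 1
    kills (1 + b[x-1]) * b[x] in c[x-2], and b[x+1] = 0 kills
    (1 + b[x]) * b[x+1] in c[x-1].  These are the values of H imposed on
    the neighbors of the conditional cube variable in Sect. 5.1."""
    return {(x - 1) % 5: 1, (x + 1) % 5: 0}
```

The 'uncertain' label is exactly the situation in which the model must either spend a bit condition (V = 1) on the unknown neighbor or accept an unknown coefficient in the second round; `all_patterns_agree()` confirms that the symbolic rule never disagrees with \(\chi \) itself on any row pattern allowed by the linearity constraint.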

4.3 Modeling the Linear Layer

The linear layer \(\lambda \) consists of three steps: \(\theta , \rho \) and \(\pi \), the latter two of which only change the positions of the state bits. Hence, we focus on modeling \(\theta \). \(\theta \) adds the parities of two columns to each bit. If both columns have even parity, then the bit does not change at all after \(\theta \). If all columns have even parity, the state is said to be in the column parity kernel (CP-kernel). While the original column parity is defined on values, in the context of cube attacks it refers to activeness.

Following [25], we introduce F[x][z] and G[x][z] to describe the parity of a column in the state.

  • The column is not active, i.e., there is no variable: \(G[x][z]=0,F[x][z]=0\);

  • The column is active and the column sum is active: \(G[x][z]=1,F[x][z]=0\);

  • The column is active and the column sum is inactive: \(G[x][z]=0,F[x][z]=1\);

As can be seen, \(G[x][z]=1\) indicates that the column sum contains variables, and only constants otherwise. If \(G[x][z]=0\) for all columns, then the cube lies in the CP-kernel. \(F[x][z]=1\) means that the column contains variables but the variables sum to a certain constant, consuming one bit degree of freedom. Suppose \(A[x][y][z], y=0,\cdots ,4\) stands for the activeness of column (x, z); then the patterns of \(A[x][y][z], y=0,\cdots ,4\) and F[x][z], G[x][z] fall into a set of \(1+5+(32-6)\times 2=58\) discrete points in \(\mathbb {R}^7\). The inequalities modeling this set are derived and listed in Table 8.

The activeness of the output of \(\theta \) now can be calculated from A[x][y][z] and G[x][z]. Assume B[x][y][z] denotes the activeness of \(\theta \)’s output (elsewhere B[x][y][z] denotes the activeness of the output of the linear layer). Then B[x][y][z] \(=1\) if any of A[x][y][z], \(G[x-1][z]\) and \(G[x+1][z-1]\) is 1; otherwise \(B[x][y][z]=0\). This can be modeled by the following inequalities.

$$\begin{aligned} B[x][y][z] - A[x][y][z]\ge 0, \nonumber \\ B[x][y][z] - G[x-1][z]\ge 0, B[x][y][z] - G[x+1][z-1]\ge 0,\nonumber \\ A[x][y][z]+G[x-1][z]+G[x+1][z-1] - B[x][y][z] \ge 0. \end{aligned}$$
(1)

If only cubes in the CP-kernel are of interest, set \(G[x][z]=0\) and inequalities in (1) can be replaced with \(B[x][y][z]=A[x][y][z]\). In this way, the model of the linear layer is simplified.
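The activeness rule for \(\theta \) above can be checked against the real \(\theta \), since \(\theta \) is linear and the bits a variable occupies after it are just \(\theta \) applied to the indicator of its positions. The following Python block is an added example (not code from the paper): it enumerates the 58 column patterns, implements the rule B = A or G[x-1][z] or G[x+1][z-1] on sets of positions, and compares it with the exact \(\theta \) on three constructed placements, including the two-bits-in-one-column placement used for the conditional cube variable. The `fixed_sum_columns` argument is this example's way of marking columns with F[x][z] = 1; names and placements are the example's own.

```python
"""
The activeness model of theta (Sect. 4.3) next to the real theta.

Added example, not code from the paper.  A cube is a dict mapping each
variable to the set of (x, y, z) bits where it is placed (the A array of
the paper); G is the set of columns whose sum is active and B the set of
active bits after theta.  Columns listed in fixed_sum_columns stand for
F[x][z] = 1: their variables are tied by one linear condition so that the
column sum is a constant.
"""
from itertools import product

W = 64
MASK = (1 << W) - 1


def rol(v, n):
    return ((v << n) | (v >> (W - n))) & MASK if n else v


def theta(lanes):
    """Keccak theta on a 5x5 array of 64-bit lanes indexed lanes[x][y]:
    every bit receives the parities of columns (x-1, z) and (x+1, z-1)."""
    c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4]
         for x in range(5)]
    d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
    return [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]


def column_patterns():
    """The feasible (A[x][0], ..., A[x][4], F, G) points of one column: no
    variable gives F = G = 0; one variable cannot be tied to a constant, so
    G = 1; two or more variables give either G = 1 or F = 1."""
    pts = set()
    for a in product([0, 1], repeat=5):
        if sum(a) == 0:
            pts.add(a + (0, 0))
        elif sum(a) == 1:
            pts.add(a + (0, 1))
        else:
            pts.add(a + (0, 1))
            pts.add(a + (1, 0))
    return pts                               # 1 + 5 + 26 * 2 = 58 points


def theta_activeness_model(cube, fixed_sum_columns=frozenset()):
    """The paper's rule: B[x][y][z] = 1 iff A[x][y][z] = 1 or
    G[x-1][z] = 1 or G[x+1][z-1] = 1."""
    odd = {}                                  # column -> variables with odd count
    for var, positions in cube.items():
        for x, y, z in positions:
            odd.setdefault((x, z), set()).symmetric_difference_update({var})
    G = {col for col, vs in odd.items() if vs and col not in fixed_sum_columns}
    B = set().union(*cube.values())
    for x, y, z in product(range(5), range(5), range(W)):
        if ((x - 1) % 5, z) in G or ((x + 1) % 5, (z - 1) % W) in G:
            B.add((x, y, z))
    return G, B


def theta_activeness_exact(cube):
    """Ground truth when no column sum is tied: theta is linear, so the bits
    a variable occupies afterwards are theta applied to its indicator."""
    B = set()
    for positions in cube.values():
        lanes = [[0] * 5 for _ in range(5)]
        for x, y, z in positions:
            lanes[x][y] ^= 1 << z
        out = theta(lanes)
        B |= {(x, y, z) for x in range(5) for y in range(5) for z in range(W)
              if out[x][y] >> z & 1}
    return B


# Constructed placements: a lone variable, the CP-kernel placement used for
# the conditional cube variable (two bits of one column), and two variables
# sharing a column.
SINGLE = {'v0': {(0, 0, 0)}}
KERNEL = {'v0': {(0, 0, 0), (0, 1, 0)}}
SHARED = {'v1': {(2, 3, 5)}, 'v2': {(2, 4, 5)}}
```

A lone variable spreads to 11 bits, the CP-kernel placement stays on its 2 bits, and two different variables in one column spread unless their sum is tied by a linear condition, in which case the model keeps them on their 2 bits at the cost of one degree of freedom (the exact function cannot express that case, which is why the model is needed).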

5 Modeling the Search for Conditional Cubes

This section presents a full model for searching conditional cubes of both types. The conditional cube requires conditional cube variables not to multiply with any variable even in the second round, which means their neighboring bits before the second \(\chi \) should be constants. For the Type I, we could fix the positions of the conditional cube variable (we place the same variable at two bit positions in the same column of the initial state) and focus only on it and its neighboring bits. Whereas for Type II, attention should be paid to the diffusion of all variables in the second round. Due to this difference for the second round, our model for searching conditional cubes of both types will be constructed separately.

5.1 Model for Searching Conditional Cubes of Type I

Modeling the Second Round. The neighboring bits of the conditional cube variable before the second \(\chi \) should be constants. Suppose these neighboring bits are denoted by \(s_i\). According to the round function \(\mathtt{R}\), each neighboring bit \(s_i\) is calculated from 11 bits of c[x][y][z]. There are two cases depending on whether there is any variable among the 11 bits:

Case 1: None of the 11 bits is a variable, i.e., \(C[x][y][z]=0\) for all of them.

Case 2: There are variables among the 11 bits, and the XOR of these 11 bits forms a linear equation which consumes one bit degree of freedom.

We introduce one more dummy variable \(S_i\) for \(s_i\) to indicate which case happens, where \(S_i=0\) for Case 1 and \(S_i=1\) for Case 2. Case 1 is simple, while for Case 2 one needs to pay attention to “uncertain propagations” or lanes with orange dots in Fig. 7 since no exact information can be derived from a linear equation containing variables with uncertain coefficients. So once Case 2 happens, additional conditions should be imposed to avoid uncertain propagations.

Similarly, all possible patterns of \(S_i\) and its related bits can be enumerated as shown in Table 4 and the set of inequalities are provided in Table 9. Specifically, if c[x][y][z] is required in calculating \(s_i\), the inequalities in Table 9 are added to the MILP model.

Table 4. Influence of conditional cube variables in the second round. Symbol ‘*’ denotes arbitrary value.

Modeling the Search for Conditional Cubes. The following constraints are generated for searching conditional cubes of Type I.

  1. Constraints for the linear layer of the first round, according to Sect. 4.3;

  2. Constraints for the nonlinear layer of the first round, according to Table 7;

  3. Constraints for the conditional cube variable in the first round. If an input bit b[x][y][z] of \(\chi \) involves the conditional cube variable, then we fix its neighboring bits to constants such that it does not diffuse to other positions. It requires

    $$\begin{aligned} B[x-1][y][z] = 0,\quad B[x+1][y][z] = 0,\nonumber \\ V[x-1][y][z] = 1,\quad V[x+1][y][z] = 1,\nonumber \\ H[x-1][y][z] = 1,\quad H[x+1][y][z] = 0. \end{aligned}$$
    (2)

  4. Constraints for the conditional cube variable in the second round, according to Table 9;

  5. Constraint for the dimension. If a \(2^n\)-dimensional conditional cube is required, then set

    $$\begin{aligned} \sum A[x][y][z] - \sum F[x][z] - \sum S_i = 2^n, \end{aligned}$$
    (3)

    where \(\sum F[x][z] + \sum S_i\) is the number of consumed degrees of freedom.

  6. Objective. The objective is to minimize the number of bit conditions. That is

    $$\begin{aligned} \mathrm {Minimize:\quad } \sum V[x][y][z]. \end{aligned}$$
    (4)

Besides, there may exist additional constraints. For example, the last \(\varvec{c}\) bits and some padded bits cannot be variables. When all constraints are generated, an MILP solver is invoked to find a solution that minimizes the objective.

5.2 Model for Searching Conditional Cubes of Type II

Modeling the Second Round. For Type II conditional cubes, all the cube variables should not multiply with each other in the second round. Therefore the diffusion of each cube variable in the second round becomes indispensable and must be modeled. Beside the activeness of the input of the second round, the diffusion of cube variables also depends on the activeness of column sums which is the core part to be modeled.

Recall that we start from b, the input of \(\chi \) in the first round, and \(c=\chi (b)\). Let \(d=\lambda (c)\), omitting the \(\iota \) step of the first round, and let D[x][y][z] denote the activeness of d. From the algebraic expression of \(\chi \), namely \(c[x][y][z]=b[x][y][z] \oplus (1\oplus b[x+1][y][z])\cdot b[x+2][y][z]\), it is known that if \(B[x][y][z]=1\), then \(C[x][y][z]=1\). If the sum of column (x, z) of b is inactive, under what circumstances is the sum of column (x, z) of c also inactive? This is what we need to explore. Note that columns with an inactive sum do not diffuse to other columns, which is beneficial to the linearization of the second round.

Suppose \(G_1[x][z]=1\) means the sum of column (x, z) in b is active and \(G_1[x][z]=0\) otherwise. Let \(G_2[x][z]\) play the same role for c. With \(G_2[x][z]\) and C[x][y][z], the linear layer in the second round can be modeled just as the linear layer in the first round. To make the second round linear, we only need to add the constraint \(D[x][y][z]+D[x+1][y][z]\le 1\). So the only problem left is to model the activeness of the column sums of c.

The value of \(G_2[x][z]\) is influenced by three columns of b at \((x,z),(x+1,z)\) and \((x+2,z)\). This is the most complex relation to be modeled in this paper. Specifically, variables at position (x, y, z) of b propagate to position (x, y, z) of c for sure; variables at positions \((x+1,y,z)\) and \((x+2,y,z)\) of b may diffuse to position (x, y, z) of c. The sum of column (x, z) of c is inactive, i.e., \(G_2[x][z]=0\), only if all the following three conditions hold.

  • \(G_1[x][z]=0\).

  • No variable in column \((x+1,z)\) of b propagates to column (x, z) of c.

  • (a) No variable in column \((x+2,z)\) of b propagates to column (x, z) of c, or (b) all the variables in column \((x+2,z)\) of b propagate to column (x, z) of c and \(G_1[x+2][z]=0\).

In the following, the three conditions will be analyzed in detail individually.

  1. The effect of variables in column (x, z). \(C[x][y][z]=1\) if \(B[x][y][z]=1\), so \(G_2[x][z]=1\) if \(G_1[x][z]=1\).

  2. The effect of variables in column \((x+1,z)\) of b depends on conditions in column \((x+2,z)\). If there is any uncertain propagation of variables from column \((x+1,z)\), then \(G_2[x][z]=1\). Additionally, P[x][y][z] is introduced, where \(P[x][y][z]=1\) if the variable at \((x+1,y,z)\) is propagated to (x, y, z) with an uncertain coefficient and \(P[x][y][z]=0\) otherwise. The relation of P[x][y][z] to \(B[x+1][y][z]\) and \(V[x+2][y][z]\) is described in the following table.

    P[x]   \(B[x+1]\)   \(V[x+2]\)   Inequalities
    0      0            *            \(-P[x]+B[x+1] \ge 0\)
    1      1            0            \(-P[x]-V[x+2]\ge -1\)
    0      1            1            \(P[x]-B[x+1]+V[x+2]\ge 0\)

    The effect of column \((x+1,z)\) to column (xz) is denoted by M[x][z] where \(M[x][z]=1\), i.e., there exist uncertain propagations of variables from column \((x+1,z)\) if any \(P[x][y][z], y=0,\cdots ,4\) is 1. This can be described with inequalities in (5).

    $$\begin{aligned} M[x][z]-P[x][y][z]&\ge 0, y=0,\cdots ,4.\nonumber \\ \sum _yP[x][y][z]-M[x][z]&\ge 0. \end{aligned}$$
    (5)
  3. The effect of variables in column \((x+2,z)\) of b is relatively complicated. As shown previously, there are two cases in which column \((x+2,z)\) of b does not affect \(G_2[x][z]\). To identify these two cases, we introduce \(Q_1[x][y][z], Q_2[x][y][z]\), \(N_1[x][z],N_2[x][z]\) and \(N_3[x][z]\). \(Q_1[x][y][z]\) and \(N_1[x][z]\) play similar roles to P[x][y][z] and M[x][z], i.e., \(N_1[x][z]=1\) if there is uncertain propagation from column \((x+2,z)\).

    \(Q_2[x][y][z]=1\) if the variable at \((x+2,y,z)\) of b is propagated to (xyz) of c for sure. Let \(N_2[x][z]=0\) if and only if \(\sum _yQ_2[x][y][z]=0\). Let \(N_3[x][z]=0\) if \(\sum _yQ_2[x][y][z]=\sum _yB[x+2][y][z]\), i.e., all variables in column \((x+2,z)\) of b are diffused to column (xz) of c.

    \(Q_1[x][y][z]\) and \(Q_2[x][y][z]\) can be modeled as shown in the following table.

    \(Q_1[x]\)   \(Q_2[x]\)   \(B[x+2]\)   \(V[x+1]\)   \(H[x+1]\)   Inequalities
    0            0            0            0            *            \(-Q_1[x]-Q_2[x]+B[x+2]\ge 0\)
    0            0            0            1            *            \(Q_1[x]-B[x+2]+V[x+1]\ge 0\)
    1            0            1            0            *            \(-Q_1[x]-V[x+1] \ge -1\)
    0            1            1            1            0            \(Q_1[x]+Q_2[x]-B[x+2]+H[x+1] \ge 0\)
    0            0            1            1            1            \(-Q_2[x] -H[x+1] \ge -1\)

    The relation between \(N_1[x][z],N_2[x][z]\) and \(Q_1[x][y][z], Q_2[x][y][z]\) can also be described in the same way as in (5). To model \(N_3[x][z]\), a large integer I is used to express the IF-ELSE logic that \(N_3[x][z]=0\) if \(\sum _yQ_2[x][y][z]=\sum _yB[x+2][y][z]\) as long as I is larger than 5, say 100. The exact inequalities are shown in (6).

    $$\begin{aligned} \sum _yQ_2[x][y][z] - \sum _yB[x+2][y][z]+I\cdot N_3[x][z]&\le I-1, \nonumber \\ \sum _yQ_2[x][y][z] - \sum _yB[x+2][y][z]+I\cdot N_3[x][z]&\ge 0. \end{aligned}$$
    (6)

    According to our model, \((N_1[x][z],N_2[x][z], N_3[x][z])=(0,0,*)\) indicates the first case, and \((N_1[x][z],N_2[x][z], N_3[x][z])=(0,1,0)\) stands for the second case.

As can be derived from the above analysis, \(G_2[x][z]=G_1[x][z]\) when either (a) \((M[x][z],N_1[x][z],N_2[x][z],N_3[x][z])=(0,0,0,*)\), or (b) \((M[x][z],N_1[x][z],N_2[x][z],N_3[x][z])=(0,0,1,0)\) and \(G_1[x+2][z]=0\); otherwise \(G_2[x][z]=1\). The inequalities in Table 10 model this property.
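Each small table in this subsection encodes a Boolean relation as linear inequalities over 0–1 variables, and a wrong encoding silently changes what the solver searches for. The following Python block is an added example (not the paper's code or solver input): it enumerates the feasible 0–1 points of the P-table and Q-table inequalities above and compares them with the relations they are meant to express, and it checks that (5) forces M to the OR of the P[x][y][z] and that the big-M pair (6) forces \(N_3\) to the intended value for every admissible pair of column sums. Variable names such as `B1`, `V2` abbreviate \(B[x+1]\), \(V[x+2]\) and are the example's own.

```python
"""
Checking the 0-1 linearizations of Sect. 5.2 by exhaustive enumeration.
Added example, not the paper's code.  Each relation has at most five
0-1 variables, so the feasible set of its inequalities can be listed
completely and compared with the relation it should encode.
"""
from itertools import product


def feasible_points(names, ineqs):
    """0-1 points satisfying every inequality sum(c_i * x_i) >= rhs;
    ineqs is a list of (coefficient dict, rhs)."""
    pts = set()
    for vals in product([0, 1], repeat=len(names)):
        env = dict(zip(names, vals))
        if all(sum(c * env[v] for v, c in coef.items()) >= rhs
               for coef, rhs in ineqs):
            pts.add(vals)
    return pts


# P[x] = 1 iff the variable at b[x+1] reaches c[x] with an uncertain
# coefficient: B[x+1] = 1 and b[x+2] is not conditioned (V[x+2] = 0).
P_NAMES = ('P', 'B1', 'V2')
P_INEQS = [({'P': -1, 'B1': 1}, 0),
           ({'P': -1, 'V2': -1}, -1),
           ({'P': 1, 'B1': -1, 'V2': 1}, 0)]


def p_relation():
    return {(int(b and not v), b, v) for b, v in product([0, 1], repeat=2)}


# Q1[x] = 1: the variable at b[x+2] reaches c[x] with an uncertain
# coefficient (b[x+1] unconditioned); Q2[x] = 1: it reaches c[x] for sure
# (b[x+1] conditioned to 0); conditioned to 1 it does not reach c[x].
Q_NAMES = ('Q1', 'Q2', 'B2', 'V1', 'H1')
Q_INEQS = [({'Q1': -1, 'Q2': -1, 'B2': 1}, 0),
           ({'Q1': 1, 'B2': -1, 'V1': 1}, 0),
           ({'Q1': -1, 'V1': -1}, -1),
           ({'Q1': 1, 'Q2': 1, 'B2': -1, 'H1': 1}, 0),
           ({'Q2': -1, 'H1': -1}, -1)]


def q_relation():
    return {(int(b and not v), int(b and v and not h), b, v, h)
            for b, v, h in product([0, 1], repeat=3)}


def m_values(ps):
    """Values of M allowed by (5) for the five P[x][y][z] of a column:
    M >= every P_y and sum(P_y) >= M, so M is the OR of the P_y."""
    return {m for m in (0, 1) if all(m >= p for p in ps) and sum(ps) >= m}


def n3_values(q2_sum, b_sum, big_m=100):
    """Values of N3 allowed by the big-M pair (6)."""
    diff = q2_sum - b_sum
    return {n for n in (0, 1)
            if 0 <= diff + big_m * n <= big_m - 1}


def big_m_is_exact(big_m=100):
    """(6) must force N3 = 0 exactly when every variable of column (x+2, z)
    propagates for sure, for all 0 <= sum Q2 <= sum B[x+2] <= 5."""
    return all(n3_values(q, b, big_m) == {int(q != b)}
               for b in range(6) for q in range(b + 1))
```

The same `feasible_points` helper can be pointed at any of the appendix tables (Tables 7 to 10) once their inequalities are typed in; a mismatch between the feasible set and the intended relation is far cheaper to find here than in a solver run that returns a "conditional cube" which does not linearize.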

Modeling the Search for Conditional Cubes. After introducing special techniques for modeling the column parity of the state in the second round, we can build the whole model for searching conditional cubes that linearize the first two rounds. Note that we start from the input of \(\chi \) in the first round.

  1. Describe the column parity of b using \(G_1[x][z],F_1[x][z]\), according to Table 8.

  2. Constraints for \(\chi \) in the first round, according to Sect. 4.2;

  3. Constraints for modeling the column parity of c, according to this subsection.

  4. Constraints for the linear layer in the second round, according to Sect. 4.3;

  5. Constraints for \(\chi \) in the second round, i.e., \(D[x][y][z]+D[x+1][y][z]\le 1\).

  6. Constraint for the dimension. If a \((2^n+1)\)-dimensional conditional cube is required, then set

    $$\begin{aligned} \sum C[x][y][z] - \sum F_1[x][z] = 2^n+1, \end{aligned}$$
    (7)

    where \(\sum F_1[x][z]\) is the number of consumed degrees of freedom.

  7. Objective. The objective is to minimize the number of bit conditions. That is

    $$\begin{aligned} \mathrm {Minimize:\quad } \sum V[x][y][z]. \end{aligned}$$
    (8)

5.3 Discussion and Comparison

Model for Constructions with Partially Known Internal State. While a minimal number of conditions means an optimal conditional cube for Keccak-p-based constructions with a fully unknown internal state, such as KMAC, this is not the case if the internal state is partially known, even though the number of conditions involving the key is still minimized. Note that the conditions are imposed on certain input bits of the first \(\chi \), and each such bit involves some key information. For a Keccak-p-based construction with a partially unknown internal state, t bit conditions do not necessarily contain t bits of key information. For example, in the 64-dimensional cube of Ketje SR v1, there are 27 bit conditions, all of which involve the key but which contain only 26 bits of key information due to dependencies.

Comparison with the Existing MILP Model. Recently, Li et al. proposed an MILP model for searching cubes of Type I [20]. Their model sets every b[x][y][z] to a constant if it relates to the neighboring bits of the conditional variable in the first two rounds. In our model, we incorporate the full diffusion eff of \(\chi \) and hence consider a broader class of conditional cubes. In particular, b[x][y][z] can be a variable even if it relates to the neighboring bits of the conditional variable in the second round. As a result, more conditional cubes can be found, with a greater range of dimensions. As demonstrated in Table 5, better conditional cubes are found using our model under the same setting. In particular, for a given dimension, our model returns conditional cubes with far fewer bit conditions. For example, the 32-dimensional conditional cube of Keccak-MAC-512 in [20] requires 24 bit conditions involving the key, while using our model the number of bit conditions can be only 3 (\(n=5\) and \(t=3\)), which reduces the time complexity of attacking 6-round Keccak-MAC-512 from \(2^{58.3}\) [20] to \(\lceil \frac{|k|}{t} \rceil \cdot 2^{2^n+t} = \lceil \frac{128}{3} \rceil \cdot 2^{2^5+3}\approx 2^{40}\). Our cube for Keccak-MAC-512 is provided in Table 5. Moreover, our models cover both types of conditional cubes, while Li et al.’s model aims only for Type I conditional cubes.

Table 5. Comparison with the previous MILP model on Keccak-MAC with the conditional cube placed at (2, 0, 0) and (2, 1, 0). The number of bit conditions only takes those involving key bits into account.

6 Applications

In this section, we apply our models to conditional cubes attacks on KMAC, Keyak and Ketje where Type I cubes are used. In order to extend the cube attacks on Keccak-p based constructions with full-state absorption, we exploit Type II cubes.

6.1 Conditional Cube Attacks on KMAC

In this subsection, techniques described in Sects. 4 and 5.1 are used to find conditional cubes for KMAC, based on which key recovery attacks can be mounted on 7-round KMAC128 and 9-round KMAC256 respectively.

Cube Attack on KMAC128. For KMAC128, the capacity is 256, which covers only four lanes. By placing the conditional cube variable at two bits in a column of a, our MILP model could find large conditional cubes with 4 bit conditions, which is the least possible number. To make the attack clear, a toy cube of KMAC is introduced first, as shown in Table 6. This cube is selected from the CP-kernel and has dimension 16, and the conditional cube variable is placed at a[0][0][0], a[0][1][0]. The 4 bit conditions can be derived directly from the positions of the conditional cube variable, since only the conditional cube variable contributes bit conditions in this case. Note that \(b=\lambda (a)\), and the relation between a[x][y][z] and b[x][y][z] is not expressed explicitly in the bit conditions. The remaining 15 ordinary cube variables can be read off from A[x][y][z], \(0\le x,y<5,0\le z<64\), which is represented as a \(5\times 5\) array of lanes labeled ‘Positions of cube variables’ in the table. In the remainder of the paper, the bit conditions are omitted if they come only from the conditional cube variable.

Table 6. A conditional cube of KMAC in the CP-kernel. Positions of cube variables are derived from a \(5\times 5\) array of lanes in hexadecimal using the little-endian format where ‘0’ is replaced with ‘−’.

For KMAC128, 64-dimensional conditional cubes are enough for attacking 7 rounds of KMAC128. In the following, multiple 64-dimensional conditional cubes are used for the recovery of the internal state. Once the internal state is recovered, the key can be derived directly.

  1. 1.

    Recover t bits of the internal state. Given a 64-dimensional conditional cube with t bit conditions where \(t=4\) for KMAC128, the t bits of the secret internal state \(k'[x][y][z]\) involving in the conditions are guessed and then the constant part of the messages is chosen such that the t bit conditions are satisfied. The right guess is detected by assigning all possible values to each cube variable and checking the sum of all outputs under the guess. If the cube sum is zero, then the corresponding guess is the right one with overwhelming probability and then the t bits of the secret internal state are recovered. The time complexity for recovering the t bits of the internal state is \(2^{64+t}=2^{68}\).

  2. 2.

    Recover t lanes of the internal state. Due to the z-axis translation invariance of Keccak-p, a conditional cube is still a conditional cube after being rotated along the z-axis. A cube and all its rotations are z-axis equivalent. However, for KMAC the padding rule may break the z-axis equivalence. To prevent this, the last lane of the \(\varvec{r}\)-bit message block is set to be inactive. Therefore, by rotating the cube bit by bit, t lanes of the internal state can be recovered in \(2^6\cdot 2^{68}=2^{74}\) calls of 7-round KMAC128.

  3. 3.

    Recover the whole internal state. Ten z-axis equivalent conditional cubes are used to recover the full internal state. The details of these cubes are given in [26], and the order of the lanes recovered are displayed in Fig. 8. The total time complexity of recovering the whole internal state is \(2^6\cdot 2^{64}(1\cdot 2^4+3\cdot 2^3+6\cdot 2^2)= 2^{76}\).

Fig. 8. The lanes recovered using ten z-axis equivalent conditional cubes. The underline means bits of these lanes are involved in conditions but they are already known.
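The three steps above all rest on one primitive: summing the output of round-reduced Keccak-p over every assignment of the cube variables, once per guess of the condition bits, and keeping the guess whose cube sum is zero. The following Python block is an added example, not the paper's code or verification programs: it implements Keccak-p[1600] on 64-bit lanes, the first-round linearity check of Sect. 4.2 (no two variables adjacent in a row before the first \(\chi \), computed by pushing each variable through \(\lambda \)), the cube-sum tester, and the z-axis rotation used in step 2. The cube is a constructed 5-dimensional linear-structure cube, not one of the paper's 64-dimensional conditional cubes, and the "secret" state is a seeded pseudo-random stand-in for the unknown internal state k. Because the cube is linear after the first round, the output of 3-round Keccak-p has degree at most 4 in its variables, so its cube sum is zero for every value of the secret state; that is the property the tester confirms. In the attack the same summation is evaluated under each of the \(2^t\) guesses of the condition bits with the 64-dimensional cube and 7 rounds.

```python
"""
Cube-sum tester for round-reduced Keccak-p[1600] (added example, not the
paper's code).  Cubes are dicts mapping a variable name to the set of
(x, y, z) bits of the message state a where it is placed; the secret state
is a constructed pseudo-random stand-in for the unknown internal state.
"""
from itertools import product
import random

W = 64
MASK = (1 << W) - 1
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]          # ROT[x][y]
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A,
      0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
      0x8000000080008081, 0x8000000000008009, 0x000000000000008A,
      0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089,
      0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
      0x000000000000800A, 0x800000008000000A, 0x8000000080008081,
      0x8000000000008080, 0x0000000080000001, 0x8000000080008008]


def rol(v, n):
    return ((v << n) | (v >> (W - n))) & MASK if n else v


def lam(a):
    """The linear layer lambda = pi o rho o theta on lanes a[x][y]."""
    c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
    d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
    b = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):
            b[y][(2 * x + 3 * y) % 5] = rol(a[x][y] ^ d[x], ROT[x][y])
    return b


def keccak_p(a, rounds):
    """Keccak-p[1600, rounds]: the last `rounds` rounds of Keccak-f[1600]."""
    for ir in range(24 - rounds, 24):
        b = lam(a)
        a = [[b[x][y] ^ ((b[(x + 1) % 5][y] ^ MASK) & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]        # chi
        a[0][0] ^= RC[ir]                                  # iota
    return a


def lanes_from(positions):
    a = [[0] * 5 for _ in range(5)]
    for x, y, z in positions:
        a[x][y] ^= 1 << z
    return a


def positions_of(a):
    return {(x, y, z) for x in range(5) for y in range(5) for z in range(W)
            if a[x][y] >> z & 1}


def linear_after_first_chi(cube):
    """Sect. 4.2 constraint B[x]+B[x+1] <= 1: lambda is linear, so each
    variable's bits before chi are lambda of its indicator state; reject
    the cube if two occupied bits are neighbors in a row."""
    occupied = set()
    for positions in cube.values():
        occupied |= positions_of(lam(lanes_from(positions)))
    return not any(((x + 1) % 5, y, z) in occupied for (x, y, z) in occupied)


def cube_sum(cube, secret, rounds):
    """XOR of the outputs over all 2^d assignments of the cube variables."""
    acc = [[0] * 5 for _ in range(5)]
    names = list(cube)
    for bits in product([0, 1], repeat=len(names)):
        a = [row[:] for row in secret]
        for bit, name in zip(bits, names):
            if bit:
                for x, y, z in cube[name]:
                    a[x][y] ^= 1 << z
        out = keccak_p(a, rounds)
        acc = [[acc[x][y] ^ out[x][y] for y in range(5)] for x in range(5)]
    return acc


def is_zero(lanes):
    return all(v == 0 for row in lanes for v in row)


def rotate_cube(cube, k):
    """z-axis translation: a cube and its rotations are z-axis equivalent."""
    return {n: {(x, y, (z + k) % W) for x, y, z in p} for n, p in cube.items()}


def random_state(seed):
    """Constructed stand-in for the unknown internal state."""
    rng = random.Random(seed)
    return [[rng.getrandbits(W) for _ in range(5)] for _ in range(5)]


# Constructed 5-dimensional cube: each variable sits on two bits of one
# column of a (CP-kernel, so theta does not spread it); rho and pi move the
# bits to planes 0 and 3 at x = 0 and x = 1 only, so no two variables are
# ever adjacent in a row before the first chi.
LINEAR_CUBE = {f'v{i}': {(0, 0, 7 * i), (0, 1, 7 * i)} for i in range(5)}

# Constructed counterexample: v0 and v1 meet at b[0][0][0] and b[1][0][0].
ADJACENT_CUBE = {'v0': {(0, 0, 0), (0, 1, 0)}, 'v1': {(1, 0, 20), (1, 1, 20)}}
```

`linear_after_first_chi` is the runtime version of the linearity constraint the MILP model imposes on B; running it on a solver's answer before investing \(2^{64+t}\) permutation calls is cheap insurance. The tester itself is what a reduced-round verification like Sect. 6.4 runs: with the rotated cube it also exercises the z-axis equivalence that step 2 of the attack depends on.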

Cube Attack on KMAC256. KMAC256 has a capacity of 512 bits which is equivalent to 8 lanes. Including the last lane of the message block where certain bits are padded, there are 9 lanes which can not contain variables. Apart from this, the cube search for KMAC256 remains as that for KMAC128. Our MILP model could find many 128-dimensional conditional cubes which can be used to attack 8 rounds of KMAC256. Since the output length of KMAC256 can be more than 320 bits, the first 5 lanes of the output can be reversed through the \(\chi \) of the last round. This immediately increases the attacked rounds by one, as this inversion covers the \(\chi \) of the last round, while \(\lambda \) does not increase the algebraic degree. As a result, 9 rounds of KMAC256 can be attacked.

Choice of the Conditional Cube Variable. When we place the conditional cube variable at two bit positions of the same column in a, the obtained cubes generally have more than 30 bit conditions. The increase in bit conditions is caused by the increase in capacity. In order to reduce the number of bit conditions, we place the conditional cube variable in a 2-round CP-kernel so that it does not diffuse even in the second round, leading to a small set of constraints for the conditional cube variable. As studied in [11], the minimal Hamming weight of a 2-round CP-kernel differential trail of Keccak-f[1600] is 6. Among all the 2-round CP-kernel differential trails, only those which have no difference in the last 9 lanes can be applied to the conditional cube search of KMAC256. Fortunately, there is exactly one 2-round CP-kernel differential trail satisfying this requirement. The active bit positions of this trail are

$$[(0,0,0), (0,1,0), (1,0,63), (1,2,63), (2,1,30), (2,2,30)].$$

By setting the conditional cube variable to these six bit positions, our MILP model returns 128-dimensional cubes with 12 bit conditions, with which 11 lanes (one lane overlapped) of the internal state can be recovered. With these 11 lanes known, cubes with the conditional cube variable placed at two bit positions of a column of a[x][y][z], \(0\le y<3\) can then be exploited to recover the remaining lanes.

To recover the whole internal state, three z-axis equivalent conditional cubes as shown in [26] are used and lanes recovered in each cube are displayed in Fig. 9. As can be learned from the figure, the time complexity of the internal state recovery is \(2^6\cdot 2^{128}(2^{12}+2^{11}+2^3)=2^{146.58}\) calls of 9-round KMAC256.

Fig. 9. The lanes recovered using three z-axis equivalent conditional cubes. The underline means bits of these lanes are involved in conditions but they are already known.

6.2 Conditional Cube Attacks on Keyak and Ketje

This subsection considers conditional cube attacks of Keyak and Ketje under the nonce respect setting, i.e., the cube variables are placed among the positions where the nonce is loaded, and suppose there is no associated data to be processed.

Figure 10 shows the key pack of Keyak and Ketje respectively (for Ketje, it shows the key pack after \(\pi ^{-1}\)), where blue positions stand for the key, light blue positions denote padded or encoded bits and white positions are the nonce. This means that the cube variable should be placed in white lanes. Unlike KMAC, the internal state of both Keyak and Ketje is known except the key part. Due to the dependence of key bits in conditions, our model may not guarantee optimal solutions.

Fig. 10. Key pack of Keyak and Ketje, where the blue part means the key, the light blue part denotes padded or encoded bits and the white part is the nonce.

All instances of Keyak and Ketje considered in this paper use 128-bit keys, except Lake Keyak, where 256-bit keys are supported by replacing Keccak-p [1600, 12] with Keccak-p[1600, 14]. Our main results are as follows and summarized in Table 2.  

Lake Keyak128: Using a 64-dimensional cube with 2 bit conditions involving the key (see [26]), the key recovery attack on 8-round Lake Keyak128 costs data and time complexities of \(2^2\cdot 2^{64}\cdot 32 + 2^{64}=2^{71.01}\), where the last \(\chi \) can be partially inverted due to the large output length.

Lake Keyak256: Using a 128-dimensional cube with 4 bit conditions involving the key (see [26]), the key recovery attack on 9-round Lake Keyak256 costs data and time complexities of less than \(2^4\cdot 2^{128} + 2^3\cdot 2^{128}\cdot 63 + 2^{128}=2^{137.05}\).

River Keyak: Using a 64-dimensional cube with 12 bit conditions involving the key (see [26]; these 12 bit conditions involve 11 bits of key information), the key recovery attack on 8-round River Keyak costs data and time complexities of \(2^{11}\cdot 2^{64} + 2^{10}\cdot 2^{64}\cdot 6 + 2^{128-71}= 2^{77.00}\).

Ketje Major: Using a 64-dimensional cube with 3 bit conditions involving the key (see [26]), the key recovery attack on 7-round Ketje Major costs data and time complexities of \(2^3 \cdot 2^{64} \cdot 3 + 2^2 \cdot 2^{64}\cdot 2 + 2^1\cdot 2^{64} \cdot (64-5) + 2^{64} = 2^{71.24}\).

Ketje Minor: Using a 64-dimensional cube with 4 bit conditions involving the key (see [26]), the key recovery attack on 7-round Ketje Minor costs data and time complexities of less than \(2^4 \cdot 2^{64} + 2^3\cdot 2^{64}\cdot 63 + 2^{64} = 2^{73.03}\).

For Ketje SR and Ketje JR, our model could not find better attacks than the existing ones in [15]. However, for Ketje SR with Keccak-p as the underlying permutation, namely Ketje SR v1, better attacks on 7-round Ketje SR are found using a 64-dimensional cube with 27 bit conditions (see [26]; they involve 26 bits of key information), and the time and data complexities are \(2^{26}\cdot 2^{64}\cdot 2 + 2^{128-54}=2^{91.00}\). Therefore, Ketje instances using Keccak-\(p^{\star }\) are stronger than those using Keccak-p under our attacks.

6.3 Conditional Cube Attacks on Full-State Keyed Duplex

In this subsection, we consider conditional cube attacks on Keccak-p based FKD (or FKS) which provides full-state degrees of freedom. We assume that the first data block is absorbed after the application of the underlying permutation, as in Keyak. Therefore, the internal state before injecting the first data block is fully unknown. This is not a nonce-respected attack since the cube will be constructed on the full-state data block.

For convenience, FKD with Keccak-p \([\varvec{b},n_r]\) as the underlying permutation is denoted by FKD[\(\varvec{b}\)]. A direct application of linear structures shows that 512-dimensional Type II cubes for FKD[1600] can be constructed by constraining 960 bits to certain constants. However, in key/state recovery attacks the number of bit conditions allowed is limited. In this subsection, we apply our model for searching Type II cubes of FKD[\(\varvec{b}\)], and try to find some useful cubes with a small number of bit conditions.

When the number of bit conditions is set to 0, Type II cubes of FKD[1600] can be found with dimension at least 48. If the dimension is set to 65, a Type II cube with 25 bit conditions is found, as shown in [26]. Since the first two rounds are linearized, the cube sum of 8-round Keccak is zero. Thus, this cube can be used to attack 8-round FKD[1600] by recovering the internal state in a similar way to the attack on KMAC. As long as the rate \(\varvec{r}\) is greater than 320 bits, a 9-round attack of FKD[1600] can be achieved by partially reversing the last round. The time complexity is about \(2^{65+25}=2^{90}\). For more experimental results, please refer to Appendix A.

Compared with cube attacks on Keccak-p based constructions where \(\varvec{r}\)-bit messages are absorbed, cube attacks on FKD[1600] can be extended to one more round by exploiting the full-state absorption. With this, the open question proposed by the Keyak designers in [7] now is answered.

The idea of full-state absorption has already been applied to Keyak which absorbs data blocks of more than \(\varvec{r}\) bits each but less than \(\varvec{b}\) bits. For example, Lake Keyak processes data blocks of 1536 bits, less than 1600 bits. A simple way to adapt our attack on 9-round FKD[1600] to Lake Keyak is to find a Type II cube with dimension 129 (65+64). However, such a cube with increased dimension could not be found in a practical amount of time. Therefore, the extended attack does not apply to Lake Keyak.

6.4 Experimental Verification and Codes

Since the attacks in this paper are impractical with current computational power, the correctness of the attacks is verified on cubes with small dimensions. We make no change to the attacks except reducing the number of rounds of the cube tester in the middle, so that the attack complexity drops to a practical level. We implement two Type I conditional cube attacks: one based on the 16-dimensional toy cube in Table 6 for fast verification, and the other based on a 32-dimensional cube for attacking 7-round KMAC256 (or 6-round KMAC128). A conditional cube attack on 7-round FKD[1600] is also implemented with a 32-dimensional cube of Type II. Note that this cube has three bit conditions which are set intentionally; otherwise, there could be no condition. The correctness of our attacks is confirmed by these three experiments. The source codes for experimental verification are available via http://team.crypto.sg/VerificationCodesConCube.zip. The codes for building our models are available through http://team.crypto.sg/modelConCube.zip.

7 Conclusions

In this paper, we proposed new MILP models for searching two types of conditional cubes for Keccak-p based keyed constructions. In particular, we incorporated the diffusion effect of variables through the non-linear layer, took a broader class of Type I conditional cubes into account, and proposed a model for searching Type II conditional cubes for the first time. With the new models, conditional cubes with the desired dimensions and the fewest bit conditions were found for KMAC. As a result, key recovery attacks on 7-round KMAC128 and 9-round KMAC256 can be mounted. To the best of our knowledge, these are the first cryptanalysis results against KMAC. Using our model, we solve the open question on FKD by extending the conditional cube attack by one additional round. The application of our model to Keyak and Ketje gives rise to new attacks or better attacks with reduced complexities. Specifically, the number of rounds attacked for Lake Keyak with 128-bit keys is improved from 6 to 8 in the nonce-respected setting, and 9 rounds of Lake Keyak can be attacked when 256-bit keys are used; attack complexities are generally reduced on the other constructions.