New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions

  • Ling Song
  • Jian Guo
  • Danping Shi
  • San Ling
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)


In this paper, we propose a new MILP modeling to find better or even optimal choices of conditional cubes, under the general framework of conditional cube attacks. These choices generally yield new or improved attacks against the keyed constructions based on the Keccak permutation and its variants, including Keccak-MAC, KMAC, Keyak, and Ketje, in terms of attack complexities or the number of attacked rounds. Interestingly, conditional cube attacks have been applied to round-reduced Keccak-MAC, but not to KMAC, despite the great similarity between Keccak-MAC and KMAC and the fact that KMAC is the NIST standard way of constructing a MAC from SHA-3. As examples demonstrating the effectiveness of our new modeling, we report key recovery attacks against KMAC128 and KMAC256 reduced to 7 and 9 rounds, respectively; the best attack against Lake Keyak with a 128-bit key is improved from 6 to 8 rounds in the nonce-respecting setting, and 9 rounds of Lake Keyak can be attacked if the key size is 256 bits; attack complexity improvements are found generally on other constructions. Our new model is also applied to the Keccak-based full-state keyed sponge and gives a positive answer to the open question posed by Bertoni et al. of whether cube attacks can be extended to more rounds by exploiting full-state absorbing. To verify the correctness of our attacks, reduced variants of the attacks are implemented and practically verified on a PC. It is remarked that this work does not threaten the security of any full version of the instances analyzed in this paper.


Keywords: Keccak, SHA-3, KMAC, Keyak, Ketje, Full-state, Conditional cube attack, MILP



Ling Song and Danping Shi are partially supported by the Fundamental Theory and Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grant No. Y7Z0251103), Youth Innovation Promotion Association CAS, the National Natural Science Foundation of China (Grants No. 61802399, 61802400, 61732021, 61772519 and 61472415) and Chinese Major Program of National Cryptography Development Foundation (Grant No. MMJJ20180102).



  1. Aumasson, J., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In: Handschuh, H., Lucks, S., Preneel, B., Rogaway, P. (eds.) Symmetric Cryptography, 11.01.–16.01.2009. Dagstuhl Seminar Proceedings, vol. 09031. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Germany (2009)
  2. Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017)
  3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic Sponge Functions. Submission to NIST (Round 3) (2011)
  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)
  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak Reference, version 3.0, January 2011
  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR Submission: Ketje v2. Candidate of the CAESAR Competition, September 2016
  7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR Submission: Keyak v2. Candidate of the CAESAR Competition, September 2016
  8. Bi, W., Dong, X., Li, Z., Zong, R., Wang, X.: MILP-aided cube-attack-like cryptanalysis on Keccak keyed modes. Designs, Codes and Cryptography, August 2018
  9. Chaigneau, C., Fuhr, T., Gilbert, H., Guo, J., Jean, J., Reinhard, J., Song, L.: Key-recovery attacks on full Kravatte. IACR Trans. Symmetric Cryptol. 2018(1), 5–28 (2018)
  10. Daemen, J., Mennink, B., Van Assche, G.: Full-state keyed duplex with built-in multi-user support. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 606–637. Springer, Cham (2017)
  11. Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012)
  12. Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced Keccak. J. Cryptol. 27(2), 183–209 (2014)
  13. Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015)
  14. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)
  15. Dong, X., Li, Z., Wang, X., Qin, L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017(1), 259–280 (2017)
  16. Fuhr, T., Naya-Plasencia, M., Rotella, Y.: State-recovery attacks on modified Ketje Jr. IACR Trans. Symmetric Cryptol. 2018(1), 29–56 (2018)
  17. Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016)
  18. Gurobi: Gurobi Optimizer
  19. Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017)
  20. Li, Z., Bi, W., Dong, X., Wang, X.: Improved conditional cube attacks on Keccak keyed modes with MILP method. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 99–127. Springer, Cham (2017)
  21. Mennink, B., Reyhanitabar, R., Vizár, D.: Security of full-state keyed sponge and duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 465–489. Springer, Heidelberg (2015)
  22. NIST: SHA-3 Competition (2007–2012)
  23. Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced Keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017)
  24. Sasaki, Y., Todo, Y.: New algorithm for modeling S-box in MILP based differential and division trail search. In: Farshim, P., Simion, E. (eds.) SecITC 2017. LNCS, vol. 10543, pp. 150–165. Springer, Cham (2017)
  25. Song, L., Guo, J.: Cube-attack-like cryptanalysis of round-reduced Keccak using MILP. To appear in IACR Trans. Symmetric Cryptol. 2018(3) (2018)
  26. Song, L., Guo, J., Shi, D., Ling, S.: New MILP Modeling: Improved Conditional Cube Attacks on Keccak-based Constructions. Cryptology ePrint Archive, Report 2017/1030 (2017)
  27. Song, L., Liao, G., Guo, J.: Non-full Sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017)
  28. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)
  29. The U.S. National Institute of Standards and Technology: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Federal Information Processing Standard, FIPS 202, 5 August 2015
  30. The U.S. National Institute of Standards and Technology: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash. NIST Special Publication 800-185, 21 December 2016

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
