
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions

  • Ling Song
  • Jian Guo
  • Danping Shi
  • San Ling
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)

Abstract

In this paper, we propose a new MILP modeling to find better or even optimal choices of conditional cubes, under the general framework of conditional cube attacks. These choices generally yield new or improved attacks against the keyed constructions based on the Keccak permutation and its variants, including Keccak-MAC, KMAC, Keyak, and Ketje, in terms of attack complexities or the number of attacked rounds. Interestingly, conditional cube attacks were applied to round-reduced Keccak-MAC, but not to KMAC, despite the great similarity between Keccak-MAC and KMAC and the fact that KMAC is the NIST-standard way of constructing a MAC from SHA-3. As examples demonstrating the effectiveness of our new modeling, we report key recovery attacks against KMAC128 and KMAC256 reduced to 7 and 9 rounds, respectively; the best attack against Lake Keyak with a 128-bit key is improved from 6 to 8 rounds in the nonce-respecting setting, and 9 rounds of Lake Keyak can be attacked if the key size is 256 bits; attack complexity improvements are found generally on the other constructions. Our new model is also applied to the Keccak-based full-state keyed sponge and gives a positive answer to the open question proposed by Bertoni et al. of whether cube attacks can be extended to more rounds by exploiting full-state absorbing. To verify the correctness of our attacks, reduced variants of the attacks are implemented and practically verified on a PC. It is remarked that this work does not threaten the security of any full version of the instances analyzed in this paper.

Keywords

Keccak, SHA-3, KMAC, Keyak, Ketje, Full-state, Conditional cube attack, MILP

Notes

Acknowledgement

Ling Song and Danping Shi are partially supported by the Fundamental Theory and Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grant No. Y7Z0251103), Youth Innovation Promotion Association CAS, the National Natural Science Foundation of China (Grants No. 61802399, 61802400, 61732021, 61772519 and 61472415) and Chinese Major Program of National Cryptography Development Foundation (Grant No. MMJJ20180102).

References

  1. Aumasson, J., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In: Handschuh, H., Lucks, S., Preneel, B., Rogaway, P. (eds.) Symmetric Cryptography, 11.01.–16.01.2009. Dagstuhl Seminar Proceedings, vol. 09031. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Germany (2009). http://drops.dagstuhl.de/opus/volltexte/2009/1944/
  2. Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017). https://tosc.iacr.org/index.php/ToSC/article/view/801
  3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic Sponge functions. Submission to NIST (Round 3) (2011). http://sponge.noekeon.org/CSF-0.1.pdf
  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19
  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak Reference, version 3.0, January 2011. http://keccak.noekeon.org
  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR Submission: Ketje v2. Candidate of CAESAR Competition, September 2016
  7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR Submission: Keyak v2. Candidate of CAESAR Competition, September 2016
  8. Bi, W., Dong, X., Li, Z., Zong, R., Wang, X.: MILP-aided cube-attack-like cryptanalysis on Keccak keyed modes. Designs, Codes and Cryptography, August 2018. https://doi.org/10.1007/s10623-018-0526-x
  9. Chaigneau, C., Fuhr, T., Gilbert, H., Guo, J., Jean, J., Reinhard, J., Song, L.: Key-recovery attacks on full Kravatte. IACR Trans. Symmetric Cryptol. 2018(1), 5–28 (2018). https://doi.org/10.13154/tosc.v2018.i1.5-28
  10. Daemen, J., Mennink, B., Van Assche, G.: Full-state keyed duplex with built-in multi-user support. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 606–637. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_21
  11. Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_24
  12. Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced Keccak. J. Cryptol. 27(2), 183–209 (2014). https://doi.org/10.1007/s00145-012-9142-5
  13. Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_28
  14. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_16
  15. Dong, X., Li, Z., Wang, X., Qin, L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017(1), 259–280 (2017). https://doi.org/10.13154/tosc.v2017.i1.259-280
  16. Fuhr, T., Naya-Plasencia, M., Rotella, Y.: State-recovery attacks on modified Ketje Jr. IACR Trans. Symmetric Cryptol. 2018(1), 29–56 (2018). https://tosc.iacr.org/index.php/ToSC/article/view/843
  17. Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_9
  18. Gurobi: Gurobi Optimizer. http://www.gurobi.com/
  19. Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_9
  20. Li, Z., Bi, W., Dong, X., Wang, X.: Improved conditional cube attacks on Keccak keyed modes with MILP method. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 99–127. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_4
  21. Mennink, B., Reyhanitabar, R., Vizár, D.: Security of full-state keyed sponge and duplex: applications to authenticated encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 465–489. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_19
  22. NIST: SHA-3 Competition (2007–2012). http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
  23. Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced Keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_8
  24. Sasaki, Y., Todo, Y.: New algorithm for modeling S-box in MILP based differential and division trail search. In: Farshim, P., Simion, E. (eds.) SecITC 2017. LNCS, vol. 10543, pp. 150–165. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69284-5_11
  25. Song, L., Guo, J.: Cube-attack-like cryptanalysis of round-reduced Keccak using MILP. To appear in IACR Trans. Symmetric Cryptol. 2018(3) (2018). https://eprint.iacr.org/2018/810
  26. Song, L., Guo, J., Shi, D., Ling, S.: New MILP Modeling: Improved Conditional Cube Attacks on Keccak-based Constructions. Cryptology ePrint Archive, Report 2017/1030 (2017). https://eprint.iacr.org/2017/1030
  27. Song, L., Liao, G., Guo, J.: Non-full Sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_15
  28. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
  29. The U.S. National Institute of Standards and Technology: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Federal Information Processing Standard, FIPS 202, 5 August 2015. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
  30. The U.S. National Institute of Standards and Technology: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash. NIST Special Publication 800-185, 21 December 2016. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China