Conditional Cube Attack on ReducedRound Keccak Sponge Function
 20 Citations
 1 Mentions
 3.2k Downloads
Abstract
The security analysis of Keccak, the winner of SHA3, has attracted considerable interest. Recently, some attention has been paid to the analysis of keyed modes of Keccak sponge function. As a notable example, the most efficient key recovery attacks on KeccakMAC and Keyak were reported at EUROCRYPT’15 where cube attacks and cubeattacklike cryptanalysis have been applied. In this paper, we develop a new type of cube distinguisher, the conditional cube tester, for Keccak sponge function. By imposing some bit conditions for certain cube variables, we are able to construct cube testers with smaller dimensions. Our conditional cube testers are used to analyse Keccak in keyed modes. For reducedround KeccakMAC and Keyak, our attacks greatly improve the best known attacks in key recovery in terms of the number of rounds or the complexity. Moreover, our new model can also be applied to keyless setting to distinguish Keccak sponge function from random permutation. We provide a searching algorithm to produce the most efficient conditional cube tester by modeling it as an MILP (mixed integer linear programming) problem. As a result, we improve the previous distinguishing attacks on Keccak sponge function significantly. Most of our attacks have been implemented and verified by desktop computers. Finally we remark that our attacks on the reducedround Keccak will not threat the security margin of Keccak sponge function.
Keywords
KeccakMAC Keyak Cube tester Conditional cube variable Ordinary cube variable1 Introduction
The Keccak sponge function family, designed by Bertoni, Daemen, Peeters, and Giles in 2007 [1], was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the proposed SHA3 cryptographic hash function.
Due to its theoretical and practical importance, cryptanalysis of Keccak has attracted increasing attention. There has been extensive research recently, primarily on the keyless setting. For example, in keyless modes of reducedround Keccak, many results have been obtained on collision attack [2], preimage attack [3] and second preimage attack [4]. Additionally, there are also some research focused on the distinguishers of Keccak internal permutation, in which the size of input is the full state. In [5], a distinguisher of full 24round Keccak internal permutation was proposed which takes \(2^{1579}\) Keccak calls. Using the rebound attack and efficient differential trails, Duc et al. [6] derived a distinguisher for 8round Keccak internal permutation with the complexity \(2^{491}\). Jérémy et al. [7] provided an 8round internal differential boomerang distinguisher on Keccak with practical complexity. It should be remarked that these results on Keccak internal permutation seem to be a little far from the security margin of Keccak sponge function, which do not lead any attacks to Keccak hash function. For distinguishing attacks on Keccak sponge function with the bitrate part as its input, some results have been given in [8, 9, 10]. These distinguishers are one step closer to the security margin but some of these distinguisher are far from being practical.
By embedding a secret key in a message as an input, Keccak can be used in several settings. For example, Keccak sponge function can produce a pseudorandom binary string of arbitrary length, and hence can serve as a stream cipher. It is also a natural keyed hash function, namely, a message authentication code (MAC). Moreover, an authenticated encryption (AE) scheme based on Keccak was described in [11]. However, there is much less research reported for the keyed modes of the family of Keccak sponge functions. Besides the side channel attack for KeccakMAC [12], the celebrated paper on key recovery attacks [10] seems to be the only one found in the literature for analysing keyed modes of Keccak. In [10], the authors set cube variables in the column parity (CP) kernel to control the propagation of the mapping \(\theta \) in the first round. More specifically, the cube dimension can be reduced by carefully selecting cube variables so that they are not multiplied with each other after the first round. The cube sums of output polynomials depend only on a portion of key bits. The dedicated cubeattacklike cryptanalysis uses this property to construct the first key recovery attack on reducedround KeccakMAC and Keyak. It is also noted that the cube attack and cubeattacklike are very efficient techniques in analysing Keccaklike cryptosystems in [13, 14].
We observe that most of the attacks described in the previously published work deal with propagations of cube variables only after the first round. Thus, it is a natural and interesting question to ask whether and how we can control certain relations of cube variables after the second round of the Keccak sponge function to push this kind of attacks further. The purpose of this paper is to answer this question by proposing the technique of conditional cube tester and making the corresponding attacks more efficient. To the best of our knowledge, the results obtained in this paper are currently the best in terms of the number of rounds or the complexity.
1.1 Our Contributions
Conditional Cube Tester for Keccak Sponge Function. Our conditional cube tester model is inspired by the dynamic cube attack on Grain stream cipher [15]. The approach of dynamic cube attack in [15] is to set some bit conditions on the initial value (IV) so that the intermediate polynomials can be simplified and the degree of output polynomial can be reduced. However, this approach cannot be utilized directly in the setting of Keccak sponge function because its structure is very different from that of Grain stream cipher. Additionally, the number of intermediate polynomials related to the ones in the previous round is too large for Keccak, which makes the approach of dynamic cube attack infeasible. The bittracing method (see [16]), proposed by one of the authors, is a powerful technique to analyse hash functions. This method has also been used in the cryptanalysis of block ciphers such as Simon family in [17]. Some ideas of our current work are stimulated by the bittracing method. In this paper, we propose a new approach by imposing bit conditions on the input to control the propagation of cube variables caused by the nonlinear operation \(\chi \). This will be helpful in identifying the cube variables that are not multiplied with each other after the second round of Keccak sponge function. We provide several algorithms for searching the cube variables and imposing the corresponding bit conditions. These algorithms give a base to construct a conditional cube tester. In some cases the dimension of this cube tester is smaller than the cube testers in [10]. Our model is also influenced by the conditional differential cryptanalysis method developed in [18]. Noted that our analysis is algebraic in nature since the attacks are designed by exploring algebraic properties while the previous conditional differential is based on differential bias.
Summary of key recovery attacks on KeccakMAC
Rounds  Capacity  Time  Data  Memory  Reference 

5  576  \(2^{35}\)  \(2^{35}\)  Negligible  [10] 
6  256  \(2^{66}\)  \(2^{64}\)  \(2^{32}\)  [10] 
7  256  \(2^{97}\)  \(2^{64}\)  \(2^{32}\)  [10] 
5  576/1024  \(2^{24}\)  \(2^{24}\)  Negligible  Sect. 4 
6  256/768  \(2^{40}\)  \(2^{40}\)  Negligible  Sect. 4 
7  256/512  \(2^{72}\)  \(2^{72}\)  Negligible  Sect. 4 
Summary of distinguishing attacks on Keccak sponge function
Rounds  Capacity  Time  Data  Memory  Reference 

4  448/512  \(2^{25}\)  \(2^{24}\)  Negligible  [8] 
6  448  \(2^{52}\)  \(2^{52}\)  Negligible  [9] 
6  448/512/576  \(2^{33}\)  \(2^{33}\)  Negligible  [10] 
7  448/512/576  \(2^{65}\)  \(2^{65}\)  Negligible  [10] 
8  576  \(2^{129}\)  \(2^{129}\)  Negligible  [10] 
5  448/512  \(2^{9}\)  \(2^{9}\)  Negligible  Sect. 6 
6  768/1024  \(2^{9}\)  \(2^{9}\)  Negligible  Sect. 6 
6  448/512/576  \(2^{17}\)  \(2^{17}\)  Negligible  Sect. 6 
7  768  \(2^{17}\)  \(2^{17}\)  Negligible  Sect. 6 
7  448  \(2^{33}\)  \(2^{33}\)  Negligible  Sect. 6 
The remainder of the paper is organized as follows. We introduce some preliminaries needed for the paper in Sect. 2, including Keccak sponge function, two keyed modes of Keccak, and the idea of cube tester. In Sect. 3, we will describe our new model, the conditional cube tester. Key recovery attacks for KeccakMAC and Keyak based on our new model will be discussed in detail in Sects. 4 and 5. Section 6 is devoted to distinguishing Keccak sponge function from a random permutation using the conditional cube tester. Finally, we conclude the paper in Sect. 7.
2 Preliminaries
In the section, we will briefly introduce some necessary background for this paper. We will describe Keccak sponge function including two keyed modes, namely KeccakMAC and the AE scheme Keyak. In the later part of the section, the idea of cube tester will be described.
2.1 Keccak Sponge Function
Description of Keccak Sponge Function. We shall just describe the Keccak sponge function in its default version. We refer the readers to [1] for the complete Keccak specification.
For each \(n\in \{224,256,384,512\}\), the sponge function Keccakn corresponds to parameters r (bitrate) and \(c=2n\) (capacity) with \(r+c=1600\). Initially, all the 1600 bits are filled with 0s and the message will be split into rbit blocks. There are two phases in the Keccak sponge function. In the absorbing phase, the next rbit message block is XORed with its first rbit segment of the state and then the state is processed by internal permutation which consists of 24 rounds. After all the blocks are absorbed, the squeezing phase starts. In this phase, Keccakn will return the first r bits as the output of the function with internal permutation iteratively until the nbit digest is produced.
The purpose of \(\theta \) is to diffuse the state. If a variable in every column of state has even parity, it will not diffuse to other columns: this is the column parity kernel (CP kernel) property. Thus diffusion of some input variables caused by \(\theta \) can be controlled in the first round. This property has been widely used in cryptanalysis of Keccak. For example, the attacks in [10] use it to decrease the dimension of the cube. The operations \(\rho \) and \(\pi \) just change the position of bits. The first three linear operations \(\theta , \rho \) and \(\pi \) will be called half a round. In the permutation, the only nonlinear operation is \(\chi \) whose algebraic degree is 2. Therefore, after an nround Keccak internal permutation, the algebraic degree of the output polynomial is at most \(2^{n}\). We will not consider \(\iota \) since it has no impact on our attacks.
2.2 Keyed Modes of Keccak
MAC Based on Keccak. As an example demonstrated in Fig. 2, one gets a MAC (or a tag) by concatenating a secret key with a message as the input to a hash function. This primitive to ensure data integrity and authentication of a message should satisfy the two following security requirements: no key recovery and resistance of MAC forgery.
Authenticated Encryption Scheme Based on Keccak. An AE scheme is used to provide confidentiality, integrity and authenticity of data where decryption is combined with integrity verification. An authenticated encryption scheme based on Keccak is the scheme Keyak [11] which is a thirdround candidate algorithm submitted to CAESAR [19]. Figure 3 depicts the construction of Keyak on twoblock message. Both key and nonce are 128 bits. The capacity is 256 bits long and the bitrate is 1344 bits long.
2.3 Cube Tester
Cube tester introduced in [20] is a distinguisher to detect some algebraic property of cryptographic primitives. The idea is to reveal nonrandom behaviour of a Boolean function with algebraic degree d by summing its values when cube variables of size k (\(k\le d\)) run over all of their \(2^{k}\) inputs. This cube sum can be taken as higher order derivative [21] of the output polynomial with respect to cube variables. More precisely, we have
Theorem 1
Some properties for the polynomial \(P_t\), such as its low algebraic degree and highly unbalanced truth table, have been extensively considered in [20, 22].
\((n+1)\) Round Cube Tester on Keccak Sponge Functions. A cube tester can be constructed based on algebraic properties of Keccak sponge function to distinguish a roundreduced Keccak from a random permutation. An adversary can easily select a combination of \(2^n+1\) cube variables such that they are not multiplied with each other after the first round of Keccak. Note that after nround Keccak the degree of these cube variables is at most \(2^n\). So the adversary can sum the output values over a cube of dimension \(2^n+1\) to get zero for a \((n+1)\)round Keccak. This property is also used to perform MAC forgery attack in [10] when \(n\le 6\).
3 Conditional Cube Tester for Keccak Sponge Function
In our new model, we develop a strategy to carefully choose the cube variables such that they are either not multiplied with each other after the second round or multiplied within a restrict set of variables.
The idea of our new model—the conditional cube tester, is to attach some bit conditions to a cube tester. Figure 4 illustrates how to formulate such conditions. A detailed discussion will be given later in this section. To minimize the possibilities that the cube variable \(v_0\) gets multiplied with other cube variables, we need to slow down the propagation of \(v_0\). This can be done by imposing some additional conditions on the input message so that the coloured input bits of the second round are not related to \(v_0\). Thus these coloured input bits of the second round will not diffuse to other bits in the next round Keccak internal permutation. This is how the propagation of \(v_0\) is controlled.
In the rest of this section, we shall define some types of cube variables in the CP kernel that are involved in the conditional cube tester. An important type is a set of variables that are well behaved through two rounds of Keccak, and we will see that some extra conditions on bits must be satisfied in order to get such variables. Then we will prove a useful result for these cube variables in a conditional cube tester. In the last part of the section, we shall discuss some properties on Keccak sponge function and describe algorithms based on these properties to examine multiplication relation after the second round between every pair of cube variables.
3.1 Conditional and Ordinary Cube Variables in a Conditional Cube Tester
In our discussion, cube variables are the variables in the CP kernel that are not multiplied with each other after the first round of Keccak. Now let us define two types of cube variables for the conditional cube tester.
Definition 1
Cube variables that have propagation controlled in the first round and are not multiplied with each other after the second round of Keccak are called conditional cube variables. Cube variables that are not multiplied with each other after the first round and are not multiplied with any conditional cube variable after the second round are called ordinary cube variables.
An ordinary cube variable has the advantage that it does not need any extra conditions. However, there are no mechanisms to prevent ordinary cube variables from being multiplied with each other after the second round. Thus, in order to get an optimal cube tester for Keccak sponge function, a proper combinations of ordinary cube variables and conditional cube variables should be carefully selected.
To construct an \((n+2)\)round cube tester, we need to choose p conditional cube variables and q ordinary cube variables. With an appropriate choice of p and q, we have
Theorem 2
For \((n+2)\)round Keccak sponge function \((n>0)\), if there are p \((0\le p < 2^{n}+1)\) conditional cube variables \(v_1,\dots ,v_p\), and \(q=2^{n+1}2p+1\) ordinary cube variables, \(u_{1},\dots , u_{q}\) (If \(q=0\), we set \(p=2^n+1\)), then the term \(v_1v_2\dots v_{p}u_1\dots u_q \) will not appear in the output polynomials of \((n+2)\)round Keccak sponge function.
Proof
Let \(X_1, \cdots , X_s\) be the terms that contain \(v_i \ (i=1, \dots , p)\) after the second round. Then by the definition of conditional cube variables, the degree of each \(X_j\) is one with respect to some \(v_i(i=1, \dots , p)\). Similarly, let \(Y_1, \cdots , Y_t\) be the terms that contain \(u_i \ (i=1, \dots , q)\) after the second round. Then by the definition of ordinary variables, the degree of each \(Y_j\) is at most two with respect to some \(u_i\)s \((i=1, \dots , p)\), and no \(v_i \ (i=1, \dots , p)\) appears in \(Y_j\).
Let us make some remarks on this theorem. The case that there is no conditional cube variable (i.e., \(p=0\)) has been discussed extensively in [10], such as forgery attacks on KeccakMAC and Keyak. For the case where \(1\le p \le 2^{n}+1\), we can apply the conditional cube tester to recover the key for the \((n+2)\)round keyed modes of Keccak based on Theorem 2. The specific methods will be described in Sects. 4 and 5. Furthermore, in Sect. 6, we are able to use the case \(p=2^n+1\) to implement the distinguishing attacks on Keccak sponge function.
In this paper, we only consider the cases when \(n=3,4,5\). If a proper combination of cube variables could be found for \(n>5\), the conditional cube tester still works.
3.2 Properties of Keccak Sponge Function
Before stating three useful properties of Keccak sponge function, we will describe the bitwise derivative of Boolean functions–a tool that helps us to explain our ideas accurately. The bitwise derivative of Boolean functions was proposed by Bo Zhu et al. and used to analyse Boolean algebra based block ciphers [23]. We observe that there is an equivalent relation between the differential characteristic and the bitwise derivatives of Boolean functions. However, it is much more efficient to trace the propagation of a variable by observing the differential characteristic rather than by computing the exact bitwise derivatives of Boolean functions. The bitwise derivative of a Boolean function is defined as follows.
Definition 2
Now let us describe differential properties of \(\chi \) in the view of bitwise derivative. In this section, we first fix some notations. We will write the input of \(\chi \) to be the (vectorvalued) Boolean function \(F=(f_0,f_1,f_2,f_3,f_4)\). The corresponding output is written as the (vectorvalued) Boolean function \(G=(g_0,g_1,g_2,g_3,g_4)\). The bitwise derivative of a (vectorvalued) Boolean function is defined to be the (vectorvalued) Boolean function by taking bitwise derivative in a componentwise manner.
Property 1
(Bit Conditions). If \(\delta _{v_0}F=(1,0,0,0,0)\), then \(\delta _{v_0}G=(1,0,0,0,0)\) if and only if \(f_1=0\) and \(f_4+1=0\).
Proof
Summary of conditions for bitwise derivative of \(\chi \)
Input/Output bitwise derivative (Difference)  Conditions 

\((1,0,0,0,0) \xrightarrow {} (1,0,0,0,0)\)  \(f_1=0, f_4=1\) 
\((0,1,0,0,0) \xrightarrow {} (0,1,0,0,0)\)  \(f_2=0, f_0=1\) 
\((0,0,1,0,0) \xrightarrow {} (0,0,1,0,0)\)  \(f_3=0, f_1=1\) 
\((0,0,0,1,0) \xrightarrow {} (0,0,0,1,0)\)  \(f_4=0, f_2=1\) 
\((0,0,0,0,1) \xrightarrow {} (0,0,0,0,1)\)  \(f_0=0, f_3=1\) 
In order to show the advantage of a conditional cube variable over an ordinary cube variable, we consider the propagation of variable \(A[2][0][0]=A[2][1][0]= v_0\) in two views: as an ordinary cube variable in the view of truncated differential characteristic (Fig. 6(a)) and as a conditional cube variable in the view of differential characteristic (Fig. 6(b)).
It is obvious to see that the two active bits at the beginning of the second round will affect 22 bits caused by the step \(\theta \). Thus, the conditional cube variable in Fig. 6(b) only relates to 22 active bits after 1.5round Keccak internal permutation. However, not only bits with black colour but also those with gray colour after 1.5round Keccak involve the ordinary cube variable in Fig. 6(a). In total, there are 62 bits related to \(v_0\) after 1.5round Keccak. So it is more likely for a ordinary cube variable to get multiplied with other cube variables after the second round Keccak.
The pattern of the conditional cube variable \(v_0\) in Fig. 6(b) will be called a 2222 pattern to reflect the number of active bits in three states (the input state, the output state of the first round and the output state of the first 1.5 rounds).
During the process of searching more cube variables, we need to determine whether candidate variables get multiplied after the second round of Keccak and eliminate conditional cube variable candidates that require conflicting conditions. We observe that the following two properties with respect to the operation \(\chi \) will be useful in dealing with these situations.
Property 2
(Multiplication). Assume that \(\delta _{v_0}F=(\delta _{v_0}f_0,0,0,0,0)\) and \(\delta _{v_1}F=(0,\delta _{v_1}f_1,0,0,0)\) with \(\delta _{v_0}f_0\cdot \delta _{v_1}f_1\not =0\), then the term \(v_0v_1\) will be in the output of \(\chi \).
Proof
Property 3
(Exclusion). If \(\delta _{v_0}F=(1,0,0,0,0)\) and \(\delta _{v_1}F=(0,0,1,0,0)\), then at least one of \(\delta _{v_0}G=(1,0,0,0,0)\) and \(\delta _{v_1}G=(0,0,1,0,0)\) is false.
Proof
From the Property 1 as well as the Table 4, the conditions \(\delta _{v_0}F=(1,0,0,0,0)\) and \(\delta _{v_0}G=(1,0,0,0,0)\) would imply \(f_1=0, f_4=1\). Under the assumption \(\delta _{v_1}F=(0,0,1,0,0)\), if \(\delta _{v_1}G=(0,0,1,0,0)\) also holds true, then we would have \(f_1=1, f_3=0\). This is a contradiction. \(\square \)
For a version of Keccak sponge function, many positions in the plaintext space can be set as cube variables. For example, as shown in Fig. 7, we can set the bits in the same colour as a cube variable for the version Keccak512. There are 256 such cases in 64 slices. Each of these cases in a version of Keccak is called a cube variable candidate.
In the three algorithms, \(v_0\) and \(v_1\) are assumed to be two cube variable candidates in a Keccak version. We use \(\delta _{v_0}A \ (\delta _{v_1}A)\) to denote the positions of \(v_0 \ (v_1)\) in the input state, which means to apply bitwise derivative on each entry of A. For example \(\delta _{v_0}A[i][j][k]=1\) means \(A[i][j][k]=v_0+h\), where h is a Boolean function independent of \(v_0\). For a cube variable candidate v, we shall use ‘0’, ‘1’ and ‘2’ to denote the inactive bit, the active bit and the unknown bit respectively. To be more specific, v is of type ‘0’ if \(\delta _{v}A[i][j][k]=0\), v is of type ‘1’ if \(\delta _{v}A[i][j][k]=1\) and type ‘2’ if \(\delta _{v}A[i][j][k]\) is a Boolean function. In this way, the truncated differences or differences in the algorithms can be used to interpret the bitwise derivatives on the state with respect to v.
4 Key Recovery Attack on ReducedRound KeccakMAC
In this section, we will use conditional cube testers to perform key recovery attacks against KeccakMAC. First, we will discuss the general procedure for key recovery attack, including the attack process, complexity analysis and searching algorithm for suitable combinations of conditional and ordinary cube variables. Then we will describe conditional cube attacks to different variants of KeccakMAC, including KeccakMAC512, KeccakMAC384 and KeccakMAC224.
4.1 General Process for Key Recovery Attack on KeccakMAC
 Step 1.

Assign free variables with random values.
 Step 2.

Guess values of the s equivalent key bits.
 Step 3.

Calculate the values of conditional variables under the guess of key bits.
 Step 4.

For each possible set of values of cube variables, compute the corresponding tag and then sum all of the 128bit tags over the \((2^{n+1}p+1)\)dimension cube.
 Step 5.

If the sum is zero, the guess of these s key bits is probable correct and the process terminates; otherwise the guess is invalid, go back to Step 2.
4.2 Key Recovery on 5/6/7Round KeccakMAC
We first discuss 5round KeccakMAC512. In this case, \(n=3\) and full key bits can be recovered with one conditional cube variable and 15 ordinary cube variables. The block size of this version is \(16002 \cdot 512=576\) bits. As discussed in Sect. 4.1, we set \(A[2][0][0]=A[2][1][0]=v_0\) to be the conditional cube variable. A[4][0][44], A[2][0][4], A[2][0][59] and A[2][0][27] are the conditional variables assigned with Boolean functions and a set of the corresponding ordinary cube variables is produced by Algorithm 4 (see Table 5). To recover the remaining key bits, the positions of the conditional cube variable shall be shifted to \(A[2][0][i]=A[2][1][i]=v_0(1\le i\le 63)\) and the positions of ordinary cube variables shall be rotated at the same time. The key is recovered in \(2^{24}\) time and data, which is very practical. On a desktop computer, the process of recovering a key only costs a few minutes.
Parameters set for attack on 5round KeccakMAC512
Ordinary cube variables  A[2][0][8]=A[2][1][8]=\(v_{1}\), A[2][0][12]=A[2][1][12]=\(v_{2}\), A[2][0][20]=A[2][1][20]=\(v_{3}\), A[2][0][28]=A[2][1][28]=\(v_{4}\), A[2][0][41]=A[2][1][41]=\(v_{5}\), A[2][0][43]=A[2][1][43]=\(v_{6}\), A[2][0][45]=A[2][1][45]=\(v_{7}\), A[2][0][53]=A[2][1][53]=\(v_{8}\), A[2][0][62]=A[2][1][62]=\(v_{9}\), A[3][0][3]=A[3][1][3]=\(v_{10}\), A[3][0][4]=A[3][1][4]=\(v_{11}\), A[3][0][9]=A[3][1][9]=\(v_{12}\), A[3][0][13]=A[3][1][13]=\(v_{13}\), A[3][0][23]=A[3][1][23]=\(v_{14}\), A[3][0][30]=A[3][1][30]=\(v_{15}\) 
Conditional cube variable  A[2][0][0]=A[2][1][0]=\(v_{0}\) 
Bit conditions  A[4][0][44]=0, A[2][0][4]= \(k_{5}\) + \(k_{69}\) + A[0][1][5] + A[2][1][4] + 1, A[2][0][59]= \(k_{60}\) + A[0][1][60] + A[2][1][59] + 1, A[2][0][7]= A[4][0][6] + A[2][1][7] + A[3][1][7] 
Guessed key bits  \(k_{60},k_{5}+k_{69}\) 
5 Key Recovery Attacks on ReducedRound Keyak
Similar to the key recovery attack on Keyak in [10], we also deal with twoblock messages (as depicted in Fig. 3) and allow the reuse of a nonce. In this way, we can use the first block to control the input of the second permutation and the second block to get the output of the second permutation. The attack described here is in fact a state recovery attack. We are able to get the bitrate part \(X_0\) (see Fig. 3) but not the 256 bits in the capacity part. Denoting the capacity part as \(k =(k_0,k_1,\cdots , k_{255})\), we will first recover k, then get the master key by performing the inverse of the first Keccak internal permutation.
In the attack, cube variables are set in the input state of the second Keccak internal permutation by choosing the values of \(P_1\) while the second message block \(P_2\) is set to zero bits. This implies that the second ciphertext block \(C_2\) is the output of Keccak internal permutation. The attack procedure is almost identical to the general process described in Sect. 4.1 except for the bit conditions and the inverse process on the output. For 1344 output bits of Keyak, the operation \(\chi \) of the last round on the most significant 1280 bits can be reversed. Note that the linear operations of the final round do not increase the degree of output polynomials, so the previous \((n+2)\)round cube tester can be used for \((n+3)\)round. In other words, conditional cube attack can be extended by one more round forward without increasing the dimension of cube.
For 7round Keyak, conditional cube attack is built with the same cube as in Table 9 except for a different set of bit conditions as shown in Table 6. Note that in Table 6 A denotes the input state to the second internal permutation. By shifting the positions of cube variables and repeating the attack for \(192/4=48\) times, three lanes of secret values, i.e. \(k_0,\dots , k_{191}\), can be recovered with \(2^{36}\cdot 48 =2^{41.58}\) Keyak calls. The other lane of key bits can be recovered by changing the conditional cube variable to \(A[3][0][i]=A[3][1][i]=v_{0}\) and a set of the corresponding ordinary cube variables could be produced similarly by Algorithm 4. Since only one key bit is involved in the bit conditions after recovering three lanes of secret values, the remaining lane of secret values can be identified with \(2^{33}\cdot 2^6=2^{39}\) Keyak calls. In total, the time complexity to recover the full 128bit master key is about \(2^{42}\) Keyak calls.
For 8round Keyak, cube variables in Table 10 and bit conditions in the Table 6 are used in the conditional cube attack. Using a similar analysis as that to 7round Keyak, the data and time complexities for 8round attack are \(2^{74}\).
Parameters for attacking 7round and 8round Keyak
Bit conditions for 8(7)round Keyak  A[4][0][44]=\(k_{169}\) (+A[4][1][44]) + A[2][2][45] + A[3][2][45] + A[4][2][44] + A[2][3][45] + A[4][3][44], A[0][0][5]= \(k_{128}\) + A[1][0][5] + A[2][0][4] + A[0][1][5] + A[2][1][4] + A[0][2][5] + A[2][2][4] + A[0][3][5] + A[2][3][4] + A[0][4][5] + 1, A[0][0][60]= \(k_{56}\) + \(k_{183}\) + A[2][0][59] + A[0][1][60] + A[2][1][59] + A[0][2][60] + A[2][2][59] + A[0][3][60] + A[2][3][59]+ A[0][4][60] + 1, A[2][0][7]= \(k_{131}\) + A[4][0][6] + A[2][1][7] + A[3][1][7] + A[4][1][6] + A[2][2][7]+ A[4][2][6] + A[2][3][7] + A[4][3][6] 
Guessed key bits  \(k_{169}\), \(k_{128}\), \(k_{56}\) + \(k_{183}\), \(k_{131}\) 
6 Distinguishing Attacks on Keccak Sponge Function
In this section, conditional cube tester will be applied to establish distinguishing attacks on Keccak sponge function with practical complexity. By Theorem 2, if we use \(2^n+1\) conditional cube variables, the monomial containing these \(2^n+1\) conditional cube variables will not appear in the output polynomials of \((n+2)\)round Keccak sponge function. This means that the dimension of the cube to distinguish \((n+2)\)round Keccak is reduced to \(2^n+1\) from higher numbers reported in [10]. In some cases like Keccak512 and Keccak384, the distinguishing attacks could be extended one more round forward.

Find a combination of sufficiently many conditional cube variables;

Derive the corresponding bit conditions for the chosen conditional cube variables.
6.1 Constructing Conditional Cube Tester with MILP
A mixedinteger linear programming (MILP) problem is a linear programming problem with some variables taking integer values. MILP has been used to find the best differential characteristic in [25]. In this section, we model the problem of finding a combination of sufficiently many conditional cube variables as an MILP problem.
Four differential characteristics in double kernel pattern
6.2 Distinguishing Attack on Keccak512 and Keccak384
Offsets r[x,y] in operation \(\rho \)
0  1  62  28  27 
36  44  6  55  20 
3  10  43  25  39 
41  45  15  21  8 
18  2  61  56  14 
Parameters set for attack on 6round KeccakMAC384
Ordinary cube variables  A[2][0][12]=A[2][1][12]=\(v_{1}\), A[2][0][20]=A[2][1][20]=\(v_{2}\), A[2][0][28]=A[2][1][28]=\(v_{3}\), A[2][0][41]=A[2][1][41]=\(v_{4}\), A[2][0][43]=A[2][1][43]=\(v_{5}\), A[2][0][45]=A[2][1][45]=\(v_{6}\), A[2][0][53]=A[2][1][53]=\(v_{7}\), A[2][0][61]=A[2][1][61]=\(v_{8}\), A[2][0][62]=A[2][1][62]=\(v_{9}\), A[3][0][3]=A[3][1][3]=\(v_{10}\), A[3][0][9]=A[3][1][9]=\(v_{11}\), A[3][0][13]=A[3][1][13]=\(v_{12}\), A[3][0][15]=A[3][1][15]=\(v_{13}\), A[3][0][23]=A[3][1][23]=\(v_{14}\), A[3][0][30]=A[3][1][30]=\(v_{15}\), A[3][0][40]=A[3][1][40]=\(v_{16}\), A[3][0][46]=A[3][1][46]=\(v_{17}\), A[3][0][56]=A[3][1][56]=\(v_{18}\), A[3][0][57]=A[3][1][57]=\(v_{19}\), A[4][0][5]=A[4][1][5]=\(v_{20}\), A[4][0][10]=A[4][1][10]=\(v_{21}\), A[4][0][12]=A[4][1][12]=\(v_{22}\), A[4][0][14]=A[4][1][14]=\(v_{23}\), A[4][0][47]=A[4][1][47]=\(v_{24}\), A[4][0][58]=A[4][1][58]=\(v_{25}\), A[4][0][62]=A[4][1][62]=\(v_{26}\), A[4][0][63]=A[4][1][63]=\(v_{27}\), A[0][1][28]=A[0][2][28]=\(v_{28}\), A[0][1][34]=A[0][2][34]=\(v_{29}\), A[0][1][37]=A[0][2][37]=\(v_{30}\), A[0][1][46]=A[0][2][46]=\(v_{31}\) 
Conditional cube variable  A[2][0][0]=A[2][1][0]=\(v_{0}\) 
Bit conditions  A[4][0][44]= A[4][1][44] + A[2][2][45], A[2][0][4]= \(k_{5}\) + \(k_{69}\) + A[0][1][5] + A[2][1][4] + A[0][2][5] + A[2][2][4] + 1, A[2][0][59]= \(k_{60}\) + A[0][1][60] + A[2][1][59] + A[0][2][60] + A[2][2][59] + 1, A[2][0][7]= A[4][0][6] + A[2][1][7] + A[4][1][6] + A[2][2][7] + A[3][1][7]. 
Guessed key bits  \(k_{60},k_{5}+k_{69}\) 
Parameters set for attack on 7round KeccakMAC256
Ordinary cube variables  A[2][0][8]=A[2][1][8]=\(v_{1}\), A[2][0][12]=A[2][1][12]=\(v_{2}\), A[2][0][20]=A[2][1][20]=\(v_{3}\), A[2][0][28]=A[2][1][28]=\(v_{4}\), A[2][0][41]=A[2][1][41]=\(v_{5}\), A[2][0][43]=A[2][1][43]=\(v_{6}\), A[2][0][45]=A[2][1][45]=\(v_{7}\), A[2][0][53]=A[2][1][53]=\(v_{8}\), A[2][0][62]=A[2][1][62]=\(v_{9}\), A[3][0][3]=A[3][1][3]=\(v_{10}\), A[3][0][9]=A[3][1][9]=\(v_{11}\), A[3][0][13]=A[3][1][13]=\(v_{12}\), A[3][0][30]=A[3][1][30]=\(v_{13}\), A[3][0][40]=A[3][1][40]=\(v_{14}\), A[3][0][46]=A[3][1][46]=\(v_{15}\), A[3][0][56]=A[3][1][56]=\(v_{16}\), A[4][0][5]=A[4][1][5]=\(v_{17}\), A[4][0][10]=A[4][1][10]=\(v_{18}\), A[4][0][12]=A[4][1][12]=\(v_{19}\), A[4][0][14]=A[4][1][14]=\(v_{20}\), A[4][0][31]=A[4][1][31]=\(v_{21}\), A[4][0][47]=A[4][1][47]=\(v_{22}\), A[4][0][58]=A[4][1][58]=\(v_{23}\), A[4][0][62]=A[4][1][62]=\(v_{24}\), A[4][0][63]=A[4][1][63]=\(v_{25}\), A[0][1][37]=A[0][2][37]=\(v_{26}\), A[0][1][47]=\(v_{27}\), A[0][2][47]=\(v_{27}\)+\(v_{28}\), A[0][3][47]=\(v_{28}\), A[0][1][46]=A[0][2][46]=\(v_{29}\), A[0][1][59]=A[0][2][59]=\(v_{30}\), A[1][1][7]=A[1][2][7]=\(v_{31}\), A[1][1][15]=A[1][2][15]=\(v_{32}\), A[1][1][20]=A[1][2][20]=\(v_{33}\), A[1][1][26]=A[1][2][26]=\(v_{34}\), A[1][1][30]=A[1][2][30]=\(v_{35}\), A[1][1][38]=A[1][2][38]=\(v_{36}\), A[1][1][39]=A[1][2][39]=\(v_{37}\), A[1][1][40]=A[1][2][40]=\(v_{38}\), A[1][1][52]=A[1][2][52]=\(v_{39}\), A[1][1][54]=A[1][2][54]=\(v_{40}\), A[2][1][11]=A[2][2][11]=\(v_{41}\), A[2][1][15]=A[2][2][15]=\(v_{42}\), A[2][1][19]=A[2][2][19]=\(v_{43}\), A[2][1][24]=A[2][2][24]=\(v_{44}\), A[2][1][52]=A[2][2][52]=\(v_{45}\), A[2][1][58]=A[2][2][58]=\(v_{46}\), A[2][1][61]=A[2][2][61]=\(v_{47}\), A[3][1][23]=A[3][2][23]=\(v_{48}\), A[3][1][29]=A[3][2][29]=\(v_{49}\), A[3][1][58]=A[3][2][58]=\(v_{50}\), A[4][1][1]=A[4][2][1]=\(v_{51}\), A[4][1][28]=A[4][2][28]=\(v_{52}\), A[4][1][44]=A[4][2][44]=\(v_{53}\), A[4][1][50]=A[4][2][50]=\(v_{54}\), A[4][1][61]=A[4][2][61]=\(v_{55}\), A[0][2][17]=A[0][3][17]=\(v_{56}\), A[0][2][28]=A[0][3][28]=\(v_{57}\), A[0][2][34]=A[0][3][34]=\(v_{58}\), A[0][2][56]=A[0][3][56]=\(v_{59}\), A[1][2][44]=A[1][3][44]=\(v_{60}\), A[1][2][49]=A[1][3][49]=\(v_{61}\), A[1][2][57]=A[1][3][57]=\(v_{62}\), A[2][0][5]=A[2][2][5]=\(v_{63}\) 
Conditional cube variable  A[2][0][0]=A[2][1][0]=\(v_{0}\) 
Bit conditions  A[4][0][44]= A[2][2][45] + A[3][2][45], A[2][0][4]= \(k_{5}\) + \(k_{69}\) + A[0][1][5] + A[2][1][4] + A[0][2][5] + A[2][2][4] + A[0][3][5] + 1, A[2][0][59]= \(k_{60}\) + A[0][1][60] + A[2][1][59] + A[0][2][60] + A[2][2][59] + A[0][3][60] + 1, A[2][0][7]= A[3][1][7] + A[4][1][6] + A[2][1][7] + A[4][1][6] +A[2][2][7] + A[4][2][6] 
Guessed key bits  \(k_{60},k_{5}+k_{69}\) 
The most significant 320 bits of Keccak512 output can be reversed so that the distinguishing attack can be extended one more round further without increasing the complexity. The time complexity for the distinguishing attack on 6round Keccak512 with the conditional cube tester is thus \(2^9\) Keccak calls and the data complexity is also \(2^9\). From the fact that a distinguishing attack on Keccak with the capacity \(c_1\) also works on Keccak with the capacity \(c_2\) with the same complexity as long as \(c_1 > c_2\), this attack can also distinguish Keccak224, Keccak256 up to 5 rounds and Keccak384 up to 6 rounds.
We can find a combination of 17 conditional cube variables for Keccak384 and construct a 7round conditional cube tester in a similar manner with a complexity of \(2^{17}\).
Conditions to distinguish Keccak512
Conditional cube variables  A[2][0][0]=A[2][1][0]=\(v_{0}\), A[2][0][1]=A[2][1][1]=\(v_{1}\),A[2][0][2]=A[2][1][2]=\(v_{2}\), A[2][0][3]=A[2][1][3]=\(v_{3}\),A[2][0][22]=A[2][1][22]=\(v_{4}\), A[2][0][23]=A[2][1][23]=\(v_{5}\),A[2][0][44]=A[2][1][44]=\(v_{6}\), A[2][0][45]=A[2][1][45]=\(v_{7}\),A[3][0][15]=A[3][1][15]=\(v_{8}\) 
Bit conditions  A[2][0][4]= A[0][0][5]+ A[1][0][5]+ A[0][1][5]+ A[2][1][4]+ 1, A[2][0][5]= A[0][0][6]+ A[1][0][6]+ A[0][1][6]+ A[2][1][5]+ 1, A[2][0][6]= A[0][0][7]+ A[1][0][7]+ A[0][1][7]+ A[2][1][6]+ 1, A[2][0][7]= A[0][0][8]+ A[1][0][8]+ A[0][1][8]+ A[2][1][7]+ 1, A[2][0][8]= A[4][0][7]+ A[2][1][8]+ A[3][1][8], A[2][0][9]= A[4][0][8]+ A[2][1][9]+ A[3][1][9], A[2][0][10]= A[4][0][9]+ A[2][1][10]+ A[3][1][10], A[2][0][17]= A[0][0][18]+ A[0][1][18]+ A[2][1][17]+ 1, A[2][0][25]= A[4][0][24]+ A[2][1][25], A[2][0][26]= A[0][0][27]+ A[1][0][27]+ A[0][1][27]+ A[2][1][26]+ 1, A[2][0][27]= A[0][0][28]+ A[1][0][28]+ A[0][1][28]+ A[2][1][27]+ 1, A[2][0][29]= A[4][0][28]+ A[2][1][29]+ A[3][1][29], A[2][0][30]= A[4][0][29]+ A[2][1][30]+ A[3][1][30], A[2][0][40]= A[0][0][41]+ A[0][1][41]+ A[2][1][40]+ 1, A[2][0][46]= A[4][0][45]+ A[2][1][46], A[2][0][47]= A[4][0][46]+ A[2][1][47], A[2][0][48]= A[4][0][47]+ A[2][1][48], A[2][0][49]= A[0][0][50]+ A[1][0][50]+ A[0][1][50]+ A[2][1][49]+ 1, A[2][0][51]= A[4][0][50]+ A[2][1][51]+ A[3][1][51], A[2][0][52]= A[4][0][51]+ A[2][1][52]+ A[3][1][52], A[2][0][59]= A[0][0][60]+ A[0][1][60]+ A[2][1][59]+ 1, A[2][0][60]= A[0][0][61]+ A[0][1][61]+ A[2][1][60]+ 1, A[2][0][61]= A[0][0][62]+ A[0][1][62]+ A[2][1][61]+ 1, A[2][0][62]= A[0][0][63]+ A[0][1][63]+ A[2][1][62]+ 1, A[3][0][23]= A[0][0][22]+ A[0][1][22]+ A[3][1][23], A[3][0][31]= A[0][0][30]+ A[0][1][30]+ A[3][1][31], A[3][0][45]= A[1][0][46]+ A[1][1][46]+ A[3][1][45]+ 1, A[4][0][3]= A[0][0][5]+ A[1][0][5]+ A[0][1][5]+ 1, A[4][0][6]= A[0][0][8]+ A[1][0][8]+ A[0][1][8]+ A[3][1][7]+ 1, A[4][0][25]= A[0][0][27]+ A[1][0][27]+ A[0][1][27]+ 1, A[0][1][49]= A[0][0][49]+ A[1][0][49]+ A[4][0][47]+ 1, A[4][0][44]=0, A[4][0][2] = 1. 
6.3 Distinguishing Attack on Keccak224
Conditions to distinguish Keccak384
Conditional cube variables  A[0][0][14]=A[0][1][14]=\(v_{0}\), A[2][0][23]=A[2][1][23]=\(v_{1}\),A[2][0][24]=A[2][1][24]=\(v_{2}\), A[2][0][43]=A[2][1][43]=\(v_{3}\), A[2][0][44]=\(v_{4}\), A[2][1][44]=\(v_{4}\)+\(v_{5}\), A[2][2][44]=\(v_{5}\), A[3][0][56]=A[3][1][56]=\(v_{6}\), A[3][0][58]=A[3][1][58]=\(v_{7}\), A[0][1][57]=A[0][2][57]=\(v_{8}\), A[0][1][58]=A[0][2][58]=\(v_{9}\), A[1][1][49]=A[1][2][49]=\(v_{10}\), A[1][1][50]=A[1][2][50]=\(v_{11}\), A[2][1][41]=A[2][2][41]=\(v_{12}\), A[0][0][20]=A[0][2][20]=\(v_{13}\), A[1][0][13]=A[1][2][13]=\(v_{14}\), A[2][0][0]=A[2][2][0]=\(v_{15}\), A[2][0][16]=A[2][2][16]=\(v_{16}\) 
Bit conditions  A[0][0][1]= A[3][0][2]+ A[0][1][1]+ A[3][1][2]+ A[4][1][2]+ A[0][2][1] A[0][0][2]= A[3][0][3]+ A[0][1][2]+ A[3][1][3]+ A[4][1][3]+ A[0][2][2]+ 1 A[0][0][5]= A[3][0][6]+ A[0][1][5]+ A[3][1][6]+ A[0][2][5]+ 1 A[0][0][7]= A[3][0][8]+ A[0][1][7]+ A[3][1][8]+ A[0][2][7] A[0][0][9]= A[3][0][10]+ A[0][1][9]+ A[3][1][10]+ A[0][2][9] A[0][0][12]= A[2][0][11]+ A[0][1][12]+ A[2][1][11]+ A[0][2][12]+ A[2][2][11]+ 1 A[0][0][15]= A[2][0][14]+ A[0][1][15]+ A[2][1][14]+ A[0][2][15]+ A[2][2][14] A[0][0][16]= A[2][0][15]+ A[0][1][16]+ A[2][1][15]+ A[0][2][16]+ A[2][2][15] A[0][0][19]= A[2][0][18]+ A[0][1][19]+ A[2][1][18]+ A[0][2][19]+ A[2][2][18]+ 1 A[0][0][22]= A[3][0][23]+ A[0][1][22]+ A[3][1][23]+ A[4][1][23]+ A[0][2][22]+ A[2][2][24]+ 1 A[0][0][28]= A[1][0][29]+ A[2][0][27]+ A[2][0][28]+ A[4][0][29]+ A[0][1][28]+ A[0][1][29]+ A[1][1][28]+ A[2][1][27]+ A[2][1][28]+ A[4][1][29]+ A[0][2][28]+ A[0][2][29]+ A[1][2][28]+ A[2][2][27]+ A[2][2][28]+ 1 A[0][0][29]= A[1][0][29]+ A[2][0][28]+ A[0][1][29]+ A[2][1][28]+ A[0][2][29]+ A[2][2][28]+ 1 A[0][0][30]= A[1][0][29]+ A[4][0][30]+ A[1][1][29]+ A[4][1][30]+ A[1][2][29]+ 1 A[0][0][34]= A[2][0][33]+ A[0][1][34]+ A[1][1][34]+ A[2][1][33]+ A[0][2][34]+ A[2][2][33] A[0][0][39]= A[4][0][37]+ A[0][1][39]+ A[4][1][37]+ A[0][2][39]+ 1 A[0][0][40]= A[3][0][41]+ A[0][1][40]+ A[3][1][41]+ A[4][1][41]+ A[0][2][40]+ 1 A[0][0][42]= A[2][0][41]+ A[0][1][42]+ A[0][2][42] A[0][0][43]= A[2][0][42]+ A[0][1][43]+ A[1][1][43]+ A[2][1][42]+ A[0][2][43]+ A[2][2][42]+ 1 A[0][0][46]= A[1][2][46]+ A[2][0][45]+ A[0][1][46]+ A[2][1][45]+ A[0][2][46]+ A[2][2][45]+ 1 A[0][0][48]= A[1][0][48]+ A[2][0][47]+ A[0][1][48]+ A[2][1][47]+ A[0][2][48]+ A[2][2][47]+ 1 A[0][0][49]= A[2][0][48]+ A[2][0][49]+ A[3][0][48]+ A[0][1][49]+ A[2][1][48] + A[3][1][48]+ A[0][2][49]+ A[2][2][48] A[0][0][60]= A[2][0][59]+ A[0][1][60]+ A[2][1][59]+ A[0][1][60]+ A[2][2][59]+ 1 A[0][0][63]= A[3][0][0]+ A[0][1][63]+ A[3][1][0]+ A[0][2][63]+ 1 A[1][0][8]= A[3][0][7]+ A[1][1][8]+ A[3][1][7]+ A[1][2][8] A[1][0][22]= A[0][1][23]+ A[1][1][22]+ A[1][2][22]+ A[2][2][24]+ 1 A[1][0][23]= A[4][0][24]+ A[0][1][24]+ A[1][1][23]+ A[4][1][24]+ A[1][2][23]+ 1 A[1][0][25]= A[3][0][24]+ A[1][1][25]+ A[3][1][24]+ A[1][2][25]+ 1 A[1][0][28]= A[1][0][29]+ A[2][0][28]+ A[4][0][29]+ A[0][1][29]+ A[1][1][28]+ A[2][1][28]+ A[4][1][29]+ A[0][2][29]+ A[1][2][28]+ A[2][2][28] A[1][0][44]= A[3][0][43]+ A[1][1][44]+ A[3][1][43]+ A[1][2][44] A[1][0][45]= A[3][0][44]+ A[1][1][45]+ A[3][1][44]+ A[1][2][45] A[1][0][49]= A[2][0][49]+ A[3][0][48]+ A[3][1][48]+ 1 A[1][0][50]= A[4][0][51]+ A[0][1][51]+ A[4][4][51]+ 1 A[1][0][51]= A[3][0][50]+ A[1][1][51]+ A[3][1][50]+ A[1][2][51]+ A[2][2][51] A[1][0][59]= A[4][0][60]+ A[1][1][59]+ A[4][1][60]+ A[1][2][59] A[2][0][2]= A[4][0][1]+ A[2][1][2]+ A[4][1][1]+ A[2][2][2] A[2][0][4]= A[2][1][4]+ A[2][2][4] A[2][0][5]= A[4][0][4]+ A[2][1][5]+ A[4][1][4]+ A[2][2][5] A[2][0][7]= A[4][0][6]+ A[2][1][7]+ A[3][1][7]+ A[4][1][6]+ A[2][2][7] A[2][0][22]= A[4][0][21]+ A[2][1][22]+ A[4][1][21]+ A[2][2][22] A[2][0][25]= A[4][0][24]+ A[2][1][25]+ A[4][0][24]+ A[2][2][25] A[2][0][30]= A[4][0][29]+ A[2][1][30]+ A[3][1][30]+ A[4][1][29]+ A[2][2][30] A[2][0][31]= A[4][0][30]+ A[2][1][31]+ A[3][1][31]+ A[4][1][30]+ A[2][2][31] A[2][0][38]= A[4][0][37]+ A[2][1][38]+ A[4][1][37]+ A[2][2][38] A[2][0][39]= A[3][0][41]+ A[2][1][39]+ A[3][1][41]+ A[4][1][41]+ A[2][2][39] A[2][0][50]= A[4][0][49]+ A[2][1][50]+ A[3][1][50]+ A[4][1][49]+ A[2][2][50] A[2][0][51]= A[2][2][51]+ 1 A[2][0][62]= A[3][0][0]+ A[1][1][63]+ A[2][1][62]+ A[3][1][0]+ A[2][2][62] A[2][0][63]= A[4][0][62]+ A[2][1][63]+ A[4][1][62]+ A[2][2][63] A[3][0][22]= A[4][0][24]+ A[0][1][24]+ A[3][1][22]+ A[4][1][24] A[3][0][40]= A[4][0][37]+ A[3][1][40]+ A[4][1][37]+ A[4][1][40] A[3][0][49]= A[4][0][51]+ A[0][1][51]+ A[3][1][49]+ A[4][1][51]+ A[2][2][50]+ 1 A[4][0][2]= A[4][1][2]+ 1 A[4][0][22]= A[3][1][23]+ A[4][1][22]+ A[2][2][23] A[4][0][23]= A[4][1][23]+ A[2][2][24] A[4][0][50]= A[2][1][51]+ A[3][1][51]+ A[4][1][50]+ 1 A[0][1][20]= A[2][0][19]+ A[2][1][19]+ A[2][2][19]+ 1 A[1][2][40]= 1 A[4][1][0]= 1 A[1][2][19]= 1 A[1][2][20]= 1 A[1][1][40]= 1 A[2][1][8]= 0 A[1][1][15]= 1 
Conditional cube variables to distinguish Keccak224
Conditional cube variables 
A[0][0][3]=A[1][2][2]=\(v_{0}\), A[0][1][3]=A[2][1][33]=A[2][2][33]=\(v_{0}\)+\(v_{25}\), A[1][0][2]=\(v_{0}\)+\(v_{17}\), A[0][0][6]=A[1][0][5]=A[1][2][5]=\(v_{1}\), A[0][1][6]=A[2][1][36]=A[2][2][36]=\(v_{1}\)+\(v_{17}\), A[0][0][9]=A[0][1][9]=A[2][1][39]=A[2][2][39]=A[1][0][8]=A[1][2][8]=\(v_{2}\), A[0][0][11]=A[1][0][10]=\(v_{3}\), A[0][1][11]=A[2][1][41]=A[2][2][41]=\(v_{3}\)+\(v_{18}\), A[1][2][10]=\(v_{3}\)+\(v_{16}\), A[0][0][14]=A[2][1][44]=A[2][2][44]=A[1][0][13]=A[1][2][13]=\(v_{4}\), A[0][1][14]=\(v_{4}\)+\(v_{16}\)+\(v_{26}\), A[0][0][16]=\(v_{5}\), A[0][1][16]=A[2][1][46]=A[2][2][46]=\(v_{5}\)+\(v_{19}\), A[1][0][15]=\(v_{5}\)+\(v_{20}\)+\(v_{27}\), A[1][2][15]=\(v_{5}\)+\(v_{27}\), A[0][0][19]=A[1][0][18]=A[1][2][18]=\(v_{6}\), A[0][1][19]=A[2][1][49]=A[2][2][49]=\(v_{6}\)+\(v_{20}\), A[0][0][21]=A[0][1][21]=A[2][1][51]=A[2][2][51]=\(v_{7}\), A[1][0][20]=\(v_{7}\)+\(v_{21}\)+\(v_{28}\), A[1][2][20]=\(v_{7}\)+\(v_{28}\), A[0][0][22]=A[2][1][52]=A[2][2][52]=A[1][0][21]=\(v_{8}\), A[0][1][22]=A[1][2][21]=\(v_{8}\)+\(v_{14}\), A[0][0][24]=A[1][0][23]=A[1][2][23]=\(v_{9}\), A[0][1][24]=A[2][1][54]=A[2][2][54]=\(v_{9}\)+\(v_{21}\), A[0][0][27]=A[2][1][57]=A[2][2][57]=A[1][0][26]=A[1][2][26]=\(v_{10}\), A[0][1][27]=\(v_{10}\)+\(v_{28}\), A[0][0][29]=A[1][0][28]=\(v_{11}\), A[0][1][29]=A[2][1][59]=A[2][2][59]=\(v_{11}\)+\(v_{22}\), A[1][2][28]=\(v_{11}\)+\(v_{15}\), A[0][1][32]=\(v_{12}\)+\(v_{15}\)+\(v_{29}\), A[0][0][32]=A[2][1][62]=A[2][2][62]=A[1][0][31]=A[1][2][31]=\(v_{12}\), A[0][0][62]=A[1][2][61]=\(v_{13}\), A[0][1][62]=A[2][1][28]=A[2][2][28]=\(v_{13}\)+\(v_{23}\), A[1][0][61]=\(v_{13}\)+\(v_{24}\), A[3][1][6]=A[3][2][6]=A[1][3][21]=A[0][1][25]=A[0][3][25]=\(v_{14}\), A[3][1][13]=A[3][2][13]=\(v_{15}\)+\(v_{29}\), A[1][3][28]=A[0][3][32]=\(v_{15}\), A[3][1][59]=A[3][2][59]=\(v_{16}\)+\(v_{26}\), A[1][3][10]=A[0][3][14]=\(v_{16}\) A[1][3][2]=A[4][0][40]=A[4][2][40]=A[0][3][6]=\(v_{17}\), A[1][0][7]=A[4][0][45]=A[4][2][45]=\(v_{18}\)+\(v_{26}\), A[1][3][7]=A[0][3][11]=\(v_{18}\) A[1][0][12]=A[1][3][12]=A[4][0][50]=A[4][2][50]=A[0][3][16]=\(v_{19}\), A[1][3][15]=A[0][3][19]=\(v_{20}\), A[4][0][53]=A[4][2][53]=\(v_{20}\)+\(v_{27}\), A[1][3][20]=A[0][3][24]=\(v_{21}\), A[4][0][58]=A[4][2][58]=\(v_{21}\)+\(v_{28}\), A[1][0][25]=A[4][0][63]=A[4][2][63]=\(v_{22}\)+\(v_{29}\), A[1][3][25]=A[0][3][29]=\(v_{22}\), A[1][0][58]=A[1][3][58]=A[4][0][32]=A[4][2][32]=A[0][3][62]=\(v_{23}\), A[1][3][61]=A[4][0][35]=A[4][2][35]=A[0][1][1]=A[0][3][1]=A[2][1][31]=A[2][2][31]=\(v_{24}\), A[1][0][63]=A[1][3][63]=A[4][0][37]=A[4][2][37]=A[0][3][3]=\(v_{25}\), A[1][2][7]=A[0][2][14]=\(v_{26}\), A[0][2][22]=A[3][1][3]=A[3][2][3]=\(v_{27}\) A[0][2][27]=A[3][1][8]=A[3][2][8]=\(v_{28}\), A[1][2][25]=A[0][2][32]=\(v_{29}\), A[2][0][55]=A[2][1][55]=\(v_{30}\) A[0][2][60]=A[0][3][60]=\(v_{31}\), A[0][1][37]=A[0][3][37]=\(v_{32}\) 
The time complexity of this distinguishing attack is \(2^{33}\). Memory complexity is negligible. This distinguishing attack can be performed on a desktop computer in several hours.
7 Conclusion
In this paper, we propose the conditional cube tester for Keccak sponge function with the advantage of having smaller dimensions compared to the previous cube tester in some cases. Our approach is based on a novel idea to add some conditions for certain cube variables, so that the multiplication between cube variables are under control after the second round of Keccak sponge function. More specifically, using a conditional cube tester to roundreduced KeccakMAC and Keyak, our key recovery attacks are more efficient than the currently best known attacks according to the number of rounds or the complexity. Another application of our conditional cube tester is to construct distinguishing attacks on Keccak sponge function. Our distinguishing attacks are much faster and improve the existing attacks. Most of our attacks are very practical and implementations and experiments have been conducted on desktop computers. We should also remark that our proposed conditional cube testers may be used to analyse Keccaklike cryptosystems. Implementations of our methods are available at http://people.uwm.edu/gxu4uwm/eurocrypt17_code/.
Notes
Acknowledgement
This work is supported by 973 Program (No. 2013CB834205), and the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDB01010600) and the National Natural Science Foundation of China (No. 61133013).
References
 1.Guido, B., Joan, D., Michaël, P., Van Assche, G.: Keccak Sponge Function Family Main Document. http://Keccak.noekeon.org/Keccakmain2.1.pdf
 2.Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on roundreduced keccak. J. Cryptology 27(2), 183–209 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
 3.Pawel, M., Josef, P., Marian, S., Michal, S.: Preimage Attacks on the RoundReduced Keccak with the Aid of Differential Cryptanalysis. Cryptology ePrint Archive, Report 2013/561 (2013). http://eprint.iacr.org/
 4.Bernstein, D.J.: Second Preimages for 6 (7 (8??)) Rounds of Keccak. NIST mailing list (2010)Google Scholar
 5.Duan, M., Lai, X.J.: Improved zerosum distinguisher for full round keccakf permutation. Chin. Sci. Bull. 57(6), 694–697 (2012)CrossRefGoogle Scholar
 6.Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 402–421. Springer, Heidelberg (2012). doi: 10.1007/9783642340475_23 CrossRefGoogle Scholar
 7.Jean, J., Nikolić, I.: Internal differential boomerangs: practical analysis of the roundreduced keccak \(f\) permutation. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 537–556. Springer, Heidelberg (2015). doi: 10.1007/9783662481165_26 CrossRefGoogle Scholar
 8.NayaPlasencia, M., Röck, A., Meier, W.: Practical analysis of reducedround keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011). doi: 10.1007/9783642255786_18 CrossRefGoogle Scholar
 9.Das, S., Meier, W.: Differential biases in reducedround keccak. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 69–87. Springer, Cham (2014). doi: 10.1007/9783319067346_5 CrossRefGoogle Scholar
 10.Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cubeattacklike cryptanalysis on the roundreduced keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). doi: 10.1007/9783662468005_28 Google Scholar
 11.Guido, B., Joan, D., Michaël, P., Van Assche, G.: Keyak. http://keyak.noekeon.org
 12.Taha, M., Schaumont, P.: Differential power analysis of MACkeccak at any keylength. In: Sakiyama, K., Terada, M. (eds.) IWSEC 2013. LNCS, vol. 8231, pp. 68–82. Springer, Heidelberg (2013). doi: 10.1007/9783642413834_5 CrossRefGoogle Scholar
 13.Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Cryptanalysis of Ascon. In: Nyberg, K. (ed.) CTRSA 2015. LNCS, vol. 9048, pp. 371–387. Springer, Cham (2015). doi: 10.1007/9783319167152_20 Google Scholar
 14.Pawel, M., Josef, P., Michal, S., Marian, S.: Applications of Key Recovery Cubeattacklike. Cryptology ePrint Archive, Report 2015/1009 (2015). http://eprint.iacr.org/
 15.Dinur, I., Shamir, A.: Breaking Grain128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011). doi: 10.1007/9783642217029_10 CrossRefGoogle Scholar
 16.Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). doi: 10.1007/11426639_2 CrossRefGoogle Scholar
 17.Chen, H., Wang, X.: Improved linear hull attack on roundreduced Simon with dynamic keyguessing techniques. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 428–449. Springer, Heidelberg (2016). doi: 10.1007/9783662529935_22 CrossRefGoogle Scholar
 18.Knellwolf, S., Meier, W., NayaPlasencia, M.: Conditional differential cryptanalysis of NLFSRbased cryptosystems. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 130–145. Springer, Heidelberg (2010). doi: 10.1007/9783642173738_8 CrossRefGoogle Scholar
 19.CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html
 20.Aumasson, J.P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reducedround MD6 and trivium. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009). doi: 10.1007/9783642033179_1 CrossRefGoogle Scholar
 21.Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography: Two Sides of One Tapestry, pp. 227–233. Springer (1994)Google Scholar
 22.Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). doi: 10.1007/9783642010019_16 CrossRefGoogle Scholar
 23.Zhu, B., Chen, K., Lai, X.: Bitwise higher order differential cryptanalysis. In: Chen, L., Yung, M. (eds.) INTRUST 2009. LNCS, vol. 6163, pp. 250–262. Springer, Heidelberg (2010). doi: 10.1007/9783642145971_16 CrossRefGoogle Scholar
 24.Stein, W., Joyner, D.: SAGE: System for algebra and geometry experimentation. ACM SIGSAM Bull. 39(2), 61–64 (2005)CrossRefzbMATHGoogle Scholar
 25.Sun, S., Hu, L., Wang, M., Yang, Q., Qiao, K., Ma, X., Song, L., Shan, J.: Extending the applicability of the mixedinteger programming technique in automatic differential cryptanalysis. In: Lopez, J., Mitchell, C.J. (eds.) ISC 2015. LNCS, vol. 9290, pp. 141–157. Springer, Cham (2015). doi: 10.1007/9783319233185_8 CrossRefGoogle Scholar
 26.Gurobi optimization. Gurobi: Gurobi optimizer reference manual (2015). http://www.gurobi.com