Conditional Cube Attack on Reduced-Round Keccak Sponge Function
The security analysis of Keccak, the winner of SHA-3, has attracted considerable interest. Recently, some attention has been paid to the analysis of keyed modes of the Keccak sponge function. As a notable example, the most efficient key recovery attacks on Keccak-MAC and Keyak were reported at EUROCRYPT'15, where cube attacks and cube-attack-like cryptanalysis were applied. In this paper, we develop a new type of cube distinguisher, the conditional cube tester, for the Keccak sponge function. By imposing some bit conditions for certain cube variables, we are able to construct cube testers with smaller dimensions. Our conditional cube testers are used to analyse Keccak in keyed modes. For reduced-round Keccak-MAC and Keyak, our attacks greatly improve the best known key recovery attacks in terms of the number of rounds or the complexity. Moreover, our new model can also be applied in the keyless setting to distinguish the Keccak sponge function from a random permutation. We provide a search algorithm that produces the most efficient conditional cube tester by modeling the search as an MILP (mixed integer linear programming) problem. As a result, we improve the previous distinguishing attacks on the Keccak sponge function significantly. Most of our attacks have been implemented and verified on desktop computers. Finally, we remark that our attacks on reduced-round Keccak do not threaten the security margin of the Keccak sponge function.
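As an added illustration (not code from the paper), the following is the plain cube tester that the conditional cube testers above refine: for the first r rounds of Keccak-f[1600] the algebraic degree is at most 2^r, so a cube of dimension d > 2^r summed over all its assignments gives zero for every output bit, whereas a constructed dimension-2 cube whose two bits meet in one chi row already detects one round. The bit positions, seeds and the degree-bound check are assumptions of this example.

```python
import random

MASK = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]   # rho offsets, ROT[x][y]

def rol(v, n): return ((v << (n % 64)) | (v >> (64 - n % 64))) & MASK

def keccak_p(lanes, rounds):
    """First `rounds` rounds of Keccak-f[1600]; lanes are 25 ints indexed x + 5*y."""
    A = [[lanes[x + 5 * y] for y in range(5)] for x in range(5)]
    for rnd in range(rounds):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):                                                        # rho, pi
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rol(A[x][y], ROT[x][y])
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y])                  # chi
              for y in range(5)] for x in range(5)]
        A[0][0] ^= RC[rnd]                                                        # iota
    return [A[x][y] for y in range(5) for x in range(5)]

def cube_sums(rounds, cube_bits, base):
    """XOR of the r-round output over all 2^d values of the cube bits (bit i: lane i//64, z i%64)."""
    acc = [0] * 25
    for m in range(1 << len(cube_bits)):
        lanes = list(base)
        for j, bit in enumerate(cube_bits):
            if m >> j & 1:
                lanes[bit // 64] ^= 1 << (bit % 64)
        for i, v in enumerate(keccak_p(lanes, rounds)):
            acc[i] ^= v
    return acc

def degree_bound_tester(rounds, dim, seed=1):
    """Cube tester: with dim > 2^rounds every output-bit cube sum must be 0 (degree bound)."""
    rng = random.Random(seed)                      # random cube positions and random fixed bits
    base = [rng.getrandbits(64) for _ in range(25)]
    return all(v == 0 for v in cube_sums(rounds, rng.sample(range(1600), dim), base))

# Constructed dimension-2 cube: bits (x=0,y=0,z=0) and (x=1,y=1,z=20) land in the same row
# and slice after rho/pi, so after one round lane 4 (x=4,y=0) bit 0 has cube sum exactly 1.
ADJACENT_PAIR = [0, 6 * 64 + 20]
```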
Keywords: Keccak-MAC, Keyak, Cube tester, Conditional cube variable, Ordinary cube variable
This work is supported by 973 Program (No. 2013CB834205), and the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDB01010600) and the National Natural Science Foundation of China (No. 61133013).