Conditional Cube Attack on Reduced-Round Keccak Sponge Function

  • Senyang Huang
  • Xiaoyun Wang
  • Guangwu Xu
  • Meiqin Wang
  • Jingyuan Zhao
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10211)


The security analysis of Keccak, the winner of SHA-3, has attracted considerable interest. Recently, some attention has been paid to the analysis of keyed modes of the Keccak sponge function. As a notable example, the most efficient key recovery attacks on Keccak-MAC and Keyak were reported at EUROCRYPT’15, where cube attacks and cube-attack-like cryptanalysis were applied. In this paper, we develop a new type of cube distinguisher, the conditional cube tester, for the Keccak sponge function. By imposing some bit conditions for certain cube variables, we are able to construct cube testers with smaller dimensions. Our conditional cube testers are used to analyse Keccak in keyed modes. For reduced-round Keccak-MAC and Keyak, our attacks greatly improve the best known attacks in key recovery in terms of the number of rounds or the complexity. Moreover, our new model can also be applied to the keyless setting to distinguish the Keccak sponge function from a random permutation. We provide a searching algorithm to produce the most efficient conditional cube tester by modeling it as an MILP (mixed integer linear programming) problem. As a result, we improve the previous distinguishing attacks on the Keccak sponge function significantly. Most of our attacks have been implemented and verified on desktop computers. Finally, we remark that our attacks on reduced-round Keccak do not threaten the security margin of the Keccak sponge function.


Keywords: Keccak-MAC, Keyak, Cube tester, Conditional cube variable, Ordinary cube variable



This work is supported by 973 Program (No. 2013CB834205), and the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDB01010600) and the National Natural Science Foundation of China (No. 61133013).



Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Senyang Huang (1)
  • Xiaoyun Wang (1, 2, 3)
  • Guangwu Xu (4)
  • Meiqin Wang (2, 3)
  • Jingyuan Zhao (5)

  1. Institute for Advanced Study, Tsinghua University, Beijing, China
  2. Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
  3. School of Mathematics, Shandong University, Jinan, China
  4. Department of EE and CS, University of Wisconsin-Milwaukee, Milwaukee, USA
  5. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
