Advertisement

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

  • Zheng Li
  • Wenquan Bi
  • Xiaoyang DongEmail author
  • Xiaoyun WangEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10624)

Abstract

Conditional cube attack is an efficient key-recovery attack on Keccak keyed modes proposed by Huang et al. at EUROCRYPT 2017. By assigning bit conditions, the diffusion of a conditional cube variable is reduced. Then, using a greedy algorithm (Algorithm 4 in Huang et al.’s paper), Huang et al. find some ordinary cube variables, that do not multiply together in the 1st round and do not multiply with the conditional cube variable in the 2nd round. Then the key-recovery attack is launched. The key part of conditional cube attack is to find enough ordinary cube variables. Note that, the greedy algorithm given by Huang et al. adds ordinary cube variable without considering its bad effect, i.e. the new ordinary cube variable may result in that many other variables could not be selected as ordinary cube variable (they multiply with the new ordinary cube variable in the first round).

In this paper, we bring out a new MILP model to solve the above problem. We show how to model the CP-like-kernel and model the way that the ordinary cube variables do not multiply together in the 1st round as well as do not multiply with the conditional cube variable in the 2nd round. Based on these modeling strategies, a series of linear inequalities are given to restrict the way to add an ordinary cube variable. Then, by choosing the objective function of the maximal number of ordinary cube variables, we convert Huang et al.’s greedy algorithm into an MILP problem and the maximal ordinary cube variables are found.

Using this new MILP tool, we improve Huang et al.’s key-recovery attacks on reduced-round Keccak-MAC-384 and Keccak-MAC-512 by 1 round, get the first 7-round and 6-round key-recovery attacks, respectively. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round key-recovery attack could be achieved. In addition, for Ketje Minor, we use conditional cube variable with 6-6-6 pattern to launch 7-round key-recovery attack.

Notes

Acknowledgments

We would like to thank the anonymous reviewers of Asiacrypt 2017 who helped us to improve this paper. This work is supported by China’s 973 Program (No. 2013CB834205), the National Key Research and Development Program of China (No. 2017YFA0303903), the National Natural Science Foundation of China (Nos. 61672019, 61402256), the Fundamental Research Funds of Shandong University (No. 2016JC029), National Cryptography Development Fund (No. MMJJ20170121), Zhejiang Province Key R&D Project (No. 2017C01062).

References

  1. 1.
  2. 2.
  3. 3.
    Berton, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak sponge function family. http://keccak.noekeon.org/
  4. 4.
    Berton, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: CAESAR submission: Ketje v2 (2016). http://competitions.cr.yp.to/round3/ketjev2.pdf
  5. 5.
    Berton, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: CAESAR submission: Keyak v2 (2016). http://competitions.cr.yp.to/round3/keyakv22.pdf
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-28496-0_19 CrossRefGoogle Scholar
  7. 7.
    Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-21702-9_15 CrossRefGoogle Scholar
  8. 8.
    Cui, T., Jia, K., Fu, K., Chen, S., Wang, M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. IACR Cryptology ePrint Archive 2016/689 (2016). http://eprint.iacr.org/2016/689
  9. 9.
    Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34047-5_24 CrossRefGoogle Scholar
  10. 10.
    Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34047-5_25 CrossRefGoogle Scholar
  11. 11.
    Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43933-3_12 Google Scholar
  12. 12.
    Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_28 Google Scholar
  13. 13.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-01001-9_16 CrossRefGoogle Scholar
  14. 14.
    Dobraunig, C., Eichlseder, M., Mendel, F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 490–509. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48800-3_20 CrossRefGoogle Scholar
  15. 15.
    Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Cryptanalysis of Ascon. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 371–387. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-16715-2_20 Google Scholar
  16. 16.
    Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2. Submission to the CAESAR Competition (2016)Google Scholar
  17. 17.
    Dong, X., Li, Z., Wang, X., Qin, L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017(1), 259–280 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/594 Google Scholar
  18. 18.
    Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 402–421. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34047-5_23 CrossRefGoogle Scholar
  19. 19.
    Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_9 CrossRefGoogle Scholar
  20. 20.
    Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_9 CrossRefGoogle Scholar
  21. 21.
    Jean, J., Nikolić, I.: Internal differential boomerangs: practical analysis of the round-reduced Keccak- \(f\) permutation. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 537–556. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48116-5_26 CrossRefGoogle Scholar
  22. 22.
    Li, Z., Dong, X., Wang, X.: Conditional cube attack on round-reduced ASCON. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017)Google Scholar
  23. 23.
    Mella, S., Daemen, J., Assche, G.V.: New techniques for trail bounds and application to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/597 Google Scholar
  24. 24.
    Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced Keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43933-3_13 Google Scholar
  25. 25.
    Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34704-7_5 CrossRefGoogle Scholar
  26. 26.
    Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56617-7_8 CrossRefGoogle Scholar
  27. 27.
    Sasaki, Y., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56617-7_7 CrossRefGoogle Scholar
  28. 28.
    Song, L., Liao, G., Guo, J.: Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63715-0_15 CrossRefGoogle Scholar
  29. 29.
    Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_9 Google Scholar
  30. 30.
    Wu, S., Wang, M.: Security evaluation against differential cryptanalysis for block cipher structures. IACR Cryptology ePrint Archive 2011/551 (2011)Google Scholar
  31. 31.
    Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_24 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.Key Laboratory of Cryptologic Technology and Information SecurityMinistry of Education, Shandong UniversityJinanPeople’s Republic of China
  2. 2.Institute for Advanced StudyTsinghua UniversityBeijingPeople’s Republic of China

Personalised recommendations