# Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10624)

## Abstract

Conditional cube attack is an efficient key-recovery attack on Keccak keyed modes proposed by Huang et al. at EUROCRYPT 2017. By assigning bit conditions, the diffusion of a conditional cube variable is reduced. Then, using a greedy algorithm (Algorithm 4 in Huang et al.’s paper), Huang et al. find some ordinary cube variables, that do not multiply together in the 1st round and do not multiply with the conditional cube variable in the 2nd round. Then the key-recovery attack is launched. The key part of conditional cube attack is to find enough ordinary cube variables. Note that, the greedy algorithm given by Huang et al. adds ordinary cube variable without considering its bad effect, i.e. the new ordinary cube variable may result in that many other variables could not be selected as ordinary cube variable (they multiply with the new ordinary cube variable in the first round).

In this paper, we bring out a new MILP model to solve the above problem. We show how to model the CP-like-kernel and model the way that the ordinary cube variables do not multiply together in the 1st round as well as do not multiply with the conditional cube variable in the 2nd round. Based on these modeling strategies, a series of linear inequalities are given to restrict the way to add an ordinary cube variable. Then, by choosing the objective function of the maximal number of ordinary cube variables, we convert Huang et al.’s greedy algorithm into an MILP problem and the maximal ordinary cube variables are found.

Using this new MILP tool, we improve Huang et al.’s key-recovery attacks on reduced-round Keccak-MAC-384 and Keccak-MAC-512 by 1 round, get the first 7-round and 6-round key-recovery attacks, respectively. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round key-recovery attack could be achieved. In addition, for Ketje Minor, we use conditional cube variable with 6-6-6 pattern to launch 7-round key-recovery attack.

## 1 Introduction

Nowadays, the cryptanalysis progress of symmetric-key ciphers heavily depends on automated evaluation tools. Providing a reliable security evaluation is the key point for a cipher to be accepted by industry. Recently, cryptographic communities found that many classical cryptanalysis methods could be converted to mathematical optimization problems which aim to achieve the minimal or maximal value of an objective function under certain constraints. Mixed-integer Linear Programming (MILP) is the most widely studied technique to solve these optimization problems. One of the most successful applications of MILP is to search differential and linear trails. Mouha et al.  and Wu and Wang  first applied MILP method to count active Sboxes of word-based block ciphers. Then, at Asiacrypt 2014, by deriving some linear inequalities through the H-Representation of the convex hull of all differential patterns of Sbox, Sun et al.  extended this technique to search differential and linear trails. Another two important applications are to search integral distinguisher  and impossible differentials [8, 27].

Keccak , designed by Bertoni et al., has been selected as the new cryptographic hash function standard SHA-3. As one of the most important cryptographic standards, Keccak attracts lots of attention from the world wide researchers and engineers. Till now, many cryptanalysis results [7, 10, 11, 18, 19, 21, 24] and evaluation tools [9, 14, 23] have been proposed, including the recent impressive collision attacks [26, 28]. Since the robust design of Keccak, the cryptanalysis progress of Keccak is still limited. It must be pointed out that the automatic evaluation tools for Keccak are still needed to be enriched urgently.

At Eurocrypt 2015, Dinur et al.  for the first time considered the security of the Keccak keyed modes against cube-attack-like cryptanalysis and give some key recovery attacks on reduced-round Keccak-MAC and Keyak . At CT-RSA 2015, Dobraunig et al.  evaluate the security of Ascon  against the cube-like cryptanalysis. Later, Dong et al.  applied the cube-like method to Ketje Sr  which adopts smaller state size of Keccak-p permutation. At Eurocrypt 2017, Huang et al.  introduced a new type of cube-like attack, called conditional cube attack, which takes advantage of the large state freedom of Keccak to find a so-called conditional cube variable that do not multiply with all the other cube variables (called ordinary cube variables) in the first round and second round of Keccak, meanwhile, all ordinary cube variables do not multiply with each other in the first round. Thus, the degree of output polynomial of reduced-round Keccak over the cube variables is reduced by 1 and a conditional cube tester is constructed. Then Li et al.  applied the conditional cube attack to reduced-round Ascon.

### 1.1 Our Contributions

For conditional cube attack, when the conditional cube variable is determined, the most important work is to find enough ordinary cube variables to launch the key recovery attack. In , Huang et al. gives the Algorithm 4 to search the ordinary cube variables. It is a greedy algorithm, it randomly selects a cube variable and adds to ordinary cube variable set, when the variable does not multiply with other ordinary cube variables in the set in the first round and does not multiply with conditional cube variable either in both the first and second round. The drawback is that it can hardly get the maximum number (optimal) of ordinary cube variables. Because, when a cube variable is added to ordinary cube variable set, many more variables which multiply with the new added cube variable in the first round will be discarded, which means that we add just one cube variable with the price that many variables lost the chance to be an ordinary cube variable. Actually, the search problem is an optimization problem. When the capacity of Keccak is large, the greedy algorithm is enough to find a proper ordinary cube variable set. However, when the capacity or the state size is small, the algorithm could hardly find enough ordinary cube variables and invalidate the conditional cube attack. In fact, for Keccak-MAC-512 and Keccak-MAC-384, only 5 round and 6 round attacks are achieved by Huang et al.’s algorithm. When the capacity is large or the internal state of Keccak sponge function is smaller than 1600-bit, e.g. 800-bit Ketje Minor, the number of ordinary cube variables is reduced significantly.

In this paper, we present a novel technique to search ordinary cube variables by using MILP method1. By modeling the relations between ordinary cube variables and conditional cube variables in the first and second round, modeling the so-called CP-like-kernel and ordinary cube variables chosen conditions, we construct a linear inequality system. The target object is the maximum number of ordinary cube variables. Based on this MILP tool, we improve Huang et al.’s attacks on Keccak-MAC and give some interesting results on Ketje Major and Minor, which are summarized in Table 1. In addition, we list our source code of the new MILP tool2 in a public domain to enrich the automatic evaluation tools on Keccak and help the academic communities study Keccak much easier. The following are the main application results of the MILP tool.

1. 1.

It should be noted that, when the capacity reaches 768 or 1024, the cryptanalysis of Keccak becomes very hard. In fact, collision results on round-reduced Keccak-384 or Keccak-512 that are better than the birthday bound could respectively reach 4/3-round, while the preimage attacks [19, 24] on the two versions could reach only 4 rounds. Based on our MILP tool, for Keccak-MAC-384, we find more than 63 ordinary cube variables and improve Huang et al.’s attack by 1 round, and get the very first 7-round key-recovery attack. For Keccak-MAC-512, we find more than 31 ordinary cube variables and improve Huang et al.’s attack by 1 round, and get the first 6-round key-recovery attack. These are the longest attacks that the cryptanalysis of Keccak with big capacity (768 or 1024) could reach.

2. 2.

For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round conditional cube attack could work. In addition, we get the borderline length of the nonce for the 6-round key-recovery attack is 8 lanes.

3. 3.

For Ketje Minor, we use a new conditional cube variable and find 124 ordinary cube variables. Then a new 7-round key-recovery attack is proposed, which improved the previous best result by a factor of $$2^{15}$$.

Table 1.

Summary of key recovery attacks on Keccak keyed modes

Variant

Capacity

Attacked rounds

Time

Source

Keccak-MAC

768

6

$$2^{40}$$



7

$$2^{75}$$

Sect. 5.1

1024

5

$$2^{24}$$



6

$$2^{58.3}$$

Sect. 5.2

Variant

Nonce

Attacked rounds

Time

Source

Ketje Major

Full

6

$$2^{64}$$



Full

7

$$2^{96}$$



$${\ge }512$$

6

$$2^{41}$$

Sect. 6.1

$${\ge }704$$

7

$$2^{83}$$

Sect. 6.1

Ketje Minor

Full

6

$$2^{64}$$



Full

7

$$2^{96}$$



Full

6

$$2^{49}$$

Sect. 6.2

Full

7

$$2^{81}$$

Sect. 6.2

Full: the attacks use maximum length of nonce.

### 1.2 Organization of the Paper

Section 2 gives some notations, and brief description on Keccak-permutations, Keccak-MAC, Ketje. Some related works are introduced in Sect. 3. Section 4 describes the MILP search model for conditional cube attack. Round-reduced key-recovery attacks on Keccak-MAC-384/512 are introduced in Sect. 5. Section 6 gives the applications to Ketje. Section 7 concludes this paper.

## 2 Preliminaries

### 2.1 Notations

$$S_{i}$$

the intermediate state after i-round of Keccak-p, for example $$S_{0.5}$$ means the intermediate state before $$\chi$$ in 1st round of Keccak-p,

A

used in tables: for Keccak-MAC, the initial state, for Ketje, the state after $$\pi ^{-1}$$ of Keccak-$$p^*$$,

A[i][j]

the 32/64-bit word indexed by $$[i,j,*]$$ of state A, $$0\!\leqslant \! i\!\leqslant \!4$$, $$0\leqslant j\leqslant 4$$,

A[i][j][k]

the bit indexed by [ijk] of state A,

$$v_{i}$$

the ith cube variable,

K

128-bit key, for Keccak-MAC, $$K=k_0||k_1$$, both $$k_0$$ and $$k_1$$ are 64-bit, for Ketje Major, $$K=k_0||k_1||k_2$$, $$k_0$$ is 56-bit, $$k_1$$ is 64-bit, $$k_2$$ is 8-bit, for Ketje Minor, $$K=k_0||k_1||k_2||k_3||k_4$$, $$k_0$$ is 24-bit, $$k_1$$,$$k_2$$ and $$k_3$$ are 32-bit, $$k_4$$ is 8-bit,

$$k_i[j]$$

the jth bit of $$k_i$$,

capacity

in Keccak-MAC, it is the all zero padding bits; in Ketje, it is the padding of nonce.

### 2.2 The Keccak-p permutations

The Keccak-p permutations are derived from the Keccak-f permutations  and have a tunable number of rounds. A Keccak-p permutation is defined by its width $$b=25\times 2^l$$, with $$b\in \{25,50,100,200,400,800,1600\}$$, and its number of rounds $$n_r$$, denoted as Keccak-p[b]. The round function R consists of five operations:
$$\texttt {R}=\iota \circ \chi \circ \pi \circ \rho \circ \theta$$ Fig. 1. (a) The Keccak State , (b) state A in 2-dimension
Keccak-p[b] works on a state A of size b, which can be represented as $$5\times 5$$ $$\frac{b}{25}$$-bit lanes, as depicted in Fig. 1, A[i][j] with i for the index of column and j for the index of row. In what follows, indexes of i and j are in set $$\{0,1,2,3,4\}$$ and they are working in modulo 5 without other specification.
$$\begin{array}{l} \theta {:}\,A[x][y] = A[x][y] \oplus \sum \nolimits _{j = 0}^4 {(A[x - 1][j] \oplus (A[x + 1][j]\lll 1)).} \\ \rho {:}\,A[x][y] = A[x][y]\lll r[x,y].\\ \pi {:}\,A[y][2x+3y] = A[x][y].\\ \chi {:}\,A[x][y] = A[x][y]\oplus ((\lnot A[x+1][y])\wedge A[x+2][y].\\ \iota {:}\,A=A\oplus RC. \end{array}$$
In Ketje v2, the twisted permutations, Keccak-$$p^*[b]=\pi \circ$$ Keccak-$$p[b]\circ \pi ^{-1}$$, are introduced to effectively re-order the bits in the state. $$\pi ^{-1}$$ is the inverse of $$\pi$$, shown in Fig. 2.
$$\begin{array}{l} \pi ^{-1}{:}\,A[x+3y][x] = A[x][y]. \end{array}$$ Fig. 2. $$\pi ^{-1}$$

### 2.3 Keccak-MAC

A MAC form of Keccak can be obtained by adding key as the prefix of message/nonce. As depicted in Fig. 3, the input of Keccak-MAC-n is concatenation of key and message and n is half of the capacity length. Fig. 3. Construction of Keccak-MAC-n

### 2.4 Ketje

Ketje  is a submission by Keccak team. It is a sponge-like construction. In Ketje v1, two instances are proposed, Ketje Sr and Jr with 400-bit and 200-bit state sizes, respectively. In the latest Ketje v2, another two instances Ketje Minor and Major are added to the family, with 800-bit and 1600-bit state sizes, respectively. Ketje Sr is the primary recommendation. In the following, we give a brief overview about the Ketje v2. For a complete description, we refer to the design document . Fig. 4. Wrapping a header and a body with MonkeyWrap 
The structure of Ketje is an authenticated encryption mode MonkeyWrap, shown Fig. 4, which is based on MonkeyDuplex . It consists of four parts as follows:
1. 1.

The initialization phase: The initialization takes the secret key K, the public nonce N and some paddings as the initial state. Then $$n_{start}=12$$ rounds Keccak-$$p^*$$ is applied.

2. 2.

Processing associated data: $$\rho$$-bit blocks associated data are padded to ($$\rho +4$$)-bit and absorbed by xoring them to the state, then $$n_{step}=1$$ round Keccak-$$p^*$$ is applied. If associated data is empty, this procedure is still needed to be applied which means an empty block is padded to ($$\rho +4$$)-bit and then processed similarly.

3. 3.

Processing the plaintext: Plaintext is processed in $$\rho$$-bit blocks in a similar manner, with ciphertext blocks extracted from the state right after adding the plaintext.

4. 4.

Finalization: The finalization with $$n_{stride}=6$$ rounds Keccak-$$p^*$$ and a series of $$n_{step}=1$$ round Keccak-$$p^*$$s are performed to get the required length of tag T.

In Ketje v2, four concrete instances are proposed, shown in Table 2. $$n_{start}=12$$,$$n_{step}=1$$ and $$n_{stride}=6$$. For Ketje Minor and Major, the recommended key length is 128-bit, so the maximal length of nonce is (800 − 128 − 18=)654 and (1600 − 128 − 18=)1454 bits. This paper discusses the shortest length of nonce that a conditional cube attack could be applied.
Table 2.

Four instances in Ketje v2

Name

f

$$\rho$$

Main use case

Ketje Jr

Keccak-$$p^*$$

16

Lightweight

Ketje Sr

Keccak-$$p^*$$

32

Lightweight

Ketje Minor

Keccak-$$p^*$$

128

Lightweight

Ketje Major

Keccak-$$p^*$$

256

High performance

## 3 Related Work

### 3.1 Cube Attack

At EUROCRYPT 2009, Dinur and Shamir introduced the cube attack , in which the output bit of a symmetric cryptographic scheme can be regarded as a polynomial $$f(k_0,\ldots ,k_{n-1},v_0,\ldots ,v_{m-1})$$ over GF(2), $$k_0,\ldots ,k_{n-1}$$ are the secret variables (the key bits), $$v_0,\ldots ,v_{m-1}$$ are the public variables (e.g. IV or nonce bits).

### Theorem 1

.
\begin{aligned} f(k_0,\ldots ,k_{n-1},v_0,\ldots ,v_{m-1}) = t \cdot {P} + {Q}(k_0,\ldots ,k_{n-1},v_0,\ldots ,v_{m-1}) \end{aligned}
(1)
t is called maxterm and is a product of certain public variables, for example $$(v_0,\ldots ,v_{s-1})$$, $$1\le s\le m$$, denoted as cube $$C_t$$. None of the monomials in Q is divisible by t. P is called superpoly, which does not contain any variables of $$C_t$$. Then the sum of f over all values of the cube $$C_t$$ (cube sum) is
\begin{aligned} \sum \limits _{v'=(v_0,\ldots ,v_{s-1}) \in {C_t}} {f(k_0,\ldots ,k_{n-1},v',v_{s},\ldots ,v_{m-1}) = {P}} \end{aligned}
(2)
where $$C_t$$ contains all binary vectors of the length s, $$v_{s},\ldots ,v_{m-1}$$ are fixed to constant.

The basic idea is to find enough t whose P is linear and not a constant. This enables the key recovery through solving a system of linear equations.

### 3.2 Huang et al.’s Conditional Cube Attack

Conditional cube attack  was proposed by Huang et al. to attack Keccak keyed mode, including Keccak-MAC and Keyak. We quote some definitions and a theorem here.

### Definition 1

. Cube variables that have propagation controlled in the first round and are not multiplied with each other after the second round of Keccak are called conditional cube variables. Cube variables that are not multiplied with each other after the first round and are not multiplied with any conditional cube variable after the second round are called ordinary cube variables.

### Theorem 2

. For $$(n + 2)$$-round Keccak sponge function $$(n > 0)$$, if there are $$p (0 \le p < 2^n + 1)$$ conditional cube variables $$v_0,\ldots ,v_{p-1}$$, and $$q=2^{n+1}-2p+1$$ ordinary cube variables, $$u_0,\ldots ,u_{q-1}$$ (If $$q = 0$$, we set $$p = 2^n + 1$$), the term $$v_0v_1 \ldots v_{p-1}u_0 \ldots u_{q-1}$$ will not appear in the output polynomials of $$(n + 2)$$-round Keccak sponge function.

Actually, we use the special case of the above theorem when $$p=1$$. We describe it as a corollary for clearness.

### Corollary 1

For $$(n + 2)$$-round Keccak sponge function $$(n > 0)$$, if there is one conditional cube variable $$v_0$$, and $$q=2^{n+1}-1$$ ordinary cube variables, $$u_0,\ldots ,u_{q-1}$$, the term $$v_0u_0 \ldots u_{q-1}$$ will not appear in the output polynomials of $$(n + 2)$$-round Keccak sponge function.

## 4 Modeling Search Strategy

Define $$A[x][y][z]=1$$ when it is an ordinary cube variable or conditional cube variable, else $$A[x][y][z]=0$$.

### 4.1 Modeling CP-like-kernel

In the Keccak submission document , the original concept is illustrated as following: if all columns in a state have even parity, $$\theta$$ is the identity, which is illustrated. The conditional cube variable used in this is set in CP-kernel to reach a reduced diffusion. At ASIACRYPT 2016, Guo et al.  assign A[y], $$y=0,1,2,3$$, to be variables and $$A=\bigoplus _{i=0}^{3}A[y]$$ so that variables in each column sum to 0. Then $$\theta$$ is the identity. In fact, when the parity of a column remains constant, the variables in the column do not propagate through $$\theta$$ operation. We denoted this property as a CP-like-kernel. In order to reduce the diffusion of ordinary cube variables, we set them as CP-like-kernel.

In CP-like-kernel, if certain column contain ordinary cube variables, then the number of the variables must be no less than two. If $$n(n=2,3,4,5)$$ bits in a column contain cube variables, we set the $$n-1$$ bits to be independent ordinary cube variables and 1 bit variable to be the sum of the $$n-1$$ bits. So the constraints in modeling CP-like-kernel have the following two purposes:
1. 1.

Avoid the number of bits containing cube variable in each column from being one;

2. 2.

Record which column contains cube variables.

Given xz, suppose $$A[x][y][z],y=0,1,2,3,4$$ possibly contain ordinary cube variables. If there exists an ordinary cube variable in A[x][y][z] for some y, then the dummy variable $$d=1$$. Else $$d=0$$. Then we get the following inequalities
\begin{aligned} \left\{ \begin{aligned}&\sum \limits _{y = 0}^4 {A[x][y][z]} \ge 2d\\&d \ge A[x][z]\\&d \ge A[x][z]\\&d \ge A[x][z]\\&d \ge A[x][z]\\&d \ge A[x][z] \end{aligned} \right. \end{aligned}
(3)
For any $$x,z~(x=0,1,\ldots ,4,z=0,1,\ldots ,63)$$, denote the corresponding dummy variable as d[x][z]. d[x][z] records whether the column [x][z] contain cube variables as illustrated above. The [x][z] column can provide $$\sum \limits _{y = 0}^4 {A[x][y][z]} - d[x][z]$$ independent cube variables. The number of independent cube variables that the whole state can provide is to sum up the ones of all columns with $$x=0,1\ldots 4, z=0,1\ldots 63$$. Correspondingly, the objective function of the MILP model is set as
\begin{aligned} \sum \limits _{x,y,z}{A[x][y][z]} - \sum \limits _{x,z}{d[x][z]}, \end{aligned}
i.e. the number of cube variables in the whole state.

### 4.2 Modeling the First Round

We omit the $$\theta$$ operation in the first round, as it does not influence the distribution of cube variables according to the property of CP-like-kernel. With the help of SAGE , the Keccak round function can be operated in the form of algebraic symbols. So the internal the bits of state $$S_1$$ are describe as algebraic form functions about the bits of the initial state $$S_0$$. Using a easy search program, we know which two bits in state $$S_0$$ will be multiplied in $$S_1$$. Constraints are added according to the following two conditions:
1. 1.
1. (a)

Condition: Any of the ordinary cube variables do not multiply with each other in the first round.

2. (b)
Constraint: If two bits $$S_{0}[x_1][y_1][z_1]$$ and $$S_{0}[x_2][y_2][z_2]$$ multiply, the constraint
\begin{aligned} A[x_1][y_1][z_1] + A[x_2][y_2][z_2] \le 1 \end{aligned}
will be added to avoid their simultaneous selection as ordinary cube variables.

2. 2.
1. (a)

Condition: The conditional cube variable does not multiply with any of the ordinary cube variables in the first round.

2. (b)
Constraint: If one bit $$S_{0}[x][y][z]$$ multiplies with the conditional cube variable, the constraint
\begin{aligned} A[x][y][z] = 0 \end{aligned}
will be added to avoid it from being selected as ordinary cube variables.

### 4.3 Modeling the Second Round

We list Property 1 for the conditions added to control the diffusion of the conditional cube variable $$v_0$$.

### Property 1

In $$\chi$$ operation, denote the input and output state as X and Y respectively, one bit X[x][y][z] only multiplies with two bits $$X[x-1][y][z]+1$$ and $$X[x+1][y][z]$$.

1. (1)

If only one bit X[x][y][z] contains variable $$v_0$$, conditions $$X[x-1][y][z]+1=0$$ and $$X[x+1][y][z]=0$$ can avoid $$v_0$$ from diffusing by $$\chi$$.

2. (2)
If only n bits $${X[x_0][y_0][z_0],X[x_1][y_1][z_1]\ldots X[x_{n-1}][y_{n-1}][z_{n-1}]}$$ contain variable $$v_0$$, 2n conditions
can avoid $$v_0$$ from diffusing by $$\chi$$.

1. 1.

Condition: Under the above conditions added to the first round, the conditional cube variable does not multiply with any of the ordinary cube variables in the second round.

2. 2.
Constraint: If one bit $$S_{0}[x][y][z]$$ multiplies with the conditional cube variable, the constraint
\begin{aligned} A[x][y][z] = 0 \end{aligned}
will be added to avoid it from being selected as ordinary cube variables.

## 5 Applications to Round-Reduced Keccak-MAC

### 5.1 Attack on 7-Round Keccak-MAC-384

For Keccak-MAC-384 with 1600-bit state, rate occupies 832 bits, and capacity 768 bits. As Fig. 5 shows us, 128-bit key ($$k_0,k_1$$) locates at the first two yellow lanes, and conditional cube variable $$v_0$$ is set in CP-like-kernel as $$S_0=S_0=v_0$$ in blue, then the white bits represent nonce or message bits, all of which can be selected as ordinary cube variables, while the grey ones are initialized with all zero. Note that the lanes, which are possible to be ordinary cube variables, obey CP-like-kernel. List these lanes in a set $$\mathbb {V}$$:
$$\mathbb {V}=\{,,,,,,,,,,\}$$
Additionally, the subset of $$\mathbb {V}$$, $$\mathbb {V}_i,i=0,1\ldots 4$$ represents the set of lanes whose x-index equals 0, 1 ...4 respectively. Fig. 5. The initial state of Keccak-MAC-384 (Color figure online)
According to the modeling search strategy illustrated in Sect. 4, we search for the maximal number of independent ordinary cube variables. The objective function is
\begin{aligned} \sum \limits _{x,y\in \mathbb {V},z\in \{0,1\ldots 63\}}{A[x][y][z]}\ - \sum \limits _{x\in \{0,1\ldots 4\},z\in \{0,1\ldots 63\}}{d[x][z]}, \end{aligned}
To model the CP-like-kernel, constraints are in the following:
\begin{aligned} \left\{ \begin{aligned}&\sum \limits _{x,y\in \mathbb {V}_x,z}{A[x][y][z]} \ge 2d[x][z]\\&d[x][z] \ge A[x][y][z], y\in \mathbb {V}_x\\ \end{aligned} \ for \ x=0,1\ldots 4, z=0,1\ldots 63 \right. \end{aligned}
(4)
The input state is initialized with key k, conditional cube variable $$v_0$$, possible ordinary cube variables $$v_i$$ (placed in bit position $$[x_i][y_i][z_i]$$) and zero padding. After $$\rho , \pi , \chi$$ operation in the first round, the state is in the algebraic symbolic form of the initial state bits. If any $$v_0v_i$$ exists, and the bit corresponding to i is $$[x_i][y_i][z_i]$$, constraint $$A[x_i][y_i][z_i]=0$$ is added. If any $$v_iv_j$$ exists, the bit corresponding to ij, constraint $$A[x_i][y_i][z_i] + A[x_j][y_j][z_j] \le 1$$ is added. The above constraints are to avoid any multiplication in the first round among cube variables. Additionally, we add the four bit conditions around conditional cube variable $$v_0$$ before the first $$\chi$$ operation to reduce its diffusion. After $$\theta , \rho , \pi , \chi$$ operation in the second round, similarly, if any $$v_0v_i$$ exists, and the bit corresponding to i is $$[x_i][y_i][z_i]$$, constraint $$A[x_i][y_i][z_i]=0$$ is added to avoid any ordinary cube variables from multiplying with $$v_0$$ in the second second. With the help of Gurobi , the objective function is optimized under all the above constraints, i.e. with all cube variables obeying CP-like-kernel, the maximum of cube variables is 65. Actually, 64 cube variables are enough to perform the 7-round attack on Keccak-MAC-384. Both the cube variables and conditions are listed in Table 3.
Table 3.

Parameters set for attack on 7-round Keccak-MAC-384

In 7-round attack on Keccak-MAC-384, $$2^6=64$$ cube variables are denoted by $$v_0,v_1\ldots v_{63}$$. Based on Corollary 1, $$v_0$$ is the conditional cube variable fixed in the beginning and $$v_1,v_2\ldots v_{63}$$ are ordinary cube variables found by MILP search strategy. We summarize the requirements as following:
1. (1)

$$v_0,v_1\ldots v_{63}$$ do not multiply with each other in the first round;

2. (2)

Under some conditions on key and nonce, $$v_0$$ does not multiply with any of $$v_1,v_2\ldots v_{63}$$ in the second round.

While all the nonce bits are constant, all the bit conditions are satisfied if and only if all the key bits are guessed correctly. Thus, zero sums over the 128-bit tag with cube variables set as Table 3 mean a correct key guess.

We analyze the time and data complexity of the attack: with the parameters set in Table 3, the 8 guessed key bits $$k_{0}$$ + $$k_{1}$$, $$k_{0}$$, $$k_{0}$$, $$k_{0}$$, $$k_{1}$$, $$k_{0}$$, $$k_{1}$$, $$k_{0}$$ can be recovered. The time complexity of one recovery is $$2^8*2^{64}$$. According to the property of permutation, it is totally symmetric in z-axis. Thus we can obtain corresponding parameters set with any rotation of i-bit $$(0\le i<64)$$ in z-axis. Therefore, the guessed key bits rotated i-bit i.e. $$k_{0}[i+5]$$ + $$k_{1}[i+5]$$, $$k_{0}[i+60]$$, $$k_{0}[i+35]$$, $$k_{0}[i+54]$$, $$k_{1}[i+29]$$, $$k_{0}[i+7]$$, $$k_{1}[i+45]$$, $$k_{0}[i+18]$$ can be recovered. Through simple count, for $$0\le i<8$$, 70 independent key bits out of 128 key bits can be recovered, 8 iterations consumes $$8\times 2^8\times 2^{64}$$ and the remaining 58 key bits are left to exhaustive search consuming $$2^{58}$$. Combine the two parts, the procedure consumes $$8\times 2^8\times 2^{64}+2^{58}=2^{75}$$ computations of 7-round of Keccak-MAC-384, correspondingly $$2^{75}$$ (messagetag) pairs are needed. After the procedure above, all the 128 bits in $$k_0,k_1$$ can be recovered. Therefore, both time and data complexity of the attack are $$2^{75}$$.

### 5.2 Attack on 6-Round Keccak-MAC-512

For Keccak-MAC-384 with 1600-bit state, rate occupies 832 bits, and capacity 768 bits. As Fig. 6 shows us, 128-bit key ($$k_0,k_1$$) locates at the first two yellow lanes, and conditional cube variable $$v_0$$ is set in CP-like-kernel as $$S_0=S_0=v_0$$ in blue, then the white bits represent nonce or message bits, all of which can be selected as ordinary cube variables, while the grey ones are initialized with all zero. Note that the lanes, which are possible to be ordinary cube variables, obey CP-like-kernel. List these lanes in a set $$\mathbb {V}$$:
$$\mathbb {V}=\{,,,\}$$
Additionally, the subset of $$\mathbb {V}$$, $$\mathbb {V}_i,i=2,3$$ represents the set of lanes whose x-index equals 2, 3 respectively. According to the modeling search strategy illustrated in Sect. 4, we search the controllable bits for the most ordinary cube variables. The objective function is
\begin{aligned} \sum \limits _{x,y\in \mathbb {V},z\in \{0,1\ldots 63\}}{A[x][y][z]} - \sum \limits _{x\in \{0,1\ldots 4\},z\in \{0,1\ldots 63\}}{d[x][z]}, \end{aligned}
To model the CP-like-kernel, constraints are in the following according to Eq. 3:
\begin{aligned} \left\{ \begin{aligned}&\sum \limits _{x,y\in \mathbb {V}_x,z}{A[x][y][z]} \ge 2d[x][z]\\&d[x][z] \ge A[x][y][z], y\in \mathbb {V}_x\\ \end{aligned} \ for \ x=2,3, z=0,1\ldots 63 \right. \end{aligned}
(5)
Table 4.

Parameters set for attack on 6-round Keccak-MAC-512

The method of adding constraints to avoid multiplication is just the same as Keccak-MAC-384. With the help of Gurobi , the objective function is optimized under all the above constraints. The maximum of cube variables obeying CP-like-kernel is 26 (including a conditional cube variables). As the number of cube variables is not enough to perform the 6-round attack on Keccak-MAC-512, and many nonce bits are not utilized, we continue the search for appropriate ordinary cube variables among the single bits in lanes [0, 1], [1, 1], [4, 0].

Modeling the single bits

A single bit here means it is the only bit in its column that contains cube variable, exactly, it is set as a new ordinary cube variable. As the optimization according to CP-like-kernel above, most cube variables have been settled. Additionally, the state is so large as 1600-bit. Although a single bit diffuse to 11 bits after the first $$\theta$$ operation, it may not multiply with all the other cube variables in the first round, and not multiply with conditional cube variable $$v_0$$ in the second round. The objective function is the sum of all possible bits to be ordinary cube variables. Then, constraints are added to avoid the above two kinds of multiplication in the same way.

Another 6 single bits are found as 6 new ordinary cube variables. Totally, we find (6 + 26=)32 dimension cube and based on it a 6 round key-recovery attack on Keccak-MAC-512 is achieved. Both the cube variables and conditions are listed in Table 4.

In 6-round attack on Keccak-MAC-512, $$2^5=32$$ cube variables denoted by $$v_0,v_1\ldots v_{31}$$. Based on Corollary 1, $$v_0$$ is the conditional cube variable and $$v_1,v_2\ldots v_{31}$$ are ordinary cube variables. We summarize the requirements as following:
1. (1)

$$v_0,v_1\ldots v_{31}$$ do not multiply with each other in the first round;

2. (2)

Under some conditions on key and nonce, $$v_0$$ does not multiply with any of $$v_1,v_2\ldots v_{31}$$ in the second round.

All the bit conditions are satisfied if and only if all the key bits are guessed correctly. Thus, zero sums over the 128-bit tag with cube variables set as Table 4 suggest a correct key guess. Furthermore, the similar key recovery can be performed with any offset in z-axis.

We analyze the time and data complexity of the attack: 4 iterations in z-axis recover 72 key bits, and the remaining 56 key bits are recovered by exhaustive search, thus the procedure consumes $$4\times 2^{24} \times 2^{32} + 2^{56}=2^{58.3}$$ computations of 6-round initialization of Keccak-MAC-512, correspondingly $$2^{58.3}$$ (messagetag) pairs are needed. After the procedure above, all the 128 bits in $$k_0,k_1$$ can be recovered. Therefore, both time and data complexity of the attack are $$2^{58.3}$$.

## 6 Attacks on Round-Reduced Initialization of Ketje

At 6 March 2017, the Keccak team announces the Ketje cryptanalysis prize to encourage the cryptanalysis.

### 6.1 Attacks on Round-Reduced Initialization of Ketje Major

Ketje Major operates on a 1600-bit state, the recommended key length is 128-bit, which is similar to Keccak-MAC. We focus on the instances with recommended 128-bit key. The number of nonce bits in Ketje Major is variable from 0 to 1454.
Table 5.

The number of cube variables in CP-like-kernel in different nonces in Ketje Major

Nonce: bits(lanes)

Number of cube variables in CP-like-kernel

448(7)

21

512(8)

41

576(9)

50

640(10)

59

704(11)

75

832(13)

81

Table 6.

Parameters set for attack on 6-round Ketje Major

To explore the resistance against conditional cube attack of the different instances, we apply the MILP search strategy to search the possible cube variables in the instances with different lengths of nonce, and list the corresponding number of cube variables in Table 5. Similar to attacks on Keccak-MAC described in Sects. 5.15.2, 32 cube variables are needed to perform 6-round attack, and 64 cube variables are needed to perform 7-round attack. Thus, Table 5 tells us that when the nonce is no less than 704 bits (11 lanes), cube variables are enough to perform 7-round attack on Ketje Major and 6-round attack on Ketje Major can be performed if the nonce is no less than 512 bits (8 lanes).

As instances with more nonce bits can directly use the parameters of instances with less nonce bits, we list the details of 6-round and 7-round attacks on Ketje Major with 512-bit and 704-bit nonce.

Attack on 6-Round Initialization of Ketje Major. According to parameters set in Table 6, guess the 3 key bits listed, compute cube sums on variables $$v_0,\ldots ,v_{31}$$, zero cube sums suggest a right key(i.e. 3 guessed key bits in Table 6). It consumes $$2^3\times 2^{32}=2^{35}$$ computations of 6-round initialization of Ketje Major. According to the property of permutation, it is totally symmetric in z-axis. Thus we can obtain corresponding parameters set with any rotation of i-bit $$(0\le i<64)$$ in z-axis. Therefore, 128 key bits can be recovered by 64 iterations for $$0\le i<64$$, so the time complexity is $$64\times 2^3\times 2^{32}=2^{41}$$.

Attack on 7-Round Initialization of Ketje Major. We use A =  A = $$v_{0}$$ as condition cube variable. According to parameters set in Table 7, guess the 16 key bits listed, compute cube sums on variables $$v_0,\ldots ,v_{63}$$, zero cube sums suggest a right key (i.e. 16 guessed key bits in Table 7). It consumes $$2^{16}\times 2^{64}=2^{80}$$ computations of 7-round initialization of Ketje Major. Similar to the case above, 46 key bits can be recovered by 4 iterations for $$0\le i<4$$, and the remaining 82 key bits can be recovered by exhaustive search. The time complexity is $$4\times 2^{16}\times 2^{64} + 2^{82}=2^{83}$$.
Table 7.

Parameters set for attack on 7-round Ketje Major

### 6.2 Attacks on Round-Reduced Initialization of Ketje Minor

The state of Ketje Minor is 800-bit, which is the half of the state size of Keccak-MAC (1600-bit). As the upper part of Fig. 7 shows, in Huang et al.’s attack on Keccak-MAC, one conditional cube variable $$v_0$$ is chosen, placed in two black bits of $$S_0$$. After adding some conditions, the conditional cube variable $$v_0$$ is diffused to 22 bits shown in state $$S_{1.5}$$, we denote the diffusion pattern as 2-2-22. For the state of Ketje Minor is much smaller, the conditional cube variable in 2-2-22 pattern diffuses relatively much greater, there are only 26 ordinary cube variables in CP-like-kernel optimized with MILP search strategy, which is not enough for 7-round attack. Fig. 7. Diffusions of the conditional cube variable in 2-2-22 and 6-6-6 Pattern in Ketje Minor

In order to solve the problem, we find a new conditional cube variable. As shown in the lower part of Fig. 7, after adding some conditions, the diffusion pattern is 6-6-6 and only 6 bits in $$S_{1.5}$$ contains the conditional cube variable. At last, we find enough ordinary cube variables with the MILP tool to launch the key-recovery attacks on 5/6/7-round reduced Ketje Minor.

In details, from $$S_0$$ to $$S_1$$, $$\theta ,\rho ,\pi ,\chi ,\iota$$ are operated in sequence. $$\theta$$ operation holds the distribution of $$v_0$$ according to CP-like-kernel. Operations $$\rho$$ and $$\pi$$ only permute the bit positions, while $$\iota$$ only adds a constant. Thus, we only need to control the diffusion of $$\chi$$ operation. We denote the state before $$\chi$$ operation in the first round as $$S_{0.5}$$. According to Property 1-(2), 12-bit conditions based on key and nonce are introduced to keep the 6 bits containing $$v_0$$ from diffusion. Then the diffusion of $$v_0$$ maintains the 6-6-6 pattern.
Table 8.

Parameters set for attack on the 5-round initialization of Ketje Minor

Attack on 5-Round Initialization of Ketje Minor. In 5-round attack, we choose $$2^4=16$$ cube variables denoted by $$v_0,v_1\ldots v_{15}$$. Based on Corollary 1, $$v_0$$ is the conditional cube variable and $$v_1,v_2\ldots v_{15}$$ are ordinary cube variables. We summarize the requirements as following:
1. (1)

$$v_0,v_1\ldots v_{15}$$ do not multiply with each other in the first round;

2. (2)

Under some conditions on key and nonce, $$v_0$$ does not multiply with any of $$v_1,v_2\ldots v_{15}$$ in the second round.

Under (1), any of cube variables $$v_0,v_1\ldots v_{15}$$ only exists as a one-degree term in the output of 1-round Ketje Minor, i.e. the degree of any bit in $$S_1$$ is no more than one. The degree of one round function is 2. When we say the degree of some state, we mean the highest degree among the cube variables in all terms of the state. If conditions in (2) are met, according to Corollary 1, the term $$v_0v_1\ldots v_{15}$$ will not appear in $$S_5$$, so the degree over cube variables $$v_0,v_1\ldots v_{15}$$ is at most 15. Otherwise, the degree of $$S_5$$ is 16.

Thus, under given conditions on key and nonce, the cube sums of all bits in $$S_5$$ over $$v_0,v_1\ldots v_{15}$$ are zero, otherwise the cube sums are random if those conditions are not met. Actually, $$\rho =128$$ bits of $$S_5$$ are known in Ketje Minor. If the cube sum on each of the 128 bits is zero, we can determine that the corresponding conditions are satisfied.

As Table 8 shows, the 12 bit conditions are related to key and nonce bits. We guess the 12 key bits with all the possible values. While all the nonce bits are constant, all the bit conditions are satisfied if and only if all the key bits are guessed correctly. Thus, zero sums over the 128 known bits of $$S_5$$ ($$S_5,S_5,S_5,S_5$$ 3) with cube variables set as Table 8 mean a correct key guess. We give an example here for intuition, in which key is generated randomly and all the controllable nonce bits are set as zero.
Table 9.

Ordinary cube variables and bit conditions for attack on the 6-round initialization of Ketje Minor

Furthermore, we can perform the similar key recovery with any offset $$0,1\ldots 31$$ in z-axis. We analyze the time and data complexity of the attack: the procedure consumes $$32\times 2^{12} \times 2^{16}=2^{33}$$ computations of 5-round initialization of Ketje Minor, correspondingly $$2^{33}$$ (nonceplaintextciphertexttag) pairs are needed. After the procedure above, all the 120 bits in $$k_0,k_1,k_2,k_3$$ can be recovered, and the remaining 8 bits of $$k_4$$ can be determined by brute search. Therefore, time complexity of the attack is $$2^{33}$$ computations of 5-round initialization of Ketje Minor, and data complexity is $$2^{33}$$ (nonceplaintextciphertexttag) pairs.

Attack on 6-Round Initialization of Ketje Minor. In 6-round attack, similar to the 5-round attack, we choose $$2^5=32$$ cube variables denoted by $$v_0,v_1\ldots v_{31}$$. Based on Corollary 1, $$v_0$$ is the conditional cube variable and $$v_1,v_2\ldots v_{31}$$ are ordinary cube variables. We summarize the requirements as following:
1. (1)

$$v_0,v_1\ldots v_{31}$$ do not multiply with each other in the first round;

2. (2)

Under some conditions on key and nonce, $$v_0$$ does not multiply with any of $$v_1,v_2\ldots v_{31}$$ in the second round.

The recovery attack can be performed similarly to 5-round attack. While all the nonce bits are constant, all the bit conditions are satisfied if and only if all the key bits are guessed correctly. Thus, zero sums over the 128 known bits of $$S_6$$ ($$S_6,S_6,S_6,S_6$$) with conditional cube variable set as Table 8 and ordinary cube variables set as Table 9 mean a correct key guess. We give an example here for intuition, in which key is generated randomly and all the controllable nonce bits are set as zero.

We analyze the time and data complexity of the attack: the procedure consumes $$32\times 2^{12} \times 2^{32}=2^{49}$$ computations of 6-round initialization of Ketje Minor, correspondingly $$2^{49}$$ (nonceplaintextciphertexttag) pairs are needed. After the procedure above, all the 120 bits in $$k_0,k_1,k_2,k_3$$ can be recovered, and the remaining 8 bits in $$k_4$$ can be determined by brute search. Therefore, both time and data complexity of the attack are $$2^{49}$$.

Attack on 7-Round Initialization of Ketje Minor. In 7-round attack, similar to the 5/6-round attack, we choose $$2^6=64$$ cube variables denoted by $$v_0,v_1\ldots v_{63}$$. Based on Corollary 1, $$v_0$$ is the conditional cube variable and $$v_1,v_2\ldots v_{63}$$ are ordinary cube variables. We summarize the requirements as following:
1. (1)

$$v_0,v_1\ldots v_{63}$$ do not multiply with each other in the first round;

2. (2)

Under some conditions on key and nonce, $$v_0$$ does not multiply with any of $$v_1,v_2\ldots v_{63}$$ in the second round.

While all the nonce bits are constant, all the bit conditions are satisfied if and only if all the key bits are guessed correctly. Thus, zero sums over the 128 known bits of $$S_7$$ ($$S_7,S_7,S_7,S_7$$) with conditional cube variable set as Table 8 and ordinary cube variables set as Table 10 mean a correct key guess.

We analyze the time and data complexity of the attack: the procedure consumes $$32\times 2^{12} \times 2^{64}=2^{81}$$ computations of 7-round initialization of Ketje Minor, correspondingly $$2^{81}$$ (nonceplaintextciphertexttag) pairs are needed. After the procedure above, all the 120 bits in $$k_0,k_1,k_2,k_3$$ can be recovered, and the remaining 8 bits in $$k_4$$ can be determined by brute search. Therefore, both time and data complexity of the attack are $$2^{81}$$.
Table 10.

Ordinary cube variables for attack on the 7-round initialization of Ketje Minor

## 7 Conclusion

In this paper, we comprehensively study the conditional cube attack against Keccak keyed modes. In order to find enough ordinary cube variables in low degrees of freedom of Keccak keyed modes, we introduce a new MILP model. We show how to model the CP-like-kernel and model the way that the ordinary cube variables do not multiply together in the first round as well as do not multiply with the conditional cube variable in the second round. Then, a series of linear inequality system are brought out, which accurately restrict the way to add an ordinary cube variable. Then, by choosing the objective function of the maximal number of ordinary cube variables, we convert Huang et al.’s greedy algorithm into an MILP problem and maximal number of ordinary cube variables is determined. Based on this method, we extend the best previous attacks on round-reduced Keccak-MAC-384 and Keccak-MAC-512 by 1 round, and achieve the first 7-round and 6-round key-recovery attacks, respectively. In addition, we give some results on Ketje Major and Minor and get the best results on these two ciphers (Tables 7, 10 and 11).
Table 11.

Bit conditions for attack on the 7-round initialization of Ketje Minor

Currently, the cryptanalysis progress of symmetric-key ciphers heavily depends on automated evaluation tools. For many reasons, the cryptanalysis of the new SHA-3 standard Keccak is very hard and limited, more evaluation tools on Keccak are urgently needed. The MILP method introduced in this paper enriches the Keccak tools, and helps academic communities study Keccak much easier.

## Footnotes

1. 1.

Note that, in Huang et al.’s paper, a small MILP model is also introduced, however, it could only find some distinguisher attacks on Keccak hash function.

2. 2.
3. 3.

These four 32-bit words are the first four words after $$\pi$$ which are the output bits of Keccak-$$p^*$$.

## References

1. 1.
2. 2.
3. 3.
Berton, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak sponge function family. http://keccak.noekeon.org/
4. 4.
Berton, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: CAESAR submission: Ketje v2 (2016). http://competitions.cr.yp.to/round3/ketjev2.pdf
5. 5.
Berton, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: CAESAR submission: Keyak v2 (2016). http://competitions.cr.yp.to/round3/keyakv22.pdf
6. 6.
Bertoni, G., Daemen, J., Peeters, M., Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012).
7. 7.
Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011).
8. 8.
Cui, T., Jia, K., Fu, K., Chen, S., Wang, M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. IACR Cryptology ePrint Archive 2016/689 (2016). http://eprint.iacr.org/2016/689
9. 9.
Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012).
10. 10.
Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012).
11. 11.
Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014). Google Scholar
12. 12.
Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). Google Scholar
13. 13.
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009).
14. 14.
Dobraunig, C., Eichlseder, M., Mendel, F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 490–509. Springer, Heidelberg (2015).
15. 15.
Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Cryptanalysis of Ascon. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 371–387. Springer, Cham (2015). Google Scholar
16. 16.
Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2. Submission to the CAESAR Competition (2016)Google Scholar
17. 17.
Dong, X., Li, Z., Wang, X., Qin, L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017(1), 259–280 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/594 Google Scholar
18. 18.
Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 402–421. Springer, Heidelberg (2012).
19. 19.
Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016).
20. 20.
Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017).
21. 21.
Jean, J., Nikolić, I.: Internal differential boomerangs: practical analysis of the round-reduced Keccak- $$f$$ permutation. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 537–556. Springer, Heidelberg (2015).
22. 22.
Li, Z., Dong, X., Wang, X.: Conditional cube attack on round-reduced ASCON. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017)Google Scholar
23. 23.
Mella, S., Daemen, J., Assche, G.V.: New techniques for trail bounds and application to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/597 Google Scholar
24. 24.
Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced Keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014). Google Scholar
25. 25.
Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012).
26. 26.
Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017).
27. 27.
Sasaki, Y., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017).
28. 28.
Song, L., Liao, G., Guo, J.: Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017).
29. 29.
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). Google Scholar
30. 30.
Wu, S., Wang, M.: Security evaluation against differential cryptanalysis for block cipher structures. IACR Cryptology ePrint Archive 2011/551 (2011)Google Scholar
31. 31.
Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016).