Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method
Abstract
Conditional cube attack is an efficient key-recovery attack on Keccak keyed modes proposed by Huang et al. at EUROCRYPT 2017. By assigning bit conditions, the diffusion of a conditional cube variable is reduced. Then, using a greedy algorithm (Algorithm 4 in Huang et al.’s paper), Huang et al. find some ordinary cube variables that do not multiply together in the 1st round and do not multiply with the conditional cube variable in the 2nd round. Then the key-recovery attack is launched. The key part of the conditional cube attack is to find enough ordinary cube variables. Note that the greedy algorithm given by Huang et al. adds an ordinary cube variable without considering its bad effect, i.e. the new ordinary cube variable may prevent many other variables from being selected as ordinary cube variables (they multiply with the new ordinary cube variable in the first round).
In this paper, we bring out a new MILP model to solve the above problem. We show how to model the CP-like-kernel, and how to model the requirement that the ordinary cube variables do not multiply together in the 1st round and do not multiply with the conditional cube variable in the 2nd round. Based on these modeling strategies, a series of linear inequalities is given to restrict the way an ordinary cube variable is added. Then, by choosing as objective function the maximal number of ordinary cube variables, we convert Huang et al.’s greedy algorithm into an MILP problem and the maximal set of ordinary cube variables is found.
Using this new MILP tool, we improve Huang et al.’s key-recovery attacks on reduced-round Keccak-MAC-384 and Keccak-MAC-512 by 1 round, obtaining the first 7-round and 6-round key-recovery attacks, respectively. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round key-recovery attack can be achieved. In addition, for Ketje Minor, we use a conditional cube variable with the 6-6-6 pattern to launch a 7-round key-recovery attack.
1 Introduction
Nowadays, the cryptanalysis progress of symmetric-key ciphers heavily depends on automated evaluation tools. Providing a reliable security evaluation is the key point for a cipher to be accepted by industry. Recently, the cryptographic community found that many classical cryptanalysis methods can be converted into mathematical optimization problems, which aim to achieve the minimal or maximal value of an objective function under certain constraints. Mixed-integer Linear Programming (MILP) is the most widely studied technique to solve these optimization problems. One of the most successful applications of MILP is the search for differential and linear trails. Mouha et al. [25] and Wu and Wang [30] first applied the MILP method to count active S-boxes of word-based block ciphers. Then, at Asiacrypt 2014, by deriving linear inequalities through the H-representation of the convex hull of all differential patterns of an S-box, Sun et al. [29] extended this technique to search for differential and linear trails. Two other important applications are the search for integral distinguishers [31] and for impossible differentials [8, 27].
Keccak [3], designed by Bertoni et al., has been selected as the new cryptographic hash function standard SHA-3. As one of the most important cryptographic standards, Keccak attracts a lot of attention from researchers and engineers worldwide. To date, many cryptanalysis results [7, 10, 11, 18, 19, 21, 24] and evaluation tools [9, 14, 23] have been proposed, including the recent impressive collision attacks [26, 28]. Owing to the robust design of Keccak, its cryptanalysis progress is still limited. It must be pointed out that the automatic evaluation tools for Keccak still urgently need to be enriched.
At Eurocrypt 2015, Dinur et al. [12] for the first time considered the security of the Keccak keyed modes against cube-attack-like cryptanalysis and gave some key recovery attacks on reduced-round Keccak-MAC and Keyak [5]. At CT-RSA 2015, Dobraunig et al. [15] evaluated the security of Ascon [16] against cube-like cryptanalysis. Later, Dong et al. [17] applied the cube-like method to Ketje Sr [4], which adopts a smaller state size of the Keccak-p permutation. At Eurocrypt 2017, Huang et al. [20] introduced a new type of cube-like attack, called conditional cube attack, which takes advantage of the large state freedom of Keccak to find a so-called conditional cube variable that does not multiply with any of the other cube variables (called ordinary cube variables) in the first and second rounds of Keccak, while all ordinary cube variables do not multiply with each other in the first round. Thus, the degree of the output polynomial of reduced-round Keccak over the cube variables is reduced by 1 and a conditional cube tester is constructed. Then Li et al. [22] applied the conditional cube attack to reduced-round Ascon.
1.1 Our Contributions
For the conditional cube attack, once the conditional cube variable is determined, the most important work is to find enough ordinary cube variables to launch the key recovery attack. In [20], Huang et al. give Algorithm 4 to search for the ordinary cube variables. It is a greedy algorithm: it randomly selects a cube variable and adds it to the ordinary cube variable set when the variable does not multiply with the other ordinary cube variables in the set in the first round and does not multiply with the conditional cube variable in either the first or the second round. The drawback is that it can hardly reach the maximum (optimal) number of ordinary cube variables, because when a cube variable is added to the ordinary cube variable set, all the variables that multiply with the newly added cube variable in the first round are discarded; we add just one cube variable at the price of many variables losing the chance to become an ordinary cube variable. Actually, the search problem is an optimization problem. When the capacity of Keccak is large, the greedy algorithm is enough to find a proper ordinary cube variable set. However, when the capacity or the state size is small, the algorithm can hardly find enough ordinary cube variables, which invalidates the conditional cube attack. In fact, for Keccak-MAC-512 and Keccak-MAC-384, only 5-round and 6-round attacks are achieved by Huang et al.’s algorithm. When the capacity is large or the internal state of the Keccak sponge function is smaller than 1600 bits, e.g. the 800-bit Ketje Minor, the number of ordinary cube variables is reduced significantly.
In this paper, we present a novel technique to search for ordinary cube variables using the MILP method. By modeling the relations between the ordinary cube variables and the conditional cube variable in the first and second rounds, and modeling the so-called CP-like-kernel and the conditions for choosing ordinary cube variables, we construct a linear inequality system. The objective is the maximum number of ordinary cube variables. Based on this MILP tool, we improve Huang et al.’s attacks on Keccak-MAC and give some interesting results on Ketje Major and Minor, which are summarized in Table 1. In addition, we release the source code of the new MILP tool in the public domain to enrich the automatic evaluation tools on Keccak and help the academic community study Keccak more easily. The following are the main application results of the MILP tool.
1. It should be noted that, when the capacity reaches 768 or 1024, the cryptanalysis of Keccak becomes very hard. In fact, collision results on round-reduced Keccak-384 or Keccak-512 that are better than the birthday bound reach only 4 and 3 rounds respectively, while the preimage attacks [19, 24] on the two versions reach only 4 rounds. Based on our MILP tool, for Keccak-MAC-384, we find more than 63 ordinary cube variables, improve Huang et al.’s attack by 1 round, and obtain the very first 7-round key-recovery attack. For Keccak-MAC-512, we find more than 31 ordinary cube variables, improve Huang et al.’s attack by 1 round, and obtain the first 6-round key-recovery attack. These are the longest attacks that the cryptanalysis of Keccak with big capacity (768 or 1024) has reached.
2. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round conditional cube attack works. In addition, we find that the borderline nonce length for the 6-round key-recovery attack is 8 lanes.
3. For Ketje Minor, we use a new conditional cube variable and find 124 ordinary cube variables. Then a new 7-round key-recovery attack is proposed, which improves the previous best result by a factor of \(2^{15}\).
Table 1. Summary of key recovery attacks on Keccak keyed modes

| Variant | Capacity | Attacked rounds | Time | Source |
|---|---|---|---|---|
| Keccak-MAC | 768 | 6 | \(2^{40}\) | [20] |
| Keccak-MAC | 768 | 7 | \(2^{75}\) | Sect. 5.1 |
| Keccak-MAC | 1024 | 5 | \(2^{24}\) | [20] |
| Keccak-MAC | 1024 | 6 | \(2^{58.3}\) | Sect. 5.2 |

| Variant | Nonce | Attacked rounds | Time | Source |
|---|---|---|---|---|
| Ketje Major | Full | 6 | \(2^{64}\) | [17] |
| Ketje Major | Full | 7 | \(2^{96}\) | [17] |
| Ketje Major | \({\ge }512\) | 6 | \(2^{41}\) | Sect. 6.1 |
| Ketje Major | \({\ge }704\) | 7 | \(2^{83}\) | Sect. 6.1 |
| Ketje Minor | Full | 6 | \(2^{64}\) | [17] |
| Ketje Minor | Full | 7 | \(2^{96}\) | [17] |
| Ketje Minor | Full | 6 | \(2^{49}\) | Sect. 6.2 |
| Ketje Minor | Full | 7 | \(2^{81}\) | Sect. 6.2 |
1.2 Organization of the Paper
Section 2 gives some notations and a brief description of the Keccak-p permutations, Keccak-MAC and Ketje. Some related works are introduced in Sect. 3. Section 4 describes the MILP search model for the conditional cube attack. Round-reduced key-recovery attacks on Keccak-MAC-384/512 are introduced in Sect. 5. Section 6 gives the applications to Ketje. Section 7 concludes this paper.
2 Preliminaries
2.1 Notations
\(S_{i}\): the intermediate state after i rounds of Keccak-p; for example, \(S_{0.5}\) means the intermediate state before \(\chi\) in the 1st round of Keccak-p.
A: used in tables; for Keccak-MAC, the initial state; for Ketje, the state after \(\pi^{-1}\) of Keccak-\(p^*\).
A[i][j]: the 32/64-bit word indexed by \([i,j,*]\) of state A, \(0\leqslant i\leqslant 4\), \(0\leqslant j\leqslant 4\).
A[i][j][k]: the bit indexed by [i, j, k] of state A.
\(v_{i}\): the i-th cube variable.
K: the 128-bit key. For Keccak-MAC, \(K=k_0\|k_1\), where both \(k_0\) and \(k_1\) are 64-bit; for Ketje Major, \(K=k_0\|k_1\|k_2\), where \(k_0\) is 56-bit, \(k_1\) is 64-bit and \(k_2\) is 8-bit; for Ketje Minor, \(K=k_0\|k_1\|k_2\|k_3\|k_4\), where \(k_0\) is 24-bit, \(k_1\), \(k_2\) and \(k_3\) are 32-bit and \(k_4\) is 8-bit.
\(k_i[j]\): the j-th bit of \(k_i\).
capacity: in Keccak-MAC, the all-zero padding bits; in Ketje, the padding of the nonce.
2.2 The Keccak-p permutations
2.3 Keccak-MAC
2.4 Ketje
1. The initialization phase: The initialization takes the secret key K, the public nonce N and some padding as the initial state. Then \(n_{start}=12\) rounds of Keccak-\(p^*\) are applied.
2. Processing associated data: \(\rho\)-bit blocks of associated data are padded to (\(\rho +4\)) bits and absorbed by XORing them into the state, then \(n_{step}=1\) round of Keccak-\(p^*\) is applied. If the associated data is empty, this procedure still needs to be applied, which means an empty block is padded to (\(\rho +4\)) bits and then processed similarly.
3. Processing the plaintext: Plaintext is processed in \(\rho\)-bit blocks in a similar manner, with ciphertext blocks extracted from the state right after adding the plaintext.
4. Finalization: The finalization with \(n_{stride}=6\) rounds of Keccak-\(p^*\) and a series of \(n_{step}=1\) round Keccak-\(p^*\) calls is performed to get the required length of tag T.

Table 2. Four instances in Ketje v2

| Name | f | \(\rho\) | Main use case |
|---|---|---|---|
| Ketje Jr | Keccak-\(p^*[200]\) | 16 | Lightweight |
| Ketje Sr | Keccak-\(p^*[400]\) | 32 | Lightweight |
| Ketje Minor | Keccak-\(p^*[800]\) | 128 | Lightweight |
| Ketje Major | Keccak-\(p^*[1600]\) | 256 | High performance |
3 Related Work
3.1 Cube Attack
At EUROCRYPT 2009, Dinur and Shamir introduced the cube attack [13], in which an output bit of a symmetric cryptographic scheme is regarded as a polynomial \(f(k_0,\ldots ,k_{n-1},v_0,\ldots ,v_{m-1})\) over GF(2), where \(k_0,\ldots ,k_{n-1}\) are the secret variables (the key bits) and \(v_0,\ldots ,v_{m-1}\) are the public variables (e.g. IV or nonce bits).
Theorem 1
The basic idea is to find enough t whose P is linear and not a constant. This enables the key recovery through solving a system of linear equations.
3.2 Huang et al.’s Conditional Cube Attack
The conditional cube attack [20] was proposed by Huang et al. to attack Keccak keyed modes, including Keccak-MAC and Keyak. We quote some definitions and a theorem here.
Definition 1
[20]. Cube variables that have propagation controlled in the first round and are not multiplied with each other after the second round of Keccak are called conditional cube variables. Cube variables that are not multiplied with each other after the first round and are not multiplied with any conditional cube variable after the second round are called ordinary cube variables.
Theorem 2
[20]. For the \((n + 2)\)-round Keccak sponge function \((n > 0)\), if there are \(p\) \((0 \le p < 2^n + 1)\) conditional cube variables \(v_0,\ldots ,v_{p-1}\) and \(q=2^{n+1}-2p+1\) ordinary cube variables \(u_0,\ldots ,u_{q-1}\) (if \(q = 0\), we set \(p = 2^n + 1\)), the term \(v_0v_1 \ldots v_{p-1}u_0 \ldots u_{q-1}\) will not appear in the output polynomials of the \((n + 2)\)-round Keccak sponge function.
Actually, we use the special case of the above theorem with \(p=1\). We state it as a corollary for clarity.
Corollary 1
For the \((n + 2)\)-round Keccak sponge function \((n > 0)\), if there is one conditional cube variable \(v_0\) and \(q=2^{n+1}-1\) ordinary cube variables \(u_0,\ldots ,u_{q-1}\), the term \(v_0u_0 \ldots u_{q-1}\) will not appear in the output polynomials of the \((n + 2)\)-round Keccak sponge function.
4 Modeling Search Strategy
Define \(A[x][y][z]=1\) when the bit A[x][y][z] holds an ordinary cube variable or the conditional cube variable, and \(A[x][y][z]=0\) otherwise.
4.1 Modeling the CP-like-kernel
In the Keccak submission document [3], the original concept is illustrated as follows: if all columns of a state have even parity, \(\theta\) is the identity. The conditional cube variable used in this paper is set in the CP-kernel to reach a reduced diffusion. At ASIACRYPT 2016, Guo et al. [19] assign A[1][y], \(y=0,1,2,3\), to be variables and \(A[1][4]=\bigoplus _{y=0}^{3}A[1][y]\), so that the variables in each column sum to 0. Then \(\theta\) is the identity. In fact, when the parity of a column remains constant, the variables in the column do not propagate through the \(\theta\) operation. We denote this property as the CP-like-kernel. In order to reduce the diffusion of the ordinary cube variables, we set them in the CP-like-kernel as well, which is modeled in two steps:
1. Avoid the number of bits containing cube variables in each column being exactly one;
2. Record which columns contain cube variables.
4.2 Modeling the First Round
1. (a) Condition: None of the ordinary cube variables multiply with each other in the first round.
   (b) Constraint: If two bits \(S_{0}[x_1][y_1][z_1]\) and \(S_{0}[x_2][y_2][z_2]\) multiply, the constraint
   $$\begin{aligned} A[x_1][y_1][z_1] + A[x_2][y_2][z_2] \le 1 \end{aligned}$$
   is added to avoid their simultaneous selection as ordinary cube variables.
2. (a) Condition: The conditional cube variable does not multiply with any of the ordinary cube variables in the first round.
   (b) Constraint: If a bit \(S_{0}[x][y][z]\) multiplies with the conditional cube variable, the constraint
   $$\begin{aligned} A[x][y][z] = 0 \end{aligned}$$
   is added to prevent it from being selected as an ordinary cube variable.
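As an added example (not the authors' MILP tool, whose own source they publish separately), the following Python builds the Sect. 4.1 and 4.2 inequalities for Keccak-p[1600] from the \(\theta\), \(\rho\), \(\pi\) and \(\chi\) structure: it tracks where a cube variable placed in one initial-state bit sits before the first \(\chi\), with or without the CP-like-kernel property, and emits the pairwise, forced-zero and linearised column-count constraints in a textual LP form. The candidate bit positions and the \(v_0\) placement in the usage section are constructed for illustration, and solving the model is left to an MILP solver such as Gurobi, as in the paper.

```python
from itertools import combinations

W = 64  # lane length (bits) of Keccak-p[1600]

# rho rotation offsets of Keccak-p, indexed RHO[x][y]
RHO = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def var(bit):
    """MILP variable name for the 0/1 selector A[x][y][z] of one state bit."""
    x, y, z = bit
    return f"A[{x}][{y}][{z}]"


def theta_image(bit):
    """Bits of theta(S_0) that contain a variable placed in `bit` alone (a 'single bit').
    Its column parity then varies, so theta copies it into the two neighbouring
    column sheets as well: 1 + 5 + 5 = 11 bits in total."""
    x, y, z = bit
    out = {(x, y, z)}
    for yy in range(5):
        out.add(((x + 1) % 5, yy, z))            # C[x][z] is added at column x+1
        out.add(((x - 1) % 5, yy, (z + 1) % W))  # C[x][z] is added at column x-1, slice z+1
    return out


def rho_pi(bit):
    """Position of a bit after rho (lane rotation) and pi (lane permutation)."""
    x, y, z = bit
    return (y, (2 * x + 3 * y) % 5, (z + RHO[x][y]) % W)


def s05_positions(bit, cp_like_kernel):
    """S_0.5 positions (input of the first chi) holding the variable set in `bit`.
    In the CP-like-kernel the column parity stays constant, so theta is the identity
    on that variable and only rho and pi move it."""
    src = {bit} if cp_like_kernel else theta_image(bit)
    return {rho_pi(b) for b in src}


def chi_neighbours(bit):
    """The two bits a chi input bit is multiplied with (Property 1 of Sect. 4.3)."""
    x, y, z = bit
    return {((x - 1) % 5, y, z), ((x + 1) % 5, y, z)}


def multiply_in_first_round(p, q, kernel_p=True, kernel_q=True):
    """True iff variables placed in p and q share a product term after the first chi."""
    img_p, img_q = s05_positions(p, kernel_p), s05_positions(q, kernel_q)
    return any(n in img_q for b in img_p for n in chi_neighbours(b))


def first_round_constraints(candidates, kernel=True):
    """Sect. 4.2 (1): for every conflicting pair emit 'A[p] + A[q] <= 1'."""
    return [f"{var(p)} + {var(q)} <= 1"
            for p, q in combinations(candidates, 2)
            if multiply_in_first_round(p, q, kernel, kernel)]


def forced_zero_constraints(candidates, v0_bits, kernel=True):
    """Sect. 4.2 (2): a candidate that multiplies with the conditional cube variable v_0
    in the first round gets 'A[p] = 0'.  v0_bits are the S_0 bits holding v_0 (CP-kernel)."""
    v0_img = set().union(*(s05_positions(b, True) for b in v0_bits))
    return [f"{var(p)} = 0" for p in candidates
            if any(n in v0_img for b in s05_positions(p, kernel) for n in chi_neighbours(b))]


def cp_like_kernel_constraints(x, z):
    """Sect. 4.1: column (x,z) must hold 0 or at least 2 selected bits.  The binary d[x][z]
    records whether the column is used (step 2); A <= d forbids bits in an unused column
    and sum_y A >= 2 d forbids a column with exactly one bit (step 1)."""
    d = f"d[{x}][{z}]"
    rows = [f"{var((x, y, z))} - {d} <= 0" for y in range(5)]
    rows.append(" + ".join(var((x, y, z)) for y in range(5)) + f" - 2 {d} >= 0")
    return rows


if __name__ == "__main__":
    # Constructed illustration: v_0 occupies one CP-kernel column pair, candidates
    # are the first 8 slices of the sheets x = 0 and x = 1 (all assumed, not the paper's).
    v0_bits = [(2, 0, 0), (2, 1, 0)]
    candidates = [(x, y, z) for x in (0, 1) for y in range(5) for z in range(8)]
    pairs = first_round_constraints(candidates)
    zeros = forced_zero_constraints(candidates, v0_bits)
    print(len(candidates), "candidates,", len(pairs), "pair constraints,", len(zeros), "forced to 0")
    for row in cp_like_kernel_constraints(0, 0):
        print(row)
```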
4.3 Modeling the Second Round
We list Property 1 for the conditions added to control the diffusion of the conditional cube variable \(v_0\).
Property 1
In the \(\chi\) operation, denote the input and output states as X and Y respectively; one bit X[x][y][z] only multiplies with the two bits \(X[x-1][y][z]+1\) and \(X[x+1][y][z]\).
(1) If only one bit X[x][y][z] contains the variable \(v_0\), the conditions \(X[x-1][y][z]+1=0\) and \(X[x+1][y][z]=0\) prevent \(v_0\) from diffusing through \(\chi\).
(2) If only n bits \(X[x_0][y_0][z_0],X[x_1][y_1][z_1],\ldots ,X[x_{n-1}][y_{n-1}][z_{n-1}]\) contain the variable \(v_0\), 2n conditions prevent \(v_0\) from diffusing through \(\chi\).
1. Condition: Under the above conditions added to the first round, the conditional cube variable does not multiply with any of the ordinary cube variables in the second round.
2. Constraint: If a bit \(S_{0}[x][y][z]\) multiplies with the conditional cube variable in the second round, the constraint
   $$\begin{aligned} A[x][y][z] = 0 \end{aligned}$$
   is added to prevent it from being selected as an ordinary cube variable.
5 Applications to Round-Reduced Keccak-MAC
5.1 Attack on 7-Round Keccak-MAC-384
Table 3. Parameters set for the attack on 7-round Keccak-MAC-384
(1) \(v_0,v_1,\ldots ,v_{63}\) do not multiply with each other in the first round;
(2) Under some conditions on key and nonce, \(v_0\) does not multiply with any of \(v_1,v_2,\ldots ,v_{63}\) in the second round.
While all the nonce bits are constant, all the bit conditions are satisfied if and only if all the key bits are guessed correctly. Thus, zero sums over the 128-bit tag with the cube variables set as in Table 3 indicate a correct key guess.
We analyze the time and data complexity of the attack: with the parameters set in Table 3, the 8 guessed key bits \(k_{0}[5]\) + \(k_{1}[5]\), \(k_{0}[60]\), \(k_{0}[35]\), \(k_{0}[54]\), \(k_{1}[29]\), \(k_{0}[7]\), \(k_{1}[45]\), \(k_{0}[18]\) can be recovered. The time complexity of one recovery is \(2^8\times 2^{64}\). By the property of the permutation, it is totally symmetric in the z-axis. Thus we can obtain a corresponding parameter set for any rotation by i bits \((0\le i<64)\) in the z-axis. Therefore, the guessed key bits rotated by i bits, i.e. \(k_{0}[i+5]\) + \(k_{1}[i+5]\), \(k_{0}[i+60]\), \(k_{0}[i+35]\), \(k_{0}[i+54]\), \(k_{1}[i+29]\), \(k_{0}[i+7]\), \(k_{1}[i+45]\), \(k_{0}[i+18]\), can be recovered. By simple counting, for \(0\le i<8\), 70 independent key bits out of the 128 key bits can be recovered; the 8 iterations consume \(8\times 2^8\times 2^{64}\), and the remaining 58 key bits are left to exhaustive search consuming \(2^{58}\). Combining the two parts, the procedure consumes \(8\times 2^8\times 2^{64}+2^{58}=2^{75}\) computations of 7-round Keccak-MAC-384; correspondingly, \(2^{75}\) (message, tag) pairs are needed. After the procedure above, all 128 bits of \(k_0,k_1\) are recovered. Therefore, both the time and the data complexity of the attack are \(2^{75}\).
5.2 Attack on 6-Round Keccak-MAC-512
Table 4. Parameters set for the attack on 6-round Keccak-MAC-512
The method of adding constraints to avoid multiplication is just the same as for Keccak-MAC-384. With the help of Gurobi [2], the objective function is optimized under all the above constraints. The maximum number of cube variables obeying the CP-like-kernel is 26 (including the conditional cube variable). As this number of cube variables is not enough to perform the 6-round attack on Keccak-MAC-512, and many nonce bits are not utilized, we continue the search for appropriate ordinary cube variables among the single bits in lanes [0, 1], [1, 1], [4, 0].
Modeling the single bits
A single bit here means it is the only bit in its column that contains a cube variable; precisely, it is set as a new ordinary cube variable on its own. After the optimization according to the CP-like-kernel above, most cube variables have already been settled. Additionally, the state is as large as 1600 bits. Although a single bit diffuses to 11 bits after the first \(\theta\) operation, it may still multiply with none of the other cube variables in the first round and not multiply with the conditional cube variable \(v_0\) in the second round. The objective function is the sum over all bits that could be ordinary cube variables. Then, constraints are added to avoid the above two kinds of multiplication in the same way.
Another 6 single bits are found as 6 new ordinary cube variables. In total, we obtain a cube of dimension 6 + 26 = 32, and based on it a 6-round key-recovery attack on Keccak-MAC-512 is achieved. Both the cube variables and the conditions are listed in Table 4.
(1) \(v_0,v_1,\ldots ,v_{31}\) do not multiply with each other in the first round;
(2) Under some conditions on key and nonce, \(v_0\) does not multiply with any of \(v_1,v_2,\ldots ,v_{31}\) in the second round.
All the bit conditions are satisfied if and only if all the key bits are guessed correctly. Thus, zero sums over the 128-bit tag with the cube variables set as in Table 4 suggest a correct key guess. Furthermore, a similar key recovery can be performed with any offset in the z-axis.
We analyze the time and data complexity of the attack: 4 iterations in the z-axis recover 72 key bits, and the remaining 56 key bits are recovered by exhaustive search; thus the procedure consumes \(4\times 2^{24} \times 2^{32} + 2^{56}=2^{58.3}\) computations of 6-round Keccak-MAC-512, and correspondingly \(2^{58.3}\) (message, tag) pairs are needed. After the procedure above, all 128 bits of \(k_0,k_1\) are recovered. Therefore, both the time and the data complexity of the attack are \(2^{58.3}\).
6 Attacks on Round-Reduced Initialization of Ketje
On 6 March 2017, the Keccak team announced the Ketje cryptanalysis prize to encourage cryptanalysis.
6.1 Attacks on Round-Reduced Initialization of Ketje Major
Table 5. Number of cube variables in the CP-like-kernel for different nonce lengths in Ketje Major

| Nonce: bits (lanes) | Number of cube variables in CP-like-kernel |
|---|---|
| 448 (7) | 21 |
| 512 (8) | 41 |
| 576 (9) | 50 |
| 640 (10) | 59 |
| 704 (11) | 75 |
| 832 (13) | 81 |

Table 6. Parameters set for the attack on 6-round Ketje Major
To explore the resistance of the different instances against the conditional cube attack, we apply the MILP search strategy to search for the possible cube variables in instances with different nonce lengths, and list the corresponding numbers of cube variables in Table 5. As in the attacks on Keccak-MAC described in Sects. 5.1 and 5.2, 32 cube variables are needed to perform a 6-round attack, and 64 cube variables are needed to perform a 7-round attack. Thus, Table 5 tells us that when the nonce is no less than 704 bits (11 lanes), there are enough cube variables to perform a 7-round attack on Ketje Major, and a 6-round attack on Ketje Major can be performed if the nonce is no less than 512 bits (8 lanes).
As instances with more nonce bits can directly use the parameters of instances with fewer nonce bits, we list the details of the 6-round and 7-round attacks on Ketje Major with a 512-bit and a 704-bit nonce, respectively.
Attack on 6-Round Initialization of Ketje Major. According to the parameters set in Table 6, guess the 3 key bits listed and compute cube sums over the variables \(v_0,\ldots ,v_{31}\); zero cube sums suggest a right key (i.e. the 3 guessed key bits in Table 6). This consumes \(2^3\times 2^{32}=2^{35}\) computations of the 6-round initialization of Ketje Major. By the property of the permutation, it is totally symmetric in the z-axis. Thus we can obtain a corresponding parameter set for any rotation by i bits \((0\le i<64)\) in the z-axis. Therefore, 128 key bits can be recovered by 64 iterations for \(0\le i<64\), so the time complexity is \(64\times 2^3\times 2^{32}=2^{41}\).
Table 7. Parameters set for the attack on 7-round Ketje Major
6.2 Attacks on Round-Reduced Initialization of Ketje Minor
In order to solve the problem, we find a new conditional cube variable. As shown in the lower part of Fig. 7, after adding some conditions, the diffusion pattern is 6-6-6 and only 6 bits in \(S_{1.5}\) contain the conditional cube variable. Finally, we find enough ordinary cube variables with the MILP tool to launch key-recovery attacks on 5/6/7-round reduced Ketje Minor.
Table 8. Parameters set for the attack on the 5-round initialization of Ketje Minor
(1) \(v_0,v_1,\ldots ,v_{15}\) do not multiply with each other in the first round;
(2) Under some conditions on key and nonce, \(v_0\) does not multiply with any of \(v_1,v_2,\ldots ,v_{15}\) in the second round.
Under (1), each of the cube variables \(v_0,v_1,\ldots ,v_{15}\) appears only in degree-one terms in the output of 1-round Ketje Minor, i.e. the degree of any bit in \(S_1\) is at most one. The degree of one round function is 2. When we speak of the degree of some state, we mean the highest degree in the cube variables among all terms of the state. If the conditions in (2) are met, according to Corollary 1 the term \(v_0v_1\ldots v_{15}\) will not appear in \(S_5\), so the degree over the cube variables \(v_0,v_1,\ldots ,v_{15}\) is at most 15. Otherwise, the degree of \(S_5\) is 16.
Thus, under the given conditions on key and nonce, the cube sums of all bits in \(S_5\) over \(v_0,v_1,\ldots ,v_{15}\) are zero, whereas the cube sums are random if those conditions are not met. Actually, \(\rho =128\) bits of \(S_5\) are known in Ketje Minor. If the cube sum on each of the 128 bits is zero, we can determine that the corresponding conditions are satisfied.
Table 9. Ordinary cube variables and bit conditions for the attack on the 6-round initialization of Ketje Minor
Furthermore, we can perform a similar key recovery with any offset \(0,1,\ldots ,31\) in the z-axis. We analyze the time and data complexity of the attack: the procedure consumes \(32\times 2^{12} \times 2^{16}=2^{33}\) computations of the 5-round initialization of Ketje Minor, and correspondingly \(2^{33}\) (nonce, plaintext, ciphertext, tag) tuples are needed. After the procedure above, all 120 bits of \(k_0,k_1,k_2,k_3\) are recovered, and the remaining 8 bits of \(k_4\) can be determined by brute-force search. Therefore, the time complexity of the attack is \(2^{33}\) computations of the 5-round initialization of Ketje Minor, and the data complexity is \(2^{33}\) (nonce, plaintext, ciphertext, tag) tuples.
(1) \(v_0,v_1,\ldots ,v_{31}\) do not multiply with each other in the first round;
(2) Under some conditions on key and nonce, \(v_0\) does not multiply with any of \(v_1,v_2,\ldots ,v_{31}\) in the second round.
We analyze the time and data complexity of the attack: the procedure consumes \(32\times 2^{12} \times 2^{32}=2^{49}\) computations of the 6-round initialization of Ketje Minor, and correspondingly \(2^{49}\) (nonce, plaintext, ciphertext, tag) tuples are needed. After the procedure above, all 120 bits of \(k_0,k_1,k_2,k_3\) are recovered, and the remaining 8 bits of \(k_4\) can be determined by brute-force search. Therefore, both the time and the data complexity of the attack are \(2^{49}\).
(1) \(v_0,v_1,\ldots ,v_{63}\) do not multiply with each other in the first round;
(2) Under some conditions on key and nonce, \(v_0\) does not multiply with any of \(v_1,v_2,\ldots ,v_{63}\) in the second round.
While all the nonce bits are constant, all the bit conditions are satisfied if and only if all the key bits are guessed correctly. Thus, zero sums over the 128 known bits of \(S_7\) (\(S_7[0][0],S_7[1][1],S_7[2][2],S_7[3][3]\)), with the conditional cube variable set as in Table 8 and the ordinary cube variables set as in Table 10, indicate a correct key guess.
Table 10. Ordinary cube variables for the attack on the 7-round initialization of Ketje Minor
Table 11. Bit conditions for the attack on the 7-round initialization of Ketje Minor
7 Conclusion
Currently, the cryptanalysis progress of symmetric-key ciphers heavily depends on automated evaluation tools. For many reasons, the cryptanalysis of the new SHA-3 standard Keccak is very hard and limited, and more evaluation tools for Keccak are urgently needed. The MILP method introduced in this paper enriches the Keccak tools and helps the academic community study Keccak more easily.
Acknowledgments
We would like to thank the anonymous reviewers of Asiacrypt 2017 who helped us to improve this paper. This work is supported by China’s 973 Program (No. 2013CB834205), the National Key Research and Development Program of China (No. 2017YFA0303903), the National Natural Science Foundation of China (Nos. 61672019, 61402256), the Fundamental Research Funds of Shandong University (No. 2016JC029), National Cryptography Development Fund (No. MMJJ20170121), Zhejiang Province Key R&D Project (No. 2017C01062).
References
1.
2.
3. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak sponge function family. http://keccak.noekeon.org/
4. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: CAESAR submission: Ketje v2 (2016). http://competitions.cr.yp.to/round3/ketjev2.pdf
5. Bertoni, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: CAESAR submission: Keyak v2 (2016). http://competitions.cr.yp.to/round3/keyakv22.pdf
6. Bertoni, G., Daemen, J., Peeters, M., Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19
7. Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_15
8. Cui, T., Jia, K., Fu, K., Chen, S., Wang, M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. IACR Cryptology ePrint Archive 2016/689 (2016). http://eprint.iacr.org/2016/689
9. Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_24
10. Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_25
11. Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_12
12. Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_28
13. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_16
14. Dobraunig, C., Eichlseder, M., Mendel, F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 490–509. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_20
15. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Cryptanalysis of Ascon. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 371–387. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_20
16. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2. Submission to the CAESAR Competition (2016)
17. Dong, X., Li, Z., Wang, X., Qin, L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017(1), 259–280 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/594
18. Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 402–421. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_23
19. Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_9
20. Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_9
21. Jean, J., Nikolić, I.: Internal differential boomerangs: practical analysis of the round-reduced Keccak-\(f\) permutation. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 537–556. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_26
22. Li, Z., Dong, X., Wang, X.: Conditional cube attack on round-reduced ASCON. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017)
23. Mella, S., Daemen, J., Assche, G.V.: New techniques for trail bounds and application to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/597
24. Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced Keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_13
25. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5
26. Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced Keccak. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_8
27. Sasaki, Y., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_7
28. Song, L., Liao, G., Guo, J.: Non-full S-box linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_15
29. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
30. Wu, S., Wang, M.: Security evaluation against differential cryptanalysis for block cipher structures. IACR Cryptology ePrint Archive 2011/551 (2011)
31. Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_24