Differential Analysis of the Ternary Hash Function Troika

Abstract

Troika is a sponge-based hash function designed by Kölbl, Tischhauser, Bogdanov and Derbez in 2019. Its specificity is that it is defined over \(\mathbb {F}_3\) in order to be used inside IOTA’s distributed ledger but could also serve in all settings requiring the generation of ternary randomness. To be used in practice, Troika needs to be proven secure against state-of-the-art cryptanalysis. However, there are today almost no analysis tools for ternary designs. In this article we take a step in this direction by analyzing the propagation of differential trails of Troika and by providing bounds on the weight of its trails. For this, we adapt a well-known framework for trail search designed for Keccak and provide new advanced techniques to handle the search on \(\mathbb {F}_3\). Our work demonstrates that providing analysis tools for non-binary designs is a highly non-trivial research direction that needs to be enhanced in order to better understand the real security offered by such non-conventional primitives.

A Appendix

We recall here the algorithm used in [6] to give a lower bound on the costs of a unit-list and its descendants. To index the coordinates of an element of \(\mathbb {F}_2^n \times \mathbb {F}_2^n\), we distinguish between the set of coordinates of the first component, denoted by \(C_a\), and the set of coordinates of the second component, denoted by \(C_b\). Let L be a unit-list and \((a_L, b_L) {:}{=}\sum _{u \in L} u\). We denote by \(A_L = S_L \cup U_L\) the set of active coordinates of \((a_L, b_L)\), where \(S_L\) is the set of stable coordinates of L and \(U_L\) is the set of unstable coordinates of L.

Algorithm 1:

Bound on the costs of the descendants of a unit-list