New MILP Modeling: Improved Conditional Cube Attacks to Keccak-based Constructions

In this paper, we propose a new MILP modeling to find better or even optimal choices of conditional cubes, under the general framework of conditional cube attacks. These choices generally find new or improved attacks against the keyed constructions based on Keccak permutation and its variants, including Keccak-MAC, KMAC, Keyak, and Ketje, in terms of attack complexities or the number of attacked rounds. Interestingly, conditional cube attacks were applied to round-reduced Keccak-MAC, but not to KMAC despite the great similarity between Keccak-MAC and KMAC, and the fact that KMAC is the NIST standard way of constructing MAC from SHA-3. As examples to demonstrate the effectiveness of our new modeling, we report key recovery attacks against KMAC128 and KMAC256 reduced to 7 and 9 rounds, respectively; the best attack against Lake Keyak with 128-bit key is improved from 6 to 8 rounds in the nonce-respected setting and 9 rounds of Lake Keyak can be attacked if the key size is of 256 bits; attack complexity improvements are found generally on other constructions. Our new model is also applied to Keccak-based full-state keyed sponge and gives a positive answer to the open question proposed by Bertoni et al. whether cube attacks can be extended to more rounds by exploiting full-state absorbing. To verify the correctness of our attacks, reduced-variants of the attacks are implemented and verified on a PC practically. It is remarked that this work does not threaten the security of any full version of the instances analyzed in this paper.

[1]  B Guido,et al.  Cryptographic sponge functions , 2011 .

[2]  Willi Meier,et al.  Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium , 2009, FSE.

[3]  Jian Guo,et al.  Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP , 2018, IACR Cryptol. ePrint Arch..

[4]  Xiaoyun Wang,et al.  Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method , 2017, ASIACRYPT.

[5]  Guido Bertoni,et al.  Duplexing the sponge: single-pass authenticated encryption and other applications , 2011, IACR Cryptol. ePrint Arch..

[6]  Guido Bertoni,et al.  Farfalle: parallel permutation-based cryptography , 2017, IACR Trans. Symmetric Cryptol..

[7]  Adi Shamir,et al.  Cube Attacks on Tweakable Black Box Polynomials , 2009, IACR Cryptol. ePrint Arch..

[8]  Ling Qin,et al.  Cube-like Attack on Round-Reduced Initialization of Ketje Sr , 2017, IACR Trans. Symmetric Cryptol..

[9]  María Naya-Plasencia,et al.  State-Recovery Attacks on Modified Ketje Jr , 2018, IACR Trans. Symmetric Cryptol..

[10]  Meicheng Liu,et al.  New Collision Attacks on Round-Reduced Keccak , 2017, EUROCRYPT.

[11]  Jian Guo,et al.  Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak , 2016, ASIACRYPT.

[12]  Marian Srebrny,et al.  Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function , 2015, EUROCRYPT.

[13]  Xiaoyun Wang,et al.  MILP-aided cube-attack-like cryptanalysis on Keccak Keyed modes , 2018, IACR Cryptol. ePrint Arch..

[14]  Bart Mennink,et al.  Full-State Keyed Duplex with Built-In Multi-user Support , 2017, ASIACRYPT.

[15]  Meiqin Wang,et al.  Conditional Cube Attack on Reduced-Round Keccak Sponge Function , 2017, EUROCRYPT.

[16]  Adi Shamir,et al.  Improved Practical Attacks on Round-Reduced Keccak , 2012, Journal of Cryptology.

[17]  Jérémy Jean,et al.  Key-Recovery Attacks on Full Kravatte , 2018, IACR Trans. Symmetric Cryptol..

[18]  Lei Hu,et al.  Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers , 2014, ASIACRYPT.

[19]  Bart Mennink,et al.  Security of Full-State Keyed Sponge and Duplex: Applications to Authenticated Encryption , 2015, ASIACRYPT.

[20]  Joan Daemen,et al.  Differential Propagation Analysis of Keccak , 2012, FSE.

[21]  Yu Sasaki,et al.  New Algorithm for Modeling S-box in MILP Based Differential and Division Trail Search , 2017, SECITC.

[22]  Jian Guo,et al.  Non-full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak , 2017, CRYPTO.