Conditional Cube Attack on Reduced-Round Keccak Sponge Function

The security analysis of Keccak, the winner of the SHA-3 competition, has attracted considerable interest. Recently, some attention has been paid to the analysis of the keyed modes of the Keccak sponge function. As a notable example, the most efficient key recovery attacks on Keccak-MAC and Keyak were reported at EUROCRYPT'15, where cube attacks and cube-attack-like cryptanalysis were applied. In this paper, we develop a new type of cube distinguisher, the conditional cube tester, for the Keccak sponge function. By imposing some bit conditions on certain cube variables, we are able to construct cube testers of smaller dimension. Our conditional cube testers are used to analyse Keccak in keyed modes. For reduced-round Keccak-MAC and Keyak, our attacks greatly improve the best known key recovery attacks in terms of the number of rounds or the complexity. Moreover, our new model can also be applied in the keyless setting to distinguish the Keccak sponge function from a random permutation. We provide a search algorithm that produces the most efficient conditional cube tester by modelling the search as an MILP (mixed integer linear programming) problem. As a result, we significantly improve the previous distinguishing attacks on the Keccak sponge function. Most of our attacks have been implemented and verified on desktop computers. Finally, we remark that our attacks on reduced-round Keccak do not threaten the security margin of the Keccak sponge function.
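As an added example (not code from the paper), the cube-tester principle the abstract builds on, run against round-reduced Keccak-f[1600] in Python: the generic tester, whose dimension 2^r + 1 follows from chi having degree 2, next to a conditioned tester whose variables are placed in the column-parity kernel so that no two of them are multiplied in the first round, which lowers the guaranteed dimension to 2^(r-1) + 1. The paper's own bit conditions on individual cube variables and its MILP search are not reproduced here; the lane layout a[x][y], the constructed base state and the chosen cube positions are assumptions of this example.

```python
from itertools import product
# Round constants and rho offsets of Keccak-f[1600] (values from the Keccak reference).
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
RHO = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
MASK = (1 << 64) - 1
rot = lambda v, n: ((v << n) | (v >> (64 - n))) & MASK if n else v  # 64-bit rotate left
def keccak_f(lanes, rounds):
    """Apply `rounds` rounds of Keccak-f[1600] to a 5x5 lane array a[x][y]."""
    a = [row[:] for row in lanes]
    for r in range(rounds):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rot(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]          # theta
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rot(a[x][y], RHO[x][y])       # rho, pi
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]                        # chi: degree 2
        a[0][0] ^= RC[r]                                                   # iota
    return a
def cube_sum(base, cube, rounds):
    """XOR of keccak_f outputs over all 2^d assignments of the d cube variables; each
    variable is a list of (x, y, z) bit positions that all take the variable's value."""
    acc = [[0] * 5 for _ in range(5)]
    for vals in product((0, 1), repeat=len(cube)):
        st = [row[:] for row in base]
        for positions, v in zip(cube, vals):
            for x, y, z in positions:
                st[x][y] = (st[x][y] & ~(1 << z)) | (v << z)
        out = keccak_f(st, rounds)
        acc = [[acc[x][y] ^ out[x][y] for y in range(5)] for x in range(5)]
    return acc
def is_zero_sum(rounds, cube):
    """True iff the cube sum vanishes in all 1600 output bits (constructed fixed base state)."""
    base = [[(0x9E3779B97F4A7C15 * (5 * x + y + 1)) & MASK for y in range(5)] for x in range(5)]
    return all(v == 0 for row in cube_sum(base, cube, rounds) for v in row)
# Generic tester: chi has degree 2, so r rounds have degree <= 2^r in the cube variables and
# the degree bound alone guarantees a zero-sum only at dimension 2^r + 1 (9 for 3 rounds).
GENERIC_CUBE = [[(0, 0, z)] for z in range(9)]
# Conditioned tester: each variable sits in two lanes of one column (column-parity kernel),
# so theta does not spread it and no two variables meet in the round-1 chi; the state is
# still linear after round 1, degree <= 2^(r-1), and dimension 5 suffices for 3 rounds.
KERNEL_CUBE = [[(0, 0, z), (0, 1, z)] for z in range(5)]
```

A random permutation would give a non-zero sum in some of the 1600 bits with overwhelming probability, which is what makes the zero-sum a distinguisher; the conditioned cube reaches the same 3-round result with 2^5 instead of 2^9 evaluations.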
