
MILP-aided cube-attack-like cryptanalysis on Keccak Keyed modes

Designs, Codes and Cryptography

Abstract

Cube-attack-like cryptanalysis was proposed by Dinur et al. at EUROCRYPT 2015; it recovers the key of Keccak keyed modes in a divide-and-conquer manner. In their attack the cube variables are selected manually, which involves more key bits than necessary in the key-recovery phase and so inflates the complexity. In this paper we introduce a new MILP model and use it to improve cube-attack-like cryptanalysis of the Keccak keyed modes. With this MILP tool we find optimal cube variables for Keccak-MAC, Keyak and Ketje, so that the minimum number of key bits is involved in the key-recovery attack. For example, when the capacity is 256 we find a new 32-dimension cube for Keccak-MAC that involves only 18 key bits instead of the 64 bits of Dinur et al., and the complexity of the 6-round attack drops from \(2^{66}\) to \(2^{42}\). More impressively, with this tool we give the first 7-round key-recovery attack on Keccak-MAC-512. We obtain 8-round key-recovery attacks on Lake Keyak in the nonce-respecting setting. In addition, we obtain the best attacks on Ketje Major/Minor: for Ketje Major with a 9-lane nonce we improve the best previous 6-round attack to 7 rounds. Our attacks do not threaten full-round (12) Keyak/Ketje or full-round (24) Keccak-MAC. Compared with the conditional cube attack of Huang et al., MILP-aided cube-attack-like cryptanalysis applies to a wider range of variants and gives the best results on the Keccak keyed variants with a relatively small number of degrees of freedom.
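The following is an added example, not code from the paper or from the authors' repository. It illustrates the divide-and-conquer principle the abstract refers to on a constructed toy keyed Boolean function standing in for round-reduced Keccak: XOR-summing the output over a cube of public variables leaves a superpoly in only a few key bits, and only those bits have to be guessed, so the work is \(2^{\text{involved bits}}\) rather than \(2^{\text{all key bits}}\), which is why reducing the involved bits from 64 to 18 matters. The toy function, the cubes and the key are assumptions made up here; the step the paper performs with an MILP model (determining which key bits a cube involves) is replaced by an exhaustive flip test that is only feasible at this toy size.

```python
"""
Added example (not the paper's code): cube-attack-like key recovery in the
divide-and-conquer style of Dinur et al., run on a constructed keyed Boolean
function instead of Keccak. Function, cubes and key are all assumptions.
"""
from itertools import product

N_KEY = 8   # key bits k0..k7 (constructed toy size)
N_PUB = 4   # public (message/nonce) bits v0..v3


def bit(x, i):
    return (x >> i) & 1


def toy_keyed_function(key, pub):
    """Constructed low-degree polynomial over GF(2) standing in for one
    output bit of a round-reduced keyed permutation. The terms are chosen
    so that the cube {v0, v1} sums to a non-linear superpoly in a few key
    bits, as in cube-attack-like cryptanalysis (the superpoly need not be
    linear, unlike in the original cube attack)."""
    k = [bit(key, i) for i in range(N_KEY)]
    v = [bit(pub, i) for i in range(N_PUB)]
    return (
        (v[0] & v[1] & ((k[0] & k[3]) ^ k[5]))
        ^ (v[0] & v[1] & v[2] & k[1])
        ^ (v[2] & k[1] & k[2])
        ^ (v[3] & k[6] & k[7])
        ^ (v[0] & k[7])
        ^ (v[1] & k[4])
        ^ k[2]
    )


def cube_sum(f, key, cube, fixed_pub):
    """XOR f over all 2^|cube| assignments of the cube variables; the
    remaining public bits keep the values given in fixed_pub."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        pub = fixed_pub
        for i, b in zip(cube, bits):
            pub = (pub & ~(1 << i)) | (b << i)
        acc ^= f(key, pub)
    return acc


def involved_key_bits(f, cube, fixed_pub):
    """Key bits the cube sum (superpoly) actually depends on. Here this is
    tested exhaustively: bit i is involved iff flipping it changes the cube
    sum for at least one key. The paper determines this for Keccak with an
    MILP model; the exhaustive test only works because the toy is tiny."""
    involved = set()
    for key in range(1 << N_KEY):
        base = cube_sum(f, key, cube, fixed_pub)
        for i in range(N_KEY):
            if cube_sum(f, key ^ (1 << i), cube, fixed_pub) != base:
                involved.add(i)
    return sorted(involved)


def recover_key_bits(f, cubes, true_key):
    """Divide-and-conquer recovery: query the keyed oracle (f under the
    unknown true_key) for each cube's online sum, then guess only the
    involved key bits offline and keep the guesses that reproduce every
    observed sum. Returns (involved_bits, surviving_guesses), where each
    guess is a tuple of values for involved_bits in order."""
    involved = sorted({i for cube, fp in cubes
                       for i in involved_key_bits(f, cube, fp)})
    observed = [cube_sum(f, true_key, cube, fp) for cube, fp in cubes]
    survivors = []
    for guess in product((0, 1), repeat=len(involved)):
        # Non-involved key bits cannot change the sums, so leave them at 0.
        cand = 0
        for i, b in zip(involved, guess):
            cand |= b << i
        if all(cube_sum(f, cand, cube, fp) == obs
               for (cube, fp), obs in zip(cubes, observed)):
            survivors.append(guess)
    return involved, survivors


if __name__ == "__main__":
    # Constructed secret key and two cubes over {v0, v1}; the second sets
    # v2 = 1, which pulls one more key bit into the superpoly.
    secret = 0b10110011
    cubes = [([0, 1], 0b0000), ([0, 1], 0b0100)]
    inv, surv = recover_key_bits(toy_keyed_function, cubes, secret)
    print("involved key bits:", inv, "-> guess space 2^%d instead of 2^%d"
          % (len(inv), N_KEY))
    print("surviving guesses for", inv, ":", surv)
```

Each cube sum yields one bit of information about the involved key bits, so in practice several cubes (or cubes over several output bits) are combined until the surviving guesses are unique; the offline table of sums for all guesses is what the \(2^{\text{involved bits}}\) term in the complexity counts.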


Notes

  1. In Keccak-MAC, the larger the capacity, the fewer degrees of freedom there are; in Keyak and Ketje, the smaller the nonce or the state, the fewer degrees of freedom there are.

  2. https://github.com/biwenquan/MILP-aided-Cube-attack-like-cryptanalysis/.

  3. https://github.com/biwenquan/MILP-aided-Cube-attack-like-cryptanalysis/.

References

  1. Bertoni G., Daemen J., Peeters M., Assche G.V., Keer R.V.: CAESAR submission: Ketje v2 (2016). http://competitions.cr.yp.to/round3/ketjev2.pdf. Accessed 01 Aug 2018.

  2. Bertoni G., Daemen J., Peeters M., Assche G.V., Keer R.V.: CAESAR submission: Keyak v2 (2016). http://competitions.cr.yp.to/round3/keyakv22.pdf.

  3. Bertoni G., Daemen J., Peeters M., Assche G.V.: The Keccak sponge function family. http://keccak.noekeon.org/.

  4. Bertoni G., Daemen J., Peeters M., Assche G.V.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: SAC 2011, pp. 320–337 (2011).

  5. Bi W., Li Z., Dong X., Li L., Wang X.: Conditional cube attack on round-reduced River Keyak. Des. Codes Cryptogr. 86, 1295–1310 (2017).

  6. Cui T., Jia K., Fu K., Chen S., Wang M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. IACR Cryptology ePrint Archive, Report 2016/689 (2016).

  7. Daemen J., Van Assche G.: Differential propagation analysis of Keccak. In: FSE 2012, vol. 7549, pp. 422–441. Springer, New York (2012).

  8. Dinur I., Shamir A.: Cube attacks on tweakable black box polynomials. In: EUROCRYPT 2009, pp. 278–299 (2009).

  9. Dinur I., Dunkelman O., Shamir A.: New attacks on Keccak-224 and Keccak-256. In: FSE 2012, pp. 442–461. Springer, New York (2012).

  10. Dinur I., Dunkelman O., Shamir A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: FSE 2013, pp. 219–240. Springer, New York (2013).

  11. Dinur I., Morawiecki P., Pieprzyk J., Srebrny M., Straus M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: EUROCRYPT 2015, pp. 733–761 (2015).

  12. Dobraunig C., Eichlseder M., Mendel F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: ASIACRYPT 2015, pp. 490–509 (2015).

  13. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Cryptanalysis of Ascon. In: CT-RSA 2015, pp. 371–387 (2015).

  14. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1.2. Submission to the CAESAR Competition (2016).

  15. Dong X., Li Z., Wang X., Qin L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017, 259–280 (2017).

  16. Duc A., Guo J., Peyrin T., Wei L.: Unaligned rebound attack: application to Keccak. In: FSE 2012, pp. 402–421. Springer, New York (2012).

  17. Guo J., Liu M., Song L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: ASIACRYPT 2016, Part I, pp. 249–274. Springer, New York (2016).

  18. Gurobi Optimization: Gurobi Optimizer. http://www.gurobi.com/.

  19. Huang S., Wang X., Xu G., Wang M., Zhao J.: Conditional cube attack on reduced-round Keccak sponge function. In: EUROCRYPT 2017, pp. 259–288 (2017).

  20. Li Z., Bi W., Dong X., Wang X.: Improved conditional cube attacks on Keccak keyed modes with MILP method. Cryptology ePrint Archive, Report 2017/804 (2017). http://eprint.iacr.org/2017/804.

  21. Li Z., Dong X., Wang X.: Conditional cube attack on round-reduced ASCON. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017).

  22. Mella S., Daemen J., Assche G.V.: New techniques for trail bounds and application to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/597.

  23. Morawiecki P., Pieprzyk J., Srebrny M.: Rotational cryptanalysis of round-reduced Keccak. In: FSE 2013, pp. 241–262. Springer, New York (2013).

  24. Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Inscrypt 2011, pp. 57–76. Springer, New York (2011).

  25. Qiao K., Song L., Liu M., Guo J.: New collision attacks on round-reduced Keccak. In: EUROCRYPT 2017, pp. 216–243. Springer, New York (2017).

  26. Sasaki Y., Todo Y.: New impossible differential search tool from design and cryptanalysis aspects: revealing structural properties of several ciphers. In: EUROCRYPT 2017, Part III, pp. 185–215 (2017).

  27. Song L., Liao G., Guo J.: Non-full Sbox linearization: applications to collision attacks on round-reduced Keccak. In: CRYPTO 2017, pp. 428–451. Springer, New York (2017).

  28. Song L., Guo J., Shi D.: New MILP modeling: improved conditional cube attacks to Keccak-based constructions. Cryptology ePrint Archive, Report 2017/1030 (2017). https://eprint.iacr.org/2017/1030.pdf.

  29. Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: ASIACRYPT 2014, pp. 158–178. Springer, New York (2014).

  30. Wang X., Yu H.: How to break MD5 and other hash functions. In: EUROCRYPT 2005, pp. 19–35. Springer, New York (2005).

  31. Wang X., Yin Y.L., Yu H.: Finding collisions in the full SHA-1. In: CRYPTO 2005, pp. 17–36. Springer, New York (2005).

  32. Xiang Z., Zhang W., Bao Z., Lin D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: ASIACRYPT 2016, Part I, pp. 648–678. Springer, New York (2016).

  33. Ye C., Tian T.: New insights into divide-and-conquer attacks on the round-reduced Keccak-MAC. Cryptology ePrint Archive, Report 2018/059 (2018). https://eprint.iacr.org/2018/059.pdf.

  34. Zong R., Dong X., Wang X.: Related-tweakey impossible differential attack on reduced-round Deoxys-BC-25. Cryptology ePrint Archive, Report 2018/680 (2018). https://eprint.iacr.org/2018/680.

  35. Zong R., Dong X., Wang X.: MILP-aided related-tweak/key impossible differential attack and its applications to QARMA, Joltik-BC. Cryptology ePrint Archive, Report 2018/142 (2018). https://eprint.iacr.org/2018/142.


Acknowledgements

This work is supported by National Key Research and Development Program of China (No. 2017YFA0303903), National Cryptography Development Fund (Nos. MMJJ20180101, MMJJ20170121), National Natural Science Foundation of China (No. 61672019).

Author information


Correspondence to Xiaoyang Dong or Xiaoyun Wang.

Additional information

Communicated by L. R. Knudsen.


Appendix: Parameters set for attack


See Tables 6 to 13.

Table 6 Parameters set for attack on 6-round Keccak-MAC-128
Table 7 Parameters set for attack on 7-round Keccak-MAC-128
Table 8 Parameters set for attack on 6-round Keccak-MAC-512
Table 9 Parameters set for attack on 7-round Keccak-MAC-512
Table 10 Parameters set for attack on 7-round Lake Keyak
Table 11 Parameters set for attack on 8-round Lake Keyak
Table 12 Parameters set for attack on 7-round Ketje Minor
Table 13 Parameters set for attack on 7-round Ketje Major

About this article

Cite this article

Bi, W., Dong, X., Li, Z. et al. MILP-aided cube-attack-like cryptanalysis on Keccak Keyed modes. Des. Codes Cryptogr. 87, 1271–1296 (2019). https://doi.org/10.1007/s10623-018-0526-x


  • DOI: https://doi.org/10.1007/s10623-018-0526-x
