Top

Designs, Codes and Cryptography

Published in:

23-08-2018

MILP-aided cube-attack-like cryptanalysis on Keccak Keyed modes

Authors: Wenquan Bi, Xiaoyang Dong, Zheng Li, Rui Zong, Xiaoyun Wang

Published in: Designs, Codes and Cryptography | Issue 6/2019

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Cube-attack-like cryptanalysis was proposed by Dinur et al. at EUROCRYPT 2015, which recovers the key of Keccak keyed modes in a divide-and-conquer manner. In their attack, one selects cube variables manually, which leads to more key bits involved in the key-recovery attack, so the complexity is too high unnecessarily. In this paper, we introduce a new MILP model and make the cube attacks better on the Keccak keyed modes. Using this new MILP tool, we find the optimal cube variables for Keccak-MAC, Keyak and Ketje, which makes that a minimum number of key bits are involved in the key-recovery attack. For example, when the capacity is 256, we find a new 32-dimension cube for Keccak-MAC that involves only 18 key bits instead of Dinur et al.’s 64 bits and the complexity of the 6-round attack is reduced to \(2^{42}\) from \(2^{66}\). More impressively, using this new tool, we give the very first 7-round key-recovery attack on Keccak-MAC-512. We get the 8-round key-recovery attacks on Lake Keyak in nonce-respected setting. In addition, we get the best attacks on Ketje Major/Minor. For Ketje Major, when the length of nonce is 9 lanes, we could improve the best previous 6-round attack to 7-round. Our attacks do not threaten the full-round (12) Keyak/Ketje or the full-round (24) Keccak-MAC. When comparing with Huang et al.’s conditional cube attack, the MILP-aided cube-attack-like cryptanalysis has larger effective range and gets the best results on the Keccak keyed variants with relatively smaller number of degrees of freedom.

previous article The extension theorem for Lee and Euclidean weight codes over integer residue rings

next article Beyond-birthday secure domain-preserving PRFs from a single permutation

Available only for authorised users

In Keccak-MAC, the capacity is larger, the number of degrees of freedom is smaller; in Keyak and Ketje, the nonce or size of state is smaller, the number of degrees of freedom is smaller.

https://github.com/biwenquan/MILP-aided-Cube-attack-like-cryptanalysis/.

Berton G., Daemen J., Peeters M., Assche G.V., Keer R.V.: CAESAR submission: Ketje v2 (2016). http://competitions.cr.yp.to/round3/ketjev2.pdf. Accessed 01 Aug 2018.

Berton G., Daemen J., Peeters M., Assche G.V., Keer R.V.: CAESAR submission: Keyak v2 (2016). http://competitions.cr.yp.to/round3/keyakv22.pdf.

Berton G., Daemen J., Peeters M., Assche G.V.: The Keccak sponge function family. http://keccak.noekeon.org/.

Bertoni G., Daemen J., Peeters M., Assche G.V.: Duplexing the sponge: singlepass authenticated encryption and other applications. In: SAC 2011, pp. 320–337 (2011).

Bi W., Li Z., Dong X., Li L., Wang X.: Conditional cube attack on roundreduced river keyak. Des. Codes Cryptogr. 86, 1295–1310 (2017).CrossRefMATH

Cui T., Jia K., Fu K., Chen S., Wang M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. In: IACR Cryptology ePrint Archive, 2016/689 (2016).

Daemen J., Van Assche G.: Differential propagation analysis of Keccak. In: FSE 2012, vol. 7549, pp. 422–441. Springer, New York (2012).

Dinur I., Shamir A.: Cube attacks on tweakable black box polynomials. In: EUROCRYPT 2009, pp. 278–299 (2009).

Dinur I., Dunkelman O., Shamir A.: New attacks on Keccak-224 and Keccak-256. In: FSE 2012. pp. 442–461. Springer, New York (2012).

10.

Dinur I., Dunkelman O., Shamir A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: FSE 2013. pp. 219–240. Springer, New York (2013).

11.

Dinur I., Morawiecki P., Pieprzyk J., Srebrny M., Straus M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: EUROCRYPT 2015, pp. 733–761 (2015).

12.

Dobraunig C., Eichlseder M., Mendel F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: ASIACRYPT 2015, pp. 490–509 (2015).

13.

Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Cryptanalysis of Ascon. In: CT-RSA 2015, pp. 371–387 (2015).

14.

Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon v1. 2. Submission to the CAESAR Competition (2016).

15.

Dong X., Li Z., Wang X., Qin L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017, 259–280 (2017).

16.

Duc A., Guo J., Peyrin T., Wei L.: Unaligned rebound attack: application to Keccak. In: FSE 2012. pp. 402–421. Springer, New York (2012).

17.

Guo J., Liu M., Song L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: ASIACRYPT 2016, Part I. pp. 249–274. Springer, New York (2016).

18.

http://www.gurobi.com/.

19.

Huang S., Wang X., Xu G., Wang M., Zhao J.: Conditional cube attack on reduced-round Keccak sponge function. In: EUROCRYPT 2017, pp. 259–288 (2017).

20.

Li Z., Bi W., Dong X., Wang X.: Improved conditional cube attacks on Keccak keyed modes with milp method. Cryptology ePrint Archive, Report 2017/804 (2017). http://eprint.iacr.org/2017/804.

21.

Li Z., Dong X., Wang X.: Conditional cube attack on round-reduced ASCON. IACR Trans. Symmetric Cryptol. 2017(1), 175–202 (2017).

22.

Mella S., Daemen J., Assche G.V.: New techniques for trail bounds and application to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/597.

23.

Morawiecki P., Pieprzyk J., Srebrny M.: Rotational cryptanalysis of roundreduced Keccak. In: FSE2013. pp. 241–262. Springer, New York (2013).

24.

Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Inscrypt 2011. pp. 57–76. Springer, New York (2011).

25.

Qiao K., Song L., Liu M., Guo J.: New collision attacks on round-reduced Keccak. In: EUROCRYPT 2017. pp. 216–243. Springer, New York (2017).

26.

Sasaki Y., Todo Y.: New impossible differential search tool from design and cryptanalysis aspects—revealing structural properties of several ciphers. In: EUROCRYPT 2017, Part III. pp. 185–215 (2017).

27.

Song L., Liao G., Guo J.: Non-full sbox linearization: applications to collision attacks on round-reduced Keccak. In: CRYPTO 2017. pp. 428–451. Springer, New York (2017).

28.

Song L., Guo J., Shi D.: New milp modeling: improved conditional cube attacks to Keccak-based constructions. Cryptology ePrint Archive, Report 2017/1030 (2017). https://eprint.iacr.org/2017/1030.pdf.

29.

Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: ASIACRYPT 2014. pp. 158–178. Springer, New York (2014).

30.

Wang X., Yu H.: How to break MD5 and other hash functions. In: EUROCRYPT 2005. pp. 19–35. Springer, New York (2005).

31.

Wang X., Yin Y.L., Yu H.: Finding Collisions in the Full SHA-1. In: CRYPTO 2005. pp. 17–36. Springer, New York (2005).

32.

Xiang Z., Zhang W., Bao Z., Lin D.: Applying milp method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: ASIACRYPT 2016, Part I. pp. 648–678. Springer, New York (2016).

33.

Ye C., Tian T.: New insights into divide-and-conquer attacks on the round-reduced Keccak-mac. Cryptology ePrint Archive, Report 2018/059 (2018). https://eprint.iacr.org/2018/059.pdf.

34.

Zong R., Dong X., Wang X.: Related-tweakey impossible differential attack on reduced-round Deoxys-BC-25 cryptology ePrint Archive, Report 2018/680 (2018). https://eprint.iacr.org/2018/680.

35.

Zong R., Dong X., Wang X.: MILP-paided related-tweak/key impossible differential attack and its applications to QARMA, Joltik-BC. Cryptology ePrint Archive, Report 2018/142 (2018). https://eprint.iacr.org/2018/142.

Title: MILP-aided cube-attack-like cryptanalysis on Keccak Keyed modes
Authors: Wenquan Bi
Xiaoyang Dong
Zheng Li
Rui Zong
Xiaoyun Wang
Publication date: 23-08-2018
Publisher: Springer US
Published in: Designs, Codes and Cryptography / Issue 6/2019
Print ISSN: 0925-1022
Electronic ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-018-0526-x

Springer Professional

MILP-aided cube-attack-like cryptanalysis on Keccak Keyed modes

Abstract

Premium Partner

Springer Professional

Abstract

Please log in to get access to your license.

Other articles of this Issue 6/2019

Local bounds for the optimal information ratio of secret sharing schemes

Minimum weight codewords in dual algebraic-geometric codes from the Giulietti-Korchmáros curve

Existence of frame-derived H-designs

Simulation-based selective opening security for receivers under chosen-ciphertext attacks

Correction to: Miklós–Manickam–Singhi conjectures on partial geometries

Primitive idempotent tables of cyclic and constacyclic codes

Premium Partner