Paper 2017/1030

New MILP Modeling: Improved Conditional Cube Attacks to Keccak-based Constructions

Ling Song and Jian Guo and Danping Shi

Abstract

In this paper, we provide a new MILP modeling to find better/optimal choices of conditional cubes. These choices generally find new or improved attacks against the keyed constructions based on Keccak permutations, including Keccak-MAC, KMAC, Kravatte, KEYAK, and KETJE, in terms of attack complexities or the number of attacked rounds. Specifically, we find new key recovery attacks against KMAC128 and KMAC256, which are NIST standard way of constructing MAC from SHA-3, reduced to $7$ and $9$ rounds respectively. For Kravatte, up to 10 out of 14 rounds can be attacked similarly. The best attack against Lake KEYAK with 128-bit keys is improved from $6$ to $8$ rounds in the nonce respected setting and 9 rounds of Lake KEYAK can be attacked if the key size is 256. Attack complexity improvements are found generally on other constructions. To verify the correctness of our attacks, reduced-variants of the attacks against KMAC are implemented and tested on a PC practically.