Paper 2017/159

Cube-like Attack on Round-Reduced Initialization of Ketje Sr

Xiaoyang Dong, Zheng Li, Xiaoyun Wang, and Ling Qin


This paper studies the Keccak-based authenticated encryption (AE) scheme Ketje Sr against cube-like attacks. Ketje is one of the remaining 16 candidates of third round CAESAR competition, whose primary recommendation is Ketje Sr. Although the cube-like method has been successfully applied to Ketje's sister ciphers, including Keccak-MAC and Keyak -- another Keccak-based AE scheme, similar attacks are missing for Ketje. For Ketje Sr, the state (400-bit) is much smaller than Keccak-MAC and Keyak (1600-bit), thus the 128-bit key and cubes with the same dimension would occupy more lanes in Ketje Sr. Hence, the number of key bits independent of the cube sum is very small, which makes the divide-and-conquer method (it has been applied to 7-round attack on Keccak-MAC by Dinur et al.)~can not be translated to Ketje Sr trivially. This property seems to be the barrier for the translation of the previous cube-like attacks to Ketje Sr. In this paper, we evaluate Ketje Sr against the divide-and-conquer method. Firstly, by applying the linear structure technique, we find some 32/64-dimension cubes of Ketje Sr that do not multiply with each other as well as some bits of the key in the first round. In addition, we introduce the new dynamic variable instead of the auxiliary variable (it was used in Dinur et al.'s divide-and-conquer attack to reduce the diffusion of the key) to reduce the diffusion of the key as well as the cube variables. Finally, we successfully launch a 6/7-round key recovery attack on Ketje Sr v1 and v2 (v2 is presented for the 3rd round CAESAR competition.). In 7-round attack, the complexity of online phase for Ketje Sr v1 is $2^{113}$, while for Ketje Sr v2, it is $2^{97}$ (the preprocessing complexity is the same). We claim 7-round reduced Ketje Sr v2 is weaker than v1 against our attacks. In addition, some results on other Ketje instances and Ketje Sr with smaller nonce are given. Those are the first results on Ketje and bridge the gaps of cryptanalysis between its sister ciphers -- Keyak and the Keccak keyed modes.

Available format(s)
Publication info
A minor revision of an IACR publication in FSE 2017
secret-key cryptography
Contact author(s)
dongxiaoyang @ mail sdu edu cn
2017-02-23: received
Short URL
Creative Commons Attribution


      author = {Xiaoyang Dong and Zheng Li and Xiaoyun Wang and Ling Qin},
      title = {Cube-like Attack on Round-Reduced Initialization of Ketje Sr},
      howpublished = {Cryptology ePrint Archive, Paper 2017/159},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.