In this paper, we bring out a new MILP model to solve the above problem. We show how to model the CP-like-kernel and model the way that the ordinary cube variables do not multiply together in the 1st round as well as do not multiply with the conditional cube variable in the 2nd round. Based on these modeling strategies, a series of linear inequalities are given to restrict the way to add an ordinary cube variable. Then, by choosing the objective function of the maximal number of ordinary cube variables, we convert Huang et al.'s greedy algorithm into an MILP problem and the maximal ordinary cube variables are found.
Using this new MILP tool, we improve Huang et al.'s key-recovery attacks on reduced-round Keccak-MAC-384 and Keccak-MAC-512 by 1 round, get the first 7-round and 6-round key-recovery attacks, respectively. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round key-recovery attack could be achieved. In addition, for Ketje Minor, we use conditional cube variable with 6-6-6 pattern to launch 7-round key-recovery attack.
Category / Keywords: secret-key cryptography / MILP, Conditional Cube Attack, Keccak Keyed Mode, Key Recovery Original Publication (in the same form): IACR-ASIACRYPT-2017 Date: received 25 Aug 2017, last revised 28 Aug 2017 Contact author: xiaoyangdong at tsinghua edu cn Available format(s): PDF | BibTeX Citation Version: 20170829:014740 (All versions of this report) Short URL: ia.cr/2017/804