**Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method**

*Zheng Li and Wenquan Bi and Xiaoyang Dong and Xiaoyun Wang*

**Abstract: **Conditional cube attack is an efficient key-recovery attack on Keccak keyed modes proposed by Huang et al. at EUROCRYPT 2017. By assigning bit conditions, the diffusion of a conditional cube variable is reduced. Then, using a greedy algorithm (Algorithm 4 in Huang et al.'s paper), Huang et al. find some ordinary cube variables, that do not multiply together in the 1st round and
do not multiply with the conditional cube variable in the 2nd round. Then the key-recovery attack is launched. The key part of conditional cube attack is to find enough ordinary cube variables. Note that, the greedy algorithm given by Huang et al. adds ordinary cube variable without considering its bad effect, i.e. the new ordinary cube variable may result in that many other variables could not be selected as ordinary cube variable (they multiply with the new ordinary cube variable in the first round).

In this paper, we bring out a new MILP model to solve the above problem. We show how to model the CP-like-kernel and model the way that the ordinary cube variables do not multiply together in the 1st round as well as do not multiply with the conditional cube variable in the 2nd round. Based on these modeling strategies, a series of linear inequalities are given to restrict the way to add an ordinary cube variable. Then, by choosing the objective function of the maximal number of ordinary cube variables, we convert Huang et al.'s greedy algorithm into an MILP problem and the maximal ordinary cube variables are found.

Using this new MILP tool, we improve Huang et al.'s key-recovery attacks on reduced-round Keccak-MAC-384 and Keccak-MAC-512 by 1 round, get the first 7-round and 6-round key-recovery attacks, respectively. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round key-recovery attack could be achieved. In addition, for Ketje Minor, we use conditional cube variable with 6-6-6 pattern to launch 7-round key-recovery attack.

**Category / Keywords: **secret-key cryptography / MILP, Conditional Cube Attack, Keccak Keyed Mode, Key Recovery

**Original Publication**** (in the same form): **IACR-ASIACRYPT-2017

**Date: **received 25 Aug 2017, last revised 28 Aug 2017

**Contact author: **xiaoyangdong at tsinghua edu cn

**Available format(s): **PDF | BibTeX Citation

**Version: **20170829:014740 (All versions of this report)

**Short URL: **ia.cr/2017/804

[ Cryptology ePrint archive ]