Paper 2017/804

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

Zheng Li, Wenquan Bi, Xiaoyang Dong, and Xiaoyun Wang


Conditional cube attack is an efficient key-recovery attack on Keccak keyed modes proposed by Huang et al. at EUROCRYPT 2017. By assigning bit conditions, the diffusion of a conditional cube variable is reduced. Then, using a greedy algorithm (Algorithm 4 in Huang et al.'s paper), Huang et al. find some ordinary cube variables, that do not multiply together in the 1st round and do not multiply with the conditional cube variable in the 2nd round. Then the key-recovery attack is launched. The key part of conditional cube attack is to find enough ordinary cube variables. Note that, the greedy algorithm given by Huang et al. adds ordinary cube variable without considering its bad effect, i.e. the new ordinary cube variable may result in that many other variables could not be selected as ordinary cube variable (they multiply with the new ordinary cube variable in the first round). In this paper, we bring out a new MILP model to solve the above problem. We show how to model the CP-like-kernel and model the way that the ordinary cube variables do not multiply together in the 1st round as well as do not multiply with the conditional cube variable in the 2nd round. Based on these modeling strategies, a series of linear inequalities are given to restrict the way to add an ordinary cube variable. Then, by choosing the objective function of the maximal number of ordinary cube variables, we convert Huang et al.'s greedy algorithm into an MILP problem and the maximal ordinary cube variables are found. Using this new MILP tool, we improve Huang et al.'s key-recovery attacks on reduced-round Keccak-MAC-384 and Keccak-MAC-512 by 1 round, get the first 7-round and 6-round key-recovery attacks, respectively. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round key-recovery attack could be achieved. In addition, for Ketje Minor, we use conditional cube variable with 6-6-6 pattern to launch 7-round key-recovery attack.

Available format(s)
Secret-key cryptography
Publication info
Published by the IACR in ASIACRYPT 2017
MILPConditional Cube AttackKeccak Keyed ModeKey Recovery
Contact author(s)
xiaoyangdong @ tsinghua edu cn
2017-08-29: revised
2017-08-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Zheng Li and Wenquan Bi and Xiaoyang Dong and Xiaoyun Wang},
      title = {Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method},
      howpublished = {Cryptology ePrint Archive, Paper 2017/804},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.