**Finding Ordinary Cube Variables for Keccak-MAC with Greedy Algorithm**

*Fukang Liu and Zhenfu Cao and Gaoli Wang*

**Abstract: **In this paper, we introduce an alternative method to find ordinary cube variables for Keccak-MAC by making full use of the key-independent bit conditions. First, we select some potential candidates for ordinary cube variables by properly adding key-independent bit conditions, which do not multiply with the chosen conditional cube variables in the first two rounds. Then, we carefully determine the ordinary cube variables from the candidates to establish the conditional cube tester with an approach inspired from the greedy algorithm. Finally, based on our new method to recover the 128-bit key, the conditional cube attack on 7-round Keccak-MAC-128/256/384 is improved to $2^{71}$ and 6-round Keccak-MAC-512 can be attacked with at most $2^{40}$ calls to 6-round Keccak internal permutation. It should be emphasized that our new approach does not require sophisticated modeling nor usage of a solver.

**Category / Keywords: **Keccak, Keccak-MAC, ordinary cube variables, conditional cube attack, cube tester

**Date: **received 31 Aug 2018, last revised 11 Nov 2018

**Contact author: **liufukangs at 163 com

**Available format(s): **PDF | BibTeX Citation

**Note: **1. Correct two mistakes for Keccak-MAC-512, i.e. two bit conditions on $A_{\theta}^{0}[3][3][20]$ and $A_{\theta}^{0}[3][4][21]$).

2. Provide the source code to verify our discovered 32-dimensional cube with fewer key-independent bit conditions.

3. Add a section to introduce our tracing algorithm in a formal way.

4. Add a subsection to introduce cube tester and conditional cube tester.

5. Some minor corrections such as Figures and statements.

**Version: **20181112:055317 (All versions of this report)

**Short URL: **ia.cr/2018/799

[ Cryptology ePrint archive ]