Paper 2019/392

New Conditional Cube Attack on Keccak Keyed Modes

Zheng Li, Xiaoyang Dong, Wenquan Bi, Keting Jia, Xiaoyun Wang, and Willi Meier


The conditional cube attack on round-reduced \textsc{Keccak} keyed modes was proposed by Huang~\emph{et al.} at EUROCRYPT 2017. In their attack, a conditional cube variable was introduced, whose diffusion was significantly reduced by certain key bit conditions. The attack requires a set of cube variables which are not multiplied in the first round while the conditional cube variable is not multiplied with other cube variables (called ordinary cube variables) in the first two rounds. This has an impact on the degree of the output of \textsc{Keccak} and hence gives a distinguisher. Later, the MILP method was applied to find ordinary cube variables. However, for some \textsc{Keccak} based versions with few degrees of freedom, one could not find enough ordinary cube variables, which weakens or even invalidates the conditional cube attack. In this paper, a new conditional cube attack on \textsc{Keccak} is proposed. We remove the limitation that no cube variables multiply with each other in the first round. As a result, some quadratic terms may appear in the first round. We make use of some new bit conditions to prevent the quadratic terms from multiplying with other cube variables in the second round, so that there will be no cubic terms in the first two rounds. Furthermore, we introduce the \emph{kernel quadratic term} and construct a \emph{6-2-2 pattern} to reduce the diffusion of quadratic terms significantly, where the $\theta$ operation even in the second round becomes an identity transformation (CP-kernel property) for the \emph{kernel quadratic term}. Previous conditional cube attacks on \textsc{Keccak} only explored the CP-kernel property of $\theta$ operation in the first round. Therefore, more degrees of freedom are available for ordinary cube variables and fewer bit conditions are used to remove the cubic terms in the second round, which plays a key role in the conditional cube attack on versions with very few degrees of freedom. We also use the MILP method in the search of cube variables and give key-recovery attacks on round-reduced \textsc{Keccak} keyed modes. As a result, we reduce the time complexity of key-recovery attacks on 7-round \textsc{Keccak}-MAC-512 and 7-round \textsc{Ketje Sr} v2 from $2^{111}$, $2^{99}$ to $2^{72}$, $2^{77}$, respectively. Additionally, we have reduced the time complexity of attacks on 9-round \texttt{KMAC256} and 7-round \textsc{Ketje Sr} v1. Besides, practical attacks on 6-round \textsc{Ketje Sr} v1 and v2 are also given in this paper for the first time.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. ToSC 2019 Issue 2
Conditional Cube AttackKeccakKMACKetjeMILP
Contact author(s)
lizhengcn @ mail sdu edu cn
xiaoyangdong @ tsinghua edu cn
2019-05-27: last of 2 revisions
2019-04-18: received
See all versions
Short URL
Creative Commons Attribution


      author = {Zheng Li and Xiaoyang Dong and Wenquan Bi and Keting Jia and Xiaoyun Wang and Willi Meier},
      title = {New Conditional Cube Attack on Keccak Keyed Modes},
      howpublished = {Cryptology ePrint Archive, Paper 2019/392},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.