Paper 2019/447

Practical Key-recovery Attacks on Round-Reduced Ketje Jr, Xoodoo-AE and Xoodyak

Haibo Zhou, Zheng Li, Xiaoyang Dong, Keting Jia, and Willi Meier


Conditional cube attack was proposed by Huang et al. at EUROCRYPT 2017 to attack Keccak keyed mode. Inspired by dynamic cube attack, they reduce the degree by appending key bit conditions on the initial value (IV). Recently, Li et al. proposed new conditional cube attacks on Keccak keyed mode with extremely small degrees of freedom. In this paper, we find a new property on Li et al.'s method, and modify the new conditional cube attack for lightweight encryption algorithms using a 8-2-2 pattern, and apply it on 5-round Ketje Jr, 6-round Xoodoo-AE and Xoodyak, where Ketje Jr is among the 3rd round CAESAR competition candidates and Xoodyak is a Round 1 submission of the ongoing NIST lightweight cryptography project. Then we give the updated conditional cube attack analysis. All our results are of practical time complexity with negligible memory cost and our test codes are given in this paper. Notably, it is the first third-party cryptanalysis result for Xoodyak.

Available format(s)
Secret-key cryptography
Publication info
Preprint. Minor revision.
Conditional Cube AttackKeccakKetje JrXoodooXoodyak
Contact author(s)
zhouhaibo @ mail sdu edu cn
xiaoyangdong @ tsinghua edu cn
willi meier @ fhnw ch
2019-05-09: revised
2019-05-08: received
See all versions
Short URL
Creative Commons Attribution


      author = {Haibo Zhou and Zheng Li and Xiaoyang Dong and Keting Jia and Willi Meier},
      title = {Practical Key-recovery Attacks on Round-Reduced Ketje Jr, Xoodoo-AE and Xoodyak},
      howpublished = {Cryptology ePrint Archive, Paper 2019/447},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.