Conditional Cube Attack On Reduced-Round Keccak Sponge Function

Nowadays,with the rapid development of computers and the widely use of inter-net,there is a huge amount of data transferred in the channel.To insure the security and reliability of the data becomes an important issue.To solve this issue,symmet-ric cryptographic primitives are an efficient method.Symmetric cryptography,which attracts the attention of academic community,is to study the security of symmetric cryptographic primitives.As the key technology of symmetric cryptography,hash function is applied to insure data integrity and confidentiality during the information communication.The security analysis of Keccak,the winner of SHA-3,is a standard hash function.It has attracted considerable interest.Based on the diffusion property of Keccak sponge function,we proposed a new cryptanalysis model–conditional cube tester in this paper.By imposing some bit conditions for certain ordinary cube variables,we are able to construct cube testers with smaller dimensions so that we reduce the complexity of several attacks.In this paper,we apply our conditional cube attack to analyse the security of t-wo different modes of Keccak sponge functions.And we get three different results.Among them,there are two results related to the key mode of Keccak sponge func-tion.Firstly,we improve the best key recovery attack proposed by Itai et al.In our results,time complexity of 6-round Keccak-MAC key recovery attack is reduced to 2⁴⁰from 2⁶⁵and memory complexity is negligible,which makes the attack a practical one.Time complexity of 7-round Keccak-MAC key recovery attack is decreased from 2⁹⁷to 2⁷².Then,we also apply our conditional cube attack to an Authenticated Encryption Scheme Keyak based on Keccak.Our attack can analyse Keyak to 8-round but the previous best result is 7-round.Our third result in this paper is to construct some more efficient distinguishers on Keccak sponge function.The distinguishers can distinguish Keccak sponge function from random permutation.We provide a searching algorithm to produce the most effi-cient conditional cube tester by modeling it as an MILP?mixed integer linear program-ming?problem.As a result,we improve the previous distinguishing attacks on Keccak sponge function significantly.We get a 7-round distinguishing attack with complexi-ty of 2³³,which improves the 7-round distinguishing attack proposed by Itai et al.in Eurocrypt'15 with complexity of 2⁶⁵.Most of our attacks have been implemented and verified by desktop computers.