
Conditional Cube Attack On Round-Reduced Keyak With Prefixed Message

Posted on: 2019-06-12 | Degree: Master | Type: Thesis
Country: China | Candidate: L Li
GTID: 2428330542499894 | Subject: Information security
Abstract/Summary:
Authenticated encryption algorithms are now widely used in many fields of information security. They simultaneously provide confidentiality, integrity, and authenticity assurances on the data. Encryption transforms plaintext into ciphertext, while decryption does the reverse. With encryption and decryption, information is transmitted in the form of ciphertext, ensuring its confidentiality on the communication channel, and authentication can determine whether the data has been forged, tampered with or damaged. Six different authenticated encryption modes, namely OCB 2.0, Key Wrap, CCM, EAX, Encrypt-then-MAC (EtM), and GCM, have been standardized in ISO/IEC 19772:2009. With the development of computer technology and cryptanalytic techniques, international cryptography experts believe that the security of the existing authenticated encryption algorithms is under threat. In order to find a new authenticated encryption algorithm with high security, wide applicability and strong robustness, the CAESAR competition was launched in 2014.

Keyak, an authenticated encryption scheme submitted by Bertoni et al., is one of the 16 survivors of the third round of the CAESAR competition. At Eurocrypt 2015, Dinur et al. presented a key recovery cube-like attack on round-reduced Lake Keyak using a divide-and-conquer method. At Eurocrypt 2017, Huang et al. applied the conditional cube attack to round-reduced Lake Keyak, imposing some bit conditions to reduce the diffusion of the conditional cube variable. They presented a key recovery attack on 6/7/8-round Lake Keyak. Then Bi et al. explored the conditional cube attack on the small-state River Keyak and presented a key recovery attack on 6/7/8-round River Keyak.

In the above-mentioned analyses of Keyak, there is no restriction on the choice of conditional cube variables and ordinary cube variables. But we have to consider the situation in which messages in Keyak have fixed formats. In such cases, although cryptanalysts can control these messages, they cannot change them to whatever they want. So the prefixed message bits cannot be chosen as conditional cube variables or ordinary cube variables, because conditional and ordinary cube variables must range over all possible values. Therefore, the conditional and ordinary cube variables cannot be chosen freely in a conditional cube attack on Keyak with a prefixed message.

For that case, we propose a MILP model for the first 2 rounds to find the maximum number of ordinary cube variables under a given conditional cube variable. When the prefixed message covers no more than 10 lanes, there are enough conditional and ordinary cube variables to mount a key recovery attack on 8-round Lake Keyak. When more than 10 lanes are filled with the prefixed message, the number of conditional and ordinary cube variables is not enough for us to launch a key recovery attack on 8-round Lake Keyak. Finally, we launch the conditional cube attack on 6/7/8-round Lake Keyak when the first 10 lanes are filled with the prefixed message.
Keywords/Search Tags:Keyak, conditional cube attack, prefixed message, MILP, CAESAR