Conditional Cube Attack on Reduced-Round Keccak Sponge Function

Since Keccak was selected as SHA-3 hash function by NIST, it has attracted considerable attention from cryptographic researchers. Keccak sponge function [1] has also been used to design message authentication codes (MAC) and authenticated encryption (AE) scheme Keyak. Till now, the most efficient key recovery attacks on Keccak-MAC and Keyak are cube attacks and cube-attack-like cryptanalysis proposed at EUROCRYPT’15. In this paper, we provide a new type of cube distinguisher named conditional cube tester for Keccak sponge function, where we append some bit conditions for some cube variables to reduce the dimension of the original cube tester. We apply the conditional cube tester to recover the key for reduced-round Keccak-MAC and Keyak. Compared to the previous key recovery attacks for Keccak-MAC and Keyak, our attacks are the best attacks according to the number of rounds or the complexity. Moreover, by constructing an MILP (mixed integer linear programming) model, we provide a searching algorithm to produce the most efficient conditional cube tester, which can be utilized as a distinguisher for Keccak sponge function. As a result, we improve the previous distinguishing attacks on Keccak sponge function. Although the attacks in this paper are the best ones compared with previous results, they cannot threat the security margin of Keccak sponge function.