Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP

Cube-attack-like cryptanalysis on round-reduced Keccak was proposed by Dinur et al. at EUROCRYPT 2015. It recovers the key through two phases: the preprocessing phase for precomputing a look-up table and the online phase for querying the output and getting the cube sum with which the right key can be retrieved by looking up the precomputed table. It was shown that such attacks are efficient specifically for Keccak-based constructions with small nonce or message block size. In this paper, we provide a mixed integer linear programming (MILP) model for cube-attack-like cryptanalysis on keyed Keccak, which does not impose any unnecessary constraint on cube variables and finds almost optimal cubes by balancing the two phases of cube-attack-like cryptanalysis. Our model is applied to Ketje Jr, Ketje Sr, a Xoodoo-based authenticated encryption and Keccak-MAC-512, all of which have a relatively small nonce or message block size. As a result, time complexities of 5-round attacks on Ketje Jr and 7-round attacks on Ketje Sr can be improved significantly. Meanwhile, 6-round attacks, one more round than the previous best attack, are possible if the key size of Ketje V1 (V2) is reduced to 72 (80) bits. For Xoodoo-based AE in Ketje style, the attack reaches 6 rounds. Additionally, a 7-round attack of Keccak-MAC-512 is achieved. To verify the correctness of our attacks, a 5-round attack on Ketje V1 is implemented and tested practically. It is noted that this work does not threaten the security of any Keccak-based construction.


Introduction
The Keccak hash function [BDPV11] was designed by Bertoni et al. and selected as the Secure Hash Algorithm-3 (SHA-3) of the National Institute of Standards and Technology of the U.S. (NIST) in 2012. The formal standardization was made public in 2015 [The15].
Apart from the keyless hash function, Keccak can be used under keyed modes, such as message authentication codes (MAC), stream ciphers, etc. What's more, the Keccak permutation or its variant has been employed in other designs, such as authenticated encryptions (AE) Keyak [BDP+16b], Ketje [BDP+16a] and the pseudorandom function Kravatte [BDH+17b]. Recently, a new permutation Xoodoo similar to the Keccak permutation has been proposed [DHAK18] and one of its purposes is to construct AE in Ketje style.
In the literature, there is a line of cryptanalysis focusing on keyed Keccak-based constructions. In [DMP+15], Dinur et al. analyzed keyed Keccak with cube attacks [DS09]. Specifically, key recovery attacks and forgery attacks were mounted against Keyak and Keccak used as MAC and stream ciphers with reduced rounds. Particularly, a type of cube attacks (cube-attack-like cryptanalysis) which proceeds in preprocessing and online phases was proposed. In the cube-attack-like cryptanalysis, auxiliary variables which are supposed to be equal to certain key bits are used to balance the two phases such that the time complexity of the whole attack is reduced. Following [DMP+15], Dong et al. provided cube-attack-like cryptanalysis on round-reduced Ketje in [DLWQ17], where dynamic variables inspired by dynamic cube attacks [DS11] are used. Auxiliary variables help reduce the diffusion of key bits, whereas dynamic variables, which depend on some of the cube variables and some key bits, help reduce the diffusion of both key bits and cube variables.
In [HWX+17], Huang et al. proposed conditional cube attacks for Keccak where the propagation of cube variables is controlled under conditions in the first two rounds, resulting in improved attacks on round-reduced Keyak and Keccak used as MAC. In [HWX+17], conditional cubes were obtained through a program that has not been optimized, which allows further improvements via a mixed integer linear programming (MILP) model [LBDW17]. MILP-based methods have become popular in the search for differential/linear characteristics since Mouha et al.'s pioneering work [MWGP11]. However, it is the first time that MILP has been applied to cube attacks on keyed Keccak. Later, a new MILP model for searching conditional cubes was proposed in [SGSL17], showing further improvements on attacks against most keyed Keccak constructions, such as Keccak used as MAC, Keyak and Ketje except the smallest instance of Ketje, Ketje Jr. Instead of analyzing a round-reduced target in cube attacks, Fuhr et al. [FNR18] proposed a state-recovery attack against full Ketje Jr with increased rate size. Against Kravatte, algebraic attacks which utilize its structural properties were proposed in [CFG+18].
As can be seen from the previous works [DLWQ17, SGSL17], cube-attack-like cryptanalysis has an advantage over conditional cube attacks in analyzing keyed Keccak-based constructions with small degrees of freedom, i.e., small message block size or nonce size. On the other hand, MILP-based methods have shown their efficiency in conditional cube attacks with significantly improved results. In this paper, we take advantage of this efficiency and apply it to cube-attack-like cryptanalysis on keyed Keccak-based constructions with small degrees of freedom.
Our contributions. We develop techniques for building an MILP model for cube-attack-like cryptanalysis, which takes both auxiliary and dynamic variables into consideration and aims to find almost optimal attacks by balancing the two phases of cube-attack-like cryptanalysis. In many previous works, cube variables are forced to be from the so-called column-parity-like (CP-like) kernel, while our model does not impose any unnecessary constraint on cube variables, and hence finds optimal cubes in terms of dimension. With regard to attack complexities, cubes found by our model are almost optimal. We apply our MILP model to keyed Keccak constructions with small nonce or message block length, including two smaller versions of Ketje Jr, Ketje Sr, a Xoodoo-based AE and Keccak-MAC-512. The results are as follows.
• Improved 5-round attacks on Ketje Jr V1 and V2, with time complexity significantly reduced;
• 6-round attacks on Ketje V1 and V2, with key size reduced to 72 and 80 bits;
• Improved 7-round attack on Ketje Sr V2;
• 6-round attack on Xoodoo-based AE in Ketje style;
• 7-round attack on Keccak-MAC-512.
The results are summarized in Table 1. It is worth noticing that more rounds can be attacked against Ketje Jr when the key size is reduced, i.e., the security is reduced. Although 72 bits or 80 bits are not the recommended key size by the designers, it is good to see how the security is affected by varying the key/nonce sizes. For Ketje Sr V1, Ketje Major and Minor which have a relatively large nonce size, cube-attack-like cryptanalysis does not outperform conditional cube attacks. In addition, our analysis shows that Xoodoo-based AE bears good resistance against cube-attack-like cryptanalysis.
Organization. The rest of the paper is organized as follows. In Section 2, a brief description of Ketje, Xoodoo and Keccak-MAC is given, followed by an introduction of related works. The MILP model is sketched in Section 4, and its application to Ketje Jr, Ketje Sr, a Xoodoo-based AE and Keccak-MAC-512 is provided in Section 5. A comparison with related works is provided in Section 6. We conclude the paper in Section 7.

Keccak-p
The where $T(x, y)$s are rotation constants.
, where $RC_{i_r}$ is the $i_r$-th round constant.
In the specification of Ketje V2, the twisted permutations Keccak-p⋆ are defined as where $\pi^{-1}$ is the inverse of the step mapping π which is expressed by The twist is to re-order the lanes in the state, as shown in Figure 2, so the twisted permutation is considered to apply the original permutation to the state $\pi^{-1}(a)$.

Ketje
Ketje is a set of authenticated encryption functions built on Keccak-p. Ketje Jr and Ketje Sr are proposed in Ketje V1, of state size 200 and 400 bits respectively. Later, two larger instances, Ketje Minor and Ketje Major with 800-bit and 1600-bit state respectively, are added to the set in Ketje V2. The major difference between Ketje V1 and V2 is that Keccak-p is used in Ketje V1 while Keccak-p⋆ is used instead in Ketje V2. In the following, we give a brief description of Ketje V2. The structure of Ketje follows the MonkeyWrap, as illustrated in Figure 3. Like other authenticated encryption functions, Ketje proceeds in four phases.
• Initialization: The state is initialized with the packed key, the nonce N and some paddings. Then Keccak-p⋆[b, $n_{\text{start}}$] is applied.
• Processing associated data: The associated data is split into δ-bit blocks (except the last one). Each time an associated data block of length up to δ bits is padded to δ + 4 bits and XORed to the state, followed by the application of Keccak-p⋆[b, $n_{\text{step}}$]. If the associated data is empty, then a single block padded from the empty string will be processed.
• Processing message: The message is also processed in δ-bit blocks in a similar way, where the ciphertext block is generated by XORing the message block and δ bits of the internal state before the message block is absorbed.
• Finalization: Keccak-p⋆[b, $n_{\text{stride}}$] is used to generate δ bits. If δ is greater than the required tag length, then the tag is extracted from the δ bits; otherwise, Keccak-p⋆[b, $n_{\text{step}}$] is applied until enough bits are collected for generating the tag.
The parameters of the four instances of Ketje V2 are summarized in It is noted in [BDH+17a] that Xoodoo can be used as authenticated encryption in Ketje style.

Keccak-MAC-512
Keccak follows the sponge construction [BDPVA11] and uses Keccak-p[1600, 24] as the underlying permutation. The sponge construction has two parameters, the capacity c and bit rate r. At first, the state is initialized to 0. Then Keccak takes in a message M and outputs a digest. The message M is processed by splitting it into r-bit blocks which are absorbed to the first r bits of the state iteratively followed by the application of Keccak-p[1600, 24]. In [BDPA11], it is proposed that Keccak can be used as MAC by taking K||M as input. Such a MAC was called Keccak-MAC in [HWX+17] for the first time and its round-reduced versions were analyzed in papers such as [DMP+15, LBDW17], where the key size is 128 bits no matter which instance of Keccak is used. KMAC [The16] is the NIST recommendation for constructing MAC from Keccak where the key is processed as an independent block before processing the message. In this paper, we only focus on Keccak-MAC-512, i.e., the MAC based on Keccak-512.

Cube Attacks
The cube attack, which can be seen as a variant of higher order differential attacks, was introduced by Dinur and Shamir [DS09] in 2009. It treats the output bit of a cipher as an unknown Boolean polynomial $f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1})$ where $k_0, \ldots, k_{n-1}$ are secret input variables and $v_0, \ldots, v_{m-1}$ are public input variables. Given any monomial $t_I$ which is the product of variables in $I = \{i_1, \ldots, i_d\}$, f can be represented as the sum of terms which are supersets of I and terms which are not supersets of I: where $p_{S_I}$ is called the superpoly of I in f, and $v_{i_1}, \ldots, v_{i_d}$ are called cube variables.
The idea behind cube attacks is that the sum of the Boolean polynomial $f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1})$ over the cube which contains all possible values for the cube variables is exactly $p_{S_I}$, while this is a random function for a random polynomial. In cube attacks, superpolys $p_{S_I}$ of low degree in the secret variables are exploited to recover the key, while cube testers [ADMS09] work by distinguishing $p_{S_I}$ from a random function (e.g., $p_{S_I} = 0$). Dynamic cube attacks [DS11] are an extension of cube testers where certain variables (called dynamic variables) are assigned a function that depends on some of the cube variables and some private variables (the key bits), so that the output polynomial can be simplified and the cube attack can be improved.

Cube-Attack-Like Cryptanalysis on Round-Reduced Keccak
In [DMP+15], Dinur et al. proposed cube-attack-like cryptanalysis on round-reduced Keccak-MAC and Keyak, where the key is recovered in a divide-and-conquer manner. Specifically, the idea in the attack is to choose the cube variables in a way such that the superpoly involves only a small number of key bits, whose value can be recovered independently of the rest of the key using a cube attack separated into preprocessing and online phases. Once the cube is selected, then
• in the preprocessing phase, one is to build a look-up table that stores cube sums under all possible values of the involved key bits;
• in the online phase, one queries the cipher and obtains the cube sum, with which the actual value of the involved key bits can be retrieved from the look-up table.
Suppose the dimension of the cube is d and the number of involved key bits is $n_i$. Then the time complexities of the above two phases are $2^{d+n_i}$ and $2^d$, respectively. As can be seen, the preprocessing phase is much more expensive than the online phase. In order to trade off the complexity of the preprocessing and online phases, auxiliary variables are introduced. Auxiliary variables are selected from public variables and supposed to be equal to certain key bits (the XOR of key bits in a column for Keccak), which help reduce the diffusion of key bits, and thus reduce the number of key bits $n_i$ the cube sum involves. Suppose there are $n_a$ auxiliary variables. Then in the online phase, one has to guess the key bits involved in the auxiliary variables and set the auxiliary variables accordingly. Under each setting of the auxiliary variables, one queries the cipher to obtain the cube sum. Consequently, the time complexity of the online phase is increased by a factor of $2^{n_a}$. However, balanced attacks become more efficient. Following this line, Dong et al. [DLWQ17] studied the cube-attack-like cryptanalysis against round-reduced initialization of Ketje, where dynamic variables were used instead. They showed that dynamic variables are more effective than auxiliary variables since dynamic variables not only reduce the diffusion of key bits, but also reduce the diffusion of cube variables, potentially leading to cubes with larger dimensions. As a demonstration, attacks on 7-round Ketje Sr and 5-round Ketje Jr can be mounted successfully using dynamic variables, while cube-attack-like cryptanalysis with auxiliary variables fails.
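The superpoly property from the Cube Attacks section and the two-phase table look-up described here can be run end to end on a small polynomial system. The following is an added example, not code from the paper: the three-output toy "cipher", its variable names and the fixed public constants are constructed for illustration, and auxiliary variables are not modelled.

```python
from itertools import product

def poly(*terms):
    """ANF polynomial over GF(2): a set of monomials, each a frozenset of variable names."""
    return {frozenset(t.split()) for t in terms}

# Constructed toy cipher: three output bits over key bits k0..k5 and public bits v0..v3.
OUTPUTS = [
    poly("v0 v1 k0", "v0 k3", "v1 k4 k5", "k1 v2", "v0 v2 k5"),
    poly("v0 v1 k1", "v0 v1 k0 k2", "v0 k4", "v2 v3 k3", "k5"),
    poly("v0 v1 k2", "v0 v1 v3", "v1 v3 k4", "v0 k0 k5", "v2"),
]
CUBE = ("v0", "v1")                  # cube variables, dimension d = 2
KEY_VARS = [f"k{i}" for i in range(6)]
FIXED = {"v2": 1, "v3": 1}           # non-cube public bits: same constants in both phases

def evaluate(p, env):
    """Evaluate an ANF polynomial: XOR over monomials of the AND of their variables."""
    return sum(all(env[v] for v in m) for m in p) & 1

def superpoly(p, cube):
    """Terms of p divisible by the cube monomial t_I, with t_I factored out."""
    cube = frozenset(cube)
    return {m - cube for m in p if cube <= m}

def make_oracle(key):
    """Black-box view of the cipher under a fixed key (dict k0..k5 -> bit)."""
    return lambda public: [evaluate(p, {**key, **public}) for p in OUTPUTS]

def cube_sums(oracle, cube, fixed_public):
    """XOR the oracle's output bits over all 2^d assignments of the cube variables."""
    acc = [0] * len(OUTPUTS)
    for bits in product((0, 1), repeat=len(cube)):
        out = oracle({**fixed_public, **dict(zip(cube, bits))})
        acc = [a ^ o for a, o in zip(acc, out)]
    return tuple(acc)

def involved_key_bits(cube):
    """Key variables occurring in any superpoly: the n_i bits the cube sum depends on."""
    return sorted({v for p in OUTPUTS for m in superpoly(p, cube)
                   for v in m if v in KEY_VARS})

def preprocess(cube, fixed_public):
    """Preprocessing phase: 2^(d + n_i) evaluations; all other key bits are set to 0."""
    inv = involved_key_bits(cube)
    table = {}
    for vals in product((0, 1), repeat=len(inv)):
        key = {**dict.fromkeys(KEY_VARS, 0), **dict(zip(inv, vals))}
        sums = cube_sums(make_oracle(key), cube, fixed_public)
        table.setdefault(sums, []).append(vals)
    return inv, table

def online(oracle, cube, fixed_public, table):
    """Online phase: 2^d queries to the keyed oracle, then one table look-up."""
    return table.get(cube_sums(oracle, cube, fixed_public), [])

if __name__ == "__main__":
    inv, table = preprocess(CUBE, FIXED)
    secret = dict(zip(KEY_VARS, (1, 0, 1, 1, 0, 1)))   # constructed sample key
    print("involved key bits:", inv)
    print("candidates:", online(make_oracle(secret), CUBE, FIXED, table))
```

Terms that miss at least one cube variable are summed an even number of times and cancel, which is why the table built with the uninvolved key bits set to zero still matches the cube sums observed under the real key.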

Motivations
As shown in Song et al.'s work, MILP widely improves conditional cube attacks on Keccak-based constructions. However, there is no MILP modeling in the literature for cube-attack-like cryptanalysis on Keccak. Additionally, it is also noted from Song et al.'s work that for Keccak constructions with small rate (or nonce length), conditional cube attacks become less powerful whereas cube-attack-like cryptanalysis still works as shown by [DLWQ17]. So the major motivation of this work is to investigate the application of MILP in cube-attack-like cryptanalysis and assess its efficiency in Keccak constructions with relatively small rate, like Ketje Jr, Ketje Sr and Keccak-MAC-512.

MILP Model for Cube-Attack-Like Cryptanalysis
Mixed integer linear programming (MILP) is a general mathematical tool for optimization, which takes an objective function and a system of linear inequalities with respect to real numbers as input, and finds solutions that optimize the objective function under the constraints of all inequalities. In [MWGP11], Mouha et al. first showed that searching differential trails can be converted to an MILP problem.
In this section, ideas and techniques are introduced for searching cubes with auxiliary/dynamic variables for Keccak-p based constructions.

Basic Idea
In cube-attack-like cryptanalysis of Keccak-based constructions, cube variables are selected such that they do not multiply with each other in the first round, i.e., the first round is linearized. Due to the fact that the algebraic degree of the round function is 2, the algebraic degree of the output after n rounds is $2^{n-1}$ if the first round is linearized. Therefore, a $2^{n-1}$-dimensional cube can act as a cube tester for n-round Keccak and be used to recover the key in cube-attack-like cryptanalysis. The time complexity of such cube attacks not only depends on the dimension (d) of the cube, but also depends on the number ($n_i$) of key bits which the cube sum depends on, and the number ($n_a$) of auxiliary/dynamic variables. As introduced in Section 3, the time complexities of cube-attack-like cryptanalysis are Note that, in previous papers [DMP+15, DLWQ17] either auxiliary variables or dynamic variables are used, where auxiliary variables only contain some key bits while dynamic variables contain both cube variables and key bits. In this paper, we utilize both and call them auxiliary variables for simplicity since their impacts on the time complexity are the same.
With the basics of cube-attack-like cryptanalysis in mind, the main goals of the MILP modeling are clear:
1. Find $2^{n-1}$-dimensional cubes where n is as large as possible;
2. Find balanced attacks where $n_i$ and $n_a$ are close and as small as possible.
The model for searching cubes of Keccak using auxiliary variables contains two lines: the propagation of cube variables through the linear layer and the propagation of key bits through the linear layer. At the nonlinear layer χ in the first round, these two lines merge and interact. In the following subsections, the model will be introduced accordingly. For the sake of clarity, we take Ketje Jr V1 as an example.
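The degree argument of this subsection can be checked empirically on Keccak-p[200]. The following is an added example, not code from the paper: each cube variable is placed on two bits of one column so that θ does not spread it (the CP-like kernel placement of earlier works), placements whose bits would meet in χ in round 1 are rejected, and all output bits are summed over a cube of dimension $2^{n-1}+1$, which must give zero when the first round is linearized. The lane layout for key and cube bits is constructed (not Ketje's), and round constants are taken from index 0.

```python
import itertools
import random

W = 8                                        # lane size: Keccak-p[200]
MASK = (1 << W) - 1
RHO = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]      # rotation offsets, RHO[x][y]
RC = [0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01]    # first Keccak round constants, low 8 bits

def rol(v, n):
    n %= W
    return ((v << n) | (v >> (W - n))) & MASK

def keccak_p(state, rounds):
    """state[x][y] are W-bit lanes; returns the state after `rounds` rounds."""
    a = [col[:] for col in state]
    for r in range(rounds):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]        # theta
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rol(a[x][y], RHO[x][y])       # rho, pi
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y] & MASK)
              for y in range(5)] for x in range(5)]                        # chi
        a[0][0] ^= RC[r]                                                   # iota
    return a

def after_linear(x, y, z):
    """Position of bit (x, y, z) after rho and pi; theta leaves CP-kernel pairs in place."""
    return (y, (2 * x + 3 * y) % 5, (z + RHO[x][y]) % W)

def pick_cube(dim, rows=(2, 3)):
    """Greedily pick `dim` columns (x, z) whose two cube bits never sit next to
    another cube bit in a chi row, so round 1 stays linear in the cube variables."""
    chosen, occupied = [], set()
    for x, z in itertools.product(range(5), range(W)):
        new = [after_linear(x, y, z) for y in rows]
        taken = occupied | set(new)
        if not any(((X + s) % 5, Y, Z) in taken for X, Y, Z in new for s in (-1, 1)):
            chosen.append((x, z))
            occupied.update(new)
        if len(chosen) == dim:
            return chosen
    raise ValueError("not enough free columns")

def cube_sum_state(rounds, cube, key, const):
    """XOR of the whole output state over all 2^dim assignments of the cube variables."""
    acc = [[0] * 5 for _ in range(5)]
    for bits in itertools.product((0, 1), repeat=len(cube)):
        s = [[const[x][y] for y in range(5)] for x in range(5)]
        for x in range(5):                   # constructed layout: key fills rows y = 0, 1
            s[x][0], s[x][1] = key[x], key[5 + x]
        for (x, z), v in zip(cube, bits):
            for y in (2, 3):                 # same value in both bits: parity unchanged
                s[x][y] = (s[x][y] & ~(1 << z) & MASK) | (v << z)
        out = keccak_p(s, rounds)
        acc = [[acc[x][y] ^ out[x][y] for y in range(5)] for x in range(5)]
    return acc

def is_zero(state):
    return all(lane == 0 for col in state for lane in col)

if __name__ == "__main__":
    rng = random.Random(0)                   # constructed random key and constants
    key = [rng.randrange(256) for _ in range(10)]
    const = [[rng.randrange(256) for _ in range(5)] for _ in range(5)]
    n = 3
    cube = pick_cube(2 ** (n - 1) + 1)
    print("cube columns:", cube)
    print("zero cube sum after", n, "rounds:", is_zero(cube_sum_state(n, cube, key, const)))
```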

Propagation of Cube Variables and the Dimension d
Cube variables have to traverse all possible values, so they should be placed where the values are under control of the attacker, e.g., the nonce or message. For Ketje Jr V1, as shown in Figure 4 (a), cube variables can be set only in white lanes under the nonce respected setting.

Suppose a[x][y][z], b[x][y]
. Each column of a may have 0, 1 or multiple cube variables. Namely, each column sum of A may be 0, 1, or more. For a column with multiple cube variables, the sum of these cube variables can be constrained to certain constant (usually 0) so that the cube variables in this column do not diffuse to other columns. If all column sums are constant, then the state a is in the column-parity-like kernel (CP-like kernel). In previous cube-attack-like cryptanalysis of Keccak-based constructions [DMP+15, DLWQ17], or even conditional cube attacks [HWX+17, LBDW17], cube variables are set in CP-like kernel. This is reasonable. If cube variables are set in CP-like kernel, and θ acts as the identity. In this way, the propagation of cube variables becomes simple. However, setting cube variables in CP-like kernel limits the dimension of the cube that can be obtained, and this drawback becomes non-negligible when the nonce or message block length is short.
In our model, we do not add any additional constraint to cube variables and take all possible cases into consideration. To do this, we introduce z) contains cube variables and the sum of these variables is a constant and 0 otherwise. For example, each column in the first four sheets of Ketje Jr V1 has only two bit positions, say $(x, y_0, z)$ and $(x, y_1, z)$ that can be chosen as cube variables, so follows are listed in Table 3, as well as the inequalities describing these patterns. The inequalities that confine the 0-1 patterns into a finite set can be obtained through the inequality_generator() function in SageMath, as suggested in [SHW+14]. After that, an additional algorithm from [ST17] is used to select a minimal number of inequalities from the inequalities returned by inequality_generator().

Table 3: Patterns of cube variables through θ and inequalities. Columns: $A[x][y_0][z]$, $A[x][y_1][z]$, $G[x][z]$, $D[x][z]$, Inequalities.
For columns with other numbers of bit positions that can be chosen as cube variables, inequalities can be generated in a similar way. When the full column is available for cube variables, inequalities in Table 9 in Appendix can be used.
According to the definition of θ is 1.This can be described by the following inequalities.

B[x][y][z]
(1) Since ρ and π just change the bit positions of the state, we let c = π ∘ ρ(b) and C = π ∘ ρ(B). Now the propagation of cube variables through the linear layer is modeled. To linearize the first round, cube variables in c should not be adjacent, which can be constrained by

The dimension of the cube is determined by A[x][y][z] and D[x][y], and
With these inequalities, the set of solutions is exactly the set of all possible cubes that linearize the first round.

Propagation of Key Bits and $n_a$
This subsection presents the model for the propagation of key bits, and the number of auxiliary variables $n_a$ is also calculated alongside.
For Ketje Jr, the key pack is loaded into the gray and light gray lanes as depicted in Figure 4 Second, let X[x][z] = 1 if the sum of column (x, z) contains key bits, otherwise X[x][z] = 0, meaning that no key bit in this column could diffuse to column (x − 1, z + 1) and (x + 1, z) through θ. From Figure 4, it is known that each column of Ketje Jr contains key bits. Hence, X[x][z] = 0 if and only if there is an auxiliary variable in that column. So X[x][z] depends on the bits that can be chosen as auxiliary variables and the sum of them should be 1. Suppose there are two bit positions $(x, y_0, z)$ and $(x, y_1, z)$ in column (x, z) that can be chosen as auxiliary variables, then , and any one is 1 will lead to The inequalities describing this relation are the same as (1).
At last, the number of auxiliary variables is the sum of

Interaction of Key Bits and Cube Variables, and $n_i$
Recall that ) are listed in Table 4, which can be described with 5 inequalities, three of which are new and shown in the last line of Table 4.
To calculate the number of involved key bits $n_i$, we sum . However, the same key bit may appear in multiple positions of U.
Recall that θ adds the XORs of bits in column (x − 1, z) and (x + 1, z − 1) to each bit of column (x, z). If at least two bits in column (x, z) do not contain key bits, then after θ these bits contain either the same key bits or none. So the same key bit appearing in multiple positions may be counted more than once with To partially solve this, we introduce the key pattern for the second and third sheet (x = 1, 2), and for the fourth and fifth sheet (x = 4, 5). Then, we let U = π ∘ ρ(V), and $n_i$ is set to be the sum of all distinct variables in U.
The problem remained unsolved is the impact of auxiliary variables on the key pattern ). In addition, the $n_i$ involved key bits may be not fully independent and calculating the number of independent involved key bits is beyond the reach of MILP. Therefore, $n_i$ may be still inaccurate. We leave this problem to be fixed with a postprocessing procedure. Now, the whole model for searching cubes using auxiliary variables can be built using techniques introduced in this section. We additionally set $d = 2^{n-1}$ and the objective function to be 'Minimize $n_i$, $n_a$'. An MILP solver like Gurobi [Gur18] can then be invoked to find optimal solutions.

Postprocessing Procedure
Algorithm 1: Postprocessing procedure for recalculating $n_i$.
Input: A, W of the solution, the cube dimension d and the key length |K|
Output:
From the solution returned by MILP solvers, we recalculated the number of involved key bits using symbolic computations. First, key bits are loaded to the state, and cube variables and auxiliary variables are set according to the solution. Then pass the state through the linear layer, and collect key bits (linear expressions of key bits) that are adjacent to the cube variables. The denser the key bits are in the initial state, the more complex the relation of involved key bits will be, but only the number of independent involved key bits matters and is the actual $n_i$. The detailed postprocessing procedure is described in Algorithm 1. Since the number of involved key bits optimized by our model may not be equal to the actual $n_i$, our model does not guarantee optimal solutions with respect to attack complexities, even though the dimension of cubes can be optimized. The experiments show that in most cases the actual where $n^\star_i$ is the claimed number of involved key bits by the model. This means that our model still finds almost optimal solutions.

5-Round Attack against Ketje Jr V1 with Recommended Key Size
The attack on 5-round Ketje V1 sequentially utilizes three 16-dimensional cubes as shown in Table 7 and 8. Each cube helps to recover part of the key and these three cubes work together to make the whole time complexity low.
The first cube has $n_i = 18$ involved key bits (linear combination of key bits) and $n_a = 17$ auxiliary variables which are listed in Table 5. The two phases of the attack proceed as follows.

Preprocessing phase:
1. Set the 18 bits in light gray according to the encoding rule, as illustrated in Figure 4 (a). Set all key bits to zero except Set all other state bits to an arbitrary constant except the 16 cube variables, 9 out of the 17 auxiliary variables a

Auxiliary variables
Involved key bits

Online phase:
1. For all possible values of the 17 linear expressions of key bits in auxiliary variables:
(a) Set the auxiliary variables accordingly. For each of the 4 values of a request the 16-bit outputs for the cube and calculate the cube sums (setting the same constant values in the state as in the preprocessing).
(b) For each match in L, retrieve the 18-bit value for the involved key bits and record it and the current value of the 17 key bits in auxiliary variables as a candidate.
In the online phase, only one candidate for the 35-bit partial key will survive, since $2^{18+17} \cdot 2^{-64} < 1$. The time complexity of the preprocessing phase is $2^{18+16+2} = 2^{36}$, and the memory complexity is $2^{18}$. The time complexity of the online phase is $2^{17+16+2} = 2^{35}$. In the end, $n_k = 35$ bits information of the key are obtained. However, 96 − 35 = 51 bits of the key are still unknown. Next, we use the second and the third cube to recover more key bits. Since the two phases of the attack using other cubes work similarly to those of the first cube for Ketje Jr V1, details of the attacks are omitted afterward, and only complexities are given.
The second cube has $n_i = 22$ involved key bits and $n_a = 21$ auxiliary variables, see Table 7 in the appendix. With 35 bits of the key known from the first cube, the number of unknown involved key bits is $n'_i = 14$, and the number of unknown key bits in the auxiliary variables is $n'_a = 9$. So the complexities are as follows.
• Preprocessing phase: the time complexity is $2^{14+16+2} = 2^{32}$ and the memory complexity is $2^{14}$;
• Online phase: the time complexity is $2^{9+16+2} = 2^{27}$.
The accumulated number of key bits recovered from the first two cubes is $n_k = 57$. The third cube has $n_i = 27$ involved key bits and $n_a = 26$ auxiliary variables, see Table 8. With 57 bits of the key known, the number of unknown involved key bits becomes $n'_i = 16$, and the number of unknown key bits in the auxiliary variables is $n'_a = 4$. So the complexities are as follows.
The number of key bits recovered from the three cubes is $n_k = 74$.

5-Round Attack against Ketje Jr V2 with Recommended Key Size
The attack on 5-round Ketje Jr V2 also uses three 16-dimensional cubes, shown in Table 10, 11. The attack on Ketje Jr V2 proceeds the same as the attack on V1. Here, we just calculate the complexities. The first cube has $n_i = 14$ involved key bits and $n_a = 15$ auxiliary variables (see Table 10). The complexities using the first cube are as follows.
The number of key bits recovered from the first cube is $n_k = 29$.
The second cube has $n_i = 18$ involved key bits and $n_a = 15$ auxiliary variables (see Table 10). With 29 bits of the key known from the first cube, the number of unknown involved key bits is $n'_i = 13$, and the number of unknown key bits in the auxiliary variables is $n'_a = 9$. So the complexities are as follows.
The accumulated number of key bits recovered from the first two cubes is $n_k = 47$.
The third cube has $n_i = 32$ involved key bits and $n_a = 26$ auxiliary variables (see Table 11). With 47 bits of the key known, the number of unknown involved key bits becomes $n'_i = 15$, and the number of unknown key bits in the auxiliary variables is $n'_a = 1$. So the complexities are as follows.

6-Round Attack against Ketje Jr V1 with Reduced Key Size
To extend our attack on Ketje Jr V1 by one round, we need 32-dimensional cubes. However, cubes that linearize the first round have dimension of 25 at most, as demonstrated by the experiment where we only focus on cube variables and set no constraint on the number of auxiliary variables or involved key bits. Recall that our model covers all possible cubes that linearize the first round. Therefore, 32-dimensional cubes that linearize the first round of Ketje Jr V1 do not exist.
When the key size of Ketje Jr V1 is reduced to 72 bits, i.e., the nonce size increases, 32-dimensional cubes can be found. Consequently, one more round can be attacked. The 32-dimensional cube used in our attack is presented in Table 12, and has 29 auxiliary variables and 34 involved key bits. The time complexities of the 6-round attack on Ketje Jr V1 with a 72-bit key are calculated as follows.
With this cube, 57 bits information of the key can be recovered. The remaining 72 − 57 = 15 key bits can be recovered by brute force. In total, the time complexity is $2^{68} + 2^{63} + 2^{15} = 2^{68.04}$, and the memory complexity is $2^{34}$.

6-Round Attack against Ketje Jr V2 with Reduced Key Size
The experiment shows that 32-dimensional cubes of Ketje Jr V2 that linearize the first round do not exist and the maximal dimension of such cubes is 24. When the key size of Ketje Jr V2 is reduced to 80 bits, 32-dimensional cubes can be found using our model, and the number of rounds attacked can be increased to 6. The 32-dimensional cube used in our attack is presented in Table 13 which has 22 auxiliary variables and 25 involved key bits. The time complexities of the 6-round attack on Ketje Jr V2 with an 80-bit key are calculated as follows.
With this cube, 40 bits information of the key can be recovered. The remaining 80 − 40 = 40 key bits can be recovered by brute force. In total, the time complexity is $2^{59} + 2^{56} + 2^{40} = 2^{59.17}$, and the memory complexity is $2^{25}$.

7-Round Attack against Ketje Sr
For Ketje Sr V1, the best 64-dimensional cube found by our model has 48 auxiliary variables and 48 involved key bits, leading to an attack on 7 rounds of Ketje Sr V1 with time complexity $2^{114}$, which is slightly better than the attack in [DLWQ17], but worse than the conditional attack in [SGSL17].
For Ketje Sr V2, the 64-dimensional cube used in our attack is presented in Table 14 which has 33 auxiliary variables and 33 involved key bits. The time complexities of the 7-round attack on Ketje Sr V2 are calculated as follows.
With this cube, 60 bits information of the key can be recovered. The remaining 128 − 60 = 68 key bits can be recovered by brute force. In total, the time complexity is $2^{98} + 2^{98} + 2^{68} \approx 2^{99}$, and the memory complexity is $2^{33}$.

6-Round Attack against Xoodoo-based AE
Assume that the key of the Xoodoo-based AE has 128 bits and follows the Ketje's packing, as shown in Figure 5 (a). Since the operations θ and χ of Xoodoo are very similar to those of Keccak-p and $\rho_{\text{west}}$ just reorders the state bits, the model described in Section 4 can be adapted to Xoodoo easily. When we only focus on cube variables, the experiment shows that 64-dimensional cubes linearizing the first round do not exist and the maximal dimension of such cubes is 62. Therefore, we mount an attack on 6-round Xoodoo-based AE using a 32-dimensional cube.
The 32-dimensional cube used in our attack is presented in Table 15 which has 55 auxiliary variables and 55 involved key bits. The time complexities of the 6-round attack on the Xoodoo-based AE are calculated as follows under the assumption that the rate is 32.
With this cube, 106 bits information of the key can be recovered. The remaining 128 − 106 = 22 key bits can be recovered by brute force. In total, the time complexity is $2^{88} + 2^{88} + 2^{22} \approx 2^{89}$, and the memory complexity is $2^{55}$. Note that such cubes with dimension 64 exist for Ketje Sr but it is not the case for Xoodoo-based AE. One reason is that Ketje Sr has a slightly larger state which provides 16 more degrees of freedom. Another important reason lies in the differences of the underlying permutation, as follows.
• Columns in Xoodoo are shorter than those in Keccak-p. Note that long columns (specifically, columns of more free bits) are advantageous to save degrees of freedom.
• The non-linear operation (S-box) is applied to every 3-bit column in Xoodoo but to every 5-bit row in Keccak-p.More specifically, at most one bit in each column of Xoodoo contains cube variables while at most two bits in each row of Keccak-p contain cube variables.
Interestingly, if the non-linear operation is applied to every 4-bit row in Xoodoo (even though such nonlinear operations on 4-bit rows are not invertible), the dimension of cubes that linearize the first round can reach 99, allowing 64-dimensional cubes that cover one more round.Therefore, short columns and narrow S-boxes which heavily limit the dimension of the cube are helpful for Xoodoo-based AE in resisting cube-attack-like analysis.

7-Round Attack against Keccak-MAC-512
The key pack of Keccak-MAC-512 is shown in Figure 5(b). One of the 64-dimensional cubes for Keccak-MAC-512 is shown in Table 16, which has 46 auxiliary variables and 46 involved key bits. The time complexities of the 7-round attack on Keccak-MAC-512 are calculated as follows.
With this cube, 92 bits of key information can be recovered. The remaining 128 − 92 = 36 key bits can be recovered by brute force. In total, the time complexity is $2^{110} + 2^{110} + 2^{36} \approx 2^{111}$, and the memory complexity is $2^{46}$.

Experiment and Verification
In this paper, cubes are searched by feeding the generated inequalities to Gurobi Optimizer [Gur18]. The running time for searching cubes varies from seconds to hours. Specifically, it takes seconds on a PC to search cubes for Ketje Jr and Ketje Sr, minutes for Xoodoo and hours for Keccak-MAC-512.
To verify the correctness of the attacks in this section, we implemented the attack on 5-round Ketje Jr V1 using the first cube, whose details are displayed in Table 7. The 18 involved key bits and 17 auxiliary variables are also presented in Table 5 for better understanding. The experiments show that the right values of the involved key bits and the key bits in auxiliary variables can be recovered successfully.

Discussion and Comparison
Our results of Section 5 are summarized in Table 1, along with a comparison with related works. Below, the comparison will be explained in more detail.

Cube-attack-like cryptanalysis with and without MILP. In [DLWQ17], Dong et al. studied cube-attack-like cryptanalysis of Ketje, where cubes were constructed manually. Compared with Dong et al.'s work, our automated method using MILP helps to find better cubes and thus obtains better attacks. Moreover, using our model, it becomes easier to carry out cube-attack-like cryptanalysis of keyed Keccak constructions or prove that cubes of certain dimensions do not exist.

Cube-attack-like cryptanalysis and conditional cube attacks. In general, the most important factor in both types of attack is the number of degrees of freedom, i.e., message block size or nonce size. Table 6 summarizes the numbers of degrees of freedom for the keyed Keccak constructions discussed in this paper. Recall that the first round of the Keccak permutation is linearized in both attacks, but in conditional cube attacks the propagation of some cube variables is controlled in the second round by consuming additional degrees of freedom. If there are sufficient degrees of freedom in a keyed Keccak construction, only a few conditions are required to construct conditional cubes, resulting in a lower time complexity than cube-attack-like cryptanalysis. But on keyed Keccak constructions with few degrees of freedom, i.e., small message block size or nonce size, conditional cube attacks do not perform as well as cube-attack-like cryptanalysis. For example, 16-dimensional conditional cubes do not exist for Ketje Jr [SGSL17], and thus 5-round attacks are impossible using conditional cube attacks, but both [DLWQ17] and our work show that it is not the case for cube-attack-like cryptanalysis.
Apart from the number of degrees of freedom, another important factor in both attacks is the layout of the state, especially the layout of free bits. This can be seen from the analysis of Ketje Sr and Keccak-MAC-512. Keccak-MAC-512 has 447 degrees of freedom, which is much larger than that of Ketje Sr, but the dimension of conditional cubes of Keccak-MAC-512 hardly reaches 64 while 64-dimensional conditional cubes of Ketje Sr can be found easily [SGSL17]. One reason is that each column in the initial state of Keccak-MAC-512 has only one or two free bits while in that of Ketje Sr almost every column has at least three free bits. As discussed in Section 5.6, columns with more free bits help save degrees of freedom.
Very recently, Bi et al. [BDL+18] also provided an MILP model for cube-attack-like cryptanalysis of keyed Keccak and applied it to Lake Keyak, Ketje Major, Ketje Minor and Keccak-MAC, which were also analyzed in [SGSL17]. The comparison between the results from [SGSL17] and [BDL+18] shows that for Keyak, Ketje Major and Ketje Minor, which have relatively large degrees of freedom, conditional cube attacks outperform cube-attack-like cryptanalysis. Further, our work shows that for Ketje Sr V2, Ketje Jr, and Keccak-MAC-512 with relatively small degrees of freedom, cube-attack-like cryptanalysis is more efficient. To make sure we can stop at Ketje Sr safely, we add an experiment on Ketje Minor and obtain a 7-round attack with complexity $2^{92}$ by finding the cube in Table 17. This attack is better than the attack on Ketje Minor in [BDL+18], which has a time complexity of $2^{113}$, but worse than the conditional cube attack in [SGSL17], whose time complexity is $2^{73.03}$. Therefore, we do not apply our model to other targets with degrees of freedom larger than that of Ketje Sr, such as Ketje Major and Keyak.

Conclusion
Cube-attack-like cryptanalysis using auxiliary/dynamic variables is of special interest since it is efficient for Keccak-p based constructions with a small message block size or nonce size. In this paper, we proposed a new MILP model for cube-attack-like cryptanalysis against Keccak-p based constructions, which particularly takes both auxiliary and dynamic variables into consideration and aims to find almost optimal attacks by balancing the two phases of the cube-attack-like cryptanalysis. Under the new model, the best 5-round attacks on Ketje Jr and 7-round attacks on Ketje Sr V2 were improved and 6-round attacks on Ketje Jr were achieved when the key size is reduced. The application of our model to the Xoodoo-based AE in Ketje style brought out a 6-round attack and showed that the differences between the Keccak permutation and Xoodoo do affect the resistance against cube-attack-like cryptanalysis. Finally, a 7-round attack on Keccak-MAC-512 was also proposed.

In total, there are 57 bits of key information involved in both auxiliary variables and involved key bits.
In total, there are 40 bits of key information involved in both auxiliary variables and involved key bits.
Table 15: A 32-dimensional cube for the Xoodoo AE, where $(n_a, n_i) = (55, 55)$. In total, there are 106 bits of key information involved in both auxiliary variables and involved key bits.
Keccak-p permutations, denoted by Keccak-p[b, n], are specified with two parameters: the width of the permutation in bits $b = 25 \times 2^l$, $l = 0, \dots, 6$, and the number of rounds n. The b-bit state a of Keccak-p[b, n] can be seen as a three-dimensional array of bits a[5][5][w] with $w = 2^l$. The expression a[x][y][z] represents the bit at position (x, y, z), where expressions in the x and y coordinates are always implicitly taken modulo 5 and expressions in the z coordinate modulo w. The two-dimensional part a[x][*][*] is called a sheet. The one-dimensional part a[*][y][z] is called a row, a[x][*][z] a column and a[x][y][*] a lane. A lane of the state is also denoted as a[x][y] by omitting the z index. At lane level, the state a[x][y] becomes a 5 × 5 array with x for the column index and y for the row index. These notations are visualized in Figure 1.

Figure 3: Wrapping a header and a body with MonkeyWrap [BDP+16a]

In [HWX+17], Huang et al. proposed conditional cube testers for the keyed Keccak sponge function, in which the propagation of certain cube variables is controlled in the first few rounds if some conditions are satisfied. If the conditions involve the key information, such a cube tester could be used to recover the key. Using conditional cube testers, key recovery attacks were obtained for various instances of Keccak-MAC and Keyak in [HWX+17]. Later, the attacks on Keccak-MAC and Ketje were improved with better conditional cubes found by an MILP model by Li et al. in [LBDW17]. Inspired by [LBDW17], Song et al. [SGSL17] provided a new MILP model for searching conditional cubes of Keccak that fully describes the first two rounds, and the application of the new model leads to a series of better attacks against KMAC [The16], Keyak, Ketje and Keccak-MAC.

Figure 4: Key pack of Ketje Jr and Ketje Sr, where gray lanes are the key, light gray lanes denote padded or encoded bits and white lanes are the nonce.
and Z[x][y][z] = 1 indicates that the input of χ in the first round at (x, y, z) contains key information. If its neighbouring bits contain cube variables, i.e., C[x − 1][y][z] = 1 or C[x + 1][y][z] = 1, then the key bit propagated to position (x, y, z) affects the cube sum and thus it is an involved key bit. In order to calculate the number of involved key bits $n_i$, U[x][y][z] is introduced, where U[x][y][z] = 1 if the key bit at (x, y, z) is an involved key bit and 0 otherwise. All possible patterns of

Figure 5: Key pack of Xoodoo in Ketje style and Keccak-MAC-512, where gray lanes are the key, light gray lanes denote constants and white lanes are the nonce or message.

Table 1: Summary of our attacks on Ketje Jr, Ketje Sr, Xoodoo and Keccak-MAC-512 under the nonce-respected setting and comparison with related works.

Bi et al.'s model. Concurrently, another model for cube-attack-like cryptanalysis on keyed Keccak was proposed by Bi et al. [BDL+18]. Bi et al.'s model utilizes auxiliary variables and finds cubes in the CP-like kernel with low complexity for the preprocessing phase. Balancing the two phases is processed independently from the model. In contrast, our model utilizes both auxiliary and dynamic variables and imposes no extra constraint on cube variables (and thus covers the full set of solutions with respect to dimension). Moreover, balancing is considered inside the model. Even though both models are general to keyed Keccak constructions, our targets differ from those of Bi et al. Specifically, Bi et al. focus on Keccak-MAC, Keyak and two larger versions of Ketje, which have relatively large degrees of freedom, while our targets are the smaller versions of Ketje, namely Ketje Jr, Ketje Sr and a Xoodoo-based AE. We also apply our model to Keccak-MAC-512 and a slightly better result is obtained than that from [BDL+18].

32. The round function of Xoodoo has five steps as follows.
Table 2, and for all four instances, $n_{\text{start}} = 12$, $n_{\text{step}} = 1$ and $n_{\text{stride}} = 6$. As can be seen from the above phases, the first ciphertext block is generated after at least $n_{\text{start}} + n_{\text{step}} = 13$ rounds. Most attacks on Ketje in the literature, as well as this paper, consider versions of Ketje with this number reduced.

Table 4: Patterns of key bits and cube variables. Symbol '*' denotes arbitrary value.
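As an added example (not code from the paper), the following brute-force check on a single χ block confirms two facts the text relies on: how many positions of a 3-bit Xoodoo column, a 4-bit row or a 5-bit Keccak-p row can carry cube variables while χ stays linear in them, and that a key bit is involved exactly when a neighbouring position in its row holds a cube variable. It assumes every marked position carries its own independent variable; all function names are illustrative.

```python
from itertools import combinations, product

def chi(a):
    """χ on one cyclic block: b[i] = a[i] XOR (NOT a[i+1] AND a[i+2])."""
    n = len(a)
    return [a[i] ^ ((a[(i + 1) % n] ^ 1) & a[(i + 2) % n]) for i in range(n)]

def interacts(n, i, j):
    """True if χ multiplies the bits at positions i and j, i.e. the
    second-order derivative w.r.t. (i, j) is non-zero for some input."""
    for a in product((0, 1), repeat=n):
        acc = [0] * n
        for di, dj in product((0, 1), repeat=2):
            x = list(a)
            x[i] ^= di
            x[j] ^= dj
            acc = [s ^ t for s, t in zip(acc, chi(x))]
        if any(acc):
            return True
    return False

def max_linear_cube(n):
    """Largest number of positions in an n-bit χ block that can each hold a
    distinct cube variable without producing a product of two of them."""
    for k in range(n, 0, -1):
        for s in combinations(range(n), k):
            if not any(interacts(n, i, j) for i, j in combinations(s, 2)):
                return k
    return 0

def involved_key_positions(n, key_pos, cube_pos):
    """Positions marked Z = 1 (key) that χ multiplies with a position marked
    C = 1 (cube variable); these are the positions with U = 1."""
    return sorted(k for k in key_pos
                  if any(interacts(n, k, c) for c in cube_pos))

if __name__ == "__main__":
    for n, name in ((3, "Xoodoo column"), (4, "4-bit row"), (5, "Keccak-p row")):
        print(f"{name}: at most {max_linear_cube(n)} cube-variable position(s)")
    # Constructed pattern for one 5-bit row: key bits at x = 0, 1, 3; cube variable at x = 2.
    print("involved key positions:", involved_key_positions(5, [0, 1, 3], [2]))
```

The key bit at x = 0 in the constructed pattern is two positions away from the cube variable, so χ never multiplies them and it does not count towards the involved key bits.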
Ketje Jr, Ketje Sr, Xoodoo and Keccak-MAC-512
In this section, we apply the model described in Section 4 to Ketje Jr, Ketje Sr, Xoodoo-based AE in Ketje style and Keccak-MAC-512, all of which have relatively small nonce or message block length. First, improved 5-round attacks on Ketje Jr are obtained, where the time complexity of the attack is reduced significantly. Then, we consider Ketje Jr with reduced key size. Namely, the key size is less than 96 bits, and the security goal of confidentiality becomes |K| = min(96, |K|) according to the security claims of Ketje [BDP+16a]. As a result, one more round of Ketje Jr V1 (V2) can be attacked if the key size is reduced to 72 (80) bits. Also, we give an improved 7-round attack on Ketje Sr V2. Finally, a 6-round attack on the Xoodoo-based AE and a 7-round attack on Keccak-MAC-512 are also achieved.

Table 5: Auxiliary variables and involved key bits of the first cube for Ketje Jr V1, where the gray key bits are set to be zero in the preprocessing phase.

Table 6: Keccak-p-based constructions and their available degrees of freedom and dimensions of cubes used in attacks. 'Type' refers to the attack which is more advantageous.
CC: conditional cube attacks; CAL: cube-attack-like cryptanalysis.

Table 10: The first two 16-dimensional cubes for Ketje Jr V2, where the corresponding $(n_a, n_i)$