International Association
for Cryptologic Research

This paper introduces the guess-and-determine rebound attack that improves Dong et al.'s triangulating rebound attack in CRYPTO 2022 and Taiyama et al.’s key collision attack in ASIACRYPT 2024. The improvement comes from two aspects: The first improvement is to explore related-key differentials to suit for key collision attack, while Dong et al.'s triangulating rebound attack only considered single-key differentials on AES. To avoid the contradictions in the related-key differential, two tricks are proposed to identify valid trails for key collision attacks. The second improvement is to determine the range of Inbound phase flexibly with the guess-and-determine technique, to reduce the overall time complexity of the attack. By dividing the conflicts in the guess-and-determine steps into different types and handling them separately, the Inbound phase is significantly extended and ultimately leads to better or even practical key collision attacks. Finally, we apply our method to the key collisions on AES, and improve the time complexities of all the theoretical key collision attacks on AES proposed by Taiyama et al. into practical ones, i.e., from 2^{49} to our 2^{6} on 2-round AES-128, from 2^{61} to our 2^{21} for 5-round AES-192 and 6-round AES-256. Additionally, a new 3-round practical key collision attack on AES-128 is given, which is assumed to be impossible by Taiyama et al. All the practical attacks are implemented and some example pairs were found instantly on a standard PC. Besides, some quantum key collisions attacks and semi-free-start collision attacks are proposed.

The conditional cube attack on round-reduced Keccak keyed modes was proposed by Huang et al. at EUROCRYPT 2017. In their attack, a conditional cube variable was introduced, whose diffusion was significantly reduced by certain key bit conditions. The attack requires a set of cube variables which are not multiplied in the first round while the conditional cube variable is not multiplied with other cube variables (called ordinary cube variables) in the first two rounds. This has an impact on the degree of the output of Keccak and hence gives a distinguisher. Later, the MILP method was applied to find ordinary cube variables. However, for some Keccak based versions with few degrees of freedom, one could not find enough ordinary cube variables, which weakens or even invalidates the conditional cube attack.In this paper, a new conditional cube attack on Keccak is proposed. We remove the limitation that no cube variables multiply with each other in the first round. As a result, some quadratic terms may appear in the first round. We make use of some new bit conditions to prevent the quadratic terms from multiplying with other cube variables in the second round, so that there will be no cubic terms in the first two rounds. Furthermore, we introduce the kernel quadratic term and construct a 6-2-2 pattern to reduce the diffusion of quadratic terms significantly, where the Θ operation even in the second round becomes an identity transformation (CP-kernel property) for the kernel quadratic term. Previous conditional cube attacks on Keccak only explored the CP-kernel property of Θ operation in the first round. Therefore, more degrees of freedom are available for ordinary cube variables and fewer bit conditions are used to remove the cubic terms in the second round, which plays a key role in the conditional cube attack on versions with very few degrees of freedom. We also use the MILP method in the search of cube variables and give key-recovery attacks on round-reduced Keccak keyed modes.As a result, we reduce the time complexity of key-recovery attacks on 7-round Keccak-MAC-512 and 7-round Ketje Sr v2 from 2111, 299 to 272, 277, respectively. Additionally, we have reduced the time complexity of attacks on 9-round KMAC256 and 7-round Ketje Sr v1. Besides, practical attacks on 6-round Ketje Sr v1 and v2 are also given in this paper for the first time.