Abstract
Linear codes over finite fields are one of the most well-studied areas in coding theory. While codes over finite fields of characteristic two are of particular practical interest due to their good implementation properties, ternary codes have been extensively studied as well. By contrast, there has been essentially no research into ternary cryptographic algorithms. The only exception to date is a cryptocurrency and distributed ledger technology called IOTA which is ternary and has been designed primarily for use in the Internet of Things. Its security depends on using a secure cryptographic hash function over \(\mathbb {F}_{3}\). With all existing hash designs being binary, a ternary prototype called Curl-P had been developed, however was found to admit practical collision attacks. A ternary adaption of SHA-3 called Kerl is currently used instead, but comparatively inefficient. In this paper, we propose a new ternary hash function called Troika which is tailored for use in IOTA’s ternary distributed ledger and can be used as a drop-in replacement for Kerl. The design of Troika leverages elements from the well-established Keccak and Rijndael design philosophies, while being designed for efficiency in terms of basic \(\mathbb {F}_{3}\) operations. In particular, it features a novel 3-trit S-box which is differentially 3-uniform while being implementable in only 7 additions and multiplications over \(\mathbb {F}_{3}\). Troika is designed to offer a security level comparable to SHA-3. It is expected that Troika, as part of IOTA’s distributed ledger, will find widespread commercial real-world use in the near- to mid-term future. We believe that not the least due to its unorthodox ternary design, it will provide both a practically relevant and interesting target for further cryptanalysis.


Similar content being viewed by others
References
Beierle C., Canteaut A., Leander G., Rotella Y.: Proving resistance against invariant attacks: How to choose the round constants. In: Katz J., Shacham H., (eds) Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20–24, 2017, Proceedings, Part II, vol. 10402. Lecture Notes in Computer Science, pp. 647–678. Springer, New York (2017).
Bertoni G., Daemen J., Peeters M., Van Assche G.: On the indifferentiability of the Sponge construction. In: Smart, Nigel P. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 4965, pp. 181–197. Springer, New York (2008).
Bertoni G., Daemen J., Peeters M., Van Assche G.: Keccak sponge function family main document. Submission to NIST SHA-3 competition (Round 3). http://keccak.noekeon.org/ (2011).
Bertoni G., Daemen J., Peeters M., Van Assche G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri A, Vaudenay S, (eds.) Selected areas in cryptography—18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11–12, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 7118, pp. 320–337. Springer, New York (2011).
Bertoni G., Daemen J., Peeters M., Van Assche G.: Cryptographic sponge functions, version 0.1. https://keccak.team/files/CSF-0.1.pdf (2011).
Bertoni G., Daemen J., Peeters M., Van Assche G.: The Keccak reference, version 3.0. Submission to NIST (SHA-3 competition, final round) (2011).
Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991).
Biryukov A., Wagner D.A.: Slide attacks. In: Knudsen, L.R., (eds.) Fast Software Encryption, 6th International Workshop, FSE ’99, Rome, Italy, March 24–26, 1999, Proceedings. Lecture Notes in Computer Science, vol. 1636, pp. 245–259. Springer, New York (1999).
Bogdanov A., Knudsen L., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Paillier P., Verbauwhede I., (eds.) CHES. Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer, New York (2007).
Chen G., Li R.: Ternary self-orthogonal codes of dual distance three and ternary quantum codes of distance three. Des. Codes Cryptogr. 69(1), 53–63 (2013).
Daemen J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, Leuven, Belgium (1995)
Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Springer, New York (2002).
Daemen J., Knudsen L.R., Rijmen V.: Linear frameworks for block ciphers. Des. Codes Cryptogr. 22(1), 65–87 (2001).
Gauravaram P., Knudsen L.R., Matusiewicz K., Mendel F., Rechberger C., Schläffer M., Thomsen S.S.: Grøstl—a SHA-3 candidate. Submission to NIST (SHA-3 competition, final round) (2011).
Granboulan L., Levieil É., Piret G.: Pseudorandom permutation families over abelian groups. In: Robshaw M.J.B. (ed.) Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15–17, 2006, Revised Selected Papers. Lecture Notes in Computer Science, vol. 4047, pp. 57–77. Springer, New York (2006).
Greenough P.P., Hill R.: Optimal ternary quasi-cyclic codes. Des. Codes Cryptogr. 2(1), 81–91 (1992).
Heilman E., Narula N., Tanzer G., Lovejoy J., Colavita M., Virza M., Dryja T.: Cryptanalysis of Curl-P and Other Attacks on the IOTA Cryptocurrency. BlackHat, USA 2018 (2018).
Helleseth T., Kholosha A.: New ternary binomial bent functions. In: IEEE International Symposium on Information Theory, ISIT 2016, Barcelona, Spain, July 10–15, 2016, pp. 101–104. IEEE (2016).
Hill R., Newton D.E.: Optimal ternary linear codes. Des. Codes Cryptogr. 2(2), 137–157 (1992).
Hong D., Lee J.-K., Kim D.-C., Kwon D., Ryu K.H., Lee D.: LEA: a 128-bit block cipher for fast encryption on common processors. In: Kim Y., Lee H., Perrig A. (eds.) Information Security Applications—14th International Workshop, WISA 2013, Jeju Island, Korea, August 19–21, 2013, Revised Selected Papers. Lecture Notes in Computer Science, vol. 8267, pp. 3–27. Springer, New York (2013).
Hong D., Sung J., Hong S., Lim J., Lee S., Koo B., Lee C., Chang D., Lee J., Jeong K., Kim H., Kim J., Chee S.: HIGHT: A new block cipher suitable for low-resource device. In: Goubin L., Matsui M. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2006, 8th International Workshop, Yokohama, Japan, October 10–13, 2006, Proceedings. Lecture Notes in Computer Science, , vol. 4249, pp. 46–59. Springer, New York (2006).
Kölbl S.: CryptoSMT: an easy to use tool for cryptanalysis of symmetric primitives. https://github.com/kste/cryptosmt.
Leander G., Abdelraheem M.A., AlKhzaimi H., Zenner E.: A cryptanalysis of printcipher: the invariant subspace attack. In: Rogaway P. (ed.) Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2011. Proceedings. Lecture Notes in Computer Science, vol. 6841, pp. 206–221. Springer, New York (2011).
Lidl R., Niederreiter H.: Introduction to Finite Fields and Their Applications. Cambridge University Press, revised edition (1994).
MacWilliams F.J., Sloane N.J.A.: The Theory of Error-Correcting Codes, 2nd edn. North-holland Publishing Company, Amsterdam (1978).
Matsui M.: Linear cryptoanalysis method for DES cipher. In: Helleseth T. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, New York (1993).
Matsui M.: The first experimental cryptanalysis of the Data Encryption Standard. In: Desmedt Y. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 839, pp. 1–11. Springer, New York (1994).
Mella S., Daemen J., Van Assche G.: New techniques for trail bounds and application to differential trails in keccak. IACR Trans. Symmetric Cryptol. 2017(1), 329–357 (2017).
Morrison K.E.: Random maps and permutations. Technical report, California Polytechnic State University, San Luis Obispo (1998).
Ness G.J., Helleseth T.: A new family of ternary almost perfect nonlinear mappings. IEEE Trans. Inf. Theory 53(7), 2581–2586 (2007).
Rijmen V.: Cryptanalysis and design of iterated block ciphers. PhD thesis, Katholieke Universiteit Leuven, Leuven, Belgium (1997).
Shibutani K., Isobe T., Hiwatari H., Mitsuda A., Akishita T., Shirai T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel B., Takagi T. (eds.) CHES. Lecture Notes in Computer Science, vol. 6917, pp. 342–357. Springer, New York (2011).
Shirai T., Shibutani K., Akishita T., Moriai S., Iwata T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov A. (ed.) FSE. Lecture Notes in Computer Science, vol. 4593, pp. 181–195. Springer, New York (2007).
Stoffelen K., Daemen J.: Column parity mixers. IACR Trans. Symmetric Cryptol. 2018(1), 126–159 (2018).
Todo Y., Leander G., Sasaki Y.: Nonlinear invariant attack—practical attack on full scream, iscream, and midori64. In: Cheon J.H., Takagi T. (eds.) Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10032, pp. 3–33 (2016).
Wei Y., Ye T., Wu W., Pasalic E.: Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Transactions on Symmetric Cryptology, 2018(4), to appear (2019).
Zhou Z.: Three-weight ternary linear codes from a family of cyclic difference sets. Des. Codes Cryptogr. 86(11), 2513–2523 (2018).
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by L. Knudsen.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Kölbl, S., Tischhauser, E., Derbez, P. et al. Troika: a ternary cryptographic hash function. Des. Codes Cryptogr. 88, 91–117 (2020). https://doi.org/10.1007/s10623-019-00673-2
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-019-00673-2