[Ketje contest] Cryptanalysis of Keje Jr

[Rotella Yann]

Dear Ketje Team and all,

In response to “The Ketje cryptanalysis contest”: https://keccak.team/ketje_contest.html, we give a state-recovery attack on Ketje Jr, using 3 or 4 consecutive outputs, where we consider an augmented rate of 40 bits and 32 bits.

We focus on weaker versions of Ketje Jr by considering rates of 32 bits or 40 bits (instead of 16 bits). With those rates, Ketje Jr is vulnerable to divide-and-conquer attacks with time complexities 2^71.5 for the original version and 2^82.3 for the current tweaked version, both with a key of 96 bits.

Hence, this cryptanalysis does not threat the security of Ketje Jr instanciated with the parameters of the authors, but provides new non-trivial limit on the rate we can output.

Best Regards,

Thomas Fuhr, ANSSI, France

Maria Naya-Plasencia, Inria de Paris, France

Yann Rotella, Inria de Paris, France