Dear Ketje Team and all,
In response to “The Ketje cryptanalysis contest”:
https://keccak.team/ketje_contest.html,
we give a state-recovery attack on Ketje Jr, using 3 or 4 consecutive
outputs, where we consider an augmented rate of 40 bits and 32 bits.
We focus on weaker versions of Ketje Jr by considering rates of 32 bits or 40 bits (instead of 16 bits). With those rates, Ketje Jr is vulnerable to divide-and-conquer attacks with time complexities 2^71.5 for the original version and 2^82.3 for
the current tweaked version, both with a key of 96 bits.
Hence, this cryptanalysis does not threat the security of Ketje Jr instanciated with the parameters of the authors, but provides new non-trivial limit on the rate we can output.
Best Regards,
Thomas Fuhr, ANSSI, France
Maria Naya-Plasencia, Inria de Paris, France
Yann Rotella, Inria de Paris, France