Preimage Attacks on Xoodyak and Gaston Based on Algebraic Strategies
IEEE Internet of Things Journal (IF 8.2), Pub Date: 6-28-2024, DOI: 10.1109/jiot.2024.3420177
Qinggan Fu 1, Yin Lv 2, Zhiquan Liu 1, Yingying Li 1, Ling Song 1, Jian Weng 1

As the Internet of Things (IoT) continues to grow, the urgency to bolster IoT device security escalates, particularly in evaluating the security of lightweight ciphers. Since the inception of Keccak (also known as SHA-3), embedding a permutation within a certain operational mode has become a pivotal approach in designing lightweight cryptography. This led to numerous permutation-based lightweight ciphers tailored for IoT applications. Among them, Xoodyak and Gaston are typical examples and even incorporate Keccak’s non-linear operation χ within their round functions. This paper focuses on assessing the security of Keccak-like lightweight hash functions against preimage attacks. We introduce a generic preimage attack framework from an algebraic perspective and propose a new linearization method that leverages the algebraic properties of χ in the permutation. Additionally, in order to find good guessing strategies, we develop automatic tools based on bit-level MILP on Xoodyak and Gaston. As a result, the complexity of finding a preimage for 2-round Xoodyak-XOF with a 128-bit digest is $2^{94.66}$ while that for 3-round Xoodyak-XOF can be reduced from $2^{125.06}$ to $2^{123.91}$ and memory consumption from $2^{97}$ to a negligible level. This marks the most efficient preimage attack against a 3-round Xoodyak-XOF to date. Furthermore, we present the first preimage attacks on 1-/2-round Gaston with complexities of $2^{90.56}$ and $2^{122.15}$, respectively.

Updated: 2024-08-22