Troika – a ternary hash function

Overview

Troika is a cryptographic hash function operating on ternary messages for the use in IOTA’s distributed ledger technology designed by CYBERCRYPT. This page gives an overview of the design of Troika and provides material such as the reference document and implementation.

The main features of Troika are:

  • Permutation designed for ternary platforms
  • Sponge-based construction
  • Output length of 243 trits
  • Security level of 243 trits for (second) preimages, 243/2 trits for collisions

Be sure to check out the Troika cryptoanalysis competition sponsored by the IOTA Foundation.  A total of 200.000 EUR in prizes are awarded for breaking reduced-round variants of Troika.

Design

Troika follows the sponge construction using a state of 729 trits with a rate r of 243 trits and capacity c of 486 trits.

troika-overwritesponge-1 Troika - a ternary hash function

Figure: Overview of Troika’s sponge construction.

A 729-trit permutation f is used to update the state using 24 rounds. The state is organized as a 9x3x27 cuboid of trits. For naming different parts of the state we use the same convention as introduced by Keccak (see here).

parallelepiped-300x171 Troika - a ternary hash function

Figure: Illustration of the rate (red) and capacity (white) parts of the state of Troika.

One round of the permutation updates the state using the following operations:

  • SubTrytes: Applies a 3-trit S-box on each tryte of the state.
  • ShiftRows: Rotates each row of the state by a constant value.
  • ShiftLanes: Rotates each lane of the state by a constant value.
  • AddColumnParity: Adds to each column the parity of two adjacent columns.
  • AddRoundConstant: Adds a round-dependent constant to the state.

For a more detailed description of the individual steps we refer to the reference document.

Security

Troika has been designed to withstand all currently known cryptanalysis techniques and comes with the following security claims:

  • Preimage resistance: 243 trits.
  • Second-preimage resistance: 243 trits.
  • Collision resistance: 121.5 trits.

The design rationale and a summary of the security analysis including differential and linear cryptanalysis, diffusion properties, meet-in-the-middle attacks, algebraic attacks and invariant attacks can be found in the reference document.

This website uses cookies to improve your experience. See our Privacy Policy. By continuing to use this website you confirm your acceptance to these cookies.
Privacy Policy