
New Lightweight Trinary Cryptographic Hash Function

Continuing with this great series of announcements with which IOTA keeps surprising us, the most amazing was Troika. We are witnessing how the IOTA Foundation is working to perfect this protocol, which, if everything goes well, we will see implemented in every device connected to the Internet of Things in just a couple of years.

Gabriela Jara
Content Coordinator & Writer
IOTA Hispano



But what am I talking about?

The IOTA Foundation and CYBERCRYPT have been working together since November 2017, and a couple of days ago they gave us this great news: they announced the implementation of the new hash function Troika, developed by cryptographic experts. The IOTA Foundation commissioned CYBERCRYPT to develop a secure hash function for IOTA’s trinary architecture and platform. This hash function, named Troika, was developed by CYBERCRYPT’s expert cryptographers and will lay a strong cryptographic basis for the final IOTA protocol.

“The IOTA Foundation is honored and excited to be collaborating with CYBERCRYPT, to ensure we achieve world-leading security for the IOTA protocol. We hope that this competition will bring the cryptographic community together on solving security in the Internet-of-Things,” 
David Sønstebø, Co-Founder and Co-chair of IOTA Foundation.

Currently IOTA uses the relatively hardware-intensive NIST standard SHA-3/Keccak for crucial operations, for maximal security. Troika could enable more efficiency, which will be central in the IoT world.

For communication between devices to be effective in the IoT era, each connected device must work with a specific amount of energy, especially the smaller ones, which are limited by their energy restrictions and have limited capabilities. In recent years, companies in the IoT field have been continuously searching for new strategies to improve the computational performance of devices, given that Moore’s law would be coming to an end.

What does Moore’s Law say? In 1965, Intel co-founder Gordon Moore stated that the technology had a future: the number of transistors per unit area of integrated circuits doubled every year, and the trend would continue for the next 20 years from that statement. In 1975 he modified his own law, stating that the pace would slow down and that the doubling would occur not every year but approximately every 2 years. This exponential progression, the doubling of the capacity of integrated circuits, is what is called Moore’s Law. However, in 2005 Moore said that his law would cease to hold in about 15 years from that date and that a new technology would come to replace the current one.

Why Ternary

The first modern, electronic ternary computer Setun was built in 1958 in the Soviet Union at the Moscow State University by Nikolay Brusentsov, and it had notable advantages over the binary computers which eventually replaced it, such as lower electricity consumption and lower production cost.

We have seen that with the introduction of trinary-based hardware, trinary algorithms will run more efficiently, leading to a significant reduction in calculation and energy consumption. These energy gains underlie the choice of trinary architecture in the IOTA protocol. Since the origin of the IOTA vision back in 2014, a diverse group of electrical engineers, cryptographers and distributed ledger pioneers has been tackling the hardware side with new thinking in computational processing. A next generation of microprocessor architecture based on ternary logic for ultimate efficiency in IoT is the result.

So, What is TROIKA?

IOTA has developed a novel public distributed ledger technology based on a directed acyclic graph (DAG), called the Tangle, which is scalable, lightweight, without any fees and provides a consensus in a decentralized peer-to-peer system. These features make IOTA and its Tangle perfect for nanopayments and the Machine-to-Machine Economy.
The security of the core components in this system relies on the security of a cryptographic hash function and it is therefore crucial that this hash function fulfills the security requirements to ensure the validity of the transactions on the Tangle.

Troika is a cryptographic hash function, designed by CYBERCRYPT, that operates on ternary messages for use in IOTA’s distributed ledger technology.

“CYBERCRYPT is delighted to be a part of this ambitious large-scale project for public-ledger based digital payments. We are happy to support IOTA in their quest for the secure digital ecosystem in future IoT applications,”
Andrey Bogdanov, Founder of CYBERCRYPT A/S.

The main features of Troika are:
  1. Permutation designed for ternary platforms
  2. Sponge-based construction
  3. Output length of 243 trits
  4. Security level of 243 trits for (second) preimages, 243/2 trits for collisions
Troika has been designed to withstand all currently known cryptanalysis techniques and comes with the following security claims:
  1. Preimage resistance: 243 trits.
  2. Second-preimage resistance: 243 trits.
  3. Collision resistance: 121.5 trits.

The design rationale and a summary of the security analysis including differential and linear cryptanalysis, diffusion properties, meet-in-the-middle attacks, algebraic attacks and invariant attacks can be found in the reference document.

The design of TROIKA

Troika follows the sponge construction using a state of 729 trits with a rate r of 243 trits and capacity c of 486 trits.

A 729-trit permutation f is used to update the state using 24 rounds. The state is organized as a 9x3x27 cuboid of trits. For naming the different parts of the state we use the same convention as introduced by Keccak.

One round of the permutation updates the state using the following operations:

  • SubTrytes: Applies a 3-trit S-box on each tryte of the state.
  • ShiftRows: Rotates each row of the state by a constant value.
  • ShiftLanes: Rotates each lane of the state by a constant value.
  • AddColumnParity: Adds to each column the parity of two adjacent columns.
  • AddRoundConstant: Adds a round-dependent constant to the state.
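
The sponge and round structure described above, as an added Python sketch that is not CYBERCRYPT's reference code. The sizes (729/243/486 trits), the 24 rounds and the order of the five steps come from the article; the S-box, rotation offsets, round constants, padding rule and mod-3 absorb are constructed stand-ins, so the outputs are not Troika digests. The `rounds` parameter gives reduced-round variants of the kind the contest below targets.

```python
# Added illustration, not the Troika reference code. Sponge sizes, round count
# and step order follow the article; S-box, rotation offsets, round constants,
# padding rule and mod-3 absorb are constructed stand-ins (assumptions).
COLS, ROWS, SLICES = 9, 3, 27              # 9x3x27 cuboid of trits
STATE = COLS * ROWS * SLICES               # 729 trits
RATE, ROUNDS = 243, 24
CAPACITY = STATE - RATE                    # 486 trits
SBOX = [(7 * v + 5) % 27 for v in range(27)]   # stand-in bijection on one tryte
XYZ = [(x, y, z) for z in range(SLICES) for y in range(ROWS) for x in range(COLS)]

def idx(x, y, z):
    return (z * ROWS + y) * COLS + x

def toy_round(s, rnd):
    s = list(s)
    for i in range(0, STATE, 3):           # SubTrytes: S-box on each 3-trit tryte
        v = SBOX[s[i] + 3 * s[i + 1] + 9 * s[i + 2]]
        s[i:i + 3] = [v % 3, v // 3 % 3, v // 9]
    # ShiftRows: rotate each row along x; ShiftLanes: rotate each lane along z
    s = [s[idx((x - 3 * y) % COLS, y, z)] for x, y, z in XYZ]
    s = [s[idx(x, y, (z - 3 * x - y) % SLICES)] for x, y, z in XYZ]
    # AddColumnParity: add the parities (sum mod 3) of two adjacent columns
    par = {(x, z): sum(s[idx(x, y, z)] for y in range(ROWS)) % 3
           for x in range(COLS) for z in range(SLICES)}
    s = [(s[idx(x, y, z)] + par[(x - 1) % COLS, z]
          + par[(x + 1) % COLS, (z + 1) % SLICES]) % 3 for x, y, z in XYZ]
    for x in range(COLS):                  # AddRoundConstant (stand-in values)
        s[x] = (s[x] + rnd + x) % 3
    return s

def permute(state, rounds=ROUNDS):
    for rnd in range(rounds):
        state = toy_round(state, rnd)
    return state

def sponge_hash(msg, out_len=243, rounds=ROUNDS):
    padded = list(msg) + [1]               # pad: one 1 trit, then zeros
    padded += [0] * (-len(padded) % RATE)
    state = [0] * STATE                    # the capacity part is never written directly
    for off in range(0, len(padded), RATE):    # absorb one rate-sized block at a time
        for i in range(RATE):
            state[i] = (state[i] + padded[off + i]) % 3
        state = permute(state, rounds)
    out = []
    while len(out) < out_len:              # squeeze rate-sized chunks
        out += state[:RATE]
        if len(out) < out_len:
            state = permute(state, rounds)
    return out[:out_len]
```

Without the padding trit, a message and the same message followed by a 0 trit would fill the rate block identically and hash to the same value.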

Breaking Variants of TROIKA’s Hash Function

Cryptography allows the storage and transmission of encrypted data so that they can only be read or processed by the recipient, an integral part of IoT’s security. Developing a new cryptographic method is no easy task. This requires numerous time-consuming tests and peer review. CYBERCRYPT technologies are designed to make applications, data and assets immune to cyber attacks. This is also why CYBERCRYPT together with IOTA Foundation have launched a contest so that cryptanalysts can evaluate TROIKA to win up to a cumulative prize of 200,000 € for breaking the variants of TROIKA’s hash function.

“We are excited about this collaboration with IOTA and have used the latest design principles and our best people to develop this state-of-the-art hash function, coined Troika,”
Peter Jerry Sørensen, Chairman of CYBERCRYPT A/S.

The first person to find collisions for rounds 1 and 2 was Virginie Lallemand, who won 200€ for finding these first collisions. Many cryptographic algorithms (hash functions, symmetric encryption…) are organized as a sequence of “rounds”, which are more or less similar to each other. It has been empirically noticed that, for a given algorithm structure, more rounds usually imply more security; more precisely, some classes of attacks (e.g. differential and linear cryptanalysis) see their efficiency decrease more or less exponentially with the number of rounds.
When cryptographers don’t know how to break a complete algorithm, they try to break reduced versions of the same algorithm, with some features removed; in particular, fewer rounds, for algorithms which have rounds.


TROIKA Document