Troika is a recently proposed sponge-based hash function for IOTA's ternary architecture and platform, which is developed by CYBERCRYPT and is now used in IOTA's blockchain. In this paper, we introduce the preimage attack on 2/3 rounds of Troika with a divide-and-conquer approach. Firstly, we propose the equivalent conditions to determine whether a message is the preimage with an algebraic method. As a result, for the preimage attack on two-round Troika, we can search the preimage only in a valid smaller space and efficiently enumerate the messages which can satisfy most of the equivalent conditions with a guess-and-determine technique. Our experiments show that the time complexity of the preimage attack on 2-round Troika can be improved to 379 from 3243. For the preimage attack on 3-round Troika, the MILP-based method is applied to achieve the optimal time complexity, which is 327 times faster than brute force.

This paper investigates the security of KCipher-2 against differential attacks. We utilize an MILP-based method to evaluate the minimum number of active S-boxes in each round. We try to construct an accurate model to describe the 8-bit truncated difference propagation through the modular addition operation and the linear transformation of KCipher-2, respectively, which were omitted or simplified in the previous evaluation by Preneel et al. In our constructed model, the difference characteristics neglected in Preneel et al.'s evaluation can be taken into account and all valid differential characteristics can be covered. As a result, we reveal that the minimal number of active S-boxes is 25 over 15 rounds in the related IV setting and it is 17 over 24 rounds in the related IV-key setting. Therefore, this paper shows for the first time that KCipher-2 is secure against the related IV differential attack.