Troika: a ternary cryptographic hash function


Linear codes over finite fields are one of the most well-studied areas in coding theory. While codes over finite fields of characteristic two are of particular practical interest due to their good implementation properties, ternary codes have been extensively studied as well. By contrast, there has been essentially no research into ternary cryptographic algorithms. The only exception to date is a cryptocurrency and distributed ledger technology called IOTA which is ternary and has been designed primarily for use in the Internet of Things. Its security depends on using a secure cryptographic hash function over 𝔽3. With all existing hash designs being binary, a ternary prototype called Curl-P had been developed, however was found to admit practical collision attacks. A ternary adaption of SHA-3 called Kerl is currently used instead, but comparatively inefficient. In this paper, we propose a new ternary hash function called Troika which is tailored for use in IOTA’s ternary distributed ledger and can be used as a drop-in replacement for Kerl. The design of Troika leverages elements from the well-established Keccak and Rijndael design philosophies, while being designed for efficiency in terms of basic 𝔽3 operations. In particular, it features a novel 3-trit S-box which is differentially 3-uniform while being implementable in only 7 additions and multiplications over 𝔽3. Troika is designed to offer a security level comparable to SHA-3. It is expected that Troika, as part of IOTA’s distributed ledger, will find widespread commercial real-world use in the near- to mid-term future. We believe that not the least due to its unorthodox ternary design, it will provide both a practically relevant and interesting target for further cryptanalysis.

Stefan Kölbl
Information Security Engineer

Security engineer with extensive background in cryptography.