Abstract

Cube attack was proposed by Dinur and Shamir, and it has become an important tool for analyzing stream ciphers. Since the problem of how to recover superpolys accurately was resolved by Hao et al. in EUROCRYPT 2020, another important problem is how to find “good” superpolys, which is equivalent to finding “good” cubes. However, there are two difficulties in finding “good” cubes. Firstly, the number of candidate cubes is enormous and most of the cubes are not “good”. Secondly, it is costly to evaluate whether a cube is “good”.

In this paper, we present a new algorithm to search for a kind of “good” cube, called valuable cubes. A cube is called valuable if its superpoly has (at least) one balanced secret variable. A valuable cube is “good” because its superpoly brings in 1 bit of information about the key. More importantly, the superpolys of valuable cubes can be used in both theoretical and practical analyses. To search for valuable cubes, instead of testing a set of cubes one by one, the new algorithm deals with the set of cubes together, so that the common computations are done only once for all candidate cubes and duplicated computations are avoided. Besides, the new algorithm uses a heuristic method to reject useless cubes efficiently. This heuristic method is based on the divide-and-conquer strategy as well as an observation.

For verification of this new algorithm, we applied it to Trivium and Kreyvium and obtained three improvements. Firstly, we found two valuable cubes for 843-round Trivium, such that we proposed, as far as we know, the first theoretical key-recovery attack against 843-round Trivium, while the previous highest round of Trivium that could be attacked was 842, given by Hao et al. in EUROCRYPT 2020. Secondly, by finding many small valuable cubes, we presented practical attacks against 806- and 808-round Trivium for the first time, while the previous highest round of Trivium that could be attacked practically was 805. Thirdly, based on the cube used to attack 892-round Kreyvium in EUROCRYPT 2020, we found more valuable cubes and extended the key-recovery attacks against Kreyvium to 893 rounds.

Highlights

  • Cube Attack: Dinur and Shamir proposed cube attack in EUROCRYPT 2009 [DS09], and the cube attack has been successfully used to attack various stream ciphers [ADMS09, DS11, FV14, DMP+15, SBD+16]

  • We found 29 new valuable cubes, which are all from the subsets of Sa

  • As evidence for Observation 2, we studied the probabilities of the monomials obtained when recovering the superpolys of 841- and 842-round Trivium


Summary

Introduction

Cube Attack: Dinur and Shamir proposed the cube attack in EUROCRYPT 2009 [DS09], and it has been successfully used to attack various stream ciphers [ADMS09, DS11, FV14, DMP+15, SBD+16]. With the help of the Mixed Integer Linear Programming (MILP) approach, the cube attack is able to attack stream ciphers using large cubes. Todo et al. proposed the division property in [Tod, TM16], and by combining it with the cube attack, they were able to significantly improve the attacks against Trivium, Grain128a and ACORN in [TIHM17]. The cube attack utilizes a large amount of data to build special relations between. Instead of using a single value of v, the cube attack takes advantage of an enormous number of values. By summing the values of f(k, v) over all values in the cube, the sum yields a relation among the secret variables. This relation is called the superpoly of the cube, and it is much simpler than f(k, v). Some information about the secret variables can be achieved
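The following Python is an added example, not code from the paper, illustrating the superpoly and valuable-cube notions used in the abstract and the introduction above: it sums a toy output polynomial f(k, v) over a cube, recovers the superpoly's algebraic normal form, and checks for a balanced secret variable. The polynomial f is constructed for illustration (it is not any real cipher), and "balanced secret variable" is assumed here to mean a key variable whose derivative of the superpoly is the constant 1, i.e. the variable appears only as a linear term.

```python
from itertools import product

N_KEY, N_IV = 4, 3  # toy sizes: k = (k0..k3) secret, v = (v0..v2) public


def f(k, v):
    """Constructed toy output bit over GF(2); stands in for a cipher's f(k, v)."""
    return ((v[0] & v[1] & (k[0] ^ (k[1] & k[2])))
            ^ (v[0] & k[1]) ^ (v[1] & k[2] & k[3])
            ^ (v[2] & k[0] & k[1] & k[2]) ^ (k[0] & k[3]) ^ 1)


def superpoly_value(f, cube, k, n_iv=N_IV):
    """Sum f(k, v) over all 2^|cube| assignments of the cube variables.
    Non-cube public variables are fixed to 0, so terms lacking the full
    cube monomial appear an even number of times and cancel."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * n_iv
        for idx, b in zip(cube, bits):
            v[idx] = b
        acc ^= f(k, v)
    return acc


def superpoly_truth_table(f, cube, n_key=N_KEY):
    """Truth table of the superpoly p_I(k), keyed by the key bits as a tuple."""
    return {k: superpoly_value(f, cube, k) for k in product((0, 1), repeat=n_key)}


def superpoly_anf(table, n_key=N_KEY):
    """Algebraic normal form via the Moebius transform: the set of monomials
    (tuples of key-variable indices) whose coefficient is 1."""
    keys = list(product((0, 1), repeat=n_key))   # keys[idx] <-> idx in binary
    coeffs = [table[k] for k in keys]
    for j in range(n_key):
        for i in range(1 << n_key):
            if i & (1 << j):
                coeffs[i] ^= coeffs[i ^ (1 << j)]
    return {tuple(i for i, bit in enumerate(keys[idx]) if bit)
            for idx, c in enumerate(coeffs) if c}


def balanced_variables(table, n_key=N_KEY):
    """Key variables k_i with p(k) ^ p(k with bit i flipped) == 1 for every k
    (assumed meaning of 'balanced': k_i occurs only linearly in p)."""
    return [i for i in range(n_key)
            if all(table[k] ^ table[k[:i] + (k[i] ^ 1,) + k[i + 1:]] == 1
                   for k in table)]


def is_valuable(f, cube):
    """A cube is valuable if its superpoly has at least one balanced variable."""
    return bool(balanced_variables(superpoly_truth_table(f, cube)))
```

For cube {v0, v1} the superpoly is k0 + k1k2, so k0 is balanced and the cube is valuable; cube {v1} gives k2k3 (non-constant but no balanced variable) and cube {v0, v2} gives the zero superpoly, so neither is valuable.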
