Abstract

The cube attack is an important technique for the cryptanalysis of symmetric-key primitives, especially stream ciphers. Aiming at recovering some secret key bits, the adversary reconstructs a superpoly in which secret key bits are involved, by summing the output over a set of plaintexts/IVs called a cube. The traditional cube attack only exploits linear or quadratic superpolies. Moreover, for a long time after its proposal, the size of the cubes was largely confined to an experimental range, e.g., typically 40. These limits were first overcome by the division property based cube attacks proposed by Todo et al. at CRYPTO 2017. Based on the MILP-modelled division property, for a cube (index set) I, they identify the small (index) subset J of the secret key bits involved in the resultant superpoly. During the precomputation phase, which dominates the complexity of the cube attack, \(2^{|I|+|J|}\) encryptions are required to recover the superpoly. Therefore, their attacks are only applicable when the restriction \(|I|+|J|<n\) is met, where \(n\) is the number of secret key bits.

Highlights

  • Cube attack, proposed by Dinur and Shamir [1] in 2009, is one of the general cryptanalytic techniques of analyzing symmetric-key cryptosystems

  • We propose the “flag” technique to enhance the preciseness of mixed integer linear programming (MILP) models so that the proper non-cube IV assignments can be identified to obtain a non-constant superpoly.

© International Association for Cryptologic Research 2018

  • The operations on 0-1 vector sets are transformed to imposing division property values (0 or 1) to MILP variables, and the corresponding integral characteristics are acquired by solving the models with MILP solvers like Gurobi [17]


Summary

Introduction

Cube attack, proposed by Dinur and Shamir [1] in 2009, is one of the general cryptanalytic techniques for analyzing symmetric-key cryptosystems. With the help of the MILP-aided division property, Todo et al. can identify the key variables that are excluded from the superpoly and explore cubes of larger size, e.g., 72 for 832-round Trivium, which improves on the traditional cube attack. In the MILP modelling of the division property, operations on sets of 0-1 vectors are transformed into imposing division property values (0 or 1) on MILP variables, and the corresponding integral characteristics are obtained by solving the models with MILP solvers such as Gurobi [17]. With this method, integral characteristics can be given for block ciphers with block sizes much larger than 32 bits. The correlation cube attack is based on the numeric mapping technique, which first appeared in [23] and was originally used for constructing zero-sum distinguishers.
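The two phases described in the abstract and the introduction (offline superpoly recovery at a cost of \(2^{|I|+|J|}\) evaluations once \(J\) is known, then an online cube summation with the real key), together with the point behind the flag technique (the same cube can yield a constant or a non-constant superpoly depending on how the non-cube IV bits are fixed), can be run end to end on a toy function. The following Python is an added example, not code from the paper or from any of the ciphers it attacks. The output function `toy_f`, the cube \(I=\{v_0,v_1\}\) and the key subset \(J=\{k_0,k_1\}\) are all constructed for illustration; in particular, \(J\) is simply assumed here, whereas the paper derives it from the division property MILP model, and the right non-cube IV assignment is found by trying both values of \(v_2\) rather than by the flag technique.

```python
from itertools import product

# Constructed toy output bit f(k, v) over GF(2): 4 key bits k[0..3] and
# 4 IV bits v[0..3]. Not a real primitive. It is built so that the cube
# I = {v0, v1} has superpoly  p = 1 + v2*(k0 + k1):  constant when the
# non-cube IV bit v2 is fixed to 0, non-constant when v2 is fixed to 1.
N_KEY = 4
N_IV = 4

def toy_f(k, v):
    return ((v[0] & v[1] & v[2] & (k[0] ^ k[1]))
            ^ (v[0] & v[1])
            ^ (v[0] & k[3])
            ^ (v[1] & v[3] & k[2])
            ^ (k[0] & k[1] & v[2])
            ^ (v[2] & v[3] & k[3]))

def cube_sum(f, key, cube, iv_const):
    """XOR of f over all 2^|I| assignments to the cube bits; every other
    IV bit keeps its value from iv_const. This evaluates the superpoly at key."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        iv = list(iv_const)
        for idx, b in zip(cube, bits):
            iv[idx] = b
        acc ^= f(key, iv)
    return acc

def recover_superpoly(f, cube, J, iv_const):
    """Offline phase: truth table of the superpoly as a function of the key
    bits in J (key bits outside J fixed to 0). J is assumed known here; the
    paper obtains it from the division property MILP model.
    Returns (truth_table, number_of_f_evaluations); the count is 2^(|I|+|J|)."""
    calls = 0
    def counted(k, v):
        nonlocal calls
        calls += 1
        return f(k, v)
    table = []
    for x in range(1 << len(J)):
        key = [0] * N_KEY
        for i, idx in enumerate(J):
            key[idx] = (x >> i) & 1
        table.append(cube_sum(counted, key, cube, iv_const))
    return table, calls

def truth_table_to_anf(table, J):
    """Moebius transform: truth table over |J| variables -> set of monomials,
    each monomial a tuple of key indices (the empty tuple is the constant 1)."""
    m = len(J)
    c = list(table)
    for i in range(m):
        for x in range(1 << m):
            if x & (1 << i):
                c[x] ^= c[x ^ (1 << i)]
    return frozenset(tuple(J[i] for i in range(m) if (x >> i) & 1)
                     for x in range(1 << m) if c[x])

def is_constant(monomials):
    """A superpoly with no monomial of positive degree leaks no key bit."""
    return monomials <= {()}

def online_phase(f, secret_key, cube, iv_const):
    """Online phase: 2^|I| queries under the real key return one bit, the
    superpoly evaluated at the secret key, i.e. one equation in key bits."""
    return cube_sum(f, secret_key, cube, iv_const)

def demo():
    """Recover the superpoly of cube {v0, v1} for both choices of the
    non-cube bit v2 (v3 fixed to 0). Returns {v2: (anf, evaluations)}."""
    cube, J = [0, 1], [0, 1]
    results = {}
    for v2 in (0, 1):
        table, n_eval = recover_superpoly(toy_f, cube, J, [0, 0, v2, 0])
        results[v2] = (truth_table_to_anf(table, J), n_eval)
    return results

if __name__ == "__main__":
    for v2, (p, n_eval) in demo().items():
        print(f"v2={v2}: superpoly monomials {sorted(p)} after {n_eval} "
              f"evaluations, constant={is_constant(p)}")
    # With v2=1 the recovered superpoly is 1 + k0 + k1, so a single cube
    # sum under the secret key gives k0 ^ k1 directly.
    secret = [1, 0, 1, 1]
    print("k0 ^ k1 =", online_phase(toy_f, secret, [0, 1], [0, 0, 1, 0]) ^ 1)
```

With \(v_2=0\) the recovered superpoly is the constant 1 and the cube is useless; with \(v_2=1\) it is \(1+k_0+k_1\), and the online phase yields one linear equation in the key. The evaluation counter returns 16 in both cases, which is \(2^{|I|+|J|}\) for \(|I|=|J|=2\); on a real cipher this is the term that the restriction \(|I|+|J|<n\) in the abstract bounds.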

Motivations
Our Contributions
Mixed Integer Linear Programming
Cube Attack
Bit-Based Division Property and Its MILP Representation
The Bit-Based Division Property for Cube Attack
Online Phase
Modeling the Constant Bits to Improve the Preciseness of the MILP Model
Upper Bounding the Degree of the Superpoly
Applications of Flag Technique and Degree Evaluation
Specification of Trivium
MILP Model of Trivium
Experimental Verification
Theoretical Results
Lower Complexity with Term Enumeration
Application to Trivium
Applications to Kreyvium
Applications to ACORN
A Clique View of the Superpoly Recovery
Conclusion