Abstract
Cube attacks are an important type of key recovery attacks against stream ciphers. In particular, they are shown to be powerful against Trivium-like ciphers. Traditional cube attacks are experimental attacks which could only exploit cubes of size less than 40. At CRYPTO 2017, division property based cube attacks were proposed by Todo et al., and an advantage of introducing the division property to cube attacks is that large cube sizes which are beyond the experimental range could be explored, and so powerful theoretical attacks were mounted on many lightweight stream ciphers.In this paper, we revisit the division property based cube attacks. There is an important assumption, called Weak Assumption, proposed in division property based cube attacks to support the effectiveness of key recovery. Todo et al. in CRYPTO 2017 said that the Weak Assumption was expected to hold for theoretically recovered superpolies of Trivium according to some experimental results on small cubes. In this paper, it is shown that the Weak Assumption often fails in cube attacks against Trivium, and moreover a new method to recover the exact superpoly of a given cube is developed based on the bit-based division property. With our method, for the cube I proposed by Todo et al. at CRYPTO 2017 to attack the 832-round Trivium, we recover its superpoly pI(x, v) = v68v78 · (x58⊕v70) · (x59x60⊕x34⊕x61). Furthermore, we prove that some best key recovery results given at CRYPTO 2018 on Trivium are actually distinguishing attacks. Hopefully this paper gives some new insights on accurately recovering the superpolies with the bit-based division property and also attract some attention on the validity of division property based cube attacks against stream ciphers.
Highlights
The cube attack is a powerful cryptanalytic technique against stream ciphers proposed by Dinur and Shamir at Eurocrypt 2009 in [DS09]
We propose a new method to recover the superpoly pI (x, v) of a cube indexed by a set I in the output bit function z(x, v) of a cipher based on the mixed integer linear programming (MILP)-aided division property
MILP has been applied to search characteristics in many cryptanalysis techniques such as differential cryptanalysis [SHW+14, SS14], impossible differential cryptanalysis [ST17] and integral cryptanalysis based on the division property [XZBL16]
Summary
The cube attack is a powerful cryptanalytic technique against stream ciphers proposed by Dinur and Shamir at Eurocrypt 2009 in [DS09]. In [TIHM17], by introducing the bit-based division property into cube attacks, Todo et al could exploit large cube sizes and theoretically evaluate the security of a stream cipher against cube attacks. Later in [WHT+18], the authors introduced several techniques to improve the division property based cube attacks proposed in [TIHM17]. Their techniques focused on finding proper assignments of noncube variables faster and reducing the complexity of recovering the superpoly. It was shown in [WHT+18] that the superpoly of a given 78-dimensional cube was dependent on at most one key variable for the 839-round Trivium. In [LYWL18], a correlation cube attack was applied to the 835-round Trivium which could recover about 5-bit key information with time complexity 244, using 245 keystream bits and preprocessing time 251
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
