Abstract

Cube attacks are an important type of key recovery attack against stream ciphers. In particular, they have been shown to be powerful against Trivium-like ciphers. Traditional cube attacks are experimental attacks which could only exploit cubes of size less than 40. At CRYPTO 2017, division property based cube attacks were proposed by Todo et al.; an advantage of introducing the division property into cube attacks is that large cube sizes beyond the experimental range can be explored, and so powerful theoretical attacks were mounted on many lightweight stream ciphers. In this paper, we revisit the division property based cube attacks. There is an important assumption, called the Weak Assumption, proposed in division property based cube attacks to support the effectiveness of key recovery. Todo et al. at CRYPTO 2017 stated that the Weak Assumption was expected to hold for theoretically recovered superpolies of Trivium, based on experimental results on small cubes. In this paper, it is shown that the Weak Assumption often fails in cube attacks against Trivium, and moreover a new method to recover the exact superpoly of a given cube is developed based on the bit-based division property. With our method, for the cube I proposed by Todo et al. at CRYPTO 2017 to attack the 832-round Trivium, we recover its superpoly p_I(x, v) = v_68 v_78 · (x_58 ⊕ v_70) · (x_59 x_60 ⊕ x_34 ⊕ x_61). Furthermore, we prove that some of the best key recovery results given at CRYPTO 2018 on Trivium are actually distinguishing attacks. Hopefully this paper gives some new insights on accurately recovering superpolies with the bit-based division property and also attracts some attention to the validity of division property based cube attacks against stream ciphers.
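The abstract relies on two things a reader may want to see concretely: how a cube sum isolates the superpoly p_I(x, v) of the cube I from the output polynomial, and why the recovered superpoly above can fail the Weak Assumption. The following is an added example written for this page, not code from the paper. The toy polynomial toy_f and the helper names (cube_sum, iv_with, superpoly_key_dependence) are constructed for illustration; trivium_832_superpoly is a direct transcription of the formula p_I(x, v) = v_68 v_78 · (x_58 ⊕ v_70) · (x_59 x_60 ⊕ x_34 ⊕ x_61) quoted in the abstract, with x the 80-bit key and v the 80-bit IV indexed from 0.

```python
# Added example (not from the paper): cube sums, superpolies and the
# key-dependence check behind the Weak Assumption discussed in the abstract.
from itertools import product

KEY_BITS = 80   # Trivium key length in bits
IV_BITS = 80    # Trivium IV length in bits


def cube_sum(f, cube, x, v_fixed):
    """Sum f(x, v) over all 2^|cube| assignments of the cube variables v_i, i in cube.

    f      : Boolean function f(x, v) -> 0/1, with x and v tuples of bits.
    cube   : indices I of the IV bits that form the cube.
    x      : fixed key bits.
    v_fixed: IV bits; positions listed in `cube` are overwritten by the enumeration.
    The result is the superpoly p_I(x, v) evaluated at the fixed non-cube bits.
    """
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(v_fixed)
        for i, b in zip(cube, bits):
            v[i] = b
        total ^= f(x, tuple(v))
    return total


# --- Toy polynomial (constructed for illustration) -------------------------
# f(x, v) = v0 v1 (x0 + x1 x2) + v0 x3 + v1 v2 + x1   over GF(2)
# With I = {0, 1}, t_I = v0 v1 and the superpoly is p_I = x0 + x1 x2;
# every other monomial misses at least one cube variable and cancels in the sum.
def toy_f(x, v):
    return (v[0] & v[1] & (x[0] ^ (x[1] & x[2]))) ^ (v[0] & x[3]) ^ (v[1] & v[2]) ^ x[1]


def toy_superpoly(x):
    return x[0] ^ (x[1] & x[2])


def toy_cube_matches_superpoly():
    """Check cube_sum(toy_f) == toy_superpoly for every key and every non-cube IV bit."""
    for x in product((0, 1), repeat=4):
        for v2 in (0, 1):
            if cube_sum(toy_f, [0, 1], x, (0, 0, v2)) != toy_superpoly(x):
                return False
    return True


# --- The superpoly recovered in the paper for the 832-round Trivium cube ----
# p_I(x, v) = v68 v78 (x58 + v70)(x59 x60 + x34 + x61)
def trivium_832_superpoly(x, v):
    return v[68] & v[78] & (x[58] ^ v[70]) & ((x[59] & x[60]) ^ x[34] ^ x[61])


KEY_IDX = (34, 58, 59, 60, 61)   # the only key bits p_I depends on


def superpoly_key_dependence(v):
    """Return how many of the 32 relevant key patterns make p_I evaluate to 1.

    0 or 32 means p_I is constant under this non-cube IV assignment: the cube sum
    then reveals nothing about the key and only distinguishes the cipher from
    random, which is the failure of the Weak Assumption the abstract describes.
    """
    ones = 0
    for bits in product((0, 1), repeat=len(KEY_IDX)):
        x = [0] * KEY_BITS
        for i, b in zip(KEY_IDX, bits):
            x[i] = b
        ones += trivium_832_superpoly(x, v)
    return ones


def iv_with(**assignments):
    """All-zero 80-bit IV with the given v<index>=bit assignments, e.g. iv_with(v68=1)."""
    v = [0] * IV_BITS
    for name, bit in assignments.items():
        v[int(name[1:])] = bit
    return tuple(v)


if __name__ == "__main__":
    print("toy cube sum equals superpoly:", toy_cube_matches_superpoly())
    print("v68=v78=0 -> ones:", superpoly_key_dependence(iv_with(v68=0, v78=0)))  # 0: constant
    print("v68=v78=1 -> ones:", superpoly_key_dependence(iv_with(v68=1, v78=1)))  # 8: key-dependent
```

The practical check is the last two lines: whenever the non-cube IV bits v_68 or v_78 are fixed to 0, the recovered superpoly is identically zero for every key, so the 2^|I| cube summations yield a constant and no key bit is learned. Only with v_68 = v_78 = 1 does the cube sum equal (x_58 ⊕ v_70)·(x_59 x_60 ⊕ x_34 ⊕ x_61), a nonlinear but key-dependent equation; the count of 8 out of 32 shows it is a heavily biased bit, so even then it filters only a fraction of key candidates rather than recovering a key bit outright.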

Highlights

  • The cube attack is a powerful cryptanalytic technique against stream ciphers proposed by Dinur and Shamir at Eurocrypt 2009 in [DS09]

  • We propose a new method to recover the superpoly p_I(x, v) of a cube indexed by a set I in the output bit function z(x, v) of a cipher based on the mixed integer linear programming (MILP)-aided division property

  • MILP has been applied to search characteristics in many cryptanalysis techniques such as differential cryptanalysis [SHW+14, SS14], impossible differential cryptanalysis [ST17] and integral cryptanalysis based on the division property [XZBL16]


Summary

Introduction

The cube attack is a powerful cryptanalytic technique against stream ciphers proposed by Dinur and Shamir at Eurocrypt 2009 in [DS09]. In [TIHM17], by introducing the bit-based division property into cube attacks, Todo et al. could exploit large cube sizes and theoretically evaluate the security of a stream cipher against cube attacks. Later in [WHT+18], the authors introduced several techniques to improve the division property based cube attacks proposed in [TIHM17]. Their techniques focused on finding proper assignments of non-cube variables faster and on reducing the complexity of recovering the superpoly. It was shown in [WHT+18] that the superpoly of a given 78-dimensional cube depends on at most one key variable for the 839-round Trivium. In [LYWL18], a correlation cube attack was applied to the 835-round Trivium which could recover about 5 bits of key information with time complexity 2^44, using 2^45 keystream bits and preprocessing time 2^51.

Motivations
Our Contributions
Organization
Mixed Integer Linear Programming
Cube Attacks
The Bit-Based Division Property
Cube Attacks Combining with the Bit-based Division Property
Towards Recovering the Superpoly
Two Useful Lemmas
A New Method to Recover Superpolies
Experimental Results
Specification of Trivium
Discarding Terms with Degree Evaluation Methods
The Concrete Attacking Algorithm for Trivium
Experimental Verification
Key Recovery Attacks on Trivium
Conclusion
A The Technique of Removing Invalid Division Trails and Its Error
B Expressing the Polynomial on Earlier Internal state Variables
