1 Introduction

In modern cryptographic algorithms, security assumptions which follow the computational model are usually based on problems whose difficulty is provable.

Extensively used in many cryptographic applications, among the mathematical problems known to be difficult, a central question concerns how to find the solution to a system of polynomial equations. Solving large systems of multivariate polynomial equations reduces to a more general problem: how to represent in a “standard” way a (multivariable) polynomial ideal (see [23]).

The problem is simple if the degree of polynomials is one since essential algebraic tools (like Gaussian reduction) provide feasible resolution algorithms. However complexity rises quickly when degrees are higher than one; in fact, the problem becomes NP-complete also under basic assumptions, like quadratic equations in \({\mathbb {F}}_2\) only.

On the other hand, it is also true that any algorithm may be seen, extensionally, as a black box computing a boolean function. This is a fortiori true for cryptographic algorithms where outputs can be sketched as the bits generated by inputs evaluation regardless of the intrinsic structure of the algorithm itself. Moreover, under the coercion of domain and codomain having the algebraic structure of a finite field, such a representation of the algorithm can be built from the evaluation of enough points in the domain. This analysis paves the way for a wide variety of cryptanalysis techniques based on the reformulation of a cryptosystem as a polynomial function over \(\mathbb F_2\).

Many efforts were devoted in recent years to find efficient techniques to solve high-degree multivariate polynomial systems (see [71]). We annoverate Gröbner bases (see [5, 41, 70]) and linearisation techniques (see XL in [24] and XSL in [25]) as some of the most promising approaches actually fading after the same fate: Gröbner bases, in particular, despite being a very general and versatile solution, are unfeasible in many practical cases due to their computational cost.

Such failures led to the objective of finding useful algebraic relations between cryptographic schemes’ input and output as a research topic meagre in results for a number of years.

In 2009, however, everything changed as a novel approach introduced by Dinur and Shamir at Eurocrypt’09 brought nourishment to algebraic cryptanalysis research branch. In [31], the first paper of a long run, authors introduced the cube attack, a fresh technique employed to extract a linear system of equations from the polynomial specification of a given cryptosystem. In a few years, such a technique diversified to become a big family of attacks, consisting of many variants including property testers [7] and differential trails [112] amongst the others.

The newly born family was characterised by the just introduced concept of analysing a cypher as a black-box tweakable polynomial, a polynomial where some variables could be set at will during the attack; the target of the attack consists, in fact, in building multiple linear equations and collect them in a system that is easy-to-solve. We feel comfortable admitting that the valuable original idea here exploited is not the effort from the sole Dinur and Shamir. They surely have the merit of clearly pointing out crucial steps and making organised this technique in all its aspects; higher-order differential cryptanalysis mentioned by Lai [59] and Knudsen [58] in the 1990s probably contributed to its successful development, as well as Vielhaber’s AIDA (algebraic IV differential attacks) [104].

The scope of this paper is to give a wide view of the complex and entangled development of the cube attack family, by unravelling the various contributions and presenting them in a more cohesive view. The work is organised as a survey of the many concepts developed around the cube attack. Nevertheless, we work on all the examples of the application of the cube attack, to uniform to a common notation we introduced in [77].

In Sect. 2, we revise and extend our novel notation, already introduced in [77], and we revise the original cube attack applied on the binary field \(\mathbb F_2\). Then we extend it to a general finite field \({\mathbb {F}}_q\) and we provide some consideration on cube search.

Section 3 provides a summary of various techniques that fall in the macro-family of cube attacks, here divided into five main categories.

In Sect. 4, we revise the few attempts of implementing cube attack techniques, while we provide it with a Sect. 5, where we give a list of the best-known attacks on real-world ciphers due to the various families techniques.

Finally, we conclude this work with some considerations in Sect. 6 and we provide in “Appendix A” a spot “dive–in” into one of the most recent frameworks for cube attacks, implementing the kite attack.

2 The cube attack

2.1 Notation

Any field of research has its own nomenclature and cryptography makes no exception. However, cube attacks in particular never saw a common agreement on how to refer to its various key concepts. For this reason, each research line developed its own language and notation, often incoherent with the others. Do mind, as a simple example, that the name “Conditional Cube Attacks” is overloaded in literature: usually, it refers to an extension of “Cube Testers”, however, it is used also in relation to cube attacks where conditions are imposed a priori.

Diversity in notations makes it difficult to agree upon the specific novel contributions brought by each research; it is not unusual that concepts are claimed as novel and revolutionary, while simply being reformulations of already-known results.

We found this as a valid motivation to propose a novel nomenclature that encloses the various approaches of this field in [77]. In the following, we revise such a notation while enriching it to make it even more inclusive.

Usually, a cipher is a function f defined over \({\mathbb {F}}_q\) as:

$$\begin{aligned} \begin{matrix} f: & {\mathbb {F}}_q^n \times {\mathbb {F}}_q^m & \rightarrow & {\mathbb {F}}_q\\ & ({\underline{x}}, {\underline{v}}) & \mapsto & c \end{matrix}. \end{aligned}$$
(1)

where \({\underline{x}} = (x_1, \dots , x_{n}) \in {\mathbb {F}}_q^n\) represents a private key, \({\underline{v}} = (v_1, \dots , v_{m}) \in {\mathbb {F}}_q^m\) represents a public vector and c is the output value. It is possible to have vectors or stream of values as well (e.g., a keystream); in such cases, we consider a function f per output component.

In a natural way, we are able to reformulate the function f as its algebraic normal form (ANF) representation: a polynomial \(\mathfrak p\) defined in the equivalence classes of the polynomial ring with variables in \(x_1, \dots , x_n, v_1, \dots , v_m\) and coefficients in \({\mathbb {F}} _q\):

$$\begin{aligned} {\mathbb {F}}_{q}[x_{1},\dots , x_{n},v_{1}, \dots , v_{m}] \quad \text{ modulo }\quad x_1^q-x_1, \dots , x_n^q-x_n, v_1^q-v_1, \dots , v_m^q-v_m. \end{aligned}$$

We omit the modulus for the sake of readability by considering exponents of variables \(y_{i}^{e_i}\) in integers \(0\le e_i\le q-1\). We cast \(\mathfrak p \in {\mathbb {F}}_q[{\underline{x}}, {\underline{v}}]\) when it is important to distinguish between private and public part, and \(\mathfrak p \in {\mathbb {F}}_q[{\underline{y}}]\), when it is not (with \(y = (y_1, \dots , y_N), N=n+m\)).

In the following, we use capitalised I and J to identify sets of variable indices in \(\{1, \dots , n\}\), \(\{1, \dots , m\}\), or \(\{1, \dots , N\}\) (as it is clear from the context). Such sets are particularly useful when referring to monomials. This is particularly straightforward in the binary setting \(q = 2\) (see later in Sect. 2.3 for the same notation in fields of higher-order \(q = p^k > 2\)); in fact, monomials \(\mathfrak m_{} \in {\mathbb {F}}_{2}[{\underline{y}}]\) are in bijective correspondence with subsets \(I \subset \{1, \dots ,N\}\), \(|I| = d\) so that any index set I corresponds to a monomial:

$$\begin{aligned} \mathfrak m_{I}:= \prod _{i\in I} y_{i} \in {\mathbb {F}}_{2}[{\underline{y}}]\, \end{aligned}$$
(2)

where \(d:=deg(\mathfrak m_{I}) = |I|\).

We then introduce the following notations:

  • Zero vector (\({\underline{0}}\)) is a generic-length 0 vector, meaning that

    $$\begin{aligned} {\underline{y}} = {\underline{0}} \qquad \text {represents} \qquad {\underline{y}} = (0, \dots , 0) \end{aligned}$$

  • Unit vector (\({\underline{i}}\)) is a unitary basis vector, meaning that

    $$\begin{aligned} {\underline{y}} = {\underline{i}} \qquad \text {represents} \qquad {\underline{y}} = (0, \dots , 0, 1, 0, \dots , 0)\, \end{aligned}$$

    where the i-th variable only is set to 1.

  • Unit vector set (\({\underline{I}}\)) is the set of unit vectors obtained from the indices \(i \in I\); namely, the underlined notation is mapped through I, i.e.

    $$\begin{aligned} {\underline{I}}:= \{ {\underline{i}} | i\in I\}. \end{aligned}$$

  • Explicit concat (\(\,{:}{:}\,\)) is the concatenation notation (omitted when it is not necessary), meaning that:

    $$\begin{aligned} (1,1,0)\,{:}{:}\,(1,0,1) = (1,1,0,1,0,1). \end{aligned}$$

  • Vector copy (\({\underline{y}}^l\)) is the notation to l-times repeat y, meaning that

    $$\begin{aligned} {\underline{y}}^3 = {\underline{y}} \,{:}{:}\, {\underline{y}} \,{:}{:}\, {\underline{y}}. \end{aligned}$$

    Do also note that \({\underline{x}} = {\underline{0}}\) is equivalent to \({\underline{x}} = 0^n\).

  • Addition (\(+\)) is the component wise sum meaning that

    $$\begin{aligned} (1,1,0)+(1,0,1) = (2,1,1). \end{aligned}$$

    The sum behaviour depends on the underlying finite field; e.g. in \({\mathbb {F}} _2\), it operates as the xor, meaning that

    $$\begin{aligned} 1\ 1\ 0 + 1\ 0\ 1 = 0\ 1\ 1 \, \end{aligned}$$

    where we write binary vectors as bit sequences.

    Do also note that the following equality always holds:

    $$\begin{aligned} {\underline{x}}\,{:}{:}\,{\underline{v}} = {\underline{x}}\,{:}{:}\,0^m + 0^n\,{:}{:}\,{\underline{v}} \end{aligned}$$

  • Polynomial mapping \(\mathfrak p(S)\) is a compact notation for applying a polynomial or a function through a set, as it occurs to unit vector sets, meaning that

    $$\begin{aligned} \mathfrak p(S) = \{\mathfrak p(s) \mid s \in S\}. \end{aligned}$$
    (3)

  • Partial assignment (\({\underline{y}}{[I\rightarrow {\underline{a}}]}\)) is a compact notation to perform the assignment of specific variables to the values given in \({\underline{a}}=\left({a_{1}}, \dots , a_{|I|}\right)\), meaning that

    $$\begin{aligned} {\underline{y}}{[I\rightarrow {\underline{a}}]} \qquad \text{ represents the assignments} \qquad y_i = a_{j_i}\, \quad i \in I,\end{aligned}$$
    (4)

    where \(i \in I\) is mapped to the corresponding element index \(j_i\) respecting the natural numbers ordering. The partial assignment is particularly useful when it is combined with (3) to perform partial polynomial evaluationsFootnote 1:

    $$\begin{aligned} \mathfrak p({\underline{y}}{[I\rightarrow {\underline{a}}]}) = \mathfrak p(\alpha _1, \dots , \alpha _N)\, \qquad \text{ where } \quad \alpha _i = {\left\{ \begin{array}{ll} a_{j_i} & \text{ if } i \in I\\ y_i & \text{ otherwise } \end{array}\right. }. \end{aligned}$$

    The same notation also applies when considering public and private variables separately; consider the following polynomial:

    $$\begin{aligned} \mathfrak p(x_1, x_2, x_3, v_1, v_2, v_3) = x_1x_2 + v_1v_2 + x_1v_3 + x_2v_2 \in {\mathbb {F}}_q[{\underline{x}}, {\underline{v}}]\, \end{aligned}$$

    then, given two index sets \(J = \{1\}\) and \(I = \{1,3\}\), and two vectors \({\underline{a}} = (1)\) and \({\underline{b}} = (1,0)\) we have that \(\mathfrak p({\underline{x}}[J\rightarrow \underline{a}]\,{:}{:}\,{\underline{v}}[I\rightarrow {\underline{b}}])\) evaluates to:

    $$\begin{aligned} \mathfrak p({\underline{x}}[\{1\}\rightarrow (1)]\,{:}{:}\,{\underline{v}}[\{1,3\}\rightarrow (1,0)]) = x_2 + v_2 + x_2v_2. \end{aligned}$$

  • Cube notation (\({\underline{y}}{[I\rightarrow A]}\)) defines a set of copies of the vector \({\underline{y}}\) where components specified by I are assigned to every possible value in a given set A, meaning that:

    $$\begin{aligned} {\underline{y}}[I\rightarrow A] := \{{\underline{y}}[I\rightarrow {\underline{a}}],\ \text{ for } \text{ all } {\underline{a}} \in A \}. \end{aligned}$$

    The size \(d = |I|\) is called dimension of the cube and each vector in A has exactly d components. Usually, the set A is built as a cartesian product of binary assignments per each variable:

    $$\begin{aligned} A = A_1 \times A_2 \times \dots \times A_d \, \qquad A_i = \{0, a_i\}, \quad a_i \in {\mathbb {F}} _q. \end{aligned}$$

    The name cube is further legitimised if we consider the case \(A = {\mathbb {F}}_2^d = \{0, 1\}^{d}\). In fact, \({\mathbb {F}}_2^d\) represents a canonical hyper-cube of dimension d, a very common choice for cube attacks; hence, we omit the A and we write:

    $$\begin{aligned} {\underline{y}}[I]:= {\underline{y}}[I\rightarrow {\mathbb {F}}_2^d] = \{{\underline{y}}[I\rightarrow {\underline{a}}],\ \text{ for } \text{ all } {\underline{a}} \in \{0, 1\}^d \}. \end{aligned}$$
    (5)

    To further clarify this cardinal notion, we provide the following two examples whose pictorial representation can be found in Fig. 1:

    $$\begin{aligned} \begin{aligned} {\underline{y}}[\{2, 4, 5\}]&= \{y_1\,{:}{:}\,z_2\,{:}{:}\,y_3\,{:}{:}\,z_4\,{:}{:}\, z_5\,{:}{:}\,y_6\,{:}{:}\,\dots \,{:}{:}\,y_N,\\ \text{ for } \text{ all } {\underline{z}}&= \{z_2, z_4, z_5\} \in \{0,1\}^3\}. \end{aligned} \end{aligned}$$

    and

    $$\begin{aligned} \begin{aligned} {\underline{y}}[\{2, 4\}\rightarrow (\{0, 1\}\times \{0, 3\})]&= \{y_1\,{:}{:}\,z_2\,{:}{:}\,y_3\,{:}{:}\,z_4\,{:}{:}\,y_5\,{:}{:}\,\dots \,{:}{:}\,y_N,\\ \text{ for } \text{ all } z_2 \in \{0,1\}, z_4&\in \{0, 3\}\}. \end{aligned} \end{aligned}$$

  • Sum reduce (\(\sum S\)) is a compact notation for the sum of all the elements within a set S, namely

    $$\begin{aligned} \sum S := \sum _{s \in S} s. \end{aligned}$$

    The notation fits particularly well with cubes notation:

    $$\begin{aligned} \sum {\underline{y}}[I] = \sum _{{\underline{z}} \in {\underline{y}}[I]} {\underline{z}}\ = \sum _{{\underline{a}} \in \{0,1\}^d}{\underline{y}}[I\rightarrow {\underline{a}}]. \end{aligned}$$

    Shorten summation notation can be used to derive the characteristic vector of an index set too, meaning that

    $$\begin{aligned} {\underline{y}} = \sum {\underline{I}} \qquad \text{ represents } \qquad {\underline{y}} = (y_1, \dots , y_N) \qquad y_i = {\left\{ \begin{array}{ll} 1 & \text{ if } i \in I\\ 0 & \text{ otherwise }\end{array}\right. }. \end{aligned}$$

  • Cube & partial assignment (\({\underline{y}}{[J\rightarrow {\underline{a}}, I]}\)) is a compact notation to perform both partial assignment and cube evaluation \(I\cap J = \emptyset\), namely:

    $$\begin{aligned} {\underline{y}}{[J\rightarrow {\underline{a}}, I]} \qquad \text{ represents }\qquad {\underline{y}}[J \rightarrow {\underline{a}}, I \rightarrow {\mathbb {F}}_2^{d}]. \end{aligned}$$

    Do mind that, as we certify at the end of this section, it is common to have the variables with indices in \(I^\textsf{c} = \{1, \dots , N\}\backslash I\) set to zero. In such a case, do note that the following equality holds:

    $$\begin{aligned} {\underline{y}}[I^\textsf{c} \rightarrow 0^{N - d}, I] = {\underline{0}}[I]. \end{aligned}$$
    (6)

  • Cube & partial assignment in \({\mathbb {F}}_2\) (\(\underline{y}{[I_0, I_1, I]}\)) is an even more compact notation applicable in \({\mathbb {F}}_2\) to perform both partial assignment and cube evaluation. In \({\mathbb {F}}_2\), in fact, each variable can only be set to either 0 or 1, therefore it makes sense to distinguish three sets: the set (\(I_0\)) of indices of variables substituted by 0, the set (\(I_1\)) of indices variables substituted by 1 and the set of indices I of cube variables. We can then shorten the previous notation as follows:

    $$\begin{aligned} {\underline{y}}[I_0, I_1, I] = {\underline{y}}[I_0 \rightarrow 0^{|I_0|}, I_1 \rightarrow 1^{|I_1|}, I]. \end{aligned}$$

    In general, \(I_{0} \cup I_{1} \cup I \ne \{1,\dots , N\}\) therefore the result can still depend of some variables. If it is not the case, however, we remove the set \(I_0\) from the list, since it can be derived from the context, therefore writing:

    $$\begin{aligned} {\underline{y}}[I_1, I] = {\underline{y}}[ (I_1 \cup I)^\textsf{c} \rightarrow {\underline{0}}, I_1 \rightarrow 1^{|I_1|}, I] = {\underline{0}}[I_1 \rightarrow 1^{|I_1|}, I]. \end{aligned}$$

    Finally, if \(I_1 = \emptyset\) (\(I_0 = \{1, \dots , N\}\backslash I = I^\textsf{c}\)), we adopt the strategy of (6):

    $$\begin{aligned} {\underline{y}}[I^\textsf{c}, \emptyset , I] = {\underline{y}}[\emptyset , I] = {\underline{0}}[I] \end{aligned}$$

  • Monomial generation (\({\underline{y}}^{{\underline{s}}}\)) is a notation to generate a monomial from a characteristic vector \({\underline{s}} = (s_1, \dots , s_N), s_i \in \{0, 1\}\), in other words:

    $$\begin{aligned} {\underline{y}}^{{\underline{s}}} = \prod _{i \in \{1, \dots , N\}} y_i^{s_i}. \end{aligned}$$

    Note that (2) can be written this way as well:

    $$\begin{aligned} \mathfrak m_{I} = {\underline{y}}^{\sum {\underline{I}}}. \end{aligned}$$

  • Monomial set generation (\({\underline{y}}^{S}\)) is the natural mapping of the previous notation to a set S of vectors in \({\mathbb {Z}} ^N\), in other words:

    $$\begin{aligned} {\underline{y}}^{S} = \{{\underline{y}}^{{\underline{s}}} \mid {\underline{s}} \in S\}. \end{aligned}$$

  • Note that \({\underline{y}}^{{\underline{I}}}\) by monomial set generation is the set of variables \(y_i\) such that \(i\in I\). This notation is particularly useful in the Division Property setting since, fusing the notation with (5), we get the set of all monomials which divide the monomial \(\mathfrak m_{I}\):

    $$\begin{aligned} {\underline{y}}^{{\underline{0}}[I]} = \{{\underline{y}}^{{\underline{s}}} \mid {\underline{s}} = (s_1, \dots , s_N) \text{ where } s_i \in \{0, 1\} \text{ if } i \in I \text{ and } s_i = 0 \text{ if } i\not \in I \}. \end{aligned}$$

  • Monomials assignments \(({\mathfrak {m}} {[\circ ]})\) all the assignment notations given for sets of variables are still valid also for monomials, like the partial assignment \({\mathfrak {m}}[I\rightarrow {\underline{a}}]\), the cube operator \({\mathfrak {m}}[I\rightarrow A]\) and their combinations.

Fig. 1
figure 1

Pictorial representation of the cubes \({\underline{y}}[\{2, 4, 5\}]\) (on the left) and \({\underline{y}}[\{2, 4\}\rightarrow (\{0, 1\}\times \{0, 3\})]\) (on the right) where dots represent points of the cube. One sample point is highlighted and explicitly identified

Full size image

2.2 Cube attack forefather

Shamir and Dinur introduced in [31] the cube attack by considering any encryption function represented as a polynomial \(\mathfrak p\) on the binary field \({\mathbb {F}}_2\). This is a very convenient setting since \(z^2 = z\) and \(z + z = 0\) for any \(z \in {\mathbb {F}}_2\) and, as in (2), each monomial can be represented by the set of indices of its variables. The attack splits into a key-independent (offline) phase and a key-specific (online) phase.

During the offline phase, the attacker has access to an oracle ciphering machine for \(\mathfrak p\) and can set \({\underline{x}}\) and \({\underline{v}}\) at will; the goal of this phase is to find appropriate values of \({\underline{v}}\) to get at least n independent linear equations on the \({\underline{x}}\) unknowns. The online phase takes place when the defender sets a specific key vector \(\underline{x}\). Once again, we suppose the attacker as able to set the public vector \({\underline{v}}\) at will: this assumption requires either a chosen plaintext setting (as it could be for Message Authentication Code generation) or enough spoofing time on randomly generated \({\underline{v}}\) (as it could be for authentication challenges, e.g., in Wi-Fi handshaking). The goal of this phase is to reconstruct the n equations found during the off-line phase and solve the corresponding linear system to retrieve (a portion of) \({\underline{x}}\).

We now describe the two phases in detail.

2.2.1 Offline phase

Let \(\mathfrak m_{I}\) be the monomial generated by a set of variable indices \(I \subseteq \{1, \dots , N\}\), \(|I| = d\). In actual applications, I should address public variables only (\(I \subseteq \{1, \dots , m\}\)); however, since the methodology we are now describing is general, we prefer (also for ease of notation) to consider I as referring to both private and public variables.

Given the cipher \(\mathfrak p\) and the monomial \(\mathfrak m_{I}\), according the Division Algorithm there exist \(\mathfrak q_I\) and \(\mathfrak r_I\) such that:

$$\begin{aligned} \mathfrak p({\underline{y}}) = \mathfrak m_{I} \cdot \mathfrak q_I({\underline{y}}) + \mathfrak r_I({\underline{y}}) \, \end{aligned}$$
(7)

where none of the monomials in the reminder \(\mathfrak r_I\) is divisible by \(\mathfrak m_{I}\) (all of them miss at least a variable from \({\underline{y}}^{{\underline{I}}}\)) and none of the variables \(\underline{y}^{{\underline{I}}}\) can be found in the quotient \(\mathfrak q_I\) (since all of the variables in \(\mathfrak p\) are of degree 1).

We call \(\mathfrak q_I\) the superpoly of I in \(\mathfrak p\) and, if \(\mathfrak q_I\) is linear, we refer to \(\mathfrak m_{I}\) as a d-degree maxterm of \(\mathfrak p\).

In particular, applying \(\mathfrak p\) to the cube \({\underline{y}}[I]\) exterminates the reminder \(\mathfrak r_I\) while keeping (when \(\underline{y}[I\rightarrow 1^d]\)) a single instance of the superpoly \(\mathfrak q_I\). We then claim:

Proposition 1

(cfr. [31]) The superpoly \(\mathfrak q_I\), defined in (7), can be retrieved as:

$$\begin{aligned} \mathfrak q_I({\underline{y}}) = \sum \mathfrak p({\underline{y}}[I]). \end{aligned}$$
(8)

Surprisingly, provided that \(\mathfrak m_{I}\) is a maxterm, (8) gives us a method to numerically determine the ANF of \(\mathfrak q_I\), even when \(\mathfrak p\) is given as a black-box. In fact, since \(\mathfrak q_I\) is linear it does not contain any of the variables \({\underline{y}}^{{\underline{I}}}\) and its ANF is given by:

$$\begin{aligned} \mathfrak q_I = a_0 + \sum _{j \not \in I} a_j y_j, \qquad a_j \in \{0, 1\}. \end{aligned}$$
(9)

We then claim:

Proposition 2

(cfr. [31]) Let \(\mathfrak q_I\) be the superpoly defined in (7). Its coefficients, as defined in (9) are given by

$$\begin{aligned} a_0 = \sum \mathfrak p({\underline{0}}[I]) \qquad \text{ and }\qquad a_j = \sum \mathfrak p({\underline{j}}[I]) - a_0. \end{aligned}$$
(10)

As stated above, the linear relations we are building are exploited later in the online phase, where the attacker’s aim is to retrieve the private key \({\underline{x}}\). For this reason, cube variables I are in general chosen amongst the public ones (\(I \subset \{1, \dots , m\}\)), while the remaining ones (\(I^\textsf{c} = \{1, \dots , m\} \backslash I\)) are usually tweaked to zero or to any other value \({\underline{s}}\) to lower the complexity of the resulting system [34]. In this case, the ANF of \(\mathfrak p\) assumes the following form:

$$\begin{aligned} \mathfrak p({\underline{x}} \,{:}{:}\, {\underline{v}}[I^\textsf{c} \rightarrow {\underline{s}}]) = \mathfrak m_{I} \cdot \mathfrak q_{I, {\underline{s}}}({\underline{x}}) + \mathfrak r_{I, {\underline{s}}}({\underline{x}} \,{:}{:}\, {\underline{v}}[I^\textsf{c} \rightarrow {\underline{s}}])\, \end{aligned}$$

and, therefore, the superpoly only depends on the private key vector \({\underline{x}}\):

$$\begin{aligned} \mathfrak q_{I, {\underline{s}}}({\underline{x}}) = \sum \mathfrak p({\underline{x}} \,{:}{:}\, {\underline{v}}[I^\textsf{c} \rightarrow {\underline{s}}, I]). \end{aligned}$$

where (10) assume the following form:

$$\begin{aligned} a_0 = \sum \mathfrak p({\underline{0}} \,{:}{:}\, {\underline{v}}[I^\textsf{c} \rightarrow {\underline{s}}, I]) \qquad \text{ and }\qquad a_j = \sum \mathfrak p({\underline{j}} \,{:}{:}\, {\underline{v}}[I^\textsf{c} \rightarrow {\underline{s}}, I]) - a_0. \end{aligned}$$
(11)

In particular, when \({\underline{s}} = {\underline{0}}\), we omit to report the subscript \({\underline{s}}\), obtaining:

$$\begin{aligned} \mathfrak q_I({\underline{x}}) = \sum \mathfrak p({\underline{x}} \,{:}{:}\, {\underline{0}}[I])\,\qquad a_0 = \sum \mathfrak p({\underline{0}} \,{:}{:}\, {\underline{0}}[I]) \,\qquad a_j = \sum \mathfrak p({\underline{j}} \,{:}{:}\, {\underline{0}}[I]) - a_0. \end{aligned}$$

2.2.2 Online phase

In online phase we suppose the unknown key \({\underline{x}} = \underline{k}\) to be set and secret while the public vector \({\underline{v}}\) to be settable at will. Online phase is made of two parts: (i) for each maxterm \(\mathfrak m_{I}\) found in the offline phase, let us obtain an evaluation of the superpoly \(\mathfrak q_I\) via

$$\begin{aligned} b_{I, {\underline{s}}} = \mathfrak q_{I, {\underline{s}}}({\underline{k}}) = \sum \mathfrak p({\underline{k}} \,{:}{:}\, {\underline{v}}[I^\textsf{c} \rightarrow {\underline{s}}, I]) \end{aligned}$$

and (ii) solving the corresponding linear equations system with \({\underline{x}}\) as unknown variables, yielded by

$$\begin{aligned} a_0 + \sum a_i\cdot k_i = b_{I, {\underline{s}}}. \end{aligned}$$

The complexity of the first part depends on the size and the number of the cubes, as well as on the practical difficulty to set \(\underline{v}\). The second part can be tackled by means of basic linear algebra algorithms in order to retrieve the full key or a portion of it (depending on the number of independent equations found); gaussian elimination algorithm requires e.g., \({\mathcal {O}}(n^3)\) steps.

Both parts of the online phase, despite being computationally intense, are computationally bounded by the complexity of the offline one. Therefore, being able to carry out the offline phase actually breaks (or weakens) a specific cipher in all of its instances.

2.3 Cube attack in higher order fields

As we highlight in the previous section, the standard cube attack works when polynomials are given over the binary field \({\mathbb {F}}_2\). This restriction is required to prove (8) which is crucial to the cube attack and derives from fundamental equations in the binary field, namely \(y^2 = y\) and \(y+y=0\).

When we place the encryption function in the finite field \({\mathbb {F}}_q\) those equations assume a different form that depends on the order q and on the characteristic p i.e., if \(q = p^k\), then \(y^q = y\) and \(p \cdot y = 0\). Consequently, monomials are no longer one-to-one with the indices sets since each variable can have exponent up to \(q-1\). A monomial is therefore defined by a vector \({\underline{s}} = (s_1, \dots , s_N)\) of exponents where \(s_i \in {\mathbb {Z}}_q\), obtaining the following equation equivalent to (2):

$$\begin{aligned} \mathfrak m_{{\underline{s}}} = {\underline{y}}^{{\underline{s}}} \, \end{aligned}$$
(12)

where the set of variables involved are, as always, denoted by I, namely:

$$\begin{aligned} I = \{i \in \{1, \dots , N\} \mid s_i \ne 0\}. \end{aligned}$$

Given a cipher \(\mathfrak p\) and a monomial \(\mathfrak m_{{\underline{s}}}\), we can derive via Division Algorithm an equation analogous to (7), namely

$$\begin{aligned} \mathfrak p({\underline{y}}) = \mathfrak m_{{\underline{s}}} \cdot \mathfrak q_{{\underline{s}}}({\underline{y}}) + \mathfrak r_{{\underline{s}}}({\underline{y}}) + \mathfrak r_{I}({\underline{y}}) \, \end{aligned}$$
(13)

where none of the monomials in the reminder is divisible by \(\mathfrak m_{{\underline{s}}}\). Though, such monomials can contain some of the variables \({\underline{y}}^{{\underline{I}}}\), therefore, in order to resemble an analogy with \({\mathbb {F}} _2\), it makes sense to divide the reminder into two parts: monomials that do contain all the variables from I (\(\mathfrak r_{{\underline{s}}}\)) and monomials that do not (\(\mathfrak r_{I}\)).

Dinur and Shamir claimed in [31] the possibility of extending the attack to a generic field, however, the first proof of this approach can be found in [3] due to Agnesse and Pedicini. Their main contribution consists of reworking Proposition 1 to extend it by considering the relation given by (13):

Proposition 3

(cfr. [3]) Given a set \({\underline{s}}\) of exponents working on the variables defined by I, the superpoly defined in (7) can be retrieved as:

$$\begin{aligned} \mathfrak q_I({\underline{y}}) = \mathfrak q_{{\underline{s}}}({\underline{y}}[I\rightarrow 1^d]) + \mathfrak r^I_{{\underline{s}}}({\underline{y}}[I\rightarrow 1^d]) = \sum \mathfrak p( {\underline{y}}[I]^0)- \sum \mathfrak p( {\underline{y}}[I]^1)\, \end{aligned}$$
(14)

where the set \({\underline{y}}[I]\) is partitioned as \(\underline{y}[I] = {\underline{y}}[I]^0 \cup {\underline{y}}[I]^1\) and \({\underline{y}}[I]^0\) contains those vectors with the same parity as \({\underline{y}}[I \rightarrow 1^d]\).

The parity of \({\underline{y}}[I \rightarrow 1^d]\) is a symbolic parity since it depends on the values assigned to \(I^\textsf{c}\) variables, namely:

$$\begin{aligned} {\underline{y}}[I]^0 = \{{\underline{a}} \in {\underline{y}}[I] \mid {\underline{a}}[I^\textsf{c}\rightarrow {\underline{0}}] = d \mod 2\}. \end{aligned}$$

This key concept is resumed in 2012 Vargiu Master Thesis [103] and later expanded in [76] where Onofri presented many proofs and computational bounds when \(\mathfrak m_{{\underline{s}}}\) is chosen as in standard cube attack, i.e. \(s_i = 1, i \in I\), see also [13]. If this condition holds, in fact, the cube attack straightforward extends from \({\mathbb {F}} _2\) to \({\mathbb {F}} _q\) up to a factor \(-1\) (which depends on the parity of the specific element within the cube evaluation); in fact \(\mathfrak r^I = 0\), then (14) shortens to

$$\begin{aligned} \mathfrak q_I({\underline{y}}) = \mathfrak q_{{\underline{s}}}({\underline{y}}) = \sum \mathfrak p({\underline{y}}[I]^0) - \sum \mathfrak p({\underline{y}}[I]^1) \end{aligned}$$
(15)

and, in particular, we can state, analogously to Proposition 2, that

Proposition 4

(cfr. [76]) For any polynomial \(\mathfrak p\) in \({\mathbb {F}}_q[{\underline{x}}]\) and cube I yielding a maxterm \(\mathfrak m_{I}\), the superpoly has ANF

$$\begin{aligned} \mathfrak q_I({\underline{y}}) = a_0 + \sum _{j \not \in I} a_j y_j, \qquad a_j \in {\mathbb {F}} _q. \end{aligned}$$

Coefficients can be numerically evaluated by

$$\begin{aligned} a_0 = \sum \mathfrak p( {\underline{0}}[I]^0) - \sum \mathfrak p( {\underline{0}}[I]^1) \quad \text{ and } \quad a_j = \sum \mathfrak p( {\underline{j}}[I]^0) - \sum \mathfrak p( {\underline{j}}[I]^1) - a_0. \end{aligned}$$

An analogous approach to [3] to extend cube attack in higher order fields can be found in [83], where authors fuse standard cube attack with higher order differentiation technique introduced by Lai in [59]. The key concepts are, to the best of our knowledge, totally comparable; however, the processing is performed under the point of view of differentiation techniques. Here, the main contribution is given by the following observation:

Proposition 5

(cfr. [83])

$$\begin{aligned} \mathfrak q_I = \varDelta ^{(\sum {\underline{m}})}_{{\underline{m}} \times {\underline{I}}} \mathfrak p \end{aligned}$$
(16)

where we are denoting with \({\underline{m}} \times {\underline{I}}\) the multiset of single-variable single-step differentiation:

$$\begin{aligned} {\underline{m}} \times {\underline{I}} = \{{\underline{i}} \text{ taken } m_i \text{ times }\}_{i\in I} \end{aligned}$$
(17)

and the \(\varDelta ^{(k)}\) notation is the standard definition of multi-differentiation:

$$\begin{aligned} \varDelta ^{(k)}_{\underline{a_1}, \dots , \underline{a_k}} \mathfrak p = \varDelta _{\underline{a_1}} \dots \varDelta _{\underline{a_k}} \mathfrak p \end{aligned}$$
(18)

and the standard differentiation is given by

$$\begin{aligned} \varDelta _{{\underline{a}}}\mathfrak p({\underline{y}}) = \mathfrak p({\underline{y}} + {\underline{a}}) - \mathfrak p({\underline{y}}). \end{aligned}$$
(19)

2.4 Searching for cubes

A cardinal point of the cube attack is to efficiently determine if (9) holds, or, in other words, whether the superpoly \(\mathfrak q_{I}\) is linear or not. Two main approaches are used in this context: (i) retrieve the maximum degree \(\delta\) of \(\mathfrak p\) and then consider cubes of dimension \(d = \delta -1\) or (ii) employ stochastic tests to guess the linearity of \(\mathfrak q_I\).

The first approach was firstly introduced and used in [30], where Dinur et al. applied it to attack Keccak sponge functions; however, it has limited applications since correctly determining the degree is hard when the \(\mathfrak p\) is complex. As we see later in the next section, this approach is often reversed instead, employing the cube attack itself to probabilistically determine \(\delta\) (see [7]).

The latter approach is the widely used instead. In the original paper [31], Dinur and Shamir employed the Bloom-Luby-Rubinfeld Test from [15], a linearity test originally developed as a self-testing/correcting with applications algorithm. Later, a novel test optimised by reusing computations is proposed in [34]. In this sense, however, a notable contribution is by Winter, Salagean, and Phan who proposed in [111] an improved linearity test based on higher-order differentiation, enhanced by the Moebius transform. Srinivasan et al. propose instead a three-steps algorithm in [87], where filters are applied one after the other to “prove” the linearity of a given black box polynomial at a computational cost of \({\mathcal {O}}(2^{d+1}(n^2+n))\).

Testing the linearity of randomly chosen superpolies \(\mathfrak q_I\) proves however, to be inefficient. For this reason, in [31], variables with indices in I were originally picked accordingly to a random walk on the monomial lattice. “Moving” aleatory, however, does not guarantee a success, therefore efforts were devoted to find a pattern to efficiently select monomials \(\mathfrak m_{I}\) while looking for the maxterms. Aumasson et al. proposed in [6] an evolutionary algorithm to search for cubes that maximise the number of rounds after which the superpoly is still unbalanced. Also Wang et al. in [110] propose a new methodology to find more linear equations from the same cube set. Following this trend, Cianfriglia et al. developed in [20] a CUDA framework to parallel control all the cubes within a specific kite shaped region of the lattice (see “Appendix A”).

However, sophisticated algorithms were also developed to avoid manipulating such large cubes directly. Stankowski in [88], for example, introduced a greedy bit set algorithm with \({\mathcal {O}}(2^{n+c})\) complexity, later expanded in [53].

By talking about heuristics, cryptographers also tried to reduce the density of the ANFs empirically: two examples can be found in [42, 69].

Following a different research path, more recently, Ye and Tian developed in [117] a novel algebraic criterion to recover the exact superpoly of useful cubes while Rohit et al. introduced in [81] a technique called partial polynomial multiplication to obtain complex cubes by multiplying some specific sets of partial polynomials (the degree-homogeneous) from lower round computations.

3 Cube attacks family

The cube attack is a powerful but expensive approach to break ciphers. The idea behind is, however, very solid and flexible and can be combined with many different other approaches to enhance their efficiency. Figure 2 presents various branches traversed by cube attacks.

Fig. 2
figure 2

The cube attack family

Full size image

3.1 Dynamic cube attack and cube testers

The first approach in this sense can be found in [7] where cube building is mixed with efficient property-testers in order to detect non-randomness in cryptographic primitives (or mount cipher distinguishers). The cube framework can, in fact, be exploited in order to test global properties of a black-box polynomial without retrieving the formal expression of the polynomial.

Such strategy is under the name of Cube Testers and combines a property tester on the superpoly (for some property \({\mathcal {P}}\)) with a statistical decision rule that probabilistically recognises whenever the superpoly is \(\delta\)-far from \({\mathcal {P}}\). Namely, the linearity test exploited in the canonical cube attack is itself a cube tester; other examples of properties realisable as cube testers are polynomial randomness (i.e. the superpoly coefficients are balanced) and the test of presence of neutral variables (i.e. the superpoly does not depend of such a variable).

Cube testers are the basis to create flexible distinguishers as can be seen in [9] first and in [84] later, where authors develop, relying on [88], distinguishers for Trivium based ciphers; however, cube testers main contribution to cryptanalysis can be found in [33] where they are exploited to create Dynamic Cube Attacks. The main observation here is that the resistance of many ciphers to cube testers depends on a few number of non-linear operations that usually take place in the latest stages of the encryption process; this is especially true if inputs variables are not mixed enough during the encryption process. Such a behaviour reflects in very few high-order monomials in the ANF of \(\mathfrak p\) that, if identified at the early stages of the encryption process, can be efficiently killed by vanishing specific input bits—often called Dynamic variables. Such dynamic variables, forming a disjoint set from cube variables, usually belong both to public and private ones: the public ones can be set at will during online phases; private ones must instead be guessed and, in particular, these guesses can be confirmed or refuted by cube testers themselves. This, therefore, allows the cryptographer to eventually retrieve key bits without solving any algebraic system at the cost of a more complex offline phase.

Effective usage of this approach can be found, for example, in [79] where authors attack a reduced version of Simon lightweight cipher by using deterministic distinguishers based on cube testers, or in [10] where the author proposes a bi-dimensional dynamic cube attack against 105 rounds Grain v1 that retrieves nine secret-key-bits of the cipher.

A similar approach is also developed in [49] on Keccak sponge functions, where authors combine cube testers with bit-tracing method (see [109]) to create Conditional Cube Testers. Here authors impose a further classification of cube variables, dividing those that mix together after the second encryption round (conditional cube variables) from those that are not multiplied with each other after the first round and are not multiplied with any conditional cube variable after the second round (ordinary cube variables).

The same approach is further improved firstly in [62], where the limitation that no mutual multiplication between cube variables occurs in the first round is removed, and then in [67], where more constraints on the number of conditions involving the secret bits are added.

Conditional cube testers were also fused with Mixed Integer Linear Programming by Li et al. in [61] and [14], by Song et al. in [85, 86] and, more recently, by Zhao et al. in [123] where ciphers of the Keccak family were attacked.

Many efforts focussed recently on novel methods for finding cube testers. A possible strategy is to esteem the probability for the superpoly in selected rounds, as in [26]. Another interesting approach can be found in [113] where Liu et al. extended its numeric mapping method for estimating the algebraic degree of NFSR-based cryptosystems (presented in [68]) with the works [53, 88] by Stankowsky et al.

Liu’s numeric mapping method was also employed in a more recent work by Kesarwani et al. where, in [55], the authors propose a new algorithm for cube generation following the research branch of [84].

3.2 Exploiting of non-linear equations

As we pointed out in the previous section, linearity is not the only property we can require on the degree of the superpoly. In particular, we can consider maxterms up to a certain small degree and still recover a polynomial system whose resolution is feasible.

As an example, Mroczkowski and Szmidt propose in [74] an improvement to the cube attack concerning both linear and quadratic equations. They employed a Quadracity Test to retain discarded non-linear equations and use key bits obtained via linear equations to solve “by hand” the quadratic ones. This solution highly enhances the number of key bits the attacker can recover while still limiting the cube search phase: in their application to Trivium-709, for example, they claim no brute-force is needed to recover the whole key.

Combining the ideas of [74] with their previous work [110], Wang et al. proposed in [28] a new methodology which makes use of those common variables in two different dimensional cubes to induce maxterms of higher-order from those of lower-order, thus recovering more key bits and reducing the search complexity.

It is also worth of mention the work by Ye and Tian [115], where an experimental approach is employed against Trivium-like ciphers. The authors focus on improving nonlinear superpolys recovery by means of linearisation techniques. Under this setting, several linear and quadratic superpolys are claimed for the 802-round Trivium as well as the possibility of finding a quadratic superpoly for Kreyvium is shown. Relying on specific features discovered on Trivium also an enhanced method to attack Trivium-like ciphers is presented, claiming a generic method of choosing useful nonlinear key expressions.

Clearly, the higher degree equation found this way can be used in many different ways; two more interesting approaches on this side are given by Sun and Guan in [91] where cube attacks are exploited to find new linear relations for linear cryptanalysis purposes and by Eskandari and Ghaemi Bafghi in [39] where non-linear equations are treated as linear equations with noise to attack KATAN lightweight cipher.

3.3 Cube attacks on side channel attacks

The original version of cube attack has no free quarters for uncertainty or measurement errors. However, cube attacks have a natural error correction mechanism (see [32]): by considering a cube K large enough during the offline phase and by evaluating all of its sub-cubes \(I\subset K\) yielding linear relations it is in fact possible to gather redundant linear equations. In the online phase, assuming a per-round leakage with uncertainty (as it happens when Hamming weight only is available), the summation of all the leaked bits from a specific sub-cube assignment yields a new linear equation in the \({\underline{x}}\) with a known term depending on the assignment of the known leaked bits. These new relations can be equated to the corresponding linear combination of key variables \({\underline{k}}\) pre-evaluated during the offline phase, obtaining a linear system of equations in the \({\underline{x}}\) and \({\underline{k}}\) variables that the attacker can exploit.

This approach was applied to many block ciphers by exploiting their specific structure starting from [32], where many linear relations were found for Serpent and AES. Later the same year also Yang et al. used this approach to analyse PRESENT Lightweight cipher in [114].

The same approach led Abdul-Latip et al. to produce two works: in [2] they halved the complexity of NOEKEON block cipher by considering a single bit information leakage from the internal state after the second round; in [1], the authors modified the cube attack used in [114] by employing some low-degree non-linear equation (e.g. quadratic equations) to exploit leakages on PRESENT.

The theory from the previous section was also combined with side channel cube attacks by Fan and Gong in [40] where the security of the Hummingbird-2 cipher (an ultra-lightweight cryptographic algorithm) is discussed. In particular, they describe an efficient term-by-term quadraticity test for extracting simple quadratic equations besides linear ones to be exploited along with the bit-leakage model in a fast GPU model.

Concurrently, also Zhao et al. produced an attack to PRESENT in [122] relying on [114] where a two-layer “divide and conquer” strategy is used concurrently with a sliding window approach and an iterated version of the attack is proposed. Their iterative method was further refined in [121] where the authors also propose a model based on non-linear equations.

During the same year, the full version of LBlock was also attacked by means of these techniques in [50].

Li et al. also approached side channel cube attacks on PRESENT the same year in [64] after their preliminary work on LBlock of the year before [66]. However, their work focussed on data refinement employing the maximum likelihood decoding algorithm in order to correct the side channel outputs by considering it as a linear code transmitted through a binary symmetric channel with crossover probability depending on the accuracy of the measurements. A 50% success rate is achieved in [65] even when data are more than 40% dirty.

3.4 Meet in the middle techniques

One more interesting approach to the cube attack is the possibility to fuse it with meet-in-the-middle techniques. Firstly suggested in the original paper [31], the first implementation of this approach is to the iconic 120-bit Courtois Toy cipher (CTC) due to Mroczkowski and Szmidt in [72]. Here the offline phase is performed against four rounds of encryption, by recovering many linear equations as usual (here more than 600 linear equations were found). In the online phase, however, the defender encrypts the messages with a five-round encryption. The explicit inversion is therefore performed by obtaining the ciphertext bits after four rounds of encryption by means of equations in the key bits as unknowns and ciphertext bits as known variables. Due to the simplicity of the encryption round rule, these equations are linear in the key bits so, by equating these polynomials to the one gathered in the offline phase, the result is still a linear system that can be solved as in usual cube attack approaches.

Later on, just mimicking what they did earlier in [72], the authors extended the technique to 255-bit Courtois Toy cipher 2 in [73].

A different approach about dynamic cube attack on stream ciphers that is somehow related to MitM techniques can also be found in [4]. Here Ahmadian et al. proceed in the opposite direction to usual MitM, by explicitly splitting the cipher into three sections computed independently: an upper extension part, an intermediate section where cube variables are chosen, and a lower extension part.

3.5 Cube attacks based on division property

Finally, one of the most recent and promising extensions of cube attack family consists in fusing it with the division property, a tool originally introduced by Todo in [97] (later formalised in [98]) as an improvement over Integral Cryptanalysis (see [57]). A multiset A with elements in \({\mathbb {F}}_2^N\) is said to have the division property \({\mathcal {D}}_k^{N}\), with \(0\le k \le N\), if:

$$\begin{aligned} deg({\underline{y}}^{{\underline{s}}}) = \sum {\underline{s}} < k \quad \text{ implies } \quad \sum {\underline{y}}^{{\underline{s}}}[\{1, \dots , N\}\rightarrow A] = 0 \, \end{aligned}$$

at the varying of \(s \in {\mathbb {Z}} _2^N\).

Before pairing it with cube attacks, the concept was firstly extended at FSE 2016, where Todo and Morii in [101] applied it to SIMONs family, introducing the conventional bit-based division property (CBDP) and the bit-based division property using three subsets (BDPT) and exploiting for the first time the zero-sum property: this solution was more robust than the classical division property, even though it was not efficient enough to carry out a feasible attack.

In order to overcome the efficiency issue, Xiang et al. introduced in [112] the division trails i.e. the propagation of the division property through the rounds of the cipher, along with an approach to evaluate them through MILP (Mixed Integer Linear Programming) models, hence enabling faster computations. More formally, given R rounds of a cipher, an input \({\underline{y}}\) generates, for each round r, an internal state \({\underline{y}}^{(r)}\). Analogously, a set A with elements in \({\mathbb {F}} _2^N\), generates R sets \((A^{(0)} = A, A^{(1)}, \dots , A^{(R-1)})\), where \(A^{(r)} = \{{\underline{y}}^{(r)} \mid {\underline{y}} \in A\}\). A division trail for the set A is a vector \({\underline{k}} = (k_0, \dots , k_{R-1})\), with \(0\le k_r\le N\), such that the division property \({\mathcal {D}}_{k_r}^N\) holds for the set \(A^{(r)}\), for all \(0 \le r < R\). By analysing the round function of the cipher, we can build relations between elements of a trail (i.e., study the propagation of the division property): by writing such relations in a MILP way (relying on the three basic operations of and, xor and copy) we obtain a system of linear inequalities which solutions correspond to valid trails.

The introduction of MILP models allowed Todo et Al. in [99] to efficiently apply Division Property along with cube attack, exploiting the CBDP: the non-blackbox representation of the cipher allowed, jointly with the efficient MILP interpretation of the division trail, to obtain unexpected results, hence enabling the authors to break 832-round Trivium. Further results on Trivium were obtained firstly the following year at Crypto’18, where Wang Q. et al. improved the attack up to 839 rounds in [105], and later in 2019 by Wang S. et al. in [107] where, using BDPT, the authors were able to recover the superpolies of 832- and 839-round Trivium with a reduced computational time. It is also worth noticing that, later that year, Ye and Tian showed using MILP-based division property in [116] that many of the key-recovery attacks to Trivium presented at Crypto’18 were also distinguishing attacks.

In [46], Wang et al. introduced a new algorithm to find better cubes: to do so, they used a particular MILP model to find division trails based on SAT from [89] and on the flag technique from [106].

The MILP approach made BDPT exploitable in feasible time too, as it is shown more recently in [45] where up to 841-round of Trivium were successfully broken thanks to a careful selection of which differential trail are found in even number and whose evaluation can be hence safely skipped since their contribution nullifies in the resulting ANF; approaches from [45, 106] well combine together, as it can be seen in [54].

Later, Wang et al. introduced in [108] a novel algebraic version of the division property under the name of monomial prediction, also showing its strict similarities with BDPT itself: here, the state variables \({\underline{y}}^{(r)} = (y^{(r)}_0, y^{(r)}_1, \dots )\) of round r are considered as polynomial components \(y^{(r)}_i = \mathfrak p_{r, i}(\underline{y}^{(r-1)})\) representing the update function of the i-th component of the state at round r depending on state components at round \(r-1\) (hence, \(\mathfrak p\) can be obtained iterating composition of \(\mathfrak p_{r, i}\), round-by-round); these formal relations are then exploited to determine whether specific input state variables \(y_i^{(0)}\) (or, possibly monomials \(\mathfrak s\) in the \({\underline{y}}^{(0)}\) variables) do or do not propagate to the upcoming rounds. This task can be achieved by analysing round-by-round whether \(\mathfrak p_{r, i}\) does contain first-degree monomials \(y^{(r-1)}_{j}\) for some j or does not, that is, considering the set \(P_{r,i}\) of the monomials \(\mathfrak p_{r, i}\) is made of (namely, such that \(\mathfrak p_{r,i} = \sum P_{r,i}\)), we say that \(y^{(r-1)}_{j}\) is monomial predicted at round r if:

$$\begin{aligned} y^{(r-1)}_{j} \in P_{r, i} \qquad \text{ for } \text{ some } \text{ component } j \text{ of } \text{ the } \text{ state } \text{ at } \text{ round } r-1. \end{aligned}$$
(20)

A set of variables \((y^{(0)}_{i_0}, y^{(1)}_{i_1}, \dots , y^{(R-1)}_{i_{R-1}})\) such that (20) pairwise holds (i.e., \(y^{(r-1)}_{i_{r-1}}\) is monomial predicted in \(y^{(r)}_{i_{r}}\)) is said a monomial trail. We then claim:

Proposition 6

(cfr. [108]) A given first-round state variable \(y^{(0)}_{i_0}\) can be found in \(\mathfrak p_{r, i_r}\) if and only if the number of monomial trails connecting them is odd.

The same proposition holds if considering monomials \(\mathfrak s^{(0)}\) in \({\underline{y}}^{(0)}\) variables too.

Given a cube I, Proposition 6 gives us a method to evaluate the superpoly \(\mathfrak q_{I}\) of the cube attack by exploiting the monomial trails and, hence, by adopting efficient MILP models. In fact, if we consider the set P of all monomials \(\mathfrak p\) is made of (namely, \(\mathfrak p=\sum P\)), we can then reformulate (7) as follows:

$$\begin{aligned} \mathfrak q_I=\sum M, \qquad M = ({\underline{y}}^{{\underline{0}}[I \rightarrow 1^d, I^\textsf{c}]}\cap P)/\mathfrak m_{I} = \{\mathfrak m_{} \in {\underline{y}}^{{\underline{0}}[I^\textsf{c}]} \mid \mathfrak m_{} \cdot \mathfrak m_{I}\in P\}. \end{aligned}$$

The speed-up obtained via MILP modelling, allowed the authors to break Trivium reduced up to 842-rounds [108].

Further recent work on monomial prediction is by Hu et al. in [47] where the authors describe a novel technique under the name of nested monomial prediction to efficiently evaluate the ANF of massive polynomials. In particular, a temporal-complexity pre-evaluation is performed to decide whether a given intermediate state variable should be further expanded or not. Key recovery technique is further enhanced as well by the application of the Möbius transformation.

Division property is also linked with other kinds of cube attacks, such as dynamic cube attacks: in [44], Hao et al. introduced on one hand a heuristic algorithm using flag technique division property that permits to find superpolies with low bias, on the other hand, a new MILP model method for division property using nullification strategies. With this approach, it was possible to define a new dynamic cube attack on Grain-128 with a success probability of 99.83% and to use the new MILP modelling to attack 892 rounds of Kreyvium.

DP was also used to design a heuristic algorithm to find valuable cubes, as defined in [92] (i.e., cubes whose superpoly has (at least) a balanced secret variable), that proved to be effective against Trivium and Kreyvium, actually elevating by one round (up to 843 and 893 rounds respectively) the attacks proposed by Hao et al. in [45] and Hu et al. in [48].

4 Frameworks and implementations

Since its very first introduction, cube attack was presented not only as a theoretical attack, but also as a practical methodology to break real-world ciphers.

For this reason, Aumasson et al. built in [6] a first cube tester framework on field-programmable gate array (FPGA) capable of attacking 237 rounds in Grain-128 (out of 256) in \(2^{54}\) cipher runs. The idea behind this implementation is hereafter to split the computation into an input generator, an output collector and a controller unit that employs an evolutionary algorithm for cube searching.

Later FPGA implementation of dynamic cube attacks can also be found in [29] (later revised in [43]) where the RIVYERA computing system is adopted.

The main contribution of previous approaches was however given by the possibility of simultaneously evaluating multiple instances of the cipher in order to fraction execution times. Following this trend, GPUs were for example employed to test SHA-3 candidates against unbalances, as reported in [52].

Cipher evaluations occurring in cube construction are highly related one to the other and often repeated. In [18,19,20], the Cranic Computing groupFootnote 2 worked out a complete refactoring of the computation on GPUs in view of repurposing of values already computed. Their main contributions are in the organisation of the cube attack as a Time Memory Data Trade-off algorithm, named kite attack, to optimise the computation in accord with the structure of GPU memory layers. The development of a CUDA framework for the cube attack resulted in an open source framework enabling the finding of an 800-rounds superpoly in Trivium [21].

As highlighted by Zhu et al. in [124], the framework development is a key point not only to check attacks feasibility, but also to show the correctness of many unfitting assumptions cryptographers may claim. In particular, their contribution is under a python-based web application (unfortunately no longer accessible by now) to test cube attacks-like (in particular linearity of given superpoly) on different ciphers (Trivium only was implemented, however, simple extensions could be made to integrate other ciphers).

Amongst the most interesting published frameworks, there is also the one for nested monomial prediction by Hu et al. introduced in [47] and discussed in Sect. 3.5.

Other notable cube attacks implementations are introduced in [4] as we discuss earlier in Sect. 3.4 and in [50] where Islam et al. develop a GUI toolkit which can load a stream or a block cipher and can check its resistance against the cube attack.

Ye and Tian introduced in [118] a framework for Trivium efficient key-recovery where Stankovski’s greedy bit set algorithm fuses with division property and the Improved Moebius Transformation to construct potentially good cubes. Building upon their idea, very recently Che and Tian developed in [17] a framework (whose implementation is online available) to find well-balanced superpoly.

Concurrently, Delaune et al. propose in [27] a novel model based on a digraph representation of the cube. Authors claim the graph structure handles some of the monomial cancellations more easily than those based on division property, hence improving timing results. Model implementation is proposed and implemented (online available) in both MILP and Constrained Programming.

Finally, code for the approach adopted by Sun in [92] and by Baudrin et al. in [11] are supplied as well.

5 Applications

The cube attack family focussed since its beginning on stream ciphers like Trivium (Kreyvium, Quavium, ...) and Grain (Grain-v1, Grain-128, ...). We report the respective main results in Tables 1 and 2.

Table 1 Results on Trivium cipher
Full size table
Table 2 Results on Grain-128 and Grain-v1 ciphers
Full size table

Also PRESENT cipher is entitled of an honourable mention, as many developments in side-channel cube attacks were performed on this cipher. Table 3 reports principal contributions.

Table 3 Key recovery results via side channel attack on PRESENT cipher with key length of 80 and 128 bit
Full size table

More recently, much interest was devoted to the lightweight cipher Ascon, one of the finalists of the NIST lightweight cryptography standardisation process that uses a total of 30 rounds of permutations divided into 12/6/12 rounds of initialisation/plaintext processing/finalisation. Different work focused on the different phases of the cipher, actually mounting key-recovery attacks on the initialisation phase, state recovery attacks on plaintext processing phase, forgery attacks on the finalisation phase, or distinguishers on the global permutation function. Many of the recent works assume collateral conditions like the usage of a weak key or the nonce-misuse setting, i.e., a key/nonce pair is reused many times to encrypt (contrary to the recommendations of the designers). Table 4 reports principal contributions, with a notable notion of [36], where the authors design a hardware Trojan to reduce the number of initialisation rounds to make cube attack-based key-recovery feasible in 94 s on average.

Table 4 Results on Ascon-128 lightweight cipher
Full size table

Even if cube attacks work on ciphers by considering them as black-box polynomials and therefore are suitable to attack nearly any cryptosystem, they can also exploit specific cipher vulnerabilities. It is the case, for example, of the work performed by Dinur and Shamir first, and by many other cryptographers later, on Keccak family (Ketje, Keyak, ...). In Table 5, we report principal results obtained against Keccak sponge function.

Table 5 Results on Keccak sponge function
Full size table

Many other cipher were attacked via cube family. It is the case of e.g., lightweight and ultra-lightweight ciphers like SIMONs ([79, 101], ...), Simeck ([120]) KATAN ([56, 108], ...), Subterranean 2.0 ([67]), Hitag2 ([90]), LBlock ([50], ...), Hummingbird-2 ([40]), TinyJAMBU ([37, 38, 94]), MORUS ([46]), Lizard ([54]), and many others.

6 Conclusions

In this paper, we revise and improve a novel notation for the cube attack family. We employ the new notation to analyse and provide a cohesive review of the state-of-the-art for this wide family of cryptanalysis techniques.

We discuss the original Dinur and Shamir’s attack in \({\mathbb {F}}_2\) and we extend it to a generic finite field \({\mathbb {F}}_q\), also describing recent methodologies employed to find cubes. We summarise the family of attacks in five principal research branches: (i) Cube Testers and their extensions (Dynamic and Conditional Cube Attacks), (ii) Cube Attacks with non-linear equations, (iii) Cube Attacks with information leakages, (iv) Meet in the Middle cube attacks, and (v) Cube Attacks based on the Division Property and its extensions (based on Division Trails and Monomial Prediction). For what concerns the latter, we also, focus on formalising the contributions with the introduced notation, lightening the wordiness of the original one. Later we provide an overview of the few frameworks and implementations currently available. We devote a single appendix to describe in detail our framework implementation of the Kite Attack, where we also present Mickey2.0 as a test case. Finally, we resume by convenient tables all of (to the best of our knowledge) the most significant results obtained through the various approaches applied to the principal attacked ciphers, namely: Trivium, Grain, PRESENT, and Keccak. We believe that cube attacks, in particular, combined with Division Property approaches, still have a long road to run across.