An improved degree evaluation method of NFSR-based cryptosystems

Abstract

In this paper, we study the algebraic degree evaluation of NFSR-based cryptosystems. The degree evaluation method based on the numeric mapping proposed by Liu at CRYPTO 2017 is very fast and could be applied to a cube of any size. The numeric degree of \(f_1(\varvec{x},\varvec{v})\times f_2(\varvec{x},\varvec{v})\) is estimated as \(D_1+D_2\), where \(D_1\) and \(D_2\) are the numeric degrees of \(f_1\) and \(f_2\) respectively and the algebraic degree of a function is no more than its numeric degree. It can be observed that some variables may be counted twice in \(D_1+D_2\) and the precise of the numerical mapping heavily depends on how many variables are counted redundantly. When applied to an iterative cryptosystem, such redundances will accumulate during iteratively computing numeric degrees. This is an important factor accounting for the difference between the numeric degree and the algebraic degree of a cryptosystem. To reduce this difference, a new framework on the degree evaluation algorithm based on the numeric mapping is proposed. The main idea is to identify variables which are repeatedly counted in the numeric mapping and eliminate the redundant degrees on these variables. As illustrations, a concrete algorithm on Trivium-like ciphers is given which is shown to be useful in correlation cube attacks and the zero-sum distinguisher search. For correlation cube attacks on 835-round Trivium, we find some more useful cubes so that we could recover about 1.5 more bits at a cost of \(2^{40.7}\). Furthermore, we find several cubes leading to zero-sum distinguishers for Kreyvium variants with from 875 to 880 initialization rounds.

Appendix

1.1 A. The details of the procedure DegEva

In this subsection, based on the work in Ref. [23], we present the details of the procedure DegEva, which are shown in Algorithms 3 and 4. In procedure DegEva, procedure \(\text {DegMul}(g_\lambda ^{(t)})\) is called for \(\lambda \in \{A,B,C\}\). For simplicity, we only present \(\text {DegMul}(g_A^{(t)})\) in Algorithm 4 since the other two are similar.

1.2 B. The cubes, equations and probabilities

In this subsection, for the cubes used to enhance the attacks on the 835-round Trivium, we present the corresponding equations and the correlation probability. When exploiting the correlation probability, we test not only the simple expressions in the low-degree basis set, but also some other simple expressions. Namely, given a useful cube C, for each expression in the set

$$\begin{aligned} \Omega =\{f_i=k_i|0\le i\le 79\}\cup \{g_i=k_{i+25}k_{i+26}\oplus k_{i}\oplus k_{i+27}\Vert 0\le i\le 52\}\cup \{k_{78}k_{79}\oplus k_{53}\}, \end{aligned}$$

we calculate the its correlation probability with the superpoly. As a result, we could obtained more equations. We summarize our results in Table 8. In the third column of Table 8, the expressions in purple are the extra equation which are not in the low-degree basis set.

Table 8 Useful cubes in correlation cube attacks (Color table online)