# Applying cube attacks to stream ciphers in realistic scenarios


## Abstract

Cube attacks were introduced in Dinur and Shamir (2009) as a cryptanalytic technique that requires only black box access to the underlying cryptosystem. The attack exploits the existence of a low degree polynomial representation of a single output bit (as a function of the key and plaintext bits) in order to recover the secret key. Although cube attacks can be applied in principle to almost any cryptosystem, most block ciphers iteratively apply a highly non-linear round function (based on Sboxes or arithmetic operations) a large number of times, which makes them resistant to cube attacks. On the other hand, many stream ciphers (such as Trivium (De Cannière and Preneel 2008)) are built using linear or low degree components and are natural targets for cube attacks. In this paper, we describe in detail how to apply cube attacks to stream ciphers in various settings with different assumptions on the target stream cipher and on the data available to the attacker.


## Notes

1. Throughout this paper, we refer to all polynomials of degree 1 as linear polynomials. Thus, we do not distinguish between affine polynomials in which the value of the free coefficient is one, and polynomials of degree 1 in which the value of this coefficient is zero.

2. We note that although trivial equations do not give information about the secret key, they can be used in order to distinguish the cipher from a random function [1].

3. When considering a big cube of dimension d + k and its subcubes of dimension d − 1, there are k + 1 variables which define the big cube whose values stay constant in each subcube. The number of subcubes is $$\binom{d+k}{d-1}$$, if we only consider subcubes for which the constant value of the k + 1 variables is zero.

4. We use the standard notion of distance between functions (which is used in many papers, such as [9]), i.e., the fraction of the domain on which the functions differ.

5. Analyzing how the previous choices of equations in B influence the probability that the next equation will increase the rank of B seems difficult, and thus we provide a worst-case analysis.

## References

1. Aumasson, J.-P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and trivium. In: Dunkelman, O. (ed.) FSE. Lecture Notes in Computer Science, vol. 5665, pp. 1–22. Springer (2009)

2. Blum, M., Luby, M., Rubinfeld, R.: Self-testing/correcting with applications to numerical problems. In: STOC, pp. 73–83. ACM (1990)

3. Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 1807, pp. 392–407. Springer (2000)

4. De Cannière, C., Preneel, B.: Trivium. In: New Stream Cipher Designs. Lecture Notes in Computer Science, vol. 4986, pp. 84–97. Springer (2008)

5. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 5479, pp. 278–299. Springer (2009)

6. Dinur, I., Shamir, A.: Generic analysis of small cryptographic leaks. In: Breveglieri, L., Joye, M., Koren, I., Naccache, D., Verbauwhede, I. (eds.) FDTC, IEEE Computer Society, pp. 39–48 (2010)

7. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC ’02, pp. 75–83. ACM, New York, NY, USA (2002)

8. Gaborit, P., Ruatta, O.: Efficient erasure list-decoding of Reed-Muller codes. In: 2006 IEEE International Symposium on Information Theory, pp. 148–152 (2006)

9. Goldreich, O., Goldwasser, S., Lehman, E., Ron, D., Samorodnitsky, A.: Testing monotonicity. Combinatorica 20(3), 301–337 (2000)

10. Kaufman, T., Litsyn, S., Xie, N.: Breaking the epsilon-soundness bound of the linearity test over GF(2). SIAM J. Comput. 39(5), 1988–2003 (2010)

11. Lai, X.: Higher order derivatives and differential cryptanalysis. In: “Symposium on Communication, Coding and Cryptography” in honor of James L. Massey on the Occasion of his 60th Birthday, pp. 227–233 (1994)

12. Luby, M., Mitzenmacher, M., Shokrollahi, M.A., Spielman, D.A.: Efficient erasure correcting codes. IEEE Trans. Inf. Theory 47(2), 569–584 (2001)

13. Reed, I.S.: A class of multiple-error-correcting codes and the decoding scheme. IEEE Trans. Inf. Theory 4(4), 38–49 (1954)

14. Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack. Cryptology ePrint Archive, Report 2007/413 (2007)

## Acknowledgements

The authors thank the anonymous referees for their very helpful comments on earlier versions of this paper.

## Author information


### Corresponding author

Correspondence to Itai Dinur.

## Appendix: Simulations of generalized linearity tests

In this section, we present simulation results which compare the independent BLR tests and the generalized linearity tests described in Sections 3.2 and 4. The basic simulation procedure checks which of the two preprocessing methods detects the larger number of non-linear superpolys induced by an arbitrary big cube of dimension k. Given the specification of the underlying cipher, the results of this basic procedure depend on the selected big cube, and on the keys that are chosen at random by each of the two preprocessing methods. Thus, we iterate the basic simulation procedure several times in order to estimate the probability that our generalized linearity test performs better than independent BLR tests, using about the same number of cipher evaluations.

The framework of the basic simulation procedure is independent of the underlying cipher. The procedure is given a black box which evaluates an output bit of the cipher for a choice of the public and private variables, and in addition it is given the parameters d, k, ℓ1 and ℓ2:

1. Randomly choose k public variables for the big cube.

2. Using the fixed zero key, evaluate the $$\binom{k}{d-1}$$ superpolys by summing over every cube of dimension d − 1 induced by the big cube (while the remaining public variables are fixed to zero).

3. Perform ℓ1 independent BLR tests:

   (a) Randomly choose ℓ1 pairs of keys.

   (b) For each pair of keys (x, y), evaluate the $$\binom{k}{d-1}$$ superpolys at the 3 keys $${\boldsymbol{x}},{\boldsymbol{y}},{\boldsymbol{x}} + {\boldsymbol{y}}$$.

   (c) For each superpoly, test whether $$p_{I}[{\bf{0}}] + p_{I}[{\boldsymbol{x}}] + p_{I}[{\boldsymbol{y}}] = p_{I}[{\boldsymbol{x}} + {\boldsymbol{y}}]$$, and if not, mark it as non-linear.

   (d) Let NL1 be the number of superpolys that are marked as non-linear after the ℓ1 BLR tests.

4. Perform generalized linearity tests with a basis of size ℓ2:

   (a) Select uniformly at random a linearly independent basis of keys of size ℓ2, $${\boldsymbol{x_1}},...,{\boldsymbol{x_{\ell_2}}}$$.

   (b) Evaluate the $$\binom{k}{d-1}$$ superpolys at all keys of the subspace spanned by the basis.

   (c) For each of the $$2^{\ell_2}-1-\ell_2$$ keys in the linear subspace (which are neither zero nor one of the selected basis vectors), perform a generalized linearity test on each of the superpolys, and mark as non-linear every superpoly which fails at least one test.

   (d) Let NL2 be the number of superpolys that are marked as non-linear after all the generalized linearity tests.

5. Output NL1 and NL2.

We performed simulations on a reduced variant of the stream cipher Trivium [4] with 672 initialization rounds. As specified in [5], many maxterms exist for small cubes of dimension d − 1 = 12, and thus we chose d = 13. In addition, we chose k = 22, and so we test $$\binom{22}{12}=646646$$ superpolys for linearity.

The values of ℓ1 and ℓ2 need to be large enough to ensure that we perform significantly more generalized linearity tests than BLR tests using about the same number of superpoly evaluations. On the other hand, if we perform too many linearity tests, both preprocessing methods will detect almost all the non-linear superpolys, and the comparison will be useless. In our simulations, a reasonable choice is ℓ1 = 11 and ℓ2 = 5 (i.e., we perform $$2^{5} - 1 - 5 = 26$$ generalized linearity tests). Note that a single execution of the basic simulation procedure evaluates each superpoly 1 + 11 · 3 = 34 times for the BLR tests, and a slightly smaller number of $$2^{5} = 32$$ times for the generalized linearity tests.

In total, we executed the basic simulation procedure 100 times. Even though the generalized linearity tests require slightly fewer superpoly evaluations, they were able to detect more non-linear superpolys than the BLR tests in 96 executions of the basic procedure. Thus, the results of our simulations clearly justify using generalized linearity tests in practice.
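The basic simulation procedure above, as an added runnable Python example that is not code from the paper. It replaces reduced-round Trivium with a constructed toy output bit whose algebraic normal form is written out explicitly, so the true superpolys of every subcube are known in advance; it uses a small analogue of the parameters (a 6-dimensional big cube, subcubes of dimension 2, small ℓ1 and ℓ2); and, because the definition of the generalized linearity test from Section 4 is not reproduced on this page, it assumes the natural form of that test, namely the affine relation checked by BLR in step 3(c) extended to every combination of basis vectors. The function names, the toy cipher and the parameter values are all assumptions of the example.

```python
# Added example (not code from the paper): the appendix's simulation procedure
# re-run on a constructed toy black box instead of reduced-round Trivium.
import itertools
import random

N_KEY, N_PUB = 8, 6  # assumed sizes of the key and public (IV) bit vectors

def toy_output_bit(k, v):
    # Constructed GF(2) polynomial in key bits k[i] and public bits v[j].  Of the
    # C(6,2)=15 dimension-2 subcube superpolys only {v2,v3} and {v0,v2} are non-linear.
    t = v[0] & v[1] & (k[0] ^ k[3] ^ 1)        # superpoly of {v0,v1}: k0+k3+1 (affine)
    t ^= v[2] & v[3] & ((k[1] & k[2]) ^ k[4])  # superpoly of {v2,v3}: k1k2+k4 (quadratic)
    t ^= v[0] & v[2] & (k[6] & k[7])           # superpoly of {v0,v2}: k6k7 (quadratic)
    t ^= v[4] & v[5] & k[5]                    # superpoly of {v4,v5}: k5 (linear)
    t ^= v[1] & k[2]                           # degree 1 in v: cancels in any 2-cube
    t ^= v[3] & v[4] & v[5] & (k[0] & k[1])    # degree 3 in v: vanishes in any 2-cube
    return t ^ (k[0] & k[1] & k[2])            # independent of v: cancels

def cube_sum(key, cube_vars, f=toy_output_bit):
    # p_I(key): XOR of f over all 2^|I| assignments to the cube variables I, with
    # every other public variable fixed to zero (steps 2, 3(b) and 4(b)).
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube_vars)):
        pub = [0] * N_PUB
        for var, b in zip(cube_vars, bits): pub[var] = b
        acc ^= f(key, pub)
    return acc

def rand_key(rng): return [rng.randint(0, 1) for _ in range(N_KEY)]
def xor_keys(a, b): return [x ^ y for x, y in zip(a, b)]

def blr_tests(cubes, l1, rng):
    # Step 3: l1 independent affine BLR checks p(0)+p(x)+p(y)=p(x+y) per
    # superpoly.  Returns (flagged set, evaluations per superpoly = 1+3*l1).
    zero = [0] * N_KEY
    p0 = {c: cube_sum(zero, c) for c in cubes}
    flagged = set()
    for _ in range(l1):
        x, y = rand_key(rng), rand_key(rng)
        xy = xor_keys(x, y)
        for c in cubes:
            if p0[c] ^ cube_sum(x, c) ^ cube_sum(y, c) != cube_sum(xy, c):
                flagged.add(c)
    return flagged, 1 + 3 * l1

def is_independent(vecs):
    # GF(2) row reduction on bit-packed keys: True iff vecs are linearly independent.
    pivots = {}
    for v in vecs:
        r = int("".join(map(str, v)), 2)
        while r and (r.bit_length() - 1) in pivots:
            r ^= pivots[r.bit_length() - 1]
        if not r: return False
        pivots[r.bit_length() - 1] = r
    return True

def random_basis(l2, rng):
    # Step 4(a): rejection-sample l2 linearly independent random keys.
    while True:
        vecs = [rand_key(rng) for _ in range(l2)]
        if is_independent(vecs): return vecs

def generalized_tests(cubes, basis):
    # Steps 4(b)-(d).  Assumed form of the test: an affine p must satisfy
    # p(sum_{i in S} x_i) = ((|S|+1) mod 2)*p(0) + sum_{i in S} p(x_i); for |S|=2
    # this is the BLR check of 3(c).  2^l2 evaluations, 2^l2-1-l2 checks per superpoly.
    l2, zero, flagged = len(basis), [0] * N_KEY, set()
    for c in cubes:
        p0, pb = cube_sum(zero, c), [cube_sum(b, c) for b in basis]
        for mask in range(1, 1 << l2):
            if mask & (mask - 1) == 0: continue  # a single basis vector: nothing to check
            key, predicted = zero, (p0 if bin(mask).count("1") % 2 == 0 else 0)
            for i in range(l2):
                if mask >> i & 1: key, predicted = xor_keys(key, basis[i]), predicted ^ pb[i]
            if cube_sum(key, c) != predicted:
                flagged.add(c)
                break
    return flagged, 1 << l2

def exact_nonlinear(cubes):
    # Ground truth for the toy: the unit vectors span the whole key space, so the
    # generalized test with that basis rejects exactly the non-affine superpolys.
    return generalized_tests(cubes, [[int(i == j) for j in range(N_KEY)] for i in range(N_KEY)])[0]

def simulate(big_cube, sub_dim, l1, l2, seed=0):
    # One run of the basic procedure: (NL1 set, cost1, NL2 set, cost2).
    rng = random.Random(seed)
    cubes = list(itertools.combinations(big_cube, sub_dim))
    nl1, cost1 = blr_tests(cubes, l1, rng)
    nl2, cost2 = generalized_tests(cubes, random_basis(l2, rng))
    return nl1, cost1, nl2, cost2

if __name__ == "__main__":
    # Toy analogue of the paper's parameters: l1=2 BLR tests (7 evaluations per
    # superpoly) against a basis of size l2=3 (8 evaluations, 2^3-1-3=4 checks).
    truth = exact_nonlinear(list(itertools.combinations(range(N_PUB), 2)))
    better = worse = 0
    for seed in range(100):
        nl1, _, nl2, _ = simulate(range(N_PUB), 2, l1=2, l2=3, seed=seed)
        assert nl1 <= truth and nl2 <= truth  # an affine superpoly is never flagged
        better += len(nl2) > len(nl1)
        worse += len(nl2) < len(nl1)
    print(f"non-linear: {sorted(truth)}; generalized found more in {better}/100 runs, fewer in {worse}/100")
```

Running the file repeats the procedure for 100 seeds, as the paper does for reduced Trivium, and reports how often the generalized test flagged more superpolys than the BLR tests at roughly equal cost (7 versus 8 evaluations per superpoly). The assertion inside the loop states the property the two methods share: an affine superpoly passes every check, so any difference between NL1 and NL2 lies entirely in how many of the genuinely non-linear superpolys each method catches.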

## Rights and permissions


Dinur, I., Shamir, A. Applying cube attacks to stream ciphers in realistic scenarios. Cryptogr. Commun. 4, 217–232 (2012). https://doi.org/10.1007/s12095-012-0068-4