Abstract
Cube attacks were introduced in Dinur and Shamir (2009) as a cryptanalytic technique that requires only black box access to the underlying cryptosystem. The attack exploits the existence of a low degree polynomial representation of a single output bit (as a function of the key and plaintext bits) in order to recover the secret key. Although cube attacks can be applied in principle to almost any cryptosystem, most block ciphers iteratively apply a highly nonlinear round function (based on Sboxes or arithmetic operations) a large number of times, which makes them resistant to cube attacks. On the other hand, many stream ciphers (such as Trivium (De Cannière and Preneel 2008)) are built from linear or low degree components and are natural targets for cube attacks. In this paper, we describe in detail how to apply cube attacks to stream ciphers in various settings, with different assumptions on the target stream cipher and on the data available to the attacker.
Notes
Throughout this paper, we refer to all polynomials of degree 1 as linear polynomials. Thus, we do not distinguish between affine polynomials in which the value of the free coefficient is one, and polynomials of degree 1 in which the value of this coefficient is zero.
We note that although trivial equations do not give information about the secret key, they can be used in order to distinguish the cipher from a random function [1].
When considering a big cube of dimension d + k and its subcubes of dimension d − 1, there are k + 1 variables which define the big cube whose values stay constant in each subcube. The number of subcubes is \(\binom{d+k}{d-1}\), if we only consider subcubes for which the constant value of the k + 1 variables is zero.
We use the standard notion of distance between functions (which is used in many papers, such as [9]), i.e., the fraction of the domain on which the functions differ.
Analyzing how the previous choices of equations in B influence the probability that the next equation will increase the rank of B seems difficult, and thus we provide a worst-case analysis.
References
Aumasson, J.P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In: Dunkelman, O. (ed.) FSE. Lecture Notes in Computer Science, vol. 5665, pp. 1–22. Springer (2009)
Blum, M., Luby, M., Rubinfeld, R.: Self-testing/correcting with applications to numerical problems. In: STOC, pp. 73–83. ACM (1990)
Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 1807, pp. 392–407. Springer (2000)
De Cannière, C., Preneel, B.: Trivium. In: New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer (2008)
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 5479, pp. 278–299. Springer (2009)
Dinur, I., Shamir, A.: Generic analysis of small cryptographic leaks. In: Breveglieri, L., Joye, M., Koren, I., Naccache, D., Verbauwhede, I. (eds.) FDTC, IEEE Computer Society, pp. 39–48 (2010)
Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC ’02, pp. 75–83. ACM, New York, NY, USA (2002)
Gaborit, P., Ruatta, O.: Efficient erasure list-decoding of Reed-Muller codes. In: 2006 IEEE International Symposium on Information Theory, pp. 148–152 (2006)
Goldreich, O., Goldwasser, S., Lehman, E., Ron, D., Samorodnitsky, A.: Testing monotonicity. Combinatorica 20(3), 301–337 (2000)
Kaufman, T., Litsyn, S., Xie, N.: Breaking the ε-soundness bound of the linearity test over GF(2). SIAM J. Comput. 39(5), 1988–2003 (2010)
Lai, X.: Higher order derivatives and differential cryptanalysis. In: “Symposium on Communication, Coding and Cryptography” in honor of James L. Massey on the Occasion of his 60’th Birthday, pp. 227–233 (1994)
Luby, M., Mitzenmacher, M., Shokrollahi, M.A., Spielman, D.A.: Efficient erasure correcting codes. IEEE Trans. Inf. Theory 47(2), 569–584 (2001)
Reed, I.S.: A class of multiple-error-correcting codes and the decoding scheme. IEEE Trans. Inf. Theory 4(4), 38–49 (1954)
Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack. Cryptology ePrint Archive, Report 2007/413 (2007)
Acknowledgements
The authors thank the anonymous referees for their very helpful comments on earlier versions of this paper.
Appendix: Simulations of generalized linearity tests
In this section, we present simulation results which compare the independent BLR tests and the generalized linearity tests described in Sections 3.2 and 4. The basic simulation procedure checks which one of the two preprocessing methods is able to detect the most nonlinear superpolys induced by an arbitrary big cube of dimension k. Given the specification of the underlying cipher, the results of this basic procedure depend on the selected big cube, and on the keys that are chosen at random by each one of the two preprocessing methods. Thus, we iterate the basic simulation procedure several times in order to estimate the probability that our generalized linearity test performs better than independent BLR tests, using about the same number of cipher evaluations.
The framework of the basic simulation procedure is independent of the underlying cipher. The procedure is given a black box which evaluates an output bit of the cipher for a choice of the public and private variables, and in addition it is given the parameters d, k, ℓ_{1} and ℓ_{2}:
1. Randomly choose k public variables for the big cube.

2. Using the fixed zero key, evaluate the \(\binom{k}{d-1}\) superpolys by summing over all cubes of dimension d − 1 induced by the big cube (while the remaining public variables are fixed to zero).

3. Perform ℓ_{1} independent BLR tests:

   (a) Randomly choose ℓ_{1} pairs of keys.

   (b) For each pair of keys (x, y), evaluate the \(\binom{k}{d-1}\) superpolys at the 3 keys \({\boldsymbol{x}},{\boldsymbol{y}},{\boldsymbol{x}} + {\boldsymbol{y}}\).

   (c) For each superpoly, test whether \(p_{I}[{\bf{0}}] + p_{I}[{\boldsymbol{x}}] + p_{I}[{\boldsymbol{y}}] = p_{I}[{\boldsymbol{x}} + {\boldsymbol{y}}]\), and if not, mark it as nonlinear.

   (d) Let NL_{1} be the number of superpolys that are marked as nonlinear after the ℓ_{1} BLR tests.

4. Perform the generalized linearity tests with a basis of ℓ_{2} keys:

   (a) Select uniformly at random a set of ℓ_{2} linearly independent keys \({\boldsymbol{x_1}},...,{\boldsymbol{x_{\ell_2}}}\).

   (b) Evaluate the \(\binom{k}{d-1}\) superpolys at all \(2^{\ell_2}\) keys of the linear subspace spanned by the basis.

   (c) For each of the \(2^{\ell_2} - 1 - \ell_2\) keys in the linear subspace which are neither zero nor one of the selected basis vectors, perform a generalized linearity test on each of the superpolys, and mark as nonlinear any superpoly which fails at least one test.

   (d) Let NL_{2} be the number of superpolys that are marked as nonlinear after all the generalized linearity tests.

5. Output NL_{1} and NL_{2}.
We performed simulations on a reduced variant of the stream cipher Trivium [4] with 672 initialization rounds. As specified in [5], many maxterms exist for small cubes of dimension d − 1 = 12, and thus we chose d = 13. In addition, we chose k = 22, and so we test \(\binom{22}{12}=646646\) superpolys for linearity.
The values of ℓ_{1} and ℓ_{2} need to be large enough to ensure that we perform significantly more generalized linearity tests than BLR tests using about the same number of superpoly evaluations. On the other hand, if we perform too many linearity tests, both preprocessing methods will detect almost all the nonlinear superpolys, and the comparison will be useless. In our simulations, a reasonable choice is ℓ_{1} = 11 and ℓ_{2} = 5 (i.e., we perform 2^{5} − 1 − 5 = 26 generalized linearity tests). Note that a single execution of the basic simulation procedure evaluates each superpoly 1 + 11 · 3 = 34 times for the BLR tests, and a slightly smaller number of 2^{5} = 32 times for the generalized linearity tests.
In total, we executed the basic simulation procedure 100 times. Even though the generalized linearity tests require slightly fewer superpoly evaluations, they detected more nonlinear functions than the BLR tests in 96 executions of the basic procedure. Thus, the results of our simulations clearly justify using generalized linearity tests in practice.
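The basic simulation procedure above, as an added runnable illustration that is not code from the paper: it is run against a constructed toy black box (a fixed GF(2) polynomial in 5 public and 8 key bits) instead of reduced-round Trivium, so that the cube sums, the BLR tests and the generalized linearity tests finish in well under a second. The generalized linearity test is written in the affine-consistency form, p(y) = Σ_{i∈S} p(x_i) + (|S| + 1)·p(0) mod 2 for every key y = Σ_{i∈S} x_i with |S| ≥ 2; the page does not restate the paper's Section 4 definition, so that form is an assumption here, as are the toy polynomial and the small parameters k = 4, d = 3, ℓ_1 = 2, ℓ_2 = 3 (7 versus 8 superpoly evaluations).

```python
import itertools
import random

# Constructed toy black box standing in for the cipher output bit (it is NOT
# Trivium).  Output is a GF(2) polynomial in public bits v[0..4] and key bits
# x[0..7].  For the big cube {0,1,2,3} and subcubes of dimension 2, the six
# superpolys are, by construction:
#   {0,1}: x0+x1     {0,2}: x2*x3           {1,2}: x0*x1*x2 + x4
#   {0,3}: 1+x5      {1,3}: x0*x1*x2*x3     {2,3}: x6
N_PUB, N_KEY = 5, 8


def black_box(v, x):
    return (v[0] * v[1] * (x[0] ^ x[1])
            ^ v[0] * v[2] * (x[2] & x[3])
            ^ v[1] * v[2] * ((x[0] & x[1] & x[2]) ^ x[4])
            ^ v[0] * v[3] * (1 ^ x[5])
            ^ v[1] * v[3] * (x[0] & x[1] & x[2] & x[3])
            ^ v[2] * v[3] * x[6]
            ^ v[0] * v[1] * v[2] * x[7]      # vanishes when v[2] is fixed to 0
            ^ v[4] * x[0]                    # public variable outside the big cube
            ^ (x[0] & x[1] & x[2]))          # key-only term: cancels in every cube sum


def superpoly(f, cube, key, n_pub=N_PUB):
    """p_I[key]: XOR of f over all 2^|I| assignments to the cube variables I,
    with every public variable outside I fixed to zero (steps 2 and 3(b))."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        v = [0] * n_pub
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= f(v, key)
    return acc


def xor_keys(a, b):
    return tuple(i ^ j for i, j in zip(a, b))


def blr_passes(p, x, y):
    """One BLR test (step 3(c)): p(0) + p(x) + p(y) = p(x + y) over GF(2)."""
    zero = (0,) * len(x)
    return (p(zero) ^ p(x) ^ p(y)) == p(xor_keys(x, y))


def generalized_passes(p, basis):
    """Generalized linearity test (step 4(c)) in affine-consistency form (an
    assumption of this example): an affine p must satisfy, for every key
    y = sum_{i in S} x_i with |S| >= 2,
        p(y) = sum_{i in S} p(x_i) + (|S| + 1) * p(0)   (mod 2).
    That is 2^l - 1 - l checks for l basis keys; one failure proves nonlinearity."""
    zero = (0,) * len(basis[0])
    p0 = p(zero)
    pb = [p(b) for b in basis]
    for r in range(2, len(basis) + 1):
        for subset in itertools.combinations(range(len(basis)), r):
            y = zero
            expected = ((r + 1) * p0) & 1
            for i in subset:
                y = xor_keys(y, basis[i])
                expected ^= pb[i]
            if p(y) != expected:
                return False
    return True


def rank_gf2(vectors):
    """Rank over GF(2) of bit tuples: XOR basis whose members have distinct leading bits."""
    pivots = []
    for vec in vectors:
        x = int("".join(map(str, vec)), 2)
        for b in pivots:
            x = min(x, x ^ b)
        if x:
            pivots.append(x)
    return len(pivots)


def rand_key(rng, n_key=N_KEY):
    return tuple(rng.randrange(2) for _ in range(n_key))


def random_basis(rng, l, n_key=N_KEY):
    """Step 4(a): l uniformly random, linearly independent keys (rejection sampling)."""
    while True:
        cand = [rand_key(rng, n_key) for _ in range(l)]
        if rank_gf2(cand) == l:
            return cand


def evaluations_per_superpoly(l1, l2):
    """Evaluations each method spends per superpoly: 1 + 3*l1 for BLR (the zero
    key, then x, y, x+y per pair) versus 2^l2 for the generalized test."""
    return 1 + 3 * l1, 2 ** l2


def basic_simulation(f, cube_vars, d, l1, l2, rng=None, n_key=N_KEY):
    """Steps 2-5 for a given big cube; returns (NL_1, NL_2)."""
    rng = random.Random(0) if rng is None else rng
    subcubes = list(itertools.combinations(cube_vars, d - 1))
    polys = [lambda key, I=I: superpoly(f, I, key) for I in subcubes]
    pairs = [(rand_key(rng, n_key), rand_key(rng, n_key)) for _ in range(l1)]
    nl1 = sum(any(not blr_passes(p, x, y) for x, y in pairs) for p in polys)
    basis = random_basis(rng, l2, n_key)
    nl2 = sum(not generalized_passes(p, basis) for p in polys)
    return nl1, nl2


if __name__ == "__main__":
    rng = random.Random(2012)
    k, d, l1, l2 = 4, 3, 2, 3
    wins = 0
    for _ in range(50):
        cube_vars = sorted(rng.sample(range(N_PUB), k))          # step 1
        nl1, nl2 = basic_simulation(black_box, cube_vars, d, l1, l2, rng)
        wins += nl2 > nl1
    print("evaluations per superpoly (BLR, generalized):", evaluations_per_superpoly(l1, l2))
    print("generalized test found strictly more nonlinear superpolys in", wins, "of 50 runs")
```

Two properties worth checking when reusing this: neither test ever flags an affine superpoly (both identities hold exactly for affine functions over GF(2)), so NL_1 and NL_2 are bounded by the true number of nonlinear superpolys; and when the basis is the full standard basis of the key space, the generalized test compares p against its affine interpolation at every key and therefore classifies every superpoly exactly, which is a convenient oracle for checking the toy polynomial.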
Cite this article
Dinur, I., Shamir, A. Applying cube attacks to stream ciphers in realistic scenarios. Cryptogr. Commun. 4, 217–232 (2012). https://doi.org/10.1007/s12095-012-0068-4