Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Kite attack: reshaping the cube attack for a flexible GPU-based maxterm search

  • 146 Accesses


Dinur and Shamir’s cube attack has attracted significant attention in the literature. Nevertheless, the lack of implementations achieving effective results casts doubts on its practical relevance. On the theoretical side, promising results have been recently achieved leveraging on division trails. The present paper follows a more practical approach and aims at giving new impetus to this line of research by means of a cipher-independent flexible framework that is able to carry out the cube attack on GPU/CPU clusters. We address all issues posed by a GPU implementation, providing evidence in support of parallel variants of the attack and identifying viable directions for solving open problems in the future. We report the results of running our GPU-based cube attack against round-reduced versions of three well-known ciphers: Trivium, Grain-128 and SNOW 3G. Our attack against Trivium improves the state of the art, permitting full key recovery for Trivium reduced to (up to) 781 initialization rounds (out of 1152) and finding the first-ever maxterm after 800 rounds. In this paper, we also present the first standard cube attack (i.e., neither dynamic nor tester) to yield maxterms for Grain-128 up to 160 initialization rounds on non-programmable hardware. We include a thorough evaluation of the impact of system parameters and GPU architecture on the performance. Moreover, we demonstrate the scalability of our solution on multi-GPU systems. We believe that our extensive set of results can be useful for the cryptographic engineering community at large and can pave the way to further results in the area.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12


  1. 1.

    The standard assumption is \(\mathbf {v}_{\overline{I}} =\mathbf {0}\), but this is not actually required.

  2. 2.

    Here \(\mathbf {e} _i\) denotes the unit vector with all null coordinates except \(e_i=1\).

  3. 3.

    The work that here is assigned to a single thread can be actually split among any number of threads, reassembling the results at the end. We will not consider this possibility here for the sake of clarity.

  4. 4.

    8 physical cores per CPU—16 logical per CPU with hyperthreading.


  1. 1.

    Appendix to “Kite attack: reshaping the cube attack for a flexible GPU-based maxterm search”. http://www.cranic.it/cryptanalysis.html. Accessed 5 Feb 2019

  2. 2.

    Agnesse, A., Pedicini, M.: Cube attack in finite fields of higher order. In: Proceedings of 9th Australasian Information Security Conference, AISC’11, pp. 9–14. ACS, Inc. (2011)

  3. 3.

    Agostini, E., Bernaschi, M.: Bitcracker: Bitlocker meets GPUs. CoRR (2019). arXiv:1901.01337

  4. 4.

    Ahmadian, Z., Rasoolzadeh, S., Salmasizadeh, M., Aref, M.R.: Automated dynamic cube attack on block ciphers: cryptanalysis of SIMON and KATAN. IACR Cryptol. ePrint Arch. 2015, 40 (2015)

  5. 5.

    Ahmadzadeh, A., Hajihassani, O., Gorgin, S.: A high-performance and energy-efficient exhaustive key search approach via GPU on DES-like cryptosystems. J. Supercomput. (2017). https://doi.org/10.1007/s11227-017-2120-9

  6. 6.

    Aumasson, J.P., Dinur, I., Henzen, L., Meier, W., Shamir, A.: Efficient FPGA implementation of high-dimensional cube testers on the stream cipher Grain-128. In: IACR Cryptology ePrint Archive (2009)

  7. 7.

    Aumasson, J.P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In: FSE, pp. 1–22. Springer (2009)

  8. 8.

    Baksi, A., Maitra, S., Sarkar, S.: New distinguishers for reduced round Trivium and Trivia-SC using cube testers. In: WCC2015—9th International Workshop on Coding and Cryptography (2015)

  9. 9.

    Bernstein, D.J.: Why haven’t cube attacks broken anything? https://cr.yp.to/cubeattacks.html. Accessed 4 April 2018

  10. 10.

    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: CAESAR submission: Ketje v2. https://keccak.team/files/Ketjev2-doc2.0.pdf. Accessed 5 May 2019

  11. 11.

    Biryukov, A., Priemuth-Schmid, D., Zhang, B.: Multiset collision attacks on reduced-round SNOW 3G and SNOW 3G+. In: International Conference on Applied Cryptography and Network Security, ACNS 2010, pp. 139–153. Springer, Berlin (2010)

  12. 12.

    Blum, M., Luby, M., Rubinfeld, R.: Self-testing/correcting with applications to numerical problems. In: ACM Symposium on Theory of Computing, pp. 73–83. ACM (1990)

  13. 13.

    Chakraborti, A., Chattopadhyay, A., Hassan, M., Nandi, M.: TriviA and uTriviA: two fast and secure authenticated encryption schemes. J. Cryptogr. Eng. (2016). https://doi.org/10.1007/s13389-016-0137-2

  14. 14.

    Cianfriglia, M., Guarino, S.: Cryptanalysis on GPUs with the cube attack: design, optimization and performances gains. In: International Conference on High Performance Computing Simulation (HPCS), pp. 753–760 (2017). https://doi.org/10.1109/HPCS.2017.114

  15. 15.

    Cianfriglia, M., Guarino, S., Bernaschi, M., Lombardi, F., Pedicini, M.: A novel GPU-based implementation of the cube attack. In: Applied Cryptography and Network Security: 15th International Conference, ACNS 2017, Kanazawa, Japan, 10–12 July 2017, Proceedings, pp. 184–207. Springer (2017)

  16. 16.

    Dinur, I., Güneysu, T., Paar, C., Shamir, A., Zimmermann, R.: An experimentally verified attack on full Grain-128 using dedicated reconfigurable hardware. In: International Conference on The Theory and Application of Cryptology and Information Security, ASIACRYPT’11, pp. 327–343. Springer, Berlin (2011). https://doi.org/10.1007/978-3-642-25385-0_18

  17. 17.

    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Advances in Cryptology-EUROCRYPT 2009, pp. 278–299. Springer (2009)

  18. 18.

    Dinur, I., Shamir, A.: Breaking Grain-128 with dynamic cube attacks. In: FSE 2011, pp. 167–187. Springer, Berlin (2011)

  19. 19.

    Dinur, I., Shamir, A.: Applying cube attacks to stream ciphers in realistic scenarios. Cryptogr. Commun. 4(3–4), 217–232 (2012)

  20. 20.

    Dong, X., Li, Z., Wang, X., Qin, L.: Cube-like attack on round-reduced initialization of Ketje Sr. IACR Trans. Symmetric Cryptol. 2017(1), 259–280 (2017). https://doi.org/10.13154/tosc.v2017.i1.259-280

  21. 21.

    Fan, X., Gong, G.: On the security of Hummingbird-2 against side channel cube attacks. In: Proceedings of the 4th WEWoRC Workshop, pp. 18–29. Springer, Berlin (2012)

  22. 22.

    Fouque, P.A., Vannet, T.: Improving key recovery to 784 and 799 rounds of Trivium using optimized cube attacks. FSE 2013, Revised Selected Papers, pp. 502–517 (2014)

  23. 23.

    Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theor. 26(4), 401–406 (2006). https://doi.org/10.1109/TIT.1980.1056220

  24. 24.

    Huo, X., Krishnamoorthy, S., Agrawal, G.: Efficient scheduling of recursive control flow on GPUs. In: Proceedings of the 27th International ACM Conference on Supercomputing, ICS’13, pp. 409–420. ACM, New York, NY, USA (2013). https://doi.org/10.1145/2464996.2479870

  25. 25.

    Milo, F., Bernaschi, M., Bisson, M.: A fast, GPU based, dictionary attack to OpenPGP secret keyrings. J. Syst. Softw. 84(12), 2088–2096 (2011)

  26. 26.

    O’Neil, S.: Algebraic structure defectoscopy. In: Tools for Cryptanalysis 2007 Workshop (2007). http://eprint.iacr.org/2007/378

  27. 27.

    Orhanou, G., Youssef, B.: SNOW 3G stream cipher operation and complexity study. Contemp. Eng. Sci. 3, 97–111 (2010)

  28. 28.

    Quedenfeld, F.M., Wolf, C.: Algebraic properties of the cube attack. IACR Cryptol. ePrint Arch. 2013, 800 (2013)

  29. 29.

    Samorodnitsky, A., Trevisan, L.: A PCP characterization of NP with optimal amortized query complexity. In: Proceedings of the ACM Symposium on ToC, pp. 191–199. ACM (2000)

  30. 30.

    Srinivasan, C., Pillai, U.U., Lakshmy, K., Sethumadhavan, M.: Cube attack on stream ciphers using a modified linearity test. J. Discrete Math. Sci. Cryptogr. 18(3), 301–311 (2015)

  31. 31.

    Using shared memory in CUDA C/C++. https://devblogs.nvidia.com/using-shared-memory-cuda-cc/. Accessed 4 Nov 2019

  32. 32.

    Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an algebraic IV differential attack. In: IACR Eprint archive (2007). http://eprint.iacr.org/2007/413. Accessed 5 May 2019

  33. 33.

    Winter, R., Salagean, A., Phan, R.C.W.: Comparison of cube attacks over different vector spaces. In: IMACC 2015, pp. 225–238. Springer, New York (2015)

  34. 34.

    Zhang, H., Wang, X.: Cryptanalysis of stream cipher Grain Family. In: IACR Cryptology ePrint Archive, vol. 2009, p. 109 (2009)

  35. 35.

    Zhang, S., Chen, G., Li, J.: Cube attack on reduced-round Quavium. ICMII-15 Advances in Computer Science Research (2015). https://doi.org/10.2991/icmii-15.2015.25

Download references

Author information

Correspondence to Marco Cianfriglia.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Tables of maxterms and superpolys

Tables of maxterms and superpolys

See Tables 2, 3, 4, and 5.

Table 2 Superpolys after 781 initialization rounds of Trivium
Table 3 Maxterms and superpolys after 799 initialization rounds of Trivium
Table 4 Maxterms and superpolys after 800 initialization rounds of Trivium
Table 5 Maxterms and superpolys after 160 initialization rounds of Grain-128

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Cianfriglia, M., Guarino, S., Bernaschi, M. et al. Kite attack: reshaping the cube attack for a flexible GPU-based maxterm search. J Cryptogr Eng 9, 375–392 (2019). https://doi.org/10.1007/s13389-019-00217-3

Download citation


  • Cube attack
  • Algebraic attacks
  • Graphics processing unit