Cube Attacks on Non-Blackbox Polynomials Based on Division Property

  • Yosuke Todo
  • Takanori Isobe
  • Yonglin Hao
  • Willi Meier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10403)

Abstract

The cube attack is a powerful cryptanalytic technique, and it is especially effective against stream ciphers. Because the internal structure of a stream cipher is too complicated to analyze directly, the classical cube attack treats the cipher as a blackbox. It is therefore an experimental attack: the security can no longer be evaluated once the cube size exceeds what can be summed in practice, e.g., about 40 bits. In this paper, we propose cube attacks on non-blackbox polynomials. Our attacks are built on the division property, which has recently been applied to various block ciphers. The clear advantage is that large cubes can be exploited, because the cipher is never treated as a blackbox. We apply the new cube attack to Trivium, Grain128a, and ACORN. As a result, the secret keys of 832-round Trivium, 183-round Grain128a, and 704-round ACORN are recovered. These are currently the best known key-recovery attacks against these ciphers.
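
The idea the abstract describes, written out as an added example (not code from the paper or its authors): a cube attack against a cipher whose update rule is known, so the keystream bit is expanded symbolically into algebraic normal form and the superpoly of a cube is read off as the coefficient of the cube monomial, instead of being probed blackbox-style with linearity tests. The target here is a constructed 4-bit toy feedback generator (state k0, k1, v0, v1; each round computes t = s0 + s1*s2 + s3 and shifts it in), chosen so the algebra can be checked by hand. Where the paper uses the MILP-modelled division property to bound which key bits can appear in the superpoly of a large cube, this example substitutes direct ANF expansion, which only scales to toy sizes; the offline/online structure (build the superpoly truth table over the involved key bits J with 2^(|I|+|J|) evaluations, then one cube sum under the unknown key filters the candidates) is the part that carries over.

```python
"""Cube attack on a non-blackbox polynomial: toy illustration (added example)."""
from itertools import product

# ---- ANF arithmetic over GF(2). A polynomial is a set of monomials; a monomial
# ---- is a frozenset of variable names (the empty frozenset is the constant 1).
def var(name):
    return {frozenset([name])}

def add(*polys):
    out = set()
    for p in polys:
        out ^= p                 # XOR of polynomials = symmetric difference of monomials
    return out

def mul(a, b):
    out = set()
    for m1 in a:
        for m2 in b:
            out ^= {m1 | m2}     # x*x = x over GF(2), so merging variable sets suffices
    return out

def evaluate(poly, assignment):
    """Evaluate an ANF at a 0/1 assignment of its variables."""
    return sum(all(assignment[v] for v in m) for m in poly) % 2

# ---- The toy target: a constructed 4-bit nonlinear feedback generator (not a real cipher).
KEY_VARS = ("k0", "k1")
IV_VARS = ("v0", "v1")

def keystream_bit(rounds):
    """Symbolic keystream bit after `rounds` updates: state s = (k0, k1, v0, v1),
    each round computes t = s0 + s1*s2 + s3 and shifts t in; the output is the
    feedback bit of the last round. Knowing this rule is what makes the
    polynomial non-blackbox."""
    state = [var(n) for n in KEY_VARS + IV_VARS]
    for _ in range(rounds):
        t = add(state[0], mul(state[1], state[2]), state[3])
        state = state[1:] + [t]
    return state[-1]

# ---- Superpoly, symbolically (non-blackbox) and empirically (blackbox cube sum).
def superpoly(poly, cube, fixed_iv):
    """Coefficient of the cube monomial t_I after fixing the non-cube IV bits:
    f = t_I * p(k) + q with no monomial of q divisible by t_I, so summing f over
    the cube yields exactly p."""
    cube = frozenset(cube)
    p = set()
    for m in poly:
        if any(fixed_iv.get(v) == 0 for v in m):
            continue                                    # monomial vanishes
        m = frozenset(v for v in m if v not in fixed_iv)  # bits fixed to 1 drop out
        if cube <= m:
            p ^= {m - cube}
    return p

def cube_sum(poly, cube, fixed_iv, key):
    """Blackbox-style: XOR the output over all 2^|I| assignments of the cube bits."""
    cube = list(cube)
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        total ^= evaluate(poly, {**key, **fixed_iv, **dict(zip(cube, bits))})
    return total

def involved_key_bits(p):
    """Key bits that actually occur in the superpoly (the set J)."""
    return sorted(set().union(*p)) if p else []

def symbolic_matches_empirical(poly, cube, fixed_iv):
    """Sanity check: the symbolic superpoly equals the cube sum for every key."""
    p = superpoly(poly, cube, fixed_iv)
    for bits in product((0, 1), repeat=len(KEY_VARS)):
        key = dict(zip(KEY_VARS, bits))
        if evaluate(p, key) != cube_sum(poly, cube, fixed_iv, key):
            return False
    return True

# ---- Offline phase: truth table of the superpoly over J. Online phase: one cube sum.
def offline_table(poly, cube, fixed_iv, J):
    """2^(|I|+|J|) evaluations; key bits outside J are set to 0 since they cannot appear."""
    table = {}
    for bits in product((0, 1), repeat=len(J)):
        key = {k: 0 for k in KEY_VARS}
        key.update(zip(J, bits))
        table[bits] = cube_sum(poly, cube, fixed_iv, key)
    return table

def online_candidates(poly, cube, fixed_iv, J, table, secret_key):
    """Cube sum under the unknown key, then keep the J-assignments consistent with it."""
    observed = cube_sum(poly, cube, fixed_iv, secret_key)
    return sorted(bits for bits, val in table.items() if val == observed)

def demo(rounds=3, secret_key=None):
    """Full attack on the toy generator; returns (superpoly, J, surviving J-candidates)."""
    secret_key = secret_key or {"k0": 1, "k1": 1}   # constructed unknown key
    f = keystream_bit(rounds)
    cube, fixed_iv = IV_VARS, {}                      # every IV bit is in the cube here
    p = superpoly(f, cube, fixed_iv)
    J = involved_key_bits(p)
    table = offline_table(f, cube, fixed_iv, J)
    return p, J, online_candidates(f, cube, fixed_iv, J, table, secret_key)

if __name__ == "__main__":
    p, J, cands = demo()
    print("superpoly:", sorted("*".join(sorted(m)) or "1" for m in p))
    print("involved key bits:", J, "-> candidates after one cube sum:", cands)
```

For the 3-round output the ANF is v0 + k0 v1 + k1 v0 v1 + k1 + v0 v1 + k0 + k1 v0, so the cube {v0, v1} has superpoly k1 + 1: J = {k1}, and a single cube sum under the unknown key pins k1 down. The `symbolic_matches_empirical` check is the habit worth keeping when the symbolic step is replaced by a division-property bound: the bound gives a superset of J, and the recovered truth table must still agree with real cube sums.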

Keywords

Cube attack · Stream cipher · Division property · Higher-order differential cryptanalysis · MILP · Trivium · Grain128a · ACORN

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Yosuke Todo, NTT Secure Platform Laboratories, Tokyo, Japan
  • Takanori Isobe, University of Hyogo, Hyogo, Japan
  • Yonglin Hao, Department of Computer Science and Technology, Tsinghua University, Beijing, China
  • Willi Meier, FHNW, Windisch, Switzerland