A Key-Recovery Attack on 855-round Trivium

  • Ximing Fu
  • Xiaoyun Wang
  • Xiaoyang Dong
  • Willi Meier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10992)

Abstract

In this paper, we propose a key-recovery attack on Trivium reduced to 855 rounds. Because the output is a complex Boolean polynomial over the secret key and IV bits and it is hard to solve for the secret key bits, we propose a novel nullification technique for Boolean polynomials that reduces the output polynomial of 855-round Trivium. We then determine an upper bound on the degree of the reduced nonlinear Boolean polynomial and use it to detect the right keys. These techniques are applicable to most stream ciphers based on nonlinear feedback shift registers (NFSR). Our attack on 855-round Trivium has time complexity \(2^{77}\). As far as we know, this is the best key-recovery attack on round-reduced Trivium. To verify our attack, we also give some experimental data on 721-round reduced Trivium.
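The building block behind the degree-bound step of the abstract is the cube sum: XOR the first keystream bit over all assignments of a chosen set of IV bits, and if the output polynomial's degree in those bits is below the cube dimension the sum is 0 for every key. The following is an added example, not the paper's code, that implements Trivium from its specification (288-bit state, key in s1..s80, IV in s94..s173, s286..s288 set to 1, 1152 initialization clocks when unreduced) with a `rounds` parameter giving the number of initialization clocks, and runs that cube-sum check over random keys. The function names `init_state`, `clock`, `keystream`, `cube_sum` and `cube_sums_vanish` are this example's own; the paper's nullification technique itself is not implemented here.

```python
"""Round-reduced Trivium with a cube-sum degree-bound check over IV bits.

Added example; not the paper's code. Assumes the Trivium specification:
a 288-bit state s1..s288, the 80-bit key loaded into s1..s80, the 80-bit
IV into s94..s173, s286..s288 set to 1, and 1152 initialization clocks
for the full cipher. `rounds` is the number of initialization clocks,
the quantity the abstract reduces to 855 (and 721 for experiments).
"""
from itertools import product
import random

FULL_ROUNDS = 4 * 288  # 1152 initialization clocks in unreduced Trivium


def init_state(key, iv):
    """Load key and IV into a 0-indexed 288-bit state (s[i] is spec s_{i+1})."""
    if len(key) != 80 or len(iv) != 80:
        raise ValueError("key and IV must each be 80 bits")
    s = [0] * 288
    s[0:80] = key
    s[93:173] = iv
    s[285] = s[286] = s[287] = 1
    return s


def clock(s):
    """One Trivium clock: update the state in place and return the output bit."""
    t1 = s[65] ^ s[92]                 # s66 + s93
    t2 = s[161] ^ s[176]               # s162 + s177
    t3 = s[242] ^ s[287]               # s243 + s288
    z = t1 ^ t2 ^ t3
    t1 ^= (s[90] & s[91]) ^ s[170]     # + s91*s92 + s171
    t2 ^= (s[174] & s[175]) ^ s[263]   # + s175*s176 + s264
    t3 ^= (s[285] & s[286]) ^ s[68]    # + s286*s287 + s69
    # shift the three registers (93, 84 and 111 bits) and insert feedback
    s[1:93] = s[0:92]
    s[0] = t3
    s[94:177] = s[93:176]
    s[93] = t1
    s[178:288] = s[177:287]
    s[177] = t2
    return z


def keystream(key, iv, rounds=FULL_ROUNDS, nbits=64):
    """Run `rounds` initialization clocks, then emit `nbits` keystream bits."""
    s = init_state(key, iv)
    for _ in range(rounds):
        clock(s)
    return [clock(s) for _ in range(nbits)]


def cube_sum(key, cube, rounds):
    """XOR of the first keystream bit over all 2^|cube| assignments of the
    IV bits indexed by `cube` (0-based), every other IV bit fixed to 0.
    This is the superpoly of the cube evaluated at `key`; it is 0 for every
    key whenever the output's degree in those IV bits is below |cube|."""
    acc = 0
    for assignment in product((0, 1), repeat=len(cube)):
        iv = [0] * 80
        for idx, bit in zip(cube, assignment):
            iv[idx] = bit
        acc ^= keystream(key, iv, rounds, nbits=1)[0]
    return acc


def cube_sums_vanish(cube, rounds, trials=8, seed=1):
    """Degree-bound check: True if the cube sum is 0 for `trials` random keys,
    i.e. consistent with degree < |cube| in the cube's IV bits after `rounds`
    initialization clocks (a statistical sanity check, not a proof)."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = [rng.randint(0, 1) for _ in range(80)]
        if cube_sum(key, cube, rounds) != 0:
            return False
    return True


if __name__ == "__main__":
    # With 0 rounds the first output bit is s66 + s93 + s162 + s177 + s243 + s288,
    # i.e. key bit 66 + IV bit 69 + 1: linear in the IV, so every cube of
    # dimension 2 sums to 0. The output stays linear until the feedback bits
    # reach an output tap (65 clocks for s66); larger `rounds` breaks this.
    for r in (0, 64, 128, 256):
        print(r, cube_sums_vanish([3, 7], r))
```

With few initialization clocks the output taps still read untouched initial-state bits, so the first keystream bit is linear in the IV and the dimension-2 check passes; the point of the paper's reduction techniques is to push such degree bounds out to hundreds of rounds where this naive check no longer works.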

Keywords

Trivium, Nullification technique, Polynomial reduction, IV representation, Key-recovery attack

Notes

Acknowledgement

The authors would like to thank anonymous reviewers for their helpful comments. We also thank National Supercomputing Center in Wuxi for their support of Sunway TaihuLight, which is the most powerful supercomputer. This work was supported by the National Key Research and Development Program of China (Grant No. 2017YFA0303903), and National Cryptography Development Fund (No. MMJJ20170121), and Zhejiang Province Key R&D Project (No. 2017C01062).


Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Ximing Fu (1)
  • Xiaoyun Wang (2, 3, 4)
  • Xiaoyang Dong (2)
  • Willi Meier (5)
  1. Department of Computer Science and Technology, Tsinghua University, Beijing, China
  2. Institute for Advanced Study, Tsinghua University, Beijing, China
  3. School of Mathematics, Shandong University, Jinan, China
  4. Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
  5. FHNW, Windisch, Switzerland