Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

  • Jean-Philippe Aumasson
  • Itai Dinur
  • Willi Meier
  • Adi Shamir
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5665)


CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced-round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect nonrandomness over 885 rounds in 2^27, improving on the original 767-round cube attack.
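As an added illustration of the cube-summation principle that both the key-recovery attack and the cube testers rest on (example code written for this page, not the authors' implementation), the following Python script implements Trivium's state update and initialisation from the public specification, then runs a constant-superpoly cube tester and the BLR-style linearity check used in cube-attack preprocessing against a reduced number of initialisation rounds. The key/IV bit-ordering convention, the cube positions, the number of random keys and the round counts are illustrative choices made here; the 100 to 500 round settings are far below the 790 rounds the paper reaches and are chosen only so the script runs in seconds on a laptop.

```python
"""Cube tester on reduced-round Trivium (added example; not the paper's code).

Summing one output bit over all 2^k assignments of k chosen public IV bits
(the "cube"), with the key fixed, yields the coefficient of the monomial
x_{i1}*...*x_{ik} in the output's algebraic normal form over GF(2): the
superpoly.  If the output has degree < k in the IV bits, the superpoly is
identically 0 for every key, whereas a random function would give 0 with
probability 1/2 per key.  That is the constant-superpoly cube tester.
"""
import random

KEY_BITS = 80
IV_BITS = 80


def trivium_clock(s):
    """One clock of the 288-bit Trivium state (0-indexed list); returns z."""
    t1 = s[65] ^ s[92]                 # s66 + s93
    t2 = s[161] ^ s[176]               # s162 + s177
    t3 = s[242] ^ s[287]               # s243 + s288
    z = t1 ^ t2 ^ t3                   # keystream bit of this clock
    t1 ^= (s[90] & s[91]) ^ s[170]     # + s91*s92 + s171
    t2 ^= (s[174] & s[175]) ^ s[263]   # + s175*s176 + s264
    t3 ^= (s[285] & s[286]) ^ s[68]    # + s286*s287 + s69
    s[1:93] = s[0:92]                  # shift register A, insert t3 at s1
    s[0] = t3
    s[94:177] = s[93:176]              # shift register B, insert t1 at s94
    s[93] = t1
    s[178:288] = s[177:287]            # shift register C, insert t2 at s178
    s[177] = t2
    return z


def trivium_init(key, iv, rounds):
    """Load key/IV and run `rounds` initialisation clocks (full cipher: 1152).

    Bit convention assumed here: key[i] is K_{i+1} and iv[i] is IV_{i+1} of the
    specification; the byte-oriented ordering of the eSTREAM test vectors is
    not reproduced, so this is not a test-vector-compatible implementation.
    """
    assert len(key) == KEY_BITS and len(iv) == IV_BITS
    s = [0] * 288
    s[0:80] = key                     # s1..s80   <- key
    s[93:173] = iv                    # s94..s173 <- IV
    s[285] = s[286] = s[287] = 1      # s286, s287, s288 <- 1
    for _ in range(rounds):
        trivium_clock(s)
    return s


def first_keystream_bit(key, iv, rounds):
    """First output bit after `rounds` initialisation clocks."""
    return trivium_clock(trivium_init(key, iv, rounds))


def cube_sum(key, cube, rounds, base_iv=None):
    """XOR of the first keystream bit over all 2^|cube| settings of the cube
    IV positions; other IV bits come from base_iv (default: all zero).
    This is the superpoly of the cube evaluated at (key, base_iv)."""
    iv = list(base_iv) if base_iv is not None else [0] * IV_BITS
    acc = 0
    for x in range(1 << len(cube)):
        for j, pos in enumerate(cube):
            iv[pos] = (x >> j) & 1
        acc ^= first_keystream_bit(key, iv, rounds)
    return acc


def random_key(rng):
    return [rng.getrandbits(1) for _ in range(KEY_BITS)]


def cube_tester(cube, rounds, num_keys=8, seed=1):
    """Constant-superpoly tester: cube sums for num_keys random keys.  All
    equal (all 0 or all 1) flags nonrandomness; an ideal random function
    would produce that with probability 2^-(num_keys-1)."""
    rng = random.Random(seed)
    return [cube_sum(random_key(rng), cube, rounds) for _ in range(num_keys)]


def is_nonrandom(sums):
    return len(set(sums)) == 1


def superpoly_linearity_test(cube, rounds, trials=4, seed=2):
    """BLR-style check from cube-attack preprocessing: a linear superpoly p
    satisfies p(0)+p(a)+p(b)+p(a+b)=0 for all keys a, b.  Returns True if no
    trial violates it (a constant superpoly passes trivially)."""
    rng = random.Random(seed)
    p0 = cube_sum([0] * KEY_BITS, cube, rounds)
    for _ in range(trials):
        a, b = random_key(rng), random_key(rng)
        ab = [x ^ y for x, y in zip(a, b)]
        if p0 ^ cube_sum(a, cube, rounds) ^ cube_sum(b, cube, rounds) \
                ^ cube_sum(ab, cube, rounds):
            return False
    return True


if __name__ == "__main__":
    cube = [0, 13, 27, 41, 55, 79]    # six IV positions, an arbitrary choice
    for rounds in (100, 200, 300, 400, 500):
        sums = cube_tester(cube, rounds)
        print(rounds, sums,
              "nonrandom" if is_nonrandom(sums) else "no verdict",
              "linear" if superpoly_linearity_test(cube, rounds) else "nonlinear")
```

At a few hundred initialisation rounds the output is still of low degree in the IV bits, so every 6-bit cube sums to 0 for every key and the linearity test passes vacuously; as the round count grows the sums start to vary between keys and the tester loses its verdict, which is exactly the effect the paper pushes to 790 and 885 rounds with larger cubes and a 2^27 to 2^30 budget.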


Keywords: Hash function; Stream cipher; Compression function; Algebraic attack; Online phase


  1. Alon, N., Kaufman, T., Krivelevich, M., Litsyn, S., Ron, D.: Testing low-degree polynomials over GF(2). In: Arora, S., Jansen, K., Rolim, J.D.P., Sahai, A. (eds.) RANDOM 2003 and APPROX 2003. LNCS, vol. 2764, pp. 188–199. Springer, Heidelberg (2003)
  2. Aumasson, J.-P., Meier, W.: Analysis of multivariate hash functions. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 309–323. Springer, Heidelberg (2007)
  3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak specifications. Submission to NIST 2008 (2008)
  4. Billet, O., Robshaw, M.J.B., Peyrin, T.: On building hash functions from multivariate quadratic equations. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 82–95. Springer, Heidelberg (2007)
  5. Blum, M., Luby, M., Rubinfeld, R.: Self-testing/correcting with applications to numerical problems. In: STOC, pp. 73–83. ACM, New York (1990)
  6. De Cannière, C., Preneel, B.: Trivium. In: Robshaw, M.J.B., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 244–266. Springer, Heidelberg (2008)
  7. Crutchfield, C.Y.: Security proofs for the MD6 hash function mode of operation. Master's thesis, Massachusetts Institute of Technology (2008)
  8. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. IACR ePrint Archive, Report 2008/385, version 20080914:160327 (2008)
  9. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009); see also [8]
  10. Englund, H., Johansson, T., Turan, M.S.: A framework for chosen IV statistical analysis of stream ciphers. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 268–281. Springer, Heidelberg (2007)
  11. Filiol, E.: A new statistical testing for symmetric ciphers and hash functions. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 342–353. Springer, Heidelberg (2002)
  12. Fischer, S., Khazaei, S., Meier, W.: Chosen IV statistical analysis for key recovery attacks on stream ciphers. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 236–245. Springer, Heidelberg (2008)
  13. Kaufman, T., Ron, D.: Testing polynomials over general fields. In: FOCS, pp. 413–422. IEEE Computer Society, Los Alamitos (2004)
  14. Kaufman, T., Sudan, M.: Algebraic property testing: the role of invariance. In: Ladner, R.E., Dwork, C. (eds.) STOC, pp. 403–412. ACM, New York (2008)
  15. Khazaei, S., Meier, W.: New directions in cryptanalysis of self-synchronizing stream ciphers. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 15–26. Springer, Heidelberg (2008)
  16. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
  17. Lucks, S.: The saturation attack - a bait for Twofish. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 1–15. Springer, Heidelberg (2001)
  18. Martin, J.W.: ESSENCE: A candidate hashing algorithm for the NIST competition. Submission to NIST (2008)
  19. Maximov, A., Biryukov, A.: Two trivial attacks on Trivium. In: Adams, C.M., Miri, A., Wiener, M.J. (eds.) SAC 2007. LNCS, vol. 4876, pp. 36–55. Springer, Heidelberg (2007)
  20. McDonald, C., Charnes, C., Pieprzyk, J.: Attacking Bivium with MiniSat. eSTREAM, ECRYPT Stream Cipher Project, Report 2007/040 (2007)
  21. O'Neil, S.: Algebraic structure defectoscopy. IACR ePrint Archive, Report 2007/378 (2007)
  22. Pasalic, E.: Transforming chosen IV attack into a key differential attack: how to break TRIVIUM and similar designs. IACR ePrint Archive, Report 2008/443 (2008)
  23. Raddum, H.: Cryptanalytic results on Trivium. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/001 (2006)
  24. Rivest, R.L.: The MD6 hash function. Invited talk at CRYPTO 2008 (2008)
  25. Rivest, R.L., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash function – a proposal to NIST for SHA-3
  26. Rubinfeld, R., Sudan, M.: Robust characterizations of polynomials with applications to program testing. SIAM J. Comput. 25(2), 252–271 (1996)
  27. Saarinen, M.-J.O.: Chosen-IV statistical attacks on eStream ciphers. In: Malek, M., Fernández-Medina, E., Hernando, J. (eds.) SECRYPT, pp. 260–266. INSTICC Press (2006)
  28. Samorodnitsky, A.: Low-degree tests at large distances. In: Johnson, D.S., Feige, U. (eds.) STOC, pp. 506–515. ACM, New York (2007)
  29. Shamir, A.: How to solve it: New techniques in algebraic cryptanalysis. Invited talk at CRYPTO 2008 (2008)
  30. Tao, T.: The dichotomy between structure and randomness, arithmetic progressions, and the primes. In: International Congress of Mathematicians, pp. 581–608. European Mathematical Society (2006)
  31. Turan, M.S., Kara, O.: Linear approximations for 2-round Trivium. eSTREAM, ECRYPT Stream Cipher Project, Report 2007/008 (2007)
  32. Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an algebraic IV differential attack. IACR ePrint Archive, Report 2007/413 (2007)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Philippe Aumasson (1)
  • Itai Dinur (2)
  • Willi Meier (1)
  • Adi Shamir (2)
  1. FHNW, Windisch, Switzerland
  2. Computer Science Department, The Weizmann Institute, Rehovot, Israel
