Modeling for Three-Subset Division Property Without Unknown Subset

Hao, Yonglin; Leander, Gregor; Meier, Willi; Todo, Yosuke; Wang, Qingju

doi:10.1007/978-3-030-45721-1_17

Modeling for Three-Subset Division Property Without Unknown Subset

Improved Cube Attacks Against Trivium and Grain-128AEAD

Yonglin Hao¹⁰,
Gregor Leander¹¹,
Willi Meier¹²,
Yosuke Todo¹³ &
Qingju Wang¹⁴

Conference paper
First Online: 01 May 2020

1738 Accesses
11 Citations

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12105)

Abstract

A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the feature of the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 841-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 841-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to distinguishing attacks. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds.

Keywords

Stream ciphers
Cube attack
Division property
Three-subset division property
MILP
Trivium
Grain-128AEAD

This is a preview of subscription content, access via your institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 109.00; Price excludes VAT (USA)

Softcover Book: USD 149.99; Price excludes VAT (USA)

Learn about institutional subscriptions

Notes

1.
They showed that the superpoly of 842-round Trivium can be recovered with the complexity \(2^{32}\), but the unit of the complexity is the breadth-first search algorithm with pruning technique. Even one unit requires to solve many MILPs, and the complexity of the algorithm is not bounded. Therefore, unlike the previous theoretical cube attack [11, 12], we cannot guarantee that it is faster than the exhaustive search.
2.
The same idea was already described in [17] although the authors did not use the idea in their model.
3.
Our model is very similar to the model for variant three-subset division property proposed in [16], but there are two differences. First, we do not treat the unknown subset. Second, the goal of our model is to enumerate all feasible solutions, but the goal in [16] is to evaluate the feasibility of the model.
4.
In [20], the authors showed that the degree of \((1 + s_{94}^{290}) z_{721}\) is bounded by 32 when the correct \(s_{94}^{290}\) is guessed. However, Hao et al. pointed out that the degree is bounded by 32 even if we guess \(s_{94}^{290}\) with incorrect secret key, as a consequence we cannot distinguish the correct key from the wrong keys [24]. Response to this error, Fu et al. reproduced the practical example for 721-round Trivium [25].
5.
The first bit of IV is included in the cube index. When the target is Grain-128a, this attack requires queries to both authentication and encryption-only modes. Note that the first bit of IV can also be active in Grain-128AEAD.

References

Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_9
CrossRef Google Scholar
Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343
CrossRef Google Scholar
Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography. SECS, vol. 276, pp. 227–233. Springer, Boston (1994). https://doi.org/10.1007/978-1-4615-2694-0_23
CrossRef Google Scholar
Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12
CrossRef Google Scholar
Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_20
CrossRef Google Scholar
Sasaki, Y., Todo, Y.: New differential bounds and division property of Lilliput: block cipher with extended generalized Feistel network. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 264–283. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_15
CrossRef Google Scholar
Todo, Y., Morii, M.: Bit-based division property and application to Simon family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_18
CrossRef Google Scholar
Sugio, N., Igarashi, Y., Kaneko, T., Higuchi, K.: New integral characteristics of KASUMI derived by division property. In: Choi, D., Guilley, S. (eds.) WISA 2016. LNCS, vol. 10144, pp. 267–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56549-1_23
CrossRef Google Scholar
Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_24
CrossRef Google Scholar
Sun, L., Wang, W., Wang, M.: Automatic search of bit-based division property for ARX ciphers and word-based division property. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 128–157. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_5
CrossRef Google Scholar
Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_9
CrossRef Google Scholar
Wang, Q., Hao, Y., Todo, Y., Li, C., Isobe, T., Meier, W.: Improved division property based cube attacks exploiting algebraic properties of superpoly. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 275–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_10
CrossRef Google Scholar
Bernstein, D.J., et al.: Gimli: a cross-platform permutation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 299–320. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_15
CrossRef Google Scholar
Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small present - towards reaching the limit of lightweight encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16
CrossRef Google Scholar
Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_9
CrossRef Google Scholar
Hu, K., Wang, M.: Automatic search for a variant of division property using three subsets. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 412–432. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_21
CrossRef Google Scholar
Wang, S., Hu, B., Guan, J., Zhang, K., Shi, T.: MILP-aided method of searching division property using three subsets and applications. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 398–427. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_14
CrossRef Google Scholar
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_16
CrossRef Google Scholar
Ye, C.D., Tian, T.: Revisit division property based cube attacks: key-recovery or distinguishing attacks? IACR Trans. Symm. Cryptol. 2019(3), 81–102 (2019)
Google Scholar
Fu, X., Wang, X., Dong, X., Meier, W.: A key-recovery attack on 855-round Trivium. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 160–184. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_6
CrossRef Google Scholar
Hamann, M., Krause, M.: On stream ciphers with provable beyond-the-birthday-bound security against time-memory-data tradeoff attacks. Cryptogr. Commun. 10(5), 959–1012 (2018). https://doi.org/10.1007/s12095-018-0294-5
MathSciNet CrossRef MATH Google Scholar
Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast correlation attack revisited - cryptanalysis on full Grain-128a, Grain-128, and Grain-v1. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_5
CrossRef Google Scholar
Cannière, C.D., Preneel, B.: Trivium specifications. eSTREAM portfolio, Profile 2 (HW) (2006)
Google Scholar
Hao, Y., Jiao, L., Li, C., Meier, W., Todo, Y., Wang, Q.: Observations on the dynamic cube attack of 855-round TRIVIUM from Crypto ’18. Cryptology ePrint Archive, Report 2018/972 (2018). https://eprint.iacr.org/2018/972
Fu, X., Wang, X., Dong, X., Meier, W., Hao, Y., Zhao, B.: A refinement of “a key-recovery attack on 855-round Trivium” from crypto 2018. Cryptology ePrint Archive, Report 2018/999 (2018). https://eprint.iacr.org/2018/999
Hell, M., Johansson, T., Meier, W., Sönnerup, J., Yoshida, H.: Grain-128AEAD: a lightweight AEAD stream cipher. Lightweight Cryptography (LWC) Standardization (2019)
Google Scholar
Ågren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. IJWMC 5(1), 48–59 (2011)
CrossRef Google Scholar

Download references

Acknowledgement

The authors thank the anonymous Eurocrypt 2020 reviewers for careful reading and many helpful comments. Yonglin Hao is supported by National Key Research and Development Program of China (No. 2018YFA0306404). Gregor Leander is supported by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972. Qingju Wang is funded by the University of Luxembourg Internal Research Project (IRP) FDISC.

Author information

Authors and Affiliations

State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
Yonglin Hao
Horst Görtz Institute for IT Security, Ruhr University Bochum, Bochum, Germany
Gregor Leander
FHNW, Windisch, Switzerland
Willi Meier
NTT Secure Platform Laboratories, Tokyo, 180-8585, Japan
Yosuke Todo
SnT, University of Luxembourg, Esch-sur-Alzette, Luxembourg
Qingju Wang

Authors

Yonglin Hao
View author publications
You can also search for this author in PubMed Google Scholar
Gregor Leander
View author publications
You can also search for this author in PubMed Google Scholar
Willi Meier
View author publications
You can also search for this author in PubMed Google Scholar
Yosuke Todo
View author publications
You can also search for this author in PubMed Google Scholar
Qingju Wang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Yonglin Hao or Yosuke Todo .

Editor information

Editors and Affiliations

Équipe-projet COSMIQ, Inria, Paris, France
Anne Canteaut
Computer Science Department, Technion, Haifa, Israel
Yuval Ishai

Rights and permissions

Reprints and Permissions

Copyright information

About this paper

Cite this paper

Hao, Y., Leander, G., Meier, W., Todo, Y., Wang, Q. (2020). Modeling for Three-Subset Division Property Without Unknown Subset. In: Canteaut, A., Ishai, Y. (eds) Advances in Cryptology – EUROCRYPT 2020. EUROCRYPT 2020. Lecture Notes in Computer Science(), vol 12105. Springer, Cham. https://doi.org/10.1007/978-3-030-45721-1_17

Download citation

DOI: https://doi.org/10.1007/978-3-030-45721-1_17
Published: 01 May 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45720-4
Online ISBN: 978-3-030-45721-1
eBook Packages: Computer ScienceComputer Science (R0)

Published in cooperation with
International Association for Cryptologic Research