Skip to main content

Modeling for Three-Subset Division Property Without Unknown Subset

Improved Cube Attacks Against Trivium and Grain-128AEAD

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12105)

Abstract

A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the feature of the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 841-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 841-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to distinguishing attacks. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds.

Keywords

  • Stream ciphers
  • Cube attack
  • Division property
  • Three-subset division property
  • MILP
  • Trivium
  • Grain-128AEAD

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-45721-1_17
  • Chapter length: 30 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   109.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-45721-1
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   149.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.

Notes

  1. 1.

    They showed that the superpoly of 842-round Trivium can be recovered with the complexity \(2^{32}\), but the unit of the complexity is the breadth-first search algorithm with pruning technique. Even one unit requires to solve many MILPs, and the complexity of the algorithm is not bounded. Therefore, unlike the previous theoretical cube attack [11, 12], we cannot guarantee that it is faster than the exhaustive search.

  2. 2.

    The same idea was already described in [17] although the authors did not use the idea in their model.

  3. 3.

    Our model is very similar to the model for variant three-subset division property proposed in [16], but there are two differences. First, we do not treat the unknown subset. Second, the goal of our model is to enumerate all feasible solutions, but the goal in [16] is to evaluate the feasibility of the model.

  4. 4.

    In [20], the authors showed that the degree of \((1 + s_{94}^{290}) z_{721}\) is bounded by 32 when the correct \(s_{94}^{290}\) is guessed. However, Hao et al. pointed out that the degree is bounded by 32 even if we guess \(s_{94}^{290}\) with incorrect secret key, as a consequence we cannot distinguish the correct key from the wrong keys [24]. Response to this error, Fu et al. reproduced the practical example for 721-round Trivium  [25].

  5. 5.

    The first bit of IV is included in the cube index. When the target is Grain-128a, this attack requires queries to both authentication and encryption-only modes. Note that the first bit of IV can also be active in Grain-128AEAD.

References

  1. Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_9

    CrossRef  Google Scholar 

  2. Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343

    CrossRef  Google Scholar 

  3. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography. SECS, vol. 276, pp. 227–233. Springer, Boston (1994). https://doi.org/10.1007/978-1-4615-2694-0_23

    CrossRef  Google Scholar 

  4. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12

    CrossRef  Google Scholar 

  5. Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_20

    CrossRef  Google Scholar 

  6. Sasaki, Y., Todo, Y.: New differential bounds and division property of Lilliput: block cipher with extended generalized Feistel network. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 264–283. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_15

    CrossRef  Google Scholar 

  7. Todo, Y., Morii, M.: Bit-based division property and application to Simon family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_18

    CrossRef  Google Scholar 

  8. Sugio, N., Igarashi, Y., Kaneko, T., Higuchi, K.: New integral characteristics of KASUMI derived by division property. In: Choi, D., Guilley, S. (eds.) WISA 2016. LNCS, vol. 10144, pp. 267–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56549-1_23

    CrossRef  Google Scholar 

  9. Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_24

    CrossRef  Google Scholar 

  10. Sun, L., Wang, W., Wang, M.: Automatic search of bit-based division property for ARX ciphers and word-based division property. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 128–157. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_5

    CrossRef  Google Scholar 

  11. Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_9

    CrossRef  Google Scholar 

  12. Wang, Q., Hao, Y., Todo, Y., Li, C., Isobe, T., Meier, W.: Improved division property based cube attacks exploiting algebraic properties of superpoly. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 275–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_10

    CrossRef  Google Scholar 

  13. Bernstein, D.J., et al.: Gimli: a cross-platform permutation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 299–320. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_15

    CrossRef  Google Scholar 

  14. Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small present - towards reaching the limit of lightweight encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16

    CrossRef  Google Scholar 

  15. Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_9

    CrossRef  Google Scholar 

  16. Hu, K., Wang, M.: Automatic search for a variant of division property using three subsets. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 412–432. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_21

    CrossRef  Google Scholar 

  17. Wang, S., Hu, B., Guan, J., Zhang, K., Shi, T.: MILP-aided method of searching division property using three subsets and applications. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 398–427. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_14

    CrossRef  Google Scholar 

  18. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_16

    CrossRef  Google Scholar 

  19. Ye, C.D., Tian, T.: Revisit division property based cube attacks: key-recovery or distinguishing attacks? IACR Trans. Symm. Cryptol. 2019(3), 81–102 (2019)

    Google Scholar 

  20. Fu, X., Wang, X., Dong, X., Meier, W.: A key-recovery attack on 855-round Trivium. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 160–184. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_6

    CrossRef  Google Scholar 

  21. Hamann, M., Krause, M.: On stream ciphers with provable beyond-the-birthday-bound security against time-memory-data tradeoff attacks. Cryptogr. Commun. 10(5), 959–1012 (2018). https://doi.org/10.1007/s12095-018-0294-5

    MathSciNet  CrossRef  MATH  Google Scholar 

  22. Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast correlation attack revisited - cryptanalysis on full Grain-128a, Grain-128, and Grain-v1. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_5

    CrossRef  Google Scholar 

  23. Cannière, C.D., Preneel, B.: Trivium specifications. eSTREAM portfolio, Profile 2 (HW) (2006)

    Google Scholar 

  24. Hao, Y., Jiao, L., Li, C., Meier, W., Todo, Y., Wang, Q.: Observations on the dynamic cube attack of 855-round TRIVIUM from Crypto ’18. Cryptology ePrint Archive, Report 2018/972 (2018). https://eprint.iacr.org/2018/972

  25. Fu, X., Wang, X., Dong, X., Meier, W., Hao, Y., Zhao, B.: A refinement of “a key-recovery attack on 855-round Trivium” from crypto 2018. Cryptology ePrint Archive, Report 2018/999 (2018). https://eprint.iacr.org/2018/999

  26. Hell, M., Johansson, T., Meier, W., Sönnerup, J., Yoshida, H.: Grain-128AEAD: a lightweight AEAD stream cipher. Lightweight Cryptography (LWC) Standardization (2019)

    Google Scholar 

  27. Ågren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. IJWMC 5(1), 48–59 (2011)

    CrossRef  Google Scholar 

Download references

Acknowledgement

The authors thank the anonymous Eurocrypt 2020 reviewers for careful reading and many helpful comments. Yonglin Hao is supported by National Key Research and Development Program of China (No. 2018YFA0306404). Gregor Leander is supported by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972. Qingju Wang is funded by the University of Luxembourg Internal Research Project (IRP) FDISC.

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Yonglin Hao or Yosuke Todo .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Hao, Y., Leander, G., Meier, W., Todo, Y., Wang, Q. (2020). Modeling for Three-Subset Division Property Without Unknown Subset. In: Canteaut, A., Ishai, Y. (eds) Advances in Cryptology – EUROCRYPT 2020. EUROCRYPT 2020. Lecture Notes in Computer Science(), vol 12105. Springer, Cham. https://doi.org/10.1007/978-3-030-45721-1_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-45721-1_17

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45720-4

  • Online ISBN: 978-3-030-45721-1

  • eBook Packages: Computer ScienceComputer Science (R0)