
1 Introduction

The cube attack is one of the general cryptanalytic techniques against symmetric-key cryptosystems, proposed by Dinur and Shamir [11]. In particular, the cube attack has been successfully applied to various stream ciphers [4, 10, 12, 14, 25]. Let \({\varvec{x}}\) and \({\varvec{v}}\) be the secret and public variables of a stream cipher, respectively, and let \(f({\varvec{x}}, {\varvec{v}})\) be the first bit of the key stream. Some bits in \({\varvec{v}}\) are active, i.e., they take all possible combinations of values. The set of these values is called a cube, and the sum of \(f({\varvec{x}}, {\varvec{v}})\) over all values of the cube is evaluated. This sum is again a polynomial whose inputs are \({\varvec{x}}\) and \({\varvec{v}}\), and this polynomial is called the superpoly of the cube. The superpoly is simpler than the original \(f({\varvec{x}}, {\varvec{v}})\), and the secret variables \({\varvec{x}}\) are recovered by analyzing this simplified polynomial. Unfortunately, it is really difficult to analyze the structure of the superpoly. Therefore, the target stream cipher \(f({\varvec{x}}, {\varvec{v}})\) is normally regarded as a blackbox polynomial in the cube attack, and this blackbox polynomial is evaluated experimentally. In the original paper of the cube attack [11], the authors introduced a linearity test to reveal the structure of the superpoly. If the linearity test always passes, the Algebraic Normal Form (ANF) of the superpoly is recovered by assuming that the superpoly is linear. Moreover, a quadraticity test was introduced in [24], and the ANF of the superpoly is recovered similarly. The quadraticity test was also used in the current best key-recovery attack against Trivium [14]. Note that these are experimental cryptanalyses, and it is possible that such cube attacks do not actually work. For example, if the superpoly is a highly unbalanced function of specific variables, we cannot ignore the probability that the linearity and quadraticity tests fail.

The difference between the cube attack and the higher-order differential attack has often been discussed. The higher-order differential attack was proposed by Lai [20]. Assuming that the algebraic degree of f is at most d, Lai showed that the algebraic degree of the ith order difference is at most \(d-i\). Then, Knudsen showed the effectiveness of the higher-order differential attack on toy block ciphers [18]. Nowadays, many advanced techniques similar to the higher-order differential attack have been developed to analyze block ciphers, e.g., the integral attack [8, 19, 22].

The cube attack can in some sense be seen as a type of higher-order differential attack because it also evaluates the behavior of a higher-order difference. However, the main difference between the cube attack and the common higher-order differential attack is whether or not secret variables are directly recovered from the characteristic, and understanding this difference is very important when considering key-recovery attacks against stream ciphers. When a block cipher is analyzed, attackers first evaluate the algebraic degree of the reduced-round block cipher and construct a higher-order differential characteristic, where the \((d+1)\)th order difference is always 0 if the degree is at most d. Then, the key recovery is appended independently after the higher-order differential characteristic. Namely, attackers guess the round keys used in the last several rounds and compute the \((d+1)\)th order difference of the ciphertexts of the reduced-round block cipher. If the correct round key is guessed, the \((d+1)\)th order difference is always 0. In other words, if the \((d+1)\)th order difference is not 0, the guessed round keys are incorrect.

Note that we cannot use this strategy for the key-recovery attack against many stream ciphers because the secret key is generally used only during the initialization phase and is not involved when generating the keystream, i.e., even if there is a distinguisher in the keystream, it cannot be directly utilized for key-recovery attacks by appending key-recovery rounds in the keystream generation phase, unlike key-recovery attacks on block ciphers. To execute a key-recovery attack on stream ciphers, we have to recover the secret key by using only the keystreams that attackers can observe. Therefore, more advanced and complicated analyses are required than the simple degree estimation of the common higher-order differential attack or the square, saturation, and integral characteristics. In the context of the cube attack, we have to analyze the ANF of the superpoly. Such an analysis is unlikely to succeed because symmetric-key cryptosystems are complicated. Therefore, stream ciphers have been analyzed experimentally in the cube attack.

Another important related work for understanding this paper is the division property, which is a new method to construct higher-order differential (integral) characteristics [31]. The division property is a generalization of the integral property [19] that can also exploit the algebraic degree at the same time, and it allows us to evaluate more accurate higher-order differential characteristics. Moreover, the bit-based division property was introduced in [32], and three propagation rules, for the basic operations and, xor, and copy, were shown. While arbitrary block ciphers can be evaluated by using the bit-based division property, doing so requires much time and memory [32]. Therefore, the application was first limited to block ciphers with a small block length, like Simon32 or Simeck32. In [34], Xiang et al. showed how to model the propagation of the bit-based division property by using mixed integer linear programming (MILP). Moreover, they showed that MILP solvers can efficiently evaluate the propagation. To demonstrate the effectiveness, accurate propagations of the bit-based division property for six lightweight block ciphers including Simon128 were shown.

Our Contribution. The most important step in a cube attack is the superpoly recovery. If the superpoly can be recovered more efficiently than by brute-force search, this reveals some vulnerability of the symmetric-key cipher. Superpolys are recovered experimentally in the conventional cube attack. The advantage of such an approach is that we do not need to analyze the structure of f in detail. On the other hand, there are significant drawbacks in the experimental analysis.

  • The size of a cube is limited to the experimental range because we have to compute the sum of f over the cube. It may be possible to try a cube whose size is at most 40 on current computers, but it requires an incredible effort in terms of both money and time. Therefore, it is practically infeasible to execute the cube attack when the cube size exceeds 40.

  • The prediction of the true security of target stream ciphers is an important motivation of cryptanalyses. Since the evaluation is limited to the experimental range, it is difficult to predict the impact of the cube attack under future high-performance computers.

  • Since the stream cipher is regarded as a blackbox, the feedback to designers is limited.

To overcome these drawbacks, we propose the cube attack on non-blackbox polynomials.

Our analysis is based on the propagation of the (bit-based) division property, and as far as we know, it is the first application of the division property to stream ciphers. Since the division property is a tool to find higher-order differential characteristics, its trivial application is only useful to find zero-sum integral distinguishers, where the sum of the first bit of the key stream over the cube is always 0 for any secret key. As mentioned earlier, it is nontrivial to recover the secret key of stream ciphers by using a zero-sum integral distinguisher. Therefore, we propose a novel application of the division property to recover the secret key. Our technique uses the division property to analyze the ANF of \(f({\varvec{x}}, {\varvec{v}})\) by evaluating propagations from multiple input division properties chosen according to a cube. Finally, we can identify secret variables that are not involved in the superpoly of the cube. This allows us to compute an upper bound of the time complexity for the superpoly recovery. Note that the superpoly recovery directly reveals some vulnerability of symmetric-key ciphers, and we discuss this issue in Sect. 4.

Let I be a set of cube indices. After the evaluation of the division property, we get a set of indices J, where \(x_j~(j \in J)\) is involved in the superpoly. Then, the variation of the sum over the cube is at most \(2^{|J|}\) for each constant part of the public variables, where |J| denotes the size of J. All sums are evaluated by guessing the |J|-bit secret variables, and the time complexity to recover the ANF of the superpoly is \(2^{|I|+|J|}\) encryptions. Finally, we query the encryption oracle and get the sum over the cube. Then, we obtain one polynomial equation in the secret variables, and the secret variables are recovered from the polynomial.

Table 1. Summary of results. The time complexity in this table shows the time complexity to recover the superpoly of a cube.

Table 1 shows the summary of applications. We applied our new cube attack to Trivium [6], Grain128a [3], and ACORN [33]. Trivium is part of the eSTREAM portfolio [1], and it is one of the most analyzed stream ciphers. The initialization is 1152 rounds. The secret key of Trivium with 767 initialization rounds was recovered in the proposal paper of the cube attack [11]. Then, an improved cube attack was proposed in [14], and the secret key of Trivium with 799 initialization rounds is recovered. This is the current best key-recovery attack against Trivium. Our new cube attack recovers the secret key of Trivium with 832 initialization rounds. Grain128a is a member of the Grain family of stream ciphers and is standardized by ISO/IEC 29167-13 [16]. The initialization is 256 rounds. The conditional differential cryptanalysis was applied to Grain128a, and a distinguishing attack against Grain128a with 177 initialization rounds was shown under the single-key setting [21]. On the other hand, no key-recovery attack is known. Our new cube attack recovers the secret key of Grain128a with 183 initialization rounds. Unfortunately, when we applied our technique to the practical cube attack, i.e., with a small cube size, we could not find a balanced superpoly. In such a case, the amount of recovered information is less than 1 bit. Since we cannot say that a balanced superpoly is efficiently found for large cube sizes, the feasibility of the key recovery is speculative. However, 183 rounds are at least vulnerable because the superpoly recovery is more efficient than the brute-force search. ACORN is an authenticated encryption scheme and one of the 3rd round candidates in the CAESAR competition [2]. The structure is based on a non-linear feedback shift register (NLFSR) like Trivium and Grain. Before the output of key streams, the secret key and initialization vector (iv) are sequentially XORed into the NLFSR, and then the associated data is sequentially XORed. In the nonce-respecting setting, we cannot select cube bits from the associated data. Therefore, the initialization is regarded as 2048 rounds when there is no associated data. The cube attack was applied in [25], and the secret key of ACORN with 503 initialization rounds is recovered. Our new cube attack recovers the secret key of ACORN with 704 initialization rounds.

2 Preliminaries

2.1 Mixed Integer Linear Programming

The deployment of the mixed integer linear programming (MILP) to cryptanalysis was shown by Mouha et al. in [23]. Then, the MILP has been applied to search for differential [28, 29], linear [28], impossible differential [7, 26], zero-correlation linear [7], and integral characteristics with division property [34]. The use of MILP for the integral characteristic with division property is expanded in this paper.

The MILP problem is an optimization or feasibility program where variables are restricted to integers. We create an MILP model \(\mathcal {M}\), which consists of variables \(\mathcal {M}.var\), constraints \(\mathcal {M}.con\), and an objective function \(\mathcal {M}.obj\). As an example, let us consider the following optimization program.

Example 1

$$\begin{aligned} \mathcal {M}.var&\leftarrow x,y,z \text{ as } \text{ binary. } \\ \mathcal {M}.con&\leftarrow x + 2 y + 3 z \le 4 \\ \mathcal {M}.con&\leftarrow x + y \ge 1 \\ \mathcal {M}.obj&\leftarrow \text{ maximize } x + y + 2z \end{aligned}$$

The optimum of the model \(\mathcal {M}\) is 3, attained at \((x,y,z)=(1,0,1)\).

An MILP solver can solve such an optimization problem, and it returns infeasible if there is no feasible solution. Moreover, if there is no objective function, the MILP solver only evaluates whether the model is feasible or not.

We used Gurobi optimization as the solver in our experiments [15].

2.2 Cube Attack

The cube attack is a key-recovery attack proposed by Dinur and Shamir in 2009 [11] and is the extension of the higher-order differential cryptanalysis [20].

Let \({\varvec{x}} = (x_1,x_2,\ldots ,x_n)\) and \({\varvec{v}} = (v_1,v_2,\ldots ,v_m)\) be n secret variables and m public variables, respectively. Then, the symmetric-key cryptosystem is represented as \(f({\varvec{x}}, {\varvec{v}})\), where f denotes a polynomial and the size of input and output is \(n+m\) bits and 1 bit, respectively. In the case of stream ciphers, \({\varvec{x}}\) is the secret key, \({\varvec{v}}\) is the initialization vector (iv), and \(f({\varvec{x}}, {\varvec{v}})\) is the first bit of the key stream. The core idea of the cube attack is to simplify the polynomial by computing the higher-order differential of \(f({\varvec{x}}, {\varvec{v}})\) and to recover secret variables from the simplified polynomial.

For a set of indices \(I=\{i_1,i_2,\ldots ,i_{|I|}\} \subset \{1,2,\ldots ,n\}\), referred to as the cube indices, denote by \(t_I\) the monomial \(t_I = v_{i_1} \cdots v_{i_{|I|}}\). Then, we can decompose \(f({\varvec{x}}, {\varvec{v}})\) as

$$\begin{aligned} f({\varvec{x}}, {\varvec{v}}) = t_I \cdot p({\varvec{x}}, {\varvec{v}}) + q({\varvec{x}}, {\varvec{v}}), \end{aligned}$$

where \(p({\varvec{x}}, {\varvec{v}})\) is independent of \(\{v_{i_1},v_{i_2},\ldots ,v_{i_{|I|}}\}\) and the effective number of input variables of p is \(n+m-|I|\) bits. Moreover, \(q({\varvec{x}}, {\varvec{v}})\) misses at least one variable from \(\{v_{i_1},v_{i_2},\ldots ,v_{i_{|I|}}\}\).

Let \(C_I\), referred to as a cube (defined by I), be the set of \(2^{|I|}\) values where the variables in \(\{v_{i_1},v_{i_2},\ldots ,v_{i_{|I|}}\}\) take all possible combinations of values and all remaining variables are fixed to some arbitrary values. Then the sum of f over all values of the cube \(C_I\) is

$$\begin{aligned} \bigoplus _{C_I} f({\varvec{x}}, {\varvec{v}})&= \bigoplus _{C_I} t_I \cdot p({\varvec{x}}, {\varvec{v}}) + \bigoplus _{C_I} q({\varvec{x}}, {\varvec{v}}) \\&=p({\varvec{x}}, {\varvec{v}}). \end{aligned}$$

The first term is reduced to \(p({\varvec{x}}, {\varvec{v}})\) because \(t_I\) becomes 1 for only one case in \(C_I\). The second term is always canceled out because \(q({\varvec{x}}, {\varvec{v}})\) misses at least one variable from \(\{v_{i_1},v_{i_2},\ldots ,v_{i_{|I|}}\}\). Then, \(p({\varvec{x}}, {\varvec{v}})\) is called the superpoly of the cube \(C_I\).

Blackbox Analysis. If the cube is appropriately chosen such that the superpoly is simplified enough to recover secret variables, the cube attack succeeds. However, \(f({\varvec{x}}, {\varvec{v}})\) in real symmetric-key cryptosystems is too complicated to analyze directly. Therefore, the cube attack regards f as a blackbox polynomial.

In the preprocessing phase, attackers first try out various cubes, change the values of public and secret variables, and analyze the features of the superpoly. The goal of this phase is to reveal the structure of \(p({\varvec{x}}, {\varvec{v}})\). In particular, the original cube attack searches for a linear superpoly \(p({\varvec{x}}, {\varvec{0}})\) by the summation over the chosen cube. If the superpoly is linear,

$$\begin{aligned} p({\varvec{x}} \oplus {\varvec{x}}', {\varvec{0}}) = p({\varvec{x}},{\varvec{0}}) \oplus p({\varvec{x}}',{\varvec{0}}) \oplus p({\varvec{0}},{\varvec{0}}) \end{aligned}$$

always holds for arbitrary \({\varvec{x}}\) and \({\varvec{x}}'\). By repeating this linearity test enough times, attackers can conclude that the superpoly is linear with high probability, and the Algebraic Normal Form (ANF) of the superpoly is recovered by assuming its linearity.

In the online phase, attackers query an encryption oracle by controlling only the public variables and recover the secret variables. Attackers evaluate the sum of \(f({\varvec{x}}, {\varvec{v}})\) over all values of the cube \(C_I\). Since this sum is the right-hand side of the equation given by the superpoly, part of the secret variables is recovered. Please refer to [4, 11] for a detailed explanation of the principle of the cube attack.
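The preprocessing and online phases described above can be run end to end on a small polynomial. The following Python code is an added example, not code from the paper: it assumes a constructed toy target f with four secret and four public bits (chosen so that the cube over \(v_1, v_2\) has the linear superpoly \(x_1 \oplus x_3\), while the cube over \(v_1, v_3\) has the quadratic superpoly \(x_2 x_4\)), computes cube sums, runs the linearity test, recovers the ANF of a linear superpoly from \(p({\varvec{0}})\) and \(p({\varvec{e}}_i)\), and finally shows the online-phase equation obtained from an oracle that hides the secret key.

```python
from itertools import product
import random


def f(x, v):
    """Constructed toy target (an assumption of this example), 4 secret bits
    x = (x1..x4) and 4 public bits v = (v1..v4), over F_2:
    f = v1 v2 (x1 + x3) + v1 v3 x2 x4 + v2 x1 + x2 x3 + v4 + v1 v2 v4 x4."""
    x1, x2, x3, x4 = x
    v1, v2, v3, v4 = v
    return ((v1 & v2 & (x1 ^ x3)) ^ (v1 & v3 & x2 & x4) ^ (v2 & x1)
            ^ (x2 & x3) ^ v4 ^ (v1 & v2 & v4 & x4))


def cube_sum(oracle, cube, m, v_const=None):
    """XOR of oracle(v) over the 2^|I| values of C_I: the (0-based) cube indices
    run over all combinations, the other public bits keep v_const (default 0)."""
    base = [0] * m if v_const is None else list(v_const)
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = base[:]
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= oracle(tuple(v))
    return acc


def superpoly(cube, m):
    """Preprocessing view: the attacker controls x, so p(x, 0) is available as a
    callable built from cube sums of f."""
    return lambda x: cube_sum(lambda v: f(x, v), cube, m)


def linearity_test(p, n, trials=64, seed=0):
    """Check p(x + x') = p(x) + p(x') + p(0) on random pairs drawn from a seeded
    generator; True if every pair passes."""
    rng = random.Random(seed)
    zero = (0,) * n
    p0 = p(zero)
    for _ in range(trials):
        x = tuple(rng.randrange(2) for _ in range(n))
        xp = tuple(rng.randrange(2) for _ in range(n))
        xs = tuple(a ^ b for a, b in zip(x, xp))
        if p(xs) != p(x) ^ p(xp) ^ p0:
            return False
    return True


def recover_linear_anf(p, n):
    """Assuming p is linear, its ANF is p(0) + sum_i (p(e_i) + p(0)) x_i.
    Returns (constant term, [coefficient of x_1, ..., coefficient of x_n])."""
    zero = (0,) * n
    c0 = p(zero)
    coeffs = []
    for i in range(n):
        e_i = tuple(1 if j == i else 0 for j in range(n))
        coeffs.append(p(e_i) ^ c0)
    return c0, coeffs


def online_phase(encryption_oracle, cube, m):
    """Online view: only v is chosen; the cube sum equals p(secret, 0), i.e. the
    right-hand side of one equation in the secret bits."""
    return cube_sum(encryption_oracle, cube, m)


if __name__ == "__main__":
    n = m = 4
    cube = (0, 1)                                  # v1, v2 active
    p = superpoly(cube, m)
    print("linear?", linearity_test(p, n))         # True: p = x1 + x3
    print("superpoly ANF:", recover_linear_anf(p, n))
    secret = (1, 1, 0, 1)                          # unknown to the attacker
    rhs = online_phase(lambda v: f(secret, v), cube, m)
    print("online equation: x1 + x3 =", rhs)
    # the cube over v1, v3 has superpoly x2 x4, which the linearity test rejects
    print("linear?", linearity_test(superpoly((0, 2), m), n))
```

The rejection in the last line is probabilistic in the sense the text describes: for the superpoly \(x_2 x_4\) the linearity identity fails on a uniformly random pair with probability 3/8, so 64 trials pass only with negligible probability, while a truly linear superpoly passes every trial.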

2.3 Higher-Order Differential Cryptanalysis and Division Property

The underlying mathematical background of the cube attack is the same as that of the higher-order differential attack. Unlike the cube attack, the common higher-order differential attack never regards the block cipher as a blackbox polynomial. Attackers analyze the structure of a block cipher and construct higher-order differential characteristics, where attackers prepare a set of chosen plaintexts such that the sum of the corresponding ciphertexts of the reduced-round block cipher is 0. After the proposal of the higher-order differential attack, many advanced techniques similar to it have been developed to analyze block ciphers, e.g., the square attack [8], saturation attack [22], multi-set attack [5], and integral attack [19].

Division Property. In 2015, the division property, which is an improved technique to find higher-order differential (integral) characteristics for iterated ciphers, was proposed in [31]. Then, the bit-based variant was introduced in [32], and it is defined as follows.

Definition 1

((Bit-Based) Division Property). Let \(\mathbb {X}\) be a multiset whose elements take a value of \(\mathbb {F}_2^n\). Let \(\mathbb {K}\) be a set whose elements take an n-dimensional bit vector. When the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_\mathbb {K}^{1^n}\), it fulfils the following conditions:

$$\begin{aligned} \bigoplus _{{\varvec{x}} \in \mathbb {X}} {\varvec{x}}^{{\varvec{u}}} = {\left\{ \begin{array}{ll} \mathrm{unknown} &{} \text{if there exists } {\varvec{k}} \in \mathbb {K} \text{ s.t. } {\varvec{u}} \succeq {\varvec{k}}, \\ 0 &{} \text{otherwise}, \end{array}\right. } \end{aligned}$$

where \({\varvec{u}} \succeq {\varvec{k}}\) if \(u_i \ge k_i\) for all i, and \({\varvec{x}}^{{\varvec{u}}}=\prod _{i=1}^{n} x_i^{u_i}\).

We first evaluate the division property of the set of chosen plaintexts and then evaluate the division property of the set of corresponding ciphertexts by evaluating the propagation for every round function.

Some propagation rules for the division property are proven in [31, 32]. Attackers determine indices \(I=\{i_1, i_2, \ldots , i_{|I|}\} \subset \{1,2,\ldots ,n\}\) and prepare \(2^{|I|}\) chosen plaintexts where variables indexed by I are taking all possible combinations of values. The division property of such chosen plaintexts is \(\mathcal{D}_{{\varvec{k}}}^{1^n}\), where \(k_i=1\) if \(i \in I\) and \(k_i=0\) otherwise. Then, the propagation of the division property from \(\mathcal{D}_{{\varvec{k}}}^{1^n}\) is evaluated as

$$\begin{aligned} \{{\varvec{k}}\} \overset{\mathrm{def}}{=} \mathbb {K}_0 \rightarrow \mathbb {K}_1 \rightarrow \mathbb {K}_2 \rightarrow \cdots \rightarrow \mathbb {K}_r, \end{aligned}$$

where \(\mathcal{D}_{\mathbb {K}_i}\) is the division property after i-round propagation. If the division property \(\mathbb {K}_r\) does not contain the unit vector \({\varvec{e}}_i\), whose ith element is 1 and all other elements are 0, the ith bit of the r-round ciphertexts is balanced.

Propagation of Division Property with MILP. Evaluating the propagation of the division property is not easy because the size of \(\mathbb {K}_i\) increases extremely quickly. At ASIACRYPT 2016, Xiang et al. showed that the propagation can be evaluated efficiently by using MILP [34]. First, they introduced the division trail as follows.

Definition 2

(Division Trail). Let us consider the propagation of the division property \(\{{\varvec{k}}\} \overset{\mathrm{def}}{=} \mathbb {K}_0 \rightarrow \mathbb {K}_1 \rightarrow \mathbb {K}_2 \rightarrow \cdots \rightarrow \mathbb {K}_r\). Moreover, for any vector \({\varvec{k}}^*_{i+1} \in \mathbb {K}_{i+1}\), there must exist a vector \({\varvec{k}}^*_{i} \in \mathbb {K}_{i}\) such that \({\varvec{k}}^*_{i}\) can propagate to \({\varvec{k}}^*_{i+1}\) by the propagation rule of the division property. Furthermore, for \(({\varvec{k}}_0, {\varvec{k}}_1,\ldots , {\varvec{k}}_r) \in (\mathbb {K}_0 \times \mathbb {K}_1 \times \cdots \times \mathbb {K}_r)\), if \({\varvec{k}}_{i}\) can propagate to \({\varvec{k}}_{i+1}\) for all \(i \in \{0,1,\ldots ,r-1\}\), we call \(({\varvec{k}}_0 \rightarrow {\varvec{k}}_1 \rightarrow \cdots \rightarrow {\varvec{k}}_r)\) an r-round division trail.

Let \(E_k\) be the target r-round iterated cipher. Then, if there is a division trail \({\varvec{k}}_0 \xrightarrow {E_k} {\varvec{k}}_r={\varvec{e}}_i\), attackers cannot know whether the ith bit of the r-round ciphertexts is balanced or not. On the other hand, if we can prove that there is no division trail \({\varvec{k}}_0 \xrightarrow {E_k} {\varvec{e}}_i\), the ith bit of the r-round ciphertexts is always balanced. Therefore, we have to evaluate all possible division trails to verify whether each bit of the ciphertexts is balanced or not. In [30, 31, 32], all possible division trails are evaluated by using a breadth-first search. Unfortunately, such a search requires enormous memory and time complexity. Therefore, it is practically infeasible to apply this method to iterated ciphers whose block length is not small.

MILP can solve this problem efficiently. We generate an MILP model that covers all division trails, and the solver evaluates whether a division trail from the input division property to the output one is feasible. If the solver guarantees that there is no division trail, a higher-order differential (integral) characteristic is found.

Let COPY, XOR, and AND be three fundamental operations, where COPY copies 1 bit into m bits, XOR computes the xor of m bits, and AND computes the and of m bits. Note that MILP models for COPY, XOR, and AND are sufficient to represent any circuit.

Proposition 1

(MILP Model for COPY). Let \(a \xrightarrow {COPY} (b_1,b_2,\ldots ,b_m)\) be a division trail of COPY. The following inequalities are sufficient to describe the propagation of the division property for COPY.

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {M}.var \leftarrow a,b_1,b_2,\ldots ,b_m \text{ as binary.} \\ \mathcal {M}.con \leftarrow a = b_1 + b_2 + \cdots + b_m \end{array}\right. } \end{aligned}$$

Proposition 2

(MILP Model for XOR). Let \((a_1, a_2, \ldots , a_m) \xrightarrow {XOR} b\) be a division trail of XOR. The following inequalities are sufficient to describe the propagation of the division property for XOR.

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {M}.var \leftarrow a_1,a_2,\ldots ,a_m,b \text{ as binary.} \\ \mathcal {M}.con \leftarrow a_1 + a_2 + \cdots + a_m = b \end{array}\right. } \end{aligned}$$

Proposition 3

(MILP Model for AND). Let \((a_1, a_2, \ldots , a_m) \xrightarrow {AND} b\) be a division trail of AND. The following inequalities are sufficient to describe the propagation of the division property for AND.

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {M}.var \leftarrow a_1,a_2,\ldots ,a_m,b \text{ as binary.} \\ \mathcal {M}.con \leftarrow b \ge a_i \text{ for all } i\in \{1,2,\ldots ,m\} \end{array}\right. } \end{aligned}$$

To accept multiple inputs and outputs, these three propositions are generalized from the original ones shown in [34]. Moreover, Propositions 1 and 2 were also introduced in [27]. Note that Proposition 3 includes redundant propagations of the division property, but they do not affect the obtained characteristics.

3 How to Analyze Non-Blackbox Polynomials

The cube attack basically regards \(f({\varvec{x}}, {\varvec{v}})\) as a blackbox polynomial and analyzes it experimentally because the structure of a real \(f({\varvec{x}}, {\varvec{v}})\) is too complicated to analyze in detail. Such an experimental analysis is often advantageous but has significant drawbacks, e.g., the size of the cube is limited to the experimental range.

In this section, we propose a new technique to analyze the polynomial, where our technique never regards the polynomial as a blackbox and can analyze its structure in detail. More precisely, we propose a new application of the division property that enables us to analyze the Algebraic Normal Form (ANF) coefficients of f. Secret variables that are not involved in the superpoly of a cube \(C_I\) are efficiently identified by using our new method. As a result, we can estimate the time complexity to recover the ANF of the superpoly of a cube \(C_I\).

3.1 What Is Guaranteed by Division Property

We first revisit the definition of the division property and consider what the division property can do for stream ciphers.

Zero-Sum Integral Distinguisher. The trivial application is to find zero-sum integral distinguishers. Let us consider \(f({\varvec{x}}, {\varvec{v}})\) as a stream cipher, where \({\varvec{x}}\) and \({\varvec{v}}\) denote the secret and public variables, respectively, and f is designed using an iterative structure. For a cube \(C_I\) where the variables in \(\{v_{i_1}, v_{i_2}, \ldots , v_{i_{|I|}}\}\) take all possible combinations of values, the propagation of the division property enables us to evaluate whether or not the sum of \(f({\varvec{x}}, {\varvec{v}})\) over all values of the cube \(C_I\) is balanced. Therefore, if the goal of attackers is to find zero-sum integral distinguishers, we can trivially use the division property.

Analysis of ANF Coefficients. Even if we can find a zero-sum integral distinguisher on stream ciphers, it is nontrivial to recover secret variables unlike block ciphers. Therefore, new techniques are required for the extension to the key-recovery attack.

We propose a novel application of the division property, where the division property is not used to find zero-sum integral distinguishers but used to analyze the ANF coefficients of f. Since our goal is to analyze the ANF coefficients, we do not need to distinguish public variables from secret ones. For the simplicity of notation, we consider \(f({\varvec{x}})\) instead of \(f({\varvec{x}}, {\varvec{v}})\), and the ANF of \(f({\varvec{x}})\) is represented as follows.

$$\begin{aligned} f({\varvec{x}})&= \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n}} a_{{\varvec{u}}}^f \cdot {{\varvec{x}}}^{{\varvec{u}}}, \end{aligned}$$

where \(a_{{\varvec{u}}}^f \in \mathbb {F}_2\) denotes the ANF coefficients. Then, the following lemma is derived.

Lemma 1

Let \(f({\varvec{x}})\) be a polynomial from \(\mathbb {F}_2^n\) to \(\mathbb {F}_2\) and \(a_{{\varvec{u}}}^f\in \mathbb {F}_2\,({\varvec{u}} \in \mathbb {F}_2^n)\) be the ANF coefficients. Let \({\varvec{k}}\) be an n-dimensional bit vector. Then, assuming there is no division trail such that \({\varvec{k}} \xrightarrow {f} 1\), \(a_{{\varvec{u}}}^f\) is always 0 for \({\varvec{u}} \succeq {\varvec{k}}\).

Proof

According to \({\varvec{k}}\), we first decompose \(f({\varvec{x}})\) into

$$\begin{aligned} f({\varvec{x}})&= \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n} | {\varvec{u}} \succeq {\varvec{k}}} a_{{\varvec{u}}}^f \cdot {{\varvec{x}}}^{{\varvec{u}}} \oplus \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n} | {\varvec{u}} \not \succeq {\varvec{k}}} a_{{\varvec{u}}}^f \cdot {{\varvec{x}}}^{{\varvec{u}}}, \\&= {\varvec{x}}^{{\varvec{k}}} \cdot \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n} | {\varvec{u}} \succeq {\varvec{k}}} a_{{\varvec{u}}}^f \cdot {{\varvec{x}}}^{{\varvec{u}} \oplus {\varvec{k}}} \oplus \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n} | {\varvec{u}} \not \succeq {\varvec{k}}} a_{{\varvec{u}}}^f \cdot {{\varvec{x}}}^{{\varvec{u}}}. \end{aligned}$$

Assume that there is no division trail such that \({\varvec{k}} \xrightarrow {f} 1\). Then, the absence of division trails guarantees that the sum of \(f({\varvec{x}})\) over all values of the cube \(C_I\), where I is the set of indices i with \(k_i = 1\), is always balanced independent of \(x_i~(i \in \{1,2,\ldots ,n\}-I)\). Namely,

$$\begin{aligned} \bigoplus _{C_I}f({\varvec{x}})&= \bigoplus _{C_I} \left( {\varvec{x}}^{{\varvec{k}}} \cdot \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n} | {\varvec{u}} \succeq {\varvec{k}}} a_{{\varvec{u}}}^f \cdot {{\varvec{x}}}^{{\varvec{u}} \oplus {\varvec{k}}} \right) \\&= \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n} | {\varvec{u}} \succeq {\varvec{k}}} a_{{\varvec{u}}}^f \cdot {{\varvec{x}}}^{{\varvec{u}} \oplus {\varvec{k}}} = 0 \end{aligned}$$

holds independent of \(x_i~(i \in \{1,2,\ldots ,n\}-I)\). It holds only if \(a_{{\varvec{u}}}^f\) is always 0 for all \({\varvec{u}}\) such that \({\varvec{u}} \succeq {\varvec{k}}\).    \(\square \)

Lemma 1 is a very important observation for our attack.

3.2 Superpoly Recovery

The most important part of a cube attack is to recover the superpoly, and we simply call it the superpoly recovery in this paper. Since the public variables \({\varvec{v}}\) are known and chosen by attackers, the ANF of \(p_{{\varvec{v}}}({\varvec{x}})=p({\varvec{x}}, {\varvec{v}})\) is evaluated, and the goal is to recover \(p_{{\varvec{v}}}({\varvec{x}})\) for the fixed \({\varvec{v}}\). Once the superpoly \(p_{{\varvec{v}}}({\varvec{x}})\) is recovered, attackers query the cube to an encryption oracle and compute the sum of \(f({\varvec{x}}, {\varvec{v}})\) over the cube. Then, attackers obtain one polynomial equation in the secret variables, and the secret variables are recovered from the polynomial.

The amount of secret information recovered from one superpoly depends on the structure of the superpoly \(p_{{\varvec{v}}}({\varvec{x}})\). If a balanced superpoly is used, one bit of information about the involved secret variables is always recovered. If an unbalanced superpoly is used, less than 1 bit of the secret variables is recovered, but some information about the secret variables still leaks to attackers. Moreover, it is possible to recover more bits of information about the secret variables by exploiting multiple cubes. As an extreme case, if the superpoly is a constant function, no secret variable is recovered, but it trivially implies a constant-sum integral distinguisher. Therefore, the superpoly recovery directly reveals a vulnerability of the symmetric-key cryptosystem, and some information about the secret variables is always recovered unless the superpoly is a constant function.

Previous Method to Recover Superpoly. The previous cube attack experimentally recovered the superpoly of a cube whose size is feasible for current computers. Therefore, not every superpoly can be evaluated. Linearity and quadraticity tests are repeated, and the superpoly is regarded as a linear or quadratic polynomial if these tests pass sufficiently often. Then, assuming the superpoly is linear or quadratic, the superpoly is recovered.

Analyze ANF Coefficients of Superpoly by Division Property. Lemma 1 implies that the division property can be used as a tool to analyze ANF coefficients of the superpoly. The following proposition is shown from Lemma 1 and is useful to evaluate the upper bound of the complexity to recover the ANF of the superpoly.

Proposition 4

Let \(f({\varvec{x}}, {\varvec{v}})\) be a polynomial, where \({\varvec{x}}\) and \({\varvec{v}}\) denote the secret and public variables, respectively. For a set of indices \(I = \{i_1 ,i_2 ,\ldots ,i_{|I|} \} \subset \{1,2,\ldots ,m\}\), let \(C_I\) be a set of \(2^{|I|}\) values where the variables in \(\{v_{i_1} ,v_{i_2} ,\ldots , v_{i_{|I|}} \}\) are taking all possible combinations of values. Let \({\varvec{k}}_I\) be an m-dimensional bit vector such that \({\varvec{v}}^{{\varvec{k}}_I} = t_I = v_{i_1} v_{i_2} \cdots v_{i_{|I|}}\), i.e. \(k_i=1\) if \(i \in I\) and \(k_i=0\) otherwise. Assuming there is no division trail such that \(({\varvec{e}}_j, {\varvec{k}}_I) \xrightarrow {f} 1\), \(x_j\) is not involved in the superpoly of the cube \(C_I\).

Proof

The ANF of \(f({\varvec{x}}, {\varvec{v}})\) is represented as follows.

$$\begin{aligned} f({\varvec{x}}, {\varvec{v}})&= \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n+m}} a_{{\varvec{u}}}^f \cdot {({\varvec{x}} \Vert {\varvec{v}})}^{{\varvec{u}}}, \end{aligned}$$

where \(a_{{\varvec{u}}}^f \in \mathbb {F}_2\) denotes the ANF coefficients. The polynomial \(f({\varvec{x}}, {\varvec{v}})\) is decomposed into

$$\begin{aligned} f({\varvec{x}}, {\varvec{v}})&= \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n+m} | {\varvec{u}} \succeq ({\mathbf {0}} \Vert {\varvec{k}}_I)} a_{{\varvec{u}}}^f \cdot {({\varvec{x}} \Vert {\varvec{v}})}^{{\varvec{u}}} \oplus \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n+m} | {\varvec{u}} \not \succeq ({\mathbf {0}} \Vert {\varvec{k}}_I)} a_{{\varvec{u}}}^f \cdot {({\varvec{x}} \Vert {\varvec{v}})}^{{\varvec{u}}} \\&= t_I \cdot \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n+m} | {\varvec{u}} \succeq ({\mathbf {0}} \Vert {\varvec{k}}_I)} a_{{\varvec{u}}}^f \cdot {({\varvec{x}} \Vert {\varvec{v}})}^{{\varvec{u}} \oplus ({\mathbf {0}} \Vert {\varvec{k}}_I)} \oplus \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n+m} | {\varvec{u}} \not \succeq ({\mathbf {0}} \Vert {\varvec{k}}_I)} a_{{\varvec{u}}}^f \cdot {({\varvec{x}} \Vert {\varvec{v}})}^{{\varvec{u}}} \\&= t_I \cdot p({\varvec{x}}, {\varvec{v}}) \oplus q({\varvec{x}}, {\varvec{v}}). \end{aligned}$$

Therefore, the superpoly \(p({\varvec{x}}, {\varvec{v}})\) is represented as

$$\begin{aligned} p({\varvec{x}}, {\varvec{v}}) = \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n+m} | {\varvec{u}} \succeq ({\mathbf {0}} \Vert {\varvec{k}}_I)} a_{{\varvec{u}}}^f \cdot {({\varvec{x}} \Vert {\varvec{v}})}^{{\varvec{u}} \oplus ({\mathbf {0}} \Vert {\varvec{k}}_I)}. \end{aligned}$$

If there is no division trail \(( {\varvec{e}}_j \Vert {\varvec{k}}_I) \xrightarrow {f} 1\), \(a_{{\varvec{u}}}^f = 0\) for \({\varvec{u}} \succeq ({\varvec{e}}_j \Vert {\varvec{k}}_I)\) because of Lemma 1. Therefore,

$$\begin{aligned} p({\varvec{x}}, {\varvec{v}}) = \bigoplus _{ {\varvec{u}} \in \mathbb {F}_2^{n+m} | {\varvec{u}} \succeq ({\mathbf {0}} \Vert {\varvec{k}}_I), u_j = 0} a_{{\varvec{u}}}^f \cdot ({\varvec{x}} \Vert {\varvec{v}})^{{\varvec{u}} \oplus ({\mathbf {0}} \Vert {\varvec{k}}_I)}. \end{aligned}$$

This superpoly is independent of \(x_j\) because \(u_j\) is always 0 and \((x_j)^0=1\).    \(\square \)

Algorithm 1 (pseudocode figure, not reproduced)

We can evaluate which secret variables are involved in the superpoly of a given cube, and Algorithm 1 shows the MILP-aided algorithm. The input \(\mathcal {M}\) is an MILP model in which the target stream cipher is represented in the context of the division property. How to construct \(\mathcal {M}\) for each specific stream cipher is shown in each application in Sect. 5. First, we pick MILP variables \({\varvec{x}}\) and \({\varvec{v}}\) from \(\mathcal {M}\), where \({\varvec{x}}\) and \({\varvec{v}}\) are the MILP variables for the secret and public variables, respectively. As an example, in Algorithm 2 for Trivium, let \({\varvec{x}} = (s_1^0, s_2^0, \ldots , s_{80}^0)\) and \({\varvec{v}} = (s_{93}^0, s_{94}^0, \ldots , s_{172}^0)\). Then, to represent the input division property, the elements of \({\varvec{v}}\) indexed by I are constrained to 1, and the others are constrained to 0. Since at least one secret variable is additionally constrained to 1 in our cube attack, the sum of \({\varvec{x}}\) is constrained to 1. Next, we solve this MILP model with the solver. If \(\mathcal {M}\) is infeasible, no secret variable is involved in the superpoly, and \(\bigoplus _{C_I}f({\varvec{x}}, {\varvec{v}})=p({\varvec{x}}, {\varvec{v}})\) is always constant. If \(\mathcal {M}\) is feasible, we get a satisfying division trail and pick an index \(j \in \{1,2,\ldots ,n\}\) such that \(x_j=1\) in the division trail. Then, \(x_j\) is involved in the superpoly, and the index j is stored in a set J. Once we detect that \(x_j\) is involved, we additionally constrain \(x_j = 0\). By repeating this procedure, we obtain the set J of indices of the secret variables involved in the superpoly.

After the analysis of the superpoly by using Algorithm 1, we know that only \(x_j~(j \in J)\) are involved in the superpoly of the cube \(C_I\). Attackers choose a value for the constant part of the iv and prepare the cube \(C_I\) by flipping the bits in I. They then recover the superpoly by trying out all possible combinations of the secret variables \(\{x_{j_1}, x_{j_2}, \ldots , x_{j_{|J|}}\}\). The time complexity to recover the superpoly is therefore \(2^{|I|+|J|}\), and if \(|I|+|J|\) is smaller than the security bit level, the superpoly can be recovered more efficiently than by brute force.
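Proposition 4 worked on a polynomial whose ANF is known, as an added example that is not the paper's code (the paper's point is that the ANF of a real cipher is unavailable, which is why the division property replaces this exact computation): it extracts the superpoly \(p\) through the decomposition \(f = t_I \cdot p \oplus q\) from the proof, derives the involved index set \(J\), and confirms against blackbox cube summation that \(\bigoplus_{C_I} f = p\). The sample polynomial \(f\) is constructed for the example.

```python
# Added example (not the paper's code): Proposition 4 worked on a small
# polynomial whose ANF is known. A monomial is a frozenset of variable
# names such as "x3" (secret) or "v2" (public); a polynomial is a set of
# monomials XORed together, the empty monomial being the constant 1.
from itertools import product

# Constructed sample: f = v1 v2 x1 + v1 v2 v3 x2 x3 + v1 x4 + v2 x1 x4 + x5 + 1
F_SAMPLE = {
    frozenset({"v1", "v2", "x1"}),
    frozenset({"v1", "v2", "v3", "x2", "x3"}),
    frozenset({"v1", "x4"}),
    frozenset({"v2", "x1", "x4"}),
    frozenset({"x5"}),
    frozenset(),
}
CUBE_I = (1, 2)          # cube over v1, v2, i.e. t_I = v1 v2


def superpoly(f, cube_idx):
    """Decompose f = t_I * p (+) q as in the proof of Proposition 4: keep the
    monomials u >= (0 || k_I) (those divisible by t_I) and strip t_I from
    them. The result p is the superpoly of the cube C_I."""
    t_I = frozenset(f"v{i}" for i in cube_idx)
    return {m - t_I for m in f if t_I <= m}


def involved_secret(f, cube_idx):
    """The set J of Sect. 3: x_j is involved iff some monomial of f contains
    both t_I and x_j, which is exactly what the division-property condition
    (e_j || k_I) -> 1 of Proposition 4 upper-bounds."""
    return {int(name[1:]) for m in superpoly(f, cube_idx)
            for name in m if name[0] == "x"}


def evaluate(f, assignment):
    """Evaluate a polynomial over F_2 at a {name: bit} assignment."""
    return sum(all(assignment[n] for n in m) for m in f) & 1


def cube_sum(f, cube_idx, assignment):
    """Blackbox view of the cube attack: XOR f over all 2^|I| values of the
    cube variables, the remaining variables fixed by `assignment`."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube_idx)):
        a = dict(assignment)
        a.update({f"v{i}": b for i, b in zip(cube_idx, bits)})
        acc ^= evaluate(f, a)
    return acc


def cube_sum_matches_superpoly(f, cube_idx, free_vars):
    """Check sum_{C_I} f(x, v) = p(x, v) for every value of the non-cube
    variables, i.e. that the symbolic p agrees with the blackbox sums."""
    p = superpoly(f, cube_idx)
    for bits in product((0, 1), repeat=len(free_vars)):
        a = dict(zip(free_vars, bits))
        a.update({f"v{i}": 0 for i in cube_idx})
        if cube_sum(f, cube_idx, a) != evaluate(p, a):
            return False
    return True


if __name__ == "__main__":
    p = superpoly(F_SAMPLE, CUBE_I)
    print("superpoly:", [sorted(m) for m in p])      # x1 and v3 x2 x3
    print("involved J:", sorted(involved_secret(F_SAMPLE, CUBE_I)))
    print("consistent:", cube_sum_matches_superpoly(
        F_SAMPLE, CUBE_I, ["x1", "x2", "x3", "x4", "x5", "v3"]))
```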

4 Toward Key Recovery

The time complexity to recover the superpoly was estimated in Sect. 3, where it was also noted that the superpoly recovery directly implies a vulnerability of the stream cipher. If our goal is instead to recover secret variables, we have to find a preferable superpoly, i.e., one that is close to balanced over the involved secret variables. Under the condition that we have already obtained the cube index set I and the index set J of involved secret variables by using Algorithm 1, our attack strategy to recover secret variables consists of three phases: an offline phase, an online phase, and a brute-force search phase.

1. Offline phase. The goal of this phase is to find a preferable superpoly. Attackers choose a value for the constant part of the iv and prepare a cube by flipping the bits in I. They then compute \(\bigoplus _{C_I} f({\varvec{x}}, {\varvec{v}})=p_{{\varvec{v}}}({\varvec{x}})\) locally, trying out all possible combinations of the secret variables \(\{x_{j_1}, x_{j_2}, \ldots , x_{j_{|J|}}\}\), and the superpoly is recovered. Finally, we search for a preferable superpoly by changing the constant part of the iv.

2. Online phase. The goal of this phase is to recover part of the secret variables by using the preferable superpoly. Once a balanced superpoly is given, attackers query the cube \(C_I\) to the encryption oracle and get the one bit \(p_{{\varvec{v}}}({\varvec{x}})\). This yields one polynomial equation in the involved secret variables, and half of the values of the involved secret variables are discarded because the superpoly is balanced.

3. Brute-force search phase. Attackers guess the remaining secret variables to recover the entire value of the secret variables.

We cannot know whether the superpoly is balanced or not unless it is actually recovered, and the actual superpoly recovery requires \(2^{|I|+|J|}\) time complexity. Therefore, if \(|I|+|J|\) exceeds the experimental range, it is practically infeasible to search for preferable superpolys. As a consequence, we introduce the following two assumptions about collecting preferable superpolys.

Assumption 1

(Strong Assumption). For a cube \(C_I\), there are many values in the constant part of iv whose corresponding superpoly is balanced.

Assumption 2

(Weak Assumption). For a cube \(C_I\), there are many values in the constant part of iv whose corresponding superpoly is not a constant function.

Assumption 2 is weaker than Assumption 1 because any superpoly satisfying Assumption 1 also satisfies Assumption 2. As long as Assumption 2 holds, less than 1 bit of the secret variables is recovered, but at least some secret information leaks to attackers. If Assumption 1 holds and such a superpoly is used in the online phase, the values of the involved secret variables are divided exactly in half, i.e., \(p_{{\varvec{v}}}({\varvec{x}})\) is 0 for \(2^{|J|-1}\) values and 1 for the others. Therefore, we recover one bit of information about the secret variables.

4.1 Evaluating Time Complexity

Assuming that Assumption 1 holds, we estimate the time complexity to recover the entire secret key. The time complexity of the offline phase is estimated as \(k \times 2^{|I|+|J|}\), where k denotes the number of trials required to find a preferable superpoly. Note that such a superpoly can be expected to be found with high probability without trying out all possible values of the involved secret variables: we evaluate a random subset of the values of the involved secret variables and check whether \(p_{{\varvec{v}}}({\varvec{x}})\) is almost balanced. If the output is highly biased over \({\varvec{x}}\), the superpoly \(p_{{\varvec{v}}}\) is not preferable, and we change to another value of the constant part of the iv. The complexity of this filtering is \(O(2^{|I|})\). Once we find an almost preferable superpoly, we try out all \(2^{|J|}\) values of the involved secret variables.

Even if a preferable superpoly is used, at most 1 bit of secret information is recovered. Therefore, when only one cube is used, the time complexity of the brute-force search phase is \(2^{\kappa -1}\), where \(\kappa \) denotes the security bit level. Hence, the total time complexity is

$$\begin{aligned} k \times 2^{|I|+|J|} + 2^{|I|} + 2^{\kappa - 1}. \end{aligned}$$
(1)

From Eq. (1), when \(|I|+|J|=\kappa -1\), the total time complexity is greater than \(2^\kappa \) because k is at least 1. Therefore, such a cube cannot be used for the key-recovery attack. Moreover, when \(|I|+|J|=\kappa -2\), the attack is valid only in the best case (\(k=1\)), where a preferable superpoly is found in the first trial.

If only one cube is exploited, the dominant time complexity is always that for the brute-force search phase. When \(\ell \) cubes are found in the evaluation phase and all found cubes are exploited, the total time complexity is reduced to

$$\begin{aligned} \ell \times \left( k \times 2^{|I|+|J|} + 2^{|I|} \right) + 2^{\kappa - \ell }. \end{aligned}$$

However, this paper only focuses on the case that a single cube is exploited, for simplicity. Note that the detection of even one cube already implies a cryptographic vulnerability.

5 Applications

We apply our general attack method to three NLFSR-based ciphers. The first target is Trivium [6], which is one of the eSTREAM portfolio ciphers [1] and one of the most analyzed stream ciphers. Another target is Grain128a [3], which is standardized in ISO/IEC 29167-13 [16]. The final application is ACORN [33], which is one of the 3rd round CAESAR candidates [2], and its design is based on stream ciphers.

Fig. 1. Structure of Trivium

5.1 Application to Trivium

Specification. Trivium is an NLFSR-based stream cipher, and the internal state is a 288-bit state \((s_1,s_2,\ldots ,s_{288})\). Figure 1 shows the state update function of Trivium. The 80-bit key is loaded into the first register, and the 80-bit IV is loaded into the second register. The other state bits are set to 0 except the last three bits of the third register. Namely, the initial state bits are

$$\begin{aligned} (s_1, s_2, \ldots , s_{93})&= (K_1, K_2, \ldots , K_{80}, 0, \ldots , 0), \\ (s_{94}, s_{95}, \ldots , s_{177})&= (IV_1, IV_2, \ldots , IV_{80}, 0, \ldots , 0), \\ (s_{178}, s_{179}, \ldots , s_{288})&= (0, 0, \ldots , 0, 1, 1, 1). \end{aligned}$$

The pseudo code of the update function is given as follows.

$$\begin{aligned}&t_1 \leftarrow s_{66} \oplus s_{93} \\&t_2 \leftarrow s_{162} \oplus s_{177} \\&t_3 \leftarrow s_{243} \oplus s_{288} \\&z \leftarrow t_1 \oplus t_2 \oplus t_3 \\&t_1 \leftarrow t_1 \oplus s_{91} \cdot s_{92} \oplus s_{171}\\&t_2 \leftarrow t_2 \oplus s_{175} \cdot s_{176} \oplus s_{264}\\&t_3 \leftarrow t_3 \oplus s_{286} \cdot s_{287} \oplus s_{69}\\&(s_1, s_2, \ldots , s_{93}) \leftarrow (t_3, s_1, \ldots , s_{92}) \\&(s_{94}, s_{95}, \ldots , s_{177}) \leftarrow (t_1, s_{94}, \ldots , s_{176}) \\&(s_{178}, s_{179}, \ldots , s_{288}) \leftarrow (t_2, s_{178}, \ldots , s_{287}) \end{aligned}$$

Here z denotes the 1-bit key stream. First, in the key initialization, the state is updated \(4 \times 288 = 1152\) times without producing an output. After the key initialization, one key-stream bit is produced by every application of the update function.

Algorithm 2 (pseudocode figure, not reproduced)

MILP Model. TriviumEval in Algorithm 2 generates the MILP model \(\mathcal {M}\) that is the input of Algorithm 1, and the model \(\mathcal {M}\) can evaluate all division trails for Trivium whose initialization rounds are reduced to R. TriviumCore in Algorithm 2 generates MILP variables and constraints for the update of each register. Since one TriviumCore creates 10 MILP variables and 7 constraints, one update function creates 30 MILP variables and 21 constraints. Therefore, the generated MILP model \(\mathcal {M}\) consists of \(288+30R\) MILP variables and \(21R+282+1\) MILP constraints. Note that the constraints for the input division property are added by Algorithm 1.

Table 2. Involved secret variables in the superpoly of the cube \(C_{\{ 1, 11, 21, 31, 41, 51, 61, 71 \}}\).

Experimental Verification. We implemented the MILP model \(\mathcal {M}\) for the propagation of the division property on Trivium and evaluated the involved secret variables by using Algorithm 1, where the Gurobi optimizer [15] was used as the MILP solver. Before the theoretical evaluation, we verify our attack and implementation by using the small cube \(I = \{ 1, 11, 21, 31, 41, 51, 61, 71 \}\). Table 2 summarizes the involved secret variables from 576 to 594 rounds.

Example 2

(Verification of Our Attack against 590-round Trivium). We actually executed the offline phase against 590-round Trivium, where only \(K_{60}\) is involved in the superpoly. We randomly chose 100 superpolys by changing the constant part of the iv and evaluated the sum over the cube. As a result, the sum is always 0 independently of \(K_{60}\) in 42 superpolys, for which \(\mathtt{0x00CA6124DE5F12043D62}\) is an example of the constant part of the iv. Moreover, the sum equals the value of \(K_{60}\) in 22 superpolys, for which \(\mathtt{0x2F0881B93B251C7079F2}\) is an example. Then, the ANF of the superpoly is represented as

$$\begin{aligned} p_{{\varvec{v}}}({\varvec{x}}) = x_{60}. \end{aligned}$$

Finally, the sum equals the value of \(K_{60} \oplus 1\) in 36 superpolys, for which \(\mathtt{0x5745A1944411D1374828}\) is an example. Then, the ANF of the superpoly is represented as

$$\begin{aligned} p_{{\varvec{v}}}({\varvec{x}}) = x_{60} \oplus 1. \end{aligned}$$

Balanced superpolys are preferable, and we found \(22+36=58\) such superpolys. Therefore, the required number of trials for finding a preferable superpoly is about \(k=2\).
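The offline phase of Sect. 4 carried out on the cube of Example 2, as an added example that is not the paper's code: it implements round-reduced Trivium from the specification above (bitsliced, so a whole cube is clocked at once), replaces the MILP-based Algorithm 1 by an empirical flip-one-key-bit test for the involved set \(J\) (which can only under-estimate \(J\), whereas Algorithm 1 upper-bounds it), recovers the \(2^{|J|}\)-entry truth table of \(p_{{\varvec{v}}}\) for the three iv constants quoted above, and scores each table by the leaked-information measure used in Example 4. It assumes \(K_i \rightarrow s_i\), \(IV_i \rightarrow s_{93+i}\), and \(K_1\)/\(IV_1\) as the most significant bit of the hex constants, none of which the page states explicitly.

```python
# Added example (not the paper's code): the offline phase of Sect. 4 run on
# round-reduced Trivium with the cube I = {1,11,...,71} of Example 2.
# Trivium is bitsliced: each state bit is a Python int whose bit l holds that
# state bit in "lane" l, so all 2^|I| cube members and many keys are clocked
# at once. Assumed conventions (not spelled out on the page): K_i -> s_i,
# IV_i -> s_{93+i}, K_1 / IV_1 is the most significant bit of the 80-bit hex
# value, and cube index i refers to IV_i.
import math
import random
from itertools import product

def trivium_first_bit(key_lanes, iv_lanes, rounds, all_ones):
    """Clock the loaded state `rounds` times without output, then return the
    first key-stream bit z, one bit per lane. key_lanes / iv_lanes hold 80
    lane masks each (index 0 = K_1 / IV_1); all_ones has every lane set and
    is the value of the constant bits s_286, s_287, s_288."""
    a = list(key_lanes) + [0] * 13            # s_1 .. s_93
    b = list(iv_lanes) + [0] * 4              # s_94 .. s_177
    c = [0] * 108 + [all_ones] * 3            # s_178 .. s_288
    for _ in range(rounds):
        t1 = a[65] ^ a[92] ^ (a[90] & a[91]) ^ b[77]     # s66+s93+s91s92+s171
        t2 = b[68] ^ b[83] ^ (b[81] & b[82]) ^ c[86]     # s162+s177+s175s176+s264
        t3 = c[65] ^ c[110] ^ (c[108] & c[109]) ^ a[68]  # s243+s288+s286s287+s69
        a, b, c = [t3] + a[:-1], [t1] + b[:-1], [t2] + c[:-1]
    return a[65] ^ a[92] ^ b[68] ^ b[83] ^ c[65] ^ c[110]

def cube_sums(cube_idx, iv_const, keys, rounds):
    """For every 80-bit key in `keys`, XOR the first key-stream bit over the
    2^|I| IVs obtained by flipping the bits indexed by I on top of the
    constant iv_const; returns one superpoly value p_v(x) per key."""
    n_cube = 1 << len(cube_idx)
    block = (1 << n_cube) - 1                 # the lanes of one key
    all_ones = (1 << (len(keys) * n_cube)) - 1
    # constant IV bits are the same in every lane; cube bit number `pos`
    # takes the value (m >> pos) & 1 in lane k*n_cube + m
    iv_lanes = [all_ones if (iv_const >> (79 - i)) & 1 else 0 for i in range(80)]
    for pos, i in enumerate(cube_idx):
        pattern = sum(1 << m for m in range(n_cube) if (m >> pos) & 1)
        iv_lanes[i - 1] = sum(pattern << (k * n_cube) for k in range(len(keys)))
    key_lanes = [0] * 80
    for k, key in enumerate(keys):
        for i in range(80):
            if (key >> (79 - i)) & 1:
                key_lanes[i] |= block << (k * n_cube)
    z = trivium_first_bit(key_lanes, iv_lanes, rounds, all_ones)
    return [bin((z >> (k * n_cube)) & block).count("1") & 1
            for k in range(len(keys))]

def involved_secret_bits(cube_idx, rounds, n_ivs=6, n_keys=2, seed=1):
    """Empirical stand-in for the set J that Algorithm 1 derives with MILP:
    K_j is reported as involved when flipping it changes the cube sum for
    some random base key and some random constant part of the iv."""
    rng = random.Random(seed)
    involved = set()
    for _ in range(n_ivs):
        iv_const = rng.getrandbits(80)
        keys = []
        for _ in range(n_keys):
            base = rng.getrandbits(80)
            keys.append(base)
            keys.extend(base ^ (1 << (80 - j)) for j in range(1, 81))
        sums = cube_sums(cube_idx, iv_const, keys, rounds)
        for b in range(n_keys):
            involved.update(j for j in range(1, 81)
                            if sums[b * 81 + j] != sums[b * 81])
    return involved

def recover_superpoly(cube_idx, iv_const, J, rounds, seed=2):
    """Offline phase proper: with J known, try all 2^|J| values of x_J (the
    other key bits fixed at random; by Proposition 4 they cannot matter)
    and return the truth table of p_v(x) indexed by the value of x_J."""
    filler = random.Random(seed).getrandbits(80)
    keys = []
    for bits in product((0, 1), repeat=len(J)):
        key = filler
        for j, bit in zip(J, bits):
            key = (key & ~(1 << (80 - j))) | (bit << (80 - j))
        keys.append(key)
    return cube_sums(cube_idx, iv_const, keys, rounds)

def leaked_bits(table):
    """Information about x_J obtained from one superpoly, measured as in
    Example 4: |log2(sum over outputs of Pr[output]^2)|. A balanced table
    gives 1 bit, a constant table 0 bits, the table of Example 4 about 0.09."""
    n, w = len(table), sum(table)
    return abs(math.log2((w * w + (n - w) * (n - w)) / (n * n)))

if __name__ == "__main__":
    I = (1, 11, 21, 31, 41, 51, 61, 71)
    J = sorted(involved_secret_bits(I, 590))
    print("590-round Trivium, involved key bits:", J)       # paper: K_60 only
    for iv in (0x00CA6124DE5F12043D62, 0x2F0881B93B251C7079F2,
               0x5745A1944411D1374828):
        t = recover_superpoly(I, iv, J, 590)
        print(f"iv=0x{iv:020X}: p_v over x_J = {t}, balanced={2 * sum(t) == len(t)},"
              f" leaked={leaked_bits(t):.2f} bit")
```

With 0 initialization rounds the first key-stream bit is the affine function \(K_{66} \oplus IV_{69} \oplus 1\), so any cube of size at least 2 sums to 0 and no key bit is involved; that case is a useful sanity check of the bit mapping before the 590-round run.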

Example 3

(Verification of Our Attack against 591-round Trivium). We executed the offline phase against 591-round Trivium, where \(K_{23},K_{24},K_{25},K_{66},K_{67}\) are involved in the superpoly. Similarly to the attack against 590 rounds, we randomly chose 100 superpolys by changing the constant part of the iv and evaluated the sum over the given cube. As a result, the sum is always 0 independently of the five involved secret variables in 64 superpolys, for which \(\mathtt{0x39305FDD295BDACD2FBE}\) is an example of the constant part of the iv. There are 11 superpolys such that the sum is 1 only when

$$\begin{aligned} K_{23}\Vert K_{24}\Vert K_{25}\Vert K_{66}\Vert K_{67} \in \mathtt{\{00,05,08,0D,10,15,19,1C\}} \end{aligned}$$

in hexadecimal notation, where \(\mathtt{0x03CC37748E34C601ADF5}\) is an example of the constant part of the iv. Then, the ANF of the superpoly is represented as

$$\begin{aligned} p_{{\varvec{v}}}({\varvec{x}}) = (x_{66} \oplus 1)(x_{23}x_{24} \oplus x_{25} \oplus x_{67}\oplus 1). \end{aligned}$$

There are 9 superpolys such that the sum is 1 when

$$\begin{aligned} K_{23}\Vert K_{24}\Vert K_{25}\Vert K_{66}\Vert K_{67} \in \mathtt{\{02,07,0A,0F,12,17,1B,1E\}} \end{aligned}$$

in hexadecimal notation, where \(\mathtt{0x78126459CB2384E6CCCE}\) is an example of the constant part of the iv. Then, the ANF of the superpoly is represented as

$$\begin{aligned} p_{{\varvec{v}}}({\varvec{x}}) = x_{66}(x_{23}x_{24} \oplus x_{25} \oplus x_{67} \oplus 1). \end{aligned}$$

Moreover, there are 16 superpolys such that the sum is 1 when the value of \(K_{23}\Vert K_{24}\Vert K_{25}\Vert K_{66}\Vert K_{67}\) belongs to

$$\begin{aligned} \mathtt{\{00,02,05,07,08,0A,0D,0F,10,12,15,17,19,1B,1C,1E\}} \end{aligned}$$

in hexadecimal notation, where \(\mathtt{0x644BD671BE0C9241481A}\) is an example of the constant part of the iv. Then, the ANF of the superpoly is represented as

$$\begin{aligned} p_{{\varvec{v}}}({\varvec{x}}) = x_{23}x_{24} \oplus x_{25} \oplus x_{67} \oplus 1, \end{aligned}$$

and this superpoly is balanced. Note that \(x_{66}\) is not involved in this superpoly. Balanced superpolys are preferable, and we found 16 such superpolys. Therefore, the required number of trials for finding a preferable superpoly is about \(k=6\).

Table 3. Summary of theoretical cube attacks on Trivium. The time complexity in this table shows the time complexity to recover the superpoly.

Theoretical Results. As the experimental verification shows, Assumption 1 holds for Trivium in the small example. Therefore, we can expect that theoretically recovered superpolys also fulfill Assumption 1.

Cube indices are chosen as follows in our experiments: the odd indices \(1,3,\ldots ,2|I|-1\) are chosen, and the even indices \(2,4,\ldots ,2(|I|-40)\) are additionally chosen. Then, we exhaustively evaluated the involved secret variables, and Table 3 summarizes the results of our theoretical cube attack. Table 3 shows the indices of the involved secret variables and the time complexity of the superpoly recovery against Trivium with at least 800 initialization rounds. Since the previous best key-recovery attack reaches 799 rounds, all results improve on the current best key-recovery attack. Under the condition that the time complexity of the superpoly recovery is less than \(2^{79}\), the largest number of initialization rounds that we can attack is 832. Compared with the previous best key-recovery attack, this improves by \(832-799=33\) rounds.

We do not have plausible evidence that our choice of cube indices is appropriate, and the choice is still difficult because we need to try out \(\left( {\begin{array}{c}80\\ |I|\end{array}}\right) \) cubes when we want to evaluate all cubes whose size is |I|. How to choose appropriate cubes is left as an open question.

Fig. 2. Structure of Grain128a

5.2 Application to Grain128a

Specification. Grain128a is a member of the Grain family of NLFSR-based stream ciphers, and the internal state consists of two 128-bit registers, \((b_0,b_1,\ldots ,b_{127})\) and \((s_0,s_1,\ldots ,s_{127})\). The 128-bit key is loaded into the first register \({\varvec{b}}\), and the 96-bit IV is loaded into the second register \({\varvec{s}}\). The other state bits are set to 1 except the last bit of the second register. Namely, the initial state bits are

$$\begin{aligned} (b_0, b_1, \ldots , b_{127})&= (K_1, K_2, \ldots , K_{128}),\\ (s_0, s_1, \ldots , s_{127})&= (IV_1, IV_2, \ldots , IV_{96}, 1, \ldots , 1, 0). \end{aligned}$$

The pseudo code of the update function in the initialization is given as follows.

$$\begin{aligned}&g \leftarrow b_0 + b_{26} + b_{56} + b_{91} + b_{96} \nonumber \\&\qquad +\,b_{3}b_{67} + b_{11}b_{13} + b_{17}b_{18} + b_{27}b_{59} + b_{40}b_{48} + b_{61}b_{65} + b_{68}b_{84} \nonumber \\&\qquad +\,b_{88}b_{92}b_{93}b_{95} + b_{22}b_{24}b_{25} + b_{70}b_{78}b_{82}. \end{aligned}$$
(2)
$$\begin{aligned}&f \leftarrow s_0 + s_{7} + s_{38} + s_{70} + s_{81} + s_{96} \end{aligned}$$
(3)
$$\begin{aligned}&h \leftarrow b_{12} s_{8} + s_{13} s_{20} + b_{95} s_{42} + s_{60} s_{79} + b_{12} b_{95} s_{94} \end{aligned}$$
(4)
$$\begin{aligned}&z \leftarrow h + s_{93} + \sum _{j \in A} b_{j} \end{aligned}$$
(5)
$$\begin{aligned}&(b_0, b_1, \ldots , b_{127}) \leftarrow (b_1, \ldots , b_{127}, g + s_0 + z ) \\&(s_0, s_1, \ldots , s_{127}) \leftarrow (s_1, \ldots , s_{127}, f + z) \end{aligned}$$

Here, \(A = \{2, 15, 36, 45, 64, 73, 89\}\). First, in the key initialization, the state is updated 256 times without producing an output. After the key initialization, the update function is tweaked such that z is not fed to the state, and z is used as a key stream. Figure 2 shows the state update function of Grain128a.

Algorithm 3 (pseudocode figure, not reproduced)

MILP Model. Grain128aEval in Algorithm 3 generates the MILP model \(\mathcal {M}\) that is the input of Algorithm 1, and the model \(\mathcal {M}\) can evaluate all division trails for Grain128a whose initialization rounds are reduced to R. funcZ generates MILP variables and constraints for Eqs. (4) and (5), and it consists of 45 MILP variables and 32 MILP constraints. funcG generates MILP variables and constraints for Eq. (2), and it consists of 70 MILP variables and 55 MILP constraints. funcF generates MILP variables and constraints for Eq. (3), and it consists of 13 MILP variables and 7 MILP constraints. As a result, the MILP model for every round consists of \(45+70+13+4=132\) MILP variables and \(32+55+7+4=98\) MILP constraints. Therefore, the generated MILP model \(\mathcal {M}\) consists of \(256+45+132R\) MILP variables and \(98R+32+256+1\) MILP constraints. Note that the constraints for the input division property are added by Algorithm 1.

Experimental Verification. We implemented the MILP model \(\mathcal {M}\) for the propagation of the division property on Grain128a and evaluated the involved secret variables by using Algorithm 1. To verify our attack and implementation, the offline phase is executed by using the small cube \(I = \{ 1, 2, \ldots , 9 \}\).

Example 4

(Verification of Our Attack against 106-round Grain128a). The cube \(C_{\{ 1, 2, 3, \ldots , 9 \}}\) yields a superpoly that involves only seven secret variables (\(K_{46}\), \(K_{53}\), \(K_{85}\), \(K_{119}\), \(K_{122}\), \(K_{126}\), and \(K_{127}\)), as reported by Algorithm 1. In our experiments, the Hamming weight of every superpoly \(p_{{\varvec{v}}}({\varvec{x}})\) is only 4. Specifically, for an arbitrary iv satisfying \(IV_{76}=0\), \(p_{{\varvec{v}}}({\varvec{x}})\) is 1 only when the involved secret variables are represented as

$$\begin{aligned} (K_{46},K_{53},K_{85},K_{119},K_{122},K_{126},K_{127})=&(*,1,0,1,1,1,1) ~\mathrm{or} \\&(*,0,1,1,1,1,1), \end{aligned}$$

where \(*\) is any bit. Moreover, for an arbitrary iv satisfying \(IV_{76}=1\), \(p_{{\varvec{v}}}({\varvec{x}})\) is 1 only when the involved secret variables are represented as

$$\begin{aligned} (K_{46},K_{53},K_{85},K_{119},K_{122},K_{126},K_{127})=&(*,1,0,1,0,1,1) ~\mathrm{or} \\&(*,0,1,1,0,1,1). \end{aligned}$$

Namely, the superpoly is represented as

$$\begin{aligned} p_{{\varvec{v}}}({\varvec{x}}) = (x_{53} \oplus x_{85}) \cdot x_{119} \cdot (x_{122} \oplus v_{76}) \cdot x_{126} \cdot x_{127}. \end{aligned}$$

This superpoly is independent of \(x_{46}\). Moreover, it is not balanced: the Hamming weight of \(p_{{\varvec{v}}}({\varvec{x}})\) is 2 over the six involved input bits. Therefore, the recovered information about the secret variables, in bits, is

$$\begin{aligned} \left| \log _2 \left( \frac{2 \times \frac{2}{2^6} + (62 \times \frac{62}{2^6})}{2^6} \right) \right| \approx 0.09. \end{aligned}$$

Twice as much information can be recovered by also flipping the bit \(IV_{76}\), but the recovered information is still less than 1 bit.

Theoretical Results. We could not find superpolys satisfying Assumption 1 in our experiments using the small cube. On the other hand, Assumption 2 holds. Therefore, we can expect that theoretically recovered superpolys also fulfill Assumption 2, and each leaks at least some information about the secret variables, although less than 1 bit. Moreover, by collecting such superpolys, we can expect that multiple bits of information about the secret variables are recovered.

Table 4. Summary of theoretical cube attacks on Grain128a. The time complexity in this table shows the time complexity to recover the superpoly.

Table 4 shows the indices of the involved secret variables and the time complexity of the superpoly recovery against Grain128a. Since the previous best attack reaches 177 rounds in the single-key setting, all results improve on the current best key-recovery attack. Under the condition that the time complexity of the superpoly recovery is less than \(2^{127}\), the largest number of initialization rounds that we can attack is 183. Compared with the previous best distinguishing attack, this improves by \(183-177=6\) rounds. Moreover, it allows for some key recovery.

5.3 Application to ACORN

Specification. ACORN is an authenticated encryption scheme and one of the 3rd round candidates in the CAESAR competition. Its structure is based on an NLFSR, and the internal state is a 293-bit state \((S_0,S_1,\ldots ,S_{292})\). There are two component functions, \(ks = KSG128(S)\) and \(f = FBK128(S)\), in the update function, defined as

$$\begin{aligned} ks&= S_{12} \oplus S_{154} \oplus maj(S_{235}, S_{61}, S_{193}) \oplus ch(S_{230}, S_{111}, S_{66}), \\ f&= S_0 \oplus \tilde{S}_{107} \oplus maj(S_{244}, S_{23}, S_{160}) \oplus (ca \wedge S_{196}) \oplus (cb \wedge ks), \end{aligned}$$

where ks is used as the key stream, and maj and ch are defined as

$$\begin{aligned} maj(x, y, z)&= (x \wedge y) \oplus (x \wedge z) \oplus (y \wedge z), \\ ch(x, y, z)&= (x \wedge y) \oplus ((x \oplus 1) \wedge z). \end{aligned}$$

Then, the update function is given as follows.

$$\begin{aligned}&S_{289} \leftarrow S_{289} \oplus S_{235} \oplus S_{230} \\&S_{230} \leftarrow S_{230} \oplus S_{196} \oplus S_{193} \\&S_{193} \leftarrow S_{193} \oplus S_{160} \oplus S_{154} \\&S_{154} \leftarrow S_{154} \oplus S_{111} \oplus S_{107} \\&S_{107} \leftarrow S_{107} \oplus S_{66} \oplus S_{61} \\&S_{61} \leftarrow S_{61} \oplus S_{23} \oplus S_{0} \\&ks = KSG128(S) \\&f = FBK128(S,ca,cb) \\&(S_0, S_1, \ldots , S_{291}, S_{292}) \leftarrow (S_1, S_2, \ldots , S_{292}, f \oplus m) \end{aligned}$$

The 293-bit state is first initialized to \({\mathbf 0}\). Second, the 128-bit secret key is sequentially loaded into the NLFSR via m. Third, the 128-bit initialization vector is sequentially loaded into the NLFSR via m. Fourth, the 128-bit secret key is sequentially loaded into the NLFSR via m twelve times. The constant bits ca and cb are always 1 in the initial 1792 rounds. The associated data is always loaded before the key stream is output, but we do not consider this process in this paper because the number of rounds that we can attack is smaller than 1792. Figure 3 shows the structure of ACORN. Please refer to [33] for details.

Fig. 3. Structure of ACORN

Algorithm 4 (pseudocode figure, not reproduced)

MILP Model. ACORNEval in Algorithm 4 generates the MILP model \(\mathcal {M}\) that is the input of Algorithm 1, and the model \(\mathcal {M}\) can evaluate all division trails for ACORN whose initialization rounds are reduced to R. xorFB generates MILP variables and constraints for the XOR feedback function. ksg128 and fbk128 generate MILP variables and constraints for KSG128 and FBK128, respectively.

If there are constant-zero bits in the input of KSG128 and FBK128, the propagation of the division property through the two functions ksg128 and \(\mathtt{fbk128}\) is limited. For example, when \(maj(x,y,z)\) is computed under the condition \(y=z=0\), this function reduces to

$$\begin{aligned} maj(x,0,0) = 0, \end{aligned}$$

and the division property of x never propagates to the output of maj. Such limitations of the propagation only happen in the first several rounds because the state \({\varvec{S}}\) is initialized to \({\mathbf 0}\). To control this behavior, the current round number is given as an input to ksg128 and fbk128. Note that the constraints for the input division property are added by Algorithm 1.

Experimental Verification. We implemented the MILP model \(\mathcal {M}\) for the propagation of the division property on ACORN and evaluated the involved secret variables by using Algorithm 1. We searched for a small cube such that \(|I|+|J|\) is practically feasible, and the following small cube

$$\begin{aligned} C_{\{1,2,3,4,5,8,20,125,126,127,128\}} \end{aligned}$$

is used to verify our attack and implementation.

Example 5

(Verification of Our Attack against 517-round ACORN). The cube \(C_{\{1,2,3,4,5,8,20,125,126,127,128\}}\) yields a superpoly that involves only nine secret variables (\(K_{6}\), \(K_{8}\), \(K_{10}\), \(K_{11}\), \(K_{12}\), \(K_{15}\), \(K_{16}\), \(K_{45}\), and \(K_{49}\)), as reported by Algorithm 1. We tried out 100 randomly chosen values of the constant part of the iv. As a result, all superpolys \(p_{{\varvec{v}}}({\varvec{x}})\) are balanced, independently of the value of the constant part of the iv. Specifically, \(p_{{\varvec{v}}}({\varvec{x}})\) equals the sum of the involved secret variables. Namely, the superpoly is represented as

$$\begin{aligned} p_{{\varvec{v}}}({\varvec{x}}) = x_{6} \oplus x_{8} \oplus x_{10} \oplus x_{11} \oplus x_{12} \oplus x_{15} \oplus x_{16} \oplus x_{45} \oplus x_{49}. \end{aligned}$$

Theoretical Results. As the experimental verification shows, Assumption 1 holds for ACORN in the small example. Therefore, we can expect that theoretically recovered superpolys also fulfill Assumption 1.

Table 5. Summary of theoretical cube attacks on ACORN. The time complexity in this table shows the time complexity to recover the superpoly.

Table 5 shows the indices of the involved secret variables and the time complexity of the superpoly recovery against ACORN. Since the previous best attack reaches 503 rounds, all results improve on the current best key-recovery attack. Among the various cubes we searched, the largest number of initialization rounds that we can attack is 704, where the cube size is 64 and the number of involved secret variables is 58. Compared with the previous best key-recovery attack, this improves by \(704-503=201\) rounds.

6 Discussions

6.1 Validity of Assumptions 1 and 2

Whether the two assumptions hold depends on the structure of the analyzed cipher. In the three applications shown in this paper, we could easily find balanced superpolys for Trivium and ACORN by actually executing the offline phase using a small cube. Therefore, we can expect that Assumption 1 holds for theoretically recovered superpolys of these two ciphers. On the other hand, we could not find balanced superpolys for Grain128a. This implies that Assumption 1 does not hold for theoretically recovered superpolys of Grain128a. However, since we could easily find non-constant superpolys, we can expect that Assumption 2 holds.

Note that Assumption 1 is introduced to estimate the time complexity to recover the entire secret key, and some information about the secret variables leaks to attackers even if only Assumption 2 holds. Moreover, even if neither assumption holds, the recovered superpoly is useful for distinguishing attacks. Therefore, if the superpoly recovery is more efficient than the brute-force attack, it immediately implies some vulnerability of the symmetric-key cryptosystem, which is why the time complexity of the superpoly recovery discussed in this paper is so important.

Conventional cube attacks also rely on a similar assumption because they experimentally verify whether the superpoly is linear, quadratic, or neither. For example, in [11], the authors judged that the superpoly is linear if it passes at least 100 linearity tests. Moreover, Fouque and Vannet introduced heuristic linearity and quadraticity tests in [14], where the superpoly is judged to be linear or quadratic if it passes a constant number of linearity or quadraticity tests, respectively. These constant-order tests may fail if the superpoly contains terms that are highly biased. For example, if the superpoly is \(K_1+f(K_2,K_3,K_4,...,K_{32})\) where f is unbalanced, the test used in previous cube attacks may wrongly judge the superpoly to be \(K_1\). Namely, the conventional cube attack also assumes that the superpoly is balanced with respect to each involved secret variable, and it fails to recover secret variables if this assumption is incorrect.

6.2 Multiple-Bits Recovery only from One Cube

It may be possible to recover multiple bits from a given cube by changing the value of the constant part of the iv. Indeed, Example 3 recovers more than one bit of information about the secret variables by using \({\varvec{v}} = \mathtt{0x03CC37748E34C601ADF5}\) or \({\varvec{v}} = \mathtt{0x78126459CB2384E6CCCE}\) together with \({\varvec{v}}=\mathtt{0x644BD671BE0C9241481A}\). Moreover, two bits of information about the secret variables are recovered if we find two independent balanced superpolys. On the other hand, the superpoly must be sufficiently simple for the key recovery. While we may be able to recover multiple bits from one cube by changing the value of the constant part of the iv when the number of involved secret variables is large, we cannot claim that there are many independent balanced superpolys when the number of involved secret variables is small. Therefore, we do not claim that multiple bits are recovered from one cube by changing the value of the constant part of the iv.

6.3 Comparison with Previous Techniques

There is previous work that exploits non-randomness in the high-degree monomial structure of the ANF for key recovery of stream ciphers. In [13], it is examined whether every key bit occurs in the parametrized expression of the coefficient of some high-degree monomial in the iv bits, or more generally, how much influence each key bit has on the value of that coefficient. If a coefficient depends on fewer than all key bits, this fact is exploited to filter out keys that do not satisfy the imposed value of the coefficient. As opposed to the present work, this method is mostly statistical in nature, whereas the division property is fully algebraic.

Secondly, in [17], conditions on the internal state are identified that yield a deterministic differential characteristic over a large number of rounds. Depending on whether these conditions involve only public variables or also key variables, distinguishing and partial key-recovery attacks are derived. The technique is extended to (conditional) higher-order differentials, which makes it possible to distinguish reduced-round versions of some stream ciphers and to recover parts of the key. Again, this method is quite different from the methods of this paper, and it is not purely algebraic.

A third, more recent approach is the dynamic cube attack [12]. In contrast to the standard cube attack, which finds the key by solving a system of (linear) equations in the key bits, the dynamic cube attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic cube attacks aim at creating lower-degree representations of the given cipher. This method has been successfully applied to break the stream cipher Grain-128 [9]. All of these previous methods share the restriction that they are experimental rather than theoretical, i.e., they depend on computing with cubes as large as is practically feasible.

7 Conclusion

This paper revisited the cube attack proposed by Dinur and Shamir at Eurocrypt 2009. The conventional cube attack regards the target symmetric-key cryptosystem as a blackbox polynomial and analyzes the polynomial experimentally. Therefore, it is practically infeasible to evaluate the security once the cube size exceeds the experimentally feasible size. In this paper, we proposed the cube attack on non-blackbox polynomials, which enables cube attacks with a large cube size. Our method is built on the division property, and as far as we know, this is the first application of the division property to stream ciphers. The trivial application yields only zero-sum integral distinguishers, and it is non-trivial to recover the secret key of a stream cipher from such a distinguisher. We proposed a novel application of the division property, in which it is used to analyze the coefficients of the Algebraic Normal Form of polynomials. As a result, we can estimate the time complexity of the superpoly recovery, and the recovered superpoly immediately yields a vulnerability. We applied the new technique to Trivium, Grain128a, and ACORN, and the superpolys of 832-round Trivium, 183-round Grain128a, and 704-round ACORN are recovered more efficiently than by brute-force search. For Trivium and ACORN, we can expect the recovered superpoly to be useful for key recovery, and they yield the current best key-recovery attacks. On the other hand, for Grain128a, we cannot expect the recovered superpoly to be balanced, so the amount of recovered information may be significantly less than one bit. Therefore, the feasibility of the key recovery is speculative, but 183-round Grain128a is at least vulnerable to superpoly recovery. We expect that our new tool will become a generic tool to measure the security of stream ciphers.
