Paper 2009/497

Cube Attack on Courtois Toy Cipher

Piotr Mroczkowski and Janusz Szmidt


Abstract. The cube attack was introduced by Itai Dinur and Adi Shamir [8] as a known plaintext attack on symmetric primitives. The attack has been applied to reduced variants of the stream ciphers Trivium [3, 8] and Grain-128 [2], to a three-round reduced variant of the block cipher Serpent [9], and to a reduced version of the hash function MD6 [3]. A special case of the attack appeared in M. Vielhaber's ePrint articles [13, 14], where it was named AIDA (Algebraic Initial Value Differential Attack) and applied to modified versions of Trivium. In this paper, we present the experimental results of applying the cube attack to four rounds of the Courtois Toy Cipher (CTC) with full recovery of the 120-bit key. We then extend the attack to five rounds by applying the meet-in-the-middle principle.

Key words: Cube attack, symmetric primitives, Boolean polynomials, CTC, the meet-in-the-middle method

Category: Secret-key cryptography
Publication info: Published elsewhere. Unknown where it was published
Keywords: Cube attack, symmetric primitives, Boolean polynomials, CTC, the meet-in-the-middle attack
Contact author(s): j szmidt @ neostrada pl
History: 2009-10-14: received
License: Creative Commons Attribution


@misc{cryptoeprint:2009/497,
      author = {Piotr Mroczkowski and Janusz Szmidt},
      title = {Cube Attack on Courtois Toy Cipher},
      howpublished = {Cryptology ePrint Archive, Paper 2009/497},
      year = {2009},
      note = {\url{}},
      url = {}
}