Cryptology ePrint Archive: Report 2020/441

Modeling for Three-Subset Division Property without Unknown Subset

Yonglin Hao and Gregor Leander and Willi Meier and Yosuke Todo and Qingju Wang

Abstract: A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019.

In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the feature of the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show an 842-round key-recovery attack. We also show that an 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 842-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to distinguishing attacks. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds. In the application to ACORN, we prove that the 772-round key-recovery attack at ISC2019 is in fact a constant-sum distinguisher. We then give new key-recovery attacks mounting to 773- and 774-round ACORN. We also verify the current best key-recovery attack on 892-round Kreyvium and recover the exact superpoly.

Category / Keywords: secret-key cryptography / stream ciphers, cube attack, division property, three-subset division property, MILP, Trivium, Grain-128AEAD, ACORN, Kreyvium

Original Publication (with major differences): IACR-EUROCRYPT-2020

Date: received 16 Apr 2020

Contact author: todo yosuke at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20200419:155027 (All versions of this report)

Short URL: ia.cr/2020/441


[ Cryptology ePrint archive ]