Paper 2022/1218
Stretching Cube Attacks: Improved Methods to Recover Massive Superpolies
Abstract
Cube attacks exploit the algebraic properties of symmetric ciphers by recovering a special polynomial, the superpoly, and subsequently the secret key. When the algebraic normal forms (ANFs) of the corresponding Boolean functions are not available, the division property based approach allows one to recover the exact superpoly in a clever way. However, the computational cost of recovering the superpoly becomes prohibitive as the number of rounds of the cipher increases. For example, the nested monomial predictions (NMP) technique proposed at ASIACRYPT 2021 got stuck at round 845 for Trivium. To alleviate the bottleneck of the NMP technique, i.e., the unsolvable model due to the excessive number of monomial trails, we shift our focus to the so-called valuable terms of a specific middle round that contribute to the superpoly. Two new techniques are introduced, namely Non-zero Bit-based Division Property (NBDP) and Core Monomial Prediction (CMP), both of which result in a simpler MILP model than the MILP model of monomial prediction (MP). It can be shown that the CMP technique offers a substantial improvement over the monomial prediction technique in terms of the computational complexity of recovering valuable terms. Combining the divide-and-conquer strategy with these two new techniques, we catch the valuable terms more effectively and thus avoid wasting computational resources on intermediate terms that contribute nothing to the superpoly. As an illustration of the power of our techniques, we apply our framework to Trivium, Grain, Kreyvium and Acorn. As a result, the computational cost of earlier attacks can be significantly reduced, and the exact ANFs of the superpolies for 846-, 847- and 848-round Trivium, 192-round Grain, 895-round Kreyvium and 776-round Acorn can be recovered in practical time, even though the superpoly of 848-round Trivium contains over 500 million terms; this corresponds to respectively 3, 1, 1 and 1 rounds more than the previous best results.
Moreover, by investigating the internal properties of Möbius transformation, we show how to perform key recovery using superpolies involving full key bits, which leads to the best key recovery attacks on the targeted ciphers.
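The abstract refers to two basic mechanisms without spelling them out: summing a cipher's output bit over a cube isolates the superpoly, and the Möbius transformation converts a truth table of cube sums into the superpoly's ANF, which is then matched against an observed value to discard key candidates. The following Python code is an added worked example, not code from the paper or its authors (who target real ciphers with MILP-based tools); it runs both steps on a constructed toy Boolean function. The polynomial toy_output_bit, the cube I = {x0, x1}, the three key bits and the secret key are all constructed assumptions chosen so that the superpoly can be checked by hand.

```python
from itertools import product

# Constructed toy output bit f(x, k) over GF(2): public IV bits x = (x0, x1, x2)
# and secret key bits k = (k0, k1, k2). Illustration only; it is not the
# output function of Trivium or any other real cipher.
def toy_output_bit(x, k):
    x0, x1, x2 = x
    k0, k1, k2 = k
    return (x0 & x1 & (k0 ^ (k1 & k2) ^ 1)) ^ (x0 & k1) ^ (x1 & x2 & k0) ^ k2


def cube_sum(f, cube, n_pub, k):
    """XOR f over all 2^|cube| assignments of the cube variables, with the
    remaining public bits fixed to 0. By the cube-attack identity this equals
    the superpoly p_I(k) of the cube term t_I = prod_{i in cube} x_i."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        x = [0] * n_pub
        for idx, b in zip(cube, bits):
            x[idx] = b
        acc ^= f(x, k)
    return acc


def mobius_transform(table):
    """Fast Möbius transform over GF(2). Input: truth table indexed by the
    integer whose bit i is k_i. Output: ANF coefficients, where index m is 1
    iff the monomial prod_{i in bits(m)} k_i occurs. The map is an involution,
    so it also converts ANF coefficients back into a truth table."""
    a = list(table)
    n = len(a).bit_length() - 1
    for i in range(n):
        step = 1 << i
        for j in range(len(a)):
            if j & step:
                a[j] ^= a[j ^ step]
    return a


def int_to_key(m, n_key):
    """Key bits of the integer m, least significant bit first."""
    return [(m >> i) & 1 for i in range(n_key)]


def recover_superpoly_anf(f, cube, n_pub, n_key):
    """Offline phase: tabulate the cube sum for every key (the truth table of
    the superpoly) and Möbius-transform it into the superpoly's ANF.
    Returns the monomials as tuples of key-bit indices; () is the constant 1."""
    table = [cube_sum(f, cube, n_pub, int_to_key(m, n_key)) for m in range(1 << n_key)]
    coeffs = mobius_transform(table)
    return [tuple(i for i in range(n_key) if (m >> i) & 1)
            for m in range(1 << n_key) if coeffs[m]]


def eval_anf(monomials, k):
    """Evaluate an ANF given as a list of monomials at key k."""
    val = 0
    for mono in monomials:
        term = 1
        for i in mono:
            term &= k[i]
        val ^= term
    return val


def filter_keys(monomials, observed, n_key):
    """Online phase: keep only the key candidates whose superpoly value
    matches the cube sum observed from the keyed oracle."""
    return [tuple(int_to_key(m, n_key)) for m in range(1 << n_key)
            if eval_anf(monomials, int_to_key(m, n_key)) == observed]


if __name__ == "__main__":
    cube, n_pub, n_key = [0, 1], 3, 3          # constructed cube I = {x0, x1}
    anf = recover_superpoly_anf(toy_output_bit, cube, n_pub, n_key)
    print("superpoly monomials:", anf)        # 1 + k0 + k1*k2
    secret = [1, 1, 0]                        # constructed unknown key held by the oracle
    observed = cube_sum(toy_output_bit, cube, n_pub, secret)
    print("candidates consistent with the observed cube sum:",
          filter_keys(anf, observed, n_key))
```

On this toy function the cube {x0, x1} yields the superpoly 1 + k0 + k1 k2, and one observed cube sum leaves 4 of the 8 keys as candidates; each further superpoly with an independent value halves the set again. The tabulate-then-transform approach costs 2^(number of key bits) cube sums, which is exactly why, for a real cipher, the ANF has to be recovered by structural methods such as the division property and monomial prediction discussed in the abstract rather than by exhaustive tabulation.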
Metadata
- Category: Secret-key cryptography
- Publication info: A minor revision of an IACR publication in ASIACRYPT 2022
- Keywords: Cube Attack, Superpoly, Trivium, Grain-128AEAD, Acorn, Kreyvium, Division Property, Monomial Prediction
- Contact author(s): hejiahui2020 @ mail sdu edu cn; kai hu @ ntu edu sg; bart preneel @ esat kuleuven be; mqwang @ sdu edu cn
- History: 2022-09-21: last of 2 revisions; 2022-09-14: received
- Short URL: https://ia.cr/2022/1218
- License: CC BY
BibTeX
@misc{cryptoeprint:2022/1218,
  author = {Jiahui He and Kai Hu and Bart Preneel and Meiqin Wang},
  title = {Stretching Cube Attacks: Improved Methods to Recover Massive Superpolies},
  howpublished = {Cryptology {ePrint} Archive, Paper 2022/1218},
  year = {2022},
  url = {https://eprint.iacr.org/2022/1218}
}