Paper 2022/1218

Stretching Cube Attacks: Improved Methods to Recover Massive Superpolies

Jiahui He, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China. Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China.
Kai Hu, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.
Bart Preneel, imec-COSIC, KU Leuven, Leuven, Belgium.
Meiqin Wang, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China. Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China. Quan Cheng Shandong Laboratory, Jinan, China.
Abstract

Cube attacks exploit the algebraic properties of symmetric ciphers by recovering a special polynomial, the superpoly, and subsequently the secret key. When the algebraic normal forms of the corresponding Boolean functions are not available, the division property based approach allows to recover the exact superpoly in a clever way. However, the computational cost to recover the superpoly becomes prohibitive as the number of rounds of the cipher increases. For example, the nested monomial predictions (NMP) proposed at ASIACRYPT 2021 stuck at round 845 for Trivium. To alleviate the bottleneck of the NMP technique, i.e., the unsolvable model due to the excessive number of monomial trails, we shift our focus to the so-called valuable terms of a specific middle round that contribute to the superpoly. Two new techniques are introduced, namely, Non-zero Bit-based Division Property (NBDP) and Core Monomial Prediction (CMP), both of which result in a simpler MILP model compared to the MILP model of MP. It can be shown that the CMP technique offers a substantial improvement over the monomial prediction technique in terms of computational complexity of recovering valuable terms. Combining the divide-and-conquer strategy with these two new techniques, we catch the valuable terms more effectively and thus avoid wasting computational resources on intermediate terms contributing nothing to the superpoly. As an illustration of the power of our techniques, we apply our framework to Trivium, Grain, Kreyvium and Acorn. As a result, the computational cost of earlier attacks can be significantly reduced and the exact ANFs of the superpolies for 846-, 847- and 848-round Trivium, 192-round Grain, 895-round Kreyvium and 776-round Acorn can be recovered in practical time, even though the superpoly of 848-round Trivium contains over 500 million terms; this corresponds to respectively 3, 1, 1 and 1 rounds more than the previous best results. Moreover, by investigating the internal properties of Möbius transformation, we show how to perform key recovery using superpolies involving full key bits, which leads to the best key recovery attacks on the targeted ciphers.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2022
Keywords
Cube Attack Superpoly Trivium Grain-128AEAD Acorn Kreyvium Division Property Monomial Prediction
Contact author(s)
hejiahui2020 @ mail sdu edu cn
kai hu @ ntu edu sg
bart preneel @ esat kuleuven be
mqwang @ sdu edu cn
History
2022-09-21: last of 2 revisions
2022-09-14: received
See all versions
Short URL
https://ia.cr/2022/1218
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1218,
      author = {Jiahui He and Kai Hu and Bart Preneel and Meiqin Wang},
      title = {Stretching Cube Attacks: Improved Methods to Recover Massive Superpolies},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1218},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1218}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.