More Balanced Polynomials: Cube Attacks on 810- and 825-Round Trivium with Practical Complexities

Hao Lei; Jiahui He; Kai Hu; Meiqin Wang

Paper 2023/1237

More Balanced Polynomials: Cube Attacks on 810- and 825-Round Trivium with Practical Complexities

Hao Lei

Jiahui He, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China

Kai Hu, School of Physical and Mathematical Sciences, Nanyang Technological University

Meiqin Wang, School of Cyber Science and Technology, Shandong University, Qingdao, Shandong, China, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, Quan Cheng Shandong Laboratory, Jinan, China

Abstract

The key step of the cube attack is to recover the special polynomial, the superpoly, of the target cipher. In particular, the balanced superpoly, in which there exists at least one secret variable as a single monomial and none of the other monomials contain this variable, can be exploited to reveal one-bit information about the key bits. However, as the number of rounds grows, it becomes increasingly difficult to find such balanced superpolies. Consequently, traditional methods of searching for balanced superpolies soon hit a bottleneck. Aiming at performing a cube attack on more rounds of Trivium with a practical complexity, in this paper, we present three techniques to obtain sufficient balanced polynomials. 1. Based on the structure of Trivium, we propose a variable substitution technique to simplify the superpoly. 2. Obtaining the additional balanced polynomial by combining two superpolies to cancel the two-degree terms. 3. We propose an experimental approach to construct high-quality large cubes which may contain more subcubes with balanced superpolies and a heuristic search strategy for their subcubes whose superpolies are balanced. To illustrate the power of our techniques, we search for balanced polynomials for 810- and 825-round Trivium. As a result, we can mount cube attacks against 810- and 825-round Trivium with the time complexity of $2^{44.17}$ and $2^{53.17}$ round-reduced Trivium initializations, respectively, which can be verified in 48 minutes and 18 days on a PC with one A100 GPU. For the same level of time complexity, this improves the previous best results by $2$ and $5$ rounds, respectively.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Preprint.
Keywords: Trivium cube attack key-recovery attack division property
Contact author(s): leihao @ mail sdu edu cn
hejiahui2020 @ mail sdu edu cn
kai hu @ ntu edu sg
mqwang @ sdu edu cn
History: 2023-09-21: revised; 2023-08-16: received; See all versions
Short URL: https://ia.cr/2023/1237
License: CC BY

BibTeX

@misc{cryptoeprint:2023/1237,
      author = {Hao Lei and Jiahui He and Kai Hu and Meiqin Wang},
      title = {More Balanced Polynomials: Cube Attacks on 810- and 825-Round Trivium with Practical Complexities},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1237},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1237}},
      url = {https://eprint.iacr.org/2023/1237}
}