Paper 2024/342

Massive Superpoly Recovery with a Meet-in-the-middle Framework -- Improved Cube Attacks on Trivium and Kreyvium

Jiahui He, Shandong University
Kai Hu, Shandong University, Nanyang Technological University
Hao Lei, Shandong University
Meiqin Wang, Shandong University
Abstract

The cube attack extracts the information of secret key bits by recovering the coefficient called superpoly in the output bit with respect to a subset of plaintexts/IV, which is called a cube. While the division property provides an efficient way to detect the structure of the superpoly, superpoly recovery could still be prohibitively costly if the number of rounds is sufficiently high. In particular, Core Monomial Prediction (CMP) was proposed at ASIACRYPT 2022 as a scaled-down version of Monomial Prediction (MP), which sacrifices accuracy for efficiency but ultimately gets stuck at 848 rounds of \trivium. In this paper, we provide new insights into CMP by elucidating the algebraic meaning to the core monomial trails. We prove that it is sufficient to recover the superpoly by extracting all the core monomial trails, an approach based solely on CMP, thus demonstrating that CMP can achieve perfect accuracy as MP does. We further reveal that CMP is still MP in essence, but with variable substitutions on the target function. Inspired by the divide-and-conquer strategy that has been widely used in previous literature, we design a meet-in-the-middle (MITM) framework, in which the CMP-based approach can be embedded to achieve a speedup. To illustrate the power of these new techniques, we apply the MITM framework to \trivium, \grain and \kreyvium. As a result, not only can the previous computational cost of superpoly recovery be reduced (e.g., 5x faster for superpoly recovery on 192-round \grain), but we also succeed in recovering superpolies for up to 851 rounds of \trivium and up to 899 rounds of \kreyvium. This surpasses the previous best results by respectively 3 and 4 rounds. Using the memory-efficient M\"obius transform proposed at EUROCRYPT 2021, we can perform key recovery attacks on target ciphers, even though the superpoly may contain over $2^{40}$ monomials. This leads to the best cube attacks on the target ciphers.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
A minor revision of an IACR publication in EUROCRYPT 2024
Keywords
Cube AttackSuperpolyTriviumGrainKreyviumDivision PropertyMonomial PredictionCore Monomial Prediction
Contact author(s)
hejiahui2020 @ mail sdu edu cn
kai hu @ sdu edu cn
leihao @ mail sdu edu cn
mqwang @ sdu edu cn
History
2024-05-11: last of 4 revisions
2024-02-27: received
See all versions
Short URL
https://ia.cr/2024/342
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/342,
      author = {Jiahui He and Kai Hu and Hao Lei and Meiqin Wang},
      title = {Massive Superpoly Recovery with a Meet-in-the-middle Framework -- Improved Cube Attacks on Trivium and Kreyvium},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/342},
      year = {2024},
      url = {https://eprint.iacr.org/2024/342}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.