Observations on the Dynamic Cube Attack of 855-Round TRIVIUM from Crypto'18

Recently, another kind of dynamic cube attack was proposed by Fu et al. With some key guesses and a transformation of the output bit, they claim that, when the key guesses are correct, the degree of the transformed output bit drops so significantly that cubes of lower dimension cannot exist, making the output bit vulnerable to a zero-sum cube tester that uses slightly higher-dimensional cubes. They applied their method to 855-round Trivium. To verify the correctness of their result, they also proposed a practical attack on 721-round Trivium, claiming that the transformed output bit after 721 rounds of initialization contains no cubes of dimension 31 or below. However, the degree evaluation algorithm used by Fu et al. is novel and complicated, and its complexity is not given. Their algorithm can only be run on huge clusters and cannot be verified by existing theoretical tools. In this paper, we theoretically analyze the dynamic cube attack method of Fu et al. using the division property and the MILP modeling technique. Firstly, we draw links between the division property and Fu et al.'s dynamic cube attack, so that their method can be described as a theoretically well-founded and computationally economical MILP-aided division-property-based cube attack. With the MILP model built from the division property, we analyze 721-round Trivium in detail and find some interesting results: 1. The degree evaluation of our MILP method is more accurate than that of Fu et al. Fu et al. prove that the degree of the pure output bit z is 40, while our method gives 29. We practically confirmed the correctness of our method by trying thousands of random keys, random 30-dimensional cubes and random assignments to the non-cube IVs, finding that the summations are constantly 0. 2. For the transformed output bit (1 + s_1) · z, we proved the same degree 31 as Fu et al., and we also find that 32-dimensional cubes have the zero-sum property for correct key guesses.
But since the degree of pure z is only 29, the 721-round practical attack on Trivium violates the principle of Fu et al.'s work: after the transformation of the output bit, when the key guesses are correct, the degree of the transformed output bit has not dropped but risen. 3. Now that the degree-theoretic foundation of the 721-round attack has been violated, we also find that the key-recovery attack cannot be carried out either. We theoretically proved and practically verified that, no matter whether the key guesses are correct or incorrect, the summations over 32-dimensional cubes are always 0. So no key bit can be recovered at all. All these analyses of 721-round Trivium can be verified practically, and we open-source our C++ implementation as well. Secondly, we revisit their 855-round result. Our MILP model reveals that the 855-round result suffers from the same problems as its 721-round counterpart. We provide theoretical evidence that, after their transformation, the degree of the output bit is more likely to rise than to drop. Furthermore, since Fu et al.'s degree evaluation is written in an unclear manner and no complexity analysis is given, we rewrite the algorithm according to their main ideas and supplement a detailed complexity analysis. Our analysis indicates that a precise evaluation of the degree requires complexities far beyond practical reach. We also demonstrate that further abbreviation of our rewritten algorithm can result in wrong evaluations. This might be the reason why Fu et al. give such a degree evaluation. This is also an additional argument against Fu et al.'s dynamic cube attack method. Thirdly, the selection of Fu et al.'s cube dimension is also questionable. According to our experiments and existing theoretical results, there is a high risk that the correct key guesses and wrong ones share the same zero-sum property under Fu et al.'s cube testers.
As a remedy, we suggest that concrete cubes satisfying particular conditions should be identified rather than relying on the IV-degree-drop hypothesis. To conclude, Fu et al.'s dynamic cube attack on 855-round Trivium is questionable. 855-round Trivium, as well as every variant from 840 rounds up, should still be open for further convincing cryptanalysis.
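The zero-sum cube tester that the paper uses for its practical checks on reduced-round Trivium, as an added example in Python (not the authors' open-sourced C++ code): it clocks Trivium for a chosen number of initialization rounds, XORs the first keystream bit over all assignments to a cube of IV bits, and repeats that for random keys, random cubes and random non-cube IV bits. The key/IV loading order (key bit i into s_{i+1}, IV bit i into s_{94+i}) is this implementation's own convention, and the paper's (1 + s_1) · z transformation is not applied.

```python
# Added example: zero-sum cube tester on reduced-round Trivium (not the paper's code).
from itertools import product
from random import Random

def trivium_first_bit(key, iv, rounds):
    """Load Trivium, clock `rounds` initialization steps (no output), then return
    the first keystream bit. key and iv are lists of 80 bits (0/1).
    Loading convention (assumed here): key bit i -> s_{i+1}, iv bit i -> s_{94+i},
    s_286..s_288 = 1, every other state bit 0; s_j lives at index j-1."""
    s = [0] * 288
    s[0:80] = key
    s[93:173] = iv
    s[285] = s[286] = s[287] = 1
    for _ in range(rounds):
        t1 = s[65] ^ s[92]                     # s66 + s93
        t2 = s[161] ^ s[176]                   # s162 + s177
        t3 = s[242] ^ s[287]                   # s243 + s288
        a = t1 ^ (s[90] & s[91]) ^ s[170]      # feeds s94
        b = t2 ^ (s[174] & s[175]) ^ s[263]    # feeds s178
        c = t3 ^ (s[285] & s[286]) ^ s[68]     # feeds s1
        s = [c] + s[0:92] + [a] + s[93:176] + [b] + s[177:287]
    return s[65] ^ s[92] ^ s[161] ^ s[176] ^ s[242] ^ s[287]

def cube_sum(key, cube, rounds, base_iv=None):
    """XOR of the output bit over all 2^|cube| assignments to the cube IV bits
    (positions 0..79); the non-cube IV bits are fixed to base_iv (zeros by default).
    A sum of 0 for every key is what a zero-sum cube tester looks for."""
    iv = list(base_iv) if base_iv is not None else [0] * 80
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        for pos, bit in zip(cube, bits):
            iv[pos] = bit
        acc ^= trivium_first_bit(key, iv, rounds)
    return acc

def zero_sum_test(rounds, dim, trials, seed=1):
    """Paper-style experiment: random keys, random `dim`-dimensional cubes and random
    non-cube IV bits. Returns how many trials gave a nonzero cube sum (0 = all zero)."""
    rng = Random(seed)
    nonzero = 0
    for _ in range(trials):
        key = [rng.randrange(2) for _ in range(80)]
        iv = [rng.randrange(2) for _ in range(80)]
        cube = rng.sample(range(80), dim)
        nonzero += cube_sum(key, cube, rounds, iv)
    return nonzero
```

With only a few rounds the output bit is linear in the IV, so every 2-dimensional cube sums to 0; a 30-dimensional cube at 721 rounds costs 2^30 evaluations per sum and needs a native implementation rather than this plain-Python loop.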