Degree Evaluation of NFSR-Based Cryptosystems

In this paper, we study the security of NFSR-based cryptosystems from the algebraic degree point of view. We first present a general framework of iterative estimation of algebraic degree for NFSR-based cryptosystems, by exploiting a new technique, called numeric mapping. Then based on this general framework we propose a concrete and efficient algorithm to find an upper bound on the algebraic degree for Trivium-like ciphers. Our algorithm has linear time complexity and needs a negligible amount of memory. As illustrations, we apply it to Trivium, Kreyvium and TriviA-SC, and reveal various upper bounds on the algebraic degree of these ciphers by setting different input variables. By this algorithm, we can make use of a cube with any size in cube testers, which is generally believed to be infeasible for an NFSR-based cryptosystem before. Due to the high efficiency of our algorithm, we can exhaust a large set of the cubes with large size. As such, we obtain the best known distinguishing attacks on reduced Trivium and TriviA-SC as well as the first cryptanalysis of Kreyvium. Our experiments on Trivium show that our algorithm is not only efficient in computation but also accurate in estimation of attacked rounds. The best cubes we have found for Kreyvium and TriviA-SC are both of size larger than 60. To the best of our knowledge, our tool is the first formalized and systematic one for finding an upper bound on the algebraic degree of an NFSR-based cryptosystem, and this is the first time that a cube of size beyond practical computations can be used in cryptanalysis of an NFSR-based cryptosystem. It is also potentially useful in the future applications to key recovery attacks and more cryptographic primitives.

[1]  Nicolas Courtois Fast Algebraic Attacks on Stream Ciphers with Linear Feedback , 2003, CRYPTO.

[2]  Josef Pieprzyk,et al.  Cryptanalysis of Block Ciphers with Overdefined Systems of Equations , 2002, ASIACRYPT.

[3]  Avik Chakraborti,et al.  TriviA: A Fast and Secure Authenticated Encryption Scheme , 2015, CHES.

[4]  Pierre-Alain Fouque,et al.  Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks , 2013, IACR Cryptol. ePrint Arch..

[5]  Dongdai Lin,et al.  Searching cubes for testing Boolean functions and its application to Trivium , 2015, 2015 IEEE International Symposium on Information Theory (ISIT).

[6]  Adi Shamir,et al.  Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations , 2000, EUROCRYPT.

[7]  Markku-Juhani O. Saarinen Chosen-IV Statistical Attacks on eStream Ciphers , 2006, SECRYPT.

[8]  Yosuke Todo,et al.  Cube Attacks on Non-Blackbox Polynomials Based on Division Property , 2018, IEEE Trans. Computers.

[9]  Adi Shamir,et al.  Cube Attacks on Tweakable Black Box Polynomials , 2009, IACR Cryptol. ePrint Arch..

[10]  David A. Wagner,et al.  Integral Cryptanalysis , 2002, FSE.

[11]  Anne Canteaut,et al.  Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression , 2016, FSE.

[12]  Martin Hell,et al.  Grain-128a: a new version of Grain-128 with optional authentication , 2011, Int. J. Wirel. Mob. Comput..

[13]  Willi Meier,et al.  Conditional Differential Cryptanalysis of Trivium and KATAN , 2011, Selected Areas in Cryptography.

[14]  Xuejia Lai Higher Order Derivatives and Differential Cryptanalysis , 1994 .

[15]  Willi Meier,et al.  Fast Algebraic Attacks on Stream Ciphers with Linear Feedback , 2003, CRYPTO.

[16]  Marian Srebrny,et al.  Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function , 2015, EUROCRYPT.

[17]  Willi Meier,et al.  Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium , 2009, FSE.

[18]  Christophe De Cannière,et al.  KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers , 2009, CHES.

[19]  Mahmoud Salmasizadeh,et al.  Superpoly algebraic normal form monomial test on Trivium , 2013, IET Inf. Secur..

[20]  Christophe De Cannière,et al.  Trivium: A Stream Cipher Construction Inspired by Block Cipher Design Principles , 2006, ISC.

[21]  Adi Shamir,et al.  An Experimentally Verified Attack on Full Grain-128 Using Dedicated Reconfigurable Hardware , 2011, IACR Cryptol. ePrint Arch..

[22]  Thomas Johansson,et al.  A Framework for Chosen IV Statistical Analysis of Stream Ciphers , 2007, INDOCRYPT.

[23]  Yosuke Todo,et al.  Bit-Based Division Property and Application to Simon Family , 2016, FSE.

[24]  Anne Canteaut,et al.  On the Influence of the Algebraic Degree of $F^{-1}$ on the Algebraic Degree of $G \circ F$ , 2013, IEEE Transactions on Information Theory.

[25]  Yosuke Todo,et al.  Structural Evaluation by Generalized Integral Property , 2015, EUROCRYPT.

[26]  Paul Stankovski,et al.  Greedy Distinguishers and Nonrandomness Detectors , 2010, INDOCRYPT.

[27]  Martin Hell,et al.  The Grain Family of Stream Ciphers , 2008, The eSTREAM Finalists.

[28]  Matthew J. B. Robshaw,et al.  New Stream Cipher Designs: The eSTREAM Finalists , 2008 .

[29]  Anne Canteaut,et al.  Degree of Composition of Highly Nonlinear Functions and Applications to Higher Order Differential Cryptanalysis , 2002, EUROCRYPT.

[30]  Adi Shamir,et al.  Breaking Grain-128 with Dynamic Cube Attacks , 2011, IACR Cryptol. ePrint Arch..

[31]  Caroline Fontaine Nonlinear Feedback Shift Register , 2011, Encyclopedia of Cryptography and Security.

[32]  Willi Meier,et al.  Quark: A Lightweight Hash , 2010, Journal of Cryptology.

[33]  Santanu Sarkar,et al.  Observing biases in the state: case studies with Trivium and Trivia-SC , 2017, Des. Codes Cryptogr..

[34]  Martin Hell,et al.  A Stream Cipher Proposal: Grain-128 , 2006, 2006 IEEE International Symposium on Information Theory.

[35]  Shahram Khazaei,et al.  Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers , 2008, AFRICACRYPT.

[36]  Bin Zhang,et al.  Linear Cryptanalysis of FASER128/256 and TriviA-ck , 2014, INDOCRYPT.

[37]  Lars R. Knudsen,et al.  Truncated and Higher Order Differentials , 1994, FSE.

[38]  Anne Canteaut,et al.  Higher-Order Differential Properties of Keccak and Luffa , 2011, FSE.

[39]  Willi Meier,et al.  Efficient FPGA Implementations of High-Dimensional Cube Testers on the Stream Cipher Grain-128 , 2009, IACR Cryptol. ePrint Arch..

[40]  Alex Biryukov,et al.  Two Trivial Attacks on Trivium , 2007, IACR Cryptol. ePrint Arch..

[41]  Toshinobu Kaneko,et al.  Higher Order Differential Attak of CAST Cipher , 1998, FSE.