MILP-Based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

The cube attack is a powerful cryptanalytic tool for the analysis of stream ciphers, which until recently were investigated in a blackbox scenario with minimal consideration of their internal and polynomial structures. In this paper, we analyze the lightweight stream cipher WG-5, which offers 80-bit security, using cube attacks in a non-blackbox polynomial setting that employs the division property. WG-5 is a lightweight instantiation of the eSTREAM submission Welch-Gong stream cipher, which provides mathematically proven randomness properties for its generated keystream. Our cube attack is automated using Mixed Integer Linear Programming models to theoretically bound the complexity of the superpoly recovery. The results of such an attack enable us to recover the secret key of WG-5 after 24 rounds of initialization utilizing \(2^{6.32}\) keystream bits in \(2^{76.81}\) time. Our attack on WG-5 has significantly lower data complexity than the algebraic attacks presented in the literature, albeit higher computational complexity; it therefore fits a more realistic scenario, where large amounts of data are hard to collect in lightweight constrained applications. Moreover, our attack is the first to investigate the nonlinear feedback-based initialization phase of WG-5. Hence, such results are considered the best cryptanalytic ones in the case where the cipher runs a nonlinear key generation phase. Finally, our results are interesting in the sense that they enable us to argue how the design choices of WG-5 hinder the extension of cube attacks to more rounds, in contrast to Grain 128a and Trivium, where such attacks can cover more than half of the number of initialization rounds.
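As an added illustration (not code from the paper or the WG-5 specification), the following Python models the two phases of a cube attack on a constructed toy keystream function: the offline superpoly recovery, which the paper instead bounds with MILP models and the division property, and the online phase that spends \(2^{|I|}\) keystream bits under the unknown key to obtain one linear equation in key bits. The polynomial, the cube index set and the bit sizes are assumptions chosen so the superpoly is small enough to check by hand.

```python
from itertools import product

# Constructed toy keystream function over GF(2) with 3 IV bits v and 3 key bits k
# (a stand-in for one WG-5 keystream bit, not the real cipher):
#   f = v0*v1*(k0 + k2) + v0*v1*v2*k1 + v0*k1*k2 + v2 + k0*k1 + 1
def toy_keystream_bit(v, k):
    return ((v[0] & v[1] & (k[0] ^ k[2])) ^ (v[0] & v[1] & v[2] & k[1])
            ^ (v[0] & k[1] & k[2]) ^ v[2] ^ (k[0] & k[1]) ^ 1)

def cube_sum(f, cube, n_iv, key):
    """Sum f over all 2^|cube| assignments of the cube IV bits (others fixed to 0).
    The cube sum equals the superpoly p_I(key): every monomial not divisible by
    the full cube term cancels because it is counted an even number of times."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * n_iv
        for idx, b in zip(cube, bits):
            v[idx] = b
        acc ^= f(v, key)
    return acc

def recover_superpoly(f, cube, n_iv, n_key):
    """Offline phase: the attacker controls the key, so the superpoly can be
    probed directly. Returns (constant, coefficient list) if the superpoly is
    linear in the key bits, or None if the linearity check fails."""
    p = lambda key: cube_sum(f, cube, n_iv, key)
    zero = [0] * n_key
    const = p(zero)
    coeffs = []
    for i in range(n_key):
        e_i = zero[:]
        e_i[i] = 1
        coeffs.append(p(e_i) ^ const)
    # Exhaustive linearity check (a sampled BLR test would be used at real sizes):
    # p(a ^ b) must equal p(a) ^ p(b) ^ p(0) for every pair of keys a, b.
    for a in product((0, 1), repeat=n_key):
        for b in product((0, 1), repeat=n_key):
            a_xor_b = [x ^ y for x, y in zip(a, b)]
            if p(a_xor_b) != p(list(a)) ^ p(list(b)) ^ const:
                return None
    return const, coeffs

def online_equation(f, cube, n_iv, secret_key):
    """Online phase: 2^|cube| keystream bits under the unknown key yield the
    value of the superpoly, i.e. one linear equation in the secret key bits."""
    return cube_sum(f, cube, n_iv, secret_key)
```

With cube I = {0, 1} the recovered superpoly is k0 + k2, so four keystream bits give the attacker one linear relation on the key; the smaller cube {0} yields the nonlinear superpoly k1*k2 and is rejected, which is the kind of choice the paper's MILP models make automatically.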
