Links between Division Property and Other Cube Attack Variants

A theoretically reliable key-recovery attack should evaluate not only the non-randomness for the correct key guess but also the randomness for the wrong ones as well. The former has always been the main focus but the absence of the latter can also cause self-contradicted results. In fact, the theoretic discussion of wrong key guesses is overlooked in quite some existing key-recovery attacks, especially the previous cube attack variants based on pure experiments. In this paper, we draw links between the division property and several variants of the cube attack. In addition to the zero-sum property, we further prove that the bias phenomenon, the non-randomness widely utilized in dynamic cube attacks and cube testers, can also be reflected by the division property. Based on such links, we are able to provide several results: Firstly, we give a dynamic cube key-recovery attack on full Grain-128. Compared with Dinur et al.’s original one, this attack is supported by a theoretical analysis of the bias based on a more elaborate assumption. Our attack can recover 3 key bits with a complexity 297.86 and evaluated success probability 99.83%. Thus, the overall complexity for recovering full 128 key bits is 2125. Secondly, now that the bias phenomenon can be efficiently and elaborately evaluated, we further derive new secure bounds for Grain-like primitives (namely Grain-128, Grain-128a, GrainV1, Plantlet) against both the zero-sum and bias cube testers. Our secure bounds indicate that 256 initialization rounds are not able to guarantee Grain-128 to resist bias-based cube testers. This is an efficient tool for newly designed stream ciphers for determining the number of initialization rounds. Thirdly, we improve Wang et al.’s relaxed term enumeration technique proposed in CRYPTO 2018 and extend their results on Kreyvium and ACORN by 1 and 13 rounds (reaching 892 and 763 rounds) with complexities 2121.19 and 2125.54 respectively. To our knowledge, our results are the current best key-recovery attacks on these two primitives.

[1]  Santanu Sarkar,et al.  Observing biases in the state: case studies with Trivium and Trivia-SC , 2017, Des. Codes Cryptogr..

[2]  Martin Hell,et al.  Grain-128a: a new version of Grain-128 with optional authentication , 2011, Int. J. Wirel. Mob. Comput..

[3]  Martin Hell,et al.  A Stream Cipher Proposal: Grain-128 , 2006, 2006 IEEE International Symposium on Information Theory.

[4]  Shahram Khazaei,et al.  Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers , 2008, AFRICACRYPT.

[5]  Willi Meier,et al.  Efficient FPGA Implementations of High-Dimensional Cube Testers on the Stream Cipher Grain-128 , 2009, IACR Cryptol. ePrint Arch..

[6]  Kai Zhang,et al.  A Practical Method to Recover Exact Superpoly in Cube Attack , 2019, IACR Cryptol. ePrint Arch..

[7]  Lei Hu,et al.  Towards Finding the Best Characteristics of Some Bit-oriented Block Ciphers and Automatic Enumeration of ( Related-key ) Differential and Linear Characteristics with Predefined Properties , 2015 .

[8]  Yu Sasaki,et al.  New Impossible Differential Search Tool from Design and Cryptanalysis Aspects - Revealing Structural Properties of Several Ciphers , 2017, EUROCRYPT.

[9]  Willi Meier,et al.  A Key-recovery Attack on 855-round Trivium , 2018, IACR Cryptol. ePrint Arch..

[10]  Ling Qin,et al.  Cube-like Attack on Round-Reduced Initialization of Ketje Sr , 2017, IACR Trans. Symmetric Cryptol..

[11]  Adi Shamir,et al.  Cube Attacks on Tweakable Black Box Polynomials , 2009, IACR Cryptol. ePrint Arch..

[12]  Keting Jia,et al.  New Automatic Search Tool for Impossible Differentials and Zero-Correlation Linear Approximations , 2016, IACR Cryptol. ePrint Arch..

[13]  Tian Tian,et al.  Revisit Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? , 2019, IACR Cryptol. ePrint Arch..

[14]  Anne Canteaut,et al.  Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression , 2016, Journal of Cryptology.

[15]  Qingju Wang,et al.  Zero-Sum Partitions of PHOTON Permutations , 2018, IACR Cryptol. ePrint Arch..

[16]  Frederik Armknecht,et al.  On Ciphers that Continuously Access the Non-Volatile Key , 2017, IACR Trans. Symmetric Cryptol..

[17]  Xiaoyun Wang,et al.  Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method , 2017, ASIACRYPT.

[18]  Yosuke Todo,et al.  Improved Integral Attack on HIGHT , 2017, ACISP.

[19]  Thomas Johansson,et al.  A Framework for Chosen IV Statistical Analysis of Stream Ciphers , 2007, INDOCRYPT.

[20]  Pierre-Alain Fouque,et al.  Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks , 2013, IACR Cryptol. ePrint Arch..

[21]  Yosuke Todo Integral Cryptanalysis on Full MISTY1 , 2015, CRYPTO.

[22]  Leonie Ruth Simpson,et al.  Investigating Cube Attacks on the Authenticated Encryption Stream Cipher ACORN , 2016, ATIS.

[23]  Markku-Juhani O. Saarinen Chosen-IV Statistical Attacks on eStream Ciphers , 2006, SECRYPT.

[24]  Meicheng Liu,et al.  Degree Evaluation of NFSR-Based Cryptosystems , 2017, CRYPTO.

[25]  Meiqin Wang,et al.  Conditional Cube Attack on Reduced-Round Keccak Sponge Function , 2017, EUROCRYPT.

[26]  Kai Zhang,et al.  MILP Method of Searching Integral Distinguishers Based on Division Property Using Three Subsets , 2018, IACR Cryptol. ePrint Arch..

[27]  Xiaoyun Wang,et al.  Conditional Cube Attack on Round-Reduced ASCON , 2017, IACR Trans. Symmetric Cryptol..

[28]  Martin Hell,et al.  Grain: a stream cipher for constrained environments , 2007, Int. J. Wirel. Mob. Comput..

[29]  Dongdai Lin,et al.  Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers , 2016, ASIACRYPT.

[30]  Dongdai Lin,et al.  Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery , 2018, IACR Cryptol. ePrint Arch..

[31]  Yosuke Todo,et al.  Cube Attacks on Non-Blackbox Polynomials Based on Division Property , 2018, IEEE Transactions on Computers.

[32]  Yosuke Todo,et al.  Observations on the Dynamic Cube Attack of 855-Round TRIVIUM from Crypto'18 , 2018, IACR Cryptol. ePrint Arch..

[33]  Willi Meier,et al.  Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium , 2009, FSE.

[34]  Yosuke Todo,et al.  Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly , 2018, IEEE Transactions on Computers.

[35]  Willi Meier,et al.  A Refinement of "A Key-recovery Attack on 855-round Trivium" From CRYPTO 2018 , 2018, IACR Cryptol. ePrint Arch..

[36]  María Naya-Plasencia,et al.  Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems , 2010, ASIACRYPT.

[37]  Adi Shamir,et al.  An Experimentally Verified Attack on Full Grain-128 Using Dedicated Reconfigurable Hardware , 2011, IACR Cryptol. ePrint Arch..

[38]  Kai Hu,et al.  Automatic Search for A Variant of Division Property Using Three Subsets (Full Version) , 2019, IACR Cryptol. ePrint Arch..

[39]  Yosuke Todo,et al.  Structural Evaluation by Generalized Integral Property , 2015, EUROCRYPT.

[40]  Adi Shamir,et al.  Breaking Grain-128 with Dynamic Cube Attacks , 2011, IACR Cryptol. ePrint Arch..

[41]  Lei Hu,et al.  Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers , 2014, ASIACRYPT.

[42]  Dawu Gu,et al.  Differential and Linear Cryptanalysis Using Mixed-Integer Linear Programming , 2011, Inscrypt.

[43]  Wei Wang,et al.  Automatic Search of Bit-Based Division Property for ARX Ciphers and Word-Based Division Property , 2017, ASIACRYPT.

[44]  Yosuke Todo,et al.  Bit-Based Division Property and Application to Simon Family , 2016, FSE.

[45]  Dongdai Lin,et al.  Searching cubes for testing Boolean functions and its application to Trivium , 2015, 2015 IEEE International Symposium on Information Theory (ISIT).

[46]  Marian Srebrny,et al.  Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function , 2015, EUROCRYPT.

[47]  Michael Vielhaber Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack , 2007, IACR Cryptol. ePrint Arch..

[48]  Wei Wang,et al.  MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers , 2016, IACR Cryptol. ePrint Arch..