Applying cube attacks to stream ciphers in realistic scenarios

Cube attacks were introduced in Dinur and Shamir (2009) as a cryptanalytic technique that requires only black-box access to the underlying cryptosystem. The attack exploits the existence of a low-degree polynomial representation of a single output bit (as a function of the key and plaintext bits) in order to recover the secret key. Although cube attacks can be applied in principle to almost any cryptosystem, most block ciphers iteratively apply a highly non-linear round function (based on S-boxes or arithmetic operations) a large number of times, which makes them resistant to cube attacks. On the other hand, many stream ciphers (such as Trivium (De Cannière and Preneel 2008)) are built from linear or low-degree components and are natural targets for cube attacks. In this paper, we describe in detail how to apply cube attacks to stream ciphers in various settings, with different assumptions on the target stream cipher and on the data available to the attacker.
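The mechanism the abstract describes, as an added worked example that is not part of the paper: a constructed degree-3 output polynomial over GF(2) stands in for the black box, cube summation over chosen public bits isolates each cube's superpoly, an exhaustive linearity test (feasible only because the toy key has three bits) separates usable cubes from nonlinear ones, and the offline/online phases recover the key from the resulting linear equations. The cipher, cube indices and secret key are all constructed values.

```python
import itertools

N_PUB, N_KEY = 3, 3  # constructed toy sizes: 3 public (IV) bits, 3 key bits

def toy_cipher(pub, key):
    """Constructed toy 'output bit': a degree-3 polynomial over GF(2) in public bits x and key bits k."""
    x1, x2, x3 = pub
    k1, k2, k3 = key
    return ((x1 & x2 & k1) ^ (x1 & x2 & k2) ^ (x1 & x3 & k3) ^ (x2 & k1)
            ^ (x1 & k1 & k2) ^ (x2 & x3) ^ k1 ^ x3)

def cube_sum(f, cube, key):
    """XOR f over all 2^|cube| assignments of the cube's public bits (others fixed to 0).
    By the cube-attack identity this evaluates the superpoly p_C(key) of the monomial x_C."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        pub = [0] * N_PUB
        for idx, b in zip(cube, bits):
            pub[idx] = b
        total ^= f(pub, key)
    return total

def superpoly_is_linear(f, cube):
    """Exhaustive BLR-style test over the toy key space: p(a) ^ p(b) ^ p(0) == p(a ^ b) for all a, b."""
    keys = list(itertools.product((0, 1), repeat=N_KEY))
    p = {k: cube_sum(f, cube, k) for k in keys}
    zero = (0,) * N_KEY
    return all(p[a] ^ p[b] ^ p[zero] == p[tuple(x ^ y for x, y in zip(a, b))]
               for a in keys for b in keys)

def linear_superpoly(f, cube):
    """Preprocessing phase (attacker chooses keys): recover c0 and c_i with p_C(k) = c0 + sum c_i k_i."""
    c0 = cube_sum(f, cube, (0,) * N_KEY)
    unit = lambda i: tuple(1 if j == i else 0 for j in range(N_KEY))
    return c0, [cube_sum(f, cube, unit(i)) ^ c0 for i in range(N_KEY)]

def recover_key(f, cubes, secret_key):
    """Online phase: each cube sum under the unknown key gives one linear equation; keep every key
    satisfying all of them (brute force over the 8 toy keys stands in for Gaussian elimination)."""
    eqs = [(linear_superpoly(f, c), cube_sum(f, c, secret_key)) for c in cubes]
    return [k for k in itertools.product((0, 1), repeat=N_KEY)
            if all((c0 + sum(ci & ki for ci, ki in zip(coeffs, k))) % 2 == rhs
                   for (c0, coeffs), rhs in eqs)]

if __name__ == "__main__":
    good = [c for c in [(0,), (1,), (0, 1), (0, 2), (1, 2)] if superpoly_is_linear(toy_cipher, c)]
    print("cubes with linear superpolys:", good)
    print("recovered key candidates:", recover_key(toy_cipher, [(1,), (0, 1), (0, 2)], (1, 0, 1)))
```

Cube {x1} yields the superpoly k1*k2 and fails the test, while {x2,x3} passes but gives the constant 1, so only {x2}, {x1,x2} and {x1,x3} contribute key equations (k1, k1+k2, k3).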

[1] Xuejia Lai. Higher Order Derivatives and Differential Cryptanalysis, 1994.

[2] Adi Shamir et al. Generic Analysis of Small Cryptographic Leaks, 2010, 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[3] Irving S. Reed et al. A class of multiple-error-correcting codes and the decoding scheme, 1954, Trans. IRE Prof. Group Inf. Theory.

[4] J. Pachares. A table of bias levels useful in radar detection problems, 1958, IRE Trans. Inf. Theory.

[5] Michael Vielhaber. Breaking ONE.FIVIUM by AIDA, an Algebraic IV Differential Attack, 2007, IACR Cryptol. ePrint Arch.

[6] Dana Ron et al. Testing Monotonicity, 2000, Comb.

[7] Adi Shamir et al. Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations, 2000, EUROCRYPT.

[8] Simon Litsyn et al. Breaking the Epsilon-Soundness Bound of the Linearity Test over GF(2), 2008, SIAM J. Comput.

[9] Jean-Charles Faugère et al. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5), 2002, ISSAC '02.

[10] Daniel A. Spielman et al. Efficient erasure correcting codes, 2001, IEEE Trans. Inf. Theory.

[11] Philippe Gaborit et al. Efficient erasure list-decoding of Reed-Muller codes, 2006, 2006 IEEE International Symposium on Information Theory.

[12] Adi Shamir et al. Cube Attacks on Tweakable Black Box Polynomials, 2009, IACR Cryptol. ePrint Arch.

[13] Manuel Blum et al. Self-testing/correcting with applications to numerical problems, 1990, STOC '90.

[14] Willi Meier et al. Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium, 2009, FSE.