Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced-round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect nonrandomness over 885 rounds in 2^27, improving on the original 767-round cube attack.
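The two techniques the abstract names, a cube attack that extracts key bits and a cube tester that only detects nonrandom structure, can be seen end to end on a toy target. The following is an added example written for this page, not code from the paper or from the MD6 or Trivium authors. The black-box polynomial `toy_f` (3 secret key bits, 5 public IV bits), the choice of cubes, the secret key and the `nonlinear_f` variant are all constructed for illustration; everything else is the generic cube-attack procedure: sum the output over all assignments of a chosen cube of public bits (other public bits fixed to 0) to obtain the superpoly, check with a BLR linearity test that the cube is a maxterm, recover the superpoly's linear coefficients offline with chosen keys, then query the unknown-key box once per maxterm and solve the resulting linear system over GF(2). The cube tester reuses the same linearity check as a distinguisher.

```python
"""Toy cube attack and cube tester over GF(2). Constructed example for this
page; toy_f is a hypothetical black-box polynomial, not MD6 or Trivium."""
import itertools
import random

N_PUB, N_KEY = 5, 3   # public (IV) bits and secret key bits of the toy target


def toy_f(x, k):
    """Hypothetical output bit. Monomials of degree 2 in the public bits carry
    superpolys that are linear in the key; the x0*x1*x2 term is killed by
    fixing the non-cube bit x2 to 0 during summation."""
    return ((x[0] & x[1] & (k[0] ^ k[2] ^ 1))
            ^ (x[2] & x[3] & (k[0] ^ k[1]))
            ^ (x[1] & x[4] & k[2])
            ^ (x[0] & x[1] & x[2] & k[0] & k[1])
            ^ (k[0] & k[1] & k[2]) ^ (x[3] & k[1]) ^ x[0])


def nonlinear_f(x, k):
    """Hypothetical variant whose (0,1)-superpoly is k0^k2^1 ^ k0*k1: not linear."""
    return toy_f(x, k) ^ (x[0] & x[1] & k[0] & k[1])


def cube_sum(f, cube, key):
    """Sum f over all 2^|cube| assignments of the cube variables, remaining
    public bits fixed to 0. Monomials missing a cube variable cancel mod 2,
    so the result is the superpoly p_I(key) of the cube's monomial t_I."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        x = [0] * N_PUB
        for i, b in zip(cube, bits):
            x[i] = b
        acc ^= f(x, key)
    return acc


def is_linear_superpoly(f, cube, trials=64, seed=1):
    """BLR linearity test on the superpoly: p(a) ^ p(b) ^ p(0) == p(a ^ b).
    Passing all trials means the cube is (with high probability) a maxterm."""
    rng = random.Random(seed)
    p0 = cube_sum(f, cube, [0] * N_KEY)
    for _ in range(trials):
        a = [rng.randrange(2) for _ in range(N_KEY)]
        b = [rng.randrange(2) for _ in range(N_KEY)]
        ab = [u ^ v for u, v in zip(a, b)]
        if cube_sum(f, cube, a) ^ cube_sum(f, cube, b) ^ p0 != cube_sum(f, cube, ab):
            return False
    return True


def linear_coeffs(f, cube):
    """Offline phase (attacker chooses keys): superpoly = c0 ^ sum_i c_i*k_i,
    so c0 = p(0) and c_i = p(e_i) ^ p(0) for unit vectors e_i."""
    c0 = cube_sum(f, cube, [0] * N_KEY)
    cs = []
    for i in range(N_KEY):
        e = [0] * N_KEY
        e[i] = 1
        cs.append(cube_sum(f, cube, e) ^ c0)
    return c0, cs


def solve_gf2(rows):
    """Gauss-Jordan elimination over GF(2). rows: (coefficients, rhs).
    Returns the unique key, or None if the system is not full rank."""
    rows = [(list(c), r) for c, r in rows]
    pivots = []
    for col in range(N_KEY):
        piv = next((i for i in range(len(pivots), len(rows)) if rows[i][0][col]), None)
        if piv is None:
            continue
        r = len(pivots)
        rows[r], rows[piv] = rows[piv], rows[r]
        pr = rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][0][col]:
                rows[i] = ([u ^ v for u, v in zip(rows[i][0], pr[0])], rows[i][1] ^ pr[1])
        pivots.append(col)
    if len(pivots) < N_KEY:
        return None
    key = [0] * N_KEY
    for r, col in enumerate(pivots):
        key[col] = rows[r][1]
    return key


def cube_attack(f, secret_key, cubes):
    """Keep cubes that are maxterms, derive their linear superpolys offline,
    then make one online cube query per maxterm against the unknown key."""
    system = []
    for cube in cubes:
        if not is_linear_superpoly(f, cube):
            continue
        c0, cs = linear_coeffs(f, cube)
        rhs = cube_sum(f, cube, secret_key) ^ c0   # the only unknown-key queries
        system.append((cs, rhs))
    return solve_gf2(system)


def cube_tester(f, cube, trials=64):
    """Distinguisher: for a random polynomial of this degree the superpoly
    would almost surely fail the linearity test, so passing flags structure."""
    return is_linear_superpoly(f, cube, trials)


if __name__ == "__main__":
    secret = [1, 0, 1]                                   # unknown to the attacker
    print(cube_attack(toy_f, secret, [(0, 1), (2, 3), (1, 4)]))
    print(cube_tester(toy_f, (0, 1)), cube_tester(nonlinear_f, (0, 1)))
```

The attack needs as many linearly independent maxterms as there are key bits (three here); on a real primitive the offline search for maxterms dominates, and the reported complexities in the abstract count the online cube queries. The tester side shows the distinction the abstract draws: `nonlinear_f` defeats key recovery through this cube, yet the same summation still tells a structured polynomial apart from a random one, which is what cube testers exploit on round-reduced MD6 and Trivium.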
