36 research outputs found

    Links between Division Property and Other Cube Attack Variants

    A theoretically reliable key-recovery attack should evaluate not only the non-randomness for the correct key guess but also the randomness for the wrong ones as well. The former has always been the main focus but the absence of the latter can also cause self-contradicted results. In fact, the theoretic discussion of wrong key guesses is overlooked in quite some existing key-recovery attacks, especially the previous cube attack variants based on pure experiments. In this paper, we draw links between the division property and several variants of the cube attack. In addition to the zero-sum property, we further prove that the bias phenomenon, the non-randomness widely utilized in dynamic cube attacks and cube testers, can also be reflected by the division property. Based on such links, we are able to provide several results: Firstly, we give a dynamic cube key-recovery attack on full Grain-128. Compared with Dinur et al.’s original one, this attack is supported by a theoretical analysis of the bias based on a more elaborate assumption. Our attack can recover 3 key bits with a complexity $2^{97.86}$ and evaluated success probability 99.83%. Thus, the overall complexity for recovering full 128 key bits is $2^{125}$. Secondly, now that the bias phenomenon can be efficiently and elaborately evaluated, we further derive new secure bounds for Grain-like primitives (namely Grain-128, Grain-128a, Grain-V1, Plantlet) against both the zero-sum and bias cube testers. Our secure bounds indicate that 256 initialization rounds are not able to guarantee Grain-128 to resist bias-based cube testers. This is an efficient tool for newly designed stream ciphers for determining the number of initialization rounds. Thirdly, we improve Wang et al.’s relaxed term enumeration technique proposed in CRYPTO 2018 and extend their results on Kreyvium and ACORN by 1 and 13 rounds (reaching 892 and 763 rounds) with complexities $2^{121.19}$ and $2^{125.54}$ respectively. To our knowledge, our results are the current best key-recovery attacks on these two primitives

    Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

    The cube attack is a powerful cryptanalytic technique and is especially powerful against stream ciphers. Since we need to analyze the complicated structure of a stream cipher in the cube attack, the cube attack basically analyzes it by regarding it as a blackbox. Therefore, the cube attack is an experimental attack, and we cannot evaluate the security when the size of cube exceeds an experimental range, e.g., 40. In this paper, we propose cube attacks on non-blackbox polynomials. Our attacks are developed by using the division property, which is recently applied to various block ciphers. The clear advantage is that we can exploit large cube sizes because it never regards the cipher as a blackbox. We apply the new cube attack to Trivium, Grain128a, ACORN and Kreyvium. As a result, the secret keys of 832-round Trivium, 183-round Grain128a, 704-round ACORN and 872-round Kreyvium are recovered. These attacks are the current best key-recovery attack against these ciphers

    Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

    The cube attack is an important technique for the cryptanalysis of symmetric key primitives, especially for stream ciphers. Aiming at recovering some secret key bits, the adversary reconstructs a superpoly with the secret key bits involved, by summing over a set of the plaintexts/IV which is called a cube. Traditional cube attack only exploits linear/quadratic superpolies. Moreover, for a long time after its proposal, the size of the cubes has been largely confined to an experimental range, e.g., typically 40. These limits were first overcome by the division property based cube attacks proposed by Todo et al. at CRYPTO 2017. Based on MILP modelled division property, for a cube (index set) $I$, they identify the small (index) subset $J$ of the secret key bits involved in the resultant superpoly. During the precomputation phase which dominates the complexity of the cube attacks, $2^{|I|+|J|}$ encryptions are required to recover the superpoly. Therefore, their attacks can only be available when the restriction $|I|+|J|<n$ is met. In this paper, we introduced several techniques to improve the division property based cube attacks by exploiting various algebraic properties of the superpoly. 1. We propose the "flag" technique to enhance the preciseness of MILP models so that the proper non-cube IV assignments can be identified to obtain a non-constant superpoly. 2. A degree evaluation algorithm is presented to upper bound the degree of the superpoly. With the knowledge of its degree, the superpoly can be recovered without constructing its whole truth table. This enables us to explore larger cubes $I$'s even if $|I|+|J|\geq n$. 3. We provide a term enumeration algorithm for finding the monomials of the superpoly, so that the complexity of many attacks can be further reduced. As an illustration, we apply our techniques to attack the initialization of several ciphers. To be specific, our key recovery attacks have mounted to 839-round TRIVIUM, 891-round Kreyvium, 184-round Grain-128a and 750-round ACORN respectively

    Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly

    The cube attack is an important technique for the cryptanalysis of symmetric key primitives, especially for stream ciphers. Aiming at recovering some secret key bits, the adversary reconstructs a superpoly with the secret key bits involved, by summing over a set of the plaintexts/IV which is called a cube. Traditional cube attack only exploits linear/quadratic superpolies. Moreover, for a long time after its proposal, the size of the cubes has been largely confined to an experimental range, e.g., typically 40. These limits were first overcome by the division property based cube attacks proposed by Todo et al. at CRYPTO 2017. Based on MILP modelled division property, for a cube (index set) $I$, they identify the small (index) subset $J$ of the secret key bits involved in the resultant superpoly. During the precomputation phase which dominates the complexity of the cube attacks, $2^{|I|+|J|}$ encryptions are required to recover the superpoly. Therefore, their attacks can only be available when the restriction $|I|+|J|<n$ is met. In this paper, we introduced several techniques to improve the division property based cube attacks by exploiting various algebraic properties of the superpoly. 1. We propose the "flag" technique to enhance the preciseness of MILP models so that the proper non-cube IV assignments can be identified to obtain a non-constant superpoly. 2. A degree evaluation algorithm is presented to upper bound the degree of the superpoly. With the knowledge of its degree, the superpoly can be recovered without constructing its whole truth table. This enables us to explore larger cubes $I$'s even if $|I|+|J|\geq n$. 3. We provide a term enumeration algorithm for finding the monomials of the superpoly, so that the complexity of many attacks can be further reduced. As an illustration, we apply our techniques to attack the initialization of several ciphers. To be specific, our key recovery attacks have mounted to 839-round TRIVIUM, 891-round Kreyvium, 184-round Grain-128a and 750-round ACORN respectively

    Key Filtering in Cube Attacks from the Implementation Aspect

    In cube attacks, key filtering is a basic step of identifying the correct key candidates by referring to the truth tables of superpolies. When terms of superpolies get massive, the truth table lookup complexity of key filtering increases significantly. In this paper, we propose the concept of implementation dependency dividing all cube attacks into two categories: implementation dependent and implementation independent. The implementation dependent cube attacks can only be feasible when the assumption that one encryption oracle query is more complicated than one table lookup holds. On the contrary, implementation independent cube attacks remain feasible in the extreme case where encryption oracles are implemented in the full codebook manner making one encryption query equivalent to one table lookup. From this point of view, we scrutinize existing cube attack results of stream ciphers Trivium, Grain-128AEAD, Acorn and Kreyvium. As a result, many of them turn out to be implementation dependent. Combining with the degree evaluation and divide-and-conquer techniques used for superpoly recovery, we further propose new cube attack results on Kreyvium reduced to 898, 899 and 900 rounds. Such new results not only mount to the maximal number of rounds so far but also are implementation independent

    Fault Attack on ACORN v3

    Fault attack is one of the most efficient side channel attacks and has attracted much attention in recent public cryptographic literature. In this work we introduce a fault attack on the authenticated cipher ACORN v3. Our attack is done under the assumption that a fault is injected into an initial state of ACORN v3 randomly, and contains two main steps: fault locating and equation solving. At the first step, we introduce concepts of unique set and non-unique set, where differential strings belonging to unique sets can determine the fault location uniquely. For strings belonging to non-unique sets, we use some strategies to increase the probability of determining the fault location uniquely to almost 1. At the second step, we demonstrate several ways of retrieving equations, and then obtain the initial state by solving equations with the guess-and-determine method. With $n$ fault experiments, we can recover the initial state with time complexity $c \cdot 2^{146.5-3.52\cdot n}$, where $c$ is the time complexity of solving linear equations and $26<n<43$. We also apply the attack to ACORN v2, which shows that, compared with ACORN v2, the tweaked version ACORN v3 is more vulnerable against the fault attack

    Design and Cryptanalysis of Lightweight Symmetric Key Primitives

    The need for lightweight cryptographic primitives to replace the traditional standardized primitives such as AES, SHA-2 and SHA-3, which are unrealistic in constrained environments, has been anticipated by the cryptographic community for over a decade and a half. Such an anticipation came to reality by the apparent proliferation of Radio Frequency Identifiers (RFIDs), Internet of Things (IoT), smart devices and sensor networks in our daily lives. All these devices operate in constrained environments and require reasonable efficiency with low implementation costs and sufficient security. Accordingly, designing lightweight symmetric key cryptographic primitives and analyzing the state-of-the-art algorithms is an active area of research for both academia and industry, which is directly followed by the ongoing National Institute of Standards and Technology’s lightweight cryptography (NIST LWC) standardization project. In this thesis, we focus on the design and security analysis of such primitives. First, we present the design of four lightweight cryptographic permutations, namely sLiSCP, sLiSCP-light, ACE and WAGE. At a high level, these permutations adopt a Nonlinear Feedback Shift Register (NLFSR) based design paradigm. sLiSCP, sLiSCP-light and ACE use reduced-round Simeck block cipher, while WAGE employs Welch-Gong (WG) permutation and two 7-bit sboxes over the finite field $F_{2^7}$ as their underlying nonlinear components. We discuss their design rationale and analyze the security with respect to differential and linear, integral and symmetry based distinguishers using automated tools such as Mixed Integer Linear Programming (MILP) and SAT/SMT solvers. Second, we show the applications of these permutations to achieve Authenticated Encryption with Associated Data (AEAD), Message Authentication Code (MAC), Pseudorandom Bit Generator (PRBG) and Hash functionalities. We introduce the idea of the unified round function, which, when combined in a sponge mode, can provide all the aforementioned functionalities with the same circuitry. We give concrete instantiations of several AEAD and hash schemes with varying security levels, e.g., 80, 96, 112 and 128 bits. Next, we present Spoc, a new AEAD mode of operation which offers higher security guarantees compared to traditional sponge-based AEAD schemes with smaller states. We instantiate Spoc with sLiSCP-light permutation and propose another two lightweight AEAD algorithms. Notably, 4 of our proposed schemes, namely ACE, Spix, Spoc and WAGE are round 2 candidates of NIST’s LWC project. Finally, we present cryptanalytic results on some lightweight ciphers. We first analyze the nonlinear initialization phase of WG-5 stream cipher using the division property based cube attack, and give a key recovery attack on 24 (out of 64) rounds with data and time complexities $2^{6.32}$ and $2^{76.81}$, respectively. Next, we propose a novel property of block ciphers called correlated sequences and show its applications to meet-in-the-middle attack. Consequently, we give the best key recovery attacks (up to 27 out of 32 rounds in a single key setting) on Simon and Simeck ciphers with block and key sizes 32 and 64 bits, respectively. The attack requires 3 known plaintext-ciphertext pairs and has a time complexity close to average exhaustive search. It is worth noting that variants of WG-5 and Simeck are the core components of aforementioned AEAD and hash schemes. Lastly, we present practical forgery attacks on Limdolen and HERN which are round 1 candidates of NIST LWC project. We show the existence of structural weaknesses which could be exploited to forge any message with success probability of 1. For Limdolen, we require the output of a single encryption query while for HERN we need at most 4 encryption queries for a valid forgery. Following our attack, both designs are eliminated from the second round

    Ten years of cube attacks

    In 2009, Dinur and Shamir proposed the cube attack, an algebraic cryptanalysis technique that only requires black box access to a target cipher. Since then, this attack has received both many criticisms and endorsements from the crypto community; this work aims at revising and collecting the many attacks that have been proposed starting from it. We categorise all of these attacks in five classes; for each class, we provide a brief summary description along with the state-of-the-art references and the most recent cryptanalysis results. Furthermore, we extend and refine the new notation we proposed in 2021 and we use it to provide a consistent definition for each attack family. Finally, in the appendix, we provide an in-depth description of the kite attack framework, a cipher independent tool we first proposed in 2018 that implements the kite attack on GPUs. To prove its effectiveness, we use Mickey2.0 as a use case, showing how to embed it in the framework

    Observations on the Dynamic Cube Attack of 855-Round TRIVIUM from Crypto'18

    Recently, another kind of dynamic cube attack is proposed by Fu et al. With some key guesses and a transformation in the output bit, they claim that, when the key guesses are correct, the degree of the transformed output bit can drop so significantly that the cubes of lower dimension can not exist, making the output bit vulnerable to the zero-sum cube tester using slightly higher dimensional cubes. They applied their method to 855-round TRIVIUM. In order to verify the correctness of their result, they even proposed a practical attack on 721-round TRIVIUM claiming that the transformed output bit after 721 rounds of initialization does not contain cubes of dimensions 31 and below. However, the degree evaluation algorithm used by Fu et al. is innovative and complicated, and its complexity is not given. Their algorithm can only be implemented on huge clusters and cannot be verified by existing theoretic tools. In this paper, we theoretically analyze the dynamic cube attack method given by Fu et al. using the division property and MILP modeling technique. Firstly, we draw links between the division property and Fu et al.'s dynamic cube attack so that their method can be described as a theoretically well founded and computationally economic MILP-aided division-property-based cube attack. With the MILP model drawn according to the division property, we analyzed the 721-round TRIVIUM in detail and find some interesting results: 1. The degree evaluation using our MILP method is more accurate than that of Fu et al.'s. Fu et al. prove that the degree of pure $z_{721}$ is 40 while our method gives 29. We practically proved the correctness of our method by trying thousands of random keys, random 30-dimensional cubes and random assignments to non-cube IVs, finding that the summations are constantly 0. 2. For the transformed output bit $(1+s^{1}_{290})\cdot z_{721}$, we proved the same degree 31 as Fu et al., and we also find that 32-dimensional cubes have the zero-sum property for correct key guesses. But since the degree of pure $z_{721}$ is only 29, the 721-round practical attack on TRIVIUM is violating the principle of Fu et al.'s work: after the transformation in the output bit, when the key guesses are correct, the degree of the transformed output bit has not dropped but risen. 3. Now that the degree-theoretic foundation of the 721-round attack has been violated, we also find out that the key-recovery attack cannot be carried out either. We theoretically proved and practically verified that, no matter whether the key guesses are correct or incorrect, the summations over 32-dimensional cubes are always 0. So, no key bit can be recovered at all. All these analyses on 721-round TRIVIUM can be verified practically and we open our C++ source code for implementation as well. Secondly, we revisit their 855-round result. Our MILP model reveals that the 855-round result suffers from the same problems as its 721-round counterpart. We provide theoretic evidence that, after their transformation, the degree of the output bit is more likely to rise rather than drop. Furthermore, since Fu et al.'s degree evaluation is written in an unclear manner and no complexity analysis is given, we rewrite the algorithm according to their main ideas and supplement a detailed complexity analysis. Our analysis indicates that a precise evaluation of the degree requires complexities far beyond practical reach. We also demonstrate that further abbreviation to our rewritten algorithm can result in wrong evaluation. This might be the reason why Fu et al. give such a degree evaluation. This is also an additional argument against Fu et al.'s dynamic cube attack method. Thirdly, the selection of Fu et al.'s cube dimension is also questionable. According to our experiments and existing theoretic results, there is high risk that the correct key guesses and wrong ones share the same zero-sum property using Fu et al.'s cube testers. As a remedy, we suggest that concrete cubes satisfying particular conditions should be identified rather than relying on the IV-degree drop hypothesis. To conclude, Fu et al.'s dynamic cube attack on 855-round TRIVIUM is questionable. 855-round as well as 840-and-up-round TRIVIUM should still be open for further convincing cryptanalysis

    Fault Attack on the Authenticated Cipher ACORN v2

    Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted a lot of attention in recent public cryptographic literature. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is done under the assumption of random fault injection into an initial state of ACORN v2 and contains two main steps: fault locating and equation solving. At the first step, we first present a fundamental fault locating method, which uses 99-bit output keystream to determine the fault injected location with probability 97.08%. And then several improvements are provided, which can further increase the probability of fault locating to almost 1. As for the system of equations retrieved at the first step, we give two solving methods at the second step, that is, linearization and guess-and-determine. The time complexity of our attack is not larger than $c \cdot 2^{179.19-1.76N}$ at worst, where $N$ is the number of fault injections such that $31 \le N \le 88$ and $c$ is the time complexity of solving linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers