MILP-Based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Abstract

The cube attack is a powerful cryptanalytic tool for the analysis of stream ciphers, which until recently were investigated in a blackbox scenario with a minimal consideration to their internal and polynomial structures. In this paper, we analyze the lightweight stream cipher WG-5, which offers 80-bit security, using cube attacks in a non-blackbox polynomial setting employing the division property. WG-5 is a lightweight instantiation of the eSTREAM submission Welch-Gong stream cipher which provides mathematically proven random properties for its generated keystream. Our cube attack is automated using Mixed Integer Linear Programming models to theoretically bound the complexity of the superpoly recovery. The results of such an attack enable us to recover the secret key of WG-5 after 24 rounds of initialization utilizing \(2^{6.32}\) keystream bits in \(2^{76.81}\) time. Our attack on WG-5 has significantly lower data complexity than the algebraic attacks presented in the literature, albeit higher in computational complexity, it fits a more realistic scenario where large amount of data is hard to collect in lightweight constrained applications. Moreover, our attack is the first one to investigate the nonlinear feedback-based initialization phase of WG-5. Hence, such results are considered the best cryptanalytic ones in the case that the cipher runs a nonlinear key generation phase. Finally, our results are interesting in the sense that they enable us to argue how the design choices of WG-5 hinder the extension of cube attacks to more rounds in contrast to Grain 128a and Trivium, where such attacks can cover more than half of the number of initialization rounds.

Appendices

A MILP Models for WG-5 Components

B A Generic Algorithm for the Evaluation of the Involved Secret Variables in a Superpoly [25]

C Description of Grain128a and Trivium

Grain128a is a NLFSR based stream cipher of Grain family with two 128-bit states represented by \((b_0, b_1, \ldots , b_{127})\) and \((s_0, s_1, \ldots , s_{127})\). The state is loaded with 128-bit key and 96-bit IV as follows \((b_0, b_1, \ldots , b_{127}) = (k_0, k_1, \ldots , k_{127})\) and \((s_0, s_1, \ldots , s_{127}) = (iv_0, iv_1, \ldots , iv_{95}, 1,\ldots , 1, 0)\). The initialization phase runs for 256 rounds with the state update function given by

$$\begin{aligned} \begin{aligned}&g \leftarrow {} b_0 + b_{26} + b_{56} + b_{91} + b_{96} + b_3b_{67} + b_{11}b_{13} \\&\quad + b_{17}b_{18} + b_{27}b_{59} + b_{40}b_{48} + b_{61}b_{65} + b_{68}b_{84} \\&\quad +b_{88}b_{92}b_{93}b_{95} + b_{22}b_{24}b_{25} + b_{70}b_{78}b_{82} \\&f \leftarrow {} s_0 + s_{7} + s_{38} + s_{70} + s_{81} + s_{96} \\&h \leftarrow {}b_{12}s_8 + s_{13}s_{20} + b_{95}s_{42} + s_{60}s_{79} + b_{12}b_{95}s_{94} \\&z \leftarrow {}h + s_{93} + b_2 + b_{15} + b_{36} + b_{45} + b_{64} + b_{73} + b_{89} \\&(b_0, b_1, \ldots , b_{127})\leftarrow (b_1, b_2, \ldots , b_{127}, g+s_0+z) \\&(s_0, s_1, \ldots , s_{127})\leftarrow (s_1, s_2, \ldots , s_{127}, f+z). \end{aligned} \end{aligned}$$

During the KSG phase, z is not feedback to the state and directly used as the keystream bit.

Trivium is also an NLFSR based stream cipher with state size 288. The 80-bit key and 80-bit IV are loaded into the state as follows \((s_0, s_1, \ldots , s_{92}) = (k_0, k_1, \ldots , k_{79},0,\ldots ,0)\), \((s_{93}, s_{94}, \ldots , s_{176}) = (iv_0, iv_1, \ldots , iv_{79}, 0,\ldots , 0)\) and \((s_{177}, s_{178}, \ldots , s_{287}) =(0,0,\ldots ,0, 1,1,1)\). The state update function of Trivium is given by

$$\begin{aligned} \begin{aligned}&t_1 \leftarrow s_{65} + s_{92} \\&t_2 \leftarrow s_{161} + s_{176} \\&t_3 \leftarrow s_{242} + s_{287} \\&z \leftarrow t_1 + t_2 + t_3\ \\&t_1 \leftarrow t_1 + s_{90}s_{91} + s_{170} \\&t_2 \leftarrow t_2 + s_{174}s_{175} + s_{263} \\&t_3 \leftarrow t_3 + s_{285}s_{286} + s_{68} \\&(s_0, s_1, \ldots , s_{92}) \leftarrow (t_3, s_0, \ldots , s_{91})\\&(s_{93}, s_1, \ldots , s_{176}) \leftarrow (t_1, s_{93}, \ldots , s_{175})\\&(s_{177}, s_1, \ldots , s_{287}) \leftarrow (t_2, s_{177}, \ldots , s_{286}). \end{aligned} \end{aligned}$$

The initialization phase runs for 1152 rounds without producing an output while z is used as the keystream bit during KSG phase.