An Improved Method for Evaluating Secret Variables and Its Application to WAGE

  • Conference paper
Information Security and Cryptology (Inscrypt 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14526))

Abstract

The cube attack is a powerful cryptanalysis technique against symmetric ciphers, especially stream ciphers. The adversary aims to recover secret key bits by solving equations that involve the key. To simplify the equations, a set of plaintexts called a cube is summed together. Traditional cube attacks use only linear or quadratic superpolies, and the size of the cube is limited to an experimental range, typically around 40. However, the cube attack based on division property, proposed by Todo et al. at CRYPTO 2017, overcomes these limitations and enables theoretical cube attacks on many lightweight stream ciphers. For a given cube I, they evaluate the set J of secret key bits involved in the superpoly and require \(2^{|I|+|J|}\) encryptions to recover the superpoly. However, the secret-variable evaluation method proposed by Todo et al. sometimes becomes unresponsive and fails to finish within a reasonable time. In this paper, we propose an improvement to Todo's method that breaks difficult-to-solve problems down into several smaller sub-problems. Our method retains the efficiency of Todo's method while effectively avoiding unresponsive situations. We apply our method to the WAGE cipher, an NLFSR-based authenticated encryption algorithm and one of the second-round candidates in the NIST LWC competition. Specifically, we successfully mount cube attacks on 29-round WAGE, as well as on 24-round WAGE with a sponge constraint. To the best of our knowledge, this is the first cube attack against the WAGE cipher, and it provides a more accurate characterization of WAGE's resistance against algebraic attacks.
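As an added illustration of the workflow the abstract describes (this is not code from the paper or from the WAGE specification), the toy below stands a constructed GF(2) polynomial in for one output bit, determines the set J of key bits involved in the superpoly of cube I = {v0, v1} exhaustively, which is only affordable for a toy and is exactly what division property estimates for a real cipher, and then recovers the superpoly table at a cost of 2^(|I|+|J|) evaluations. All function names and the polynomial are assumptions made for this example.

```python
from itertools import product

N_KEY, N_PUB = 8, 4  # toy sizes, constructed for this example

def toy_output_bit(k, v):
    """Constructed GF(2) polynomial, not WAGE: cube {v0, v1} isolates k0 + k2 + k1*k3."""
    return ((v[0] & v[1] & (k[0] ^ k[2] ^ (k[1] & k[3])))
            ^ (v[0] & v[1] & v[2] & k[1])           # vanishes once v2 is fixed to 0
            ^ (v[0] & k[1]) ^ (v[2] & v[3] & k[3]) ^ (v[1] & k[0] & k[2])
            ^ (v[2] & k[4]) ^ (v[3] & k[5] & k[6]) ^ k[7] ^ 1)

def cube_sum(f, k, cube):
    """XOR f(k, v) over the 2^|I| assignments of the cube bits (non-cube public
    bits fixed to 0). The result is the superpoly value p_I(k)."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * N_PUB
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= f(k, v)
    return acc

def involved_key_bits(f, cube):
    """J: key bits whose flip changes the superpoly for some key. Exhaustive over
    all 2^N_KEY keys, so only feasible for a toy."""
    J = set()
    for k in product((0, 1), repeat=N_KEY):
        base = cube_sum(f, k, cube)
        for i in range(N_KEY):
            flipped = [b ^ (j == i) for j, b in enumerate(k)]
            if cube_sum(f, flipped, cube) != base:
                J.add(i)
    return sorted(J)

def recover_superpoly(f, cube, J):
    """Offline phase: tabulate p_I over the 2^|J| assignments of J (bits outside
    J fixed to 0). Returns the table and the evaluation count 2^(|I|+|J|)."""
    table, evals = {}, 0
    for bits in product((0, 1), repeat=len(J)):
        k = [0] * N_KEY
        for i, b in zip(J, bits):
            k[i] = b
        table[bits] = cube_sum(f, k, cube)
        evals += 2 ** len(cube)
    return table, evals

def online_equation(f, secret_key, cube, table):
    """Online phase: one cube sum under the unknown key yields the 1-bit equation
    p_I(k) = c; return c and the assignments of J consistent with it."""
    c = cube_sum(f, secret_key, cube)
    return c, [bits for bits, val in table.items() if val == c]
```

For this toy, J = {k0, k1, k2, k3}, so the offline table costs 2^(2+4) = 64 evaluations regardless of the 8-bit key length, and the online cube sum halves the candidate space for J.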

References

  1. Abdelkhalek, A., Sasaki, Y., Todo, Y., Tolba, M., Youssef, A.M.: MILP modeling for (large) s-boxes to optimize probability of differential characteristics. IACR Trans. Symmetric Cryptol. 2017(4), 99–129 (2017). https://doi.org/10.13154/tosc.v2017.i4.99-129

  2. Ågren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of grain-128 with optional authentication. Int. J. Wirel. Mob. Comput. 5(1), 48–59 (2011). https://doi.org/10.1504/IJWMC.2011.044106

  3. AlTawy, R., Gong, G., Mandal, K., Rohit, R.: WAGE: an authenticated encryption with a twist. IACR Trans. Symmetric Cryptol. 2020(S1), 132–159 (2020). https://doi.org/10.13154/tosc.v2020.iS1.132-159

  4. De Cannière, C., Preneel, B.: Trivium. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 244–266. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_18

  5. Derbez, P., Fouque, P.: Increasing precision of division property. IACR Trans. Symmetric Cryptol. 2020(4), 173–194 (2020). https://doi.org/10.46586/tosc.v2020.i4.173-194

  6. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_16

  7. Fei, Y., et al.: Correlation power analysis and higher-order masking implementation of WAGE. In: Dunkelman, O., Jacobson, Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 593–614. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_23

  8. Feng, X., Tian, Y., Wang, Y., Xu, S., Zhang, A.: Full linear integer inequality characterization of set over \(\mathbb{Z}_2^n\). CSTR:32003.36.ChinaXiv.202210.00055.V2 (2023). http://www.chinaxiv.org/abs/202210.00055

  9. Gong, G., Youssef, A.M.: Cryptographic properties of the Welch-Gong transformation sequence generators. IEEE Trans. Inf. Theory 48(11), 2837–2846 (2002). https://doi.org/10.1109/TIT.2002.804043

  10. Hao, Y., Leander, G., Meier, W., Todo, Y., Wang, Q.: Modeling for three-subset division property without unknown subset. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 466–495. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_17

  11. Hu, K., Sun, S., Todo, Y., Wang, M., Wang, Q.: Massive superpoly recovery with nested monomial predictions. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 392–421. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_14

  12. Hu, K., Sun, S., Wang, M., Wang, Q.: An algebraic formulation of the division property: revisiting degree evaluations, cube attacks, and key-independent sums. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 446–476. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_15

  13. Hu, K., Wang, Q., Wang, M.: Finding bit-based division property for ciphers with complex linear layers. IACR Trans. Symmetric Cryptol. 2020(1), 396–424 (2020). https://doi.org/10.13154/tosc.v2020.i1.396-424

  14. Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_9

  15. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Communications and Cryptography: Two Sides of One Tapestry, pp. 227–233 (1994)

  16. Li, T., Sun, Y.: Superball: a new approach for MILP modelings of Boolean functions. IACR Trans. Symmetric Cryptol. 2022(3), 341–367 (2022). https://doi.org/10.46586/tosc.v2022.i3.341-367

  17. Mandal, K., Gong, G., Fan, X., Aagaard, M.D.: Optimal parameters for the WG stream cipher family. Cryptogr. Commun. 6(2), 117–135 (2014). https://doi.org/10.1007/s12095-013-0091-0

  18. Nawaz, Y., Gong, G.: WG: a family of stream ciphers with designed randomness properties. Inf. Sci. 178(7), 1903–1916 (2008). https://doi.org/10.1016/j.ins.2007.12.002

  19. Sasaki, Y., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_7

  20. Sun, L., Wang, W., Wang, M.: Automatic search of bit-based division property for ARX ciphers and word-based division property. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 128–157. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_5

  21. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9

  22. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.1) (2020). https://www.sagemath.org

  23. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12

  24. Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_9

  25. Todo, Y., Morii, M.: Bit-based division property and application to SIMON family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_18

  26. Wang, Q., Hao, Y., Todo, Y., Li, C., Isobe, T., Meier, W.: Improved division property based cube attacks exploiting algebraic properties of superpoly. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 275–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_10

  27. Wang, S., Hu, B., Guan, J., Zhang, K., Shi, T.: MILP-aided method of searching division property using three subsets and applications. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 398–427. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_14

  28. Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_24

  29. Ye, C., Tian, T.: Revisit division property based cube attacks: key-recovery or distinguishing attacks? IACR Trans. Symmetric Cryptol. 2019(3), 81–102 (2019). https://doi.org/10.13154/tosc.v2019.i3.81-102

  30. Ye, C.-D., Tian, T.: A practical key-recovery attack on 805-round Trivium. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 187–213. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_7

Acknowledgements

We are grateful to Xiutao Feng and Shengyuan Xu for their valuable suggestions on FLIIC. We also thank the anonymous reviewers for their helpful comments. The work of Deng Tang was supported in part by the National Key Research and Development Project 2020YFA0712300 and NSFC (No. 62272303).

Author information

Correspondence to Deng Tang.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Wang, W., Wang, H., Tang, D. (2024). An Improved Method for Evaluating Secret Variables and Its Application to WAGE. In: Ge, C., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2023. Lecture Notes in Computer Science, vol 14526. Springer, Singapore. https://doi.org/10.1007/978-981-97-0942-7_18

  • DOI: https://doi.org/10.1007/978-981-97-0942-7_18

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-0941-0

  • Online ISBN: 978-981-97-0942-7