Applying cube attacks to stream ciphers in realistic scenarios

Abstract

Cube attacks were introduced in Dinur and Shamir (2009) as a cryptanalytic technique that requires only black box access to the underlying cryptosystem. The attack exploits the existence of low degree polynomial representation of a single output bit (as a function of the key and plaintext bits) in order to recover the secret key. Although cube attacks can be applied in principle to almost any cryptosystem, most block ciphers iteratively apply a highly non-linear round function (based on Sboxes or arithmetic operations) a large number of times which makes them resistant to cube attacks. On the other hand, many stream ciphers (such as Trivium (De Cannière and Preneel 2008)), are built using linear or low degree components and are natural targets for cube attacks. In this paper, we describe in detail how to apply cube attacks to stream ciphers in various settings with different assumptions on the target stream cipher and on the data available to the attacker.

Appendix: Simulations of generalized linearity tests

In this section, we present simulation results which compare the independent BLR tests and the generalized linearity tests described in Sections 3.2 and 4. The basic simulation procedure checks which one of the two preprocessing methods is able to detect the most non-linear superpolys induced by an arbitrary big cube of dimension k. Given the specification of the underlying cipher, the results of this basic procedure depend on the selected big cube, and on the keys that are chosen at random by each one of the two preprocessing methods. Thus, we iterate the basic simulation procedure several times in order to estimate the probability that that our generalized linearity test performs better than independent BLR tests, using about the same number of cipher evaluations.

The framework of the basic simulation procedure is independent of the underlying cipher. The procedure is given a black box which evaluates an output bit of the cipher for a choice of the public and private variables, and in addition it is given the parameters d, k, ℓ₁ and ℓ₂:

1. 1.

   Randomly choose k public variables for the big cube.

2. 2.

   Using the fixed zero key, evaluate the \(\binom{k}{d-1}\) superpolys by summing on all cube of dimension d − 1 induced by the big cube (while the remaining public variables are fixed to zero).

3. 3.

   Perform ℓ₁ independent BLR tests:

   1. (a)

      Randomly choose ℓ₁ pairs of keys.

   2. (b)

      For each pair of keys (x, y), evaluate the \(\binom{k}{d-1}\) superpolys at the 3 keys \({\boldsymbol{x}},{\boldsymbol{y}},{\boldsymbol{x}} + {\boldsymbol{y}}\).

   3. (c)

      for each superpoly, test whether \(p_{I}[{\bf{0}}] + p_{I}[{\boldsymbol{x}}] + p_{I}[{\boldsymbol{y}}] = p_{I}[{\boldsymbol{x}} + {\boldsymbol{y}}]\), and if not, mark it as non-linear.

   4. (d)

      Let NL ₁ be the number of superpolys that are marked as non-linear after the 11 BLR tests.

4. 4.

   Perform ℓ₂ generalized linearity tests:

   1. (a)

      Select uniformly at random a linearly independent basis of keys of size ℓ₂, \({\boldsymbol{x_1}},...,{\boldsymbol{x_{\ell_2}}}\).

   2. (b)

      evaluate the \(\binom{k}{d-1}\) superpolys at all keys of the subspace induced by the basis.

   3. (c)

      For each of the \(2^{\ell_2}-1-\ell_2\) keys in the linear subspace (which are not zero or the selected basis vectors), perform a generalized linearity test on each of the superpolys, and mark as non-linear a superpoly which fails at least one test.

   4. (d)

      Let NL ₂ be the number of superpolys that are marked as non-linear after all the generalized linearity tests.

5. 5.

   Output NL ₁ and NL ₂.

We performed simulations on a reduced variant of the stream cipher Trivium [4] with 672 initialization rounds. As specified in [5], many maxterms exist for small cubes of dimension d − 1 = 12, and thus we chose d = 13. In addition, we chose k = 22, and so we test \(\binom{22}{12}=646646\) superpolys for linearity.

The values of ℓ₁ and ℓ₂ need to be large enough to ensure that we perform significantly more generalized linearity tests than BLR tests using about the same number of superpoly evaluations. On the other hand, if we perform too many linearity tests, both preprocessing methods will detect almost all the non-linear superpolys, and the comparison will be useless. In our simulations, a reasonable choice is ℓ₁ = 11 and ℓ₂ = 5 (i.e., we perform 2⁵ − 1 − 5 = 26 generalized linearity tests). Note that a single execution of the basic simulation procedure evaluates each superpoly 1 + 11 · 3 = 34 times for the BLR tests, and a slightly smaller number of 2⁵ = 32 times for the generalized linearity tests.

In total, we executed the basic simulation procedure 100 times. Even though the generalized linearity tests require slightly less superpoly evaluations, they were able to detect more non-linear functions than the BLR tests in 96 executions of the basic procedure. Thus, the results of our simulations clearly justify using generalized linearity tests in practice.