Acknowledgements
This work was supported by National Natural Science Foundation of China (Grant No. 61802119).
Conclusion
This study introduces a new method to efficiently search for cubes in the preprocessing phase of the division-property-based cube attack. We observed that the high-degree monomials that appear in the second stage of the search help the attacker identify cube variables: if the cube variables are chosen from the positions indicated by those high-degree monomials, the resulting superpolys are linear with high probability. To show that the method is effective, we applied it to two authenticated encryption schemes, MORUS and Gimli, and for both ciphers reached the largest number of rounds attacked under a practical attack scenario.
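The cube-attack workflow that the conclusion summarises, as an added example that is not code from the paper or from the MORUS/Gimli designers: a constructed toy keyed Boolean function over GF(2) (not a real cipher), the offline phase that sums over candidate cubes and keeps only those whose superpoly passes a BLR linearity test, the recovery of each linear superpoly's coefficients, and the online phase that turns every kept cube into a linear equation in the secret key bits. The division-property-based cube search itself is not reproduced; candidate cubes are simply enumerated, and the toy polynomial is built so that the public monomial v0*v1 carries a key-linear coefficient while v0*v1*v2 carries a quadratic one. All function names and the toy polynomial are assumptions made for this example.

```python
import itertools
import random

N_KEY = 4  # key bits k0..k3 of the toy function (assumption)
N_PUB = 4  # public (IV) bits v0..v3 (assumption)


def toy_cipher(key, iv):
    """Constructed toy keyed Boolean function over GF(2); NOT a real cipher.

    v0*v1 has the key-linear coefficient (k0 + k2 + 1), v0*v1*v2 has the
    quadratic coefficient k1*k3, so cube {v0,v1} should give a linear
    superpoly and cube {v0,v1,v2} should not.
    """
    k0, k1, k2, k3 = key
    v0, v1, v2, v3 = iv
    return (
        (v0 & v1 & (k0 ^ k2 ^ 1))
        ^ (v0 & v1 & v2 & k1 & k3)
        ^ (v2 & k0 & k1)
        ^ (v0 & k2)
        ^ v3
        ^ k3
    ) & 1


def cube_sum(f, key, cube):
    """XOR f(key, iv) over all 2^|cube| assignments of the cube bits.

    Non-cube public bits are fixed to 0; by the cube-attack identity the
    result is the superpoly of the cube monomial evaluated at `key`.
    """
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        iv = [0] * N_PUB
        for idx, b in zip(cube, bits):
            iv[idx] = b
        acc ^= f(key, iv)
    return acc


def superpoly(f, cube):
    """The superpoly of `cube` as a black-box function of the key."""
    return lambda key: cube_sum(f, key, cube)


def is_linear(p, trials=32, seed=1):
    """BLR affinity test: for random x, y require p(x) ^ p(y) ^ p(x^y) == p(0).

    Each trial rejects a non-affine p with probability at least p's distance
    from the nearest affine function, so more trials buy more confidence.
    """
    rng = random.Random(seed)
    p0 = p([0] * N_KEY)
    for _ in range(trials):
        x = [rng.randint(0, 1) for _ in range(N_KEY)]
        y = [rng.randint(0, 1) for _ in range(N_KEY)]
        xy = [a ^ b for a, b in zip(x, y)]
        if p(x) ^ p(y) ^ p(xy) != p0:
            return False
    return True


def recover_linear_superpoly(p):
    """For affine p, return (const, coeffs) with p(k) = const ^ XOR_i coeffs[i]*k[i].

    N_KEY + 1 evaluations: p(0) is the constant, p(e_i) ^ p(0) the coefficient of k_i.
    """
    const = p([0] * N_KEY)
    coeffs = []
    for i in range(N_KEY):
        unit = [0] * N_KEY
        unit[i] = 1
        coeffs.append(p(unit) ^ const)
    return const, coeffs


def preprocess(f, candidate_cubes):
    """Offline phase: keep cubes whose superpoly is linear in the key and non-constant.

    Returns {cube: (const, coeffs)}. Constant superpolys pass the linearity
    test but carry no key information, so they are dropped.
    """
    table = {}
    for cube in candidate_cubes:
        p = superpoly(f, cube)
        if not is_linear(p):
            continue
        const, coeffs = recover_linear_superpoly(p)
        if any(coeffs):
            table[tuple(cube)] = (const, coeffs)
    return table


def online(f, table, secret_key):
    """Online phase: query f under the unknown key, sum over each kept cube,
    and obtain the equation XOR_i coeffs[i]*k[i] = cube_sum ^ const."""
    equations = []
    for cube, (const, coeffs) in table.items():
        rhs = cube_sum(f, secret_key, list(cube)) ^ const
        equations.append((coeffs, rhs))
    return equations


def satisfies(equations, key):
    """True if `key` satisfies every recovered linear equation."""
    for coeffs, rhs in equations:
        lhs = 0
        for c, k in zip(coeffs, key):
            lhs ^= c & k
        if lhs != rhs:
            return False
    return True


if __name__ == "__main__":
    table = preprocess(toy_cipher, [[0], [1], [2], [3], [0, 1], [0, 1, 2]])
    for cube, (const, coeffs) in table.items():
        terms = [f"k{i}" for i, c in enumerate(coeffs) if c] + (["1"] if const else [])
        print(f"cube {cube}: superpoly = {' ^ '.join(terms)}")
    secret = [1, 0, 1, 1]  # unknown to the attacker in the online phase
    eqs = online(toy_cipher, table, secret)
    print("equations:", eqs, "| consistent with secret:", satisfies(eqs, secret))
```

Only the cubes {v0} (superpoly k2) and {v0,v1} (superpoly k0 ^ k2 ^ 1) survive preprocessing: {v1} and {v3} give constant superpolys, and {v2} and {v0,v1,v2} give the quadratic superpolys k0*k1 and k1*k3, which the BLR test rejects. In a real attack the online phase only needs as many chosen-IV queries as the kept cubes have points, and the recovered equations are solved by Gaussian elimination, with the remaining key bits found by exhaustive search.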
Cite this article
Chen, S., Xiang, Z., Zeng, X. et al. Cube attacks on round-reduced MORUS and Gimli. Sci. China Inf. Sci. 65, 119101 (2022). https://doi.org/10.1007/s11432-019-2742-6