Portal de Periódicos da CAPES

Algebraic method to recover superpolies in cube attacks

2020; Institution of Engineering and Technology; Volume: 14; Issue: 4 Linguagem: Inglês

10.1049/iet-ifs.2019.0323

1751-8717

Chen‐Dong Ye, Tian Tian,

Chaos-based Image/Signal Encryption

IET Information SecurityVolume 14, Issue 4 p. 430-441 Research ArticleFree Access Algebraic method to recover superpolies in cube attacks Chen-Dong Ye, Chen-Dong Ye PLA Strategic Support Force Information Engineering University, Zhengzhou, 450001 People's Republic of ChinaSearch for more papers by this authorTian Tian, Corresponding Author Tian Tian tiantian_d@126.com PLA Strategic Support Force Information Engineering University, Zhengzhou, 450001 People's Republic of ChinaSearch for more papers by this author Chen-Dong Ye, Chen-Dong Ye PLA Strategic Support Force Information Engineering University, Zhengzhou, 450001 People's Republic of ChinaSearch for more papers by this authorTian Tian, Corresponding Author Tian Tian tiantian_d@126.com PLA Strategic Support Force Information Engineering University, Zhengzhou, 450001 People's Republic of ChinaSearch for more papers by this author First published: 01 July 2020 https://doi.org/10.1049/iet-ifs.2019.0323Citations: 1AboutSectionsPDF ToolsRequest permissionExport citationAdd to favoritesTrack citation ShareShare Give accessShare full text accessShare full-text accessPlease review our Terms and Conditions of Use and check box below to share full-text version of article.I have read and accept the Wiley Online Library Terms and Conditions of UseShareable LinkUse the link below to share a full-text version of this article with your friends and colleagues. Learn more.Copy URL Share a linkShare onFacebookTwitterLinked InRedditWechat Abstract Cube attacks are an important type of key recovery attacks against nonlinear feedback shift register (NFSR)-based cryptosystems. The key step in cube attacks closely related to key recovery is recovering superpolies. However, in the previous cube attacks including original, division property based and correlation cube attacks, the algebraic normal form of superpolies could hardly be shown to be exact due to an unavoidable failure probability or a requirement of large time complexity. In this study, the authors propose an algebraic method aiming at recovering the exact algebraic normal forms of superpolies practically. The proposed method is developed based on the degree of evaluation method proposed by Liu in Crypto 2017. As an illustration, the authors apply the proposed method to Trivium. As a result, they recover the algebraic normal forms of some superpolies for the 818-, 835-, 837- and 838-round Trivium. Based on these superpolies, the authors could mount key-recovery attacks on 818-, 835-, 837- and 838-round Trivium with the worst complexity slightly lower than a brute-force attack. Besides, for the cube proposed by Liu in Crypto 2017 as a zero-sum distinguisher for the 838-round Trivium, it is proved that its superpoly is not zero-constant. Hopefully, the proposed method would provide some new insights on cube attacks against NFSR-based ciphers. 1 Introduction The cube attack was first proposed by Dinur and Shamir at Eurocrypt 2009 in [1]. Later, there were many improvements on it such as cube testers [2], dynamic cube attacks [3], conditional cube attacks [4, 5], division property based cube attacks (DPCAs) [6, 7] and correlation cube attacks (CCAs) [8]. Due to these improvements, cube attacks have become more and more powerful. In particular, it is one of the most important cryptanalytic tools against Trivium. In the original cube attacks (OCAs) [1, 9-11], the main aim is to find low-degree superpolies on key variables by performing experimental tests. In [1], the authors recovered 35 linear superpolies of the 767-round Trivium. In [9], quadraticity tests were first applied to the cube attacks against Trivium. As a result, the authors found 41 linear and 38 quadratic superpolies for the 709-round Trivium. In [10], the authors proposed two new ideas concerning cube attacks against Trivium. One was a recursive method to construct useful cubes. The other was simultaneously testing a lot of subcubes of a large cube using the Meobius transformation. They found 12 linear and 6 quadratic superpolies for the 799-round Trivium. In [11], by exploiting a kind of linearisation technique, the authors proposed a new framework to find non-linear superpolies with low complexities. As a result, they found six linear and two non-linear superpolies for the 802-round Trivium. In the above experimental cube attacks, it needs to test a large number of cubes to find desirable ones, while testing cubes of size >35 is time consuming. Hence, the sizes of cubes are typically confined to 40. In [6], Todo et al. introduced division property to cube attacks. For a cube I, by solving the corresponding mixed integer linear programming (MILP) models built according to the propagation rules of division property, they could identify a set of key variables which includes the key variables appearing in the superpoly . Then, by constructing the truth tables of corresponding to randomly chosen assignments of non-cube variables, they attempted to find a proper one ensuring that was non-constant. Finally, they recovered by its truth table. Due to division property and the power of MILP solvers, large cubes could be explored. For example, in [6], it was shown that the superpoly of a given 72-dimensional cube was dependent on at most five key variables for the 832-round Trivium. In [7], the authors improved the work in [6] in finding proper non-cube variables assignment and reducing the complexity of recovering the superpoly. It was shown in [7] that the superpoly of a given 78-dimensional cube was dependent on at most one key variable for the 839-round Trivium. For DPCAs, the advantage is that large cubes could be explored and the complexity of recovering superpolies could be estimated theoretically. The implicit disadvantage is that the theory of division property could not ascertain that a superpoly for a cube is non-constant. Hence the key recovery attacks on the 832-round Trivium in [6] and on the 839-round Trivium in [7] are only possible which may be only a distinguisher. In [12], the authors proposed a method to recover the superpoly of a cube with the help of bit-based division property. According to the results of [12], the superpoly of the cube proposed in [7] to attack the 839-round Trivium is zero-constant. Besides, for the cube given in [6] to attack the 832-round Trivium, they found an assignment to non-cube initialisation vector (IV) variables which ensures the corresponding superpoly is non-constant. However, the complexity of the method proposed in [12] largely depends on the number of key variables appearing in the superpoly, and so it is not suitable to recover superpolies which include many key variables. Furthermore, in [12], the authors did not establish new attacks on Trivium variants with >832 initialisation rounds. In [13], the authors also proposed a method to recover the exact superpoly with the help of bit-based division property. As a result, for the cube given in [6] to attack the 832-round Trivium, they recover the exact algebraic normal form (ANF) of the superpoly given by . With this exact ANF, they could obtain two equations on key variables and so they could improve the attack on the 832-round Trivium. Furthermore, the authors proved that the attacks proposed in [7] for 833, 835, 836, 839-round Trivium are distinguishing attacks only. In [8], the authors proposed the CCAs. For a cube , the authors first tried to find a set of low-degree polynomials G, called a basis, such that the superpoly could be factored into formally. Then, by exploiting the correlation relations between the low-degree basis G and the superpoly , they could obtain a set of probabilistic equations on the secret key variables since is unknown. It was reported in [8] that five key variables of the 835-round Trivium could be recovered with time complexity, keystream bits, and preprocessing time. In [14], Fu et al. gave a dedicated attack on the 855-round Trivium which somewhat resembled dynamic cube attacks. Their main idea is finding a simple polynomial such that the output bit polynomial z could be formally represented as where is complex while is a low-degree polynomial on IV variables compared with z. Consequently, will be a low-degree polynomial on IV variables. Then they guessed some secret key expressions involved in . For a group of right guesses, will be a low-degree polynomial on IV variables. Otherwise, is expected to be a high-degree polynomial. They declared that three secret key bits could be recovered for the 855-round Trivium with the online complexity of . A shortage of the attack described in [14] is that no estimation was given on the successful probability for wrong guesses. However, in [15], the authors pointed out that the attacks in [14] are questionable. More specifically, the attack against 721-Trivium was experimentally verified to fail and some complexity analysis also indicated that the 855-round attack was questionable. 1.1 Our contributions In this paper, we propose an algebraic method to recover superpolies in cube attacks, which improves the OCAs in recovering the superpolies with proved correctness and overcoming the low-degree restriction. The basic idea of our attacks is, by making use of internal state bit variables , dividing the polynomial representation of an r -round cipher into an -round polynomial representation and an -round polynomial representation such that . Then it is possible for us to compute superpolies algebraically for a class of cubes which are called useful cubes in the rest of this paper. The criterion of a useful cube plays a key role in calculating superpolies in practice. In particular, for a useful cube I, to compute the superpoly of I in the polynomial for a term appearing in the ANF of , it is only necessary to know the maximum degree terms in each for . Hence a superpoly could be computed in practice and so is the targeted superpoly in which is equal to the summation of all possible . As an illustration, we apply our method to the round-reduced Trivium, and we obtain the following results. For Trivium variants with 800–832 initialisation rounds, we randomly test 10,000 cubes of size 33–36, and obtain about 175 useful cubes for each variant in average. This indicates that useful cubes exist widely. We recover the superpolies of some useful cubes for the 818-, 835-, 837- and 838-round Trivium. With these recovered superpolies, we could establish the following attacks. o for the 818-round Trivium, with the superpolies , , and , we could mount a key-recovery attack. The worst case is that all the values of , , , are found to be zeroes during the online phase, and the attack complexity of the worst case is about . Otherwise, we could recover a key with a complexity not larger than . o for the 835-round Trivium, with the superpolies , , and , we could mount a key-recovery attack. The worst case is that all the values of , , , are found to be zeroes during the online phase, and the attack complexity of the worst case is about . Otherwise, we could recover a key with a complexity not larger than . o for the 837-round Trivium, with the superpoly , we could mount a key-recovery attack. When the value of is found to be zero during the online phase, the attack complexity of this case is about . Otherwise, we could recover a key with a complexity of about . o For the 838-round Trivium, with the superpoly , we could mount a key-recovery attack. When the value of is found to be zero during the online phase, the attack complexity of this case is about . Otherwise, we could recover a key with a complexity of about . We further compare our attacks with the OCAs, the DPCAs, and CCAs. First, our attacks can recover the superpoly exactly. Second, we can attack Trivium variants with high rounds using cubes of the relative small sizes, i.e. we can reach the 838-round Trivium with cubes of sizes 36–37. Compared with OCAs, we can improve >30 rounds at the cost of increasing the sizes of cubes slightly. In DPCAs, they need cubes of sizes over to attack Trivium variants with > initialisation rounds. In CCAs, they can attack the 835-round Trivium with cubes of sizes 36–37, but they cannot recover the exact superpoly of a cube and the correlation probability is computed experimentally. We summarise these comparisons in Table 1, where the ‘attack complexity’ is the complexity of recovering the entire key. Table 1. Comparisons with previous cube attacks Attacks #Rounds/cube size Attack complexity Ref. OCA 767/28–31 [1] 799/32–37 [10] 802/34–36 [11] DPCA 832/72 [6, 16, 12] [13] 833/73–74 a [7] 835/77 836/78 839/78 CCA 805/28 [8] 835/36–37 our method 818/33 Sect.4 835/35 837/36–37 838/36–37 ‘a’ indicates that the corresponding attacks are distinguishing attacks. 1.2 Organisation The rest of this paper is organised as follows. In Section 2, we give some necessary introductions on cube attacks, the numeric mapping method, and the IV representation techniques. In Section 3, we show the general idea of our attacks. In Section 4, we apply our attacks to Trivium. Finally, Section 5 concludes this paper. 2 Preliminaries 2.1 Boolean functions and algebraic degree A Boolean function on n variables is a mapping from to , where is the finite field of two elements and is an n -dimensional vector space over . A Boolean function f can be represented by a polynomial on n variables over , which is called the ANF of f. In this paper, is called a term of f. The algebraic degree of a Boolean function is denoted by and defined as where is the Hamming Weight of c. In this paper, we also care about the algebraic degree of f on a subset I of , which is denoted by and defined as where . 2.2 Description of Trivium Trivium is a bit oriented synchronous stream cipher designed by Cannière and Preneel, which is one of eSTREAM hardware-oriented portfolio ciphers. It accepts an 80-bit key and an 80-bit initialisation vector. For a more detailed and formal description, we refer the reader to [17]. The main building block of Trivium is a 288-bit Galois non-linear feedback shift register with three registers. In every clock cycle, there are three bits of the internal state updated by quadratic feedback functions and all the other bits of the internal state are updated by shifting. The internal state of Trivium, denoted by , is initialised by loading an 80-bit secret key and an 80-bit IV into the register, and setting all the remaining bits to 0 except for the last three bits of the third register. Then, the algorithm would not output any keystream bit until the internal state has updated 1152 rounds, see Algorithm 1 (Fig. 1) for details. Fig. 1Open in figure viewerPowerPoint Algorithm 1: Pseudo-code of Trivium 2.3 Superpoly The concept of superpoly was first proposed in [1]. Let , be an m -variable polynomial and be a subset of . Denote , the product of variables in I. Then it is clear that the following representation for f is unique, where does not contain any common variable with and every term in is not divisible by . The polynomial is called the superpoly of in f. For the sake of convenience, we denote by in the following paper. 2.4 Cube attacks The idea of the cube attack was first proposed by Dinur and Shamir in [1]. In the cube attack against stream ciphers, an output bit z is described as a tweakable polynomial f on key variables and public IV variables , where n and m are positive integers, i.e. Let I be a subset containing d public variables called cube variables, where . Without loss of generality, we assume that . Let us denote (1)the superpoly of in f under the condition that all m IV variables are set to 0 except the d variables in I. Let be a set of assignments for IV variables containing m -tuples in which the variables in I are assigned to all the possible combinations of 0/1 while all the other IV variables, called non-cube IV variables, are assigned to constants. The set is called a d -dimensional cube defined by I. In this paper, we set all the non-cube IV variables to 0's and call I a cube for simplicity. A key observation in cube attacks is that the summation of f over all the possible vectors in leads to , i.e. (2)If is not a constant polynomial, then this means that by choosing IVs, one can obtain an equation in key variables. Otherwise, (2) provides a distinguisher on the cipher. Hence an attacker in cube attacks focuses on recovering . Since f is treated as a black-box polynomial, in practice is not algebraically calculated from (1). Hence, OCAs resort to low-degree polynomial tests with a certain failure probability. 2.5 Numeric mapping The numeric mapping was first introduced by Liu in [18], which was the core technique of the degree evaluation method for NFSR-based cryptosystems in [18]. Let be an m -variable Boolean function. The numeric mapping, denoted by DEG, is defined as follows: where , is the set of all m -variable Boolean functions. With the numeric mapping, the numeric degree of a composite function can be defined. Assume that are n -variable Boolean functions and is a composite function. The numeric degree h is defined as , where and . Furthermore, if we have for , then it can be seen that where . Based on the numeric mapping, in [18], Liu proposed an iterative algorithm for giving an upper bound on the algebraic degree of the output bit after r rounds for a Trivium-like cipher. In this algorithm, they first initialised the degrees of the initial internal state bits and then iteratively estimated the algebraic degree of the internal state bits at time instance t for . Thus, the estimated degree of the output bit could be calculated according to the output function. Moreover, when estimating the algebraic degree of the update bits, the author treated the product of two adjacent internal state bits as a whole and recursively expressed these two bits to obtain a more accurate estimation. 2.6 IV representation The IV representation was first proposed by Fu et al. in [19], which was used to determine the non-existence of some IV terms in the output bit of Grain-128. For a stream cipher with m IV variables, i.e. , and n key variables, i.e. , an internal state bit (or the output bit) s can be seen as a polynomial on key and IV variables, i.e. The IV representation of a term is defined as Based on the definition of IV representation of a term, the IV representation of s is defined as follows 3 An algebraic method to recover superpolies Recall that in an OCA, a desirable superpoly is not algebraically computed from (1), since the output bit polynomial is treated as a black-box polynomial. Hence OCAs resort to low-degree polynomial tests such as Blum-Luby-Rubinfeld (BLR) linearity tests with a certain failure probability. Consequently, previously recovered superpolies in OCAs are convincing but without proved correctness. In this section, we shall give an algebraic method to recover superpolies in cube attacks against an NFSR-based stream cipher. In Section 3.1, we describe the rationality of our idea and the general framework for realising the idea. Then to make our idea practical, we introduce a new criterion of useful cubes in Section 3.2. Consequently, an algorithm is proposed to find useful cubes efficiently in Section 3.3. Finally, in Section 3.4, for a useful cube, we show how to recover its superpoly as well as some auxiliary techniques. 3.1 Overview of our method We represent the superpoly of a cube by internal state bits for the target cipher. Let us fix a time instance which is less than the number of initialisation rounds and denote the internal state bits of the target cipher at the time instance t by , where N is the internal state size of the target cipher. Then an output bit z of the target cipher also can be described by a polynomial on , i.e. (3)where . Furthermore, note that each internal state bit could be represented by a polynomial on key and IV variables, i.e. (4)Taking (4) into (3) yields (5)Following from (5), the superpoly of I in z can be computed as (6)For the sake of convenience, we simply denote by in the rest of the paper. Then (6) implies that (7)Note that with is a term of . If we denote all terms of by , i.e. then it follows from (7) that (8)This indicates that if we could compute the superpoly of in for every term of , then their summation is the desirable superpoly in cube attacks. In the following paper, we shall recover based on the equality (8). Hence it is clear that the superpolies recovered with our method will be correct with probability 1. In specific, for a given set I of cube variables and a time instance t, there are three main steps Step 1: Compute the ANF of . Step 2: For each term , compute the superpoly Step 3: Compute We give some explanations for our method. First, all the non-cube IV variables are set to 0. That is to say, is a polynomial on variables consisting of n key variables and d cube variables, . Second, the choice of the time instance t obeys the following two rules Rule 1: One can compute the ANF of , where is treated as a bit variable. As t decreases, the ANF of will become more and more complex. Rule 2: For i from 1 to N, one can compute the ANF of . As t increases, the ANF of will become more and more complex. Third, we point out that to compute is a difficult problem in this framework even when the above two rules are satisfied since it is difficult to compute the complete ANF of the product when treating as a polynomial on key and IV variables. To solve this problem, in Section 3.2, we give a criterion to choose useful cubes for which we could compute in practice without completely expanding the product in its ANF. 3.2 New criterion of useful cubes Let be as in the previous subsection. To compute , we use the following expression (9)where runs through independently for . The difficulty of computing (9) lies in that there are too many products, say , need to compute. If is not divisible by , then we have which implies that has no contribution to . Hence an effective should satisfy that is divisible by . To make this point clear we rewrite (9) as (10)where runs through independently for . To reduce the number of effective terms or summation in (10) we propose a criterion for useful cubes in this subsection. To characterise a useful cube, we shall give some definitions first. Definition 1.Let I be a set of cube variables, and . If a term satisfies , then u is called a maximum degree term of on I. A maximum degree term of on I is a term whose degree on I attains the maximum. It is obvious that a maximum degree term of is not unique. For example, and . Then and are maximum degree terms of whose degrees on I are 2. Definition 2.Let I be a set of cube variables and . For a term , if then u is called a tight term for I. The following property gives a relationship between tight terms and maximum degree terms concerning the right hand side of (10). Property 1.Let I be a set of cube variables and be a tight term for I. If is divisible by where for , then is a maximum degree term of on I. Let be a tight term for I. Due to Property 1, when computing , we only need to consider maximum degree terms of on I. Moreover, maximum degree terms are usually a very small part of . Thus, in this case, the computation of could be simplified greatly. Example 1.Let , , , , , and . Then it can be seen that is a tight term for I. However, is not a tight term for I. The sets of maximum degree terms of and are and , respectively. According to Property 1, we have which could be computed only using the maximum degree terms of and . Based on the concept of tight terms, we propose a new criterion of useful cubes. Criterion 1.Let I be a set of cube variables and . If every term satisfies (11)then I is called a useful cube. In Criterion 1, if , then is a tight term of for I; otherwise we have which implies that is not divisible by , and so Therefore, this criterion implies that every term u of is either a tight term or Accordingly for a useful cube I, we simply have (12)It can be seen that the computation of is relatively easier for a useful cube I. In the next subsection, we will show how to pick up useful cubes. 3.3 Algorithm to find useful cubes In this subsection, we discuss how to find useful cubes efficiently. According to rule 1, we assume that is known, and so is known. It can be seen from Criterion 1 that to judge whether I is useful we need to calculate for every term in . This is, in essence, a degree evaluation problem. On one hand, to quickly judge whether a cube is useful, we need an efficient degree evaluation algorithm. On the other hand, to accurately identify a useful cube, we need an accurate degree evaluation algorithm since a useful cube may be missed if the estimated degrees are far from real degrees. Considering these issues, we choose to use the idea of numeric mapping proposed in [18]. Details are given in Algorithm 2 (see Fig. 2). As for the definition and methodology of numeric mapping and numeric degree please refer to [18] and Section 2. Fig. 2Open in figure viewerPowerPoint Algorithm 2: Finding useful cubes with degree evaluation The general idea of Algorithm 2 is first computing the numeric degree of on I for denoted by and then computing the numeric degree for each term by If holds for every term , then we regard I as a useful cube in Algorithm 2. Since the algebraic degree of is always less than or equal to the numeric degree of , i.e. , it follows that a cube outputted by Algorithm 2 satisfies Criterion 1. 3.4 Recover the exact superpoly of a useful cube After finding a useful cube I, we can recover the corresponding superpoly by (12). The critical part of this phase is calculating the superpoly of in each tight term for I. We present the details in Algorithms 3 and 4 (see Figs. 3 and 4). Fig. 3Open in figure viewerPowerPoint Algorithm 3: Recover the exact superpoly of a useful cube Fig. 4Open in figure viewerPowerPoint Algorithm 4: Recover the superpoly of I in a tight term Let be a tight term for I. In Algorithm 3, the procedure RecoverCoefficient is called to compute . Following from (12), is the summation of where is divisible by and is a maximum degree term of for . Hence, we need to find all such products of maximum degree terms of to obtain . In RecoverCoefficient, it can be done in the following three steps. Collect and preprocess the maximum degree terms: The first step is to collect and preprocess the maximum degree terms of for . Assume that the maximum degree terms of are stored in , where MDT is a list of sets and represents the j -th set in MDT. Our goal is to find all the combinations such that is divisible by . Let be the IV representation of for . Then, if is divisible by , then (the IV variables except cube variables are set to 0). Therefore, we apply the Reduce operation to for . In the Reduce operation, we first do IV representation for each term in , and so we could obtain a multi-set , where is the IV representation of u. Then, we could obtain a set from , where only one of the repeated terms in are kept. For simplicity, is called a set of reduced maximum degree terms in the rest of this paper. In this paper, a combination satisfying is called a valid combination. It can be seen that, by finding all the valid combinations, we could deduce all the combinations such that is divisible by . Note that would be much smaller than , since () may have many terms whose results of IV representation are the same. Thus, the complexity could be reduced dramatically. Find all the valid combinations: Accordingly, the second step is to find all the valid combinations. Although would be much smaller than , it may still be very large. Hence, we would not check each combination directly, where for . Instead, we pick up elements from RMDT gradually to form a full combination. Moreover, we propose the following two strategies to throw away some invalid combinations in advance. To illustrate these two strategies, assume that we have picked up the first d elements of a combination, i.e. . Strategy 1: If , then we would throw away all the combinations whose first d components are . Let be a combination such that the condition in Strategy 1 is satisfied. Then Namely, . Hence, combinations satisfying the condition in Strategy 1 are not valid ones and should be thrown away. Strategy 2. For some , if each term satisfies that , then we would throw away all the combinations whose first d components are . Let be a combination such that the condition in Strategy 2 is satisfied. Without loss of generality, we assume that . Then Namely, . Hence, combinations satisfying the condition in Strategy 2 are not valid ones and should be thrown away. If the chosen first d components do not satisfy the condition in Strategy 1 nor the condition in Strategy 2, then we would pick up the -th component from . Note that, S