Improved Degree Evaluation and Superpoly Recovery methods with Application to Trivium
The cube attack is a powerful method in the cryptanalysis of NFSR-based ciphers. In this paper, we propose an improved degree evaluation method and a superpoly recovery technique, both of which are important components of the cube attack. The algebraic degree of a cryptosystem can be used not only to judge whether the superpoly is zero but also to search for good cube index sets, and its estimation has always been a topic of concern in algebraic attacks. To improve the accuracy of degree evaluation, we introduce the concept of the vector degree of a Boolean function and propose the vector numeric mapping technique, which describes the propagation of the vector degree. Recovering the superpoly of a cube is the key step in the preprocessing phase of the cube attack. The three-subset division property without unknown subset has been an efficient tool for recovering the exact superpoly by studying division trails. It is convenient to use an off-the-shelf MILP solver to search for all division trails by transforming the division property into a MILP model, but when there are too many division trails, it is difficult for a MILP solver to find all solutions. We propose a method to simplify this problem by combining the algebraic representations of the middle-round states in the iterative process of a cipher. Thanks to the introduction of new variables in place of complex expressions in the key bits, and the elimination of some trails in the middle rounds, the number of solutions of the MILP model is greatly reduced. To verify the effectiveness of our methods, we apply them to the Trivium stream cipher. We find three cubes, each of which yields a distinguisher up to 840 rounds. We also put forward 843- and 844-round key-recovery attacks against Trivium with time complexity at most 2^79.2 and 2^79.4, respectively.
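As an added illustration (not code from the paper), the basic cube-attack machinery the abstract builds on, run against reduced-round Trivium: cube sums over the IV bits, recovery of an affine superpoly in the key bits, and the zero-superpoly case that gives a distinguisher. The paper's vector-degree and division-property methods are not implemented here; the cube and round counts are toy values chosen so the script runs in seconds.

```python
import random

def trivium_bit(key, iv, rounds):
    """First keystream bit of Trivium after `rounds` initialisation clocks.
    key and iv are lists of 80 bits; the real cipher uses 1152 clocks."""
    s = key + [0] * 13 + iv + [0] * 4 + [0] * 108 + [1, 1, 1]  # 288-bit state
    for _ in range(rounds):
        t1 = s[65] ^ s[92] ^ (s[90] & s[91]) ^ s[170]
        t2 = s[161] ^ s[176] ^ (s[174] & s[175]) ^ s[263]
        t3 = s[242] ^ s[287] ^ (s[285] & s[286]) ^ s[68]
        s = [t3] + s[:92] + [t1] + s[93:176] + [t2] + s[177:287]
    return s[65] ^ s[92] ^ s[161] ^ s[176] ^ s[242] ^ s[287]

def cube_sum(key, cube, rounds):
    """XOR the output bit over all 2^|cube| settings of the cube IV bits
    (other IV bits fixed to 0): this is the superpoly evaluated at `key`."""
    acc = 0
    for x in range(1 << len(cube)):
        iv = [0] * 80
        for j, i in enumerate(cube):
            iv[i] = (x >> j) & 1
        acc ^= trivium_bit(key, iv, rounds)
    return acc

def recover_linear_superpoly(cube, rounds, checks=16, seed=1):
    """Assume the superpoly is affine, p(k) = c0 + sum c_i k_i: read c0 and
    the c_i from 81 cube sums, then confirm the guess on `checks` random keys.
    Returns (c0, {i : c_i = 1}, passed); passed=False means the superpoly is
    not affine, so the recovered expression must not be used for key recovery."""
    c0 = cube_sum([0] * 80, cube, rounds)
    terms = set()
    for i in range(80):
        unit = [0] * 80
        unit[i] = 1
        if cube_sum(unit, cube, rounds) ^ c0:
            terms.add(i)
    rng = random.Random(seed)
    for _ in range(checks):
        k = [rng.randrange(2) for _ in range(80)]
        predicted = c0 ^ (sum(k[i] for i in terms) & 1)
        if predicted != cube_sum(k, cube, rounds):
            return c0, terms, False
    return c0, terms, True

if __name__ == "__main__":
    # Toy parameters (constructed): a 6-bit cube on 120-round Trivium.
    c0, terms, ok = recover_linear_superpoly([0, 1, 2, 3, 4, 5], 120)
    print("affine:", ok, "constant:", c0, "key bits:", sorted(terms))
```

A result of `affine: True` with no key bits and constant 0 is a zero superpoly, i.e. a distinguisher for that round count; a non-empty key-bit set is one linear equation in the secret key.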