Linear Extension Cube Attack on Stream Ciphers

Liren Ding, Yongjuan Wang, Zhufeng Li
(Language Engineering Department, Luoyang University for Foreign Language, Luoyang city, Henan Province, 471003, P. R. China)

Abstract: Based on the original Cube attack, this paper proposes an improved method of Cube attack on stream ciphers, which improves the pre-processing phase of the original attack. The new method can induce maxterms of higher order from those of lower order by a trade-off between time and space, thus recovering more key bits and reducing the search complexity in higher dimensions. In this paper, the improved attack is applied to the LILI-128 algorithm and to reduced variants of the Trivium algorithm. We can recover 88 key bits of LILI-128 within time complexity O( 4 ), and 48 key bits of Trivium can be recovered by cubes with dimension no larger than 8 when the initialization round is 576; the results are much better than those of the original attacks.

Keywords: Cube Attack, Stream Cipher, Linear Extension, Pre-processing, Trivium, LILI-128.

1. Introduction

In 2008, Dinur and Shamir [1] introduced a deterministic analysis method based on algebraic theory, i.e. the Cube Attack. Cube attack is a kind of chosen plaintext attack; it makes use of the fact that the output of a cryptosystem can be represented as a polynomial in the public variables and the key bits. Theoretically, Cube attack can be applied to all cryptosystems as long as they can be represented as tweakable polynomials. The algebraic degree of the master polynomial can be decreased by choosing arbitrary values for the tweakable variables. By doing so, the attacker can obtain linear equations about the key bits. Hence, the security of a cryptosystem is reduced to the problem of solving a linear equation system. Although the specific representation of a cryptosystem is unknown, the attack can still be applied to it as a black box. Cube attack performs quite well against stream ciphers, block ciphers and hash functions [2,3,4]. Therefore, Cube attack has attracted a lot of attention since its announcement. However, Cube attack has a few limitations.
First of all, the algebraic degree of the cryptosystem should not be too large, otherwise it would be difficult to search for linear expressions in the pre-processing phase. As a result, the performance of the original Cube attack against NFSR-based stream ciphers and block ciphers is limited. Second, choosing the right cubes is time-consuming. If the choice is not proper or the search has not been done thoroughly, the final result of the Cube attack would be weakened. As research on Cube attack has gone deeper, cryptologists have come up with several extended versions of Cube attack against different algorithms. In 2011, Dinur and Shamir [5] proposed the Dynamic Cube attack, which is based on the analysis of the internal structure of a certain cipher so that a proper choice of the values of the dynamic variables can lower the algebraic degree of the master polynomial. P. Mroczkowski [6] improved the linearity test of Cube attack by extracting quadratic equations. Yu Sun [7] made improvements on the search algorithm and the linearity test so that more than one linear expression can be extracted from a single cube with the help of a trade-off between time and space.

Our work is based on the phenomenon pointed out by P. Mroczkowski in [6] that, although the cubes were chosen randomly, there was a way to obtain new cubes from another one with a linear expression. In fact, for stream ciphers with a shift register, the transitivity of the register enables the lower round to influence the higher round, so that d- and (d+1)-dimensional cubes will have some variables in common. Therefore, more cubes can be derived from one with a linear expression, thus obtaining more linear expressions. Motivated by the above observations, this paper proposes an improved attack on stream ciphers on the basis of the original Cube attack, i.e. the Linear Extension Cube Attack, which makes use of those common variables in two cubes of different dimension; the trade-off between time and space enables the attacker to induce maxterms of higher order from those of lower order, thus recovering more key bits and reducing the search complexity in higher dimensions. To demonstrate the application of the extended method, this correspondence provides the Linear Extension Cube Attack against the LILI-128 algorithm and two reduced variants of the Trivium algorithm, and the results are much better than those of the original attacks. For the LILI-128 algorithm, only O( 9 ) key streams are needed to recover 88 key bits and the attack has time complexity less than O( 4 ), which is better than the O( 6 ) of the original Cube attack. It is the best attack against LILI-128 to the best of our knowledge. For the Trivium algorithm, when the initialization round is 525, the original Cube attack on the 525th output bit with 4-dimensional cubes can only recover 6 key bits, while the improved attack can directly recover 3 key bits. When the initialization round is 576, applying the improved Cube attack to the 576th output bit, 48 key bits can be recovered by cubes with dimension no larger than 8, while the original Cube attack on several output bits in [14] can only recover 36 key bits by cubes with dimension no larger than 8. The organization of this paper is as follows: in section 2, the preliminaries and basic steps of Cube attack are reviewed. Section 3 contains the main contribution of this paper, where the notion of the Linear Extension Cube Attack and its details are provided.
To testify the performance of the improved attack, it is applied to LILI-128 and two reduced variants of the Trivium algorithm in section 4. At last, section 5 is a brief summary of this paper.

2. Review on Cube Attack

Cube attack regards the investigated cryptosystem as a polynomial P(v, x) in the public variables v = (v1, ..., vm) and the secret key bits x = (x1, ..., xn). Let I = {i1, ..., ik} ⊆ {1, 2, ..., n} be the indexes of the public variables and t_I = v_{i1} v_{i2} ... v_{ik} be the product of these public variables. Through factoring the master polynomial by the monomial t_I, we have:

P(v1, ..., vm, x1, ..., xn) = t_I · P_{S(I)} + Q(v1, ..., vm, x1, ..., xn),

where P_{S(I)}, which is called the superpoly of I, does not have any common variables with t_I, and each monomial term in the residue polynomial Q(v1, ..., vm, x1, ..., xn) misses at least one variable from I. Denote C_I = {(v1, ..., vm) ∈ F_2^m | v_i ∈ F_2, i ∈ I; v_j = 0, j ∉ I} as a Cube; apparently, we have |C_I| = 2^k. Summing the polynomials when the public variables {v1, ..., vm} walk over the cube, we have:

Σ_{(v1,...,vm)∈C_I} P(v, x) = Σ_{(v1,...,vm)∈C_I} t_I · P_{S(I)} + Σ_{(v1,...,vm)∈C_I} Q(v1, ..., vm, x1, ..., xn) = P_{S(I)}.

The feasibility of Cube attack mainly depends on the following observation:

Theorem 1 [1]. For any polynomial P(v, x) and public variables v = (v1, ..., vm), we have Σ_{v∈C_I} P(v, x) ≡ P_{S(I)}(v, x) mod 2.

Proof: Each monomial term in the residue polynomial of P(v, x), that is Q(v1, ..., vm, x1, ..., xn), misses at least one variable from I, so the value of each term of Q(v, x) after 2^k computations is 0, thus Σ_{v∈C_I} Q(v, x) = 0. Next, if and only if v_{i1}, ..., v_{ik} are all set to 1, the coefficient of P_{S(I)}(v, x) is 1. #

A term t_I is called a maxterm if its superpoly is a linear polynomial while not a constant.

Example 1: Let P(v1, v2, v3, x1, x2, x3) = vv x vv x3 v v x v v x, where (v1, v2, v3) are the public variables and (x1, x2, x3) is the key. Define I = {1, 2}; through factoring the master polynomial by the monomial t_I we have: P(v1, v2, v3, x1, x2, x3) = v v (x x ) v v x x ( 3 3. C_I = {(0,0,0), (1,0,0), (0,1,0), (1,1,0)}; by summing the polynomial over this cube, we have: Σ_{v∈C_I} P(v1, v2, v3, x1, x2, x3) = P_{S(I)}(v3, x1, x2, x3) = x x3.

Cube attack consists of two phases, the pre-processing phase and the on-line phase. During the pre-processing phase, the attacker can arbitrarily assign values to both the public variables and the key bits, and choose appropriate cubes to do the computation. Then the linearity test is applied to test whether the superpoly is linear or not. The main purpose of this phase is to extract as many linear expressions about the key bits as possible. During the on-line phase, the attacker can only control the public variables, through which he can conduct the cube sum over the same cube in order to obtain the value of the right-hand side of a certain expression. The main purpose of this phase is to establish linear equations. Due to the selection of different cubes, he can establish a system of linear equations. At last, the key bits are recovered by solving the equation system.

3. Linear Extension Cube Attack

3.1
The Main Observation

When it comes to the shift register, a higher position of a lower round becomes a lower position of a higher round as the round is extended. Therefore, the existence of common variables between the master polynomials before and after the extension is certain. Using these common variables to construct new cubes, the attacker can analyse the target cryptosystem at higher rounds on the basis of the attack results at a lower round.

Motivated by the above observation, this paper proposes the Linear Extension Cube Attack against stream ciphers. The main idea of this extended attack is to improve the pre-processing phase of the original attack. Thanks to the transitivity of the shift register, by the trade-off between time and space, maxterms of degree d+1 can be derived from maxterms of degree d, thus obtaining more linear expressions so that more key bits can be recovered. To demonstrate the main contribution, definitions and examples are given as follows.

Definition 1. Let N = {1, 2, ..., n}, I = {i1, i2, ..., ik} ⊆ N, and define the maxterm as t_I = v_{i1} v_{i2} ... v_{ik}; through factoring the master polynomial by t_I we have P = t_I P_{S(I)} + Q. Let t_{I'} = v_s t_I, s ∈ N \ I, and P' = t_{I'} P'_{S(I')} + Q', where P' denotes the master polynomial after extension. The monomial t_{I'} is called the 1-time extended maxterm of t_I if deg(P'_{S(I')}) = 1.

Example 2: P(v1, v2, v3, v4, x1, x2, x3, x4) = vv v3x4 + vv v3 + vv3x + vv3 x + vv x3 + xx = v1v2v3(x4 + 1) + vv3x + vv3 x + vv x3 + xx; P'(v1, v2, v3, v4, x1, x2, x3, x4) = vv v3v4x + vv v3 + vv3x + vv3 x + vv x3 + xx. P' denotes the master polynomial after extension. Let I = {1, 2, 3}; we have the maxterm t_I = v1v2v3 according to P. If we let I' = {1, 2, 3, 4}, then t_{I'} = v1v2v3v4 is also a maxterm according to P', so t_{I'} is called the 1-time extended maxterm of t_I.

Note that, to conduct the Linear Extension Cube Attack, the target cryptosystem should be extended first so that the algebraic degree of the master polynomial increases. The extension here means one round as well as several rounds; the existence of a 1-time extended maxterm holds true for both conditions. The rest of this section discusses the existence of the 1-time extended maxterm under the extension of a round.

Theorem 2. Let P(x) denote the master polynomial of a cryptosystem; through factoring P(x) by the maxterm t_I, we have P(x) = t_I P_{S(I)} + Q. Let P'(x) denote the polynomial after extension by one round. Then a 1-time extended maxterm of t_I possibly exists if P'(x) satisfies P'(x) = t_I P'_{S(I)} + Q', where deg(P'_{S(I)}) = 2 and P'_{S(I)} can be represented as v_a l(x) + g(x), where deg(l(x)) = 1 and a ∉ I.

Proof: Since t_I is a maxterm of P(x), we have:
P(x) = t_I P_{S(I)} + Q. (1)
Assuming that t_{I'} = v_a t_I is a 1-time extended maxterm of t_I, where a ∉ I according to Definition 1, then we have
P'(x) = t_{I'} P'_{S(I')} + Q', where deg(P'_{S(I')}) = 1. (2)
Obviously, the following equation holds true:
P'(x) = t_I v_a P'_{S(I')} + Q'. (3)
Note that t_I ∤ Q' v_a, so the terms of Q' that are divisible by t_I do not contain v_a; hence we can write
Q' = t_I g(x) + Q'', v_a ∤ g(x), (4)
where each term of Q'' misses at least one variable from I. (5)
Substitute (5) into (3), then combine with (4); we have:
P'(x) = t_I (v_a P'_{S(I')} + g(x)) + Q'', so P'_{S(I)} = v_a P'_{S(I')} + g(x).
In conclusion, P'_{S(I)} = v_a P'_{S(I')} + g(x) meets the criteria for the existence of t_{I'}. #

Corollary 1. Let P(x) denote the master polynomial of a cryptosystem and t_I denote one of its maxterms; let P'(x) be the polynomial after the extension of r (r ≥ 1) rounds. Then a 1-time extended maxterm of t_I possibly exists if P'(x) satisfies the criteria in Theorem 2.

Proof: According to the proof of Theorem 2, the number of extension rounds makes no difference to the existence of t_{I'}. #

Note that, although the existence of a 1-time extended maxterm is not strictly related to the number of extension rounds, it is impossible to find a maxterm by enlarging the cube by one variable when the algebraic degree of the master polynomial grows too large after several rounds of extension.

Example 3: P(x1, ..., x5) = x x x x x x x x x x 5) 3 3 4 4 = x x3(x x4) xx4 x5. P' = P(x2, ..., x5, x6) = x3x4(x x5) xx5x6 = x3x4(x x5) xx5(x xx3 xx3x4 x x4x5) = x3x x x5) x xx3x5 xx3x4x5 x x x x xx3x4(x5) x3x4x5 x xx3x5 x xx4x5 = x x [x (x x) x x] x x x x x x x 3 4 5 5 3 4 5 5 4 5 4 5. P' denotes the master polynomial after extension; note that t_I = x x3 is a maxterm of P, and there exists x4 which satisfies the criteria in Theorem 2, t_{I'} being the 1-time extended maxterm of t_I.

3.2 Attack Procedure

Compared to the original Cube attack, the Linear Extension Cube Attack improves the pre-processing phase. Cube attack consists of two phases, the pre-processing phase and the on-line phase. The improved attack, which makes use of the cubes with linear expressions, consists of the original pre-processing phase, the improved pre-processing phase and the on-line phase. The following figures reveal the difference between the two versions of Cube attack:

Figure 1 Procedures of the Original Cube Attack
Figure 2 Procedures of the Linear Extension Cube Attack

As shown above, the details of the improved attack are as follows:

Phase 1, the original pre-processing phase. In this phase, the attacker can arbitrarily choose values for both the public variables and the key bits in order to find proper cubes.
(1) Choose the initial dimension as d and walk over all of the d-dimensional cubes;
(2) Sum over each cube and use the linearity test to find maxterms;
(3) Calculate the algebraic normal form of each linear expression.

Phase 2, the improved pre-processing phase. The attack can search (d+1)-dimensional cubes on the basis of the results of the original pre-processing phase.
(1) Store all of the d-dimensional cubes obtained via phase 1;
(2) Extend the investigated cryptosystem by extension of the round or by choosing the next output bit;
(3) Extend each maxterm of degree d respectively. Firstly, modify each variable of the d-dimensional cube according to the regulation of the target algorithm. The modification here means increasing by one (or r), decreasing by one (or r), or staying the same for each variable. Secondly, add a new variable from the public variables to the set I to form a new cube;
(4) Sum over the new (d+1)-dimensional cube and use the linearity test to find maxterms;
(5) Calculate the algebraic normal form of each linear expression;
(6) Testify the linear dependence of the linear expressions by Gaussian elimination.

Phase 3, the on-line phase. According to the cubes obtained in phase 1 and phase 2, the attacker can choose values for the public variables to obtain the value of the right-hand side of each expression. At last, the key bits are recovered by solving the system of linear equations.

Special attention should be paid to the following steps:
(1) The extension of the targeted algorithm is necessary after walking over all of the d-dimensional cubes, since there is no 1-time extended maxterm under the same polynomial;
(2) There is no need for Gaussian elimination after walking over all of the d-dimensional cubes, since linearly independent expressions can be derived from linearly dependent ones. Therefore, Gaussian elimination is introduced after the extension in the improved attack.

The pseudo-code of the improved pre-processing phase is as follows:

Algorithm 1: The improved Pre-processing Phase
Input:  V;      // set of public variables, v_i denotes each variable
        T;      // set of maxterms of degree d, t_I denotes each maxterm
        R;      // number of round extensions
        r = 0;  // initialization of the round extension
Output: linear expressions
repeat
    r = r + 1;
    repeat
        Choose a t_I which has not been chosen from T;
        repeat
            Modify each variable in I;
            Choose a v_i which has not been chosen from V, i.e. I' = I ∪ {v_i};
            Sum over t_{I'};
            Introduce the linearity test;
        until V is walked over;
    until T is walked over;
until r = R;

Figure 3 The Pseudo-code of the improved Pre-processing Phase

4. The Application of the Linear Extension Cube Attack

To demonstrate the application of the extended method, this correspondence provides the Linear Extension Cube Attack against the LILI-128 algorithm and two reduced variants of the Trivium algorithm, when the initialization round is 525 and 576, using a personal computer equipped with a -5 CPU, .7 GHz clock frequency and GB RAM.

4.1 Attack 1: LILI-128

4.1.1 Brief introduction of the LILI-128 Algorithm

LILI-128 [10] is one of the candidate algorithms of NESSIE. The clock-controlled algorithm consists of two linear feedback shift registers, a linear function and a non-linear function, where one LFSR is used for clock control and the other to generate the key stream. The following figure displays it in detail:

Figure 4 The Structure of the LILI-128 Algorithm

LFSR_c contains 39 bits for clock control; c(t) (1 ≤ c(t) ≤ 4) is generated by f_c, where f_c(x12, x20) = 2x12 + x20 + 1. LFSR_d contains 89 bits for key stream generation, n = 10, and the 10 input positions of f_d, which has algebraic degree 6, nonlinearity 480 and correlation immunity 3, are (0, 1, 3, 7, 12, 20, 30, 44, 65, 80).

4.1.2 Attack Procedure

Step 1, initialization. Since LFSR_c does not directly control the bit generation, attacking LFSR_d is a common choice. To make the extended Cube attack possible, an initialization process is introduced into LILI-128 to make sure that the initial vector and the key bits are blended thoroughly.

Step 2, choose an annihilator. According to the result of the algebraic attack in [8], g(x) = x44x80 is one of the annihilators of f_d which render deg(f_d g) = 4 instead of 8.

Step 3, choose the initial dimension of the cubes and the output bit. In this paper, the 0th output bit is attacked, and we search cubes with dimension 2 to obtain linear expressions, thanks to the annihilator which reduces the algebraic degree of the master polynomial to 4.

Step 4, 1-time extension of the 2-degree maxterms.
(1) Bound the round extension by 2; (2) choose one 2-dimensional cube at a time until they are all walked over; (3) modify each variable in the cube according to the algorithm; (4) choose one number at a time from 0 to 87 to form a new 3-dimensional cube; (5) sum over the new cube and extract a linear expression by the linearity test; (6) extend the algorithm by one round until it meets the bound.

4.1.3 Attack Result

We found 6 cubes with dimension 2 within seconds when the initialization round is bounded from 76 to 78. What is more, in the improved pre-processing phase, only 19 2-degree maxterms are needed to extend enough 3-dimensional maxterms, with which 88 linearly dependent expressions can be obtained. The cubes used for extension are as follows:

Table 1 2-degree maxterms used for extension
Round  Cube     Output bit    Round  Cube     Output bit
78     {3,45}   0             77     {,44}    0
76     {,50}    0             76     {,65}    0
76     {,50}    0             76     {3,50}   0
76     {4,38}   0             76     {5,56}   0
76     {8,56}   0             76     {,}      0
76     {,5}     0             76     {8,57}   0
76     {38,6}   0             76     {3,47}   0
76     {3,58}   0             76     {,65}    0
76     {3,65}   0             76     {6,65}   0
76     {8,65}   0

The Linear Extension Cube Attack searches 3-dimensional cubes on the basis of the 2-dimensional cubes, which dramatically reduces the search scale on 3-dimensional cubes. Only 987 computations are needed to extract enough expressions, so that the time complexity of the improved attack in the pre-processing phase is O( ) and the total time complexity of our attack is less than O( ). Its data complexity is O( ), since the 88 linear expressions are obtained from 5 cubes with dimension 2 and 83 cubes with dimension 3. Compared to the previous attacks on LILI-128, our attack is the best, as the following table displays:

Table 2 Complexity of various attacks on LILI-128 (columns: Attack, Key stream, Pre-processing, On-line, Total complexity)
Time and Space Attack [11] 46; Algebraic Attack [8] 18; Fast Algebraic Attack [12] 60; Cube Attack [13] 6; 48; DES 57 34; Our Attack 9 3 0 48; DES 57 34 6 4

4.2 Attack 2: Reduced Variants of Trivium

4.2.1 Brief introduction of the Trivium Algorithm

Trivium [] is one of the candidate algorithms of eSTREAM. The length of the IV is 80 bits and the initial key is also 80 bits. During the initialization, the internal state is updated for 1152 rounds. The 288 bits of its internal state are stored in 3 nonlinear feedback shift registers of different lengths. The following figure displays it in detail:
Figure 5 The Structure of the Trivium Algorithm

The feedback to each register consists of a nonlinear combination of bits from different registers. The output bit of each round is a linear combination of six state bits, two taken from each register.

4.2.2 Attack Procedure

Step 1, choose the initial dimension of the cubes. When the initialization round is 525, we randomly search 4-dimensional cubes for maxterms and linear expressions. When the initialization round is 576, according to paper [14], we search cubes with dimension no larger than 7.

Step 2, choose the output bit. When the initialization round is 525, we apply the improved attack to the 525th output bit. In the original pre-processing phase, 8 cubes with dimension 4 can be obtained without Gaussian elimination, and they are extended in the improved pre-processing phase. The cubes are as follows:

Table 3 Original Results on the 525th Output Bit
Cube          Expression    Cube          Expression
{0,3,4,70}    x57           {,,38,74}     x63
{3,3,7,75}    x6            {34,6,67,75}  x54
{5,6,3,57}    x7            {4,50,7,75}   x6
{,40,4,68}    x7            {,6,35,45}    x47

When the initialization round is 576, we apply the improved attack to the 576th output bit. In the original pre-processing phase, 0 cubes with dimension 6 or 7 can be obtained without Gaussian elimination, and they are extended in the improved pre-processing phase. The cubes are as follows:

Table 4 Original Results on the 576th Output Bit
Cube                      Expression    Cube                      Expression
{,3,35,47,68,77}          x55           {5,7,7,54,58,74}          x9
{9,5,,40,67,69}           x56           {4,33,4,46,68,76}         x0
{,6,3,36,38,57}           x6            {,30,34,45,5,66}          x9
{8,0,53,56,76,78}         x x4          {8,0,8,6,30,73}           x6
{,3,37,56,60,67,77}       x9            {7,9,3,5,50,55,7}         x7
{,9,,,,4,69}              x6 x67        {0,,3,4,9,55,6}           x59
{9,34,44,57,65,68,78}     x57           {,8,0,5,35,5,70}          x57
{8,8,6,3,37,63,64}        x0            {4,0,3,58,64,68,7}        x4
{0,3,3,34,53,58,74}       x9            {,3,7,30,35,45,65}        x6 x67
{7,8,6,9,57,6,77}         x64

Step 3, 1-time extension of the maxterms. (1) Bound the round extension by 5 and extend the algorithm by 1 round; (2) choose one cube at a time from the table above (Table 3 or Table 4) until they are all walked over; (3) modify each variable in the cube according to the algorithm; (4) choose one number at a time from 0 to 79 to form a new cube of one dimension more; (5) sum over the new cube and conduct the linearity test; (6) extend the algorithm by one round until it meets the bound.

4.2.3 Attack Result

When the initialization round is 525, 28 5-dimensional cubes can be obtained after Gaussian elimination by extending the 8 4-dimensional cubes in Table 3, and 3 key bits can be directly recovered altogether. The extended cubes are as follows:

Table 5 The Extended Cubes on the 525th Output Bit
Cube              Expression   Bit    Cube              Expression   Bit
{,5,6,7,7}        x54          526    {3,6,7,73,4}      x6           527
{5,8,9,75,7}      x7           529    {5,8,9,75,36}     x38 x6       529
{3,3,40,76,39}    x65          527    {4,4,4,77,43}     47           528
{4,4,4,77,44}     x46          528    {4,4,4,77,67}     56           528
{4,4,4,77,68}     x55          528    {5,5,4,78,56}     x            529
{4,4,73,76,3}     x60          526    {4,4,73,76,4}     x6           526
{5,5,74,77,}      x64          527    {5,5,74,77,}      x64x63       527
{36,64,69,77,0}   x58          527    {36,64,69,77,}    x66          527
{38,66,7,79,0}    x53x68       529    {38,66,7,79,3}    x3           529
{35,63,68,76,44}  x48          526    {9,30,35,6,7}     x37          527
{30,3,36,6,38}    x55x66       528    {30,3,36,6,39}    x5           528
{8,54,76,79,78}   x0           529    {3,4,43,69,4}     x0           526
{4,4,44,70,56}    x            527    {5,43,45,7,3}     x65          528
{6,0,39,49,5}     x53          529    {7,,40,50,8}      x5           530

When the initialization round is 576, 6 key bits can be directly recovered and a linear equation about another key bits can be obtained by extending the cubes in Table 3, while the original attack on this output bit can only recover 3 bits and obtain a linear equation about another key bits. The extended cubes are as follows:

Table 6 The Extended Cubes on the 576th Output Bit
Cube                       Expression   Bit
{3,33,36,48,69,78,6}       x56          577
{4,34,37,49,70,79,9}       x57
{6,8,8,55,59,75,6}         x56          577
{4,0,6,45,7,74,43}         x6           58
{6,35,44,48,70,78,7}       x39 x57
{6,35,44,48,70,78,37}      x
{6,35,44,48,70,78,57}      x39
{,3,,9,33,76,65}           x54          579
{,4,4,30,34,77,6}          x64          580
{7,7,8,44,5,64,59}         x48
{0,0,3,47,54,67,}          x            58
{0,0,3,47,54,67,6}         x65          58
{9,,5,7,5,57,73,0}         x39
{9,,5,7,5,57,73,8}         x39x4
{0,,6,8,53,58,74,0}        x55          579
{,3,7,9,54,59,75,7}        x5           580
{4,5,39,58,6,69,79,40}     x68
{4,5,39,58,6,69,79,74}     x58
{,,4,5,30,56,63,9}         x60          577
{5,,4,9,39,55,74,54}       x            580
{8,4,7,6,68,7,75,4}        x6           580
{4,6,30,33,38,48,68,39}    x7           579

Combined with Bedi's result in [14], we can improve the final result by applying the Linear Extension Cube Attack to only one output bit: 48 key bits can be directly recovered by cubes with dimension no larger than 8, while the original Cube attack can only recover 36 key bits under the same condition. With the help of 10-dimensional cubes, the original Cube attack can only recover 45 key bits. The following table displays the results in detail:

Table 7 Comparison of Results
            Bedi's    Ours      Bedi's    Ours
Dimension   10        8         8         10
Key Bits    45 bits   48 bits   36 bits   55 bits

Note that this paper applies the new method of Cube attack to the 576th output bit with a bound on the cube dimension; more output bits and larger-dimensional cubes can be used in future work, and more than 55 key bits should then be recovered.

4.3 Analysis

The Linear Extension Cube Attack improves the complexity in two ways. One is that more key bits can be recovered, so that the complexity of the brute force attack is improved. The other is that the search scale at higher rounds is narrowed. Instead of walking over all of the (d+1)-dimensional cubes, the attacker only needs to search on a relatively smaller scale. Assuming there are m public variables altogether and t maxterms of degree d can be obtained by the original attack, then the search scale in dimension d+1 is O(t(m − d)) instead of O(C(m, d+1)).

5. Conclusion

Motivated by the observation in [6], this paper proposes an improved attack on stream ciphers based on the original Cube attack, i.e. the Linear Extension Cube Attack, which improves the pre-processing phase of the original attack; the trade-off between time and space enables the attacker to induce maxterms of higher order from those of lower order, thus recovering more key bits and improving the search complexity in higher dimensions.
This paper provides the Linear Extension Cube Attack against the LILI-128 algorithm and two reduced variants of the Trivium algorithm. For the LILI-128 algorithm, only O( 9 ) key streams are needed to recover 88 key bits and the attack has time complexity less than O( 4 ). It is the best attack on LILI-128 to the best of our knowledge. For the Trivium algorithm, 48 key bits can be recovered by cubes with dimension no larger than 8 when the initialization round is 576; the results are much better than those of the original attacks.

We also found two interesting phenomena during our experiments. First, when the improved Cube attack is applied to the Trivium algorithm with 672 initialization rounds, 9 key bits can be directly recovered by the improved attack on the 672th output bit, which is more than Dinur and Shamir's attack on the same output bit in [1]. However, the performance is not impressive compared to the variants with fewer rounds. Here we propose an open problem about enhancing the performance of the Linear Extension Cube Attack against ciphers with complex initialization. Second, the algebraic degree of a certain monomial may increase by a (a > 1) after a 1-round extension. Hence, the extension from d to d+1 can also be improved to d+a, which extends the attack by adding a new indexes into a cube and searching for linear expressions. Therefore, the improvement of the Linear Extension Cube Attack is also considerable for future research. At last, according to our experiments and results, we should say that our new method of Cube attack is efficient and of certain importance, especially for the application of lightweight cryptography.
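The two pre-processing phases of Section 3.2 as an added, runnable example (this is not code from the paper): a constructed toy master polynomial P and its one-round extension P' (so the variable-index modification of Phase 2 step (3) is the identity here), the cube sum of Theorem 1, the BLR linearity test, extraction of the superpoly's ANF, and the extension of every 2-dimensional maxterm of P into 3-dimensional candidate cubes tested on P'.

```python
import itertools
import random

# Constructed toy polynomials for this example (not taken from the paper).
# v = public variables v0..v3, x = key bits x0..x3, all arithmetic in GF(2).
def toy_poly(v, x):
    """Master polynomial P before extension; t_I = v0*v1 is a maxterm with
    superpoly P_S(I) = x0 + x2 (linear and not constant)."""
    return (v[0] & v[1] & (x[0] ^ x[2])
            ^ v[0] & v[2] & v[3] & x[1] & x[3]
            ^ v[1] & v[3] & x[0] & x[1]
            ^ v[3] & x[2]) & 1

def toy_poly_ext(v, x):
    """P' = P after one round of 'extension': the shift register pushes the
    fresh public variable v2 into every old term and new terms appear.
    v0*v1*v2 is the 1-time extended maxterm of v0*v1 (superpoly still x0 + x2)."""
    return (v[2] & toy_poly(v, x)
            ^ v[1] & v[2] & v[3] & x[1] & x[3]
            ^ v[0] & v[3] & x[2] & x[3]) & 1

def cube_sum(f, cube, n_pub, x):
    """Sum f over the cube C_I: the variables in `cube` take all 2^|I|
    assignments, the other public variables are fixed to 0 (Theorem 1)."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        v = [0] * n_pub
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= f(v, x)
    return acc

def is_linear_superpoly(f, cube, n_pub, n_key, trials=64, seed=1):
    """BLR linearity test on the superpoly S(x) = cube_sum(f, cube, x):
    S(x) + S(y) + S(0) == S(x + y) must hold for random key pairs."""
    rng = random.Random(seed)
    zero = [0] * n_key
    s0 = cube_sum(f, cube, n_pub, zero)
    for _ in range(trials):
        x = [rng.randint(0, 1) for _ in range(n_key)]
        y = [rng.randint(0, 1) for _ in range(n_key)]
        xy = [a ^ b for a, b in zip(x, y)]
        lhs = cube_sum(f, cube, n_pub, x) ^ cube_sum(f, cube, n_pub, y) ^ s0
        if lhs != cube_sum(f, cube, n_pub, xy):
            return False
    return True

def superpoly_anf(f, cube, n_pub, n_key):
    """ANF of a linear superpoly: (constant, [coefficient of x_i])."""
    zero = [0] * n_key
    c = cube_sum(f, cube, n_pub, zero)
    coeffs = []
    for i in range(n_key):
        e = list(zero)
        e[i] = 1
        coeffs.append(cube_sum(f, cube, n_pub, e) ^ c)
    return c, coeffs

def is_maxterm(f, cube, n_pub, n_key):
    """A maxterm has a superpoly that is linear and not constant."""
    if not is_linear_superpoly(f, cube, n_pub, n_key):
        return False
    return any(superpoly_anf(f, cube, n_pub, n_key)[1])

def find_maxterms(f, d, n_pub, n_key):
    """Phase 1 (original pre-processing): walk over all C(m, d) d-dimensional cubes."""
    return [c for c in itertools.combinations(range(n_pub), d)
            if is_maxterm(f, c, n_pub, n_key)]

def extend_maxterms(f_ext, maxterms, n_pub, n_key, modify=lambda i: i):
    """Phase 2 (improved pre-processing): for each stored d-dimensional maxterm
    I of P, apply the index modification (identity for this toy), add one public
    variable a not in I and test the (d+1)-cube on the extended polynomial P'.
    Only t*(m-d) cubes are tested instead of C(m, d+1).
    Returns {cube: (constant, coefficients)} for every 1-time extended maxterm."""
    found = {}
    for I in maxterms:
        base = tuple(modify(i) for i in I)
        for a in range(n_pub):
            if a in base:
                continue
            J = tuple(sorted(base + (a,)))
            if J not in found and is_maxterm(f_ext, J, n_pub, n_key):
                found[J] = superpoly_anf(f_ext, J, n_pub, n_key)
    return found
```

For this toy, Phase 1 finds the single 2-dimensional maxterm (0, 1) with superpoly x0 + x2, and Phase 2 tests only the two candidates (0, 1, 2) and (0, 1, 3) on P' instead of all four 3-dimensional cubes, recovering (0, 1, 2) as the 1-time extended maxterm.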
References

[1]. I. Dinur, A. Shamir. Cube Attacks on Tweakable Black Box Polynomials[A]. Advances in Cryptology-EUROCRYPT 2009[C]. Springer Berlin Heidelberg, 2009: 278-299.
[2]. Pierre Alain Fouque, Thomas Vannet. Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks[EB/OL]. In Fast Software Encryption 2013. http://fse2013.spms.ntu.edu.sg:80.
[3]. Xinjie Zhao, Tao Wang, Shize Guo. Improved Side Channel Cube Attacks on PRESENT[EB/OL]. Cryptology ePrint Archive, 2011. http://eprint.iacr.org/2011/165.
[4]. Aumasson J P, Meier W, Dinur I. Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium[A]. Fast Software Encryption[C]. Springer Berlin Heidelberg, 2009: 1-22.
[5]. Dinur I, Shamir A. Breaking Grain-128 with Dynamic Cube Attacks[A]. Fast Software Encryption[C]. Springer Berlin Heidelberg, 2011: 167-187.
[6]. Mroczkowski P, Szmidt J. The Cube Attack on Stream Cipher Trivium and Quadraticity Tests[J]. Fundamenta Informaticae, 2012, 114(3): 309-318.
[7]. Yu Sun, Yongjuan Wang. Cube Attack and its Improvement[J]. Computer Science, 2012, 39(00): 77-80.
[8]. Nicolas T. Courtois, Willi Meier. Algebraic Attacks on Stream Ciphers with Linear Feedback[A]. Advances in Cryptology-EUROCRYPT 2003[C]. Springer Berlin Heidelberg, 2003: 345-359.
[9]. Guo Li, Wei Wang, Yongjuan Wang. Cube Attack on LILI-128 Algorithm[J]. Advanced Cipher Study, 0, .
[10]. E. Dawson, A. Clark, J. Golic et al. The LILI-128 Keystream Generator[C]. Proceedings of the First NESSIE Workshop, 2000.
[11]. Markku-Juhani Olavi Saarinen. A Time-Memory Trade-off Attack Against LILI-128[A]. FSE 2002[C], LNCS 2365, Springer, 2002: 231-236.
[12]. Nicolas T. Courtois. Fast Algebraic Attacks on Stream Ciphers with Linear Feedback[A]. Advances in Cryptology-CRYPTO 2003[C]. Springer Berlin Heidelberg, 2003: 176-194.
[13]. Guo Li, Wei Wang, Yongjuan Wang. Cube Attack on LILI-128 Algorithm[J]. Research of Enhanced Ciphers, 00().
[14]. Bedi, S.S., Pillai, N.R. Cube Attacks on Trivium[EB/OL]. Cryptology ePrint Archive, 2009. http://eprint.iacr.org/2009/015.