Cube testers and key recovery attacks on reduced-round MD6 and trivium

Jean Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

129 Scopus citations


CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 222 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 217 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 224 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2 30 complexity and detect nonrandomness over 885 rounds in 2 27, improving on the original 767-round cube attack.

Original languageEnglish
Title of host publicationFast Software Encryption - 16th International Workshop, FSE 2009, Revised Selected Papers
Number of pages22
StatePublished - 2 Nov 2009
Externally publishedYes
Event16th International Workshop on Fast Software Encryption, FSE 2009 - Leuven, Belgium
Duration: 22 Feb 200925 Feb 2009

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume5665 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference16th International Workshop on Fast Software Encryption, FSE 2009

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Cube testers and key recovery attacks on reduced-round MD6 and trivium'. Together they form a unique fingerprint.

Cite this