TY - GEN
T1 - Cube testers and key recovery attacks on reduced-round MD6 and trivium
AU - Aumasson, Jean Philippe
AU - Dinur, Itai
AU - Meier, Willi
AU - Shamir, Adi
PY - 2009/11/2
Y1 - 2009/11/2
N2 - CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 222 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 217 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 224 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2 30 complexity and detect nonrandomness over 885 rounds in 2 27, improving on the original 767-round cube attack.
AB - CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 222 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 217 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 224 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2 30 complexity and detect nonrandomness over 885 rounds in 2 27, improving on the original 767-round cube attack.
UR - http://www.scopus.com/inward/record.url?scp=70350385117&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-03317-9_1
DO - 10.1007/978-3-642-03317-9_1
M3 - Conference contribution
AN - SCOPUS:70350385117
SN - 3642033164
SN - 9783642033162
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 1
EP - 22
BT - Fast Software Encryption - 16th International Workshop, FSE 2009, Revised Selected Papers
T2 - 16th International Workshop on Fast Software Encryption, FSE 2009
Y2 - 22 February 2009 through 25 February 2009
ER -