2009
DOI: 10.1007/978-3-642-01001-9_16
Cube Attacks on Tweakable Black Box Polynomials

Abstract: Almost any cryptographic scheme can be described by tweakable polynomials over GF(2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweaka…

Citations: cited by 319 publications (365 citation statements)
References: 22 publications

Citation statements
“…3 can be more efficiently solved by more advanced techniques like the F4- or F5-algorithm or cube attacks [8,9,5,6]. If one could generate convincing evidence that such algorithms cannot beat our linearization attack, then (n, k, L)++-protocols with the above parameters could be seriously considered for practical use.…”
Section: Results (mentioning)
confidence: 99%
“…In this scenario we can generate multiple output bits of a stream cipher using the same key but different initialization vectors (IVs). In a nutshell, cube attacks simplify the encryption function by generating the sum over this function for all 0/1-combinations of some IV variables as described in [18,30]. They recover the full key of a 799 round-reduced variant of Trivium in 2^62 computations guessing 62 variables.…”
Section: Related Work (mentioning)
confidence: 99%
“…However, Trivium without key initialisation, as well as its reduced versions Bivium-A and Bivium-B with a 177-bit internal state, admit attacks faster than exhaustive key search. Cryptanalytic results on Trivium and Bivium have been presented in [12,22,23,24,41,42,47,51].…”
Section: Trivium (mentioning)
confidence: 99%