Improved Graph-Based Model for Recovering Superpoly on Trivium

Abstract

Recovering superpoly for a given cube is the key step in cube attacks - an algebraic cryptanalysis method for symmetric ciphers. Since 2015, division property, monomial prediction, and enhanced techniques have been proposed to recover the exact superpoly by converting the problem into Mixed Integer Linear Programming (MILP) model, whose feasible solutions should be enumerated exactly. To penetrate more rounds, cryptanalysts try their best to reduce the scale of deduced MILP model to alleviate the bottleneck of computational cost for solving the model. In this paper, we investigate the graph-based modeling approach proposed in SAC 2021 to further reduce the number of feasible solutions for the model to handle and reduce the model’s scale in cube attacks on Trivium. Specifically, we develop an algorithm to search for pruning patterns and reveal a budget way to add the constraints concerning pruning patterns, thus eliminating a large number of solutions by adding fewer additional constraints. Under our measurement method, the pruning efficiency of added constraints is improved by 7 to 10 times more effective than in previous work. We also embed this modified graph-based model to the nested superpoly recovery framework proposed in ASIACRYPT 2021 and improve graph-based cube attack on Trivium by one round. The improved graph-based model performs better than monomial prediction with nested framework on 842- and 843-round cube attack of Trivium.

Appendices

A Discussion About Delaune et al. ’s Work

1.1 A.1 Pruning Patterns

Fig. 9.

3 consecutive bits pattern.

Delaune et al. [4] presented four pruning patterns but they only apply the three consecutive bits pattern shown in Fig. 9 in the MILP model. The nodes and edges in Fig. 9 can be described as :

• \(V = \{x_1, x_2, x_3, y_1, y_2, y_3, y_4\}\),

• \(E = \{\langle x_1, y_1 \rangle , \langle x_1, y_2 \rangle , \langle x_2, y_2 \rangle , \langle x_2, y_3 \rangle , \langle x_2, y_4 \rangle , \langle x_3, y_3 \rangle , \langle x_3, y_4 \rangle \}\).

In Fig. 9, three adjacent nodes in register C point to four adjacent nodes in B through the long edge and red edges. If the left subgraph of Fig. 9 appears as a part of a trail \(\mathcal {T}\), the right subgraph must appear in the same part in another trail \(\mathcal {T}'\) that indicates the same monomial with \(\mathcal {T}\). So we can utilize extra constraints to discard both \(\mathcal {T}\) and \(\mathcal {T}'\).

Since the equality of doubling edges, we can simplify the E as:

• \(E = \{\langle x_1, y_2 \rangle , \langle x_2, y_2 \rangle , \langle x_2, y_4 \rangle , \langle x_3, y_4 \rangle \}\).

Let \(X_{(x, y)} \in \{0, 1\}\) be the indicator variable for whether an edge from x to y appears in a trail. Then, by imposing

$$\begin{aligned} X_{(x_1,y_2)} + X_{(x_2,y_2)} + X_{(x_2,y_4)} + X_{(x_3,y_4)} \le 2 \end{aligned}$$

(11)

the two patterns Fig. 9 are eliminated simultaneously.

However, if the constraint in Eq. (11) is imposed on consecutive bits odd number of trails will be eliminated which is disastrous for recovering the exact ANF of superpoly. Figure 10 shows a situation that when the constraint is imposed on two consecutive groups of nodes (indicated by red shade and green shade respectively), three trails are eliminated. The reason is that when all 9 nodes are active in a feasible trail and \(x_4\) takes the quadratic term edges, subgraphs eliminated by the first inequation and the second inequation have an intersection - subfigure denoted by . A more complex example that involves 11 nodes is given in Fig 11. The solution of Delaune et al. is to enable the intersection pattern to be feasible. Accordingly, the constraint should be modified to

$$\begin{aligned} 2X_{(x_1, y_2)} + 2X_{(x_2, y_2)} + X_{(x_2, y_4)} + 2X_{(x_3, y_4)} - X_{(x_4, y_4)} \le 4. \end{aligned}$$

(12)

The modified constraint will retain subgraphs denoted by .

Fig. 10.

3-bits window sliding lead to 3 (odd) trails are pruned.

Fig. 11.

3-bits window sliding lead to 5 trails are pruned.

1.2 A.2 Discussion on Patterns with 3 Layers

Delaune mentioned that they faced many problems while coding the four pruning patterns and decided to take pattern 2 (the three consecutive bits pattern) only. They also mentioned that we have to take care \(A_{309}\), \(A_{308}\), and \(A_{307}\) in Fig. 12 are not used in any other part of the trail. Once the intermediate nodes are used, we may cut odd number of trails. We show an example in Fig. 13 to explain the problem in more detail. The right part of Fig. 12 will never work if the edge \(\langle A_{307}, C_{197} \rangle \) must be activated. That means this pattern can only prune odd trails but not even.

Fig. 12.

Pattern with 3 layers.

Fig. 13.

\(A_{307}\) is used in other part of a trail.

B 2-Layer Patterns Discovered

Figure 14 shows all 2-layer patterns discovered by Algorithm 2. We label these patterns with A through K, except for 3CBP, which is the same as Pattern 2 in [4].

Fig. 14.

2-layer Patterns (to cont.).

C Data About All Patterns on 839- to 841-Round Cube Attack

(See Table 3).

Table 3. Solutions (#Sol), pruning constraints (#PC), and PTCR of all pruning patterns on 839-, 840-, and 841-round Trivium cube attacks.