"Cube" cryptanalysis?

Greg Rose ggr at qualcomm.com
Wed Aug 20 17:40:29 EDT 2008

James Muir wrote:
> Greg Rose wrote:
>> Basically, any calculation with inputs and outputs can be represented as
>>  an (insanely complicated and probably intractable) set of binary
>> multivariate polynomials. So long as the degree of the polynomials is
>> not too large, the method allows most of the nonlinear terms to be
>> cancelled out, even though the attacker can't possibly handle them. Then
>> you solve a tractable system of linear equations to recover key (or
>> state) bits.
> I would like to know how Dinur and Shamir's work differs from Courtois'
> previous work on Algebraic cryptanalysis of block ciphers.  It is a
> refinement of Courtois' technique?  Greg, do you, or someone else have
> some insight on this?

I spent about an hour trying to come up with a short but legible 
explanation of the technique, and failed. Sorry about that. I can 
visualize it, and could probably reproduce Adi's drawings on a 
whiteboard, but not with typing. The following is as close as I could come.

Basically the method focuses on terms of the polynomial in which only 
one secret bit of the key appears, and many of the non-secret bits. 
Using chosen (or lucky) plaintexts, vary all but one of the non-secret 
bits, and sum the output bits (mod 2, that is, XOR). Fix the other 
non-secret bit to 1. Now all the terms that involve less than the full 
complement of non-secret bits will appear an even number of times in the 
sum, and because it is mod 2, they will all cancel out! The only terms 
that will be left are the ones with one secret bit, and all ones for the 
non-secret bits... but that is linear in the secret bit! So what you are 
left with is a simple, linear, polynomial relating unknown (key) bits. 
Gather enough such equations, just a few more than the number of key 
bits will do, and solve the linear system in trivial time. Note that you 
had to have 2^(d-2) chosen plaintexts to sum over for each of the 
equations... that's where the complexity comes from. The attack is 
called Cube because in the case where d=4, each time you sum over all of 
the varying known bits, it can be visualized as the face of a cube, the 
corners of which are the possibilities for the 3 known inputs.

Hope that helps. Note that the formula I typed from memory for the 
complexity was wrong... it's O(n * 2^(d-2)), if the above is correct.

For anything more than this, you'll have to wait for the paper.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list