Cube Attacks on Non-Blackbox Polynomials

Based on Division Property (Full Version)

Yosuke Todo1 , Takanori Isobe2 , Yonglin Hao3 , and Willi Meier4

1
NTT Secure Platform Laboratories, Tokyo 180-8585, Japan
[email protected]
2
University of Hyogo, Hyogo 650-0047, Japan
3
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China
4
FHNW, Windisch, Switzerland

Abstract. The cube attack is a powerful cryptanalytic technique and is especially powerful
against stream ciphers. Since we need to analyze the complicated structure of a stream cipher in
the cube attack, the cube attack basically analyzes it by regarding it as a blackbox. Therefore,
the cube attack is an experimental attack, and we cannot evaluate the security when the size
of cube exceeds an experimental range, e.g., 40. In this paper, we propose cube attacks on
non-blackbox polynomials. Our attacks are developed by using the division property, which
is recently applied to various block ciphers. The clear advantage is that we can exploit large
cube sizes because it never regards the cipher as a blackbox. We apply the new cube attack
to Trivium, Grain128a, ACORN and Kreyvium. As a result, the secret keys of 832-round
Trivium, 183-round Grain128a, 704-round ACORN and 872-round Kreyvium are recovered.
These attacks are the current best key-recovery attack against these ciphers.

Keywords: Cube attack, Stream cipher, Division property, Higher-order differential crypt-
analysis, MILP, Trivium, Grain128a, ACORN, Kreyvium

1 Introduction

Cube attack is one of general cryptanalytic techniques against symmetric-key cryptosystems pro-
posed by Dinur and Shamir [DS09]. Especially, the cube attack has been successfully applied to
various stream ciphers [ADMS09,DS11,FV13,DMP+ 15,SBD+ 16]. Let x and v be secret and public
variables of stream ciphers, respectively, and let f (x, v) be the first bit of key stream. Some bits in
v are active, where they take all possible combinations of values. The set of these values is denoted
as a cube, and the sum of f (x, v) over all values of the cube is evaluated. Then, this sum is also
represented as a polynomial whose inputs are x and v, and the polynomial is denoted as a superpoly
of the cube. The superpoly is more simplified than the original f (x, v), and secret variables x are
recovered by analyzing this simplified polynomial. Unfortunately, it is really difficult to analyze the
structure of the superpoly. Therefore, the target stream cipher f (x, v) is normally regarded as a
blackbox polynomial in the cube attack, and this blackbox polynomial is experimentally evaluated.
In the original paper of the cube attack [DS09], the authors introduced a linearity test to reveal the
structure of the superpoly. If the linearity test always passes, the Algebraic Normal Form (ANF) of
the superpoly is recovered by assuming that the superpoly is linear. Moreover, a quadraticity test
was introduced in [MS12], and the ANF of the superpoly is similarly recovered. The quadraticity test
was also used in the current best key-recovery attack against Trivium [FV13]. Note that they are
experimental cryptanalysis, and it is possible that cube attacks do not actually work. For example, if
the superpoly is a highly unbalanced function for specific variables, we cannot ignore the probability
that the linearity and quadraticity tests fail.
The difference between the cube attack and higher-order differential attack has been often dis-
cussed. The higher-order differential attack was proposed by Lai [Lai94]. Assuming the algebraic
2 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

degree of f is at most d, Lai showed that the algebraic degree of the ith order difference is at most
d − i. Then, Knudsen showed the effectiveness of the higher-order differential attack on toy block
ciphers [Knu94]. Nowadays, many advanced techniques similar to the higher-order differential attack
have been developed to analyze block ciphers, e.g., integral attack [DKR97,Luc01,KW02].
The cube attack can in some way be seen as a type of higher-order differential attacks because it
also evaluates the behavior of higher-order difference. However, the most major difference between
the cube attack and common higher-order differential attack is whether or not secret variables are
directly recovered from the characteristic, and understanding this difference is very important to
consider key-recovery attacks against stream ciphers. When a block cipher is analyzed, attackers
first evaluate the algebraic degree of the reduced-round block cipher and construct a higher-order
differential characteristic, where the (d + 1)st order difference is always 0 if the degree is at most d.
Then, the key recovery is independently appended after the higher-order differential characteristic.
Namely, attackers guess round keys used in last several rounds and compute the (d + 1)th order
difference of ciphertexts of the reduced-round block cipher. If the correct round key is guessed, the
(d + 1)th order difference is always 0. In other words, if the (d + 1)st order difference is not 0, guessed
round keys are incorrect.
Note that we cannot use this strategy for the key-recovery attack against many stream ciphers
because the secret key is generally used during the initialization phase and is not involved when
generating a keystream, i.e. even if there is a distinguisher in the keystream, it cannot be directly
utilized for key recovery attacks by appending key recovery rounds in the key generation phase,
unlike key recovery attacks of block ciphers. To execute the key-recovery attack of stream ciphers,
we have to recover the secret key by using only key streams that attackers can observe. Therefore,
more advanced and complicated analyses are required than the simple degree estimation of the
common higher-order differential attack or square, saturation, and integral characteristics. In the
context of the cube attack, we have to analyze the ANF of the superpoly. It is unlikely to well
analyze because symmetric-key cryptosystems are complicated. Therefore, stream ciphers have been
experimentally analyzed in the cube attack.
Another important related work to understand this paper is the division property, which is a new
method to construct higher-order differential (integral) characteristics [Tod15b]. The division prop-
erty is the generalization of the integral property [KW02] that can also exploit the algebraic degree
at the same time, and it allows us to evaluate more accurate higher-order differential characteristics.
Moreover, the bit-based division property was introduced in [TM16], and three propagation rules for
basic operations, and, xor, and copy are shown. While arbitrary block ciphers are evaluated by using
the bit-based division property, it requires much time and memory complexity [TM16]. Therefore,
the application is first limited to block ciphers with small block length, like Simon32 or Simeck32.
In [XZBL16], Xiang et al. showed how to model the propagation of the bit-based division property
by using the mixed integer linear programming (MILP). Moreover, they showed that MILP solvers
can efficiently evaluate the propagation. To demonstrate the effectiveness, accurate propagations of
the bit-based division property for six lightweight block ciphers including Simon128 were shown.

Our Contribution. The most important step in a cube attack is the superpoly recovery. If the
superpoly is more efficiently recovered than the brute-force search, it brings some vulnerability of
symmetric-key ciphers. Superpolys are experimentally recovered in the conventional cube attack.
The advantage of such approach is that we do not need to analyze the structure of f in detail. On
the other hand, there are significant drawbacks in the experimental analysis.

– The size of a cube is limited to the experimental range because we have to compute the sum
of f over a cube. It may be possible that we try a cube whose size is at most 40 in current
computers, but it requires incredible effort in the aspect to both money and time. Therefore, it
is practically infeasible to execute the cube attack when the cube size exceeds 40.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 3

Table 1. Summary of results. The time complexity in this table shows the time complexity to recover the
superpoly of a cube.

Applications # rounds cube size complexity key recovery reference

799 32 † practical X [FV13]

Trivium
832 72 277 X Sect. 5.1

177 33 practical [LM12]

Grain128a 108
183 92 2 speculative Sect. 5.2

503 5‡ practical ‡ X [SBD+ 16]

ACORN
704 64 2122 X Sect. 5.3

Kreyvium 872 85 2124 X Sect. 5.4

† 18 cubes whose size is from 32 to 37 are used, where the most efficient cube is shown to recover one bit of
the secret key.
‡ The attack against 477 rounds is mainly described for the practical attack in [SBD+ 16]. However, when
the goal is the superpoly recovery and to recover one bit of the secret key, 503 rounds are attacked.

– The prediction of the true security of target stream ciphers is an important motivation of crypt-
analyses. Since the evaluation is limited to the experimental range, it is difficult to predict the
impact of the cube attack under future high-performance computers.
– Since the stream cipher is regarded as a blackbox, the feedback to designers is limited.

To overcome these drawbacks, we propose the cube attack on non-blackbox polynomials.

Our analysis is based on the propagation of the (bit-based) division property, and as far as we
know, it is the first application of the division property to stream ciphers. Since the division property
is a tool to find higher-order differential characteristics, the trivial application is only useful to find
zero-sum integral distinguishers, where the sum of the first bit of the key stream over the cube is
always 0 for any secret key. As mentioned earlier, it is nontrivial to recover the secret key of stream
ciphers by using zero-sum integral distinguisher. Therefore, we propose a novel application of the
division property to recover the secret key. Our technique uses the division property to analyze the
ANF of f (x, v) by evaluating propagations from multiple input division property according to a
cube. Finally, we can evaluate secret variables that are not involved to the superpoly of the cube.
This allows us to compute the upper bound of the time complexity for the superpoly recovery. Note
that the superpoly recovery directly brings some vulnerability of symmetric-key ciphers, and we
discuss this issue in Sect. 4.
Let I be a set of cube indices. After the evaluation of the division property, we get a set of indices
J, where xj (j ∈ J) is involved to the superpoly. Then, the variation of the sum over the cube is at
most 2|J| for each constant part of public variables, where |J| denotes the size of J. All sums are
evaluated by guessing |J|-bit secret variables, and the time complexity to recover the ANF of the
superpoly is 2|I|+|J| encryptions. Finally, we query the encryption oracle and get the sum over the
cube. Then, we can get one polynomial about secret variables, and the secret variable is recovered
from the polynomial.
Table 1 shows the summary of applications. We applied our new cube attack to Trivium [CP06],
Grain128a [ÅHJM11], and ACORN [Wu16]. Trivium is part of the eSTREAM portfolio [est08], and
it is one of the most analyzed stream ciphers. The initialization is 1152 rounds. The secret key of
Trivium with 767 initialization rounds was recovered in the proposal paper of the cube attack [DS09].
Then, an improved cube attack was proposed in [FV13], and the secret key of Trivium with 799
initialization rounds is recovered. This is the current best key-recovery attack against Trivium.
4 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Our new cube attack recovers the secret key of Trivium with 832 initialization rounds. Grain128a
is a member of Grain family of stream ciphers and is standardized by ISO/IEC 29167-13 [ISO15].
The initialization is 256 rounds. The conditional differential cryptanalysis was applied to Grain128a,
and a distinguishing attack against Grain128a with 177 initialization rounds was shown under the
single-key setting [LM12]. On the other hand, the key-recovery attack is not known. Our new cube
attack recovers the secret key of Grain128a with 183 initialization rounds. Unfortunately, when
we applied our technique to practical cube attack, i.e., the cube size is small, we could not find
balanced superpoly. In such case, the size of recovered bit of information is smaller than 1 bit. Since
we cannot say that balanced superpoly is efficiently found in the large cube size, the feasibility of
the key recovery is speculative. However, 183 rounds are at least vulnerable because the superpoly
recovery is more efficient than the brute-force search. ACORN is an authenticated encryption and
one of the 3rd round candidates in CAESAR competition [cae14]. The structure is based on non-
linear feedback shift register (NLFSR) like Trivium and Grain. Before the output of key streams,
the secret key and initialization vector (iv) are sequentially XORed with the NLFSR, and then
associated data is sequentially XORed. In the nonce-respecting setting, we cannot select cube bits
from the associated data. Therefore, the initialization is regarded as 2048 rounds when there is no
associated data. The cube attack was applied in [SBD+ 16], and the secret key of ACORN with
503 initialization is recovered. Our new cube attack recovers the secret key of ACORN with 704
initialization rounds.

Update from Conference Version. The initial version of this work was presented at CRYPTO
2017 [TIHM17]. In this full version, we newly added the following contents.
– We newly applied our technique to Kreyvium [CCF+ 16]. As a result, we show a key recovery
attack against 872-round Kreyvium, which is currently the best key recovery attack. Please see
Sect. 5.4 in detail.
– We show a new method exploiting cube whose non-zero cube bits are filled up with 0. Let us
consider the and of two bits, i.e., x ∧ y = z, and assume that the division property of (x, y)
12 1
is represented as Da,b . Then there is a propagation such that the output bit z has Dd(a+b)/2e
1
normally. However, if either x or y is 0, the output z must be 0 and cannot have Dd(a+b)/2e . We
first evaluate 0-fixed state without using the division property, and then 0-fixed state is fed back
to the propagation of the division property. Namely, if either value a or b is 0, the propagation
is restricted. This technique is shown in Sect. 6 in detail.
– We compare our technique and Liu’s method [Liu17]. In the cube used in [Liu17], all non-cube
bits are filled up with 0. Therefore, for the fair comparison, we also use such cube. As a result,
we verified zero-sum distinguishers on 837-round Trivium and 872-round Kreyvium, which were
shown in [Liu17], by using our method.
Moreover, inspired by Liu’s cube, we also evaluated zero-sum distinguisher whose number of
cube bits is small and non-cube bits are fixed to 0. In the application to Trivium, we found that
there is a 838-round zero-sum distinguisher when there are 38 cube bits. Moreover, we found a
873-round zero-sum distinguisher of Kreyvium when the cube has 62 bits.
These results are shown in Sect. 6.1 and 6.2 in detail.
– By controlling values of non-cube bits, we can evaluate the property of the cube more accurately.
To show the effect, we apply this technique to Grain128a and reduce the time complexity for
182-round attack. This result is shown in Sect. 6.3 in detail.
– Liu evaluated the number of rounds on zero-sum distinguishers when all iv bits are chosen as
cube bits. Therefore, we also evaluated such cube by our method. While Liu showed that 793-
round Trivium has such zero-sum distinguishers, our method can show 839-round Trivium
has such zero-sum distinguisher. Moreover, the number of rounds on zero-sum distinguisher for
Kreyvium is improved from 862 to 897. This result implies that our method is more accurate
than Liu’s method. This result is shown in Sect. 7.4 in detail.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 5

– We show a few techniques to accelerate the solving time of MILP. This result is shown in Sect. 7.5
in detail.

2 Preliminaries
2.1 Mixed Integer Linear Programming
The deployment of the mixed integer linear programming (MILP) to cryptanalysis was shown by
Mouha et al. in [MWGP11]. Then, the MILP has been applied to search for differential [SHW+ 14b,SHW+ 14a],
linear [SHW+ 14a], impossible differential [CJF+ 16,ST16], zero-correlation linear [CJF+ 16], and inte-
gral characteristics with division property [XZBL16]. The use of MILP for the integral characteristic
with division property is expanded in this paper.
The MILP problem is an optimization or feasibility program where variables are restricted to
integers. We create an MILP model M, which consists of variables M.var, constraints M.con, and
an objective function M.obj. As an example, let us consider the following optimization program.
Example 1.
M.var ← x, y, z as binary.
M.con ← x + 2y + 3z ≤ 4
M.con ← x + y ≥ 1
M.obj ← maximize x + y + 2z
The answer of the model M is 3, where (x, y, z) = (1, 0, 1).
MILP solver can solve such optimization problem, and it returns infeasible if there is no feasible
solution. Moreover, if there is no objective function, the MILP solver only evaluates whether this
model is feasible or not.
We used Gurobi optimization as the solver in our experiments [Inc15].

2.2 Cube Attack

The cube attack is a key-recovery attack proposed by Dinur and Shamir in 2009 [DS09] and is the
extension of the higher-order differential cryptanalysis [Lai94].
Let x = (x1 , x2 , . . . , xn ) and v = (v1 , v2 , . . . , vm ) be n secret variables and m public variables,
respectively. Then, the symmetric-key cryptosystem is represented as f (x, v), where f denotes a
polynomial and the size of input and output is n + m bits and 1 bit, respectively. In the case of
stream ciphers, x is the secret key, v is the initialization vector (iv), and f (x, v) is the first bit of
the key stream. The core idea of the cube attack is to simplify the polynomial by computing the
higher-order differential of f (x, v) and to recover secret variables from the simplified polynomial.
For a set of indices I = {i1 , i2 , . . . , i|I| } ⊂ {1, 2, . . . , n}, which is referred as cube indices and
denote by tI the monomial as tI = vi1 · · · vi|I| . Then, we can decompose f (x, v) as
f (x, v) = tI · p(x, v) + q(x, v),
where p(x, v) is independent of {vi1 , vi2 , . . . , vi|I| } and the effective number of input variables of p
is n + m − |I| bits. Moreover, q(x, v) misses at least one variable from {vi1 , vi2 , . . . , vi|I| }.
Let CI , which is referred as a cube (defined by I), be a set of 2|I| values where variables in
{vi1 , vi2 , . . . , vi|I| } are taking all possible combinations of values, and all remaining variables are
fixed to some arbitrary values. Then the sum of f over all values of the cube CI is
M M M
f (x, v) = tI · p(x, v) + q(x, v)
CI CI CI

= p(x, v).
6 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

The first term is reduced to p(x, v) because tI becomes 1 for only one case in CI . The second term
is always canceled out because q(x, v) misses at least one variable from {vi1 , vi2 , . . . , vi|I| }. Then,
p(x, v) is called the superpoly of the cube CI .

Blackbox Analysis. If the cube is appropriately chosen such that the superpoly is enough sim-
plified to recover secret variables, the cube attack succeeds. However, f (x, v) in real symmetric-key
cryptosystems is too complicated. Therefore, the cube attack regards f as a blackbox polynomial.
In the preprocessing phase, attackers first try out various cubes, change values of public and
secret variables, and analyze the feature of the superpoly. The goal of this phase is to reveal the
structure of p(x, v). Especially, the original cube attack searches for linear superpoly p(x, 0) by the
summation over the chosen cube. If the superpoly is linear,

p(x ⊕ x0 , 0) = p(x, 0) ⊕ p(x0 , 0) ⊕ p(0, 0)

always holds for arbitrary x and x0 . By repeating this linearity test enough, attackers can know
that the superpoly is linear with high probability, and the Algebraic Normal Form (ANF) of the
superpoly is recovered by assuming its linearity.
In the online phase, attackers query to an encryption oracle by controlling only public variables
and recover secret variables. Attackers evaluate the sum of f (x, v) over all values of the cube CI .
Since the sum is right hand side of the superpoly, the part of secret variables is recovered. Please
refer to [DS09] and [ADMS09] to well understand the principle of the cube attack.

2.3 Higher-Order Differential Cryptanalysis and Division Property

Underlying mathematical background of the cube attack is the same as that of the higher-order dif-
ferential attack. Unlike the cube attack, the common higher-order differential attack never regards
the block cipher as a blackbox polynomial. Attackers analyze the structure of a block cipher and
construct higher-order differential characteristics, where attackers prepare the set of chosen plain-
texts such that the sum of corresponding ciphertexts of reduced-round block cipher is 0. After the
proposal of the higher-order differential attack, many advanced techniques similar to the higher-
order differential attack have been developed to analyze block ciphers, e.g., square attack [DKR97],
saturation attack [Luc01], multi-set attack [BS01], and integral attack [KW02].

Division Property. At 2015, the division property, which is an improved technique to find higher-
order differential (integral) characteristics for iterated ciphers, was proposed in [Tod15b]. Then, the
bit-based variant was introduced in [TM16], and it is defined as follows5 .
Definition 1 ((Bit-Based) Division Property). Let X be a multiset whose elements take a value
of Fn2 . Let K be a set whose elements take an n-dimensional bit vector. When the multiset X has the
1n
division property DK , it fulfils the following conditions:
(
M
u unknown if there exist k ∈ K s.t. u  k,
x =
x∈X
0 otherwise,
Qn
where u  k if ui ≥ ki for all i, and xu = i=1 xui i .
We first evaluate the division property of the set of chosen plaintexts and then evaluate the division
property of the set of corresponding ciphertexts by evaluating the propagation for every round
function.
5
Two kinds of bit-based division property are proposed in [TM16]. In this paper, we only focus on the
conventional bit-based division property.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 7

Some propagation rules for the division property are proven in [Tod15b,TM16]. Attackers deter-
mine indices I = {i1 , i2 , . . . , i|I| } ⊂ {1, 2, . . . , n} and prepare 2|I| chosen plaintexts where variables
indexed by I are taking all possible combinations of values. The division property of such chosen
n
plaintexts is Dk1 , where ki = 1 if i ∈ I and ki = 0 otherwise. Then, the propagation of the division
n
property from Dk1 is evaluated as

def
{k} = K0 → K1 → K2 → · · · → Kr ,

where DKi is the division property after i-round propagation. If the division property Kr does not
have an unit vector ei whose only ith element is 1, the ith bit of r-round ciphertexts is balanced.

Propagation of Division Property with MILP. Evaluating the propagation of the division
property is not easy because the size of Ki extremely increases. At ASIACRYPT 2016, Xiang et al.
showed that the propagation is efficiently evaluated by using MILP [XZBL16]. First, they introduced
the division trail as follows.
def
Definition 2 (Division Trail). Let us consider the propagation of the division property {k} =
K0 → K1 → K2 → · · · → Kr . Moreover, for any vector k∗i+1 ∈ Ki+1 , there must exist a vector k∗i ∈
Ki such that k∗i can propagate to k∗i+1 by the propagation rule of the division property. Furthermore,
for (k0 , k1 , . . . , kr ) ∈ (K0 × K1 × · · · × Kr ) if ki can propagate to ki+1 for all i ∈ {0, 1, . . . , r − 1},
we call (k0 → k1 → · · · → kr ) an r-round division trail.
k E
Let Ek be the target r-round iterated cipher. Then, if there are division trails k0 −−→ k r = ei ,
attackers cannot know whether the ith bit of r-round ciphertexts is balanced or not. On the other
Ek
hand, if we can prove that there is no division trail k0 −−→ ei , the ith bit of r-round ciphertexts is
always balanced. Therefore, we have to evaluate all possible division trails to verify whether each bit
of ciphertexts is balanced or not. In [Tod15b], [Tod15a], and [TM16], all possible division trails are
evaluated by using a breadth-first search. Unfortunately, such a search requires enormous memory
and time complexity. Therefore, it is practically infeasible to apply this method to iterated ciphers
whose block length is not small.
MILP can efficiently solve this problem. We generate an MILP model that covers all division
trails, and the solver evaluates the feasibility whether there are division trails from the input division
property to the output one or not. If the solver guarantees that there is no division trail, higher-order
differential (integral) characteristics are found.
Let copy, xor, and and be three fundamental operations, where 1 bit is copied into m bits in
copy, the xor of m bits is computed in xor, and the and of m bits is computed in and. Note that
MILP models for copy, xor, and and are sufficient to represent any circuit.
COP Y
Proposition 1 (MILP Model for COPY). Let a −−−−→ (b1 , b2 , . . . , bm ) be a division trail of
COPY. The following inequalities are sufficient to describe the propagation of the division property
for copy.
(
M.var ← a, b1 , b2 , . . . , bm as binary.
M.con ← a = b1 + b2 + · · · + bm

XOR
Proposition 2 (MILP Model for XOR). Let (a1 , a2 , . . . , am ) −−−→ b be a division trail of XOR.
The following inequalities are sufficient to describe the propagation of the division property for xor.
(
M.var ← a1 , a2 , . . . , am , b as binary.
M.con ← a1 + a2 + · · · + am = b
8 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

AN D
Proposition 3 (MILP Model for AND). Let (a1 , a2 , . . . , am ) −−−→ b be a division trail of AND.
The following inequalities are sufficient to describe the propagation of the division property for and.
(
M.var ← a1 , a2 , . . . , am , b as binary.
M.con ← b ≥ ai for all i ∈ {1, 2, . . . , m}

To accept multiple inputs and outputs, three propositions are generalized from the original
ones shown in [XZBL16]. Moreover, Propositions 1 and 2 are also introduced in [SWW16]. Note
that Proposition 3 includes redundant propagations of the division property, but they do not affect
obtained characteristics.

3 How to Analyze Non-Blackbox Polynomials

The cube attack basically regards f (x, v) as a blackbox polynomial and analyzes it experimentally
because real f (x, v) are too complicated to analyze the structure in detail. Such experimental anal-
ysis is often advantageous but has significant drawbacks, e.g., the size of cube is limited to the
experimental range.
In this section, we propose a new technique to analyze the polynomial, where our technique
never regards the polynomial as a blackbox and can analyze the structure in detail. Accurately, we
propose a new application of the division property that enables us to analyze the Algebraic Normal
Form (ANF) coefficients of f . Secret variables that are not involved in the superpoly of a cube CI
are efficiently identified by using our new method. As a result, we can estimate the time complexity
that the ANF of the superpoly of a cube CI is recovered.

3.1 What is Guaranteed by Division Property

We first revisit the definition of the division property and consider what the division property can
do for stream ciphers.

Zero-Sum Integral Distinguisher. The trivial application is to find zero-sum integral distin-
guishers. Let us consider f (x, v) as a stream cipher, where x and v denote the secret and public
variables, respectively, and f is designed by using iterative structure. For a cube CI where the vari-
ables in {vi1 , vi2 , . . . , vi|I| } are taking all possible combinations of values, the propagation of the
division property enables us to evaluate whether or not the sum of f (x, v) over all values of the cube
CI is balanced. Therefore, if the goal of attackers is to find zero-sum integral distinguishers, we can
trivially use the division property.

Analysis of ANF Coefficients. Even if we can find a zero-sum integral distinguisher on stream
ciphers, it is nontrivial to recover secret variables unlike block ciphers. Therefore, new techniques
are required for the extension to the key-recovery attack.
We propose a novel application of the division property, where the division property is not used
to find zero-sum integral distinguishers but used to analyze the ANF coefficients of f . Since our
goal is to analyze the ANF coefficients, we do not need to distinguish public variables from secret
ones. For the simplicity of notation, we consider f (x) instead of f (x, v), and the ANF of f (x) is
represented as follows.
M
f (x) = afu · xu ,
u∈Fn
2

where afu ∈ F2 denotes the ANF coefficients. Then, the following Lemma is derived.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 9

Lemma 1. Let f (x) be a polynomial from Fn2 to F2 and afu ∈ F2 (u ∈ Fn2 ) be the ANF coefficients.
f
→ 1, afu
Let k be an n-dimensional bit vector. Then, assuming there is no division trail such that k −
is always 0 for u  k.

Proof. According to k, we first decompose f (x) into

M M
f (x) = afu · xu ⊕ afu · xu ,
u∈Fn
2 |uk u∈Fn
2 |u6k
M M
= xk · afu · xu⊕k ⊕ afu · xu .
u∈Fn
2 |uk u∈Fn
2 |u6k

f
Assume that there is no division trail such that k − → 1. Then, no division trail guarantees that the
sum of f (x) over all values of the cube CI is always balanced independent of xi (i ∈ {1, 2, . . . , n}−I).
Namely,
 
M M M
f (x) = xk · afu · xu⊕k 
CI CI u∈Fn
2 |uk
M
= afu · xu⊕k = 0
u∈Fn
2 |uk

holds independent of xi (i ∈ {1, 2, . . . , n} − I). It holds only if afu is always 0 for all u such that
u  k. t
u

Lemma 1 is very important observation for our attack.

3.2 Superpoly Recovery

The most important part of a cube attack is to recover the superpoly, and we simply call it the
superpoly recovery in this paper. Since public variables v are known and chosen for attackers, the
ANF of pv (x) = p(v, x) is evaluated, and the goal is to recover pv (x) whose v is fixed. Once the
superpoly pv (x) is recovered, attackers query the cube to an encryption oracle and compute the
sum of f (x, v) over the cube. Then, attackers can get one polynomial about secret variables, and
the secret variables are recovered from the polynomial.
The size of secret variables recovered from one superpoly depends on the structure of the su-
perpoly pv (x). If a balanced superpoly is used, one bit of information in involved secret variables
is always recovered. If an unbalanced superpoly is used, the size of recovered secret variables is less
than 1 bit but some information of secret variables is leaked to attackers. Moreover, it is possible
to recover more bits of information in secret variables by exploiting multiple cubes. As an extreme
case, if the superpoly is constant function, no secret variable is recovered, but it trivially implies
constant-sum integral distinguishers. Therefore, the superpoly recovery directly brings vulnerability
of symmetric-key cryptosystems, and some information of secret variables is always recovered unless
the superpoly is constant function.

Previous Method to Recover Superpoly. The previous cube attack experimentally recovered
the superpoly of a cube whose size is feasible for current computer. Therefore, not every superpoly
can be evaluated. Linearity and quadraticity tests are repeated, and the superpoly is regarded as the
linear or quadratic polynomial if these tests are sufficiently passes. Then, assuming the superpoly is
linear or quadratic, the superpoly is recovered.
10 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Analyze ANF Coefficients of Superpoly by Division Property. Lemma 1 implies that the
division property can be used as a tool to analyze ANF coefficients of the superpoly. The following
proposition is shown from Lemma 1 and is useful to evaluate the upper bound of the complexity to
recover the ANF of the superpoly.
Proposition 4. Let f (x, v) be a polynomial, where x and v denote the secret and public variables,
respectively. For a set of indices I = {i1 , i2 , . . . , i|I| } ⊂ {1, 2, . . . , m}, let CI be a set of 2|I| values
where the variables in {vi1 , vi2 , . . . , vi|I| } are taking all possible combinations of values. Let kI be
an m-dimensional bit vector such that v kI = tI = vi1 vi2 · · · vi|I| , i.e. ki = 1 if i ∈ I and ki = 0
f
otherwise. Assuming there is no division trail such that (ej , kI ) −
→ 1, xj is not involved in the
superpoly of the cube CI .

Proof. The ANF of f (x, v) is represented as follows.

M u
f (x, v) = afu · (xkv) ,
u∈Fn+m
2

where afu ∈ F2 denotes the ANF coefficients. The polynomial f (x, v) is decomposed into
M u
M u
f (x, v) = afu · (xkv) ⊕ afu · (xkv)
u∈Fn+m
2 |u(0kkI ) u∈Fn+m
2 |u6(0kkI )
u⊕(0kkI ) (0ku)
M M
= tI · afu · (xkv) ⊕ afu · (xkv)
u∈Fn+m
2 |u(0kkI ) u∈Fn+m
2 |u6(0kkI )

= tI · p(x, v) ⊕ q(x, v).

Therefore, the superpoly p(x, v) is represented as

u⊕(0kkI )
M
p(x, v) = afu · (xkv) .
u∈Fn+m
2 |u(0kkI )

f
→ 1, afu = 0 for u  (ej kkI ) because of Lemma 1. Therefore,
If there is no division trail (ej kkI ) −
M
p(x, v) = afu · (xkv)u⊕(0kkI ) .
u∈Fn+m
2 |u(0kkI ),uj =0

This superpoly is independent of xj because uj is always 0 and (xj )0 = 1. t

u

We can evaluate which secret variables are involved to the superpoly of a given cube, and Algo-
rithm 1 shows the algorithm supported by MILP. The input M is an MILP model, where the target
stream cipher is represented by the context of the division property. How to construct M for each
specific stream cipher is shown in each application in Sect. 5. First, we pick MILP variables x and v
from M, where x and v correspond to MILP variables for secret and public variables, respectively.
As an example, in Algorithm 2 for Trivium, let x = (s01 , s02 , . . . , s080 ) and v = (s093 , s094 , . . . , s0172 ).
Then, to represent the input division property, elements of v indexed by I are constrained by 1,
and the others are constrained by 0. Since at least one element in secret variables is additionally
constrained to 1 in our cube attack, the sum of x is constrained to 1. Next, we solve this MILP
model
L by using the solver. If M is infeasible, there is no involved secret variables in superpoly and
CI f (x, v) = p(x, v) is always constant. If M is feasible, we can get a satisfying division trail and
pick an index j ∈ {1, 2, . . . , n} such that xj = 1 in the division trail. Then, xj is involved to the
superpoly and the index j is stored to a set J. Once we detect that xj is involved, we additionally
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 11

Algorithm 1 Evaluate secret variables by MILP

1: procedure attackFramework(MILP model M, cube indices I)
2: Let x be n MILP variables of M corresponding to secret variables.
3: Let v be m MILP variables of M corresponding to public variables.
4: M.con ← vi = 1 for all i ∈ I
5: M.con ← vP i = 0 for all i ∈ ({1, 2, . . . , m} − I)
6: M.con ← n i=1 xi = 1
7: do
8: solve MILP model M
9: if M is feasible then
10: pick index j ∈ {1, 2, . . . , n} s.t. xj = 1
11: J = J ∪ {j}
12: M.con ← xj = 0
13: end if
14: while M is feasible
15: return J
16: end procedure

constrain xj = 0. By repeating this procedure, we can get the set J whose elements are an index of
secret variables involved to the superpoly.
After the analysis of the superpoly by using Algorithm 1, we know that only xj (j ∈ J) are
involved to the superpoly of the cube CI . Attackers choose a value in constant part of iv and
prepare the cube CI by flipping bits in I. They then recover the superpoly by trying out all possible
combinations of secret variables {xj1 , xj2 , . . . , xj|J| }. The time complexity to recover the superpoly
is 2|I|+|J| . Therefore, if |I| + |J| is smaller than the security bit level, we can efficiently recover the
superpoly.

4 Toward Key Recovery

The time complexity to recover the superpoly is estimated in Sect. 3. As described in Sect. 3, the
superpoly recovery directly brings vulnerability of stream ciphers. On the other hand, if our goal is
to recover secret variables, we have to find a preferable superpoly that is close to balancedness for
secret variables. Under the condition that we already get the cube index I and index of involved
secret variables J by using Algorithm 1, our attack strategy to recover secret variables consists of
three phases: offline phase, online phase, and brute-force search phase.

1. Offline phase. The goal of this phase is to find a preferable superpoly. Attackers choose a
value in the constant part of iv, and prepare a cube by flipping bits in I. They then compute
L
CI f (x, v) = pv (x) in local, where all possible combinations of secret variables {xj1 , xj2 , . . . , xj|J| }
are tried out, and the superpoly is recovered. Finally, we search for the preferable superpoly by
changing the constant part of iv.
2. Online phase. The goal of this phase is to recover the part of secret variables by using the
preferable superpoly. After the balanced superpoly is given, attackers query the cube CI to
encryption oracle and get one bit pv (x). Then, we get one polynomial about involved secret
variables, and the half of values in involved secret variables is discarded because the superpoly
is balanced.
3. Brute-force search phase. Attackers guess the remaining secret variables to recover the entire
value in secret variables.

We cannot know whether the superpoly is balanced or not unless it is actually recovered, and
the actual superpoly recovery requires 2|I|+|J| time complexity. Therefore, if |I| + |J| exceeds the
12 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

experimental range, it is practically infeasible to search for preferable superpolys. As a consequence,

we introduce the following two assumptions about collecting preferable superpolys.
Assumption 1 (Strong Assumption) For a cube CI , there are many values in the constant part
of iv whose corresponding superpoly is balanced.
Assumption 2 (Weak Assumption) For a cube CI , there are many values in the constant part
of iv whose corresponding superpoly is not a constant function.
Assumption 2 is weaker than Assumption 1 because the superpoly satisfying Assumption 1 always
holds Assumption 2. As long as Assumption 2 holds, the size of recovered secret variables is less
than 1 bit but some secret information is at least leaked to attackers. If Assumption 1 holds and
such superpoly is used in the online phase, values in involved secret variables are divided in exactly
half, i.e., pv (x) is 0 for 2|J|−1 values and is 1 for the others. Therefore, we can recover one bit of
information in secret variables.

4.1 Evaluating Time Complexity.

Assuming that Assumption 1 holds, we show the time complexity to recover the entire secret key.
Then, the time complexity of the offline phase is estimated as k × 2|I|+|J| , where k denotes the
required number of trials for finding a preferable superpoly. Note that we can expect that such
superpoly can be reasonably found with high probability without trying out all possible values in
involved secret variables. We evaluate a part of values in involved secret variables at random and
check whether pv (x) is almost balanced or not. If the output is highly biased for x, the superpoly
pv is not preferable and changes to other values in the constant part of iv. The complexity of this
method is O(2|I| ). Once we find an almost preferable superpoly, we entirely try out 2|J| values in
secret variables.
Even if the preferable superpoly is used, the size of recovered secret information is at most 1 bit.
Therefore, when only one cube is used, the time complexity of the brute-force search phase is 2κ−1 ,
where κ denotes the security bit level. Therefore, the total time complexity is
k × 2|I|+|J| + 2|I| + 2κ−1 , (1)
From Eq. (1), when |I|+|J| = κ−1, the total time complexity is greater than 2κ because k is at least
1. Therefore, such cube is not applied to the key-recovery attack. Moreover, when |I| + |J| = κ − 2,
this attack is valid only if the best case (k = 1), where a preferable superpoly is found in the first
trial.
If only one cube is exploited, the dominant time complexity is always that for the brute-force
search phase. When ` cubes are found in the evaluation phase and all found cubes are exploited, the
total time complexity is reduced to
 
` × k × 2|I|+|J| + 2|I| + 2κ−` .

However, this paper only focuses on the case that only one cube is exploited for the simplicity. Note
that the detection of one cube brings at least cryptographic vulnerability.

5 Applications
We apply our general attack method to four NLFSE-based ciphers. The first target is Trivium
[CP06], which is one of eSTREAM portfolio [est08] and one of the most analyzed stream ciphers.
Another target is Grain128a [ÅHJM11], which is standardized by ISO/IEC 29167-13 [ISO15]. The
3rd application is ACORN [Wu16], which is one of the 3rd round CAESAR candidates [cae14], and
its design is based on stream ciphers. The final application is Kreyvium [CCF+ 16], a stream cipher
proposed at FSE’16 sharing many similarities with Trivium.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 13

5.1 Application to Trivium

zi

Fig. 1. Structure of Trivium

Specification. Trivium is an NLFSR-based stream cipher, and the internal state is represented
by 288-bit state (s1 , s2 , . . . , s288 ). Figure 1 shows the state update function of Trivium. The 80-bit
key is loaded to the first register, and the 80-bit iv is loaded to the second register. The other state
bits are set to 0 except the least three bits in the third register. Namely, the initial state bits are
represented as
(s1 , s2 , . . . , s93 ) = (K1 , K2 , . . . , K80 , 0, . . . , 0),
(s94 , s95 , . . . , s177 ) = (IV1 , IV2 , . . . , IV80 , 0, . . . , 0),
(s178 , s279 , . . . , s288 ) = (0, 0, . . . , 0, 1, 1, 1).
The pseudo code of the update function is given as follows.
t1 ← s66 ⊕ s93
t2 ← s162 ⊕ s177
t3 ← s243 ⊕ s288
z ← t1 ⊕ t2 ⊕ t3
t1 ← t1 ⊕ s91 · s92 ⊕ s171
t2 ← t2 ⊕ s175 · s176 ⊕ s264
t3 ← t3 ⊕ s286 · s287 ⊕ s69
(s1 , s2 , . . . , s93 ) ← (t3 , s1 , . . . , s92 )
(s94 , s95 , . . . , s177 ) ← (t1 , s94 , . . . , s176 )
(s178 , s279 , . . . , s288 ) ← (t2 , s178 , . . . , s287 )
Here z denotes the 1-bit key stream. First, in the initialization, the state is updated 4 × 288 = 1152
times without producing an output. After the initialization, one bit key stream is produced by every
update function.

MILP Model. TriviumEval in Algorithm 2 generates MILP model M as the input of Algorithm 1,
and the model M can evaluate all division trails for Trivium whose initialization rounds are reduced
14 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Algorithm 2 MILP model of division property for Trivium

1: procedure TriviumCore(M, x, i1 , i2 , i3 , i4 , i5 )
2: M.var ← yi1 , yi2 , yi3 , yi4 , yi5 , z1 , z2 , z3 , z4 , a as binary
3: M.con ← yij = xij − zj for all j ∈ {1, 2, 3, 4}
4: M.con ← a ≥ z3
5: M.con ← a ≥ z4
6: M.con ← yi5 = xi5 + a + z1 + z2
7: for all i ∈ {1, 2, . . . , 288} w/o i1 , i2 , i3 , i4 , i5 do
8: yi = xi
9: end for
10: return (M, y)
11: end procedure
1: procedure TriviumEval(round R)
2: Prepare empty MILP Model M
3: M.var ← s0i for i ∈ {1, 2, . . . , 288}
4: for r = 1 to R do
5: (M, x) = TriviumCore(M, sr−1 , 66, 171, 91, 92, 93)
6: (M, y) = TriviumCore(M, x, 162, 264, 175, 176, 177)
7: (M, z) = TriviumCore(M, y, 243, 69, 286, 287, 288)
8: sr = z ≫ 1
9: end for
10: for all i ∈ {1, 2, . . . , 288} w/o 66, 93, 162, 177, 243, 288 do
11: M.con ← sR i = 0
12: end for
13: M.con ← (sR R R R R
66 + s93 + s162 + s177 + s243 + s288 ) = 1
R

14: return M
15: end procedure

to R. TriviumCore in Algorithm 2 generates MILP variables and constraints for each update function
of register. Since one TriviumCore creates 10 MILP variables and 7 constraints, one update function
creates 30 MILP variables and 21 constraints. Therefore, generated MILP model M consists of
288 + 30R MILP variables and 21R + 282 + 1 MILP constraints. Note that constraints by the input
division property are operated by Algorithm 1.

Table 2. Involved secret variables in the superpoly of the cube C{1,11,21,31,41,51,61,71} .

# rounds involved secret variables J size of J

576 48, 73, 74, 75 4
577 40, 65, 66, 67 4
583 48, 50, 62, 63, 66, 73, 74, 75, 76, 77 10
584 48, 50, 60, 61, 66, 67, 73, 74, 75, 76, 77 11
586 20, 30, 40, 45, 46, 47, 55, 56, 57, 58, 61, 65, 66, 67 14
587 30, 55, 56, 57, 58 5
590 60 1
591 23, 24, 25, 66, 67 5
592 ··· 25
593 ··· 57
594 ··· 47
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 15

Experimental Verification. We implemented the MILP model M for the propagation of the
division property on Trivium and evaluated involved secret variables by using Algorithm 1, where
Gurobi optimizer [Inc15] was used as the solver of MILP. Before the theoretical evaluation, we verify
our attack and implementation by using small cube as I = {1, 11, 21, 31, 41, 51, 61, 71}. Table 2
summarizes involved secret variables from 576 to 594 rounds.
Example 2 (Verification of Our Attack against 590-round Trivium). We actually execute the offline
phase against 590-round Trivium, and only K60 is involved to the superpoly. We randomly chose 100
superpolys by changing the constant part of iv and evaluated the sum of the cube. As a result, the
sum is always 0 independent of K60 in 42 superpolys, where 0x00CA6124DE5F12043D62 is its example
of the constant part of iv. Moreover, the sum corresponds to the value of K60 in 22 superpolys, where
0x2F0881B93B251C7079F2 is its example. Then, the ANF of the superpoly is represented as
pv (x) = x60 .
Finally, the sum corresponds to the value of K60 ⊕1 in 36 superpolys, where 0x5745A1944411D1374828
is its example. Then, the ANF of the superpoly is represented as
pv (x) = x60 ⊕ 1.
Balanced superpolys are preferable, and we found 22 + 36 = 58 such superpolys. Therefore, the
required number of trials for finding preferable superpolys is about k = 2.
Example 3 (Verification of Our Attack against 591-round Trivium). We execute the offline phase
against 591-round Trivium, and K23 , K24 , K25 , K66 , K67 are involved to the superpoly. Similarly
to the attack against 590 rounds, we randomly chose 100 superpolys by changing the constant part
of iv and evaluated the sum of the given cube. As a result, the sum is always 0 independent of 5
involved secret variables in 64 superpolys, where 0x39305FDD295BDACD2FBE is its example of the
constant part of iv. There are 11 superpolys such that the sum is 1 only when
K23 kK24 kK25 kK66 kK67 ∈ {00, 05, 08, 0D, 10, 15, 19, 1C}
as the hexadecimal notation, where 0x03CC37748E34C601ADF5 is its example of the constant part
of iv. Then, the ANF of the superpoly is represented as
pv (x) = (x66 ⊕ 1)(x23 x24 ⊕ x25 ⊕ x67 ⊕ 1).
There are 9 superpolys such that the sum is 1 when
K23 kK24 kK25 kK66 kK67 ∈ {02, 07, 0A, 0F, 12, 17, 1B, 1E}
as the hexadecimal notation, where 0x78126459CB2384E6CCCE is its example of the constant part
of iv. Then, the ANF of the superpoly is represented as
pv (x) = x66 (x23 x24 ⊕ x25 ⊕ x67 ⊕ 1).
Moreover, there are 16 superpolys such that the sum is 1 when the value of K23 kK24 kK25 kK66 kK67
belongs to
{00, 02, 05, 07, 08, 0A, 0D, 0F, 10, 12, 15, 17, 19, 1B, 1C, 1E}
as the hexadecimal notation, where 0x644BD671BE0C9241481A is its example of the constant part
of iv. Then, the ANF of the superpoly is represented as
pv (x) = x23 x24 ⊕ x25 ⊕ x67 ⊕ 1,
and this superpoly is balanced. Note that x66 is not involve to this superpoly. Balanced superpolys
are preferable, and we found 16 such superpolys. Therefore, the required number of trials for finding
preferable superpolys is about k = 6.
16 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Table 3. Summary of theoretical cube attacks on Trivium. The time complexity in this table shows the
time complexity to recover the superpoly.

#rounds |I| involved secret variables J time complexity

800 44 8, 33, 34, 35, 48, 59, 60, 61, 64, 73, 74, 75 244+12 = 256
802 46 32, 34, 57, 58, 59, 60, 61, 62 246+8 = 254
805 49 14, 39, 40, 41, 42, 44, 46, 58, 67,...,73 249+15 = 264
806 51 42, 67, 68, 69 251+4 = 255
808 52 26, 28, 40, 51, 52, 53, 54, 55, 58, 65, 66, 67 252+12 = 264
809 53 24, 26, 36, 38, 40, 49,...,56, 58, 61,...,67, 77,...,80 253+25 = 278
814 54 32, 34, 57, 58, 59, 60, 61 254+7 = 261
816 55 6, 31, 32, 33, 48, 50, 52, 57,...,60, 62, 73,...,79 255+19 = 274
818 58 34, 59, 60, 61 258+4 = 262
819 61 15, 17, 40, 41, 42, 43, 44, 58 261+8 = 269
820 62 15, 26, 40, 41, 42, 51, 52, 53 262+8 = 270
822 64 42, 67, 68, 69 264+4 = 268
825 65 52, 54, 66, 77, 78, 79, 80 265+7 = 272
829 66 23, 25, 26, 27, 36, 42, 56, 67, 68, 69 266+10 = 276
830 69 1, 37, 42, 56, 67, 68, 69 269+7 = 276
831 71 49, 74, 75, 76 271+4 = 275
832 72 34, 58, 59, 60, 61 272+5 = 277

For any size of cube |I|, the odd index 1, 3, . . . , 79 and even index 2, 4, . . . , 2(|I| − 40) is chosen as cube
indices.

Theoretical Results. As experimental verification shows, Assumption 1 holds for Trivium in small
example. Therefore, we can expect that theoretically recovered superpolys also fulfill Assumption 1.
Cube indices are chosen as the following in our experiments: the odd index 1, 3, . . . , 2|I| − 1 is
chosen, and the even index 2, 4, . . . , 2(|I|−40) is additionally chosen. Then, we exhaustively evaluated
involved secret variables, and Table 3 summarizes the result in our theoretical cube attack. Table 3
shows indices of involved secret variables and the time complexity for the superpoly recovery against
Trivium with at least 800 initialization rounds. Since the previous best key-recovery attack is 799
rounds, all results at least improve the current best key-recovery attack. Under the condition that
the time complexity for the superpoly recovery is less than 279 , the largest number of initialization
rounds that we can attack is 832 rounds. Compared with previous best key-recovery attack, it
updates 832 − 799 = 33 rounds.
We do not have plausible evidence that our
choice of cube indices is appropriate, and the choice
80
is still difficult because we need to try out |I| cubes when we want to evaluate all cubes whose size
is |I|. How to choose appropriate cubes is left as an open question.

5.2 Application to Grain128a

Specification. Grain128a is one of Grain family of NLFSR-based stream ciphers, and the internal
state is represented by two 128-bit states, (b0 , b1 , . . . , b127 ) and (s0 , s1 , . . . , s127 ). The 128-bit key is
loaded to the first register b, and the 96-bit iv is loaded to the second register s. The other state
bits are set to 1 except the least one bit in the second register. Namely, the initial state bits are
represented as

(b0 , b1 , . . . , b127 ) = (K1 , K2 , . . . , K128 ),

(s0 , s1 , . . . , s127 ) = (IV1 , IV2 , . . . , IV96 , 1, . . . , 1, 0).
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 17

g f
24 5 6

b0 b127 s0 s127
7 2 7 1

zi
Fig. 2. Structure of Grain128a

The pseudo code of the update function in the initialization is given as follows.

g ← b0 + b26 + b56 + b91 + b96

+ b3 b67 + b11 b13 + b17 b18 + b27 b59 + b40 b48 + b61 b65 + b68 b84 (2)
+ b88 b92 b93 b95 + b22 b24 b25 + b70 b78 b82 .
f ← s0 + s7 + s38 + s70 + s81 + s96 (3)
h ← b12 s8 + s13 s20 + b95 s42 + s60 s79 + b12 b95 s94 (4)
X
z ← h + s93 + bj (5)
j∈A

(b0 , b1 , . . . , b127 ) ← (b1 , . . . , b127 , g + s0 + z)

(s0 , s1 , . . . , s127 ) ← (s1 , . . . , s127 , f + z)

Here, A = {2, 15, 36, 45, 64, 73, 89}. First, in the initialization, the state is updated 256 times without
producing an output. After the initialization, the update function is tweaked such that z is not fed
to the state, and z is used as a key stream. Figure 2 shows the state update function of Grain128a.

MILP Model. Grain128aEval in Algorithm 3 generates MILP model M as the input of Algo-
rithm 1, and the model M can evaluate all division trails for Grain128a whose initialization rounds
are reduced to R. funcZ generates MILP variables and constraints for Eq. (4) and Eq. (5), and it
consists of 45 MILP variables and 32 MILP constraints. funcG generates MILP variables and con-
straints for Eq. (2), and it consists of 70 MILP variables and 55 MILP constraints. funcF generates
MILP variables and constraints for Eq. (3), and it consists of 13 MILP variables and 7 MILP con-
straints. As a result, the MILP model for every round consists of 45 + 70 + 13 + 4 = 132 MILP
variables and 32 + 55 + 7 + 4 = 98 MILP constraints. Therefore, generated MILP model M consists
of 256 + 45 + 132R MILP variables and 98R + 32 + 256 + 1 MILP constraints. Note that constraints
by the input division property are operated by Algorithm 1.

Experimental Verification. We implemented the MILP model M for the propagation of the
division property on Grain128a and evaluated involved secret variables by using Algorithm 1. To
verify our attack and implementation, the offline phase is executed by using small cube as I =
{1, 2, . . . , 9}.
18 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Algorithm 3 MILP model for the initialization of Grain128a

1: procedure Grain128aEval(round R)
2: Prepare empty MILP Model M
3: M.var ← b0i for i ∈ {0, 1, . . . , 127} as binary
4: M.var ← s0i for i ∈ {0, 1, . . . , 127} as binary
5: for r = 1 to R do
6: (M, b0 , s0 , z) = funcZ(M, br−1 , sr−1 )
7: M.var ← zg , zf as binary
8: M.con ← z = zg + zf
9: (M, b00 , g) = funcG(M, b0 )
10: (M, s00 , f ) = funcF(M, s0 )
11: for i = 0 to 126 do
12: bri = b00i+1
13: sri = s00i+1
14: end for
15: M.var ← br127 , sr127 as binary
16: M.con ← b000 = 0
17: M.con ← br127 = g + s000 + zg
18: M.con ← sr127 = f + zf
19: end for
20: (M, b0 , s0 , z) = funcZ(M, bR , sR )
21: for all i ∈ {0, 1, . . . , 127} do
22: M.con ← b0i = 0
23: M.con ← s0i = 0
24: end for
25: M.con ← z = 1
26: return M
27: end procedure

Example 4 (Verification of Our Attack against 106-round Grain128a). The cube C{1,2,3,...,9} brings
the superpoly that involves only seven secret variables, (K46 , K53 , K85 , K119 , K122 , K126 , and K127 ),
and this result comes out of Algorithm 1. In our experiments, the Hamming weight of all superpolys
pv (x) is only 4. Specifically, in arbitrary iv satisfying IV76 = 0, pv (x) is 1 only when the involved
secret variables are represented as
(K46 , K53 , K85 , K119 , K122 , K126 , K127 ) =(∗, 1, 0, 1, 1, 1, 1) or
(∗, 0, 1, 1, 1, 1, 1),
where ∗ is any bit. Moreover, in arbitrary iv satisfying IV76 = 1, pv (x) is 1 only when the involved
secret variables are represented as
(K46 , K53 , K85 , K119 , K122 , K126 , K127 ) =(∗, 1, 0, 1, 0, 1, 1) or
(∗, 0, 1, 1, 0, 1, 1).
Namely, the superpoly is represented as
pv (x) = (x53 ⊕ x85 ) · x119 · (x122 ⊕ v76 ) · x126 · x127 .
This superpoly is independent of x46 . Moreover, it is not balanced, and the Hamming weight of
pv (x) is 2 for six involved input bits. Therefore, the recovered bit of information in secret variables
is represented as
 2 62 
log2 2 × 26 + (62 × 26 )  ≈ 0.09.


 26 
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 19

Table 4. Summary of theoretical cube attacks on Grain128a. The time complexity in this table shows the
time complexity to recover the superpoly.

#rounds |I| involved secret variables J time complexity

36, 40, 51, 52, 53, 54, 55, 56, 61, 62, 88+18
182 88 † 2 = 2106
69, 79, 81, 82, 121, 122, 126, 127
48, 49, 50, 51, 52, 54, 55, 61, 63, 83, 92+16
183 92 ‡ 2 = 2108
84, 90, 93, 95, 120, 128

† Following set of indices I = {1, ..., 40, 42, 44, . . . , 51, 53, ..., 87, 89, 91, 93, 95} is used as the cube.
‡ Following set of indices I = {1, ..., 51, 53, ..., 91, 93, 95} is used as the cube.

Double bit of information can be recovered by flipping the bit IV76 , but the recovered information
is still smaller than 1.

Theoretical Results. We cannot find superpolys satisfying Assumption 1 in our experiments using
small cube. On the other hand, Assumption 2 holds. Therefore, we can expect that theoretically re-
covered superpolys also fulfill Assumption 2, and it leaks at least some information in secret variables
which is smaller than 1 bit. Moreover, by collecting these superpolys, we can expect that multiple
bits of information in secret variables are recovered.
Table 4 shows indices of involved secret variables and the time complexity for the superpoly
recovery against Grain128a. Since the previous best attack is 177 rounds in the single-key setting,
all results at least improve the current best key-recovery attack. Under the condition that the time
complexity for the superpoly recovery is less than 2127 , the largest number of initialization rounds
that we can attack is 183 rounds. Compared with previous best distinguishing attack, it updates
183 − 177 = 6 rounds. Moreover it allows for some key recovery.

5.3 Application to ACORN

Specification. ACORN is an authenticated encryption and one of the 3rd round candidates in
CAESAR competition. The structure is based on NLFSR, and the internal state is represented by
293-bit state (S0 , S1 , . . . , S292 ). There are two component functions, ks = KSG128(S) and f =
F BK128(S), in the update function, and each is defined as

ks = S12 ⊕ S154 ⊕ maj(S235 , S61 , S193 ) ⊕ ch(S230 , S111 , S66 ),

f = S0 ⊕ S̃107 ⊕ maj(S244 , S23 , S160 ) ⊕ (ca ∧ S196 ) ⊕ (cb ∧ ks),

where ks is used as the key stream, and maj and ch are defined as

maj(x, y, z) = (x ∧ y) ⊕ (x ∧ z) ⊕ (y ∧ z),
ch(x, y, z) = (x ∧ y) ⊕ ((x ⊕ 1) ∧ z).
20 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Then, the update function is given as follows.

S289 ← S289 ⊕ S235 ⊕ S230
S230 ← S230 ⊕ S196 ⊕ S193
S193 ← S193 ⊕ S160 ⊕ S154
S154 ← S154 ⊕ S111 ⊕ S107
S107 ← S107 ⊕ S66 ⊕ S61
S61 ← S61 ⊕ S23 ⊕ S0
ks = KSG128(S)
f = F BK128(S, ca, cb)
(S0 , S1 , . . . , S291 , S292 ) ← (S1 , S2 , . . . , S292 , f ⊕ m)
The 293-bit state is first initialized to 0. Second, 128-bit secret key is sequentially loaded to the
NLFSR via m. Third, 128-bit initialization vector is sequentially loaded to the NLFSR via m.
Fourth, 128-bit secret key is sequentially loaded to the NLFSR via m twelve times. The constant
bits ca and cb are always 1 in the initial 1792 rounds. The associated data is always loaded before the
output of the key stream, but we do not care about this process in this paper because the number
of rounds that we can attack is smaller than 1792 rounds. Figure 3 shows the structure of ACORN.
Please refer to [Wu16] in detail.

m
0 23 60 61 66 106 107 111 153 154 160 192 193 196 229 230 235 288 289 292

Fig. 3. Structure of ACORN

MILP Model. ACORNEval in Algorithm 4 generates MILP model M as the input of Algorithm 1,
and the model M can evaluate all division trails for ACORN whose initialization rounds are reduced
to R. xorFB generates MILP variables and constraints for feed-back function with XOR. ksg128 and
fbk128 generates MILP variables and constraints for KSG128 and F BK128, respectively.
If there are zero constant bit in input of KSG128 and F BK128, the propagation of the division
property for two functions ksg128 and fbk128 is limited. For example, when maj(x, y, z) is computed
under the condition y = z = 0, this function is represented as
maj(x, 0, 0) = 0,
and the division property of x never propagates to the output of maj. Such limitations of the
propagation only happens in the first several rounds because the state S is initialized to 0. To
control this behavior, there is the current number of rounds as the input of ksg128 and fbk128.
Note that constraints by the input division property are operated by Algorithm 1.

Experimental Verification. We implemented the MILP model M for the propagation of the
division property on ACORN and evaluated involved secret variables by using Algorithm 1. We
searched the small cube such that |I| + |J| is practically feasible, and the following small cube
C{1,2,3,4,5,8,20,125,126,127,128}
is used to verify our attack and implementation.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 21

Algorithm 4 MILP model for the initialization of ACORN

1: procedure ACORNEval(round R)
2: Prepare empty MILP Model M
3: M.var ← Ki for i ∈ {1, 2, . . . , 128} as binary
4: M.var ← IVi for i ∈ {1, 2, . . . , 128} as binary
5: M.var ← Si0 for i ∈ {0, 1, . . . , 292} as binary
6: for r = 1 to R do
7: (M, T ) = xorFB(M, S r−1 , 289, 235, 230)
8: (M, U ) = xorFB(M, T , 230, 196, 193)
9: (M, V ) = xorFB(M, U , 193, 160, 154)
10: (M, W ) = xorFB(M, V , 154, 111, 107)
11: (M, X) = xorFB(M, W , 107, 66, 61)
12: (M, Y ) = xorFB(M, X, 61, 23, 0)
13: (M, Z, ks) = ksg128(M, Y , r)
14: (M, A, f ) = fbk128(M, Z, r)
15: for i = 0 to 291 do
16: Sir = Ai+1
17: end for
r
18: M.var ← S292 as binary
19: if 128 < r ≤ 256 then
r
20: M.con ← S292 = f ⊕ IVr−128
21: else
22: M.var ← T Kr as binary
r
23: M.con ← S292 = f ⊕ T Kr
24: end if
25: end for
26: for i = 0 to 127 do P
27: M.con ← Ki = j T Ki+128×j
28: end for
29: (M, T ) = xorFB(M, S R , 289, 235, 230)
30: (M, U ) = xorFB(M, T , 230, 196, 193)
31: (M, V ) = xorFB(M, U , 193, 160, 154)
32: (M, W ) = xorFB(M, V , 154, 111, 107)
33: (M, X) = xorFB(M, W , 107, 66, 61)
34: (M, Y ) = xorFB(M, X, 61, 23, 0)
35: (M, Z, ks) = ksg128(M, Y )
36: for i = 0 to 292 do
37: M.con ← Zi = 0
38: end for
39: M.con ← ks = 1
40: return M
41: end procedure

Example 5 (Verification of Our Attack against 517-round ACORN). The cube C{1,2,3,4,5,8,20,125,126,127,128}
brings the superpoly that involves only nine secret variables, (K6 , K8 , K10 , K11 , K12 , K15 , K16 , K45 ,
and K49 ), and this result comes out of Algorithm 1. We try out 100 randomly chosen constant part
of iv. As a result, all superpolys pv (x) are balanced independent of the value of the constant part
of iv. Specifically, pv (x) corresponds to the sum of involved secret variables. Namely, the superpoly
is represented as

pv (x) = x6 ⊕ x8 ⊕ x10 ⊕ x11 ⊕ x12 ⊕ x15 ⊕ x16 ⊕ x45 ⊕ x49 .

22 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Table 5. Summary of theoretical cube attacks on ACORN. The time complexity in this table shows the
time complexity to recover the superpoly.

#rounds |I| involved secret variables J time complexity

1, 2, 3, 5, 6, 7, 8, 9, 10, 11,
12, 13, 15, 16, 18, 19, 20, 21, 22, 23,
647 35 † 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 235+43 = 278
40, 45, 49, 52, 55, 57, 60, 61, 62, 65,
66, 94, 99
1, 2,...,39, 41,...,49, 52,...,69,
649 35 † 235+74 = 2109
78, 86, 96, 97, 98, 100, 101, 102
1,...,12, 14,...21, 23,...,38, 40,...44,
704 64 ‡ 48, 49, 50, 54, 58, 60, 63, 64, 65, 68, 264+58 = 2122
69, 71, 74, 75, 97, 102, 108

† Following set of indices I = {1, 2, . . . , 16, 22, 29, 31, 113, 114, . . . , 128} is used as the cube.
‡ Following set of indices I = {1, 2, . . . , 32, 97, 98, . . . , 128} is used as the cube.

Theoretical Results. As experimental verification shows, Assumption 1 holds for ACORN in small
example. Therefore, we can expect that theoretically recovered superpolys also fulfill Assumption 1.
Table 5 shows indices of involved secret variables and the time complexity for the superpoly
recovery against ACORN. Since the previous best attack is 503 rounds, all results at least improve
the current best key-recovery attack. As far as we searched various cubes, the largest number of
initialization rounds that we can attack is 704 rounds, where the cube size is 64 and the number
of involved secret variables is 58. Compared with previous best key-recovery attack, it updates
704 − 503 = 201 rounds.

5.4 Application to Kreyvium

Specification. Kreyvium is designed for the use of fully homomorphic encryption, and the structure
is inspired from Trivium. Kreyvium consists of five registers and three ones in the middle correspond
to Trivium. Therefore, the modification is only the top and bottom registers. Figure 4 shows the
state update function of Trivium. While Trivium claims 80-bit security and accepts 80-bit iv,
Kreyvium claims 128-bit security and accepts 128-bit iv. To achieve this property, the initial loading
is completely different from the case of Trivium.
The 128-bit key is loaded to the first register, and (K1 , . . . , K93 ) is loaded to the second register.
The 128-bit iv is loaded to the fifth register, and (IV1 , . . . , IV84 ) and (IV85 , . . . , IV128 ) are loaded to
the third and fourth registers, respectively. The remaining state bits in the fourth register are set to
1 except the last bit. Namely, the initial state bits are represented as

∗ ∗
(IV127 , IV126 , . . . , IV0∗ ) = (IV1 , IV2 , . . . , IV128 ),
(s1 , s2 , . . . , s93 ) = (K1 , K2 , . . . , K93 ),
(s94 , s95 , . . . , s177 ) = (IV1 , IV2 , . . . , IV84 ),
(s178 , s279 , . . . , s288 ) = (IV85 , IV86 , . . . , IV128 , 1, 1, . . . , 1, 0),
∗ ∗
(K127 , K126 , . . . , K0∗ ) = (K1 , K2 , . . . , K128 ),
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 23

zi

Fig. 4. Structure of Kreyvium

The pseudo code of the update function is given as follows.

t1 ← s66 ⊕ s93
t2 ← s162 ⊕ s177
t3 ← s243 ⊕ s288 ⊕ K0∗
z ← t1 ⊕ t2 ⊕ t3
t1 ← t1 ⊕ s91 · s92 ⊕ s171 ⊕ IV0∗
t2 ← t2 ⊕ s175 · s176 ⊕ s264
t3 ← t3 ⊕ s286 · s287 ⊕ s69
(s1 , s2 , . . . , s93 ) ← (t3 , s1 , . . . , s92 )
(s94 , s95 , . . . , s177 ) ← (t1 , s94 , . . . , s176 )
(s178 , s279 , . . . , s288 ) ← (t2 , s178 , . . . , s287 )
∗ ∗
(K127 , K126 , . . . , K0∗ ) ← (K0∗ , K127
∗ ∗
, K126 , . . . , K1∗ )
∗ ∗
(IV127 , IV126 , . . . , IV0∗ ) ← (IV0∗ , IV127
∗ ∗
, IV126 , . . . , IV1∗ )

Here z denotes the 1-bit key stream. First, in the initialization, the state is updated 4 × 288 = 1152
times without producing an output. After the initialization, one bit key stream is produced by every
update function.

MILP Model. The core function for Kreyvium is identical to that of Trivium but the initial
division property is more complicated. Kreyvium has 128 secret key bits K1 , . . . , K128 , 128 iv bits
IV1 , . . . , IV128 and 288-128-93=67 constant 0/1 state bits. So Algorithm 1 requires x, v of lengths 128
and 128+67=195, respectively. Then, for R-round Kreyvium, R iv bits IV1 , . . . , IV128 , IV1 , . . . , IV1+(R mod 128)
24 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Table 6. Summary of theoretical cube attacks on Kreyvium. The time complexity in this table shows the
time complexity to recover the superpoly.

#rounds |I| involved secret variables J time complexity

849 61, Eq. (6) 47, 49, 51, 53, 55, 64, 66, 72, 73, 74, 75, 76, 77, 78, 79, 80, 261+23 = 284
81, 82, 89, 90, 91, 92, 93 (|J| = 23)
872 85, Eq. (7) 5, 6, 20, 21, 22, 30, 31, 37, 39, 40, 41, 49, 53, 54, 56, 57, 285+39 = 2124
58, 63, 64, 65, 66, 67, 74, 75, 76, 89, 91, 92, 93, 96, 98, 99,
100, 108, 122, 123, 124, 125, 126 (|J| = 39)

will be output by the register IV ∗ ; R + 1 key bits K1 , . . . , K128 , K1 , . . . , K1+(R+1 mod 128) will be
output by the register K ∗ . All these bits will be used in the updating function or output function.
So, we need to use the COPY rule to generate the division property of these bits before doing the
evaluations of the round functions. We detail the whole process in Algorithm 5. This algorithm
generates MILP model M as the input of Algorithm 1, and the model M can evaluate all division
trails for Kreyvium whose initialization rounds are reduced to R.

Experimental Verification. Identical to Trivium, we use the cube I = {1, 11, 21, 31, 41, 51, 61, 71}
to verify our attack and implementation.
Example 6 (Verification of Our Attack against 576-round Kreyvium). The cube I brings the super-
poly that involves 4 secret variables, J = {48, 73, 74, 75}. When the non-active IVs are assigned
to values such as 0x613fa9ca,0x5068e953,0xe0f73db6,0xc8c3491f, the ANF of the superpoly is
represented as
pv (x) = x48 ⊕ x73 x74 ⊕ x75 .
When the non-active values are assigned to values such as 0x66b4ece3,0xca7ee516,0xf9249367,0x1c1be1ec,
the superpoly is represented as
pv (x) = x48 ⊕ x73 x74 ⊕ x75 + 1.

Theoretical Results. In [Liu17], Meicheng Liu gave a 61-dimensional cube as

I = {1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27, 30, 32, 34, 37, 39, 41, 43, 45, 47, 49,
51, 53, 55, 58, 60, 62, 64, 66, 68, 70, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, (6)
99, 101, 103, 105, 108, 110, 112, 114, 116, 118, 120, 123, 125, 127},
He found that when all non-active IVs are set to 0, the cube can be used as a zero-sum distinguisher
for 872-round Kreyvium. Using our technique, we can turn his cube into a key-recovery attack on
849-round Kreyvium. Note that our cube attack does not restrict non-active bits to 0, and we show
the case of 0-fixed cube in Sect. 6 in detail.
Table 6 shows indices of involved secret variables and the time complexity for the superpoly
recovery against Kreyvium. When Liu’s cube is used, the corresponding superpoly involves 23 key
bits. We also select a 85-dimensional cube as
I = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 20, 22, 24, 26, 28, 30, 32, 34,
36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, (7)
84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105,
106, 107, 108, 109, 111, 113, 115, 117, 119, 121, 123, 125, 127},
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 25

Algorithm 5 MILP model of division property for Kreyvium

1: procedure KeyIvUpdate(M, x)
2: M.var ← y, z as binary
3: M.con ← x0 = y + z
4: x0 = y
5: x=x≫1
6: return (M, x, z)
7: end procedure
1: procedure KreyviumEval(round R)
2: Prepare empty MILP Model M
3: M.var ← xi for i ∈ {1, 2, . . . , 128}. . Secret variables
4: M.var ← vi for i ∈ {1, 2, . . . , 128}. . Public variables
5: M.var ← s0i for i ∈ {1, 2, . . . , 288}.
6: M.var ← IVi0 for i ∈ {1, 2, . . . , 128}.
7: M.var ← Ki0 for i ∈ {1, 2, . . . , 128}.
8: for i = 1 to 128 do
9: if i ≤ 93 then
10: M.con ← s0i + K128−i 0
= xi .
11: else
0
12: M.con ← K128−i = xi .
13: end if
14: end for
15: for i = 1 to 128 do
16: M.con ← s093+i + IV128−i 0
= vi .
17: end for
18: for r = 1 to R do
19: (M, x) = TriviumCore(M, sr−1 , 66, 171, 91, 92, 93)
20: (M, IV r , v ∗ ) = KeyIvUpdate(M, IV r−1 )
21: M.var ← t1
22: M.con ← t1 = x93 + v ∗
23: x93 = t1 . Update the 93rd entry of x
24: (M, y) = TriviumCore(M, x, 162, 264, 175, 176, 177)
25: (M, z) = TriviumCore(M, y, 243, 69, 286, 287, 288)
26: (M, K r , k∗ ) = KeyIvUpdate(M, K r−1 )
27: M.var ← t3
28: M.con ← t3 = z288 + k∗
29: z288 = t3 . Update the 288th entry of z
30: sr = z ≫ 1
31: end for
32: for all i ∈ {1, 2, . . . , 288} w/o 66, 93, 162, 177, 243, 288 do
33: M.con ← sR i = 0
34: end for
35: for all i ∈ {1, 2, . . . , 128} do
36: M.con ← KiR = 0
37: M.con ← IViR = 0
38: end for
∗
39: M.con ← (sr66 + sr93 + sr162 + sr177 + sr243 + sr288 + kR+1 )=1
40: return M
41: end procedure
26 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

and it can attack 872-round Kreyvium. Since the number of involved keys is |J| = 39, the complexity
is 285+39 = 2124 . This is the current best key-recovery attack on Kreyvium to our knowledge.

6 Exploiting Cube whose Non-Cube Bits Fill Up With 0

Most previous cube attacks [DS09,FV13,Liu17] are setting non-cube iv bits to constant-0. It is widely
believed and experimentally verified that such a setting can often mount to more rounds than the
case that non-cube bits take random values. We can also exploit such constant-0 bits and bring
more powerful cube attacks. On the downside, since all non-active iv bits are set to constant-0, we
cannot collect many superpolys by changing the non-cube bits, and the two assumptions introduced
in this paper become speculative. However, as we said in previous section, the superpoly recovery
immediately brings vulnerability like the distinguisher or key recovery. The main idea is to control
the propagation of the division property, and the same technique was applied to ACORN already.
In the previous MILP model, the initial bit-based division property of the cube bits are set to
1, while the division property of the non-cube iv bits, constant state bits or even secret key bits is
all set to 0. In other words, bits whose division property is 0 are regarded as secret constant bits.
However if we know that the constant bit is always 0, e.g., we can choose constant 0 as non-cube iv
bits, we can evaluate the propagation more accurately. For the simplicity, we explain the behavior
by using the case of
COPY+AND : (s1 , s2 ) → (s1 , s2 , s1 ∧ s2 ). (8)
From the division property view, let the initial division property be (x1 , x2 ), we first apply the COPY
COP Y COP Y
rule to both bits and acquire (y1 , y2 , z1 , z2 ), where x1 −−−−→ (y1 , z1 ) and x2 −−−−→ (y2 , z2 ). Then
AN D
the AND rule is applied for z1 and z2 and acquire (y1 , y2 , a), where (y1 , y2 ) −−−→ a. Such division
trail satisfies following linear inequalities.

M.con ← xi = yi + zi for i = 1, 2

M.con ← a ≥ z1

M.con ← a ≥ z2


Assuming that either s1 or s2 of (8) is 0, (s1 ∧ s2 ) is always 0. In other words, the division
property of (s1 ∧ s2 ) must be 0. Therefore, following propagations satisfying the basic propagation
rule are never happened.
COP Y +AN D
(1, 0) −−−−−−−−−→ (0, 0, 1),
COP Y +AN D
(0, 1) −−−−−−−−−→ (0, 0, 1).
To prohibit the propagation above, we add
M.con ← a = 0
when either s1 or s2 is 0. Note that the judgment whether s1 or s2 is 0 or not is done outside of
the MILP model for the division property. In real, once differences from cube bits are fully diffused,
constant-0 state bits disappear. Therefore, this evaluation is very easy and efficient because it is the
same as the evaluation of the full diffusion. As a result. this modification can further improve the
preciseness of our MILP model.

6.1 Application to Trivium

In the case of Trivium, we first evaluate whether sri is fixed to 0 in initial several hundred rounds.
Then, TriviumCore is modified to Algorithm 6, where the division property of si3 and si4 never
propagates to yi5 if either si3 and si4 is 0. This property is easily modeled by adding the constraint
a = 0.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 27

Algorithm 6 MILP model that exploits constant-0 bit

1: procedure TriviumCore(M, x, i1 , i2 , i3 , i4 , i5 )
2: M.var ← yi1 , yi2 , yi3 , yi4 , yi5 , z1 , z2 , z3 , z4 , a as binary
3: M.con ← yij = xij − zj for all j ∈ {1, 2, 3, 4}
4: M.con ← a ≥ z3
5: M.con ← a ≥ z4
6: if we know either si3 = 0 or si4 = 0 then
7: M.con ← a = 0
8: end if
9: M.con ← yi5 = xi5 + a + z1 + z2
10: for all i ∈ {1, 2, . . . , 288} w/o i1 , i2 , i3 , i4 , i5 do
11: yi = xi
12: end for
13: return (M, y)
14: end procedure

Table 7. Results and Comparison with Liu’s method.

Applications # rounds cube size type method

837 37, Eq. (9) zero-sum distinguisher Both Liu’s method [Liu17] and ours
Trivium 838 38, Eq. (10) zero-sum distinguisher Ours
842 37, Eq. (9) biased sum Experimental result [Liu17]

872 61, Eq. (6) zero-sum distinguisher Both Liu’s method [Liu17] and ours
Kreyvium
873 62, Eq. (11) zero-sum distinguisher Ours

‡ The attack against 477 rounds is mainly described for the practical attack in [SBD+ 16]. However, when
the goal is the superpoly recovery and to recover one bit of the secret key, 503 rounds are attacked.

Comparison with Liu’s Method. We applied this technique to Trivium. Very recently, Liu
showed a new algorithm to guarantee the upper bound of the algebraic degree on NFSR-based
ciphers [Liu17]. He evaluated a cube shown as

I = {1, 3, 5, 7, 9, 11, 13, 16, 18, 20, 22, 24, 26, 28, 31, 33, 35, 37, 39, 41, 43, (9)
46, 48, 50, 52, 54, 56, 58, 61, 63, 65, 67, 69, 71, 73, 76, 80},

where non-cube cube bits are filled with 0. Then Liu showed that 837-round Trivium has zero-sum
cube distinguisher. We also evaluated the same cube by using our method, and it guaranteed that
the first keystream bit is balanced up to the same number of rounds. Further we evaluated a cube
as

I = {1, 3, 5, 7, 9, 11, 13, 16, 18, 20, 22, 24, 26, 28, 31, 33, 35, 37, 39, 41, 43, (10)
46, 48, 50, 52, 54, 56, 58, 61, 63, 65, 67, 69, 71, 73, 76, 78, 80},

where IV78 is additionally chosen as cube bits from Eq.(9). This result derives 1-round longer zero-
sum distinguisher from Liu’s result. Liu showed 832-round distinguisher, where the probability that
the sum of the first key stream bit is 1 is 0.27. This distinguisher is experimental and constructed
based on Liu’s cube as Eq.( 9). Therefore, there is the possibility that we can find longer distinguisher
based on the cube as Eq.(10).
28 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Table 8. Modified attack on 182-round Grain128a.

#rounds |I| involved secret variables J time complexity

36, 40, 51, 52, 53, 56, 61, 62, 88+14
182 88 † 2 = 2102
69, 79, 81, 82, 122, 127

† I = {1, ..., 40, 42, 44, . . . , 51, 53, ..., 87, 89, 91, 93, 95}

6.2 Application to Kreyvium

In Sect. 5.4, we can only prove that [Liu17]’s 61-dimensional cube has zero-sum for at most 848
rounds. However when we identify the non-active iv bits as constant-0 and eliminate the corre-
sponding COPY+AND operations, we are able to prove the zero-sum property for 872 rounds,
which is the same result as [Liu17]. In fact, with non-cube iv bits assigned to constant 0, we can eas-
ily break the 872-round barricade by using higher dimensional cubes. For example, we can construct
a 62-dimensional cube as

I = {1, 3, 5, 6, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27, 30, 32, 34, 37, 39, 41, 43, 45, 47, 49,
51, 53, 55, 58, 60, 62, 64, 66, 68, 70, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, (11)
99, 101, 103, 105, 108, 110, 112, 114, 116, 118, 120, 123, 125, 127},

where IV6 is additionally chosen as cube bits. We can prove that such a cube has zero-sum property
for round 873 when non-cube iv bits are set to 0. These results are summarized in Table 7.

6.3 Application to Grain128a

For Grain-128a, it is noticeable that the initial s127 is a constant-0 bit. This bit has involved in
many COPY+AND operations in the first 128 initialization rounds. By specifying and ignoring
these operations, we find that some key bits are eliminated from the previous deduced superpolies.
For the 106-round attack in Example 4, the previous method claims that 7 secret key bits K46 ,
K53 , K85 , K119 , K127 are involved in the superpoly. After we specify s127 = 0 and ignored all the
related COPY+AND division property propagations, we find that the involved key bits are in fact
K53 , K85 , K119 , K127 , K46 is excluded. This explains why x46 is independent to the superpoly for
any iv settings.
For the 182-round attack in Table 4, we re-evaluated the involved secret variables J and erased
4 indices 54,55,121,126. So the complexity of this attack is lowered by 24 to 2102 . We rewrite the
modified 182-round attack in Table 8.

7 Discussions
7.1 Validity of Assumption 1 and 2
Whether the two assumptions hold depends on the structure of analyzed ciphers. In the three
applications shown in this paper, we could easily find balanced superpoly for Trivium and ACORN
by actually evaluating the offline phase using small cube. Therefore, we can expect that Assumption 1
holds in theoretical recovered superpolys for these two ciphers. On the other hand, we could not
find balanced superpolys for Grain128a. This implies that Assumption 1 does not hold in theoretical
recovered superpolys for Grain128a. However, since we could easily find non-constant superpolys,
we can expect that Assumption 2 holds.
Note that Assumption 1 is introduced to estimate the time complexity to recover the entire secret
key, and some information of secret variables is leaked to attackers even if only Assumption 2 holds.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 29

Moreover, even if both assumptions do not hold, the recovered superpoly is useful for distinguishing
attacks. Therefore, if the superpoly recovery is more efficient than the brute-force attack, it imme-
diately brings some vulnerability of symmetric-key cryptosystems. Therefore, the time complexity
for the superpoly recovery discussed in this paper is very important.
Conventional cube attacks also have a similar assumption because they experimentally verify
whether the superpoly is linear, quadratic, or not. For example, in [DS09], the authors judged that
the superpoly is linear if the superpoly passes at least 100 linearity tests. Moreover, Fouque and
Vannet also introduced heuristic linearity and quadraticity tests in [FV13], where the superpoly is
judged as linear and quadratic if it passes constant-order linearity and quadraticity tests, respectively.
These constant-order tests may fail if there are terms of the superpoly that are highly biased. For
example, assuming that the superpoly is represented as K1 + f (K2 , K3 , K4 , ..., K32 ) where f is
unbalanced, the test used in previous cube attacks may judge the superpoly as K1 in error. Namely,
the conventional cube attack also assumes that the superpoly is balanced for each involved secret
variables, and it fails to recover secret variables if this assumption is incorrect.

7.2 Multiple-Bits Recovery from One Cube Only

There is a possibility that we can recover multiple bits from a given cube by changing a value in
constant part of iv. Indeed, Example 3 recovers more than one bit of information in secret variables
by using an v = 0x03CC37748E34C601ADF5 or v = 0x78126459CB2384E6CCCE together with v =
0x644BD671BE0C9241481A. Moreover, two bits of information in secret variables are recovered if we
find two independent balanced superpolys. On the other hand, the superpoly must be simplified
enough for the key recovery. While we may be able to recover multiple bits only from one cube by
changing values of the constant part of iv when the number of involved secret variables is high, we
cannot claim that there are many independent balanced superpolys when the number of involved
secret variables is small. Therefore, we do not claim that multiple bits are recovered from one cube
by changing values of the constant part of iv.

7.3 Comparison with Previous Techniques

There is previous work that exploits non-randomness in high degree monomial structure in the ANF
for the key recovery of stream ciphers: In [FKM08], it is examined if every key bit in the parametrized
expression of a coefficient of some high degree monomial in iv bits does occur, or more generally,
how much influence each key bit does have on the value of the coefficient. If a coefficient depends
on less than all key bits, this fact is exploited to filter those keys which do not satisfy the imposed
value for the coefficient. As opposed to the present work, this method is mostly statistical in nature,
whereas division property is fully algebraic.
Secondly, in [KMN10], conditions are identified on the internal state to obtain a deterministic
differential characteristic for some large number of rounds. Depending on whether these conditions
involve public variables only, or also key variables, distinguishing and partial key-recovery attacks
are derived. The technique is extended to (conditional) higher order differentials and enables to
distinguish reduced round versions of some stream ciphers, and to recover parts of the key. Again,
this method is quite different from the methods of this paper, and is not purely algebraic.
A third more recent approach is dynamic cube attack [DS11]. In contrast to standard cube
attack that finds the key by solving a system of (linear) equations in the key bits, dynamic cube
attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic
cube attacks aim at creating lower degree representations of the given cipher. This method has
been successfully applied to break the stream cipher Grain-128 [DGP+ 11]. All the previous methods
share the restriction that they are experimental rather than theoretical, i.e., they are dependent on
computing with cubes as large as practically feasible.
30 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

Table 9. Results and Comparison with Liu’s method.

Applications # rounds cube size type method

793 80 zero-sum distinguisher Liu’s method [Liu17]

Trivium
839 80 zero-sum distinguisher Ours

862 128 zero-sum distinguisher Liu’s method [Liu17]

Kreyvium
897 128 zero-sum distinguisher Ours

‡ The attack against 477 rounds is mainly described for the practical attack in [SBD+ 16]. However, when
the goal is the superpoly recovery and to recover one bit of the secret key, 503 rounds are attacked.

7.4 Comparison with Liu’s Method when Maximum Cube is Applied

In [Liu17], Liu evaluated the number of rounds on zero-sum distinguisher when all iv bits are active.
To compare with Liu’s method, we also evaluated such cubes for both Trivium and Kreyvium, and
Table 9 shows the comparison between Liu’s method and our method. While Liu’s method guarantees
that the first key-stream bit of 793-round Trivium is balanced, our method can guarantee that the
first key-stream bit of 839-round Trivium is balanced. Moreover, the number of rounds on zero-
sum distinguisher for Kreyvium is also improved from 862 to 897. From their comparisons, we can
conclude that our method is more accurate than Liu’s algorithm. On the other hand, since we need
to ask for the help of solvers, Liu’s method is more efficient than our method.

7.5 Accelerating Solving Time of MILP

We show techniques to accelerate the solving time of MILP. The effectiveness of these techniques is
verified by Gurobi optimizer experimentally.

Dummy Objective Function. Unlike the evaluation of the differential and linear characteris-
tics [SHW+ 14b,SHW+ 14a,SHW+ 14a], the MILP model does not require an objective function in
the evaluation of our cube attack. However, we know that good “dummy” objective function some-
times helps Gurobi to speed up.
For example, let us consider the case of Trivium. Then we do not introduce any objective
function because we only evaluate the feasibility. To accelerate the solving time, we may add the
following dummy objective function
288
R/2
X
M.obj ← maximize si
i=1

as an example, where we maximize the sum of the division property in the half number of rounds.
Note that the maximized value has no meaning, and we only know whether the model is feasible or
not. Therefore, once the MILP solver can find one feasible solution, we terminate the solver.

Use of Lazy Constraints. In Algorithm 1, we have to solve MILP model repeatedly until the
model becomes infeasible. Then the MILP model is refreshed every time it finds a feasible solution,
which may be a waste of time. To accelerate the total solving time, we cut found solutions by “lazy
constraints.” In our implementation, we used C++ API in Gurobi.
The lazy constraintsPare generally used to add “new constraint” during the optimization. In our
m
case, we first constrain i=1 xi = 1, and when we find one instance where xj is involved, we remove
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 31

the instance using addLazy constraint as xj = 0. Finally, the code stops when the model is infeasible.
When we try this technique in Gurobi, this dramatically accelerates the solving time. Therefore, we
suggest the implementation with lazy constraints if possible.

8 Conclusion

This paper revisited the cube attack proposed by Dinur and Shamir at Eurocrypt 2009. The con-
ventional cube attack regards a target symmetric-key cryptosystem as a blackbox polynomial and
analyzes the polynomial experimentally. Therefore, it is practically infeasible to evaluate the security
when the size of cube exceeds the experimental size. In this paper, we proposed the cube attack on
non-blackbox polynomials, and it enables the cube attack to exploit a large cube size. Our method
was developed by the division property, and as far as we know, this is the first application of the
division property to stream ciphers. The trivial application brings only zero-sum integral distinguish-
ers, and it is non-trivial to recover the secret key of stream ciphers by using the distinguisher. The
novel application of the division property was proposed, where it is used to analyze the Algebraic
Normal Form coefficients of polynomials. As a result, we can estimate the time complexity for the
superpoly recovery. Then, the superpoly recovery immediately brings the vulnerability. We applied
the new technique to Trivium, Grain128a, and ACORN, and the superpoly of 832-round Trivium,
183-round Grain128a, and 704-round ACORN are more efficiently recovered than the brute-force
search. For Trivium and ACORN, we can expect that the recovered superpoly is useful for the
key recovery attack, and they bring the current best key-recovery attacks. On the other hand, for
Grain128a, we cannot expect that the recovered superpoly is balanced, and then the recovered bit of
information may be significantly small. Therefore, the feasibility of the key recovery is speculative,
but 183 rounds are at least vulnerable. We expect that our new tool becomes a new generic tool to
measure the security of stream ciphers.

References

ADMS09. Jean-Philippe Aumasson, Itai Dinur, Willi Meier, and Adi Shamir. Cube testers and key recovery
attacks on reduced-round MD6 and Trivium. In Orr Dunkelman, editor, FSE, volume 5665 of
LNCS, pages 1–22. Springer, 2009.
ÅHJM11. Martin Ågren, Martin Hell, Thomas Johansson, and Willi Meier. Grain-128a: a new version of
grain-128 with optional authentication. IJWMC, 5(1):48–59, 2011.
BS01. Alex Biryukov and Adi Shamir. Structural cryptanalysis of SASAS. In Birgit Pfitzmann, editor,
EUROCRYPT, volume 2045 of LNCS, pages 394–405. Springer, 2001.
cae14. CAESAR: Competition for authenticated encryption: Security, applicability, and robustness,
2014.
CCF+ 16. Anne Canteaut, Sergiu Carpov, Caroline Fontaine, Tancrède Lepoint, Marı́a Naya-Plasencia,
Pascal Paillier, and Renaud Sirdey. Stream ciphers: A practical solution for efficient
homomorphic-ciphertext compression. In Thomas Peyrin, editor, FSE, volume 9783 of LNCS,
pages 313–333. Springer, 2016.
CJF+ 16. Tingting Cui, Keting Jia, Kai Fu, Shiyao Chen, and Meiqin Wang. New automatic search tool
for impossible differentials and zero-correlation linear approximations, 2016.
CP06. Christophe De Cannière and Bart Preneel. Trivium specifications, 2006. eSTREAM portfolio,
Profile 2 (HW).
DGP+ 11. Itai Dinur, Tim Güneysu, Christof Paar, Adi Shamir, and Ralf Zimmermann. An experimentally
verified attack on full Grain-128 using dedicated reconfigurable hardware. In Dong Hoon Lee
and Xiaoyun Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 327–343. Springer,
2011.
DKR97. Joan Daemen, Lars R. Knudsen, and Vincent Rijmen. The block cipher Square. In Eli Biham,
editor, FSE, volume 1267 of LNCS, pages 149–165. Springer, 1997.
32 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

DMP+ 15. Itai Dinur, Pawel Morawiecki, Josef Pieprzyk, Marian Srebrny, and Michal Straus. Cube attacks
and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In Elisabeth
Oswald and Marc Fischlin, editors, EUROCRYPT Part I, volume 9056 of LNCS, pages 733–761.
Springer, 2015.
DS09. Itai Dinur and Adi Shamir. Cube attacks on tweakable black box polynomials. In Antoine Joux,
editor, EUROCRYPT, volume 5479 of LNCS, pages 278–299. Springer, 2009.
DS11. Itai Dinur and Adi Shamir. Breaking Grain-128 with dynamic cube attacks. In Antoine Joux,
editor, FSE, volume 6733 of LNCS, pages 167–187. Springer, 2011.
est08. eSTREAM: the ECRYPT stream cipher project, 2008.
FKM08. Simon Fischer, Shahram Khazaei, and Willi Meier. Chosen IV statistical analysis for key recovery
attacks on stream ciphers. In Serge Vaudenay, editor, AFRICACRYPT, volume 5023 of LNCS,
pages 236–245. Springer, 2008.
FV13. Pierre-Alain Fouque and Thomas Vannet. Improving key recovery to 784 and 799 rounds of
trivium using optimized cube attacks. In Shiho Moriai, editor, FSE, volume 8424 of LNCS,
pages 502–517. Springer, 2013.
Inc15. Gurobi Optimization Inc. Gurobi optimizer 6.5. Official webpage, http://www.gurobi.com/,
2015.
ISO15. ISO/IEC. JTC1: ISO/IEC 29167-13: Information technology – automatic identification and
data capture techniques – part 13: Crypto suite grain-128a security services for air interface
communications, 2015.
KMN10. Simon Knellwolf, Willi Meier, and Marı́a Naya-Plasencia. Conditional differential cryptanalysis
of NLFSR-based cryptosystems. In Masayuki Abe, editor, ASIACRYPT, volume 6477 of LNCS,
pages 130–145. Springer, 2010.
Knu94. Lars R. Knudsen. Truncated and higher order differentials. In Bart Preneel, editor, FSE, volume
1008 of LNCS, pages 196–211. Springer, 1994.
KW02. Lars R. Knudsen and David Wagner. Integral cryptanalysis. In Joan Daemen and Vincent
Rijmen, editors, FSE, volume 2365 of LNCS, pages 112–127. Springer, 2002.
Lai94. Xuejia Lai. Higher order derivatives and differential cryptanalysis. In Communications and
Cryptography, volume 276 of The Springer International Series in Engineering and Computer
Science, pages 227–233, 1994.
Liu17. Meicheng Liu. Degree evaluation of NFSR-based cryptosystems. In Jonathan Katz and Hovav
Shacham, editors, CRYPTO Part III, volume 10403 of LNCS, pages 227–249. Springer, 2017.
LM12. Michael Lehmann and Willi Meier. Conditional differential cryptanalysis of Grain-128a. In Josef
Pieprzyk, Ahmad-Reza Sadeghi, and Mark Manulis, editors, CANS, volume 7712 of LNCS, pages
1–11. Springer, 2012.
Luc01. Stefan Lucks. The saturation attack - A bait for Twofish. In Mitsuru Matsui, editor, FSE,
volume 2355 of LNCS, pages 1–15. Springer, 2001.
MS12. Piotr Mroczkowski and Janusz Szmidt. The cube attack on stream cipher Trivium and quadratic-
ity tests. Fundam. Inform., 114(3-4):309–318, 2012.
MWGP11. Nicky Mouha, Qingju Wang, Dawu Gu, and Bart Preneel. Differential and linear cryptanalysis
using mixed-integer linear programming. In Chuankun Wu, Moti Yung, and Dongdai Lin,
editors, Inscrypt, volume 7537 of LNCS, pages 57–76. Springer, 2011.
SBD+ 16. Md. Iftekhar Salam, Harry Bartlett, Ed Dawson, Josef Pieprzyk, Leonie Simpson, and Ken-
neth Koon-Ho Wong. Investigating cube attacks on the authenticated encryption stream cipher
ACORN. In Lynn Batten and Gang Li, editors, ATIS, volume 651 of CCIS, pages 15–26.
Springer, 2016.
SHW+ 14a. Siwei Sun, Lei Hu, Meiqin Wang, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Danping Shi, and
Ling Song. Towards finding the best characteristics of some bit-oriented block ciphers and
automatic enumeration of (related-key) differential and linear characteristics with predefined
properties, 2014.
SHW+ 14b. Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, and Ling Song. Automatic se-
curity evaluation and (related-key) differential characteristic search: Application to SIMON,
PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In Palash Sarkar and Tetsu
Iwata, editors, ASIACRYPT Part I, volume 8873 of LNCS, pages 158–178. Springer, 2014.
ST16. Yu Sasaki and Yosuke Todo. New impossible differential search tool from design and cryptanal-
ysis aspects, 2016. this paper is accepted in Eurocrypt 2017.
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 33

SWW16. Ling Sun, Wei Wang, and Meiqin Wang. MILP-aided bit-based division property for primitives
with non-bit-permutation linear layers, 2016.
TIHM17. Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier. Cube attacks on non-blackbox poly-
nomials based on division property. In Jonathan Katz and Hovav Shacham, editors, CRYPTO
Part III, volume 10403 of LNCS, pages 250–279. Springer, 2017.
TM16. Yosuke Todo and Masakatu Morii. Bit-based division property and application to Simon family.
In Thomas Peyrin, editor, FSE, volume 9783 of LNCS, pages 357–377. Springer, 2016.
Tod15a. Yosuke Todo. Integral cryptanalysis on full MISTY1. In Rosario Gennaro and Matthew Rob-
shaw, editors, CRYPTO Part I, volume 9215 of LNCS, pages 413–432. Springer, 2015.
Tod15b. Yosuke Todo. Structural evaluation by generalized integral property. In Elisabeth Oswald and
Marc Fischlin, editors, EUROCRYPT Part I, volume 9056 of LNCS, pages 287–314. Springer,
2015.
Wu16. Hongjun Wu. Acorn v3, 2016. Submission to CAESAR competition.
XZBL16. Zejun Xiang, Wentao Zhang, Zhenzhen Bao, and Dongdai Lin. Applying MILP method to
searching integral distinguishers based on division property for 6 lightweight block ciphers. In
Jung Hee Cheon and Tsuyoshi Takagi, editors, ASIACRYPT Part I, volume 10031 of LNCS,
pages 648–678. Springer, 2016.
34 Yosuke Todo, Takanori Isobe, Yonglin Hao, and Willi Meier

A Components of MILP model for Division Property in Grain128a

This appendix shows components of MILP model for division property in Grain128a.

Algorithm 7 MILP model for XOR and AND in Grain128a

1: procedure AND(M, b, s, I, J)
2: M.var ← b0i , xi for all i ∈ I as binary
3: M.var ← s0j , yj for all j ∈ J as binary
4: M.var ← z as binary
5: M.con ← b0i = bi − xi for all i ∈ I
6: M.con ← s0j = sj − yj for all j ∈ J
7: M.con ← z ≥ xi for all i ∈ I
8: M.con ← z ≥ yj for all j ∈ J
9: for all i ∈ {0, 1, . . . , 127} − I do
10: b0i = bi
11: end for
12: for all j ∈ {0, 1, . . . , 127} − J do
13: s0i = si
14: end for
15: return (M, b0 , s0 , z)
16: end procedure
1: procedure XOR(M, b, s, I, J)
2: M.var ← b0i , xi for all i ∈ I as binary
3: M.var ← s0j , yj for all j ∈ J as binary
4: M.var ← z as binary
5: M.con ← b0i = bi − xi for all i ∈ I
6: M.con ← s0j =P sj − yj forPall j ∈ J
7: M.con ← z = i∈I xi + j∈J yj
8: for all i ∈ {0, 1, . . . , 127} − I do
9: b0i = bi
10: end for
11: for all j ∈ {0, 1, . . . , 127} − J do
12: s0i = si
13: end for
14: return (M, b0 , s0 , z)
15: end procedure
 Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) 35

Algorithm 8 MILP model for NLFSR and LFSR in Grain128a

1: procedure funcZ(M, b, s)
2: (M, b1 , s1 , a1 ) = AND(M, b, s, {12}, {8})
3: (M, b2 , s2 , a2 ) = AND(M, b1 , s1 , φ, {13, 20})
4: (M, b3 , s3 , a3 ) = AND(M, b2 , s2 , {95}, {42})
5: (M, b4 , s4 , a4 ) = AND(M, b3 , s3 , φ, {60, 79})
6: (M, b5 , s5 , a5 ) = AND(M, b4 , s4 , {12, 95}, {94})
7: (M, b6 , s6 , x) = XOR(M, b5 , s5 , {2, 15, 36, 45, 64, 73, 89}, {93})
8: M.var ← z as binary
M.con ← z = x + 5i=1 ai
P
9:
10: return (M, b6 , s6 , z)
11: end procedure
1: procedure funcF(M, s)
2: (M, φ, s1 , f ) = XOR(M, φ, s, φ, {0, 7, 38, 70, 81, 96})
3: return (M, s1 , f )
4: end procedure
1: procedure funcG(M, b)
2: (M, b1 , φ, a1 ) = AND(M, b, φ, {3, 67}, φ)
3: (M, b2 , φ, a2 ) = AND(M, b1 , φ, {11, 13}, φ)
4: (M, b3 , φ, a3 ) = AND(M, b2 , φ, {17, 18}, φ)
5: (M, b4 , φ, a4 ) = AND(M, b3 , φ, {27, 59}, φ)
6: (M, b5 , φ, a5 ) = AND(M, b4 , φ, {40, 48}, φ)
7: (M, b6 , φ, a6 ) = AND(M, b5 , φ, {61, 65}, φ)
8: (M, b7 , φ, a7 ) = AND(M, b6 , φ, {68, 84}, φ)
9: (M, b8 , φ, a8 ) = AND(M, b7 , φ, {88, 92, 93, 95}, φ)
10: (M, b9 , φ, a9 ) = AND(M, b8 , φ, {22, 24, 25}, φ)
11: (M, b10 , φ, a10 ) = AND(M, b9 , φ, {70, 78, 82}, φ)
12: (M, b11 , φ, x) = XOR(M, b10 , φ, {0, 26, 56, 91, 96}, φ)
13: M.var ← g as binary
M.con ← g = x + 10
P
14: i=1 ai
15: return (M, b11 , g)
16: end procedure