In this section, we briefly introduce the background needed for this paper. First, we give the notation used throughout. Then we give a brief description of Sycon and of the cube attack.
3.2. Sycon Authenticated Encryption with Associated Data Algorithm Specification
Sycon is an authenticated encryption with associated data (AEAD) cipher [22]. An AEAD scheme provides confidentiality and integrity under a single secret key [23], and it usually performs better than combining two separate cryptographic primitives with two different keys. Sycon provides two AEAD algorithms and one hash algorithm, all built on a sponge structure. In this section, we specify the Sycon variant with rate 96.
Sycon consists of initialization, associated data processing, encryption/decryption, and finalization. The initialization phase loads the 128-bit key, the 128-bit nonce, and a 64-bit initialization vector into the 320-bit state. It then applies the permutation twice and XORs the key, truncated by 64 bits, into the state. Associated data processing follows initialization and is skipped entirely when the associated data (AD) are empty; otherwise the permutation is applied with the AD and the current state as input. In encryption/decryption, the ciphertext has the same length as the plaintext: the plaintext is processed in 96-bit blocks, a final block shorter than 96 bits is padded, and the permutation is applied after each block to update the state until every block has been processed. The finalization absorbs the key back into the state and, after two permutation calls, outputs a 128-bit tag. The tag is the concatenation of the state words S2 and S3.
The state is XORed with the key or plaintext after the permutation, as shown in Figure 1. The least significant 224 bits of the state are XORed with a domain separator. The domain separators of Sycon are as follows: for initialization, for AD processing, for message processing, and for tag generation. If the associated data are empty, is replaced by .
The Sycon permutation is an iterative application of a round function on the 320-bit state. The first 64 or 96 bits of the state, depending on the variant, form the rate, where user message bits are absorbed. The round function (R) consists of a sequence of three distinct transformations, SBox (SB), SubBlockDiffusion (SD), and AddRoundConstant (RC), i.e., . The -round permutation, denoted by , is constructed as .
The first layer is the nonlinear layer. Since Sycon's round function is an SPN, the nonlinear layer consists of 64 S-boxes; with the 320-bit state viewed as five 64-bit sub-blocks, each S-box is a 5-bit S-box acting on the bits at one position of the five sub-blocks. The S-box is computed as follows:
The second layer is the diffusion layer, which applies a linear transformation to the five 64-bit sub-blocks. The diffusion layer uses the following linear transformation:
The third layer is the add round constant layer. The round constants are generated by a four-bit LFSR defined by the polynomial . The LFSR state is written as , where . Starting from the initial state , the LFSR generates one round constant per round, each LFSR state giving a distinct constant. The four-bit LFSR state is expanded to a byte equal to . The round constants are listed in Table 3.
3.3. Cube Attack
Let a cryptographic algorithm be expressed as a polynomial f. The inputs of the algorithm (e.g., plaintext, initialization vector, nonce, associated data) are the input variables of f, and the output of the algorithm (e.g., ciphertext, tag) is the value of f. If a block cipher takes plaintext P, initialization vector , and key K as input and outputs ciphertext C, we can express it as , , , and , where , , and are bit representations, respectively.
Degree. A dense polynomial f of degree d has possible terms over GF(2). To remove the nonlinear terms of the polynomial, the attack needs to eliminate . Thus, as the degree grows, eliminating the nonlinear terms becomes harder.
Cube Variables. To eliminate the nonlinear terms from the polynomial f, the attacker divides f by another polynomial t, whose degree is . If f is divided by , it can be expressed as . Here, t is the product of the cube variables.
Superpolys. Assume that the dense polynomial f is divided by as above, . Then is the superpoly, which has degree 1. To obtain the superpoly, the attacker computes .
In a cube attack, choosing the cube variables is important: as the degree of the polynomial grows, the attacker needs more linear polynomials for Gaussian elimination. With more cube variables, the attacker can break more rounds. Moreover, f can be divided by variables, and the quotient will be a degree-1 polynomial. A cube attack first has to formulate the polynomial f. If f is not a dense polynomial, the degree of the superpoly Q changes with the chosen cube variables. For example, if the cube variables are , and A is bits multiplied with bits, then f could be , so Q has degree . Thus, to obtain a linear Q, the attacker needs fewer cube variables, .
To obtain m independent polynomials, the attacker has to analyze where the target bits are not multiplied with the input bits under the attacker's control, and selects control bits that are not multiplied with the target bits. Whether such a multiplication occurs can be determined by tracing the operations of the cipher; the typical multiplication step in a cipher is the S-box. After the attacker finds suitable cube variables from the polynomials, the cube attack determines the number of rounds it can cover. The cube attack then proceeds as follows:
Offline Phase. The attacker computes and stores the . The target bits can be expressed as linear polynomials , and the attacker computes a linear polynomial from the Q values: all inputs except the cube variables are set to 0, and then each bit of x is set in turn, so that every coefficient of x can be read off from the resulting data.
Online Phase. Treating the cipher as a given oracle, the attacker computes the cube sum of the oracle's responses . Using the polynomials stored in the offline phase, the attacker recovers the target bits A. If A has variables, the attacker needs cube-sum results. Gaussian elimination then yields the recovered target bits.
Brute Force Phase. If the cube variables are not enough to cover all rounds or to recover all target bits, the attacker exhaustively searches the remaining bits. For example, if l bits are recovered out of m target bits, the attacker performs an exhaustive search over the remaining m − l bits.
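The three phases above, together with the degree, cube-variable and superpoly definitions, as an added worked example that is not part of the paper and is not Sycon: a constructed output polynomial with six attacker-controlled public bits and four secret key bits stands in for one output bit of the cipher, and every function and variable name below is the example's own. The code sums the output over a cube, tests whether the resulting superpoly is linear, extracts its coefficients offline, turns the keyed oracle's cube sums into GF(2) equations online, solves them by Gaussian elimination, and exhaustively searches whatever key bits the system leaves undetermined.

```python
"""Toy cube attack over GF(2): offline, online and brute-force phases.

Added example, not from the paper and not Sycon. A constructed polynomial
f(v, k) stands in for one output bit of a cipher: v are public bits the
attacker controls (IV/nonce), k are secret key bits. Names are the example's own.
"""
import itertools
import random

N_PUB, N_KEY = 6, 4  # public (IV) bits the attacker controls, secret key bits


def toy_cipher(v, k):
    """Constructed output bit (assumption: stands in for the cipher's polynomial f).

    f = v0 v1 v2 (k0 + k2 + 1) + v0 v1 k1 k3 + v3 v4 k0 k1 + v5 k2 + v3 v5 k3 + v2 v4 k1 + k3
    """
    v0, v1, v2, v3, v4, v5 = v
    k0, k1, k2, k3 = k
    return ((v0 & v1 & v2 & (k0 ^ k2 ^ 1)) ^ (v0 & v1 & k1 & k3) ^ (v3 & v4 & k0 & k1)
            ^ (v5 & k2) ^ (v3 & v5 & k3) ^ (v2 & v4 & k1) ^ k3)


def cube_sum(f, cube, key):
    """XOR f over all 2^|cube| assignments of the cube bits, other public bits fixed to 0.

    For t = product of the cube bits this equals the superpoly Q(key): every term
    of f not divisible by t is counted an even number of times and cancels.
    """
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        v = [0] * N_PUB
        for idx, b in zip(cube, bits):
            v[idx] = b
        total ^= f(v, key)
    return total


def unit(i):
    """Key vector with only bit i set."""
    e = [0] * N_KEY
    e[i] = 1
    return e


def is_linear(f, cube, random_trials=64):
    """BLR linearity test on the superpoly: Q(a) + Q(b) + Q(0) == Q(a + b).

    Unit-vector pairs catch every quadratic monomial k_i k_j deterministically;
    random pairs catch higher-degree terms with overwhelming probability.
    """
    rng = random.Random(1)
    q0 = cube_sum(f, cube, [0] * N_KEY)
    pairs = [(unit(i), unit(j)) for i in range(N_KEY) for j in range(i + 1, N_KEY)]
    pairs += [([rng.randrange(2) for _ in range(N_KEY)],
               [rng.randrange(2) for _ in range(N_KEY)]) for _ in range(random_trials)]
    for a, b in pairs:
        ab = [x ^ y for x, y in zip(a, b)]
        if cube_sum(f, cube, a) ^ cube_sum(f, cube, b) ^ q0 != cube_sum(f, cube, ab):
            return False
    return True


def offline_phase(f, cubes):
    """Offline: the attacker evaluates f under keys of her choice (no secret involved).

    Keeps cubes with a linear superpoly and stores it as (coefficients, constant):
    key 0 gives the constant, key e_i gives constant + coefficient of k_i.
    """
    superpolys = {}
    for cube in cubes:
        if not is_linear(f, cube):
            continue  # superpoly of degree > 1 (here k0*k1): useless for a linear system
        const = cube_sum(f, cube, [0] * N_KEY)
        coeffs = [cube_sum(f, cube, unit(i)) ^ const for i in range(N_KEY)]
        superpolys[tuple(cube)] = (coeffs, const)
    return superpolys


def online_phase(oracle, superpolys):
    """Online: each cube sum of the keyed oracle gives one equation coeffs . k = rhs."""
    equations = []
    for cube, (coeffs, const) in superpolys.items():
        s = cube_sum(oracle, list(cube), None)  # the oracle ignores the key argument
        equations.append((coeffs, s ^ const))
    return equations


def solve_gf2(equations, n):
    """Gaussian elimination over GF(2); returns {index: bit} for each determined key bit."""
    rows = [coeffs[:] + [rhs] for coeffs, rhs in equations]
    pivots, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue  # free variable: left for the brute-force phase
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[r])]
        pivots.append((r, c))
        r += 1
    return {c: rows[i][n] for i, c in pivots if sum(rows[i][:n]) == 1}


def brute_force_phase(oracle, recovered, n=N_KEY):
    """Exhaustively search the m - l unrecovered key bits against the oracle."""
    free = [i for i in range(n) if i not in recovered]
    probes = list(itertools.product((0, 1), repeat=N_PUB))  # whole IV space: cheap for a toy
    expected = [oracle(v, None) for v in probes]
    for guess in itertools.product((0, 1), repeat=len(free)):
        cand = [0] * n
        for i, b in list(recovered.items()) + list(zip(free, guess)):
            cand[i] = b
        if all(toy_cipher(v, cand) == e for v, e in zip(probes, expected)):
            return cand
    return None


def attack(secret, cubes):
    """Run all three phases; the attacker only calls `oracle` and never sees `secret`."""
    oracle = lambda v, _unused: toy_cipher(v, secret)
    equations = online_phase(oracle, offline_phase(toy_cipher, cubes))
    recovered = solve_gf2(equations, N_KEY)
    return recovered, brute_force_phase(oracle, recovered)


if __name__ == "__main__":
    rec, key = attack([1, 1, 0, 1], [[0, 1, 2], [5], [3, 5], [3, 4]])
    print("recovered by cube sums:", rec, "full key after brute force:", key)
```

With the cubes {v0, v1, v2}, {v5}, {v3, v5} and {v3, v4}, the last cube is rejected by the linearity test (its superpoly is k0·k1, the situation where the target bits are multiplied together), the other three give l = 3 equations in m = 4 key bits, and k1 is left to a 2^1 exhaustive search; adding the cube {v2, v4} recovers all four bits linearly. A cube larger than any monomial of f, such as {v0, v1, v2, v3}, sums to zero for every key, which is the degree bound behind the choice of cube size.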