Applying cube attacks to stream ciphers in realistic scenarios

Cube attacks were introduced in Dinur and Shamir (2009) as a cryptanalytic technique that requires only black box access to the underlying cryptosystem. The attack exploits the existence of low degree polynomial representation of a single output bit (as a function of the key and plaintext bits) in order to recover the secret key. Although cube attacks can be applied in principle to almost any cryptosystem, most block ciphers iteratively apply a highly non-linear round function (based on Sboxes or arithmetic operations) a large number of times which makes them resistant to cube attacks. On the other hand, many stream ciphers (such as Trivium (De Cannière and Preneel 2008)), are built using linear or low degree components and are natural targets for cube attacks. In this paper, we describe in detail how to apply cube attacks to stream ciphers in various settings with different assumptions on the target stream cipher and on the data available to the attacker.