Extended cubes: enhancing the cube attack by extracting low-degree non-linear equations

In this paper, we propose an efficient method for extracting simple low-degree equations (e.g. quadratic ones) in addition to the linear ones, obtainable from the original cube attack by Dinur and Shamir at EUROCRYPT 2009. This extended cube attack can be successfully applied even to cryptosystems in which the original cube attack may fail due to the attacker's inability in finding sufficiently many independent linear equations. As an application of our extended method, we exhibit a side channel cube attack against the PRESENT block cipher using the Hamming weight leakage model. Our side channel attack improves upon the previous work of Yang, Wang and Qiao at CANS 2009 from two aspects. First, we use the Hamming weight leakage model which is a more relaxed leakage assumption, supported by many previously known practical results on side channel attacks, compared to the more challenging leakage assumption that the adversary has access to the "exact" value of the internal state bits as used by Yang et al. Thanks to applying the extended cube method, our attack has also a reduced complexity compared to that of Yang et al. Namely, for PRESENT-80 (80-bit key variant) as considered by Yang et al., our attack has a time complexity 216 and data complexity of about 213 chosen plaintexts; whereas, that of Yang et al. has time complexity of 232 and needs about 215 chosen plaintexts. Furthermore, our method directly applies to PRESENT-128 (i.e. 128-bit key variant) with time complexity of 264 and the same data complexity of 213 chosen plaintexts.