A Cube Attack on a Reduced-Round Sycon

Minjeong Cho, Hyejin Eom, Erzhena Tcydenova, Changhoon Lee

Research output: Contribution to journal › Article › peer-review

2 Scopus citations

Abstract

The cube attack was proposed at Eurocrypt 2009. The attack derives linear polynomials for specific output bits of a black-box cipher. Cube attacks aim to recover keys or secret states. In this paper, we present a cube attack on a 5-round Sycon permutation and a 6-round Sycon permutation with a 320-bit state, whose rate occupies 96 bits and whose capacity is 224 bits. We found cube variables whose superpoly involves the secret state. Using these cube variables, we recovered 32 bits of the secret state. The target algorithm was Sycon with 5-round and 6-round versions of the permutation. For the 5-round Sycon, we found a cube variable and recovered a state with a total of (Formula presented.) Sycon computations and (Formula presented.) bits of memory. For the 6-round Sycon, we found cube variables and recovered a state with a total of (Formula presented.) Sycon computations and (Formula presented.) bits of memory. When using brute force in a 5-round attack, (Formula presented.) operations were required, but the cube attack proposed in this paper had (Formula presented.) offline operations, and (Formula presented.) operations were required. When using brute force in a 6-round attack, (Formula presented.) operations were required, but the cube attack proposed in this paper required (Formula presented.) offline operations, and (Formula presented.) operations were required. For both attacks, the offline phase needs to be performed only once, after which its results can be reused. To the best of our knowledge, this is the first cube attack on Sycon.

Original language: English
Article number: 3605
Journal: Electronics (Switzerland)
Volume: 11
Issue number: 21
State: Published - Nov 2022

Keywords

  • cube attack
  • state recovery
  • sycon
