Security Analysis of WAGE Against Division Property Based Cube Attack

In recent years, as more Internet of Things (IoT) devices are connected to the internet, lightweight cryptography has become more and more important. WAGE is a LFSR-based authenticated encryption algorithm and one of the candidates in the NIST standard Lightweight Cryptography competition. It offers 128-bit security. In the literature, the best cryptanalytic estimates available for WAGE pertain to a correlation power attack that recovers the secret key up to 12 out of 111 rounds. In this paper, we evaluate the security of this cipher following the (bit-based) division property based cube attack using mixed-integerlinear-programming (MILP) models. Specifically, we investigate the security of the nonlinear feedback based initialization phase. To the best of our knowledge, our attack is the first one that investigates the security of the nonlinear feedback-based initialization phase of WAGE cipher. Theoretically, the results of our attack enable us to recover the secret key up to the reduced 18-round of the initialization phase utilizing 2123 time complexity and 26.32 keystream bits.