A New Distinguishing Attack on Grain-V1 with 111 Initialization Rounds
  • English title: A New Distinguishing Attack on Grain-V1 with 111 Initialization Rounds
  • Authors: MA Zhen; TIAN Tian; QI Wenfeng
  • Authors (English): MA Zhen; TIAN Tian; QI Wenfeng; National Digital Switching System Engineering & Technological Research Center
  • English keywords: Cryptanalysis; differential cryptanalysis; distinguishing attack; Grain-v1; stream cipher
  • Chinese journal name: XTYW
  • English journal name: Journal of Systems Science and Complexity (English Edition)
  • Institution: National Digital Switching System Engineering & Technological Research Center
  • Publication date: 2019-06-15
  • Publisher: Journal of Systems Science & Complexity
  • Year: 2019
  • Issue: v.32
  • Funding: supported by the National Natural Science Foundation of China under Grant Nos. 61521003 and 61672533; the National Cryptography Development Fund of China under Grant No. MMJJ20170103
  • Language: English
  • Page: XTYW201903015
  • Number of pages: 15
  • CN: 03
  • ISSN: 11-4543/O1
  • Classification number: 238-252
Abstract
The Grain-v1 stream cipher has been selected in the eSTREAM hardware finalists. In this paper, the authors derive a new distinguishing attack on Grain-v1 with 111 initialization rounds in a single-key setting. To achieve this goal, the authors present two delicate strategies targeting an obvious distinguishing probability of the output difference of reduced Grain-v1. The authors show that conditional differential cryptanalysis of reduced Grain-v1 with 111 initialization rounds could mount a distinguishing attack with success probability about 0.8281 for all secret keys. It is also shown that when the attacking round further increases to 112 and 113, the distributions of the output differences are nearly random. Thus far, to the best of the authors' knowledge, the attack on Grain-v1 with 111 initialization rounds is the best single-key cryptanalytic result for reduced versions of Grain-v1 in terms of the number of attacking rounds.
