
2017 2nd International Conference on Computer Science and Technology (CST 2017) ISBN: 978-1-60595-461-5

Cube Attacks on the Grain-v1

Yong-juan WANG*, Shi-yi ZHANG and Yang GAO
Luoyang Foreign Language University, Luoyang, Henan Province, China
[email protected]
*Corresponding author

Keywords: Algebra attack, Cube attack, Stream cipher, Grain-v1, recovery.

Abstract. The Cube Attack was introduced by Itai Dinur and Adi Shamir. As a known plaintext attack on symmetric primitives, it is effective against stream ciphers and hash functions. In this paper, we propose a new method to find all the cubes U which can produce linear relations, and apply it to simplified Grain-v1 variants with 60 and 65 initialization rounds, from which we can obtain at least 25 and 11 key bits respectively. Our results show that Grain-v1 with reduced initialization rounds can be broken with the Cube Attack, with complexity significantly lower than exhaustive search.

Introduction

At Crypto 2008, the Cube Attack was introduced by Adi Shamir and his student as a known plaintext attack on symmetric primitives [1]. It is a major improvement over several previously published attacks of the same type, for example the Algebraic IV Differential Attack (AIDA) [2]. If the output can be represented by a polynomial $F(K, IV)$ over $GF(2)$ in the key and public variables (plaintext or IV bits), then by skilfully choosing values for the public variables the attacker may be able to obtain some linear equations. Moreover, given a sufficient number of equations, the secret key can be recovered through queries to the black box polynomial with tweakable public variables under the Cube Attack [1] (e.g. choosing the plaintext or initial value), followed by solving a linear system of equations in the secret key variables. Cube Attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box, even when nothing is known about its internal structure, provided at least one output bit can be represented by an (unknown) polynomial of relatively low degree in the secret and public variables. The attack has been applied to MD6 [3], Trivium [4], Serpent [5], Grain-128, PHOTON [7], Keccak [8] and so on, and it works quite well.

The stream cipher Grain-v1 was proposed by Hell, Johansson, Maximov and Meier [6]. Christophe De Cannière, Özgül Küçük and Bart Preneel analyzed the initialization algorithm of Grain, showed a sliding property of the initialization algorithm which results in a very efficient related-key attack, and developed a differential attack on Grain-v1 which recovers one out of $2^{9}$ keys and requires two related keys and $2^{55}$ chosen pairs [10]. Yuseop Lee, Kitae Jeong and Jaechul Sung extended the slide resynchronization attack and proposed related-key chosen IV attacks on Grain-v1; the attack recovers the secret key with $2^{22.59}$ chosen IVs, $2^{26.29}$-bit sequences and $2^{22.9}$ computational complexity [14]. In recent years, the Differential Fault Attack [17], Near Collision Attack [15] and Probabilistic Algebraic Attack [16] have also been applied to Grain-v1 with good results. In this paper we provide a new attack approach to the cryptanalyst and push the Cube Attack to the reduced variant of Grain-v1. Our results show that Grain-v1 with a reduced number of initialization rounds can be broken with complexity that is significantly lower than exhaustive search.

This paper is organized as follows. Following the introduction, we describe the Cube Attack in section 2. In section 3, we describe the stream cipher Grain-v1. In section 4, a new method to find all the cubes U is described and applied to Grain-v1. In section 5, an improvement is described and applied to Grain-v1 again. Finally, we conclude the paper in section 6.

Cube Attack

First, we give a brief overview of the Cube Attack [1]. Throughout this paper, all polynomials have coefficients in $GF(2)$. Let $IV = (v_1, \ldots, v_m)$ and $K = (x_1, \ldots, x_n)$, and let $F_i(K, IV) = Y_i$ denote the $i$-th output bit. If $U = \{v_{i_1}, \ldots, v_{i_k}\} \subset \{v_1, \ldots, v_m\}$ has been chosen, then the $i$-th output bit can be represented as

$F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = v_{i_1} v_{i_2} \cdots v_{i_k} \cdot P(x_1, \ldots, x_n, V) + Q(x_1, \ldots, x_n, v_1, \ldots, v_m).$

Note that $V = \{v_1, \ldots, v_m\} \setminus U$, $P(\cdot)$ is a linear polynomial in $\{x_1, \ldots, x_n\} \cup V$ which has no variable in common with $v_{i_1}, \ldots, v_{i_k}$, and every term of the polynomial $Q$ misses at least one variable from $v_{i_1}, \ldots, v_{i_k}$. Let $C$ be the set of points where the variables in $\{x_1, \ldots, x_n\} \cup V$ are fixed and the variables in $U$ are allowed to take all possible combinations of values. Then

$\sum_{C} F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = \sum_{C} v_{i_1} v_{i_2} \cdots v_{i_k} \cdot P(x_1, \ldots, x_n, V) + \sum_{C} Q(x_1, \ldots, x_n, v_1, \ldots, v_m).$ (1)

Theorem 1. For any polynomial $F_i$ and subset $U$, $\sum_{C} v_{i_1} v_{i_2} \cdots v_{i_k} \cdot P(\cdot) = P(\cdot) \bmod 2$.

Proof. Since none of the terms in $Q$ have the monomial $v_{i_1} v_{i_2} \cdots v_{i_k}$ as a factor, summing each term of $Q$ over all $2^k$ possible vectors gives an even count, hence $\sum_{C} Q = 0$. On the other hand, the coefficient of $P(\cdot)$ in the summation is 1 for only one case, $v_{i_1} = v_{i_2} = \cdots = v_{i_k} = 1$. #

According to Theorem 1, (1) becomes

$\sum_{C} F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = \sum_{C} v_{i_1} v_{i_2} \cdots v_{i_k} \cdot P(x_1, \ldots, x_n, V) + \sum_{C} Q = P(x_1, \ldots, x_n, V).$
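Theorem 1 can be checked mechanically on a small polynomial. The following is an added example, not code from the paper: it represents a $GF(2)$ polynomial as a set of monomials, computes $P(\cdot)$ symbolically (the terms divisible by the cube monomial, with the cube variables stripped) and confirms that the numeric cube sum $\sum_C F$ equals $P$ at every point of $\{x_1, \ldots, x_n\} \cup V$. The polynomial $F$ and the cube $U = \{v_1, v_2\}$ are constructed for this illustration.

```python
from itertools import product

# A GF(2) polynomial is a set of monomials; each monomial is a frozenset of variable
# names (frozenset() is the constant 1). A set is the right container because in
# GF(2) a monomial that appears twice cancels.

def evaluate(poly, assignment):
    """Evaluate a GF(2) polynomial at a {variable: bit} assignment."""
    total = 0
    for mono in poly:
        if all(assignment[v] for v in mono):
            total ^= 1
    return total

def symbolic_superpoly(poly, cube):
    """P(.) in the factorisation F = t_U * P + Q: keep the monomials that contain
    every cube variable, then strip the cube variables from them."""
    cube = frozenset(cube)
    return {mono - cube for mono in poly if cube <= mono}

def cube_sum(poly, cube, fixed):
    """Sum F over all 2^|U| assignments of the cube variables while the remaining
    variables (secret key bits and V) stay at the values given in `fixed`."""
    cube = sorted(cube)
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        assignment = dict(fixed)
        assignment.update(zip(cube, bits))
        total ^= evaluate(poly, assignment)
    return total

# Constructed sample polynomial (not from the paper):
#   F = v1 v2 x1 + v1 v2 x3 + v1 v2 + v1 x1 x2 + v2 v3 x2 + x1 x3 + v3
# For U = {v1, v2}: P = x1 + x3 + 1, and every term of Q misses v1 or v2.
F = {frozenset({"v1", "v2", "x1"}), frozenset({"v1", "v2", "x3"}), frozenset({"v1", "v2"}),
     frozenset({"v1", "x1", "x2"}), frozenset({"v2", "v3", "x2"}), frozenset({"x1", "x3"}),
     frozenset({"v3"})}
U = {"v1", "v2"}

def check_theorem(poly=F, cube=U, secret=("x1", "x2", "x3"), public_rest=("v3",)):
    """Theorem 1 numerically: for every key and every value of V, the cube sum of F
    equals the symbolic P evaluated at that point. Returns (all_agree, P)."""
    P = symbolic_superpoly(poly, cube)
    for key_bits in product((0, 1), repeat=len(secret)):
        for v_bits in product((0, 1), repeat=len(public_rest)):
            fixed = dict(zip(secret, key_bits))
            fixed.update(zip(public_rest, v_bits))
            if cube_sum(poly, cube, fixed) != evaluate(P, fixed):
                return False, P
    return True, P

if __name__ == "__main__":
    ok, P = check_theorem()
    print(ok, sorted(sorted(m) for m in P))   # True, [[], ['x1'], ['x3']]
```

The same check with the smaller cube $U = \{v_1\}$ still agrees with the theorem, but the resulting $P = v_2 x_1 + v_2 x_3 + v_2 + x_1 x_2$ is not linear in the key bits; that is exactly the situation the linearity test of section 4 is designed to detect.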

Brief Description of Grain-v1

Grain-v1 is one of the three final candidates of the ECRYPT eSTREAM project. It consists of an 80-bit LFSR, an 80-bit NFSR (both over $GF(2)$) and a Boolean function $h_0(x)$.

The content of the LFSR is denoted by $s_i, s_{i+1}, \ldots, s_{i+79}$, and the content of the NFSR is denoted by $b_i, b_{i+1}, \ldots, b_{i+79}$. The feedback polynomial $f_0(x)$ of the LFSR is a primitive polynomial of degree 80. It is defined as

$f_0(x) = 1 + x^{18} + x^{29} + x^{42} + x^{57} + x^{67} + x^{80}.$

The NFSR feedback polynomial $g_0(x)$ is defined as

$g_0(x) = 1 + x^{18} + x^{20} + x^{28} + x^{35} + x^{43} + x^{47} + x^{52} + x^{59} + x^{66} + x^{71} + x^{80} + x^{17}x^{20} + x^{43}x^{47} + x^{65}x^{71} + x^{20}x^{28}x^{35} + x^{47}x^{52}x^{59} + x^{17}x^{35}x^{52}x^{71} + x^{20}x^{28}x^{43}x^{47} + x^{17}x^{20}x^{59}x^{65} + x^{17}x^{20}x^{28}x^{35}x^{43} + x^{47}x^{52}x^{59}x^{65}x^{71} + x^{28}x^{35}x^{43}x^{47}x^{52}x^{59}.$

The cipher output bit $Z_t$ is derived from the current LFSR and NFSR states with a filter function $h_0(x_0, x_1, x_2, x_3, x_4)$ as follows:

$Z_t = \sum_{k \in A} b_{i+k} + h_0(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63}),$

where $A = \{1, 2, 4, 10, 31, 43, 56\}$, and the filter Boolean function $h_0(x_0, x_1, x_2, x_3, x_4)$ is defined as

$h_0(x_0, x_1, x_2, x_3, x_4) = x_1 + x_4 + x_0 x_3 + x_2 x_3 + x_3 x_4 + x_0 x_1 x_2 + x_0 x_2 x_3 + x_0 x_2 x_4 + x_1 x_2 x_4 + x_2 x_3 x_4.$

Key Initialization

Given an 80-bit key and a 64-bit IV, Grain-v1 is initialized by filling the NFSR with the key and the LFSR with the IV; the remaining bits of the LFSR are filled with ones. The mechanism is then clocked 160 times without producing output; during these clocks the output of $h_0(x)$ is fed back and XORed with the input to both the LFSR and the NFSR. In the key initialization phase we can thus get the contents of the shift registers before the running key is generated.

Keystream Generation

After the cipher has been clocked 160 times, the mechanism begins to produce output bits, see Figure 1.

Figure 1. Keystream Generation.

Cube Attack on Grain-v1

The main goal of the Cube Attack is to find sufficiently many $U$ for which we obtain linear polynomials $P(\cdot)$. By querying the cipher we obtain the value of $P(\cdot)$, and with a sufficient number of linearly independent relations in the key bits, the attacker can easily recover the key $K$ via Gaussian elimination. The Cube Attack is split into two stages.

The Preprocessing Stage

In order to find $U$, we use a linearity check approach: the IVs are formed by allowing the variables in $U$ to take all possible combinations of values while keeping the variables in $V = IV \setminus U$ fixed to 0. After the selection of $U$, we take 100 random pairs of keys $(X, Y)$ and check whether

$\sum_{IV \in C} F_i(X + Y, IV) = \sum_{IV \in C} F_i(X, IV) + \sum_{IV \in C} F_i(Y, IV) + \sum_{IV \in C} F_i(0, IV).$ (2)

If (2) is satisfied for all 100 random pairs, then the polynomial $P(\cdot)$ is assumed to be linear in the key bits [1]. The randomized algorithm presented in [1] finds $U$ by starting with $p \ (\geq 1)$ randomly chosen variables and using a linearity test to check whether $P(\cdot)$ is linear. If $U$ is too small, then $P(\cdot)$ is likely to be a nonlinear polynomial in the secret variables; in this case the attacker adds a public variable to $U$ and checks again. If $U$ is too large, then $P(\cdot)$ will be a constant; in this case the attacker drops one of the public variables from $U$ and checks again. The first problem of this algorithm is that not all $U$ are tested, since $U$ is chosen randomly starting from a random set of variables, and the chances of hitting a suitable $U$ are not expected to be high. So we select $U$ by adding IV variables one by one. This process can generate all the $U$ which produce linear relations $P(\cdot)$. See Figure 2.

Figure 2. The approach selecting IV.

For each $U$ that satisfies the linearity check, we need to compute the corresponding $P(\cdot)$. This involves finding the coefficients of the linear polynomial $L$ in the $n$ key variables, and each $L$ has $n + 1$ coefficients including the constant term. To find them, we compute the sum $\sum_{C} F_i(K, IV)$ for the $n + 1$ keys $x = 0, e_0, \ldots, e_{n-1}$, where $e_i$ is the vector whose $i$-th component is 1 and the rest are 0. The IVs are formed by allowing the variables in $U$ to take all possible combinations of values while keeping the variables in $V = IV \setminus U$ fixed to 0.

The program was executed on a Genuine Intel(R) processor with a 1.83 GHz CPU and 760 MB of RAM. We pushed the attack on the Grain-v1 variant which uses 60 initialization rounds and chose $|U| = 1, 2, 3, 4$ (because of hardware limitations, we limited $|U|$ to a maximum of 4); we can obtain at least 25 linear relations. With the same approach, we can obtain at least 11 linear relations when Grain-v1 is initialized with 65 rounds.

The Online Stage

We obtain 25 linear equations and compute the sum $\sum_{C} F_i(K, IV)$ for the 25 linear relations $P(\cdot)$, so we easily recover 25 key bits via Gaussian elimination. The complexity of the attack is $O(2^{55})$, since it is dominated by an exhaustive search for the remaining $80 - 25 = 55$ key bits. Likewise, when we recover 11 key bits the complexity of the attack is $O(2^{69})$. Finally, we randomly take 80 key bits and 64 IV bits, and when Grain-v1 is initialized with 10 rounds we compare the 25 key bits recovered using the above result with the true values. Over 5000 tests, the probability of success is about 50%.

Remark 1. In the process of actual testing, when $|U| = 1, 2, 3, 4$, we only did a part of the testing due to hardware limitations. If all the testing is completed, more key bits will probably be recovered. Therefore we say "at least" in this article.
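The online stage above is linear algebra over $GF(2)$. The following is an added example, not code from the paper: each superpoly $P$ is given as (constant term, coefficient vector), the observed cube sum $\sum_C F_i(K, IV)$ is turned into the relation $\sum_i a_i x_i = \text{observed} + \text{const}$, and Gaussian elimination with rows stored as integer bitmasks reports which key bits are pinned down and how many independent relations there are, so that $2^{n - \mathrm{rank}}$ keys remain for exhaustive search (the paper's $80 - 25 = 55$). The 8-bit key and the six superpolys are constructed for illustration and are not Grain-v1's.

```python
def superpoly_value(superpoly, key):
    """P(K) = const + sum_i a_i k_i over GF(2): the value the attacker obtains by
    summing the cipher's output over the cube in the online stage."""
    const, coeffs = superpoly
    v = const
    for a, k in zip(coeffs, key):
        v ^= a & k
    return v

def solve_gf2(relations, n):
    """Gaussian elimination over GF(2). relations: list of (coeffs, rhs) meaning
    sum_i coeffs[i] * x_i = rhs. Each row is an int: bit i (i < n) is the coefficient
    of x_i, bit n is the right-hand side. Returns (determined, rank): `determined`
    maps the key indices that the equations pin down to their value; `rank` is the
    number of independent relations, so 2^(n - rank) keys remain to be searched."""
    rows = []
    for coeffs, rhs in relations:
        r = rhs << n
        for i, c in enumerate(coeffs):
            r |= c << i
        rows.append(r)
    rank = 0
    for col in range(n):
        mask = 1 << col
        pivot = next((i for i in range(rank, len(rows)) if rows[i] & mask), None)
        if pivot is None:
            continue                       # no relation involves x_col any more
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):         # clear x_col from every other row (RREF)
            if i != rank and rows[i] & mask:
                rows[i] ^= rows[rank]
        rank += 1
    if any(r == 1 << n for r in rows):     # a row reading 0 = 1
        raise ValueError("inconsistent relations: some superpoly was not linear")
    determined = {}
    for r in rows[:rank]:
        coeff_part = r & ((1 << n) - 1)
        if coeff_part & (coeff_part - 1) == 0:   # exactly one key bit left in the row
            determined[coeff_part.bit_length() - 1] = r >> n
    return determined, rank

def online_stage(superpolys, observed, n):
    """Turn each observed cube sum into the relation sum_i a_i x_i = observed + const and solve."""
    relations = [(coeffs, obs ^ const) for (const, coeffs), obs in zip(superpolys, observed)]
    return solve_gf2(relations, n)

# Constructed sample (hypothetical values, not Grain-v1's): an 8-bit key and six
# superpolys in the (constant, coefficients) shape the preprocessing stage produces.
SECRET = [1, 0, 1, 1, 0, 0, 1, 0]
SUPERPOLYS = [
    (1, [1, 0, 0, 0, 0, 0, 0, 0]),   # 1 + x0
    (0, [0, 0, 0, 1, 0, 0, 0, 0]),   # x3
    (0, [0, 1, 1, 0, 0, 0, 0, 0]),   # x1 + x2
    (0, [0, 1, 1, 0, 0, 1, 0, 0]),   # x1 + x2 + x5
    (1, [0, 0, 0, 0, 0, 0, 1, 1]),   # 1 + x6 + x7
    (0, [0, 1, 1, 0, 0, 0, 0, 0]),   # x1 + x2 again: dependent, adds nothing
]

def demo():
    """Simulate the online stage on the constructed sample."""
    observed = [superpoly_value(p, SECRET) for p in SUPERPOLYS]   # the cube sums
    determined, rank = online_stage(SUPERPOLYS, observed, len(SECRET))
    return determined, rank, len(SECRET) - rank

if __name__ == "__main__":
    print(demo())   # ({0: 1, 3: 1, 5: 0}, 5, 3)
```

Only $x_0$, $x_3$ and $x_5$ are recovered outright; $x_1 + x_2$ and $x_6 + x_7$ are known as sums, and the duplicate relation does not raise the rank. With rank 5 out of 8 unknowns, $2^3$ candidate keys remain, which is the bookkeeping behind the paper's $O(2^{80-25})$ figure.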

Improved Cube Attack on Grain-v1

In section 4.1, we take 100 random pairs of keys $(X, Y)$ and check whether

$\sum_{IV \in C} F_i(X + Y, IV) = \sum_{IV \in C} F_i(X, IV) + \sum_{IV \in C} F_i(Y, IV) + \sum_{IV \in C} F_i(0, IV).$

If it is satisfied for all 100 random pairs, we assume that we have obtained a linear polynomial $P(\cdot)$ in the key bits. Now we instead select 40 fixed pairs of keys, $(e_0, e_1), (e_2, e_3), \ldots, (e_{78}, e_{79})$, and check whether

$\sum_{IV \in C} F_i(e_{2j} + e_{2j+1}, IV) = \sum_{IV \in C} F_i(e_{2j}, IV) + \sum_{IV \in C} F_i(e_{2j+1}, IV) + \sum_{IV \in C} F_i(0, IV),$ (3)

where $j = 0, 1, 2, \ldots, 39$, and $e_{2j}$ (resp. $e_{2j+1}$) is the vector whose $2j$-th (resp. $(2j+1)$-th) component is 1 and the rest are 0. If (3) is satisfied for all 40 fixed pairs, we assume that we have obtained a linear polynomial $P(\cdot)$; the approach for finding $U$ is the same as in section 4.1. We then test again and obtain at least 42 and 37 linear relations when Grain-v1 is initialized with 60 and 65 rounds, which require $2^{9}$ and $2^{8}$ keystream bits respectively. The complexity of the attacks is $O(2^{38})$ and $O(2^{43})$. Over 5000 tests with the new approach, the probability of success in recovering the keys is also about 50%.

Remark 2. When $|U| = 1, 2, 3, 4$, we only did a part of the testing due to hardware limitations. If all the testing is completed, the result will probably be better. Therefore we say "at least" in this article.
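The preprocessing stage of section 4 and the fixed-pair variant of this section share the same machinery: a reduced-round Grain-v1, the cube sum $\sum_{IV \in C} F_i(K, IV)$, the two linearity checks (2) and (3), and the recovery of the $n + 1$ coefficients of $P$ from the keys $0, e_0, \ldots, e_{79}$. The following is an added example, not the paper's program: it implements Grain-v1 from the description in section 3 (the output bit is fed back into both registers during the initialization clocks, as in the cipher specification) with a configurable number of initialization rounds, and builds the checks on top of it. The function names, the seed of the random pairs and the choice of zero initialization rounds in the trailing demonstration (which makes the superpoly of $U = \{v_{46}\}$ checkable by hand as $1 + x_{63}$) are this example's own; the paper's cubes and round counts are not reproduced here.

```python
import random
from itertools import product

# Grain-v1 reduced to `rounds` initialization clocks (the real cipher uses 160).
# Indexing follows the paper: NFSR b_0..b_79 = key, LFSR s_0..s_63 = IV, s_64..s_79 = 1.
A = (1, 2, 4, 10, 31, 43, 56)   # NFSR positions added linearly into the output

def h(x0, x1, x2, x3, x4):
    """Filter function h_0 of Grain-v1."""
    return (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4) ^ (x0 & x1 & x2)
            ^ (x0 & x2 & x3) ^ (x0 & x2 & x4) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))

def output_bit(s, b):
    """z = sum_{k in A} b_k + h_0(s_3, s_25, s_46, s_64, b_63)."""
    z = 0
    for k in A:
        z ^= b[k]
    return z ^ h(s[3], s[25], s[46], s[64], b[63])

def lfsr_feedback(s):
    """s_80 = s_62 + s_51 + s_38 + s_23 + s_13 + s_0 (the term x^j of f_0 becomes s_{80-j})."""
    return s[62] ^ s[51] ^ s[38] ^ s[23] ^ s[13] ^ s[0]

def nfsr_feedback(s, b):
    """b_80 = s_0 + g(b_0..b_79), the term x^j of g_0 becoming b_{80-j}."""
    g = (b[62] ^ b[60] ^ b[52] ^ b[45] ^ b[37] ^ b[33] ^ b[28] ^ b[21] ^ b[14] ^ b[9] ^ b[0]
         ^ (b[63] & b[60]) ^ (b[37] & b[33]) ^ (b[15] & b[9])
         ^ (b[60] & b[52] & b[45]) ^ (b[33] & b[28] & b[21])
         ^ (b[63] & b[45] & b[28] & b[9]) ^ (b[60] & b[52] & b[37] & b[33])
         ^ (b[63] & b[60] & b[21] & b[15])
         ^ (b[63] & b[60] & b[52] & b[45] & b[37]) ^ (b[33] & b[28] & b[21] & b[15] & b[9])
         ^ (b[52] & b[45] & b[37] & b[33] & b[28] & b[21]))
    return s[0] ^ g

def first_keystream_bit(key, iv, rounds):
    """F_0(K, IV): `rounds` initialization clocks with the output fed back into both
    registers, then the first keystream bit."""
    s = list(iv) + [1] * 16
    b = list(key)
    for _ in range(rounds):
        z = output_bit(s, b)
        s, b = s[1:] + [lfsr_feedback(s) ^ z], b[1:] + [nfsr_feedback(s, b) ^ z]
    return output_bit(s, b)

def cube_sum(key, cube, rounds):
    """sum_{IV in C} F_0(key, IV): the IV bits in U run over all 2^|U| values,
    every other IV bit (the set V) is held at 0."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        iv = [0] * 64
        for idx, bit in zip(cube, bits):
            iv[idx] = bit
        total ^= first_keystream_bit(key, iv, rounds)
    return total

ZERO_KEY = [0] * 80

def unit(i):
    """e_i: the 80-bit key whose only set bit is the i-th."""
    e = [0] * 80
    e[i] = 1
    return e

def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]

def passes_random_pair_check(cube, rounds, pairs=100, seed=0):
    """Linearity check (2): random key pairs (X, Y) must satisfy S(X+Y) = S(X) + S(Y) + S(0)."""
    rng = random.Random(seed)
    s0 = cube_sum(ZERO_KEY, cube, rounds)
    for _ in range(pairs):
        x = [rng.randint(0, 1) for _ in range(80)]
        y = [rng.randint(0, 1) for _ in range(80)]
        if cube_sum(xor(x, y), cube, rounds) != cube_sum(x, cube, rounds) ^ cube_sum(y, cube, rounds) ^ s0:
            return False
    return True

def passes_fixed_pair_check(cube, rounds):
    """Linearity check (3): the 40 fixed pairs (e_2j, e_2j+1), j = 0..39, in place of random ones."""
    s0 = cube_sum(ZERO_KEY, cube, rounds)
    for j in range(40):
        a, c = unit(2 * j), unit(2 * j + 1)
        if cube_sum(xor(a, c), cube, rounds) != cube_sum(a, cube, rounds) ^ cube_sum(c, cube, rounds) ^ s0:
            return False
    return True

def recover_superpoly(cube, rounds):
    """The n + 1 coefficients of a linear P: constant = S(0), coefficient of x_i = S(e_i) + S(0)."""
    const = cube_sum(ZERO_KEY, cube, rounds)
    return const, [cube_sum(unit(i), cube, rounds) ^ const for i in range(80)]

if __name__ == "__main__":
    # With 0 initialization rounds the first output bit is z = sum_A b_k + h_0(v_3, v_25, v_46, 1, k_63),
    # so the cube U = {v_46} has superpoly 1 + x_63: constant 1, coefficient 1 only at index 63.
    print(passes_fixed_pair_check([46], 0), recover_superpoly([46], 0))
```

The fixed-pair check costs 3 cube sums per pair plus $S(0)$, against 3 per random pair, so the 40 fixed pairs need 121 cube sums where the 100 random pairs need 301; that accounts for the smaller keystream requirement this section reports. Raising `rounds` towards 160 and growing `cube` one IV index at a time, as the paper's Figure 2 describes, is how the two checks are used in practice.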


Conclusions

In this paper, simplified Grain-v1 variants have been cryptanalyzed using the Cube Attack. We proposed a new approach to find all the cubes $U$ which can produce linear relations, applied it to Grain-v1 with 60 and 65 initialization rounds, and the attack works quite well. Furthermore, in section 5 we developed an improvement and tested again; the complexity of the improved attack is reduced to $2^{38}$ and $2^{43}$ for Grain-v1 with 60 and 65 initialization rounds respectively.

References

[1] I. Dinur and A. Shamir. Cube Attacks on Tweakable Black Box Polynomials. EUROCRYPT 2009, 2009, 5479: 278-299.
[2] M. Vielhaber. Breaking ONE.FIVIUM by AIDA: An Algebraic IV Differential Attack. Cryptology ePrint Archive Report, 2007. http://eprint.iacr.org/2007/413.
[3] J. P. Aumasson, I. Dinur, L. Henzen, et al. Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and . Fast Software , O. Dunkelman, Springer, 2009.
[4] S. Bedi and N. R. Pillai. Cube attacks on Trivium. Cryptology ePrint Archive Report, 2009. http://eprint.iacr.org/2009/015.
[5] I. Dinur and A. Shamir. Side Channel Cube Attacks on Block Ciphers. IACR Cryptology ePrint Archive, 2009. http://eprint.iacr.org/2009/127.
[6] M. Hell, T. Johansson and W. Meier. Grain: A stream cipher for constrained environments. IJWMC, 2007, 2(1): 86-93.
[7] Lu C. Y., Lin Y. W., Jen S. M., et al. on PHOTON hash function using cube attack, 2012.
[8] I. Dinur, P. Morawiecki, J. Pieprzyk, et al. Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function. Advances in Cryptology - EUROCRYPT 2015. Springer Berlin Heidelberg, 2015: 733-761.
[9] C. Berbain, H. Gilbert and A. Maximov. Cryptanalysis of Grain. Fast Software Encryption, 2006: 15-29.
[10] Christophe De Cannière, Özgül Küçük and Bart Preneel. Analysis of Grain's initialization algorithm. SASC, 2008.
[11] A. Biryukov and D. Wagner. Slide Attacks. Fast Software Encryption, 1999: 245-249.
[12] E. Biham and A. Shamir. Differential Cryptanalysis of the . Springer-Verlag, 1993.
[13] K. Shahram, H. Mehdi and K. Mohammad. Distinguishing attack on Grain. ECRYPT Stream Cipher Project Report, 2005. http://www.ecrypt.eu.org/stream/papersdir/071.pdf.
[14] Y. Lee, K. Jeong, J. Sung and S. Hong. Related-key Chosen IV attack on Grain-v1 and Grain-128. ACISP, 2008, 5107: 321-335.
[15] Zhang B., Li Z., Feng D., et al. Near Collision Attack on the Grain v1 Stream Cipher. Fast Software Encryption, 2014: 518-538.
[16] P. Datta, D. Roy and S. Mukhopadhyay. A Probabilistic Algebraic Attack on the Grain Family of Stream Ciphers. Network and System Security, 2014: 558-565.
[17] S. Banik, S. Maitra and S. Sarkar. A Differential Fault Attack on the Grain Family of Stream Ciphers. International Conference on Cryptographic Hardware and Embedded Systems, Springer-Verlag, 2012: 122-139.
[18] M. Piotr and S. Janusz. The Cube Attack on Courtois Toy Cipher, 2009. http://eprint.iacr.org/2009/497.pdf.