2017 2nd International Conference on Computer Science and Technology (CST 2017) ISBN: 978-1-60595-461-5 Cube Attacks on the Stream Cipher Grain-v1 Yong-juan WANGa*, Shi-yi ZHANG and Yang GAO Luoyang Foreign Language University, Luoyang, Henan Province, China [email protected] *Corresponding author Keywords: Algebra attack, Cube attack, Stream cipher, Grain-v1, Key recovery. Abstract. The Cube Attack was introduced by Itai Dinur and Adi Shamir. As a known plaintext attack on symmetric primitives, it is efficient to stream cipher, block cipher and hash functions. In this paper, we proposed a new method to find all the cubes U which could produce linear relations, and it is applied to simplified Grain-v1 variants with 60, 65 initialization rounds, from which we can obtain at least 25, 11 key bits respectively. Our results show that the Grain-v1 with reduced initialization rounds can be broken with Cube Attack, and the complexity is significantly lower than exhaustive search. Introduction At Crypto2008, the Cube Attack was introduced by Adi Shamir and his student as a known plaintext attack on symmetric primitives0. It is a major improvement over several previously published attacks of the same type, for example, Algebraic Initial Value Differential Attack (AIDA)0. In the key and public variables (plaintext or IV bits), if the output of cryptosystems can be represented by the polynomial FKIV(, ) overGF()2 via skillfully choosing arbitrary values for the public variables, the attacker may be able to obtain some linear equations. Moreover, given sufficient number of equations, a secret key could be recovered through queries to black box polynomial with tweakable public variables under Cube Attack 0 (e.g. choosing plaintext or initial value), which is followed by solving a linear system of equations in the secret key variables. Cube Attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box, even when nothing is known about its internal structure. At least one output bit can be represented by (an unknown) polynomial of relatively low degree in the secret and public variables, the attack has been applied to the ciphers MD6[3], Trivium0, Serpent0, Grain-1280, PHOTON0, Keccak0 and so on, and it works quite well. The stream cipher Grain-v1 was proposed by Hell, Johansson, Maximov, and Meier0 , Christophe De Cannière, Ozgül Kücük and Bart Preneel analyzed the initialization algorithm of Grain, showed that a sliding property of the initialization algorithm, which resulted in a very efficient related–key attack, and developed a differential attack on the Grain-v1 which recovered one out of 29 keys, and required 55 two related keys and 2 chosen pairs0. Yuseop lee, Kitae Jeong and Jaechul Sung extended the slide resynchronization attack and proposed related-key chosen IV 22.59 attacks on Grain-v1, the attack recovered the secret key with 2 chosen IV s, 226.29 -bit keystream sequences and 222.9 computational complexity[0. In recent years, 290 Differential Fault Attack, Near Collision Attack and Probabilistic Algebraic Attack also work on Grain-v1 with good results0. In this paper we provided a new attack approach to the cryptanalyst, and pushed Cube Attack to the reduced variant of Grain-v1. Our results show that the Grain-v1 with reduced number of initialization rounds can be broken with complexity that is significantly faster than exhaustive search. This paper is organized as follows. Following the introduction, we describe the Cube Attack in section 2. In section 3, we describe the stream cipher Grain-v1. In section 4, a new method to find all the cubes U is described and applied to the Grain-v1. In section 5, an improvement is described and applied to the Grain-v1 again. Finally, we conclude the paper in section 6. Cube Attack First, we give a brief overview of the Cube attack0. Throughout this paper, all polynomials = = = have coefficients in GF()2 , let IVv(,1 , vm ) and K (,xx1 ,n ), FKIVii(, ) Y denote the i -th output bit, if Uv=⊂{,,}{,,} v v v has been chosen then i -th ii1 k 1 m output bit can been represented as =+ Fx(,,,,,) xv v vv , , vPx() ,,, xV Qx (,,,,,) xv v . inmiiin1112 k 1 11 nm = ⋅ ∪ Notes Vv{,1 , vUm }\ , P() is linear polynomial in {,x1 ,xVn } , and does not contain any common variable with vv,, v , the polynomial Q misses at least one ii12 ik variable form vv,, v . Let C be the set of points where the variables ii12 ik ∪ in{,x1 ,xVn } are fixed and the variables in U are allowed to take all possible combination of values. Then F (,,,,,)xxvv=+ vvvPxxVQxxvv , ,() ,,, (,,,,,). (1) inmiiin1112 k 1 11 nm CC C ⋅= ⋅ Theorem1. For any polynomial Fi and subset U , PP() ()mod2. C Proof. For the polynomial Q is such that none of the terms in Q have the monomial vv,, v as a factor, summing each of terms in Q over all the 2k possible vectors, ii12 ik the sum value is 0, hence Q = 0 , on the other hand, the coefficient of P(⋅ ) in the C summation is 1 for only one case vvv===1. # iii12k According to Theorem 1, then (1) Fx(,,,,,) x v v=+ v , v , vPx() ,,, xV Q= Px (,,,) xV. inmiiin1112 k 1 1n CC C Brief Description of Grain-v1 Grain-v1 is one of the 3 final candidates of ECRYPT eStream project, which constants of a 80-bit LFSR, a 80-bit NFSR (both over GF()2 ), and a Boolean function hx0 (). The content of the LFSR is denoted by sii,,,ss++179 i , and the content of the NFSR is 291 denoted by bbii,,,++179 b i . The feedback polynomial f0 ()x of the LFSR is a primitive polynomial of degree 80. It is defined as =++++++18 29 42 57 67 80 f0 ()x 1 xxxxxx. The NFSR feedback polynomial g0 ()x is defined as =+18 + 20 + 28 + 35 + 43 + 47 + 52 + 59 + 66 + 71 + 80 gx0 () 1 xxxxxxxxxxx x17xxxxxxxxxxxxxxxxxxx 20+++ 43 47 65 71 20 28 35 + 47 52 59 + 17 35 52 71 + 20 28 43 47 ++xxxx17 20 59 65 xxxxx 17 20 28 35 43 + xxxxx 47 52 59 65 71 + xxxxxx 28 35 43 47 52 59 0 The cipher output bit Zt is derived from the current LFSR and NFSR states with a filter function hxxxxx001234(,,,,)as follows, 0 =+ Zbhssssbtikiiiii +0(,,,,) +++++ 3 25 46 64 63 kA∈ = where A {1,2,4,10,31,43,56}, the filter Boolean function hxxxxx001234(,,,,)is defined as =+++++ + + + + h0(,,,,) x 0 x 1 x 2 x 3 x 4 x 1 x 4 xx 03 xx 23 xx 34 xxx 012 xxx 023 xxx 024 xxx 124 xxx 234 Key Initialization Given a 80-bit key and a 64-bit IV , one initializes Grain-v1 by filling the NFSR with key, and the LFSR with the IV , the remaining bits of the LFSR are filled with ones, then the mechanism is clocked 160 times without producing the output, hx0 () is feedback and XOR with the input both to the LFSR and the NFSR, in the key initialization phase, we can get the contents of the shift registers before the running key is generated. Keystream Generation After the cipher is clocked 160 times, then the mechanism begins to produce output bits, see Figure 1. Figure 1. Keystream Generation. Cube Attack on Grain-v1 The main goal of Cube Attack is to find sufficiently U , then we may be able to obtain linearity polynomials P()⋅ . Through query to the cipher obtain the value of P()⋅ , and with sufficient number of linearly independent relations in the key bits, 292 the attacker can easily recover the key K via Gaussian elimination. Cube Attack is split into two stages: The Preprocessing Stage In order to find U , we use a linearity check approach, the IV s are formed by allowing variables in U to take all possible combinations of values while keeping variables in VIVU= \ fixed to 0. After the selection of U , then we take 100 random pairs of keys (,)X Y and check whether += + + Fiiii(,)(,)(,)(0,)X Y IV F X IV F Y IV F IV . (2) IV∈∈∈∈ C IV C IV C IV C If (2) is satisfied for all the 100 random pairs, then the polynomial P()⋅ is assumed to be linear in key bits 0. The randomized algorithm presented in 0 to find U starting with randomly chosen p(1)≥ variables and use a linearity test to check whether P()⋅ is linear. If U is too small, then P()⋅ is likely to be a nonlinear polynomial in the secret variables. In this case, the attacker adds a public variable to U and checks again. If U is too large, then P(⋅ ) will be a constant. And in this case, the attacker drops one of the public variables form U and checks again. The first problem of this algorithm is that not all U are tested, for it is chosen randomly and starting from a random set of variables. The chances of getting U are not expected to be high. So we select U by adding IV variables one by one. This process can generate all the U which could produce linear relations P()⋅ . See Figure 2. Figure 2 The approach selecting IV . For each of U satisfied linearity check, we need to compute corresponding P()⋅ . This involves finding the coefficients of L for n , and each L has n +1 coefficients including the constant term. To find them, we need to compute the sum FKIV(, )for n +1 keys : x = 0,ee , , e− , where e is the vector with the i -th i 01 n 1 i C component is 1 and the rest are 0.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages7 Page
-
File Size-