A New Version of Grain-128 with Authentication Martin ˚ Agren 1 Martin Hell 1 Thomas Johansson 1 Willi Meier 2 1 Lund University, Sweden 2 FHNW, Switzerland 110216 / Lyngby
Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 2 / 16
Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 3 / 16
Motivation and Goals ◮ Grain-128 is lightweight but some nonlinearities are too lightweight. ◮ Some applications need built-in authentication ◮ . . . but leaving it out should be possible. ◮ Allow for easy updating of existing implementations. ◮ . . . and trust! M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 4 / 16
Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 5 / 16
The Old Grain-128 g f NFSR LFSR h ◮ 128-bit key, 96-bit IV. ◮ An LFSR provides a large period. ◮ An NFSR with degree two updates the state nonlinearly. ◮ An output function of degree three produces nonlinear output. ◮ State bits are added linearly to ensure resiliency. ◮ Initialize in 256 rounds: feed output into the registers. ◮ Make faster by duplicating Boolean functions. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 6 / 16
IV Padding Sliding Property g f NFSR LFSR h ◮ The 96-bit IV goes into a 128-bit register and is padded with 111. . . 111. With high probability, a shifted key and a shifted IV will produce the exact same keystream, only with a shift. [K¨ u¸ c¨ uk06], [DeCaK¨ uPre08] ◮ Related-key Chosen-IV. [LeeJeongSungHong08] M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 7 / 16
Too Little Nonlinearity or Initialization ◮ Cube, 237/256 [AumDinHenMeiSha09] ◮ Maxterm, 256/256 [Stankovski10] Looking at the first keystream bits, the equations, in unknown key bits, are not complicated enough. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 8 / 16
Too Little Nonlinearity and Similar Bits ◮ Chosen-IV (cube): Assuming ten specific key bits to be zero, the equations simplify “enough”. [DinSha11] M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 9 / 16
Too Little Nonlinearity and Similar Bits ◮ Chosen-IV (cube): Assuming ten specific key bits to be zero, the equations simplify “enough”. [DinSha11] g f NFSR LFSR h ◮ Also, b i +95 and s i +95 are multiplied together. During initialization, they are too similar, meaning the complexity doesn’t grow as much as wanted. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 9 / 16
Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 10 / 16
Changes from Grain-128 g f NFSR LFSR h Grain-128 with changes: ◮ Pad the IV with 111. . . 11 0 . ◮ NFSR has nonlinearity four . ◮ Change a tap into the output function: b i +95 , s i + 94 , so that we don’t multiply bits that are “similar”. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 11 / 16
Authentication The above algorithm is used to produce pre-output stream . Use different parts of it for different things: ◮ Encryption ◮ Authentication M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 12 / 16
Authentication The above algorithm is used to produce pre-output stream . Use different parts of it for different things: ◮ Encryption ◮ Authentication m i c i Message Ciphertext Key Pre-output t Tag MAC generator IV z 0 z 1 . . . z 63 . . . . . . z 64+2 i z 65+2 i . . . M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 12 / 16
Authentication Accumulator m i . . . bits from pre-output Shift register ◮ A Wegman-Carter approach. ◮ Initialize both registers with pre-output bits. ◮ We multiply the message bit vector by a Toeplitz matrix. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 13 / 16
Authentication Accumulator m i . . . bits from pre-output Shift register ◮ A Wegman-Carter approach. ◮ Initialize both registers with pre-output bits. ◮ We multiply the message bit vector by a Toeplitz matrix. ◮ P S is the prob. that an attack succeeds. ◮ With perfectly random input to the shift register, P S = 2 − 32 . ◮ We have P S < 2 − 32 + 2 ǫ . [Krawczyk95], [˚ AHJ11], [Maximov06] M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 13 / 16
Hardware Characteristics Several nice aspects: ◮ We can still increase the speed up to 32x. ◮ We can leave out the authentication. ◮ . . . or part of it. w -bit tags for 2 − w . M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 14 / 16
Hardware Characteristics Several nice aspects: ◮ We can still increase the speed up to 32x. ◮ We can leave out the authentication. ◮ . . . or part of it. w -bit tags for 2 − w . The cheapest one — a version that produces one bit per clock: ◮ Grain-128: 2133 gate equivalents ◮ Grain-128a: 2243 gate equivalents; a five per cent increase (as a bonus, we initialize faster.) Adding authentication, we’d get a total of 2867 gate equivalents. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 14 / 16
Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 15 / 16
Conclusion Grain-128a ◮ is at least as secure than Grain-128, ◮ resists all current cryptanalysis on Grain-128, ◮ has optional authentication, ◮ is still hardware-efficient. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16
Conclusion Thank you! M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16
M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16
On Cube/Maxterm/AIDA/... number of rounds 256 200 150 100 50 bitset size 5 10 15 20 25 30 35 40 How does a greedy strategy aid in finding good bitsets? Upper curve: Stankovski’s on Grain-128. Lower curve: Ours on the pre-output of Grain-128a. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16
Recommend
More recommend