Fast Near Collision Attack on the Grain v1 Stream Cipher
Bin Zhang ∗, Chao Xu ∗ and Willi Meier ∗∗
∗ Chinese Academy of Sciences, ∗∗ FHNW, Switzerland
02-05-2018
Outline
1 Background and Motivation
2 Description of Grain v1
3 Preliminaries
4 Fast Near Collision Attacks: The General Framework
5 State Recovery Attacks on Grain v1
6 Conclusions
The eSTREAM Project
- As a rule of thumb, the internal state size of modern stream ciphers is at least twice as large as the key size, e.g., Grain v1 and Trivium.
- Grain v1 is one of the 7 finalists in the European eSTREAM project.
- Grain v1 has successfully withstood huge cryptanalysis efforts so far, especially in the single key model.
- Features: large internal state + high number of initialization rounds + NFSR-based.
Near Collision Attacks
- Widely studied in the domain of hash functions: near collisions should be avoided.
- Introduced into the domain of stream ciphers at FSE 2013 with a different meaning: from the keystream to the unknown internal state.
- A state recovery attack on Grain v1 itself is obtained by extrapolating from experiments on a reduced version to a theoretical analysis of the full version. But two assumptions are involved, which are essential to the success of the attack.
- Previous near collision attacks leave some open problems: high pre-processing and memory complexities, a large number of state variables, and the not fully resolved success rate issue.
Fast Near Collision Attack
- An entirely different strategy is proposed: without the previous assumptions and with an assured success rate.
- Combination of the near collision property with the divide-and-conquer strategy.
- Aims to address the situation of facing a large number of variables and non-linear state updating.
Our Contributions
- Develop a new cryptanalytic method on stream ciphers to deal with the large number of variables and non-linear state updating, called fast near collision attack (FNCA).
- A general framework of FNCA is established: from pre-computation to online algorithms, with theoretical analysis and extensive experiments.
- State/key recovery attack on Grain v1 in the single key model: all the complexity aspects and the success probability can be determined.
- Simulations on Grain v1 itself whenever possible, and on a reduced version with a 40-bit LFSR and a 40-bit NFSR.
Grain v1
- One of the 7 finalists selected by the eSTREAM project.
- A bit-oriented stream cipher with a pair of linked shift registers: an 80-bit LFSR feeding into an 80-bit NFSR.
[Figure: NFSR and LFSR feeding the output function h(x)]
- No key recovery attack in the single key model has been found yet.
Grain v1 Specification (1)

Given $(l_i, l_{i+1}, \ldots, l_{i+79})$, the LFSR state updating:

$$l_{i+80} = l_{i+62} \oplus l_{i+51} \oplus l_{i+38} \oplus l_{i+23} \oplus l_{i+13} \oplus l_i.$$

Given $(n_i, n_{i+1}, \ldots, n_{i+79})$, the NFSR state updating:

$$\begin{aligned}
n_{i+80} = {} & l_i \oplus n_{i+62} \oplus n_{i+60} \oplus n_{i+52} \oplus n_{i+45} \oplus n_{i+37} \oplus n_{i+33} \oplus n_{i+28} \oplus n_{i+21} \oplus n_{i+14} \oplus n_{i+9} \oplus n_i \\
& \oplus n_{i+63} n_{i+60} \oplus n_{i+37} n_{i+33} \oplus n_{i+15} n_{i+9} \oplus n_{i+60} n_{i+52} n_{i+45} \oplus n_{i+33} n_{i+28} n_{i+21} \\
& \oplus n_{i+63} n_{i+45} n_{i+28} n_{i+9} \oplus n_{i+60} n_{i+52} n_{i+37} n_{i+33} \oplus n_{i+63} n_{i+60} n_{i+21} n_{i+15} \\
& \oplus n_{i+63} n_{i+60} n_{i+52} n_{i+45} n_{i+37} \oplus n_{i+33} n_{i+28} n_{i+21} n_{i+15} n_{i+9} \\
& \oplus n_{i+52} n_{i+45} n_{i+37} n_{i+33} n_{i+28} n_{i+21}.
\end{aligned}$$
Grain v1 Specification (2)

$$h(x) = x_1 \oplus x_4 \oplus x_0 x_3 \oplus x_2 x_3 \oplus x_3 x_4 \oplus x_0 x_1 x_2 \oplus x_0 x_2 x_3 \oplus x_0 x_2 x_4 \oplus x_1 x_2 x_4 \oplus x_2 x_3 x_4,$$

which is chosen to be balanced and correlation immune of the first order, with the variables $(x_0, x_1, x_2, x_3, x_4) \to (l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63})$.

The keystream is

$$z_i = \bigoplus_{k \in A} n_{i+k} \oplus h(l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63}),$$

where $A = \{1, 2, 4, 10, 31, 43, 56\}$.

The details of the initialization phase are omitted here; the only property relevant to our work is that the initialization phase is invertible.
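The two register updates and the output function above, written out as an added example (not the authors' code): it clocks an 80-bit LFSR and 80-bit NFSR from an already set-up internal state and emits keystream bits, skipping the initialization phase exactly as the slides do. Index 0 of each list stands for $l_i$ / $n_i$.

```python
# Grain v1 keystream generation written from the update and output
# equations on these slides (added example, not the authors' code).
# Initialization is omitted, as on the slides: the 80-bit LFSR and
# 80-bit NFSR states are taken as already set up (bit 0 = l_i / n_i).
from typing import List, Sequence

A_TAPS = (1, 2, 4, 10, 31, 43, 56)  # NFSR taps XORed into z_i

def lfsr_feedback(l: Sequence[int]) -> int:
    # l_{i+80} = l_{i+62} + l_{i+51} + l_{i+38} + l_{i+23} + l_{i+13} + l_i
    return l[62] ^ l[51] ^ l[38] ^ l[23] ^ l[13] ^ l[0]

def nfsr_feedback(n: Sequence[int], l0: int) -> int:
    # n_{i+80} = l_i + linear NFSR taps + nonlinear monomials (& binds tighter than ^)
    linear = (l0 ^ n[62] ^ n[60] ^ n[52] ^ n[45] ^ n[37] ^ n[33]
              ^ n[28] ^ n[21] ^ n[14] ^ n[9] ^ n[0])
    nonlinear = (n[63] & n[60] ^ n[37] & n[33] ^ n[15] & n[9]
                 ^ n[60] & n[52] & n[45] ^ n[33] & n[28] & n[21]
                 ^ n[63] & n[45] & n[28] & n[9]
                 ^ n[60] & n[52] & n[37] & n[33]
                 ^ n[63] & n[60] & n[21] & n[15]
                 ^ n[63] & n[60] & n[52] & n[45] & n[37]
                 ^ n[33] & n[28] & n[21] & n[15] & n[9]
                 ^ n[52] & n[45] & n[37] & n[33] & n[28] & n[21])
    return linear ^ nonlinear

def h(x0: int, x1: int, x2: int, x3: int, x4: int) -> int:
    # Filter function h(x), balanced and first-order correlation immune
    return (x1 ^ x4 ^ x0 & x3 ^ x2 & x3 ^ x3 & x4 ^ x0 & x1 & x2
            ^ x0 & x2 & x3 ^ x0 & x2 & x4 ^ x1 & x2 & x4 ^ x2 & x3 & x4)

def output_bit(l: Sequence[int], n: Sequence[int]) -> int:
    # z_i = XOR_{k in A} n_{i+k} + h(l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63})
    z = h(l[3], l[25], l[46], l[64], n[63])
    for k in A_TAPS:
        z ^= n[k]
    return z

def keystream(l: Sequence[int], n: Sequence[int], nbits: int) -> List[int]:
    # Clock both registers nbits times; the NFSR also absorbs l_i each step.
    l, n = list(l), list(n)
    out = []
    for _ in range(nbits):
        out.append(output_bit(l, n))
        fl, fn = lfsr_feedback(l), nfsr_feedback(n, l[0])
        l, n = l[1:] + [fl], n[1:] + [fn]
    return out
```

Because no initialization is performed, the states passed to `keystream` are constructed inputs for checking the equations, not states reachable from a real key/IV pair.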
Basic Conceptions and Lemmas (1)

d-near-collision: Two n-bit strings $s, s'$ are said to be a d-near-collision if $w_H(s \oplus s') \le d$ holds.

Lemma. Given two random sets A and B consisting of elements of n-bit length and a condition set D, there exists a pair $(a, b) \in (A, B)$ satisfying one of the conditions in D if

$$|A| \cdot |B| \ge c \cdot \frac{2^n}{|D|} \qquad (1)$$

holds, where c is a constant that determines the existence probability of one good pair $(a, b)$.
Basic Conceptions and Lemmas (2)

DTU Crypto group: from random experiments of modest size, i.e., for each c value, 100 strings of length 40 to 49 for d-values from 10 to 15 were generated, not in a real cipher setting:

$$\Pr(d\text{-near-collision}) = \begin{cases} 0.606 & \text{if } c = 1 \\ 0.946 & \text{if } c = 3 \\ 0.992 & \text{if } c = 5. \end{cases}$$

Corollary. For a specified cipher and a chosen constant c, let A and B be the internal state subsets associated with the observable keystream vectors, where each element of A and B is of n-bit length. If we choose $|A| = 1$ and $|B| \ge c \cdot \frac{2^n}{|D|}$, then there exists an element $b_i \in B$ such that the pair $(a, b_i)$ with the only element $a \in A$ forms a d-near-collision pair with a probability dependent on c.
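The lemma's bound (1) and the corollary's $|A| = 1$ setting, as an added example (not the authors' or the DTU group's code): it counts the condition set D for d-near-collisions, derives the $|B|$ the bound prescribes for a given c, and compares the exact success probability for independent uniform draws with a small constructed random experiment at n = 16, d = 3 instead of the 40-to-49-bit strings on the slide.

```python
# Added example for the d-near-collision definition and the bound
# |A| * |B| >= c * 2^n / |D| with |A| = 1 (corollary). The parameters
# n = 16, d = 3 are constructed for a quick offline run; they are not
# the DTU experiment's and not a cipher setting.
import math
import random

def hamming_weight(x: int) -> int:
    return bin(x).count("1")

def is_d_near_collision(s: int, s2: int, d: int) -> bool:
    # Two n-bit strings are a d-near-collision if w_H(s xor s') <= d
    return hamming_weight(s ^ s2) <= d

def condition_set_size(n: int, d: int) -> int:
    # |D|: number of n-bit difference patterns of Hamming weight at most d
    return sum(math.comb(n, i) for i in range(d + 1))

def required_b_size(n: int, d: int, c: int) -> int:
    # Corollary: with |A| = 1 choose |B| >= c * 2^n / |D|
    return math.ceil(c * 2 ** n / condition_set_size(n, d))

def exact_probability(n: int, d: int, c: int) -> float:
    # For independent uniform draws, P(some b in B is within d of a)
    # = 1 - (1 - |D| / 2^n)^|B|; this is what the constant c controls.
    p_single = condition_set_size(n, d) / 2 ** n
    return 1.0 - (1.0 - p_single) ** required_b_size(n, d, c)

def estimate_probability(n: int, d: int, c: int, trials: int = 400, seed: int = 1) -> float:
    # Random experiment in the spirit of the slide: one a, |B| random b's,
    # count how often at least one d-near-collision pair (a, b) exists.
    rng = random.Random(seed)
    size_b = required_b_size(n, d, c)
    hits = 0
    for _ in range(trials):
        a = rng.getrandbits(n)
        if any(is_d_near_collision(a, rng.getrandbits(n), d) for _ in range(size_b)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    for c in (1, 3, 5):
        print(c, required_b_size(16, 3, c), exact_probability(16, 3, c),
              estimate_probability(16, 3, c))
```

With these parameters the exact probabilities are about 0.64, 0.95 and 0.99 for c = 1, 3, 5, the same shape as the slide's 0.606, 0.946 and 0.992.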