Some cryptanalytic results on Lizard

Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing $2^{58}$ random trials it is possible to find a set of $2^{64}$ triplets $(K, IV_0, IV_1)$ such that the Key-IV pairs $(K, IV_0)$ and $(K, IV_1)$ produce identical keystream bits. Second, we show that by performing only around $2^{28}$ random trials it is possible to obtain $2^{64}$ Key-IV pairs $(K_0, IV_0)$ and $(K_1, IV_1)$ that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around $2^{51.5}$ random IV encryptions (with each encryption required to produce $2^{18}$ keystream bits) and around $2^{76.6}$ bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.
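The first two results rest on a general principle: when the (Key, IV) space is larger than the internal state, many Key-IV pairs reach the same state after initialization, and a cipher whose keystream phase reads only the state then emits identical keystream for all of them, so a birthday-style random search finds such a pair far below exhaustive cost. The following toy is an added illustration of that principle and is not code from the paper, nor an implementation of Lizard: it is a constructed Grain-like cipher with a 16-bit NFSR and an 8-bit LFSR (24-bit state) loaded from a 24-bit key and a 12-bit IV. Every register size, tap position, feedback polynomial and round count below is an assumption chosen for the example; with a 24-bit state the search is expected to succeed after roughly $2^{12}$ random trials.

```python
import random

# Toy Grain-like cipher (constructed for this example, NOT Lizard):
# 16-bit NFSR + 8-bit LFSR = 24-bit state, 24-bit key, 12-bit IV.
NFSR_BITS, LFSR_BITS = 16, 8
KEY_BITS, IV_BITS = 24, 12
INIT_ROUNDS = 64


def _bit(x, i):
    return (x >> i) & 1


def load(key, iv):
    """Key/IV loading (toy). The 36 (K, IV) bits are squeezed into 24 state
    bits, so the loading alone is already non-injective, as the pigeonhole
    principle demands whenever key+IV exceeds the state size."""
    nfsr = (key & 0xFFFF) ^ (iv & 0xFFF)
    lfsr = (((key >> 16) & 0xFF) ^ ((iv >> 4) & 0xFF)) | 0x01
    return nfsr, lfsr


def output(nfsr, lfsr):
    """Nonlinear filter over a few taps of both registers (toy)."""
    return (_bit(nfsr, 1) ^ _bit(nfsr, 7) ^ _bit(lfsr, 3)
            ^ (_bit(nfsr, 4) & _bit(lfsr, 6))
            ^ (_bit(nfsr, 10) & _bit(nfsr, 13) & _bit(lfsr, 1)))


def clock(nfsr, lfsr, feedback_in):
    """One clock: both registers shift right, new bits enter at the top.
    feedback_in is the output bit during initialization and 0 afterwards."""
    # LFSR feedback taps for x^8 + x^4 + x^3 + x^2 + 1 (toy polynomial)
    l_fb = _bit(lfsr, 0) ^ _bit(lfsr, 2) ^ _bit(lfsr, 3) ^ _bit(lfsr, 4) ^ feedback_in
    # NFSR feedback: linear taps, a few products, and LFSR bit 0 (Grain-style)
    n_fb = (_bit(nfsr, 0) ^ _bit(nfsr, 3) ^ _bit(nfsr, 9) ^ _bit(nfsr, 12)
            ^ (_bit(nfsr, 2) & _bit(nfsr, 6))
            ^ (_bit(nfsr, 5) & _bit(nfsr, 11) & _bit(nfsr, 14))
            ^ _bit(lfsr, 0) ^ feedback_in)
    nfsr = (nfsr >> 1) | (n_fb << (NFSR_BITS - 1))
    lfsr = (lfsr >> 1) | (l_fb << (LFSR_BITS - 1))
    return nfsr, lfsr


def initialize(key, iv):
    """Load, then run INIT_ROUNDS clocks with the output fed back into both
    registers. Returns the 24-bit state that keystream generation starts from."""
    nfsr, lfsr = load(key, iv)
    for _ in range(INIT_ROUNDS):
        nfsr, lfsr = clock(nfsr, lfsr, output(nfsr, lfsr))
    return nfsr, lfsr


def keystream(state, n):
    """Keystream depends on the state only: the key is not re-read here, so
    two (K, IV) pairs with equal post-init state give equal keystream."""
    nfsr, lfsr = state
    bits = []
    for _ in range(n):
        bits.append(output(nfsr, lfsr))
        nfsr, lfsr = clock(nfsr, lfsr, 0)
    return bits


def find_state_collision(trials_limit=200000, seed=1):
    """Birthday search: draw random (K, IV), store post-init states, and stop
    at the first two distinct pairs that share a state. Returns
    ((K0, IV0), (K1, IV1), trials) or None if the limit is reached."""
    rng = random.Random(seed)
    seen = {}
    for trial in range(1, trials_limit + 1):
        key, iv = rng.getrandbits(KEY_BITS), rng.getrandbits(IV_BITS)
        state = initialize(key, iv)
        if state in seen and seen[state] != (key, iv):
            return seen[state], (key, iv), trial
        seen[state] = (key, iv)
    return None


if __name__ == "__main__":
    pair0, pair1, trials = find_state_collision()
    print("collision after %d trials: %s and %s" % (trials, pair0, pair1))
    print("identical keystream:",
          keystream(initialize(*pair0), 64) == keystream(initialize(*pair1), 64))
```

The search stores one 24-bit state per trial, which is the memory/time trade that the paper's $2^{58}$- and $2^{28}$-trial figures scale up to a 121-bit state; the toy's numbers say nothing about Lizard's actual complexities and only show why a state collision implies a keystream collision in a Grain-like design.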
