Cryptanalysis of Lightweight WG-8 Stream Cipher

WG-8 is a new lightweight variant of the well-known Welch-Gong (WG) stream cipher family, and takes an 80-bit secret key and an 80-bit initial vector (IV) as inputs. So far no attack on the WG-8 stream cipher has been published except the attacks by the designers. This paper shows that there exist Key-IV pairs for WG-8 that can generate keystreams which are exact shifts of each other throughout the keystream generation. By exploiting this slide property, an effective key recovery attack on WG-8 in the related key setting is proposed, which has a time complexity of $2^{53.32}$ and requires $2^{52}$ chosen IVs. The attack is minimal in the sense that it only requires one related key. Furthermore, we present an efficient key recovery attack on WG-8 in the multiple related key setting. As confirmed by the experimental results, our attack recovers all 80 bits of WG-8 in on a PC with 2.5-GHz Intel Pentium 4 processor. This is the first time that a weakness is presented for WG-8, assuming that the attacker can obtain only a few dozen consecutive keystream bits for each IV. Finally, we give a new Key/IV loading proposal for WG-8, which takes an 80-bit secret key and a 64-bit IV as inputs. The new proposal keeps the basic structure of WG-8 and provides enough resistance against our related key attacks.
