An Experimentally Verified Attack on Full Grain-128 Using Dedicated Reconfigurable Hardware

In this paper we describe the first single-key attack which can recover the full key of the full version of Grain-128 for arbitrary keys by an algorithm which is significantly faster than exhaustive search (by a factor of about 238). It is based on a new version of a cube tester, which uses an improved choice of dynamic variables to eliminate the previously made assumption that ten particular key bits are zero. In addition, the new attack is much faster than the previous weak-key attack, and has a simpler key recovery process. Since it is extremely difficult to mathematically analyze the expected behavior of such attacks, we implemented it on RIVYERA, which is a new massively parallel reconfigurable hardware, and tested its main components for dozens of random keys. These tests experimentally verified the correctness and expected complexity of the attack, by finding a very significant bias in our new cube tester for about 7.5% of the keys we tested. This is the first time that the main components of a complex analytical attack are successfully realized against a full-size cipher with a special-purpose machine. Moreover, it is also the first attack that truly exploits the configurable nature of an FPGA-based cryptanalytical hardware.

[1]  Martin Hell,et al.  A Stream Cipher Proposal: Grain-128 , 2006, 2006 IEEE International Symposium on Information Theory.

[2]  Shahram Khazaei,et al.  Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers , 2008, AFRICACRYPT.

[3]  Mitsuru Matsui,et al.  The First Experimental Cryptanalysis of the Data Encryption Standard , 1994, CRYPTO.

[4]  John Gilmore,et al.  Cracking DES - secrets of encryption research, wiretap politics and chip design: how federal agencies subvert privacy , 1998 .

[5]  Adi Shamir,et al.  Cube Attacks on Tweakable Black Box Polynomials , 2009, IACR Cryptol. ePrint Arch..

[6]  Paul Stankovski,et al.  Greedy Distinguishers and Nonrandomness Detectors , 2010, INDOCRYPT.

[7]  Michael Vielhaber Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack , 2007, IACR Cryptol. ePrint Arch..

[8]  Tim Güneysu,et al.  Cryptanalysis with COPACOBANA , 2008, IEEE Transactions on Computers.

[9]  Bart Preneel,et al.  Analysis of Grain's Initialization Algorithm , 2008, AFRICACRYPT.

[10]  Stephen Budiansky,et al.  Battle of Wits: The Complete Story of Codebreaking in World War II , 2000 .

[11]  Willi Meier,et al.  Efficient FPGA Implementations of High-Dimensional Cube Testers on the Stream Cipher Grain-128 , 2009, IACR Cryptol. ePrint Arch..

[12]  Thomas Johansson,et al.  A Framework for Chosen IV Statistical Analysis of Stream Ciphers , 2007, INDOCRYPT.

[13]  Xuejia Lai Higher Order Derivatives and Differential Cryptanalysis , 1994 .

[14]  María Naya-Plasencia,et al.  Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems , 2010, ASIACRYPT.

[15]  Antoine Joux,et al.  Algorithmic Cryptanalysis , 2009 .

[16]  Willi Meier,et al.  Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium , 2009, FSE.

[17]  Seokhie Hong,et al.  Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 , 2008, ACISP.

[18]  Adi Shamir,et al.  Breaking Grain-128 with Dynamic Cube Attacks , 2011, IACR Cryptol. ePrint Arch..

[19]  Tim Güneysu,et al.  Three Years of Evolution : Cryptanalysis with COPACOBANA , 2009 .