A TMDTO Attack Against Lizard

Lizard is a very recently proposed lightweight stream cipher that claims 60-bit security against distinguishing (related to state recovery) and 80-bit security against key recovery. The cipher has a 121-bit state. In this paper, we first note that using $\psi$ keystream bits one can recover $\psi$ unknown bits of the state when $\tau$ state bits are fixed to a specific pattern; this is made possible by guessing the remaining state bits. We present values of $\psi, \tau$, chosen according to the state size, that allow mounting a generic conditional TMDTO attack following BSW sampling. For Lizard, we obtain a preprocessing complexity of $2^{67}$, and the maximum of the data, time and memory complexities during the online phase is $2^{54}$. The online-phase parameters are thus significantly below $2^{60}$.
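To make the trade-off concrete, the following is an added Python illustration of a conditional TMDTO of the kind the abstract describes; it is not the paper's attack and the target is not Lizard. It uses a toy 20-bit nonlinear filter generator, a condition that fixes $\tau = 4$ state bits to a constructed pattern, an offline table built over a random subset of the states satisfying that condition, and an online phase that slides a window over $D$ keystream positions and looks each one up. Generator, condition, pattern and all parameters (`N_BITS`, `TAU`, `PATTERN`, `PREFIX_LEN`, `VERIFY_LEN`, table size, $D$) are constructed for the demo; the step that recovers $\psi$ state bits from $\psi$ keystream bits is not modelled, so here the fixed bits only shrink the tabulated space from $2^{n}$ to $2^{n-\tau}$, at the price that only about $D/2^{\tau}$ of the online windows can hit a tabulated state at all. The educational point is the one every small-state design has to answer: once $M \cdot D$ approaches the size of the (conditioned) state space, a state is recovered with a table and a keystream budget far below exhaustive search.

```python
"""Toy conditional time-memory-data trade-off (TMDTO) against a small filter generator.

Added illustration, not the paper's attack on Lizard: the generator, the 20-bit state,
the 4-bit state condition and every parameter below are constructed for the demo.
"""
import random

N_BITS = 20                  # toy state size (constructed; Lizard's is 121)
MASK = (1 << N_BITS) - 1
TAU = 4                      # number of state bits fixed by the condition
PATTERN = 0b1010             # pattern those TAU low bits must take (constructed)
PREFIX_LEN = 32              # keystream bits used as the table key
VERIFY_LEN = 32              # extra keystream bits checked before accepting a hit


def clock(state):
    """One step of a 20-bit Fibonacci LFSR with feedback from bits 19 and 16."""
    fb = ((state >> 19) ^ (state >> 16)) & 1
    return ((state << 1) | fb) & MASK


def output_bit(state):
    """Nonlinear filter on the current state, so a keystream prefix does not hand
    back the state by plain linear algebra (the table is what recovers it)."""
    b = lambda i: (state >> i) & 1
    return b(0) ^ (b(3) & b(7)) ^ (b(11) & b(13)) ^ b(18)


def keystream(state, nbits):
    """Produce nbits of keystream starting from the given state."""
    out = []
    for _ in range(nbits):
        out.append(output_bit(state))
        state = clock(state)
    return out


def bits_to_int(bits):
    v = 0
    for bit in bits:
        v = (v << 1) | bit
    return v


def is_special(state):
    """The condition: the TAU low state bits equal PATTERN."""
    return (state & ((1 << TAU) - 1)) == PATTERN


def build_table(num_entries, rng):
    """Offline phase: map PREFIX_LEN keystream bits -> state for a random subset of
    the 2^(N_BITS-TAU) special states. Cost: num_entries keystream generations."""
    table = {}
    free_bits = N_BITS - TAU
    for high in rng.sample(range(1 << free_bits), num_entries):
        state = (high << TAU) | PATTERN
        table[bits_to_int(keystream(state, PREFIX_LEN))] = state
    return table


def online_attack(table, ks):
    """Online phase: slide over the observed keystream. Roughly one window in 2^TAU
    sits on a special state; if that state was tabulated, the lookup hits and the
    VERIFY_LEN extra bits confirm it. Returns (offset, state) or None."""
    window = PREFIX_LEN + VERIFY_LEN
    for i in range(len(ks) - window + 1):
        cand = table.get(bits_to_int(ks[i:i + PREFIX_LEN]))
        if cand is not None and keystream(cand, window) == ks[i:i + window]:
            return i, cand
    return None


def demo(seed=1, table_entries=1 << 15, data_windows=512):
    """Build a half-size table of special states (M = 2^15 of 2^16), draw a random
    secret state, observe D = 512 keystream windows, and try to recover the state."""
    rng = random.Random(seed)
    table = build_table(table_entries, rng)
    secret = rng.randrange(1, 1 << N_BITS)          # constructed secret state
    ks = keystream(secret, data_windows + PREFIX_LEN + VERIFY_LEN - 1)
    hit = online_attack(table, ks)
    return secret, ks, hit


if __name__ == "__main__":
    secret, ks, hit = demo()
    if hit is None:
        print("no hit (expected with probability about 2^-32 for these parameters)")
    else:
        offset, state = hit
        print(f"recovered state {state:#07x} at keystream offset {offset}")
```

With $M = 2^{15}$ of the $2^{16}$ special states tabulated and $D = 512$ windows, about $512/2^{4} = 32$ windows fall on special states, so the probability that none of them is in the table is roughly $2^{-32}$; the recovered state is the secret state clocked `offset` times, which the verification bits confirm before it is reported.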
