Breaking Grain-128 with Dynamic Cube Attacks

We present a new variant of cube attacks called a dynamic cube attack. Whereas standard cube attacks [4] find the key by solving a system of linear equations in the key bits, the new attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic cube attacks can create lower degree representations of the given cipher, which makes it possible to attack schemes that resist all previously known attacks. In this paper we concentrate on the well-known stream cipher Grain-128 [6], on which the best known key recovery attack [15] can recover only 2 key bits when the number of initialization rounds is decreased from 256 to 213. Our first attack runs in practical time complexity and recovers the full 128-bit key when the number of initialization rounds in Grain-128 is reduced to 207. Our second attack breaks a Grain-128 variant with 250 initialization rounds and is faster than exhaustive search by a factor of about 228. Finally, we present an attack on the full version of Grain-128 which can recover the full key but only when it belongs to a large subset of 2-10 of the possible keys. This attack is faster than exhaustive search over the 2118 possible keys by a factor of about 215. All of our key recovery attacks are the best known so far, and their correctness was experimentally verified rather than extrapolated from smaller variants of the cipher. This is the first time that a cube attack was shown to be effective against the full version of a well known cipher which resisted all previous attacks.

[1]  Adi Shamir,et al.  Cube Attacks on Tweakable Black Box Polynomials , 2009, IACR Cryptol. ePrint Arch..

[2]  Bart Preneel,et al.  Analysis of Grain's Initialization Algorithm , 2008, AFRICACRYPT.

[3]  Martin Hell,et al.  A Stream Cipher Proposal: Grain-128 , 2006, 2006 IEEE International Symposium on Information Theory.

[4]  Shahram Khazaei,et al.  Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers , 2008, AFRICACRYPT.

[5]  Thomas Johansson,et al.  A Framework for Chosen IV Statistical Analysis of Stream Ciphers , 2007, INDOCRYPT.

[6]  Willi Meier,et al.  Efficient FPGA Implementations of High-Dimensional Cube Testers on the Stream Cipher Grain-128 , 2009, IACR Cryptol. ePrint Arch..

[7]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[8]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[9]  Antoine Joux,et al.  Algorithmic Cryptanalysis , 2009 .

[10]  Willi Meier,et al.  Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium , 2009, FSE.

[11]  Xuejia Lai Higher Order Derivatives and Differential Cryptanalysis , 1994 .

[12]  Christophe De Cannière,et al.  Trivium: A Stream Cipher Construction Inspired by Block Cipher Design Principles , 2006, ISC.

[13]  Paul Stankovski,et al.  Greedy Distinguishers and Nonrandomness Detectors , 2010, INDOCRYPT.

[14]  María Naya-Plasencia,et al.  Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems , 2010, ASIACRYPT.

[15]  Seokhie Hong,et al.  Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 , 2008, ACISP.

[16]  Michael Vielhaber Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack , 2007, IACR Cryptol. ePrint Arch..