Observing biases in the state: case studies with Trivium and Trivia-SC

One generic model of a stream cipher updates an internal state and then combines state bits to produce the key-stream. If the state bits are biased, that bias may carry over to the key-stream bits and yield weaknesses in the cipher (a distinguisher and/or key recovery). In this context, we study state biases as well as key-stream biases in detail. We first experiment with cube testers and heuristically obtain several distinguishers for Trivium running more than 800 rounds (at most 829) with cube sizes not exceeding 27. We then apply our techniques to Trivia-SC (the stream cipher used in the TriviA-ck AEAD scheme, selected for the second round of the CAESAR competition) and obtain distinguishers up to 950 rounds with a cube size of only 25. On Trivia-SC, our results refute certain claims made by the designers regarding resistance to both cube and slide attacks. Our detailed empirical analysis provides new results in the reduced-round cryptanalysis of Trivium and Trivia-SC.
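The following Python example is added here to illustrate the cube-tester idea the abstract refers to; it is not code from the paper. It implements Trivium's state update (taps from the eSTREAM specification, 1-indexed in the spec and 0-indexed here) with a configurable number of initialization rounds, a simple per-position degree-bound tracker of my own construction, and a cube tester that XORs the first keystream bit over a cube of IV positions for random keys; the cube positions and round counts are constructed sample values, and the heuristic cube search of the paper is not reproduced.

```python
import random

def trivium_init(key, iv, rounds):
    """Load 80-bit key and IV (lists of 0/1 bits) into the 288-bit state and clock
    it `rounds` times without output; the full cipher uses 4*288 = 1152 rounds."""
    s = key + [0] * 13 + iv + [0] * 4 + [0] * 108 + [1, 1, 1]
    for _ in range(rounds):
        s = trivium_clock(s)[1]
    return s

def trivium_clock(s):
    """One Trivium step: returns (keystream bit, next state). The spec's 1-indexed
    taps (s66, s93, s162, s177, s243, s288, ...) appear here as index minus one."""
    t1, t2, t3 = s[65] ^ s[92], s[161] ^ s[176], s[242] ^ s[287]
    z = t1 ^ t2 ^ t3
    t1 ^= (s[90] & s[91]) ^ s[170]
    t2 ^= (s[174] & s[175]) ^ s[263]
    t3 ^= (s[285] & s[286]) ^ s[68]
    return z, [t3] + s[:92] + [t1] + s[93:176] + [t2] + s[177:287]

def degree_bound(rounds):
    """Upper bound on the degree, in the IV bits, of the first keystream bit after
    `rounds` init rounds: push per-position bounds through the taps (XOR: max, AND: sum)."""
    d = [0] * 93 + [1] * 80 + [0] * 4 + [0] * 111   # key bits are constants: degree 0
    for _ in range(rounds):
        na = max(d[242], d[287], d[285] + d[286], d[68])
        nb = max(d[65], d[92], d[90] + d[91], d[170])
        nc = max(d[161], d[176], d[174] + d[175], d[263])
        d = [na] + d[:92] + [nb] + d[93:176] + [nc] + d[177:287]
    return max(d[65], d[92], d[161], d[176], d[242], d[287])

def cube_sum(key, cube, rounds):
    """XOR of the first keystream bit over all 2^|cube| settings of the cube IV bits
    (other IV bits 0): the cube's superpoly, hence 0 for every key if degree < |cube|."""
    acc = 0
    for mask in range(1 << len(cube)):
        iv = [0] * 80
        for j, pos in enumerate(cube): iv[pos] = (mask >> j) & 1
        acc ^= trivium_clock(trivium_init(key, iv, rounds))[0]
    return acc

def cube_tester(cube, rounds, trials, seed=1):
    """Empirical cube tester: cube sums for `trials` random keys. Sums that stay 0
    past the rounds where degree_bound guarantees it are distinguisher candidates."""
    rng = random.Random(seed)
    return [cube_sum([rng.randrange(2) for _ in range(80)], cube, rounds)
            for _ in range(trials)]

if __name__ == "__main__":
    print([degree_bound(r) for r in (0, 100, 250, 400)])  # bound grows with rounds
    print(cube_tester([3, 17, 40, 61, 79], 250, trials=4))  # |cube| > bound: all 0
```

With a cube one larger than the degree bound the all-zero result is provable; the paper's distinguishers live in the rounds beyond that, where only experiment (many random keys, larger cubes) can reveal whether the sums still deviate from a balanced random function.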
