Related Key Chosen IV Attack on Grain-128a Stream Cipher

The well-known stream cipher Grain-128 is a variant of Grain v1 with a 128-bit secret key. Grain v1 is a stream cipher that was selected as one of the seven finalists of the European eSTREAM project. Yet Grain-128 is vulnerable to some recently introduced attacks. A new version of Grain-128 with authentication, named Grain-128a, was proposed by Ågren, Hell, Johansson, and Meier. The designers claimed that Grain-128a is strengthened against all known attacks and observations on the original Grain-128. So far there exists no attack on Grain-128a except a differential fault attack by Banik, Maitra, and Sarkar. In this paper, we give some observations on Grain-128a, and then propose a related key chosen IV attack on Grain-128a based on these observations. Our attack can recover the 128-bit secret key of Grain-128a with a computational complexity of $2^{96.322}$, requiring $2^{96}$ chosen IVs and $2^{103.613}$ keystream bits. The success probability of our attack is 0.632. This related key attack is “minimal” in the sense that it only requires two related keys. The result shows that our attack is much better than an exhaustive key search in the related key setting.
