Cryptanalysis of the "Grain" family of stream ciphers

Let us have an NLFSR with the feedback function g(x) and an LFSR with the generating polynomial f(x). The function g(x) is a Boolean function on the state of the NLFSR and the LFSR, at any time instance t. When the LFSR has good statistical properties, it is used to control the randomness of the NLFSR's state machine. In this paper we define and study the general class of "Grain" family of stream ciphers, where the keystream bits are generated by another Boolean function h(y) on the states of the NLFSR and the LFSR. We show that the cryptographic strength of this family is related to the general decoding problem when a key-recovery attack is considered. A proper choice of the functions f(·), g(·) and h(·) could, potentially, give us a strong instance of a stream cipher. One such stream cipher, Grain, was recently proposed as a candidate for the European project ECRYPT in May 2005. Grain uses a secret key of length 80 bits and its internal state is of size 160 bits. It was suggested as a fast and small primitive for efficient hardware implementation. In our work we propose the analysis of such structures in general, and, in particular, we give a linear distinguishing attack on Grain with time complexity O(2^54) when O(2^51) bits of the keystream are available. This is the first paper presenting an attack on Grain, and it reveals a leakage in the choice of the functions in this particular design instance.
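To make the Grain-family structure described above concrete, the following is an added toy example (not code from the paper or from the Grain designers): an LFSR with a constructed polynomial f, an NLFSR whose constructed feedback g also absorbs the LFSR output, and a constructed filter h over both registers, together with two designer-side checks, the LFSR period and the best linear bias of h. Register size, key loading and all three functions are assumptions chosen for illustration, not Grain's real parameters.

```python
"""Toy Grain-family generator: LFSR with polynomial f, NLFSR whose
feedback g takes the LFSR output, filter h over both registers. Sizes and
f, g, h are constructed toy choices, NOT Grain's real parameters."""

N = 8  # toy register length; real Grain has a 160-bit state

def lfsr_step(s):
    # Constructed f(x) = x^8 + x^4 + x^3 + x^2 + 1 (primitive over GF(2)):
    # s_{t+8} = s_{t+4} ^ s_{t+3} ^ s_{t+2} ^ s_t, so the LFSR has period 255.
    return s[1:] + [s[0] ^ s[2] ^ s[3] ^ s[4]]

def nlfsr_step(b, s):
    # Constructed nonlinear feedback g; as in the Grain structure the LFSR
    # output bit s[0] is XORed in so the LFSR "controls" the NLFSR.
    return b[1:] + [s[0] ^ b[0] ^ b[3] ^ (b[1] & b[5]) ^ (b[2] & b[4] & b[6])]

def h_bits(x):
    # Constructed filter h on its five tap bits x = (x0, ..., x4).
    return x[0] ^ x[2] ^ (x[1] & x[3]) ^ (x[3] & x[4])

def keystream(key, n):
    # Load the 2N key bits straight into the registers (the toy skips the
    # real cipher's IV and initialisation rounds) and clock out n bits.
    b, s = list(key[:N]), list(key[N:])
    out = []
    for _ in range(n):
        out.append(h_bits((b[2], b[4], s[1], s[3], s[6])))
        b, s = nlfsr_step(b, s), lfsr_step(s)  # both use the current state
    return out

def lfsr_period(start):
    # Designer's check that f is primitive: count steps back to `start`.
    s, k = lfsr_step(start), 1
    while s != start:
        s, k = lfsr_step(s), k + 1
    return k

def best_linear_bias(func, n_inputs):
    # Walsh-style check: for every linear mask a, how often func(x) equals
    # the parity <a, x>. A large bias means h is close to linear, which is
    # the kind of leakage a linear distinguisher feeds on.
    best, total = (0.0, 0), 1 << n_inputs
    for a in range(total):
        agree = sum(func([(x >> i) & 1 for i in range(n_inputs)])
                    == bin(a & x).count("1") % 2 for x in range(total))
        bias = abs(agree / total - 0.5)
        if bias > best[0]:
            best = (bias, a)
    return best
```

For the toy h above the best affine approximation is x0 ^ x2 (mask 5), agreeing on 24 of 32 inputs, i.e. a bias of 0.25; a real design would want this bias small for every mask.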
