2017 2nd International Conference on Computer Science and Technology (CST 2017) ISBN: 978-1-60595-461-5
Cube Attacks on the Stream Cipher Grain-v1
Yong-juan WANG*, Shi-yi ZHANG and Yang GAO
Luoyang Foreign Language University, Luoyang, Henan Province, China
*Corresponding author
Keywords: Algebra attack, Cube attack, Stream cipher, Grain-v1, Key recovery.
Abstract. The Cube Attack was introduced by Itai Dinur and Adi Shamir. As a known-plaintext attack on symmetric primitives, it applies to stream ciphers, block ciphers and hash functions. In this paper we propose a new method to find all the cubes U that produce linear relations, and apply it to simplified Grain-v1 variants with 60 and 65 initialization rounds, from which we obtain at least 25 and 11 key bits respectively. Our results show that Grain-v1 with a reduced number of initialization rounds can be broken with the Cube Attack at a complexity significantly lower than exhaustive search.
Introduction
The Cube Attack was introduced by Itai Dinur and Adi Shamir [1] (presented at the CRYPTO 2008 rump session and published at EUROCRYPT 2009) as a known-plaintext attack on symmetric primitives. It is a major improvement over several previously published attacks of the same type, for example the Algebraic IV Differential Attack (AIDA) [2]. If the output of a cryptosystem can be represented as a polynomial $F(K, IV)$ over $\mathrm{GF}(2)$ in the key and public variables (plaintext or IV bits), then by skilfully choosing values for the public variables the attacker may be able to obtain linear equations in the key. Given a sufficient number of such equations, the secret key can be recovered through queries to the black-box polynomial with tweakable public variables (e.g. chosen plaintexts or initial values) [1], followed by solving a linear system of equations in the secret key variables. Cube Attacks can be applied to any block cipher, stream cipher or MAC that is provided as a black box, even when nothing is known about its internal structure, provided at least one output bit can be represented by an (unknown) polynomial of relatively low degree in the secret and public variables. The attack has been applied to MD6 [3], Trivium [3, 4], Serpent [5], Grain-128, PHOTON [7], Keccak [8] and others, and it works quite well.
The stream cipher Grain-v1 was proposed by Hell, Johansson and Meier [6]. Christophe De Cannière, Özgül Küçük and Bart Preneel analyzed the initialization algorithm of Grain, showed a sliding property of the initialization algorithm that leads to a very efficient related-key attack, and developed a differential attack on Grain-v1 that recovers one out of $2^9$ keys and requires two related keys and $2^{55}$ chosen IV pairs [10]. Yuseop Lee, Kitae Jeong and Jaechul Sung extended the slide resynchronization attack and proposed related-key chosen-IV attacks on Grain-v1; their attack recovers the secret key with $2^{22.59}$ chosen IVs, $2^{26.29}$
The Differential Fault Attack [17], the Near Collision Attack [15] and the Probabilistic Algebraic Attack [16] also work on Grain-v1 with good results.
In this paper we provide a new attack approach for the cryptanalyst and apply the Cube Attack to reduced variants of Grain-v1. Our results show that Grain-v1 with a reduced number of initialization rounds can be broken with a complexity significantly lower than exhaustive search.
This paper is organized as follows. Following the introduction, we describe the Cube Attack in section 2. In section 3, we describe the stream cipher Grain-v1. In section 4, a new method to find all the cubes U is described and applied to Grain-v1. In section 5, an improvement is described and applied to Grain-v1 again. Finally, we conclude the paper in section 6.
Cube Attack
First, we give a brief overview of the Cube Attack [1]. Throughout this paper, all polynomials have coefficients in $\mathrm{GF}(2)$. Let $IV = (v_1, \ldots, v_m)$ and $K = (x_1, \ldots, x_n)$, and let $F_i(K, IV) = Y_i$ denote the $i$-th output bit. If $U = \{v_{i_1}, \ldots, v_{i_k}\} \subset \{v_1, \ldots, v_m\}$ has been chosen, then the $i$-th output bit can be represented as

$$F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = v_{i_1} v_{i_2} \cdots v_{i_k} \, P(x_1, \ldots, x_n, V) + Q(x_1, \ldots, x_n, v_1, \ldots, v_m).$$

Here $V = \{v_1, \ldots, v_m\} \setminus U$, $P(\cdot)$ is a polynomial in $\{x_1, \ldots, x_n\} \cup V$ that contains none of the variables $v_{i_1}, v_{i_2}, \ldots, v_{i_k}$, and every term of $Q$ misses at least one of the variables $v_{i_1}, v_{i_2}, \ldots, v_{i_k}$. Let $C$ be the set of points where the variables in $\{x_1, \ldots, x_n\} \cup V$ are fixed and the variables in $U$ take all $2^k$ possible combinations of values. Then

$$\sum_{C} F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = \sum_{C} v_{i_1} v_{i_2} \cdots v_{i_k} \, P(x_1, \ldots, x_n, V) + \sum_{C} Q(x_1, \ldots, x_n, v_1, \ldots, v_m). \qquad (1)$$

Theorem 1. For any polynomial $F_i$ and subset $U$, $\sum_{C} v_{i_1} v_{i_2} \cdots v_{i_k} \, P(\cdot) = P(\cdot) \pmod 2$.

Proof. Since none of the terms of $Q$ has the monomial $v_{i_1} v_{i_2} \cdots v_{i_k}$ as a factor, each term of $Q$ is independent of at least one cube variable and therefore takes every value an even number of times over the $2^k$ possible vectors; summing each term of $Q$ over the cube gives 0, hence $\sum_{C} Q = 0$. On the other hand, the coefficient of $P(\cdot)$ in the summation is 1 in exactly one case, $v_{i_1} = v_{i_2} = \cdots = v_{i_k} = 1$. #

According to Theorem 1, (1) becomes

$$\sum_{C} F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = \sum_{C} v_{i_1} v_{i_2} \cdots v_{i_k} \, P(x_1, \ldots, x_n, V) + \sum_{C} Q = P(x_1, \ldots, x_n, V).$$
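As an added illustration of (1) and Theorem 1 on a small constructed polynomial (not part of the original paper), take $n = 4$ key bits, $m = 3$ IV bits and

$$F(x_1, \ldots, x_4, v_1, v_2, v_3) = v_1 v_2 (x_1 + x_3 + 1) + v_1 x_2 x_4 + v_2 v_3 x_1 x_2 + v_3 x_3 + x_1 x_4 .$$

For $U = \{v_1, v_2\}$ and $V = \{v_3\}$ the decomposition of (1) is $P = x_1 + x_3 + 1$ and $Q = v_1 x_2 x_4 + v_2 v_3 x_1 x_2 + v_3 x_3 + x_1 x_4$; every term of $Q$ misses $v_1$ or $v_2$. Summing over the four points $(v_1, v_2) \in \{0,1\}^2$ with $v_3$ fixed,

$$\sum_{C} F = \underbrace{(0+0+0+1)}_{v_1 v_2}\,(x_1 + x_3 + 1) + \underbrace{(0+0+1+1)}_{v_1}\, x_2 x_4 + \underbrace{(0+1+0+1)}_{v_2}\, v_3 x_1 x_2 + 4\,(v_3 x_3 + x_1 x_4) = x_1 + x_3 + 1 \pmod 2,$$

a linear relation in the key bits. For $U = \{v_1\}$ (too small) the same computation gives $\sum_C F = v_2 (x_1 + x_3 + 1) + x_2 x_4$, which with $V = \{v_2, v_3\}$ fixed to 0 is the nonlinear $P = x_2 x_4$; for $U = \{v_1, v_2, v_3\}$ (too large) no term contains $v_1 v_2 v_3$, so the cube sum is the constant 0.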
Brief Description of Grain-v1
Grain-v1 is one of the three final candidates of the hardware profile of the ECRYPT eSTREAM project. It consists of an 80-bit LFSR, an 80-bit NFSR (both over $\mathrm{GF}(2)$) and a Boolean filter function $h_0(x)$. The content of the LFSR is denoted by $s_i, s_{i+1}, \ldots, s_{i+79}$ and the content of the NFSR by $b_i, b_{i+1}, \ldots, b_{i+79}$. The feedback polynomial $f_0(x)$ of the LFSR is a primitive polynomial of degree 80, defined as

$$f_0(x) = 1 + x^{18} + x^{29} + x^{42} + x^{57} + x^{67} + x^{80}.$$

The NFSR feedback polynomial $g_0(x)$ is defined as

$$\begin{aligned} g_0(x) = {}& 1 + x^{18} + x^{20} + x^{28} + x^{35} + x^{43} + x^{47} + x^{52} + x^{59} + x^{66} + x^{71} + x^{80} \\ &+ x^{17}x^{20} + x^{43}x^{47} + x^{65}x^{71} + x^{20}x^{28}x^{35} + x^{47}x^{52}x^{59} + x^{17}x^{35}x^{52}x^{71} + x^{20}x^{28}x^{43}x^{47} \\ &+ x^{17}x^{20}x^{59}x^{65} + x^{17}x^{20}x^{28}x^{35}x^{43} + x^{47}x^{52}x^{59}x^{65}x^{71} + x^{28}x^{35}x^{43}x^{47}x^{52}x^{59}. \end{aligned}$$

The cipher output bit $Z_i$ is derived from the current LFSR and NFSR states with the filter function $h_0(x_0, x_1, x_2, x_3, x_4)$ as follows:

$$Z_i = \sum_{k \in A} b_{i+k} + h_0(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63}),$$

where $A = \{1, 2, 4, 10, 31, 43, 56\}$ and the filter Boolean function $h_0(x_0, x_1, x_2, x_3, x_4)$ is defined as

$$h_0(x_0, x_1, x_2, x_3, x_4) = x_1 + x_4 + x_0 x_3 + x_2 x_3 + x_3 x_4 + x_0 x_1 x_2 + x_0 x_2 x_3 + x_0 x_2 x_4 + x_1 x_2 x_4 + x_2 x_3 x_4 .$$
Key Initialization
Given an 80-bit key and a 64-bit IV, Grain-v1 is initialized by loading the key into the NFSR and the IV into the first 64 bits of the LFSR; the remaining 16 bits of the LFSR are filled with ones. The mechanism is then clocked 160 times without producing output; during this key initialization phase the output bit is fed back and XORed with the input of both the LFSR and the NFSR. The contents of the shift registers at the end of the key initialization phase form the state from which the running key is generated.
Keystream Generation
After the cipher has been clocked 160 times, the mechanism begins to produce output bits, see Figure 1.
Figure 1. Keystream Generation.
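As an added example (not code from the paper or from the Grain designers), the following Python transcribes the registers, feedback polynomials, filter function and key initialization described above into a bit-level black box $F_i(K, IV)$ whose number of initialization rounds is a parameter, so that the 60- and 65-round variants attacked in this paper can be instantiated. The bit-order convention (key bit $j$ loaded into NFSR cell $b_j$, IV bit $j$ into LFSR cell $s_j$) and all function names are assumptions of this example; the test vectors published with the Grain-v1 specification should be used to confirm the loading convention before comparing keystream with other implementations.

```python
"""Reduced-round Grain-v1 as the bit-level black box F_i(K, IV).

Added example (not code from the paper or the Grain designers): a transcription
of the registers, feedback polynomials, filter function and key initialization
described above, with the number of initialization rounds as a parameter so
the 60- and 65-round variants attacked in this paper can be instantiated.
Assumed convention: key bit j is loaded into NFSR cell b_j and IV bit j into
LFSR cell s_j (index 0 first); a tap x^k of f_0/g_0 is the cell at 80-k."""

A_TAPS = (1, 2, 4, 10, 31, 43, 56)   # the set A of NFSR bits XORed into Z_i

def h0(x0, x1, x2, x3, x4):
    """Filter function h_0 of Grain-v1."""
    return (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4) ^ (x0 & x1 & x2)
            ^ (x0 & x2 & x3) ^ (x0 & x2 & x4) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))

def lfsr_feedback(s):
    """s_{i+80} from f_0(x) = 1 + x^18 + x^29 + x^42 + x^57 + x^67 + x^80."""
    return s[62] ^ s[51] ^ s[38] ^ s[23] ^ s[13] ^ s[0]

def nfsr_feedback(b, s0):
    """b_{i+80} = s_i + g_0 terms, x^k -> b_{i+80-k} (e.g. x^17 x^20 -> b63 b60)."""
    linear = (s0 ^ b[62] ^ b[60] ^ b[52] ^ b[45] ^ b[37] ^ b[33] ^ b[28]
              ^ b[21] ^ b[14] ^ b[9] ^ b[0])
    nonlinear = ((b[63] & b[60]) ^ (b[37] & b[33]) ^ (b[15] & b[9])
                 ^ (b[60] & b[52] & b[45]) ^ (b[33] & b[28] & b[21])
                 ^ (b[63] & b[45] & b[28] & b[9]) ^ (b[60] & b[52] & b[37] & b[33])
                 ^ (b[63] & b[60] & b[21] & b[15])
                 ^ (b[63] & b[60] & b[52] & b[45] & b[37])
                 ^ (b[33] & b[28] & b[21] & b[15] & b[9])
                 ^ (b[52] & b[45] & b[37] & b[33] & b[28] & b[21]))
    return linear ^ nonlinear

def output_bit(b, s):
    """Z_i = sum_{k in A} b_{i+k} + h_0(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63})."""
    z = 0
    for k in A_TAPS:
        z ^= b[k]
    return z ^ h0(s[3], s[25], s[46], s[64], b[63])

def clock(b, s, feed_back_output):
    """One clock.  During key initialization the output bit is not emitted but
    XORed into the input of both registers; b and s are shifted in place."""
    z = output_bit(b, s)
    fb = z if feed_back_output else 0
    new_s = lfsr_feedback(s) ^ fb
    new_b = nfsr_feedback(b, s[0]) ^ fb
    del s[0]
    s.append(new_s)
    del b[0]
    b.append(new_b)
    return z

def grain_v1_keystream(key, iv, nbits, init_rounds=160):
    """key: 80 bits, iv: 64 bits (lists of 0/1).  The LFSR holds the IV followed
    by 16 ones; init_rounds clocks run with output feedback (160 in the real
    cipher, 60 or 65 for the variants of this paper), then nbits are emitted."""
    if len(key) != 80 or len(iv) != 64:
        raise ValueError("Grain-v1 takes an 80-bit key and a 64-bit IV")
    b, s = list(key), list(iv) + [1] * 16
    for _ in range(init_rounds):
        clock(b, s, True)
    return [clock(b, s, False) for _ in range(nbits)]

def F(i, key, iv, init_rounds=160):
    """The paper's black box F_i(K, IV): the i-th keystream bit (0-based)."""
    return grain_v1_keystream(key, iv, i + 1, init_rounds)[i]

if __name__ == "__main__":
    print(grain_v1_keystream([0] * 80, [0] * 64, 32))
```

The cube sums of section 4 need only `F`; which physical key bit a recovered variable corresponds to depends on the loading convention, so fix that against the specification's test vectors first. A pure-Python bit-level loop costs a few thousand Boolean operations per 60-round query, which is acceptable for cubes of size at most 4 but makes a C implementation the realistic choice for larger cubes.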
Cube Attack on Grain-v1
The main goal of the Cube Attack is to find sufficiently many cubes U for which the corresponding polynomials $P(\cdot)$ are linear. By querying the cipher to obtain the values of $\sum_{C} F_i(K, IV)$, the attacker can then easily recover the key K via Gaussian elimination. The Cube Attack is split into two stages:
The Preprocessing Stage
In order to find U, we use a linearity check approach: the IVs are formed by letting the variables in U take all possible combinations of values while keeping the variables in $V = IV \setminus U$ fixed to 0. After the selection of U, we take 100 random pairs of keys $(X, Y)$ and check whether

$$\sum_{IV \in C} F_i(X + Y, IV) = \sum_{IV \in C} F_i(X, IV) + \sum_{IV \in C} F_i(Y, IV) + \sum_{IV \in C} F_i(0, IV). \qquad (2)$$

If (2) is satisfied for all 100 random pairs, then the polynomial $P(\cdot)$ is assumed to be linear in the key bits [1]. The randomized algorithm presented in [1] to find U starts with $p$ ($p \geq 1$) randomly chosen variables and uses a linearity test to check whether $P(\cdot)$ is linear. If U is too small, then $P(\cdot)$ is likely to be a nonlinear polynomial in the secret variables; in this case the attacker adds a public variable to U and checks again. If U is too large, then $P(\cdot)$ will be a constant; in this case the attacker drops one of the public variables from U and checks again. The first problem of this algorithm is that not all U are tested, since U is chosen randomly and the search starts from a random set of variables, so the chances of finding a useful U are not expected to be high. We therefore select U by adding IV variables one by one. This process can generate all the U that produce linear relations $P(\cdot)$. See Figure 2.
Figure 2. The approach for selecting IV variables.
For each U that passes the linearity check, we need to compute the corresponding $P(\cdot)$. Since $P$ is linear in the $n$ key bits, it has $n + 1$ coefficients including the constant term. To find them, we compute the sum $\sum_{C} F_i(K, IV)$ for the $n + 1$ keys $K = 0, e_0, e_1, \ldots, e_{n-1}$, where $e_i$ is the vector whose $i$-th component is 1 and whose other components are 0. The program was executed on a Genuine Intel(R) processor with a 1.83 GHz CPU and 760 MB of RAM. We ran the attack on the Grain-v1 variant that uses 60 initialization rounds and chose $|U| = 1, 2, 3, 4$ (because of hardware limitations we restricted U to at most 4 variables), and obtained at least 25 linear relations. With the same approach, we obtained at least 11 linear relations when Grain-v1 is initialized with 65 rounds.
The Online Stage
We obtain 25 linear equations by computing the sum $\sum_{C} F_i(K, IV)$ for the 25 linear relations $P(\cdot)$, from which we easily recover 25 key bits via Gaussian elimination (provided the 25 relations are linearly independent). The complexity of the attack is $O(2^{55})$, since it is dominated by the exhaustive search for the remaining $80 - 25 = 55$ key bits. Likewise, when 11 key bits are recovered the complexity of the attack is $O(2^{69})$.

Finally, we randomly choose 80 key bits and 64 IV bits, run Grain-v1 with 60 initialization rounds, and compare the 25 key bits recovered with the above relations against their true values. Over 5000 tests, the probability of success is about 50%.
Remark 1. In the actual testing with $|U| = 1, 2, 3, 4$ we completed only part of the tests because of hardware limitations. If all the tests were completed, more key bits would probably be recovered. This is why we say "at least" in this article.
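The whole procedure of sections 2 and 4 (cube sums as in Theorem 1, the random-pair linearity test (2), the incremental cube search of Figure 2, extraction of the superpoly coefficients with the unit keys $e_i$, and Gaussian elimination in the online stage), together with the fixed-pair test (3) of section 5 below, as an added Python example that is not code from the paper. The black box is a small constructed polynomial whose superpolys are known in closed form, so every result can be checked by hand; a reduced-round cipher's output bit would be passed as `box` in its place. The function names, the toy sizes and the polynomial are this example's assumptions; indices are 0-based.

```python
"""Cube attack on a toy black-box polynomial F(K, IV) over GF(2).

Added example, not code from the paper.  It runs sections 2 and 4 end to end
(cube sums as in Theorem 1, random-pair linearity test (2), the incremental
cube search of Figure 2, superpoly extraction with the unit keys e_i, and
Gaussian elimination for the online stage), plus the fixed-pair test (3) of
section 5.  The polynomial is constructed so its superpolys are known; a
reduced-round cipher's output bit can be passed as `box` instead.  0-based."""
import itertools
import random

N_KEY, N_IV = 4, 3  # toy sizes: key bits x0..x3, IV bits v0..v2

def toy_box(x, v):
    """Constructed F(K, IV).  Superpolys with V fixed to 0: {v0,v1} -> x0+x2+1,
    {v2} -> x2 (both linear); {v0} -> x1*x3 (nonlinear); {v0,v1,v2} -> 0."""
    return ((v[0] & v[1] & (x[0] ^ x[2] ^ 1)) ^ (v[0] & x[1] & x[3])
            ^ (v[1] & v[2] & x[0] & x[1]) ^ (v[2] & x[2]) ^ (x[0] & x[3]))

def cube_sum(box, key, cube, n_iv=N_IV):
    """sum over C of F(K, IV): cube variables run over all 2^|U| values, the
    other IV variables stay 0; by Theorem 1 the result is P(K, V=0)."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        iv = [0] * n_iv
        for pos, bit in zip(cube, bits):
            iv[pos] = bit
        acc ^= box(key, iv)
    return acc

def unit(i, n=N_KEY):
    return [1 if j == i else 0 for j in range(n)]   # e_i

def random_pairs(count, rng, n=N_KEY):
    """Random key pairs (X, Y) for test (2) of section 4.1."""
    return [([rng.randint(0, 1) for _ in range(n)],
             [rng.randint(0, 1) for _ in range(n)]) for _ in range(count)]

def fixed_pairs(n=N_KEY):
    """Fixed pairs (e_2j, e_2j+1) for test (3) of section 5."""
    return [(unit(2 * j, n), unit(2 * j + 1, n)) for j in range(n // 2)]

def is_linear(box, cube, pairs):
    """P(X+Y) == P(X) + P(Y) + P(0) must hold for every pair supplied."""
    p0 = cube_sum(box, [0] * N_KEY, cube)
    for x, y in pairs:
        xy = [a ^ b for a, b in zip(x, y)]
        if cube_sum(box, xy, cube) != cube_sum(box, x, cube) ^ cube_sum(box, y, cube) ^ p0:
            return False
    return True

def superpoly(box, cube, n=N_KEY):
    """[a_0, a_1..a_n] of P = a_0 + sum a_i x_i from the n+1 sums at 0, e_0..e_{n-1}."""
    a0 = cube_sum(box, [0] * n, cube)
    return [a0] + [cube_sum(box, unit(i, n), cube) ^ a0 for i in range(n)]

def find_linear_cubes(box, pairs, max_size, n_iv=N_IV):
    """Figure 2: grow U one IV variable at a time, keep every U whose
    superpoly passes the linearity test and is not constant (U too large)."""
    found = {}
    for size in range(1, max_size + 1):
        for cube in itertools.combinations(range(n_iv), size):
            if is_linear(box, cube, pairs):
                coeffs = superpoly(box, cube)
                if any(coeffs[1:]):
                    found[cube] = coeffs
    return found

def solve_gf2(rows):
    """Online stage.  rows = [a_1..a_n | rhs]; reduced row echelon form over
    GF(2), returning {i: value} for each key bit that is uniquely determined."""
    if not rows:
        return {}
    rows, n, rank, pivots = [r[:] for r in rows], len(rows[0]) - 1, 0, []
    for col in range(n):
        piv = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[rank])]
        pivots.append((rank, col))
        rank += 1
    return {col: rows[r][n] for r, col in pivots if sum(rows[r][:n]) == 1}

def recover_key_bits(box, linear_cubes, true_key):
    """Query the box under the unknown key once per linear cube, then solve."""
    rows = [coeffs[1:] + [cube_sum(box, true_key, cube) ^ coeffs[0]]
            for cube, coeffs in linear_cubes.items()]
    return solve_gf2(rows)

def run_preprocessing(seed=1, n_pairs=100, max_size=3):
    """Section 4.1 preprocessing on the toy box with 100 random key pairs."""
    return find_linear_cubes(toy_box, random_pairs(n_pairs, random.Random(seed)), max_size)

def linearity_verdicts(cube, seed=1, n_pairs=100):
    """(verdict of random-pair test (2), verdict of fixed-pair test (3))."""
    return (is_linear(toy_box, cube, random_pairs(n_pairs, random.Random(seed))),
            is_linear(toy_box, cube, fixed_pairs()))

if __name__ == "__main__":
    cubes = run_preprocessing()
    print("linear cubes:", cubes)
    print("recovered key bits:", recover_key_bits(toy_box, cubes, [1, 0, 1, 1]))
    print("cube {v0} verdicts (random, fixed):", linearity_verdicts((0,)))
```

Two points the toy makes visible. First, the coefficient extraction with the unit keys $e_i$ sees only the linear part of a superpoly: for the cube $\{v_0\}$, whose superpoly is the quadratic $x_1 x_3$, all extracted coefficients are 0, so a nonlinear superpoly that slips past the linearity test silently produces a wrong (or vacuous) equation. Second, the fixed-pair test (3) accepts that same cube while 100 random pairs reject it: every key it evaluates has Hamming weight at most 2, so it cannot detect a quadratic monomial whose two variables lie in different pairs, nor any monomial of degree three or more.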
Improved Cube Attack on Grain-v1
In section 4.1, we take 100 random pairs of keys $(X, Y)$ and check whether

$$\sum_{IV \in C} F_i(X + Y, IV) = \sum_{IV \in C} F_i(X, IV) + \sum_{IV \in C} F_i(Y, IV) + \sum_{IV \in C} F_i(0, IV).$$

If it is satisfied for all 100 random pairs, we assume that we have obtained a polynomial $P(\cdot)$ that is linear in the key bits. Now we instead select 40 fixed pairs of keys $(e_0, e_1), (e_2, e_3), \ldots, (e_{78}, e_{79})$ and check whether

$$\sum_{IV \in C} F_i(e_{2j} + e_{2j+1}, IV) = \sum_{IV \in C} F_i(e_{2j}, IV) + \sum_{IV \in C} F_i(e_{2j+1}, IV) + \sum_{IV \in C} F_i(0, IV), \qquad (3)$$

where $j = 0, 1, 2, \ldots, 39$ and $e_{2j}$ (resp. $e_{2j+1}$) is the vector whose $2j$-th (resp. $(2j+1)$-th) component is 1 and whose other components are 0. If (3) is satisfied for all 40 fixed pairs, we assume that we have obtained a linear polynomial $P(\cdot)$; the approach for finding U is the same as in section 4.1. Note that (3) is a weaker test than (2): every key it evaluates has Hamming weight at most 2, so it cannot detect a quadratic monomial $x_a x_b$ with $a$ and $b$ in different pairs, nor any monomial of degree three or more. Testing again, we obtain at least 42 and 37 linear relations when Grain-v1 is initialized with 60 and 65 rounds, requiring $2^9$ and $2^8$ keystream bits respectively. The complexities of the attacks are $O(2^{38})$ and $O(2^{43})$. Over 5000 tests with the new approach, the probability of success in recovering the key bits is also about 50%.
Conclusions
In this paper, simplified Grain-v1 variants have been cryptanalyzed using the Cube Attack. We proposed a new approach to find all the cubes U that produce linear relations, applied it to Grain-v1 with 60 and 65 initialization rounds, and the attack works quite well. Furthermore, in section 5, we developed an improvement and tested it again; the complexity of the improved attack is reduced to $2^{38}$ and $2^{43}$ for Grain-v1 with 60 and 65 initialization rounds respectively.
References
[1] I. Dinur and A. Shamir. Cube Attacks on Tweakable Black Box Polynomials. EUROCRYPT 2009, LNCS 5479, 2009: 278-299.
[2] M. Vielhaber. Breaking ONE.FIVIUM by AIDA: An Algebraic IV Differential Attack. Cryptology ePrint Archive, Report 2007/413, 2007. http://eprint.iacr.org/2007/413
[3] J. P. Aumasson, I. Dinur, W. Meier and A. Shamir. Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium. Fast Software Encryption (O. Dunkelman, ed.), Springer, 2009.
[4] S. Bedi and N. R. Pillai. Cube attacks on Trivium. Cryptology ePrint Archive, Report 2009/015, 2009. http://eprint.iacr.org/2009/015
[5] I. Dinur and A. Shamir. Side Channel Cube Attacks on Block Ciphers. Cryptology ePrint Archive, Report 2009/127, 2009. http://eprint.iacr.org/2009/127
[6] M. Hell, T. Johansson and W. Meier. Grain: A stream cipher for constrained environments. IJWMC, 2007, 2(1): 86-93.
[7] C. Y. Lu, Y. W. Lin, S. M. Jen, et al. Cryptanalysis on PHOTON hash function using cube attack, 2012.
[8] I. Dinur, P. Morawiecki, J. Pieprzyk, et al. Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function. EUROCRYPT 2015, Springer, 2015: 733-761.
[9] C. Berbain, H. Gilbert and A. Maximov. Cryptanalysis of Grain. Fast Software Encryption, 2006: 15-29.
[10] C. De Cannière, Ö. Küçük and B. Preneel. Analysis of Grain's initialization algorithm. SASC 2008.
[11] A. Biryukov and D. Wagner. Slide Attacks. Fast Software Encryption, 1999: 245-249.
[12] E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, 1993.
[13] S. Khazaei, M. Hassanzadeh and M. Kiaei. Distinguishing attack on Grain. ECRYPT Stream Cipher Project Report 2005/071, 2005. http://www.ecrypt.eu.org/stream/papersdir/071.pdf
[15] B. Zhang, Z. Li, D. Feng, et al. Near Collision Attack on the Grain v1 Stream Cipher. Fast Software Encryption, 2014: 518-538.
[16] P. Datta, D. Roy and S. Mukhopadhyay. A Probabilistic Algebraic Attack on the Grain Family of Stream Ciphers. Network and System Security, 2014: 558-565.
[17] S. Banik, S. Maitra and S. Sarkar. A Differential Fault Attack on the Grain Family of Stream Ciphers. CHES 2012, Springer-Verlag, 2012: 122-139.