New Configurations of Grain Ciphers: Security Against Slide Attacks

Abstract

eSTREAM brought to the attention of the cryptographic community a number of stream ciphers including Grain v0 and its revised version Grain v1. The latter was selected as a finalist of the competition’s hardware-based portfolio. The Grain family includes two more instantiations, namely Grain-128 and Grain-128a.

The scope of our paper is to provide an insight on how to obtain secure configurations of the Grain family of stream ciphers. We propose different variants for Grain and analyze their security with respect to slide attacks. More precisely, as various attacks against initialization algorithms of Grain were discussed in the literature, we study the security impact of various parameters which may influence the LFSR’s initialization scheme.

Appendices

A Grain V1

In the case of Grain v1, \(n = 80\) and \(m = 64\). The padding value is \(P = \texttt {0xffff}\). The values IV and P are loaded in the LFSR using the function \(LoadIV(IV, P) = IV \Vert P\). Given \(S \in \{0,1\}^{80}\), we define \(ExtractIV(S) = MSB_{64}(S)\).

We denote by \(f_1(x)\) the primitive feedback of the LFSR:

$$\begin{aligned} f_1(x)=1 + x^{18} + x^{29} + x^{42} + x^{57} + x^{67} + x^{80}. \end{aligned}$$

We denote by \(g_1(x)\) the nonlinear feedback polynomial of the NFSR:

$$\begin{aligned} g_1(x)&= 1 + x^{18} + x^{20} + x^{28} + x^{35} + x^{43} + x^{47} + x^{52} + x^{59} + x^{66} + x^{71} + x^{80}\\&+ x^{17}x^{20} + x^{43}x^{47} + x^{65}x^{71} + x^{20}x^{28}x^{35} + x^{47}x^{52}x^{59} + x^{17}x^{35}x^{52}x^{71} \\&+ x^{20}x^{28}x^{43}x^{47} + x^{17}x^{20}x^{59}x^{65} + x^{17}x^{20}x^{28}x^{35}x^{43} + x^{47}x^{52}x^{59}x^{65}x^{71}\\&+ x^{28}x^{35}x^{43}x^{47}x^{52}x^{59}. \end{aligned}$$

The boolean filter function \(h_1(x_0,\ldots ,x_4)\) is

$$\begin{aligned} h_1(x_0,\ldots ,x_4)= & {} x_1 + x_4 + x_0x_3 + x_2x_3 + x_3x_4 + x_0x_1x_2 + x_0x_2x_3 + x_0x_2x_4 + x_1x_2x_4 + x_2x_3x_4. \end{aligned}$$

The output function is

$$ z_i^1 = \sum _{j \in \mathcal {A}_1} x_{i+j} + h_1(y_{i+3},y_{i+25},y_{i+46},y_{i+64},x_{i+63}), \text{ where } \mathcal {A}_1 = \{1,2,4,10,31,43,56\}.$$

B Grain-128

In the case of Grain-128, \(n = 128\) and \(m = 96\). The padding value is \(P = \texttt {0xffffffff}\). The values IV and P are loaded in the LFSR using the function \(LoadIV(IV, P) = IV \Vert P\). Given \(S \in \{0,1\}^{128}\), we define \(ExtractIV(S) = MSB_{96}(S)\).

We denote by \(f_{128}(x)\) the primitive feedback of the LFSR:

$$\begin{aligned} f_{128}(x)=1 + x^{32} + x^{47} + x^{58} + x^{90} + x^{121} + x^{128}. \end{aligned}$$

We denote by \(g_{128}(x)\) the nonlinear feedback polynomial of the NFSR:

$$\begin{aligned} g_{128}(x)&= 1 + x^{32} + x^{37} + x^{72} + x^{102} + x^{128} + x^{44}x^{60} + x^{61}x^{125}\\&+ x^{63}x^{67} + x^{69}x^{101} + x^{80}x^{88} + x^{110}x^{111} + x^{115}x^{117}. \end{aligned}$$

The boolean filter function \(h_{128}(x_0,\ldots ,x_8)\) is

$$\begin{aligned} h_{128}(x_0,\ldots ,x_8)= & {} x_0x_1 + x_2x_3 + x_4x_5 + x_6x_7 + x_0x_4x_8. \end{aligned}$$

The output function is

$$\begin{aligned} z_i^{128} = \sum _{j \in \mathcal {A}_{128}} x_{i+j} + y_{i+93} + h_{128}(x_{i+12},y_{i+8},y_{i+13},y_{i+20},x_{i+95},y_{i+42},y_{i+60},y_{i+79},y_{i+95}), \end{aligned}$$

where \(\mathcal {A}_{128} = \{2,15,36,45,64,73,89\}\).

C Grain-128a

In the case of Grain-128a, \(n = 128\) and \(m = 96\). The padding value is \(P = \texttt {0xfffffffe}\). The values IV and P are loaded in the LFSR using the function \(LoadIV(IV, P) = IV \Vert P\). Given \(S \in \{0,1\}^{128}\), we define \(ExtractIV(S) = MSB_{96}(S)\).

We denote by \(f_{128a}(x)\) the primitive feedback of the LFSR:

$$\begin{aligned} f_{128a}(x)=1 + x^{32} + x^{47} + x^{58} + x^{90} + x^{121} + x^{128}. \end{aligned}$$

We denote by \(g_{128a}(x)\) the nonlinear feedback polynomial of the NFSR:

$$\begin{aligned} g_{128a}(x)&= 1 + x^{32} + x^{37} + x^{72} + x^{102} + x^{128} +\ x^{44}x^{60} + x^{61}x^{125} + x^{63}x^{67} + x^{69}x^{101} \\&+ x^{80}x^{88} + x^{110}x^{111} + x^{115}x^{117} +\ x^{46}x^{50}x^{58} + x^{103}x^{104}x^{106} + x^{33}x^{35}x^{36}x^{40}. \end{aligned}$$

The boolean filter function \(h_{128a}(x_0,\ldots ,x_8)\) is

$$\begin{aligned} h_{128a}(x_0,\ldots ,x_8) = x_0x_1 + x_2x_3 + x_4x_5 + x_6x_7 + x_0x_4x_8. \end{aligned}$$

The output function is

$$\begin{aligned} z_i^{128a} = \sum _{j \in \mathcal {A}_{128a}} x_{i+j} + y_{i+93} + h_{128a}(x_{i+12},y_{i+8},y_{i+13},y_{i+20},x_{i+95},y_{i+42},y_{i+60},y_{i+79},y_{i+94}), \end{aligned}$$

where \(\mathcal {A}_{128a} = \{2,15,36,45,64,73,89\}\).

D Examples

Within Tables 6, 7 8, the padding is written in blue, while the red text denotes additional data necessary to mount the proposed attacks. Test vectors presented in this section are expressed as hexadecimal strings. For simplicity, we omit the \(\texttt{0x}\) prefix.

Table 6. Examples of generic attacks.

Table 7. Examples of compact padding attacks (index \(i=1\)).

Table 8. Examples of fragmented padding attacks (index \(i=1\)).

E Propagation of Single Bit Differentials

Parameters. In Theorem 4, let \(q_2 = 96\) for Grain v1⁶ and \(q_2 = 160\) for Grain-128 and Grain-128a⁷ (Tables 9, 10, 11, 12, 13 and 14).

Table 9. Propagation of a single bit differential in the case of Grain v1’s LFSR.

Table 10. Propagation of a single bit differential in the case of Grain v1’s NFSR.

Table 11. Propagation of a single bit differential in the case of Grain-128’s LFSR.

Table 12. Propagation of a single bit differential in the case of Grain-128’s NFSR.

Table 13. Propagation of a single bit differential in the case of Grain-128a’s LFSR.

Table 14. Propagation of a single bit differential in the case of Grain-128a’s NFSR.

F Algorithms