Abstract
eSTREAM brought to the attention of the cryptographic community a number of stream ciphers, including Grain v0 and its revised version Grain v1. The latter was selected as a finalist in the competition’s hardware portfolio. The Grain family includes two more instantiations, namely Grain-128 and Grain-128a.
The scope of our paper is to provide insight into how to obtain secure configurations of the Grain family of stream ciphers. We propose different variants of Grain and analyze their security with respect to slide attacks. More precisely, as various attacks against the initialization algorithms of Grain have been discussed in the literature, we study the security impact of the various parameters that may influence the LFSR’s initialization scheme.
Appendices
A Grain v1
In the case of Grain v1, \(n = 80\) and \(m = 64\). The padding value is \(P = \texttt {0xffff}\). The values IV and P are loaded into the LFSR using the function \(LoadIV(IV, P) = IV \Vert P\). Given \(S \in \{0,1\}^{80}\), we define \(ExtractIV(S) = MSB_{64}(S)\).
We denote by \(f_1(x)\) the primitive feedback polynomial of the LFSR:
We denote by \(g_1(x)\) the nonlinear feedback polynomial of the NFSR:
The Boolean filter function \(h_1(x_0,\ldots ,x_4)\) is
The output function is
B Grain-128
In the case of Grain-128, \(n = 128\) and \(m = 96\). The padding value is \(P = \texttt {0xffffffff}\). The values IV and P are loaded into the LFSR using the function \(LoadIV(IV, P) = IV \Vert P\). Given \(S \in \{0,1\}^{128}\), we define \(ExtractIV(S) = MSB_{96}(S)\).
We denote by \(f_{128}(x)\) the primitive feedback polynomial of the LFSR:
We denote by \(g_{128}(x)\) the nonlinear feedback polynomial of the NFSR:
The Boolean filter function \(h_{128}(x_0,\ldots ,x_8)\) is
The output function is
where \(\mathcal {A}_{128} = \{2,15,36,45,64,73,89\}\).
C Grain-128a
In the case of Grain-128a, \(n = 128\) and \(m = 96\). The padding value is \(P = \texttt {0xfffffffe}\). The values IV and P are loaded into the LFSR using the function \(LoadIV(IV, P) = IV \Vert P\). Given \(S \in \{0,1\}^{128}\), we define \(ExtractIV(S) = MSB_{96}(S)\).
We denote by \(f_{128a}(x)\) the primitive feedback polynomial of the LFSR:
We denote by \(g_{128a}(x)\) the nonlinear feedback polynomial of the NFSR:
The Boolean filter function \(h_{128a}(x_0,\ldots ,x_8)\) is
The output function is
where \(\mathcal {A}_{128a} = \{2,15,36,45,64,73,89\}\).
D Examples
Within Tables 6, 7 and 8, the padding is written in blue, while red text denotes the additional data needed to mount the proposed attacks. The test vectors in this section are given as hexadecimal strings; for simplicity, the \(\texttt{0x}\) prefix is omitted.
E Propagation of Single Bit Differentials
Parameters. In Theorem 4, let \(q_2 = 96\) for Grain v1 and \(q_2 = 160\) for Grain-128 and Grain-128a (Tables 9, 10, 11, 12, 13 and 14).
F Algorithms
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Maimuţ, D., Teşeleanu, G. (2022). New Configurations of Grain Ciphers: Security Against Slide Attacks. In: Ryan, P.Y., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2021. Lecture Notes in Computer Science, vol 13195. Springer, Cham. https://doi.org/10.1007/978-3-031-17510-7_18
DOI: https://doi.org/10.1007/978-3-031-17510-7_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17509-1
Online ISBN: 978-3-031-17510-7
eBook Packages: Computer Science, Computer Science (R0)