Abstract
The cube attack is a powerful cryptanalytic tool for the analysis of stream ciphers, which until recently were investigated in a blackbox scenario with a minimal consideration to their internal and polynomial structures. In this paper, we analyze the lightweight stream cipher WG-5, which offers 80-bit security, using cube attacks in a non-blackbox polynomial setting employing the division property. WG-5 is a lightweight instantiation of the eSTREAM submission Welch-Gong stream cipher which provides mathematically proven random properties for its generated keystream. Our cube attack is automated using Mixed Integer Linear Programming models to theoretically bound the complexity of the superpoly recovery. The results of such an attack enable us to recover the secret key of WG-5 after 24 rounds of initialization utilizing \(2^{6.32}\) keystream bits in \(2^{76.81}\) time. Our attack on WG-5 has significantly lower data complexity than the algebraic attacks presented in the literature, albeit higher in computational complexity, it fits a more realistic scenario where large amount of data is hard to collect in lightweight constrained applications. Moreover, our attack is the first one to investigate the nonlinear feedback-based initialization phase of WG-5. Hence, such results are considered the best cryptanalytic ones in the case that the cipher runs a nonlinear key generation phase. Finally, our results are interesting in the sense that they enable us to argue how the design choices of WG-5 hinder the extension of cube attacks to more rounds in contrast to Grain 128a and Trivium, where such attacks can cover more than half of the number of initialization rounds.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
“unknown” in Definition 1 means the xor sum can be 0 or 1 with probability \(p\ne 1\).
- 2.
We use decimation 3 as the degree of each of the component functions for WGP is 4, whereas it is 3 for decimation 1.
- 3.
\(f:\mathbb {F}_2^n\rightarrow \mathbb {F}_2\) is almost balanced if \(f=0\) for \(\approx 2^{n-1}\) values and \(f=1\) for the remaining values.
- 4.
Step 1.2 is computationally feasible because of MILP.
References
Gurobi: MILP optimizer. http://www.gurobi.com/
SageMath. http://www.sagemath.org/
eSTREAM: the ECRYPT stream cipher project (2008)
Aagaard, M.D., Gong, G., Mota, R.K.: Hardware implementations of the WG-5 cipher for passive rfid tags. In: 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 29–34 (2013)
Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 451–470. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_22
Aumasson, J.-P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and trivium. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_1
Babbage, S., Dodd, M.: The MICKEY stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 191–209. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_15
De Cannière, C.: Trivium: a stream cipher construction inspired by block cipher design principles. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 171–186. Springer, Heidelberg (2006). https://doi.org/10.1007/11836810_13
Dinur, I., Shamir, A.: Cube attacks on tweakable blackbox polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)
Dinur, I., Shamir, A.: Breaking Grain-128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_10
Fouque, P.-A., Vannet, T.: Improving key recovery to 784 and 799 rounds of trivium using optimized cube attacks. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 502–517. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_26
Gong, G., Youssef, A.M.: Cryptographic properties of the Welch-Gong transformation sequence generators. IEEE Trans. Inf. Theor. 48(11), 2837–2846 (2002)
Hamann, M., Krause, M., Meier, W.: Lizard: a lightweight stream cipher for power-constrained devices. IACR Trans. Symmetric Crypt. 2017(1), 45–79 (2017)
Hell, M., Johansson, T., Maximov, A., Meier, W.: A stream cipher proposal: Grain-128. In: IEEE International Symposium on Information Theory, pp. 1614–1618 (2006)
Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_9
Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography 1994. LNCS, vol. 276, pp. 227–233. Springer, MA (1994). https://doi.org/10.1007/978-1-4615-2694-0_23
McKay, K., Bassham, L., Sönmez Turan, M., Mouha, N.: Report on lightweight cryptography (NISTIR8114) (2017)
Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_13
Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symmetric Crypt. 2017(2), 52–79 (2017)
Nawaz, Y., Gong, G.: Wg: a family of stream ciphers with designed randomness properties. Inf. Sci. 178(7), 1903–1916 (2008)
Orumiehchiha, M.A., Pieprzyk, J., Steinfeld, R.: Cryptanalysis of WG-7: a lightweight stream cipher. Crypt. Commun. 4(3–4), 277–285 (2012)
Rohit, R., AlTawy, R., Gong, G.: MILP-based cube attack on the reduced-round WG-5 lightweight stream sipher. The University of Waterloo CACR Archive, Technical report CACR 2017-06 (2017). http://cacr.uwaterloo.ca/techreports/2017/cacr2017-06.pdf
Rønjom, S.: Improving algebraic attacks on stream ciphers based on linear feedback shift register over \(\mathbb{F}_{2^K}\). Des. Codes Crypt. 82(1–2), 27–41 (2017)
Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12
Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_9
Todo, Y., Morii, M.: Bit-based division property and application to Simon family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_18
Vahid Amin Ghafari, H.H., Chen, Y.: Fruit: Ultra-lightweight stream cipher with shorter internal state. Cryptology ePrint Archive, Report 2016/355 (2016). http://eprint.iacr.org/2016/355
Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_24
Acknowledgment
We would like to thank the reviewers of IMACC 2017 for their valuable comments that helped improve the quality of the paper. This work is supported by the National Institute of Standards and Technology (NIST) and Natural Sciences and Engineering Research Council of Canada (NSERC).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A MILP Models for WG-5 Components
B A Generic Algorithm for the Evaluation of the Involved Secret Variables in a Superpoly [25]
C Description of Grain128a and Trivium
Grain128a is a NLFSR based stream cipher of Grain family with two 128-bit states represented by \((b_0, b_1, \ldots , b_{127})\) and \((s_0, s_1, \ldots , s_{127})\). The state is loaded with 128-bit key and 96-bit IV as follows \((b_0, b_1, \ldots , b_{127}) = (k_0, k_1, \ldots , k_{127})\) and \((s_0, s_1, \ldots , s_{127}) = (iv_0, iv_1, \ldots , iv_{95}, 1,\ldots , 1, 0)\). The initialization phase runs for 256 rounds with the state update function given by
During the KSG phase, z is not feedback to the state and directly used as the keystream bit.
Trivium is also an NLFSR based stream cipher with state size 288. The 80-bit key and 80-bit IV are loaded into the state as follows \((s_0, s_1, \ldots , s_{92}) = (k_0, k_1, \ldots , k_{79},0,\ldots ,0)\), \((s_{93}, s_{94}, \ldots , s_{176}) = (iv_0, iv_1, \ldots , iv_{79}, 0,\ldots , 0)\) and \((s_{177}, s_{178}, \ldots , s_{287}) =(0,0,\ldots ,0, 1,1,1)\). The state update function of Trivium is given by
The initialization phase runs for 1152 rounds without producing an output while z is used as the keystream bit during KSG phase.
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Rohit, R., AlTawy, R., Gong, G. (2017). MILP-Based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher. In: O'Neill, M. (eds) Cryptography and Coding. IMACC 2017. Lecture Notes in Computer Science(), vol 10655. Springer, Cham. https://doi.org/10.1007/978-3-319-71045-7_17
Download citation
DOI: https://doi.org/10.1007/978-3-319-71045-7_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71044-0
Online ISBN: 978-3-319-71045-7
eBook Packages: Computer ScienceComputer Science (R0)