Design and analysis of small-state grain-like stream ciphers

Abstract

Time-memory-data (TMD) tradeoff attacks limit the security level of many classical stream ciphers to the birthday bound. Very recently, a new field of research has emerged, which searches for so-called small-state stream ciphers that try to overcome this limitation. In this paper, existing designs and known analysis of small-state stream ciphers are revisited and new insights on distinguishers and key recovery are derived based on TMD tradeoff attacks. A particular result is the transfer of a generic distinguishing attack suggested in 2007 by Englund et al. to this new class of lightweight ciphers. Our analysis shows that the initial hope of achieving full security against TMD tradeoff attacks by continuously using the secret key has failed. In particular, we provide generic distinguishers for Plantlet and Fruit with complexity significantly smaller than that of exhaustive key search. However, by studying the assumptions underlying the applicability of these attacks, we are able to come up with a new design idea for small-state stream ciphers, which might allow to finally achieve full security against TMD tradeoff attacks. Another contribution of this paper is the first key recovery attack against the most recent version of Fruit. We show that there are at least 2⁶⁴ weak keys, each of which does not provide 80-bit security as promised by designers.

Appendix: Shrunk Fruit v1

In the following, we present an overview over Shrunk Fruit v1, our ‘halved’ variant of Fruit v1 that we used for the experiments described in Section 3.1.3. As compared to Fruit v1, which has a key size of 80 bits and an IV size of 70 bits, Shrunk Fruit v1 uses 40-bit keys and 35-bit IVs. The sizes of the NFSR and the LFSR were also shrunk from 37 to 19 bits and from 43 to 21 bits, respectively. For the specifications of the new FSRs as well as for the key schedule and the output function, we did our very best to retain the properties of the original cipher and, in particular, not to introduce new weaknesses. To that extent, we actually even kept the number and degree of terms in the key schedule, output and feedback functions of the original Fruit v1. Instead, we just squeezed the corresponding tap indices to fit the new FSRs. In consequence, Shrunk Fruit v1 is probably even stronger (against non-generic attacks) than one would expect from a truly halved variant. Other important properties such as the use of a maximum-period LFSR were also transferred from Fruit v1 to Shrunk Fruit v1. The size of the counter C r was only reduced by one bit, because in Fruit v1, seven bits are required to index 80 key bits and, consequently, in Shrunk Fruit v1, six bits are now required to index the 40 key bits.

Please find below a full specification of Shrunk Fruit v1 in bullet point form:

• Input: 40-bit key K := (k ₀…k ₃₉), 35-bit initialization vector I V := (v ₀…v ₃₄)

• Keystream Limit per IV: 2²¹ bit (due to the 21-bit maximum-period LFSR; corresponds to the limit of 2⁴³ bit and the 43-bit maximum-period LFSR in Fruit v1)

• 6-bit Counter:

  $$C_{r} = \left( {c_{t}^{1}}, {c_{t}^{2}}, {c_{t}^{3}}, {c_{t}^{4}}, {c_{t}^{5}}, {c_{t}^{6}}\right)$$

• Key Schedule:

  $$\begin{array}{@{}rcl@{}} k^{\prime}_{t} &=& k_{s} \cdot k_{y + 32} \oplus k_{u + 36} \cdot k_{p} \oplus k_{q + 16} \oplus k_{r + 32}\\ s &=& \left( {c_{t}^{1}}, {c_{t}^{2}}, {c_{t}^{3}}, {c_{t}^{4}}, {c_{t}^{5}}\right)\\ y &=& \left( {c_{t}^{4}}, {c_{t}^{5}}\right)\\ u &=& \left( {c_{t}^{5}}, {c_{t}^{6}}\right)\\ p &=& \left( {c_{t}^{1}}, {c_{t}^{2}}, {c_{t}^{3}}, {c_{t}^{4}}\right)\\ q &=& \left( {c_{t}^{2}}, {c_{t}^{3}}, {c_{t}^{4}}, {c_{t}^{5}}\right)\\ r &=& \left( {c_{t}^{4}}, {c_{t}^{5}}, {c_{t}^{6}}\right) \end{array} $$

• 19-bit NFSR:

  $$\begin{array}{@{}rcl@{}} n_{t + 19} &=&k^{\prime}_{t} \oplus l_{t} \oplus {c_{t}^{4}} \oplus n_{t} \oplus n_{t + 5} \oplus n_{t + 10} \oplus n_{t + 6} \cdot n_{t + 2}\\ &\oplus& n_{t + 8} \cdot n_{t + 13} \oplus n_{t + 3} \cdot n_{t + 11} \cdot n_{t + 15}\\ &\oplus& n_{t + 4} \cdot n_{t + 9} \oplus n_{t + 14} \cdot n_{t + 15} \cdot n_{t + 16} \cdot n_{t + 17} \end{array} $$

• 21-bit LFSR (a maximum-period LFSR like in Fruit v1):

  $$l_{t + 21} = l_{t} \oplus l_{t + 4} \oplus l_{t + 9} \oplus l_{t + 12} \oplus l_{t + 14} \oplus l_{t + 17} $$

• Keybit z _t :

  $$\begin{array}{@{}rcl@{}} h_{t} &=&l_{t + 3} \cdot l_{t + 7} \oplus l_{t + 1} \cdot l_{t + 11} \oplus n_{t + 18} \cdot l_{t + 13}\\ &\oplus& l_{t + 5} \cdot l_{t + 16} \oplus n_{t + 1} \cdot n_{t + 17} \cdot l_{t + 20} \end{array} $$
  $$\begin{array}{@{}rcl@{}} z_{t} &=& h_{t} \oplus n_{t} \oplus n_{t + 3} \oplus n_{t + 7} \oplus n_{t + 9} \oplus n_{t + 12}\\ &&n_{t + 14} \oplus n_{t + 18} \oplus l_{t + 19} \end{array} $$

• I V ^′ (extension of 35-bit IV to 65 bits; corresponds to the extension of the 70-bit IV to 130 bits in Fruit v1):

  $$IV^{\prime} := 10000 v_{0} v_{1} {\ldots} v_{33} v_{34} 000 {\ldots} 000$$

• Key Loading:

  $$\begin{array}{@{}rcl@{}} \left( n_{0},\ldots,n_{18}\right) &:=& \left( k_{0},\ldots,k_{18}\right)\\ \left( l_{0},\ldots,l_{20}\right) &:=& \left( k_{19},\ldots,k_{39}\right) \end{array} $$

• Key Schedule Counter Initialization:

  $$\left( {c_{0}^{1}}, {c_{0}^{2}}, {c_{0}^{3}}, {c_{0}^{4}}, {c_{0}^{5}}, {c_{0}^{6}}\right) := \left( 0,\ldots,0\right)$$

• Initialization Procedure:

  • 65 IV loading and mixing steps as described in the Fruit v1 paper [24] (there: 130 steps)

  • Set

    $$\left( c_{65}^{1}, c_{65}^{2}, c_{65}^{3}, c_{65}^{4}, c_{65}^{5}, c_{65}^{6}\right) := \left( n_{65},n_{66},n_{67},n_{68},n_{69},l_{65}\right) $$

    and then l ₆₅ := 1.

  • Clock 40 times as described in the Fruit v1 paper paper (there: 80 times).

• Output: The first keystream bit that is output is z ₁₀₅ .