A Chosen IV Related Key Attack on Grain-128a
Authors
Abstract
Due to the symmetric padding used in the stream ciphers Grain v1 and Grain-128, it is possible to find Key-IV pairs that generate shifted keystreams efficiently. Based on this observation, Lee et al. presented a chosen IV related key attack on Grain v1 and Grain-128 at ACISP 2008. Later, the designers introduced Grain-128a, which has an asymmetric padding. As a result, the existing idea of a chosen IV related key attack does not work on this new design. In this paper, we present a key recovery attack on Grain-128a in a chosen IV related key setting. We show that using around γ · 2 (γ is an experimentally determined constant and it is sufficient to estimate it as 2) related keys and γ · 2 chosen IVs, it is possible to obtain 32 · γ simple nonlinear equations and solve them to recover the secret key in Grain-128a.
Similar references
A Differential Fault Attack on Grain-128a Using MACs
The 32-bit MAC of Grain-128a is a linear combination of the first 64 and then the alternative keystream bits. In this paper we describe a successful differential fault attack on Grain-128a, in which we recover the secret key by observing the correct and faulty MACs of certain chosen messages. The attack works due to certain properties of the Boolean functions and corresponding choices of the ta...
Necessary conditions for designing secure stream ciphers with the minimal internal states
After the introduction of some stream ciphers with a minimal internal state, the design idea of these ciphers (i.e. the design of stream ciphers by using a secret key not only in the initialization but also permanently in the keystream generation) has been developed. The idea allows the design of lighter stream ciphers that are suitable for devices with limited resources such as RFID and WSN. We...
Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers
A recent framework for chosen IV statistical distinguishing analysis of stream ciphers is exploited and formalized to provide new methods for key recovery attacks. As an application, a key recovery attack on simplified versions of two eSTREAM Phase 3 candidates is given: For Grain-128 with IV initialization reduced to up to 180 of its 256 iterations, and for Trivium with IV initialization reduc...
Fault analysis and weak key-IV attack on Sprout
Armknecht and Mikhalev proposed a new stream cipher, ‘Sprout’, based on the design specification of the stream cipher Grain-128a. Sprout has a shorter state size than the Grain family, with a round key function. The output of the round key function is XOR’ed with the feedback bit of the NFSR of the cipher. In this paper, we propose a new fault attack on Sprout by injecting a single bit fault after the ...
Key recovery attacks on Grain family using BSW sampling and certain weaknesses of the filtering function
A novel internal state recovery attack on the whole Grain family of ciphers is proposed in this work. It basically uses the ideas of BSW sampling along with employing a weak placement of the tap positions of the driving LFSRs. The currently best known complexity trade-offs are obtained, and due to the structure of Grain family these attacks are also key recovery attacks. It is shown that the in...