On Stream Ciphers with Provable Beyond-the-Birthday-Bound Security against Time-Memory-Data Tradeoff Attacks
نویسندگان
چکیده
We propose and analyze the Lizard-construction, a way to construct keystream generator (KSG) based stream ciphers with provable 2 3 n-security with respect to generic time-memory-data tradeoff attacks. Note that for the vast majority of known practical KSG-based stream ciphers such attacks reduce the effective key length to the birthday bound n/2, where n denotes the inner state length of the underlying KSG. This implies that practical stream ciphers have to have a comparatively large inner state length (e.g., n = 288 bit for Trivium [6] and n = 160 bit for Grain v1 [16]). The Lizard-construction proposes a state initialization algorithm for stream ciphers working in packet mode (like the GSM cipher A5/1 or the Bluetooth cipher E0). The proposal is that for each packet i the packet initial state q init is computed from the secret session key k and the packet initial value IV i via q init = P (k⊕IV )⊕k, where P denotes a state mixing algorithm. Note that the recently published cipher Lizard (see [14]), a stream cipher having inner state length of only 121 bit, is a lightweight practical instantiation of our proposal, which is competitive w.r.t. the usual hardware and power consumption metrics. The main technical contribution of this paper is to introduce a formal ideal primitive model (in the sense of [12]) for KSG-based stream ciphers and to show the sharp 2 3 n-bound for the security of the Lizardconstruction against generic time-memory-data tradeoff attacks.
منابع مشابه
Analyzing Constructions for key-alternating Pseudorandom Functions with Applications to Stream Cipher Operation Modes
In the last years, much research work has been invested into the security analysis of key alternating ciphers in the random oracle model. These are pseudorandom permutations (PRPs), sometimes also called iterated Even-Mansour ciphers, which are defined by alternatingly adding n-bit sub-keys ki and calling public n-bit permutations Pi. Besides the fact, that results of this kind concern the fund...
متن کاملStream ciphers and the eSTREAM project
Stream ciphers are an important class of symmetric cryptographic algorithms. The eSTREAM project contributed significantly to the recent increase of activity in this field. In this paper, we present a survey of the eSTREAM project. We also review recent time/memory/data and time/memory/key trade-offs relevant for the generic attacks on stream ciphers.
متن کاملBeyond-Birthday-Bound Security Based on Tweakable Block Cipher
This paper studies how to build a 2n-bit block cipher which is hard to distinguish from a truly random permutation against attacks with q ≈ 2 queries, i.e., birthday attacks. Unlike previous approaches using pseudorandom functions, we present a simple and efficient proposal using a tweakable block cipher as an internal module. Our proposal is provably secure against birthday attacks, if underly...
متن کاملCryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE
The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an n-bit core block cipher with a κ-bit key by using two additional n-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE (proposed at Asiacrypt 2012) and PRIDE (proposed at CRYPTO 2014). These...
متن کاملLIZARD - A Lightweight Stream Cipher for Power-constrained Devices
Time-memory-data (TMD) tradeoff attacks limit the security level of many classical stream ciphers (like E0, A5/1, Trivium, Grain) to 2 n, where n denotes the inner state length of the underlying keystream generator. In this paper, we present Lizard, a lightweight stream cipher for power-constrained devices like passive RFID tags. Its hardware efficiency results from combining a Grain-like desig...
متن کامل