A New Version of Grain-128 with Authentication, Martin Ågren et al. - PowerPoint PPT Presentation



SLIDE 1

A New Version of Grain-128 with Authentication

Martin Ågren¹, Martin Hell¹, Thomas Johansson¹, Willi Meier²

¹ Lund University, Sweden
² FHNW, Switzerland

110216 / Lyngby

SLIDE 2

Outline

1 Introduction
  Motivation and Goals
2 The Old Grain-128
  The Algorithm
  Attacks and Observations
3 The New Grain-128a
  The New Grain-128a
  Authentication
4 Conclusion

M. Ågren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 2 / 16


SLIDE 4

Motivation and Goals

◮ Grain-128 is lightweight, but some of its nonlinearities are too lightweight.
◮ Some applications need built-in authentication . . .
◮ . . . but leaving it out should be possible.
◮ Allow for easy updating of existing implementations.
◮ . . . and trust!



SLIDE 6

The Old Grain-128

[Figure: the Grain-128 structure, an NFSR and an LFSR with feedback functions g and f and output function h.]

◮ 128-bit key, 96-bit IV.
◮ An LFSR provides a large period.
◮ An NFSR with an update function of degree two updates the state nonlinearly.
◮ An output function of degree three produces nonlinear output.
◮ State bits are added linearly to ensure resiliency.
◮ Initialize in 256 rounds: feed the output back into the registers.
◮ Speed up by duplicating the Boolean functions.


SLIDE 7

IV Padding: Sliding Property

[Figure: the Grain-128 structure (NFSR, LFSR, g, f, h).]

◮ The 96-bit IV goes into a 128-bit register and is padded with 111. . . 111. With high probability, a shifted key and a shifted IV will produce the exact same keystream, only with a shift. [Küçük06], [DeCaKüPre08]
◮ Related-key chosen-IV. [LeeJeongSungHong08]


SLIDE 8

Too Little Nonlinearity or Initialization

◮ Cube, 237 of 256 initialization rounds [AumDinHenMeiSha09]
◮ Maxterm, 256 of 256 initialization rounds [Stankovski10]

Looking at the first keystream bits, the equations in the unknown key bits are not complicated enough.



SLIDE 10

Too Little Nonlinearity and Similar Bits

◮ Chosen-IV (cube): assuming ten specific key bits to be zero, the equations simplify “enough”. [DinSha11]

[Figure: the Grain-128 structure (NFSR, LFSR, g, f, h).]

◮ Also, b_{i+95} and s_{i+95} are multiplied together in the output function. During initialization they are too similar, so the complexity does not grow as much as wanted.



SLIDE 12

Changes from Grain-128

[Figure: the Grain-128 structure (NFSR, LFSR, g, f, h).]

Grain-128 with changes:

◮ Pad the IV with 111. . . 110.
◮ The NFSR update function now has degree four (it had degree two).
◮ Change a tap in the output function: b_{i+95}, s_{i+94}, so that we do not multiply bits that are “similar”.



SLIDE 14

Authentication

The above algorithm is used to produce the pre-output stream. Different parts of it are used for different things:

◮ Encryption
◮ Authentication

[Figure: the key and IV feed the pre-output generator, which outputs z_0 z_1 . . . z_63 and then z_{64+2i}, z_{65+2i}, . . .; the first 64 bits initialize the MAC, and thereafter alternate pre-output bits go to the MAC and to encrypting message bit m_i into ciphertext bit c_i; the MAC outputs the tag t.]



SLIDE 16

Authentication

[Figure: the MAC module, an accumulator and a shift register; message bits m_i and bits from the pre-output are fed in.]

◮ A Wegman-Carter approach.
◮ Initialize both registers with pre-output bits.
◮ We multiply the message bit vector by a Toeplitz matrix.
◮ P_S is the probability that an attack succeeds.
◮ With perfectly random input to the shift register, P_S = 2^-32.
◮ We have P_S < 2^-32 + 2ε. [Krawczyk95], [ÅHJ11], [Maximov06]

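The accumulator/shift-register MAC described on the Authentication slide, written out as an added example (not the authors' code): it computes the tag both with the two registers and as the explicit Toeplitz matrix-vector product the slide refers to, and checks they agree. The pre-output bits come from a constructed xorshift32 stand-in rather than Grain-128a, and the exact update order (accumulate on a 1-bit, then shift in one fresh bit) and the w parameter for shorter tags are assumptions of this example.

```python
from typing import Iterator, List

def constructed_preoutput(seed: int) -> Iterator[int]:
    """Constructed stand-in for the pre-output generator: the low bit of a
    xorshift32 sequence. It is NOT Grain-128a and has no cryptographic value."""
    x = (seed & 0xFFFFFFFF) or 1
    while True:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        yield x & 1

def mac_registers(bits: Iterator[int], message: List[int], w: int = 32) -> List[int]:
    """Register form of the MAC: a w-bit accumulator and a w-bit shift register,
    both seeded from the stream. On every 1-bit of the message the shift register
    is XORed into the accumulator; after each message bit the shift register
    takes one fresh pre-output bit. (Update order is an assumption.)"""
    acc = [next(bits) for _ in range(w)]
    sr = [next(bits) for _ in range(w)]
    for m in message:
        if m:
            acc = [a ^ s for a, s in zip(acc, sr)]
        sr = sr[1:] + [next(bits)]
    return acc                                   # the w-bit tag

def mac_matrix(bits: Iterator[int], message: List[int], w: int = 32) -> List[int]:
    """Explicit form: tag = A xor T*m over GF(2), where T is the w x n Toeplitz
    matrix with T[k][j] = r[j + k] and r is the stream after the accumulator
    seed. This is exactly what the register form computes step by step: at
    message bit j the shift register holds r[j], ..., r[j + w - 1]."""
    n = len(message)
    acc = [next(bits) for _ in range(w)]
    r = [next(bits) for _ in range(w + n - 1)]  # the w+n-1 distinct entries of T
    return [acc[k] ^ (sum(r[j + k] & message[j] for j in range(n)) & 1)
            for k in range(w)]

def tag_to_int(tag: List[int]) -> int:
    """Pack a bit list (MSB first) into an integer for display."""
    return int("".join(map(str, tag)), 2)

if __name__ == "__main__":
    msg = [int(b) for b in format(0xC0FFEE, "024b")]  # constructed 24-bit message
    print(hex(tag_to_int(mac_registers(constructed_preoutput(2011), msg))))
    print(hex(tag_to_int(mac_matrix(constructed_preoutput(2011), msg))))
    print(hex(tag_to_int(mac_registers(constructed_preoutput(2011), msg, w=16))))
```

Because the register form only ever XORs one column of T into the accumulator, a message of any length costs w XOR gates per bit, which is why the slide can trade tag length w for hardware.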


SLIDE 18

Hardware Characteristics

Several nice aspects:

◮ We can still increase the speed up to 32x.
◮ We can leave out the authentication.
◮ . . . or part of it: w-bit tags for 2^-w.

The cheapest one, a version that produces one bit per clock:

◮ Grain-128: 2133 gate equivalents
◮ Grain-128a: 2243 gate equivalents; a five per cent increase (as a bonus, we initialize faster)

Adding authentication, we would get a total of 2867 gate equivalents.



SLIDE 20

Conclusion

Grain-128a

◮ is at least as secure as Grain-128,
◮ resists all current cryptanalysis on Grain-128,
◮ has optional authentication,
◮ is still hardware-efficient.


SLIDE 21

Conclusion

Thank you!



SLIDE 23

On Cube/Maxterm/AIDA/...

[Plot: number of rounds (y-axis, 50 to 256) against bitset size (x-axis, 5 to 40), two curves.]

How does a greedy strategy aid in finding good bitsets? Upper curve: Stankovski's on Grain-128. Lower curve: ours on the pre-output of Grain-128a.
