fast near collision attack on the grain v1 stream cipher
play

Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang - PowerPoint PPT Presentation

Oct 23, 2023 •115 likes •596 views

Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang , Chao Xu and Willi Meier Chinese Academy of Sciences FHNW,Switzerland 02-05-2018 Bin Zhang , Chao Xu and Willi Meier ( Chinese Academy

  1. Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland 02-05-2018 Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 1 / 45

  2. Outline Background and Motivation 1 Description of Grain v1 2 Preliminaries 3 Fast Near Collision Attacks: The General Framework 4 State Recovery Attacks on Grain v1 5 Conclusions 6 Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 2 / 45

  3. The eSTREAM Project As a rule of thumb, the internal state size of modern stream ciphers is at least twice as large as the key size, e.g., Grain v1 and Trivium. Grain v1 is one of the 7 finalists in the European eSTREAM project. Grain v1 has successfully withstood huge cryptanalysis efforts so far, especially in the single key model. Feature: large internal state + high number of initialization rounds + NFSR-based Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 3 / 45

  4. Near Collision Attacks Widely studied in the domain of hash functions: near collision should be avoided. Introduced into the domain of stream ciphers at FSE 2013 and assigned with a different meaning: from the keystream to the unknown internal state. A state recovery attack on Grain v1 itself is obtained by manipulating from the reduced version experiments to the full version theoretical analysis. But, there are two assumptions involved, which are essential to the success of the attack. Previous near collision attacks leave some problems: high pre-processing and memory complexities, a large number of state variables and the non-fully resolved success rate issue. Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 4 / 45

  5. Fast Near Collision Attack An entirely different strategy is proposed: without the previous assumptions and with an assured success rate. Combination of near collision property with the divide-and-conquer strategy. Aim to address the situation of facing a large number of variables and the non-linear state updating. Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 5 / 45

  6. Our Contributions Develop a new cryptanalytic method on stream ciphers to deal with the large number of variables and non-linear state updating, called fast near collision attack (FNCA). A general framework of FNCA is established: from pre-computation to online algorithms with theoretical analysis and extensive experiments. State/key recovery attack on Grain v1 in the single key model: all the complexity aspects and success probability could be determined. Simulations on Grain v1 itself whenever possible and a reduced version with a 40 -bit LFSR and a 40 -bit NFSR. Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 6 / 45

  7. Our Contributions Develop a new cryptanalytic method on stream ciphers to deal with the large number of variables and non-linear state updating, called fast near collision attack (FNCA). A general framework of FNCA is established: from pre-computation to online algorithms with theoretical analysis and extensive experiments. State/key recovery attack on Grain v1 in the single key model: all the complexity aspects and success probability could be determined. Simulations on Grain v1 itself whenever possible and a reduced version with a 40 -bit LFSR and a 40 -bit NFSR. Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 6 / 45

  8. Our Contributions Develop a new cryptanalytic method on stream ciphers to deal with the large number of variables and non-linear state updating, called fast near collision attack (FNCA). A general framework of FNCA is established: from pre-computation to online algorithms with theoretical analysis and extensive experiments. State/key recovery attack on Grain v1 in the single key model: all the complexity aspects and success probability could be determined. Simulations on Grain v1 itself whenever possible and a reduced version with a 40 -bit LFSR and a 40 -bit NFSR. Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 6 / 45

  9. Our Contributions Develop a new cryptanalytic method on stream ciphers to deal with the large number of variables and non-linear state updating, called fast near collision attack (FNCA). A general framework of FNCA is established: from pre-computation to online algorithms with theoretical analysis and extensive experiments. State/key recovery attack on Grain v1 in the single key model: all the complexity aspects and success probability could be determined. Simulations on Grain v1 itself whenever possible and a reduced version with a 40 -bit LFSR and a 40 -bit NFSR. Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 6 / 45

  10. Grain v1 One of the 7 finalists selected by the eSTREAM project. A bit-oriented stream cipher with a pair of linked shift registers: a 80 -bit LFSR into a 80 -bit NFSR.  NFSR LFSR   h x  No key recovery attack in the single key model has been found yet. Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 7 / 45

  11. Grain v1 Specification (1) Given ( l i , l i +1 , ..., l i +79 ) , the LFSR state updating: l i +80 = l i +62 ⊕ l i +51 ⊕ l i +38 ⊕ l i +23 ⊕ l i +13 ⊕ l i . Given ( n i , n i +1 , ..., n i +79 ) , the NFSR state updating: n i +80 = l i ⊕ n i +62 ⊕ n i +60 ⊕ n i +52 ⊕ n i +45 ⊕ n i +37 ⊕ n i +33 ⊕ n i +28 ⊕ n i +21 ⊕ n i +14 ⊕ n i +9 ⊕ n i ⊕ n i +63 n i +60 ⊕ n i +37 n i +33 ⊕ n i +15 n i +9 ⊕ n i +60 n i +52 n i +45 ⊕ n i +33 n i +28 n i +21 ⊕ n i +63 n i +45 n i +28 n i +9 ⊕ n i +60 n i +52 n i +37 n i +33 ⊕ n i +63 n i +60 n i +21 n i +15 ⊕ n i +63 n i +60 n i +52 n i +45 n i +37 ⊕ n i +33 n i +28 n i +21 n i +15 n i +9 ⊕ n i +52 n i +45 n i +37 n i +33 n i +28 n i +21 . Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 8 / 45

  12. Grain v1 Specification (2) h ( x ) = x 1 ⊕ x 4 ⊕ x 0 x 3 ⊕ x 2 x 3 ⊕ x 3 x 4 ⊕ x 0 x 1 x 2 ⊕ x 0 x 2 x 3 ⊕ x 0 x 2 x 4 ⊕ x 1 x 2 x 4 ⊕ x 2 x 3 x 4 , which is chosen to be balanced and correlation immune of the first order with the variables ( x 0 , x 1 , x 2 , x 3 , x 4 ) → ( l i +3 , l i +25 , l i +46 , l i +64 , n i +63 ) . The keystream z i = � k ∈A n i + k ⊕ h ( l i +3 , l i +25 , l i +46 , l i +64 , n i +63 ) , where A = { 1 , 2 , 4 , 10 , 31 , 43 , 56 } . The details of the initialization phase are omitted here, the only property relevant to our work is that the initialization phase is invertible. Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 9 / 45

  13. Basic Conceptions and Lemmas (1) d -near-collision Two n -bit strings s , s ′ are said to be d -near-collision, if w H ( s ⊕ s ′ ) ≤ d holds. Lemma Given two random sets A and B consisting of elements of n -bit length and a condition set D , then there exists a pair ( a, b ) ∈ ( A, B ) satisfying one of the conditions in D if | A | · | B | ≥ c · 2 n (1) | D | holds, where c is a constant that determines the existence probability of one good pair ( a, b ) . Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 10 / 45

  14. Basic Conceptions and Lemmas (2) DTU Crypto group: from the random experiments with a modest size, i.e., for each c value, 100 strings of length 40 to 49 for d -values from 10 to 15 are generated, not in a real cipher setting.  0 . 606 if c = 1  Pr ( d-near-collision ) = 0 . 946 if c = 3 0 . 992 if c = 5.  Corollary For a specified cipher and a chosen constant c , let A and B be the internal state subsets associated with the observable keystream vectors, where each element of A and B is of n -bit length. If we choose | A | = 1 and | B | ≥ c · 2 n | D | , then there exists an element b i ∈ B such that the pair ( a, b i ) with the only element a ∈ A forms a d -near collision pair with a probability dependent on c . Bin Zhang ∗ , Chao Xu ∗ and Willi Meier ∗∗ ( ∗ Chinese Academy of Sciences ∗∗ FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 11 / 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China. Institute of Software, Chinese Academy of Sciences,

1.08k views • 97 slides
Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 Washington D.C. Itai Dinur 1 , Tim Gneysu 2 , Christof Paar 2 , Adi Shamir 1 , and Ralf Zimmermann 2 1

754 views • 58 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy Maitra, Santanu Sarkar Indian Statistical Institute Kolkata September 10, 2012 CHES 2012, Leuven Belgium GRAIN family of Stream Ciphers 2 of 32

506 views • 32 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov

ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov

ABC: A New Fast Flexible Stream Cipher Vladimir Anashin Andrey Bogdanov* Ilya Kizhvatov Russian State University for the Humanities Faculty of Information Security *Partially supported by the Institute for Experimental Mathematics, University

453 views • 19 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

S PRITZ A SPONGY RC4- LIKE STREAM CIPHER AND HASH FUNCTION Ronald L. Rivest 1 Jacob C. N. Schuldt 2 1 Vannevar Bush Professor of EECS MIT CSAIL Cambridge, MA 02139 rivest@mit.edu 2 Research Institute for Secure Systems AIST, Japan

603 views • 37 slides
Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Py SPP attack Improving on the attack Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py SPP attack Improving on the attack Py eSTREAM entrant by Eli Biham and Jennifer Seberry Fast in

870 views • 38 slides
PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m (stream) Enc One-time Encryption with a stream-cipher: SC K Generate a one-time pad from a short seed Can share just the seed as the key Mask

1.33k views • 102 slides
Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

367 views • 19 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20 stream cipher Poly1305 authenticator ChaCha20+Poly1305 AEAD construction TLS cipher suites Performance ChaCha20 stream cipher

648 views • 12 slides
Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia K asper 1 Overview Basic concept of correlation attacks on stream ciphers A correlation attack on the GSM cipher A5/1 A correlation

256 views • 22 slides
The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias Vallentin 1 , Robin Sommer 2,3, Jason Lee 2 , Craig Leres 2 Vern Paxson 3,2 , and Brian Tierney 2 1 TU Mnchen 2 Lawrence Berkeley National

409 views • 25 slides
Use Cases Reference: Craig Larman, Applying UML and Patterns, Ch. 6 Use Case What it is:

Use Cases Reference: Craig Larman, Applying UML and Patterns, Ch. 6 Use Case What it is:

Use Cases Reference: Craig Larman, Applying UML and Patterns, Ch. 6 Use Case What it is: Text story Widely used to discover and record (mostly functional) requirements What is it about: Some actor(s) using a system to meet

430 views • 30 slides
Biology: dompanine TD() Using a longer trajectory rather than single step: For a single step:

Biology: dompanine TD() Using a longer trajectory rather than single step: For a single step:

TD learning Biology: dompanine TD() Using a longer trajectory rather than single step: For a single step: The expected total Return from S on is: R(S) = r + V(S) For two steps: TD() n-step return at time t: Using a trajectory of

679 views • 32 slides
Opera.ng Systems History and Overview Por%ons of this material courtesy Profs. Wong and Stark

Opera.ng Systems History and Overview Por%ons of this material courtesy Profs. Wong and Stark

CSE 306: Opera.ng Systems Opera.ng Systems History and Overview Por%ons of this material courtesy Profs. Wong and Stark CSE 306: Opera.ng Systems So what is an OS? 2-2 CSE 306: Opera.ng Systems One view of an OS 2-3 CSE 306: Opera.ng

1.88k views • 55 slides
PRanking with Ranking Koby Crammer Technion Israel Institute of Technology Based on joint

PRanking with Ranking Koby Crammer Technion Israel Institute of Technology Based on joint

PRanking with Ranking Koby Crammer Technion Israel Institute of Technology Based on joint work with Yoram Singer at the Hebrew University of Jerusalem Problem Machine Prediction Users Rating Ranking 3 3 0 3 1 Loss Ranking

596 views • 41 slides
MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd

MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd

MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd <simon.mudd@booking.com> Percona Live Europe Amsterdam 5 th October 2016 Content What is MySQL X protocol How does it work Building Drivers

793 views • 60 slides
Public comments Application driven programs Programmatic design Local government

Public comments Application driven programs Programmatic design Local government

Public comments Application driven programs Programmatic design Local government input Informational workshops Media outreach Homeowners Assistance Outreach Billboards, rolling buses, TV/radio/print, grassroots

442 views • 13 slides
Stream Processing Optimizations Scott Schneider IBM Thomas J. Watson Research Center New York,

Stream Processing Optimizations Scott Schneider IBM Thomas J. Watson Research Center New York,

Stream Processing Optimizations Scott Schneider IBM Thomas J. Watson Research Center New York, USA Martin Hirzel IBM Thomas J. Watson Research Center New York, USA Bu ra Gedik Computer Engineering Department Bilkent University Ankara,

913 views • 66 slides

More recommend