Fast Near Collision Attack on the Grain v1 Stream Cipher (Bin Zhang, Chao Xu, Willi Meier) - PowerPoint PPT Presentation


SLIDE 1

Fast Near Collision Attack on the Grain v1 Stream Cipher

Bin Zhang∗, Chao Xu∗ and Willi Meier∗∗

∗ Chinese Academy of Sciences ∗∗FHNW,Switzerland

02-05-2018

Bin Zhang∗, Chao Xu∗ and Willi Meier∗∗ (∗ Chinese Academy of Sciences ∗∗FHNW,Switzerland) Fast Near Collision Attack on the Grain v1 Stream Cipher 02-05-2018 1 / 45

slide-2
SLIDE 2

Outline

1. Background and Motivation
2. Description of Grain v1
3. Preliminaries
4. Fast Near Collision Attacks: The General Framework
5. State Recovery Attacks on Grain v1
6. Conclusions

SLIDE 3

The eSTREAM Project

As a rule of thumb, the internal state size of modern stream ciphers is at least twice the key size, e.g., Grain v1 and Trivium.
Grain v1 is one of the 7 finalists of the European eSTREAM project.
Grain v1 has so far withstood substantial cryptanalytic effort, especially in the single-key model.
Features: a large internal state, a high number of initialization rounds, and an NFSR-based design.

SLIDE 4

Near Collision Attacks

Widely studied in the domain of hash functions, where near collisions should be avoided.
Introduced into the domain of stream ciphers at FSE 2013 with a different meaning: from the keystream to the unknown internal state.
A state recovery attack on Grain v1 itself was obtained by extrapolating from experiments on reduced versions to a theoretical analysis of the full version, but it relies on two assumptions that are essential to its success.
Previous near collision attacks leave open problems: high pre-processing and memory complexities, a large number of state variables, and an unresolved success-rate issue.

SLIDE 5

Fast Near Collision Attack

An entirely different strategy is proposed: without the previous assumptions and with an assured success rate.
It combines the near collision property with a divide-and-conquer strategy.
The aim is to address the situation of a large number of variables and non-linear state updating.

SLIDE 6

Our Contributions

Develop a new cryptanalytic method for stream ciphers that deals with a large number of variables and non-linear state updating, called fast near collision attack (FNCA).
A general framework of FNCA is established, from pre-computation to online algorithms, with theoretical analysis and extensive experiments.
State/key recovery attack on Grain v1 in the single-key model: all the complexity aspects and the success probability can be determined.
Simulations on Grain v1 itself whenever possible, and on a reduced version with a 40-bit LFSR and a 40-bit NFSR.

SLIDE 10

Grain v1

One of the 7 finalists selected by the eSTREAM project.
A bit-oriented stream cipher with a pair of linked shift registers: an 80-bit LFSR feeding an 80-bit NFSR.

[Figure: the Grain v1 keystream generator; taps of the NFSR and LFSR enter the filter function h(x), whose output is combined with NFSR bits to form the keystream.]

No key recovery attack in the single-key model has been found yet.

SLIDE 11

Grain v1 Specification (1)

Given $(l_i, l_{i+1}, \ldots, l_{i+79})$, the LFSR state update is
$$l_{i+80} = l_{i+62} \oplus l_{i+51} \oplus l_{i+38} \oplus l_{i+23} \oplus l_{i+13} \oplus l_i.$$
Given $(n_i, n_{i+1}, \ldots, n_{i+79})$, the NFSR state update is
$$n_{i+80} = l_i \oplus n_{i+62} \oplus n_{i+60} \oplus n_{i+52} \oplus n_{i+45} \oplus n_{i+37} \oplus n_{i+33} \oplus n_{i+28} \oplus n_{i+21} \oplus n_{i+14} \oplus n_{i+9} \oplus n_i \oplus n_{i+63}n_{i+60} \oplus n_{i+37}n_{i+33} \oplus n_{i+15}n_{i+9} \oplus n_{i+60}n_{i+52}n_{i+45} \oplus n_{i+33}n_{i+28}n_{i+21} \oplus n_{i+63}n_{i+45}n_{i+28}n_{i+9} \oplus n_{i+60}n_{i+52}n_{i+37}n_{i+33} \oplus n_{i+63}n_{i+60}n_{i+21}n_{i+15} \oplus n_{i+63}n_{i+60}n_{i+52}n_{i+45}n_{i+37} \oplus n_{i+33}n_{i+28}n_{i+21}n_{i+15}n_{i+9} \oplus n_{i+52}n_{i+45}n_{i+37}n_{i+33}n_{i+28}n_{i+21}.$$

SLIDE 12

Grain v1 Specification (2)

$$h(x) = x_1 \oplus x_4 \oplus x_0x_3 \oplus x_2x_3 \oplus x_3x_4 \oplus x_0x_1x_2 \oplus x_0x_2x_3 \oplus x_0x_2x_4 \oplus x_1x_2x_4 \oplus x_2x_3x_4,$$
which is chosen to be balanced and correlation immune of the first order, with the variables $(x_0, x_1, x_2, x_3, x_4) \to (l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63})$. The keystream bit is
$$z_i = \bigoplus_{k \in A} n_{i+k} \oplus h(l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63}),$$
where $A = \{1, 2, 4, 10, 31, 43, 56\}$. The details of the initialization phase are omitted here; the only property relevant to this work is that the initialization phase is invertible.
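Added example (not the authors' code, and not a reference implementation of Grain v1): the keystream generator of slides 11 and 12 in Python, with a backward clock that undoes both the keystream phase and the initialization phase, which is the invertibility property the attack relies on to turn a recovered state into the key. The key/IV loading used here (key into the NFSR, IV into LFSR bits 0..63, ones in bits 64..79, 160 clocks with the output fed back into both registers) is the Grain v1 initialization that the slides omit; `h_is_balanced_and_ci1` checks the balancedness and first-order correlation immunity claimed for h, and `roundtrip_ok` works on a constructed random key/IV.

```python
"""Grain v1 keystream generator with forward and backward clocking.

Added example; not the authors' code. State: l = [l_i, ..., l_{i+79}] and
n = [n_i, ..., n_{i+79}], index 0 = oldest bit. The key/IV loading below is
the Grain v1 one; the slides omit it and use only that it is invertible.
"""
import random

A = (1, 2, 4, 10, 31, 43, 56)   # NFSR taps of the linear masking bit x_i

def h(x0, x1, x2, x3, x4):
    """Filter function h, inputs (l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63})."""
    return (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4) ^ (x0 & x1 & x2)
            ^ (x0 & x2 & x3) ^ (x0 & x2 & x4) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))

def lfsr_feedback(l):
    """l_{i+80} without the initialization feedback."""
    return l[62] ^ l[51] ^ l[38] ^ l[23] ^ l[13] ^ l[0]

def nfsr_feedback(l, n):
    """n_{i+80} = l_i + g(n); n_i occurs only linearly, which makes g invertible."""
    return (l[0] ^ n[62] ^ n[60] ^ n[52] ^ n[45] ^ n[37] ^ n[33] ^ n[28]
            ^ n[21] ^ n[14] ^ n[9] ^ n[0]
            ^ (n[63] & n[60]) ^ (n[37] & n[33]) ^ (n[15] & n[9])
            ^ (n[60] & n[52] & n[45]) ^ (n[33] & n[28] & n[21])
            ^ (n[63] & n[45] & n[28] & n[9]) ^ (n[60] & n[52] & n[37] & n[33])
            ^ (n[63] & n[60] & n[21] & n[15])
            ^ (n[63] & n[60] & n[52] & n[45] & n[37])
            ^ (n[33] & n[28] & n[21] & n[15] & n[9])
            ^ (n[52] & n[45] & n[37] & n[33] & n[28] & n[21]))

def masking_bit(n):
    """x_i = n_{i+1} + n_{i+2} + n_{i+4} + n_{i+10} + n_{i+31} + n_{i+43} + n_{i+56}."""
    x = 0
    for k in A:
        x ^= n[k]
    return x

def output(l, n):
    """z_i = x_i + h(l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63}); l_i, n_i unused."""
    return masking_bit(n) ^ h(l[3], l[25], l[46], l[64], n[63])

def clock_forward(l, n, init=False):
    z = output(l, n)
    fl, fn = lfsr_feedback(l), nfsr_feedback(l, n)
    if init:                      # initialization: the output is fed back, not emitted
        fl ^= z
        fn ^= z
    return l[1:] + [fl], n[1:] + [fn], z

def clock_backward(l, n, init=False):
    """Undo clock_forward: recover (l_i, n_i) from the state one tick later.
    z_i does not involve l_i or n_i, and l_{i+80}, n_{i+80} are affine in them."""
    lp, np_ = [0] + l[:-1], [0] + n[:-1]          # placeholder 0 for the unknown bits
    z = output(lp, np_) if init else 0             # z_i, independent of l_i and n_i
    lp[0] = l[-1] ^ z ^ lfsr_feedback(lp)          # feedback with l_i = 0: the other taps
    np_[0] = n[-1] ^ z ^ nfsr_feedback(lp, np_)    # l_i now correct, n_i = 0 placeholder
    return lp, np_, z

def load(key, iv):
    """Key/IV loading: 80 key bits into the NFSR, 64 IV bits + 16 ones into the LFSR."""
    l, n = list(iv) + [1] * 16, list(key)
    for _ in range(160):
        l, n, _ = clock_forward(l, n, init=True)
    return l, n

def keystream(l, n, length):
    out = []
    for _ in range(length):
        l, n, z = clock_forward(l, n)
        out.append(z)
    return out, l, n

def recover_key(l, n, clocks_after_init):
    """State recovery -> key recovery: run the generator and the initialization backwards."""
    for _ in range(clocks_after_init):
        l, n, _ = clock_backward(l, n)
    for _ in range(160):
        l, n, _ = clock_backward(l, n, init=True)
    return n, l[:64]                               # key = NFSR contents, IV = LFSR[0:64]

def h_is_balanced_and_ci1():
    """Slide 12 claim: W_h(0) = 0 (balanced) and W_h(e_j) = 0 for all j (1st-order CI)."""
    def walsh(a):
        s = 0
        for v in range(32):
            bits = [(v >> j) & 1 for j in range(5)]
            dot = sum(bits[j] for j in range(5) if (a >> j) & 1) & 1
            s += 1 if h(*bits) == dot else -1
        return s
    return walsh(0) == 0 and all(walsh(1 << j) == 0 for j in range(5))

def roundtrip_ok(seed=1, clocks=100):
    """Constructed key/IV: load, clock, then invert back to the key and IV."""
    rng = random.Random(seed)
    key = [rng.randint(0, 1) for _ in range(80)]
    iv = [rng.randint(0, 1) for _ in range(64)]
    l, n = load(key, iv)
    _, l, n = keystream(l, n, clocks)
    return recover_key(l, n, clocks) == (key, iv)
```

The backward clock is the whole reason a state recovery on the keystream generator is a key recovery: nothing in the initialization is lossy, so the attacker rewinds 160 ticks and reads the key out of the NFSR.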

SLIDE 13

Basic Conceptions and Lemmas (1)

d-near-collision

Two $n$-bit strings $s, s'$ are said to be a $d$-near-collision if $w_H(s \oplus s') \le d$ holds.

Lemma

Given two random sets $A$ and $B$ consisting of elements of $n$-bit length and a condition set $D$, there exists a pair $(a, b) \in (A, B)$ satisfying one of the conditions in $D$ if
$$|A| \cdot |B| \ge c \cdot \frac{2^n}{|D|} \quad (1)$$
holds, where $c$ is a constant that determines the existence probability of one good pair $(a, b)$.

SLIDE 14

Basic Conceptions and Lemmas (2)

DTU Crypto group: from random experiments of modest size, i.e., for each $c$ value, 100 strings of length 40 to 49 for $d$-values from 10 to 15 were generated, not in a real cipher setting:
$$\Pr(d\text{-near-collision}) = \begin{cases} 0.606 & \text{if } c = 1 \\ 0.946 & \text{if } c = 3 \\ 0.992 & \text{if } c = 5. \end{cases}$$

Corollary

For a specified cipher and a chosen constant $c$, let $A$ and $B$ be the internal state subsets associated with the observable keystream vectors, where each element of $A$ and $B$ is of $n$-bit length. If we choose $|A| = 1$ and $|B| \ge c \cdot \frac{2^n}{|D|}$, then there exists an element $b_i \in B$ such that the pair $(a, b_i)$ with the only element $a \in A$ forms a $d$-near-collision pair with a probability dependent on $c$.

SLIDE 15

Basic Conceptions and Lemmas (3)

Definition

For a specified cipher, the subset $x = (x_{i_0}, x_{i_1}, \ldots, x_{i_{n-1}})$ of the full internal state associated with a given keystream vector $z = (z_{j_0}, z_{j_1}, \ldots, z_{j_{l-1}})$ is called the restricted internal state associated with $z$.

Definition

Let $z = (z_{j_0}, z_{j_1}, \ldots, z_{j_{l-1}})$ be the known keystream vector selected by the adversary. If $l$ internal state bits in the restricted internal state $x$ associated with $z$ can be represented explicitly by $z$ and the other bits in $x$, then $l$ is called the restricted BSW sampling resistance corresponding to $(x, z)$.

SLIDE 16

The Previous Near Collision Attack

Identify a near collision in the whole internal state at different time instants and restore the two involved states accordingly.
Pre-compute the mapping from the specific KSDs to the possible ISDs of the full internal state, with the occurring probabilities sorted.
The crucial problem is to examine a large number of possible pairs for whether they are truly near collisions or not; this process needs a strong wrong-candidate filter with low complexity.
It is not easy to restore the NFSR state, even given the two specified keystream vectors and their corresponding ISD.

SLIDE 17

General Description (1)

Given $z = (z_{j_0}, z_{j_1}, \ldots, z_{j_{l-1}})$ with the $z_{j_i}$ ($0 \le i \le l-1$) not necessarily consecutive in the real keystream, the corresponding restricted internal state $x$ for $z$ is determined by the output function $f$ together with its tap positions and the state updating function $g$ of the cipher, i.e., it is induced by the intrinsic structure of the cipher. Besides, from the keystream vector $z$ it is natural to look at the augmented function for $z$.

Definition

For a specified cipher with output function $f$ and state updating function $g$, which outputs one keystream bit per tick, the $l$-th order augmented function $A_f : \mathbb{F}_2^{|x|} \to \mathbb{F}_2^{l}$ for a given $(x, z)$ pair is defined as
$$A_f(x) = \left(f(x), f(g^{i_1}(x)), \ldots, f(g^{i_{l-1}}(x))\right).$$

SLIDE 18

General Description (2)

Algorithm 1 FNCA
Parameters: index: the concrete value of a KSD; prefix: the concrete value of a keystream vector
Offline:
  for each combination of (index, prefix) do
    Construct the table T[index, prefix], projecting from the KSD index to all the possible ISDs sorted by the occurring rates
  end for
Input: A keystream segment $z_{total} = (z_{j_0}, z_{j_1}, \ldots, z_{j_{l-1}}, z_{j_l}, \ldots, z_{j_{l+\gamma}})$
Online: Recover the full internal state $x_{full}$ matching $z_{total}$
  1: Divide $z_{total}$ into $\alpha$ overlapping parts $z_i$ ($1 \le i \le \alpha$) and a suffix $z_\mu$
  2: for $i = 1$ to $\alpha$ do
  3:   get the candidate list $L_i$ of the restricted internal state $x_i$ for $z_i$
  4: end for
  5: Merge the $L_i$ to get a candidate list for the possible partial state $x_{merge}$
  6: for each candidate of $x_{merge}$ do
  7:   restore $x_{full}$ and test the consistency with the suffix $z_\mu$

SLIDE 19

Local Properties

Lemma

For a specified cipher and two keystream vectors $z_i$ and $z_i'$, the KSD $\Delta z_i = z_i \oplus z_i'$ only depends on the ISD $\Delta x_i = x_i \oplus x_i'$ and the values of $x_i$ and $x_i'$, whatever the difference and the values in $\bar{x}_i$, the other part of the whole internal state.

How to efficiently get the candidates for each restricted internal state, and further filter out the wrong values as much as possible in each case?
How to efficiently merge these partial states without the number of possible internal state candidates overflowing, i.e., we need to carefully control the growth of the number of candidates during the merging phase.
We need a very efficient method to restore the other parts of the full internal state given $x_{merge}$, which lies at the core of the routine.

SLIDE 20

Offline: Parameterizing the Differential Tables

Algorithm 2 Constructing the differential table T[index, prefix]
1: for each ISD $\Delta x$ s.t. $w_H(\Delta x) \le d$ do
2:   for $i = 1$ to $N_1$ do
3:     determine whether $\Delta x$ could generate the specified KSD index
4:     if yes then
5:       for $j = 1$ to $N_2$ do
6:         generate a random $x$ s.t. $A_f(x) = $ prefix and form the pair $(x, x \oplus \Delta x)$
7:         compute $z = A_f(x)$ and $z' = A_f(x \oplus \Delta x)$
8:         count the number of times (counter) that $\Delta z = z \oplus z' = $ index
9:       store the ratio counter$/N_2$ with $\Delta x$ in T[index, prefix]
10: Sort the ISDs according to the occurring rates

SLIDE 21

Offline: pre-computation of Grain v1 for a 2-bit keystream vector with the 23 original variables

Table: The summary of the pre-computation phase of Grain v1 for a 2-bit keystream vector with the 23 original variables

(index, prefix)   |T|     Pr_divs
(0x0, 0x0)        16126   0.314426
(0x0, 0x1)        16126   0.314434
(0x0, 0x2)        16126   0.314504
(0x0, 0x3)        16126   0.314504
(0x1, 0x0)        16106   0.318958
(0x1, 0x1)        16106   0.319050
(0x1, 0x2)        16106   0.318896
(0x1, 0x3)        16106   0.318928
(0x2, 0x0)        16106   0.319008
(0x2, 0x1)        16106   0.318892
(0x2, 0x2)        16106   0.318934
(0x2, 0x3)        16106   0.318955
(0x3, 0x0)        16044   0.311827
(0x3, 0x1)        16044   0.311839
(0x3, 0x2)        16044   0.311979
(0x3, 0x3)        16044   0.311833

SLIDE 22

Offline: The Diversified Probability

Definition

For each T[index, prefix], let $|T|$ be the number of ISDs in the table; the diversified probability of this table is defined as
$$Pr_{divs} = \frac{\sum_{\Delta x \in T} Pr_{\Delta x}}{|T|},$$
where $\Delta x$ ranges over all the possible ISDs in the table.

Corollary

From Table 2 (the table on the previous slide), if the index is fixed, then the 4 values of $Pr_{divs}$ corresponding to the different prefixes are approximately the same, i.e., the 4 tables T have almost the same reducing effect for filtering out wrong candidates.

SLIDE 23

Online: Restoring and Distilling the Candidates

Algorithm 3 The refined self-contained method
1: Initialize $i = 0$
2: while $i \le c \cdot \frac{2^n}{|D|}$ do
3:   load $x$ with a new random value so that it generates $z \oplus$ index
4:   for each possible ISD $\Delta x$ in T[index, $z \oplus$ index] do
5:     compute $x' = x \oplus \Delta x$
6:     if $x'$ generates $z$ then
7:       put $x'$ into the candidate list $L$
8:     end if
9:   end for
10:  $i = i + 1$
11: end while

The original self-contained method was proposed by the DTU Crypto group.

SLIDE 24

Online (2)

Theorem

Let $b$ be the number of all the possible values that can be hit and $a = c \cdot \frac{2^n}{|D|} \cdot |T| \cdot P_{divs}$; then after one invocation of Algorithm 3 the mathematical expectation of the final number $r$ of hit values in the list is
$$E[r] = \sum_{r=1}^{a} \binom{b}{r} \cdot r! \cdot \left\{ {a \atop r} \right\} \cdot \frac{r}{b^a}, \quad (1)$$
where $\left\{ {a \atop r} \right\}$ is the Stirling number of the second kind, $\binom{b}{r}$ is the binomial coefficient and $r!$ is the factorial.

SLIDE 25

Online (3)

Algorithm 4 Distilling the candidates
Parameter: a well chosen constant $\beta$
1: for $i = 1$ to $\beta$ do
2:   run Algorithm 3 to get the candidate list $L_i$
3: end for
4: Initialize a list $U$ and let $U = L_1$
5: for $i = 2$ to $\beta$ do
6:   intersect $U$ with $L_i$, i.e., $U \leftarrow U \cap L_i$

Theorem

The expected number of candidates in the list $U$ of Algorithm 4 after $\beta - 1$ steps of intersection is $|U_1| \cdot \left(\frac{E[r]}{b}\right)^{\beta-1}$, where $|U_1| = |L_1|$ is the number of candidates present in the first list $L_1$ and $E[r]$ is the expected number of hit values in one single invocation of the self-contained method in Algorithm 3.

SLIDE 26

Online (4)

Algorithm 5 Improving the existence probability of the correct $x$
Parameter: a well chosen constant $\gamma$
1: for $i = 1$ to $\gamma$ do
2:   run Algorithm 4 to get the candidate list $U_i$
3: end for
4: Initialize a list $V$ and let $V = U_1$
5: for $i = 2$ to $\gamma$ do
6:   union $V$ with $U_i$, i.e., $V \leftarrow V \cup U_i$

Theorem

Let the expected number of candidates in the list $V$ of Algorithm 5 after $i$ ($1 \le i \le \gamma$) steps of union be $F_i$; then the following relation holds:
$$F_{i+1} = F_i + |U_{i+1}| - \sum_{j=0}^{|U_{i+1}|} \frac{\binom{F_i}{j} \binom{F_{i+1} - F_i}{|U_{i+1}| - j}}{\binom{F_{i+1}}{|U_{i+1}|}} \cdot j, \quad 1 \le i \le \gamma - 1, \quad (2)$$
where $F_1 = |U_1|$.

SLIDE 27

Online (5)

Theorem

Let the candidate list for $x_i$ be $V_i$. When merging the candidate list $V_i$ for $x_i$ and $V_{i+1}$ for $x_{i+1}$ to cover the union state $x_i \cup x_{i+1}$, the expected number of candidates for the union state $x_i \cup x_{i+1}$ is
$$E[|V_{x_i \cup x_{i+1}}|] = \frac{|V_i| \cdot |V_{i+1}|}{|V_i \cap V_{i+1}|},$$
where $V_{x_i \cup x_{i+1}}$ is the candidate list for the union state $x_i \cup x_{i+1}$. (In the list-merging tables for Grain v1 below the denominator is instantiated as $2^5, 2^{10}, \ldots$, i.e., the number of possible values of the variables shared by the two states.)

Corollary

In the merging process of Algorithm 1, let $M_A$ and $M_B$ be two partial internal states, each merged from possibly several restricted internal states; then when merging $M_A$ and $M_B$ together, the expected number of candidates for the union state $M_A \cup M_B$ is
$$E[|M_A \cup M_B|] = \frac{|M_A| \cdot |M_B|}{|M_A \cap M_B|}.$$

SLIDE 28

Online (6)

Theorem

Let the probability that the correct value of the restricted internal state $x$ exists in $V$ be $Pr_x$; then $Pr_x = 1 - (1 - P_c^{\beta})^{\gamma}$, where $P_c$ is the probability that the correct value of $x$ is in the list produced by one single invocation of Algorithm 3 (so $P_c^{\beta}$ is the probability that it survives the $\beta$-fold intersection in $U$). Based on the above theoretical framework of FNCA, we develop a state recovery attack against Grain v1 in the single-key model.

SLIDE 29

Rewriting Variables in Grain v1

$$z_i = \bigoplus_{k \in A} n_{i+k} \oplus h(l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63}), \quad A = \{1, 2, 4, 10, 31, 43, 56\}.$$
Each keystream bit $z_i$ depends on 12 binary variables: 7 bits from the NFSR form the linear masking bit $\bigoplus_{k \in A} n_{i+k}$, while 4 bits from the LFSR and $n_{i+63}$ from the NFSR are involved in the filter function $h$. This is inefficient for a straightforward FNCA on Grain v1. Let $x_i = n_{i+1} \oplus n_{i+2} \oplus n_{i+4} \oplus n_{i+10} \oplus n_{i+31} \oplus n_{i+43} \oplus n_{i+56}$; then we have $z_i = x_i \oplus h(l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63})$.

SLIDE 30

Pre-computation after rewriting variables for d = 3 (1)

Algorithm 6 The pre-computation after rewriting variables
Parameter: matrix $P_1$ of size $2^l \times V(n, d)$ with $P_1[i][j] = 1$ if the ISD $j$ could generate the KSD $i$ and 0 otherwise
1: Initialize the table T[index, prefix]
2: for each possible value of $x$ do
3:   for each ISD $\Delta x$ s.t. $w_H(\Delta x) \le d$ do
4:     determine whether $fsr(x) = $ prefix and $fsr(x \oplus \Delta x) = $ prefix $\oplus$ index
5:     if yes then $P_1[\text{index}][\Delta x] = P_1[\text{index}][\Delta x] + 1$
6: for each ISD $\Delta x$ s.t. $w_H(\Delta x) \le d$ do
7:   set $P_1[\text{index}][\Delta x] / |x|$ as the occurring rate of $\Delta x$
8: Sort the ISDs according to the occurring rates

SLIDE 31

Pre-computation after rewriting variables for d = 3 (2)

Table: The complete pre-computation distribution of the full Grain v1 after rewriting variables when d = 3

(index, prefix)      Prob.   number
(0x0, *)             1       1
                     1/2     44
                     1/4     69
                     1/8     54
                     1/16    8
(0x1, *), (0x2, *)   3/4     3
                     1/2     22
                     3/8     27
                     1/4     63
                     3/16    8
                     1/8     27
(0x3, *)             9/16    8
                     3/8     54
                     1/4     63

SLIDE 32

The Diversified Probability after rewriting variables

Corollary

For the pre-computation table of Grain v1 after rewriting variables, we have
$$Pr_{divs} = \begin{cases} 0.269886 & \text{if index} = 0x0 \\ 0.293333 & \text{if index} = 0x1 \\ 0.293333 & \text{if index} = 0x2 \\ 0.324000 & \text{if index} = 0x3. \end{cases}$$
Thus we choose index = 0x0, the one with the smallest diversified probability.

SLIDE 33

The correspondence between c and the existence probability for index = 0x0

Table: The correspondence between the constant c and the existence probability for index = 0x0

c     5          6          7          8          9          10
P_c   0.757137   0.816551   0.860638   0.89502    0.92114    0.94644
c     11         12         13         14         15         16
P_c   0.95423    0.96573    0.97567    0.98021    0.985524   0.989411

Corollary

For Grain v1 with $c = 10$ and $l = 2$, the configuration in which the resulting candidate list $V$ has size 848, with an average probability of 0.896456 that the correct restricted internal state is in $V$, is non-random.
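Added example, not the authors' code: Algorithm 6, the diversified probability and Algorithms 3, 4 and 5 run on the actual 2-bit keystream vector of Grain v1 after rewriting variables. The modelling choice is an assumption made here, not spelled out on the slides: the restricted state is the ten h-inputs $(l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63})$ and the same taps one step later, the masking bits $x_i, x_{i+1}$ being eliminated through $z_i = x_i \oplus h(\cdot)$, so that ISDs range over these 10 bits with $d = 3$ and the KSD caused by an ISD does not depend on the prefix. Under that model the tables come out exactly as on slides 31 and 32 ($|T| = 176$ for index 0x0 with the rate distribution 1/44/69/54/8, $Pr_{divs} = 0.269886$, $0.293333$, $0.324$), and the empirical $P_c$ for $c = 10$ lands near the 0.94644 of slide 33; `expected_hits` is the closed form of the occupancy expectation $E[r]$ of slide 24.

```python
"""FNCA on the 2-bit keystream vector of Grain v1 after rewriting variables:
Algorithm 6 (differential tables), the diversified probability, Algorithm 3
(self-contained method) and Algorithms 4/5 (distilling and union).

Added example, not the authors' code. Modelling assumption made here: the
restricted state for z = (z_i, z_{i+1}) is the ten h-inputs v = (v1, v2),
v1 = (l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63}), v2 the same taps one
step later, packed into a 10-bit integer (bit 5*j+k = input k of group j).
x_i, x_{i+1} are eliminated through z_i = x_i + h(v1), so ISDs range over v
only (n = 10, d = 3) and a candidate is identified by v.
"""
import math
import random
from itertools import combinations

N_BITS, D = 10, 3

def h(x0, x1, x2, x3, x4):
    """Grain v1 filter function h."""
    return (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4) ^ (x0 & x1 & x2)
            ^ (x0 & x2 & x3) ^ (x0 & x2 & x4) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))

H = [h(*[(v >> k) & 1 for k in range(5)]) for v in range(32)]  # truth table of h

def ksd(v, delta):
    """KSD caused by the ISD delta at state v: bit 0 = dz_i, bit 1 = dz_{i+1}.
    The masking bits cancel in z xor z', so only the h-inputs matter."""
    v1, v2, d1, d2 = v & 31, v >> 5, delta & 31, delta >> 5
    return (H[v1] ^ H[v1 ^ d1]) | ((H[v2] ^ H[v2 ^ d2]) << 1)

def isds(n=N_BITS, d=D):
    """All ISDs of Hamming weight at most d, as integers."""
    for w in range(d + 1):
        for bits in combinations(range(n), w):
            yield sum(1 << b for b in bits)

def build_table(index):
    """Algorithm 6: occurring rate of every ISD that can cause KSD `index`,
    taken over all 2^n states and sorted by rate."""
    table = {}
    for delta in isds():
        count = sum(1 for v in range(1 << N_BITS) if ksd(v, delta) == index)
        if count:
            table[delta] = count / (1 << N_BITS)
    return dict(sorted(table.items(), key=lambda kv: -kv[1]))

def diversified_probability(table):
    """Pr_divs = (sum of the rates in T) / |T|."""
    return sum(table.values()) / len(table)

def self_contained(table, c, rng=None):
    """Algorithm 3 for index 0x0: the loaded x generates z by construction,
    and x' = x xor delta generates z too iff delta causes KSD 0x0 at x."""
    rng = rng or random.Random(0)
    L = set()
    for _ in range(math.ceil(c * (1 << N_BITS) / len(table))):
        v = rng.randrange(1 << N_BITS)
        for delta in table:
            if ksd(v, delta) == 0:
                L.add(v ^ delta)
    return L

def distill(table, c, beta, rng=None):
    """Algorithm 4: intersection of beta candidate lists."""
    rng = rng or random.Random(0)
    U = self_contained(table, c, rng)
    for _ in range(beta - 1):
        U &= self_contained(table, c, rng)
    return U

def improve(table, c, beta, gamma, rng=None):
    """Algorithm 5: union of gamma distilled lists."""
    rng = rng or random.Random(0)
    V = set()
    for _ in range(gamma):
        V |= distill(table, c, beta, rng)
    return V

def expected_hits(a, b):
    """Closed form of E[r] on slide 24: a uniform draws into b cells occupy
    b * (1 - (1 - 1/b)^a) distinct cells on average."""
    return b * (1 - (1 - 1 / b) ** a)

def estimate_pc(table, c, trials=200, seed=7):
    """Empirical Pc: how often a random correct state v* is in the list of one
    invocation of Algorithm 3 (slide 33 reports 0.94644 for c = 10)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        target = rng.randrange(1 << N_BITS)
        hits += target in self_contained(table, c, rng)
    return hits / trials

if __name__ == "__main__":
    for index in range(4):
        T = build_table(index)
        print(f"index 0x{index:x}: |T| = {len(T)}, Pr_divs = {diversified_probability(T):.6f}")
    T0 = build_table(0)
    print("Pc(c = 10) ~", estimate_pc(T0, 10), "; E[r] ~", round(expected_hits(59 * 47.5, 1024)))
```

Every ISD of weight at most 3 over the ten h-inputs can cause KSD 0x0 with positive rate ($V(10, 3) = 176 = |T|$), which is why the index 0x0 table is the largest and also the one with the smallest diversified probability.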

SLIDE 34

The online attack on the full Grain v1

Table: The target keystream equations first exploited in our attack (output eqns.)

1: $x_0 \oplus h(l_3, l_{25}, l_{46}, l_{64}, n_{63}) = z_0$
2: $x_1 \oplus h(l_4, l_{26}, l_{47}, l_{65}, n_{64}) = z_1$
3: $x_2 \oplus h(l_5, l_{27}, l_{48}, l_{66}, n_{65}) = z_2$
4: $x_3 \oplus h(l_6, l_{28}, l_{49}, l_{67}, n_{66}) = z_3$
5: $x_4 \oplus h(l_7, l_{29}, l_{50}, l_{68}, n_{67}) = z_4$
6: $x_5 \oplus h(l_8, l_{30}, l_{51}, l_{69}, n_{68}) = z_5$
7: $x_6 \oplus h(l_9, l_{31}, l_{52}, l_{70}, n_{69}) = z_6$
8: $x_7 \oplus h(l_{10}, l_{32}, l_{53}, l_{71}, n_{70}) = z_7$
9: $x_8 \oplus h(l_{11}, l_{33}, l_{54}, l_{72}, n_{71}) = z_8$
10: $x_9 \oplus h(l_{12}, l_{34}, l_{55}, l_{73}, n_{72}) = z_9$
11: $x_{10} \oplus h(l_{13}, l_{35}, l_{56}, l_{74}, n_{73}) = z_{10}$
12: $x_{11} \oplus h(l_{14}, l_{36}, l_{57}, l_{75}, n_{74}) = z_{11}$
13: $x_{12} \oplus h(l_{15}, l_{37}, l_{58}, l_{76}, n_{75}) = z_{12}$
14: $x_{13} \oplus h(l_{16}, l_{38}, l_{59}, l_{77}, n_{76}) = z_{13}$
15: $x_{14} \oplus h(l_{17}, l_{39}, l_{60}, l_{78}, n_{77}) = z_{14}$
16: $x_{15} \oplus h(l_{18}, l_{40}, l_{61}, l_{79}, n_{78}) = z_{15}$
17: $x_{16} \oplus h(l_{19}, l_{41}, l_{62}, l_{80}, n_{79}) = z_{16}$
18: $x_{17} \oplus h(l_{20}, l_{42}, l_{63}, l_{81}, n_{80}) = z_{17}$
19: $x_{18} \oplus h(l_{21}, l_{43}, l_{64}, l_{82}, n_{81}) = z_{18}$
20: $x_{19} \oplus h(l_{22}, l_{44}, l_{65}, l_{83}, n_{82}) = z_{19}$

SLIDE 35

The online attack on the full Grain v1

Algorithm 7 The online attack on the full Grain v1
1: Apply FNCA to $x^*$ to restore the input variables
2: for each candidate of $x^*$ do
3:   use the statistical test in Section 5.4 to check the candidate
4:   for the passed ones do
5:     recover the remaining NFSR state, as shown in Section 5.4
6:     for each candidate of $x_{full}$ do
7:       check the consistency with the available keystream

SLIDE 36

Restoring x∗: List Merging (1)

Columns: z / List merging / Probability

1. $(z_0, z_1)$: $\frac{848 \cdot 848}{2^5} = 2^{14.4558}$; $(z_1, z_2)$: $0.896456^{3} = 2^{-0.473086}$; $(z_0, z_2)$: $\frac{848 \cdot 2^{14.4558}}{2^{10}} = 2^{14.1837}$
2. $(z_1, z_2)$: $\frac{2^{14.1837} \cdot 2^{14.1837}}{2^{10}} = 2^{18.3674}$; $(z_2, z_3)$: $0.896456^{2 \cdot 3 + 1} = 2^{-1.10387}$; $(z_1, z_3)$: $\frac{2^{18.3674} \cdot 848}{2^{10}} = 2^{18.0953}$
3. $(z_0, \ldots, z_3)$: $\frac{2^{18.0953} \cdot 2^{18.0953}}{2^{15}} = 2^{21.1906}$; $(z_1, \ldots, z_4)$: $0.896456^{2 \cdot 7 + 1} = 2^{-2.36543}$; $(z_0, z_4)$: $\frac{2^{21.1906} \cdot 848}{2^{10}} = 2^{20.9185}$
4. $(z_0, \ldots, z_4)$: $\frac{2^{20.9185} \cdot 2^{20.9185}}{2^{20}} = 2^{21.837}$; $(z_1, \ldots, z_5)$: $0.896456^{2 \cdot 15 + 1} = 2^{-4.88855}$; $(z_0, z_5)$: $\frac{2^{21.837} \cdot 848}{2^{10}} = 2^{21.5649}$
5. to 8.: ...
9. $(z_0, \ldots, z_9)$: $\frac{2^{-1.97104} \cdot 2^{21.5649}}{2^{25}} = 2^{-5.40614}$; $(z_5, \ldots, z_{10})$: $0.896456^{191 + 31 + 1} = 2^{-35.1661}$; $(z_0, z_{10})$: $\frac{2^{-5.40614} \cdot 848}{2^{10}} = 2^{-5.67822}$

SLIDE 37

Restoring x∗: List Merging (2)

Columns: z / List merging / Probability

10. $(z_0, \ldots, z_{10})$: $\frac{2^{-5.67822} \cdot 2^{21.5649}}{2^{25}} = 2^{-9.11332}$; $(z_6, \ldots, z_{11})$: $0.896456^{223 + 31 + 1} = 2^{-40.2123}$; $(z_0, z_{11})$: $\frac{2^{-9.11332} \cdot 848}{2^{10}} = 2^{-9.3854}$
11. $(z_0, \ldots, z_{11})$: $\frac{2^{-9.3854} \cdot 2^{20.9185}}{2^{20}} = 2^{-8.4669}$; $(z_8, \ldots, z_{12})$: $0.896456^{255 + 15 + 1} = 2^{-42.7354}$; $(z_0, z_{12})$: $\frac{2^{-8.4669} \cdot 848}{2^{10}} = 2^{-8.73898}$
12. $(z_0, \ldots, z_{12})$: $\frac{2^{-8.73898} \cdot 2^{20.9185}}{2^{20}} = 2^{-7.82048}$; $(z_9, \ldots, z_{13})$: $0.896456^{271 + 15 + 1} = 2^{-45.2586}$; $(z_0, z_{13})$: $\frac{2^{-7.82048} \cdot 848}{2^{10}} = 2^{-8.09256}$
13. to 17.: ...
18. $(z_0, \ldots, z_{18})$: $\frac{2^{3.84674} \cdot 2^{18.0953}}{2^{15}} = 2^{6.94204}$; $(z_{16}, \ldots, z_{19})$: $0.896456^{335 + 7 + 1} = 2^{-54.0895}$; $(z_0, z_{19})$: $\frac{2^{6.94204} \cdot 848}{2^{10}} = 2^{6.66996}$

SLIDE 38

Restoring the Internal State of the LFSR

After the attack process for recovering $x^*$, i.e., the list merging: $x^*$ involves 78 LFSR bits. Both $l_{64}$ and $l_{65}$ are used twice in these equations, so the candidate values must be consistent on $l_{64}$ and $l_{65}$, which provides a reduction factor of $\frac{1}{2^2} = \frac{1}{4}$.

From $l_{83} = l_{65} \oplus l_{54} \oplus l_{41} \oplus l_{26} \oplus l_{16} \oplus l_3$ we have a third linear consistency check on the candidates. Hence the number of candidates is
$$\frac{1}{2^{-54.0895}} \cdot 2^{6.66996} \cdot 2^{-3} = 2^{57.7595}.$$

By guessing 2 more bits $l_0, l_1$, we can get $l_{23}, l_{24}$ from the recursion $l_{80+j} = l_{62+j} \oplus l_{51+j} \oplus l_{38+j} \oplus l_{23+j} \oplus l_{13+j} \oplus l_j$ for $j = 0, 1$. In addition, we can derive $l_2$ from $l_{82} = l_{64} \oplus l_{53} \oplus l_{40} \oplus l_{25} \oplus l_{15} \oplus l_2$. The total number of candidates for the LFSR part and the accompanying partial NFSR state, $2^2 \cdot 2^{57.7595} = 2^{59.7595}$, dominates the complexity.

SLIDE 39

Restoring the Internal State of the LFSR

After the attack process for recovering $x^*$, i.e., the list merging:
We exploit the first 20 keystream bits in this procedure in a probabilistic way, not in a deterministic way.
We target 78 + 20 + 20 = 118 variables, not 160, in a tradeoff-like manner; here only 98 variables can be freely chosen.
This cannot be interpreted in a straightforward information-theoretic way, which is usually evaluated deterministically.
The pre-computed tables used in the attack also implicitly contain quite some information on the internal structure of Grain v1.

SLIDE 40

Restoring the Internal State of the NFSR

The adversary can run the LFSR individually forwards and backwards to get all the necessary values and thus peel off the non-linearity of the $h$ function.
Check the correctness of the LFSR candidate first; the NFSR can then be restored independently afterwards, i.e., divide-and-conquer.
If we go backwards 1 step, we get $x_{-1} = n_0 \oplus n_1 \oplus n_3 \oplus n_9 \oplus n_{30} \oplus n_{42} \oplus n_{55}$, i.e., 1 more linear equation for free. Going further backwards, we get a series of variables that can be expressed as linear combinations of the known values and the target initial NFSR state variables.
If we go forwards, the $n_{82+i}$ variables vanish from the resulting keystream bit with probability 0.5, and the adversary can then directly collect a linear equation through the corresponding $x_{20+i}$ variable, starting at time instant 20.

SLIDE 41

The Z-technique

Goal: to get more linear equations on the NFSR initial state.
The Z-technique is based on the index differences of the variables involved in a keystream bit. If $n_{82+i}$ appears at the $z_{19+i}$ position, look at the end of the keystream equation $z_{26+i}$ to see whether $n_{82+i}$ exists there or not. If it is not there, this probably gives us one more linear equation on the NFSR initial variables, due to the index difference $56 - 43 = 13 > 7$; if it is there, we simply xor the two keystream equations to cancel the $n_{82+i}$ variable and get a linear equation on the NFSR initial variables.
Increase $i$ by 1 and repeat the above process for the new $i$.
This reduces the number of unknown variables in the initial NFSR state to around $80 - 40 - (8 - 3) = 35$.

SLIDE 42

The Walsh Distinguisher

$$n_{80+i} = n_{62+i} \oplus n_{60+i} \oplus n_{52+i} \oplus n_{45+i} \oplus n_{37+i} \oplus n_{28+i} \oplus n_{21+i} \oplus n_{14+i} \oplus n_i \oplus e,$$
where $e$ is a binary noise variable satisfying $\Pr(e = 0) = \frac{1}{2} + \frac{41}{512}$.

Iteratively express the NFSR variables with indices larger than 80 by the corresponding linear combinations of keystream bits and the known information from the LFSR part and the partial NFSR state: a weakness of Grain v1. If $\delta$ NFSR variables are represented in this process, the complexity is just $35 \cdot \delta$.
Construct parity checks of weight 2 from the derived system; by the piling-up lemma the bias of the parity checks is $2 \cdot \left(\frac{41}{512}\right)^2 = 2^{-6.2849}$.

SLIDE 43

The Walsh Distinguisher

This problem is equivalent to the LF2 reduction in LPN solving, which can be handled in a sort-and-merge manner with a complexity of at most δ using pre-computed small tables. If $\delta = 2^{19}$ and $y = 15$, we can collect $\binom{2^{19-15}}{2} \cdot 2^{15} = 2^{21.9069}$ parity checks on $35 - y = 20$ NFSR variables with bias $2^{-6.2849}$. We can cancel 4 more NFSR variables in these parity checks by keeping only the equations in which the coefficient of each assigned variable is 0; this leaves $2^{21.9069} / 2^{4} = 2^{17.9069}$ parity checks on $20 - 4 = 16$ NFSR variables. From the unique solution distance in correlation attacks we have $\frac{8 \cdot 16 \cdot \ln 2}{1 - h(p)} = 2^{17.5121} < 2^{17.9069}$, where $p = \tfrac{1}{2} + 2^{-6.2849}$ and $h(p) = -p \log p - (1-p) \log (1-p)$ is the binary entropy function.

SLIDE 44

The Walsh Distinguisher

Theorem

If both the LFSR candidate and the partial NFSR state are correct, we can distinguish the correct value of the remaining 16 NFSR variables from the wrong ones with a success probability very close to 1. The time complexity is $2^{19} \cdot 35 + 2^{19} + 2^{17.9069} + 2^{16} \cdot 16 = 2^{24.2656}$ cipher ticks. Hence, by observing the Walsh spectrum of the derived function, the adversary can identify the correct LFSR and the correct partial NFSR states if they survived the first step.

SLIDE 45

Restoring the Remaining NFSR State: an Algebraic Attack

The algebraic degree of g in Grain v1 is 6, and the multiple $(n_{28} \oplus 1)(n_{60} \oplus 1) \cdot g$ has algebraic degree 4 (every monomial of g containing $n_{28}$ or $n_{60}$ is annihilated), so the system can be solved by linearization. The time complexity of this step is $T_{solving} = \frac{2^{6.7595} \cdot 7 \cdot (2^{15.8615})^{\log_2 7}}{64} = 2^{48.0957}$ cipher ticks. Finally, the overall time complexity of all the procedures for restoring the NFSR is $2^{59.7595} \cdot 2^{24.2656} + 2^{48.0957}$ cipher ticks.
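The Walsh-distinguisher slides above state the linear approximation of g and its bias 1/2 + 41/512, the weight-2 parity-check bias 2^{-6.2849}, the number of parity checks and the unique solution distance; the algebraic-attack slide states that g has degree 6 and that (n28 ⊕ 1)(n60 ⊕ 1)·g has degree 4. The following Python is an added example written for this page, not the authors' code. It takes the NFSR feedback function g from the Grain v1 specification (dropping the LFSR bit s_i that g also xors in, since the LFSR is already known at this point of the attack), checks the bias and both degrees exhaustively over the 2^13 inputs of g, and recomputes the complexity figures with the formulas the slides use. The parameters δ = 2^19, y = 15 and the 4 cancelled variables are the slides' own; the function names are mine.

```python
# Added example for this page (not the authors' code). Exhaustive checks of the
# Grain v1 NFSR feedback facts used by the Walsh distinguisher and the algebraic
# attack. g is taken from the Grain v1 specification; the LFSR bit s_i that g also
# xors in is omitted because the attack already knows the LFSR at this stage.
import math
from fractions import Fraction

G_VARS = (0, 9, 14, 15, 21, 28, 33, 37, 45, 52, 60, 62, 63)   # NFSR taps read by g
G_LINEAR = (0, 9, 14, 21, 28, 33, 37, 45, 52, 60, 62)
G_MONOMIALS = ((63, 60), (37, 33), (15, 9), (60, 52, 45), (33, 28, 21),
               (63, 45, 28, 9), (60, 52, 37, 33), (63, 60, 21, 15),
               (63, 60, 52, 45, 37), (33, 28, 21, 15, 9),
               (52, 45, 37, 33, 28, 21))
# The slides' approximation: n_{80+i} ~ n_{62+i} ^ n_{60+i} ^ ... ^ n_{14+i} ^ n_i
APPROX = (62, 60, 52, 45, 37, 28, 21, 14, 0)


def g(b):
    """g(b) for a dict b mapping tap index -> bit (without the known s_i term)."""
    v = 0
    for k in G_LINEAR:
        v ^= b[k]
    for mono in G_MONOMIALS:
        prod = 1
        for k in mono:
            prod &= b[k]
        v ^= prod
    return v


def all_inputs():
    """Every assignment of the 13 taps, as dicts, in truth-table order."""
    for x in range(1 << len(G_VARS)):
        yield {k: (x >> j) & 1 for j, k in enumerate(G_VARS)}


def approximation_bias():
    """Exact Pr[g = XOR of APPROX taps] - 1/2 over all 2^13 inputs (a Fraction)."""
    agree = 0
    for b in all_inputs():
        lin = 0
        for k in APPROX:
            lin ^= b[k]
        agree += int(g(b) == lin)
    return Fraction(agree, 1 << len(G_VARS)) - Fraction(1, 2)


def anf_degree(func):
    """Algebraic degree of a Boolean function of the 13 taps (Moebius transform
    of its truth table, then the largest monomial weight with coefficient 1)."""
    nvars = len(G_VARS)
    tt = [func(b) for b in all_inputs()]
    for j in range(nvars):
        bit = 1 << j
        for x in range(1 << nvars):
            if x & bit:
                tt[x] ^= tt[x ^ bit]
    return max((bin(x).count("1") for x in range(1 << nvars) if tt[x]), default=0)


def degree_of_g():
    return anf_degree(g)


def degree_of_multiple():
    """Degree of (n_28 ^ 1)(n_60 ^ 1) * g, the multiple the slides linearise."""
    return anf_degree(lambda b: (b[28] ^ 1) & (b[60] ^ 1) & g(b))


def piling_up(eps, weight=2):
    """Bias of an XOR of `weight` independent approximations, each of bias eps."""
    return 2 ** (weight - 1) * eps ** weight


def parity_check_count(log_delta=19, y=15, cancel=4):
    """Weight-2 checks from 2^(log_delta - y) buckets of 2^y equations each, and the
    number left after keeping only checks with zero coefficient on `cancel` variables."""
    buckets = 1 << (log_delta - y)
    checks = math.comb(buckets, 2) * (1 << y)
    return checks, checks / (1 << cancel)


def unique_solution_distance(nvars, p, factor=8):
    """factor * nvars * ln 2 / (1 - h(p)), h the binary entropy function."""
    hp = -p * math.log2(p) - (1 - p) * math.log2(1 - p)
    return factor * nvars * math.log(2) / (1 - hp)


def log2_summary():
    """The slides' exponents recomputed from the exact bias of g's approximation."""
    eps2 = piling_up(float(approximation_bias()))
    total, kept = parity_check_count()
    return {"bias2": math.log2(eps2), "checks": math.log2(total),
            "kept": math.log2(kept),
            "usd": math.log2(unique_solution_distance(16, 0.5 + eps2))}


if __name__ == "__main__":
    print("bias of the g approximation:", approximation_bias())
    print("deg g:", degree_of_g(), " deg (n28^1)(n60^1)g:", degree_of_multiple())
    for name, value in log2_summary().items():
        print("%s: 2^%.4f" % (name, value))
```

The bias comes out exactly as 41/512 because the approximation differs from g only in the terms n_{33+i}, n_{9+i} and the eleven nonlinear monomials, and the count over their 10 variables is exact; the `usd < kept` comparison is the slides' 2^{17.5121} < 2^{17.9069}, i.e. enough parity checks survive the cancellation step for the Walsh distinguisher to single out the 16 remaining variables.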

SLIDE 46

The Final Complexity Analysis

Theorem

Let $T_{Alg5}$ and $\lambda_{Alg5}$ be the time complexity and the number of invocations of Algorithm 5. Then the time complexity of our attack is

$$T_{Alg6} + \xi \cdot \Big( \frac{1}{\Pr_x^{\lambda_{Alg5}}} \cdot \big( T_{Alg5} \cdot \lambda_{Alg5} + \sum_{i=1}^{18} T^{i}_{merg} \big) + \frac{|L_{18}|}{\Pr_x^{\lambda_{Alg5}}} \cdot T_{walsh} + T_{solving} + T_{cst} \Big)$$

cipher ticks, where $T_{Alg6}$ is the pre-computation complexity of Algorithm 6, $T^{i}_{merg}$ ($1 \le i \le 18$) is the list-merging complexity at step i in Tables 6 and 7, $T_{walsh}$ is the complexity of the Z-technique and the Walsh distinguisher in Section 5.4, $T_{solving}$ is the complexity of restoring the remaining NFSR state in Section 5.4, $T_{cst}$ is the complexity of the final consistency check, and the online attack is repeated $\xi$ times to ensure a high success probability. The memory complexity of our attack is at most $2^{2l} \cdot V(n,d) \cdot (\lceil \log_2 n \rceil \cdot d + 14) + \max_{1 \le i \le 18} |L_i|$ bits, where $L_i$ ($1 \le i \le 18$) are the lists generated during the process in Tables 6 and 7, and the data complexity is $2^{19} + 20 + 160 = 2^{19.0005}$ keystream bits.

SLIDE 47

Conclusions

We introduce a new generic cryptanalytic method on modern large state stream ciphers, called fast near collision attack. The theoretical framework of FNCA is established and a state recovery attack on the full Grain v1 is presented.

Table: Comparison with the best previous attack on the full Grain v1

Attack       | Pre-comp | Data   | Memory | Time
brute force  | -        | 2^7.4  | 2^7.4  | 2^87.4
This paper   | 2^8.1    | 2^19   | 2^28   | 2^75.7

SLIDE 48

Thank you! Q & A
