Atom: A Stream Cipher with Double Key Filter

It has been common knowledge that for a stream cipher to be secure against generic TMD tradeoff attacks, the size of its internal state in bits needs to be at least twice the size of the length of its secret key. In FSE 2015, Armknecht and Mikhalev however proposed the stream cipher Sprout with a Grain-like architecture, whose internal state was equal in size with its secret key and yet resistant against TMD attacks. Although Sprout had other weaknesses, it germinated a sequence of stream cipher designs like Lizard and Plantlet with short internal states. Both these designs have had cryptanalytic results reported against them. In this paper, we propose the stream cipher Atom that has an internal state of 159 bits and offers a security of 128 bits. Atom uses two key filters simultaneously to thwart certain cryptanalytic attacks that have been recently reported against keystream generators. In addition, we found that our design is one of the smallest stream ciphers that offers this security level, and we prove in this paper that Atom resists all the attacks that have been proposed against stream ciphers so far in literature. On the face of it, Atom also builds on the basic structure of the Grain family of stream ciphers. However, we try to prove that by including the additional key filter in the architecture of Atom we can make it immune to all cryptanalytic advances proposed against stream ciphers in recent cryptographic literature.

Download Full-text

On the Statistical Analysis of ZUC, Espresso and Grain v1

International Journal of Computing ◽

10.47839/ijc.20.3.2284 ◽

2021 ◽

pp. 384-390

Author(s):

Saurabh Shrivastava ◽

K. V. Lakshmy ◽

Chungath Srinivasan

Keyword(s):

Statistical Analysis ◽

Stream Cipher ◽

Internal State ◽

Statistical Tests ◽

Stream Ciphers ◽

Hamming Weight ◽

Secret Key ◽

State Correlation ◽

Very High

A stream cipher generates long keystream to be XORed with plaintext to produce ciphertext. A stream cipher is said to be secure if the keystream that it produces is consistently random. One of the ways by which we can analyze stream ciphers is by testing randomness of the keystream. The statistical tests mainly try to find if any output keystream leaks any information about the secret key or the cipher’s internal state and also check the randomness of the keystream. We have applied these tests to different keystreams generated by ZUC, Espresso and Grain v1 stream ciphers to check for any weaknesses. We have also proposed four new statistical tests to analyze the internal state when the hamming weight of key and IV used is very high or low. Out of these four tests, Grain v1 fails the last test i.e. internal state correlation using high hamming weight IV.

Download Full-text

Security and performance analysis of SCDSP

International Journal on Perceptive and Cognitive Computing ◽

10.31436/ijpcc.v2i1.33 ◽

2016 ◽

Vol 2 (1) ◽

Author(s):

Fardous Mohamed Eljadi ◽

Imad Fakhri Al-Shaikhli

Keyword(s):

Performance Analysis ◽

Stream Cipher ◽

Security Analysis ◽

Dynamic Structure ◽

Stream Ciphers ◽

Security Level ◽

Dynamic Parameters ◽

Secret Key ◽

And Performance ◽

A Performance

There are few approaches that attempt to add dynamicity to the structure of stream ciphers in order to improve their security level. SCDSP is a dynamic stream cipher that based on these approaches. It uses dynamic structure and parameters to increase the complexity of the cipher to improve its security level. The dynamic parameters are specified using bits from the secret key. In this paper, SCDSP is evaluated by conducting a performance and security analysis. Furthermore, a comparison between SCDSP and the seven winners of eSTREAM competition is performed. The results show that SCDSP is very promising for practical use.

Download Full-text

Cryptanalysis of Plantlet

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2019.i3.103-120 ◽

2019 ◽

pp. 103-120

Author(s):

Subhadeep Banik ◽

Khashayar Barooti ◽

Takanori Isobe

Keyword(s):

Stream Cipher ◽

Internal State ◽

Polynomial Equations ◽

Secret Key ◽

Key Recovery ◽

Internal States ◽

Key Recovery Attack ◽

System Of Polynomial Equations ◽

The Given ◽

Generic Time

Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 40 and 61 bits. In spite of this, the cipher does not seem to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. The cipher uses a 80-bit secret key and a 90-bit IV. In this paper, we first present a key recovery attack on Plantlet that requires around 276.26 Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystream that are either equal or unequal in 45 locations with probability 1. Thus an attacker can with some probability guess that when 2 segments of keystream blocks possess the 45 bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if his guess was indeed correct, or reach some kind of contradiction if his guess was incorrect. In the latter event, he would repeat the procedure for other keystream blocks with the given difference. We show that the process when repeated a finite number of times, does indeed yield the value of the secret key. In the second part of the paper, we observe that the previous attack was limited to internal state differences that occurred at time instances that were congruent to 0 mod 80. We further observe that by generalizing the attack to include internal state differences that are congruent to all equivalence classed modulo 80, we lower the total number of keystream bits required to perform the attack and in the process reduce the attack complexity to 269.98 Plantlet encryptions.

Download Full-text

Performance and Statistical Analysis of Stream ciphers in GSM Communications

Journal of Communications Software and Systems ◽

10.24138/jcomss.v16i1.892 ◽

2020 ◽

Vol 16 (1) ◽

pp. 11-18 ◽

Cited By ~ 1

Author(s):

Nagendar Yerukala ◽

V Kamakshi Prasad ◽

Allam Apparao

Keyword(s):

Statistical Analysis ◽

Stream Cipher ◽

Statistical Tests ◽

Stream Ciphers ◽

Test Suite ◽

Secret Key ◽

Initial State ◽

Detailed Statistical Analysis ◽

Almost All ◽

The Given

For a stream cipher to be secure, the keystream generated by it should be uniformly random with parameter 1/2.Statistical tests check whether the given sequence follow a certain probability distribution. In this paper, we perform a detailed statistical analysis of various stream ciphers used in GSM 2G,3G, 4G and 5G communications. The sequences output by these ciphers are checked for randomness using the statistical tests defined by the NIST Test Suite. It should also be not possible to derive any information about secret key and the initial state ofthe cipher from the keystream. Therefore, additional statisticaltests based on properties like Correlation between Keystreamand Key, and Correlation between Keystream and IV are also performed. Performance analysis of the ciphers also has been done and the results tabulated. Almost all the ciphers pass thetests in the NIST test suite with 99% confidence level. For A5/3stream cipher, the correlation between the keystream and key is high and correlation between the keystream and IV is low when compared to other ciphers in the A5 family.

Download Full-text

Breaking Trivium Stream Cipher Implemented in ASIC Using Experimental Attacks and DFA

Sensors ◽

10.3390/s20236909 ◽

2020 ◽

Vol 20 (23) ◽

pp. 6909

Author(s):

Francisco Eugenio Potestad-Ordóñez ◽

Manuel Valencia-Barrero ◽

Carmen Baena-Oliva ◽

Pilar Parra-Fernández ◽

Carlos Jesús Jiménez-Fernández

Keyword(s):

Stream Cipher ◽

Internal State ◽

Clock Cycle ◽

Fault Analysis ◽

Invasive Technique ◽

Sensitive Information ◽

Secret Key ◽

Key Recovery ◽

Differential Fault Analysis ◽

Secret Keys

One of the best methods to improve the security of cryptographic systems used to exchange sensitive information is to attack them to find their vulnerabilities and to strengthen them in subsequent designs. Trivium stream cipher is one of the lightweight ciphers designed for security applications in the Internet of things (IoT). In this paper, we present a complete setup to attack ASIC implementations of Trivium which allows recovering the secret keys using the active non-invasive technique attack of clock manipulation, combined with Differential Fault Analysis (DFA) cryptanalysis. The attack system is able to inject effective transient faults into the Trivium in a clock cycle and sample the faulty output. Then, the internal state of the Trivium is recovered using the DFA cryptanalysis through the comparison between the correct and the faulty outputs. Finally, a backward version of Trivium was also designed to go back and get the secret keys from the initial internal states. The key recovery has been verified with numerous simulations data attacks and used with the experimental data obtained from the Application Specific Integrated Circuit (ASIC) Trivium. The secret key of the Trivium were recovered experimentally in 100% of the attempts, considering a real scenario and minimum assumptions.

Download Full-text

Tradeoff Attacks on Symmetric Ciphers

10.5772/intechopen.96627 ◽

2021 ◽

Author(s):

Orhun Kara

Keyword(s):

Internal State ◽

Security Analysis ◽

Stream Ciphers ◽

Open Problems ◽

Key Recovery ◽

State Recovery ◽

Internal States ◽

Symmetric Ciphers ◽

Iot Devices ◽

State Size

Tradeoff attacks on symmetric ciphers can be considered as the generalization of the exhaustive search. Their main objective is reducing the time complexity by exploiting the memory after preparing very large tables at a cost of exhaustively searching all the space during the precomputation phase. It is possible to utilize data (plaintext/ciphertext pairs) in some cases like the internal state recovery attacks for stream ciphers to speed up further both online and offline phases. However, how to take advantage of data in a tradeoff attack against block ciphers for single key recovery cases is still unknown. We briefly assess the state of art of tradeoff attacks on symmetric ciphers, introduce some open problems and discuss the security criterion on state sizes. We discuss the strict lower bound for the internal state size of keystream generators and propose more practical and fair bound along with our reasoning. The adoption of our new criterion can break a fresh ground in boosting the security analysis of small keystream generators and in designing ultra-lightweight stream ciphers with short internal states for their usage in specially low source devices such as IoT devices, wireless sensors or RFID tags.

Download Full-text

Fast Correlation Attacks on Grain-like Small State Stream Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i4.58-81 ◽

2017 ◽

pp. 58-81 ◽

Cited By ~ 1

Author(s):

Bin Zhang ◽

Xinxin Gong ◽

Willi Meier

Keyword(s):

Internal State ◽

Stream Ciphers ◽

Small Scale ◽

Secret Key ◽

Small State ◽

Key Recovery ◽

Key Recovery Attack ◽

Correlation Attacks ◽

Fast Correlation Attacks

In this paper, we study the security of Grain-like small state stream ciphers by fast correlation attacks, which are commonly regarded as classical cryptanalytic methods against LFSR-based stream ciphers. We extend the cascaded structure adopted in such primitives in general and show how to restore the full internal state part-by-part if the non-linear combining function meets some characteristic. As a case study, we present a key recovery attack against Fruit, a tweaked version of Sprout that employs key-dependent state updating in the keystream generation phase. Our attack requires 262.8 Fruit encryptions and 222.3 keystream bits to determine the 80-bit secret key. Practical simulations on a small-scale version confirmed our results.

Download Full-text

A Fault Attack on the Family of Enocoro Stream Ciphers

Cryptography ◽

10.3390/cryptography5040026 ◽

2021 ◽

Vol 5 (4) ◽

pp. 26

Author(s):

Julian Danner ◽

Martin Kreuzer

Keyword(s):

Fault Injection ◽

Internal State ◽

Linear Equations ◽

Stream Ciphers ◽

Secret Key ◽

Fault Attack ◽

Time Period ◽

The Family ◽

Small Parts ◽

Differential Fault Attack

A differential fault attack framework for the Enocoro family of stream ciphers is presented. We only require that the attacker can reset the internal state and inject a random byte-fault, in a random register, during a known time period. For a single fault injection, we develop a differential clocking algorithm that computes a set of linear equations in the in- and output differences of the non-linear parts of the cipher and relates them to the differential keystream. The usage of these equations is two-fold. Firstly, one can determine those differentials that can be computed from the faulty keystream, and secondly they help to pin down the actual location and timing of the fault injection. Combining these results, each fault injection gives us information on specific small parts of the internal state. By encoding the information we gain from several fault injections using the weighted Horn clauses, we construct a guessing path that can be used to quickly retrieve the internal state using a suitable heuristic. Finally, we evaluate our framework with the ISO-standardized and CRYPTREC candidate recommended cipher Enocoro-128v2. Simulations show that, on average, the secret key can be retrieved within 20 min on a standard workstation using less than five fault injections.

Download Full-text

LIZARD – A Lightweight Stream Cipher for Power-constrained Devices

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i1.45-79 ◽

2017 ◽

pp. 45-79 ◽

Cited By ~ 8

Author(s):

Matthias Hamann ◽

Matthias Krause ◽

Willi Meier

Keyword(s):

Stream Cipher ◽

Stream Ciphers ◽

Rfid Tags ◽

Security Level ◽

Key Recovery ◽

Passive Rfid ◽

Key Recovery Attacks ◽

Mode A ◽

Hardware Efficiency ◽

Constrained Devices

Time-memory-data (TMD) tradeoff attacks limit the security level of many classical stream ciphers (like E0, A5/1, Trivium, Grain) to 1/2n, where n denotes the inner state length of the underlying keystream generator. In this paper, we present Lizard, a lightweight stream cipher for power-constrained devices like passive RFID tags. Its hardware efficiency results from combining a Grain-like design with the FP(1)-mode, a recently suggested construction principle for the state initialization of stream ciphers, which offers provable 2/3n-security against TMD tradeoff attacks aiming at key recovery. Lizard uses 120-bit keys, 64-bit IVs and has an inner state length of 121 bit. It is supposed to provide 80-bit security against key recovery attacks. Lizard allows to generate up to 218 keystream bits per key/IV pair, which would be sufficient for many existing communication scenarios like Bluetooth, WLAN or HTTPS.

Download Full-text

Catalog and Illustrative Examples of Lightweight Cryptographic Primitives

Security of Ubiquitous Computing Systems ◽

10.1007/978-3-030-10591-4_2 ◽

2021 ◽

pp. 21-47

Author(s):

Aleksandra Mileva ◽

Vesna Dimitrova ◽

Orhun Kara ◽

Miodrag J. Mihaljević

Keyword(s):

Stream Cipher ◽

Block Cipher ◽

Security Analysis ◽

Stream Ciphers ◽

Security Evaluation ◽

Cryptographic Primitives ◽

Internal States ◽

Lightweight Block Cipher ◽

Hardware Performance

AbstractThe main objective of this chapter is to offer to practitioners, researchers and all interested parties a brief categorized catalog of existing lightweight symmetric primitives with their main cryptographic features, ultimate hardware performance, and existing security analysis, so they can easily compare the ciphers or choose some of them according to their needs. Certain security evaluation issues have been addressed as well. In particular, the reason behind why modern lightweight block cipher designs have in the last decade overwhelmingly dominated stream cipher design is analyzed in terms of security against tradeoff attacks. It turns out that it is possible to design stream ciphers having much smaller internal states.

Download Full-text