Scalable method of searching for full-period Nonlinear Feedback Shift Registers with GPGPU. New List of Maximum Period NLFSRs.

This paper addresses the problem of efficient searching for Nonlinear Feedback Shift Registers (NLFSRs) with a guaranteed full period. The maximum possible period for an $n$-bit NLFSR is $2^n-1$ (all-zero state is omitted). %but omitting all-0 state makes the period $2^n-1$ in their longest cycle of states. A multi-stages hybrid algorithm which utilizes Graphics Processor Units (GPU) power was developed for processing data-parallel throughput computation.Usage of abovementioned algorithm allows to give an extended list of n-bit NLFSR with maximum period for 7 cryptographically applicable types of feedback functions

A New Version of Grain-128 with Authentication

A new version of the stream cipher Grain-128 is proposed. The new version, Grain-128a, is strengthened against all known attacks and observations on the original Grain-128, and has built-in support for authentication. The changes are modest, keeping the basic structure of Grain-128. This gives a high confidence in Grain-128a and allows for easy updating of existing implementations

A New Distinguisher on Grain v1 for 106 rounds

In Asiacrypt 2010, Knellwolf, Meier and Naya-Plasencia proposed distinguishing attacks on Grain v1 when (i) Key Scheduling process is reduced to 97 rounds using $2^{27}$ chosen IVs and (ii) Key Scheduling process is reduced to 104 rounds using $2^{35}$ chosen IVs. Using similar idea, Banik obtained a new distinguisher for 105 rounds. In this paper, we show similar approach can work for 106 rounds. We present a new distinguisher on Grain v1 for 106 rounds with success probability 63\%

Phase-shift Fault Analysis of Grain-128

Phase-shift fault attack is a type of fault attack used for cryptanalysis of stream ciphers. It involves clocking a cipher’s feedback shift registers out of phase, in order to generate faulted keystream. Grain-128 cipher is a 128-bit modification of the Grain cipher which is one of the finalists in the eSTREAM project. In this work, we propose a phase-shift fault attack against Grain-128 loaded with key-IV pairs that result in an all-zero LFSR after initialisation. We frame equations in terms of the input and output bits of the cipher and solve them using a SAT solver. By correctly guessing 40 innerstate bits, we are able to recover the entire 128-bit key with just 2 phase-shift faults for keystreams of length 200 bits

State convergence and keyspace reduction of the Mixer stream cipher

This paper presents an analysis of the stream cipher Mixer, a bit-based cipher with structural components similar to the well-known Grain cipher and the LILI family of keystream generators. Mixer uses a 128-bit key and 64-bit IV to initialise a 217-bit internal state. The analysis is focused on the initialisation function of Mixer and shows that there exist multiple key-IV pairs which, after initialisation, produce the same initial state, and consequently will generate the same keystream. Furthermore, if the number of iterations of the state update function performed during initialisation is increased, then the number of distinct initial states that can be obtained decreases. It is also shown that there exist some distinct initial states which produce the same keystream, resulting in a further reduction of the effective key space

A new idea in response to fast correlation attacks on small-state stream ciphers

In the conference “Fast Software Encryption 2015”, a new line of research was proposed by introducing the first small-state stream cipher (SSC). The goal was to design lightweight stream ciphers for hardware application by going beyond the rule that the internal state size must be at least twice the intended security level. Time-memory-data trade-off (TMDTO) attacks and fast correlation attacks (FCA) were successfully applied to all proposed SSCs which can be implemented by less than 1000 gate equivalents in hardware. It is possible to increase the security of stream ciphers against FCA by exploiting more complicated functions for the nonlinear feedback shift register and the output function, but we use lightweight functions to design the lightest SSC in the world while providing more security against FCA. Our proposed cipher provides 80-bit security against TMDTO distinguishing attacks, while Lizard and Plantlet provide only 60-bit and 58-bit security against distinguishing attacks, respectively. Our main contribution is to propose a lightweight round key function with a very long period that increases the security of SSCs against FCA

Necessary conditions for designing secure stream ciphers with the minimal internal states

After the introduction of some stream ciphers with the minimal internal state, the design idea of these ciphers (i.e. the design of stream ciphers by using a secret key, not only in the initialization but also permanently in the keystream generation) has been developed. The idea lets to design lighter stream ciphers that they are suitable for devices with limited resources such as RFID, WSN. We present necessary conditions for designing a secure stream cipher with the minimal internal state. Based on the conditions, we propose Fruit-128 stream cipher for 128-bit security against all types of attacks. Our implementations showed that the area size of Fruit-128 is about 25.2% smaller than that of Grain-128a. The discussions are presented that Fruit-128 is more resistant than Grain-128a to some attacks such as Related key chosen IV attack. Sprout, Fruit-v2 and Plantlet ciphers are vulnerable to time-memory-data trade-off (TMDTO) distinguishing attacks. For the first time, IV bits were permanently used to strengthen Fruit-128 against TMDTO attacks. We will show that if IV bits are not permanently available during the keystream production step, we can eliminate the IV mixing function from it. In this case, security level decreases to 69-bit against TMDTO distinguishing attacks (that based on the application might be tolerable). Dynamic initialization is another contribution of the paper (that it can strengthen initialization of all stream ciphers with low area cost)

New Configurations of Grain Ciphers: Security Against Slide Attacks

eSTREAM brought to the attention of the cryptographic community a number of stream ciphers including Grain v0 and its revised version Grain v1. The latter was selected as a finalist of the competition\u27s hardware-based portfolio. The Grain family includes two more instantiations, namely Grain 128 and Grain 128a. The scope our paper is to provide an insight on how to obtain secure configurations of the Grain family of stream ciphers. We propose different variants for Grain and analyze their security with respect to slide attacks. More precisely, as various attacks against initialization algorithms of Grain were discussed in the literature, we study the security impact of various parameters which may influence the LFSR\u27s initialization scheme

Differential Fault Attack against Grain family with very few faults and minimal assumptions

The series of published works, related to Differential Fault Attack (DFA) against the Grain family, require (i) quite a large number (hundreds) of faults (around $n \ln n$, where $n = 80$ for Grain v1 and $n = 128$ for Grain-128, Grain-128a) and also (ii) several assumptions on location and timing of the fault injected. In this paper we present a significantly improved scenario from the adversarial point of view for DFA against the Grain family of stream ciphers. Our model is the most realistic one so far as it considers that the cipher to be re-keyed a very few times and fault can be injected at any random location and at any random point of time, i.e., no precise control is needed over the location and timing of fault injections. We construct equations based on the algebraic description of the cipher by introducing new variables so that the degrees of the equations do not increase. In line of algebraic cryptanalysis, we accumulate such equations based on the fault-free and faulty key-stream bits and solve them using the SAT Solver Cryptominisat-2.9.5 installed with SAGE 5.7. In a few minutes we can recover the state of Grain v1, Grain-128 and Grain-128a with as little as 10, 4 and 10 faults respectively (and may be improved further with more computational efforts)