A new idea in response to fast correlation attacks on small-state stream ciphers

In the conference “Fast Software Encryption 2015”, a new line of research was proposed by introducing the first small-state stream cipher (SSC). The goal was to design lightweight stream ciphers for hardware application by going beyond the rule that the internal state size must be at least twice the intended security level. Time-memory-data trade-off (TMDTO) attacks and fast correlation attacks (FCA) were successfully applied to all proposed SSCs which can be implemented by less than 1000 gate equivalents in hardware. It is possible to increase the security of stream ciphers against FCA by exploiting more complicated functions for the nonlinear feedback shift register and the output function, but we use lightweight functions to design the lightest SSC in the world while providing more security against FCA. Our proposed cipher provides 80-bit security against TMDTO distinguishing attacks, while Lizard and Plantlet provide only 60-bit and 58-bit security against distinguishing attacks, respectively. Our main contribution is to propose a lightweight round key function with a very long period that increases the security of SSCs against FCA

Fruit-v2: Ultra-Lightweight Stream Cipher with Shorter Internal State

A few lightweight stream ciphers were introduced for hardware applications in the eSTREAM project. In FSE 2015, while presenting a new idea (i.e. the design of stream ciphers with the shorter internal state by using a secret key, not only in the initialization but also in the keystream generation), Sprout was proposed. Unfortunately, Sprout is insecure. Because Grain-v1 is the lightest cipher in the portfolio of the eSTREAM project, we introduce Fruit-v2 as a successor of the Grain-v1 and Sprout. It is demonstrated that Fruit-v2 is safe and ultra-lightweight. The size of LFSR and NFSR in Fruit-v2 is only 80 bits (for 80-bit security level), while for resistance to the classical time-memory-data trade-off attack, the internal state size should be at least twice of the security level. To satisfy this rule and to design a concrete cipher, we used some new design ideas. The discussions are presented that Fruit-v2 can be more resistant than Grain-v1 to some attacks such as classical time-memory-data trade-off. The main objective of this work is to show how it is possible to exploit a secret key in a design to achieve smaller area size. It is possible to redesign many of stream ciphers (by the new idea) and achieve significantly smaller area size by the new idea

Parametric guess and determine attack on stream ciphers

The need for lightweight cryptography for resource-constrained devices gained a great importance due to the rapid evolution and usage of IoT devices in the world. Although it has been common in the cryptology community that stream ciphers are more ecient in speed and area than symmetric block ciphers, it has been seen in the last 10-15 years that most of ciphers designed for resource-constrained devices to take up less area and less energy on hardware-based platforms, such as ASIC or FPGA, are lightweight symmetric block ciphers. On the other hand, the design and analysis of stream ciphers using keyed internal update function is put forward against this belief and it has become one of the popular study subjects in the literature in the last few years. Plantlet, proposed in 2017, its predecessor Sprout, proposed in 2015 and Fruit proposed in 2016, are famous algorithms as instances of stream ciphers using keyed internal update function. Sprout was broken after a short time by many researchers but Plantlet hasn't been successfully broken yet and there has been only one attack mounted on Fruit since it was proposed. Traditionally, key stream generators of stream ciphers update their internal states only by using their current internal state. Since the use of the key in the internal update is a new approach, the security analysis of this approach is not fully understood. In this study, the security analysis of the key stream generators with keyed update function has been studied. A new attack algorithm for internal state recovery and key recovery has been developed and mounted on Plantlet algorithm as an instance of stream ciphers with keyed update function. The state bits and key bits are successfully recovered. In the second phase, the attack algorithm was mounted on Fruit algorithm and state bits and key bits are also recovered successfully.Abstract iii Öz iv Acknowledgments vi List of Figures ix Abbreviations x 1 Introduction 1 1.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 Preliminaries 8 2.1 Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1.1 Types Of Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . 9 2.1.2 Keystream Generator Internal Structure . . . . . . . . . . . . . . . 10 2.1.3 Shift Register Based Stream Ciphers . . . . . . . . . . . . . . . . . 11 2.1.4 Stream Cipher Attack Models . . . . . . . . . . . . . . . . . . . . . 13 2.1.5 Basic Attacks To Stream Ciphers . . . . . . . . . . . . . . . . . . . 14 2.2 Grain Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.1 History of Grain Family . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.2 Grain Family Structure . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.3 Grain Family Design Criteria/Choices . . . . . . . . . . . . . . . . 17 3 Sprout 19 3.1 Sprout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.1.1 Keystream-equivalent states . . . . . . . . . . . . . . . . . . . . . . 20 3.1.2 Keystream Generator With Keyed Update Function . . . . . . . . 21 3.1.3 Sprout Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 3.1.4 Guess-and-Determine Attacks Against Sprout . . . . . . . . . . . . 24 4 Plantlet and Fruit 26 4.1 Plantlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.1.1 Plantlet Design Goals . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.1.2 Planlet Specication . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.1.3 Planlet Design Rationale . . . . . . . . . . . . . . . . . . . . . . . . 28 4.2 Fruit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.2.1 Fruit Specication . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.3 Guess Capacities of Plantlet and Fruit . . . . . . . . . . . . . . . . . . . . 31 5 New and Parametric Guess and Determine Attack 33 5.0.1 New Guess and Determine Attack Mounted On Plantlet . . . . . . 33 5.0.2 Parametric Guess and Determine Attack Mounted On Plantlet . . 35 5.0.3 Improving New Guess and Determine Attack Through Trade-O . 40 5.0.4 New and Parametric Guess and Determine Attacks Mounted On Fruit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 6 Conclusion 46 Bibliography 4

An Attack on the LILLE Stream Cipher

A few small-state stream ciphers (SSCs) were proposed for constrained environments. All of the SSCs before the LILLE stream cipher suffered from distinguishing attacks and fast correlation attacks. The designers of LILLE claimed that it is based on the well-studied two-key Even-Mansour scheme and so is resistant to various types of attacks. This paper proposes a distinguishing attack on LILLE, the first attack since 2018. The data and time complexities to attack LILLE-40 are 2^(50.7) and 2^(41.2), respectively. We verified practically our attack on a halved version of LILLE-40. A countermeasure is suggested to strengthen LILLE against the proposed attack. We hope our attack opens the door to more cryptanalyses of LILLE

Modern and Lightweight Component-based Symmetric Cipher Algorithms: A Review

Information security, being one of the corner stones of network and communication technology, has been evolving tremendously to cope with the parallel evolution of network security threats. Hence, cipher algorithms in the core of the information security process have more crucial role to play here, with continuous need for new and unorthodox designs to meet the increasing complexity of the applications environment that keep offering challenges to the current existing cipher algorithms. The aim of this review is to present symmetric cipher main components, the modern and lightweight symmetric cipher algorithms design based on the components that utilized in cipher design, highlighting the effect of each component and the essential component among them, how the modern cipher has modified to lightweight cipher by reducing the number and size of these components, clarify how these components give the strength for symmetric cipher versus asymmetric of cipher. Moreover, a new classification of cryptography algorithms to four categories based on four factors is presented. Finally, some modern and lightweight symmetric cipher algorithms are selected, presented with a comparison between them according to their components by taking into considerations the components impact on security, performance, and resource requirements

Lightweight cryptography on ultra-constrained RFID devices

Devices of extremely small computational power like RFID tags are used in practice to a rapidly growing extent, a trend commonly referred to as ubiquitous computing. Despite their severely constrained resources, the security burden which these devices have to carry is often enormous, as their fields of application range from everyday access control to human-implantable chips providing sensitive medical information about a person. Unfortunately, established cryptographic primitives such as AES are way to 'heavy' (e.g., in terms of circuit size or power consumption) to be used in corresponding RFID systems, calling for new solutions and thus initiating the research area of lightweight cryptography. In this thesis, we focus on the currently most restricted form of such devices and will refer to them as ultra-constrained RFIDs. To fill this notion with life and in order to create a profound basis for our subsequent cryptographic development, we start this work by providing a comprehensive summary of conditions that should be met by lightweight cryptographic schemes targeting ultra-constrained RFID devices. Building on these insights, we then turn towards the two main topics of this thesis: lightweight authentication and lightweight stream ciphers. To this end, we first provide a general introduction to the broad field of authentication and study existing (allegedly) lightweight approaches. Drawing on this, with the (n,k,L)^-protocol, we suggest our own lightweight authentication scheme and, on the basis of corresponding hardware implementations for FPGAs and ASICs, demonstrate its suitability for ultra-constrained RFIDs. Subsequently, we leave the path of searching for dedicated authentication protocols and turn towards stream cipher design, where we first revisit some prominent classical examples and, in particular, analyze their state initialization algorithms. Following this, we investigate the rather young area of small-state stream ciphers, which try to overcome the limit imposed by time-memory-data tradeoff (TMD-TO) attacks on the security of classical stream ciphers. Here, we present some new attacks, but also corresponding design ideas how to counter these. Paving the way for our own small-state stream cipher, we then propose and analyze the LIZARD-construction, which combines the explicit use of packet mode with a new type of state initialization algorithm. For corresponding keystream generator-based designs of inner state length n, we prove a tight (2n/3)-bound on the security against TMD-TO key recovery attacks. Building on these theoretical results, we finally present LIZARD, our new lightweight stream cipher for ultra-constrained RFIDs. Its hardware efficiency and security result from combining a Grain-like design with the LIZARD-construction. Most notably, besides lower area requirements, the estimated power consumption of LIZARD is also about 16 percent below that of Grain v1, making it particularly suitable for passive RFID tags, which obtain their energy exclusively through an electromagnetic field radiated by the reading device. The thesis is concluded by an extensive 'Future Research Directions' chapter, introducing various new ideas and thus showing that the search for lightweight cryptographic solutions is far from being completed

Tradeoff Attacks on Symmetric Ciphers

Tradeoff attacks on symmetric ciphers can be considered as the generalization of the exhaustive search. Their main objective is reducing the time complexity by exploiting the memory after preparing very large tables at a cost of exhaustively searching all the space during the precomputation phase. It is possible to utilize data (plaintext/ciphertext pairs) in some cases like the internal state recovery attacks for stream ciphers to speed up further both online and offline phases. However, how to take advantage of data in a tradeoff attack against block ciphers for single key recovery cases is still unknown. We briefly assess the state of art of tradeoff attacks on symmetric ciphers, introduce some open problems and discuss the security criterion on state sizes. We discuss the strict lower bound for the internal state size of keystream generators and propose more practical and fair bound along with our reasoning. The adoption of our new criterion can break a fresh ground in boosting the security analysis of small keystream generators and in designing ultra-lightweight stream ciphers with short internal states for their usage in specially low source devices such as IoT devices, wireless sensors or RFID tags

Provable security for lightweight message authentication and encryption

The birthday bound often limits the security of a cryptographic scheme to half of the block size or internal state size. This implies that cryptographic schemes require a block size or internal state size that is twice the security level, resulting in larger and more resource-intensive designs. In this thesis, we introduce abstract constructions for message authentication codes and stream ciphers that we demonstrate to be secure beyond the birthday bound. Our message authentication codes were inspired by previous work, specifically the message authentication code EWCDM by Cogliati and Seurin, as well as the work by Mennink and Neves, which demonstrates easy proofs of security for the sum of permutations and an improved bound for EWCDM. We enhance the sum of permutations by incorporating a hash value and a nonce in our stateful design, and in our stateless design, we utilize two hash values. One advantage over EWCDM is that the permutation calls, or block cipher calls, can be parallelized, whereas in EWCDM they must be performed sequentially. We demonstrate that our constructions provide a security level of 2n/3 bits in the nonce-respecting setting. Subsequently, this bound was further improved to 3n/4 bits of security. Additionally, it was later discovered that security degrades gracefully with nonce repetitions, unlike EWCDM, where the security drops to the birthday bound with a single nonce repetition. Contemporary stream cipher designs aim to minimize the hardware module's resource requirements by incorporating an externally available resource, all while maintaining a high level of security. The security level is typically measured in relation to the size of the volatile internal state, i.e., the state cells within the cipher's hardware module. Several designs have been proposed that continuously access the externally available non-volatile secret key during keystream generation. However, there exists a generic distinguishing attack with birthday bound complexity. We propose schemes that continuously access the externally available non-volatile initial value. For all constructions, conventional or contemporary, we provide proofs of security against generic attacks in the random oracle model. Notably, stream ciphers that use the non-volatile initial value during keystream generation offer security beyond the birthday bound. Based on these findings, we propose a new stream cipher design called DRACO

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license