On Analysis of Lightweight Stream Ciphers with Keyed Update

As the need for lightweight cryptography has grown even more due to the evolution of the Internet of Things, it has become a greater challenge for cryptographers to design ultra lightweight stream ciphers in compliance with the rule of thumb that the internal state size should be at least twice as the key size to defend against generic Time-Memory-Data Tradeoff (TMDT) attacks. However, recently in 2015, Armknecht and Mikhalev sparked a new light on designing keystream generators (KSGs), which in turn yields stream ciphers, with small internal states, called KSG with Keyed Update Function (KSG with KUF), and gave a concrete construction named Sprout. But, currently, security analysis of KSGs with KUF in a general setting is almost non-existent. Our contribution in this paper is two-fold. 1) We give a general mathematical setting for KSGs with KUF, and for the first time, analyze a class of such KSGs, called KSGs with Boolean Keyed Feedback Function (KSG with Boolean KFF), generically. In particular, we develop two generic attack algorithms applicable to any KSG with Boolean KFF having almost arbitrary output and feedback functions where the only requirement is that the secret key incorporation is biased. We introduce an upper bound for the time complexity of the first algorithm. Our extensive experiments validate our algorithms and assumptions made thereof. 2) We study Sprout to show the effectiveness of our algorithms in a practical instance. A straightforward application of our generic algorithm yields one of the most successful attacks on Sprout

Parametric guess and determine attack on stream ciphers

The need for lightweight cryptography for resource-constrained devices gained a great importance due to the rapid evolution and usage of IoT devices in the world. Although it has been common in the cryptology community that stream ciphers are more ecient in speed and area than symmetric block ciphers, it has been seen in the last 10-15 years that most of ciphers designed for resource-constrained devices to take up less area and less energy on hardware-based platforms, such as ASIC or FPGA, are lightweight symmetric block ciphers. On the other hand, the design and analysis of stream ciphers using keyed internal update function is put forward against this belief and it has become one of the popular study subjects in the literature in the last few years. Plantlet, proposed in 2017, its predecessor Sprout, proposed in 2015 and Fruit proposed in 2016, are famous algorithms as instances of stream ciphers using keyed internal update function. Sprout was broken after a short time by many researchers but Plantlet hasn't been successfully broken yet and there has been only one attack mounted on Fruit since it was proposed. Traditionally, key stream generators of stream ciphers update their internal states only by using their current internal state. Since the use of the key in the internal update is a new approach, the security analysis of this approach is not fully understood. In this study, the security analysis of the key stream generators with keyed update function has been studied. A new attack algorithm for internal state recovery and key recovery has been developed and mounted on Plantlet algorithm as an instance of stream ciphers with keyed update function. The state bits and key bits are successfully recovered. In the second phase, the attack algorithm was mounted on Fruit algorithm and state bits and key bits are also recovered successfully.Abstract iii Öz iv Acknowledgments vi List of Figures ix Abbreviations x 1 Introduction 1 1.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 Preliminaries 8 2.1 Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1.1 Types Of Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . 9 2.1.2 Keystream Generator Internal Structure . . . . . . . . . . . . . . . 10 2.1.3 Shift Register Based Stream Ciphers . . . . . . . . . . . . . . . . . 11 2.1.4 Stream Cipher Attack Models . . . . . . . . . . . . . . . . . . . . . 13 2.1.5 Basic Attacks To Stream Ciphers . . . . . . . . . . . . . . . . . . . 14 2.2 Grain Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.1 History of Grain Family . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.2 Grain Family Structure . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.3 Grain Family Design Criteria/Choices . . . . . . . . . . . . . . . . 17 3 Sprout 19 3.1 Sprout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.1.1 Keystream-equivalent states . . . . . . . . . . . . . . . . . . . . . . 20 3.1.2 Keystream Generator With Keyed Update Function . . . . . . . . 21 3.1.3 Sprout Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 3.1.4 Guess-and-Determine Attacks Against Sprout . . . . . . . . . . . . 24 4 Plantlet and Fruit 26 4.1 Plantlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.1.1 Plantlet Design Goals . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.1.2 Planlet Specication . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.1.3 Planlet Design Rationale . . . . . . . . . . . . . . . . . . . . . . . . 28 4.2 Fruit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.2.1 Fruit Specication . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.3 Guess Capacities of Plantlet and Fruit . . . . . . . . . . . . . . . . . . . . 31 5 New and Parametric Guess and Determine Attack 33 5.0.1 New Guess and Determine Attack Mounted On Plantlet . . . . . . 33 5.0.2 Parametric Guess and Determine Attack Mounted On Plantlet . . 35 5.0.3 Improving New Guess and Determine Attack Through Trade-O . 40 5.0.4 New and Parametric Guess and Determine Attacks Mounted On Fruit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 6 Conclusion 46 Bibliography 4

Security analysis of NIST-LWC contest finalists

Dissertação de mestrado integrado em Informatics EngineeringTraditional cryptographic standards are designed with a desktop and server environment in mind, so, with the relatively recent proliferation of small, resource constrained devices in the Internet of Things, sensor networks, embedded systems, and more, there has been a call for lightweight cryptographic standards with security, performance and resource requirements tailored for the highly-constrained environments these devices find themselves in. In 2015 the National Institute of Standards and Technology began a Standardization Process in order to select one or more Lightweight Cryptographic algorithms. Out of the original 57 submissions ten finalists remain, with ASCON and Romulus being among the most scrutinized out of them. In this dissertation I will introduce some concepts required for easy understanding of the body of work, do an up-to-date revision on the current situation on the standardization process from a security and performance standpoint, a description of ASCON and Romulus, and new best known analysis, and a comparison of the two, with their advantages, drawbacks, and unique traits.Os padrões criptográficos tradicionais foram elaborados com um ambiente de computador e servidor em mente. Com a proliferação de dispositivos de pequenas dimensões tanto na Internet of Things, redes de sensores e sistemas embutidos, apareceu uma necessidade para se definir padrões para algoritmos de criptografia leve, com prioridades de segurança, performance e gasto de recursos equilibrados para os ambientes altamente limitados em que estes dispositivos operam. Em 2015 o National Institute of Standards and Technology lançou um processo de estandardização com o objectivo de escolher um ou mais algoritmos de criptografia leve. Das cinquenta e sete candidaturas originais sobram apenas dez finalistas, sendo ASCON e Romulus dois desses finalistas mais examinados. Nesta dissertação irei introduzir alguns conceitos necessários para uma fácil compreensão do corpo deste trabalho, assim como uma revisão atualizada da situação atual do processo de estandardização de um ponto de vista tanto de segurança como de performance, uma descrição do ASCON e do Romulus assim como as suas melhores análises recentes e uma comparação entre os dois, frisando as suas vantagens, desvantagens e aspectos únicos

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Residual Vulnerabilities to Power side channel attacks of lightweight ciphers cryptography competition Finalists

The protection of communications between Internet of Things (IoT) devices is of great concern because the information exchanged contains vital sensitive data. Malicious agents seek to exploit those data to extract secret information about the owners or the system. Power side channel attacks are of great concern on these devices because their power consumption unintentionally leaks information correlatable to the device\u27s secret data. Several studies have demonstrated the effectiveness of authenticated encryption with advanced data, in protecting communications with these devices. A comprehensive evaluation of the seven (out of 10) algorithm finalists of the National Institute of Standards and Technology (NIST) IoT lightweight cipher competition that do not integrate built‐in countermeasures is proposed. The study shows that, nonetheless, they still present some residual vulnerabilities to power side channel attacks (SCA). For five ciphers, an attack methodology as well as the leakage function needed to perform correlation power analysis (CPA) is proposed. The authors assert that Ascon, Sparkle, and PHOTON‐Beetle security vulnerability can generally be assessed with the security assumptions “Chosen ciphertext attack and leakage in encryption only, with nonce‐misuse resilience adversary (CCAmL1)” and “Chosen ciphertext attack and leakage in encryption only with nonce‐respecting adversary (CCAL1)”, respectively. However, the security vulnerability of GIFT‐COFB, Grain, Romulus, and TinyJambu can be evaluated more straightforwardly with publicly available leakage models and solvers. They can also be assessed simply by increasing the number of traces collected to launch the attack

Tradeoff Attacks on Symmetric Ciphers

Tradeoff attacks on symmetric ciphers can be considered as the generalization of the exhaustive search. Their main objective is reducing the time complexity by exploiting the memory after preparing very large tables at a cost of exhaustively searching all the space during the precomputation phase. It is possible to utilize data (plaintext/ciphertext pairs) in some cases like the internal state recovery attacks for stream ciphers to speed up further both online and offline phases. However, how to take advantage of data in a tradeoff attack against block ciphers for single key recovery cases is still unknown. We briefly assess the state of art of tradeoff attacks on symmetric ciphers, introduce some open problems and discuss the security criterion on state sizes. We discuss the strict lower bound for the internal state size of keystream generators and propose more practical and fair bound along with our reasoning. The adoption of our new criterion can break a fresh ground in boosting the security analysis of small keystream generators and in designing ultra-lightweight stream ciphers with short internal states for their usage in specially low source devices such as IoT devices, wireless sensors or RFID tags

On Lightweight Stream Ciphers with Shorter Internal States

To be resistant against certain time-memory-data-tradeoff (TMDTO) attacks, a common rule of thumb says that the internal state size of a stream cipher should be at least twice the security parameter. As memory gates are usually the most area and power consuming components, this implies a sever limitation with respect to possible lightweight implementations. In this work, we revisit this rule. We argue that a simple shift in the established design paradigm, namely to involve the fixed secret key not only in the initialization process but in the keystream generation phase as well, enables stream ciphers with smaller area size for two reasons. First, it improves the resistance against the mentioned TMDTO attacks which allows to choose smaller state sizes. Second, one can make use of the fact that storing a fixed value (here: the key) requires less area size than realizing a register of the same length. We demonstrate the feasibility of this approach by describing and implementing a concrete stream cipher Sprout which uses significantly less area than comparable existing lightweight stream ciphers

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

A Novel Approach to Communicate Secret Message Between Users Using Sponge Function Technique on NTRU

This paper presents a novel approach for a (key distribution) for secret message communication among a group (G). In order to increase security to distribute secret message (key), we introduce sponge functions using these at a specific permutation. We generate a key and distribute this key using (PKCS)(public key crypto systems), the absorbing, squeezing functions are used. In this paper an introduction part which briefs regarding sponge functions, key distribution centre, group communication and NTRU, key generation authentication, in literature review we describe about the research states of sponge functions, lightweight hash functions-KDC – NTRU. In proposed work we propose how the group communication establishes registration of users, entry and exit of a user. The encryption and decryption algorithm are used between sender and receiver. The entire proposed work is verified in VHDL and ‘MATLABS'. doi: http://dx.doi.org/10.12777/ijse.4.2.2013.44-51 [How to cite this article: Varaprasad, S., Rao, K. V., & Avadhani, P. S. (2013). A Novel Approach to Communicate Secret Message between Users Using Sponge Function Technique on NTRU. INTERNATIONAL JOURNAL OF SCIENCE AND ENGINEERING, 4(2), 44-51; doi: http://dx.doi.org/10.12777/ijse.4.2.2013.44-51