A new idea in response to fast correlation attacks on small-state stream ciphers

In the conference “Fast Software Encryption 2015”, a new line of research was proposed by introducing the first small-state stream cipher (SSC). The goal was to design lightweight stream ciphers for hardware application by going beyond the rule that the internal state size must be at least twice the intended security level. Time-memory-data trade-off (TMDTO) attacks and fast correlation attacks (FCA) were successfully applied to all proposed SSCs which can be implemented by less than 1000 gate equivalents in hardware. It is possible to increase the security of stream ciphers against FCA by exploiting more complicated functions for the nonlinear feedback shift register and the output function, but we use lightweight functions to design the lightest SSC in the world while providing more security against FCA. Our proposed cipher provides 80-bit security against TMDTO distinguishing attacks, while Lizard and Plantlet provide only 60-bit and 58-bit security against distinguishing attacks, respectively. Our main contribution is to propose a lightweight round key function with a very long period that increases the security of SSCs against FCA

On designing secure small-state stream ciphers against time-memory-data tradeoff attacks

A new generation of stream ciphers, small-state stream ciphers (SSCs), was born in 2015 with the introduction of the Sprout cipher. The new generation is based on using key bits not only in the initialization but also continuously in the keystream generation phase. The new idea allowed designing stream ciphers with significantly smaller area size and low power consumption. A distinguishing time-memory-data tradeoff (TMDTO) attack was successfully applied against all SSCs in 2017 by Hamann et al. [1]. They suggested using not only key bits but also initial value (IV) bits continuously in the keystream generation phase to strengthen SSCs against TMDTO attacks. Then, Hamann and Krause [2] proposed a construction based on using only IV bits continuously in packet mode. They suggested an instantiation of an SSC and claimed that it is resistant to TMDTO attacks. We point out that storing IV bits imposes an overhead on cryptosystems that is not acceptable in many applications. More importantly, we show that the proposed SSC remains vulnerable to TMDTO attacks. To resolve security threat, the current paper proposes constructions, based on storing key or IV bits, that are the first to provide full security against TMDTO attacks. It is possible to obtain parameters for secure SSCs based on these suggested constructions. Our constructions are a fruitful research direction in stream ciphers

Fruit-v2: Ultra-Lightweight Stream Cipher with Shorter Internal State

A few lightweight stream ciphers were introduced for hardware applications in the eSTREAM project. In FSE 2015, while presenting a new idea (i.e. the design of stream ciphers with the shorter internal state by using a secret key, not only in the initialization but also in the keystream generation), Sprout was proposed. Unfortunately, Sprout is insecure. Because Grain-v1 is the lightest cipher in the portfolio of the eSTREAM project, we introduce Fruit-v2 as a successor of the Grain-v1 and Sprout. It is demonstrated that Fruit-v2 is safe and ultra-lightweight. The size of LFSR and NFSR in Fruit-v2 is only 80 bits (for 80-bit security level), while for resistance to the classical time-memory-data trade-off attack, the internal state size should be at least twice of the security level. To satisfy this rule and to design a concrete cipher, we used some new design ideas. The discussions are presented that Fruit-v2 can be more resistant than Grain-v1 to some attacks such as classical time-memory-data trade-off. The main objective of this work is to show how it is possible to exploit a secret key in a design to achieve smaller area size. It is possible to redesign many of stream ciphers (by the new idea) and achieve significantly smaller area size by the new idea

Necessary conditions for designing secure stream ciphers with the minimal internal states

After the introduction of some stream ciphers with the minimal internal state, the design idea of these ciphers (i.e. the design of stream ciphers by using a secret key, not only in the initialization but also permanently in the keystream generation) has been developed. The idea lets to design lighter stream ciphers that they are suitable for devices with limited resources such as RFID, WSN. We present necessary conditions for designing a secure stream cipher with the minimal internal state. Based on the conditions, we propose Fruit-128 stream cipher for 128-bit security against all types of attacks. Our implementations showed that the area size of Fruit-128 is about 25.2% smaller than that of Grain-128a. The discussions are presented that Fruit-128 is more resistant than Grain-128a to some attacks such as Related key chosen IV attack. Sprout, Fruit-v2 and Plantlet ciphers are vulnerable to time-memory-data trade-off (TMDTO) distinguishing attacks. For the first time, IV bits were permanently used to strengthen Fruit-128 against TMDTO attacks. We will show that if IV bits are not permanently available during the keystream production step, we can eliminate the IV mixing function from it. In this case, security level decreases to 69-bit against TMDTO distinguishing attacks (that based on the application might be tolerable). Dynamic initialization is another contribution of the paper (that it can strengthen initialization of all stream ciphers with low area cost)

An Attack on the LILLE Stream Cipher

A few small-state stream ciphers (SSCs) were proposed for constrained environments. All of the SSCs before the LILLE stream cipher suffered from distinguishing attacks and fast correlation attacks. The designers of LILLE claimed that it is based on the well-studied two-key Even-Mansour scheme and so is resistant to various types of attacks. This paper proposes a distinguishing attack on LILLE, the first attack since 2018. The data and time complexities to attack LILLE-40 are 2^(50.7) and 2^(41.2), respectively. We verified practically our attack on a halved version of LILLE-40. A countermeasure is suggested to strengthen LILLE against the proposed attack. We hope our attack opens the door to more cryptanalyses of LILLE

Fruit-80: A Secure Ultra-Lightweight Stream Cipher for Constrained Environments

In Fast Software Encryption (FSE) 2015, while presenting a new idea (i.e., the design of stream ciphers with the small internal state by using a secret key, not only in the initialization but also in the keystream generation), Sprout was proposed. Sprout was insecure and an improved version of Sprout was presented in FSE 2017. We introduced Fruit stream cipher informally in 2016 on the web page of IACR (eprint) and few cryptanalysis were published on it. Fortunately, the main structure of Fruit was resistant. Now, Fruit-80 is presented as a final version which is easier to implement and is secure. The size of LFSR and NFSR in Fruit-80 is only 80 bits (for 80-bit security level), while for resistance to the classical time-memory-data tradeoff (TMDTO) attacks, the internal state size should be at least twice that of the security level. To satisfy this rule and to design a concrete cipher, we used some new design ideas. It seems that the bottleneck of designing an ultra-lightweight stream cipher is TMDTO distinguishing attacks. A countermeasure was suggested, and another countermeasure is proposed here. Fruit-80 is better than other small-state stream ciphers in terms of the initialization speed and area size in hardware. It is possible to redesign many of the stream ciphers and achieve significantly smaller area size by using the new idea

A new chosen IV statistical distinguishing framework to attack symmetric ciphers, and its application to ACORN-v3 and Grain-128a

We propose a new attack framework based upon cube testers and d-monomial tests. The d-monomial test is a general framework for comparing the ANF of the symmetric cipher’s output with ANF of a random Boolean function. In the d-monomial test, the focus is on the frequency of the special monomial in the ANF of Boolean functions, but in the proposed framework, the focus is on the truth table. We attack ACORN-v3 and Grain-128a and demonstrate the efficiency of our framework. We show how it is possible to apply a distinguishing attack for up to 676 initialization rounds of ACORN-v3 and 171 initialization rounds of Grain-128a using our framework. The attack on ACORN-v3 is the best practical attack (and better results can be obtained by using more computing power). One can apply distinguishing attacks to black box symmetric ciphers by the proposed framework, and we suggest some guidelines to make it possible to improve the attack by analyzing the internal structure of ciphers. The framework is applicable to all symmetric ciphers and hash functions. We discuss how it can reveal weaknesses that are not possible to find by other statistical tests. The attacks were practically implemented and verified