Analysis of Grain's Initialization Algorithm
[chapter]
2008
Lecture Notes in Computer Science
using two related keys and 2^55 chosen IV pairs. ...
efficient attack on both Grain v1 and Grain-128). ...
We will then study the differential properties of the initialization, and develop a differential attack on Grain v1 which recovers one out of 2^9 keys, and requires two related keys and 2^55 chosen IV ...
doi:10.1007/978-3-540-68164-9_19
fatcat:o3haz66xfndljbxgspupxrk2nu
Breaking the Estream Finalists and AES Modes of Operation Faster than Exhaustive Search
[article]
2012
arXiv
pre-print
This paper explores the time-memory-data trade-off attack on stream and block ciphers. ...
ATTACK ON GRAIN-V1 AND GRAIN-128 WITH PRE-PROCESSING AND ONLINE COMPLEXITY FASTER THAN EXHAUSTIVE SEARCH Grain-v1 is an Estream finalist with key size 80-bit, IV size 64-bit and state size 160-bit [18 ...
Attack on Grain-v1 Consider the HS-TMD attack on Grain-v1 with key size 80-bit and IV size 64-bit. To get online attack complexity T < 2^80, we need D ≤ √T < 2^40. ...
arXiv:1207.0269v3
fatcat:twhem2gcbbcmtdjedzqumptfeq
A New Distinguisher on Grain v1 for 106 Rounds
[chapter]
2015
Lecture Notes in Computer Science
In Asiacrypt 2010, Knellwolf, Meier and Naya-Plasencia proposed distinguishing attacks on Grain v1 when (i) Key Scheduling process is reduced to 97 rounds using 2^27 chosen IVs and (ii) Key Scheduling ...
We present a new distinguisher on Grain v1 for 106 rounds with success probability 63%. As stated, the key-stream generation of Grain v1 consists of three phases. ...
Grain 128 and Grain 128a are inspired from Grain v1, and use a similar structure. Küçük et al. [8] proposed related key-IV attack on Grain v1. ...
doi:10.1007/978-3-319-26961-0_20
fatcat:fc5qc3dtpnfp7ht2dzjyqv6jhu
A Detailed Analysis of Grain family of Stream Ciphers
2014
International Journal of Computer Network and Information Security
Security features and different attacks on these ciphers have been studied in this paper to analyze the strengths and weaknesses of these designs. ...
Hardware based ciphers are most suitable for resource constrained environments to provide information security and confidentiality. Grain is one such hardware based synchronous stream cipher. ...
This related key attack requires 2^96 chosen IVs and 2^103.613 keystream bits to recover the 128 bit key with the computational complexity of 2^96.322.
VII. ...
doi:10.5815/ijcnis.2014.06.05
fatcat:erhgynibfbc5zhxb2rgaemyt6a
LIZARD – A Lightweight Stream Cipher for Power-constrained Devices
2017
IACR Transactions on Symmetric Cryptology
Lizard uses 120-bit keys, 64-bit IVs and has an inner state length of 121 bit. It is supposed to provide 80-bit security against key recovery attacks. ...
2/3n-security against TMD tradeoff attacks aiming at key recovery. ...
Acknowledgement We would like to thank Peter Fischer and Michael Ritzert, who provided us with the necessary technical means and additional valuable information for creating the hardware implementation ...
doi:10.46586/tosc.v2017.i1.45-79
fatcat:aap4zegsgvfbhe5ly76inmpkrm
LIZARD – A Lightweight Stream Cipher for Power-constrained Devices
2017
IACR Transactions on Symmetric Cryptology
Lizard uses 120-bit keys, 64-bit IVs and has an inner state length of 121 bit. It is supposed to provide 80-bit security against key recovery attacks. ...
2/3n-security against TMD tradeoff attacks aiming at key recovery. ...
Moreover, we are grateful to anonymous reviewers and to ...
doi:10.13154/tosc.v2017.i1.45-79
dblp:journals/tosc/HamannKM17
fatcat:yy3mitkbqfftlbhxdbw7nupkzu
Fruit-80: A Secure Ultra-Lightweight Stream Cipher for Constrained Environments
2018
Entropy
We introduced Fruit stream cipher informally in 2016 on the web page of IACR (eprint) and few cryptanalysis were published on it. Fortunately, the main structure of Fruit was resistant. ...
To satisfy this rule and to design a concrete cipher, we used some new design ideas. It seems that the bottleneck of designing an ultra-lightweight stream cipher is TMDTO distinguishing attacks. ...
Test Vector for Fruit-80 We use hexadecimal format for presenting the keystream, key, and IV as follows. ...
doi:10.3390/e20030180
pmid:33265271
fatcat:nj6lixcnf5gjtonf2p2cbdrnei
Fault analysis of GRAIN-128
2009
2009 IEEE International Workshop on Hardware-Oriented Security and Trust
This paper introduces a fault attack on GRAIN-128 based on a realistic fault model and explores possible improvements of the attack. We also discuss countermeasures to counteract our fault attack. ...
The best known mathematical attack against GRAIN-128 is the brute force key-search. ...
DESCRIPTION OF GRAIN-128 GRAIN-128 [6] supports a 128 bits key and a 96 bits IV. ...
doi:10.1109/hst.2009.5225030
dblp:conf/host/CastagnosBCDGGPS09
fatcat:6wkr6yif4nderls5hsadvl3pfi
Differential Fault Attack against Grain Family with Very Few Faults and Minimal Assumptions
2015
IEEE transactions on computers
The series of published works, related to Differential Fault Attack (DFA) against the Grain family, require (i) quite a large number (hundreds) of faults (around n ln n, where n = 80 for Grain v1 and n = 128 for Grain-128, Grain-128a) and also (ii) several assumptions on location and timing of the fault injected. ...
For Grain v1 and Grain-128 we outline techniques that allows the adversary to relax requirements related to the timing of fault injections. ...
doi:10.1109/tc.2014.2339854
fatcat:fwag63zyz5ajbdjatw6acieoaq
Two Generic Methods of Analyzing Stream Ciphers
[chapter]
2015
Lecture Notes in Computer Science
We show the power of the new methods by analyzing two stream ciphers: Grain-v1 and ACORN. Grain-v1 is one of the finalists selected in the eSTREAM project. ...
We present a time-memory-data tradeoff attack against Grain-v1 by importing the idea of conditional sampling resistance based on the k-linear-normality and a specific guessing path, with the parameters ...
In [12], a slide property in the initialization phase was discovered, and later mounted with several related-key chosen IV attacks [22]. ...
doi:10.1007/978-3-319-23318-5_21
fatcat:5bwwwikswvfprgime2bfai3g4m
A Differential Fault Attack on the Grain Family of Stream Ciphers
[chapter]
2012
Lecture Notes in Computer Science
The Grain family uses an n-bit key K, and an m-bit initialization vector IV, with m < n. The key is loaded in the NFSR and the IV is loaded in the 0th to the (m − 1)th bits of the LFSR. ...
The existing works, by Karmakar et al. (2011), are applicable only on Grain-128 exploiting certain properties of the combining Boolean function h. ...
In Grain v1, the size of Key is n = 80 bits and the IV is of size m = 64 bits. The pad used in the KLA is P = 0xFFFF. ...
doi:10.1007/978-3-642-33027-8_8
fatcat:m67lsnvp4rhyloe46byjmd7tju
Differential Fault Attack on Grain v1, ACORN v3 and Lizard
[chapter]
2017
Lecture Notes in Computer Science
In this paper we study DFA on three ciphers, namely Grain v1, Lizard and ACORN v3. ...
In this paper, we mount a DFA on ACORN v3 that requires 9 faults to obtain the state. In case of Grain v1 and ACORN v3, we can obtain the secret key once the state is known. ...
Till now, there has been no reported cryptanalysis on Lizard apart from a related key/IV attack shown in [5]. ...
doi:10.1007/978-3-319-71501-8_14
fatcat:2eqv6ima2naiblx2dpr2s7kq74
Grain-128a: a new version of Grain-128 with optional authentication
2011
International Journal of Wireless and Mobile Computing
The new version, Grain-128a, is strengthened against all known attacks and observations on the original Grain-128, and has built-in support for optional authentication. ...
The changes are modest, keeping the basic structure of Grain-128. This gives a high confidence in Grain-128a and allows for easy updating of existing implementations. ...
Recognizing the emerging need for 128-bit keys, proposed Grain-128 supporting 128-bit keys and 96-bit IVs. ...
doi:10.1504/ijwmc.2011.044106
fatcat:bxcud66u3zdftpcllzcrrc67vi
Dynamic cube attack on Grain-v1
2016
IET Information Security
This article aims to present dynamic cube attack on Grain-v1. Dynamic cube attack finds the secret key by using distinguishers gained from structural weakness. ...
Our attack is done in feasible time complexity, and it recovers all bits of the key while the number of initialization rounds in Grain-v1 is decreased to 100. ...
This paper concentrates dynamic cube attack on Grain-v1 and elaborates on how to use it in key recovery attack. ...
doi:10.1049/iet-ifs.2014.0239
fatcat:g4w2r53to5b5xc2aohs2hzmts4
Catalog and Illustrative Examples of Lightweight Cryptographic Primitives
[chapter]
2021
Security of Ubiquitous Computing Systems
In particular, the reason behind why modern lightweight block cipher designs have in the last decade overwhelmingly dominated stream cipher design is analyzed in terms of security against tradeoff attacks ...
cryptographic features, ultimate hardware performance, and existing security analysis, so they can easily compare the ciphers or choose some of them according to their needs. ...
Trivium [127] Key-recovery attack [224]: 2^77 on 855 rounds
Quavium [555] −
WG-8 [207] Related key attacks [180] with one related key 2^52 chosen IVs/−/2^53.32
ZUC (v 1.6) −
KP-Known Plaintext ...
doi:10.1007/978-3-030-10591-4_2
fatcat:d2gtrxu225asnmubp5ezfloz3m