
Design and analysis of small-state grain-like stream ciphers


Abstract and Figures

Time-memory-data (TMD) tradeoff attacks limit the security level of many classical stream ciphers to the birthday bound. Very recently, a new field of research has emerged, which searches for so-called small-state stream ciphers that try to overcome this limitation. In this paper, existing designs and known analysis of small-state stream ciphers are revisited and new insights on distinguishers and key recovery are derived based on TMD tradeoff attacks. A particular result is the transfer of a generic distinguishing attack suggested in 2007 by Englund et al. to this new class of lightweight ciphers. Our analysis shows that the initial hope of achieving full security against TMD tradeoff attacks by continuously using the secret key has failed. In particular, we provide generic distinguishers for Plantlet and Fruit with complexity significantly smaller than that of exhaustive key search. However, by studying the assumptions underlying the applicability of these attacks, we are able to come up with a new design idea for small-state stream ciphers, which might allow to finally achieve full security against TMD tradeoff attacks. Another contribution of this paper is the first key recovery attack against the most recent version of Fruit. We show that there are at least 2⁶⁴ weak keys, each of which does not provide 80-bit security as promised by designers.
Cryptogr. Commun. (2018) 10:803–834
https://doi.org/10.1007/s12095-017-0261-6
Matthias Hamann (1), Matthias Krause (1), Willi Meier (2), Bin Zhang (3)
Received: 25 June 2017 / Accepted: 9 October 2017 / Published online: 8 November 2017
© Springer Science+Business Media, LLC 2017
Keywords: Stream ciphers · Lightweight cryptography · Time-memory-data tradeoff attacks · Grain · Fruit
This article is part of the Topical Collection on Special Issue on Statistics in Design and Analysis of Symmetric Ciphers
Willi Meier
willi.meier@fhnw.ch
(1) Lehrstuhl für Theoretische Informatik, Universität Mannheim, 68131 Mannheim, Germany
(2) FHNW, Windisch, Switzerland
(3) TCA, SKLCS, Institute of Software, Chinese Academy of Sciences, Beijing, China
... Key bits, IV bits or both are stored in fixed memories in SSCs and continuously participate in the internal state updating and keystream generation. Unfortunately, SSCs were not as strong as expected against a type of TMDTO attack, i.e. a TMDTO distinguishing attack [12]. A construction was proposed by Hamann et al. [12] to strengthen SSCs against TMDTO distinguishing attack: continuously using IV bits (along with key bits) after initialization in the keystream generation phase. ...
... Unfortunately, SSCs were not as strong as expected against a type of TMDTO attack, i.e. a TMDTO distinguishing attack [12]. A construction was proposed by Hamann et al. [12] to strengthen SSCs against TMDTO distinguishing attack: continuously using IV bits (along with key bits) after initialization in the keystream generation phase. Then, two papers were published by Hamann et al., who claimed that continuously using only IV bits after initialization in the keystream generation phase can provide full security against TMDTO attacks [13,14]. ...
... Accessing IV bits requires extra memory for storing IV bits in some cases, and storing IV bits (unlike key bits) imposes overhead in some cryptosystem applications. In [12], it was stated that storing IV bits provides a notable benefit for cryptosystems. The benefit can be used to avoid using the same IV twice under the same key, which is a problem that could happen in the old cryptosystems with small IV spaces, for example, in A5/1 with 22-bit IV. ...
Article
The small-state stream cipher (SSC) idea is based on using key bits not only in the initialization but also continuously in the keystream generation phase. A time-memory-data tradeoff (TMDTO) distinguishing attack was successfully applied against all SSCs in 2017 by Hamann et al. They suggested using not only key bits but also initial value (IV) bits continuously in the keystream generation phase to strengthen SSCs against TMDTO attacks. Then, Hamann and Krause proposed a construction based on using only IV bits continuously in the packet mode. They suggested an instantiation of an SSC and claimed that it is resistant to TMDTO attacks. We point out that accessing IV bits imposes an overhead on cryptosystems that might be unacceptable in some applications. More importantly, we show that the proposed SSC remains vulnerable to TMDTO attacks. To resolve this security threat, the current paper proposes constructions based on storing key or IV bits that are the first to provide full security against TMDTO attacks. Five constructions are proposed for different applications by considering efficiency. Designers can obtain each construction’s minimum volatile state length according to the desirable keystream, key and IV lengths.
... The hope was that the additional key bits would enhance the security beyond the birthday bound with regard to the volatile internal state bits. However, these constructions were not equipped with a proof of security and they were eventually successfully attacked and broken [HKMZ18]. Atom [BCI+21] also uses the secret key continuously. ...
... Atom [BCI+21] also uses the secret key continuously. However, it does not provide beyond the birthday bound security against distinguishing attacks, as the attack presented in [HKMZ18] also applies here. We refer to these ciphers as the continuous-key construction, in short CKEY. ...
Article
Full-text available
Stream ciphers are vulnerable to generic time-memory-data tradeoff attacks. These attacks reduce the security level to half of the cipher’s internal state size. The conventional way to handle this vulnerability is to design the cipher with an internal state twice as large as the desired security level. In lightweight cryptography and heavily resource constrained devices, a large internal state size is a big drawback for the cipher. This design principle can be found in the eSTREAM portfolio members Grain and Trivium. Recently, proposals have been made that reduce the internal state size. These ciphers distinguish between a volatile internal state and a non-volatile internal state. The volatile part would typically be updated during a state update while the non-volatile part remained constant. Cipher proposals like Sprout, Plantlet, Fruit and Atom reuse the secret key as non-volatile part of the cipher. However, when considering indistinguishability none of the ciphers mentioned above provides security beyond the birthday bound with regard to the volatile internal state. Partially this is due to the lack of a proper proof of security. We present a new stream cipher proposal called Draco which implements a construction scheme called CIVK. In contrast to the ciphers mentioned above, CIVK uses the initial value and a key prefix as its non-volatile state. Draco builds upon CIVK and uses a 128-bit key and a 96-bit initial value and requires 23 % less area and 31 % less power than Grain-128a at 10 MHz. Further, we present a proof that CIVK provides full security with regard to the volatile internal state length against distinguishing attacks. This makes Draco a suitable cipher choice for ultra-lightweight devices like RFID tags.
... A fault attack on Plantlet was proposed by Maitra et al. [24]. The 80-bit version of Fruit was cryptanalyzed by Dey et al. [9], Zhang et al. [34], and Hamann et al. [17]. ...
... It is the lightest stream cipher compared with other Grain-like stream ciphers. Although small-state stream ciphers may incur TMDTO distinguishing attacks, the designers of Fruit-80 ruled out the possibility of the cipher being susceptible to this attack, depending on the application scenario [15,18]. Nevertheless, in order to avoid this attack, one of the countermeasures proposed by the designers is to limit the number of keystream bits to 2^16. ...
Article
Fruit is a small-state stream cipher designed for securing communications among resource-constrained devices. The design of Fruit was first known to the public in 2016. It was later improved as Fruit-80 in 2018 and became the latest and final version among all versions of the Fruit stream ciphers. In this paper, we analyze the Fruit-80 stream cipher. We found that Fruit-80 generates identical keystreams from certain two distinct pairs of key and IV. Such a pair of key-IV pairs is known as a slid pair. Moreover, we discover that when two pairs of key and IV fulfill specific characteristics, they will generate identical keystreams. This shows that slid pairs do not always exist arbitrarily in Fruit-80. We define specific rules which are equivalent to the characteristics. Using the defined rules, we are able to automate the searching process using an MILP solver, which makes searching for slid pairs trivial.
... Furthermore, the key update component in the state update function is completely linear; this ensures that table based special state attacks of [EK15] do not apply to all post-Sprout constructions. An interesting distinguishing attack against Sprout using slid keystreams was presented in [Ban15] that also applies to Plantlet and Lizard, and which was further generalized in [HKMZ18]. We will present the attack in the context of Atom. ...
Article
Full-text available
It has been common knowledge that for a stream cipher to be secure against generic TMD tradeoff attacks, the size of its internal state in bits needs to be at least twice the size of the length of its secret key. In FSE 2015, Armknecht and Mikhalev however proposed the stream cipher Sprout with a Grain-like architecture, whose internal state was equal in size with its secret key and yet resistant against TMD attacks. Although Sprout had other weaknesses, it germinated a sequence of stream cipher designs like Lizard and Plantlet with short internal states. Both these designs have had cryptanalytic results reported against them. In this paper, we propose the stream cipher Atom that has an internal state of 159 bits and offers a security of 128 bits. Atom uses two key filters simultaneously to thwart certain cryptanalytic attacks that have been recently reported against keystream generators. In addition, we found that our design is one of the smallest stream ciphers that offers this security level, and we prove in this paper that Atom resists all the attacks that have been proposed against stream ciphers so far in literature. On the face of it, Atom also builds on the basic structure of the Grain family of stream ciphers. However, we try to prove that by including the additional key filter in the architecture of Atom we can make it immune to all cryptanalytic advances proposed against stream ciphers in recent cryptographic literature.
... No cryptanalytic advances have yet been reported against Plantlet that recover the secret key without the use of side channels. In [HKMZ18], a distinguishing attack against Plantlet was reported that uses data and memory complexity of 2^61 bits, and time complexity of 2^55 steps. In [MSS17], a differential fault attack was reported against Plantlet that recovered the secret key using 4 fault injections. ...
Article
Full-text available
Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 40 and 61 bits. In spite of this, the cipher does not seem to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. The cipher uses an 80-bit secret key and a 90-bit IV. In this paper, we first present a key recovery attack on Plantlet that requires around 2^76.26 Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystreams that are either equal or unequal in 45 locations with probability 1. Thus an attacker can with some probability guess that when 2 segments of keystream blocks possess the 45 bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter, by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if his guess was indeed correct, or reach some kind of contradiction if his guess was incorrect. In the latter event, he would repeat the procedure for other keystream blocks with the given difference. We show that the process, when repeated a finite number of times, does indeed yield the value of the secret key. In the second part of the paper, we observe that the previous attack was limited to internal state differences that occurred at time instances that were congruent to 0 mod 80. We further observe that by generalizing the attack to include internal state differences that are congruent to all equivalence classes modulo 80, we lower the total number of keystream bits required to perform the attack and in the process reduce the attack complexity to 2^69.98 Plantlet encryptions.
Article
In the conference “Fast Software Encryption 2015”, a new line of research was proposed by introducing the first small-state stream cipher (SSC). The goal was to design lightweight stream ciphers for hardware applications by going beyond the rule that the internal state size must be at least twice the intended security level. Fast correlation attack (FCA) was successfully applied to all proposed SSCs which can be implemented by less than 1000 gate equivalents in hardware. It is possible to increase the security of stream ciphers against FCA by exploiting more complicated functions for the nonlinear feedback shift register and the output function, but we use lightweight functions to design the lightest SSC in the world while providing more security against FCA. Our proposed cipher provides 80-bit security against all types of Time-memory-data trade-off (TMDTO) attacks, while Lizard and Plantlet provide only 60-bit and 58-bit security against TMDTO distinguishing attacks, respectively. Our main contribution is to propose a lightweight round key function with a very long period that increases the security of SSCs against FCA.
Article
Fruit-80, which emerged as an ultra-lightweight stream cipher with 80-bit secret key, is oriented toward resource constrained devices in the Internet of Things. In this paper, we propose area and speed optimization architectures of Fruit-80 on FPGAs. Our implementations include both serial and parallel structure and optimize area, power, speed and throughput respectively. The area optimization architecture aims to achieve the most suitable ratio of look-up-tables and flip-flops to fully utilize the reconfigurable unit. It also reuses NFSR and LFSR feedback functions to save resources for high throughput. The speed optimization architecture adopts a hybrid approach for parallelization and reduces the latency of long data paths by pre-generating primary feedback and inserting flip-flops. Besides, we recommend using the round key function to optimize serial or parallel implementations for Fruit-80 and using indexing and shifting methods for different throughput. In conclusion, our results show that the area optimization architecture occupies up to 35 slices on Xilinx Spartan-3 FPGA and 18 slices on Xilinx 7 series FPGA, smaller than that of Grain and other common stream ciphers. The optimal throughput/area ratio of the speed optimization architecture is 7.74 Mbps/slice, better than that of Grain v1, which is 5.98 Mbps/slice. The serial implementation of Fruit-80 with round key function occupies only 75 slices on Spartan-3 FPGA. To the best of our knowledge, the result sets a new record of the minimum area in lightweight cipher implementation on FPGA.
Chapter
With the continuous development of informatization, new challenges of information security have emerged. In the open network environment, when the collected data is transmitted back to the next node, it faces various threats of interception and tampering. If it is under the condition of constrained devices, some high-security encryption algorithms are difficult to implement on the equipment, and the integrity and availability of the data will be threatened to a certain extent. The choice of function for data verification is also crucial in the case of constrained device resources, so it is urgent to find a solution that requires the acceptance of data to ensure the authenticity and reliability of the data source and guarantee the legitimacy of the data source. In this paper, we propose a solution that combines an ultra-lightweight stream cipher with Hash function authentication to provide flexible and efficient legitimacy verification with low computation and low power consumption, so that the receiver can verify the legitimacy of the data and obtain the complete data even if the data transmission is disturbed.
Keywords: Authentication · Constrained devices · Hash · Ultra-lightweight stream cipher
Article
The fast correlation attack (FCA) is one of the most important cryptanalytic techniques against LFSR-based stream ciphers. In CRYPTO 2018, Todo et al. found a new property for the FCA and proposed a novel algorithm which was successfully applied to the Grain family of stream ciphers. Nevertheless, these techniques cannot be directly applied to Grain-like small state stream ciphers with keyed update, such as Plantlet, Fruit-v2 and Fruit-80. In this paper, we study the security of Grain-like small state stream ciphers by the FCA. We first observe that the number of required parity-check equations can be reduced when there are multiple different parity-check equations. By exploiting the Skellam distribution, we introduce a sufficient condition to identify the correct LFSR initial state and derive a new relationship between the number and bias of the required parity-check equations. Then, a modified algorithm is presented based on this new relationship, which can recover the LFSR initial state no matter what the round key bits are. Under the condition that the LFSR initial state is known, an algorithm is given against the degraded system to recover the NFSR state at some time instant, along with the round key bits. As case studies, we apply our cryptanalytic techniques to Plantlet, Fruit-v2 and Fruit-80. As a result, for Plantlet, our attack takes $ 2^{73.75} $ time complexity and $ 2^{73.06} $ keystream bits to recover the full 80-bit key. Regarding Fruit-v2, $ 2^{55.34} $ time complexity and $ 2^{55.62} $ keystream bits are needed to determine the secret key. As for Fruit-80, $2^{64.47}$ time complexity and $2^{62.82}$ keystream bits are required to recover the secret key. More flexible attacks can be obtained with lower data complexity at the cost of increasing the attack time. Especially, for Fruit-v2, a key recovery attack can be launched with data complexity of $2^{42.38}$ and time complexity of $2^{73.31}$. Moreover, we have implemented our attack methods on a toy version of Fruit-v2. The attack matches the expected complexities predicted by our theoretical analysis quite well, which proves the validity of our cryptanalytic techniques.
Article
Full-text available
Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing 2^58 random trials it is possible to find a set of 2^64 triplets (K, IV0, IV1) such that the Key-IV pairs (K, IV0) and (K, IV1) produce identical keystream bits. Second, we show that by performing only around 2^28 random trials it is possible to obtain 2^64 Key-IV pairs (K0, IV0) and (K1, IV1) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 2^51.5 random IV encryptions (with encryption required to produce 2^18 keystream bits) and around 2^76.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.
Article
Full-text available
Most stream ciphers are vulnerable against generic time-memory-data tradeoff (TMD-TO) attacks, which reduce their effective key length to the birthday bound \(n/2\), where n denotes the inner state length of the underlying keystream generator. This implies the necessity of a comparatively large inner state length for practical stream ciphers (e.g., \(n = 288\) and \(n = 160\) for the eSTREAM portfolio members Trivium and Grain v1, respectively). In this paper, we propose and analyze the Lizard-construction, a new way to build stream ciphers. We prove a tight \(2n/3\) bound on its security against TMD-TO key recovery attacks, where the security lower bound refers to chosen-IV attacks. The security against TMD-TO distinguishing attacks remains at the birthday-bound level \(n/2\). The lower bound refers to a random oracle model which allows to derive formal security results w.r.t. generic TMD-TO attacks. While similar frameworks have already been widely used for analyzing the security of block cipher, MAC, and hash function constructions, to the best of our knowledge this is the first time that such a model is considered in the context of stream ciphers. The security analysis presented in this paper is also of immediate practical relevance as, with the stream cipher Lizard, a first instantiation of our new design principle (which we hence named Lizard-construction) was introduced at FSE 2017. Lizard has an inner state length of only 121 bits and surpasses Grain v1, the most hardware efficient member of the eSTREAM portfolio, in important metrics for lightweight ciphers such as chip area and power consumption.
Conference Paper
Full-text available
Symmetric ciphers purposed for Fully Homomorphic Encryption (FHE) have recently been proposed for two main reasons. First, minimizing the implementation (time and memory) overheads that are inherent to current FHE schemes. Second, improving the homomorphic capacity, i.e. the amount of operations that one can perform on homomorphic ciphertexts before bootstrapping, which amounts to limit their level of noise. Existing solutions for this purpose suggest a gap between block ciphers and stream ciphers. The first ones typically allow a constant but small homomorphic capacity, due to the iteration of rounds eventually leading to complex Boolean functions (hence large noise). The second ones typically allow a larger homomorphic capacity for the first ciphertext blocks, that decreases with the number of ciphertext blocks (due to the increasing Boolean complexity of the stream ciphers’ output). In this paper, we aim to combine the best of these two worlds, and propose a new stream cipher construction that allows constant and small(er) noise. Its main idea is to apply a Boolean (filter) function to a public bit permutation of a constant key register, so that the Boolean complexity of the stream cipher outputs is constant. We also propose an instantiation of the filter function designed to exploit recent (3rd-generation) FHE schemes, where the error growth is quasi-additive when adequately multiplying ciphertexts with the same amount of noise. In order to stimulate further investigation, we then specify a few instances of this stream cipher, for which we provide a preliminary security analysis. We finally highlight the good properties of our stream cipher regarding the other goal of minimizing the time and memory complexity of calculus delegation (for 2nd-generation FHE schemes). We conclude the paper with open problems related to the large design space opened by these new constructions.
Article
The cube attack is a powerful cryptanalytic technique and is especially powerful against stream ciphers. Since we need to analyze the complicated structure of a stream cipher in the cube attack, the cube attack basically analyzes it by regarding it as a blackbox. Therefore, the cube attack is an experimental attack, and we cannot evaluate the security when the size of cube exceeds an experimental range, e.g., 40. In this paper, we propose cube attacks on non-blackbox polynomials. Our attacks are developed by using the division property, which is recently applied to various block ciphers. The clear advantage is that we can exploit large cube sizes because it never regards the cipher as a blackbox. We apply the new cube attack to Trivium, Grain128a, ACORN and Kreyvium. As a result, the secret keys of 832-round Trivium, 183-round Grain128a, 704-round ACORN and 872-round Kreyvium are recovered. These attacks are the current best key-recovery attack against these ciphers.
Conference Paper
In this paper, we study the security of NFSR-based cryptosystems from the algebraic degree point of view. We first present a general framework of iterative estimation of algebraic degree for NFSR-based cryptosystems, by exploiting a new technique, called numeric mapping. Then based on this general framework we propose a concrete and efficient algorithm to find an upper bound on the algebraic degree for Trivium-like ciphers. Our algorithm has linear time complexity and needs a negligible amount of memory. As illustrations, we apply it to Trivium, Kreyvium and TriviA-SC, and reveal various upper bounds on the algebraic degree of these ciphers by setting different input variables. By this algorithm, we can make use of a cube with any size in cube testers, which is generally believed to be infeasible for an NFSR-based cryptosystem before. Due to the high efficiency of our algorithm, we can exhaust a large set of the cubes with large size. As such, we obtain the best known distinguishing attacks on reduced Trivium and TriviA-SC as well as the first cryptanalysis of Kreyvium. Our experiments on Trivium show that our algorithm is not only efficient in computation but also accurate in estimation of attacked rounds. The best cubes we have found for Kreyvium and TriviA-SC are both of size larger than 60. To the best of our knowledge, our tool is the first formalized and systematic one for finding an upper bound on the algebraic degree of an NFSR-based cryptosystem, and this is the first time that a cube of size beyond practical computations can be used in cryptanalysis of an NFSR-based cryptosystem. It is also potentially useful in the future applications to key recovery attacks and more cryptographic primitives.
Conference Paper
The cube attack is a powerful cryptanalytic technique and is especially powerful against stream ciphers. Since we need to analyze the complicated structure of a stream cipher in the cube attack, the cube attack basically analyzes it by regarding it as a blackbox. Therefore, the cube attack is an experimental attack, and we cannot evaluate the security when the size of cube exceeds an experimental range, e.g., 40. In this paper, we propose cube attacks on non-blackbox polynomials. Our attacks are developed by using the division property, which is recently applied to various block ciphers. The clear advantage is that we can exploit large cube sizes because it never regards the cipher as a blackbox. We apply the new cube attack to Trivium, Grain128a, and ACORN. As a result, the secret keys of 832-round Trivium, 183-round Grain128a, and 704-round ACORN are recovered. These attacks are the current best key-recovery attack against these ciphers.
Article
Lightweight stream ciphers have received serious attention in the last few years. The present design paradigm considers very small state (less than twice the key size) and use of the secret key bits during pseudo-random stream generation. One such effort, Sprout, had been proposed two years back and it was broken almost immediately. After carefully studying these attacks, a modified version named Plantlet has been designed very recently. While the designers of Plantlet do not provide any analysis on fault attacks, we note that Plantlet is even weaker than Sprout in terms of Differential Fault Attack (DFA). Our investigation, following the similar ideas as in the analysis against Sprout, shows that we require only around 4 faults to break Plantlet by DFA in a few hours time. While fault attack is indeed difficult to implement and our result does not provide any weakness of the cipher in normal mode, we believe that these initial results will be useful for further understanding of Plantlet.
Conference Paper
In this paper, we show structural cryptanalyses against two popular networks, i.e., the Feistel Network and the Substitute-Permutation Network (SPN). Our cryptanalyses are distinguishing attacks by an improved integral distinguisher. The integral distinguisher is one of the most powerful attacks against block ciphers, and it is usually constructed by evaluating the propagation characteristic of integral properties, e.g., the ALL or BALANCE property. However, the integral property does not derive useful distinguishers against block ciphers with non-bijective functions and bit-oriented structures. Moreover, since the integral property does not clearly exploit the algebraic degree of block ciphers, it tends not to construct useful distinguishers against block ciphers with low-degree functions. In this paper, we propose a new property called the division property, which is the generalization of the integral property. It can effectively construct the integral distinguisher even if the block cipher has non-bijective functions, bit-oriented structures, and low-degree functions. From viewpoints of the attackable number of rounds or chosen plaintexts, the division property can construct better distinguishers than previous methods. Although our attack is a generic attack, it can improve several integral distinguishers against specific cryptographic primitives. For instance, it can reduce the required number of chosen plaintexts for the \(10\)-round distinguisher on Keccak-\(f\) from \(2^{1025}\) to \(2^{515}\). For the Feistel cipher, it theoretically proves that Simon 32, 48, 64, 96, and 128 have \(9\)-, \(11\)-, \(11\)-, \(13\)-, and \(13\)-round integral distinguishers, respectively.
Conference Paper
The internal state size of a stream cipher is supposed to be at least twice the key length to provide resistance against the conventional Time-Memory-Data (TMD) tradeoff attacks. This well adopted security criterion seems to be one of the main obstacles in designing, particularly, ultra lightweight stream ciphers. At FSE 2015, Armknecht and Mikhalev proposed an elegant design philosophy for stream ciphers as fixing the key and dividing the internal states into equivalence classes where any two different keys always produce non-equivalent internal states. The main concern in the design philosophy is to decrease the internal state size without compromising the security against TMD tradeoff attacks. If the number of equivalence classes is more than the cardinality of the key space, then the cipher is expected to be resistant against TMD tradeoff attacks even though the internal state (except the fixed key) is of fairly small length. Moreover, Armknecht and Mikhalev presented a new design, which they call Sprout, to embody their philosophy. In this work, ironically, we mount a TMD tradeoff attack on Sprout within practical limits using \(2^d\) output bits in \(2^{71-d}\) encryptions of Sprout along with \(2^{d}\) table lookups. The memory complexity is \(2^{86-d}\) where \(d\le 40\). In one instance, it is possible to recover the key in \(2^{31}\) encryptions and \(2^{40}\) table lookups if we have \(2^{40}\) bits of keystream output by using tables of 770 Terabytes in total. The offline phase of preparing the tables consists of solving roughly \(2^{41.3}\) systems of linear equations with 20 unknowns and an effort of about \(2^{35}\) encryptions. Furthermore, we mount a guess-and-determine attack having a complexity about \(2^{68}\) encryptions with negligible data and memory. We have verified our attacks by conducting several experiments. Our results show that Sprout can be practically broken.