Abstract
This paper analyses the resistance of certain keystream generators against algebraic attacks, namely generators consisting of a nonlinear feedback shift register, a linear feedback shift register and a filter function. We show that poorly chosen filter functions make such designs vulnerable to new algebraic attacks, using a divide and conquer approach that targets the LFSR first. This approach provides efficient LFSR initial state recovery followed by partial NFSR initial state recovery.
We apply our algebraic attacks to modified versions of the Grain family of stream ciphers. Our analysis shows that, despite the highly nonlinear filter functions used in these variants, the LFSR state can be recovered using our algebraic attack much faster than exhaustive search. Following this, the NFSR initial state can be partially recovered, leaving a smaller subset of NFSR stages to be exhaustively searched. This investigation highlights the importance of the filter function in keystream generators with a “Grain-like” structure, and demonstrates that many functions previously considered secure are vulnerable to this attack.
References
Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 451–470. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_22
Berbain, C., Gilbert, H., Joux, A.: Algebraic and correlation attacks against linearly filtered non linear feedback shift registers. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 184–198. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_12
Berbain, C., Gilbert, H., Maximov, A.: Cryptanalysis of Grain. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 15–29. Springer, Heidelberg (2006). https://doi.org/10.1007/11799313_2
Courtois, N.T.: Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36552-4_13
Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_11
Courtois, N.T., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_21
De Cannière, C., Küçük, Ö., Preneel, B.: Analysis of grain’s initialization algorithm. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 276–289. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_19
Dinur, I., Shamir, A.: Breaking grain-128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_10
Englund, H., Johansson, T.: A new simple technique to attack filter generators and related ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 39–53. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30564-4_3
Faugère, J.-C., Ars, G.: An algebraic cryptanalysis of nonlinear filter generators using Gröbner bases. Report, INRIA (2003)
Forré, R.: A fast correlation attack on nonlinearly feedforward filtered shift-register sequences. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 586–595. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_56
Gammel, B.M., Göttfert, R.: Linear filtering of nonlinear shift-register sequences. In: Ytrehus, Ø. (ed.) WCC 2005. LNCS, vol. 3969, pp. 354–370. Springer, Heidelberg (2006). https://doi.org/10.1007/11779360_28
Golić, J.D., Salmasizadeh, M., Simpson, L., Dawson, E.: Fast correlation attacks on nonlinear filter generators. Inf. Process. Lett. 64(1), 37–42 (1997)
Hell, M., Johansson, T., Maximov, A., Meier, W.: The Grain family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 179–190. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_14
Hell, M., Johansson, T., Maximov, A., Meier, W.: A stream cipher proposal: Grain-128. In: 2006 IEEE International Symposium on Information Theory, pp. 1614–1618. IEEE (2006)
Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments. Int. J. Wirel. Mob. Comput. 2(1), 86–93 (2007)
Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. Int. J. Wirel. Mob. Comput. 5, 48–59 (2011)
Hell, M., Johansson, T., Meier, W., Sönnerup, J., Yoshida, H.: Grain-128AEAD - a lightweight AEAD stream cipher. NIST Lightweight Cryptography Competition (2019)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)
Khazaei, S., Hassanzadeh, M., Kiaei, M.: Distinguishing attack on Grain. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/071 (2005)
Küçük, Ö.: Slide resynchronization attack on the initialization of Grain 1.0. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/044 (2006)
Lee, Y., Jeong, K., Sung, J., Hong, S.: Related-key chosen IV attacks on Grain-v1 and Grain-128. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 321–335. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_24
Massey, J.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969)
Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1988). https://doi.org/10.1007/BF02252874
Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symm. Cryptol., 52–79 (2016)
Millan, W.: Analysis and Design of Boolean Functions for Cryptographic Applications. PhD Thesis, Queensland University of Technology (1997)
Siegenthaler, T.: Cryptanalysts' representation of nonlinearly filtered ML-sequences. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 103–110. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39805-8_12
Stein, W., Joyner, D.: SAGE: system for algebra and geometry experimentation. ACM SIGSAM Bull. 39(2), 61–64 (2005)
Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast correlation attack revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_5
Zhang, H., Wang, X.: Cryptanalysis of stream cipher Grain family. IACR Cryptol. ePrint Arch. 2009, 109 (2009)
Appendices
A Algorithms
A.1 Algorithm for NLFG (Nonlinear Filter Generator) Algebraic Attack
Precomputation phase:
- Step 1 Use \(f(S_0)=y_0\) to relate the initial state bits \((s_0,s_1,\dots ,s_{n-1})\) to the observed output bit \(y_0\).
- Step 2 Multiply f by a function h (if applicable) to reduce the overall degree to d.
- Step 3 Clock forward using \(f(S_t)=y_t\) to build a system of equations of constant algebraic degree, applying the linear update as required.
Online phase:
- Step 4 Substitute the observed output bits \(\{y_t\}_{t=0}^{\infty }\) into the system of equations.
- Step 5 Solve the system of equations by linearisation to recover \(S_0=(s_0,s_1,\dots ,s_{n-1})\).
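Appendix A.1 lists the steps without a worked instance, so the following Python is an added example (not the authors' code) that runs all five steps against a toy nonlinear filter generator of my own choosing: a 7-stage LFSR with characteristic polynomial \(x^7+x+1\) (primitive) and the filter \(f(x)=x_0x_3+x_5\) of degree \(d=2\), so Step 2 is not needed. Each stage at time t is kept as a linear form in the initial state bits, so clocking never raises the degree (Step 3), and every monomial of degree at most 2 becomes one unknown for the linearisation in Step 5. The parameters, taps and initial states are assumptions made for the example.

```python
# Added example: the NLFG algebraic attack of A.1 on a toy filter generator.
# Toy parameters (assumed for the example): N = 7 stages, feedback
# s_{t+7} = s_t + s_{t+1} (characteristic polynomial x^7 + x + 1, primitive),
# filter f(x) = x_0*x_3 + x_5 on stages 0, 3 and 5.
N = 7
TAPS = (0, 1)
PRODUCT = (0, 3)   # the quadratic term x_0*x_3
LINEAR = 5         # the linear term x_5


def keystream(state, length):
    """Run the toy generator and return `length` output bits (the attacker's view)."""
    s = list(state)
    out = []
    for _ in range(length):
        out.append((s[PRODUCT[0]] & s[PRODUCT[1]]) ^ s[LINEAR])
        fb = 0
        for j in TAPS:
            fb ^= s[j]
        s = s[1:] + [fb]
    return out


def bits(mask):
    """Indices of the initial state bits present in a linear form."""
    return [i for i in range(N) if mask >> i & 1]


def filter_equation(forms):
    """Steps 1 and 3: f applied to the symbolic state. forms[j] is a bitmask
    over s_0..s_{N-1} giving stage j at time t as a linear form; the result is
    the set of monomials (sorted index tuples) of f(S_t) as a polynomial in S_0."""
    terms = set()
    for i in bits(forms[PRODUCT[0]]):
        for j in bits(forms[PRODUCT[1]]):        # (sum u_i s_i)(sum v_j s_j) over GF(2)
            terms ^= {(i,) if i == j else (min(i, j), max(i, j))}   # s_i^2 = s_i
    for i in bits(forms[LINEAR]):
        terms ^= {(i,)}
    return terms


def clock(forms):
    """Step 3: apply the linear update to the symbolic state (degree unchanged)."""
    fb = 0
    for j in TAPS:
        fb ^= forms[j]
    return forms[1:] + [fb]


def solve_gf2(rows, ncols):
    """Step 5: Gaussian elimination over GF(2) on (column-mask, rhs) rows, kept in
    reduced form. Returns the unique solution, or None if a column is undetermined."""
    pivots = {}                                   # pivot column -> (mask, rhs)
    for mask, rhs in rows:
        for c, (pm, pr) in pivots.items():        # reduce by existing pivots
            if mask >> c & 1:
                mask ^= pm
                rhs ^= pr
        if mask == 0:
            if rhs:
                raise ValueError("inconsistent system: wrong model or keystream")
            continue
        c = mask.bit_length() - 1                 # new pivot column
        for c2, (pm, pr) in list(pivots.items()):
            if pm >> c & 1:
                pivots[c2] = (pm ^ mask, pr ^ rhs)
        pivots[c] = (mask, rhs)
    if len(pivots) < ncols:
        return None
    return [pivots[c][1] for c in range(ncols)]


def algebraic_attack(ks):
    """Steps 1-5: recover S_0 from keystream by linearising every monomial of degree <= 2."""
    monomials = [(i,) for i in range(N)] + [(i, j) for i in range(N) for j in range(i + 1, N)]
    column = {m: c for c, m in enumerate(monomials)}
    forms = [1 << j for j in range(N)]            # at t = 0 stage j is exactly s_j
    rows = []
    for y in ks:                                  # Step 4: one equation per observed bit
        mask = 0
        for m in filter_equation(forms):
            mask |= 1 << column[m]
        rows.append((mask, y))
        forms = clock(forms)
    solution = solve_gf2(rows, len(monomials))
    return None if solution is None else solution[:N]   # degree-1 monomials are S_0


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1]                # constructed initial state
    print(algebraic_attack(keystream(secret, 40)))
```

For this choice (7 prime, distinct taps) the filtered sequence involves all 28 monomial sequences (7 linear, 21 quadratic), so the 28 linearised unknowns are determined as soon as 28 equations are available and 40 keystream bits suffice; with too few bits `algebraic_attack` returns None rather than guessing. The same procedure with n = 80 and d = 3 is what Appendix C relies on, where the number of unknowns grows to about \(\binom{80}{3}\).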
A.2 Algorithm for Fast Algebraic Attack
The precomputation phase is similar to that of a regular algebraic attack, with Step 3 replaced by three steps (3a, 3b and 3c) as follows.
- Step 3a Identify the linear combination of equations that eliminates the monomials of degree above e (up to d) in the initial state bits.
- Step 3b Use this linear dependency to build a new general equation.
- Step 3c Use this general equation to build a system of equations of degree e in the initial state bits.
A.3 Algorithm for LF-NFSR Algebraic Attack
Precomputation phase:
- Step 1 A system of equations is developed using the linear filter function to represent every state bit as a linear combination of a subset of the initial state bits and some output bits. We denote this system of equations by system \(\mathcal {L}\).
- Step 2 A second system of equations is developed using the nonlinear update function g to represent update bits as a nonlinear combination of a subset of the initial state bits. We denote this system by system \(\mathcal {G}\). Substitutions are made for state bits in system \(\mathcal {G}\) using system \(\mathcal {L}\) where applicable, to reduce the number of unknown state variables while keeping the degree of system \(\mathcal {G}\) constant.
- Step 3 The two systems are combined by aligning the equations from each system that represent the same state bit. The resulting system contains only initial state bits and observed output bits. We denote this system by system \(\mathcal {L+G}\).
Online phase:
- Step 4 Substitute the observed output bits \(\{y_t\}_{t=0}^{\infty }\) into the system of equations.
- Step 5 Solve the system of equations by linearisation.
B Modified Versions of Grain
Grain-V1-\({\boldsymbol{m}}\)
As with Grain-V0-m, the filter function f of Grain-V1-m satisfies Case 2, and so \(b_{63}\) is left in the function.
Grain-128-\({\boldsymbol{m}}\)
Grain-128a-\({\boldsymbol{m}}\)/Grain-128AEAD-\({\boldsymbol{m}}\)
Note that the structure of the filter function used in Grain-128 is identical to that of the filter function in Grain-128a, except that \(s_{95}\) in the final term for Grain-128 is replaced by \(s_{94}\) in Grain-128a. This change is reflected in the modified versions shown here.
C Recovering the LFSR Initial State of Grain
Grain-V1-\({\boldsymbol{m}}\)
At time \(t=0\) an output bit in Grain-V1 is produced as follows:
Multiplying this equation by \((s_{64}+ s_{3}s_{46}+ s_{25}s_{46}+ s_{46}s_{64})\) gives
where the right hand side of the equation contains only LFSR initial state bits. When the right hand side is expanded, the highest degree monomial is of degree 3. Thus, by observing at least \(\binom{80}{3}\) keystream bits, fast algebraic techniques may be applied in the precomputation phase of the attack to reduce the overall degree of the system to the degree of the left hand side (which is of degree 2 in the unknown LFSR initial state bits) [5].
Grain-128-\({\boldsymbol{m}}\)
At time \(t=0\) an output bit in Grain-128 is produced as follows:
Multiplying this equation by \((s_8+ 1)(s_{42}+ 1)(s_{95}+ 1)\) gives
where the right hand side of the equation contains only LFSR initial state bits. When the right hand side is expanded, the highest degree monomial is of degree 5. Thus, by observing at least \(\binom{128}{5}\) keystream bits (the LFSR of Grain-128 has 128 stages), fast algebraic techniques may be applied in the precomputation phase of the attack to reduce the overall degree of the system to the degree of the left hand side (which is of degree 3 in the unknown LFSR initial state bits) [5].
Grain-128a-\({\boldsymbol{m}}\) (without authentication)
At time \(t=0\) an output bit in Grain-128a is produced as follows:
Multiplying this equation by \((s_8+ 1)(s_{42}+ 1)(s_{94}+ 1)\) gives
where the right hand side of the equation contains only LFSR initial state bits. When the right hand side is expanded, the highest degree monomial is of degree 5. Thus, by observing at least \(\binom{128}{5}\) keystream bits (the LFSR of Grain-128a has 128 stages), fast algebraic techniques may be applied in the precomputation phase of the attack to reduce the overall degree of the system to the degree of the left hand side (which is of degree 3 in the unknown LFSR initial state bits) [5].
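The three multiplications above (and Step 2 of A.1) use one trick: group the filter by its NFSR monomials, f = Σ m·c_m(s) + r(s), and multiply by Π(1 + c_m), which over GF(2) annihilates every NFSR term because c(1 + c) = 0. The following Python is an added illustration, not the authors' Sage code, that derives the multipliers given above from the published filter functions of Grain-V1, Grain-128 and Grain-128a (Hell et al. [14, 15, 17]) and reports the degrees of both sides and the keystream estimate \(\binom{n}{d}\). It assumes, as the right-hand sides above require, that the -m variants drop the linear NFSR taps of the original output function and keep h (plus \(s_{93}\) for Grain-128/128a); the LFSR lengths 80 and 128 are those of the specifications.

```python
# Added example: annihilating the NFSR bits of a Grain-like filter function.
from math import comb


def poly(*monomials):
    """Boolean polynomial over GF(2) from strings such as 's3*s46' or '1'.
    A monomial is a frozenset of variable names (x^2 = x, so no exponents);
    a polynomial is the set of monomials with coefficient 1."""
    p = set()
    for m in monomials:
        p ^= {frozenset() if m == "1" else frozenset(m.split("*"))}
    return p


ONE = poly("1")


def add(p, q):
    return set(p) ^ set(q)            # symmetric difference: equal terms cancel


def mul(p, q):
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}              # frozenset union implements x^2 = x
    return r


def degree(p, prefix=""):
    """Algebraic degree counting only variables whose name starts with prefix."""
    return max((sum(v.startswith(prefix) for v in m) for m in p), default=0)


def annihilating_multiplier(f, nfsr_prefix="b"):
    """Multiplier g in LFSR bits only such that f*g contains no NFSR bit.

    Write f = sum_m m*c_m(s) + r(s) over the distinct NFSR monomials m.
    Over GF(2) c*(1+c) = 0, so g = prod_m (1 + c_m) kills every m*c_m term."""
    coeff = {}
    for mono in f:
        nf = frozenset(v for v in mono if v.startswith(nfsr_prefix))
        if nf:
            coeff.setdefault(nf, set()).symmetric_difference_update({mono - nf})
    g = set(ONE)
    for c in coeff.values():
        g = mul(g, add(ONE, c))
    return g


def lfsr_attack_parameters(f, n_lfsr):
    """Degrees of both sides of y_t*g = f*g, and the keystream a fast algebraic
    attack needs to cancel the right-hand side, about C(n_lfsr, deg rhs)."""
    g = annihilating_multiplier(f)
    rhs = mul(f, g)
    if degree(rhs, "b") != 0:
        raise ValueError("NFSR bits survive on the right-hand side")
    d = degree(rhs)
    return {"multiplier": g, "lhs_degree": degree(g), "rhs_degree": d,
            "rhs": rhs, "keystream_bits": comb(n_lfsr, d)}


# Filter functions from the Grain specifications, with the linear NFSR taps of
# the output function dropped (assumed here to be the "-m" modification).
# Grain-V1: h(x) with x0=s3, x1=s25, x2=s46, x3=s64, x4=b63.
GRAIN_V1_M = poly("s25", "b63", "s3*s64", "s46*s64", "s64*b63",
                  "s3*s25*s46", "s3*s46*s64", "s3*s46*b63",
                  "s25*s46*b63", "s46*s64*b63")
# Grain-128: h(x) + s93 with x0=b12, x1=s8, x2=s13, x3=s20, x4=b95,
# x5=s42, x6=s60, x7=s79, x8=s95; Grain-128a uses s94 in place of s95.
GRAIN_128_M = poly("b12*s8", "s13*s20", "b95*s42", "s60*s79", "b12*b95*s95", "s93")
GRAIN_128A_M = poly("b12*s8", "s13*s20", "b95*s42", "s60*s79", "b12*b95*s94", "s93")

if __name__ == "__main__":
    for name, f, n in (("Grain-V1-m", GRAIN_V1_M, 80),
                       ("Grain-128-m", GRAIN_128_M, 128),
                       ("Grain-128a-m", GRAIN_128A_M, 128)):
        r = lfsr_attack_parameters(f, n)
        print(name, "lhs degree", r["lhs_degree"], "rhs degree", r["rhs_degree"],
              "keystream bits", r["keystream_bits"])
```

For Grain-V1-m the derived multiplier is exactly \(s_{64}+s_3s_{46}+s_{25}s_{46}+s_{46}s_{64}\) and the expanded right-hand side collapses to four monomials of degree at most 3, so the attack works with a degree-2 left-hand side and roughly \(2^{16.3}\) keystream bits; for Grain-128-m and Grain-128a-m the multiplier has degree 3, the right-hand side degree 5, and the keystream estimate is about \(2^{28}\).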
D Recovering the NFSR Initial State of Grain
Grain-V1-\({\boldsymbol{m}}\)
At time \(t=0\) an output bit in Grain-V1 is produced as follows:
Similarly to Grain-V0-m, this output function is already linear in \(b_{63}\), and the state can be partially recovered in a similar way.
Grain-128-\({\boldsymbol{m}}\)
At time \(t=0\) an output bit in Grain-128 is produced as follows:
There is one monomial (\(b_{12}b_{95}s_{95}\)) that is of degree 2 in NFSR initial state bits. At each time step we have:
As described in Sect. 4.2, these equations can be used to gain information about individual NFSR state bits when not all of \(\alpha , \beta \) and \(\gamma \) are 0. This information can in turn be used to partially recover the NFSR initial state.
Grain-128a-\({\boldsymbol{m}}\) (without authentication)
At time \(t=0\) an output bit in Grain-128a is produced as follows:
There is one monomial (\(b_{12}b_{95}s_{94}\)) that is of degree 2 in NFSR initial state bits. The possible output equations for Grain-128a-m (without authentication) are the same as for Grain-128-m, and the state can be partially recovered in the same way as for Grain-128-m.
Grain-128a-\({\boldsymbol{m}}\) (with authentication)/Grain-128AEAD-\({\boldsymbol{m}}\)
The possible output equations for Grain-128a-m (with authentication) are the same as for Grain-128-m. In the case of Grain-128a-m (with authentication)/Grain-128AEAD-m, however, only the even-index output bits are available to recover NFSR initial state bits, so less of the state is recovered overall.
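Sect. 4.2 is not reproduced on this page, so the following Python is an added illustration, not the authors' code, of how the per-clock equations of Appendix D constrain NFSR bits once the LFSR initial state is known. With the LFSR recovered, each keystream bit of Grain-128-m reduces to \(\alpha b_{12+t}+\beta b_{95+t}+\gamma b_{12+t}b_{95+t}=c\) with \(\alpha=s_{8+t}\), \(\beta=s_{42+t}\), \(\gamma=s_{95+t}\) and c computed from the known LFSR terms; the code enumerates the (b_{12+t}, b_{95+t}) pairs consistent with each equation and records every bit that is pinned down. Assumptions: the -m variant keeps h plus \(s_{93}\) and drops the linear NFSR taps; only clocks t ≤ 32 are used, so every tap index still lies inside the initial registers and no feedback function is needed; the initial state is a constructed random one; and the `authenticated` switch models the even-index restriction of Grain-128a-m with authentication.

```python
# Added example: partial NFSR initial state recovery after the LFSR is known.
import random


def output_bit(b, s, t):
    """Grain-128-m keystream bit y_t expressed on the initial registers (t <= 32)."""
    return ((b[12 + t] & s[8 + t]) ^ (s[13 + t] & s[20 + t]) ^ (b[95 + t] & s[42 + t])
            ^ (s[60 + t] & s[79 + t]) ^ (b[12 + t] & b[95 + t] & s[95 + t]) ^ s[93 + t])


def nfsr_equation(s, y_t, t):
    """With the LFSR known, y_t gives alpha*b_{12+t} + beta*b_{95+t} + gamma*b_{12+t}*b_{95+t} = c."""
    alpha, beta, gamma = s[8 + t], s[42 + t], s[95 + t]
    c = y_t ^ (s[13 + t] & s[20 + t]) ^ (s[60 + t] & s[79 + t]) ^ s[93 + t]
    return alpha, beta, gamma, c


def consistent_pairs(alpha, beta, gamma, c):
    """All (b_{12+t}, b_{95+t}) values that satisfy one equation."""
    return [(u, v) for u in (0, 1) for v in (0, 1)
            if ((alpha & u) ^ (beta & v) ^ (gamma & u & v)) == c]


def recover_nfsr_bits(s, observed):
    """observed maps clock t -> y_t (only even t for Grain-128a with authentication).
    Returns {index: bit} for every NFSR initial state bit some equation determines."""
    known = {}
    for t, y_t in sorted(observed.items()):
        alpha, beta, gamma, c = nfsr_equation(s, y_t, t)
        if (alpha, beta, gamma) == (0, 0, 0):
            continue                        # y_t carries no NFSR information
        pairs = consistent_pairs(alpha, beta, gamma, c)
        if len({u for u, _ in pairs}) == 1:
            known[12 + t] = pairs[0][0]     # b_{12+t} is fixed by this equation
        if len({v for _, v in pairs}) == 1:
            known[95 + t] = pairs[0][1]     # b_{95+t} is fixed by this equation
    return known


def demo(seed=2021, authenticated=False):
    """Constructed random initial state; returns (recovered bits, true NFSR state)."""
    rng = random.Random(seed)
    b = [rng.randrange(2) for _ in range(128)]   # NFSR initial state (the target)
    s = [rng.randrange(2) for _ in range(128)]   # LFSR initial state (assumed recovered)
    clocks = range(0, 33, 2 if authenticated else 1)
    observed = {t: output_bit(b, s, t) for t in clocks}
    return recover_nfsr_bits(s, observed), b


if __name__ == "__main__":
    known, b = demo()
    print(len(known), "NFSR bits recovered, all correct:",
          all(b[i] == v for i, v in known.items()))
```

The cases match the text: \((\alpha,\beta,\gamma)=(1,0,0)\) yields \(b_{12+t}=c\) directly, \((0,0,1)\) with \(c=1\) fixes both bits to 1, \((1,1,1)\) with \(c=0\) fixes both to 0, while \((1,1,0)\) only yields the linear relation \(b_{12+t}+b_{95+t}=c\) and determines neither bit on its own; within this window the equations share no NFSR bit, so the remaining bits are left for exhaustive search.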
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Beighton, M., Bartlett, H., Simpson, L., Wong, K.KH. (2022). Algebraic Attacks on Grain-Like Keystream Generators. In: Park, J.H., Seo, SH. (eds) Information Security and Cryptology – ICISC 2021. ICISC 2021. Lecture Notes in Computer Science, vol 13218. Springer, Cham. https://doi.org/10.1007/978-3-031-08896-4_12
DOI: https://doi.org/10.1007/978-3-031-08896-4_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08895-7
Online ISBN: 978-3-031-08896-4