Algebraic Attacks on Grain-Like Keystream Generators

  • Conference paper
  • Information Security and Cryptology – ICISC 2021 (ICISC 2021)

Abstract

This paper analyses the resistance of certain keystream generators against algebraic attacks, namely generators consisting of a nonlinear feedback shift register, a linear feedback shift register and a filter function. We show that poorly chosen filter functions make such designs vulnerable to new algebraic attacks, using a divide and conquer approach that targets the LFSR first. This approach provides efficient LFSR initial state recovery followed by partial NFSR initial state recovery.

We apply our algebraic attacks to modified versions of the Grain family of stream ciphers. Our analysis shows that, despite the highly nonlinear filter functions used in these variants, the LFSR state can be recovered using our algebraic attack much faster than exhaustive search. Following this, the NFSR initial state can be partially recovered, leaving a smaller subset of NFSR stages to be exhaustively searched. This investigation highlights the importance of the filter function in keystream generators with a “Grain-like” structure, and demonstrates that many functions previously considered secure are vulnerable to this attack.

References

  1. Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 451–470. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_22

  2. Berbain, C., Gilbert, H., Joux, A.: Algebraic and correlation attacks against linearly filtered non linear feedback shift registers. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 184–198. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_12

  3. Berbain, C., Gilbert, H., Maximov, A.: Cryptanalysis of grain. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 15–29. Springer, Heidelberg (2006). https://doi.org/10.1007/11799313_2

  4. Courtois, N.T.: Higher order correlation attacks, XL algorithm and cryptanalysis of toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36552-4_13

  5. Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_11

  6. Courtois, N.T., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_21

  7. De Cannière, C., Küçük, Ö., Preneel, B.: Analysis of grain’s initialization algorithm. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 276–289. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_19

  8. Dinur, I., Shamir, A.: Breaking grain-128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_10

  9. Englund, H., Johansson, T.: A new simple technique to attack filter generators and related ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 39–53. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30564-4_3

  10. Faugere, J.-C., Ars, G.: An algebraic cryptanalysis of nonlinear filter generators using Gröbner bases. Report, INRIA (2003)

  11. Forré, R.: A fast correlation attack on nonlinearly feedforward filtered shift-register sequences. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 586–595. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_56

  12. Gammel, B.M., Göttfert, R.: Linear filtering of nonlinear shift-register sequences. In: Ytrehus, Ø. (ed.) WCC 2005. LNCS, vol. 3969, pp. 354–370. Springer, Heidelberg (2006). https://doi.org/10.1007/11779360_28

  13. Golić, J.D., Salmasizadeh, M., Simpson, L., Dawson, E.: Fast correlation attacks on nonlinear filter generators. Inf. Process. Lett. 64(1), 37–42 (1997)

  14. Hell, M., Johansson, T., Maximov, A., Meier, W.: The grain family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 179–190. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_14

  15. Hell, M., Johansson, T., Maximov, A., Meier, W.: A stream cipher proposal: grain-128. In: 2006 IEEE International Symposium on Information Theory, pp. 1614–1618. IEEE (2006)

  16. Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments. Int. J. Wirel. Mob. Comput. 2(1), 86–93 (2007)

  17. Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. Int. J. Wirel. Mob. Comput. 5, 48–59 (2011)

  18. Hell, M., Johansson, T., Meier, W., Sönnerup, J., Yoshida, H.: Grain-128AEAD - a lightweight AEAD stream cipher. NIST Lightweight Cryptography Competition (2019)

  19. Katz, J., Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)

  20. Khazaei, S., Hassanzadeh, M., Kiaei, M.: Distinguishing attack on Grain. ECRYPT Stream Cipher Proj. Rep. 71, 2005 (2005)

  21. Küçük, Ö: Slide resynchronization attack on the initialization of Grain 1.0. eSTREAM ECRYPT Stream Cipher Proj. Rep. 44, 2006 (2006)

  22. Lee, Y., Jeong, K., Sung, J., Hong, S.: Related-key chosen IV attacks on grain-v1 and grain-128. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 321–335. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_24

  23. Massey, J.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969)

  24. Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1988). https://doi.org/10.1007/BF02252874

  25. Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symm. Cryptol., 52–79 (2016)

  26. Millan, W.: Analysis and Design of Boolean Functions for Cryptographic Applications. PhD Thesis, Queensland University of Technology (1997)

  27. Siegenthaler, T.: Cryptanalysts representation of nonlinearly filtered ML-sequences. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 103–110. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39805-8_12

  28. Stein, W., Joyner, D.: Sage: system for algebra and geometry experimentation. ACM Bull. 39(2), 61–64 (2005)

  29. Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast correlation attack revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_5

  30. Zhang, H., Wang, X.: Cryptanalysis of stream cipher Grain family. IACR Cryptol. ePrint Arch. 2009, 109 (2009)

Corresponding author

Correspondence to Matthew Beighton.

Appendices

A Algorithms

A.1 Algorithm for NLFG Algebraic Attack

Precomputation phase:

  • Step 1 Use \(f(S_0)=y_0\) to relate initial state bits \((s_0,s_1,\dots ,s_{n-1})\) to observed output bit \(y_0\).

  • Step 2 Multiply f by a function h (if applicable) to reduce overall degree to d.

  • Step 3 Clock forward using \(f(S_t)=y_t\) to build a system of equations of constant algebraic degree, applying the linear update as required.

Online phase:

  • Step 4 Substitute observed output bits \(\{y_t\}_{t=0}^{\infty }\) into the system of equations.

  • Step 5 Solve the system of equations by linearisation, to recover \(S_0=(s_0,s_1,\dots ,s_{n-1})\).

A.2 Algorithm for Fast Algebraic Attack

The precomputation phase is similar to a regular algebraic attack, with Step 3 replaced by three steps (3a, 3b and 3c) as follows.

  • Step 3a Identify the combination of equations that will eliminate monomials of degree e to d in the initial state bits.

  • Step 3b Use this linear dependency to build a new general equation.

  • Step 3c Use this general equation to build a system of equations of degree e in the initial state bits.

A.3 Algorithm for LF-NFSR Algebraic Attack

Precomputation phase:

  • Step 1 A system of equations is developed using the linear filter function to represent every state bit as a linear combination of a subset of the initial state bits and some output bits. We denote this system of equations by system \(\mathcal {L}\).

  • Step 2 A second system of equations is developed using the nonlinear update function g to represent update bits as a nonlinear combination of a subset of initial state bits. We denote this system by system \(\mathcal {G}\). Substitutions are made for state bits in system \(\mathcal {G}\) using system \(\mathcal {L}\) where applicable to reduce the number of unknown state variables while keeping the degree of system \(\mathcal {G}\) constant.

  • Step 3 The two systems are combined by aligning the equations from each system that represent the same state bit. The resulting system contains only initial state bits and observed output bits. We denote this system as system \(\mathcal {L}+\mathcal {G}\).

Online phase:

  • Step 4 Substitute observed output bits \(\{y_t\}_{t=0}^{\infty }\) into the system of equations.

  • Step 5 Solve the system of equations by linearisation.

B Modified Version of Grain

Grain-V1-\({\boldsymbol{m}}\)

$$\begin{aligned} z = h(B,S) =&\,s_1+ s_2+ s_4+ s_{10}+ s_{31}+ s_{43}+ s_{56}+ s_{25} + b_{63} \\&+ s_{3}s_{64}+ s_{46}s_{64}+ s_{64}b_{63}+ s_{3}s_{25}s_{46}+ s_{3}s_{46}s_{64}+ s_{3}s_{46}b_{63}+ s_{25}s_{46}b_{63}+ s_{46}s_{64}b_{63} \end{aligned}$$

As with Grain-V0-m, the filter function f of Grain-V1-m satisfies Case 2, and so \(b_{63}\) was left in the function.

Grain-128-\({\boldsymbol{m}}\)

$$\begin{aligned} z = h(B,S) =&\,s_2+ s_{15}+ s_{36}+ s_{45}+ s_{64}+ s_{73}+ s_{89}+ s_{93} + \\&s_{8}b_{12}+ s_{13}s_{20}+ b_{95}s_{42}+ s_{60}s_{79}+ b_{12}b_{95}s_{95} \end{aligned}$$

Grain-128a-\({\boldsymbol{m}}\)/Grain-128AEAD-\({\boldsymbol{m}}\)

$$\begin{aligned} z = h(B,S) =&\,s_2+ s_{15}+ s_{36}+ s_{45}+ s_{64}+ s_{73}+ s_{89}+ s_{93} + \\&s_{8}b_{12}+ s_{13}s_{20}+ b_{95}s_{42}+ s_{60}s_{79}+ b_{12}b_{95}s_{94} \end{aligned}$$

Note that the structure of the filter function used in Grain-128 is identical to that of the filter function in Grain-128a, except that \(s_{95}\) in the final term for Grain-128 was changed to \(s_{94}\) in Grain-128a. This change is reflected in the modified versions shown here.

C Recovering the LFSR Initial State of Grain

Grain-V1-\({\boldsymbol{m}}\)

At time \(t=0\) an output bit in Grain-V1 is produced as follows:

$$\begin{aligned} z_0 =&\,s_1+ s_2+ s_4+ s_{10}+ s_{31}+ s_{43}+ s_{56}+ s_{25} + \\&s_{3}s_{64}+ s_{46}s_{64}+ s_{3}s_{25}s_{46}+ s_{3}s_{46}s_{64}+ b_{63}(1+ s_{64}+ s_{3}s_{46}+ s_{25}s_{46}+ s_{46}s_{64}) \end{aligned}$$

Multiplying this equation by \((s_{64}+ s_{3}s_{46}+ s_{25}s_{46}+ s_{46}s_{64})\) gives

$$\begin{aligned} (s_{64}+ s_{3}s_{46}+ s_{25}s_{46}+ s_{46}s_{64})z_0 =&\, (s_1+ s_2+ s_4+ s_{10}+ s_{31}+ s_{43}+ s_{56}+ s_{25} + \\&s_{3}s_{64}+ s_{46}s_{64}+ s_{3}s_{25}s_{46}+ s_{3}s_{46}s_{64})\\&(s_{64}+ s_{3}s_{46}+ s_{25}s_{46}+ s_{46}s_{64}), \end{aligned}$$

where the right hand side of the equation contains only LFSR initial state bits. When the right hand side is expanded, the highest degree monomial is of order 3. Thus, by observing at least \(\binom{80}{3}\) keystream bits, fast algebraic techniques may be applied in the precomputation phase of the attack to reduce the overall degree of the system to the degree of the left hand side (which is of degree 2 in the unknown LFSR initial state bits) [5].

Grain-128-\({\boldsymbol{m}}\)

At time \(t=0\) an output bit in Grain-128 is produced as follows:

$$\begin{aligned} z_0 =&\,s_2+ s_{15}+ s_{36}+ s_{45}+ s_{64}+ s_{73}+ s_{89}+ s_{93} + s_{8}b_{12}+ s_{13}s_{20}+ b_{95}s_{42}+ s_{60}s_{79}+ b_{12}b_{95}s_{95} \end{aligned}$$

Multiplying this equation by \((s_8+ 1)(s_{42}+ 1)(s_{95}+ 1)\) gives

$$\begin{aligned} (s_8+ 1)(s_{42}+ 1)(s_{95}+ 1)z_0 =&\,(s_8+ 1)(s_{42}+ 1)(s_{95}+ 1)(s_2+ s_{15}+ s_{36}+ s_{45}+ s_{64}+ s_{73}+ s_{89}+ \\&s_{93}+ s_{13}s_{20}+ s_{60}s_{79}), \end{aligned}$$

where the right hand side of the equation contains only LFSR initial state bits. When the right hand side is expanded, the highest degree monomial is of order 5. Thus, by observing at least \(\binom{80}{5}\) keystream bits, fast algebraic techniques may be applied in the precomputation phase of the attack to reduce the overall degree of the system to the degree of the left hand side (which is of degree 3 in the unknown LFSR initial state bits) [5].

Grain-128a-\({\boldsymbol{m}}\) (without authentication)

At time \(t=0\) an output bit in Grain-128a is produced as follows:

$$\begin{aligned} z_0 =&\,s_2+ s_{15}+ s_{36}+ s_{45}+ s_{64}+ s_{73}+ s_{89}+ s_{93} + s_{8}b_{12}+ s_{13}s_{20}+ b_{95}s_{42}+ s_{60}s_{79}+ b_{12}b_{95}s_{94} \end{aligned}$$

Multiplying this equation by \((s_8+ 1)(s_{42}+ 1)(s_{94}+ 1)\) gives

$$\begin{aligned} (s_8+ 1)(s_{42}+ 1)(s_{94}+ 1)z_0 = \,&(s_8+ 1)(s_{42}+ 1)(s_{94}+ 1)(s_2+ s_{15}+ s_{36}+ s_{45}+ s_{64}+ s_{73}+ s_{89}+ \\&s_{93}+ s_{13}s_{20}+ s_{60}s_{79}), \end{aligned}$$

where the right hand side of the equation contains only LFSR initial state bits. When the right hand side is expanded, the highest degree monomial is of order 5. Thus, by observing at least \(\binom{80}{5}\) keystream bits, fast algebraic techniques may be applied in the precomputation phase of the attack to reduce the overall degree of the system to the degree of the left hand side (which is of degree 3 in the unknown LFSR initial state bits) [5].

D Recovering the NFSR Initial State of Grain

Grain-V1-\({\boldsymbol{m}}\)

At time \(t=0\) an output bit in Grain-V1 is produced as follows:

$$\begin{aligned} z_0 =&\,s_1+ s_2+ s_4+ s_{10}+ s_{31}+ s_{43}+ s_{56}+ s_{25} + \\&s_{3}s_{64}+ s_{46}s_{64}+ s_{3}s_{25}s_{46}+ s_{3}s_{46}s_{64}+ b_{63}(1+ s_{64}+ s_{3}s_{46}+ s_{25}s_{46}+ s_{46}s_{64}) \end{aligned}$$

Similarly to Grain-V0-m, this output function is already linear in \(b_{63}\) and the state can be partially recovered in a similar way.

Grain-128-\({\boldsymbol{m}}\)

At time \(t=0\) an output bit in Grain-128 is produced as follows:

$$\begin{aligned} z_0 =&\,s_2+ s_{15}+ s_{36}+ s_{45}+ s_{64}+ s_{73}+ s_{89}+ s_{93} + s_{8}b_{12}+ s_{13}s_{20}+ b_{95}s_{42}+ s_{60}s_{79}+ b_{12}b_{95}s_{95} \end{aligned}$$

There is one monomial (\(b_{12}b_{95}s_{95}\)) that is of degree 2 in NFSR initial state bits. At each time step we have:

$$\begin{aligned} z_t&= \alpha b_{12} + \beta b_{95} + \gamma b_{12}b_{95} + \zeta \end{aligned}$$

As described in Sect. 4.2, these equations can be used to gain information about individual NFSR state bits when not all of \(\alpha , \beta \) and \(\gamma \) are 0. This information can in turn be used to partially recover the NFSR initial state.

Grain-128a-\({\boldsymbol{m}}\) (without authentication)

At time \(t=0\) an output bit in Grain-128a is produced as follows:

$$\begin{aligned} z_0 =&\,s_2+ s_{15}+ s_{36}+ s_{45}+ s_{64}+ s_{73}+ s_{89}+ s_{93} + s_{8}b_{12}+ s_{13}s_{20}+ b_{95}s_{42}+s_{60}s_{79}+b_{12}b_{95}s_{94} \end{aligned}$$

There is one monomial (\(b_{12}b_{95}s_{94}\)) that is of degree 2 in NFSR initial state bits. The possible output equations for Grain-128a-m (without authentication) are the same as those for Grain-128-m, so the state can be partially recovered in the same way as for Grain-128-m.

Grain-128a-\({\boldsymbol{m}}\) (with authentication)/Grain-128AEAD-\({\boldsymbol{m}}\)

The possible output equations for Grain-128a-m (with authentication) are the same as those for Grain-128-m. In the case of Grain-128a-m (with authentication)/Grain-128AEAD-m, only the even-indexed output bits may be used to recover NFSR initial state bits, so less of the state is recovered overall.
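As an added worked check (this code is not from the paper), the following Python implements algebraic normal form arithmetic over GF(2) and verifies the multiplier step of Appendix C on the Grain-V1-m and Grain-128-m filter functions from Appendix B: that the chosen multiplier cancels every NFSR bit, and what the degrees of the two sides become; it also reports the degree in NFSR bits that Appendix D relies on. The helpers `parse`, `mul`, `degree`, `uses` and the variable naming (`s3` for \(s_3\), `b63` for \(b_{63}\)) are this example's own conventions.

```python
# Added example (not from the paper): ANF arithmetic over GF(2) to check the
# multiplier step of Appendix C. A polynomial is a set of monomials and a
# monomial a frozenset of variable names; x + x = 0 and x * x = x.
from itertools import product

def parse(expr):
    """Parse 's1+s3*s64+b63' into ANF; the token '1' is the constant term."""
    poly = set()
    for term in expr.replace(" ", "").split("+"):
        mono = frozenset(v for v in term.split("*") if v != "1")
        poly ^= {mono}                      # a repeated monomial cancels
    return poly

def mul(p, q):
    """Product of two ANF polynomials over GF(2)."""
    out = set()
    for m1, m2 in product(p, q):
        out ^= {m1 | m2}                    # union of variables: x * x = x
    return out

def degree(poly, prefix=""):
    """Algebraic degree counted over variables whose name starts with prefix."""
    return max((sum(v.startswith(prefix) for v in m) for m in poly), default=0)

def uses(poly, prefix):
    return any(v.startswith(prefix) for m in poly for v in m)

# Filter functions from Appendix B: s_i are LFSR bits, b_i are NFSR bits.
Z_V1 = parse("s1+s2+s4+s10+s31+s43+s56+s25+b63+s3*s64+s46*s64+s64*b63"
             "+s3*s25*s46+s3*s46*s64+s3*s46*b63+s25*s46*b63+s46*s64*b63")
Z_128 = parse("s2+s15+s36+s45+s64+s73+s89+s93+s8*b12+s13*s20+b95*s42"
              "+s60*s79+b12*b95*s95")
# Multipliers from Appendix C.
MULT_V1 = parse("s64+s3*s46+s25*s46+s46*s64")
MULT_128 = mul(mul(parse("s8+1"), parse("s42+1")), parse("s95+1"))

def check_multiplier(z, mult):
    """Multiply z_0 by mult and report (nfsr_bits_eliminated, lhs_degree,
    rhs_degree_in_lfsr_bits). With z_0 an observed keystream bit, the
    left-hand side mult*z_0 has the degree of mult in unknown LFSR bits; the
    right-hand side must contain no NFSR bit for the LFSR-first attack."""
    rhs = mul(mult, z)
    return (not uses(rhs, "b"), degree(mult), degree(rhs, "s"))

if __name__ == "__main__":
    print("Grain-V1-m :", check_multiplier(Z_V1, MULT_V1))    # (True, 2, 3)
    print("Grain-128-m:", check_multiplier(Z_128, MULT_128))  # (True, 3, 5)
    print("degree in NFSR bits:", degree(Z_V1, "b"), degree(Z_128, "b"))
```

The degree-4 monomial \(s_3 s_{25} s_{46} s_{64}\) arises four times in the Grain-V1-m product and so cancels over GF(2), which is why the right-hand side is of order 3 as Appendix C states.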

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Beighton, M., Bartlett, H., Simpson, L., Wong, K.KH. (2022). Algebraic Attacks on Grain-Like Keystream Generators. In: Park, J.H., Seo, SH. (eds) Information Security and Cryptology – ICISC 2021. ICISC 2021. Lecture Notes in Computer Science, vol 13218. Springer, Cham. https://doi.org/10.1007/978-3-031-08896-4_12

  • DOI: https://doi.org/10.1007/978-3-031-08896-4_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08895-7

  • Online ISBN: 978-3-031-08896-4
