A new chosen IV statistical distinguishing framework to attack symmetric ciphers, and its application to ACORN-v3 and Grain-128a

  • Vahid Amin Ghafari
  • Honggang Hu
Original Research


We propose a new attack framework based upon cube testers and the d-monomial test. The d-monomial test is a general framework for comparing the ANF of a symmetric cipher's output with the ANF of a random Boolean function. In the d-monomial test, the focus is on the frequency of a specific monomial in the ANF of Boolean functions, whereas in the proposed framework the focus is on the truth table. We attack ACORN-v3 and Grain-128a and demonstrate the efficiency of our framework. We show how it is possible to apply a distinguishing attack to up to 670 initialization rounds of ACORN-v3 and 171 initialization rounds of Grain-128a using our framework. The attack on ACORN-v3 is the best practical attack (and better results can be obtained by using more computing power, for example with cube attacks). One can apply distinguishing attacks to black-box symmetric ciphers with the proposed framework, and we suggest some guidelines that make it possible to improve the attack by analyzing the internal structure of ciphers. The framework is applicable to all symmetric ciphers and hash functions. We discuss how it can reveal weaknesses that cannot be found by other statistical tests. The attacks were practically implemented and verified.
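The following added example (not code from the paper or its authors) illustrates the d-monomial baseline the abstract contrasts with: it builds the truth table of an output bit over n chosen IV bits, recovers its ANF with the binary Möbius transform, and compares the number of degree-d monomials with the expectation comb(n, d)/2 for a uniformly random Boolean function. The function `toy_output_bit` is a constructed stand-in, not the ACORN-v3 or Grain-128a output function, and the paper's own truth-table statistic is not reproduced here.

```python
from math import comb

def truth_table(f, n):
    """Evaluate f on all 2**n inputs; input bit i of x is (x >> i) & 1."""
    return [f(x) & 1 for x in range(1 << n)]

def anf_from_truth_table(tt):
    """Binary Möbius transform: returns ANF coefficients a[m], where the
    monomial index m is a bitmask (bit i set means x_i is a factor)."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for m in range(len(a)):
            if m & bit:
                a[m] ^= a[m ^ bit]
    return a

def d_monomial_count(anf, n, d):
    """Number of degree-d monomials that appear in the ANF."""
    return sum(anf[m] for m in range(1 << n) if bin(m).count("1") == d)

def d_monomial_test(f, n, d):
    """Observed degree-d monomial count versus the expected comb(n, d)/2 for
    a random Boolean function. A large |bias| is evidence of non-randomness.
    Returns (observed, expected, bias)."""
    anf = anf_from_truth_table(truth_table(f, n))
    observed = d_monomial_count(anf, n, d)
    expected = comb(n, d) / 2
    return observed, expected, observed - expected

# Constructed stand-in for one keystream/output bit viewed as a function of
# n = 4 chosen IV bits after a reduced number of initialization rounds.
# It is NOT the real ACORN or Grain output function.
def toy_output_bit(x):
    x0, x1, x2, x3 = (x >> 0) & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    return x0 & x1 ^ x2 & x3 ^ x1  # ANF: x0*x1 + x2*x3 + x1

if __name__ == "__main__":
    for d in range(1, 5):
        print(d, d_monomial_test(toy_output_bit, 4, d))
```

For a real cipher the same procedure is applied with the remaining IV and key bits fixed, so the ANF is that of the superpoly over the chosen IV bits.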


Keywords: Chosen IV attack, Distinguishing attack, Statistical attack, Cube testers, Authenticated encryption



We would like to acknowledge CAS-TWAS President’s Fellowship for International PhD Students funding that supported this work.



Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. Key Laboratory of Electromagnetic Space Information, Chinese Academy of Sciences, School of Information Science and Technology, University of Science and Technology of China, Hefei, China
