Skip to main content

Tight Security Bounds for Generic Stream Cipher Constructions

  • 540 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11959)

Abstract

The design of modern stream ciphers is strongly influenced by the fact that Time-Memory-Data tradeoff (TMD-TO) attacks reduce their effective key length to half of the inner state length. The classical solution is to design the cipher in accordance with the Large-State-Small-Key principle, which implies that the state length is at least twice as large as the session key length. In lightweight cryptography, considering heavily resource-constrained devices, a large amount of inner state cells is a big drawback for these type of constructions.

Recent stream cipher proposals like Lizard, Sprout, Plantlet and Fruit employ new techniques to avoid a large inner state size. However, when considering indistinguishability, none of the ciphers mentioned above provide a security above the birthday barrier with regard to the state length.

In this paper, we present a formal indistinguishability framework for proving lower bounds on the resistance of generic stream cipher constructions against TMD-TO attacks. In particular, we first present a tight lower bound on constructions underlying the Large-State-Small-Key principle. Further, we show a close to optimal lower bound of stream cipher constructions continuously using the initial value during keystream generation. These constructions would allow to shorten the inner state size significantly and hence the resource requirements of the cipher. We thus believe that Continuous-IV-Use constructions are a hopeful direction of future research.

Keywords

  • Symmetric-key cryptography
  • Indistinguishability
  • Random oracle model
  • Provable security
  • Stream cipher
  • Lightweight cryptography

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-38471-5_14
  • Chapter length: 30 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-38471-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)

Notes

  1. 1.

    Up to a factor of \(2\cdot \mathtt {SL}\) w.r.t. attack complexity \(2^{\mathtt {SL}/2}\).

  2. 2.

    That is, he slides an \(\tilde{n}\)-bit window over the given keystream.

  3. 3.

    In a previous version of our construction, instead of using a constant \(\mathtt {CONST}\), the IV was extended by \(\mathtt {CONSTL}\) bits and these bits were loaded into the volatile part of the inner state. This allowed a chosen-IV attacker to generate more utilizable keystream bits than intended and was exploited in [2]. The above specification of our construction fixes this issue and the approach from [2] is no longer applicable.

References

  1. Ghafari, V.A., Hu, H.: Fruit-80: a secure ultra-lightweight stream cipher for constrained environments. Entropy 20(3), 180 (2018)

    CrossRef  Google Scholar 

  2. Ghafari, V.A., Hu, H., Lin, F.: On designing secure small-state stream ciphers against time-memory-data tradeoff attacks. Cryptology ePrint Archive, Report 2019/670 (2019). https://eprint.iacr.org/2019/670

  3. Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 531–550. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_29

    CrossRef  Google Scholar 

  4. Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 451–470. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_22

    CrossRef  Google Scholar 

  5. Babbage, S., Borghoff, J., Velichkov, V.: D.SYM.10 - The eSTREAM Portfolio in 2012. eSTREAM: The ECRYPT Stream Cipher Project (2012). http://www.ecrypt.eu.org/ecrypt2/documents/D.SYM.10-v1.pdf

  6. Babbage, S.H.: Improved “exhaustive search” attacks on stream ciphers. In: European Convention on Security and Detection, May 1995, pp. 161–166 (1995)

    Google Scholar 

  7. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_25

    CrossRef  Google Scholar 

  8. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_1

    CrossRef  Google Scholar 

  9. Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_5

    CrossRef  MATH  Google Scholar 

  10. Briceno, M., Goldberg, I., Wagner, D.: A pedagogical implementation of A5/1 (1999). http://www.scard.org/gsm/a51.html

  11. De Cannière, C., Preneel, B.: Trivium - Specifications. eSTREAM: The ECRYPT Stream Cipher Project (2005). http://www.ecrypt.eu.org/stream/p3ciphers/trivium/trivium_p3.pdf

  12. Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round Even-Mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 39–56. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_3

    CrossRef  Google Scholar 

  13. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19

    CrossRef  Google Scholar 

  14. Cogliati, B., Lee, J., Seurin, Y.: New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symmetric Cryptol. 2017, 27–58 (2017)

    Google Scholar 

  15. Cogliati, B., Seurin, Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 121–149. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_5

    CrossRef  Google Scholar 

  16. Datta, N., Dutta, A., Nandi, M., Yasuda, K.: Encrypt or decrypt? To make a single-key beyond birthday secure nonce-based MAC. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 631–661. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_21

    CrossRef  Google Scholar 

  17. Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_21

    CrossRef  MATH  Google Scholar 

  18. Dutta, A., Jha, A., Nandi, M.: Tight security analysis of EHtM MAC. IACR Trans. Symmetric Cryptol. 2017, 130–150 (2017)

    Google Scholar 

  19. Golić, J.D.: On the security of nonlinear filter generators. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 173–188. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_52

    CrossRef  Google Scholar 

  20. Hamann, M., Krause, M.: On stream ciphers with provable beyond-the-birthday-bound security against time-memory-data tradeoff attacks. Cryptogr. Commun. 10(5), 959–1012 (2018)

    MathSciNet  CrossRef  Google Scholar 

  21. Hamann, M., Krause, M., Meier, W.: A note on stream ciphers that continuously use the IV. Cryptology ePrint Archive, Report 2017/1172 (2017). https://eprint.iacr.org/2017/1172

  22. Hamann, M., Krause, M., Meier, W.: LIZARD - a lightweight stream cipher for power-constrained devices. IACR Trans. Symmetric Cryptol. 2017(1), 45–79 (2017)

    Google Scholar 

  23. Hamann, M., Krause, M., Meier, W., Zhang, B.: Design and analysis of small-state grain-like stream ciphers. Cryptogr. Commun. 10, 803–834 (2017)

    MathSciNet  CrossRef  Google Scholar 

  24. Hell, M., Johansson, T., Meier, W.: Grain - a stream cipher for constrained environments. eSTREAM: The ECRYPT Stream Cipher Project (2006). http://www.ecrypt.eu.org/stream/p3ciphers/grain/Grain_p3.pdf

  25. Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)

    MathSciNet  CrossRef  Google Scholar 

  26. Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_18

    CrossRef  Google Scholar 

  27. Mennink, B., Neves, S.: Encrypted Davies-Meyer and its dual: towards optimal security using mirror theory. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 556–583. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_19

    CrossRef  Google Scholar 

  28. Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symmetric Cryptol. 2016(2), 52–79 (2017)

    Google Scholar 

  29. Moch, A., List, E.: Parallelizable MACs based on the sum of PRPs with security beyond the birthday bound. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 131–151. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_7

    CrossRef  Google Scholar 

  30. Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21

    CrossRef  Google Scholar 

  31. Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_27

    CrossRef  Google Scholar 

  32. Rogaway, P., Bellare, M., Black, J.: OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. (TISSEC) 6(3), 365–403 (2003)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Matthias Hamann .

Editor information

Editors and Affiliations

A Comparison of the Two Schemes

A Comparison of the Two Schemes

For further clarification the following tables provide an overview of the parameters used in this paper. Additionally it is shown how the \((i+1)\)-th output bit \(z_i\) of the stream cipher is computed from the loading state \(q_\mathrm {load}\). Note that \(\pi ^0\) is the identity function.

figure a

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Hamann, M., Krause, M., Moch, A. (2020). Tight Security Bounds for Generic Stream Cipher Constructions. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-38471-5_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-38470-8

  • Online ISBN: 978-3-030-38471-5

  • eBook Packages: Computer ScienceComputer Science (R0)