Abstract

Fast near collision attacks on the stream ciphers Grain v1 and A5/1 were presented at Eurocrypt 2018 and Asiacrypt 2019 respectively. They use the fact that the entire internal state can be split into two parts, so that the second part can be recovered from the first one, which can itself be found using the keystream prefix and some guesses of the key material. In this paper we reevaluate the complexity of these attacks and show that they are actually inferior to previously known results. Basically, we show that their complexity is actually much higher, and we point out the main problems of these papers based on information-theoretic ideas. We also check that some distributions do not have the entropy loss predicted by the authors. Checking cryptographic attacks with galactic complexity is difficult in general. In particular, as these attacks involve many steps, it is hard to identify precisely where the attacks are flawed. But for the attack against A5/1, this could have been avoided if the author had provided a full experiment of his attack, since the overall claimed complexity was lower than 2^32 in both time and memory.

Highlights

  • In some sciences, such as experimental physics, checking results is as important as the result itself

  • We look at the recent fast near collision attacks proposed by Zhang, Xu and Meier against the Grain v1 [ZXM18] stream cipher and by Zhang against A5/1 [Zha19]

  • We found that for 5 given bits of keystream prefix, there are exactly 2^28 crucial-part (CP) combinations that generate it

Summary

Introduction

In some sciences, such as experimental physics, checking results is as important as the result itself. In symmetric cryptography, where the complexities of attacks and distinguishers are usually out of reach of experiments, a well-known method consists in experimentally checking only some parts of the attack and/or targeting a toy cipher. The EasyCrypt tool was designed to help verify cryptographic proofs by reasoning about code-based proofs, as such tools were first developed to verify programs; there is no such tool to check symmetric-key cryptanalysis. Replacing the refined self-contained method, which is the core of those attacks and the only algorithm relying on near collisions, by an algorithm outputting a random set (of fixed size) of pre-images would lead to the exact same complexities.
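The entropy check alluded to in the abstract and in the third highlight (counting the crucial-part pre-images of a given keystream prefix) can be reproduced on a small map by exhaustive enumeration. The Python below is an added example, not code from the paper: it takes a map from n bits of a "crucial part" of the state to the m keystream bits they produce, counts the pre-images of every prefix, and compares the information the prefix actually reveals with the m bits that are the most any m-bit prefix can reveal. Since the state is uniform, I(S;Z) = H(Z) <= m, so the average number of remaining candidates is at least 2^(n-m), with equality exactly when the map is balanced. The two maps, toy_balanced_prefix and toy_skewed_prefix, are constructed toys for this example, not the crucial parts of Grain v1 or A5/1; only the filter grain_h is taken from the Grain v1 specification.

```python
from collections import Counter
from itertools import product
import math


def grain_h(x0, x1, x2, x3, x4):
    """Grain v1 output filter h, as given in the Grain v1 specification."""
    return (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4) ^ (x0 & x1 & x2)
            ^ (x0 & x2 & x3) ^ (x0 & x2 & x4) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))


def toy_balanced_prefix(x):
    """Constructed 8-bit state -> 3-bit prefix: z_i = x_i + h(x_{i+1}, ..., x_{i+5}).

    Assumption of this example only (not a Grain v1 crucial part).  x_i enters
    z_i linearly and no later z_j, so for fixed x_3..x_7 each prefix has exactly
    one (x_0, x_1, x_2): the map is balanced, 2^5 = 32 pre-images per prefix.
    """
    return tuple(x[i] ^ grain_h(*x[i + 1:i + 6]) for i in range(3))


def toy_skewed_prefix(x):
    """Constructed 8-bit state -> 3-bit prefix with deliberately biased bits."""
    return (x[0] & x[1], x[2] & x[3], x[4] | x[5])


def preimage_counts(prefix_fn, n_bits):
    """Number of states producing each prefix, by exhaustive enumeration."""
    counts = Counter()
    for state in product((0, 1), repeat=n_bits):
        counts[prefix_fn(state)] += 1
    return counts


def prefix_statistics(prefix_fn, n_bits, m_bits):
    """Compare the information an m-bit prefix reveals with the m-bit ceiling."""
    counts = preimage_counts(prefix_fn, n_bits)
    total = 2 ** n_bits
    # H(Z) = I(S; Z) for a uniform state S: the bits of entropy the prefix
    # removes; it cannot exceed m, so the remaining uncertainty is >= n - m.
    prefix_entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    # Average number of candidate states after observing the prefix, weighted
    # by how often each prefix occurs: sum c_z^2 / 2^n >= 2^(n-m), with
    # equality if and only if every prefix has the same number of pre-images.
    expected_candidates = sum(c * c for c in counts.values()) / total
    return {
        "unreachable_prefixes": 2 ** m_bits - len(counts),
        "min_preimages": min(counts.values()),
        "max_preimages": max(counts.values()),
        "prefix_entropy": prefix_entropy,
        "extra_bits_beyond_prefix": prefix_entropy - m_bits,  # never positive
        "expected_candidates": expected_candidates,
        "balanced_candidates": 2 ** (n_bits - m_bits),
    }


if __name__ == "__main__":
    for name, fn in (("balanced toy", toy_balanced_prefix),
                     ("skewed toy", toy_skewed_prefix)):
        print(name, prefix_statistics(fn, 8, 3))
```

For the balanced toy every 3-bit prefix has exactly 2^5 = 32 pre-images and H(Z) = 3 bits: the prefix removes exactly its own length in entropy and nothing more, which is the situation behind the "exactly 2^28 CP combinations for 5 bits" highlight. For the skewed toy the pre-image counts range from 4 to 108 and the expected number of candidates is 62.5 > 32: skew in the prefix distribution can only raise the average number of surviving candidates above 2^(n-m), never push it below, so no prefix-based step can claim an entropy loss beyond the number of keystream bits it consumes.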

Section outline:
  • Fast Near Collision
  • The refined self-contained method
  • About probabilities
  • Several issues
  • An attack from Golić
  • Complexity correction
  • Description of Grain v1
  • Zhang et al. attack
  • Conclusion
  • B Algorithms