Abstract

In 2018, an attack named the fast-near-collision attack (FNCA) was proposed as an improved version of the near-collision attack (NCA) on Grain-v1, one of the three hardware-oriented finalists of the eSTREAM project. FNCA is designed as a key recovery attack and takes a divide-and-conquer strategy that needs a merging phase. We propose an improved FNCA in which the merging phase is optimized by a linear-programming-based strategy. It reduces the number of candidate internal state vectors (ISVs) in each step of the merging and lowers the overall time complexity. Since the merging phase is vital for a divide-and-conquer strategy, being where most bits of the full internal state are recovered, other FNCA-based analyses on the Grain family can be optimized by our method to varying degrees. This paper offers an experiment on a reduced Grain and a theoretical analysis on Grain-v1 to confirm the results. In the case of the reduced Grain with an 80-bit internal state, the time complexity is $2^{37.1096}$, a 27.8% reduction. For Grain-v1, the theoretical time complexity is around $2^{73.4}$, which is 79.4% lower than the original one.

Highlights

  • The Grain-v1 stream cipher is proposed by Hell et al. [9]

  • It is found that Grain-v1 can withstand a pure fast-near-collision attack (FNCA) [16], where around half of the non-linear feedback shift register (NFSR) state bits remain unknown unless further efforts are made by other techniques, e.g., an algebraic attack or a Walsh distinguisher

  • Theorem 2: In the FNCA on a reduced Grain, after the 60 tap bits restricted by 20 consecutive keystream bits are recovered, all bits of a full internal state can be computed by running the update functions of the linear feedback shift register (LFSR) and the NFSR and guessing two internal state bits


Summary

INTRODUCTION

The Grain-v1 stream cipher is proposed by Hell et al. [9]. It was selected as a finalist in the eSTREAM project after withstanding cryptanalysis [2]. [16] finds that Grain-v1 cannot be attacked successfully by a pure FNCA: only the LFSR state bits and a few NFSR state bits can be recovered. The variables $x_0, x_1, x_2, x_3, x_4$ represent the tap positions, and the internal state bits that appear at these positions are called tap bits. In the case of Grain-v1 these variables are defined as $l_{i+3}, l_{i+25}, l_{i+46}, l_{i+64}, n_{i+63}$ respectively. It is found that Grain-v1 can withstand a pure FNCA [16], where around half of the NFSR state bits remain unknown unless further efforts are made by other techniques, e.g., an algebraic attack or a Walsh distinguisher. The reduced Grain can be recovered totally by guessing two internal state bits after a pure FNCA, according to Theorem IV-B. The last part explains the near-collision theory and its combination with time/memory tradeoff cryptanalysis
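The near-collision idea rests on the fact that a keystream bit depends only on a few tap bits, so two internal states that differ in a low-weight pattern often produce the same keystream bit. The following added example (not code from the paper) makes that concrete for Grain-v1: the output filter h and the tap positions $x_0..x_4$ are taken from the Grain-v1 specification rather than from this page, the function names are hypothetical, and the table is computed by exhaustive enumeration of the 32 tap-bit assignments.

```python
# Added example, not from the paper. The filter function h and the tap
# positions are those of the Grain-v1 specification (assumption: quoted
# from memory of the spec, not from this page). Helper names are hypothetical.

TAP_POSITIONS = ("l[i+3]", "l[i+25]", "l[i+46]", "l[i+64]", "n[i+63]")

def h(x0, x1, x2, x3, x4):
    """Grain-v1 output filter over the five tap bits (GF(2): ^ is XOR, & is AND)."""
    return (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4)
            ^ (x0 & x1 & x2) ^ (x0 & x2 & x3) ^ (x0 & x2 & x4)
            ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))

def h_int(x):
    """Evaluate h on a 5-bit integer whose bit k holds tap bit x_k."""
    return h(*((x >> k) & 1 for k in range(5)))

def tap_difference_table():
    """For every difference delta restricted to the five tap bits, return
    Pr_x[h(x) == h(x ^ delta)]: the probability that two internal states
    differing exactly in those tap bits give the same keystream bit at this
    clock. A difference confined to non-tap bits never changes the bit,
    which is what makes near-collisions on the full state usable."""
    table = {}
    for delta in range(32):
        same = sum(1 for x in range(32) if h_int(x) == h_int(x ^ delta))
        table[delta] = same / 32
    return table

def describe(delta):
    """Name the tap positions flipped by delta, e.g. 0b10010 -> 'l[i+25]+n[i+63]'."""
    return "+".join(TAP_POSITIONS[k] for k in range(5) if (delta >> k) & 1) or "none"

if __name__ == "__main__":
    table = tap_difference_table()
    # Sorted by Hamming weight so the low-weight (near-collision) differences come first.
    for delta in sorted(table, key=lambda d: (bin(d).count("1"), d)):
        print(f"{describe(delta):32s} Pr[same keystream bit] = {table[delta]:.3f}")
```

Differences that leave the keystream bit unchanged with high probability are the ones a near-collision search can tolerate; for instance a single flip of $l_{i+25}$ preserves the bit only with probability 1/4 because h is affine in that variable, while a flip of $n_{i+63}$ preserves it with probability 1/2.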

NOTATIONS
BIRTHDAY PARADOX AND TIME-MEMORY-DATA
TIME-MEMORY-DATA TRADEOFF IN NEAR COLLISION
OFFLINE PHASE
ONLINE PHASE
EXPERIMENT
PRE-COMPUTATION
TAP BITS RECOVERY
MERGING STRATEGY
Findings
CONCLUSION
