Abstract

Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing $2^{58}$ random trials it is possible to find a set of $2^{64}$ triplets $(K, IV_0, IV_1)$ such that the Key-IV pairs $(K, IV_0)$ and $(K, IV_1)$ produce identical keystream bits. Second, we show that by performing only around $2^{28}$ random trials it is possible to obtain $2^{64}$ Key-IV pairs $(K_0, IV_0)$ and $(K_1, IV_1)$ that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around $2^{51.5}$ random IV encryptions (with each encryption required to produce $2^{18}$ keystream bits) and around $2^{76.6}$ bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256), based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.

Highlights

  • Lightweight stream ciphers have become immensely popular in the cryptological research community, since the advent of the eStream project [est08]

  • After the publication of [BS00], it is widely accepted that to be secure against generic Time-Memory-Data tradeoff attacks, the internal state of a stream cipher must be at least twice the size of the secret key

  • We show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences

Summary

Introduction

Lightweight stream ciphers have become immensely popular in the cryptological research community since the advent of the eStream project [est08]. After the publication of [BS00], it is widely accepted that to be secure against generic Time-Memory-Data tradeoff attacks, the internal state of a stream cipher must be at least twice the size of the secret key. While Plantlet was a re-design of Sprout after patching some existing weaknesses, Lizard was a new construction. It uses a Grain-like structure with two state registers of size 90 and 31 bits. This leaves the stream cipher open to situations in which two different key-IV pairs produce the same keystream segments, which can be exploited further to mount key recovery attacks; that is exactly what we have done in this work, on a reduced-round version of Lizard. We conclude that if it is at all necessary for a stream cipher to have an initialization function that is not one-to-one, it may be beneficial to design the cipher in a way that renders finding internal collisions practically infeasible; internal collisions do not necessarily leave the cipher vulnerable, as in the case of Lizard.

Organization of the Paper
Description of Lizard
Finding IV collisions for the same key
Output
Discussion
Distinguisher based on Shifted keystream bits
Decreasing the Memory Complexity
Further Discussion
Impossible Collision attack
For each guess of the 51-bit key
Complexity of the attack
Extending attack to 226 rounds
Conclusion