Related-Key Chosen IV Attacks
on Grain-v1 and Grain-128⋆
Yuseop Lee1 , Kitae Jeong1 , Jaechul Sung2 , and Seokhie Hong1
1
2
Center for Information Security Technologies(CIST),
Korea University, Seoul, Korea
{yusubi,kite,hsh}@cist.korea.ac.kr
Department of Mathematics, University of Seoul, Seoul, Korea
jcsung@uos.ac.kr
Abstract. The slide resynchronization attack on Grain was proposed
in [6]. This attack finds related keys and initialization vectors of Grain
that generate the 1-bit shifted keystream sequence. In this paper, we
extend the attack proposed in [6] and propose related-key chosen IV attacks on Grain-v1 and Grain-128. The attack on Grain-v1 recovers the
secret key with 222.59 chosen IV s, 226.29 -bit keystream sequences and
222.90 computational complexity. To recover the secret key of Grain-128,
our attack requires 226.59 chosen IV s, 231.39 -bit keystream sequences and
227.01 computational complexity. These works are the first known key recovery attacks on Grain-v1 and Grain-128.
Keywords: Stream cipher, Grain-v1, Grain-128, Related-key chosen IV
attack, Cryptanalysis.
1
Introduction
A bit-oriented synchronous stream cipher Grain [2] was designed by M. Hell,
T. Johansson and W. Meier. Their main goal was to design an algorithm which
can be implemented efficiently in hardware. Grain consists of two 80-bit shift
registers, a linear feedback shift register (LFSR) and a nonlinear feedback shift
register (NFSR), and a 5-input filter function. The key size is specified with 80
bits and additionally an initialization vector of 64 bits is required. But because
of weakness in the filter function, a key recovery attack [1] and a distinguishing
attack [5] on Grain were proposed.
In order to solve the security problem of Grain, the designers of Grain proposed the tweak versions of Grain, called Grain-v1 [3] and Grain-128 [4]. Similarly to Grain, Grain-v1 uses a 80-bit secret key and a 64-bit initialization vector
to fill in an internal state of size 160 bits divided into LFSR and NFSR of length
80 bits each. The feedback function of NFSR used in Grain-v1 is not equal to
⋆
This research was supported by the MKE(Ministry of Knowledge Economy), Korea, under the ITRC(Information Technology Research Center) support program
supervised by the IITA(Institute of Information Technology Advancement) (IITA2008-(C1090-0801-0025)).
Y. Mu, W. Susilo, and J. Seberry (Eds.): ACISP 2008, LNCS 5107, pp. 321–335, 2008.
c Springer-Verlag Berlin Heidelberg 2008
322
Y. Lee et al.
that used in Grain. Grain-v1 generate a keystream bit by XORing 7-bit values
from NFSR with the output value of the filter function, in contrast to XORing
1-bit value from NFSR with the output value of the filter function in Grain.
The Grain-128 supports a 128-bit secret key and a 96-bit initialization vector.
It consists of an 128-bit LFSR, an 128-bit NFSR and a 9-input filter function.
On the other hand, Grain, Grain-v1 and Grain-128 use the same setup mode
similar to the keystream generation mode. The slide resynchronization attack
(SRA) on Grain was suggested with this property [6], finds related keys and
initialization vectors of Grain that generate the 1-bit shifted keystream sequence
with probability 2−2 . In this paper, we extend the attack in [6] and propose
related-key chosen IV attacks on Grain-v1 and Grain-128. To attack Grain-v1
and Grain-128, our attack uses m + 1 keys and does m steps repeatedly, i.e., we
run the fist step by using the secret key and the first related key and then the
second step by using the first related key and the second related key and so on. In
each step, we apply three methods, D-Test, ∗-Change and †-Change which will
be explained in Section 3. At first, in order to construct α linear equations for
the secret key, we find the initialization vector passing D-Test for the secret key
and the α-bit left rotated key among chosen initialization vectors adequately.
Then we apply †-Change to recover additional α-bit key. We repeat this step
m times. In case of Grain-v1 we can find 2mα-bit information of the key, the
remained key bits can be recovered by the exhaustive search with computational
complexity 280−2mα . The attack on Grain-128 is similar to that of Grain-v1. It
decrease the computational complexity of the exhaustive search from 2128 to
2128−3mα . Table 1 summarizes our results.
This paper is organized as follows: in Section 2, we briefly describe Grain-v1,
Grain-128 and the attack proposed in [6]. We present key recovery attacks on
Grain-v1 and Grain-128 in Section 3 and 4, respectively. Finally, we conclude in
Section 5.
Table 1. Results on Grain-v1 and Grain-128
Stream Cipher
Grain-v1
Grain-128
2
Related
Data Complexity
Keys Chosen IV s Keystream Bits
3
3
222.59
226.59
226.29
231.39
Computational
Complexity
222.90 240-clock cycles
227.01 384-clock cycles
Preliminaries
In this section, we briefly describe Grain-v1, Grain-128 and the attack proposed
in [6]. The following notations are used throughout the paper.
–
–
–
–
S t : the internal state of Grain-v1 and Grain-128 at time t.
Lt : the internal state of LFSR at time t.
N t : the internal state of NFSR at time t.
nt : a feedback bit of the NFSR at time t.
Related-Key Chosen IV Attacks on Grain-v1 and Grain-128
(a)
323
(b)
NFSR
lt
LFSR
nt
NFSR
h( x )
LFSR
h( x )
1 bit
7 bits
ot
Fig. 1. (a) the keystream generation mode (b) the setup mode of Grain-v1
–
–
–
–
2.1
lt : a feedback bit of the LFSR at time t.
ot : an output bit of Grain-v1 or Grain-128 at time t.
Z = (z0 , z1 , · · · ): the keystream sequence of Grain-v1 or Grain-128.
Z[α]: the α-bit shifted keystream sequence of Z, i.e., Z[α] = (zα , zα+1 , · · · ).
Grain-v1 and Gain-128
Grain-v1 consists of an 80-bit LFSR, an 80-bit NFSR and a 5-input filter function h. It generates the keystream sequence from an 80-bit secret key K =
(k0 , · · · , k79 ) and a 64-bit initialization vector IV = (iv0 , · · · , iv63 ).
At time t, LFSR and NFSR are denoted by Lt = (Lt0 , · · · , Lt79 ) and N t =
t
t
are the most significant bits. The
), respectively, where Lt79 , N79
(N0t , · · · , N79
t
feedback bits of LFSR and NFSR, l and nt , are computed as follows:
lt = Lt62 ⊕ Lt51 ⊕ Lt38 ⊕ Lt23 ⊕ Lt13 ⊕ Lt0 .
t
t
t
t
t
t
t
t
t
nt = Lt0 ⊕ N62
⊕ N60
⊕ N52
⊕ N45
⊕ N37
⊕ N33
⊕ N28
⊕ N21
⊕ N14
⊕ N9t ⊕ N0t
t
t
t
t
t
t
t
t
t
t
t
t
t
t
⊕ N63
N60
⊕ N37
N33
⊕ N15
N9t ⊕ N60
N52
N45
⊕ N33
N28
N21
⊕ N63
N45
N28
N9t
t
t
t
t
t
t
t
t
t
t
t
t
t
⊕ N60
N52
N37
N33
⊕ N63
N60
N21
N15
⊕ N63
N60
N52
N45
N37
t
t
t
t
t
t
t
t
t
t
⊕ N33
N28
N21
N15
N9t ⊕ N52
N45
N37
N33
N28
N21
.
The filter function h takes 5-bit input values from LFSR and NFSR as follows:
t
t
t
h(Lt3 , Lt25 , Lt46 , Lt64 , N63
) = Lt25 ⊕ N63
⊕ Lt3 Lt64 ⊕ Lt46 Lt64 ⊕ Lt64 N63
⊕ Lt3 Lt25 Lt46
t
t
t
⊕ Lt3 Lt46 Lt64 ⊕ Lt3 Lt46 N63
⊕ Lt25 Lt46 N63
⊕ Lt46 Lt64 N63
.
At time t, the output bit ot of Grain-v1 is generated as follows.
t
ot =
Nkt ⊕ h(Lt3 , Lt25 , Lt46 , Lt64 , N63
),
k∈A
where A = {1, 2, 4, 10, 31, 43, 56}. Note that z0 is equal to o160 , since Grain-v1
is clocked for 160 clock cycles without producing the keystream sequence.
324
Y. Lee et al.
(a)
(b)
NFSR
lt
LFSR
nt
NFSR
LFSR
h( x )
ot
h( x )
1 bit
7 bits
Fig. 2. (a) the keystream generation mode (b) the setup mode of Grain-128
The setup process is carried out using (K, IV ) in three steps:
1. The internal state of NFSR is loaded with K as follows: Ni0 = ki (0 ≤ i ≤ 79).
2. The internal state of LFSR is loaded with IV as follows:
ivi , where 0 ≤ i ≤ 63
0
Li =
.
1,
where 64 ≤ i ≤ 80
3. The two registers are clocked for 160 clock cycles without producing the
keystream sequence, where the output bit is fed back and XORed with the
input, both to LFSR and to NFSR. See Fig. 1-(b).
Grain-128 consists of a 128-bit LFSR, a 128-bit NFSR and a 9-input filter
function h. It generates keystream sequence from a 128-bit secret key K =
(k0 , · · · , k127 ) and a 96-bit initialization vector IV = (iv0 , · · · , iv95 ). At time t,
the feedback bits of LFSR and NFSR are computed as follows.
lt = Lt96 ⊕ Lt81 ⊕ Lt70 ⊕ Lt38 ⊕ Lt7 ⊕ Lt0 .
t
t
t
t
t
t
t
t
t
t
nt = Lt0 ⊕ N96
⊕ N91
⊕ N56
⊕ N26
⊕ N0t ⊕ N84
N68
⊕ N65
N61
⊕ N48
N40
t
t
t
t
t
t
t
⊕ N59
N27
⊕ N18
N17
⊕ N13
N11
⊕ N67
N3t .
The filter function h takes an input values as 7-bit values from LFSR and 2-bit
values from NFSR, respectively. It is defined as follows:
t
t
t
t
h(Lt8 , Lt13 , Lt20 , Lt42 , Lt60 , Lt79 , Lt95 , N12
, N95
) = N12
Lt8 ⊕ Lt13 Lt20 ⊕ N95
Lt42
t
t
⊕ Lt60 Lt79 ⊕ N12
N95
Lt95 .
The output bit ot of Grain-128 at time t is generated as follows.
t
t
ot =
Nkt ⊕ h(Lt8 , Lt13 , Lt20 , Lt42 , Lt60 , Lt79 , Lt95 , N12
, N95
) ⊕ Lt93 ,
k∈A
where A = {2, 15, 36, 45, 64, 73, 89} and z0 = o256 .
The setup process of Grain-128 is similar to that of Grain-v1 except that
the number of clocking without producing the keystream sequence is 256. See
Fig. 2-(b).
Related-Key Chosen IV Attacks on Grain-v1 and Grain-128
325
Table 2. Conditions used in the attack on Grain
K = (k0 , · · · , k79 ),
IV = (iv0 , · · · , iv79 )
t
t
N79
Lt79
K ′ = (k1 , · · · , k79 , n0 ⊕ o0 ),
IV ′ = (iv1 , · · · , iv63 , 1)
′t
t
N79
L′t
79
Condition
0
k79
1
1
n0 ⊕ o0
l0 ⊕ o0
0
n0 ⊕ o0
1
l0 ⊕ o0 = 1
1
1
1
1
′0
′0
′0
′0
2
n ⊕o
l ⊕o
1
n ⊕o
l ⊕o
..
..
..
..
..
..
..
.
.
.
.
.
.
.
160 n159 ⊕ o159 l159 ⊕ o159 159 n′158 ⊕ o′158 l′158 ⊕ o′158
161
n160
l160
160 n′159 ⊕ o′159 l′159 ⊕ o′159 o′159 = 0
161
161
162
n
l
161 n′160 ⊕ o′160 l′160 ⊕ o′160
..
..
..
..
..
..
..
.
.
.
.
.
.
.
2.2
Slide Resynchronization Attack on Grain
In [6], Kücük showed that it is possible to find related keys and initialization
vectors of Grain. For any pair (K, IV ), slide resynchronization attack (SRA)
′
′
on Grain finds the related pair (K ′ , IV ′ ) = ((k0′ , · · · , k79
), (iv0′ , · · · , iv63
)) that
−2
generates the 1-bit shifted keystream sequence with probability 2 . It is based
on two observations:
1. The number of updated bits for 1 clock is only 2.
2. The setup process and the keystream generation procedure are similar.
SRA is done by assuming two conditions as shown in Table 2. The relation of
(K, IV ) and (K ′ , IV ′ ) is as follows:
K = (k0 , · · · , k79 ) ⇒ K ′ = (k1 , · · · , k79 , b), where b ∈ {0, 1}.
IV = (iv0 , · · · , iv63 ) ⇒ IV ′ = (iv1 , · · · , iv63 , 1).
Let S t and S ′t be internal states generated from (K, IV ) and (K ′ , IV ′ ) at time
t, respectively. We assume that S 1 = S ′0 which is equal to l0 ⊕ o0 = 1 from
Table 2. Then S t+1 = S ′t (0 ≤ t ≤ 159). S 161 is updated by the keystream
generation mode but S ′160 is updated by the setup mode. If o′159 = 0, then S 161
is equal to S ′160 . Thus if l0 ⊕ o0 = 1 and o′159 = 0, then (K ′ , IV ′ ) generates the
1-bit shifted keystream sequence Z[1] of Z generated from (K, IV ). Assuming
that l0 ⊕o0 and o′159 are uniformly distributed, we find the related pair (K ′ , IV ′ )
with probability 2−2 .
3
Related-Key Chosen IV Attack on Grain-v1
In this section, we introduce a key recovery attack on Grain-v1. Firstly, we introduce some properties of Grain-v1 and propose a key recovery attack on Grain-v1
326
Y. Lee et al.
by using same properties. Let K be a secret key and IV be an initialization vector. Our attack uses m + 1 keys K, K1 , · · · , Km . Here, we only describe the case
that ((K, IV ) , (K1 , IV ′ )) pair is used. Other cases can be done by repeating
the case that ((Ki , IV ) and (Ki+1 , IV ′ )) is used, i.e., if we use three keys K, K1
and K2 , we run the first attack by using K, K1 and then second one by using
K1 , K2 . The second attack procedure is almost similar to the first.
3.1
Constructing α Linear Equations for K
The related key K ′ and initialization vector IV ′ are defined as follows. Here, α
is a parameter such that 1 ≤ α ≤ 12.
K = (k0 , · · · , k79 ) ⇒ K ′ = (kα , · · · , k79 , k0 , · · · , kα−1 ).
IV = (iv0 , · · · , iv63 ) ⇒ IV ′ = (ivα , · · · , iv63 , 1, · · · , 1).
(1)
(2)
Let Z and Z ′ be keystream sequences generated from (K, IV ) and (K ′ , IV ′ ).
Kücük assumed that S 1 is equal to S ′0 which implies S t+1 is equal to S ′t (0 ≤
t ≤ 159). We can get Property 1 by using this property.
Property 1. If S α is equal to S ′0 , then S i is equal to S ′i−α for α < i ≤ 160. It
means that oi is equal to o′i−α . That is,
S α = S ′0 ⇒ S i = S ′i−α .
Proof. This property follows directly from the setup process of Grain-v1. Recall
that the number of clocking without producing the keystream sequence is 160
in the setup process.
⊓
⊔
If IV satisfies S α = S ′0 , we say that IV is valid. Otherwise we say that the IV
is invalid. In Theorem 1, we prove that we can construct total 2α equations for
secret key using a valid IV and calculate the probability that a valid IV exists.
Theorem 1. For a valid IV , we can construct 2α equations of which unknown
values are K. And the valid IV exists with probability 2−2α . That is,
P r S α = S ′0 = 2−2α .
Proof. Since (K, IV ) is loaded to NFSR and LFSR directly, the following holds:
S α = S ′0 ⇔ N α = K ′ , Lα = IV ′ (1 · · · 1).
For 0 ≤ i < α, N α = K ′ and Lα = IV ′ (1 · · · 1) imply (3) and (4).
ni ⊕ oi = ki .
i
i
l ⊕ o = 1.
(3)
(4)
So, we can construct 2α equations for K using the valid IV . If ni , oi , li and
ki are assumed statically independent, (3) and (4) hold with probability 2−1 ,
respectively. Thus S α = S ′0 holds with probability 2−2α .
⊓
⊔
Related-Key Chosen IV Attacks on Grain-v1 and Grain-128
327
We show that how to construct α linear equations for K in Property 2 and
Theorem 2.
Property 2. If h takes the input value of which some bits are fixed, then it is
approximated to h′ with probability 1, as follows.
Approx1 : If Lt46 = 0, Lt64 = 1 then h′ = Lt3 ⊕ Lt25
t
Approx2 : If Lt3 = Lt25 , Lt46 = 1, Lt64 = 1 then h′ = N63
⊕1
Using Theorem 1 and Property 2, we can induce the following theorem. This
theorem shows that there exists a valid IV among 22α IV s whose some bit
positions are fixed.
Theorem 2. For a fixed K, we choose 22α IV s where (iv45+1 , · · · , iv45+α ) =
(0, · · · , 0) , (iv12+1 , · · · , iv12+α , iv24+1 , · · · , iv24+α ) are all 2α-bit values and the
remaining bits are fixed to b (∈ {0, 1}). Then there exists exactly one valid IV .
Thus we can construct α linear equations for K using (6) and the IV .
Proof. L064 , · · · , L079 are fixed to 1 in the setup mode. Thus (3) and (4) are equal
to (5) and (6) respectively by Approx1 of Property 2, if iv45+1 , · · · , iv45+α are
fixed 0.
ivi ⊕ (iv3+i ⊕ iv25+i ) = (ni ⊕ ivi ) ⊕ ki ⊕
ks+i ,
(5)
s∈A
(ivi ⊕iv13+i ⊕ iv23+i ⊕ iv38+i ⊕ iv51+i ⊕ iv62+i )⊕(iv3+i ⊕ iv25+i ) = 1⊕
ks+i ,
s∈A
(6)
where 0 ≤ i < α and A = {1, 2, 4, 10, 31, 43, 56}. Because the right hand side of
(5) and (6) are determined by K, these values are fixed for all chosen IV s. Also
the remaining bits of IV s except for (iv12+1 , · · · , iv12+α , iv24+1 , · · · , iv24+α ) are
fixed for all chosen IV s by the assumption. Thus we can rewrite (5) as (7), where
the right hand side of (7) is fixed for all chosen IV s.
iv25+i = iv3+i ⊕ ni ⊕ ki ⊕
ks+i .
(7)
s∈A
Since iv25+i ∈ {iv24+1 , · · · , iv24+α }, there exist 2α IV s which satisfy (7) among
all 22α chosen IV s and these IV s are fixed except for (iv12+1 , · · · , iv12+α ).
Similarly to the case of (5), we can rewrite (6) as (8), where the right hand side
of (8) is fixed for all 2α IV s.
iv13+i = ivi ⊕ iv23+i ⊕ iv38+i ⊕ iv51+i ⊕ iv62+i ⊕ iv3+i ⊕ iv25+i ⊕ 1 ⊕
ks+i . (8)
s∈A
So there exists exactly one IV satisfying (7) and (8) among all chosen 22α IV s.
By the definition of “valid IV ”, the IV satisfying (7) and (8) is valid. Hence
there exists exactly one valid IV . Moreover, we can construct α linear equations
by applying the valid IV to (6), since (6) is a linear equation for K.
⊓
⊔
328
Y. Lee et al.
Table 3. The changed bit positions of ∗-Change
Event The changed bit positions
∗-Change1
iv15 , iv40
∗-Change2
iv16 , iv41
∗-Change3
iv17 , iv42
∗-Change4
iv18 , iv43
Event The changed bit positions
∗-Change5
iv15 , iv40 , iv16 , iv41
∗-Change6
iv15 , iv40 , iv17 , iv42
∗-Change7
iv15 , iv40 , iv18 , iv43
∗-Change8
iv16 , iv41 , iv17 , iv42
Let β be the maximum value such that zi = 0 (0 ≤ i < β) (Note that the
expected value of β is about 2, since 2 ≈ 1 · 12 + 2 · 41 + 3 · 18 + · · · ). Because
an updated bit affects to keystream bits after 16 clock cycles, we define ∼α as
follows:
Z ∼α Z ′ ⇔ zα+i = zi′ (0 ≤ i < 16 − α + β).
In our attack, we find a valid IV by checking that Z and Z ′ satisfy Z ∼α Z ′ .
The following theorem enable us to distinguish a valid IV and an invalid IV .
Theorem 3. A valid IV always satisfies Z ∼α Z ′ but an invalid IV satisfies it
with probability 2−(16−α+β) .
Proof. By Theorem 1, a valid IV satisfies S 160 = S ′160−α . Then o160 (= z0 ) is
equal to o′160−α . Since zi = 0 (0 ≤ i < b), o′160−α+i = zi = 0 (0 ≤ i < β) and
S 160+β = S ′160−α+β . After (α − β) clock cycles, L160+α and N 160+α are always
equal to L′160 and N ′160 except the (α − β) most significant bits, respectively.
Since α used in our attack is less than or equal to 12, h takes the same input
values for additional (16 − α + β) clock cycles in two cases. Thus (K, IV ) and
(K ′ , IV ′ ) always generate the same keystream bits for additional (16 − α + β)
clock cycles. For an invalid IV, Z and Z ′ are uniformly generated. Thus the IV
satisfies Z ∼α Z ′ with 2−(16−α+β) .
⊓
⊔
If α = 12 and β = 2, then the probability that an invalid IV satisfies Z ∼α Z ′
is 2−6 (we call it D-Test) which is not small. To decrease the probability that
an invalid IV passes D-Test, we use another method, ∗-Change. For any IV ,
we generate the corresponding IV ∗ by modifying the values of even positions
in the IV . We change the bits of IV that do not affect the results of (5) and
(6) as shown in Table 3. Since these bits are not used as input values of h for
1 ≤ α ≤ 12 and the left hand side of (6) is linear, the results of these equations
do not change. Thus an IV is valid if and only if the corresponding IV ∗ is valid.
Corollary 1 show that we can distinguish valid IV s and invalid IV s with very
high probability using ∗-changes. In our attack, we generate (γ − 1) IV ∗ s for
an IV where γ is the integer satisfying 22α−γ(16−α+β) << 1. Hence, we can
find a valid IV by Corollary 1 and construct α linear equations for K using
Theorem 2 and the valid IV .
Corollary 1. If an IV is invalid, the probability that the IV and the corresponding IV ∗ pass D-Test is 2−2(16−α+β) . Further, the IV and the corresponding
(γ − 1) IV ∗ s pass D-Test with probability 2−γ(16−α+β).
Related-Key Chosen IV Attacks on Grain-v1 and Grain-128
329
Proof. This property follows directly from the fact that each invalid IV ∗ passes
D-Test independently.
⊓
⊔
3.2
Recovering Another α-Bit Key
Up to now, we introduced the method to find a valid IV and construct α linear
equations for K by using the valid IV . From this, we can get the α-bit key
information. Now, we present the method, †-Change, to recover another α-bit
key. For a valid IV , we will generate the corresponding IV † by modifying the
values of some positions in the valid IV . In case of α = 12, Appendix A.1
presents the bit positions where †-Change modifies. The conditionally changed
bit positions in †-Changei are modified only if iv3+i is not equal to iv25+i . Here,
we focus only †-Change0 . Other events †-Changei (1 ≤ i ≤ 11) can be done
similar to †-Change0 . †-Change0 is done as follows:
1. Using Approx2 of Property 2, do the followings;
(a) Modify iv46 which is the third input value of h at time 0.
(b) If iv3 is not equal to iv25 , then modify iv25 . Here, iv3 and iv25 are the
first and second input values of h at time 0, respectively.
2. Modify bit positions of the IV such that the results of (5) and (6) that
time is not 0 do not change.
(a) Since iv46 changes the result of (6) at time 8, modify iv59 which is in
the linear part of (6) at time 8. Note that we can change other bits
which are in the linear part of (6) at time 8. But we found that the
number of the additional changed bits for iv59 are less than for other
bits.
(b) If iv25 in Step 1-(b) is changed, it changes the result of (6) at time 2.
Thus modify iv15 which is in the linear part of (6) at time 2.
Applying †-Change0 , the results of (5) and (6) for (K, IV ) are equal to them
for (K, IV † ) except time 0. The equations for (K, IV † ) at time 0 are (9) and
(10). Here, A = {1, 2, 4, 10, 31, 43, 56}.
iv0 ⊕ (k63 ⊕ 1) = (n0 ⊕ iv0 ) ⊕ k0 ⊕
(9)
ks .
s∈A
(iv0 ⊕ iv13 ⊕ iv23 ⊕ iv38 ⊕ iv51 ⊕ iv62 ) ⊕ (k63 ⊕ 1) = 1 ⊕
ks .
(10)
s∈A
If the IV † is valid, (5) and (6) are equal to (9) and (10) at time 0, respectively.
Thus we get (11). Otherwise we get (12). Applying other events similarly, we
can recover k63 , · · · , k74 .
iv3 ⊕ iv25 = k63 ⊕ 1.
(11)
iv3 ⊕ iv25 = k63 .
(12)
330
3.3
Y. Lee et al.
Description of Our Attack on Grain-v1
We are ready to present our attack on Grain-v1. This attack uses m + 1 keys
K, K1 , · · · , Km and consists of m steps. For 0 ≤ i < m, the i-th step use Ki and
Ki+1 satisfying the following relation:
Ki = (k0 , · · · , k79 ) ⇒ Ki+1 = (kα , · · · , k79 , k0 , · · · , kα−1 ).
Note that K0 = K. In each step, we construct α linear equations for K and recover the α-bit key. Finally we find the remaining bits by the exhaustive search.
Each step runs three algorithms, the FilterIV algorithm, the CheckValid algorithm and the RecoverKey algorithm. Firstly, the FilterIV algorithm finds a valid
IV among 22α IV s that satisfies Corollary 1 as follows:
1. Generate 22α (16 + βi )-bit keystream sequences Zi by using K and
IVi (1 ≤ i < 22α ) from Corollary 1. Here, βi is the value such that the
first βi bits of Zi are zeros.
2. Calculate the corresponding IVi′ to IVi from (2) and generate the (16 −
α + βi )-bit keystream sequence Zi′ by using K ′ and IVi′ .
3. Check D-test for each (Zi , Zi′ ) and store all IVi which the corresponding
Zi and Zi′ pass D-test.
4. Until only one IV remains, repeat the followings;
(a) Set j=1;
(b) Calculate IV ∗ s by applying ∗-Changej to the remaining IV s.
(c) Calculate the IV ∗′ s corresponding IV ∗ s.
(d) Generate keystream sequences using (K, IV ∗ ) and (K ′ , IV ∗′ ).
(e) Check D-Test for the generated keystream sequences and discard IV s
that the corresponding keystream sequences do not pass D-test.
(f) Add 1 to j.
5. Return the remaining IV .
On average, the number of IV s used in this algorithm is
2
γ−1
i=0
22α−i(16−α+β) ,
where α is parameter which is chosen by the attacker, β is maximum value such
that zi = 0 (0 ≤ i < β) and γ is the number satisfying 22α−γ(16−α+β) << 1.
From an IV , this algorithm generates the (16 + β)-bit keystream sequence for
K and the (16 − α + β)-bit keystream sequence for K ′ . Thus it requires the
(16 + β)
γ−1
i=0
γ−1
22α−i(16−α+β) + (16 − α + β)
22α−i(16−α+β)
-bit keystream sequence on average.
i=0
Related-Key Chosen IV Attacks on Grain-v1 and Grain-128
331
The CheckValid algorithm takes an IV and checks the validity of it as follows:
1. Generate Z and Z ′ using (K, IV ) and (K ′ , IV ′ ), respectively. Check Dtest for (Z, Z ′ ). If it does not pass D-test, then return “invalid”.
2. Set i = 1 and if i < γ, then repeat the followings;
(a) Calculate the IV ∗ by applying ∗-Changei to the IV .
(b) Generate keystream sequences by using (K, IV ∗ ), (K ′ , IV ∗′ ) and
check D-Test for the generated keystream sequences. If they do not
pass, then return “invalid”.
(c) Add 1 to i.
3. Return “valid”.
This algorithm uses 2γ IV s and ((16 + β)γ + (16 − α + β)γ)-bit keystream
sequence.
Finally, the RecoverKey algorithm takes a valid IV and recover the α-bit key
k(62+mα+1) mod 80 , · · · , k(62+mα+α) mod 80
in the m-th step. Since this algorithm calls the CheckValid algorithm α times, it
requires 2αγ IV s and the α((16 + β)γ + (16 − α + β)γ)-bit keystream sequence.
It is done as follows:
Input : a valid IV = (iv0 , · · · iv63 )
1. Set i = 0 and if i < α, then repeat the followings;
(a) Calculate the corresponding IVi† by applying †-Changei to the IV .
(b) Check that IVi† is valid by using the CheckValid algorithm.
(c) If IVi† is valid, k(63+mα+i) mod 80 = iv3+i ⊕ iv25+i ⊕ 1. Otherwise
k(63+mα+i) mod 80 = iv3+i ⊕ iv25+i .
(d) Add 1 to i.
We find the right secret key by the exhaustive search by using the 2mα-bit
key information obtained in previous steps. We generate the 80-bit keystream
sequence from each candidate key and check that it is equal to the original
keystream sequence. Thus, this test requires 240-clock cycles of Grain-v1. Our
attack procedure on Grain-v1 is done as follows:
1. Generate 22α IV s from Theorem 2.
2. Set i = 0 and if i < m, repeat the followings;
(a) For Ki and Ki+1 , find an valid IV by using the FilterIV algorithm.
(b) Construct α linear equations by using (6) and the valid IV .
(c) Recover the α-bit key by using the RecoverKey algorithm.
3. Find the right secret key K by the exhaustive search using the 2mα-bit
key information obtained in Step 2.
γ−1
The number of chosen IV s used in our attack is 2m( i=0 (22α−i(16−α+β) ) +
2α−i(16−α+β)
γα) and our attack requires m((32 − α + 2β)( γ−1
) + γα))-bit
i=0 (2
keystream sequence. The computational complexity of Step 2 is m( (352−α+2β)
240
332
Y. Lee et al.
Table 4. Our results on Grain-v1
m α
γ
Data Complexity
Computational Complexity
Chosen IV s Keystream Bits
1 12 6
2 12 6
3 10 4
3 12 6
Computation
225.02
228.61
256
26.02
29.61
32.02
2
2
2
22.59
26.29
2
2
222.90
26.61
30.19
2
2
226.70
complexity unit: 240-clock cycles of Grain-v1
γ−1
( i=0 (22α−i(16−α+β) )+γα)) 240-clock cycles of Grain-v1. Since we get the 2mαbit key information, the computational complexity of Step 3 is 280−2mα 240-clock
cycles of Grain-v1. Table 4 shows the complexities of our attack for parameters
m, α and γ. For m = 3, α = 10 and γ = 4, we recover the secret key of Grain-v1
with 226.29 bits keystream sequence and 222.90 computational complexity. If we
use more related keys, we need less complexities to attack Grain-v1, i.e., if we use
40 related keys, then the computational complexity decrease to 28.21 240-clock
cycles of Grain-v1 and the data complexity is as follows: 28.64 chosen IV s and
212.77 -bit keystream sequence. The usage of 3 related keys and the computational
complexity of 222.90 is reasonable. For m = 3, α = 10 and γ = 4, we practically
recovered the secret key within 3 minutes on average.
4
Related-Key Chosen IV Attack on Grain-128
Since the attack on Grain-128 is similar to that on Grain-v1, we briefly present
our attack on Grain-128 using one related key K ′ . K ′ , IV ′ and ∼α are defined
as follows:
K = (k0 , · · · , k127 ) ⇒ K ′ = (kα , · · · , k127 , k0 , · · · , kα−1 ).
IV = (iv0 , · · · , iv95 ) ⇒ IV ′ = (ivα , · · · , iv95 , 1, · · · , 1).
Z ∼α Z ′ ⇔ zα+i = zi′ (0 ≤ i < 32 − α + β).
In case of Grain-128, a valid IV always satisfy Z ∼α Z ′ but an invalid IV
passes D-test with probability 2−(32−α+β) . Similarly to the attack on Grain-v1,
we apply ∗-Change to decreases the probability that an invalid IV passes D-test.
The changed bit positions are shown in Table 5. In the attack on Grain-v1, we
change the values of even positions in IV but the positions of Table 5 do not
affect all equations for α ≤ 15. Thus we choose just one position in IV .
Table 5. The changed bit positions of ∗-Change on Grain-128
Event The changed bit positions Event The changed bit positions
∗-change1
iv38
∗-change3
iv40
∗-change2
iv39
∗-change4
iv41
Related-Key Chosen IV Attacks on Grain-v1 and Grain-128
333
Table 6. The modification of h
Event
Fixed value
Approximated function h′
t
t
Approx1 Lt8 = 0, Lt13 = 0, Lt42 = 0, Lt60 = 0, Lt95 = 1
N12
N95
t
t
t
Approx2 Lt8 = 1, Lt13 = 0, Lt42 = 0, Lt60 = 0, Lt95 = 1
N12
⊕ N12
N95
t
t
t
t
t
t
t
t
Approx3 L8 = 0, L13 = 0, L42 = 1, L60 = 0, L95 = 1
N95 ⊕ N12 N95
Table 7. Our results on Grain-128
m α
γ
Data Complexity
Computational Complexity
Chosen IV s Keystream Bits
1 15 2
231
235.73
283
32
36.73
38.03
2 15 2
2
2
2
3 12 2
226.59
231.39
227
32.59
37.31
32.98
3 15 2
2
2
2
Computation complexity unit: 384-clock cycles of Grain-128
As shown in Table 6, h is approximated to h′ with probability 1. Since h
takes two input value from NFSR, we can recover the 2α-bit key by applying
†-Change as shown in Appendix A.2. For 0 ≤ i < α, the events †-Change1i and †Change2i can be used to recover k12+i and k95+i , respectively. The conditionally
changed bit positions in †-Changei are modified only if iv20+i = 0. Note that
iv87 , · · · , iv95 are fixed to 1 in order to apply †-Change.
Our attack on Grain-128 uses 22α IV s that satisfy conditions of Approx1 in
Table 6. Then there exists a valid IV among these IV s. But ui ⊕ oi = 1 (0 ≤
i < α) is quadratic equation for K. So we construct α quadratic equations for
K as follows:
li ⊕ k12+i k95+i ⊕ (k2+i ⊕ k15+i ⊕ k36+i ⊕ k45+i ⊕ k64+i ⊕ k73+i ⊕ k89+i ) = 1.
Since we can recover k12+i and k95+i by using the RecoverKey algorithm, we
can construct α linear equations as follows:
li ⊕(k2+i ⊕k15+i ⊕k36+i ⊕k45+i ⊕k64+i ⊕k73+i ⊕k89+i ) = 1⊕vi (vi = k12+i k95+i ).
Because the RecoverKey algorithm recovers the key bits that are quadratic part
of these equations, we can construct α linear equations for K. The bit positions
that are modified in †-changei is presented in Appendix A.2.
As shown in Table 7, we need 226.59 chosen IV s, the 231.39 -bit keystream
sequence and 227 384-clock cycles of Grain-128 to recover the secret key of Grain128. If we use more related keys, we need less complexities to attack Grain-128.
5
Conclusion
In this paper, we have presented related-key chosen IV attacks on Grain-v1 and
Grain-128 with the weakness that the setup mode is similar to the keystream
334
Y. Lee et al.
Table 8. Simulation results of our attack
Stream Cipher m α
Grain-v1
Grain-128
3
3
γ Attack Time Success Rate (success trials/total trials)
10 4
12 2
145 sec
95 min
1 (100/100)
1 (100/100)
generation mode. As summarized in Table 1, these results imply that Grain-v1
and Grain-128 have still the weakness, though they are designed to advance
Grain which has been cryptanalyzed by a key recovery attack and a distinguishing attack by the weakness in the filter function. Our attack on Grain-v1 recovers
the secret key with 222.59 chosen IV s, 226.29 -bit keystream sequences and 222.90
computational complexity. In case of Grain-128, our attack needs 226.59 chosen IV s, 231.39 -bit keystream sequences and 227.01 computational complexity.
Table 8 presents simulation results that our attacks. The simulation was implemented on Pentium-4, CPU 2.4GHz, 2.0 Gb RAM, OS Windows XP Pro
SP2. We could always recover the secret key of Grain-v1 and Grain-128 within
3 minutes and 100 minutes on average, respectively.
References
1. Berbain, C., Gilbert, H., Maximov, A.: Cryptanalysis of Grain. In: Robshaw, M.J.B.
(ed.) FSE 2006. LNCS, vol. 4047, pp. 15–29. Springer, Heidelberg (2006)
2. Hell, M., Johansson, T., Meier, W.: Grain - A Stream Cipher for Constrained Environments, eSTREAM - ECRYPT Stream Cipher Project, Report 2005/010 (2005),
http://www.ecrypt.eu.org/stream/ciphers/grain/grain.pdf
3. Hell, M., Johansson, T., Meier, W.: Grain - A Stream Cipher for Constrained Environments, eSTREAM - ECRYPT Stream Cipher Project (2007),
http://www.ecrypt.eu.org/stream/p3ciphers/grain/Grain p3.pdf
4. Hell, M., Johansson, T., Meier, W.: A Stream Cipher Proposal: Grain-128,
eSTREAM - ECRYPT Stream Cipher Project (2007),
http://www.ecrypt.eu.org/stream/p3ciphers/grain/Grain128 p3.pdf
5. Khazaei, S., Hassanzadeh, M., Kiaei, M.: Distinguishing Attack on Grain,
eSTREAM - ECRYPT Stream Cipher Project, Report 2005/071 (2005),
http://www.ecrypt.eu.org/stream/papersdir/071.pdf
6. Kücük, O.: Slide Resynchronization Attack on the Initialization of Grain 1.0,
eSTREAM - ECRYPT Stream Cipher Project, Report 2006/044 (2006),
http://www.ecrypt.eu.org/stream/papersdir/2006/044.ps
7. Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack, Cryptology ePrint Archive: Report 2007/413 (2007),
http://eprint.iacr.org/2007/413.pdf
Related-Key Chosen IV Attacks on Grain-v1 and Grain-128
335
†-Change on Grain-v1 and Grain-128
A
A.1
The Changed Bit Positions of †-Change on Grain-v1 (α = 12)
Event
Recovered key bit The changed bit positions
c
c
†-Change0
k63
iv46 , iv59 , iv25
, iv15
c
c
, iv16
†-Change1
k64
iv47 , iv60 , iv26
c
c
†-Change2
k65
iv48 , iv61 , iv27 , iv17
c
c
†-Change3
k66
iv49 , iv62 , iv38 , iv28 , iv18
c
c
†-Change4
k67
iv50 , iv29 , iv19
c
c
†-Change5
k68
iv51 , iv38 , iv30
, iv20
c
c
†-Change6
k69
iv52 , iv39 , iv31 , iv21
c
c
†-Change7
k70
iv53 , iv40 , iv32 , iv22
c
c
c
†-Change8
k71
iv54 , iv41 , iv33 , iv37 , iv61
c
c
c
†-Change9
k72
iv55 , iv42 , iv34 , iv38 , iv62
c
†-Change10
k73
iv56 , iv43 , iv35
c
†-Change11
k74
iv57 , iv44 , iv36
c
ivi : the changed bit position conditionally.
A.2
The Changed Bit Positions of †-Change on Grain-128 (α = 15)
Recovered
The changed
Key bit
bit positions
1
†-change0
k12
iv8 , iv68 , iv39
†-change11
k13
iv9 , iv69 , iv40
†-change12
k14
iv10 , iv70 , iv41 , iv38
†-change13
k15
iv11 , iv71 , iv85 , iv39
†-change14
k16
iv12 , iv72 , iv86 , iv40
†-change15
k17
iv13 , iv73 , iv87 , iv41
†-change16
k18
iv14 , iv74 , iv77 , iv85
†-change17
k19
iv15 , iv78
†-change18
k20
iv16 , iv79
†-change19
k21
iv17 , iv80
†-change110
k22
iv18 , iv92
†-change111
k23
iv19 , iv82 , iv39
†-change112
k24
iv20 , iv83 , iv40 , iv0c
1
†-change13
k25
iv21 , iv84 , iv41 , iv1c
1
†-change14
k26
iv22 , iv2c
c
ivi : the conditional changed bit position.
Event
Event
†-change20
†-change21
†-change22
†-change23
†-change24
†-change25
†-change26
†-change27
†-change28
†-change29
†-change210
†-change211
†-change212
†-change213
†-change214
Recovered The changed
Key bit bit positions
k95
iv42 , iv85
k96
iv43 , iv86
k97
iv44 , iv87
k98
iv45 , iv88
k99
iv46 , iv89
k100
iv47 , iv90
k101
iv48 , iv91
k102
iv49 , iv92
k103
iv50 , iv39
k104
iv51 , iv40
k105
iv52 , iv41
k106
iv53
k107
iv54
k108
iv55
k109
iv56