A Detailed Analysis of Grain family of Stream Ciphers

I.J. Computer Network and Information Security, 2014, 6, 34-40 Published Online May 2014 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2014.06.05 A Detailed Analysis of Grain family of Stream Ciphers Mohammad Ubaidullah Bokhari Aligarh Muslim University, Aligarh Email: mubokhari@gmail.com Shadab Alam Aligarh Muslim University, Aligarh Email: s4shadab@gmail.com Syed Hamid Hasan King Abdulaziz University, Kingdom of Saudi Arabia Email: shh786@hotmail.com Abstract—Hardware based ciphers are most suitable for resource constrained environments to provide information security and confidentiality. Grain is one such hardware based synchronous stream cipher. The motive of this study is to present a comprehensive survey and review of Grain family of stream ciphers that is one of the portfolio candidates in the hardware based category of eSTREAM. Security features and different attacks on these ciphers have been studied in this paper to analyze the strengths and weaknesses of these designs. Index Terms—Information Security, eSTREAM, Stream Cipher, Grain. Cryptography, I. INTRODUCTION In the last decade, we have witnessed an explosive growth of the digital data. On every walk of our like is becoming increasingly dependent on digital data and communication. The life is becoming so fast that there is no place for the manual or the hard bind data transfer. Internet and data communication technologies have become an integral part of our life. Without these technologies we cannot assume the life to go on, but these public networks and wireless medium of data communication are very much susceptible to be hacked or compromised by unauthorized users. What will be the cost of such leakage of the data; we cannot think when it is concerned with financial institutions or defense services. Therefore, these information sharing or data communication technologies should be adequately secure and confidential. Confidentiality means that the information should be out of reach to others except who are authorized to know it. Cryptography is the one of the oldest and major techniques involved with security and confidentiality of the data. Cryptographic algorithms are classified into two categories, Symmetric key and Asymmetric key based on keys used for encryption and decryption. Symmetric key Copyright © 2014 MECS algorithms use the same key for encryption and decryption, but asymmetric key algorithms use different key for encryption and decryption. Stream ciphers are the part of symmetric key cryptography, which has recently attracted the attention of the cryptographers and researchers. Stream ciphers operate on bit by bit level, but block ciphers operate on a fixed size of blocks of data. The other class of symmetric primitive is Block cipher which has been thoroughly studied and standardized. AES is the standard block cipher which is widely used, but there remain many applications were stream ciphers are preferred choice and cannot be ignored. In the applications where a high rate of throughput and low hardware and memory complexity is required, stream ciphers are the natural choice due to its low complexity and high efficiency. Stream ciphers operate on individual symbols with time varying transformations against the design of block ciphers which operate on blocks of symbols of fixed size with fixed transformations [1]. Stream ciphers try to work like one time pad (OTP) that is the only theoretically unbreakable cipher. Even with these advantages, the stream cipher designs have not been fully evolved and no standard design exists for stream ciphers. The eSTREAM project has tried to standardize the stream ciphers to a great extent and generated an interest in this field of cryptography. Grain is one of the submitted designs for eSTREAM. In this paper, we have tried to study the detailed design of Grain stream cipher and its subsequent versions and different cryptanalytic attacks on these stream cipher designs. The Grain V1 is a profile 2 stream cipher in the recently published eSTREAM portfolio by Ecrypt. Section II defines the stream ciphers and its advantage and when and where they are suitable for applications. Section III and IV define the Grain family of stream ciphers and the general structure of the cipher design. Section V defines the key initialization process that takes place before actual keystream is generated for encryption. Section VI defines the different members of the Grain family of ciphers, feedback and update functions used in I.J. Computer Network and Information Security, 2014, 6, 34-40 A Detailed Analysis of Grain family of Stream Ciphers these ciphers and attacks mounted on these ciphers. In section VII the various members of the Grain stream cipher have been compared on the basis of their software as well as hardware performance and other functions used in the design of these ciphers and in last the conclusion of this study has been presented. II. STREAM CIPHER, ITS PROPERTIES AND ADVANTAGES Symmetric key ciphers are classified into two categories; Block Cipher and Stream Cipher. A stream cipher is an important class of symmetric key cipher. Unlike Block cipher, which use fixed cryptographic transformations on block of characters, Stream cipher to encrypt single characters of plaintext one by one with time varying transformations. As the stream ciphers encrypt individual digits, it takes less buffer memory, less complex hardware circuitry and is comparatively faster than block ciphers. Block cipher requires no memory, but stream cipher requires memory for the storage of the current state of function, which is being used for further encryption. This is the reason why the same bit is encrypted differently in case of stream ciphers when enciphered again and again, but that is not the case in block ciphers. AES in Counter Mode or Output Feedback Mode can also be used as stream cipher and any stream ciphers must be able to be more efficient than these block cipher modes of operation to be used in any practical application. Shamir in his popular invited talk [2] ―Stream Ciphers: Dead or Alive‖ and Babbage in his invited talk [3] ―Stream Ciphers - What does industry want?‖ at state of the art of stream ciphers workshop in 2004 clearly identified some areas where stream ciphers have an edge over block ciphers. These are the some areas where stream ciphers can be useful: 1. Stream ciphers have an edge over block ciphers where hardware resources are limited and less complex circuits are required like RFID tags and smart cards. 2. Stream ciphers can be useful in cases where very high speed throughput is required like multi gigabit communication channels. 3. Stream ciphers are also desirable where zero error propagation is required like radio communication, due to no error propagation in case of synchronous stream ciphers or limited error propagation in case of an asynchronous stream cipher. 4. Stream ciphers are also desirable where the length of the message cannot be predetermined and smaller input/output delay is required as in the case of GSM communication. These are the few areas where stream ciphers have a clear edge over block ciphers due to its efficiency and speed. 35 Specific cryptographic primitives are required for resource constrained environments for information security and hardware based stream ciphers are most suitable for this purpose. Grain family of stream ciphers that is one of the portfolio ciphers in the hardware based category of eSTREAM is one of the cipher designs for such applications. The original version of Grain referred as Grain V0 [4] was submitted to eSTREAM project [5] in the hardware category of stream ciphers. The grain V0 design was weak and it was susceptible to serious attacks. This design was tweaked and a new version of Grain called Grain V1 [6] was presented. Both of these versions of Grain used 80 bit key and 64 bit IV with an internal state of 160 bits. Grain was designed initially for security level of 280. But due to rapid technical advancement in the field of hardware technology and speed of hardware, 80 bit ciphers are not found to be secure enough and susceptible to exhaustive key search attack. Therefore, it was desirable to have at least 128 bit security and to meet this requirement Grain 128 [7] was proposed by the designers of the Grain. Grain 128 uses 128 bit keys and 96 bit IV. In view of some cryptanalytic attacks on Grain 128, a new version of Grain 128 was introduced that also incorporate authentication named as Grain 128a. The new cipher was designed to overcome the existing weaknesses of Grain 128 and provide authentication when needed, otherwise behave similar to Grain 128 cipher. The new design was named Grain 128a [8] where "a" represent authentication. In this way there are four members in Grain family of ciphers, namely Grain V0, Grain V1, Grain 128, and Grain 128a. IV. DESIGN SPECIFICATIONS OF GRAIN STREAM CIPHERS The basic building blocks of all four variants are same and these use one Non Linear Feedback Shift Register (NFSR) and one Linear Feedback Shift Register (LFSR) with modifications in their feedback functions for different variants of this family. Grain family of ciphers is a bit oriented synchronous stream cipher. The general structure of Grain family of stream cipher is given in Fig 1. f(x) g(x) LFSR NFSR h(x) 1 Input 4 Inputs III. GRAIN FAMILY OF STREAM CIPHERS Fig 1: Overview of design blocks in Grain Copyright © 2014 MECS I.J. Computer Network and Information Security, 2014, 6, 34-40 A Detailed Analysis of Grain family of Stream Ciphers 36 The NFSR is updated with function g (x) and LFSR is updated with a function f(x). For keystream generation, 1 input is taken from NFSR and 4 inputs from LFSR and passed to the boolean function h(x) that gives a one bit output. That one bit output is again masked with the first bit of the NFSR to generate a keystream that will xored with the plaintext to generate the ciphertext. The feedback polynomial of LFSR used to update the register is defined as: f(x) = 1+ x18 + x29 + x42 + x57 + x67 + x80 It is a irreducible primitive polynomial of degree 80. The update function of LFSR is defined as: si+80 = si + si+13 + si+23 + si+38 + si+51 + si+62 Feedback polynomial of NFSR V. KEY INITIALIZATION OF GRAIN The cipher has to be initiated before it actually generates key streams. The secret key is loaded in the NFSR and first 64 in case of 80 bit ciphers and first 96 bits in case of 128 bit ciphers are loaded with the IV’s [9]. The remaining vacant bit positions are filled with all ones. If the key size is K then the cipher is clocked 2K times without producing any keystream. The output of the filter function is fed back into both the shift registers. The logic behind clocking the cipher 2K times is that all the previously stored values before initialization phase from shift registers will be flushed out and only random values will be in the both shift registers. Later on, after the observation by Kucuk [10] the designers chose to fill the last 31 bits of LFSR by ones and rightmost bit with zero to counter this attack in Grain 128a. The key initialization process has been shown in Fig 2. g(x) f(x) g(x) = 1+ x17 + x20 + x28 + x35 + x43 + x47 + x52 + x59 + x65 + x71 +x80 + x17x20 + x43x47 + x65x71 + x20x28x35 + x47x52x59 + x17x35x52x71 + x20x28x43x47 + x17x20x59x65 + x17x20x28x35x43 + x47x52x59x65x71 + x28x35x43x47x52x59 And hence the update function of NFSR is defined as: bi+80 = si + bi+63 + bi+60 + bi+52 + bi+45 + bi+37 + bi+33 + bi+28 + bi+21+bi+15 + bi+9 + bi + bi+63bi+60 + bi+37bi+33 + bi+15bi+9+bi+60bi+52bi+45 + bi+33bi+28bi+21 + bi+63bi+45bi+28bi+9+ bi+60bi+52bi+37bi+33 + bi+63bi+60bi+21bi+15+bi+63bi+60bi+52bi+45bi+37 + bi+33bi+28bi+21bi+15bi+9+ bi+52bi+45bi+37bi+33bi+28bi+21 The filter function h(x) is a Boolean function that takes five inputs and gives a single output, has been given as: h(x) = x1 + x4 + x0x3 + x2x3 + x3x4 + x0x1x2 + x0x2x3 + x0x2x4 + x1x2x4 + x2x3x4 Where the variables x0, x1, x2, x3 and x4 correspond to the tap positions si+3, si+25, si+46, si+64 and bi+63 respectively Keystream function is defined as: zt = xt LFSR NFSR h(x) 1 Input 4 Inputs Fig 2: Key Initialization of Grain VI. MEMBERS OF GRAIN FAMILY OF STREAM CIPHERS There are four members of Grain family of stream ciphers. In this section we have discussed the design specifications, feedback polynomials and different attacks against these ciphers. A. Grain V0: Grain V0 was the first design that was submitted to eSTREAM in the hardware profile of stream ciphers. Grain V0 is a 80 bit stream cipher that uses two feedback shift registers; one LFSR and one NFSR of 80 bits each and with internal state of 160 bits that has been assumed to be secure against all the attacks with complexities less than O (280). Copyright © 2014 MECS h(yt+3, yt+25, yt+46, yt+64, xt+63) Attacks on Grain V0: A distinguishing attack against Grain V0 was mounted by Khazaei, Hassanzadeh and Kiaei [11] that uses the concepts of linear sequential circuit approximation method given by Golic. This attack also requires a preprocessing phase to compute the trinomial multiples of some primitive polynomials of degree 80 and requires time and memory complexity of O (240). This distinguishing attack can distinguish a Grain output sequence from a purely random one with a complexity of O (261.4). The second attack was presented by Barbein, Gilbert and Maximov [12] that is a key recovery attack against Grain V0. In this attack first of all, the linear approximation method is used to derive the LFSR bits and these LFSR bits are further utilized to recover the initial state of NFSR and knowledge of key. This attack requires 238 keystream bits and computational complexity of O (243) to recover the key. In order to thwart these attacks and strengthen the designers of Grain have proposed a new design Grain V1 and submitted it to eSTREAM. B. Grain V1: The new version of Grain called as Grain V1 also has the similar design specifications as in Grain V0 and it is also a 80 bit stream cipher that uses two shift registers, I.J. Computer Network and Information Security, 2014, 6, 34-40 A Detailed Analysis of Grain family of Stream Ciphers one NFSR and one LFSR of 80 bits each and give an internal state of 160 bits. The feedback polynomial of LFSR was retained same as in Grain V0 but the feedback polynomial and update function of NFSR was slightly modified to overcome the weaknesses of Grain V0. The new feedback polynomial g1(x) of NFSR is defined as: g1(x) = 1+ x18 + x20 + x28 + x35 + x43 + x47 + x52 + x59 + x65 + x71 +x80 + x17x20 + x43x47 + x65x71 + x20x28x35 + x47x52x59 + x17x35x52x71 + x20x28x43x47 + x17x20x59x65 + x17x20x28x35x43 + x47x52x59x65x71 + x28x35x43x47x52x59 And hence the new update function of NFSR as per the new feedback polynomial of NFSR is defined as: bi+80 =si + bi + bi+9 + bi+14 + bi+21 + bi+28 + bi+33 + bi+37 + bi+45+bi+52 + bi+60 + bi+62 + bi+9bi+15 + bi+33bi+37 + bi+60bi+63+ bi+21bi+28bi+33 + bi+45bi+52bi+60 + bi+15bi+21bi+60bi+63+ bi+33bi+37bi+52bi+60 + bi+9bi+28bi+45bi+63+ bi+9bi+15bi+21bi+28bi+33 + bi+37bi+45bi+52bi+60bi+63+ bi+21bi+28bi+33bi+37bi+45bi+52 The filter function is same as Grain V0 but the keystream function was slightly modified. The new keystream function is defined as : zi = ∑ i+k + h(si+3, si+25, si+46, si+64, bi+63) 37 was needed that the minimum of stream cipher key should now be assumed as 128 bits. This was the motive behind the new 128 bit version of Grain called Grain 128 while maintaining the benefits of Grain V1. Grain 128 uses a 128 bit LFSR and a 128 bit NFSR that provides a 256 bit internal state equally divided among LFSR and NFSR while other design principles remained same. The Boolean function h(x) was also modified. The feedback polynomials and update functions of LFSR and NFSR were updated accordingly. Feedback polynomial of LFSR f(x) = 1+ x32 + x47 + x58 + x90 + x121 + x128 It is a irreducible primitive polynomial of degree 128. The update function of LFSR is defined as: si+128 = si + si+7 + si+38 + si+70 + si+81 + si+96 The feedback polynomial of NFSR is defined as: g(x) = 1 + x32 + x37 + x72 + x102 + x128 + x44x60 + x61x125 + x63x67 + x69x101 + x80x88 + x110x111 + x115x117 Now the update function of NFSR is defined as: bi+128 = si + bi + bi+26 + bi+56 + bi+91 + bi+96 + bi+3bi+67 + bi+11bi+13 + bi+17bi+18 + bi+27bi+59 + bi+40bi+48 + bi+61bi+65 + bi+68bi+84 Where A = {1, 2,4,10, 31, 43, 56} The filter function is defined as: Attacks on Grain V1: Canniere, Kucuk and Preneel [13] mounted an attack on Grain V1 by using a weakness in initialization algorithm. This attack was an extension of the work carried out by Kucuk in [10]. These two attacks have exploited the sliding property of the Grain V1 that is due to similarity in key initialization and key generation processes. The attackers have claimed to reduce the attack complexity by half of the exhaustive key search attack. Lee et al [14] have extended and proposed a sophisticated attack by exploiting the same weakness of related key in Grain V1. This attack is a key recovery attack that recovers the key with 222.59 chosen IVs, 226.29 keystream bits and 222.90 computations. Bjorstad also proposed TMTO attack [15] using known keystream bits of O (253.5) and time and memory complexity of O (271) but this attack was of no practical significance except it shows some weakness in design. Recently Dynamic Cube attack [16] was also proposed against the Grain V1 by Rahimi et al. This attack can fully recover the 80 bit key if initialization rounds are reduced to 100 with the computational complexity of 248. h(x) = x0x1 + x2x3 + x4x5 + x6x7 + x0x4x8 C. Grain 128: If the key size of a stream cipher is K then a Time Memory Tradeoff attack can be mounted on it with a complexity of O (2K/2). In this way a cipher having 80 bit key can be attacked with a complexity of order O(240) and this complexity can be easily achieved with the recent advancement in hardware technology. Hence it Copyright © 2014 MECS Where two inputs are taken from NFSR and seven inputs from LFSR and the variables x0 to x8 respectively correspond to the tap position bi+12, si+8, si+13, si+20, bi+95, si+42, si+60, si+79 and si+95. The keystream function is defined as : zi = ∑ i+j + h(x) + si+93 Where A = {2,15, 36, 45, 64, 73, 89} Attacks on Grain 128: Due to similarity in the designs of Grain V1 and Grain 128, the attacks that are applicable to Grain V1 are also applicable to Grain 128. The attack Proposed by Lee et al [14] takes 226.59 chosen IVs, 231.39 keystream bits and 227.01 computations to recover the 128 bit key. Berzati et al [17] introduced a fault attack against Grain 128 that can calculate 128 bit key within minutes by using an average 24 consecutive faults in LFSR. Karmakar and Chowdhury [18] also proposed a fault attack against Grain 128 that targets NFSR and requires 56 faults to upto 256 faults in NFSR state to compute the secret key with time a complexity of O (221) and space complexity of O (222). Dynamic Cube attack [19] was proposed against Grain 128 by Dinur and Shamir that can recover the full key in practical time complexity when initialization rounds is reduced to 207 but when initialization rounds are reduced to 250 only then the time complexity is reduced by a factor of 228 in comparison to exhaustive key search attack. I.J. Computer Network and Information Security, 2014, 6, 34-40 A Detailed Analysis of Grain family of Stream Ciphers 38 Dinur et al presented a key recovery attack with the help of a dedicated reconfigurable hardware and based on cube testers [20] that can reduce the attack complexity by a factor of 238 in comparison to exhaustive key search attack. The test results have been experimentally verified by the attackers. D. Grain 128a: In order to add Message Authentication Code (MAC) functionality and to overcome the weaknesses in the design in the Grain 128, the designers of Grain have proposed a new design called Grain 128a where a represents authentication. Grain 128a is the strongest member of Grain family of stream cipher that is 128 bit cipher which also incorporate an authentication mechanism. This design uses the same feedback polynomial for LFSR and similar filter function as in the Grain 128 but the feedback polynomial has been strengthened in view of different attacks proposed against Grain 128. The new Feedback polynomial of NFSR In Table 1, we have given the key length IV size and padding used in IV's to fill it for different ciphers of Grain family. Table 1: Key and IV length in Grain Family of Ciphers Cipher Key Length IV Length Padding within IV Grain V0 80 64 FFFF Grain V1 80 64 FFFF Grain 128 128 96 FFFFFFFF Grain 128a 128 96 FFFFFFFE Only in the last version of Grain family called Grain 128a, the padding is done by all ones except the rightmost bit of LFSR that is filled with zero to avoid the resynchronization attack proposed by Kucuk [8]. In all other versions of Grain, the padding is done with all ones. In Table 2, we have given the update functions of all the ciphers of the Grain family for the two shift registers i.e. LFSR and NFSR. Table 2: Update functions of Grain Family of Ciphers g(x) = 1 + x32+ x37+ x72+ x102+ x128+ x44x60+ x61x125+ x63x67+ x69x101+ x80x88+ x110x111+ x115x117+ x46x50x58+ x103x104x106+ x33x35x36x40 Cipher Now the update function of NFSR is defined as: Grain V0 bi+128 = si + bi + bi+26 + bi+56 + bi+91 + bi+96 + bi+3bi+67 + bi+11bi+13 + bi+17bi+18 + bi + 27bi+59 + bi+40bi+48 + bi+61bi+65 + bi+68bi+84 + bi+88bi+92bi+93bi+95 + bi+22bi+24bi+25 + bi+70bi+78bi+82 LFSR update function si+80 = si + si+13 + si+23 + si+38 + si+51 + si+62 The filter function is same as in Grain 128 but the keystream function has been also tweaked for Grain 128a. The keystream function is defined as : yi = h(x) + si+93 + ∑ i+j Where A = {2, 15, 36, 45, 64, 73, 89} Grain V1 si+80 = si + si+13 + si+23 + si+38 + si+51 + si+62 Grain 128 si+128 = si + si+7 + si+38 + si+70 + si+81 + si+96 zi = y64+2i Grain 128a can be used in both the modes i.e. with authentication or without authentication. Attacks on Grain 128a: In case of Grain 128a, the first 64 bits cannot be accessed by the attackers when authentication mode is on. Banik, Maitra and Sarkar proposed a differential fault attack [21] that targets the MAC instead of keystream. This attack requires 211 fault injections and 212 MAC generation routines to access the key. A second attack was proposed by Ding and Guan [22]. This related key attack requires 296 chosen IVs and 2103.613 keystream bits to recover the 128 bit key with the computational complexity of 296.322. VII. COMPARATIVE STUDY OF GRAIN FAMILY OF STREAM CIPHERS In this section, we have discussed and compared the various design parameters for different members of Grain family of Stream ciphers. Copyright © 2014 MECS Grain 128a NFSR update function bi+80 = si + bi+63 + bi+60 + bi+52 + bi+45 + bi+37 + bi+33 + bi+28 + bi+21+ bi+15 + bi+9 + bi + bi+63bi+60 + bi+37bi+33 + bi+15bi+9+bi+60bi+52bi+45 + bi+33bi+28bi+21 + bi+63bi+45bi+28bi+9+ bi+60bi+52bi+37bi+33 + bi+63bi+60bi+21bi+15+bi+63bi+60bi+52b i+45bi+37 + bi+33bi+28bi+21bi+15bi+9+ bi+52bi+45bi+37bi+33bi+28bi+21 bi+80 =si + bi + bi+9 + bi+14 + bi+21 + bi+28 + bi+33 + bi+37 + bi+45+bi+52 + bi+60 + bi+62 + bi+9bi+15 + bi+33bi+37 + bi+60bi+63+ bi+21bi+28bi+33 + bi+45bi+52bi+60 + bi+15bi+21bi+60bi+63+ bi+33bi+37bi+52bi+60 + bi+9bi+28bi+45bi+63+ bi+9bi+15bi+21bi+28bi+33 + bi+37bi+45bi+52bi+60bi+63+ bi+21bi+28bi+33bi+37bi+45bi+52 bi+128 = si + bi + bi+26 + bi+56 + bi+91 + bi+96 + bi+3bi+67 + bi+11bi+13 + bi+17bi+18 + bi+27bi+59 + bi+40bi+48 + bi+61bi+65 + bi+68bi+84 bi+128 = si + bi + bi+26 + bi+56 + bi+91 + bi+96 + bi+3bi+67 + bi+11bi+13 + bi+17bi+18 + bi + 27bi+59 + bi+40bi+48 + bi+61bi+65 + bi+68bi+84 + bi+88bi+92bi+93bi+95 + bi+22bi+24bi+25 + bi+70bi+78bi+82 In table 3, we have given the gate count of different members of the Grain family of ciphers that reflect the hardware complexity of the design. I.J. Computer Network and Information Security, 2014, 6, 34-40 A Detailed Analysis of Grain family of Stream Ciphers Table 3: Gate Count for hardware implementation of Grain Family of Ciphers Cipher Grain V0 Grain V1 Grain 128 Grain 128a without authentication Grain 128a with authentication Gate Count for LFSR 640 640 1024 1024 1024 Gate Count for NFSR Gate Count for output function Total Gate Count 640 640 1024 1024 na na 35.5 35.5 1435 1450 2133 2145.5 1024 35.5 2769.5 As the design of Grain V0 and Grain V1 are similar, hence total gate count is very much equal. Grain 128a without authentication requires just 12.5 gate counts more than Grain 128 that means that Grain 128a can be efficiently used without authentication with comparable hardware complexity of Grain 128 and much more secure than it. Grain 128a with authentication requires just about 30% of more gate counts that means it does not require very much extra hardware for authentication process. In table 4, we have compared the various members of Grain family of stream ciphers on the basis of key setup time, IV setup time and encryption speed. These encryption speeds have been measured on Pentium 4 2.80 GHz processor machines for two types of data, one for long streams and second for short streams of data less than 40 bytes. Apart from the encryption speed of the all the members of Grain family, the encryption speed of standard block cipher called Advanced Encryption Standard (AES) in counter mode has been also given for comparative purpose. Block cipher in Counter mode of operation (CTR) works as the synchronous stream cipher. Table 4: Performance comparison of Grain Family of Cipher [23] Cipher Grain V0 Grain V1 Grain 128 AES-CTR with 128 bit key Key Setup Time IV Setup Time 29.27 31.14 38.89 393.45 73408.44 1498.23 1098.61 76.16 Encryption Speed For long streams 3729.79 57.31 31.16 26.86 For 40 bytes 5545.83 102.95 70.30 38.65 This table shows that AES-CTR is better suited in terms of speed, but due to hardware efficiency of the Grain family of stream ciphers, Grain is preferred over AES counter mode in hardware applications. VIII. CONCLUSIONS In this paper, we have presented the detailed design specifications of the Grain family of stream ciphers and their features. We have studied the major weakness and different attacks on these stream ciphers. We have also presented a comparative study based on hardware and Copyright © 2014 MECS 39 software performance of Grain family of stream cipher, encryption speed, key and IV setup time, etc. The results show that Grain family of stream ciphers is better suited for hardware based applications but the design have some inherent weaknesses that resulted in many cryptanalytic attacks on the ciphers of this family. REFERENCES [1] Rueppel, Rainer A. Analysis and design of stream ciphers. Springer-Verlag New York, Inc., 1986. [2] Shamir, A. "Stream Ciphers: Dead or Alive?‖ invited talk, ASIACRYPT 2004, Jeju Island." Korea, Dec (2004): 5-9. [3] Babbage, Steve. "Stream ciphers: What does the industry want?" State of the Art of Stream Ciphers workshop, Brugge. 2004. [4] M. Hell, T. Jonasson, and W. Meier. Grain- A Stream Cipher for Constrained Environments. ECRYPT Stream Cipher Project Report 2005/001, 2005. Available at http://www.ecrypt.eu.org/stream. [5] Robshaw, Matthew. "The eSTREAM project." New Stream Cipher Designs. Springer Berlin Heidelberg, 2008. 1-6. [6] Hell, Martin, Thomas Johansson, and Willi Meier. "Grain: a stream cipher for constrained environments." International Journal of Wireless and Mobile Computing 2.1 (2007): 86-93. [7] Hell, Martin, et al. "A stream cipher proposal: Grain128." Information Theory, 2006 IEEE International Symposium on. IEEE, 2006. [8] Agren, Martin, et al. "A new version of Grain-128 with authentication."Symmetric Key Encryption Workshop. 2011. [9] Hell, Martin, et al. "The Grain family of stream ciphers." New Stream Cipher Designs. Springer Berlin Heidelberg, 2008. 179-190. [10] Küçük, Ö. "Slide resynchronization attack on the initialization of grain 1.0."eSTREAM, ECRYPT Stream Cipher Project, Report 44 (2006): 2006. [11] Khazaei, Shahram, Mehdi Hassanzadeh, and Mohammad Kiaei. "Distinguishing attack on grain." 2005-12-01)[200901-12]. http://www. ecrypt. eu. org/stream/papersdir/071. Pdf (2005). [12] Berbain, Côme, Henri Gilbert, and Alexander Maximov. "Cryptanalysis of grain."Fast Software Encryption. Springer Berlin Heidelberg, 2006. [13] De Cannière, Christophe, Özgül Küçük, and Bart Preneel. "Analysis of Grain’s initialization algorithm." Progress in Cryptology–AFRICACRYPT 2008. Springer Berlin Heidelberg, 2008. 276-289. [14] Lee, Yuseop, et al. "Related-key chosen IV attacks on Grain-v1 and Grain-128."Information Security and Privacy. Springer Berlin Heidelberg, 2008. [15] T.E. Bjørstad. Cryptanalysis of grain using time / memory /data tradeoffs. Available at http://www.ecrypt.eu.org/stream/papersdir/2008/012.pdf. [16] Dinur, Itai, and Adi Shamir. "Breaking Grain-128 with dynamic cube attacks."Fast Software Encryption. Springer Berlin Heidelberg, 2011. [17] Berzati, Alexandre, et al. "Fault analysis of GRAIN-128." Hardware-Oriented Security and Trust, 2009. HOST'09. IEEE International Workshop on. IEEE, 2009. [18] Karmakar, Sandip, and Dipanwita Roy Chowdhury. "Fault analysis of grain-128 by targeting NFSR." Progress in Cryptology–AFRICACRYPT 2011. Springer Berlin Heidelberg, 2011. 298-315. [19] Dinur, Itai, and Adi Shamir. "Breaking Grain-128 with I.J. Computer Network and Information Security, 2014, 6, 34-40 A Detailed Analysis of Grain family of Stream Ciphers 40 [20] [21] [22] [23] dynamic cube attacks."Fast Software Encryption. Springer Berlin Heidelberg, 2011. Dinur, Itai, et al. "An experimentally verified attack on full Grain-128 using dedicated reconfigurable hardware." Advances in Cryptology–ASIACRYPT 2011. Springer Berlin Heidelberg, 2011. 327-343. Banik, Subhadeep, Subhamoy Maitra, and Santanu Sarkar. "A differential fault attack on grain-128a using MACs." Security, Privacy, and Applied Cryptography Engineering. Springer Berlin Heidelberg, 2012. 111-125. Ding, Lin, and Jie Guan. "Related Key Chosen IV Attack on Grain-128a Stream Cipher." Information Forensics and Security, IEEE Transactions on 8.5 (2013): 803-809. De Canniere, Christophe. "eSTREAM Software Performance." New Stream Cipher Designs. Springer Berlin Heidelberg, 2008. 119-139. Available at http://www.ecrypt.eu.org/stream/phase3perf/2007a/pentiu m-4-a/ accessed 19/12/2013. Mohammad Ubaidullah Bokhari, born in 1979. He is currently working as Associate Professor and Ex-Chairman, Department of Computer Science, AMU, Aligarh and has more than 24 years of teaching and research experience. He completed his Ph.D. in Computer Science from AMU, Aligarh. He has published more than 85 research papers in different reputed journals and conference proceedings. He has also authored 5 books on different fields of Computer Science. His current research interests are Cryptography Requirement Engineering, Software Reliability, Wireless Network Security and Database. Shadab Alam, born in 1985. He is a Ph.D. candidate at Aligarh Muslim University, Aligarh and received his B.Sc. and MCA degrees from Aligarh Muslim University, Aligarh, India. He is pursuing Ph.D. in the field of Cryptography from AMU, Aligarh. He is also working as a counselor for IGNOU. He has published 10 research papers in different reputed international/national journals and conference proceedings. His main research interests include Stream Ciphers, Network Security and Cryptographic Primitives. Syed Hamid Hasan, has completed his Ph.D. in Computer Science from JMI, India, MSc in Statistics and PGDCS from AMU, India. Dr Hamid has a teaching and research experience of more than 30 years and is currently working as a Professor at Information Systems department, faculty of Computing and Information Technology, King Abdulaziz University, Kingdom of Saudi Arabia. Prof. Hamid has worked as the Head of Computer Science department at AMU, India and also Head of IT department at the Musana College of Technology, Sultanate of Oman. Copyright © 2014 MECS I.J. Computer Network and Information Security, 2014, 6, 34-40