[Resource Topic] 2019/763: Fast Correlation Attacks on Grain-like Small State Stream Ciphers and Cryptanalysis of Plantlet, Fruit-v2 and Fruit-80

Welcome to the resource topic for 2019/763

Title:
Fast Correlation Attacks on Grain-like Small State Stream Ciphers and Cryptanalysis of Plantlet, Fruit-v2 and Fruit-80

Authors: Shichang Wang, Meicheng Liu, Dongdai Lin, Li Ma

Abstract:

The fast correlation attack (FCA) is one of the most important cryptanalytic techniques against LFSR-based stream ciphers. In CRYPTO 2018, Todo et al. found a new property for the FCA and proposed a novel algorithm which was successfully applied to the Grain family of stream ciphers. Nevertheless, these techniques can not be directly applied to Grain-like small state stream ciphers with keyed update, such as Plantlet, Fruit-v2, and Fruit80. In this paper, we study the security of Grain-like small state stream ciphers by the fast correlation attack. We first observe that the number of required parity-check equations can be reduced when there are multiple different parity-check equations. With exploiting the Skellam distribution, we introduce a sufficient condition to identify the correct LFSR initial state and derive a new relationship between the number and bias of the required parity-check equations. Then a modified algorithm is presented based on this new relationship, which can recover the LFSR initial state no matter what the round key bits are. Under the condition that the LFSR initial state is known, an algorithm is given against the degraded system and to recover the NFSR state at some time instant, along with the round key bits. As cases study, we apply our cryptanalytic techniques to Plantlet, Fruit-v2 and Fruit-80. As a result, for Plantlet our attack takes 2^{73.75} time complexity and 2^{73.06} keystream bits to recover the full 80-bit key. Regarding Fruit-v2, 2^{55.34} time complexity and 2^{55.62} keystream bits are token to determine the secret key. As for Fruit-80, 2^{64.47} time complexity and 2^{62.82} keystream bits are required to recover the secret key. More flexible attacks can be obtained with lower data complexity at cost of increasing attack time. Especially, for Fruit-v2 a key recovery attack can be launched with data complexity of 2^{42.38} and time complexity of 2^{72.63}. Moreover, we have implemented our attack methods on a toy version of Fruit-v2. The attack matches the expected complexities predicted by our theoretical analysis quite well, which proves the validity of our cryptanalytic techniques.

ePrint: https://eprint.iacr.org/2019/763

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .