Breaking Grain-128 with Dynamic Cube Attacks

Dinur, Itai; Shamir, Adi

doi:10.1007/978-3-642-21702-9_10

Cited by 139 publications

(126 citation statements)

References 15 publications

Supporting

Mentioning

126

Contrasting

Order By: Relevance

“…Another possible approach it to carefully select the cube such that we obtain a practical distinguisher (as in Section 5.1). Then, we can try to apply several techniques that were developed to exploit similar distinguishers for key recovery (such as conditional differential cryptanalysis [19] and dynamic cube attacks [15]). However, these techniques seem to be better suited for stream ciphers built using feedback shift registers, rather than the SP-network design of Keccak.…”

Section: Keystream Prediction For 9-round Keccakmentioning

confidence: 99%

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function

Dinur

Morawiecki

Pieprzyk

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In this paper, we comprehensively study the resistance of keyed variants of SHA-3 (Keccak) against algebraic attacks. This analysis covers a wide range of key recovery, MAC forgery and other types of attacks, breaking up to 9 rounds (out of the full 24) of the Keccak internal permutation much faster than exhaustive search. Moreover, some of our attacks on the 6-round Keccak are completely practical and were verified on a desktop PC. Our methods combine cube attacks (an algebraic key recovery attack) and related algebraic techniques with structural analysis of the Keccak permutation. These techniques should be useful in future cryptanalysis of Keccak and similar designs. Although our attacks break more rounds than previously published techniques, the security margin of Keccak remains large. For Keyak -a Keccak-based authenticated encryption scheme -the nominal number of rounds is 12 and therefore its security margin is smaller (although still sufficient).

show abstract

Section: Keystream Prediction For 9-round Keccakmentioning

confidence: 99%

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function

Dinur

Morawiecki

Pieprzyk

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Hence, with a complexity of 2 14 , we can determine the candidates of Q 0 = {m 7 , m 0 } satisfying (6). Similarly, we can determine Q 1 = {m 8 , m 7 }, Q 2 = {m 9 , m 8 }, Q 3 = {m 10 , m 9 }, Q 4 = {m 11 , m 10 }, Q 5 = {m 12 , m 11 }, Q 6 = {m 13 , m 12 }, Q 7 = {m 14 , m 13 } and Q 8 = {m 15 , m 14 } from (7).…”

Section: Recovering the Middle Register Mmentioning

confidence: 99%

“…Thus, the techniques requiring chosen nonces, e.g. the differential-like chosen nonces attacks and the cube attacks [5,6] will not work in this realistic setting, neither will fast correlation attacks [11] which usually require large amounts of keystream.…”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis of the Atmel Cipher in SecureMemory, CryptoMemory and CryptoRF

Biryukov

Kizhvatov

Zhang

2011

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. SecureMemory (SM), CryptoMemory (CM) and CryptoRF (CR) are the Atmel chip families with wide applications in practice. They implement a proprietary stream cipher, which we call the Atmel cipher, to provide authenticity, confidentiality and integrity. At CCS'2010, it was shown that given 1 keystream frame, the secret key in SM protected by the simple version of the cipher can be recovered in 2 39.4 cipher ticks and if 2640 keystream frames are available, the secret key in CM guarded by the more complex version of the cipher can be restored in 2 58 cipher ticks. In this paper, we show much more efficient and practical attacks on both versions of the Atmel cipher. The idea is to dynamically reconstruct the internal state of the underlying register by exploiting the different diffusion speeds of the different cells. For SM, we can recover the secret key in 2 29.8 cipher ticks given 1 keystream frame; for CM, we can recover the secret key in 2 50 cipher ticks with around 24 frames. Practical implementation of the full attack confirms our results.

show abstract

“…In 2010, Li et al worked on cube testers on Bivium [20]. Shamir et al worked on Grain-128 [21] and gave results for cube testers and dynamic cube attack in [22] and [23]. Conditional differential cryptanalysis by Knellwolf et al is a predecessor to dynamic cube attack [24].…”

Section: Introductionmentioning

confidence: 99%

On the Security of LBlock against the Cube Attack and Side Channel Cube Attack

Islam

Afzal

Rashdi

2013

Security Engineering and Intelligence Informatics

View full text Add to dashboard Cite

Abstract. In this research, a recently proposed lightweight block cipher LBlock, not tested against the cube attack has been analyzed. 7, 8 and 9 round LBlock have been successfully attacked with complexities of O(2 10.76 ), O(2 11.11 ) and O(2 47.00 ) respectively. For the case of side channel cube attack, full version of LBlock has been attacked using a single bit leakage model with the complexity of O(2 55.00 ) cipher evaluations. For this purpose, a generic practical platform has been developed to test various stream and block ciphers against the latest cube attack.

show abstract

Breaking Grain-128 with Dynamic Cube Attacks

Cited by 139 publications

References 15 publications

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function

Cryptanalysis of the Atmel Cipher in SecureMemory, CryptoMemory and CryptoRF

On the Security of LBlock against the Cube Attack and Side Channel Cube Attack

Contact Info

Product

Resources

About