Cryptanalysis of Grain

Berbain, Côme; Gilbert, Henri; Maximov, Alexander

doi:10.1007/11799313_2

Cited by 60 publications

(47 citation statements)

References 19 publications

(6 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Before describing the attack in detail let us state the following symbolic notations that we shall be using henceforth. 4 corresponds to the NFSR location 63. This implies that if two internal states S and S Δ be such that they differ in LFSR locations 3, 25 and NFSR location 63 and in no other location that contributes inputs to the output keystream bit, then the difference of the keystream bit produced by them will be equal to the value in LFSR location 46.…”

Section: Determining the Lfsr Internal Statementioning

confidence: 99%

See 1 more Smart Citation

A Differential Fault Attack on the Grain Family of Stream Ciphers

Banik

Maitra

Sarkar

2012

Cryptographic Hardware and Embedded Systems – CHES 2012

View full text Add to dashboard Cite

Abstract. In this paper we study a differential fault attack against the Grain family of stream ciphers. The attack works due to certain properties of the Boolean functions and corresponding choices of the taps from the LFSR. The existing works, by and Karmakar et al. (2011), are applicable only on Grain-128 exploiting certain properties of the combining Boolean function h. That idea could not easily be extended to the corresponding Boolean function used in Grain v1. Here we show that the differential fault attack can indeed be efficiently mounted for the Boolean function used in Grain v1. In this case we exploit the idea that there exists certain suitable α such that h(x) + h(x + α) is linear. In our technique, we present methods to identify the fault locations and then construct set of linear equations to obtain the contents of the LFSR and the NFSR. As a countermeasure to such fault attack, we provide exact design criteria for Boolean functions to be used in Grain like structure.

show abstract

Section: Determining the Lfsr Internal Statementioning

confidence: 99%

“…Similar to [5], we inject faults in the LFSR only, whereas the NFSR has been used for fault injection in [19]. 4. The attacker has full control over the timing of fault injection, i.e., it is possible to inject the fault precisely at any stage of the cipher operation.…”

Section: Introductionmentioning

confidence: 99%

A Differential Fault Attack on the Grain Family of Stream Ciphers

Banik

Maitra

Sarkar

2012

Cryptographic Hardware and Embedded Systems – CHES 2012

View full text Add to dashboard Cite

show abstract

“…In [5] it was shown, that this could have been done efficiently for the initial version of the cipher i.e. Grain v0.…”

Section: Determining the Nfsr Statementioning

confidence: 99%

“…Grain v0. After the attack in [5] was reported, the designers made the necessary changes to Grain v1, Grain-128 and Grain-128a so that for these new ciphers, determining the NFSR state form the knowledge of the LFSR state was no longer straightforward. In order to determine the NFSR bits, we look into the decomposition of the Boolean function h in more detail.…”

Section: Determining the Nfsr Statementioning

confidence: 99%

A Differential Fault Attack on Grain-128a Using MACs

Banik

Maitra

Sarkar

2012

Security, Privacy, and Applied Cryptography Engineering

View full text Add to dashboard Cite

Abstract. The 32-bit MAC of Grain-128a is a linear combination of the first 64 and then the alternative keystream bits. In this paper we describe a successful differential fault attack on Grain-128a, in which we recover the secret key by observing the correct and faulty MACs of certain chosen messages. The attack works due to certain properties of the Boolean functions and corresponding choices of the taps from the LFSR. We present methods to identify the fault locations and then construct set of linear equations to obtain the contents of the LFSR and the NFSR. Our attack requires less than 2 11 fault injections and invocations of less than 2 12 MAC generation routines.

show abstract

“…Its two members, Grain v1 and Grain-128, accept 80-bit and 128-bit keys respectively. The original version of the cipher, later referred to as Grain v0, was submitted to the eSTREAM project, but contained a serious flaw, as was demonstrated by several researchers [7,8]. As a response, the initial submission was tweaked and extended to a family of ciphers.…”

Section: Description Of Grainmentioning

confidence: 99%

Analysis of Grain’s Initialization Algorithm

Cannière

Küçük

Preneel

2008

Progress in Cryptology – AFRICACRYPT 2008

View full text Add to dashboard Cite

Abstract.In this paper, we analyze the initialization algorithm of Grain, one of the eSTREAM candidates which made it to the third phase of the project. We point out the existence of a sliding property in the initialization algorithm of the Grain family, and show that it can be used to reduce by half the cost of exhaustive key search (currently the most efficient attack on both Grain v1 and Grain-128). In the second part of the paper, we analyze the differential properties of the initialization, and mount several attacks, including a differential attack on Grain v1 which recovers one out of 2 9 keys using two related keys and 2 55 chosen IV pairs.

show abstract

Cryptanalysis of Grain

Cited by 60 publications

References 19 publications

A Differential Fault Attack on the Grain Family of Stream Ciphers

A Differential Fault Attack on the Grain Family of Stream Ciphers

A Differential Fault Attack on Grain-128a Using MACs

Analysis of Grain’s Initialization Algorithm

Contact Info

Product

Resources

About