Grain: a stream cipher for constrained environments

Hell, Martin; Johansson, Thomas; Meier, Willi

doi:10.1504/ijwmc.2007.013798

Cited by 364 publications

(268 citation statements)

References 9 publications

Supporting

Mentioning

264

Contrasting

Unclassified

Order By: Relevance

“…The starting point for the construction of our mutual authentication protocol is a stream cipher such as Grain or Trivium [25,16], that takes a secret key and a non-secret initialization value (IV) as input and produces a binary sequence (the keystream). An IVdependent stream cipher of key length k bits and IV length n bits that produces a keystream sequence of length up to m bits can be conveniently represented as a family of functions F = {f K } : {0, 1} n → {0, 1} m indexed by a key K randomly chosen from {0, 1} k ; f K thus represents the function mapping the IV to the keystream associated with key K. For such an IV-dependent stream cipher to be considered secure when producing keystreams of length at most m bits, one usually requires [9] that the associated family of functions F be a pseudo-random function (PRF).…”

Section: Definitions and Propertiesmentioning

confidence: 99%

“…Some stream ciphers with a very low hardware footprint, e.g. Grain v1 or Trivium [25,16], are also known to have the potential to lead to extremely efficient authentication solutions. On the other hand, few explicit stream cipher based authentication schemes have been proposed so far; an example is the relatively complex stream cipher based protocol from [36] which requires up to six message exchanges.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Lightweight Privacy Preserving Authentication for RFID Using a Stream Cipher

Billet

Etrog

Gilbert

2010

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. In this paper, a privacy preserving authentication protocol for RFID that relies on a single cryptographic component, a lightweight stream cipher, is constructed. The goal is to provide a more realistic balance between forward privacy and security, resistance against denial of service attacks, and computational efficiency (in tags and readers) than existing protocols. We achieve this goal by solely relying on a stream cipher-which can be arbitrarily chosen, for instance a stream cipher design aimed at extremely lightweight hardware implementations-and we provide security proofs for our new protocol in the standard model, under the assumption that the underlying stream cipher is secure.

show abstract

Section: Definitions and Propertiesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Lightweight Privacy Preserving Authentication for RFID Using a Stream Cipher

Billet

Etrog

Gilbert

2010

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…Therefore, a regular stream cipher is sufficient for WIPR-RNS. We may choose Grain [8] as the selected stream cipher. Grain uses about 1300 gates and may be the most efficient stream cipher without known flaws.…”

Section: B Wipr-rnsmentioning

confidence: 99%

How to improve security and reduce hardware demands of the WIPR RFID protocol

Stinson

2009

2009 IEEE International Conference on RFID

View full text Add to dashboard Cite

Abstract-In this paper, we analyze and improve WIPR, an RFID identification scheme based on public key techniques with efficient hardware implementation. First we analyze the security and privacy features of WIPR. We show that a reduced version of WIPR is vulnerable to short padding attacks and WIPR needs a random number generator with certain properties to withstand reset attacks. We discuss countermeasures to avoid these attacks. Then we propose two variants of WIPR, namely WIPR-SAEP and WIPR-RNS, to improve its security and to further reduce its hardware cost. Using an additional hash function, WIPR-SAEP achieves provable security in the sense that violating the security properties leads to solving the integer factoring problem. WIPR-RNS uses a residue number system (RNS) for computation, and reduces the hardware costs of WIPR. WIPR-RNS provides a better security guarantee than WIPR in that it does not use a nonstandard cryptographic primitive in WIPR. WIPR-SAEP and WIPR-RNS can be combined into one scheme.

show abstract

“…Grain-128a is essentially part of the Grain family which was first proposed by Hell, Johansson and Meier in 2005 [13] as a part of the eStream project. The physical structure of the Grain family is simple as well as elegant and has been designed so as to require low hardware complexity.…”

Section: Introductionmentioning

confidence: 99%

A Differential Fault Attack on Grain-128a Using MACs

Banik

Maitra

Sarkar

2012

Security, Privacy, and Applied Cryptography Engineering

View full text Add to dashboard Cite

Abstract. The 32-bit MAC of Grain-128a is a linear combination of the first 64 and then the alternative keystream bits. In this paper we describe a successful differential fault attack on Grain-128a, in which we recover the secret key by observing the correct and faulty MACs of certain chosen messages. The attack works due to certain properties of the Boolean functions and corresponding choices of the taps from the LFSR. We present methods to identify the fault locations and then construct set of linear equations to obtain the contents of the LFSR and the NFSR. Our attack requires less than 2 11 fault injections and invocations of less than 2 12 MAC generation routines.

show abstract

Grain: a stream cipher for constrained environments

Cited by 364 publications

References 9 publications

Lightweight Privacy Preserving Authentication for RFID Using a Stream Cipher

Lightweight Privacy Preserving Authentication for RFID Using a Stream Cipher

How to improve security and reduce hardware demands of the WIPR RFID protocol

A Differential Fault Attack on Grain-128a Using MACs

Contact Info

Product

Resources

About