Abstract
Many cryptographers have focused on lightweight cryptography, and a huge number of lightweight block ciphers have been proposed. On the other hand, designing lightweight stream ciphers is a challenging task because of the well-known security criterion that the state size of a stream cipher must be at least twice the key size. The designers of Sprout addressed this issue by involving the secret key not only in the initialization but also in the keystream generation, so that the state size of such stream ciphers can be smaller than twice the key size. After this seminal work, several small-state stream ciphers have been proposed, such as Fruit, Plantlet, and LIZARD. Unlike conventional stream ciphers, these small-state stream ciphers limit the number of keystream bits that can be generated from the same key and IV pair. In this paper, our motivation is to show whether the data limitation claimed by the designers is sufficient. The correlation attack is one of the attack methods that exploit many keystream bits generated from the same key and IV pair, and we apply it to Fruit-80 and Plantlet. As a result, we can break the full Fruit-80, i.e., the designers’ data limitation is not sufficient. We can also recover the secret key of Plantlet if it allows about \(2^{53}\) keystream bits from the same key and IV pair.
Notes
1. If the correct initial state is guessed, it follows \(\mathcal{N}(Nc, N-Nc^2)\). However, since N is huge and \(N c^2\) is small, \(\mathcal{N}(Nc, N)\) is enough to approximate the distribution.
2. Another contribution of [20] is to show the link between the parity-check equation and the multiplication over a finite field. This link is used to execute the correlation attack without guessing the whole of the initial state of the LFSR, but we do not use this technique because the size of the LFSR is small enough.
References
Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_22
Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small Present. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16
Babbage, S.H.: Improved “exhaustive search” attacks on stream ciphers. In: European Convention on Security and Detection 1995, pp. 161–166 (1995)
Golić, J.D.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_17
Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_1
Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 451–470. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_22
Lallemand, V., Naya-Plasencia, M.: Cryptanalysis of full Sprout. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 663–682. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_32
Esgin, M.F., Kara, O.: Practical cryptanalysis of full Sprout with TMD tradeoff attacks. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 67–85. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_4
Banik, S.: Some results on Sprout. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 124–139. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26617-6_7
Zhang, B., Gong, X.: Another tradeoff attack on Sprout-like stream ciphers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 561–585. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_23
Ghafari, V.A., Hu, H., Xie, C.: Fruit: ultra-lightweight stream cipher with shorter internal state. Cryptology ePrint Archive, Report 2016/355 (2016). http://eprint.iacr.org/2016/355
Dey, S., Sarkar, S.: Cryptanalysis of full round Fruit. Cryptology ePrint Archive, Report 2017/087 (2017). http://eprint.iacr.org/2017/087
Zhang, B., Gong, X., Meier, W.: Fast correlation attacks on Grain-like small state stream ciphers. IACR Trans. Symm. Cryptol. 2017(4), 58–81 (2017). https://doi.org/10.13154/tosc.v2017.i4.58-81
Ghafari, V.A., Hu, H., Chen, Y.: Fruit-v2: ultra-lightweight stream cipher with shorter internal state. Cryptology ePrint Archive, Report 2016/355 (2016). http://eprint.iacr.org/2016/355
Ghafari, V.A., Hu, H., Alizadeh, M.: Necessary conditions for designing secure stream ciphers with the minimal internal states. Cryptology ePrint Archive, Report 2017/765 (2017). http://eprint.iacr.org/2017/765
Ghafari, V.A., Hu, H.: Fruit-80: a secure ultra-lightweight stream cipher for constrained environments. Entropy 20(3), 180 (2018)
Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symm. Cryptol. 2016(2), 52–79 (2016). https://doi.org/10.13154/tosc.v2016.i2.52-79
Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast correlation attack revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_5
Matsui, M.: On correlation between the order of S-boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053451
Siegenthaler, T.: Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. Inf. Theory 30(5), 776–780 (1984)
Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1989)
Chose, P., Joux, A., Mitton, M.: Fast correlation attacks: an algorithmic point of view. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 209–221. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_14
Ågren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. IJWMC 5(1), 48–59 (2011)
Acknowledgments
The authors thank the anonymous SAC 2019 reviewers for careful reading and many helpful comments.
Appendices
A Correlation of \(g'_t \oplus \langle L^{(t)}, \varLambda \rangle \) on Fruit-80
In this section, we show the detailed method to evaluate the correlation of \(g'_t \oplus \langle L^{(t)}, \varLambda \rangle \). As we already showed in Sect. 4, we first extract independent terms from \(g'_t \oplus \langle L^{(t)}, \varLambda \rangle \) as
where \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) is the remaining term after extracting the first six lines. Then, there are \(2^{11}\) linear masks \(\varLambda [1,3,4,6,9,13,15,18,22,24,25,34]\) satisfying \(g'_t \oplus \langle \varLambda , L \rangle \approx g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) with correlation \(\pm 2^{-6}\).
Our next goal is to evaluate the correlation of \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \), which is described as
where
Here, the indices 44, 45, and 49 exceed the length of \(\varLambda \), i.e., 43. Therefore, \(\varLambda '[44,45,49]\) are computed by using the feedback function f as
We expand all terms in \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) as
There are 35 bits of the NFSR and 9 bits of the LFSR in \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \), and the number of involved bits is too large to evaluate the correlation by brute force. Therefore, we decompose this Boolean function into six Boolean functions \(G_1\), \(G_2\), \(G_3\), \(G_4\), \(G_5\), and \(G_6\), i.e., \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle = G_1 \oplus G_2 \oplus G_3 \oplus G_4 \oplus G_5 \oplus G_6\).
The six Boolean functions \(G_1\), \(G_2\), \(G_3\), \(G_4\), \(G_5\), and \(G_6\) involve 3, 5, 8, 7, 18, and 20 bits, respectively. The involved bits are independent except for \(n_{t+24}\), \(n_{t+31}\), \(n_{t+33}\), and \(n_{t+36}\), where these four bits are colored in red. Therefore, we compute the conditional correlations of \(G_1\), \(G_2\), \(G_3\), \(G_4\), \(G_5\), and \(G_6\).
Definition 2 (Conditional correlation)
Let G be a Boolean function from n bits to 1 bit, and let x be the input of G. We impose a condition on the bits \(x_i \in \mathbb {I}\), fixing them to \(v_i\). Then, the conditional correlation of G is defined as
We impose conditions on the four bits \(n_{t+24}\), \(n_{t+31}\), \(n_{t+33}\), and \(n_{t+36}\). Then, we compute the conditional correlations of the six Boolean functions, and from these we compute the conditional correlation of G by using the piling-up lemma. Finally, the correlation of G is computed by summing the conditional correlations of G over all conditions.
Table 5 shows the correlation of G when \(\varLambda '[8,17,27,29,30,42,44,45,49] = 000100000\). Here, note that each conditional correlation must be divided by \(2^{4}\) because we impose a 4-bit condition. Finally, Table 6 summarizes each correlation, listing only the cases whose absolute correlation is greater than \(2^{-18}\).
B Correlation of \(g_t'' \oplus \langle L^{(t)}, \varLambda ' \rangle \) of Plantlet
As in the case of Fruit-80, we compute the correlation of \(g_t'' \oplus \langle L^{(t)}, \varLambda ' \rangle \) of Plantlet. After extracting independent terms from \(g'_t \oplus \langle L^{(t)}, \varLambda \rangle \), \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) is described as
where
Now, let us expand all terms in \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) as
There are 46 bits of the NFSR and 6 bits of the LFSR in \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \), and the number of involved bits is too large to evaluate the correlation by brute force. We decompose this Boolean function into four Boolean functions \(G_1\), \(G_2\), \(G_3\), and \(G_4\), i.e., \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle = G_1 \oplus G_2 \oplus G_3 \oplus G_4\).
The four Boolean functions \(G_1\), \(G_2\), \(G_3\), and \(G_4\) involve 14, 12, 24, and 24 bits, respectively. The involved bits are independent except for \(n_{t+39}\), \(n_{t+38}\), \(n_{t+34}\), \(n_{t+32}\), \(n_{t+31}\), \(n_{t+29}\), \(n_{t+21}\), \(n_{t+15}\), and \(n_{t+10}\), where these nine bits are colored in red. Therefore, we compute the conditional correlations of \(G_1\), \(G_2\), \(G_3\), and \(G_4\).
Table 7 shows the correlation of G when \(\varLambda '[6,17,18,29,32,44] = 001100\). Here, note that each conditional correlation must be divided by \(2^{9}\) because we impose a 9-bit condition. Table 8 summarizes each correlation, listing only the cases whose correlation is non-zero.
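The procedure used in both appendices (decompose a large Boolean function into parts whose inputs overlap only in a few "red" bits, compute the conditional correlation of every part for each assignment of those bits, multiply with the piling-up lemma, and average over the \(2^{|\mathbb{I}|}\) conditions) is shown below on a small constructed function. This is an added example, not code from the paper; the functions G1, G2, G3 and the variable names are toy stand-ins for the paper's \(G_i\) and NFSR/LFSR bits, chosen so that brute force over all inputs is still feasible and can confirm the decomposed computation. The block also shows why the shared bits cannot simply be ignored: multiplying the unconditional correlations of the parts gives a wrong answer.

```python
from fractions import Fraction
from itertools import product

# Constructed toy parts (NOT the G_1..G_6 of Fruit-80 or the G_1..G_4 of Plantlet).
# Names mimic NFSR bits n_i and LFSR bits l_i; n24, n31, n33, n36 are shared.
def G1(x):
    return (x["n24"] & x["n31"]) ^ (x["l8"] & x["n36"])

def G2(x):
    return (x["n33"] & x["n1"]) ^ (x["n2"] & x["n36"]) ^ (x["n3"] & x["n1"])

def G3(x):
    return (x["n24"] & x["n4"] & x["n5"]) ^ (x["n31"] & x["n33"]) ^ (x["n6"] & x["n7"])

# Each part with its input variables; the variable sets are pairwise
# disjoint except for the bits listed in SHARED (the paper's "red" bits).
PARTS = [
    (G1, ["n24", "n31", "n36", "l8"]),
    (G2, ["n33", "n36", "n1", "n2", "n3"]),
    (G3, ["n24", "n31", "n33", "n4", "n5", "n6", "n7"]),
]
SHARED = ["n24", "n31", "n33", "n36"]
ALL_VARS = sorted({v for _, vs in PARTS for v in vs})

def G(x):
    """The full function G = G1 xor G2 xor G3 (12 input bits in total)."""
    return G1(x) ^ G2(x) ^ G3(x)

def conditional_correlation(f, variables, condition):
    """Definition 2: correlation of f with the bits in `condition` fixed.
    Only the free variables are enumerated, so the average is over
    2^(n - |I|) inputs. Keys of `condition` that f does not use are ignored."""
    free = [v for v in variables if v not in condition]
    total = 0
    for bits in product((0, 1), repeat=len(free)):
        x = dict(condition)
        x.update(zip(free, bits))
        total += 1 - 2 * f(x)          # (-1)^f(x)
    return Fraction(total, 2 ** len(free))

def correlation(f, variables):
    """Unconditional correlation cor(f) = 2^-n * sum_x (-1)^f(x) by brute force."""
    return conditional_correlation(f, variables, {})

def correlation_via_decomposition(parts, shared):
    """cor(G) = sum over v in {0,1}^|I| of 2^-|I| * prod_i cor(G_i | x_I = v).
    Given a fixed v the parts have disjoint free inputs, so the piling-up
    lemma (product of correlations) is exact; dividing by 2^|I| is the
    paper's 'each conditional correlation must be divided by 2^4' step."""
    total = Fraction(0)
    for v in product((0, 1), repeat=len(shared)):
        cond = dict(zip(shared, v))
        c = Fraction(1)
        for f, vs in parts:
            c *= conditional_correlation(f, vs, cond)
        total += c / 2 ** len(shared)
    return total

def naive_piling_up(parts):
    """What you get if the shared bits are ignored: product of the
    unconditional correlations of the parts. Not valid here."""
    c = Fraction(1)
    for f, vs in parts:
        c *= correlation(f, vs)
    return c

if __name__ == "__main__":
    decomposed = correlation_via_decomposition(PARTS, SHARED)
    brute = correlation(G, ALL_VARS)
    print("decomposed:", decomposed, " brute force:", brute,
          " naive product:", naive_piling_up(PARTS))
    # decomposed and brute force agree (3/64); the naive product (3/256) does not
```

With three parts and four shared bits this enumerates \(2^4 \cdot (2 + 8 + 16)\) part evaluations instead of the \(2^{12}\) evaluations of the brute-force check; for the paper's functions, with 44 or 52 input bits split into parts of at most 24 bits, the same bookkeeping is what makes the computation feasible.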
© 2020 Springer Nature Switzerland AG
Cite this paper
Todo, Y., Meier, W., Aoki, K. (2020). On the Data Limitation of Small-State Stream Ciphers: Correlation Attacks on Fruit-80 and Plantlet. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_15
DOI: https://doi.org/10.1007/978-3-030-38471-5_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5