Shiyong Zhang,Gongliang Chen,Jianhua Li

DOI: https://doi.org/10.2991/ifmeita-16.2016.181

2016-01-01

Abstract:Trivium is a notable light-weight synchronous stream cipher submitted to the European eSTREAM project in April 2005. State recovering attack is the best known attack to Trivium. In this paper, we study the structure of Trivium and point out the equations used in the state recovering attack are linearly dependent. The number of the equations is not enough to derive the exact solution. Then the revisional state recovering attack will be given to correct the problem of origin attack. We show that the internal state of Trivium will be recovered in time around 2(88.8), and the keystream has the length of 2(57.8). Therefore, the revisional attack is still faster than the exhaustive search

Yun Tian,Gongliang Chen,Jianhua Li

DOI: https://doi.org/10.4304/jcp.7.5.1278-1283

2012-01-01

Journal of Computers

Abstract:This paper is concerned with an extensive form of stream cipher Trivium. Trivium is extended to a scalable form by the coupling connection of Trivium-like shift registers. The characteristic polynomial of k Trivium-like shift registers in coupling connection is proved to have a factor of (1+x)(k). So k-order primitive polynomials are defined in this paper. As the main contribution, a new stream cipher Quavium is proposed based on 4-round Trivium-like shift registers and k-order primitive polynomials. Quavium can also be used with 3 rounds. Experimental results show that Quavium is nearly as fast as Trivium and 3-round Quavium has a better performance.

Yun TIAN,Gongliang CHEN,Jianhua LI

2010-01-01

Abstract:eSTREAM called for new stream ciphers designed for niche areas such as exceptional performance in software and hardware where resources are restricted. This project provides an open platform to discuss these ciphers. Trivium is one of the promis- ing new ciphers submitted to it. Until now, no attack has been successfully applied to it. This paper illustrates new design principles of stream ciphers based on the structure of Trivium and introduces the definition of k-order primitive polynomials. New designs of Trivium are also given according to the principles in this paper.

Shiyong Zhang,Gongliang Chen,Jianhua Li

DOI: https://doi.org/10.1109/ssic.2016.7571808

2016-01-01

Abstract:Trivium is a notable light-weight synchronous stream cipher submitted to the European eSTREAM project in April 2005. Enhanced-Bivium is a reduced version of Trivium which is suitable for RFID system. In this paper, the security of Enhanced-Bivium is concerned under cube attack, which is one of the best known attack on the reduced round Trivium proposed by Dinur and Shamir at EUROCRYPT09. Trivium with 576 initialization rounds can be recovered in 2(11). We show that it is difficult to search the cubes of Enhanced-Bivium with the same rounds and after 464 rounds the attack complexity is reduced to 2(55). Therefore, comparing with Trivium, Enhanced-Bivium has a better performance under cube attack.

Wenlong Sun,Jie Guan

DOI: https://doi.org/10.1049/cmu2.12752

IF: 1.345

2024-05-04

IET Communications

Abstract:In this paper, the authors show that the first Algebraic Side‐Channel Attacks on Trivium are implemented both in ASIC under Hamming distance leakage model and in microcontrollers of different buses under Hamming weight leakage model. Algebraic Side‐Channel Attacks (ASCAs), first proposed by Renauld and Standaert in 2009, are a potent cryptanalysis method against block ciphers. In this paper, the authors initially utilize ASCAs to analyze the security of the Trivium stream cipher, given its concise algebraic structure. Considering its efficiency in both hardware and software implementations, the authors deploy ASCAs to target Trivium implemented both in application specific integrated circuit (ASIC) under the Hamming Distance Leakage Model (HDLM) (noted as CASE 1) and in microcontrollers of various buses (i.e. some common 8‐bit, 16‐bit, and 32‐bit architectures, noted as CASE 2, CASE 3, and CASE 4, respectively) under the Hamming Weight Leakage Model (HWLM). Here, the authors' attacks are conducted on power‐simulated targets and not on real devices. For a single power consumption trace without measurement errors, this paper presents experimental results using MiniSat 2.0. Unfortunately, the authors were unable to break the ASIC implementation of Trivium under HDLM (CASE 1) with a time complexity of 2109 s or so, which is worse than the exhaustive key attack. For CASEs 2 to 4, the authors can find the complete 288‐bit state of Trivium within a reasonable timeframe. Specially, the success rate can reach 100% with an average solving time of less than 1 s when only measuring the leakages of the first eight consecutive rounds for CASE 2. Furthermore, the authors can still successfully recover the internal state even when obtaining leakages of the first 41 rounds with a random loss rate. In fact, it can tolerate a 74% random loss rate for the first 223 rounds. With regard to the potential errors in the measurements, the authors mitigate them using Tolerant ASCA (TASCA). Similarly, CASE 1 cannot be compromised even in error‐free situations, while the authors can still successfully recover the internal state of CASEs 2 to 4 from a single power trace, even with a high error rate, including 100% incorrect measurements. Surprisingly, for CASEs 2 to 4, the authors can recover the internal state with a 100% success rate, regardless of the error rate. As a result, the security of Trivium will not be enhanced when transitioning from a smaller 8‐bit platform to a larger 32‐bit platform. In the end, the authors will consider some more abstract attack models. The results can provide us with additional insights into the security of Trivium from a different perspective.

engineering, electrical & electronic

Bin Zhang,Zhenqi Li,Dengguo Feng,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-43933-3_27

2014-01-01

Abstract:Grain v1 is one of the 7 finalists selected in the final portfolio by the eSTREAM project. It has an elegant and compact structure, especially suitable for a constrained hardware environment. Though a number of potential weaknesses have been identified, no key recovery attack on the original design in the single key model has been found yet. In this paper, we propose a key recovery attack, called near collision attack, on Grain v1. The attack utilizes the compact NFSR-LFSR combined structure of Grain v1 and works even if all of the previous identified weaknesses have been sewed and if a perfect key/IV initialization algorithm is adopted. Our idea is to identify near collisions of the internal states at different time instants and restore the states accordingly. Combined with the BSW sampling and the non-uniform distribution of internal state differences for a fixed keystream difference, our attack has been verified on a reduced version of Grain v1 in experiments. An extrapolation of the results under some assumption indicates an attack on Grain v1 for any fixed IV in 2(71.4) cipher ticks after the pre-computation of 2(73.1) ticks, given 2(62.8)-bit memory and 2(67.8) keystream bits, which is the best key recovery attack against Grain v1 so far. Hopefully, it provides some new insights on such compact stream ciphers.

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-45721-1_17

2020-01-01

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the feature of the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 841-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 841-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to distinguishing attacks. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds.

Meicheng Liu,Jingchun Yang,Wenhao Wang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-78375-8_23

2018-01-01

Abstract:In this paper, we describe a new variant of cube attacks called correlation cube attack. The new attack recovers the secret key of a cryptosystem by exploiting conditional correlation properties between the superpoly of a cube and a specific set of low-degree polynomials that we call a basis, which satisfies that the superpoly is a zero constant when all the polynomials in the basis are zeros. We present a detailed procedure of correlation cube attack for the general case, including how to find a basis of the superpoly of a given cube. One of the most significant advantages of this new analysis technique over other variants of cube attacks is that it converts from a weak-key distinguisher to a key recovery attack. As an illustration, we apply the attack to round-reduced variants of the stream cipher Trivium. Based on the tool of numeric mapping introduced by Liu at CRYPTO 2017, we develop a specific technique to efficiently find a basis of the superpoly of a given cube as well as a large set of potentially good cubes used in the attack on Trivium variants, and further set up deterministic or probabilistic equations on the key bits according to the conditional correlation properties between the superpolys of the cubes and their bases. For a variant when the number of initialization rounds is reduced from 1152 to 805, we can recover about 7-bit key information on average with time complexity 2(44), using 2(45) keystream bits and preprocessing time 2(51). For a variant of Trivium reduced to 835 rounds, we can recover about 5-bit key information on average with the same complexity. All the attacks are practical and fully verified by experiments. To the best of our knowledge, they are thus far the best known key recovery attacks for these variants of Trivium, and this is the first time that a weak-key distinguisher on Trivium stream cipher can be converted to a key recovery attack.

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/s00145-021-09383-2

2021-01-01

Journal of Cryptology

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 842-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 842-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to a distinguishing attack. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds. In the application to ACORN, we prove that the 772-round key-recovery attack at ISC2019 is in fact a constant-sum distinguisher. We then give new key-recovery attacks mounting to 773-, 774- and 775-round ACORN. We verify the current best key-recovery attack on 892-round Kreyvium and recover the exact superpoly. We further propose a new attack mounting to 893 rounds.

Shiyong Zhang,Gongliang Chen

DOI: https://doi.org/10.1177/1550147717694171

IF: 1.938

2017-01-01

International Journal of Distributed Sensor Networks

Abstract:Distributed sensor networks have been widely applied to healthcare, environmental monitoring and management, intelligent transportation, and other fields in which network sensors collect and transmit information about their surrounding environment. Radio frequency identification technology transmits an object’s identification as a unique serial number—using radio waves as the transmission carrier—and is becoming an important building block for distributed sensor networks. However, the security of radio frequency identification systems is a major industrial concern that can significantly hinder the market growth of distributed sensor networks. Trivium is a well-known lightweight synchronous stream cipher that was submitted to the European eSTREAM project in April 2005. In this article, we generalize Trivium to the Trivium-Model algorithm and highlight that security is mainly determined by the internal state bits and the number of nonlinear terms. We propose principles for choosing parameters and generating better parameters that are feasible for low-cost radio frequency identification tags in distributed sensor networks. The new algorithm, named Micro-Trivium, requires less power and a smaller chip area than the original Trivium, which is proven using experimental data and results. Mathematical analysis shows that using Micro-Trivium is as secure as using Trivium.

Wenjie Liu,Mengting Wang,Zixian Li

DOI: https://doi.org/10.1007/s11128-023-03877-7

2023-09-24

Abstract:Exploiting quantum mechanisms, quantum attacks have the potential ability to break the cipher structure. Recently, Ito et al. proposed a quantum attack on Feistel-2* structure (Ito et al.'s attack) based onthe Q2 model. However, it is not realistic since the quantum oracle needs to be accessed by the adversary, and the data complexityis high. To solve this problem, a quantum all-subkeys-recovery (ASR) attack based on multi-equations quantum claw-finding is proposed, which takes a more realistic model, the Q1 model, as the scenario, and only requires 3 plain-ciphertext pairs to quickly crack the 6-round Feistel-2* structure. First, we proposed a multi-equations quantum claw-finding algorithm to solve the claw problem of finding multiple equations. In addition, Grover's algorithm is used to speedup the rest subkeys recovery. Compared with Ito et al.'s attack, the data complexity of our attack is reduced from O(2^n) to O(1), while the time complexity and memory complexity are also significantly reduced.

Quantum Physics,Cryptography and Security,Emerging Technologies

Bohan Li,Hailong Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-031-26553-2_18

2022-01-01

Abstract:Trivium as a representative stream cipher has been adopted by ISO/IEC in 2012. It can be foreseen that Trivium will be widely used to achieve the goal of information security. In practice, probing attacks can be used to recover key bits used by an implementation of Trivium under the (glitch-extended) probing model. In light of this, higher-order masking scheme secure under the glitch-extended probing model should be proposed for Trivium. Inspired by the ideas of the DOM masking scheme proposed by Gross et al. and the CHES 2021 masking scheme proposed by Shahmirzadi et al., we propose two versions of higher-order masking scheme for Trivium. We analyze the security of two versions of higher-order masking scheme under the glitch-extended probing model. Then, the performance of two versions of higher-order masking scheme is evaluated on ASIC and FPGA with or without the pipeline technique, and meaningful observations are obtained. Overall, higher-order masking schemes that are secure under the glitch-extended probing model are proposed for Trivium and their performances are evaluated on typical hardware platforms.

Xiaojuan Zhang,Meicheng Liu,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-99136-8_9

2018-01-01

Abstract:In this paper, we describe a new cube searching method called conditional searching. The main idea of this new searching method is to reduce the searching space and contains two main steps: finding complementary variables and searching conditional cubes. At the first step, we introduce a concept of complementary variables corresponding to cube variables to ensure that cube variables are not multiplied with each other in the first few propagations. According to the taps in the feedback functions, two main strategies are given to find complementary variables. At the second step, we first give a simple algorithm to estimate the maximal size of conditional cubes that don't contain any complementary variable. Then another algorithm is given to search conditional cubes. We can confirm the maximum numbers of initialization rounds of some NFSR-based cryptosystems such that the generated keystream bit does not achieve the maximum algebraic degree with our cube searching method and the algebraic degree estimated method numeric mapping. We apply our method to Trivium to verify the validity and our searching space is about 2(12)(.5) much smaller than that of existing results. We also introduce two Trivium-variants named Par-Trivium and Loc-Trivium, and apply the method to them. We can get an upper bound of the maximum initialization rounds when we change the parameters or the key and IV loading locations in Trivium. The applications provide some insights into the taps used in the feedback functions of such stream ciphers. We believe that our method is useful in both cryptanalysis and design of NFSR-based cryptosystems.

Hao Chen,Tao Wang,Fan Zhang,Xinjie Zhao

DOI: https://doi.org/10.13245/j.hust.170214

2017-01-01

Abstract:The SOSEMANUK stream cipher is a member of the finalists of the eSTREAM proj ect.In this paper,the previous known attacks against SOSEMANUK was presented and discussed.Firstly, SOSEMANUK was described as a set of equations involving the public and key variables at bit level. Secondly,the attacker was assumed to be able to fault a random inner state word and the faults were described as a set of equations by analyzing the propagation of faults.Thirdly,the CryptoMinisat sol-ver was adapted to recover the secret inner state by guessing certain inner state words and solving the combined equations.The results show that the first round attack recovers the secret internal states, requires 20 faults and the computational complexity is dramatically reduced to O(296 ).The first two rounds attack recovers the whole states,requires 10 faults without guessing any inner state word, which is better than the previous known cryptanalytic results.

Lu Xiaojuan,Li Bohan,Liu Meicheng,Lin Dongdai

DOI: https://doi.org/10.1186/s42400-021-00108-3

2022-01-01

Abstract:Nonlinear feedback shift register (NFSR) is one of the most important cryptographic primitives in lightweight cryptography. At ASIACRYPT 2010, Knellwolf et al. proposed conditional differential attack to perform a cryptanalysis on NFSR-based cryptosystems. The main idea of conditional differential attack is to restrain the propagation of the difference and obtain a detectable bias of the difference of the output bit. QUARK is a lightweight hash function family which is designed by Aumasson et al. at CHES 2010. Then the extended version of QUARK was published in Journal of Cryptology 2013. In this paper, we propose an improved conditional differential attack on QUARK. One improvement is that we propose a method to select the input difference. We could obtain a set of good input differences by this method. Another improvement is that we propose an automatic condition imposing algorithm to deal with the complicated conditions efficiently and easily. It is shown that with the improved conditional differential attack on QUARK, we can detect the bias of output difference at a higher round of QUARK. Compared to the current literature, we find a distinguisher of U-QUARK/D-QUARK/S-QUARK/C-QUARK up to 157/171/292/460 rounds with increasing 2/5/33/8 rounds respectively. We have performed the attacks on each instance of QUARK on a 3.30 GHz Intel Core i5 CPU, and all these attacks take practical complexities which have been fully verified by our experiments. As far as we know, all of these results have been the best thus far.

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9468-y

2018-08-31

Science China Information Sciences

Abstract:Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover’s and Simon’s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover’s and Simon’s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks require 20.25nr−0.75n quantum queries to break an r-round Feistel construction. The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of 20.75n. When compared with the best classical attacks, i.e., Dinur et al.’s attacks at CRYPTO 2015, the time complexity is reduced by a factor of 20.5n without incurring any memory cost.

computer science, information systems,engineering, electrical & electronic

Haibo Zhou,Rui Zong,Xiaoyang Dong,Keting Jia,Willi Meier

DOI: https://doi.org/10.1093/comjnl/bxaa101

2020-01-01

Abstract:We introduce an interpolation attack using the Moebius Transform. This can reduce the time complexity to get a linear system of equations for specified intermediate state bits, which is general to cryptanalysis of some ciphers with update function of low algebraic degree. Along this line, we perform an interpolation attack against Elephant-Delirium, a round 2 submission of the ongoing national institute of standards and technology (NIST) lightweight cryptography project. This is the first third-party cryptanalysis on this cipher. Moreover, we promote the interpolation attack by applying it to the Farfalle pseudo-random constructions Kravatte and Xoofff. Our attacks turn out to be the most efficient method for these ciphers thus far.

Peng-kun LIU,Gong-liang CHEN,Jian-hua LI

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.01.023

2017-01-01

Abstract:Different from sequential access, random access means to access any element in the sequence at the same time. Random access efficiency is an important performance parameter of a file system, for which, the encryption algorithm in file system encryption must be able to support efficient random access, or otherwise could seriously reduce the access speed. It is pointed out by J.Dj.GoliC' that the stream ciphering algorithm based on keystream generator can implement efficient and safe encryption on random access file. Also, the design principles are proposed. The Trivium algorithm is one of the 7 winners in eSTREAM program with high efficiency and low hardware complexity. The random access performance of Trivium is improved by using the idea of packet encryption, and the rate of random access reaches 167%of AES-CTR.

Xiaoyang Dong,Bingyou Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s10623-020-00741-y

2020-03-09

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor's attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with <span class="mathjax-tex">\(2^{114.8}\)</span> quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of <span class="mathjax-tex">\(2^{13.2}\)</span>.

Shichang Wang,Meicheng Liu,Dongdai Lin,Li Ma

DOI: https://doi.org/10.1093/comjnl/bxac016

2022-01-01

Abstract:The fast correlation attack (FCA) is one of the most important cryptanalytic techniques against LFSR-based stream ciphers. In CRYPTO 2018, Todo et al. found a new property for the FCA and proposed a novel algorithm which was successfully applied to the Grain family of stream ciphers. Nevertheless, these techniques cannot be directly applied to Grain-like small state stream ciphers with keyed update, such as Plantlet, Fruit-v2 and Fruit80. In this paper, we study the security of Grain-like small state stream ciphers by the FCA. We first observe that the number of required parity-check equations can be reduced when there are multiple different parity-check equations. With exploiting the Skellam distribution, we introduce a sufficient condition to identify the correct LFSR initial state and derive a new relationship between the number and bias of the required parity-check equations. Then, a modified algorithm is presented based on this new relationship, which can recover the LFSR initial state no matter what the round key bits are. Under the condition that the LFSR initial state is known, an algorithm is given against the degraded system and to recover the NFSR state at some time instant, along with the round key bits. As cases study, we apply our cryptanalytic techniques to Plantlet, Fruit-v2 and Fruit-80. As a result, for Plantlet, our attack takes 2(73.75) time complexity and 2(73.06) keystream bits to recover the full 80-bit key. Regarding Fruit-v2, 2(55.34) time complexity and 2(55.62) keystream bits are needed to determine the secret key. As for Fruit-80, 2(64.47) time complexity and 2(62.82) keystream bits are required to recover the secret key. More flexible attacks can be obtained with lower data complexity at the cost of increasing the attack time. Especially, for Fruit-v2, a key recovery attack can be launched with data complexity of 2(42.38) and time complexity of 2(73.31). Moreover, we have implemented our attack methods on a toy version of Fruit-v2. The attack matches the expected complexities predicted by our theoretical analysis quite well, which proves the validity of our cryptanalytic techniques.