Cryptology ePrint Archive: Report 2018/522

Fast Correlation Attack Revisited --Cryptanalysis on Full Grain-128a, Grain-128, and Grain-v1

Yosuke Todo and Takanori Isobe and Willi Meier and Kazumaro Aoki and Bin Zhang

Abstract: A fast correlation attack (FCA) is a well-known cryptanalysis technique for LFSR-based stream ciphers. The correlation between the initial state of an LFSR and corresponding key stream is exploited, and the goal is to recover the initial state of the LFSR. In this paper, we revisit the FCA from a new point of view based on a finite field, and it brings a new property for the FCA when there are multiple linear approximations. Moreover, we propose a novel algorithm based on the new property, which enables us to reduce both time and data complexities. We finally apply this technique to the Grain family, which is a well-analyzed class of stream ciphers. There are three stream ciphers, Grain-128a, Grain-128, and Grain-v1 in the Grain family, and Grain-v1 is in the eSTREAM portfolio and Grain-128a is standardized by ISO/IEC. As a result, we break them all, and especially for Grain-128a, the cryptanalysis on its full version is reported for the first time.

Category / Keywords: Fast correlation attack, Stream cipher, LFSR, Finite field, Multiple linear approximations, Grain-128a, Grain-128, Grain-v1

Original Publication (in the same form): IACR-CRYPTO-2018

Date: received 27 May 2018, last revised 18 Sep 2018

Contact author: todo yosuke at lab ntt co jp, ysktodo@gmail com, takanori isobe@ai u-hyogo ac jp, willi meier@fhnw ch, aoki kazumaro@lab ntt co jp, martin_zhangbin@hotmail com

Available format(s): PDF | BibTeX Citation

Version: 20180919:011539 (All versions of this report)

Short URL: ia.cr/2018/522


[ Cryptology ePrint archive ]