Back to Search Start Over

On Grain-Like Small State Stream Ciphers Against Fast Correlation Attacks: Cryptanalysis of Plantlet, Fruit-v2 and Fruit-80.

Authors :
Wang, Shichang
Liu, Meicheng
Lin, Dongdai
Ma, Li
Source :
Computer Journal; Jun2023, Vol. 66 Issue 6, p1376-1399, 24p
Publication Year :
2023

Abstract

The fast correlation attack (FCA) is one of the most important cryptanalytic techniques against LFSR-based stream ciphers. In CRYPTO 2018, Todo et al. found a new property for the FCA and proposed a novel algorithm which was successfully applied to the Grain family of stream ciphers. Nevertheless, these techniques cannot be directly applied to Grain-like small state stream ciphers with keyed update, such as Plantlet, Fruit-v2 and Fruit80. In this paper, we study the security of Grain-like small state stream ciphers by the FCA. We first observe that the number of required parity-check equations can be reduced when there are multiple different parity-check equations. With exploiting the Skellam distribution, we introduce a sufficient condition to identify the correct LFSR initial state and derive a new relationship between the number and bias of the required parity-check equations. Then, a modified algorithm is presented based on this new relationship, which can recover the LFSR initial state no matter what the round key bits are. Under the condition that the LFSR initial state is known, an algorithm is given against the degraded system and to recover the NFSR state at some time instant, along with the round key bits. As cases study, we apply our cryptanalytic techniques to Plantlet, Fruit-v2 and Fruit-80. As a result, for Plantlet, our attack takes |$ 2^{73.75} $| time complexity and |$ 2^{73.06} $| keystream bits to recover the full 80-bit key. Regarding Fruit-v2, |$ 2^{55.34} $| time complexity and |$ 2^{55.62} $| keystream bits are needed to determine the secret key. As for Fruit-80, |$2^{64.47}$| time complexity and |$2^{62.82}$| keystream bits are required to recover the secret key. More flexible attacks can be obtained with lower data complexity at the cost of increasing the attack time. Especially, for Fruit-v2, a key recovery attack can be launched with data complexity of |$2^{42.38}$| and time complexity of |$2^{73.31}$|⁠. Moreover, we have implemented our attack methods on a toy version of Fruit-v2. The attack matches the expected complexities predicted by our theoretical analysis quite well, which proves the validity of our cryptanalytic techniques. [ABSTRACT FROM AUTHOR]

Details

Language :
English
ISSN :
00104620
Volume :
66
Issue :
6
Database :
Complementary Index
Journal :
Computer Journal
Publication Type :
Academic Journal
Accession number :
164417631
Full Text :
https://doi.org/10.1093/comjnl/bxac016