a new version of grain-128 with authentication
TRANSCRIPT
A New Version of Grain-128 withAuthentication
Martin Agren1
Martin Hell1
Thomas Johansson1
Willi Meier2
1 Lund University, Sweden
2 FHNW, Switzerland
110216 / Lyngby
Outline
1 IntroductionMotivation and Goals
2 The Old Grain-128The AlgorithmAttacks and Observations
3 The New Grain-128aThe New Grain-128aAuthentication
4 Conclusion
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 2 / 16
Outline
1 IntroductionMotivation and Goals
2 The Old Grain-128The AlgorithmAttacks and Observations
3 The New Grain-128aThe New Grain-128aAuthentication
4 Conclusion
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 3 / 16
Motivation and Goals
I Grain-128 is lightweight but somenonlinearities are too lightweight.
I Some applications need built-in authentication
I . . . but leaving it out should be possible.
I Allow for easy updating of existing implementations.
I . . . and trust!
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 4 / 16
Outline
1 IntroductionMotivation and Goals
2 The Old Grain-128The AlgorithmAttacks and Observations
3 The New Grain-128aThe New Grain-128aAuthentication
4 Conclusion
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 5 / 16
The Old Grain-128
NFSR LFSR
g f
h
I 128-bit key, 96-bit IV.
I An LFSR provides a large period.
I An NFSR with degree two updates the state nonlinearly.
I An output function of degree three produces nonlinear output.
I State bits are added linearly to ensure resiliency.
I Initialize in 256 rounds: feed output into the registers.
I Make faster by duplicating Boolean functions.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 6 / 16
IV Padding Sliding Property
NFSR LFSR
g f
h
I The 96-bit IV goes into a 128-bit register and is padded with111. . . 111. With high probability, a shifted key and a shiftedIV will produce the exact same keystream, only with a shift.[Kucuk06], [DeCaKuPre08]
I Related-key Chosen-IV. [LeeJeongSungHong08]
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 7 / 16
Too Little Nonlinearity or Initialization
I Cube, 237/256 [AumDinHenMeiSha09]
I Maxterm, 256/256 [Stankovski10]
Looking at the first keystream bits, the equations,in unknown key bits, are not complicated enough.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 8 / 16
Too Little Nonlinearity and Similar Bits
I Chosen-IV (cube): Assuming ten specific key bits to bezero, the equations simplify “enough”. [DinSha11]
NFSR LFSR
g f
h
I Also, bi+95 and si+95 are multiplied together. Duringinitialization, they are too similar, meaning the complexitydoesn’t grow as much as wanted.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 9 / 16
Too Little Nonlinearity and Similar Bits
I Chosen-IV (cube): Assuming ten specific key bits to bezero, the equations simplify “enough”. [DinSha11]
NFSR LFSR
g f
h
I Also, bi+95 and si+95 are multiplied together. Duringinitialization, they are too similar, meaning the complexitydoesn’t grow as much as wanted.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 9 / 16
Outline
1 IntroductionMotivation and Goals
2 The Old Grain-128The AlgorithmAttacks and Observations
3 The New Grain-128aThe New Grain-128aAuthentication
4 Conclusion
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 10 / 16
Changes from Grain-128
NFSR LFSR
g f
h
Grain-128 with changes:
I Pad the IV with 111. . . 110.
I NFSR has nonlinearity four.
I Change a tap into the output function:bi+95, si+94, so that we don’tmultiply bits that are “similar”.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 11 / 16
Authentication
The above algorithm is used to produce pre-output stream.Use different parts of it for different things:
I Encryption
I Authentication
Key
IV
Message
Pre-outputgenerator
z0z1 . . . z63 . . . . . . z64+2iz65+2i . . .
MAC
mi ciCiphertext
tTag
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 12 / 16
Authentication
The above algorithm is used to produce pre-output stream.Use different parts of it for different things:
I Encryption
I Authentication
Key
IV
Message
Pre-outputgenerator
z0z1 . . . z63 . . . . . . z64+2iz65+2i . . .
MAC
mi ciCiphertext
tTag
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 12 / 16
Authentication
Accumulator
Shift register
. . .mi
bits from pre-output
I A Wegman-Carter approach.
I Initialize both registers with pre-output bits.
I We multiply the message bit vector by a Toeplitz matrix.
I PS is the prob. that an attack succeeds.
I With perfectly random input to the shift register, PS = 2−32.
I We have PS < 2−32 + 2ε. [Krawczyk95], [AHJ11],[Maximov06]
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 13 / 16
Authentication
Accumulator
Shift register
. . .mi
bits from pre-output
I A Wegman-Carter approach.
I Initialize both registers with pre-output bits.
I We multiply the message bit vector by a Toeplitz matrix.
I PS is the prob. that an attack succeeds.
I With perfectly random input to the shift register, PS = 2−32.
I We have PS < 2−32 + 2ε. [Krawczyk95], [AHJ11],[Maximov06]
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 13 / 16
Hardware Characteristics
Several nice aspects:
I We can still increase the speed up to 32x.
I We can leave out the authentication.
I . . . or part of it. w -bit tags for 2−w .
The cheapest one — a version that produces one bit per clock:
I Grain-128: 2133 gate equivalents
I Grain-128a: 2243 gate equivalents; a five per cent increase(as a bonus, we initialize faster.)
Adding authentication, we’d get a total of 2867 gate equivalents.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 14 / 16
Hardware Characteristics
Several nice aspects:
I We can still increase the speed up to 32x.
I We can leave out the authentication.
I . . . or part of it. w -bit tags for 2−w .
The cheapest one — a version that produces one bit per clock:
I Grain-128: 2133 gate equivalents
I Grain-128a: 2243 gate equivalents; a five per cent increase(as a bonus, we initialize faster.)
Adding authentication, we’d get a total of 2867 gate equivalents.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 14 / 16
Outline
1 IntroductionMotivation and Goals
2 The Old Grain-128The AlgorithmAttacks and Observations
3 The New Grain-128aThe New Grain-128aAuthentication
4 Conclusion
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 15 / 16
Conclusion
Grain-128a
I is at least as secure than Grain-128,
I resists all current cryptanalysis on Grain-128,
I has optional authentication,
I is still hardware-efficient.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16
On Cube/Maxterm/AIDA/...
bitset size
number of rounds
5 10 15 20 25 30 35 40
50
100
150
200
256
How does a greedy strategy aid in finding good bitsets?Upper curve: Stankovski’s on Grain-128.Lower curve: Ours on the pre-output of Grain-128a.
M. Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16