Publication


Featured research published by Martin Ågren.


International Journal of Wireless and Mobile Computing | 2011

Grain-128a: a new version of Grain-128 with optional authentication

Martin Ågren; Martin Hell; Thomas Johansson; Willi Meier

A new version of the stream cipher Grain-128 is proposed. The new version, Grain-128a, is strengthened against all known attacks and observations on the original Grain-128, and has built-in support for optional authentication. The changes are modest, keeping the basic structure of Grain-128. This gives a high confidence in Grain-128a and allows for easy updating of existing implementations.


international cryptology conference | 2012

On the Distribution of Linear Biases: Three Instructive Examples

Mohamed Ahmed Abdelraheem; Martin Ågren; Peter Beelen; Gregor Leander

Despite the fact that we evidently have very good block ciphers at hand today, some fundamental questions on their security are still unsolved. One such fundamental problem is to precisely assess the security of a given block cipher with respect to linear cryptanalysis. In by far most of the cases we have to make (clearly wrong) assumptions, e.g., assume independent round-keys. Besides being unsatisfactory from a scientific perspective, the lack of fundamental understanding might have an impact on the performance of the ciphers we use. As we do not understand the security sufficiently enough, we often tend to embed a security margin -- from an efficiency perspective nothing else than wasted performance. The aim of this paper is to stimulate research on these foundations of block ciphers. We do this by presenting three examples of ciphers that behave differently to what is normally assumed. Thus, on the one hand these examples serve as counter examples to common beliefs and on the other hand serve as a guideline for future work.


Cryptography and Communications | 2012

A survey on fast correlation attacks

Martin Ågren; Carl Löndahl; Martin Hell; Thomas Johansson

Fast correlation attacks, pioneered by Meier and Staffelbach in 1988, constitute an important class of attacks on stream ciphers. They exploit a correlation between the keystream and the output of a linear feedback shift register (LFSR) within the cipher. Several factors affect the feasibility of such an attack, e.g., the amount of available keystream and the number of taps in the LFSR. Notably, for a fixed number of taps, the length of the LFSR does not affect the complexity of the attack. When the register does not have a sufficiently small number of taps, however, the attacker will try to find parity check equations of low weight, at which point the length of the register does matter. In this paper, we go through the significant contributions to this field of cryptanalysis, reiterating the various algorithms that have been developed for finding parity check equations and performing the online stage on received keystream. We also suggest some new generalizations of Meier-Staffelbach’s original formulations.


international conference on cryptology in india | 2011

Linear cryptanalysis of PRINTcipher: trails and samples everywhere

Martin Ågren; Thomas Johansson

PRINTcipher is a recent lightweight block cipher designed by Knudsen et al. Some noteworthy characteristics are a burnt-in key, a key-dependent permutation layer and identical round keys. Independent work on PRINTcipher has identified weak key classes that allow for a key recovery -- the obvious countermeasure is to avoid these weak keys at the cost of a small loss of key entropy. This paper identifies several larger classes of weak keys. We show how to distinguish classes of keys and give a 28-round linear attack applicable to half the keys. We show that there are several similar attacks, each focusing on a specific class of keys. We also observe how some specific properties of PRINTcipher allow us to collect several samples from each plaintext-ciphertext pair. We use this property to construct an attack on 29-round PRINTcipher applicable to a fraction 2^-5 of the keys.


international symposium on turbo codes and iterative information processing | 2012

Improved message passing techniques in fast correlation attacks on stream ciphers

Martin Ågren; Martin Hell; Thomas Johansson; Carl Löndahl

The fast correlation attack is a general cryptanalytic attack directed at stream ciphers and is related to the decoding of low-density parity-check (LDPC) codes. In this paper, we improve the message passing algorithm by exploiting the fact that the sum of an arbitrary number of initial state variables, called a fixed point, can be written as the sum of only a few other variables. This will result in better use of information in the message passing algorithm. Simulations show that this added information results in better success probabilities for the attack. Our technique may also find applications to LDPC codes with girth 4, although such codes are normally avoided.


IET Information Security | 2012

On Hardware-Oriented Message Authentication

Martin Ågren; Martin Hell; Thomas Johansson

We consider hardware-oriented message authentication, more specifically universal hash functions. We propose a new type of constructions that appear promising. These constructions are based on the framework of universal hash functions, Toeplitz matrices and epsilon-biased sample spaces. Some new theoretical results in this area are derived. The new constructions come at the price of not being able to prove the exact substitution probability. The expected probability is examined both through theoretical methods as well as through simulation.


security of information and networks | 2011

Cryptanalysis of the stream cipher BEAN

Martin Ågren; Martin Hell

BEAN is a recent stream cipher proposal that uses Feedback with Carry Shift Registers (FCSRs) and an output function. There is a sound motivation behind the use of FCSRs in BEAN as they provide several cryptographically interesting properties. In this paper, we show that the output function is not optimal. We give an efficient distinguisher and a key recovery attack that is slightly better than brute force, requiring no significant memory. We then show how this attack can be made better with access to more keystream. Already with access to 6 KiB, the 80-bit key is recovered in time 2^73.


Symmetric Key Encryption Workshop 2011 | 2011

A New Version of Grain-128 with Authentication

Martin Ågren; Martin Hell; Thomas Johansson; Willi Meier


2011 Workshop on Lightweight Security & Privacy: Devices, Protocols, and Applications | 2011

On Hardware-Oriented Message Authentication with Applications towards RFID

Martin Ågren; Martin Hell; Thomas Johansson


Lecture Notes in Computer Science | 2012

Some instant- and practical-time related-key attacks on KTANTAN32/48/64

Martin Ågren

Collaboration


Dive into Martin Ågren's collaboration.

Top Co-Authors

Peter Beelen

Technical University of Denmark
