Martin Hell

Grain: a stream cipher for constrained environments

A new stream cipher, Grain, is proposed. The design targets hardware environments where gate count, power consumption and memory is very limited. It is based on two shift registers and a non-linear output function. The cipher has the additional feature that the speed can be increased at the expense of extra hardware. The key size is 80 bits and no attack faster than exhaustive key search has been identified. The hardware complexity and throughput compares favourably to other hardware oriented stream ciphers like E0 and A5/1.

A Stream Cipher Proposal: Grain-128

A new stream cipher, Grain-128, is proposed. The design is very small in hardware and it targets environments with very limited resources in gate count, power consumption, and chip area. Grain-128 supports key size of 128 bits and IV size of 96 bits. The design is very simple and based on two shift registers, one linear and one nonlinear, and an output function

The Grain Family of Stream Ciphers

A new family of stream ciphers, Grain, is proposed. Two variants, a 80-bit and a 128-bit variant are specified, denoted Grain and Grain-128 respectively. The designs target hardware environments where gate count, power consumption and memory are very limited. Both variants are based on two shift registers and a nonlinear output function. The ciphers also have the additional feature that the speed can be easily increased at the expense of extra hardware.

Grain-128a: a new version of Grain-128 with optional authentication

A new version of the stream cipher Grain-128 is proposed. The new version, Grain-128a, is strengthened against all known attacks and observations on the original Grain-128, and has built-in support for optional authentication. The changes are modest, keeping the basic structure of Grain-128. This gives a high confidence in Grain-128a and allows for easy updating of existing implementations.

Towards a general RC4-Like keystream generator

RC4 was designed in 1987 when 8-bit and 16-bit processors were commercially available. Today, most processors use 32-bit or 64-bit words but using original RC4 with 32/64 bits is infeasible due to the large memory constraints and the number of operations in the key scheduling algorithm. In this paper we propose a new 32/64-bit RC4-like keystream generator. The proposed generator produces 32 or 64 bits in each iteration and can be implemented in software with reasonable memory requirements. It has a huge internal state and offers higher resistance to state recovery attacks than the original 8-bit RC4. Further, on a 32-bit processor the generator is 3.1 times faster than original RC4. We also show that it can resist attacks that are successful on the original RC4. The generator is suitable for high speed software encryption.

Breaking the F-FCSR-H Stream Cipher in Real Time

The F-FCSR stream cipher family has been presented a few years ago. Apart from some flaws in the initial propositions, corrected in a later stage, there are no known weaknesses of the core of these algorithms. The hardware oriented version, called FCSR-H, is one of the ciphers selected for the eSTREAM portfolio. In this paper we present a new and severe cryptanalytic attack on the F-FCSR stream cipher family. We give the details of the attack when applied on F-FCSR-H. The attack requires a few Mbytes of received sequence and the complexity is low enough to allow the attack to be performed on a single PC within seconds.

A Note on Distinguishing Attacks

A new distinguishing attack scenario for stream ciphers, allowing a resynchronization collision attack, is presented. The attack can succeed if the part of the state that depends on both the key and the IV is smaller than twice the key size. It is shown that the attack is applicable to block ciphers in OFB mode. For OFB mode, the attack is more powerful than the previously known generic distinguishing attack since it will directly recover a part of the plaintext while having the same asymptotic complexity as the generic distinguishing attack. The attack is also demonstrated on the eSTREAM candidate LEX. LEX is not vulnerable to any of the previously known generic distinguishing attack but is vulnerable to the new attack. It is shown that if approximately 265.7 resynchro-nizations using LEX are performed for the same key, some plaintext might be recovered.

An overview of distinguishing attacks on stream ciphers

This paper overviews basic theory on distinguishing attacks on stream ciphers. It illustrates underlying ideas and common techniques without going into too many details on each topic. Some new approaches in distinguishing attacks are also included.

Breaking the Stream Ciphers F-FCSR-H and F-FCSR-16 in Real Time

The F-FCSR stream cipher family has been presented a few years ago. Apart from some flaws in the initial propositions, corrected in a later stage, there are no known weaknesses of the core of these algorithms. Two variants, F-FCSR-H and F-FCSR-16, were proposed in the eSTREAM project, and F-FCSR-H v2 is one of the ciphers selected for the eSTREAM portfolio.In this paper we present a new and severe cryptanalytic attack on the F-FCSR stream cipher family. We give the details of the attack when applied to F-FCSR-H v2 and F-FCSR-16. The attack requires a few Mbytes of received sequence, and the complexity is low enough to allow the attack to be performed on a single PC within seconds.

Two New Attacks on the Self-Shrinking Generator

The self-shrinking generator was introduced in 1994. It is based on the idea behind the shrinking generator and despite its simplicity it has remained remarkably resistant to efficient attacks. Several known plaintext attacks have been proposed on the generator, some operating on a short keystream and others requiring a longer sequence to succeed. In this paper, two new attacks on the self-shrinking generator are proposed. The first attack, using a short known keystream, has the same complexity as the BDD-based attack, which is the best previously known attack. However, while the BDD-based attack requires a huge amount of memory, the proposed algorithm uses almost no memory, leaving it as the preferred alternative. The second attack operates on a longer known keystream, exponential in the length of the LFSR. The attack considers one or several segments of keystream bits and guesses that these bits stem from LFSR segments of some size. It is shown that this attack achieves better complexity than any previously known attack