Linear cryptanalysis method for DES cipher
EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
Differential Cryptanalysis of DES-like Cryptosystems
CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
Related-Key Chosen IV Attacks on Grain-v1 and Grain-128
ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Cube Attacks on Tweakable Black Box Polynomials
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium
Fast Software Encryption
Algorithmic Cryptanalysis
A framework for chosen IV statistical analysis of stream ciphers
INDOCRYPT'07 Proceedings of the cryptology 8th international conference on Progress in cryptology
Chosen IV statistical analysis for key recovery attacks on stream ciphers
AFRICACRYPT'08 Proceedings of the Cryptology in Africa 1st international conference on Progress in cryptology
Cryptanalysis of the atmel cipher in secure memory, cryptoMemory and crypto RF
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
A cryptanalysis of PRINTcipher: the invariant subspace attack
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Grain-128a: a new version of Grain-128 with optional authentication
International Journal of Wireless and Mobile Computing
An experimentally verified attack on full grain-128 using dedicated reconfigurable hardware
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Conditional differential cryptanalysis of trivium and KATAN
SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
The Cube Attack on Stream Cipher Trivium and Quadraticity Tests
Fundamenta Informaticae - Cryptology in Progress: 10th Central European Conference on Cryptology, Będlewo Poland, 2010
High order differential attacks on stream ciphers
Cryptography and Communications
On the security of hummingbird-2 against side channel cube attacks
WEWoRC'11 Proceedings of the 4th Western European conference on Research in Cryptology
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
A differential fault attack on the grain family of stream ciphers
CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security
Some results on related Key-IV pairs of grain
SPACE'12 Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering
A differential fault attack on grain-128a using MACs
SPACE'12 Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering
A new model for error-tolerant side-channel cube attacks
CHES'13 Proceedings of the 15th international conference on Cryptographic Hardware and Embedded Systems
Hi-index | 0.00 |
We present a new variant of cube attacks called a dynamic cube attack. Whereas standard cube attacks [4] find the key by solving a system of linear equations in the key bits, the new attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic cube attacks can create lower degree representations of the given cipher, which makes it possible to attack schemes that resist all previously known attacks. In this paper we concentrate on the well-known stream cipher Grain-128 [6], on which the best known key recovery attack [15] can recover only 2 key bits when the number of initialization rounds is decreased from 256 to 213. Our first attack runs in practical time complexity and recovers the full 128-bit key when the number of initialization rounds in Grain-128 is reduced to 207. Our second attack breaks a Grain-128 variant with 250 initialization rounds and is faster than exhaustive search by a factor of about 228. Finally, we present an attack on the full version of Grain-128 which can recover the full key but only when it belongs to a large subset of 2-10 of the possible keys. This attack is faster than exhaustive search over the 2118 possible keys by a factor of about 215. All of our key recovery attacks are the best known so far, and their correctness was experimentally verified rather than extrapolated from smaller variants of the cipher. This is the first time that a cube attack was shown to be effective against the full version of a well known cipher which resisted all previous attacks.