In this paper we describe the first single-key attack which can recover the full key of the full version of Grain-128 for arbitrary keys by an algorithm which is significantly faster than exhaustive search (by a factor of about $2^{38}$). It is based on a new version of a cube tester, which uses an improved choice of dynamic variables to eliminate the previously made assumption that ten particular key bits are zero. In addition, the new attack is much faster than the previous weak-key attack, and has a simpler key recovery process. Since it is extremely difficult to mathematically analyze the expected behavior of such attacks, we implemented it on RIVYERA, which is a new massively parallel reconfigurable hardware, and tested its main components for dozens of random keys. These tests experimentally verified the correctness and expected complexity of the attack, by finding a very significant bias in our new cube tester for about 7.5% of the keys we tested. This is the first time that the main components of a complex analytical attack are successfully realized against a full-size cipher with a special-purpose machine. Moreover, it is also the first attack that truly exploits the configurable nature of an FPGA-based cryptanalytical hardware.