Conditional differential cryptanalysis of 105 round Grain v1

In this paper we propose conditional differential cryptanalysis of 105 round Grain v1. This improves the attack proposed on 97 round Grain v1 by Knellwolf et al at Asiacrypt 2010. We take the help of the tool ΔGrain _KSA, to track the differential trails introduced in the internal state of Grain v1 by any difference in the IV bits. We prove that a suitably introduced difference in the IV leads to a distinguisher for the output bit produced in the 105^th round. This helps determine the values of 6 expressions in the Secret Key bits. Using the above attack as a subroutine, we propose a method that determines 9 Secret Key bits explicitly. Thus, the complexity for the Key recovery is proportional to 2⁷¹ operations, which is faster than exhaustive search by 2⁹.

Authors and Affiliations

1. DTU Compute, Technical University of Denmark, Lyngby, Denmark

   Subhadeep Banik

Corresponding author

Correspondence to Subhadeep Banik.

Section 2.4 of this work has been taken from the paper “Some Insights into the Differential Cryptanalysis of Grain v1 [3]” accepted in ACISP 2014 and published in LNCS 8544, pp. 34-49, 2014.

Appendix A: Computing the distribution of \(z_{105}\oplus z_{105}^{\phi }\) for ϕ = 61 if all C ₁, C ₂,…,C ₆ are satisfied

We will prove the bias in the distribution of \(z_{105}\oplus z_{105}^{\phi }\) along similar lines of the proof of the bias of \(z_{97}\oplus z_{97}^{37}\) reported in [3]. The probability values we calculate are computed over the randomness due to the Key bits and the those IV bits not assigned by the Type 1, 2 relations. However, these results also hold, even if the Key is fixed, and the randomness comes only from the IV bits. First we state a straightforward lemma without proof.

Lemma 2

Let F be an i-variable Boolean function, with wt(F)=w. If the vector X is chosen uniformly from {0,1} ⁱ then \(\textsf {Pr}[ F(X) =0] =1- \frac {\textsf {w}}{2^{i}}\).

We begin by inspecting the output of Δ₆₁−Grain _KSA at round t = 105, in which the difference is nullified at rounds t = 15,36,39,42. At t = 105, we have

This implies that of all the bits of \(S_{105}, S_{105}^{\phi }\) involved in the computation of z ₁₀₅ and \(z_{105}^{\phi }\) respectively, the relations between only i) \(x_{148},x_{148}^{\phi }\) ii) \(x_{161},x_{161}^{\phi }\) iii) \(y_{151},y_{151}^{\phi }\) iv) \(y_{169},y_{169}^{\phi }\) v) \(x_{168},x_{168}^{\phi }\) are probabilistic. Therefore we have

We assume that the random variables \(x_{148} \oplus x_{148}^{\phi }\), \(x_{161}\oplus x_{161}^{\phi }\), \(y_{151} \oplus y_{151}^{\phi }\), \(y_{169} \oplus y_{169}^{\phi }\) and \(x_{168}\oplus x_{168}^{\phi }\) are statistically mutually independent of one another. It is difficult to prove this assumption theoretically but extensive computer simulations have shown that one can make this assumption.

1.1 Calculating \(\textsf {Pr}[x_{148} \oplus x_{148}^{\phi }=0]\)

To find this distribution we need to look at the state of our modified Δ₆₁−Grain _KSA at t = 148 − 80 = 68. At this we have u ₆₈ = 0, Υ₆₈ = 0, \(\mathcal {G}_{lin,68}=[v_{68}=0,v_{82}=0, v_{130}=1],\mathcal {G}_{nlin,68}=\mathbf {0} \), and

So we have

So in order to compute the above probability we need to compute the distribution of \((x_{124}\oplus x_{124}^{\phi })\) first. At t = 124−80=44, we have \(u_{44}=0, {\Upsilon }_{44}=[u_{47}=0, u_{69}=0, u_{90}=1,u_{108}=1,v_{107}=0], \chi _{44}=\mathbf {0}, \mathcal {G}_{lin,44}=[v_{44}=0,v_{58}=0,v_{106}=1], \mathcal {G}_{nlin,68}=\mathbf {0}\). Note that y ₄₇ = ν ₄₇ = 0 according to one of the Type 1 conditions, and y ₆₉ = 1 as defined by the padding rule of Grain v1. So we have

Since x ₁₀₇ ⊕ y ₉₀⋅x ₁₀₇ ⊕ y ₉₀ ⊕ y ₁₀₈⋅x ₁₀₇ ⊕ y ₁₀₈ is a Boolean Function of weight 6, assuming independence of the component variables we have \({\textsf {Pr}}\left [x_{124} \oplus x_{124}^{\phi }=0\right ] = 1-\frac {6}{8}=\frac {1}{4}\). This implies that \({\textsf {Pr}}\left [x_{148} \oplus x_{148}^{\phi }=0\right ] = \frac {3}{4}\).

1.2 Calculating \(\textsf {Pr}[y_{151} \oplus y_{151}^{\phi }=0]\)

To find this distribution we need to look at the state of our modified Δ₆₁−Grain _KSA at t = 151−80=71. At this we have Υ₇₁ = [u ₇₄ = 0,u ₉₆ = 0,u ₁₁₇ = 0,u ₁₃₅ = 2,v ₁₃₄ = 2], \(\mathcal {F}_{71}=\mathbf {0}, \chi _{71}=\mathbf {0}\). So we have

Define the set of functions h _{i j} = h(y ₇₄, y ₉₆, y ₁₁₇, y ₁₃₅, x ₁₃₄)⊕h(y ₇₄, y ₉₆, y ₁₁₇, y ₁₃₅ ⊕ i, x ₁₃₄ ⊕ j), for i, j ∈ {0, 1}. Now assuming independence or the random variables involved, we can write,

To compute this probability, we would need to calculate the individual probabilities \(\textsf {Pr}\left [y_{135}\oplus y_{135}^{\phi }=0\right ]\) and \(\textsf {Pr}\left [x_{134}\oplus x_{134}^{\phi }=0\right ]\). At t = 135−80=55, we have \(\mathcal {F}_{55}=[u_{55}=0, u_{68}=0, u_{78}=0,u_{93}=0, u_{106}=1,u_{117}=0]\), χ ₅₅ = 0, Υ₅₅ = [u ₅₈ = 0,u ₈₀ = 0,u ₁₀₁ = 0,u ₁₁₉ = 1,v ₁₁₈ = 0]. So we have

This represents a Boolean Function of weight 2, and hence we have \(\textsf {Pr}[y_{135}\oplus y_{135}^{\phi }=0]= 1- \frac {2}{8}=\frac {3}{4}\). Now at t = 134−80=54, we have \(\chi _{54}=\mathbf {0}, \mathcal {G}_{lin,54}=\mathbf {0}, u_{54}=0, {\Upsilon }_{54}= [u_{57}=0, u_{79}=0,u_{100}=0, u_{118}=1,v_{117}=0]\)and all elements of \(\mathcal {G}_{nlin,54}\) are zeros except v ₁₀₆ = 1. So we have

We have to set x ₉₉ = 1, in the above equation since it is one of the conditions imposed at t = 36 to nullify a difference. Hence we have \(\textsf {Pr}[y_{135} \oplus y_{135}^{\phi }=0] = \frac {35}{64}\). Now turning back to our original problem, we know that \(\textsf {Pr}[h_{00}=0]=1, \textsf {Pr}[h_{01}=0]=\frac {1}{2}, \textsf {Pr}[h_{10}=0]=\frac {1}{4}, \textsf {Pr}[h_{11}=0] = \frac {1}{2} \). Putting these values in (9), we get \(\textsf {Pr}[y_{151} \oplus y_{151}^{\phi }=0]\approx 0.6709\).

1.3 Calculating \(\textsf {Pr}[y_{169} \oplus y_{169}^{\phi }=0]\), \(\textsf {Pr}[x_{168} \oplus x_{168}^{\phi }=0]\) and \({\textsf {Pr}}[x_{161} \oplus x_{161}^{\phi }=0]\)

To compute these probabilities, we will need to look at outputs of Δ₆₁−Grain _KSA at t = 81,88,89. However at these rounds both χ _t and Υ _t have many elements equal to 2 and hence at this point we have to delve into several lower KSA rounds and compute the distributions of several intermediate variables and work our way up from there. Since this is slightly tedious, we omit extensive analysis of these two distributions and simply state the results.

1.4 Calculating \(\textsf {Pr}[h(y_{108} , y_{130} , y_{151} , y_{169} , x_{168} )\oplus h(1\oplus y_{108} , 1\oplus y_{130} , y_{151}^{\phi } , y_{169}^{\phi } ,\) \( x_{168}^{\phi })=0]\)

For the sake of conciseness, let this expression be denoted by the symbol H, and define the Boolean Functions \(\mathcal {H}_{ijk}= h(y_{108} , y_{130} , y_{151} , y_{169} , x_{168} )\oplus h(1\oplus y_{108} , 1\oplus y_{130} , i \oplus y_{151} ,j\oplus y_{169} ,k\oplus x_{168})\), for all i, j, k ∈ {0, 1}. Assuming independence, it is easy to see that Pr[H = 0] equals

As it turns out, all the functions \(\mathcal {H}_{ijk}\) are balanced except \(\mathcal {H}_{011}\) and \({\textsf {Pr}}[\mathcal {H}_{011}=0]=\frac {3}{4}\). By plugging these values into the above equation we get Pr[H = 0]≈0.542.

1.5 Calculating \(\textsf {Pr}[z_{105}\oplus z_{105}^{\phi } =0]\)

From (9), we can write \(\textsf {Pr}[z_{105}\oplus z_{105}^{\phi } =0 ]\) equal to the following:

This concludes our proof for the distribution of \(z_{105}\oplus z_{105}^{\phi } =0\). This has also been verified by independent computer simulations.

Reprints and permissions