Abstract
In this paper, we evaluate the security of FASER and TriviA-ck, two authenticated encryption schemes submitted to the CAESAR competition, using linear cryptanalysis. We point out that the most serious weakness of FASER is that its linear FSRs and nonlinear FSRs do not interact with each other. By linearly approximating the MAJ function, it is therefore possible to derive linear approximations involving only the keystream words and the initial states of the linear FSRs. We find such equations with correlation coefficient \(2^{-1}\) for both FASER128 and FASER256. They lead to recovery of the initial states of the linear FSRs with an off-line time complexity of \(2^{36}\) (to compute a low-weight multiple of the feedback polynomial) and a negligible online time complexity, polynomial in the total length of the linear FSRs, given \(2^{36}\) keystream words. Moreover, we construct distinguishers involving two consecutive steps of keystream words with correlation coefficient \(2^{-2}\) for FASER128 and FASER256, so only \(16\) keystream words are needed to distinguish the keystream of either cipher from a random sequence. These distinguishers do not rely on any weakness of the MIX operation, so the distinguishing attack still works even if the FASER designers modify the MIX function. Finally, we use the linear sequential circuit approximation (LSCA) method to analyze TriviA-ck, a stream cipher similar to Trivium, and derive a linear function of consecutive keystream bits with correlation coefficient \(2^{-76}\). This shows that TriviA-ck has much weaker immunity against linear cryptanalysis than Trivium.
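To make the figures in the abstract concrete, the following Python block is an added example (not code from the paper or from the FASER submission). It computes the correlation of the 3-input MAJ function with every linear mask, which shows that MAJ agrees with any single input on 6 of its 8 inputs (correlation \(2^{-1}\)), combines two such approximations with the piling-up lemma to obtain \(2^{-2}\), and converts a correlation \(c\) into the usual sample budget of about \(1/c^{2}\), which is \(16\) for \(c = 2^{-2}\). Reading the two-step distinguisher as the XOR of two correlation-\(2^{-1}\) approximations is an assumption made here for illustration; the paper's actual equations are not reproduced. The biased bit samples fed to the toy distinguisher at the end are constructed, not FASER keystream.

```python
"""Linear approximations of MAJ and what they cost a distinguisher.

Added example (not code from the FASER/TriviA-ck paper): computes the
correlation of the 3-input MAJ function with every linear mask, combines
approximations with the piling-up lemma, converts a correlation into a
keystream-sample budget (about 1/c^2), and runs a toy distinguisher on
constructed samples. The constructed samples are not FASER keystream.
"""
import random
from itertools import product
from math import ceil


def maj(x: int, y: int, z: int) -> int:
    """Majority of three bits, MAJ(x, y, z) = xy ^ xz ^ yz."""
    return (x & y) ^ (x & z) ^ (y & z)


def correlation(f, n: int, mask: tuple) -> float:
    """c = 2 * Pr[f(x) = mask . x] - 1 over all 2^n inputs (Walsh coefficient / 2^n)."""
    agree = 0
    for bits in product((0, 1), repeat=n):
        lin = 0
        for m, b in zip(mask, bits):
            lin ^= m & b
        if f(*bits) == lin:
            agree += 1
    return 2 * agree / 2 ** n - 1


def walsh_spectrum(f, n: int) -> dict:
    """Correlation of f with every linear mask (a_1, ..., a_n)."""
    return {mask: correlation(f, n, mask) for mask in product((0, 1), repeat=n)}


def best_masks(f, n: int) -> list:
    """Masks reaching the largest |correlation|: the approximations an attacker picks."""
    spec = walsh_spectrum(f, n)
    top = max(abs(c) for c in spec.values())
    return sorted(m for m, c in spec.items() if abs(c) == top)


def piling_up(correlations) -> float:
    """Piling-up lemma: the XOR of independent approximations has the product correlation."""
    c = 1.0
    for ci in correlations:
        c *= ci
    return c


def samples_to_distinguish(c: float) -> int:
    """Rule of thumb: about 1/c^2 samples to see a correlation-c bias above the noise."""
    return ceil(1.0 / c ** 2)


def empirical_correlation(samples) -> float:
    """2 * (fraction of samples on which the approximation held) - 1."""
    samples = list(samples)
    return 2 * sum(samples) / len(samples) - 1


def constructed_samples(c: float, n: int, seed: int) -> list:
    """Constructed stand-in for 'approximation held' bits with true correlation c (c = 0: random)."""
    rng = random.Random(seed)
    return [1 if rng.random() < (1 + c) / 2 else 0 for _ in range(n)]


def looks_like_keystream(samples, c: float) -> bool:
    """Distinguisher: accept if the observed correlation is at least half the predicted one."""
    return empirical_correlation(samples) >= c / 2


if __name__ == "__main__":
    for mask, c in walsh_spectrum(maj, 3).items():
        print(mask, c)
    c1 = correlation(maj, 3, (1, 0, 0))   # MAJ ~ x: correlation 2^-1 (same for y and z)
    c2 = piling_up([c1, c1])             # two such approximations XORed: 2^-2
    print(samples_to_distinguish(c2))    # 16 samples
    print(looks_like_keystream(constructed_samples(c2, 4096, 1), c2))
```

Running the block prints the full spectrum: the only masks with non-zero correlation are the three single-input masks (+1/2) and the all-ones mask (-1/2). That is exactly why a keystream word that passes through MAJ leaks a linear combination of FSR state with correlation \(2^{-1}\), and why the cost of the resulting distinguisher grows as \(1/c^{2}\) once approximations are chained.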
This work was supported by the National Grand Fundamental Research 973 Program of China (Grant No. 2013CB338002) and the programs of the National Natural Science Foundation of China (Grant No. 60833008, 60603018, 61173134, 91118006, 61272476).
References
CAESAR: Competition for authenticated encryption: Security, applicability, and robustness. http://competitions.cr.yp.to/caesar.html
Ågren, M., Löndahl, C., Hell, M., Johansson, T.: A survey on fast correlation attacks. Cryptography and Communications 4(3–4), 173–202 (2012)
Berbain, C., Gilbert, H., Maximov, A.: Cryptanalysis of Grain. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 15–29. Springer, Heidelberg (2006)
Chakraborti, A., Nandi, M.: TriviA-ck v1. CAESAR (2014)
Chaza, F., McDonald, C., Avanzi, R.: FASER v1: Authenticated encryption in a feedback shift register. CAESAR (2014)
Coppersmith, D., Halevi, S., Jutla, C.: Cryptanalysis of stream ciphers with linear masking. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 515–532. Springer, Heidelberg (2002)
De Cannière, C.: Trivium: A stream cipher construction inspired by block cipher design principles. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 171–186. Springer, Heidelberg (2006)
Feng, X., Zhang, F.: A realtime key recovery attack on the authenticated cipher FASER128. Cryptology ePrint Archive, Report 2014/258 (2014). http://eprint.iacr.org/
Golić, J.D.: Intrinsic statistical weakness of keystream generators. In: Safavi-Naini, R., Pieprzyk, J.P. (eds.) ASIACRYPT 1994. LNCS, vol. 917, pp. 91–103. Springer, Heidelberg (1995)
Hell, M., Johansson, T.: Linear attacks on stream ciphers. In: Advanced Linear Cryptanalysis of Block and Stream Ciphers. Cryptology and Information Security Series, pp. 55–85 (2011)
Khazaei, S., Hassanzadeh, M.: Linear sequential circuit approximation of the Trivium stream cipher. eSTREAM, ECRYPT Stream Cipher Project (2005)
Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. Journal of Cryptology 1, 159–176 (1989)
Siegenthaler, T.: Decrypting a class of stream ciphers using ciphertext only. IEEE Transactions on Computers C-34, 81–85 (1985)
Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002)
© 2014 Springer International Publishing Switzerland
Cite this paper
Xu, C., Zhang, B., Feng, D. (2014). Linear Cryptanalysis of FASER128/256 and TriviA-ck. In: Meier, W., Mukhopadhyay, D. (eds) Progress in Cryptology -- INDOCRYPT 2014. Lecture Notes in Computer Science, vol 8885. Springer, Cham. https://doi.org/10.1007/978-3-319-13039-2_14
DOI: https://doi.org/10.1007/978-3-319-13039-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13038-5
Online ISBN: 978-3-319-13039-2