Grain-128AEAD v2 Specification

Grain-128AEADv2 - A lightweight AEAD stream cipher

Cover sheet

Martin Hell, Lund University, Sweden
Thomas Johansson, Lund University, Sweden
Alexander Maximov, Ericsson AB, Sweden
Willi Meier, FHNW, Switzerland
Jonathan Sönnerup, Lund University, Sweden
Hirotaka Yoshida, AIST, Japan

Corresponding submitter: Hirotaka Yoshida, Cyber Physical Security Research Center (CPSEC), National Institute of Advanced Industrial Science and Technology (AIST), 2-3-26 Aomi, Koto-ku, Tokyo, 135-0064, Japan. [email protected], phone: +81298613258

Backup point of contact: Martin Hell, Dept. of Electrical and Information Technology, Box 118, Lund University, Sweden. [email protected], phone: +46462224353

Contents

1 Introduction
    1.1 NIST requirements
    1.2 Acknowledgments
2 Algorithm Specification
    2.1 Building Blocks and Functions
    2.2 Key and Nonce Initialization
    2.3 Operating Mode
    2.4 Keystream Limitation
    2.5 Authenticated Encryption with Associated Data
    2.6 Using Grain-128AEADv2 with NIST API
3 Design Rationale
    3.1 Short History of the Grain Family of Stream Ciphers
    3.2 Update to Grain-128AEADv2
    3.3 Differences Between Grain-128AEADv2 and Grain-128a
    3.4 Design Choices for Individual Building Blocks
4 Security Analysis and Cryptanalytic Attacks
    4.1 General Security Analysis
    4.2 Linear Approximations
    4.3 Correlation Attacks
    4.4 Chosen IV Attacks
    4.5 Fault Attacks
    4.6 Security of the Authentication
5 Hardware Implementation
6 Advantages and Limitations
    6.1 Suitability of Grain-128AEADv2 in IoT/Embedded Systems
    6.2 Other Aspects
7 Test Vectors

1 Introduction

This is the second version of the Grain-128AEAD documentation, detailing the Grain-128AEADv2 design. This is the specification for round 3 in the NIST LWC standardization process. The main difference from the first version is a tweak added in the initialization. This document is intended to be self-contained, and therefore it largely overlaps with the specification for the first version.

Grain-128AEADv2 is an authenticated encryption algorithm with support for associated data. The specification is closely based on Grain-128a, introduced in 2011, which has already been analyzed in the literature for several years. To benefit from the maturity of the Grain family, our strategy in the design of Grain-128AEADv2 is to keep the changes made to Grain-128a as small as possible. This allows us to argue for the security of the cipher based on previous results on Grain-128a. One notable change is added security against key reconstruction from a known internal state. Increased understanding of this feature is also the motivation for the update from Grain-128AEAD to Grain-128AEADv2. Grain-128a is in turn based on Grain v1 and Grain-128, which have both been extensively analyzed, providing much insight into the security of the design approach. All Grain stream ciphers also allow the throughput to be increased by adding additional copies of the Boolean functions involved.
1.1 NIST requirements

This section provides a mapping of the requirements given by NIST [45] to the respective sections in this document and supporting files.

1.1.1 Cover Sheet

The cover sheet with the name of the submission and the names of the submitters, including contact information for the corresponding submitter and a backup point of contact, is provided as the first page of this document.

1.1.2 Algorithm Specification and Supporting Documentation

The documentation requirements are provided in [45, Section 2.2].

• The complete written specification of the algorithm is given in Section 2.
• The design rationale and an explanation for the different design decisions are given in Section 3. This also includes the specific constants that are used in the algorithm.
• The submission describes a single AEAD algorithm, denoted Grain-128AEADv2, that takes a 128-bit key and a 96-bit nonce. It does not implement hashing functionality.
• Grain-128AEADv2 has been designed with 128-bit security in mind. Thus, referring to the NIST requirements [45, Section 3.1], we expect that cryptanalytic attacks require at least $2^{112}$ computations on a classical computer in a single-key setting.
• Known cryptanalytic attacks on the algorithm, using attacks on Grain-128a as a reference point, are specified in Section 4.
• Advantages and limitations of Grain-128AEADv2 are given in Section 6.
• References given in Section 4 provide a list of published materials that analyze the security of the very similar Grain-128a.

1.1.3 Source Code and Test Vectors

These requirements are provided in [45, Section 2.3]. Source code of a reference implementation is provided separately from this document. Test vectors from the reference implementation are provided in Section 7.

1.1.4 AEAD Requirements

The AEAD requirements are provided in [45, Section 3.1].
• Grain-128AEADv2 takes a variable-length plaintext, variable-length associated data, a fixed-length nonce (IV) of size 96 bits, and a fixed-length key of size 128 bits. The output is a variable-length ciphertext. The plaintext is recovered from a valid ciphertext. An invalid ciphertext does not return a plaintext.
• For a single key, the nonce must be unique. If the nonce is not unique, i.e., it is repeated for the same key, the algorithm leaks information about the two plaintexts, and the MAC can be forged.
• Grain-128AEADv2 is a single algorithm; the only supported parameters are a 128-bit key and a 96-bit nonce.
• Grain-128AEADv2 is a bit-oriented stream cipher and thus also allows byte string inputs. The message padding of one '1' bit can, in an environment that only operates with bytes, be replaced by a '1' followed by seven '0's. This will not affect the MAC result.
• Grain-128AEADv2 has a keystream limitation of $2^{80}$ bits, i.e., a pre-output stream limitation of $2^{81}$ bits.

1.2 Acknowledgments

We wish to thank Martin Ågren, who has been involved in designing a previous variant in the Grain family of stream ciphers. His work has been valuable to the understanding of the cipher, and design choices made in Grain-128AEADv2 have drawn inspiration from his work.

2 Algorithm Specification

Grain-128AEADv2 consists of two main building blocks. The first is a pre-output generator, which is constructed using a Linear Feedback Shift Register (LFSR), a Non-linear Feedback Shift Register (NFSR) and a pre-output function, while the second is an authenticator generator consisting of a shift register and an accumulator. The design is very similar to Grain-128a, but has been modified to allow for larger authenticators and to support AEAD. Moreover, the modes of usage have been updated.
2.1 Building Blocks and Functions

The pre-output generator generates a stream of pseudo-random bits, which are used for encryption and the authentication tag. It is depicted in Fig. 1.

[Figure 1: An overview of the building blocks in Grain-128AEADv2. The figure shows the LFSR with feedback f, the NFSR with feedback g, the pre-output function h, and the authenticator's shift register and accumulator.]

The content of the 128-bit LFSR is denoted $S_t = [s_0^t, s_1^t, \ldots, s_{127}^t]$ and the content of the 128-bit NFSR is similarly denoted $B_t = [b_0^t, b_1^t, \ldots, b_{127}^t]$. These two shift registers represent the 256-bit state of the pre-output generator.

The primitive feedback polynomial of the LFSR, defined over GF(2) and denoted $f(x)$, is defined as

$$f(x) = 1 + x^{32} + x^{47} + x^{58} + x^{90} + x^{121} + x^{128}.$$

The corresponding update function of the LFSR is given by

$$s_{127}^{t+1} = s_0^t + s_7^t + s_{38}^t + s_{70}^t + s_{81}^t + s_{96}^t = L(S_t).$$

The nonlinear feedback polynomial of the NFSR, denoted $g(x)$ and also defined over GF(2), is defined as

$$g(x) = 1 + x^{32} + x^{37} + x^{72} + x^{102} + x^{128} + x^{44}x^{60} + x^{61}x^{125} + x^{63}x^{67} + x^{69}x^{101} + x^{80}x^{88} + x^{110}x^{111} + x^{115}x^{117} + x^{46}x^{50}x^{58} + x^{103}x^{104}x^{106} + x^{33}x^{35}x^{36}x^{40}$$

and the corresponding update function is given by

$$b_{127}^{t+1} = s_0^t + b_0^t + b_{26}^t + b_{56}^t + b_{91}^t + b_{96}^t + b_3^t b_{67}^t + b_{11}^t b_{13}^t + b_{17}^t b_{18}^t + b_{27}^t b_{59}^t + b_{40}^t b_{48}^t + b_{61}^t b_{65}^t + b_{68}^t b_{84}^t + b_{22}^t b_{24}^t b_{25}^t + b_{70}^t b_{78}^t b_{82}^t + b_{88}^t b_{92}^t b_{93}^t b_{95}^t = s_0^t + F(B_t).$$

Nine state variables are taken as input to a Boolean function $h(x)$. Two of these bits are taken from the NFSR and seven are taken from the LFSR. The function is defined as

$$h(x) = x_0x_1 + x_2x_3 + x_4x_5 + x_6x_7 + x_0x_4x_8,$$

where the variables $x_0, \ldots, x_8$ correspond to, respectively, the state variables $b_{12}^t, s_8^t, s_{13}^t, s_{20}^t, b_{95}^t, s_{42}^t, s_{60}^t, s_{79}^t$ and $s_{94}^t$. The output of the pre-output generator is then given by the pre-output function

$$y_t = h(x) + s_{93}^t + \sum_{j \in A} b_j^t,$$

where $A = \{2, 15, 36, 45, 64, 73, 89\}$.

The authenticator generator consists of a
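The feedback functions, $h$ and the pre-output function above, written out as one clock of the pre-output generator. This is an added Python example based only on the formulas in Section 2.1; it is not the submitters' reference implementation. Addition is XOR (GF(2)), and the registers are assumed to shift toward index 0 with the new bit entering at position 127, so a polynomial exponent $e$ corresponds to register tap $128 - e$; the example checks that this mapping reproduces exactly the taps in the update functions, which is the consistency check a reviewer would run against a spec like this. Key and nonce initialization (Section 2.2) and the Section 7 test vectors are not on this page, so the code cannot be checked against official vectors; the helper `state_with_bits` and the states it builds are constructed for illustration.

```python
# Added example, not the submitters' reference code: one clock of the
# Grain-128AEADv2 pre-output generator, taken from the formulas in Section 2.1.
# Initialization (Section 2.2) and the authenticator are not covered here.

N = 128  # length of each shift register

# Polynomial exponents exactly as written on the page
LFSR_POLY_EXPONENTS = (32, 47, 58, 90, 121, 128)          # f(x), excluding the constant 1
NFSR_POLY_LINEAR = (32, 37, 72, 102, 128)                 # linear terms of g(x)
NFSR_POLY_PRODUCTS = ((44, 60), (61, 125), (63, 67), (69, 101), (80, 88),
                      (110, 111), (115, 117), (46, 50, 58), (103, 104, 106),
                      (33, 35, 36, 40))

# Taps exactly as written in the update functions on the page
LFSR_TAPS = (0, 7, 38, 70, 81, 96)
NFSR_LINEAR_TAPS = (0, 26, 56, 91, 96)
NFSR_PRODUCT_TAPS = ((3, 67), (11, 13), (17, 18), (27, 59), (40, 48), (61, 65),
                     (68, 84), (22, 24, 25), (70, 78, 82), (88, 92, 93, 95))

A = (2, 15, 36, 45, 64, 73, 89)  # NFSR bits added linearly into y_t


def taps_from_exponents(exponents):
    """Assumed convention: exponent e of the feedback polynomial is tap 128 - e."""
    return tuple(sorted(N - e for e in exponents))


def taps_consistent():
    """True iff the polynomials f(x), g(x) and the update functions describe the same taps."""
    lin_ok = (taps_from_exponents(LFSR_POLY_EXPONENTS) == LFSR_TAPS and
              taps_from_exponents(NFSR_POLY_LINEAR) == NFSR_LINEAR_TAPS)
    prod_ok = ({frozenset(taps_from_exponents(t)) for t in NFSR_POLY_PRODUCTS} ==
               {frozenset(t) for t in NFSR_PRODUCT_TAPS})
    return lin_ok and prod_ok


def lfsr_feedback(s):
    """L(S_t): XOR of the six LFSR taps."""
    return sum(s[i] for i in LFSR_TAPS) & 1


def nfsr_feedback(b):
    """F(B_t): the linear NFSR taps plus the nonlinear product terms."""
    v = sum(b[i] for i in NFSR_LINEAR_TAPS)
    for term in NFSR_PRODUCT_TAPS:
        p = 1
        for i in term:
            p &= b[i]
        v += p
    return v & 1


def h(b, s):
    """h(x) = x0x1 + x2x3 + x4x5 + x6x7 + x0x4x8 on the nine tap bits."""
    x = (b[12], s[8], s[13], s[20], b[95], s[42], s[60], s[79], s[94])
    return (x[0] * x[1] ^ x[2] * x[3] ^ x[4] * x[5] ^ x[6] * x[7]
            ^ x[0] * x[4] * x[8]) & 1


def preoutput(b, s):
    """y_t = h(x) + s_93 + sum_{j in A} b_j (parity of all terms)."""
    return (h(b, s) ^ s[93] ^ sum(b[j] for j in A)) & 1


def clock(b, s):
    """Return (y_t, B_{t+1}, S_{t+1}). Registers shift toward index 0; the
    LFSR feeds L(S_t) and the NFSR feeds s_0 + F(B_t) into position 127."""
    y = preoutput(b, s)
    s_new = s[1:] + [lfsr_feedback(s)]
    b_new = b[1:] + [(s[0] ^ nfsr_feedback(b)) & 1]
    return y, b_new, s_new


def preoutput_stream(b, s, n):
    """Clock the generator n times from the given state and collect y_t."""
    out = []
    for _ in range(n):
        y, b, s = clock(b, s)
        out.append(y)
    return out


def state_with_bits(b_bits=(), s_bits=()):
    """Constructed helper: registers with only the listed positions set to 1."""
    b = [0] * N
    s = [0] * N
    for i in b_bits:
        b[i] = 1
    for i in s_bits:
        s[i] = 1
    return b, s


if __name__ == "__main__":
    print("polynomials and update functions agree:", taps_consistent())
    b, s = state_with_bits(b_bits=(3, 67), s_bits=(0,))
    print("first 8 pre-output bits from a constructed state:",
          preoutput_stream(b, s, 8))
```

Because the state here is never passed through the Section 2.2 initialization, the bits produced are only the raw register dynamics, not keystream; the useful result is `taps_consistent()`, which confirms that every product and linear term of $g(x)$ and every term of $f(x)$ maps onto exactly the taps listed in the update functions.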