can be easily parallelized.
v1 to the eSTREAM call for stream cipher proposals and it also became one of the eSTREAM finalists in the
hardware category. The output function of Grain v1 connects its 160-bit internal state, divided
equally between an LFSR and an NFSR, using a non-linear filter function in a complex way. Over
the last years many cryptanalysts identified several weaknesses in Grain v1. As a result, in 2011 the
inventors modified Grain v1 and published a new version of Grain named Grain-128a, which has
a similar structure to Grain v1 but with a 256-bit internal state with an optional authentication
is the latest version of the Grain family resisting all known attacks on Grain v1. However, both these
ciphers are quite resistant against the classical algebraic attack due to the rapid growth of the degree
of the key-stream equations in subsequent clockings caused by the NFSR. This paper presents a
probabilistic algebraic attack on both these Grain versions. The basic idea of our attack is to
derive separate probabilistic equations for the LFSR and the NFSR bits from each key-stream
equation. Surprisingly, it turns out that in the case of Grain-128a our proposed equations hold with
almost sure probability, which allows the sure retrieval of the LFSR bits. We also outline a technique
to reduce the growth of the degree of the equations involving the NFSR bits for Grain v1. Further,
we highlight that the concept of probabilistic algebraic attack as proposed in this paper can be
considered as a generic attack strategy against any stream cipher whose output function has a
structure similar to that of the Grain family.
trusted parameters for many schemes from just a single trusted setup. In such a scheme
a trusted setup process will produce universal parameters $U$. These parameters can
then be combined with the description, $d(\cdot)$, of any particular cryptographic setup
algorithm to produce parameters $p_d$ that can be used by the cryptographic system associated
with $d$. We give a solution in the random oracle model based on indistinguishability obfuscation.
algorithm derived from the first round CAESAR candidate StriBob
and the Whirlpool hash algorithm. The main advantage of WhirlBob over
StriBob is its greatly reduced implementation footprint on
resource-constrained platforms. Remarkably, the entire C reference
implementation of WhirlBob $\pi$ fits onto a single page of the Appendix.
On most low-end microcontrollers the total software footprint of
$\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. The greatly
reduced hardware gate count is also reflected in efficient bitsliced
straight-line implementations, especially on 64-bit platforms. Bitslicing
works as an efficient countermeasure against AES-style cache timing
side-channel attacks. The new design utilizes only the LPS or $\rho$
keying line of Whirlpool in a flexible domain-separated Sponge mode BLNK
and increases the number of rounds in the $\pi$ permutation from 10 to 12 as a
countermeasure against the Rebound Distinguishing attacks of ASIACRYPT '09.
As with StriBob, the reduced-size Sponge design has a strong provable
security link with the original hash algorithm. We finally present some
discussion and analysis on the differences between Whirlpool, the Russian
GOST Streebog hash, and the recently proposed draft Russian
Encryption Standard Kuznyechik.