matt�rsa.com

Abstract — A new stream cipher, Grain-128, is proposed. The design is very small in hardware and it targets environments with very limited resources in gate count, power consumption, and chip area. Grain-128 supports key size of 128 bits and IV size of 96 bits. The design is very simple and based on two shift registers, one linear and one nonlinear, and an output function. I.

Dragon is a word oriented stream cipher submitted to the ECRYPT project, it operates on key sizes of 128 and 256 bits. The original idea of the design is to use a nonlinear feedback shift register (NLFSR) and a linear part (counter), combined by a filter function to generate a new state of the NLFSR and produce the keystream. The internal state of the cipher is 1088 bits, i.e., any kinds of TMD attacks are not applicable. In this paper we present two statistical distinguishers that distinguish Dragon from a random source both requiring around O(2 ) words of the keystream. In the first scenario the time complexity is around O(2 ) with the memory complexity O(2 ), whereas the second scenario needs only O(2 ) of time, but O(2 ) of memory. The attack is based on a statistical weakness introduced into the keystream by the filter function F . This is the first paper presenting an attack on Dragon, and it shows that the cipher does not provide full security when the key of size 256 bits is used.

The shrinking generator is a well-known keystream generator composed of two linear feedback shift registers, LFSR 1 and LFSR 2 , where LFSR 1 is clock-controlled according to regularly clocked LFSR 2 . The keystream sequence is thus a decimated LFSR 1 sequence.

Abstract. Grain and Trivium are two hardware oriented synchronous stream ciphers proposed as the simplest candidates to the ECRYPT Stream Cipher Project, both dealing with 80-bit secret keys. In this paper we apply the linear sequential circuit approximation method to evaluate the strength of these stream ciphers against distinguishing attack. In this approximation method which was initially introduced by Golic in 1994, linear models are effectively determined for autonomous finite-state machines. We derive linear functions of consecutive key-stream bits which are held with correlation coefficient of about 2-63.7 and 2-126 for Grain and Trivium ciphers, respectively. Then using the concept of socalled generating function, we turn them into linear functions with correlation coefficient of 2-29 for Grain and 2-72 for Trivium. It shows that the Grain output sequence can be distinguished from a purely random sequence, using about 2 58 bits of the output sequence with the same time complexity. However, our attempt fails to find a successful distinguisher for Trivium.

Abstract. A new version of the stream cipher Grain-128 is proposed. The new version, Grain-128a, is strengthened against all known attacks and observations on the original Grain-128, and has built-in support for authentication. The changes are modest, keeping the basic structure of Grain-128. This gives a high confidence in Grain-128a and allows for easy updating of existing implementations.