Some cryptanalytic results on Lizard
Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recove...
Main Authors: | , , , |
---|---|
Format: | Article |
Language: | English |
Published: |
Ruhr-Universität Bochum
2017-12-01
|
Series: | IACR Transactions on Symmetric Cryptology |
Subjects: | |
Online Access: | https://tosc.iacr.org/index.php/ToSC/article/view/804 |
id |
doaj-e7938c989a954bada787248c36fe2bfb |
---|---|
record_format |
Article |
spelling |
doaj-e7938c989a954bada787248c36fe2bfb2021-03-02T10:08:07ZengRuhr-Universität BochumIACR Transactions on Symmetric Cryptology2519-173X2017-12-01829810.13154/tosc.v2017.i4.82-98804Some cryptanalytic results on LizardSubhadeep Banik0Takanori Isobe1Tingting Cui2Jian Guo3LASEC, École Polytechnique Fédérale de Lausanne, Switzerland; Cryptanalysis Taskforce, Nanyang Technological UniversityUniversity of HyogoKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China; Cryptanalysis Taskforce, Nanyang Technological UniversityCryptanalysis Taskforce, Nanyang Technological UniversityLizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing 258 random trials it is possible to find a set of 264 triplets (K, IV0, IV1) such that the Key-IV pairs (K, IV0) and (K, IV1) produce identical keystream bits. Second, we show that by performing only around 228 random trials it is possible to obtain 264 Key-IV pairs (K0, IV0) and (K1, IV1) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 251.5 random IV encryptions (with encryption required to produce 218 keystream bits) and around 276.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.https://tosc.iacr.org/index.php/ToSC/article/view/804Grain v1LizardStream Cipher |
collection |
DOAJ |
language |
English |
format |
Article |
sources |
DOAJ |
author |
Subhadeep Banik Takanori Isobe Tingting Cui Jian Guo |
spellingShingle |
Subhadeep Banik Takanori Isobe Tingting Cui Jian Guo Some cryptanalytic results on Lizard IACR Transactions on Symmetric Cryptology Grain v1 Lizard Stream Cipher |
author_facet |
Subhadeep Banik Takanori Isobe Tingting Cui Jian Guo |
author_sort |
Subhadeep Banik |
title |
Some cryptanalytic results on Lizard |
title_short |
Some cryptanalytic results on Lizard |
title_full |
Some cryptanalytic results on Lizard |
title_fullStr |
Some cryptanalytic results on Lizard |
title_full_unstemmed |
Some cryptanalytic results on Lizard |
title_sort |
some cryptanalytic results on lizard |
publisher |
Ruhr-Universität Bochum |
series |
IACR Transactions on Symmetric Cryptology |
issn |
2519-173X |
publishDate |
2017-12-01 |
description |
Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing 258 random trials it is possible to find a set of 264 triplets (K, IV0, IV1) such that the Key-IV pairs (K, IV0) and (K, IV1) produce identical keystream bits. Second, we show that by performing only around 228 random trials it is possible to obtain 264 Key-IV pairs (K0, IV0) and (K1, IV1) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 251.5 random IV encryptions (with encryption required to produce 218 keystream bits) and around 276.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers. |
topic |
Grain v1 Lizard Stream Cipher |
url |
https://tosc.iacr.org/index.php/ToSC/article/view/804 |
work_keys_str_mv |
AT subhadeepbanik somecryptanalyticresultsonlizard AT takanoriisobe somecryptanalyticresultsonlizard AT tingtingcui somecryptanalyticresultsonlizard AT jianguo somecryptanalyticresultsonlizard |
_version_ |
1724237668088283136 |