The need for lightweight (that is, compact, low-power, low-energy) cryptographic hash functions has been repeatedly expressed by professionals, notably to implement cryptographic protocols in RFID technology. At the time of writing, however, no algorithm exists that provides satisfactory security and performance. The ongoing SHA-3 Competition will not help, as it concerns general-purpose designs and focuses on software performance. This paper thus proposes a novel design philosophy for lightweight hash functions, based on the sponge construction in order to minimize memory requirements. Inspired by the stream cipher Grain and by the block cipher KATAN (amongst the lightest secure ciphers), we present the hash function family Quark, composed of three instances: u-Quark, d-Quark, and s-Quark. As a sponge construction, Quark can be used for message authentication, stream encryption, or authenticated encryption. Our hardware evaluation shows that Quark compares well to previous tentative lightweight hash functions. For example, our lightest instance u-Quark conjecturally provides at least 64-bit security against all attacks (collisions, multicollisions, distinguishers, etc.), fits in 1379 gate-equivalents, and consumes on average 2.44 μW at 100 kHz in 0.18 μm ASIC. For 112-bit security, we propose s-Quark, which can be implemented with 2296 gate-equivalents with a power consumption of 4.35 μW.

/pdf/quark-a-lightweight-hash-461jjxjajg.pdf

Quark: A Lightweight Hash

A new version of the stream cipher Grain-128 is proposed. The new version, Grain-128a, is strengthened against all known attacks and observations on the original Grain-128, and has built-in support for optional authentication. The changes are modest, keeping the basic structure of Grain-128. This gives a high confidence in Grain-128a and allows for easy updating of existing implementations.

/pdf/grain-128a-a-new-version-of-grain-128-with-optional-32q00hifb4.pdf

Grain-128a: a new version of Grain-128 with optional authentication

The need for lightweight cryptographic hash functions has been repeatedly expressed by application designers, notably for implementing RFID protocols. However not many designs are available, and the ongoing SHA-3 Competition probably won't help, as it concerns general-purpose designs and focuses on software performance. In this paper, we thus propose a novel design philosophy for lightweight hash functions, based on a single security level and on the sponge construction, to minimize memory requirements. Inspired by the lightweight ciphers Grain and KATAN, we present the hash function family QUARK, composed of the three instances U-QUARK, D-QUARK, and T-QUARK. Hardware benchmarks show that QUARK compares well to previous lightweight hashes. For example, our lightest instance U-QUARK conjecturally provides at least 64-bit security against all attacks (collisions, multicollisions, distinguishers, etc.), fits in 1379 gate-equivalents, and consumes in average 2.44 µW at 100 kHz in 0.18 µm ASIC. For 112- bit security, we propose T-QUARK, which we implemented with 2296 gate-equivalents.

/pdf/quark-a-lightweight-hash-3j5ekv1nxe.pdf

QUARK: a lightweight hash

Embedded systems are deployed in various domains, including industrial installations, critical and nomadic environments, private spaces and public infrastructures. Their operation typically involves access, storage and communication of sensitive and/or critical information that requires protection, making the security of their resources and services an imperative design concern. The demand for applicable cryptographic components is therefore strong and growing. However, the limited resources of these devices, in conjunction with the ever-present need for smaller size and lower production costs, hinder the deployment of secure algorithms typically found in other environments and necessitate the adoption of lightweight alternatives. This paper provides a survey of lightweight cryptographic algorithms, presenting recent advances in the field and identifying opportunities for future research. More specifically, we examine lightweight implementations of symmetric-key block ciphers in hardware and software architectures. We evaluate 52 block ciphers and 360 implementations based on their security, performance and cost, classifying them with regard to their applicability to different types of embedded devices and referring to the most important cryptanalysis pertaining to these ciphers.

A review of lightweight block ciphers

We present a new variant of cube attacks called a dynamic cube attack. Whereas standard cube attacks [4] find the key by solving a system of linear equations in the key bits, the new attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic cube attacks can create lower degree representations of the given cipher, which makes it possible to attack schemes that resist all previously known attacks. In this paper we concentrate on the well-known stream cipher Grain-128 [6], on which the best known key recovery attack [15] can recover only 2 key bits when the number of initialization rounds is decreased from 256 to 213. Our first attack runs in practical time complexity and recovers the full 128-bit key when the number of initialization rounds in Grain-128 is reduced to 207. Our second attack breaks a Grain-128 variant with 250 initialization rounds and is faster than exhaustive search by a factor of about 228. Finally, we present an attack on the full version of Grain-128 which can recover the full key but only when it belongs to a large subset of 2-10 of the possible keys. This attack is faster than exhaustive search over the 2118 possible keys by a factor of about 215. All of our key recovery attacks are the best known so far, and their correctness was experimentally verified rather than extrapolated from smaller variants of the cipher. This is the first time that a cube attack was shown to be effective against the full version of a well known cipher which resisted all previous attacks.

/pdf/breaking-grain-128-with-dynamic-cube-attacks-5fopghuge3.pdf

Breaking Grain-128 with dynamic cube attacks

The slide resynchronization attack on Grain was proposed in [6]. This attack finds related keys and initialization vectors of Grain that generate the 1-bit shifted keystream sequence. In this paper, we extend the attack proposed in [6] and propose related-key chosen IV attacks on Grain-v1 and Grain-128. The attack on Grain-v1 recovers the secret key with 222.59chosen IVs, 226.29-bit keystream sequences and 222.90computational complexity. To recover the secret key of Grain-128, our attack requires 226.59chosen IVs, 231.39-bit keystream sequences and 227.01computational complexity. These works are the first known key recovery attacks on Grain-v1 and Grain-128.

Related-Key Chosen IV Attacks on Grain-v1 and Grain-128

Differential fault analysis on block cipher SEED

PRESENT is a hardware-optimized 64-bit lightweight block cipher which supports 80-and 128-bit secret keys. In this paper, we propose a differential fault analysis DFA on PRESENT-80/128. The proposed attack is based on a 2-byte random fault model. In detail, by inducing several 2-byte random faults in input registers after 28 rounds, our attack recovers the secret key of the target algorithm. From simulation results, our attacks on PRESENT-80/128 can recover the secret key by inducing only two and three 2-byte random faults, respectively. These are superior to known DFA results on them.

Improved differential fault analysis on PRESENT-80/128

The literature offers several efficient masking methods for providing resistance to side-channel attacks against iterative block ciphers, such as Data Encryption Standard (DES) and Advanced Encryption Standard (AES). One of the proposed methods is to apply independent masks to each of the first and last few rounds. However, at the workshops on Selected Areas in Cryptography (SAC) 2006 and Cryptographic Hardware and Embedded System (CHES) 2007, Handschuh-Preneel and Biryukov-Khovratovich showed that DES and AES with such reduced masked rounds are still vulnerable to side-channel attacks combined with block cipher cryptanalysis. Specifically, Handschuh and Preneel presented differential based side-channel attacks on DES with the first 4 rounds masked, and Biryukov and Khovratovich presented impossible and multiset collision based side-channel attacks on AES with the first 2, 3 and 4 rounds masked. More recently, Kim and Hong showed that AES-192 and AES-256 with the first 5 rounds masked are also vulnerable to side-channel attacks based on the meet-in-the-middle technique. In this paper, we focus on the security of DES with reduced masked rounds against side-channel attacks; we propose differential based side-channel attacks on DES with the first 5, 6 and 7 rounds masked: they require 2^1^7^.^4, 2^2^4, 2^3^5^.^5 chosen plaintexts with associate power traces and collision measurements, correspondingly. Our attacks are the first known side-channel attacks on DES with the first 5, 6 and 7 rounds masked; our attack results show that DES with any reduced masked rounds is not secure against side-channel attacks, i.e., in order for DES to be resistant to side-channel attacks, entire rounds should be masked.

DES with any reduced masked rounds is not secure against side-channel attacks

In Choukri and Tunstall (2005), the authors showed that if they decreased the number of rounds in AES by injecting faults, it is possible to recover the secret key. In this paper, we propose fault injection attacks on HMAC/NMAC by applying the main idea of their attack. These attacks are applicable to HMAC/NMAC based on the MD-family hash functions and can recover the secret key with the negligible computational complexity. Particularly, these results on HMAC/NMAC-SHA-2 are the first known key recovery attacks so far.

/pdf/security-analysis-of-hmac-nmac-by-using-fault-injection-4awsq9os7i.pdf

Yuseop Lee

Papers

Related-Key Chosen IV Attacks on Grain-v1 and Grain-128

Differential fault analysis on block cipher SEED

Improved differential fault analysis on PRESENT-80/128

DES with any reduced masked rounds is not secure against side-channel attacks

Security Analysis of HMAC/NMAC by Using Fault Injection