232020
20181203024840.0
ARTICLE
Some Cryptanalytic Results on Lizard
2017
2017
Journal Articles
Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120 bit secret key and a 64 bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing $2^58$ random trials it is possible to find a set of 2 64 triplets (K, IV 0 , IV 1 ) such that the Key-IV pairs (K, IV 0 ) and (K, IV 1 ) produce identical keystream bits. Second, we show that by performing only around 2 28 random trials it is possible to obtain $2^64$ Key-IV pairs (K 0 , IV 0 ) and (K 1 , IV 1 ) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around $2^{51.5}$ random IV encryptions (with encryption required to produce $2^{18}$ keystream bits) and around $2^{76.6}$ bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.
Banik, Subhadeep
283270
250951
Isobe, Takanori
Cui, Tingting
Guo, Jian
IACR ToSC
4
LASEC
252183
U10433
oai:infoscience.tind.io:232020
article
IC
266837
EPFL-ARTICLE-232020
EPFL
ACCEPTED
REVIEWED
ARTICLE