Some cryptanalytic results on Lizard

Abstract

Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing 2⁵⁸ random trials it is possible to find a set of 2⁶⁴ triplets (K, IV₀, IV₁) such that the Key-IV pairs (K, IV₀) and (K, IV₁) produce identical keystream bits. Second, we show that by performing only around 2²⁸ random trials it is possible to obtain 2⁶⁴ Key-IV pairs (K₀, IV₀) and (K₁, IV₁) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 2^51.5 random IV encryptions (with encryption required to produce 2¹⁸ keystream bits) and around 2^76.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.