differential distinguishing attack of shannon stream cipher

15
Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway [email protected] o Yaser Esmaeili Elham Shakour Zaeim Electronic Ind. R&D Department {yesmaeili, shakour}@zaeim.co.ir

Upload: nichole-lucas

Post on 31-Dec-2015

23 views

Category:

Documents


0 download

DESCRIPTION

Differential Distinguishing Attack of Shannon Stream Cipher. Yaser Esmaeili Elham Shakour Zaeim Electronic Ind. R&D Department { yesmaeili, shakour } @zaeim.co.ir. Mehdi Hassanzadeh University of Bergen Selmer Center, Norway [email protected]. Outline. Introduction - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Mehdi HassanzadehUniversity of Bergen

Selmer Center, [email protected]

Yaser EsmaeiliElham Shakour

Zaeim Electronic Ind.R&D Department

{yesmaeili, shakour}@zaeim.co.ir

Page 2: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 2/16

Outline

Introduction Description of the Shannon Differential Properties of the f2 Function

Our Differential Distinguishing Attack Conclusion

Page 3: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 3/16

Introduction

The Shannon stream cipher was proposed by Philip Hawkes et al. for Ecrypt/eStream competitive.

An entirely new design, influenced by members of the SOBER family of stream ciphers.

Designed for a software-efficient algorithmup to 256 bits key length32-bit words basedbased on a single NLFSR and a NLF

Page 4: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 4/16

A Brief Description

The Shannon algorithm consists of two parts:

•Key loading

•key generation

Page 5: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 5/16

Keystream Generation Mode

1) rt+1[i] ← rt[i+1] for i = 1...14

2) rt+1[15] ← f1(rt[12] rt[13] Konst) (rt[0] <<<1)

3) temp ← f2(rt+1[2] rt+1[15])

4) rt+1[0]← rt[1]temp(“feed forward” to the new lowest element)

5) vt ← temp rt+1[8] rt+1[12].

Page 6: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 6/16

f Function

f : (A,B,C,D are fixed numbers)

t ← w ((w <<< A) | (w <<< B))

f(w) = t (( t <<< C) | (t <<< D))

f1 : (A,B,C,D)=(5,7,19,22)

f2 : (A,B,C,D)=(7,22,5,19)

Page 7: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 7/16

Differential Analysis for Stream Ciphers

A differential of a stream cipher is a prediction that a given input difference

(it can be the key, IV or internal state)

produce some output difference

(it can be the keystream or internal state)

Page 8: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 8/16

Suppose that 31st bit of input is activated. W, W 31

9 bits of output from f2 function will be impressed by 31

The output differential of f2 function is determined bit by bit.

Differential Property of f2

Page 9: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 9/16

Differential Property of f2

Theoretically: Shannon is a RNG, therefore the output bits of the Shannon are independent

The output is generated by the output of f2 function

the differential output bits of f2 function are 32 bit word M (i.e. 0x80000000 from Table ) with the probability of

66.54431

0

22

1

4

31

iip

Page 10: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 10/16

IS

IS‘=IS

vtv't=∆t

vt , v't TRNGRepeat for N times

Attack Scenario

Page 11: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 11/16

Differential properties of the output

N differential outputs are generated by black box (scenario is repeated N times)

In each repeatation, 9th output word is exracted. A sequence consisting of N 32-bit differential words is provided (O9)

IS‘[11]=IS[11] 31

Page 12: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 12/16

Hypotheses Test

Two hypotheses for O9:

66.5,9

66.5,9

0210x80000000Pr

20x80000000Pr

i

i

O

OH

32,9

32,9

1210x80000000Pr

20x80000000Pr

i

i

O

OH

Page 13: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 13/16

Our Differential Distinguishing Attack

• By using of frequency test, we can distinguish the sequance O9 (T= number of 0x80000000)

If T≥10 => generated by the Shannon

If T<10 => was NOT generated by the Shannon

• The probability of error is 10-3

• We need N=28.92 words in sequence O9

Page 14: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 14/16

Complexity

• We need N=28.92 words in sequence O9

• Then we need to run the Shannon 2*N=2*28.92 times

• Then, the computational complexity is equal to

O(29.92)

Page 15: Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher

Hassanzadeh Cryptology2008, Malaysia 15/16

Conclusion

We showed that the keystream generator part of the Shannon stream cipher is not strong.

It should be replaced by stronger one. The Key loading part is strong.