Differential Distinguishing Attack of Shannon Stream Cipher

Mehdi Hassanzadeh

University of Bergen, Selmer Center, Norway

Mehdi.hassanzadeh@ii.uib.no

Yaser Esmaeili, Elham Shakour

Zaeim Electronic Ind., R&D Department

{yesmaeili, shakour}@zaeim.co.ir

Hassanzadeh Cryptology2008, Malaysia 2/16

Outline

• Introduction

• Description of the Shannon

• Differential Properties of the f2 Function

• Our Differential Distinguishing Attack

• Conclusion

Introduction

The Shannon stream cipher was proposed by Philip Hawkes et al. for the Ecrypt/eStream competition.

An entirely new design, influenced by members of the SOBER family of stream ciphers.

Designed as a software-efficient algorithm:

• up to 256-bit key length

• 32-bit word based

• based on a single NLFSR and an NLF

A Brief Description

The Shannon algorithm consists of two parts:

• Key loading

• Key generation

Keystream Generation Mode

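1) $r_{t+1}[i] \leftarrow r_t[i+1]$ for $i = 1 \ldots 14$

2) $r_{t+1}[15] \leftarrow f_1(r_t[12] \oplus r_t[13] \oplus Konst) \oplus (r_t[0] \lll 1)$

3) $temp \leftarrow f_2(r_{t+1}[2] \oplus r_{t+1}[15])$

4) $r_{t+1}[0] \leftarrow r_t[1] \oplus temp$ ("feed forward" to the new lowest element)

5) $v_t \leftarrow temp \oplus r_{t+1}[8] \oplus r_{t+1}[12]$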

f Function

f : (A, B, C, D are fixed numbers)

$t \leftarrow w \oplus ((w \lll A) \mid (w \lll B))$

$f(w) = t \oplus ((t \lll C) \mid (t \lll D))$

f1 : (A, B, C, D) = (5, 7, 19, 22)

f2 : (A, B, C, D) = (7, 22, 5, 19)

Differential Analysis for Stream Ciphers

A differential of a stream cipher is a prediction that a given input difference (it can be in the key, IV or internal state) produces some output difference (it can be in the keystream or internal state).

Differential Property of f2

Suppose that the 31st bit of the input is activated, i.e. the two inputs are W and W with bit 31 flipped.

9 bits of the output of the f2 function will be affected by this bit-31 difference.

The output differential of the f2 function is determined bit by bit.

Differential Property of f2

Theoretically: Shannon is an RNG, therefore the output bits of the Shannon are independent.

The output is generated by the output of the f2 function.

The differential output of the f2 function is the 32-bit word M (i.e. 0x80000000 from Table) with the probability of

$\prod_{i=0}^{31} p_i = 2^{-5.66}$

Attack Scenario

[Figure: attack scenario. Labels: IS and IS′; outputs $v_t$ and $v'_t$; $v_t \oplus v'_t = \Delta_t$; TRNG; repeat for N times.]

Differential properties of the output

N differential outputs are generated by the black box (the scenario is repeated N times).

In each repetition, the 9th output word is extracted. A sequence consisting of N 32-bit differential words is provided (O9).

IS′[11] = IS[11] with bit 31 flipped
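The scenario above, built on the five keystream steps and the f function from the earlier slides, as an added Python example that is not taken from the slides or from the Shannon reference code: it flips bit 31 of word 11 of a state, XORs the two keystreams, and records which bits of the 9th difference word ever change. The random states and `konst` values, the trial count and all function names are constructed for illustration; key loading is not modelled.

```python
import random

MASK32 = 0xFFFFFFFF

def rotl(w, n):
    return ((w << n) | (w >> (32 - n))) & MASK32

def f(w, a, b, c, d):
    # Two-stage rotate / OR / XOR mixing from the "f Function" slide
    t = w ^ (rotl(w, a) | rotl(w, b))
    return t ^ (rotl(t, c) | rotl(t, d))

def f1(w): return f(w, 5, 7, 19, 22)
def f2(w): return f(w, 7, 22, 5, 19)

def cycle(r, konst):
    """One keystream step; returns (new_state, v_t)."""
    fb = f1(r[12] ^ r[13] ^ konst) ^ rotl(r[0], 1)  # step 2: feedback word
    r = r[1:] + [fb]                                 # step 1 shift, new r[15]
    temp = f2(r[2] ^ r[15])                          # step 3
    r[0] ^= temp                                     # step 4: feed forward
    return r, temp ^ r[8] ^ r[12]                    # step 5: output word

def output_differences(state, konst, words=9):
    """Keystream XOR for IS and IS' (IS with bit 31 of word 11 flipped)."""
    a, b = list(state), list(state)
    b[11] ^= 0x80000000
    diffs = []
    for _ in range(words):
        a, va = cycle(a, konst)
        b, vb = cycle(b, konst)
        diffs.append(va ^ vb)
    return diffs

def experiment(trials=4096, seed=2008):
    """Return (mask of bits that ever differ in O9, per-bit flip rate)."""
    rng = random.Random(seed)  # constructed states, not real key loading
    active, flips = 0, [0] * 32
    for _ in range(trials):
        state = [rng.getrandbits(32) for _ in range(16)]
        d9 = output_differences(state, rng.getrandbits(32))[8]
        active |= d9
        for bit in range(32):
            flips[bit] += (d9 >> bit) & 1
    return active, [n / trials for n in flips]

if __name__ == "__main__":
    active, rate = experiment()
    print(f"bits that differ in O9: {active:#010x} ({bin(active).count('1')} bits)")
    print({b: round(rate[b], 2) for b in range(32) if rate[b]})
```

The mask has 9 set bits, matching the slide on f2; in this model the flipped bit first enters f2 at the 9th step, which is why that word is the one collected.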

Hypotheses Test

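Two hypotheses for O9:

$H_0$: $\Pr(O_{9,i} = \mathtt{0x80000000}) = 2^{-5.66}$, $\Pr(O_{9,i} \neq \mathtt{0x80000000}) = 1 - 2^{-5.66}$

$H_1$: $\Pr(O_{9,i} = \mathtt{0x80000000}) = 2^{-32}$, $\Pr(O_{9,i} \neq \mathtt{0x80000000}) = 1 - 2^{-32}$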

Our Differential Distinguishing Attack

• Using a frequency test, we can distinguish the sequence O9 (T = number of occurrences of 0x80000000)

If T ≥ 10 => generated by the Shannon

If T < 10 => was NOT generated by the Shannon

• The probability of error is $10^{-3}$

• We need $N = 2^{8.92}$ words in sequence O9

Complexity

• We need $N = 2^{8.92}$ words in sequence O9

• Then we need to run the Shannon $2N = 2 \cdot 2^{8.92}$ times

• Then, the computational complexity is equal to

$O(2^{9.92})$

Conclusion

We showed that the keystream generator part of the Shannon stream cipher is not strong.

It should be replaced by a stronger one. The key loading part is strong.

