stream cipher thesis


Post on 14-Apr-2015


This thesis describes the analysis of the strength of various stream ciphers.

On the Design and Analysis of Stream Ciphers

Martin Hell

Ph.D. Thesis, September 13, 2007

Martin Hell
Department of Electrical and Information Technology
Lund University
Box 118
S-221 00 Lund, Sweden
e-mail: martin@eit.lth.se
http://www.eit.lth.se/

ISBN: 91-7167-043-2
ISRN: LUTEDX/TEIT-07/1039-SE
© Martin Hell, 2007

Abstract

This thesis presents new cryptanalysis results for several different stream cipher constructions. It also presents two new stream ciphers, both based on the same design principle.

The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified. By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together, an adversary can take advantage of this by considering the samples in a vector form.

Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given, as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen.

Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80.

The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware.

Contents

Abstract
Preface

1 Introduction
  1.1 Cryptology
  1.2 Cryptographic Primitives
  1.3 Block Ciphers and Stream Ciphers
  1.4 Thesis Outline

2 Stream Ciphers
  2.1 Classification of Stream Ciphers
  2.2 Common Design Blocks
    2.2.1 Feedback Shift Registers
    2.2.2 Boolean Functions
    2.2.3 S-Boxes
    2.2.4 Large Tables
    2.2.5 T-functions
    2.2.6 Some Well-Known Stream Ciphers
  2.3 Methods of Cryptanalysis
    2.3.1 Classifying the Attack
    2.3.2 Brute Force Attack
    2.3.3 Time-Memory Tradeoff Attacks
    2.3.4 Correlation Attacks
    2.3.5 Algebraic Attacks
    2.3.6 Guess and Determine Attacks
    2.3.7 Side Channel Attacks
  2.4 Hypothesis Testing
  2.5 Summary

3 Correlation Attacks Using a New Class of Weak ...
  3.1 Preliminaries
  3.2 A Basic Distinguishing Attack From a Low Weight Feedback Polynomial
  3.3 A More General Distinguisher Using Vectors
  3.4 Tweaking the Parameters in the Attack
    3.4.1 How g_i(x) Affects the Results
    3.4.2 Increasing Vector Length
    3.4.3 Increasing the Number of Groups l
  3.5 Finding a Multiple of the Form a(x)
    3.5.1 Finding Low Weight Multiples
    3.5.2 Finding Multiples With Groups
  3.6 Comparing the Proposed Attack With a Basic Distinguishing Attack
  3.7 Summary

4 Two New Attacks on the Self-Shrinking Generator
  4.1 Description of the Self-Shrinking Generator
  4.2 Previous Attacks on the Self-Shrinking Generator
    4.2.1 Short Keystream Attacks
    4.2.2 Long Keystream Attacks
  4.3 New Attack Using Short Keystream
  4.4 New Attack Using Long Keystream
    4.4.1 Main Ideas
    4.4.2 Method for Cryptanalysis
    4.4.3 Asymptotic Complexity
  4.5 Improving the Attack
    4.5.1 Asymptotic Complexity
    4.5.2 Comparison to Time-Memory-Data Tradeoff Attacks
  4.6 Summary

5 Some Attacks on the Bit-Search Generator
  5.1 Description of the Bit-Search Generator
  5.2 Reconstructing the Input Sequence
    5.2.1 Analysis of the Algorithm
    5.2.2 A Data-Time Tradeoff
  5.3 Distinguishing Attack
  5.4 Related Work
  5.5 Summary

6 Cryptanalysis of the Pomaranch Family of Stream Ciphers
  6.1 Jump Registers
  6.2 Pomaranch Version 1
  6.3 Biased Linear Relations in Jump Register Outputs
  6.4 Pomaranch Version 2 - Improving Jump Register Parameters
  6.5 A New Algorithm That Can Find Linear Relations
    6.5.1 Vectorial Representation of a Linear Approximation
    6.5.2 Finding a Biased Linear Approximation
  6.6 Algorithm Applied to Pomaranch Version 2
    6.6.1 New Attack on Pomaranch Version 2
    6.6.2 Distinguishing and Key Recovery Attacks
    6.6.3 Simulation Results
  6.7 Pomaranch Version 3 - New Jump Registers
  6.8 General Distinguishing Attacks on All Versions
    6.8.1 Period of Registers
    6.8.2 Output Function
    6.8.3 Linear Approximations of Jump Registers
    6.8.4 Attacking Different Versions of Pomaranch
    6.8.5 Attack Complexities for the Existing Versions of the Pomaranch Family
  6.9 A Resynchronization Collision Attack
    6.9.1 Attack Complexities for Pomaranch
  6.10 Summary

7 Cryptanalysis of the Achterbahn Family of Stream Ciphers
  7.1 History of Achterbahn, Part I
  7.2 Description of Achterbahn-128/80
    7.2.1 Notation
    7.2.2 Design Parameters
    7.2.3 Initialization
  7.3 Analysis of Achterbahn
    7.3.1 Attacking the Achterbahn Family of Stream Ciphers
    7.3.2 Summary of Attack Procedure
  7.4 The Sum of Dependent Variables
  7.5 Attack on Achterbahn-80
    7.5.1 Generalization of the Attack Using Quadratic Approximations
    7.5.2 Attack Complexities for Achterbahn-80
  7.6 Attack on Achterbahn-128
    7.6.1 Generalization of the Attack Using Quadratic Approximations
    7.6.2 Generalization of the Attack Using Cubic Approximations
    7.6.3 Attack Complexities for Achterbahn-128
  7.7 Recovering the Key
  7.8 Further Improvements
  7.9 History of Achterbahn, Part II
  7.10 Summary
