DOCSLIB.ORG

An Overview of Estream Ciphers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Overview of Estream Ciphers An Overview of eSTREAM Ciphers Pratyay Mukherjee Centre of Excellence in Cryptology Indian Statistical Institute ii Contents 1 Rabbit 1 1.1 Introduction.................................... 1 1.2 SpecificationsofRabbit . .... 2 1.2.1 Notation.................................... 2 1.2.2 A high-level description . ... 2 1.2.3 Key-SetupScheme .............................. 4 1.2.4 IV-SetupScheme............................... 5 1.2.5 ExtractionScheme .............................. 6 1.2.6 Next-StateFunction . 7 1.2.7 Encryption/decryptionScheme . .... 8 1.3 SecurityPropertiesofRabbit . ...... 11 1.3.1 KEY-SETUPProperties. 11 1.3.2 IVSetupProperties ............................. 13 1.3.3 PartialGuessing ............................... 14 1.3.4 AlgebraicAnalysis . .. .. .. .. .. .. .. .. 15 1.3.5 CorrelationAnalysis . 18 1.3.6 DifferentialAnalysis . 19 1.3.7 StatisticalTest ............................... 20 1.3.8 Mod n Analysis................................ 21 1.3.9 PeriodLength ................................ 22 1.4 CryptanalysisofRabbit . 22 iii iv CONTENTS 1.4.1 OnaBiasofRabbit ............................. 22 1.4.2 Another Cryptanalysis based on FFT . 23 1.4.3 Differential Fault Analysis of Rabbit . ..... 23 1.5 Performance Evaluations of Rabbit . ....... 23 1.5.1 IntelPlatforms ................................ 24 1.5.2 PowerPCPlatform ............................. 25 1.5.3 ARM7Platform ............................... 25 1.5.4 MIPS4KcPlatform ............................. 26 1.5.5 HardwarePerformances . 27 1.6 StrengthandAdvantages . 28 1.6.1 CompactDesign ............................... 28 1.6.2 HighSecurity................................. 28 1.7 Afewremarksaboutdesign . 28 1.7.1 DesignofCounterSystems . 29 1.7.2 SymmetryandMixing............................ 29 1.8 Conclusion ...................................... 29 1.9 ASimpleCImplementationofRabbit . ..... 30 2 Salsa 20 43 2.1 Introduction.................................... 43 2.2 SpecificationsofSalsa20 . ..... 43 2.2.1 The quarterround function ......................... 44 2.2.2 The rowround function ........................... 44 2.2.3 The columnround function ......................... 45 2.2.4 The doubleround function .......................... 45 2.2.5 The littleendian function . 45 2.2.6 TheSalsa20hashfunction. 45 2.2.7 TheSalsa20expansionfunction . 46 2.2.8 The Salsa20 encryption function . 47 CONTENTS v 2.3 SecurityPropertiesofSalsa20 . ....... 47 2.3.1 Thecostofanattack ............................ 48 2.3.2 Notes on the diagonal constants . 49 2.3.3 DiffusioninSalsa20 ............................. 49 2.3.4 Differential attacks . 50 2.3.5 Algebraicattacks.............................. 52 2.3.6 Otherattacks................................. 52 2.4 Performance Evaluation of Salsa20 . ....... 53 2.4.1 Salsa20ontheAMDAthlon. 53 2.4.2 Salsa20 on the IBM PowerPC RS64 IV (Sstar) . 54 2.4.3 Salsa20 on the Intel Pentium III . 54 2.4.4 Salsa20 on the Intel Pentium 4 f12 (Willamette) . ....... 55 2.4.5 Salsa20 on the Intel Pentium M . 56 2.4.6 Salsa20 on the Motorola PowerPC 7410 (G4) . 56 2.4.7 Salsa20 on the Sun UltraSPARC II . 57 2.4.8 Salsa20 on the Sun UltraSPARC III . 57 2.4.9 Salsa20 on next-generation CPUs . 58 2.4.10 Salsa20 on smaller platforms . 58 2.5 CryptanalysisofSalsa20 . ..... 59 2.5.1 Truncated differential cryptanalysis of five rounds of Salsa20 . 59 2.5.2 Non-randomnessinSalsa20 . 59 2.5.3 Differential Cryptanalysis of Salsa20/8 . ....... 60 2.5.4 OntheSalsa20CoreFunction. 60 2.6 Conclusion ...................................... 61 2.7 A Simple C Implementation of Salsa20 . ...... 61 3 HC-128 77 3.1 Introduction.................................... 77 3.2 SpecificationsofHC-128 . 77 vi CONTENTS 3.2.1 Notation.................................... 78 3.2.2 KeyandIVSetup.............................. 79 3.2.3 KeystreamGeneration . 79 3.3 SecurityPropertiesofHC-128. ...... 79 3.3.1 Periodlength ................................. 81 3.3.2 Securityofthesecretkey . 81 3.3.3 Security of the initialization process (Key-IV setup) ........... 81 3.3.4 Randomnessofthekeystream. 81 3.4 Implementation and Performance of HC-128 . ........ 83 3.4.1 The optimized implementation of HC-128 . ..... 83 3.4.2 TheperformanceofHC-128 . 84 3.5 CryptanalysisofHC-128. 85 3.5.1 Approximating the Feedback Functions[Maitra et al. WCC 2009] . 85 3.5.2 Extending the designer’s cryptanalysis [Maitra et al. WCC 2009] . 87 3.5.3 State Leakage in Keystream . 87 3.5.4 State Recovery from Partial State Exposure . ....... 88 3.5.5 Differential Fault Analysis . 89 3.6 A New Variant of HC-128 to Resist Known Weaknesses . ....... 90 3.7 Conclusion ...................................... 91 3.8 A Simple C implementation of HC-128 . ..... 91 4 SOSEMANUK 95 4.1 Introduction.................................... 95 4.2 SpecificationsofSOSEMANUK. 96 4.2.1 SERPENTandderivatives . 96 4.2.2 TheLFSR................................... 97 4.2.3 Outputtransformation. 99 4.2.4 SOSEMANUKworkflow. .. .. .. .. .. .. .. .. 99 4.2.5 Initialization of SOSEMANUK . 102 CONTENTS vii 4.3 Design Rationale of SOSEMANUK . 103 4.3.1 Key initialization and IV injection . 103 4.3.2 TheLFSR................................... 104 4.3.3 TheFSM ................................... 105 4.3.4 Theoutputtransformation . 106 4.4 SecurityPropertiesofSOSEMANUK. 107 4.4.1 Time-memory-data tradeoff attacks . 107 4.4.2 Guessanddetermineattacks . 107 4.4.3 Correlationattacks. 108 4.4.4 Distinguishingattacks . 109 4.4.5 AlgebraicAttacks .............................. 109 4.5 PerformancesofSOSEMANUK . 110 4.6 CryptanalysisofSOSEMANUK. 112 4.6.1 Improved Guess and Determine Attack on SOSEMANUK . 112 4.6.2 Evaluation With Regard to Guess-and-Determine Attacks ........ 112 4.6.3 Cryptanalysis of SOSEMANUK and SNOW 2.0 Using Linear Masks . 112 4.6.4 Improved Linear Cryptanalysis of SOSEMANUK . 113 4.6.5 A Byte-Based Guess and Determine Attack on SOSEMANUK . 113 4.6.6 Differential Fault Analysis of SOSEMANUK . 114 4.7 Conclusion ...................................... 114 4.8 A Simple C Implementation of SOSEMANUK . 114 5 Trivium 137 5.1 Introduction.................................... 137 5.2 SpecificationsofTrivium. 138 5.2.1 Keystreamgeneration. 138 5.2.2 KeyandIVsetup .............................. 139 5.3 ImplementationofTrivium . 140 5.3.1 Hardware Implementation . 140 viii CONTENTS 5.3.2 Software Implementation . 141 5.3.3 Few other Hardware Implementations . 141 5.4 SecurityPropertiesofTrivium . 141 5.4.1 Correlation .................................. 142 5.4.2 Period..................................... 142 5.4.3 Guess and Determine attacks . 143 5.4.4 Algebraicattacks.............................. 143 5.4.5 Resynchronization attacks . 143 5.5 CryptanalysisofTrivium . 143 5.5.1 Cryptanalytic Results on Trivium . 143 5.5.2 Two Trivial Attacks on Trivium . 144 5.5.3 An Algebraic Analysis based on the Boolean SAT Problem ....... 144 5.5.4 Differential Fault Analysis of Trivium . 145 5.5.5 Floating Fault Analysis of Trivium . 146 5.5.6 Algebraic Attack Against Trivium . 146 5.5.7 CubeattacksonTrivium . 146 5.5.8 Floating Fault Analysis of Trivium under Weaker Assumptions . 147 5.5.9 Hard Fault Analysis of Trivium . 147 5.5.10 Analysis of Trivium by a Simulated Annealing Variant .......... 147 5.5.11 The Cube Attack on Stream Cipher Trivium and Quadraticity Tests . 148 5.5.12 Improved Differential Fault Analysis of Trivium . ......... 148 5.5.13 Conditional Differential Cryptanalysis of Trivium . ........... 149 5.6 Conclusion ...................................... 149 5.7 A Simple C Implementation of Trivium . 149 6 Grain v1 155 6.1 Introduction.................................... 155 6.2 SpecificationsofGrainv1 . 156 6.2.1 Key and IV Initialization . 157 CONTENTS ix 6.2.2 ThroughputRate............................... 157 6.3 SecurityPropertiesofGrain. 159 6.3.1 LinearApproximations. 159 6.3.2 AlgebraicAttacks .............................. 159 6.3.3 Time-Memory-Data Trade-off Attack . 160 6.3.4 FaultAttacks................................. 160 6.4 DesignChoicesofGrain . .. .. .. .. .. .. .. .. 160 6.4.1 SizeoftheLFSRandtheNFSR . 160 6.4.2 SpeedAcceleration . .. .. .. .. .. .. .. .. 161 6.4.3 Choice of f(·)................................. 161 6.4.4 Choice of g(·)................................. 161 6.4.5 Choiceofoutputfunction . 162 6.5 Hardware Performance of Grain-128 . 162 6.6 Hardware Implementations of Grain . 162 6.6.1 An Improved Implementation of Grain . 163 6.6.2 Design and Implementation Based on SABL Logic . 163 6.6.3 Comparison of Low-Power Implementations of Trivium and Grain . 164 6.6.4 Othercomparativestudies. 164 6.7 CryptanalysisofGrain. 164 6.7.1 Slide Resynchronization Attack on the Initialization of Grain v1 . 164 6.7.2 Related-Key Chosen IV Attack on Grain-v1 and Grain-128 ....... 164 6.7.3 Cryptanalysis of Grain using Time / Memory /Data Tradeoffs . 165 6.7.4 Distinguishing Attack on Grain using Linear Sequential Circuit Method 165 6.7.5 Analysis of Grain’s Initialization Algorithm . .......... 165 6.7.6 Fault Analysis of Grain-128 . 165 6.7.7 An Experimentally Verified Attack on Full Grain-128 . ........ 166 6.7.8 Breaking Grain-128 with Dynamic Cube Attacks . 166 6.7.9 Fault analysis of Grain-128 by targeting NFSR . ....... 167 6.8 Conclusion ...................................... 167 x CONTENTS 6.9 A Simple.
Load more

Recommended publications
  • Secure Transmission of Data Using Rabbit Algorithm
    International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395 -0056 Volume: 04 Issue: 05 | May -2017 www.irjet.net p-ISSN: 2395-0072 Secure Transmission of Data using Rabbit Algorithm Shweta S Tadkal1, Mahalinga V Mandi2 1 M. Tech Student , Department of Electronics & Communication Engineering, Dr. Ambedkar institute of Technology,Bengaluru-560056 2 Associate Professor, Department of Electronics & Communication Engineering, Dr. Ambedkar institute of Technology,Bengaluru-560056 ---------------------------------------------------------------------***----------------------------------------------------------------- Abstract— This paper presents the design and simulation of secure transmission of data using rabbit algorithm. The rabbit algorithm is a stream cipher algorithm. Stream ciphers are an important class of symmetric encryption algorithm, which uses the same secret key to encrypt and decrypt the data and has been designed for high performance in software implementation. The data or the plain text in our proposed model is the binary data which is encrypted using the keys generated by the rabbit algorithm. The rabbit algorithm is implemented and the language used to write the code is Verilog and then is simulated using Modelsim6.4a. The software tool used is Xilinx ISE Design Suit 14.7. Keywords—Cryptography, Stream ciphers, Rabbit algorithm 1. INTRODUCTION In today’s world most of the communications done using electronic media. Data security plays a vitalkrole in such communication. Hence there is a need to predict data from malicious attacks. This is achieved by cryptography. Cryptographydis the science of secretscodes, enabling the confidentiality of communication through an in secure channel. It protectssagainstbunauthorizedapartiesoby preventing unauthorized alterationhof use. Several encrypting algorithms have been built to deal with data security attacks.
    [Show full text]
  • Failures of Secret-Key Cryptography D
    Failures of secret-key cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven http://xkcd.com/538/ 2011 Grigg{Gutmann: In the past 15 years \no one ever lost money to an attack on a properly designed cryptosystem (meaning one that didn't use homebrew crypto or toy keys) in the Internet or commercial worlds". 2011 Grigg{Gutmann: In the past 15 years \no one ever lost money to an attack on a properly designed cryptosystem (meaning one that didn't use homebrew crypto or toy keys) in the Internet or commercial worlds". 2002 Shamir:\Cryptography is usually bypassed. I am not aware of any major world-class security system employing cryptography in which the hackers penetrated the system by actually going through the cryptanalysis." Do these people mean that it's actually infeasible to break real-world crypto? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Or are they simply wrong: real-world crypto is breakable; is in fact being broken; is one of many ongoing disaster areas in security? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Or are they simply wrong: real-world crypto is breakable; is in fact being broken; is one of many ongoing disaster areas in security? Let's look at some examples.
    [Show full text]
  • Key Differentiation Attacks on Stream Ciphers
    Key differentiation attacks on stream ciphers Abstract In this paper the applicability of differential cryptanalytic tool to stream ciphers is elaborated using the algebraic representation similar to early Shannon’s postulates regarding the concept of confusion. In 2007, Biham and Dunkelman [3] have formally introduced the concept of differential cryptanalysis in stream ciphers by addressing the three different scenarios of interest. Here we mainly consider the first scenario where the key difference and/or IV difference influence the internal state of the cipher (∆key, ∆IV ) → ∆S. We then show that under certain circumstances a chosen IV attack may be transformed in the key chosen attack. That is, whenever at some stage of the key/IV setup algorithm (KSA) we may identify linear relations between some subset of key and IV bits, and these key variables only appear through these linear relations, then using the differentiation of internal state variables (through chosen IV scenario of attack) we are able to eliminate the presence of corresponding key variables. The method leads to an attack whose complexity is beyond the exhaustive search, whenever the cipher admits exact algebraic description of internal state variables and the keystream computation is not complex. A successful application is especially noted in the context of stream ciphers whose keystream bits evolve relatively slow as a function of secret state bits. A modification of the attack can be applied to the TRIVIUM stream cipher [8], in this case 12 linear relations could be identified but at the same time the same 12 key variables appear in another part of state register.
    [Show full text]
  • Algebraic Attacks on SOBER-T32 and SOBER-T16 Without Stuttering
    Algebraic Attacks on SOBER-t32 and SOBER-t16 without stuttering Joo Yeon Cho and Josef Pieprzyk? Center for Advanced Computing – Algorithms and Cryptography, Department of Computing, Macquarie University, NSW, Australia, 2109 {jcho,josef}@ics.mq.edu.au Abstract. This paper presents algebraic attacks on SOBER-t32 and SOBER-t16 without stuttering. For unstuttered SOBER-t32, two differ- ent attacks are implemented. In the first attack, we obtain multivariate equations of degree 10. Then, an algebraic attack is developed using a collection of output bits whose relation to the initial state of the LFSR can be described by low-degree equations. The resulting system of equa- tions contains 269 equations and monomials, which can be solved using the Gaussian elimination with the complexity of 2196.5. For the second attack, we build a multivariate equation of degree 14. We focus on the property of the equation that the monomials which are combined with output bit are linear. By applying the Berlekamp-Massey algorithm, we can obtain a system of linear equations and the initial states of the LFSR can be recovered. The complexity of attack is around O(2100) with 292 keystream observations. The second algebraic attack is applica- ble to SOBER-t16 without stuttering. The attack takes around O(285) CPU clocks with 278 keystream observations. Keywords : Algebraic attack, stream ciphers, linearization, NESSIE, SOBER-t32, SOBER-t16, modular addition, multivariate equations 1 Introduction Stream ciphers are an important class of encryption algorithms. They encrypt individual characters of a plaintext message one at a time, using a stream of pseudorandom bits.
    [Show full text]
  • VMPC-MAC: a Stream Cipher Based Authenticated Encryption Scheme
    VMPC-MAC: A Stream Cipher Based Authenticated Encryption Scheme Bartosz Zoltak http://www.vmpcfunction.com [email protected] Abstract. A stream cipher based algorithm for computing Message Au- thentication Codes is described. The algorithm employs the internal state of the underlying cipher to minimize the required additional-to- encryption computational e®ort and maintain general simplicity of the design. The scheme appears to provide proper statistical properties, a comfortable level of resistance against forgery attacks in a chosen ci- phertext attack model and high e±ciency in software implementations. Keywords: Authenticated Encryption, MAC, Stream Cipher, VMPC 1 Introduction In the past few years the interest in message authentication algorithms has been concentrated mostly on modes of operation of block ciphers. Examples of some recent designs include OCB [4], OMAC [7], XCBC [6], EAX [8], CWC [9]. Par- allely a growing interest in stream cipher design can be observed, however along with a relative shortage of dedicated message authentication schemes. Regarding two recent proposals { Helix and Sober-128 stream ciphers with built-in MAC functionality { a powerful attack against the MAC algorithm of Sober-128 [10] and two weaknesses of Helix [12] were presented at FSE'04. This paper gives a proposition of a simple and software-e±cient algorithm for computing Message Authentication Codes for the presented at FSE'04 VMPC Stream Cipher [13]. The proposed scheme was designed to minimize the computational cost of the additional-to-encryption MAC-related operations by employing some data of the internal-state of the underlying cipher. This approach allowed to maintain sim- plicity of the design and achieve good performance in software implementations.
    [Show full text]
  • Stream Ciphers (Contd.)
    Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives • Non-linear feedback shift registers • Stream ciphers using LFSRs: – Non-linear combination generators – Non-linear filter generators – Clock controlled generators – Other Stream Ciphers Low Power Ajit Pal IIT Kharagpur 1 Non-linear feedback shift registers • A Feedback Shift Register (FSR) is non-singular iff for all possible initial states every output sequence of the FSR is periodic. de Bruijn Sequence An FSR with feedback function fs(jj−−12 , s ,..., s jL − ) is non-singular iff f is of the form: fs=⊕jL−−−−+ gss( j12 , j ,..., s jL 1 ) for some Boolean function g. The period of a non-singular FSR with length L is at most 2L . If the period of the output sequence for any initial state of a non-singular FSR of length L is 2L , then the FSR is called a de Bruijn FSR, and the output sequence is called a de Bruijn sequence. Low Power Ajit Pal IIT Kharagpur 2 Example f (,xxx123 , )1= ⊕⊕⊕ x 2 x 3 xx 12 t x1 x2 x3 t x1 x2 x3 0 0 0 0 4 0 1 1 1 1 0 0 5 1 0 1 2 1 1 0 6 0 1 0 3 1 1 1 3 0 0 1 Converting a maximal length LFSR to a de-Bruijn FSR Let R1 be a maximum length LFSR of length L with linear feedback function: fs(jj−−12 , s ,..., s jL − ). Then the FSR R2 with feedback function: gs(jj−−12 , s ,..., s jL − )=⊕ f sjj−−12 , s ,..., s j −L+1 is a de Bruijn FSR.
    [Show full text]
  • Cryptanalysis of Sfinks*
    Cryptanalysis of Sfinks? Nicolas T. Courtois Axalto Smart Cards Crypto Research, 36-38 rue de la Princesse, BP 45, F-78430 Louveciennes Cedex, France, [email protected] Abstract. Sfinks is an LFSR-based stream cipher submitted to ECRYPT call for stream ciphers by Braeken, Lano, Preneel et al. The designers of Sfinks do not to include any protection against algebraic attacks. They rely on the so called “Algebraic Immunity”, that relates to the complexity of a simple algebraic attack, and ignores other algebraic attacks. As a result, Sfinks is insecure. Key Words: algebraic cryptanalysis, stream ciphers, nonlinear filters, Boolean functions, solving systems of multivariate equations, fast algebraic attacks on stream ciphers. 1 Introduction Sfinks is a new stream cipher that has been submitted in April 2005 to ECRYPT call for stream cipher proposals, by Braeken, Lano, Mentens, Preneel and Varbauwhede [6]. It is a hardware-oriented stream cipher with associated authentication method (Profile 2A in ECRYPT project). Sfinks is a very simple and elegant stream cipher, built following a very classical formula: a single maximum-period LFSR filtered by a Boolean function. Several large families of ciphers of this type (and even much more complex ones) have been in the recent years, quite badly broken by algebraic attacks, see for exemple [12, 13, 1, 14, 15, 2, 18]. Neverthe- less the specialists of these ciphers counter-attacked by defining and applying the concept of Algebraic Immunity [7] to claim that some designs are “secure”. Unfortunately, as we will see later, the notion of Algebraic Immunity protects against only one simple alge- braic attack and ignores other algebraic attacks.
    [Show full text]
  • Hardware Implementation of the Salsa20 and Phelix Stream Ciphers
    Hardware Implementation of the Salsa20 and Phelix Stream Ciphers Junjie Yan and Howard M. Heys Electrical and Computer Engineering Memorial University of Newfoundland Email: {junjie, howard}@engr.mun.ca Abstract— In this paper, we present an analysis of the digital of battery limitations and portability, while for virtual private hardware implementation of two stream ciphers proposed for the network (VPN) applications and secure e-commerce web eSTREAM project: Salsa20 and Phelix. Both high speed and servers, demand for high-speed encryption is rapidly compact designs are examined, targeted to both field increasing. programmable (FPGA) and application specific integrated circuit When considering implementation technologies, normally, (ASIC) technologies. the ASIC approach provides better performance in density and The studied designs are specified using the VHDL hardware throughput, but an FPGA is reconfigurable and more flexible. description language, and synthesized by using Synopsys CAD In our study, several schemes are used, catering to the features tools. The throughput of the compact ASIC design for Phelix is of the target technology. 260 Mbps targeted for 0.18µ CMOS technology and the corresponding area is equivalent to about 12,400 2-input NAND 2. PHELIX gates. The throughput of Salsa20 ranges from 38 Mbps for the 2.1 Short Description of the Phelix Algorithm compact FPGA design, implemented using 194 CLB slices to 4.8 Phelix is claimed to be a high-speed stream cipher. It is Gbps for the high speed ASIC design, implemented with an area selected for both software and hardware performance equivalent to about 470,000 2-input NAND gates. evaluation by the eSTREAM project.
    [Show full text]
  • Improved Correlation Attacks on SOSEMANUK and SOBER-128
    Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of Technology Department of Information and Computer Science, Espoo, Finland 24th March 2009 1 / 35 SOSEMANUK Attack Approximations SOBER-128 Outline SOSEMANUK Attack Method Searching Linear Approximations SOBER-128 2 / 35 SOSEMANUK Attack Approximations SOBER-128 SOSEMANUK (from Wiki) • A software-oriented stream cipher designed by Come Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cedric` Lauradoux, Marine Minier, Thomas Pornin and Herve` Sibert. • One of the final four Profile 1 (software) ciphers selected for the eSTREAM Portfolio, along with HC-128, Rabbit, and Salsa20/12. • Influenced by the stream cipher SNOW and the block cipher Serpent. • The cipher key length can vary between 128 and 256 bits, but the guaranteed security is only 128 bits. • The name means ”snow snake” in the Cree Indian language because it depends both on SNOW and Serpent. 3 / 35 SOSEMANUK Attack Approximations SOBER-128 Overview 4 / 35 SOSEMANUK Attack Approximations SOBER-128 Structure 1. The states of LFSR : s0,..., s9 (320 bits) −1 st+10 = st+9 ⊕ α st+3 ⊕ αst, t ≥ 1 where α is a root of the primitive polynomial. 2. The Finite State Machine (FSM) : R1 and R2 R1t+1 = R2t ¢ (rtst+9 ⊕ st+2) R2t+1 = Trans(R1t) ft = (st+9 ¢ R1t) ⊕ R2t where rt denotes the least significant bit of R1t. F 3. The trans function Trans on 232 : 32 Trans(R1t) = (R1t × 0x54655307 mod 2 )≪7 4. The output of the FSM : (zt+3, zt+2, zt+1, zt)= Serpent1(ft+3, ft+2, ft+1, ft)⊕(st+3, st+2, st+1, st) 5 / 35 SOSEMANUK Attack Approximations SOBER-128 Previous Attacks • Authors state that ”No linear relation holds after applying Serpent1 and there are too many unknown bits...”.
    [Show full text]
  • On the Use of Continued Fractions for Stream Ciphers
    On the use of continued fractions for stream ciphers Amadou Moctar Kane Département de Mathématiques et de Statistiques, Université Laval, Pavillon Alexandre-Vachon, 1045 av. de la Médecine, Québec G1V 0A6 Canada. [email protected] May 25, 2013 Abstract In this paper, we present a new approach to stream ciphers. This method draws its strength from public key algorithms such as RSA and the development in continued fractions of certain irrational numbers to produce a pseudo-random stream. Although the encryption scheme proposed in this paper is based on a hard mathematical problem, its use is fast. Keywords: continued fractions, cryptography, pseudo-random, symmetric-key encryption, stream cipher. 1 Introduction The one time pad is presently known as one of the simplest and fastest encryption methods. In binary data, applying a one time pad algorithm consists of combining the pad and the plain text with XOR. This requires the use of a key size equal to the size of the plain text, which unfortunately is very difficult to implement. If a deterministic program is used to generate the keystream, then the system will be called stream cipher instead of one time pad. Stream ciphers use a great deal of pseudo- random generators such as the Linear Feedback Shift Registers (LFSR); although cryptographically weak [37], the LFSRs present some advantages like the fast time of execution. There are also generators based on Non-Linear transitions, examples included the Non-Linear Feedback Shift Register NLFSR and the Feedback Shift with Carry Register FCSR. Such generators appear to be more secure than those based on LFSR.
    [Show full text]
  • SOBER: a Stream Cipher Based on Linear Feedback Over GF\(2N\)
    Turing: a fast software stream cipher Greg Rose, Phil Hawkes {ggr, phawkes}@qualcomm.com 25-Feb-03 Copyright © QUALCOMM Inc, 2002 DISCLAIMER! •This version (1.8 of TuringRef.c) is what we expect to publish. Any changes from now on will be because someone broke it. (Note: we said that about 1.5 and 1.7 too.) •This is an experimental cipher. Turing might not be secure. We've already found two attacks (and fixed them). We're starting to get confidence. •Comments are welcome. •Reference implementation source code agrees with these slides. 25-Feb-03 Copyright© QUALCOMM Inc, 2002 slide 2 Introduction •Stream ciphers •Design goals •Using LFSRs for cryptography •Turing •Keying •Analysis and attacks •Conclusion 25-Feb-03 Copyright© QUALCOMM Inc, 2002 slide 3 Stream ciphers •Very simple – generate a stream of pseudo-random bits – XOR them into the data to encrypt – XOR them again to decrypt •Some gotchas: – can’t ever reuse the same stream of bits – so some sort of facility for Initialization Vectors is important – provides privacy but not integrity / authentication – good statistical properties are not enough for security… most PRNGs are no good. 25-Feb-03 Copyright© QUALCOMM Inc, 2002 slide 4 Turing's Design goals •Mobile phones – cheap, slow, small CPUs, little memory •Encryption in software – cheaper – can be changed without retooling •Stream cipher – two-level keying structure (re-key per data frame) – stream is "seekable" with low overhead •Very fast and simple, aggressive design •Secure (? – we think so, but it's experimental) 25-Feb-03
    [Show full text]
  • Grein a New Non-Linear Cryptoprimitive
    UNIVERSITY OF BERGEN Grein A New Non-Linear Cryptoprimitive by Ole R. Thorsen Thesis for the degree Master of Science December 2013 in the Faculty of Mathematics and Natural Sciences Department of Informatics Acknowledgements I want to thank my supervisor Tor Helleseth for all his help during the writing of this thesis. Further, I wish to thank the Norwegian National Security Authority, for giving me access to their Grein cryptosystem. I also wish to thank all my colleagues at the Selmer Centre, for all the inspiring discus- sions. Most of all I wish to thank prof. Matthew Parker for all his input, and my dear friends Stian, Mikal and Jørgen for their spellchecking, and socialising in the breaks. Finally, I wish to thank my girlfriend, Therese, and my family, for their continuous sup- port during the writing of this thesis. Without you, this would not have been possible. i Contents Acknowledgementsi List of Figures iv List of Tablesv 1 Introduction1 2 Cryptography2 2.1 Classical Cryptography............................3 2.2 Modern Cryptography.............................4 3 Stream Ciphers5 3.1 Stream Cipher Fundamentals.........................5 3.2 Classification of Stream Ciphers........................6 3.3 One-Time Pad.................................7 4 Building Blocks8 4.1 Boolean Functions...............................8 4.1.1 Cryptographic Properties....................... 10 4.2 Linear Feedback Shift Registers........................ 11 4.2.1 The Recurrence Relation....................... 12 4.2.2 The Matrix Method.......................... 12 4.2.3 Characteristic Polynomial....................... 13 4.2.4 Period of a Sequence.......................... 14 4.3 Linear Complexity............................... 16 4.4 The Berlekamp-Massey Algorithm...................... 16 4.5 Non-Linear Feedback Shift Registers....................
    [Show full text]