On Statistical Analysis of Synchronous Stream Ciphers
Total Page:16
File Type:pdf, Size:1020Kb
ON STATISTICAL ANALYSIS OF SYNCHRONOUS STREAM CIPHERS MELTEM SONMEZ¨ TURAN APRIL 2008 ON STATISTICAL ANALYSIS OF SYNCHRONOUS STREAM CIPHERS A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF THE MIDDLE EAST TECHNICAL UNIVERSITY BY MELTEM SONMEZ¨ TURAN IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY IN THE DEPARTMENT OF CRYPTOGRAPHY APRIL 2008 Approval of the Graduate School of Applied Mathematics Prof. Dr. Ersan AKYILDIZ Director I certify that this thesis satisfies all the requirements as a thesis for the degree of Doctor of Philosophy. Prof. Dr. Ferruh OZBUDAK¨ Head of Department This is to certify that we have read this thesis and that in our opinion it is fully adequate, in scope and quality, as a thesis for the degree of Doctor of Philosophy. Assoc. Prof. Dr. Ali DOGANAKSOY˘ Supervisor Examining Committee Members Prof. Dr. Ersan AKYILDIZ Prof. Dr. Ferruh OZBUDAK¨ Prof. Dr. Semih Koray Assoc. Prof. Dr. Ali DOGANAKSOY˘ Dr. Orhun KARA I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work. Name, Last name : Signature : iii Abstract ON STATISTICAL ANALYSIS OF SYNCHRONOUS STREAM CIPHERS S¨onmez Turan, Meltem Ph.D., Department of Cryptography Supervisor: Assoc. Prof. Ali Do˘ganaksoy April 2008, 146 pages Synchronous stream ciphers constitute an important class of symmetric ciphers. After the call of the eSTREAM project in 2004, 34 stream ciphers with different design approaches were proposed. In this thesis, we aim to provide a general framework to analyze stream ciphers statistically. Firstly, we consider stream ciphers as pseudo random number generators and study the quality of their output. We propose three randomness tests based on one dimensional random walks. Moreover, we theoretically and experimentally analyze the relations of various randomness tests. We focus on the ideas of algebraic, time memory tradeoff (TMTO) and correlation attacks and propose a number of chosen IV distinguishers. We experimentally observe statistical weaknesses in some of the stream ciphers that are believed to be secure. Keywords: Synchronous stream ciphers, Statistical analysis, eSTREAM, Distinguishing attacks. iv Oz¨ SENKRONIZE˙ AKAN S¸IFRELER˙ IN˙ ISTAT˙ IST˙ IKSEL˙ ANALIZ˙ I˙ UZER¨ INE˙ S¨onmez Turan, Meltem Doktora, Kriptografi B¨ol¨um¨u Tez Y¨oneticisi:Do¸c. Dr. Ali Do˘ganaksoy Nisan 2008, 146 sayfa Senkronize akan ¸sifreler simetrik anahtarlı kriptosistemlerin ¨onemlibir par¸casını olu¸sturur. 2004 yılında duyurulan eSTREAM projesi ¨uzerine, farklı tasarımlara sahip 34 akan ¸sifre ¨onerilmi¸stir.Bu tezde, senkronize akan ¸sifrelerin istatistiksel analizi ¨uzerine genel bir ¸cer¸ceve verilmesi hedeflenmi¸stir. Ilk˙ olarak, akan ¸sifreler rastgele sayı ¨urete¸cleri olarak d¨u¸s¨un¨ulm¨u¸sve ¸cıktılarının kalitesi ¸calı¸sılmı¸stır. Tek boyutlu rastgele y¨ur¨uy¨u¸slere dayanan ¨u¸ctest ¨onerilmi¸stir. Ayrıca, teorik ve deneysel olarak testlerin birbirleri ile olan ili¸skileri¸calı¸sılmı¸stır. Cebirsel, zaman-hafıza ¨ozd¨unle¸simi ve ilinti ataklarının fikirleri ¨uzerinde durularak ayırt edici testler ¨onerilmi¸stir.G¨uvenli oldu˘gud¨u¸s¨un¨ulenbazı ¸sifrelerde deneysel zayıflıklar g¨ozlemlenmi¸stir. Anahtar Kelimeler: Senkronize akan ¸sifreler, Istatistiksel˙ analiz, eSTREAM, Ayırt edici ataklar. v To Fırat, vi Acknowledgments This thesis has been an inspiring, exciting and challenging experience. During the preparation of this thesis, I have been accompanied and supported by a great number of people whose contribution is worth to mention. First, I would like to express my deep and sincere thanks to my supervisor, As- soc. Prof. Ali Do˘ganaksoy for his mentoring, expertise and guidance throughout the research. Many thanks go to all members of the Institute of Applied Mathematics especially to Prof. Dr. Ersan Akyıldız for providing an excellent and inspiring working atmosphere. Special thanks go to Dr. Orhun Kara, for his guidance and ideas. I thank C¸a˘gda¸sC¸alık for his endless help in implementation of tests, proof reading of the thesis and most importantly for being a good friend. My sincere thanks go to Onur Ozen¨ and Kerem Varıcı for their motivation and encouragement. I thank Fatih Sulak for his help on probability calculations. I also thank Nurdan Buz Saran, G¨u¸cl¨u D¨undar and Z¨ulf¨ukar Saygı for their support. I gratefully thank Prof. Dr. Thomas Johansson for giving me the opportunity to work with him. Many thanks go to friends in Lund especially to H˚akan, Martin and Koraljka. I greatly appreciate the guidance of Prof. Dr. Nur Evin Ozdemirel¨ and Assoc. Prof. Dr. Haldun S¨uralduring my MS studies, who taught me the importance of academic work. Finally, I wish to express my love and gratitude to my family. I’d particularly like to thank my parents and brother Tun¸c.Last but not least, without the understanding of my husband Fırat, it would have been impossible for me to finish this work. vii Table of Contents Plagiarism .............................................................. iii Abstract ................................................................ iv Oz¨ ........................................................................ v Acknowledgments ..................................................... vii Table of Contents .................................................... viii List of Figures ......................................................... xi List of Tables .......................................................... xiii List of Abbreviations .................................................xvii 1 Introduction ........................................................ 1 1.1 Motivation . 5 1.1.1 Outline of the Thesis . 6 2 Brief Overview of Synchronous Stream Ciphers .............. 8 2.1 Basic Building Blocks . 9 2.1.1 Feedback Shift Registers . 9 2.1.2 Boolean Functions and S-boxes . 14 2.1.3 T-functions . 15 2.2 Desired Properties of Keystream . 16 2.2.1 Period . 17 viii 2.2.2 Randomness . 17 2.2.3 Complexity Measures . 20 2.3 Common Designs . 23 2.3.1 Designs Based on Feedback Shift Registers . 24 2.3.2 Designs Based on Block Ciphers . 28 2.3.3 Designs Based on Hash Functions . 30 2.3.4 Designs Based on NP-Hard Problems . 30 2.3.5 Other Designs . 31 2.4 Cryptanalysis of Stream Ciphers . 32 2.5 Distinguishing Attacks . 33 3 Analysis of Keystream ............................................ 38 3.1 Randomness Tests . 40 3.2 New Tests Based on Random Walks . 44 3.2.1 Random Walks . 45 3.2.2 Test Descriptions . 48 3.3 Independence of Tests . 50 3.3.1 Theoretical Results . 52 3.3.2 Experiments on Short Sequences . 53 3.4 Sensitivity of Tests . 57 3.5 Summary . 58 4 Tests Based on Algebraic Properties ........................... 60 4.1 Basics of Algebraic Attacks . 61 4.2 Desired Properties of Fi’s .......................... 62 4.3 Analyzing Classical Designs . 63 4.4 A Case Study on Trivium . 67 4.4.1 Description of Trivium . 67 4.4.2 Linear Approximations . 69 4.4.3 Searching for Linear Approximations . 70 ix 4.4.4 Linear Approximations for 2-round Trivium . 71 4.4.5 Discussion . 74 4.5 d-Monomial Approach . 75 4.5.1 A Generalized Approach . 77 4.5.2 Monomial Distribution Test . 78 4.5.3 Maximal Degree Test . 79 4.5.4 Experimental Results . 81 4.5.5 Discussion . 85 4.5.6 Improvement of Fischer et al.[1] . 86 4.6 Linear Independence . 86 4.6.1 Preliminaries . 86 4.6.2 Linear Span Test . 87 4.6.3 Experimental Results . 88 4.7 Completeness Property . 88 4.7.1 Diffusion Test . 88 4.7.2 Experimental Results . 90 4.8 Summary . 90 5 Tests Based on Random Mappings ............................... 93 5.1 Preliminaries . 94 5.2 Time Memory Tradeoff Attacks . 95 5.3 Three New Distinguishers . 98 5.3.1 Coverage Test . 99 5.3.2 ρ-Test................................. 100 5.3.3 DP-Coverage Test . 102 5.4 Experimental Results . 103 5.5 Summary . 104 6 Tests Based on Correlations .....................................105 6.1 Basics of Correlation Attacks . 105 x 6.2 Tests Based on Correlation of Key, IV and Keystream . 107 6.2.1 Key/Keystream Correlation Test . 107 6.2.2 IV/Keystream Correlation Test . 108 6.2.3 Frame Correlation Test . 109 6.3 Experimental Results . 110 6.4 Summary . 112 7 Conclusion .......................................................... 114 References ............................................................. 117 Appendices ..............................................................132 A Basics of Statistical Inference ..................................132 A.1 Probability Theory . 132 A.1.1 Some Special Distributions . 133 A.2 Hypothesis Testing . 135 B Other Attacks Against Stream Ciphers ........................ 139 B.1 Resynchronization Attacks . 139 B.2 Guess and Determine Attacks . 140 B.3 Side Channel Attacks . 141 C NIST Test Results .................................................143 D F1 for 2-round Trivium ............................................144 E Linear Regression Model for d-monomial Test of Grain . 145 Vita ......................................................................147 xi List of Figures 1.1 Encryption and decryption . 1 1.2 Classification of cryptographic primitives . 2 2.1 Generic structure of a synchronous stream cipher . 9 2.2 Binary additive stream cipher . 9 2.3 Block diagram of a FSR . 10 2.4 Nonlinear combining generator . 24 2.5 Nonlinear filtering generator . 26 2.6 Distinguishing