Secure Stream Cipher Initialisation Processes

by Ali Abdulaziz Alhamdan

Bachelor of Engineering (Electrical Engineering) (KSU) – 1997
Master of Information Technology (QUT) – 2009

Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy

Information Security discipline
Electrical Engineering and Computer Science School
Science and Engineering Faculty
Queensland University of Technology

January 2014

Keywords

A5/1, Common Scrambling Algorithm Stream Cipher (CSA-SC), cryptanalysis, cryptography, differential attacks, diffusion phase, Dragon, Grain, initialisation flaws, initialisation process, initialisation vector (IV), LILI, loading phase, MICKEY, RC4, rekeying, resynchronisation attacks, Sfinks, shifted keystream, slid pairs, slide attacks, state convergence, stream cipher, symmetric cipher, Time Memory trade-off (TMTO) attacks, Trivium, weak key-IV combinations.

Abstract

Stream ciphers are symmetric key cryptosystems that are used commonly to provide confidentiality for a wide range of frame-based applications; such as mobile phone communication, pay TV transmission and Internet traffic. For these applications, stream ciphers are preferred for encryption due to the simplicity of implementation, security against known attacks, efficiency and high throughput.

In modern stream ciphers, the initialisation process (also known as resynchronisation) involves the use of publicly known material as well as the secret key. Unless it is carefully designed, this process may reveal some information about the secret key or may leave a stream cipher vulnerable for some attacks. Analysis of the initialisation process in the literature is limited and has not been addressed thoroughly. The main objective of this research is to provide design recommendations for strengthening initialisation processes in modern stream ciphers.
We achieve this by examining in-depth the initialisation process of three well-known stream ciphers: A5/1, Sfinks and the Common Scrambling Algorithm. Our reasons for choosing these algorithms are:

  • These ciphers are broadly representative of modern stream ciphers.
  • They cover a variety of loading processes
  • A5/1 and the Common Scrambling Algorithm are both used widely.

We have examined the initialisation processes of these three ciphers Design criteria provide to prevent these flaws as well as other flaws in the initialisation process of stream ciphers.

Contents

Front Matter
    Keywords
    Abstract
    Table of Contents
    List of Tables
    List of Figures
    List of Algorithms
    Abbreviations
    List of Symbols
    Declaration
    Previously Published Material
    Acknowledgements

1 Introduction
    1.1 Motivation
    1.2 Aims and Objectives
    1.3 Contributions and Achievements
        1.3.1 Analysis of the Initialisation Process of A5/1 Stream Cipher
        1.3.2 Analysis of the Initialisation Process of Sfinks Stream Cipher
        1.3.3 Analysis of the Initialisation Process of the CSA-SC
        1.3.4 Criteria for the Initialisation Process of Stream Ciphers
    1.4 Thesis Outline

2 Background
    2.1 Terminology and Notation
    2.2 Stream Ciphers
        2.2.1 Types of Keystream Generators
        2.2.2 Properties of Keystream
    2.3 Initialisation Process
        2.3.1 Loading Phase
        2.3.2 Diffusion Phase
        2.3.3 Keystream Generation Process
    2.4 Examples of Initialisation Processes
        2.4.1 RC4
        2.4.2 Trivium
        2.4.3 Grain v1
        2.4.4 Dragon
        2.4.5 MICKEY v1
        2.4.6 LILI-II
        2.4.7 Why A5/1, Sfinks and CSA-SC
    2.5 Cryptanalysis of Stream Ciphers
        2.5.1 Attacking Models
        2.5.2 Aims of Attackers
    2.6 Generic Attacks on the Initialisation Process
        2.6.1 Brute Force Attack
        2.6.2 Time Memory Data Trade-Off Attack
        2.6.3 Differential Attacks
    2.7 Flaws in the Initialisation Process
        2.7.1 State Convergence
        2.7.2 Analysis of State Convergence
        2.7.3 Slid Pairs and Shifted Keystream
        2.7.4 Analysis of Slid Pairs and Shifted Keystream
        2.7.5 Weak Key-IV Combinations
        2.7.6 Analysis of Weak Key-IV Pairs
    2.8 Existing Attacks on Initialisation Processes
        2.8.1 RC4 Analysis
        2.8.2 Trivium Analysis
        2.8.3 Grain Analysis
        2.8.4 Dragon Analysis
        2.8.5 MICKEY Analysis
        2.8.6 LILI-II Analysis
    2.9 Tools
    2.10 Summary

3 Analysis of A5/1 Stream Cipher Initialisation Process
    3.1 Specification of A5/1 Stream Cipher
        3.1.1 Initialisation Process
        3.1.2 Keystream Generation
    3.2 State Convergence
        3.2.1 Previous Analysis
        3.2.2 Extension of Existing Work
    3.3 Slid Pairs and Synchronisation Attacks
        3.3.1 Analysis of Slid Pairs
        3.3.2 Result of Analysis
        3.3.3 Attack Procedure
    3.4 Weak Key-IV Combinations
        3.4.1 Three Registers all Zeros
        3.4.2 Two Registers all Zeros
        3.4.3 One Register all Zeros
    3.5 Summary and Security Impact

4 Analysis of Sfinks Stream Cipher Initialisation Process
    4.1 Specification of Sfinks Stream Cipher
        4.1.1 Initialisation Process
        4.1.2 Keystream Generation
    4.2 State Convergence
        4.2.1 States Which Converge
        4.2.2 State Convergence Across the Initialisation Process
    4.3 Slid Pairs and Synchronisation Attacks
        4.3.1 Slid Pairs Using Sfinks
        4.3.2 Analysis of Slid Pairs
        4.3.3 Findings and Results
        4.3.4 Attack Procedure
        4.3.5 Analysis of Sfinks with Slight Modification
    4.4 Weak Key-IV Combinations
    4.5 Summary and Security Impact

5 Analysis of CSA-SC Initialisation Process
    5.1 Specification of CSA-SC
        5.1.1 Initialisation process
        5.1.2 Keystream generation
    5.2 State Convergence in CSA-SC
        5.2.1 Initialisation State Update Equations
        5.2.2 State Convergence During Initialisation Process
        5.2.3 State Convergence During Keystream Generation
    5.3 Analysis of Slid Pairs
    5.4 Weak Key-IV Combinations
    5.5 Summary and Security Impact

6 Security Issues in Initialisation
    6.1 Security Flaws in Initialisation Process
    6.2 Loading Phase and Security Flaws
        6.2.1 Padding Pattern Weaknesses
        6.2.2 Loading Process and Flaws
        6.2.3 Autonomy in Loading Phase and Flaws
    6.3 Diffusion Phase and Security Flaws
        6.3.1 Number of Iterations and Security
        6.3.2 Properties of State Update Function and Flaws
    6.4 Recommendations
    6.5 Summary

7 Conclusion and Future Work
    7.1 Review of Contributions
        7.1.1 Analysis of the Initialisation Process of A5/1
        7.1.2 Analysis of the Initialisation Process of Sfinks
        7.1.3 Analysis of the Initialisation Process of CSA-SC
        7.1.4 Criteria for the Initialisation Process of Stream Ciphers
    7.2 Future Work

Appendix A A5/1 Algebraic Representation
    A.1 The Key and IV Relationship for Slid Pairs
    A.2 The Key and IV Relationship for Weak Key-IV

Appendix B Common Scrambling Algorithm Stream Cipher
    B.1 The Boolean Functions of the CSA-SC
    B.2 Algebraic Equations at Time t = −31

Index

Bibliography

List of Tables

    2.1 The four sequences COMP0_i, COMP1_i, FB0_i and FB1_i
    2.2 Summary of well known stream cipher proposals
    3.1 Proportions of states in each of Golić's cases
    3.2 Comparison between the analysis of inaccessible states
    3.3 Proportion of available states after α iterations
    3.4 Slid
