
An Overview of eSTREAM Ciphers
Pratyay Mukherjee
Centre of Excellence in Cryptology, Indian Statistical Institute

Contents

1 Rabbit
  1.1 Introduction
  1.2 Specifications of Rabbit
    1.2.1 Notation
    1.2.2 A high-level description
    1.2.3 Key-Setup Scheme
    1.2.4 IV-Setup Scheme
    1.2.5 Extraction Scheme
    1.2.6 Next-State Function
    1.2.7 Encryption/decryption Scheme
  1.3 Security Properties of Rabbit
    1.3.1 KEY-SETUP Properties
    1.3.2 IV Setup Properties
    1.3.3 Partial Guessing
    1.3.4 Algebraic Analysis
    1.3.5 Correlation Analysis
    1.3.6 Differential Analysis
    1.3.7 Statistical Test
    1.3.8 Mod n Analysis
    1.3.9 Period Length
  1.4 Cryptanalysis of Rabbit
    1.4.1 On a Bias of Rabbit
    1.4.2 Another Cryptanalysis based on FFT
    1.4.3 Differential Fault Analysis of Rabbit
  1.5 Performance Evaluations of Rabbit
    1.5.1 Intel Platforms
    1.5.2 PowerPC Platform
    1.5.3 ARM7 Platform
    1.5.4 MIPS 4Kc Platform
    1.5.5 Hardware Performance
  1.6 Strength and Advantages
    1.6.1 Compact Design
    1.6.2 High Security
  1.7 A few remarks about design
    1.7.1 Design of Counter Systems
    1.7.2 Symmetry and Mixing
  1.8 Conclusion
  1.9 A Simple C Implementation of Rabbit

2 Salsa20
  2.1 Introduction
  2.2 Specifications of Salsa20
    2.2.1 The quarterround function
    2.2.2 The rowround function
    2.2.3 The columnround function
    2.2.4 The doubleround function
    2.2.5 The littleendian function
    2.2.6 The Salsa20 hash function
    2.2.7 The Salsa20 expansion function
    2.2.8 The Salsa20 encryption function
  2.3 Security Properties of Salsa20
    2.3.1 The cost of an attack
    2.3.2 Notes on the diagonal constants
    2.3.3 Diffusion in Salsa20
    2.3.4 Differential attacks
    2.3.5 Algebraic attacks
    2.3.6 Other attacks
  2.4 Performance Evaluation of Salsa20
    2.4.1 Salsa20 on the AMD Athlon
    2.4.2 Salsa20 on the IBM PowerPC RS64 IV (Sstar)
    2.4.3 Salsa20 on the Intel Pentium III
    2.4.4 Salsa20 on the Intel Pentium 4 f12 (Willamette)
    2.4.5 Salsa20 on the Intel Pentium M
    2.4.6 Salsa20 on the Motorola PowerPC 7410 (G4)
    2.4.7 Salsa20 on the Sun UltraSPARC II
    2.4.8 Salsa20 on the Sun UltraSPARC III
    2.4.9 Salsa20 on next-generation CPUs
    2.4.10 Salsa20 on smaller platforms
  2.5 Cryptanalysis of Salsa20
    2.5.1 Truncated differential cryptanalysis of five rounds of Salsa20
    2.5.2 Non-randomness in Salsa20
    2.5.3 Differential Cryptanalysis of Salsa20/8
    2.5.4 On the Salsa20 Core Function
  2.6 Conclusion
  2.7 A Simple C Implementation of Salsa20

3 HC-128
  3.1 Introduction
  3.2 Specifications of HC-128
    3.2.1 Notation
    3.2.2 Key and IV Setup
    3.2.3 Keystream Generation
  3.3 Security Properties of HC-128
    3.3.1 Period length
    3.3.2 Security of the secret key
    3.3.3 Security of the initialization process (Key-IV setup)
    3.3.4 Randomness of the keystream
  3.4 Implementation and Performance of HC-128
    3.4.1 The optimized implementation of HC-128
    3.4.2 The performance of HC-128
  3.5 Cryptanalysis of HC-128
    3.5.1 Approximating the Feedback Functions [Maitra et al., WCC 2009]
    3.5.2 Extending the designer's cryptanalysis [Maitra et al., WCC 2009]
    3.5.3 State Leakage in Keystream
    3.5.4 State Recovery from Partial State Exposure
    3.5.5 Differential Fault Analysis
  3.6 A New Variant of HC-128 to Resist Known Weaknesses
  3.7 Conclusion
  3.8 A Simple C Implementation of HC-128

4 SOSEMANUK
  4.1 Introduction
  4.2 Specifications of SOSEMANUK
    4.2.1 SERPENT and derivatives
    4.2.2 The LFSR
    4.2.3 Output transformation
    4.2.4 SOSEMANUK workflow
    4.2.5 Initialization of SOSEMANUK
  4.3 Design Rationale of SOSEMANUK
    4.3.1 Key initialization and IV injection
    4.3.2 The LFSR
    4.3.3 The FSM
    4.3.4 The output transformation
  4.4 Security Properties of SOSEMANUK
    4.4.1 Time-memory-data tradeoff attacks
    4.4.2 Guess and determine attacks
    4.4.3 Correlation attacks
    4.4.4 Distinguishing attacks
    4.4.5 Algebraic Attacks
  4.5 Performance of SOSEMANUK
  4.6 Cryptanalysis of SOSEMANUK
    4.6.1 Improved Guess and Determine Attack on SOSEMANUK
    4.6.2 Evaluation With Regard to Guess-and-Determine Attacks
    4.6.3 Cryptanalysis of SOSEMANUK and SNOW 2.0 Using Linear Masks
    4.6.4 Improved Linear Cryptanalysis of SOSEMANUK
    4.6.5 A Byte-Based Guess and Determine Attack on SOSEMANUK
    4.6.6 Differential Fault Analysis of SOSEMANUK
  4.7 Conclusion
  4.8 A Simple C Implementation of SOSEMANUK

5 Trivium
  5.1 Introduction
  5.2 Specifications of Trivium
    5.2.1 Keystream generation
    5.2.2 Key and IV setup
  5.3 Implementation of Trivium
    5.3.1 Hardware Implementation
    5.3.2 Software Implementation
    5.3.3 A Few Other Hardware Implementations
  5.4 Security Properties of Trivium
    5.4.1 Correlation
    5.4.2 Period
    5.4.3 Guess and Determine attacks
    5.4.4 Algebraic attacks
    5.4.5 Resynchronization attacks
  5.5 Cryptanalysis of Trivium
    5.5.1 Cryptanalytic Results on Trivium
    5.5.2 Two Trivial Attacks on Trivium
    5.5.3 An Algebraic Analysis based on the Boolean SAT Problem
    5.5.4 Differential Fault Analysis of Trivium
    5.5.5 Floating Fault Analysis of Trivium
    5.5.6 Algebraic Attack Against Trivium
    5.5.7 Cube attacks on Trivium
    5.5.8 Floating Fault Analysis of Trivium under Weaker Assumptions
    5.5.9 Hard Fault Analysis of Trivium
    5.5.10 Analysis of Trivium by a Simulated Annealing Variant
    5.5.11 The Cube Attack on Stream Cipher Trivium and Quadraticity Tests
    5.5.12 Improved Differential Fault Analysis of Trivium
    5.5.13 Conditional Differential Cryptanalysis of Trivium
  5.6 Conclusion
  5.7 A Simple C Implementation of Trivium

6 Grain v1
  6.1 Introduction
  6.2 Specifications of Grain v1
    6.2.1 Key and IV Initialization
    6.2.2 Throughput Rate
  6.3 Security Properties of Grain
    6.3.1 Linear Approximations
    6.3.2 Algebraic Attacks
    6.3.3 Time-Memory-Data Trade-off Attack
    6.3.4 Fault Attacks
  6.4 Design Choices of Grain
    6.4.1 Size of the LFSR and the NFSR
    6.4.2 Speed Acceleration
    6.4.3 Choice of f(·)
    6.4.4 Choice of g(·)
    6.4.5 Choice of output function
  6.5 Hardware Performance of Grain-128
  6.6 Hardware Implementations of Grain
    6.6.1 An Improved Implementation of Grain
    6.6.2 Design and Implementation Based on SABL Logic
    6.6.3 Comparison of Low-Power Implementations of Trivium and Grain
    6.6.4 Other comparative studies
  6.7 Cryptanalysis of Grain
    6.7.1 Slide Resynchronization Attack on the Initialization of Grain v1
    6.7.2 Related-Key Chosen IV Attack on Grain-v1 and Grain-128
    6.7.3 Cryptanalysis of Grain using Time / Memory / Data Tradeoffs
    6.7.4 Distinguishing Attack on Grain using Linear Sequential Circuit Method
    6.7.5 Analysis of Grain's Initialization Algorithm
    6.7.6 Fault Analysis of Grain-128
    6.7.7 An Experimentally Verified Attack on Full Grain-128
    6.7.8 Breaking Grain-128 with Dynamic Cube Attacks
    6.7.9 Fault analysis of Grain-128 by targeting NFSR
  6.8 Conclusion
  6.9 A Simple.