On the Design and Analysis of Stream Ciphers
Hell, Martin
2007

Citation for published version (APA): Hell, M. (2007). On the Design and Analysis of Stream Ciphers. Department of Electrical and Information Technology, Lund University.

On the Design and Analysis of Stream Ciphers
Martin Hell
Ph.D. Thesis
September 13, 2007

Martin Hell
Department of Electrical and Information Technology
Lund University
Box 118
S-221 00 Lund, Sweden
e-mail: [email protected]
http://www.eit.lth.se/

ISBN: 91-7167-043-2
ISRN: LUTEDX/TEIT-07/1039-SE
© Martin Hell, 2007

Abstract

This thesis presents new cryptanalysis results for several different stream cipher constructions. In addition, it also presents two new stream ciphers, both based on the same design principle. The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified.
By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together, an adversary can take advantage of this by considering the samples in a vector form.

Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given, as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen.

Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80.

The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware.

Contents

Abstract ... iii
Preface ... ix
1 Introduction ... 1
  1.1 Cryptology ... 2
  1.2 Cryptographic Primitives ... 3
  1.3 Block Ciphers and Stream Ciphers ... 4
  1.4 Thesis Outline ... 6
2 Stream Ciphers ... 9
  2.1 Classification of Stream Ciphers ... 10
  2.2 Common Design Blocks ... 13
    2.2.1 Feedback Shift Registers ... 13
    2.2.2 Boolean Functions ... 15
    2.2.3 S-Boxes ... 18
    2.2.4 Large Tables ... 19
    2.2.5 T-functions ... 20
    2.2.6 Some Well-Known Stream Ciphers ... 20
  2.3 Methods of Cryptanalysis ... 22
    2.3.1 Classifying the Attack ... 22
    2.3.2 Brute Force Attack ... 23
    2.3.3 Time-Memory Tradeoff Attacks ... 24
    2.3.4 Correlation Attacks ... 27
    2.3.5 Algebraic Attacks ... 29
    2.3.6 Guess and Determine Attacks ... 31
    2.3.7 Side Channel Attacks ... 31
  2.4 Hypothesis Testing ... 32
  2.5 Summary ... 38
3 Correlation Attacks Using a New Class of Weak... ... 39
  3.1 Preliminaries ... 40
  3.2 A Basic Distinguishing Attack From a Low Weight Feedback Polynomial ... 40
  3.3 A More General Distinguisher Using Vectors ... 41
  3.4 Tweaking the Parameters in the Attack ... 45
    3.4.1 How g_i(x) Affects the Results ... 45
    3.4.2 Increasing Vector Length ... 47
    3.4.3 Increasing the Number of Groups l ... 47
  3.5 Finding a Multiple of the Form a(x) ... 48
    3.5.1 Finding Low Weight Multiples ... 48
    3.5.2 Finding Multiples With Groups ... 49
  3.6 Comparing the Proposed Attack With a Basic Distinguishing Attack ... 50
  3.7 Summary ... 51
4 Two New Attacks on the Self-Shrinking Generator ... 53
  4.1 Description of the Self-Shrinking Generator ... 54
  4.2 Previous Attacks on the Self-Shrinking Generator ... 56
    4.2.1 Short Keystream Attacks ... 56
    4.2.2 Long Keystream Attacks ... 57
  4.3 New Attack Using Short Keystream ... 58
  4.4 New Attack Using Long Keystream ... 60
    4.4.1 Main Ideas ... 60
    4.4.2 Method for Cryptanalysis ... 60
    4.4.3 Asymptotic Complexity ... 62
  4.5 Improving the Attack ... 64
    4.5.1 Asymptotic Complexity ... 65
    4.5.2 Comparison to Time-Memory-Data Tradeoff Attacks ... 66
  4.6 Summary ... 68
5 Some Attacks on the Bit-Search Generator ... 69
  5.1 Description of the Bit-Search Generator ... 70
  5.2 Reconstructing the Input Sequence ... 71
    5.2.1 Analysis of the Algorithm ... 73
    5.2.2 A Data-Time Tradeoff ... 74
  5.3 Distinguishing Attack ... 76
  5.4 Related Work ... 79
  5.5 Summary ... 80
6 Cryptanalysis of the Pomaranch Family of Stream Ciphers ... 81
  6.1 Jump Registers ... 82
  6.2 Pomaranch Version 1 ... 84
  6.3 Biased Linear Relations in Jump Register Outputs ... 85
  6.4 Pomaranch Version 2 - Improving Jump Register Parameters ... 87
  6.5 A New Algorithm That Can Find Linear Relations ... 88
    6.5.1 Vectorial Representation of a Linear Approximation ... 88
    6.5.2 Finding a Biased Linear Approximation ... 90
  6.6 Algorithm Applied to Pomaranch Version 2 ... 91
    6.6.1 New Attack on Pomaranch Version 2 ... 91
    6.6.2 Distinguishing and Key Recovery Attacks ... 94
    6.6.3 Simulation Results ... 95
  6.7 Pomaranch Version 3 - New Jump Registers ... 96
  6.8 General Distinguishing Attacks on All Versions ... 97
    6.8.1 Period of Registers ... 98
    6.8.2 Output Function ... 98
    6.8.3 Linear Approximations of Jump Registers ... 99
    6.8.4 Attacking Different Versions of Pomaranch ... 99
    6.8.5 Attack Complexities for the Existing Versions of the Pomaranch Family ... 103
  6.9 A Resynchronization Collision Attack ... 106
    6.9.1 Attack Complexities for Pomaranch ... 108
  6.10 Summary ... 109
7 Cryptanalysis of the Achterbahn Family of Stream Ciphers ... 111
  7.1 History of Achterbahn, Part I ... 112
  7.2 Description of Achterbahn-128/80 ... 112
    7.2.1 Notation ... 113
    7.2.2 Design Parameters ... 113
    7.2.3 Initialization ... 115
  7.3 Analysis of Achterbahn ... 116
    7.3.1 Attacking the Achterbahn Family of Stream Ciphers ... 116
    7.3.2 Summary of Attack Procedure ... 118
  7.4 The Sum of Dependent Variables ... 119
  7.5 Attack on Achterbahn-80 ... 120
    7.5.1 Generalization of the Attack Using Quadratic Approximations ... 121
    7.5.2 Attack Complexities for Achterbahn-80 ... 121
  7.6 Attack on Achterbahn-128 ... 121
    7.6.1 Generalization of the Attack Using Quadratic Approximations ... 122
    7.6.2 Generalization of the Attack Using Cubic Approximations ... 122
    7.6.3 Attack Complexities for Achterbahn-128 ... 123
  7.7 Recovering the Key ... 123
  7.8 Further Improvements ... 125
  7.9 History of Achterbahn, Part II ... 125
  7.10 Summary ... 126
8 The Grain Family of Stream Ciphers ... 127
  8.1 Design specifications ... 128
    8.1.1 Grain - Design Parameters ... 129
    8.1.2 Grain-128 - Design Parameters ... 130
  8.2 Throughput Rate ... 132
  8.3 Security and Design Choices ... 133
    8.3.1 Linear Approximations ... 133
    8.3.2 Time-Memory Tradeoff Attacks ... 136
    8.3.3 Algebraic Attacks ... 136
    8.3.4 Chosen-IV Attacks ... 137
    8.3.5 Fault Attacks ... 138
  8.4 Hardware Performance ... 139
  8.5 Summary ... 143
9 Concluding Remarks ... 145
Bibliography ... 146

Preface

This thesis presents the results from my time as a Ph.D. student at the Department of Electrical and Information Technology at Lund University in Sweden. Parts of the material have been presented at international conferences and are based on results from the following papers:

• H. Englund, M. Hell and T. Johansson. Correlation Attacks Using a New Class of Weak Feedback Polynomials. In B. Roy and W. Meier, editors, Fast Software Encryption – 2004, Delhi, India, volume 3017 of Lecture Notes in Computer Science, pages 127–142. Springer-Verlag, 2004.

• M. Hell and T. Johansson. Some Attacks on the Bit-Search Generator. In H. Gilbert and H. Handschuh, editors, Fast Software Encryption – 2005, Paris, France, volume 3557 of Lecture Notes in Computer Science, pages 215–227. Springer-Verlag, 2005.