Some Words on Cryptanalysis of Stream Ciphers Maximov, Alexander 2006 Link to publication Citation for published version (APA): Maximov, A. (2006). Some Words on Cryptanalysis of Stream Ciphers. Department of Information Technology, Lund Univeristy. Total number of authors: 1 General rights Unless other specific re-use rights are stated the following general rights apply: Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal Read more about Creative commons licenses: https://creativecommons.org/licenses/ Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. LUND UNIVERSITY PO Box 117 221 00 Lund +46 46-222 00 00 Some Words on Cryptanalysis of Stream Ciphers Alexander Maximov Ph.D. Thesis, June 16, 2006 Alexander Maximov Department of Information Technology Lund University Box 118 S-221 00 Lund, Sweden e-mail: [email protected] http://www.it.lth.se/ ISBN: 91-7167-039-4 ISRN: LUTEDX/TEIT-06/1035-SE c Alexander Maximov, 2006 Abstract n the world of cryptography, stream ciphers are known as primitives used Ito ensure privacy over a communication channel. One common way to build a stream cipher is to use a keystream generator to produce a pseudo- random sequence of symbols. In such algorithms, the ciphertext is the sum of the keystream and the plaintext, resembling the one-time pad principal. Although the idea behind stream ciphers is simple, serious investigation of these primitives has started only in the late 20th century. Therefore, crypt- analysis and design of stream ciphers are important. In recent years, many designs of stream ciphers have been proposed in an effort to find a proper candidate to be chosen as a world standard for data encryption. That potential candidate should be proven good by time and by the results of cryptanalysis. Different methods of analysis, in fact, explain how a stream cipher should be constructed. Thus, techniques for cryptanalysis are also important. This thesis starts with an overview of cryptography in general, and in- troduces the reader to modern cryptography. Later, we focus on basic prin- ciples of design and analysis of stream ciphers. Since statistical methods are the most important cryptanalysis techniques, they will be described in detail. The practice of statistical methods reveals several bottlenecks when im- plementing various analysis algorithms. For example, a common property of a cipher to produce n-bit words instead of just bits makes it more natural to perform a multidimensional analysis of such a design. However, in prac- tice, one often has to truncate the words simply because the tools needed for analysis are missing. We propose a set of algorithms and data structures for multidimensional cryptanalysis when distributions over a large probability space have to be constructed. This thesis also includes results of cryptanalysis for various cryptographic primitives, such as A5/1, Grain, SNOW 2.0, Scream, Dragon, VMPC, RC4, and RC4A. Most of these results were achieved with the help of intensive use of the proposed tools for cryptanalysis. iii To my Family Contents Abstract iii Preface xi 1 Introduction 1 1.1 Modern Cryptography in the Digital World ........... 3 1.2 Cryptographic Services . ...................... 4 1.3 Cryptographic Primitives . .................. 6 1.4 Recent History of Cryptography . ........... 8 1.5 Thesis Outline . .......................... 10 2 Symmetric Primitives — Introduction to Stream Ciphers 13 2.1 Definitions of Block and Stream Ciphers . ........... 15 2.2 Designing a Perfect Cipher . .................. 18 2.2.1 Unbreakable Cipher . .................. 18 2.2.2 Alternative Principles for Designs . ........... 19 2.2.3 Confusion and Diffusion .................. 19 2.3 Overview of Block Ciphers . .................. 20 2.4 Stream Ciphers in a Nutshell . .................. 24 2.4.1 General Structure of Stream Ciphers........... 24 2.4.2 Pseudo-Random Number Generators . ....... 27 2.5 Stream Cipher Building Blocks .................. 30 2.5.1 Boolean Functions . .................. 30 2.5.2 Finite Fields . ...................... 34 2.5.3 Linear Feedback Shift Registers . ........... 37 2.5.4 Nonlinear Feedback Shift Registers ........... 42 2.5.5 S-boxes and P-boxes . .................. 43 v vi Contents 3 Techniques for Cryptanalysis 47 3.1 Introduction . .......................... 49 3.1.1 Attack Scenarios ...................... 49 3.1.2 Success Criteria . ...................... 49 3.1.3 Complexity Issues . .................. 50 3.2 Generic Attacks . .......................... 51 3.2.1 Brute-Force Attack . .................. 51 3.2.2 Time-Memory Trade-Offs . ........... 51 3.2.3 Relationship Between the Size of the Key, the IV, And the Internal State ...................... 53 3.3 Hypothesis Testing . ...................... 53 3.3.1 Basic Definitions ...................... 53 3.3.2 Hypothesis Testing in General . ........... 55 3.4 Distinguishing Attacks . ...................... 57 3.4.1 General Idea and Scenario . ........... 58 3.4.2 Assumptions . ...................... 59 3.4.3 Distinguishing via Hypothesis Testing . ....... 60 3.4.4 Distinguisher and Advantage . ........... 61 3.4.5 The Case When Both Noise and Random Distributions are Known .......................... 62 3.4.6 Special Case – Binary Distributions ........... 63 3.4.7 X-Distinguisher for Unknown Noise Distribution . 63 3.4.8 Analysis of the U-Distinguisher . ........... 67 3.4.9 On Distinguishers and Resynchronisation . ....... 70 3.5 Correlation Attacks . ...................... 72 3.5.1 Bit Estimation . ...................... 72 3.5.2 Correlation Attacks on LFSRs with Combiners . 72 3.5.3 LFSR Reconstruction via General Decoding Problem . 73 3.6 Other Attacks . .......................... 75 3.6.1 Differential Cryptanalysis . ........... 75 3.6.2 Algebraic Attacks ...................... 75 3.6.3 Side-Channel Attacks . .................. 76 4 Tools for Cryptanalysis 79 4.1 Pseudo-Linear Functions Modulo 2n ............... 81 4.1.1 A Pseudo-Linear Function Modulo 2n .......... 81 4.1.2 Algorithm for Calculating the Distribution for a PLFM 82 4.2 Distributions of Functions With Arbitrarily Distributed Inputs 90 4.2.1 Convolution over .................... 90 4.2.2 Convolution over ⊕ .................... 91 4.3 Data Structures for Large Distributions and Operations . 92 4.3.1 Data Structure Proposal .................. 92 4.3.2 A PLFM Distribution Construction . ........... 93 Contents vii 4.3.3 A Function Y = F (X) Evaluation Distribution . 93 4.3.4 Convolution over ⊕ .................... 95 4.3.5 Convolution over .................... 96 4.4 Application Example: 32 bit Cryptanalysis of SNOW 2.0 . 96 4.4.1 A Short Description of SNOW 2.0 . ........... 96 4.4.2 Basic Idea Behind the New Attack . ........... 98 4.4.3 Computational Aspects ..................100 4.4.4 Simulation Results and Discussion . ...........100 4.5 Summary . ..............................101 5 Cryptanalysis of A5/1 103 5.1 Description of A5/1 . ......................105 5.2 A Short Description of the Ekdahl-Johansson Attack on A5/1 107 5.3 Explaining the New Attack . ..................109 5.3.1 Statistical Analysis of m Frames . ...........110 5.3.2 Creating Candidate Tables of s(l)-Sequences . 114 5.3.3 Design of Intervals . ..................117 5.3.4 Strategies for Intersection of the Tables ∗ ÌIi ......120 5.4 Simulation Results . ......................121 5.5 Summary . ..............................125 6 Cryptanalysis of VMPC and RC4A. Weakness of RC4-like Ciphers 127 6.1 Introduction . ..........................128 6.1.1 Notation . ..........................128 6.1.2 Cryptanalysis Assumptions . ...........128 6.2 Descriptions of VMPC-k, RC4-k, and RC4A-k .........129 6.3 Investigation of the RC4 Family of Stream Ciphers . 130 6.3.1 Digraphs Approach, on the Instance of VMPC-k ....130 6.3.2 Theoretical Weakness of the RC4 Family of Stream Ci- phers . ..........................133 6.4 Our Distinguisher for VMPC-k ..................135 6.4.1 What Should the Probability of zt = zt+1 =0, When i =0and j =1,Be?.....................135 6.4.2 Calculating Pr{zt = zt+1 =0|i =0}, When j and R[·] are Random. ......................137 6.4.3 Simulations of the Attack on VMPC-k ..........138 6.4.4 Subalgorithm for Algorithm 2 . ...........140 6.5 Our Distinguisher for RC4A-k ..................141 6.5.1 Building a Distinguisher ..................141 6.5.2 Checking the Assumptions . ...........142 6.5.3 Simulations of the Attack on RC4A-k ..........143 6.6 Summary . ..............................143 viii Contents 7 Cryptanalysis of “Scream” 145 7.1 A Short Description of Scream . ..................147 7.2 Preparing a Distinguisher for Scream . ...........151 7.2.1 Ideas for the Distinguisher . ...........151 7.2.2 Assumptions . ......................152 7.2.3 A Distinguisher for Scream . ...........153 7.3 Scream Structure Analysis . ..................155 7.3.1 The F