Differential Distinguishing Attack of Shannon Stream Cipher
Mehdi Hassanzadeh
University of Bergen, Selmer Center, [email protected]
Yaser Esmaeili, Elham Shakour
Zaeim Electronic Ind., R&D Department
{yesmaeili, shakour}@zaeim.co.ir
Hassanzadeh Cryptology2008, Malaysia 2/16
Outline
• Introduction
• Description of the Shannon
• Differential Properties of the f2 Function
• Our Differential Distinguishing Attack
• Conclusion
Introduction
The Shannon stream cipher was proposed by Philip Hawkes et al. for the Ecrypt/eStream competition.
An entirely new design, influenced by members of the SOBER family of stream ciphers.
Designed as a software-efficient algorithm:
• up to 256 bits key length
• 32-bit word based
• based on a single NLFSR and an NLF
A Brief Description
The Shannon algorithm consists of two parts:
•Key loading
•key generation
Keystream Generation Mode
1) r_{t+1}[i] ← r_t[i+1] for i = 1...14
2) r_{t+1}[15] ← f1(r_t[12] ⊕ r_t[13] ⊕ Konst) ⊕ (r_t[0] <<< 1)
3) temp ← f2(r_{t+1}[2] ⊕ r_{t+1}[15])
4) r_{t+1}[0] ← r_t[1] ⊕ temp ("feed forward" to the new lowest element)
5) v_t ← temp ⊕ r_{t+1}[8] ⊕ r_{t+1}[12]
f Function
f: (A, B, C, D are fixed numbers)
t ← w ⊕ ((w <<< A) | (w <<< B))
f(w) = t ⊕ ((t <<< C) | (t <<< D))
f1 : (A,B,C,D)=(5,7,19,22)
f2 : (A,B,C,D)=(7,22,5,19)
Differential Analysis for Stream Ciphers
A differential of a stream cipher is a prediction that a given input difference (it can be in the key, IV or internal state) produces some output difference (it can be in the keystream or internal state).
Differential Property of f2
Suppose that the 31st bit of the input is activated. W, W 31
9 bits of the output of the f2 function will be affected by 31
The output differential of the f2 function is determined bit by bit.
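An added example (not from the original slides): the f function with the f1/f2 rotation constants given earlier, used to measure which f2 output bits change when input bit 31 is flipped and how often each one changes. The XOR combination inside f follows the public Shannon specification; the helper names, trial count and seed are choices made for this sketch.

```python
import random

MASK = 0xFFFFFFFF

def rotl(w, n):
    """Rotate a 32-bit word left by n bits."""
    return ((w << n) | (w >> (32 - n))) & MASK

def f(w, a, b, c, d):
    """Shannon's nonlinear f function with rotation constants (A, B, C, D)."""
    t = w ^ (rotl(w, a) | rotl(w, b))
    return t ^ (rotl(t, c) | rotl(t, d))

def f1(w):
    return f(w, 5, 7, 19, 22)

def f2(w):
    return f(w, 7, 22, 5, 19)

def f2_bit_flip_rates(bit=31, trials=1 << 14, seed=2008):
    """Flip one input bit of f2 on random words; return {output bit: flip rate}."""
    rng = random.Random(seed)  # fixed, constructed seed so the run is repeatable
    counts = [0] * 32
    for _ in range(trials):
        w = rng.getrandbits(32)
        delta = f2(w) ^ f2(w ^ (1 << bit))  # output difference for this pair
        for i in range(32):
            counts[i] += (delta >> i) & 1
    # Report only the output bits that changed at least once.
    return {i: c / trials for i, c in enumerate(counts) if c}

if __name__ == "__main__":
    for i, rate in sorted(f2_bit_flip_rates().items()):
        print(f"output bit {i:2d} flips with frequency {rate:.3f}")
```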
Differential Property of f2
Theoretically, Shannon is an RNG, therefore the output bits of Shannon are independent.
The output is generated from the output of the f2 function.
The differential output bits of the f2 function form the 32-bit word M (i.e. 0x80000000 from Table ) with the probability of
p = ∏_{i=0}^{31} p_i = (1/2)^4 · (3/4)^4 = 2^{-5.66}
Attack Scenario
[Diagram labels: TRNG; IS; IS‘=IS; v_t, v'_t; v_t ⊕ v'_t = ∆_t; repeat for N times]
Differential properties of the output
N differential outputs are generated by the black box (the scenario is repeated N times).
In each repetition, the 9th output word is extracted. A sequence consisting of N 32-bit differential words is provided (O9).
IS‘[11]=IS[11] 31
Hypotheses Test
Two hypotheses for O9:
H0: Pr{O_{9,i} = 0x80000000} = 2^{-5.66}, Pr{O_{9,i} ≠ 0x80000000} = 1 − 2^{-5.66}
H1: Pr{O_{9,i} = 0x80000000} = 2^{-32}, Pr{O_{9,i} ≠ 0x80000000} = 1 − 2^{-32}
Our Differential Distinguishing Attack
• Using a frequency test, we can distinguish the sequence O9 (T = number of occurrences of 0x80000000)
If T ≥ 10 => generated by the Shannon
If T < 10 => was NOT generated by the Shannon
• The probability of error is 10^{-3}
• We need N = 2^{8.92} words in sequence O9
Complexity
• We need N = 2^{8.92} words in sequence O9
• Then we need to run the Shannon 2*N = 2*2^{8.92} times
• Then, the computational complexity is equal to O(2^{9.92})
Conclusion
We showed that the keystream generator part of the Shannon stream cipher is not strong.
It should be replaced by a stronger one. The key loading part is strong.