Cryptanalysis of Stream Ciphers with Linear Masking

  • Don Coppersmith
  • Shai Halevi
  • Charanjit Jutla
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)

Abstract

We describe a cryptanalytical technique for distinguishing some stream ciphers from a truly random process. Roughly, the ciphers to which this method applies consist of a “non-linear process” (say, akin to a round function in block ciphers), and a “linear process” such as an LFSR (or even fixed tables). The output of the cipher can be the linear sum of both processes. To attack such ciphers, we look for any property of the “non-linear process” that can be distinguished from random. In addition, we look for a linear combination of the linear process that vanishes. We then consider the same linear combination applied to the cipher’s output, and try to find traces of the distinguishing property. In this report we analyze two specific “distinguishing properties”. One is a linear approximation of the non-linear process, which we demonstrate on the stream cipher SNOW. This attack needs roughly 2^95 words of output, with work-load of about 2^100. The other is a “low-diffusion” attack, which we apply to the cipher Scream-0. The latter attack needs only about 2^43 bytes of output, using roughly 2^50 space and 2^80 time.
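
The mechanism in the abstract, reduced to a toy that runs in about a second. This is an added example, not code from the paper and not SNOW or Scream-0: the linear process is a degree-7 bit LFSR with feedback x^7 + x^6 + 1, the non-linear process is a splitmix64-style state update filtered through (a & b) ^ (c & d), and the cipher output is the XOR of the two (linear masking). The "distinguishing property" is the simplest linear approximation there is, n_t = 0, which this filter satisfies with probability 5/8 (bias 1/8, far larger than anything a real cipher would leak, chosen so the test needs only 2^19 bits). The vanishing linear combination is the LFSR's own feedback relation s_t ^ s_{t+6} ^ s_{t+7} = 0; applying it to the keystream cancels the LFSR and leaves the same relation over the non-linear bits, whose bias survives shrunk to 2^2 * (1/8)^3 = 1/128 by the piling-up lemma. All seeds, constants and names are the example's own choices.

```python
"""Toy instance of the linear-masking attack described in the abstract.

Cipher output z_t = s_t XOR n_t, where s_t comes from an LFSR (the linear
process) and n_t from a non-linear process whose output has a detectable bias.
The attacker applies the LFSR's own feedback relation, which vanishes on s_t,
to z_t; what remains is the same relation applied to n_t, where the bias shows
through, shrunk by the piling-up lemma.  Everything here is constructed for the
example; it is not SNOW, Scream-0 or any deployed cipher.
"""
import math

MASK64 = (1 << 64) - 1

# Feedback x^7 + x^6 + 1 gives s[t] = s[t-1] ^ s[t-7]; rewritten as a relation
# that vanishes at every position: s_t ^ s_{t+6} ^ s_{t+7} == 0.
VANISHING = (0, 6, 7)


def lfsr_bits(seed, n):
    """Linear process: n output bits of the degree-7 LFSR (seed: non-zero, < 128)."""
    assert 0 < seed < 128
    s = [(seed >> i) & 1 for i in range(7)]
    for t in range(7, n):
        s.append(s[t - 1] ^ s[t - 7])
    return s[:n]


def nonlinear_bits(seed, n):
    """Non-linear process: a splitmix64-style state update, filtered through
    (a & b) ^ (c & d) on four state bits.  Each output bit is 0 with probability
    5/8, i.e. the (degenerate) linear approximation n_t = 0 holds with bias 1/8.
    The bias is deliberately large so the attack finishes in about a second."""
    x = seed & MASK64
    out = []
    for _ in range(n):
        x = (x + 0x9E3779B97F4A7C15) & MASK64
        z = x
        z = ((z ^ (z >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
        z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
        z ^= z >> 31
        a, b, c, d = (z >> 63) & 1, (z >> 47) & 1, (z >> 31) & 1, (z >> 15) & 1
        out.append((a & b) ^ (c & d))
    return out


def keystream(lfsr_seed, nl_seed, n):
    """Linear masking: cipher output is the XOR of the two processes."""
    return [s ^ m for s, m in zip(lfsr_bits(lfsr_seed, n), nonlinear_bits(nl_seed, n))]


def masked_sum(bits, taps):
    """Apply the linear combination XOR_{i in taps} x_{t+i} at every position t."""
    span = max(taps)
    return [sum(bits[t + i] for i in taps) & 1 for t in range(len(bits) - span)]


def zscore(bits):
    """Hypothesis test: zero count of `bits` as standard deviations above N/2,
    its expectation if the bits were uniformly random."""
    n = len(bits)
    zeros = n - sum(bits)
    return (zeros - n / 2) / (math.sqrt(n) / 2)


def piling_up(eps, k):
    """Bias of the XOR of k independent bits that each carry bias eps."""
    return 2 ** (k - 1) * eps ** k


def samples_for(eps, sigmas):
    """Output bits needed for a bias eps to stand out by `sigmas` standard deviations."""
    return (sigmas / (2 * eps)) ** 2


def attack(lfsr_seed=0x5B, nl_seed=0x123456789ABCDEF0, n=1 << 19):
    """Return z-scores of three tests on n masked-sum samples of one keystream."""
    ks = keystream(lfsr_seed, nl_seed, n + max(VANISHING))
    return {
        "raw": zscore(ks),                                # masking hides the NL bias
        "vanishing": zscore(masked_sum(ks, VANISHING)),   # LFSR cancels, bias resurfaces
        "wrong_taps": zscore(masked_sum(ks, (0, 5, 7))),  # combination must vanish on the LFSR
    }


if __name__ == "__main__":
    eps = piling_up(1 / 8, len(VANISHING))   # 1/128 after the 3-term relation
    print("predicted bias of masked sum:", eps)
    print("samples for an 8-sigma separation:", int(samples_for(eps, 8)))
    for name, z in attack().items():
        print(f"{name:>10}: z = {z:+.1f}")
```

Three things to read off the output. The raw keystream passes the test (the LFSR masks the bias), the masked sum under the vanishing relation fails it by roughly eleven standard deviations, and a combination that does not vanish on the LFSR, here taps (0, 5, 7), shows nothing, because the surviving LFSR term is balanced and swamps the non-linear bias. The sample count is the usual 1/eps^2 accounting: a k-term relation turns a per-bit bias eps into 2^(k-1) eps^k, which is why a real cipher with a low-weight feedback relation but a tiny approximation bias ends up at figures like the 2^95 words quoted for SNOW.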

Keywords

Hypothesis testing, Linear cryptanalysis, Linear masking, Low-diffusion attacks, Stream ciphers

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Don Coppersmith (1)
  • Shai Halevi (1)
  • Charanjit Jutla (1)
  1. IBM T. J. Watson Research Center, USA