Cryptanalysis of Stream Ciphers with Linear Masking
We describe a cryptanalytical technique for distinguishing some stream ciphers from a truly random process. Roughly, the ciphers to which this method applies consist of a “non-linear process” (say, akin to a round function in block ciphers), and a “linear process” such as an LFSR (or even fixed tables). The output of the cipher can be the linear sum of both processes. To attack such ciphers, we look for any property of the “non-linear process” that can be distinguished from random. In addition, we look for a linear combination of the linear process that vanishes. We then consider the same linear combination applied to the cipher’s output, and try to find traces of the distinguishing property. In this report we analyze two specific “distinguishing properties”. One is a linear approximation of the non-linear process, which we demonstrate on the stream cipher SNOW. This attack needs roughly 2^95 words of output, with work-load of about 2^100. The other is a “low-diffusion” attack, that we apply to the cipher Scream-0. The latter attack needs only about 2^43 bytes of output, using roughly 2^50 space and 2^80 time.
Keywords: Hypothesis testing; Linear cryptanalysis; Linear masking; Low-diffusion attacks; Stream ciphers
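A toy illustration of the linear-masking distinguisher the abstract describes, added here and not taken from the paper. The 17-bit LFSR, the non-linear function, the key, the sample size and the threshold are all constructed assumptions; this is not SNOW or Scream-0.

```python
import random
from math import sqrt

TAPS = (0, 3, 17)  # public LFSR recurrence: s[t] ^ s[t+3] ^ s[t+17] == 0

def lfsr_bits(n, key):
    """Linear process: 17-bit LFSR, s[t+17] = s[t] ^ s[t+3], state from key."""
    s = [(key >> i) & 1 for i in range(17)]
    while len(s) < n:
        s.append(s[-17] ^ s[-14])
    return s[:n]

def nonlinear_bits(n, rng):
    """Toy non-linear process: (a AND b) XOR (c AND d) on fresh random bits.
    Its linear approximation "output = 0" holds with probability 5/8."""
    out = []
    for _ in range(n):
        r = rng.getrandbits(4)
        a, b, c, d = r & 1, (r >> 1) & 1, (r >> 2) & 1, (r >> 3) & 1
        out.append((a & b) ^ (c & d))
    return out

def keystream(n, rng, key):
    """Cipher output: the non-linear process masked by (XORed with) the LFSR."""
    return [x ^ m for x, m in zip(nonlinear_bits(n, rng), lfsr_bits(n, key))]

def z_score(bits):
    """Apply the vanishing combination to the output; return how many
    standard deviations the count of zeros lies above the random mean.
    The LFSR terms cancel, leaving the XOR of three biased bits
    (correlation (1/4)^3 = 1/64 by the piling-up lemma)."""
    m = len(bits) - max(TAPS)
    zeros = sum(1 for t in range(m)
                if bits[t + TAPS[0]] ^ bits[t + TAPS[1]] ^ bits[t + TAPS[2]] == 0)
    return (zeros - m / 2) / (sqrt(m) / 2)

def looks_like_cipher(bits, threshold=5.0):
    """Hypothesis test: reject 'truly random' when the zero count is too high."""
    return z_score(bits) > threshold

if __name__ == "__main__":
    rng = random.Random(2002)  # constructed, seeded sample data
    n = 400_000
    print("cipher:", round(z_score(keystream(n, rng, key=0x1ACE5)), 1))
    print("random:", round(z_score([rng.getrandbits(1) for _ in range(n)]), 1))
```

The distinguisher never uses the key, only the public recurrence; the number of output bits it needs grows with the inverse square of the surviving correlation.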