1 / 15

Differential Distinguishing Attack of Shannon Stream Cipher

Differential Distinguishing Attack of Shannon Stream Cipher. Yaser Esmaeili Elham Shakour Zaeim Electronic Ind. R&D Department { yesmaeili, shakour } @zaeim.co.ir. Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no. Outline. Introduction

nichole-lucas
Download Presentation

Differential Distinguishing Attack of Shannon Stream Cipher

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Differential Distinguishing Attack of Shannon Stream Cipher Yaser Esmaeili Elham ShakourZaeim Electronic Ind. R&D Department{yesmaeili, shakour}@zaeim.co.ir Mehdi Hassanzadeh University of Bergen Selmer Center, NorwayMehdi.hassanzadeh@ii.uib.no

  2. Outline • Introduction • Description of the Shannon • Differential Properties of the f2 Function • Our Differential Distinguishing Attack • Conclusion

  3. Introduction • The Shannon stream cipher was proposed by Philip Hawkes et al. for Ecrypt/eStream competitive. • An entirely new design, influenced by members of the SOBER family of stream ciphers. • Designed for a software-efficient algorithm • up to 256 bits key length • 32-bit words based • based on a single NLFSR and a NLF

  4. A Brief Description The Shannon algorithm consists of two parts: • Key loading • key generation

  5. Keystream Generation Mode 1) rt+1[i] ← rt[i+1] for i = 1...14 2)rt+1[15] ← f1(rt[12]rt[13] Konst)  (rt[0]<<<1) 3) temp ← f2(rt+1[2] rt+1[15]) 4) rt+1[0]← rt[1]temp(“feed forward” to the new lowest element) 5) vt← temp  rt+1[8]  rt+1[12].

  6. f Function f : (A,B,C,D are fixed numbers) t ← w  ((w <<< A) | (w <<< B)) f(w) = t (( t <<< C) | (t <<< D)) f1 : (A,B,C,D)=(5,7,19,22) f2 : (A,B,C,D)=(7,22,5,19)

  7. Differential Analysis for Stream Ciphers A differential of a stream cipher is a prediction that a given input difference (it can be the key, IV or internal state) produce some output difference (it can be the keystream or internal state)

  8. Differential Property of f2 • Suppose that 31st bit of input is activated. • W, W 31 • 9 bits of output from f2 function will be impressed by 31 • The output differential of f2 function is determined bit by bit.

  9. Differential Property of f2 • Theoretically: Shannon is a RNG, therefore the output bits of the Shannon are independent • The output is generated by the output of f2 function • the differential output bits of f2 function are 32 bit word M (i.e. 0x80000000 from Table ) with the probability of

  10. TRNG Attack Scenario vtv't=∆t IS IS‘=IS vt , v't Repeat for N times

  11. Differential properties of the output IS‘[11]=IS[11] 31 • N differential outputs are generated by black box (scenario is repeated N times) • In each repeatation, 9th output word is exracted. • A sequence consisting of N 32-bit differential words is provided (O9)

  12. Hypotheses Test • Two hypotheses for O9:

  13. If T≥10 => generated by the Shannon • If T<10 => was NOT generated by the Shannon Our Differential Distinguishing Attack • By using of frequency test, we can distinguish the sequance O9 (T= number of 0x80000000) • The probability of error is 10-3 • We need N=28.92 words in sequence O9

  14. Complexity • We need N=28.92 words in sequence O9 • Then we need to run the Shannon 2*N=2*28.92 times • Then, the computational complexity is equal to O(29.92)

  15. Conclusion • We showed that the keystream generator part of the Shannon stream cipher is not strong. • It should be replaced by stronger one. • The Key loading part is strong.

More Related