Brain Cisterns Dr. Yaser Abdulghani AlQasimi, MBBS Radiology Demonstrator, KAU.
Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen...
-
Upload
edgar-mckenzie -
Category
Documents
-
view
217 -
download
0
Transcript of Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen...
![Page 1: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/1.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Mehdi HassanzadehUniversity of Bergen
Selmer Center, [email protected]
Yaser EsmaeiliElham Shakour
Zaeim Electronic Ind.R&D Department
{yesmaeili, shakour}@zaeim.co.ir
![Page 2: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/2.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 2/16
Outline
Introduction Description of the Shannon Differential Properties of the f2 Function
Our Differential Distinguishing Attack Conclusion
![Page 3: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/3.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 3/16
Introduction
The Shannon stream cipher was proposed by Philip Hawkes et al. for Ecrypt/eStream competitive.
An entirely new design, influenced by members of the SOBER family of stream ciphers.
Designed for a software-efficient algorithmup to 256 bits key length32-bit words basedbased on a single NLFSR and a NLF
![Page 4: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/4.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 4/16
A Brief Description
The Shannon algorithm consists of two parts:
•Key loading
•key generation
![Page 5: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/5.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 5/16
Keystream Generation Mode
1) rt+1[i] ← rt[i+1] for i = 1...14
2) rt+1[15] ← f1(rt[12] rt[13] Konst) (rt[0] <<<1)
3) temp ← f2(rt+1[2] rt+1[15])
4) rt+1[0]← rt[1]temp(“feed forward” to the new lowest element)
5) vt ← temp rt+1[8] rt+1[12].
![Page 6: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/6.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 6/16
f Function
f : (A,B,C,D are fixed numbers)
t ← w ((w <<< A) | (w <<< B))
f(w) = t (( t <<< C) | (t <<< D))
f1 : (A,B,C,D)=(5,7,19,22)
f2 : (A,B,C,D)=(7,22,5,19)
![Page 7: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/7.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 7/16
Differential Analysis for Stream Ciphers
A differential of a stream cipher is a prediction that a given input difference
(it can be the key, IV or internal state)
produce some output difference
(it can be the keystream or internal state)
![Page 8: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/8.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 8/16
Suppose that 31st bit of input is activated. W, W 31
9 bits of output from f2 function will be impressed by 31
The output differential of f2 function is determined bit by bit.
Differential Property of f2
![Page 9: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/9.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 9/16
Differential Property of f2
Theoretically: Shannon is a RNG, therefore the output bits of the Shannon are independent
The output is generated by the output of f2 function
the differential output bits of f2 function are 32 bit word M (i.e. 0x80000000 from Table ) with the probability of
66.54431
0
22
1
4
31
iip
![Page 10: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/10.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 10/16
IS
IS‘=IS
vtv't=∆t
vt , v't TRNGRepeat for N times
Attack Scenario
![Page 11: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/11.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 11/16
Differential properties of the output
N differential outputs are generated by black box (scenario is repeated N times)
In each repeatation, 9th output word is exracted. A sequence consisting of N 32-bit differential words is provided (O9)
IS‘[11]=IS[11] 31
![Page 12: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/12.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 12/16
Hypotheses Test
Two hypotheses for O9:
66.5,9
66.5,9
0210x80000000Pr
20x80000000Pr
i
i
O
OH
32,9
32,9
1210x80000000Pr
20x80000000Pr
i
i
O
OH
![Page 13: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/13.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 13/16
Our Differential Distinguishing Attack
• By using of frequency test, we can distinguish the sequance O9 (T= number of 0x80000000)
If T≥10 => generated by the Shannon
If T<10 => was NOT generated by the Shannon
• The probability of error is 10-3
• We need N=28.92 words in sequence O9
![Page 14: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/14.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 14/16
Complexity
• We need N=28.92 words in sequence O9
• Then we need to run the Shannon 2*N=2*28.92 times
• Then, the computational complexity is equal to
O(29.92)
![Page 15: Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser.](https://reader035.fdocuments.in/reader035/viewer/2022062321/56649f275503460f94c3ef11/html5/thumbnails/15.jpg)
Differential Distinguishing Attack of Shannon Stream Cipher
Hassanzadeh Cryptology2008, Malaysia 15/16
Conclusion
We showed that the keystream generator part of the Shannon stream cipher is not strong.
It should be replaced by stronger one. The Key loading part is strong.