Title: Differential%20Distinguishing%20Attack%20of%20Shannon%20Stream%20Cipher
1Differential Distinguishing Attack of Shannon
Stream Cipher
Yaser Esmaeili Elham Shakour Zaeim Electronic
Ind. RD Departmentyesmaeili,
shakour_at_zaeim.co.ir
Mehdi Hassanzadeh University of Bergen Selmer
Center, NorwayMehdi.hassanzadeh_at_ii.uib.no
2Outline
- Introduction
- Description of the Shannon
- Differential Properties of the f2 Function
- Our Differential Distinguishing Attack
- Conclusion
3Introduction
- The Shannon stream cipher was proposed by Philip
Hawkes et al. for Ecrypt/eStream competitive. - An entirely new design, influenced by members of
the SOBER family of stream ciphers.
- Designed for a software-efficient algorithm
- up to 256 bits key length
- 32-bit words based
- based on a single NLFSR and a NLF
4A Brief Description
The Shannon algorithm consists of two parts
5Keystream Generation Mode
- 1) rt1i ? rti1 for
i 1...14 - 2) rt115 ? f1(rt12 ? rt13 ? Konst) ?
(rt0 ltltlt1)
3) temp ? f2(rt12 ? rt115) 4) rt10?
rt1?temp(feed forward to the new lowest
element) 5) vt ? temp ? rt18 ? rt112.
6 f Function
- f (A,B,C,D are fixed numbers)
- t ? w ? ((w ltltlt A) (w ltltlt B))
- f(w) t ? (( t ltltlt C) (t ltltlt D))
- f1 (A,B,C,D)(5,7,19,22)
- f2 (A,B,C,D)(7,22,5,19)
7Differential Analysis for Stream Ciphers
-
- A differential of a stream cipher is a
prediction that a given input difference - (it can be the key, IV or internal
state) - produce some output difference
- (it can be the keystream or internal
state)
8Differential Property of f2
- Suppose that 31st bit of input is activated.
- W, W ??31
- 9 bits of output from f2 function will be
impressed by ?31 - The output differential of f2 function is
determined bit by bit.
9Differential Property of f2
- Theoretically Shannon is a RNG, therefore the
output bits of the Shannon are independent - The output is generated by the output of f2
function - the differential output bits of f2 function are
32 bit word ?M (i.e. 0x80000000 from Table ) with
the probability of
10Attack Scenario
IS ISIS??
vt , v't
Repeat for N times
11Differential properties of the output
IS11IS11? ?31
- N differential outputs are generated by black box
(scenario is repeated N times) - In each repeatation, 9th output word is exracted.
- A sequence consisting of N 32-bit differential
words is provided (O9)
12Hypotheses Test
13Our Differential Distinguishing Attack
- By using of frequency test, we can distinguish
the sequance O9 (T number of 0x80000000)
- The probability of error is 10-3
- We need N28.92 words in sequence O9
14Complexity
- We need N28.92 words in sequence O9
- Then we need to run the Shannon 2N228.92 times
- Then, the computational complexity is equal to
- O(29.92)
15Conclusion
- We showed that the keystream generator part of
the Shannon stream cipher is not strong. - It should be replaced by stronger one.
- The Key loading part is strong.