Differential%20Distinguishing%20Attack%20of%20Shannon%20Stream%20Cipher

1
Differential Distinguishing Attack of Shannon
Stream Cipher
Yaser Esmaeili Elham Shakour Zaeim Electronic
Ind. RD Departmentyesmaeili,
shakour_at_zaeim.co.ir
Mehdi Hassanzadeh University of Bergen Selmer
Center, NorwayMehdi.hassanzadeh_at_ii.uib.no
2
Outline

• Introduction
• Description of the Shannon
• Differential Properties of the f2 Function
• Our Differential Distinguishing Attack
• Conclusion

3
Introduction

• The Shannon stream cipher was proposed by Philip
  Hawkes et al. for Ecrypt/eStream competitive.
• An entirely new design, influenced by members of
  the SOBER family of stream ciphers.

• Designed for a software-efficient algorithm
• up to 256 bits key length
• 32-bit words based
• based on a single NLFSR and a NLF

4
A Brief Description
The Shannon algorithm consists of two parts

• Key loading

• key generation

5
Keystream Generation Mode

• 1) rt1i ? rti1 for
  i 1...14
• 2) rt115 ? f1(rt12 ? rt13 ? Konst) ?
  (rt0 ltltlt1)

3) temp ? f2(rt12 ? rt115) 4) rt10?
rt1?temp(feed forward to the new lowest
element) 5) vt ? temp ? rt18 ? rt112.
6
f Function

• f (A,B,C,D are fixed numbers)
• t ? w ? ((w ltltlt A) (w ltltlt B))
• f(w) t ? (( t ltltlt C) (t ltltlt D))
• f1 (A,B,C,D)(5,7,19,22)
• f2 (A,B,C,D)(7,22,5,19)

7
Differential Analysis for Stream Ciphers

• A differential of a stream cipher is a
  prediction that a given input difference
• (it can be the key, IV or internal
  state)
• produce some output difference
• (it can be the keystream or internal
  state)

8
Differential Property of f2

• Suppose that 31st bit of input is activated.
• W, W ??31
• 9 bits of output from f2 function will be
  impressed by ?31
• The output differential of f2 function is
  determined bit by bit.

9
Differential Property of f2

• Theoretically Shannon is a RNG, therefore the
  output bits of the Shannon are independent
• The output is generated by the output of f2
  function
• the differential output bits of f2 function are
  32 bit word ?M (i.e. 0x80000000 from Table ) with
  the probability of

10
Attack Scenario
IS ISIS??

• vt?v't?t

vt , v't
Repeat for N times
11
Differential properties of the output
IS11IS11? ?31

• N differential outputs are generated by black box
  (scenario is repeated N times)
• In each repeatation, 9th output word is exracted.
• A sequence consisting of N 32-bit differential
  words is provided (O9)

12
Hypotheses Test

• Two hypotheses for O9

13
Our Differential Distinguishing Attack

• By using of frequency test, we can distinguish
  the sequance O9 (T number of 0x80000000)

• The probability of error is 10-3
• We need N28.92 words in sequence O9

14
Complexity

• We need N28.92 words in sequence O9
• Then we need to run the Shannon 2N228.92 times
• Then, the computational complexity is equal to
• O(29.92)

15
Conclusion

• We showed that the keystream generator part of
  the Shannon stream cipher is not strong.
• It should be replaced by stronger one.
• The Key loading part is strong.