Differential Distinguishing Attack of Shannon Stream Cipher - PowerPoint PPT Presentation

Slides: 16
Provided by: johnma80
Transcript and Presenter's Notes

1
Differential Distinguishing Attack of Shannon
Stream Cipher
Yaser Esmaeili, Elham Shakour
Zaeim Electronic Ind., R&D Department
yesmaeili, shakour_at_zaeim.co.ir
Mehdi Hassanzadeh
University of Bergen, Selmer Center, Norway
Mehdi.hassanzadeh_at_ii.uib.no
2
Outline
  • Introduction
  • Description of the Shannon
  • Differential Properties of the f2 Function
  • Our Differential Distinguishing Attack
  • Conclusion

3
Introduction
  • The Shannon stream cipher was proposed by Philip
    Hawkes et al. for the ECRYPT/eSTREAM competition.
  • An entirely new design, influenced by members of
    the SOBER family of stream ciphers.
  • Designed as a software-efficient algorithm
  • Key length of up to 256 bits
  • Based on 32-bit words
  • Based on a single NLFSR and an NLF

4
A Brief Description
The Shannon algorithm consists of two parts:
  • Key loading
  • Key generation

5
Keystream Generation Mode
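  • 1) $r_{t+1}[i] \leftarrow r_t[i+1]$ for $i = 1 \ldots 14$
  • 2) $r_{t+1}[15] \leftarrow f_1(r_t[12] \oplus r_t[13] \oplus Konst) \oplus (r_t[0] \lll 1)$
  • 3) $temp \leftarrow f_2(r_{t+1}[2] \oplus r_{t+1}[15])$
  • 4) $r_{t+1}[0] \leftarrow r_t[1] \oplus temp$ (feed forward to the new lowest element)
  • 5) $v_t \leftarrow temp \oplus r_{t+1}[8] \oplus r_{t+1}[12]$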
6
f Function
  • f (A, B, C, D are fixed numbers)
  • $t \leftarrow w \oplus ((w \lll A) \lor (w \lll B))$
  • $f(w) = t \oplus ((t \lll C) \lor (t \lll D))$
  • f1: $(A,B,C,D) = (5,7,19,22)$
  • f2: $(A,B,C,D) = (7,22,5,19)$

7
Differential Analysis for Stream Ciphers
  • A differential of a stream cipher is a
    prediction that a given input difference
  • (it can be in the key, IV or internal
    state)
  • produces some output difference
  • (it can be in the keystream or internal
    state)

8
Differential Property of f2
  • Suppose that the 31st bit of the input is activated.
  • $W,\ W \oplus \Delta_{31}$
  • 9 bits of the output of the f2 function will be
    affected by $\Delta_{31}$
  • The output differential of the f2 function is
    determined bit by bit.
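
The property on this slide can be checked directly from the f definition given earlier. The C program below is an added example, not code from the presentation or from the Shannon reference implementation: it flips bit 31 of sampled inputs to f2, collects every output bit that ever changes, and counts how often the output difference is exactly 0x80000000, the word the later frequency test counts. The xorshift32 sampler, its seed and the function names are assumptions of this example, and the count is a measurement on f2 in isolation.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit left rotation (the slides' <<<); n must be in 1..31. */
static uint32_t rotl32(uint32_t w, unsigned n) { return (w << n) | (w >> (32 - n)); }

/* f with rotation constants (A,B,C,D), as on the "f Function" slide. */
static uint32_t f(uint32_t w, unsigned a, unsigned b, unsigned c, unsigned d)
{
    uint32_t t = w ^ (rotl32(w, a) | rotl32(w, b));
    return t ^ (rotl32(t, c) | rotl32(t, d));
}

uint32_t f2(uint32_t w) { return f(w, 7, 22, 5, 19); }

/* xorshift32: deterministic source of sample inputs (an assumption of this
   example; any uniform 32-bit source would do). */
static uint32_t next_word(uint32_t *s)
{
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* OR of f2(w) ^ f2(w ^ delta) over n sampled w: every output bit the
   input difference was seen to reach. */
uint32_t f2_reachable_bits(uint32_t delta, unsigned n)
{
    uint32_t s = 0x12345678u, mask = 0;
    for (unsigned i = 0; i < n; i++) {
        uint32_t w = next_word(&s);
        mask |= f2(w) ^ f2(w ^ delta);
    }
    return mask;
}

/* How many of n sampled w give exactly the output difference `target`. */
unsigned f2_count_diff(uint32_t delta, uint32_t target, unsigned n)
{
    uint32_t s = 0x12345678u;
    unsigned hits = 0;
    for (unsigned i = 0; i < n; i++) {
        uint32_t w = next_word(&s);
        hits += (f2(w) ^ f2(w ^ delta)) == target;
    }
    return hits;
}

int main(void)
{
    const unsigned n = 1u << 16;   /* constructed sample size */
    printf("reachable bits: 0x%08x\n", (unsigned)f2_reachable_bits(0x80000000u, n));
    printf("diff == 0x80000000: %u of %u\n", f2_count_diff(0x80000000u, 0x80000000u, n), n);
    return 0;
}
```

The reachable mask has nine bits set (31, 26, 25, 21, 18, 11, 8, 6, 4): bit 31 always flips, and the other eight flip only when the OR operands allow the difference through.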

9
Differential Property of f2
  • Theoretically Shannon is an RNG, therefore the
    output bits of Shannon are independent
  • The output is generated by the output of the f2
    function
  • The differential output bits of the f2 function are
    the 32-bit word $\Delta M$ (i.e. 0x80000000 from Table ) with
    the probability of

10
Attack Scenario
$IS$, $IS' = IS \oplus \Delta$
  • $v_t \oplus v'_t = \Delta_t$

$v_t$, $v'_t$
Repeat N times
11
Differential properties of the output
$IS'_{11} = IS_{11} \oplus \Delta_{31}$
  • N differential outputs are generated by the black box
    (the scenario is repeated N times)
  • In each repetition, the 9th output word is extracted.
  • A sequence consisting of N 32-bit differential
    words is provided ($O_9$)

12
Hypotheses Test
  • Two hypotheses for $O_9$

13
Our Differential Distinguishing Attack
  • By using a frequency test, we can distinguish
    the sequence $O_9$ ($T$ = number of 0x80000000)
  • The probability of error is $10^{-3}$
  • We need $N = 2^{8.92}$ words in sequence $O_9$

14
Complexity
  • We need $N = 2^{8.92}$ words in sequence $O_9$
  • Then we need to run Shannon $2N = 2 \cdot 2^{8.92}$ times
  • Then, the computational complexity is equal to
  • $O(2^{9.92})$

15
Conclusion
  • We showed that the keystream generator part of
    the Shannon stream cipher is not strong.
  • It should be replaced by a stronger one.
  • The key loading part is strong.