Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Mehdi Hassanzadeh University of Bergen Selmer Center, Norway

Presentation transcript:

Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Yaser Esmaeili Mohammad R. Sohizadeh Matthew G. Parker Tor Helleseth

Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 2/25

Outline: Introduction; Description of the Shannon; Differential Properties of the f2 Function; Fault Analysis; Our Differential Distinguishing Attack; Implementation Results; Conclusion

Introduction: The Shannon stream cipher was proposed by Philip Hawkes et al. for the Ecrypt/eStream competition. It is designed as a software-efficient algorithm, supports key lengths up to 256 bits, operates on 32-bit words, and is based on a single NLFSR and an NLF.

A Brief Description: The Shannon algorithm consists of two parts: key loading and key generation.

Keystream Generation Mode:
1) r_{t+1}[i] ← r_t[i+1] for i = 1, ..., 14
2) r_{t+1}[15] ← f1(r_t[12] ⊕ r_t[13] ⊕ Konst) ⊕ (r_t[0] <<< 1)
3) temp ← f2(r_{t+1}[2] ⊕ r_{t+1}[15])
4) r_{t+1}[0] ← r_t[1] ⊕ temp ("feed forward" to the new lowest element)
5) v_t ← temp ⊕ r_{t+1}[8] ⊕ r_{t+1}[12]

f Function (A, B, C, D are fixed numbers):
t ← w ⊕ ((w <<< A) | (w <<< B))
f(w) = t ⊕ ((t <<< C) | (t <<< D))
f1: (A,B,C,D) = (5,7,19,22)
f2: (A,B,C,D) = (7,22,5,19)

Differential Analysis for Stream Ciphers: A differential of a stream cipher is a prediction that a given input difference (it can be in the key, IV or internal state) produces some output difference (it can be in the keystream or internal state).

Differential Property of f2: Suppose that the 31st bit of the input is activated, so the two inputs are W and W ⊕ E31. 9 bits of the output of the f2 function will be affected by E31. The output differential of the f2 function is determined bit by bit.

Differential Property of f2: Theoretically, Shannon is a RNG, therefore the output bits of the Shannon are independent. The output is generated by the output of the f2 function. The differential output bits of the f2 function are the 32-bit word ΔM (i.e. 0x from Table ) with the probability of

Another Differential Property of the f2 Function: ΔM[t] appears as an input differential for the f2 function at the next time (t+1). The differential input is ΔM[t]<<<1, that is 0x <<<1 with probability bits of the f2 function's output will be influenced by ΔM[t]<<<1. The output differential is 0x E with probability

Attack Scenario (diagram; labels: IS, IS′, v_t, v′_t, v_t ⊕ v′_t = Δt, TRNG). Repeat for n times. Guess which algorithm is used (Shannon or TRNG).

Differential properties of the output: n differential outputs are generated by the black box (the scenario is repeated n times). In each repetition, the 9th and 10th output words are extracted. IS′[11] = IS[11] ⊕ E31

Differential Fault Analysis (1): A fault is induced by applying ionizing radiation, microwave radiation or some other environmental stress. It occurs with reasonable probability and in a random position. If it occurs in a suitable position, a special pattern will appear in the differential outputs.

Differential Fault Analysis (2): If the error occurs in any word from the 3rd to the 11th, the output differential (ΔM) appears in word number 0 up to 9, sequentially.

Differential Fault Analysis (3): If the error occurs in any bit other than the 31st bit of a word in the initial state, we will have another pattern as the output differential instead of 0x and 0x E. By the same method presented in this paper, we can find the output differential pattern (ΔM). We suppose that the bit error occurs in the 31st bit of word number 11.
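The following Python sketch is an added example, not code from the presentation or from the Shannon designers. It implements f1/f2 and the five keystream steps as given on the slides, measures which f2 output bits can change for input difference E31, and traces how a fault in bit 31 of word 11 shows up in the keystream difference. Assumptions: bit 31 is the most significant bit, steps are counted from 1, and Konst and the initial state are random stand-ins because key loading is not reproduced here.

```python
import random

MASK = 0xFFFFFFFF
E31 = 1 << 31  # assumption: "bit 31" is the most significant bit

def rotl(w, n):
    return ((w << n) | (w >> (32 - n))) & MASK

def f(w, a, b, c, d):  # f function with rotation constants (A, B, C, D)
    t = w ^ (rotl(w, a) | rotl(w, b))
    return t ^ (rotl(t, c) | rotl(t, d))

def f1(w): return f(w, 5, 7, 19, 22)
def f2(w): return f(w, 7, 22, 5, 19)

def step(r, konst):
    # Steps 1-5 of the keystream generation mode on a 16-word register.
    new15 = f1(r[12] ^ r[13] ^ konst) ^ rotl(r[0], 1)
    nr = r[1:] + [new15]            # shift down, append new top word
    temp = f2(nr[2] ^ nr[15])
    nr[0] ^= temp                   # feed forward into the lowest word
    return nr, temp ^ nr[8] ^ nr[12]

def f2_affected_mask(in_diff=E31, samples=20000, seed=1):
    # OR of every observed f2 output difference for one fixed input difference.
    rng, mask = random.Random(seed), 0
    for _ in range(samples):
        w = rng.getrandbits(32)
        mask |= f2(w) ^ f2(w ^ in_diff)
    return mask

def fault_trace(word=11, bit=31, steps=10, seed=2):
    # Keystream differences v_t ^ v'_t after flipping one initial-state bit.
    rng = random.Random(seed)
    konst = rng.getrandbits(32)                      # constructed stand-in for Konst
    good = [rng.getrandbits(32) for _ in range(16)]  # constructed initial state
    bad = list(good)
    bad[word] ^= 1 << bit
    diffs = []
    for _ in range(steps):
        good, v = step(good, konst)
        bad, v2 = step(bad, konst)
        diffs.append(v ^ v2)
    return diffs

if __name__ == "__main__":
    print("f2 output bits reachable from E31: 0x%08X" % f2_affected_mask())
    for t, d in enumerate(fault_trace(), start=1):
        print(f"step {t:2d}: v ^ v' = 0x{d:08X}")
```

Under these assumptions the keystream difference is exactly E31 at step 3 (the faulty word is then at position 8), zero for steps 4 to 8, and at step 9 it is an f2 output differential confined to nine bit positions with bit 31 always set.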

Our Distinguisher: Let O_i^k[t] denote the ith (0 ≤ i ≤ 31) bit of the tth (t = 9 or 10) word in the kth (1 ≤ k ≤ n) 10-tuple of output differential words. For the kth output differential words, 44 new binary random variables (x_i^k) are defined as a function of O_i^k[t]. We want the probability of each variable (x_i^k) being "one" to be higher than ½.

Our Distinguisher: E(X) = 31n + 13np and VAR(X) = 13np(1-p). The distribution of X can be approximated by a Normal distribution, X ~ N(31n + 13np, 13np(1-p)). If X is produced by a TRNG, we will have X ~ N(22n, 11n).

Hypotheses Test: Two hypotheses for X:
H0: X ~ N(31n + 13np, 13np(1-p))
H1: X ~ N(22n, 11n)

Our Distinguisher: If X ≥ 69 => X was generated by the Shannon. If X < 69 => X was NOT generated by the Shannon. The probability of error is
We need n = 2 10-tuple output differential words.

The implementation results: It is repeated for 5×10^7 different differential outputs of the Shannon. The AES algorithm is considered as a TRNG.

Conclusion: The keystream generator part of the Shannon stream cipher is not strong. It should be replaced by a stronger one. The key loading part is strong. The computational complexity of this attack is only equal to four times the complexity of running the Shannon stream cipher. Error probability is while only two random differential outputs are needed.

Conclusion: We also achieved this result by the implementation. By using the Differential Fault Analysis idea, our attack can be applied practically. For the first time, the ideas of the differential and distinguishing attacks and the Fault Analysis method are combined in our paper.

Question. Thank you for your attention. Seyed Mehdi Mohammad Hassanzadeh, University of Bergen, Selmer Center, Norway