Presentation is loading. Please wait.

Presentation is loading. Please wait.

Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Yaser.

Published byEdgar McKenzie Modified over 9 years ago

Similar presentations

Presentation on theme: "Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Yaser."— Presentation transcript:

1 Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser Esmaeili Elham Shakour Zaeim Electronic Ind. R&D Department {yesmaeili, shakour}@zaeim.co.ir

2 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 2/16 Outline Introduction Description of the Shannon Differential Properties of the f 2 Function Our Differential Distinguishing Attack Conclusion

3 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 3/16 Introduction The Shannon stream cipher was proposed by Philip Hawkes et al. for Ecrypt/eStream competitive. An entirely new design, influenced by members of the SOBER family of stream ciphers. Designed for a software- efficient algorithm up to 256 bits key length 32-bit words based based on a single NLFSR and a NLF

4 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 4/16 A Brief Description The Shannon algorithm consists of two parts: Key loading key generation

5 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 5/16 Keystream Generation Mode 1) r t+1 [i] ← r t [i+1] for i = 1...14 2) r t+1 [15] ← f 1 (r t [12]  r t [13]  Konst)  (r t [0] <<<1) 3) temp ← f 2 (r t+1 [2]  r t+1 [15]) 4) r t+1 [0]← r t [1]  temp(“feed forward” to the new lowest element ) 5) v t ← temp  r t+1 [8]  r t+1 [12].

6 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 6/16 f Function f : (A,B,C,D are fixed numbers) t ← w  ((w <<< A) | (w <<< B)) f(w) = t  (( t <<< C) | (t <<< D)) f 1 : (A,B,C,D)=(5,7,19,22) f 2 : (A,B,C,D)=(7,22,5,19)

7 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 7/16 Differential Analysis for Stream Ciphers A differential of a stream cipher is a prediction that a given input difference (it can be the key, IV or internal state) produce some output difference (it can be the keystream or internal state)

8 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 8/16 Suppose that 31st bit of input is activated.  W, W  31 9 bits of output from f 2 function will be impressed by  31 The output differential of f 2 function is determined bit by bit. Differential Property of f 2

9 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 9/16 Differential Property of f 2 Theoretically: Shannon is a RNG, therefore the output bits of the Shannon are independent The output is generated by the output of f 2 function the differential output bits of f 2 function are 32 bit word  M (i.e. 0x80000000 from Table ) with the probability of

10 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 10/16 IS IS‘=IS  v t  v' t =∆t v t, v' t TRNG Repeat for N times Attack Scenario

11 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 11/16 Differential properties of the output N differential outputs are generated by black box (scenario is repeated N times) In each repeatation, 9th output word is exracted. A sequence consisting of N 32-bit differential words is provided (O 9 ) IS‘[11]=IS [11]   31

12 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 12/16 Hypotheses Test Two hypotheses for O 9 :

13 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 13/16 Our Differential Distinguishing Attack By using of frequency test, we can distinguish the sequance O 9 (T= number of 0x80000000) If T≥10 => generated by the Shannon If T was NOT generated by the Shannon The probability of error is 10 -3 We need N=2 8.92 words in sequence O 9

14 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 14/16 Complexity We need N=2 8.92 words in sequence O 9 Then we need to run the Shannon 2*N=2*2 8.92 times Then, the computational complexity is equal to O(2 9.92 )

15 Differential Distinguishing Attack of Shannon Stream Cipher Hassanzadeh Cryptology2008, Malaysia 15/16 Conclusion We showed that the keystream generator part of the Shannon stream cipher is not strong. It should be replaced by stronger one. The Key loading part is strong.

Download ppt "Differential Distinguishing Attack of Shannon Stream Cipher Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Yaser."

Similar presentations

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.

1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Cryptography and Network Security

Cryptography and Network Security
CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos
Introduction to CLOCK_CONTROLLED STREAM CIPHER SYSTEM Sayed Mahdi Mohammad Hasanzadeh Zaeim Electronics industries 1380.

Introduction to CLOCK_CONTROLLED STREAM CIPHER SYSTEM Sayed Mahdi Mohammad Hasanzadeh Zaeim Electronics industries 1380.
An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.

An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Stream Ciphers.

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Stream Ciphers.
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.

Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
HSC: Building Stream Cipher from Secure Hash Functions Juncao Li Nov. 29 th 2007 Department of Computer Science Portland State University.

HSC: Building Stream Cipher from Secure Hash Functions Juncao Li Nov. 29 th 2007 Department of Computer Science Portland State University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.
UNIT INSTRUMENT DEMONSTRATION OF CRC GENERATION Imran Shafique Ansari246808 Saif Ahmad237903 Ahmad Qutb Al-Deen232563.

UNIT INSTRUMENT DEMONSTRATION OF CRC GENERATION Imran Shafique Ansari Saif Ahmad Ahmad Qutb Al-Deen
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.
1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

Similar presentations

Ads by Google