Download
1 / 15
150 likes | 276 Vues
This paper presents a differential distinguishing attack on the Shannon stream cipher, highlighting its vulnerabilities. We explore the differential properties of the f2 function and demonstrate how specific input differences can lead to predictable output differences, which compromise the cipher's security. Our analysis shows that the keystream generator within the Shannon stream cipher is not robust against such attacks, suggesting the need for stronger alternatives, while the key loading mechanism remains secure. We provide insights into the computational complexities involved in executing our attack.
E N D
Differential Distinguishing Attack of Shannon Stream Cipher Yaser Esmaeili Elham ShakourZaeim Electronic Ind. R&D Department{yesmaeili, shakour}@zaeim.co.ir Mehdi Hassanzadeh University of Bergen Selmer Center, NorwayMehdi.hassanzadeh@ii.uib.no
Outline • Introduction • Description of the Shannon • Differential Properties of the f2 Function • Our Differential Distinguishing Attack • Conclusion
Introduction • The Shannon stream cipher was proposed by Philip Hawkes et al. for Ecrypt/eStream competitive. • An entirely new design, influenced by members of the SOBER family of stream ciphers. • Designed for a software-efficient algorithm • up to 256 bits key length • 32-bit words based • based on a single NLFSR and a NLF
A Brief Description The Shannon algorithm consists of two parts: • Key loading • key generation
Keystream Generation Mode 1) rt+1[i] ← rt[i+1] for i = 1...14 2)rt+1[15] ← f1(rt[12]rt[13] Konst) (rt[0]<<<1) 3) temp ← f2(rt+1[2] rt+1[15]) 4) rt+1[0]← rt[1]temp(“feed forward” to the new lowest element) 5) vt← temp rt+1[8] rt+1[12].
f Function f : (A,B,C,D are fixed numbers) t ← w ((w <<< A) | (w <<< B)) f(w) = t (( t <<< C) | (t <<< D)) f1 : (A,B,C,D)=(5,7,19,22) f2 : (A,B,C,D)=(7,22,5,19)
Differential Analysis for Stream Ciphers A differential of a stream cipher is a prediction that a given input difference (it can be the key, IV or internal state) produce some output difference (it can be the keystream or internal state)
Differential Property of f2 • Suppose that 31st bit of input is activated. • W, W 31 • 9 bits of output from f2 function will be impressed by 31 • The output differential of f2 function is determined bit by bit.
Differential Property of f2 • Theoretically: Shannon is a RNG, therefore the output bits of the Shannon are independent • The output is generated by the output of f2 function • the differential output bits of f2 function are 32 bit word M (i.e. 0x80000000 from Table ) with the probability of
TRNG Attack Scenario vtv't=∆t IS IS‘=IS vt , v't Repeat for N times
Differential properties of the output IS‘[11]=IS[11] 31 • N differential outputs are generated by black box (scenario is repeated N times) • In each repeatation, 9th output word is exracted. • A sequence consisting of N 32-bit differential words is provided (O9)
Hypotheses Test • Two hypotheses for O9:
If T≥10 => generated by the Shannon • If T<10 => was NOT generated by the Shannon Our Differential Distinguishing Attack • By using of frequency test, we can distinguish the sequance O9 (T= number of 0x80000000) • The probability of error is 10-3 • We need N=28.92 words in sequence O9
Complexity • We need N=28.92 words in sequence O9 • Then we need to run the Shannon 2*N=2*28.92 times • Then, the computational complexity is equal to O(29.92)
Conclusion • We showed that the keystream generator part of the Shannon stream cipher is not strong. • It should be replaced by stronger one. • The Key loading part is strong.
