Presentation is loading. Please wait.

Presentation is loading. Please wait.

Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Mehdi Hassanzadeh University of Bergen Selmer Center, Norway

Published byAlice Payne Modified over 8 years ago

Similar presentations

Presentation on theme: "Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Mehdi Hassanzadeh University of Bergen Selmer Center, Norway"— Presentation transcript:

1 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Mehdi Hassanzadeh University of Bergen Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no Yaser Esmaeili Mohammad R. Sohizadeh Matthew G. Parker Tor Helleseth

2 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 2/25 Outline Introduction Description of the Shannon Differential Properties of the f 2 Function Fault Analysis Our Differential Distinguishing Attack Implementation Results Conclusion

3 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 3/25 Introduction The Shannon stream cipher was proposed by Philip Hawkes et al. for Ecrypt/eStream competitive. Designed for a software- efficient algorithm up to 256 bits key length 32-bit words based based on a single NLFSR and a NLF

4 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 4/25 A Brief Description The Shannon algorithm consists of two parts: Key loading key generation

5 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 5/25 Keystream Generation Mode 1) r t+1 [i] ← r t [i+1] for i = 1...14 2) r t+1 [15] ← f 1 (r t [12]  r t [13]  Konst)  (r t [0] <<<1) 3) temp ← f 2 (r t+1 [2]  r t+1 [15]) 4) r t+1 [0]← r t [1]  temp(“feed forward” to the new lowest element ) 5) v t ← temp  r t+1 [8]  r t+1 [12].

6 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 6/25 f Function f : (A,B,C,D are fixed numbers) t ← w  ((w <<< A) | (w <<< B)) f(w) = t  (( t <<< C) | (t <<< D)) f 1 : (A,B,C,D)=(5,7,19,22) f 2 : (A,B,C,D)=(7,22,5,19)

7 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 7/25 Differential Analysis for Stream Ciphers A differential of a stream cipher is a prediction that a given input difference (it can be the key, IV or internal state) produces some output difference (it can be the keystream or internal state)

8 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 8/25 Suppose that 31st bit of input is activated.  W, W  E 31 9 bits of output from f 2 function will be impressed by E 31 The output differential of f 2 function is determined bit by bit. Differential Property of f 2

9 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 9/25

10 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 10/25 Differential Property of f 2 Theoretically: Shannon is a RNG, therefore the output bits of the Shannon are independent The output is generated by the output of f 2 function the differential output bits of f 2 function are 32 bit word  M (i.e. 0x80000000 from Table ) with the probability of

11 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 11/25

12 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 12/25 Another Differential Property of the f 2 Function  M[t] appears as an input differential for the f 2 function in the next time (t+1) Differential input is  M[t]<<<1 that is 0x80000000<<<1 with probability 2 -5.66 26 bits of the f 2 function’s output will be influenced by  M[t]<<<1 The output differential is 0x8000021E with probability

13 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 13/25 IS IS ' =IS  v t  v' t =∆t v t, v' t TRNG Repeat for n times Guess which algorithm is used (Shannon or TRNG) Attack Scenario

14 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 14/25 Differential properties of the output n differential outputs are generated by black box (scenario is repeated n times) In each repeatation, 9th & 10th output words are exracted. IS´[11]=IS [11]  E 31

15 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 15/25 Differential Fault Analysis (1) By applying ionizing radiation, microwave radiation or some other environmental stress Occurs with reasonable probability Occurs in a random position If occurs in the suitable position, a special pattern will be appeared in the differential outputs

16 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 16/25 Differential Fault Analysis (2) If the error occurs in any words from 3rd to 11th, the output differential (  M) appears in word number 0th up to 9th sequentially

17 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 17/25 Differential Fault Analysis (3) If the error occurs in any bits instead of 31st bits in a word in the initial state, we will have another pattern as an output differential instead of 0x80000000 and 0x8000021E. By the same method presented in this paper, we can find the output differential pattern (  M). We suppose that the bit-error occurs in the 31st bit of the word number 11.

18 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 18/25 Our Distinguisher O i k [t] denote the ith (0 ≤ i ≤ 31) bit of the tth (t =9 or 10) word in the kth (1≤ k ≤ n) 10-tuple output differential words. For the kth output differential words, 44 new binary random variables (x i k ) are defined as a function of O i k [t]. We are interested that the probability of all variables (x i k ) for being “One” to be higher than ½.

19 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 19/25 Our Distinguisher E(X)=31n+13np and VAR(X)=13np(1-p) The distribution of X can be approximated by a Normal distribution X~ N ( 31n + 13np, 13np(1-p) ) If X is produced by a TRNG, we will have X~ N(22n, 11n )

20 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 20/25 Hypotheses Test Two hypotheses X: H 0  X~ N( 31n + 13np, 13np(1-p) ) H 1  X~ N(22n, 11n )

21 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 21/25 Our Distinguisher If X≥69 => X generated by the Shannon If X X does NOT generated by the Shannon The probability of error is 10 -3 We need n=2 10-tuple output differential words

22 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 22/25 The implementation results It is repeated for 5*10 7 different differential outputs of the Shannon The AES algorithm is considered as a TRNG

23 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 23/25 Conclusion The keystream generator part of the Shannon stream cipher is not strong. It should be replaced by stronger one. The Key loading part is strong. Computational complexity of this attack is only equal to four times the complexity of running the Shannon stream cipher Error probability is 0.001 while only two random differential outputs are needed.

24 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 24/25 Conclusion We also achieved this result by the implementation. By using of the Differential Fault Analysis idea, our attack can be applied practically. For the first time, the ideas of the differential and distinguishing attacks and Fault Analysis method are combined in our paper.

25 Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Hassanzadeh IST2008, Tehran, Iran 25/25 Question Thank you for your attention Seyed Mehdi Mohammad Hassanzadeh University of Bergen, Selmer Center, Norway Mehdi.hassanzadeh@ii.uib.no

Download ppt "Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Mehdi Hassanzadeh University of Bergen Selmer Center, Norway"

Similar presentations

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
A Paper on RANDOM SAMPLING OVER JOINS by SURAJIT CHAUDHARI RAJEEV MOTWANI VIVEK NARASAYYA PRESENTED BY, JEEVAN KUMAR GOGINENI SARANYA GOTTIPATI.

A Paper on RANDOM SAMPLING OVER JOINS by SURAJIT CHAUDHARI RAJEEV MOTWANI VIVEK NARASAYYA PRESENTED BY, JEEVAN KUMAR GOGINENI SARANYA GOTTIPATI.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Order Statistics Sorted

Order Statistics Sorted
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.

An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.
Resampling techniques Why resampling? Jacknife Cross-validation Bootstrap Examples of application of bootstrap.

Resampling techniques Why resampling? Jacknife Cross-validation Bootstrap Examples of application of bootstrap.
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.

Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
HSC: Building Stream Cipher from Secure Hash Functions Juncao Li Nov. 29 th 2007 Department of Computer Science Portland State University.

HSC: Building Stream Cipher from Secure Hash Functions Juncao Li Nov. 29 th 2007 Department of Computer Science Portland State University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.

Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography.
ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data.

ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data.
Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.

Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.
Decryption Algorithms Characterization Project ECE 526 spring 2007 Ravimohan Boggula,Rajesh reddy Bandala Southern Illinois University Carbondale.

Decryption Algorithms Characterization Project ECE 526 spring 2007 Ravimohan Boggula,Rajesh reddy Bandala Southern Illinois University Carbondale.

Similar presentations

Ads by Google