
Showing papers in "Cryptography and Communications in 2009"


Journal ArticleDOI
TL;DR: This paper overviews basic theory on distinguishing attacks on stream ciphers and illustrates underlying ideas and common techniques without going into too many details on each topic.
Abstract: This paper overviews basic theory on distinguishing attacks on stream ciphers. It illustrates underlying ideas and common techniques without going into too many details on each topic. Some new approaches in distinguishing attacks are also included.

38 citations


Journal ArticleDOI
TL;DR: It is shown that every Steiner triple system has a stopping set of size at most 7, which can be viewed as an application of polynomial identities among configuration counts that generalize the family of known linear identities.
Abstract: The size of the smallest stopping set in a low-density parity check (LDPC) code determines, to an extent, the performance of iterative decoding methods over the binary erasure channel. In an LDPC code arising from a block design, a stopping set is a subset of its blocks with the property that every point belonging to one of the selected blocks belongs to at least two of them. While some Steiner triple systems have no stopping sets of size 5 or less, it is shown that every Steiner triple system has a stopping set of size at most 7. The proof can be viewed as an application of polynomial identities among configuration counts that generalize the family of known linear identities. While no example of a Steiner triple system whose smallest stopping set has size seven is known, it is shown that a partial Steiner triple system on v points with c·v^{1.8} triples that has no stopping set of size less than 7 exists.

20 citations


Journal ArticleDOI
TL;DR: The expectation and variance of the joint linear complexity of random multisequences consisting of linear recurring sequences are determined and tight upper and lower bounds on the counting function in general are derived.
Abstract: The linear complexity of sequences is one of the important security measures for stream cipher systems. Recently, in the study of vectorized stream cipher systems, the joint linear complexity of multisequences has been investigated. In this paper, we study the joint linear complexity of multisequences consisting of linear recurring sequences. The expectation and variance of the joint linear complexity of random multisequences consisting of linear recurring sequences are determined. These results extend the corresponding results on the expectation and variance of the joint linear complexity of random periodic multisequences. Then we enumerate the multisequences consisting of linear recurring sequences with fixed joint linear complexity. A general formula for the appropriate counting function is derived. Some convenient closed-form expressions for the counting function are determined in special cases. Furthermore, we derive tight upper and lower bounds on the counting function in general. Some interesting relationships among the counting functions of certain cases are established. The generating polynomial for the distribution of joint linear complexities is determined. The proofs use new methods that enable us to obtain results of great generality.

18 citations


Journal ArticleDOI
TL;DR: The results show that the distribution of the key-dependent probability is not narrow for characteristics in the AES Super box and hence the widely made assumption that it can be approximated by the EDP, is not justified.
Abstract: In this paper, we study a class of linear transformations that are used as mixing maps in block ciphers. We address the question which properties of the linear transformation affect the probability of differentials and characteristics over Super boxes. Besides the expected differential probability (EDP), we also study the fixed-key probability of characteristics, denoted by DP[k]. We define plateau characteristics, where the dependency on the value of the key is very structured. Our results show that the distribution of the key-dependent probability is not narrow for characteristics in the AES Super box and hence the widely made assumption that it can be approximated by the EDP, is not justified. Finally, we introduce a property of linear maps which hasn’t been studied before. We call this property related differentials. Related differentials don’t influence the EDP of characteristics, but instead they affect the distribution of their DP[k] values.

16 citations


Journal ArticleDOI
TL;DR: A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented, where the nonlinear operation is swapping among the permutation bytes, and it is shown that the secret key of RC4 can be recovered from the state information in a time much less than the exhaustive search with good probability.
Abstract: A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented in this paper, where the nonlinear operation is swapping among the permutation bytes. Explicit formulae are provided for the probabilities with which the permutation bytes at any stage of the KSA are biased to the secret key. Theoretical proofs of these formulae have been left open since Roos’ work (1995). Next, a generalization of the RC4 KSA is analyzed corresponding to a class of update functions of the indices involved in the swaps. This reveals an inherent weakness of shuffle-exchange kind of key scheduling. Moreover, we show that biases towards the secret key also exist in S[S[y]], S[S[S[y]]], and so on, for initial values of y. We additionally show that each byte of $S_N$ actually reveals secret key information. Looking at all the elements of the final permutation $S_N$ and its inverse $S^{-1}_N$, the value of the hidden index j in each round of the KSA can be estimated from a “pair of values” in 0, ..., N − 1 with a constant probability of success $\pi = \frac{N-2}{N}\cdot(\frac{N-1}{N})^{N-1} + \frac{2}{N}$ (we get π ≈ 0.37, for N = 256), which is significantly higher than the random association. Using the values of two consecutive j’s, we estimate the y-th key byte from at most a “quadruple of values” in 0, ..., N − 1 with a probability > 0.12. As a secret key of l bytes is repeated at least $\lfloor \frac{N}{l}\rfloor$ times in RC4, these many quadruples can be accumulated to get each byte of the secret key with very high probability (e.g., 0.8 to close to 1) from a small set of values. Based on our analysis of the key scheduling, we show that the secret key of RC4 can be recovered from the state information in a time much less than the exhaustive search with good probability.
Finally, based on the above biases of the permutation after the KSA and other related results, a complete framework is presented to show that many keystream output bytes of RC4 are significantly biased towards several linear combinations of the secret key bytes. The results do not assume any condition on the secret key. We find new biases in the initial as well as in the 256-th and 257-th keystream output bytes.

10 citations


Journal ArticleDOI
TL;DR: This paper focuses on two well-known classes of nonlinear filters, namely the equidistant and normal filters, and provides new improved lower bounds on the linear complexity of the generated keystreams.
Abstract: Binary sequences being generated by nonlinearly filtering maximal length sequences with period $2^n − 1$ are studied in this paper. In particular, we focus on two well-known classes of nonlinear filters, namely the equidistant and normal filters, and provide new improved lower bounds on the linear complexity of the generated keystreams. In order to achieve this, properties of certain determinants over finite fields, i.e. generalized Vandermonde and linearized determinants, are first analyzed in terms of their factorization. The value of the derived methodology is demonstrated by the simplification that occurs in the generalized version of the root presence test, which has been commonly used to obtain lower bounds on the linear complexity. Moreover, it is shown how these results can be applied to reason about the properties of more complex nonlinear filters.

5 citations


Journal ArticleDOI
TL;DR: In this contribution fast algorithms for determining the linear complexity of binary sequences with characteristic polynomial $f(x) = (x − 1)^d$ for an arbitrary positive integer d, and $f(x) = (x^2+x+1)^{2^v}$ are presented.
Abstract: Several fast algorithms for the determination of the linear complexity of d-periodic sequences over a finite field \({\mathbb F}_q\), i.e. sequences with characteristic polynomial \(f(x) = x^d − 1\), have been proposed in the literature. In this contribution fast algorithms for determining the linear complexity of binary sequences with characteristic polynomial \(f(x) = (x − 1)^d\) for an arbitrary positive integer d, and \(f(x) = (x^2+x+1)^{2^v}\) are presented. The result is then utilized to establish a fast algorithm for determining the k-error linear complexity of binary sequences with characteristic polynomial \((x^2+x+1)^{2^v}\).

4 citations


Journal ArticleDOI
TL;DR: This analysis explains in a unified way the recent attacks against reduced round SHA-2 in a general class of local collisions and shows that the previously used local collision by Nikolić and Biryukov and Sanadhya and Sarkar are special cases.
Abstract: We perform a combinatorial analysis of the SHA-2 compression function. This analysis explains in a unified way the recent attacks against reduced round SHA-2. We start with a general class of local collisions and show that the previously used local collision by Nikolić and Biryukov (NB) and Sanadhya and Sarkar (SS) are special cases. The study also clarifies several advantages of the SS local collision over the NB local collision. Deterministic constructions of up to 22-round SHA-2 collisions are described using the SS local collision and up to 21-round SHA-2 collisions are described using the NB local collision. For 23 and 24-round SHA-2, we describe a general strategy and then apply the SS local collision to this strategy. The resulting attacks are faster than those proposed by Indesteege et al. using the NB local collision. We provide colliding message pairs for 22, 23 and 24-round SHA-2. Although these attacks improve upon the existing reduced round SHA-256 attacks, they do not threaten the security of the full SHA-2 family.

3 citations


Journal ArticleDOI
TL;DR: Non-trivial lower bounds on the linear complexity are derived for a sequence obtained by performing a combination of up to k substitutions, insertions, and deletions and it is shown that similar bounds hold for the joint linear complexity of periodic multisequences.
Abstract: Non-trivial lower bounds on the linear complexity are derived for a sequence obtained by performing a combination of up to k substitutions, insertions, and deletions. The bounds derived are similar to those previously established for either k substitutions, k insertions or k deletions within a single period. The bounds are useful when T/2k < λ < T/k, where λ is the linear complexity of the original sequence and T is its period. It is shown that similar bounds hold for the joint linear complexity of periodic multisequences. Similar results are obtained for the N-adic complexity of periodic sequences over {0, ⋯ , N − 1}. New non-trivial lower bounds on the minimum number of operations needed to decrease the complexity are also given. The derivations are simpler compared to those in previous work on these problems.

3 citations


Journal ArticleDOI
TL;DR: It is shown that the NGG stream can be distinguished, with success probability ≈ 97%, from a random stream using only the first keystream word, and that the first few kilobytes of the keystream may leak information about the secret key which allows the cryptanalyst to recover the secret key in a very efficient way.
Abstract: NGG is an RC4-like stream cipher designed to make use of today’s common 32-bit processors. It is 3–5 times faster than RC4. In this paper, we show that the NGG stream can be distinguished, with success probability ≈ 97%, from a random stream using only the first keystream word. We also show that the first few kilobytes of the keystream may leak information about the secret key which allows the cryptanalyst to recover the secret key in a very efficient way.

3 citations


Journal ArticleDOI
TL;DR: The autocorrelation of l-sequences with prime connection integer p and period T = p − 1 is studied, and it is shown that when p is sufficiently large, the autocorrelation \(C_{\underline{a}}(\tau)\) is low.
Abstract: In this paper, the autocorrelations of l-sequences with prime connection integer are discussed. Let \(\underline{a}\) be an l-sequence with connection integer p and period T = p − 1. We show that the autocorrelation \(C_{\underline{a}}(\tau)\) of \(\underline{a}\) with shift τ satisfies: $$ \left\vert C_{\underline{a}}(\tau) - \frac{p-1}{p^{2}} \cdot \sum_{c=1}^{p-1} \tan\left(\frac{\pi c 2^{-\tau}}{p}\right) \tan\left(\frac{\pi c}{p}\right) \right\vert = O(\ln^{2} p). $$ Thus, by calculating this trigonometric sum, an estimate of \(C_{\underline{a}}(\tau)\) can be obtained. In particular, for any shift τ with \(2^{-\tau} \ (\mbox{mod}\ p) = (p-3)/2\) or \((p+3)/2\), the autocorrelation \(C_{\underline{a}}(\tau)\) of \(\underline{a}\) with shift τ satisfies \(C_{\underline{a}}(\tau) = O(\ln^{2} p)\); thus, when p is sufficiently large, the autocorrelation is low. This result also holds for the decimations of l-sequences.