
Keystream

About: Keystream is a research topic. Over its lifetime, 902 publications have been published within this topic, receiving 15374 citations.


Papers
Book Chapter
04 May 2003
TL;DR: This paper shows how to substantially lower the degree of these equations by multiplying them by well-chosen multivariate polynomials, and is able to break Toyocrypt in 2^49 CPU clocks, with only 20 Kbytes of keystream, the fastest attack proposed so far.
Abstract: A classical construction of stream ciphers is to combine several LFSRs and a highly non-linear Boolean function f. Their security is usually analysed in terms of correlation attacks, that can be seen as solving a system of multivariate linear equations, true with some probability. At ICISC'02 this approach is extended to systems of higher-degree multivariate equations, and gives an attack in 2^92 for Toyocrypt, a Cryptrec submission. In this attack the key is found by solving an overdefined system of algebraic equations. In this paper we show how to substantially lower the degree of these equations by multiplying them by well-chosen multivariate polynomials. Thus we are able to break Toyocrypt in 2^49 CPU clocks, with only 20 Kbytes of keystream, the fastest attack proposed so far. We also successfully attack the Nessie submission LILI-128, within 2^57 CPU clocks (not the fastest attack known). In general, we show that if the Boolean function uses only a small subset (e.g. 10) of state/LFSR bits, the cipher can be broken, whatever is the Boolean function used (worst case). Our new general algebraic attack breaks stream ciphers satisfying all the previously known design criteria in at most the square root of the complexity of the previously known generic attack.

997 citations

Book Chapter
11 May 1997
TL;DR: A time-memory trade-off attack based on the birthday paradox which yields the unknown internal state at a known time for a known keystream sequence is pointed out, and a so-called internal state reversion attack is proposed and analyzed by the theory of critical and subcritical branching processes.
Abstract: A binary stream cipher, known as A5, consisting of three short LFSRs of total length 64 that are mutually clocked in the stop/go manner is cryptanalyzed. It is allegedly used in the GSM standard for digital cellular mobile telephones. Very short keystream sequences are generated from different initial states obtained by combining a 64-bit secret session key and a known 22-bit public key. A basic divide-and-conquer attack recovering the unknown initial state from a known keystream sequence is first introduced. It exploits the specific clocking rule used and has average computational complexity around 2^40. A time-memory trade-off attack based on the birthday paradox which yields the unknown internal state at a known time for a known keystream sequence is then pointed out. The attack is successful if T · M ≥ 2^63.32, where T and M are the required computational time and memory (in 128-bit words), respectively. The precomputation time is O(M) and the required number of known keystream sequences generated from different public keys is about T/10^2. For example, one can choose T ≅ 2^27.67 and M ≅ 2^35.65. To obtain the secret session key from the determined internal state, a so-called internal state reversion attack is proposed and analyzed by the theory of critical and subcritical branching processes.

415 citations

Book
04 May 1998
TL;DR: This book discusses cyclotomic numbers, primes, Primitive Roots and Sequences, and group characters and Cryptography, as well as some of the algorithms used in stream ciphering, among other things.
Abstract: Preface. Introduction. Applications of number theory. An outline of this book. Stream Ciphers. Stream cipher systems. Additive synchronous stream ciphers. Nonadditive synchronous stream ciphers. Stream ciphering with block ciphers. Cooperative distributed ciphering. Some keystream generators. Generators based on counters. Some number-theoretic generators. Cryptographic aspects of sequences. Minimal polynomial and linear complexity. Pattern distribution of key streams. Correlation functions. Sphere complexity and linear cryptanalysis. Higher order complexities. Harmony on binary NSGs. Security attacks. Primes, Primitive Roots and Sequences. Cyclotomic polynomials. Two basic problems from stream ciphers. A basic theorem and main bridge. Primes, primitive roots and binary sequences. Primes, primitive roots and ternary sequences. Primes, negord and sequences. Prime powers, primitive roots and sequences. Prime products and sequences. Binary sequences and primes. Ternary sequences and primes. On cryptographic primitive roots. Linear complexity of sequences over Z_m. Period and its cryptographic importance. Cyclotomy and Cryptographic Functions. Cyclotomic numbers. Cyclotomy and cryptography. Cyclotomy and difference parameters. Cyclotomy and the differential cryptanalysis. Cryptographic cyclotomic numbers. Cryptographic functions from Z_p to Z_d. The case d = 2. The case d = 3. The case d = 4. The case d = 5. The case d = 6. The case d = 8. The case d = 10. The case d = 12. Cryptographic functions from Z_pq to Z_d. Whiteman's generalized cyclotomy and cryptography. Cryptographic functions from Z_pq to Z_2. Cryptographic functions from Z_pq to Z_4. Cryptographic functions from Z_{p^2} to Z_2. Cryptographic functions defined on GF(p^m). The origin of cyclotomic numbers. Special Primes and Sequences. Sophie Germain primes and sequences. Their importance in stream ciphers. Their relations with other number-theoretic problems. The existence problem. A search for cryptographic Sophie Germain primes. Tchebychef primes and sequences. Their cryptographic significance. Existence and search problem. Other primes of form k × 2^n + 1 and sequences. Primes of form (a^n - 1)/(a - 1) and sequences. Mersenne primes and sequences. Cryptographic primes of form ((4u)^n - 1)/(4u - 1). Prime repunits and their cryptographic values. n! ± 1 and p# ± 1 primes and sequences. Twin primes and sequences over GF(2). The significance of twins and their sexes. Cryptographic twins and the sex distribution. Twin primes and sequences over GF(3). Other special primes and sequences. Prime distribution and their significance. Primes for stream ciphers and for RSA. Difference Sets and Cryptographic Functions. Rudiments of difference sets. Difference sets and autocorrelation functions. Difference sets and nonlinearity. Difference sets and information stability. Difference sets and linear approximation. Almost difference sets.

329 citations

Book Chapter
TL;DR: An improved image encryption method based on permutation-diffusion architecture and total shuffling scheme is proposed and it can avoid the category of attacks similar to Ref.

309 citations

Book Chapter
10 Apr 2000
TL;DR: A method for distinguishing 8-bit RC4 from randomness is demonstrated and it is observed that an attacker can, on occasion, determine portions of the internal state with nontrivial probability.
Abstract: The alleged RC4 keystream generator is examined, and a method of explicitly computing digraph probabilities is given. Using this method, we demonstrate a method for distinguishing 8-bit RC4 from randomness. Our method requires less keystream output than currently published attacks, requiring only 2^30.6 bytes of output. In addition, we observe that an attacker can, on occasion, determine portions of the internal state with nontrivial probability. However, we are currently unable to extend this observation to a full attack.

242 citations


Related Topics (5)
Cryptography: 37.3K papers, 854.5K citations, 86% related
Public-key cryptography: 27.2K papers, 547.7K citations, 86% related
Encryption: 98.3K papers, 1.4M citations, 85% related
Hash function: 31.5K papers, 538.5K citations, 83% related
Authentication: 74.7K papers, 867.1K citations, 82% related

No. of papers in the topic in previous years
Year  Papers
2023  24
2022  33
2021  28
2020  44
2019  48
2018  49