A Distinguishing Attack on a Fast Software-Implemented RC4-Like Stream Cipher

Abstract. Non-linear feedback shift register (NLFSR) ciphers are cryptographic tools of choice of the industry especially for mobile communication. Their attractive feature is a high efficiency when implemented in hardware or software. However, the main problem of NLFSR ciphers is that their security is still not well investigated. The paper makes a progress in the study of the security of NLFSR ciphers. In particular, we show a distinguishing attack on linearly filtered NLFSR (or LF-NLFSR) ciphers. We extend the attack to a linear combination of LF-NLFSRs. We investigate the security of a modified version of the Grain stream cipher and show its vulnerability to both key recovery and distinguishing attacks.

Download Full-text

On Distinguishing Attack Against the Reduced Version of the Cipher Nlsv2

Tatra Mountains Mathematical Publications ◽

10.2478/v10127-012-0037-5 ◽

2012 ◽

Vol 53 (1) ◽

pp. 21-32

Author(s):

Michal Braško ◽

Jaroslav Boor

Keyword(s):

Stream Cipher ◽

Stream Ciphers ◽

Web Page ◽

Security Issue ◽

Phase 3 ◽

Distinguishing Attack ◽

De Vries ◽

Practical Demonstration

ABSTRACT The Australian stream cipher NLSv2 [Hawkes, P.-Paddon, M.-Rose, G. G.-De Vries, M. W.: Primitive specification for NLSv2, Project eSTREAM web page, 2007, 1-25] is a 32-bit word oriented stream cipher that was quite successful in the stream ciphers competition-the project eSTREAM. The cipher achieved Phase 3 and successfully accomplished one of the main requirements for candidates in Profile 1 (software oriented proposals)-to have a better performance than AES in counter mode. However the cipher was not chosen into the final portfolio [Babbage, S.-De Canni`ere, Ch.-Canteaut, A.-Cid, C.-Gilbert, H.-Johansson, T.-Parker, M.-Preneel, B.-Rijmen, V.-Robshaw, M.: The eSTREAM Portfolio, Project eSTREAM web page, 2008], because its performance was not so perfect when comparing with other finalist. Also there is a security issue with a high correlation in the used S-Box, which some effective distinguishers exploit. In this paper, a practical demonstration of the distinguishing attack against the smaller version of the cipher is introduced. In our experiments, we have at disposal a machine with four cores (Intel® CoreTM Quad @ 2.66 GHz) and single attack lasts about 6 days. We performed successful practical experiments and our results demonstrate that the distingushing attack against the smaller version is working.

Download Full-text

Vectorized linear approximations for attacks on SNOW 3G

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2019.i4.249-271 ◽

2020 ◽

pp. 249-271

Author(s):

Jing Yang ◽

Thomas Johansson ◽

Alexander Maximov

Keyword(s):

Stream Cipher ◽

Key Recovery ◽

Distinguishing Attack ◽

Linear Approximations ◽

Correlation Attack ◽

Finite State ◽

Integrity Protection ◽

Key Length ◽

Expected Complexity ◽

4G Lte

SNOW 3G is a stream cipher designed in 2006 by ETSI/SAGE, serving in 3GPP as one of the standard algorithms for data confidentiality and integrity protection. It is also included in the 4G LTE standard. In this paper we derive vectorized linear approximations of the finite state machine in SNOW3G. In particular,we show one 24-bit approximation with a bias around 2−37 and one byte-oriented approximation with a bias around 2−40. We then use the approximations to launch attacks on SNOW 3G. The first approximation is used in a distinguishing attack resulting in an expected complexity of 2172 and the second one can be used in a standard fast correlation attack resulting in key recovery in an expected complexity of 2177. If the key length in SNOW 3G would be increased to 256 bits, the results show that there are then academic attacks on such a version faster than the exhaustive key search.

Download Full-text