• No results found

Security analysis of the variant of the self-shrinking generator proposed at ICISC 2006

N/A
N/A
Protected

Academic year: 2020

Share "Security analysis of the variant of the self-shrinking generator proposed at ICISC 2006"

Copied!
9
0
0

Loading.... (view fulltext now)

Full text

(1)

DongHoonLee,Je HongPark,andJaewooHan

NationalSeurityResearhInstitute

161Gajeong-dong,Yuseong-Gu,Daejeon,SouthKorea

fdlee, jhpark, jwhangetri.re.kr

Abstrat. Inthispaper,werevisitthevariantoftheself-shrinking

gen-erator(SSG)proposedbyChangetal.atICISC2006.Thisvariant,whih

we allSSG-XORwas laimedto havebetterryptographi properties

thanSSG in a pratial setting. But we show that SSG-XOR has no

advantageoverSSGfromtheviewpointofpratialryptanalysis.

Keywords:Streamipher,LFSR,Self-Shrinkinggenerator,

Cryptanal-ysis

1 Introdution

The self-shrinking generator (SSG) is a well-known keystream generator

pro-posedbyMeierandStaelbah[4℄.SSGrequiresonlyoneLFSR,whihgenerates

abinarysequenea=(a

i )

i0

intheusualway.Foreahbitpair(a

2i ;a

2i+1 ),if

a

2i

=1,SSGoutputsa

2i+1

asakeystreambit,otherwisenooutputisprodued.

Until now, several methods have been proposed for attaking SSG [5,3,2,

6℄.ThedesignersofSSG havealso desribedtwokindsofsimpleattaksalled

exhaustive searh and entropy attak whose time omplexity is O(2 0:79L

) and

O(2 0:75L

) respetively, where L is a length of the underlying LFSR [4℄. The

time omplexity was redued to O(2 0:695L

) in [5℄. In [3℄ the BDD-attak was

proposed,it requires O(2 0:656L

) time omplexityfrom d2:41Le bits keystream.

HoweverthememoryrequirementfortheBDD-attakisinfeasible.Thisattak

was improved in [2℄. Theadvantageof theHJ attak [2℄overthe BDD-attak

is to havethealmost same timeomplexity with onlyO(L 2

)memory from

L-bit keystream.Reentlyanewguess-and-determineattakwasproposed[6℄. It

requiresO(2 0:556L

)timewithmemoryO(L 2

)from O(2 0:161L

)-bitkeystreamfor

L100and requiresO(2 0:571L

)time withmemory O(L 2

) fromO(2 0:194L

)-bit

keystreamforL<100.

Thevariant of SSG (denoted by SSG-XOR) was proposed by Chang et al.

[1℄ to improve some ryptographi properties of SSG. It has a similar

stru-ture to SSG, but it handles 4-tuple of onseutive bits produed by the

un-derlying LFSR to produe two keystream bits in a lump. For eah 4-tuple

(a

4i ;a

4i+1 ;a

4i+2 ;a

4i+3

), SSG-XOR outputs two bits a

4i+2 and a

4i+3 if a

4i

a

4i+1

(2)

LFSR

a

2i =1

y

es

a

2i+1 SSG

LFSR

a4ia4i+1=1

y

es

a

4i+2 ;a

4i+3 SSG-XOR

Fig.1.SSGandSSG-XOR

Theauthorsof[1℄analyzedtheseurityofSSG-XORbyapplyingtheexisting

attaks forSSG and laimedthat SSG-XORis moreseure than SSG against

attaksusingshortkeystreamsequenessuhasentropyattak[4℄orthe

BDD-attak[3℄.

Inthispaper,however,weshowthattheseurityofSSG-XORagainstseveral

attaksusingshortkeystreamsequenesanbedereasedsigniantly.First,we

re-analyze the seurityof SSG-XOR againstexhaustive searh attak,entropy

attakandtheBDD-attak.AndthenweinvestigatetheseurityofSSG-XOR

againsttheHJ attak andtheguess-and-determine attak.Ouranalysis shows

that SSG-XORhasnoadvantageoverSSG fromthe viewpoint oftheseurity.

In Table 1, we ompare with the omplexity of several attaks for SSG and

SSG-XOR.(Notethatweignoresomepolynomialfatorsin Table1.)

Table 1.Comparisonofomplexityofseveralattaksfor SSGandSSG-XOR

SSG SSG-XOR

Time Memory Data Time Memory Data

Exhaus.searh[4℄ O(2 0:79L

) { { O(2

0:774L

) { {

Entropyattak[4℄ O(2 0:75L

) { { O(2

0:667L

) { {

BDD-attak[3℄ O(2 0:656L

)infeasible d2:41Le O(2 0:631L

)infeasible d2:21Le

HJattak[2℄ O(2 0:66L

) O(L 2

) L O(2

0:5L

) O(L 2

) L

G&Dattak[6℄ O(2 0:556L

) O(L 2

) O(2 0:161L

) O(2 0:384L

) O(L 2

) O(2 0:111L

(3)

2 Seurity Analysis

Although the designers of SSG-XOR analyzed the seurity againstseveral

at-takswhih havebeenmountedto theoriginal SSG,the analysiswould notbe

suÆient.Sowere-analyzetheresistaneagainstpossibleattaks.

2.1 Exhaustive searhand entropy attak

TheseattaksweredesribedinthepaperproposingSSG[4℄toreonstrutthe

initialstatewithonlyafewkeystreambits.Therstattakisalledexhaustive

searh. The initial state of SSG may be reonstruted with omplexity 2 0:79L

by the exhaustive searh attak. Let z = (z

0 ;z

1 ;:::;z

i

;:::) bea known short

keystreamofSSG-XOR.ThedesignerofSSG-XORlaimedthattheexhaustive

searhattakrequires 2 0:8305L

stepssinethere are 10possibilitiesto generate

eah(z

2j ;z

2j+1

).However,givenakeystreamz,itisnotneessaryto guessa

4i

and a

4i+1

of the underlying LFSR output sequene a, independently. Instead,

we only guess one bit information whether a

4i a

4i+1

is equal to 1 or not.

Thisway,wewillreonstrutaninitialstatethat isnoneessarilyequaltothe

original initial state, but it is equivalent in a sense that it will reate z. From

this point of view, there exist ve possibilities rather than ten for a 3-tuple

(a

4i a

4i+1 ;a

4i+2 ;a

4i+3

)ofa. Sowean estimatethat thereexist

5 L=3 1

5 L=3

=2 ((log

2 5)=3)L

=2 0:774L

possibleinitialstatesoftheLFSR.

Theseondattak isalled entropyattak.ForSSG, the entropyperbit is

3/4soanexhaustivesearhamongalldierentasesintheorderofprobability

wouldrequire2 0:75L

steps.ForSSG-XOR,thedesignerslaimedthetheentropy

attakrequires2 0:8305L

steps.However,foreah(z

2j ;z

2j+1

)thereare5dierent

possibilities (a

4i a

4i+1 ;a

4i+2 ;a

4i+3

), namely (1;z

2j ;z

2j+1

), (0;0;0), (0;0;1),

(0;1;0),and(0;1;1).Theprobabilityfor(1;z

2j ;z

2j+1

)is1/2andtheprobability

fortheothersis1/8.Thustheentropyof3-tupleis

H = (1=2)log

2

(1=2) 4(1=8)log

2

(1=8)=2:

Therefore, theentropyperbit is 2/3so the omplexityof the attakfor

SSG-XORwouldbe2 0:667L

.

2.2 BDD-attak

For the BDD-attak [3℄, the required length of onseutive keystream bits is

dÆ 1

Le and the time omplexity is L O(1)

2

((1 Æ)=(1+Æ))L

, where and Æ are

dened asfollows:

(4)

{ Æistheinformationrate(perbit)whihwouldberevealedabouttheoutput

sequenea oftheunderlyingLFSRfrom thekeystreamz.

ForSSG, Æ 0:2075and =0:5. Thus theBDD-attakfor SSGan ompute

theinitial statewithd2:41Le onseutivekeystreambitsin timeL O(1)

2 0:6563L

.

The designers of SSG-XOR laimed that the BDD-attak for SSG-XOR an

reonstruttheinitialstatefromthed2:95Leonseutivekeystreambitsintime

L O(1)

2 0:7101L

.

Nowwere-analyze theseurityagainst theBDD-attakfor SSG-XOR.We

an also set =0:5 forSSG-XOR.For axed m, letp(m) betheprobability

thattheshrinkingresultofarandomlyhosenbitstreamfromf0;1g m

isaprex

ofthegivenkeystream.Ifhosenbitstreamsareuniformlydistributedinf0;1g m

,

therearep(m)2 m

possiblez'ssuhthattheshrinkingresultofzisaprexofz.

Notethat p(m)anbesupposedtobehaveas p(m)=2 Æm

.

On the other hand, we observe that for all m with m 0mod4 and all

keystreams z, there are exatly 5 m=3

bitstreams z 2 f0;1g m

suh that the

shrinking result of z is a prex of z. Hene, we obtain an information rate

Æ =1 (log

2

5)=3 0:226 forSSG-XOR byevaluating therelation 2 (1 Æ)m

=

5 m=3

.Sotherequiredlengthofonseutiveoutputbitsisd2:21Leandthetime

omplexityisL O(1)

2 0:6313L

.

2.3 HJ attak

Eahknownkeystreambitgives,bydefault,afewequationsintheinitialstate.

Assume thatweknow2N keystreambits

z

0 ;z

1 ;:::;z

2N 1

: (1)

IntheaseofSSG-XOR,eahknownkeystreambitpair(z

2i ;z

2i+1

)willgiveus

threeequationsforsomej:

a

4j a

4j+1

=1; a

4j+2 =z

2i ; a

4j+3 =z

2i+1 :

Additionally, we only know that the observed keystream sequene (1)

orre-spondstotheoutputsequeneoftheunderlying LFSR

a

0 ;a

0 ;z

0 ;z

1 ;X

0 ;a

1 ;a

1 ;z

2 ;z

3 ;X

1 ;:::;X

N 2 ;a

N 1 ;a

N 1 ;z

2N 2 ;z

2N 1 ;

wherea

i

=1a

i

andeahX

i

orrespondstoasequeneofzeroormore4-tuples

in f(0;0;;);(1;1;;)g.Foreah ofthese4-tuplesthat weguessorretly,we

willgetonemoreequationsinethersttwobitshavethesamebit parity.The

total number of equations available is thus 3N+k where k is the number of

4-tuples disarded. Toget aomplete system of equations in the (equivalent)

initialstatebitswerequirethatN =d(L k)=3e.Theprobabilitythatintotal

k4-tuplesaredisardedis,for eahpossibleassumption,

(5)

Thenumberofwaystodisardk 4-tuplesin atotalofN 1gapsisgivenby

N 2+k

k !

:

We start by testing thease when 0 bits are disarded, then the asewhen 2

bitshasbeendisarded,et.Theprobabilitythat weguessorretlywithin

k

max

X

k =0

N 2+k

k !

guessesis

kmax

X

k =0

N 2+k

k !

2

N k +1

:

Byxingtheprobabilityofsuessto0.5,wealulatetheomplexityofthe

at-takforsomedierentLFSRlengths.InTable2,weanseethattheomplexity

isapproximatelyO(2 0:5L

).

Table2.TheComplexityoftheAttakforsomeLFSRLengths

LFSRlengthComplexityk

max

128 2

61:3

34

256 2

125:4

67

512 2

253:7

132

1024 2

510:5

262

2.4 Guess-and-determine attak

The guess-and-determine attak for SSG was reently proposed in Asiarypt

2006[6℄.Theproposedattakanrestoretheinitialstatewithtimeomplexity

O(2 0:556L

)andmemoryomplexityO(L 2

)fromO(2 0:161L

)keystreambitswhen

L100.Itutilizesthefatthatthetwodeimatedsequenesfa

2i

gandfa

2i+1 g

share the feedbak polynomial as that of the sequene fa

i

g whih is a binary

maximallengthsequeneproduedbyaLFSRoflengthLanddierbyashift

value2 L 1

.Thisapproahan beappliedtoSSG-XORimmediately.

Letf(x)=1+

1

x++

L 1 x

L 1

+x L

betheprimitivefeedbakpolynomial

oftheLFSRfortheSSG-XOR,i.e.foreahi0,a

i+L =

P

L

j=1

j a

i+L j where

=1.Then thereiproalof f(x)is x L

+ x L 1

(6)

denoted byf

(x). It iseasyto showthat eah a

i

orresponds tox i

modf

(x)

fromthereurrenerelation.

x i+L = L X j=1 j x i+L j modf (x):

Bysquaring(orexponentiatingby2 k

)theaboveformula,weanshowthatthe

deimated sequene fa

2i

g (orfa

2 k

i

g) shares the feedbakpolynomialwith the

original sequene fa

i

g. Thus one weknowany onseutive L-bit sequene of

thedeimatedsequene,weanimmediatelyomputethenextsequenesusing

thegivenreurrenerelation.Howeverotherdeimatedsequenes(forexample

fa

3i

g) wouldnotsharethefeedbakpolynomial.

Lemma1. Let a=fa

0 ;a

1

;gbeabinary maximallengthsequeneprodued

by a LFSR of length L. Let s (0) = fa 4j g, s (1) =fa 4j+1 g, s (2) =fa 4j+2 g, and s (3) =fa 4j+3

gbedeimatedsequenesofa.Thentheysharethefeedbak

polyno-mialwiththesequeneaandtheshiftvaluebetweens (i)

ands (i+1)

fori=0;1;2

is2 L 2

.

Proof. As mentioned before, eah deimated sequene s (i)

=fs (i)

j

g shares the

feedbak polynomialwiththeoriginal sequenea. Thustheydierseah other

byonlysomeshift.OurlemmasuÆestonotethat

s (i) j+2 L 2 =a 4(j+2 L 2 )+i =a 4j+2 L +i =a 4j+(i+1)+(2 L 1) =s (i+1) j : u t

Wedenepolynomialsh

i

(x)fori=1;2;3asfollows.

h 1 (x)= L 1 X i=0 h 1;i x i ; h 2 (x)= L 1 X i=0 h 2;i x i ; h 3 (x)= L 1 X i=0 h 3;i x i ;

suh that h

1

(x) x 2 L 2 modf (x), h 2

(x) x 2

L 1

modf

(x), and h

3 (x) x 32 L 2 mod f

(x). Thenwehave

a 4i+1 = L 1 X j=0 h 1;j a 4(i+j) ; a 4i+2 = L 1 X j=0 h 2;j a 4(i+j) ; a 4i+3 = L 1 X j=0 h 3;j a 4(i+j) :

Now we are ready to attak SSG-XOR. Let fz

i g

N 1

i=0

be the keystream of

SSG-XOR.WerstsetA=(a

0 ;a

4 ;;a

4(L 1)

)withLvariables.Itisenoughto

ndtheseunknownsforattakingSSG-XOR.Insteadofguessingtheunknowns

diretly, we guess an l-bit length segmentguess = (g

0 ;g

1 ;;g

l 1

) for (a

0 a 1 ;a 4 a 5 ;;a

4(l 1) a

4(l 1)+1

). LetH

w

(7)

2H

w

(guess)linearequationswithLvariablesas follows.

a

4i a

4i+1 =a

4i

L 1

X

j=0 h

1;j a

4(i+j) =g

i

; for0i<l;

a

4i+2 =

L 1

X

j=0 h

2;j a

4(i+j) =z

2( P

i

j=0 gj) 2

; forg

i =1

a

4i+3 =

L 1

X

j=0 h

3;j a

4(i+j) =z

2( P

i

j=0 g

j ) 1

; forg

i =1:

If we an solve the above system of linear equations, we an reover the

initialstateoftheSSG-XOR.Inordertosolvethesystem,wehavetogetlinear

equationsasmanyaspossible.Weobservethatthemore1intheguessedsegment

guess, themorelinearequationsan beobtained.TomounteÆientattak,we

justsearhoverthosepossibleguesssatisfyingthefollowingonditioninsteadof

exhaustivelysearhingoverallthepossiblevalue.

H

w

(guess)dle;

where(0:51) isaparametertobedeterminedlater.

Bytheargumentin[6℄, theobtainedequationsin theaboveproessare

al-mostlinearlyindependent.ThuswehaveO(l+2l)linearlyindependent

equa-tionswithLvariables.Inordertosolvethesystemofequations,welet

O(l+2l)=L=)l=O

1

1+2 L

:

Theattakproeedsas follows.

1. ForeahguessedsegmentguesssatisfyingthatH

w

(guess)dleforagiven

parameter,derivelinearexpressionsontheL variableswithoutllingthe

onstantterms(keystreambits)asexplainedaboveandstoretheminmatrix

U.

(a) For eah0j N 1 (l+2dle),make(byllingonstantterms)

the system of linear equations with the linear expression U using the

keystreambitsstartingfromz

j .

(b) SolvethelinearsystemU,ndtheandidateinitialstate,andhekthe

andidatestateisorretbyrunningSSG-XORwiththestateand

om-paringthegeneratedstreamwiththe(original)keystreambitsfz

i g

N 1

i=j .

() If the above test sueeds, we nd the initial state (or an equivalent

state).Thusstopthisproessandoutputthestateas asolution.

(d) If theabovetest fails, repeat theproess from the step(a) with

inre-mentingj.

(8)

Now we determine thelength N of keystream bits in order to sueed the

aboveattak.OursearhspaeisH=fguessjdleH

w

(guess)l; andg

0 =

1g,thustheardinalityofH is

jHj= l 1

X

i=dle 1

l 1

i

:

Foreahl-bitguessedsegmentguess,wewilltryN Ltimestondanequivalent

state.Tosueedtheattak,wehavetondatleastonemathpairbetweenthe

guessset H andtheinitialstatederivedfrom thekeystreamsegmentsinvolved

in eahN Ltrials.Thus thelengthN shouldsatisfy

(N L)jHj2 l 1

=)N=O

2 1

1+2 L

;

wherejHj=2 l

and isaparameterdeterminedby.

Sinefor eah guessed segment guess wehaveto tryat mostN L times,

thetotaltimeomplexityof theattakin worstaseis

O(L 3

)O(N L)O(2 l

)=O

L 3

2 1

1+2 L

;

whereO(L 3

)fatorreetstheomplexityofsolvingasystemoflinearequations

ofsizeL.

Theorem 1. Theguess-and-determineattakfor SSG-XORhas time

omplex-ityO

L 3

2 1

1+2 L

,memoryomplexityO(L 2

)anddataomplexityO

2 1

1+2 L

,

whereL isthe lengthofthe underlyingLFSRofSSG-XOR,0:51, and

isaparameterdeterminedby .

NowwegiveomparisonresultinthefollowingtablebetweenSSGand

SSG-XORignoring thepolynomialfatorL 3

.

Table3.Theasymptotitime,memory,anddataomplexitytoattakSSGand

SSG-XORwhenL100

SSG SSG-XOR

Time Memory Data Time Memory Data

0.50.99 O(2 0:667L

) O(L 2

) O(2 0:007L

) O(2 0:5L

) O(L 2

) O(2 0:005L

)

0.80.71 O(2 0:556L

) O(L 2

) O(2 0:161L

) O(2 0:384L

) O(L 2

) O(2 0:111L

)

1.00.00 O(2 0:5L

) O(L 2

) O(2 0:5L

) O(2 0:333L

) O(L 2

) O(2 0:333L

(9)

Experiments We made several experimental results in C language on a

gen-eralPC tohekthevalidityofourattak.Forexample,wehooseanLFSR's

feedbakpolynomialoflength30asfollows.

f(x)=x 30

+x 27

+x 23

+x 22

+x 17

+x 16

+x 14

+x 11

+x 3

+x+1:

Wenotethatf(x)isaprimitivepolynomial,thusthegeneratedsequenewould

have a maximal length. Then h

1 (x), h

2

(x), and h

3

(x) modulo the reiproal

f

(x)an beobtainedas follows.

h

1 (x)=x

2 28

modf

(x)

=x 28

+x 26

+x 21

+x 20

+x 15

+x 11

+x 9

+x 8

+x 7

+x 6

+x 4

+x 2

+1

h2(x)=x 2

29

modf

(x)

=x 29

+x 28

+x 28

+x 27

+x 21

+x 17

+x 16

+x 15

+x 14

+x 13

+x 12

+x 11

+x 8

+x 7

+x 4

h3(x)=x 32

28

modf

(x)

=x 27

+x 24

+x 23

+x 17

+x 14

+x 11

+x 10

+x 6

+x 5

+x 3

Forarandomhoseninitialstate,ourattakreoverstheinitialstateoran

equivalentstateinaminutefrom200bitskeystream.

3 Conlusion

Inthispaper,weinvestigatedtheseurityaspetsforavariantofself-shrinking

generatoralled SSG-XORwhih was proposed at ICISC2006. The author of

SSG-XOR alleged that SSG-XOR is more seure than the original SSG in a

sense that theomplexityof attaksforSSG-XORis higherthanthat ofSSG.

HoweverweshowedthattheseurityofSSG-XORdoesnotreahthat ofSSG.

Referenes

1. K.-Y.Chang,J.-S.Kang,M.-K.Lee,H.LeeandD.Hong.Newvariantofthe

self-shringking generator and its ryptographi properties. Information Seuirty and

Cryptology - ICISC 2006, Leture Notes in Comput. Si., vol. 4296, pp. 41{50,

2006.

2. M. HellandT.Johansson.Twonewattaksontheself-shrinkinggenerator.IEEE

Trans.Infor.Theory,vol.52,no.8,pp.3837{3843,2006.

3. M.Krause.BDD-basedryptanalysisofkeystreamgenerator.Advanesin

Cryptol-ogy-EUROCRYPT2002,LetureNotesinComput.Si.,vol. 2332,pp. 222{237,

2002.

4. W. MeierandO.Staelbah.Theself-shrinkinggenerator. Advanes inCrptology

-EUROCRYPT'94,LetureNotesinComput.Si.,vol.950,pp.205{214,1994.

5. E. Zenner, M. Krause and S. Luks.Improved ryptanalysis of the self-shrinking

generator.InformationSeurityandPrivay-ACISP2001,LetureNotesin

Com-put.Si., vol.2119,pp.21{35,2001.

6. B.ZhangandD.Feng.Newguess-and-determineattakontheself-shrinking

gener-ator.AdvanesinCryptology -ASIACRYPT2006,LetureNotesinComput.Si.,

References

Related documents

Despite the fact that the rise in net saving rate, capital stock and total consumption are the same in these two economies, the permanent increase in consumption that an

When comparing the maths app intervention to standard practice, results showed children who used the maths apps in either Brazilian Portuguese (treatment group 1) or in

First, I build on previous evidence by Chevalier and Marie (2017) on the East German fertility decline, but in contrast to these authors, I exploit exogenous variation in women’s

It was decided that with the presence of such significant red flag signs that she should undergo advanced imaging, in this case an MRI, that revealed an underlying malignancy, which

The work presented here supports the prevailing view that both CD and IOVD share common cortical loci, although they draw on different sources of visual information, and that

In summary, we have presented an infant with jaundice complicating plorie stenosis. The jaundice reflected a marked increase in indirect- reacting bilirubin in the serum. However,

A total of 33 cases suspected for neoplastic growths were screened by cytological and histopathological procedures and 29 cases werediagnosed as tumors.Results of

Field experiments were conducted at Ebonyi State University Research Farm during 2009 and 2010 farming seasons to evaluate the effect of intercropping maize with