Security analysis of the variant of the self-shrinking generator proposed at ICISC 2006

DongHoonLee,Je HongPark,andJaewooHan

NationalSeurityResearhInstitute

161Gajeong-dong,Yuseong-Gu,Daejeon,SouthKorea

fdlee, jhpark, jwhangetri.re.kr

Abstrat. Inthispaper,werevisitthevariantoftheself-shrinking

gen-erator(SSG)proposedbyChangetal.atICISC2006.Thisvariant,whih

we allSSG-XORwas laimedto havebetterryptographi properties

thanSSG in a pratial setting. But we show that SSG-XOR has no

advantageoverSSGfromtheviewpointofpratialryptanalysis.

Keywords:Streamipher,LFSR,Self-Shrinkinggenerator,

Cryptanal-ysis

1 Introdution

The self-shrinking generator (SSG) is a well-known keystream generator

pro-posedbyMeierandStaelbah[4℄.SSGrequiresonlyoneLFSR,whihgenerates

abinarysequenea=(a

i )

i0

intheusualway.Foreahbitpair(a

2i ;a

2i+1 ),if

a

2i

=1,SSGoutputsa

2i+1

asakeystreambit,otherwisenooutputisprodued.

Until now, several methods have been proposed for attaking SSG [5,3,2,

6℄.ThedesignersofSSG havealso desribedtwokindsofsimpleattaksalled

exhaustive searh and entropy attak whose time omplexity is O(2 0:79L

) and

O(2 0:75L

) respetively, where L is a length of the underlying LFSR [4℄. The

time omplexity was redued to O(2 0:695L

) in [5℄. In [3℄ the BDD-attak was

proposed,it requires O(2 0:656L

) time omplexityfrom d2:41Le bits keystream.

HoweverthememoryrequirementfortheBDD-attakisinfeasible.Thisattak

was improved in [2℄. Theadvantageof theHJ attak [2℄overthe BDD-attak

is to havethealmost same timeomplexity with onlyO(L 2

)memory from

L-bit keystream.Reentlyanewguess-and-determineattakwasproposed[6℄. It

requiresO(2 0:556L

)timewithmemoryO(L 2

)from O(2 0:161L

)-bitkeystreamfor

L100and requiresO(2 0:571L

)time withmemory O(L 2

) fromO(2 0:194L

)-bit

keystreamforL<100.

Thevariant of SSG (denoted by SSG-XOR) was proposed by Chang et al.

[1℄ to improve some ryptographi properties of SSG. It has a similar

stru-ture to SSG, but it handles 4-tuple of onseutive bits produed by the

un-derlying LFSR to produe two keystream bits in a lump. For eah 4-tuple

(a

4i ;a

4i+1 ;a

4i+2 ;a

4i+3

), SSG-XOR outputs two bits a

4i+2 and a

4i+3 if a

4i

a

4i+1

LFSR

a

2i =1

y

es

a

2i+1 SSG

LFSR

a4ia4i+1=1

y

es

a

4i+2 ;a

4i+3 SSG-XOR

Fig.1.SSGandSSG-XOR

Theauthorsof[1℄analyzedtheseurityofSSG-XORbyapplyingtheexisting

attaks forSSG and laimedthat SSG-XORis moreseure than SSG against

attaksusingshortkeystreamsequenessuhasentropyattak[4℄orthe

BDD-attak[3℄.

Inthispaper,however,weshowthattheseurityofSSG-XORagainstseveral

attaksusingshortkeystreamsequenesanbedereasedsigniantly.First,we

re-analyze the seurityof SSG-XOR againstexhaustive searh attak,entropy

attakandtheBDD-attak.AndthenweinvestigatetheseurityofSSG-XOR

againsttheHJ attak andtheguess-and-determine attak.Ouranalysis shows

that SSG-XORhasnoadvantageoverSSG fromthe viewpoint oftheseurity.

In Table 1, we ompare with the omplexity of several attaks for SSG and

SSG-XOR.(Notethatweignoresomepolynomialfatorsin Table1.)

Table 1.Comparisonofomplexityofseveralattaksfor SSGandSSG-XOR

SSG SSG-XOR

Time Memory Data Time Memory Data

Exhaus.searh[4℄ O(2 0:79L

) { { O(2

0:774L

) { {

Entropyattak[4℄ O(2 0:75L

) { { O(2

0:667L

) { {

BDD-attak[3℄ O(2 0:656L

)infeasible d2:41Le O(2 0:631L

)infeasible d2:21Le

HJattak[2℄ O(2 0:66L

) O(L 2

) L O(2

0:5L

) O(L 2

) L

G&Dattak[6℄ O(2 0:556L

) O(L 2

) O(2 0:161L

) O(2 0:384L

) O(L 2

) O(2 0:111L

2 Seurity Analysis

Although the designers of SSG-XOR analyzed the seurity againstseveral

at-takswhih havebeenmountedto theoriginal SSG,the analysiswould notbe

suÆient.Sowere-analyzetheresistaneagainstpossibleattaks.

2.1 Exhaustive searhand entropy attak

TheseattaksweredesribedinthepaperproposingSSG[4℄toreonstrutthe

initialstatewithonlyafewkeystreambits.Therstattakisalledexhaustive

searh. The initial state of SSG may be reonstruted with omplexity 2 0:79L

by the exhaustive searh attak. Let z = (z

0 ;z

1 ;:::;z

i

;:::) bea known short

keystreamofSSG-XOR.ThedesignerofSSG-XORlaimedthattheexhaustive

searhattakrequires 2 0:8305L

stepssinethere are 10possibilitiesto generate

eah(z

2j ;z

2j+1

).However,givenakeystreamz,itisnotneessaryto guessa

4i

and a

4i+1

of the underlying LFSR output sequene a, independently. Instead,

we only guess one bit information whether a

4i a

4i+1

is equal to 1 or not.

Thisway,wewillreonstrutaninitialstatethat isnoneessarilyequaltothe

original initial state, but it is equivalent in a sense that it will reate z. From

this point of view, there exist ve possibilities rather than ten for a 3-tuple

(a

4i a

4i+1 ;a

4i+2 ;a

4i+3

)ofa. Sowean estimatethat thereexist

5 L=3 1

5 L=3

=2 ((log

2 5)=3)L

=2 0:774L

possibleinitialstatesoftheLFSR.

Theseondattak isalled entropyattak.ForSSG, the entropyperbit is

3/4soanexhaustivesearhamongalldierentasesintheorderofprobability

wouldrequire2 0:75L

steps.ForSSG-XOR,thedesignerslaimedthetheentropy

attakrequires2 0:8305L

steps.However,foreah(z

2j ;z

2j+1

)thereare5dierent

possibilities (a

4i a

4i+1 ;a

4i+2 ;a

4i+3

), namely (1;z

2j ;z

2j+1

), (0;0;0), (0;0;1),

(0;1;0),and(0;1;1).Theprobabilityfor(1;z

2j ;z

2j+1

)is1/2andtheprobability

fortheothersis1/8.Thustheentropyof3-tupleis

H = (1=2)log

2

(1=2) 4(1=8)log

2

(1=8)=2:

Therefore, theentropyperbit is 2/3so the omplexityof the attakfor

SSG-XORwouldbe2 0:667L

.

2.2 BDD-attak

For the BDD-attak [3℄, the required length of onseutive keystream bits is

dÆ 1

Le and the time omplexity is L O(1)

2

((1 Æ)=(1+Æ))L

, where and Æ are

dened asfollows:

{ Æistheinformationrate(perbit)whihwouldberevealedabouttheoutput

sequenea oftheunderlyingLFSRfrom thekeystreamz.

ForSSG, Æ 0:2075and =0:5. Thus theBDD-attakfor SSGan ompute

theinitial statewithd2:41Le onseutivekeystreambitsin timeL O(1)

2 0:6563L

.

The designers of SSG-XOR laimed that the BDD-attak for SSG-XOR an

reonstruttheinitialstatefromthed2:95Leonseutivekeystreambitsintime

L O(1)

2 0:7101L

.

Nowwere-analyze theseurityagainst theBDD-attakfor SSG-XOR.We

an also set =0:5 forSSG-XOR.For axed m, letp(m) betheprobability

thattheshrinkingresultofarandomlyhosenbitstreamfromf0;1g m

isaprex

ofthegivenkeystream.Ifhosenbitstreamsareuniformlydistributedinf0;1g m

,

therearep(m)2 m

possiblez'ssuhthattheshrinkingresultofzisaprexofz.

Notethat p(m)anbesupposedtobehaveas p(m)=2 Æm

.

On the other hand, we observe that for all m with m 0mod4 and all

keystreams z, there are exatly 5 m=3

bitstreams z 2 f0;1g m

suh that the

shrinking result of z is a prex of z. Hene, we obtain an information rate

Æ =1 (log

2

5)=3 0:226 forSSG-XOR byevaluating therelation 2 (1 Æ)m

=

5 m=3

.Sotherequiredlengthofonseutiveoutputbitsisd2:21Leandthetime

omplexityisL O(1)

2 0:6313L

.

2.3 HJ attak

Eahknownkeystreambitgives,bydefault,afewequationsintheinitialstate.

Assume thatweknow2N keystreambits

z

0 ;z

1 ;:::;z

2N 1

: (1)

IntheaseofSSG-XOR,eahknownkeystreambitpair(z

2i ;z

2i+1

)willgiveus

threeequationsforsomej:

a

4j a

4j+1

=1; a

4j+2 =z

2i ; a

4j+3 =z

2i+1 :

Additionally, we only know that the observed keystream sequene (1)

orre-spondstotheoutputsequeneoftheunderlying LFSR

a

0 ;a

0 ;z

0 ;z

1 ;X

0 ;a

1 ;a

1 ;z

2 ;z

3 ;X

1 ;:::;X

N 2 ;a

N 1 ;a

N 1 ;z

2N 2 ;z

2N 1 ;

wherea

i

=1a

i

andeahX

i

orrespondstoasequeneofzeroormore4-tuples

in f(0;0;;);(1;1;;)g.Foreah ofthese4-tuplesthat weguessorretly,we

willgetonemoreequationsinethersttwobitshavethesamebit parity.The

total number of equations available is thus 3N+k where k is the number of

4-tuples disarded. Toget aomplete system of equations in the (equivalent)

initialstatebitswerequirethatN =d(L k)=3e.Theprobabilitythatintotal

k4-tuplesaredisardedis,for eahpossibleassumption,

Thenumberofwaystodisardk 4-tuplesin atotalofN 1gapsisgivenby

N 2+k

k !

:

We start by testing thease when 0 bits are disarded, then the asewhen 2

bitshasbeendisarded,et.Theprobabilitythat weguessorretlywithin

k

max

X

k =0

N 2+k

k !

guessesis

kmax

X

k =0

N 2+k

k !

2

N k +1

:

Byxingtheprobabilityofsuessto0.5,wealulatetheomplexityofthe

at-takforsomedierentLFSRlengths.InTable2,weanseethattheomplexity

isapproximatelyO(2 0:5L

).

Table2.TheComplexityoftheAttakforsomeLFSRLengths

LFSRlengthComplexityk

max

128 2

61:3

34

256 2

125:4

67

512 2

253:7

132

1024 2

510:5

262

2.4 Guess-and-determine attak

The guess-and-determine attak for SSG was reently proposed in Asiarypt

2006[6℄.Theproposedattakanrestoretheinitialstatewithtimeomplexity

O(2 0:556L

)andmemoryomplexityO(L 2

)fromO(2 0:161L

)keystreambitswhen

L100.Itutilizesthefatthatthetwodeimatedsequenesfa

2i

gandfa

2i+1 g

share the feedbak polynomial as that of the sequene fa

i

g whih is a binary

maximallengthsequeneproduedbyaLFSRoflengthLanddierbyashift

value2 L 1

.Thisapproahan beappliedtoSSG-XORimmediately.

Letf(x)=1+

1

x++

L 1 x

L 1

+x L

betheprimitivefeedbakpolynomial

oftheLFSRfortheSSG-XOR,i.e.foreahi0,a

i+L =

P

L

j=1

j a

i+L j where

=1.Then thereiproalof f(x)is x L

+ x L 1

denoted byf

(x). It iseasyto showthat eah a

i

orresponds tox i

modf

(x)

fromthereurrenerelation.

x i+L = L X j=1 j x i+L j modf (x):

Bysquaring(orexponentiatingby2 k

)theaboveformula,weanshowthatthe

deimated sequene fa

2i

g (orfa

2 k

i

g) shares the feedbakpolynomialwith the

original sequene fa

i

g. Thus one weknowany onseutive L-bit sequene of

thedeimatedsequene,weanimmediatelyomputethenextsequenesusing

thegivenreurrenerelation.Howeverotherdeimatedsequenes(forexample

fa

3i

g) wouldnotsharethefeedbakpolynomial.

Lemma1. Let a=fa

0 ;a

1

;gbeabinary maximallengthsequeneprodued

by a LFSR of length L. Let s (0) = fa 4j g, s (1) =fa 4j+1 g, s (2) =fa 4j+2 g, and s (3) =fa 4j+3

gbedeimatedsequenesofa.Thentheysharethefeedbak

polyno-mialwiththesequeneaandtheshiftvaluebetweens (i)

ands (i+1)

fori=0;1;2

is2 L 2

.

Proof. As mentioned before, eah deimated sequene s (i)

=fs (i)

j

g shares the

feedbak polynomialwiththeoriginal sequenea. Thustheydierseah other

byonlysomeshift.OurlemmasuÆestonotethat

s (i) j+2 L 2 =a 4(j+2 L 2 )+i =a 4j+2 L +i =a 4j+(i+1)+(2 L 1) =s (i+1) j : u t

Wedenepolynomialsh

i

(x)fori=1;2;3asfollows.

h 1 (x)= L 1 X i=0 h 1;i x i ; h 2 (x)= L 1 X i=0 h 2;i x i ; h 3 (x)= L 1 X i=0 h 3;i x i ;

suh that h

1

(x) x 2 L 2 modf (x), h 2

(x) x 2

L 1

modf

(x), and h

3 (x) x 32 L 2 mod f

(x). Thenwehave

a 4i+1 = L 1 X j=0 h 1;j a 4(i+j) ; a 4i+2 = L 1 X j=0 h 2;j a 4(i+j) ; a 4i+3 = L 1 X j=0 h 3;j a 4(i+j) :

Now we are ready to attak SSG-XOR. Let fz

i g

N 1

i=0

be the keystream of

SSG-XOR.WerstsetA=(a

0 ;a

4 ;;a

4(L 1)

)withLvariables.Itisenoughto

ndtheseunknownsforattakingSSG-XOR.Insteadofguessingtheunknowns

diretly, we guess an l-bit length segmentguess = (g

0 ;g

1 ;;g

l 1

) for (a

0 a 1 ;a 4 a 5 ;;a

4(l 1) a

4(l 1)+1

). LetH

w

2H

w

(guess)linearequationswithLvariablesas follows.

a

4i a

4i+1 =a

4i

L 1

X

j=0 h

1;j a

4(i+j) =g

i

; for0i<l;

a

4i+2 =

L 1

X

j=0 h

2;j a

4(i+j) =z

2( P

i

j=0 gj) 2

; forg

i =1

a

4i+3 =

L 1

X

j=0 h

3;j a

4(i+j) =z

2( P

i

j=0 g

j ) 1

; forg

i =1:

If we an solve the above system of linear equations, we an reover the

initialstateoftheSSG-XOR.Inordertosolvethesystem,wehavetogetlinear

equationsasmanyaspossible.Weobservethatthemore1intheguessedsegment

guess, themorelinearequationsan beobtained.TomounteÆientattak,we

justsearhoverthosepossibleguesssatisfyingthefollowingonditioninsteadof

exhaustivelysearhingoverallthepossiblevalue.

H

w

(guess)dle;

where(0:51) isaparametertobedeterminedlater.

Bytheargumentin[6℄, theobtainedequationsin theaboveproessare

al-mostlinearlyindependent.ThuswehaveO(l+2l)linearlyindependent

equa-tionswithLvariables.Inordertosolvethesystemofequations,welet

O(l+2l)=L=)l=O

1

1+2 L

:

Theattakproeedsas follows.

1. ForeahguessedsegmentguesssatisfyingthatH

w

(guess)dleforagiven

parameter,derivelinearexpressionsontheL variableswithoutllingthe

onstantterms(keystreambits)asexplainedaboveandstoretheminmatrix

U.

(a) For eah0j N 1 (l+2dle),make(byllingonstantterms)

the system of linear equations with the linear expression U using the

keystreambitsstartingfromz

j .

(b) SolvethelinearsystemU,ndtheandidateinitialstate,andhekthe

andidatestateisorretbyrunningSSG-XORwiththestateand

om-paringthegeneratedstreamwiththe(original)keystreambitsfz

i g

N 1

i=j .

() If the above test sueeds, we nd the initial state (or an equivalent

state).Thusstopthisproessandoutputthestateas asolution.

(d) If theabovetest fails, repeat theproess from the step(a) with

inre-mentingj.

Now we determine thelength N of keystream bits in order to sueed the

aboveattak.OursearhspaeisH=fguessjdleH

w

(guess)l; andg

0 =

1g,thustheardinalityofH is

jHj= l 1

X

i=dle 1

l 1

i

:

Foreahl-bitguessedsegmentguess,wewilltryN Ltimestondanequivalent

state.Tosueedtheattak,wehavetondatleastonemathpairbetweenthe

guessset H andtheinitialstatederivedfrom thekeystreamsegmentsinvolved

in eahN Ltrials.Thus thelengthN shouldsatisfy

(N L)jHj2 l 1

=)N=O

2 1

1+2 L

;

wherejHj=2 l

and isaparameterdeterminedby.

Sinefor eah guessed segment guess wehaveto tryat mostN L times,

thetotaltimeomplexityof theattakin worstaseis

O(L 3

)O(N L)O(2 l

)=O

L 3

2 1

1+2 L

;

whereO(L 3

)fatorreetstheomplexityofsolvingasystemoflinearequations

ofsizeL.

Theorem 1. Theguess-and-determineattakfor SSG-XORhas time

omplex-ityO

L 3

2 1

1+2 L

,memoryomplexityO(L 2

)anddataomplexityO

2 1

1+2 L

,

whereL isthe lengthofthe underlyingLFSRofSSG-XOR,0:51, and

isaparameterdeterminedby .

NowwegiveomparisonresultinthefollowingtablebetweenSSGand

SSG-XORignoring thepolynomialfatorL 3

.

Table3.Theasymptotitime,memory,anddataomplexitytoattakSSGand

SSG-XORwhenL100

SSG SSG-XOR

Time Memory Data Time Memory Data

0.50.99 O(2 0:667L

) O(L 2

) O(2 0:007L

) O(2 0:5L

) O(L 2

) O(2 0:005L

)

0.80.71 O(2 0:556L

) O(L 2

) O(2 0:161L

) O(2 0:384L

) O(L 2

) O(2 0:111L

)

1.00.00 O(2 0:5L

) O(L 2

) O(2 0:5L

) O(2 0:333L

) O(L 2

) O(2 0:333L

Experiments We made several experimental results in C language on a

gen-eralPC tohekthevalidityofourattak.Forexample,wehooseanLFSR's

feedbakpolynomialoflength30asfollows.

f(x)=x 30

+x 27

+x 23

+x 22

+x 17

+x 16

+x 14

+x 11

+x 3

+x+1:

Wenotethatf(x)isaprimitivepolynomial,thusthegeneratedsequenewould

have a maximal length. Then h

1 (x), h

2

(x), and h

3

(x) modulo the reiproal

f

(x)an beobtainedas follows.

h

1 (x)=x

2 28

modf

(x)

=x 28

+x 26

+x 21

+x 20

+x 15

+x 11

+x 9

+x 8

+x 7

+x 6

+x 4

+x 2

+1

h2(x)=x 2

29

modf

(x)

=x 29

+x 28

+x 28

+x 27

+x 21

+x 17

+x 16

+x 15

+x 14

+x 13

+x 12

+x 11

+x 8

+x 7

+x 4

h3(x)=x 32

28

modf

(x)

=x 27

+x 24

+x 23

+x 17

+x 14

+x 11

+x 10

+x 6

+x 5

+x 3

Forarandomhoseninitialstate,ourattakreoverstheinitialstateoran

equivalentstateinaminutefrom200bitskeystream.

3 Conlusion

Inthispaper,weinvestigatedtheseurityaspetsforavariantofself-shrinking

generatoralled SSG-XORwhih was proposed at ICISC2006. The author of

SSG-XOR alleged that SSG-XOR is more seure than the original SSG in a

sense that theomplexityof attaksforSSG-XORis higherthanthat ofSSG.

HoweverweshowedthattheseurityofSSG-XORdoesnotreahthat ofSSG.

Referenes

1. K.-Y.Chang,J.-S.Kang,M.-K.Lee,H.LeeandD.Hong.Newvariantofthe

self-shringking generator and its ryptographi properties. Information Seuirty and

Cryptology - ICISC 2006, Leture Notes in Comput. Si., vol. 4296, pp. 41{50,

2006.

2. M. HellandT.Johansson.Twonewattaksontheself-shrinkinggenerator.IEEE

Trans.Infor.Theory,vol.52,no.8,pp.3837{3843,2006.

3. M.Krause.BDD-basedryptanalysisofkeystreamgenerator.Advanesin

Cryptol-ogy-EUROCRYPT2002,LetureNotesinComput.Si.,vol. 2332,pp. 222{237,

2002.

4. W. MeierandO.Staelbah.Theself-shrinkinggenerator. Advanes inCrptology

-EUROCRYPT'94,LetureNotesinComput.Si.,vol.950,pp.205{214,1994.

5. E. Zenner, M. Krause and S. Luks.Improved ryptanalysis of the self-shrinking

generator.InformationSeurityandPrivay-ACISP2001,LetureNotesin

Com-put.Si., vol.2119,pp.21{35,2001.

6. B.ZhangandD.Feng.Newguess-and-determineattakontheself-shrinking

gener-ator.AdvanesinCryptology -ASIACRYPT2006,LetureNotesinComput.Si.,