Comparative Study of Techniques and Attacks On NLFSR Based Stream Ciphers - A Review
All content following this page was uploaded by Shadab Alam on 20 May 2014.
LFSRs into a nonlinear Boolean function to form a combination generator [17]. The combining function has to be carefully selected to ensure the security of the resulting scheme, for example in order to prevent correlation attacks [2]. Other solutions are to combine several bits from the LFSR state using a nonlinear function [18], to use irregular clocking of the LFSR [19], or to make the LFSR structure more complex by complementing the feedback with a carry [20]. Examples of LFSR-based stream ciphers include the A5/1 stream cipher, which is used to provide over-the-air communication privacy in the GSM cellular telephone standard [21], and the E0 stream cipher, which is used in the Bluetooth protocol [22].

In general, there are two ways to implement an NLFSR: in the Fibonacci configuration or in the Galois configuration. The Fibonacci configuration, shown in Fig. 1, is conceptually simpler. A Fibonacci NLFSR consists of n bits numbered from left to right as n-1, n-2, ..., 0, with feedback from the bits to the (n-1)th bit only.

Fig. 1. The Fibonacci configuration of NLFSR

Fig. 2. The Galois configuration of NLFSR

At each clocking instance, the value of bit i is moved to bit i-1. The value of bit 0 becomes the output of the register. The new value of bit n-1 is computed as some function of the previous values of the other bits. In the Galois type of NLFSR, shown in Fig. 2, each bit is updated according to its own feedback function. Thus, in contrast to Fibonacci NLFSRs, in which feedback is applied to the (n-1)th bit only, in Galois NLFSRs feedback can be applied to every bit. Since the depth of the circuits implementing the feedback functions of individual bits is usually smaller than the depth of the circuit implementing the single feedback function of a Fibonacci NLFSR, the propagation time can potentially be reduced. This makes Galois NLFSRs particularly attractive for stream cipher applications in which a high keystream generation speed is important [18].

2.2 A CONDITION FOR EXISTENCE OF A NONLINEAR RECURRENCE

In this section, we formulate a condition for the existence of a nonlinear recurrence of order n describing the output sequence of an n-bit NLFSR. First, we introduce some definitions which are necessary for the presentation of the main result [17].

Definition 1: Two NLFSRs are equivalent if their sets of output sequences are equal.

Definition 2: The feedback graph of an n-bit NLFSR is a directed graph with n vertices v0, ..., vn-1 which represent the bits 0, ..., n-1 of the NLFSR, respectively. There is an edge from vi to vj if i ∈ dep(fj), i.e. if the feedback function fj of bit j depends on bit i.

Definition 3: Given a feedback graph G, the reduced feedback graph of G is the graph obtained by repeatedly applying the substitution to each vertex of G with the input degree, until no more substitutions can be applied.

3. COMPARISON BASED ON TECHNIQUES

There are many different pseudorandom sequence generators applied to stream ciphering. Most of them are based on the structure of the LFSR. Within the combination schemes we find the first non-LFSR generator, proposed by Geffe [24]. His idea consists in using two LFSRs as the inputs of a multiplexer controlled by a third LFSR, which selects which of the bits of the two previous LFSRs is passed to the output. This combination has no memory, and presents a high correlation between the output bits of the global generator and the bits of each of the internal LFSRs (the output agrees with each of the two data LFSRs three quarters of the time). Therefore, it is easily cryptanalysable by a divide-and-conquer correlation attack on one register at a time.

The clock-controlled schemes are especially interesting because of their capacity to obtain high linear complexities, although their periods are reduced and it is necessary to use key lengths somewhat larger than what would be strictly necessary. There are two general modalities: the schemes in which the clock of a subgenerator is controlled by another subgenerator (e.g. the bilateral generator), and those where the clock of a generator is ruled by its own output or by a function of the internal state (e.g. the A5 generator). According to Schneier [25], the A5 generator is composed of three LFSRs of lengths 19, 22 and 23. The central bits of the registers are used in a majority vote, and only those LFSRs whose intermediate bit equals the majority are clocked. The output is the XOR (sum modulo 2) of the last bits of the three registers.

The prototype of a cascade generator is the generator of Gollmann [26]. The cascade schemes generally use a clock-controlled mechanism, but they have the advantage that their design is modular and repetitive, allowing the concatenation of an arbitrary number of generators and thus obtaining huge periods and high linear complexities. They are vulnerable to the lock-in attack, and it is recommended to use at least 15 generators in cascade.

Finally, in recent years some new stream ciphering methods that operate on bytes (blocks of bits) rather than on single bits have appeared, for example RC4. RC4 uses a variable-length key. For some years it was a trade secret of RSA Data Security, and it has been used in applications such as Lotus Notes, Apple Computer's AOCE and Oracle Secure SQL. In 1994 the source code was spread anonymously through electronic mail and was quickly divulged over the Internet to everybody. It uses an 8x8 S-box, a 256-entry byte permutation S, that is updated every time a symbol is ciphered.
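As an added worked example, not taken from the paper or from [17], the following Python models the two configurations of section 2.1 and Definitions 1 and 2 of section 2.2. The 4-bit Fibonacci NLFSR, its feedback function f3 = x0 + x1 + x2*x3, and the sufficient uniformity condition checked by to_galois (bits below the terminal bit are pure shifts and every feedback monomial reads only bits at or below it) are assumptions made for this illustration. The block builds a Galois NLFSR by shifting one monomial to a lower bit, verifies that the two registers have the same set of output sequences (Definition 1), derives their feedback graphs (Definition 2), and shows the smaller per-bit feedback that motivates the Galois form.

```python
from itertools import product

# Feedback functions in algebraic normal form: a function is a list of
# monomials, a monomial is a tuple of bit indices whose AND is XORed in.
# Constructed 4-bit Fibonacci NLFSR for this illustration (not from the
# paper):  f3 = x0 + x1 + x2*x3,  f2 = x3,  f1 = x2,  f0 = x1.
N = 4
FIBONACCI = {3: [(0,), (1,), (2, 3)], 2: [(3,)], 1: [(2,)], 0: [(1,)]}


def evaluate(monomials, state):
    """Evaluate a sum-of-products Boolean function over GF(2)."""
    total = 0
    for m in monomials:
        term = 1
        for j in m:
            term &= state[j]
        total ^= term
    return total


def step(funcs, state):
    """One clock: bit i takes f_i(old state).  A Fibonacci register is the
    special case f_i = x_{i+1} for i < n-1; a Galois register may have
    feedback on any bit."""
    return tuple(evaluate(funcs[i], state) for i in range(len(state)))


def output(funcs, state, length):
    """Keystream taken from bit 0 over `length` clocks."""
    bits = []
    for _ in range(length):
        bits.append(state[0])
        state = step(funcs, state)
    return tuple(bits)


def output_set(funcs, n, length):
    """Definition 1: the set of output sequences (their first `length` bits,
    enough to fix the whole sequence once length >= n) over every initial state."""
    return {output(funcs, s, length) for s in product((0, 1), repeat=n)}


def dep(monomials):
    """Bits a feedback function depends on."""
    return {j for m in monomials for j in m}


def feedback_graph(funcs):
    """Definition 2: edge (i, j) iff i is in dep(f_j)."""
    return {(i, j) for j, f in funcs.items() for i in dep(f)}


def terminal_bit(funcs, n):
    """Lowest bit whose update is not a plain shift from bit i+1."""
    return min(i for i in range(n) if funcs[i] != [(i + 1,)])


def max_terms(funcs):
    """Largest number of monomials a single bit evaluates per clock, a rough
    proxy for the feedback circuit depth discussed in section 2.1."""
    return max(len(f) for f in funcs.values())


def to_galois(fib, n, targets):
    """Move monomials of f_{n-1} to lower bits (the Fibonacci-to-Galois idea
    of [17]).  `targets` maps a monomial of f_{n-1} to the bit receiving it;
    every index in the monomial drops by (n-1-target).  The result is kept
    only if it is uniform (assumption used here as the sufficient condition):
    with tau the terminal bit, bits below tau are pure shifts and every
    feedback monomial on bits >= tau reads only bits <= tau.  Bits 0..tau then
    still carry the true output stream, so the order-n recurrence, and hence
    the output set, is unchanged."""
    funcs = {i: [(i + 1,)] for i in range(n - 1)}
    funcs[n - 1] = []
    for m in fib[n - 1]:
        target = targets.get(m, n - 1)
        shifted = tuple(j - (n - 1 - target) for j in m)
        if shifted and min(shifted) < 0:
            raise ValueError("monomial %r cannot be shifted to bit %d" % (m, target))
        funcs[target].append(shifted)
    tau = terminal_bit(funcs, n)
    for i in range(tau, n):
        for m in funcs[i]:
            if m != (i + 1,) and m and max(m) > tau:
                raise ValueError("not uniform: bit %d reads bit %d above tau=%d" % (i, max(m), tau))
    return funcs


# Shift x2*x3 from bit 3 to bit 2: f2 = x3 + x1*x2, f3 = x0 + x1, tau = 2.
GALOIS = to_galois(FIBONACCI, N, {(2, 3): 2})

if __name__ == "__main__":
    print("Fibonacci:", FIBONACCI)
    print("Galois:   ", GALOIS, "terminal bit", terminal_bit(GALOIS, N))
    print("equivalent:", output_set(FIBONACCI, N, 12) == output_set(GALOIS, N, 12))
    print("max monomials per bit:", max_terms(FIBONACCI), "->", max_terms(GALOIS))
```

The two registers start from different internal states for the same output prefix (the Galois accumulator bit 3 holds x3 + x1*x2 of the Fibonacci state), which is why Definition 1 compares sets of output sequences rather than state trajectories.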
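The Geffe generator of section 3 and its correlation weakness, as an added example that is not part of the original paper: the feedback polynomials (x^5+x^2+1, x^7+x+1 and x^6+x+1, all primitive), the initial states and the keystream length are chosen here for illustration, since the paper fixes none of them. The block measures how often the output agrees with each data register and then recovers the first register on its own from 300 keystream bits, the divide-and-conquer correlation attack that makes the scheme easy to cryptanalyse.

```python
def lfsr(taps, state, n):
    """Fibonacci LFSR.  state = [a_t, ..., a_{t+L-1}]; a_{t+L} is the XOR of
    the tapped positions.  Returns n output bits."""
    s = list(state)
    out = []
    for _ in range(n):
        out.append(s[0])
        fb = 0
        for t in taps:
            fb ^= s[t]
        s = s[1:] + [fb]
    return out


# (taps, length); polynomials chosen for this example, periods 31, 127, 63.
R1 = ((0, 2), 5)   # x^5 + x^2 + 1, first data register
R2 = ((0, 1), 7)   # x^7 + x + 1, second data register
R3 = ((0, 1), 6)   # x^6 + x + 1, the selector register


def geffe(s1, s2, s3, n):
    """Multiplexer: selector bit 1 passes R1's bit, 0 passes R2's bit, i.e.
    z = sel*x1 XOR (1 XOR sel)*x2, so P[z = x1] = P[z = x2] = 3/4."""
    x1 = lfsr(R1[0], s1, n)
    x2 = lfsr(R2[0], s2, n)
    sel = lfsr(R3[0], s3, n)
    return [x1[i] if sel[i] else x2[i] for i in range(n)]


def agreement(a, b):
    """Fraction of positions where two bit sequences coincide."""
    return sum(u == v for u, v in zip(a, b)) / len(a)


def recover_r1(keystream):
    """Divide-and-conquer correlation attack on R1: try each of its 2^5-1
    nonzero initial states alone and keep the one whose output agrees with
    the keystream about 75% of the time; wrong states score near 50%.
    R2 is recovered the same way, after which R3 follows directly."""
    taps, length = R1
    best_state, best_score = None, 0.0
    for v in range(1, 1 << length):
        st = [(v >> i) & 1 for i in range(length)]
        score = agreement(lfsr(taps, st, len(keystream)), keystream)
        if score > best_score:
            best_state, best_score = st, score
    return best_state, best_score


def demo(n=300):
    """Constructed initial states; returns the measured correlations and the
    register recovered from the keystream alone."""
    s1 = [1, 0, 1, 1, 0]
    s2 = [1, 1, 0, 1, 0, 0, 1]
    s3 = [0, 1, 1, 0, 1, 1]
    z = geffe(s1, s2, s3, n)
    state, score = recover_r1(z)
    return {"corr_r1": agreement(z, lfsr(R1[0], s1, n)),
            "corr_r2": agreement(z, lfsr(R2[0], s2, n)),
            "recovered_r1": state, "score": score}


if __name__ == "__main__":
    print(demo())
```

The attack cost is 2^5 + 2^7 trials instead of the 2^18 of a joint search, which is the point of the "no memory, high correlation" remark: the multiplexer leaks each data register separately.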
The parameters compared below are calculated by applying algorithms called tests to the generated sequences. Before seeing the performance of a cipher, it is very important to know the length of the key used. In order to avoid a brute-force attack it is recommended to have not less than 100 bits. However, the statistics of the ciphers hardly vary when the key does. Because of this, we use lower key lengths so as to be able to calculate the period and other features. The key lengths and periods are kept as close as possible in order to compare the schemes equitably.

[Fig. 3 is a bar chart of the test values (Bit Entropy, Spectral, H(ZL); vertical axis "Values" from 0 to 2) for the ciphers Grain, Gollmann, Bilateral, RC4, Geffe and A5 (horizontal axis "Ciphers").]
Fig. 3. Comparison of different tests which have small values

There exist several types of tests to evaluate the strength of a stream ciphering device: statistical, empirical, theoretical, complexity measures, etc. We use at least one of each type to compare the generating schemes explained above. For a deeper knowledge of the analysis techniques for pseudorandom sequences, see [27]-[32]. Concretely, the following tests have been used.

3.1 THIRD POSTULATE OF GOLOMB

This test computes the autocorrelation of the sequence and compares the value of the largest secondary peak with the value at the origin, the principal-to-secondary lobe ratio. The worst result of this test is when there is a large secondary peak, because many of the shifted bits then reflect the same behaviour as the originals. The outcome of the test is the principal-to-secondary lobe ratio in dB. All the peaks are important, because the main aspect is the difference between the result and the ideal values, the lost energy, and it does not matter whether this lost energy is spread uniformly or concentrated in only one particular frequency component.

4. ATTACKS ON CIPHERS

Cryptanalytic attacks against ciphers play a very important role in the analysis of their strengths. In recent years algebraic attacks have become a threat to stream ciphers based on LFSRs.
That is why designs which are vulnerable to these attacks are avoided.

Somewhat surprisingly for such a widely known and analysed cipher as RC4, Mantin and Shamir found a trivial distinguishing attack as late as 2001 [33]-[34]. The first few hundred output bytes are not uniformly random and leak information about the key; the first few bytes in particular are highly biased, and the second output byte of RC4 takes the value 0 with probability 2^-7 instead of 2^-8. The reason for these weaknesses is that the table S does not have a uniform distribution after the initial permutation. The attacks found on A5 are known-plaintext (KPA) or active KPA attacks and a time-memory trade-off with a computational complexity of 2^39.91 [35].

Due to the NLFSR, the degrees of the algebraic equations of Grain increase with each clock. With the high degrees of the equations, which also vary in time, it is not possible to obtain all internal state bits within reasonable resources. The best known attack on Grain is key derivation [36]-[35]. In that work an attempt is made to figure out the maximum number of bits that can be recovered while the rest of the bits are guessed, and the importance of guessing bits at different positions is shown by comparing the degrees of the equations in the different cases.

Trivium seems to be a particularly attractive target for algebraic attacks [37]-[35]. The complete scheme can easily be described with extremely sparse equations of low degree. However, its state does not evolve in a linear way, and hence the efficient linearization techniques used to solve the systems of equations generated by LFSR-based schemes will be hard to apply. Other techniques might be applicable, and their efficiency in solving this particular system of equations needs to be investigated.

CONCLUSION

Undoubtedly, the importance of NLFSR-based stream ciphers in computer applications cannot be ignored. Therefore, a standardized model for stream cipher design is certainly today's requisite. Figure 3 shows the comparison of the different tests which have small values and Figure 4 shows the comparison of the different tests which have large values. On the basis of the analysis it can be concluded that the Geffe cipher is not good at all; Gollmann also lacks in the serial test and its LC/P is very low; Bilateral has good properties but fails the third postulate of Golomb compared to the values of the other sequences; and the other ciphering schemes (A5, Grain and RC4) are robust and have passed these tests.

FUTURE SCOPE

This review studies the standard structures and a few important stream ciphers with a hope to come up with an advanced stream cipher that meets the standards of efficiency in terms of security and implementation. We aim to design a cipher which will be more secure and robust than the existing ciphers.

REFERENCES

[1] M. U. Bokhari, Shadab Alam and Faheem Syed Masoodi, "Comparative analysis of Py (Roo) family of stream ciphers," ICRITO-2010, Faridabad (India), November 2010, pp. 667-671.
[2] S. Golomb, Shift Register Sequences, Aegean Park Press, 1982.
[3] B. Schneier, "A self-study course in block-cipher cryptanalysis," Cryptologia, vol. XXIV, no. 1, pp. 18-33, 2000.
[4] M. Robshaw, "Stream ciphers," Tech. Rep. TR-701, July 1994.
[5] W. Meier and O. Staffelbach, "Fast correlation attacks on certain stream ciphers," J. Cryptol., vol. 1, no. 3, pp. 159-176, 1989.
[6] K. Zeng, C. Yang, D. Wei and T. R. N. Rao, "Pseudo-random bit generators in stream-cipher cryptography," Computer, 1991.
[7] E. Biham and O. Dunkelman, "Cryptanalysis of the A5/1 GSM stream cipher," in INDOCRYPT '00: Proceedings of the First International Conference on Progress in Cryptology, London, UK, pp. 43-51, Springer-Verlag, 2000.
[8] Y. Shaked and A. Wool, "Cryptanalysis of the Bluetooth E0 cipher," citeseer.ist.psu.edu/744254.html.
[9] D. Coppersmith, H. Krawczyk and Y. Mansour, "The shrinking generator," in CRYPTO '93: Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, New York, NY, USA, pp. 22-39, Springer-Verlag, 1994.
[10] B. Gammel, R. Göttfert and O. Kniffler, "Achterbahn-128/80: Design and analysis," in SASC 2007: Workshop Record of The State of the Art of Stream Ciphers, pp. 152-165, 2007.
[11] A. Maximov, "Cryptanalysis of the "Grain" family of stream ciphers," in ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, New York, NY, USA, pp. 283-288, ACM Press, 2006.
[12] B. Gittins, H. A. Landman, S. O'Neil and R. Kelson, "A presentation on VEST hardware performance, chip area measurements, power consumption estimates and benchmarking in relation to the AES, SHA-256 and SHA-512," Cryptology ePrint Archive, Report 2005/415, 2005, http://eprint.iacr.org/
[13] J. Mykkeltveit, "Nonlinear recurrences and arithmetic codes," Information and Control, vol. 33, no. 3, pp. 193-209, 1977.
[14] I. Janicka-Lipska and J. Stokłosa, "Boolean feedback functions for full-length nonlinear shift registers," Journal of Telecommunications and Information Technology, vol. 5, pp. 28-29, 2004.
[15] Shohreh Sharif Mansouri and Elena Dubrova, "An improved hardware implementation of the Grain stream cipher," 13th Euromicro Conference on Digital System Design: Architectures, Methods and Tools, 2010.
[16] C. De Cannière and B. Preneel, "Trivium," in New Stream Cipher Designs: The eSTREAM Finalists, LNCS 4986, pp. 244-266, 2008.
[17] E. Dubrova, "A transformation from the Fibonacci to the Galois NLFSRs," IEEE Transactions on Information Theory, vol. 55, no. 11, November 2009.
[18] Cadence, "Using Encounter RTL Compiler, product version 9.1," 2009.
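Returning to the RC4 second-byte bias of section 4, the following is an added example written for this page, not code from the paper or from [33]-[34]. It implements the RC4 key schedule (KSA) and output generator (PRGA), checks them against the public "Key" test vector, and then samples keys (constructed with a seeded generator; the 12000 trials and 16-byte key length are assumptions) to measure how often the second keystream byte is 0. It also tests the mechanism behind the bias, which this example states as: whenever the KSA leaves S[2] = 0 and S[1] != 2, the second output byte is forced to 0, and since that happens for about 1/256 of all keys the probability roughly doubles from 2^-8 to 2^-7.

```python
import random


def rc4_ksa(key):
    """Key-scheduling: build the 256-entry permutation S from the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S, n):
    """Pseudo-random generation: n keystream bytes (S is copied, not mutated)."""
    S = S[:]
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return out


def mantin_shamir_condition(S):
    """After the KSA, S[2] == 0 and S[1] != 2 forces the 2nd output byte to 0:
    the first PRGA step swaps S[1] with S[S[1]], leaving S[2] untouched; the
    second step computes j = S[1] + S[2] = S[1], swaps S[2] with S[j], and
    outputs S[S[2] + S[j]] = S[S[1] + 0] = S[j], which now holds the 0."""
    return S[2] == 0 and S[1] != 2


def second_byte_bias(trials=12000, key_len=16, seed=1):
    """Sample random keys (constructed with a seeded PRNG) and measure the
    frequency of a zero second byte; the ideal value is 1/256 ~ 0.0039, the
    observed one is close to 1/128 ~ 0.0078."""
    rng = random.Random(seed)
    zeros = forced = 0
    forced_always_zero = True
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(key_len))
        S = rc4_ksa(key)
        second = rc4_prga(S, 2)[1]
        if second == 0:
            zeros += 1
        if mantin_shamir_condition(S):
            forced += 1
            forced_always_zero = forced_always_zero and second == 0
    return {"rate": zeros / trials, "forced": forced,
            "forced_always_zero": forced_always_zero}


if __name__ == "__main__":
    print("keystream for key 'Key':", bytes(rc4_prga(rc4_ksa(b"Key"), 10)).hex())
    print(second_byte_bias())
```

A distinguisher built on this bias needs only a few hundred keystreams under different keys, which is why the usual mitigation was to discard the first bytes of output before use.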