International Association for Cryptologic Research

International Association
for Cryptologic Research


Shahram Khazaei

Affiliation: Zaeim Electronic Industries


New Directions in Cryptanalysis of Self-synchronizing Stream Ciphers
Shahram Khazaei Willi Meier
In cryptology we commonly face the problem of finding an unknown key K from the output of an easily computable keyed function F(C,K) where the attacker has the power to choose the input parameter C. In this work we focus on self-synchronizing stream ciphers. First we show how to model these primitives in the above-mentioned general problem by relating appropriate functions F to the underlying ciphers. Then we apply the recently proposed framework at AfricaCrypt’08 [4] (for dealing with this kind of problems) to the proposed T-function based self-synchronizing stream cipher by Klimov and Shamir at FSE’05 [5] and show how to deduce some non-trivial information about the key. We also open a new window for answering an open question raised in [4].
New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba
The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 rounds (instead of 20) have been broken by differential cryptanalysis, while ChaCha has not been analyzed yet. In this paper, we introduce a novel method for differential cryptanalysis of Salsa20 and ChaCha, inspired by correlation attacks and related to the notion of neutral bits. This is the first application of neutral bits in stream cipher cryptanalysis, and it allows us to present the first break of Salsa20/8, to bring faster attacks on the 7-round variant, and to break 6- and 7-round ChaCha. In a second part, we analyze the compression function Rumba, constructed as the XOR of four Salsa20 instances, and returning a 512-bit output. We find collision and preimage attacks for two simplified variants, then we discuss differential attacks on the original version, and exploit a high-probability differential to reduce complexity of collision search from 2^(256) to 2^(79) for 3-round Rumba. We give examples of collisions over three rounds for a version without feedforward, and near-collisions of weight 16 for three rounds of the original compression function, and of weight 129 for four rounds.
Linear Sequential Circuit Approximation of Grain and Trivium Stream Ciphers
Grain and Trivium are two hardware oriented synchronous stream ciphers proposed as the simplest candidates to the ECRYPT Stream Cipher Project, both dealing with 80-bit secret keys. In this paper we apply the linear sequential circuit approximation method to evaluate the strength of these stream ciphers against distinguishing attack. In this approximation method which was initially introduced by Golic in 1994, linear models are effectively determined for autonomous finite-state machines. We derive linear functions of consecutive key-stream bits which are held with correlation coefficient of about 2^-63.7 and 2^-126 for Grain and Trivium ciphers, respectively. Then using the concept of so-called generating function, we turn them into linear functions with correlation coefficient of 2^-29 for Grain and 2^-72 for Trivium. It shows that the Grain output sequence can be distinguished from a purely random sequence, using about 2^58 bits of the output sequence with the same time complexity. However, our attempt fails to find a successful distinguisher for Trivium.
On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator
The shrinking generator is a well-known key stream generator composed of two LFSR?s, LFSRx and LFSRc, where LFSRx is clock-controlled according to the regularly clocked LFSRc. In this paper we investigate the minimum required length of the output sequence for successful reconstruction of the LFSRx initial state in an optimal probabilistic divide and conquer correlation attack. We extract an exact expression for the joint probability of the prefix of length m of the output sequence of LFSRx and prefix of length n of the output sequence of the generator. Then we use computer simulation to compare our probability measure and two other probability measures, previousely proposed in [5] and [3], in the sense of minimum required output length. Our simulation results show that our measure reduces the required output length.