Jovan Dj. Golic
Telecom Italia
Publication
Featured research published by Jovan Dj. Golic.
theory and application of cryptographic techniques | 1997
Jovan Dj. Golic
A binary stream cipher, known as A5, consisting of three short LFSRs of total length 64 that are mutually clocked in the stop/go manner is cryptanalyzed. It is allegedly used in the GSM standard for digital cellular mobile telephones. Very short keystream sequences are generated from different initial states obtained by combining a 64-bit secret session key and a known 22-bit public key. A basic divide-and-conquer attack recovering the unknown initial state from a known keystream sequence is first introduced. It exploits the specific clocking rule used and has average computational complexity around 2^40. A time-memory trade-off attack based on the birthday paradox which yields the unknown internal state at a known time for a known keystream sequence is then pointed out. The attack is successful if T · M ≥ 2^63.32, where T and M are the required computational time and memory (in 128-bit words), respectively. The precomputation time is O(M) and the required number of known keystream sequences generated from different public keys is about T/10^2. For example, one can choose T ≅ 2^27.67 and M ≅ 2^35.65. To obtain the secret session key from the determined internal state, a so-called internal state reversion attack is proposed and analyzed by the theory of critical and subcritical branching processes.
cryptographic hardware and embedded systems | 2002
Jovan Dj. Golic; Christophe Tymen
The recently proposed multiplicative masking countermeasure against power analysis attacks on AES is interesting as it does not require the costly recomputation and RAM storage of S-boxes for every run of AES. This is important for applications where the available space is very limited, such as smart card applications. Unfortunately, it is here shown that this method is in fact inherently vulnerable to differential power analysis. However, it is also shown that the multiplicative masking method can be modified so as to provide resistance to differential power analysis of nonideal but controllable security level, at the expense of increased computational complexity. Other possible random masking methods are also discussed.
theory and application of cryptographic techniques | 1997
Jovan Dj. Golic
A keystream generator known as RC4 is analyzed by the linear model approach. It is shown that the second binary derivative of the least significant bit output sequence is correlated to 1 with the correlation coefficient close to 15 · 2^(-3n), where n is the variable word size of RC4. The output sequence length required for the linear statistical weakness detection may be realistic in high speed applications if n ≤ 8. The result can be used to distinguish RC4 from other keystream generators and to determine the unknown parameter n, as well as for the plaintext uncertainty reduction if n is small.
cryptographic hardware and embedded systems | 2007
Markus Dichtl; Jovan Dj. Golic
It is shown that the amount of true randomness produced by the recently introduced Galois and Fibonacci ring oscillators can be evaluated experimentally by restarting the oscillators from the same initial conditions and by examining the time evolution of the standard deviation of the oscillating signals. The restart approach is also applied to classical ring oscillators and the results obtained demonstrate that the new oscillators can achieve orders of magnitude higher entropy rates. A theoretical explanation is also provided. The restart and continuous modes of operation and a novel sampling method almost doubling the entropy rate are proposed. Accordingly, the new oscillators appear to be by far more effective than other known solutions for random number generation with logic gates only.
IEEE Transactions on Computers | 2006
Jovan Dj. Golic
A new method for digital true random number generation based on asynchronous logic circuits with feedback is introduced. In particular, a concrete technique using the so-called Galois and Fibonacci ring oscillators is developed and analyzed both theoretically and experimentally. The generated random binary sequences may have a very high speed and a higher and more robust entropy rate in comparison with previous proposals for digital random number generators. A new method for digital postprocessing of random data based on irregularly clocked nonautonomous synchronous logic circuits with feedback is also introduced and a concrete technique using a self-clock-controlled linear feedback shift register is proposed. The postprocessing can provide both randomness extraction and computationally secure speed increase of input random data.
fast software encryption | 1996
Jovan Dj. Golic
By regarding a nonlinear filter keystream generator as a finite input memory combiner, it is observed that a recent, important attack introduced by Anderson can be viewed as a conditional correlation attack. Necessary and sufficient conditions for the output sequence to be purely random given that the input sequence is such are pointed out, and a new, so-called inversion attack is introduced, which may work for larger input memory sizes in comparison with Anderson's attack. Large input memory size and use of full positive difference sets and correlation immune nonlinear filter functions are proposed as new design criteria to ensure the security against the considered attacks.
Journal of Cryptology | 1991
Jovan Dj. Golic; Miodrag J. Mihaljevic
A statistical approach to cryptanalysis of a memoryless function of clock-controlled shift registers is introduced. In the case of zero-order correlation immunity, an algorithm for a shift register initial state reconstruction based on the sequence comparison concept is proposed. A constrained Levenshtein distance relevant for the cryptanalysis is defined and a novel recursive procedure for its efficient computation is derived. Preliminary experimental results are given and open theoretic problems are discussed.
australasian conference on information security and privacy | 2002
Andrew J. Clark; Ed Dawson; Joanne Fuller; Jovan Dj. Golic; Hoon Jae Lee; William Millan; SangJae Moon; Leonie Simpson
The LILI-II keystream generator is an LFSR-based synchronous stream cipher with a 128-bit key. LILI-II is a specific cipher from the LILI family of keystream generators, and was designed with larger internal components than previous ciphers in this class, in order to provide increased security. The design offers large period and linear complexity, is immune to currently known styles of attack, and is simple to implement in hardware or software. The cipher achieves a security level of 128 bits.
theory and application of cryptographic techniques | 1994
Jovan Dj. Golic; Luke O'Connor
Embedding and probabilistic correlation attacks on clock-controlled shift registers that are clocked at least once per output symbol are defined in general and are analyzed in the unconstrained case, with an arbitrary number of deletions at a time, and in the constrained case, with at most d deletions at a time. It is proved that the unconstrained embedding attack is successful if and only if the deletion rate is smaller than one half and if the length of the observed keystream sequence is greater than a value linear in the shift register length r. It is shown how to compute recursively the joint probability which is a basis for the unconstrained probabilistic attack with independent deletions. The efficiency of the attack is characterized in terms of the capacity of the corresponding communication channel with independent deletions and it is concluded that the probabilistic attack is successful for any deletion rate smaller than one if the given keystream sequence is sufficiently long, also linearly in r. It is proved that the constrained embedding attack is successful for any d and the minimum necessary length of the known output sequence is shown to be linear in r, and at least exponential and at most superexponential in d. This demonstrates that making d large cannot ensure the theoretical security against the attack, but can considerably improve the practical security.
international cryptology conference | 2002
Jovan Dj. Golic; V. Bagini; Guglielmo Morgari
A general linear iterative cryptanalysis method for solving binary systems of approximate linear equations, which is also applicable to keystream generators producing short keystream sequences, is proposed. A linear cryptanalysis method for reconstructing the secret key in a general type of initialization schemes is also developed. A large class of linear correlations in the Bluetooth combiner, unconditioned or conditioned on the output or on both the output and one input, are found and characterized. As a result, an attack on the Bluetooth stream cipher that can reconstruct the 128-bit secret key with complexity about 2^70 from about 45 initializations is proposed. In the precomputation stage, a database of about 2^80 103-bit words has to be sorted out.