Publication


Featured research published by Souradyuti Paul.


International Conference on Cryptology in India (INDOCRYPT) | 2003

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator

Souradyuti Paul; Bart Preneel

The RC4 stream cipher is the most widely used software-based stream cipher. It is based on a secret internal state of N=256 bytes and two pointers. This paper proposes an efficient algorithm to compute a special set of RC4 states named non-fortuitous predictive states. These special states increase the probability of guessing part of the internal state in a known-plaintext attack and present a cryptanalytic weakness of RC4. The problem of designing a practical algorithm to compute them had been open since it was posed by Mantin and Shamir in 2001. We also formally prove a slightly corrected version of the 2001 conjecture of Mantin and Shamir that a known elements of the state, together with the two pointers at any RC4 round, cannot predict more than a outputs in the next N rounds, for any a.


International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT) | 2006

On the (in)security of stream ciphers based on arrays and modular addition

Souradyuti Paul; Bart Preneel

Stream ciphers play an important role in symmetric cryptology because of their suitability for high-speed applications where block ciphers fall short. A large number of fast stream ciphers or pseudorandom bit generators (PRBGs) in the literature are based on arrays and simple operations such as modular additions, rotations and memory accesses (e.g. RC4, RC4A, Py, Py6, ISAAC). This paper investigates the security of array-based stream ciphers (or PRBGs) against certain types of distinguishing attacks in a unified way. We argue, counter-intuitively, that the most useful characteristic of an array, namely the association of array elements with unique indices, may turn out to be the origin of distinguishing attacks if adequate caution is not maintained. In short, an adversary may attack a cipher simply by exploiting the dependence of array elements on the corresponding indices. Most importantly, the weaknesses are not eliminated even if the indices and the array elements are made to follow uniform distributions separately. Exploiting these weaknesses we build distinguishing attacks with reasonable advantage on five recent stream ciphers (or PRBGs), namely Py6 (2005, Biham et al.), IA, ISAAC (1996, Jenkins Jr.), NGG, GGHN (2005, Gong et al.), with data complexities 2^68.61, 2^32.89, 2^16.89, 2^32.89 and 2^32.89 respectively. In all cases we worked under the assumption that the key-setup algorithms of the ciphers produce uniformly distributed internal states; we only investigated the mixing of bits in the keystream generation algorithms. In hindsight, we also observe that the previous attacks on other array-based stream ciphers (e.g. Py) can be explained in the general framework developed in this paper. We hope that our analyses will be useful in evaluating the security of stream ciphers based on arrays and modular addition.


Australasian Conference on Information Security and Privacy (ACISP) | 2005

Solving systems of differential equations of addition

Souradyuti Paul; Bart Preneel

Mixing addition modulo 2^n (+) and exclusive-or (⊕) has a host of applications in symmetric cryptography, as the operations are fast and nonlinear over GF(2). We deal with a frequently encountered equation, (x+y)⊕((x⊕α)+(y⊕β))=γ. The difficulty of solving an arbitrary system of such equations, named differential equations of addition (DEA), is an important consideration in evaluating the security of many ciphers against differential attacks. This paper shows that the satisfiability of an arbitrary set of DEA, which had so far been assumed hard for large n, is in the complexity class P. We also design an efficient algorithm to obtain all solutions of an arbitrary system of DEA with running time linear in the number of solutions. Our second contribution is solving DEA in an adaptive query model where an equation is formed by a query (α,β) and the oracle output γ. The challenge is to minimise the number of queries needed to solve (x+y)⊕((x⊕α)+(y⊕β))=γ. Our algorithm solves this equation with only 3 queries in the worst case. Another algorithm solves the equation (x+y)⊕(x+(y⊕β))=γ with (n-t-1) queries in the worst case (t is the position of the least significant '1' of x), and thus outperforms the previous best known algorithm by Muller, presented at FSE '04, which required 3(n-1) queries. Most importantly, we show that the upper bounds on the number of queries for our algorithms match worst-case lower bounds. This essentially closes further research in this direction, as our lower bounds are optimal. Finally we describe applications of our results in differential cryptanalysis.


Fast Software Encryption (FSE) | 2006

Distinguishing attacks on the stream cipher Py

Souradyuti Paul; Bart Preneel; Gautham Sekar

The stream cipher Py, designed by Biham and Seberry, is a submission to the ECRYPT stream cipher competition. The cipher is based on two large arrays (one of 256 bytes and the other of 1040 bytes) and is designed for high-speed software applications (Py is more than 2.5 times faster than RC4 on a Pentium III). The paper shows a statistical bias in the distribution of its output words at the 1st and 3rd rounds. Exploiting this weakness, a distinguisher with advantage greater than 50% is constructed that requires 2^84.7 randomly chosen key/IVs and the first 24 output bytes for each key. The running time and the data required by the distinguisher are t·2^84.7 and 2^89.2 respectively (t denotes the running time of the key/IV setup). We further show that the data requirement can be reduced by a factor of about 3 with a distinguisher that considers outputs of later rounds; in that case the running time is reduced to t'·2^84.7 (t' denotes the time for a single round of Py). The Py specification allows a 256-bit key and a keystream of 2^64 bytes per key/IV. As an ideally secure stream cipher with the above specification should be able to resist the attacks described here, our results constitute an academic break of Py. In addition we have identified several biases among pairs of bits; it seems possible to combine all the biases to build more efficient distinguishers.


International Conference on Cryptology in India (INDOCRYPT) | 2005

Near optimal algorithms for solving differential equations of addition with batch queries

Souradyuti Paul; Bart Preneel

The combination of modular addition (+) and exclusive-or (⊕) is one of the most widely used symmetric cipher components. The paper investigates the strength of modular addition against differential cryptanalysis (DC) where the differences of inputs and outputs are expressed as XOR. In particular, we solve two very frequently used equations, (1) and (2), known as the differential equations of addition (DEA), with a set of batch queries. In a companion paper, presented at ACISP '05, we improved the algorithm by Muller (at FSE '04) to design optimal algorithms that solve the equations with adaptive queries. However, a nontrivial solution with batch queries had remained open. The major contributions of this paper are (i) the determination of lower bounds on the required number of batch queries to solve the equations and (ii) the design of two algorithms which solve them with a number of queries close to optimal. Our algorithms require 2^(n-2) and 6 queries to solve (1) and (2), where the lower bounds are (theoretically proved) and 4 (based on extensive experiments) respectively (n is the bit-length of x, y, α, β, γ). This exponential lower bound is an important theoretical benchmark which certifies (1) as strong against DC. On the other hand, the constant number of batch queries needed to solve (2) reveals a major weakness of modular addition against DC. Muller, at FSE '04, showed a key-recovery attack on the Helix stream cipher (presented at FSE '03) with 2^12 adaptive chosen plaintexts (ACP). At ACISP 2005, we improved the data complexity of the attack to 2^10.41. However, the complexity of the attack with chosen plaintexts (CP) was unknown. Using our results we recover the secret key of the Helix cipher with only 2^35.64 chosen plaintexts (CP), which is so far the only CP attack on this cipher (under the same assumption as Muller's attack). Considering the abundant use of this component, the results should be useful for evaluating the security of many block ciphers against DC.
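Both DEA papers above (the ACISP '05 one and this one) work on the same equation, (x+y)⊕((x⊕α)+(y⊕β))=γ, and the reason a system of them is tractable is visible bit by bit: writing c_i for the carry into bit i of x+y and c'_i for the carry into bit i of (x⊕α)+(y⊕β), bit i of the equation is γ_i = α_i ⊕ β_i ⊕ c_i ⊕ c'_i, which depends only on bits of x and y below i. The block below is an added example, not code from either paper: it implements the adaptive-query oracle (the secret pair hidden in a closure), a solver that enumerates every solution of a system of DEA from the least significant bit upwards while carrying the two carries of each equation and pruning a partial assignment as soon as it contradicts the next bit of some γ, and a brute-force reference to cross-check it. The query list in the demo is constructed for illustration and is not the optimal 3-query adaptive strategy or the batch strategy of the papers; the function names are mine.

```python
"""Added example: oracle and bit-serial solver for differential equations of addition."""


def maj(a, b, c):
    """Carry out of a full adder: the majority of its three input bits."""
    return (a & b) | (a & c) | (b & c)


def dea_oracle(x, y, n):
    """Return the adaptive-query oracle (alpha, beta) -> gamma with the secret
    pair (x, y) fixed inside it: gamma = (x+y) ^ ((x^alpha)+(y^beta)) mod 2^n."""
    mask = (1 << n) - 1

    def query(alpha, beta):
        return ((x + y) ^ ((x ^ alpha) + (y ^ beta))) & mask
    return query


def solve_dea(n, eqs):
    """Enumerate every (x, y) in [0, 2^n)^2 satisfying all (alpha, beta, gamma)
    triples in `eqs`, working from the LSB upwards.

    Bit i of each equation is  gamma_i = alpha_i ^ beta_i ^ c_i ^ c'_i, where
    c_i, c'_i are the carries into bit i of x+y and of (x^alpha)+(y^beta). Those
    carries depend only on the bits already chosen, so a partial assignment is
    rejected the moment its carries contradict bit i of any gamma; the choice of
    (x_i, y_i) then only updates the carries for bit i+1."""
    def bit(v, i):
        return (v >> i) & 1

    sols = []

    def extend(i, x, y, carries):
        if i == n:
            sols.append((x, y))
            return
        for (a, b, g), (c, cp) in zip(eqs, carries):
            if bit(g, i) != bit(a, i) ^ bit(b, i) ^ c ^ cp:
                return                                   # contradiction: prune
        for xi in (0, 1):
            for yi in (0, 1):
                nxt = tuple((maj(xi, yi, c), maj(xi ^ bit(a, i), yi ^ bit(b, i), cp))
                            for (a, b, _), (c, cp) in zip(eqs, carries))
                extend(i + 1, x | (xi << i), y | (yi << i), nxt)

    extend(0, 0, 0, tuple((0, 0) for _ in eqs))
    return sorted(sols)


def brute_force_dea(n, eqs):
    """Reference solver that tests every pair; only for cross-checking solve_dea."""
    return [(x, y) for x in range(1 << n) for y in range(1 << n)
            if all(dea_oracle(x, y, n)(a, b) == g for a, b, g in eqs)]


if __name__ == "__main__":
    n = 8
    secret_x, secret_y = 0xB7, 0x3A                     # constructed secret pair
    ask = dea_oracle(secret_x, secret_y, n)
    eqs = []
    # Each adaptive query adds one DEA to the system; watch the candidate set
    # shrink. These queries are an illustration, not the papers' optimal strategy.
    for alpha, beta in [(0x00, 0xFF), (0xFF, 0x00), (0x55, 0xAA), (0x0F, 0xF0)]:
        eqs.append((alpha, beta, ask(alpha, beta)))
        sols = solve_dea(n, eqs)
        print(f"{len(eqs)} queries -> {len(sols)} candidate pairs")
    print((secret_x, secret_y) in sols)                  # True
    # The top bits of x and y never influence any gamma (their carry-out is
    # discarded mod 2^n), so no set of queries can leave fewer than 4 candidates.
    print(len(sols) >= 4 and len(sols) % 4 == 0)         # True
```

The 4-fold ambiguity in the most significant bits is inherent to the equation, which is why "solving" it in the papers means recovering the solution set rather than a unique (x, y); any key-recovery use of DEA, such as the Helix attack mentioned above, has to resolve those bits by other means.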


International Conference on Progress in Cryptology | 2007

Related-key attacks on the Py-family of ciphers and an approach to repair the weaknesses

Gautham Sekar; Souradyuti Paul; Bart Preneel

The stream cipher TPypy was designed by Biham and Seberry in January 2007 as the strongest member of the Py-family of ciphers, after weaknesses in the other members Py, Pypy and Py6 were discovered. One main contribution of the paper is the detection of related-key weaknesses in the Py-family of ciphers, including the strongest member TPypy. Under related keys, we show a distinguishing attack on TPypy with data complexity 2^192.3, which is lower than the previous best known attack on the cipher by a factor of 2^88. It is shown that the above attack also works on the other members TPy, Pypy and Py. A second contribution of the paper is the design and analysis of two fast ciphers, RCR-64 and RCR-32, derived from TPy and TPypy respectively. The performances of RCR-64 and RCR-32 are 2.7 cycles/byte and 4.45 cycles/byte on a Pentium III (for comparison, the speeds of Py, Pypy and RC4 are 2.8, 4.58 and 7.3 cycles/byte). Based on our security analysis, we conjecture that no attacks faster than brute force are possible on the RCR ciphers.


International Conference on Cryptology in India (INDOCRYPT) | 2010

Speeding Up the Wide-Pipe: Secure and Fast Hashing

Mridul Nandi; Souradyuti Paul

In this paper we propose a new sequential mode of operation, the Fast wide pipe (FWP for short), to hash messages of arbitrary length. The mode is shown to be (1) preimage-resistance preserving, (2) collision-resistance preserving and, most importantly, (3) indifferentiable from a random oracle up to \(\mathcal{O}(2^{n/2})\) compression function invocations. In addition, our rigorous investigation suggests that the variants of Joux's multi-collision attack, the Kelsey-Schneier 2nd-preimage attack and the herding attack are all ineffective against this mode. This leads us to conjecture that the indifferentiability security bound of FWP can be extended beyond the birthday barrier. In terms of efficiency, the new mode is always faster than the Wide-pipe mode when both modes use an identical compression function; in particular, it is nearly twice as fast as the Wide-pipe for a reasonable choice of the input and output sizes of the compression function. We also compare the FWP with several other modes of operation.


IACR Cryptology ePrint Archive | 2012

Improved Indifferentiability Security Bound for the JH Mode

Dustin Moody; Souradyuti Paul; Daniel C. Smith-Tone


International Conference on Information Security (ISC) | 2007

New weaknesses in the keystream generation algorithms of the stream ciphers TPy and Py

Gautham Sekar; Souradyuti Paul; Bart Preneel


IACR Cryptology ePrint Archive | 2007

Weaknesses in the Pseudorandom Bit Generation Algorithms of the Stream Ciphers TPypy and TPy

Gautham Sekar; Souradyuti Paul; Bart Preneel

Collaboration

Top co-authors of Souradyuti Paul:

Bart Preneel (Katholieke Universiteit Leuven)
Gautham Sekar (Katholieke Universiteit Leuven)
Mridul Nandi (Indian Statistical Institute)
Dustin Moody (National Institute of Standards and Technology)