Algebraic Attack on the Alternating Step(r,s)Generator

The Alternating Step(r,s) Generator, ASG(r,s), is a clock-controlled sequence generator which is recently proposed by A. Kanso. It consists of three registers of length l, m and n bits. The first register controls the clocking of the two others. The two other registers are clocked r times (or not clocked) (resp. s times or not clocked) depending on the clock-control bit in the first register. The special case r=s=1 is the original and well known Alternating Step Generator. Kanso claims there is no efficient attack against the ASG(r,s) since r and s are kept secret. In this paper, we present an Alternating Step Generator, ASG, model for the ASG(r,s) and also we present a new and efficient algebraic attack on ASG(r,s) using 3(m+n) bits of the output sequence to find the secret key with O((m^2+n^2)*2^{l+1}+ (2^{m-1})*m^3 + (2^{n-1})*n^3) computational complexity. We show that this system is no more secure than the original ASG, in contrast to the claim of the ASG(r,s)'s constructor.Comment: 5 pages, 2 figures, 2 tables, 2010 IEEE International Symposium on Information Theory (ISIT2010),June 13-18, 2010, Austin, Texa

On the Design and Analysis of Stream Ciphers

This thesis presents new cryptanalysis results for several different stream cipher constructions. In addition, it also presents two new stream ciphers, both based on the same design principle. The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified. By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together an adversary to take advantage of this by considering the samples in a vector form. Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen. Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80. The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware

Some Results on Distinguishing Attacks on Stream Ciphers

Stream ciphers are cryptographic primitives that are used to ensure the privacy of a message that is sent over a digital communication channel. In this thesis we will present new cryptanalytic results for several stream ciphers. The thesis provides a general introduction to cryptology, explains the basic concepts, gives an overview of various cryptographic primitives and discusses a number of different attack models. The first new attack given is a linear correlation attack in the form of a distinguishing attack. In this attack a specific class of weak feedback polynomials for LFSRs is identified. If the feedback polynomial is of a particular form the attack will be efficient. Two new distinguishing attacks are given on classical stream cipher constructions, namely the filter generator and the irregularly clocked filter generator. It is also demonstrated how these attacks can be applied to modern constructions. A key recovery attack is described for LILI-128 and a distinguishing attack for LILI-II is given. The European network of excellence, called eSTREAM, is an effort to find new efficient and secure stream ciphers. We analyze a number of the eSTREAM candidates. Firstly, distinguishing attacks are described for the candidate Dragon and a family of candidates called Pomaranch. Secondly, we describe resynchronization attacks on eSTREAM candidates. A general square root resynchronization attack which can be used to recover parts of a message is given. The attack is demonstrated on the candidates LEX and Pomaranch. A chosen IV distinguishing attack is then presented which can be used to evaluate the initialization procedure of stream ciphers. The technique is demonstrated on four candidates: Grain, Trivium, Decim and LEX

Scan-based Attacks on Linear Feedback Shift Register Based Stream Ciphers

In this paper, we present an attack on stream cipher implementations by determining the scan chain structure of the linear feedback shift registers in their implementations. Although scan Design-for-Test (DFT) is a powerful testing scheme, we show that it can be used to retrieve the information stored in a crypto chip thus compromising its theoretically proven security

Complexity measures for classes of sequences and cryptographic apllications

Pseudo-random sequences are a crucial component of cryptography, particularly in stream cipher design. In this thesis we will investigate several measures of randomness for certain classes of finitely generated sequences. We will present a heuristic algorithm for calculating the k-error linear complexity of a general sequence, of either finite or infinite length, and results on the closeness of the approximation generated. We will present an linear time algorithm for determining the linear complexity of a sequence whose characteristic polynomial is a power of an irreducible element, again presenting variations for both finite and infinite sequences. This algorithm allows the linear complexity of such sequences to be determined faster than was previously possible. Finally we investigate the stability of m-sequences, in terms of both k-error linear complexity and k-error period. We show that such sequences are inherently stable, but show that some are more stable than others

Tester for chosen sub-standard of the IEEE 802.1Q

Tato práce se zabývá analyzováním IEEE 802.1Q standardu TSN skupiny a návrhem testovacího modulu. Testovací modul je napsán v jazyku VHDL a je možné jej implementovat do Intel Stratix® V GX FPGA (5SGXEA7N2F45C2) vývojové desky. Standard IEEE 802.1Q (TSN) definuje deterministickou komunikace přes Ethernet sít, v reálném čase, požíváním globálního času a správným rozvrhem vysíláním a příjmem zpráv. Hlavní funkce tohoto standardu jsou: časová synchronizace, plánování provozu a konfigurace sítě. Každá z těchto funkcí je definovaná pomocí více různých podskupin tohoto standardu. Podle definice IEEE 802.1Q standardu je možno tyto podskupiny vzájemně libovolně kombinovat. Některé podskupiny standardu nemohou fungovat nezávisle, musí využívat funkce jiných podskupin standardu. Realizace funkce podskupin standardu je možná softwarově, hardwarově, nebo jejich kombinací. Na základě výše uvedených fakt, implementace podskupin standardu, které jsou softwarově související, byly vyloučené. Taky byly vyloučené podskupiny standardů, které jsou závislé na jiných podskupinách. IEEE 802.1Qbu byl vybrán jako vhodná část pro realizaci hardwarového testu. Různé způsoby testování byly vysvětleny jako DFT, BIST, ATPG a další jiné techniky. Pro hardwarové testování byla vybrána „Protocol Aware (PA)“technika, protože tato technika zrychluje testování, dovoluje opakovanou použitelnost a taky zkracuje dobu uvedení na trh. Testovací modul se skládá ze dvou objektů (generátor a monitor), které mají implementovanou IEEE 802.1Qbu podskupinu standardu. Funkce generátoru je vygenerovat náhodné nebo nenáhodné impulzy a potom je poslat do testovaného zařízeni ve správném definovaném protokolu. Funkce monitoru je přijat ethernet rámce a ověřit jejich správnost. Objekty jsou navrhnuty stejným způsobem na „TOP“úrovni a skládají se ze čtyř modulů: Avalon MM rozhraní, dvou šablon a jednoho portu. Avalon MM rozhraní bylo vytvořeno pro komunikaci softwaru s hardwarem. Tento modul přijme pakety ze softwaru a potom je dekóduje podle definovaného protokolu a „pod-protokolu “. „Pod-protokol“se skládá z příkazu a hodnoty daného příkazu. Podle dekódovaného příkazu a hodnot daných příkazem je kontrolovaný celý objekt. Šablona se používá na generování nebo ověřování náhodných nebo nenáhodných dat. Dvě šablony byly implementovány pro expresní ověřování nebo preempční transakce, definované IEEE 802.1Qbu. Porty byly vytvořené pro komunikaci mezi testovaným zařízením a šablonou podle daného standardu. Port „generátor“má za úkol vybrat a vyslat rámce podle priority a času vysílaní. Port „monitor“přijme rámce do „content-addressable memory”, která ověřuje priority rámce a podle toho je posílá do správné šablony. Výsledky prokázaly, že tato testovací technika dosahuje vysoké rychlosti a rychlé implementace.This master paper is dealing with the analysis of IEEE 802.1Q group of TSN standards and with the design of HW tester. Standard IEEE 802.1Qbu has appeared to be an optimal solution for this paper. Detail explanation of this sub-standard are included in this paper. As HW test the implementation, a protocol aware technique was chosen in order to accelerate testing. Paper further describes architecture of this tester, with detail explanation of the modules. Essential issue of protocol aware controlling objects by SW, have been resolved and described. Result proof that this technique has reached higher speed of testing, reusability, and fast implementation.

Stream ciphers for secure display

In any situation where private, proprietary or highly confidential material is being dealt with, the need to consider aspects of data security has grown ever more important. It is usual to secure such data from its source, over networks and on to the intended recipient. However, data security considerations typically stop at the recipient's processor, leaving connections to a display transmitting raw data which is increasingly in a digital format and of value to an adversary. With a progression to wireless display technologies the prominence of this vulnerability is set to rise, making the implementation of 'secure display' increasingly desirable. Secure display takes aspects of data security right to the display panel itself, potentially minimising the cost, component count and thickness of the final product. Recent developments in display technologies should help make this integration possible. However, the processing of large quantities of time-sensitive data presents a significant challenge in such resource constrained environments. Efficient high- throughput decryption is a crucial aspect of the implementation of secure display and one for which the widely used and well understood block cipher may not be best suited. Stream ciphers present a promising alternative and a number of strong candidate algorithms potentially offer the hardware speed and efficiency required. In the past, similar stream ciphers have suffered from algorithmic vulnerabilities. Although these new-generation designs have done much to respond to this concern, the relatively short 80-bit key lengths of some proposed hardware candidates, when combined with ever-advancing computational power, leads to the thesis identifying exhaustive search of key space as a potential attack vector. To determine the value of protection afforded by such short key lengths a unique hardware key search engine for stream ciphers is developed that makes use of an appropriate data element to improve search efficiency. The simulations from this system indicate that the proposed key lengths may be insufficient for applications where data is of long-term or high value. It is suggested that for the concept of secure display to be accepted, a longer key length should be used