Stream ciphers for secure display

In any situation where private, proprietary or highly confidential material is being dealt with, the need to consider aspects of data security has grown ever more important. It is usual to secure such data from its source, over networks and on to the intended recipient. However, data security considerations typically stop at the recipient's processor, leaving connections to a display transmitting raw data which is increasingly in a digital format and of value to an adversary. With a progression to wireless display technologies the prominence of this vulnerability is set to rise, making the implementation of 'secure display' increasingly desirable. Secure display takes aspects of data security right to the display panel itself, potentially minimising the cost, component count and thickness of the final product. Recent developments in display technologies should help make this integration possible. However, the processing of large quantities of time-sensitive data presents a significant challenge in such resource constrained environments. Efficient high- throughput decryption is a crucial aspect of the implementation of secure display and one for which the widely used and well understood block cipher may not be best suited. Stream ciphers present a promising alternative and a number of strong candidate algorithms potentially offer the hardware speed and efficiency required. In the past, similar stream ciphers have suffered from algorithmic vulnerabilities. Although these new-generation designs have done much to respond to this concern, the relatively short 80-bit key lengths of some proposed hardware candidates, when combined with ever-advancing computational power, leads to the thesis identifying exhaustive search of key space as a potential attack vector. To determine the value of protection afforded by such short key lengths a unique hardware key search engine for stream ciphers is developed that makes use of an appropriate data element to improve search efficiency. The simulations from this system indicate that the proposed key lengths may be insufficient for applications where data is of long-term or high value. It is suggested that for the concept of secure display to be accepted, a longer key length should be used

Some Words on Cryptanalysis of Stream Ciphers

In the world of cryptography, stream ciphers are known as primitives used to ensure privacy over a communication channel. One common way to build a stream cipher is to use a keystream generator to produce a pseudo-random sequence of symbols. In such algorithms, the ciphertext is the sum of the keystream and the plaintext, resembling the one-time pad principal. Although the idea behind stream ciphers is simple, serious investigation of these primitives has started only in the late 20th century. Therefore, cryptanalysis and design of stream ciphers are important. In recent years, many designs of stream ciphers have been proposed in an effort to find a proper candidate to be chosen as a world standard for data encryption. That potential candidate should be proven good by time and by the results of cryptanalysis. Different methods of analysis, in fact, explain how a stream cipher should be constructed. Thus, techniques for cryptanalysis are also important. This thesis starts with an overview of cryptography in general, and introduces the reader to modern cryptography. Later, we focus on basic principles of design and analysis of stream ciphers. Since statistical methods are the most important cryptanalysis techniques, they will be described in detail. The practice of statistical methods reveals several bottlenecks when implementing various analysis algorithms. For example, a common property of a cipher to produce n-bit words instead of just bits makes it more natural to perform a multidimensional analysis of such a design. However, in practice, one often has to truncate the words simply because the tools needed for analysis are missing. We propose a set of algorithms and data structures for multidimensional cryptanalysis when distributions over a large probability space have to be constructed. This thesis also includes results of cryptanalysis for various cryptographic primitives, such as A5/1, Grain, SNOW 2.0, Scream, Dragon, VMPC, RC4, and RC4A. Most of these results were achieved with the help of intensive use of the proposed tools for cryptanalysis

Duplexing the sponge: single-pass authenticated encryption and other applications

This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and, at no extra cost, provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against single-stage generic attacks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as a reseedable pseudo-random bit sequence generators and a sponge variant that overwrites part of the state with the input block rather than to XOR it in

Cryptanalysis of Helix and Phelix revisited

Helix, designed by Ferguson et al., is a high-speed asynchronous stream cipher with a built-in MAC functionality. At FSE 2004, Muller presented two attacks on Helix. Motivated by these attacks, Phelix was proposed and selected as a Phase 2 focus cipher for both Profile 1 and Profile 2 by the eSTREAM project, but was not advanced to Phase 3 mainly due to a key recovery attack by Wu and Preneel when the prohibition against reusing a nonce is violated. In this paper, we study the security of Helix and Phelix in the more realistic chosen nonce model. We first point out a flaw in Muller's second attack, which results in the failure of his attack. Then we propose our distinguishing attack on Helix with a data complexity of 2132, faster than exhaustive search when the key length is larger than 132 bits. Furthermore, when the maximal length of output keystream is extended, the data complexity can be reduced to 2 127 and we also can construct a key recovery attack with a data complexity of 2163. Since this flaw is overlooked by the designers of Phelix, we can extend the distinguishing attack to Phelix with the same complexity, which shows that Phelix fails to strengthen Helix against internal state collision attacks. Our results provide new insights on the design of such dedicated ciphers with built-in authentication. © 2013 Springer-Verlag.Helix, designed by Ferguson et al., is a high-speed asynchronous stream cipher with a built-in MAC functionality. At FSE 2004, Muller presented two attacks on Helix. Motivated by these attacks, Phelix was proposed and selected as a Phase 2 focus cipher for both Profile 1 and Profile 2 by the eSTREAM project, but was not advanced to Phase 3 mainly due to a key recovery attack by Wu and Preneel when the prohibition against reusing a nonce is violated. In this paper, we study the security of Helix and Phelix in the more realistic chosen nonce model. We first point out a flaw in Muller's second attack, which results in the failure of his attack. Then we propose our distinguishing attack on Helix with a data complexity of 2132, faster than exhaustive search when the key length is larger than 132 bits. Furthermore, when the maximal length of output keystream is extended, the data complexity can be reduced to 2 127 and we also can construct a key recovery attack with a data complexity of 2163. Since this flaw is overlooked by the designers of Phelix, we can extend the distinguishing attack to Phelix with the same complexity, which shows that Phelix fails to strengthen Helix against internal state collision attacks. Our results provide new insights on the design of such dedicated ciphers with built-in authentication. © 2013 Springer-Verlag