15 research outputs found

    On the stability of m-sequences

    We study the stability of m-sequences in the sense of determining the number of errors needed for decreasing the period of the sequences, as well as giving lower bounds on the k-error linear complexity of the sequences. For prime periods the results are straightforward so we concentrate on composite periods. We give exact results for the case when the period is reduced by a factor which is a Mersenne number and for the case when it is reduced by a prime p such that the order of 2 modulo p equals p − 1. The general case is believed to be difficult due to its similarity to a well studied problem in coding theory. We also provide results about the relative frequencies of the different cases. We formulate a conjecture regarding the minimum number of errors needed for reducing the period at all. Finally we apply our results to the LFSR components of several well known stream ciphers

    Decim v2

    The original publication is available at www.springerlink.com. In this paper, we present Decimv2, a stream cipher hardware-oriented selected for the phase 3 of the ECRYPT stream cipher project eSTREAM. As required by the initial call for hardware-oriented stream cipher contribution, Decimv2 manages 80-bit secret keys and 64-bit public initialization vectors. The design of Decimv2 combines two filtering mechanisms: a nonlinear Boolean filter over a LFSR, followed by an irregular decimation mechanism called the ABSG. Since designers have been invited to demonstrate flexibility of their design by proposing variants that take 128-bit keys, we also present a 128-bit security version of Decim called Decim-128

    Understanding Phase Shifting Equivalent Keys and Exhaustive Search

    Recent articles~\cite{kucuk,ckp08,isobe,cryptoeprint:2008:128} introduce the concept of phase shifting equivalent keys in stream ciphers, and exploit this concept in order to mount attacks on some specific ciphers. The idea behind phase shifting equivalent keys is that, for many ciphers, each internal state can be considered as the result of an injection of a key and initialization vector. This enables speeding up the standard exhaustive search algorithm among the $2^n$ possible keys by decreasing the constant factor of $2^n$ in the time complexity of the algorithm. However, this has erroneously been stated in~\cite{isobe,cryptoeprint:2008:128} as decreasing the complexity of the algorithm below $2^n$. In this note, we show why this type of attacks, using phase shifting equivalent keys to improve exhaustive key search, can never reach time complexity below $2^n$, where $2^n$ is the size of the key space

    Complexity measures for classes of sequences and cryptographic applications

    Pseudo-random sequences are a crucial component of cryptography, particularly in stream cipher design. In this thesis we will investigate several measures of randomness for certain classes of finitely generated sequences. We will present a heuristic algorithm for calculating the k-error linear complexity of a general sequence, of either finite or infinite length, and results on the closeness of the approximation generated. We will present a linear time algorithm for determining the linear complexity of a sequence whose characteristic polynomial is a power of an irreducible element, again presenting variations for both finite and infinite sequences. This algorithm allows the linear complexity of such sequences to be determined faster than was previously possible. Finally we investigate the stability of m-sequences, in terms of both k-error linear complexity and k-error period. We show that such sequences are inherently stable, but show that some are more stable than others

    Interleaving Shifted Versions of a PN-Sequence

    The output sequence of the shrinking generator can be considered as an interleaving of determined shifted versions of a single PN-sequence. In this paper, we present a study of the interleaving of a PN-sequence and shifted versions of itself. We analyze some important cryptographic properties as the period and the linear complexity in terms of the shifts. Furthermore, we determine the total number of the interleaving sequences that achieve each possible value of the linear complexity. This research is partially supported by Ministerio de Economía, Industria y Competitividad (MINECO), Agencia Estatal de Investigación (AEI), and Fondo Europeo de Desarrollo Regional (FEDER, UE) under project COPCIS, reference TIN2017-84844-C2-1-R. It is also supported by Comunidad de Madrid (Spain) under project CYNAMON (P2018/TCS-4566), co-funded by FSE and European Union FEDER funds. Finally, the third author is partially supported by Spanish grant VIGROB-287 of the Universitat d’Alacant

    A Chosen IV Attack Using Phase Shifting Equivalent Keys against DECIM v2

    DECIM v2 is a stream cipher submitted to the ECRYPT stream cipher project (eSTREAM) and ISO/IEC 18033-4. No attack against DECIM v2 has been proposed yet. In this paper, we propose a chosen IV attack against DECIM v2 using a new equivalent key class. Our attack can recover an 80-bit key with a time complexity of $2^{79.90}$ when all bits of the IV are zero. This result is the best one on DECIM v2

    On the Design and Analysis of Stream Ciphers

    This thesis presents new cryptanalysis results for several different stream cipher constructions. In addition, it also presents two new stream ciphers, both based on the same design principle. The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified. By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together an adversary can take advantage of this by considering the samples in a vector form. Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen. Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80. The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware

    On the sliding property of SNOW 3G and SNOW 2.0

    SNOW 3G is a stream cipher chosen by the 3rd Generation Partnership Project (3GPP) as a crypto-primitive to substitute KASUMI in case its security is compromised. SNOW 2.0 is one of the stream ciphers chosen for the ISO/IEC standard IS 18033-4. In this study, the authors show that the initialisation procedure of the two ciphers admits a sliding property, resulting in several sets of related-key pairs. In case of SNOW 3G, a set of $2^{32}$ related-key pairs is presented, whereas in the case of SNOW 2.0, several such sets are found, out of which the largest are of size $2^{64}$ and $2^{192}$ for the 128-bit and 256-bit variant of the cipher, respectively. In addition to allowing related-key recovery attacks against SNOW 2.0 with 256-bit keys, the presented properties reveal non-random behaviour that yields related-key distinguishers and also questions the validity of the security proofs of protocols that are based on the assumption that SNOW 3G and SNOW 2.0 behave like perfect random functions of the key-IV

    Randomness Generation for Secure Hardware Masking - Unrolled Trivium to the Rescue

    Masking is a prominent strategy to protect cryptographic implementations against side-channel analysis. Its popularity arises from the exponential security gains that can be achieved for (approximately) quadratic resource utilization. Many variants of the countermeasure tailored for different optimization goals have been proposed over the past decades. The common denominator among all of them is the implicit demand for robust and high entropy randomness. Simply assuming that uniformly distributed random bits are available, without taking the cost of their generation into account, leads to a poor understanding of the efficiency and performance of secure implementations. This is especially relevant in case of hardware masking schemes which are known to consume large amounts of random bits per cycle due to parallelism. Currently, there seems to be no consensus on how to most efficiently derive many pseudo-random bits per clock cycle from an initial seed and with properties suitable for masked hardware implementations. In this work, we evaluate a number of building blocks for this purpose and find that hardware-oriented stream ciphers like Trivium and its reduced-security variant Bivium B outperform all competitors when implemented in an unrolled fashion. Unrolled implementations of these primitives enable the flexible generation of many bits per cycle while maintaining high performance, which is crucial for satisfying the large randomness demands of state-of-the-art masking schemes. According to our analysis, only Linear Feedback Shift Registers (LFSRs), when also unrolled, are capable of producing long non-repetitive sequences of random-looking bits at a high rate per cycle even more efficiently than Trivium and Bivium B. Yet, these instances do not provide black-box security as they generate only linear outputs. We experimentally demonstrate that using multiple output bits from an LFSR in the same masked implementation can violate probing security and even lead to harmful randomness cancellations. Circumventing these problems, and enabling an independent analysis of randomness generation and masking scheme, requires the use of cryptographically stronger primitives like stream ciphers. As a result of our studies, we provide an evidence-based estimate for the cost of securely generating n fresh random bits per cycle. Depending on the desired level of black-box security and operating frequency, this cost can be as low as 20n to 30n ASIC gate equivalents (GE) or 3n to 4n FPGA look-up tables (LUTs), where n is the number of random bits required. Our results demonstrate that the cost per bit is (sometimes significantly) lower than estimated in previous works, incentivizing parallelism whenever exploitable and potentially moving low randomness usage in hardware masking research from a primary to secondary design goal

    Methods for evaluating and substantiating the security of stream ciphers against statistical attacks based on algebraically degenerate approximations of Boolean functions

    The dissertation solves the topical scientific problem of developing methods for constructing scientifically substantiated estimates of the security of synchronous stream ciphers (SSC) against statistical attacks based on algebraically degenerate approximations of Boolean functions. The new results obtained make it possible in practice to evaluate and substantiate the security of modern SSCs, which ultimately makes it possible to significantly reduce the time needed for expert studies of stream encryption algorithms intended for protecting the state information resources of Ukraine