On the Design and Analysis of Stream Ciphers

This thesis presents new cryptanalysis results for several different stream cipher constructions. In addition, it also presents two new stream ciphers, both based on the same design principle. The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified. By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together an adversary to take advantage of this by considering the samples in a vector form. Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen. Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80. The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware

On Some Symmetric Lightweight Cryptographic Designs

This dissertation presents cryptanalysis of several symmetric lightweight primitives, both stream ciphers and block ciphers. Further, some aspects of authentication in combination with a keystream generator is investigated, and a new member of the Grain family of stream ciphers, Grain-128a, with built-in support for authentication is presented. The first contribution is an investigation of how authentication can be provided at a low additional cost, assuming a synchronous stream cipher is already implemented and used for encryption. These findings are then used when presenting the latest addition to the Grain family of stream ciphers, Grain-128a. It uses a 128-bit key and a 96-bit initialization vector to generate keystream, and to possibly also authenticate the plaintext. Next, the stream cipher BEAN, superficially similar to Grain, but notably using a weak output function and two feedback with carry shift registers (FCSRs) rather than linear and (non-FCSR) nonlinear feedback shift registers, is cryptanalyzed. An efficient distinguisher and a state-recovery attack is given. It is shown how knowledge of the state can be used to recover the key in a straightforward way. The remainder of this dissertation then focuses on block ciphers. First, a related-key attack on KTANTAN is presented. The attack notably uses only a few related keys, runs in less than half a minute on a current computer, and directly contradicts the designers' claims. It is discussed why this is, and what can be learned from this. Next, PRINTcipher is subjected to linear cryptanalysis. Several weak key classes are identified and it is shown how several observations of the same statistical property can be made for each plaintext--ciphertext pair. Finally, the invariant subspace property, first observed for certain key classes in PRINTcipher, is investigated. In particular, its connection to large linear biases is studied through an eigenvector which arises inside the cipher and leads to trail clustering in the linear hull which, under reasonable assumptions, causes a significant number of large linear biases. Simulations on several versions of PRINTcipher are compared to the theoretical findings

STATISTICAL PROPERTIES OF PSEUDORANDOM SEQUENCES

Random numbers (in one sense or another) have applications in computer simulation, Monte Carlo integration, cryptography, randomized computation, radar ranging, and other areas. It is impractical to generate random numbers in real life, instead sequences of numbers (or of bits) that appear to be ``random yet repeatable are used in real life applications. These sequences are called pseudorandom sequences. To determine the suitability of pseudorandom sequences for applications, we need to study their properties, in particular, their statistical properties. The simplest property is the minimal period of the sequence. That is, the shortest number of steps until the sequence repeats. One important type of pseudorandom sequences is the sequences generated by feedback with carry shift registers (FCSRs). In this dissertation, we study statistical properties of N-ary FCSR sequences with odd prime connection integer q and least period (q-1)/2. These are called half-ℓ-sequences. More precisely, our work includes: The number of occurrences of one symbol within one period of a half-ℓ-sequence; The number of pairs of symbols with a fixed distance between them within one period of a half-ℓ-sequence; The number of triples of consecutive symbols within one period of a half-ℓ-sequence. In particular we give a bound on the number of occurrences of one symbol within one period of a binary half-ℓ-sequence and also the autocorrelation value in binary case. The results show that the distributions of half-ℓ-sequences are fairly flat. However, these sequences in the binary case also have some undesirable features as high autocorrelation values. We give bounds on the number of occurrences of two symbols with a fixed distance between them in an ℓ-sequence, whose period reaches the maximum and obtain conditions on the connection integer that guarantee the distribution is highly uniform. In another study of a cryptographically important statistical property, we study a generalization of correlation immunity (CI). CI is a measure of resistance to Siegenthaler\u27s divide and conquer attack on nonlinear combiners. In this dissertation, we present results on correlation immune functions with regard to the q-transform, a generalization of the Walsh-Hadamard transform, to measure the proximity of two functions. We give two definitions of q-correlation immune functions and the relationship between them. Certain properties and constructions for q-correlation immune functions are discussed. We examine the connection between correlation immune functions and q-correlation immune functions

D.STVL.9 - Ongoing Research Areas in Symmetric Cryptography

This report gives a brief summary of some of the research trends in symmetric cryptography at the time of writing (2008). The following aspects of symmetric cryptography are investigated in this report: • the status of work with regards to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1); • the algebraic attacks on symmetric primitives (Section 2); • the design criteria for symmetric ciphers (Section 3); • the provable properties of symmetric primitives (Section 4); • the major industrial needs in the area of symmetric cryptography (Section 5)

Ongoing Research Areas in Symmetric Cryptography

This report is a deliverable for the ECRYPT European network of excellence in cryptology. It gives a brief summary of some of the research trends in symmetric cryptography at the time of writing. The following aspects of symmetric cryptography are investigated in this report: • the status of work with regards to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1); • the recently proposed algebraic attacks on symmetric primitives (Section 2); • the design criteria for symmetric ciphers (Section 3); • the provable properties of symmetric primitives (Section 4); • the major industrial needs in the area of symmetric cryptography (Section 5)

Algebraic attacks on certain stream ciphers

To encrypt data streams of arbitrary lengths, keystream generators are used in modern cryptography which transform a secret initial value, called the key, into a long sequence of seemingly random bits. Many designs are based on linear feedback shift registers (LFSRs), which can be constructed in such a way that the output stream has optimal statistical and periodical properties and which can be efficiently implemented in hardware. Particularly prominent is a certain class of LFSR-based keystream generators, called (ι,m)-combiners or simply combiners. The maybe most famous example is the E0 keystream generator deployed in the Bluetooth standard for encryption. To evaluate the combiner’s security, cryptographers adopted an adversary model where the design and some parts of the input and output are known. An attack is a method to derive the key using the given knowledge. In the last decades, several kinds of attacks against LFSR-based keystream generators have been developed. In 2002 a new kind of attacks came up, named ”algebraic attacks”. The basic idea is to model the knowledge by a system of equation whose solution is the secret key. For several existing combiners, algebraic attacks represent the fastest theoretical attacks publicly known so far. This thesis discusses algebraic attacks against combiners. After providing the required mathematical fundament and a background on combiners, we describe algebraic attacks and explore the two main steps (generating the system of equations and computing the solution) in detail. The efficiency of algebraic attacks is closely connected to the degree of the equations. Thus, we examine the existence of low-degree equations in several situations and discuss multiple design principles to thwart their existence. Furthermore, we investigate ”fast algebraic attacks”, an extension of algebraic attacks.To encrypt data streams of arbitrary lengths, keystream generators are used in modern cryptography which transform a secret initial value, called the key, into a long sequence of seemingly random bits. Many designs are based on linear feedback shift registers (LFSRs), which can be constructed in such a way that the output stream has optimal statistical and periodical properties and which can be efficiently implemented in hardware. Particularly prominent is a certain class of LFSR-based keystream generators, called (ι,m)-combiners or simply combiners. The maybe most famous example is the E0 keystream generator deployed in the Bluetooth standard for encryption. To evaluate the combiner’s security, cryptographers adopted an adversary model where the design and some parts of the input and output are known. An attack is a method to derive the key using the given knowledge. In the last decades, several kinds of attacks against LFSR-based keystream generators have been developed. In 2002 a new kind of attacks came up, named ”algebraic attacks”. The basic idea is to model the knowledge by a system of equation whose solution is the secret key. For several existing combiners, algebraic attacks represent the fastest theoretical attacks publicly known so far. This thesis discusses algebraic attacks against combiners. After providing the required mathematical fundament and a background on combiners, we describe algebraic attacks and explore the two main steps (generating the system of equations and computing the solution) in detail. The efficiency of algebraic attacks is closely connected to the degree of the equations. Thus, we examine the existence of low-degree equations in several situations and discuss multiple design principles to thwart their existence. Furthermore, we investigate ”fast algebraic attacks”, an extension of algebraic attacks

Design of Stream Ciphers and Cryptographic Properties of Nonlinear Functions

Block and stream ciphers are widely used to protect the privacy of digital information. A variety of attacks against block and stream ciphers exist; the most recent being the algebraic attacks. These attacks reduce the cipher to a simple algebraic system which can be solved by known algebraic techniques. These attacks have been very successful against a variety of stream ciphers and major efforts (for example eSTREAM project) are underway to design and analyze new stream ciphers. These attacks have also raised some concerns about the security of popular block ciphers. In this thesis, apart from designing new stream ciphers, we focus on analyzing popular nonlinear transformations (Boolean functions and S-boxes) used in block and stream ciphers for various cryptographic properties, in particular their resistance against algebraic attacks. The main contribution of this work is the design of two new stream ciphers and a thorough analysis of the algebraic immunity of Boolean functions and S-boxes based on power mappings. First we present WG, a family of new stream ciphers designed to obtain a keystream with guaranteed randomness properties. We show how to obtain a mathematical description of a WG stream cipher for the desired randomness properties and security level, and then how to translate this description into a practical hardware design. Next we describe the design of a new RC4-like stream cipher suitable for high speed software applications. The design is compared with original RC4 stream cipher for both security and speed. The second part of this thesis closely examines the algebraic immunity of Boolean functions and S-boxes based on power mappings. We derive meaningful upper bounds on the algebraic immunity of cryptographically significant Boolean power functions and show that for large input sizes these functions have very low algebraic immunity. To analyze the algebraic immunity of S-boxes based on power mappings, we focus on calculating the bi-affine and quadratic equations they satisfy. We present two very efficient algorithms for this purpose and give new S-box constructions that guarantee zero bi-affine and quadratic equations. We also examine these S-boxes for their resistance against linear and differential attacks and provide a list of S-boxes based on power mappings that offer high resistance against linear, differential, and algebraic attacks. Finally we investigate the algebraic structure of S-boxes used in AES and DES by deriving their equivalent algebraic descriptions

Some Results on Distinguishing Attacks on Stream Ciphers

Stream ciphers are cryptographic primitives that are used to ensure the privacy of a message that is sent over a digital communication channel. In this thesis we will present new cryptanalytic results for several stream ciphers. The thesis provides a general introduction to cryptology, explains the basic concepts, gives an overview of various cryptographic primitives and discusses a number of different attack models. The first new attack given is a linear correlation attack in the form of a distinguishing attack. In this attack a specific class of weak feedback polynomials for LFSRs is identified. If the feedback polynomial is of a particular form the attack will be efficient. Two new distinguishing attacks are given on classical stream cipher constructions, namely the filter generator and the irregularly clocked filter generator. It is also demonstrated how these attacks can be applied to modern constructions. A key recovery attack is described for LILI-128 and a distinguishing attack for LILI-II is given. The European network of excellence, called eSTREAM, is an effort to find new efficient and secure stream ciphers. We analyze a number of the eSTREAM candidates. Firstly, distinguishing attacks are described for the candidate Dragon and a family of candidates called Pomaranch. Secondly, we describe resynchronization attacks on eSTREAM candidates. A general square root resynchronization attack which can be used to recover parts of a message is given. The attack is demonstrated on the candidates LEX and Pomaranch. A chosen IV distinguishing attack is then presented which can be used to evaluate the initialization procedure of stream ciphers. The technique is demonstrated on four candidates: Grain, Trivium, Decim and LEX

Contributions to Confidentiality and Integrity Algorithms for 5G

The confidentiality and integrity algorithms in cellular networks protect the transmission of user and signaling data over the air between users and the network, e.g., the base stations. There are three standardised cryptographic suites for confidentiality and integrity protection in 4G, which are based on the AES, SNOW 3G, and ZUC primitives, respectively. These primitives are used for providing a 128-bit security level and are usually implemented in hardware, e.g., using IP (intellectual property) cores, thus can be quite efficient. When we come to 5G, the innovative network architecture and high-performance demands pose new challenges to security. For the confidentiality and integrity protection, there are some new requirements on the underlying cryptographic algorithms. Specifically, these algorithms should: 1) provide 256 bits of security to protect against attackers equipped with quantum computing capabilities; and 2) provide at least 20 Gbps (Gigabits per second) speed in pure software environments, which is the downlink peak data rate in 5G. The reason for considering software environments is that the encryption in 5G will likely be moved to the cloud and implemented in software. Therefore, it is crucial to investigate existing algorithms in 4G, checking if they can satisfy the 5G requirements in terms of security and speed, and possibly propose new dedicated algorithms targeting these goals. This is the motivation of this thesis, which focuses on the confidentiality and integrity algorithms for 5G. The results can be summarised as follows.1. We investigate the security of SNOW 3G under 256-bit keys and propose two linear attacks against it with complexities 2172 and 2177, respectively. These cryptanalysis results indicate that SNOW 3G cannot provide the full 256-bit security level. 2. We design some spectral tools for linear cryptanalysis and apply these tools to investigate the security of ZUC-256, the 256-bit version of ZUC. We propose a distinguishing attack against ZUC-256 with complexity 2236, which is 220 faster than exhaustive key search. 3. We design a new stream cipher called SNOW-V in response to the new requirements for 5G confidentiality and integrity protection, in terms of security and speed. SNOW-V can provide a 256-bit security level and achieve a speed as high as 58 Gbps in software based on our extensive evaluation. The cipher is currently under evaluation in ETSI SAGE (Security Algorithms Group of Experts) as a promising candidate for 5G confidentiality and integrity algorithms. 4. We perform deeper cryptanalysis of SNOW-V to ensure that two common cryptanalysis techniques, guess-and-determine attacks and linear cryptanalysis, do not apply to SNOW-V faster than exhaustive key search. 5. We introduce two minor modifications in SNOW-V and propose an extreme performance variant, called SNOW-Vi, in response to the feedback about SNOW-V that some use cases are not fully covered. SNOW-Vi covers more use cases, especially some platforms with less capabilities. The speeds in software are increased by 50% in average over SNOW-V and can be up to 92 Gbps.Besides these works on 5G confidentiality and integrity algorithms, the thesis is also devoted to local pseudorandom generators (PRGs). 6. We investigate the security of local PRGs and propose two attacks against some constructions instantiated on the P5 predicate. The attacks improve existing results with a large gap and narrow down the secure parameter regime. We also extend the attacks to other local PRGs instantiated on general XOR-AND and XOR-MAJ predicates and provide some insight in the choice of safe parameters

Designing a secure ubiquitous mammography consultation system

This thesis attempts to design and develop a prototype for mammography image consultation that can work securely within a ubiquitous environment. Mammogram images differ largely from other type of images and it requires special and dedicated techniques to identify the required regions of interest. Thus in Chapter 2 we started to explore the affectivity of the various traditional techniques based on convolution operators (e.g. Sobol, Pretwitt, Canny) for mammography edge detection. The second part of chapter 2 tries to enhance the results obtained via the traditional techniques by hybriding some of them. The hybriding technique is called in our thesis as Pipelined Operators. In this direction we proposed four pipeline operators, which contribute to the edge enhancement as well as abnormalities rendering through the introduction of an additional coloring mechanism. Although the visualization pipelines represent in our view an advancement on the traditional techniques applied to mammograms, such pipelines expose healthcare users to further usage complexities. For this purpose we extended our research work in chapter 2 to find a better single technique that can work smoothly within the healthcare system. In this direction, we developed in the third part of chapter 2 a novel technique for finding edges based on analyzing the dynamic and fuzzy nature of edges in mammograms. We called our developed method as "Dynamic Fuzzy Classifier or the DFC"