Some Results on Distinguishing Attacks on Stream Ciphers

Stream ciphers are cryptographic primitives that are used to ensure the privacy of a message that is sent over a digital communication channel. In this thesis we will present new cryptanalytic results for several stream ciphers. The thesis provides a general introduction to cryptology, explains the basic concepts, gives an overview of various cryptographic primitives and discusses a number of different attack models. The first new attack given is a linear correlation attack in the form of a distinguishing attack. In this attack a specific class of weak feedback polynomials for LFSRs is identified. If the feedback polynomial is of a particular form the attack will be efficient. Two new distinguishing attacks are given on classical stream cipher constructions, namely the filter generator and the irregularly clocked filter generator. It is also demonstrated how these attacks can be applied to modern constructions. A key recovery attack is described for LILI-128 and a distinguishing attack for LILI-II is given. The European network of excellence, called eSTREAM, is an effort to find new efficient and secure stream ciphers. We analyze a number of the eSTREAM candidates. Firstly, distinguishing attacks are described for the candidate Dragon and a family of candidates called Pomaranch. Secondly, we describe resynchronization attacks on eSTREAM candidates. A general square root resynchronization attack which can be used to recover parts of a message is given. The attack is demonstrated on the candidates LEX and Pomaranch. A chosen IV distinguishing attack is then presented which can be used to evaluate the initialization procedure of stream ciphers. The technique is demonstrated on four candidates: Grain, Trivium, Decim and LEX

Association between the number of coadministered P-glycoprotein inhibitors and serum digoxin levels in patients on therapeutic drug monitoring

BACKGROUND: The ABC transporter P-glycoprotein (P-gp) is recognized as a site for drug-drug interactions and provides a mechanistic explanation for clinically relevant pharmacokinetic interactions with digoxin. The question of whether several P-gp inhibitors may have additive effects has not yet been addressed. METHODS: We evaluated the effects on serum concentrations of digoxin (S-digoxin) in 618 patients undergoing therapeutic drug monitoring. P-gp inhibitors were classified as Class I, with a known effect on digoxin kinetics, or Class II, showing inhibition in vitro but no documented effect on digoxin kinetics in humans. Mean S-digoxin values were compared between groups of patients with different numbers of coadministered P-gp inhibitors by a univariate and a multivariate model, including the potential covariates age, sex, digoxin dose and total number of prescribed drugs. RESULTS: A large proportion (47%) of the digoxin patients undergoing therapeutic drug monitoring had one or more P-gp inhibitor prescribed. In both univariate and multivariate analysis, S-digoxin increased in a stepwise fashion according to the number of coadministered P-gp inhibitors (all P values < 0.01 compared with no P-gp inhibitor). In multivariate analysis, S-digoxin levels were 1.26 ± 0.04, 1.51 ± 0.05, 1.59 ± 0.08 and 2.00 ± 0.25 nmol/L for zero, one, two and three P-gp inhibitors, respectively. The results were even more pronounced when we analyzed only Class I P-gp inhibitors (1.65 ± 0.07 for one and 1.83 ± 0.07 nmol/L for two). CONCLUSIONS: Polypharmacy may lead to multiple drug-drug interactions at the same site, in this case P-gp. The S-digoxin levels increased in a stepwise fashion with an increasing number of coadministered P-gp inhibitors in patients taking P-gp inhibitors and digoxin concomitantly. As coadministration of digoxin and P-gp inhibitors is common, it is important to increase awareness about P-gp interactions among prescribing clinicians

A new simple technique to attack filter generators and related ciphers

This paper presents a new simple distinguishing attack that can be applied on stream ciphers constructed from filter generators or similar structures. We demonstrate the effectiveness by describing key recovery attacks on the stream cipher LILI-128. One attack on LILI-128 requires 247 bits of keystream and a computational complexity of roughly 253. This is a significant improvement compared to other known attack

Three Ways to Mount Distinguishing Attacks on Irregularly Clocked Stream Ciphers

Many stream ciphers use irregular clocking to introduce nonlinearity to the keystream. We present three distinguishers on irregularly clocked linear feedback shift registers. The general idea used is to find suitable linear combinations of keystream bits, here called samples, that are drawn from a biased distribution. We describe how to place windows around the estimated positions around members of the linear combinations, and very efficiently create many samples with low computational complexity. We also describe ideas based on constructing samples consisting of vectors of bits (words) instead of single binary samples. These vectors based methods can distinguish the cipher using fewer keystream bits but sometimes require a higher computational complexity

Attack the dragon

Dragon is a word oriented stream cipher submitted to the ECRYPT project, it operates on key sizes of 128 and 256 bits. The original idea of the design is to use a nonlinear feedback shift register (NLFSR) and a linear part (counter), combined by a filter function to generate a new state of the NLFSR and produce the keystream. The internal state of the cipher is 1088 bits, i.e., any kinds of TMD attacks are not applicable. In this paper we present two statistical distinguishers that distinguish Dragon from a random source both requiring around O(2(155)) words of the keystream. In the first scenario the time complexity is around O(2(155+32)) with the memory complexity O(2(32)), whereas the second scenario needs only O(2(155)) of time, but O(2(96)) of memory. The attack is based on a statistical weakness introduced into the keystream by the filter function F. This is the first paper presenting an attack on Dragon, and it shows that the cipher does not provide full security when the key of size 256 bits is used

A note on distinguishing attacks

A new distinguishing attack scenario for stream ciphers, allowing a resynchronization collision attack, is presented. The attack can succeed if the part of the state that depends on both the key and the IV is smaller than twice the key size. It is shown that the attack is applicable to block ciphers in OFB mode. For OFB mode, the attack is more powerful than the previously known generic distinguishing attack since it will directly recover a part of the plaintext while having the same asymptotic complexity as the generic distinguishing attack. The attack is also demonstrated on the eSTREAM candidate LEX. LEX is not vulnerable to any of the previously known generic distinguishing attack but is vulnerable to the new attack. It is shown that if approximately 265.7 resynchronizations using LEX are performed for the same key, some plaintext might be recovered

Correlation attacks using a new class of weak feedback polynomials

In 1985 Siegenthaler introduced the concept of correlation attacks on LFSR based stream ciphers. A few years later Meier and Staffelbach demonstrated a special technique, usually referred to as fast correlation attacks, that is very effective if the feedback polynomial has a special form, namely, if its weight is very low. Due to this seminal result, it is a well known fact that one avoids low weight feedback polynomials in the design of LFSR based stream ciphers. This paper identifies a new class of such weak feedback polynomials, polynomials of the form f(x) = g(1) (x) + g(2) (x)x(M1) + (...) + g(t)(x)x(Mt-1), where g(1), g(2), (...), g(t) are all polynomials of low degree. For such feedback polynomials, we identify an efficient correlation attack in the form of a distinguishing attack

Two General Attacks on Pomaranch-like Keystream Generators

Two general attacks that can be applied to all versions and variants of the Pomaranch stream cipher are presented. The attacks are demonstrated on all versions and succeed with complexity less than exhaustive keysearch. The first attack is a distinguisher which needs keystream from only one or a few IVs to succeed. The attack is not only successful on Pomaranch Version 3 but has also less computational complexity than all previously known distinguishers for the first two versions of the cipher. The second attack is an attack which requires keystream from an amount of IVs exponential in the state size. It can be used as a distinguisher but it can also be used to predict future keystream bits corresponding to an IV if the first few bits are known. The attack will succeed on all versions of Pomaranch with complexities much lower than previously known attacks

A framework for chosen IV statistical analysis of stream ciphers

Saarinen recently proposed a chosen IV statistical attack, called the $d$-monomial test, and used it to find eaknesses in several proposed stream ciphers. In this paper we generalize this idea and propose a framework for chosen IV statistical attacks using a polynomial description. We propose a few new statistical attacks, apply them on some existing stream cipher proposals, and give some conclusions regarding the strength of their IV initialization. In particular, we experimentally detected statistical weaknesses in some state bits of Grain-128 with full IV initialization as well as in the keystream of Trivium using an initialization reduced to 736 rounds from 1152 rounds. We also propose some stronger alternative initialization schemes with respect to these statistical attacks

Attack the Dragon

Dragon is a word oriented stream cipher submitted to the ECRYPT project, it operates on key sizes of 128 and 256 bits. The original idea of the design is to use a nonlinear feedback shift register (NLFSR) and a linear part (counter), combined by a filter function to generate a new state of the NLFSR and produce the keystream. The internal state of the cipher is 1088 bits, i.e., any kinds of TMD attacks are not applicable. In this paper we present two statistical distinguishers that distinguish Dragon from a random source both requiring around O(2 ) words of the keystream. In the first scenario the time complexity is around O(2 ) with the memory complexity O(2 ), whereas the second scenario needs only O(2 ) of time, but O(2 ) of memory. The attack is based on a statistical weakness introduced into the keystream by the filter function F . This is the first paper presenting an attack on Dragon, and it shows that the cipher does not provide full security when the key of size 256 bits is used