Cellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi

Similar documents
A Weak Cipher that Generates the Symmetric Group

Cryptanalysis of a homomorphic public-key cryptosystem over a finite group

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Classical Cryptography

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

Cryptanalysis of Hiji-bij-bij (HBB)

Atypical usage of one-way hash functions for data integrityisasfollows. The hash-value corresponding to a particular message M is computed at time t 1

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Transform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and

Modified Berlekamp-Massey algorithm for approximating the k-error linear complexity of binary sequences

Cryptanalysis of the Stream Cipher ABC v2

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

DD2448 Foundations of Cryptography Lecture 3

A block cipher enciphers each block with the same key.

Stream Ciphers: Cryptanalytic Techniques

STREAM CIPHER. Chapter - 3

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

The LILI-128 Keystream Generator

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Breaking an encryption scheme based on chaotic Baker map

Fast Correlation Attacks: an Algorithmic Point of View

Distinguishing Attack on Common Scrambling Algorithm

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Cryptanalysis of a Multistage Encryption System

Lecture Notes. Advanced Discrete Structures COT S

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Introduction to Cryptology. Lecture 2

Royal Holloway University of London

hold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies

Exercise Sheet Cryptography 1, 2011

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme

Cryptanalysis of Achterbahn

Structural Cryptanalysis of SASAS

Linear Cellular Automata as Discrete Models for Generating Cryptographic Sequences

Fast Correlation Attacks: An Algorithmic Point of View

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Lecture 12: Block ciphers

Algebraic attack on stream ciphers Master s Thesis

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Gurgen Khachatrian Martun Karapetyan

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Algebraic Aspects of Symmetric-key Cryptography

Combinatorics of p-ary Bent Functions

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Chapter 2 Classical Cryptosystems

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Cryptanalysis of the Stream Cipher DECIM

Private-key Systems. Block ciphers. Stream ciphers

Algebraic Attacks on Stream Ciphers with Linear Feedback

Improved Cascaded Stream Ciphers Using Feedback

Differential Attack on Five Rounds of the SC2000 Block Cipher

A Block Cipher using an Iterative Method involving a Permutation

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Impossible Differential Attacks on 13-Round CLEFIA-128

Notes on Alekhnovich s cryptosystems

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Detection and Exploitation of Small Correlations in Stream Ciphers

of the Data Encryption Standard Fauzan Mirza

Algebraic Attack Against Trivium

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Public-key Cryptography: Theory and Practice

arxiv:nlin/ v1 [nlin.cd] 10 Aug 2006

Modified Hill Cipher with Interlacing and Iteration

Thesis Research Notes

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

Notes 10: Public-key cryptography

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

AES side channel attacks protection using random isomorphisms

Revisit and Cryptanalysis of a CAST Cipher

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Introduction to Cryptography

Cube attack in finite fields of higher order

Optimized Interpolation Attacks on LowMC

Solution to Midterm Examination

Weak key-iv Pairs in the A5/1 Stream Cipher

Reprint of pp in Advances in Cryptology-EUROCRYPT'90 Proceedings, LNCS 473, Springer-Verlag, Xuejia Lai and James L.

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Math-Net.Ru All Russian mathematical portal

Constructing c-ary Perfect Factors

Linear Approximations for 2-round Trivium

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Cryptanalysis of the TTM Cryptosystem

CSCI3381-Cryptography

Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences

Jay Daigle Occidental College Math 401: Cryptology

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Structural Cryptanalysis of SASAS

UNPREDICTABLE BINARY STRINGS

Unpredictable Binary Strings

PLAINTEXT RECOVERY IN DES-LIKE CRYPTOSYSTEMS BASED ON S-BOXES WITH EMBEDDED PARITY CHECK. Vesela Angelova, Yuri Borissov

Transcription:

Comments on \Theory and Applications of Cellular Automata in Cryptography" S.R. Blackburn, S. Murphy y and K.G. Paterson z Information Security Group,Royal Holloway, University of London, Surrey TW20 0EX, U.K. June 26, 1995 Abstract The cipher systems based on Cellular Automata proposed by Nandi et al. [3] are ane and are insecure. Index Terms Cryptography, block ciphers, stream ciphers, cellular automata, ane group. This author's research supported by EPSRC Research Grant No. GR/H23719. y This author acknowledges the support of the Nueld Foundation z This author's research supported by a Lloyd's of London Tercentenary Foundation Research Fellowship. 1

In [3], the authors present cryptographic transformations based on Cellular Automata. These transformations are used to dene block ciphers and stream ciphers. It is claimed that the cryptographic transformations generate the alternating group and that the cryptosystems are secure. Both of these claims are incorrect. The systems in [3] are based on permutations of the vector space V N of dimension N over GF (2). These permutations are obtained from Cellular Automata. The specic permutations used (called fundamental transformations in [3]) are in fact ane. Thus the group generated by these permutations is a subgroup of the Ane group on V N and not the Alternating group A VN as claimed. The ane group is a small subgroup of the alternating group. In any case, knowing that the group generated by the cryptographic transformations contains the alternating group gives no guarantee of security (see [2]). The various ciphers proposed are cryptographically weak as they depend on ane transformations. We examine each in turn. 2

1 The Block Cipher We rst note that there appears to be no mechanism for changing the key as the authors propose that it is stored in ROM. The ability tochange the key is essential for any cipher. Our cryptanalysis is independent of this observation. The block cipher proposed in [3] uses p dierent enciphering functions E 0 ::: E p;1. Plaintext block i + jp (0 i<p) is enciphered using E i.each E i is an ane cipher, as it is a composition of ane transformations. (N +1) chosen plaintext{ciphertext pairs encrypted under E i suce to deduce E i, see [1]. In any case, the probability of being able to deduce E i given k known plaintext{ciphertext pairs is at least 1 ; 2 N +1;k.For example, given 2N plaintext-ciphertext pairs encrypted under E i,we can deduce E i with probability at least 1 ; 2 ;(N ;1). Thus this block cipher is insecure against both chosen and known plaintext attacks. 2 The Stream Ciphers Two stream ciphers are proposed in [3]. Both produce L bits each time they are clocked. Four consecutive bits are extracted and XORed with a block of four bits of the plaintext, to produce the ciphertext. We cryptanalyse each of the stream ciphers in turn. 3

2.1 PCA with ROM Generator The PCA with ROM generator consists of l invertible L L binary matrices R 0 ::: R l;1 stored in ROM. Let V be an L dimensional binary vector space. The state of the generator v(t) :=(v 1 (t) ::: v L (t)) at time t is an element of V.At time (t + 1), the new state of the generator is dened by v(t +1)= R t 0v(t), where t 0 = t mod l. At time t, the generator outputs the four bits v h (t) v h+1 (t) v h+2 (t) andv h+3 (t) where h is time independent. This generator is insecure as decimations of its output sequence have low linear complexity. For example, consider the sequence w = w(0) w(1) ::: dened by w(j) :=v h (jl): This sequence is v h decimated by l. Ifwe set A = Q l;1 i=0 R i,so v((j +1)l) =Av(jl) and set to be the linear map from V to GF (2) mapping (v 1 ::: v L )tov h, then we may write w(j) =A j v(0): Suppose A has characteristic polynomial c(x) := P L i=0 c ix i. By the Cayley{ Hamilton theorem c(a) = 0,so LX i=0 c i w(j + i) = LX i=0 c i A j+i v(0) = A j c(a)v(0) = 0: 4

Hence w has linear complexity atmostl. A similar argument shows that any decimation by l of any of the four sequences produced by the generator has linear complexity at most L. Thus the keystream consists of an interleaving of 4l sequences, each of linear complexity at most L. By using the Berlekamp{ Massey algorithm on 2L bits of each ofthe4l decimated sequences, the keystream generator can therefore be determined in complexity O(L 2 l). Since both l and L are small (the values L =8,l = 16 are suggested in [3]), the generator is insecure. 2.2 The Two Stage PCA Generator The second generator consists of two cellular automata PCA 1 and PCA 2. PCA 2 has a xed next state function and is regularly clocked. Its output is used to control the next state function of PCA 1. We can dene the automaton PCA 2 as follows. Its current state k(t) = (k 1 (t) k 2 (t) ::: k L (t)) is a binary vector of length L. The next state k(t+1) is M(x 1 ::: x L )k(t), where the elements x i 2 GF (2) are part of the key and M(x 1 ::: x L )isthel L matrix dened as follows. Let P be the L L binary matrix having ones on its super{ and sub{diagonals and zeros 5

elsewhere, so P ij = 8 >< >: 1 when j = i 1 0 otherwise. Then M(x 1 ::: x L ) is the matrix P +diag(x 1 ::: x L ). The state of PCA 1 at time t is a binary vector v(t) :=(v 1 (t) ::: v L (t)): Its next state v(t + 1) is dened by v(t +1)=M(k(t))v(t): Thus the output of PCA 2 controls the next state function of PCA 1. The generator outputs the four bits (v h (t) v h+1 (t) v h+2 (t) v h+3 (t)) at time t, where h is time independent. The generator's key consists of the initial states v(0) of PCA 1 and k(0) of PCA 2, together with the elements x 1 ::: x L 2f0 1g which control the next state function of PCA 2. We cryptanalyse the generator as follows. We assume we have a segment of the keystream (a small multiple of L bits should suce). Firstly, weguess h. There are at most four choices for h in the system proposed in [3] and we try each in turn. We then note that v h+1 (t +1)=v h (t) v h+2 (t) k h+1 (t)v h+1 (t): (1) 6

If we know all the output terms appearing in this equation, we can deduce k h+1 (t) whenever v h+1 (t) 6= 0. The correlation given by this equation is a serious weakness of this type of cipher, whatever the size of L. For the purposes of this cryptanalysis, we assume that v h+1 (t) isanapproximately balanced sequence. If this is not the case, the output sequence is very weak, and is easily analysed. Using our knowledge of the keystream, we can calculate about half the bits in a segment of the sequence k h+1 (0) k h+1 (1) ::: : This sequence has linear complexityatmostl, since it is generated by PCA 2 which has a linear next state function and output function. Wemay therefore recover all the sequence k h+1 (0) k h+1 (1) ::: using standard techniques (see for example [1, pages 209-214]). Similarly, by examining the output sequences v h+1 (t), v h+2 (t) and v h+3 (t) we can recover the sequence k h+2 (0) k h+2 (1) :::. We have obtained two of the output sequences for the generator PCA 2. We next guess values x 0 1 :::x0 L 2 f0 1g for x 1 ::: x L. There are 2 L possibilities and testing each in turn constitutes the main work needed in breaking the system. When L = 16, as suggested, this number of guesses is very manageable. For each guess x 0 1 ::: x0 L,we construct a system of 4L linear equations in L ; 2 variables which correspond to the unknown bits of the initial state. If is the linear map from V to GF (2) 2 which 7

maps (w 1 ::: w L )to(w h+1 w h+2 ), then the (2i)th and (2i + 1)th equations correspond to the vector equation M(x 0 1 ::: x0 L) i =(k h+1 (i) k h+2 (i)): If these linear equations are inconsistent, our guess x 0 1 ::: x0 L is wrong. This consistency test rules out nearly all possibilities for x 1 ::: x L. If, however, the equations are consistent, they produce a unique value for the initial state. Assuming that a particular choice of x 0 1 ::: x0 L has passed the test above, we then check ifthischoice is consistent withourknowledge of the output of PCA 1.We do this as follows. Suppose that our guess is correct. In this case, we know the initial state k(0) of PCA 2,sowe can generate the next state matrix of PCA 1 at any time t. We can use this information, together with our knowledge of the output of PCA 1, to reconstruct the initial state v(0) of PCA 1 by solving a set of linear equations in L ;2 variables. However, for an incorrect guess the linear equations we produce are likely to be inconsistent. We can generate more equations by using more cipher output bits. The probability of inconsistency then converges to one geometrically fast. In summary, bychecking each possibility for x 1 ::: x L for consistency with the known outputs of PCA 2 and then with the known outputs of PCA 1, we can nd with very high probability the next state function of PCA 2. In accomplishing this, wehave derived k(0) and can easily calculate v(0). We 8

have therefore found the complete key using a small amount ofkeystream and 4:2 L =2 L+2 trials. This compares with the value of approximately 2 3L trials given in [3]. Moreover, the correlation expressed by equation (1) makes the generator even more insecure than we have described. Since the suggested value of L is 16 [3], this shows that the two stage PCA generator as proposed is insecure. References [1] H. Beker and F. Piper, Cipher Systems (Van Nostrand, London, 1982). [2] S. Murphy, K. Paterson and P. Wild, `A Weak Cipher that Generates the Symmetric Group', Journal of Cryptology Vol. 7, 1994, pp61-65. [3] S. Nandi, B.K. Kar and P. Pal Chaudhuri, `Theory and Applications of Cellular Automata in Cryptography', IEEE Trans. Comp. Vol. 43, No. 12 December 1994, pp. 1346{1357. 9

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback