Paper 2002/020

Cryptanalysis of stream ciphers with linear masking

Don Coppersmith, Shai Halevi, and Charanjit Jutla

Abstract

We describe a cryptanalytical technique for distinguishing some stream ciphers from a truly random process. Roughly, the ciphers to which this method applies consist of a "non-linear process" (say, akin to a round function in block ciphers), and a "linear process" such as an LFSR (or even fixed tables). The output of the cipher can be the linear sum of both processes. To attack such ciphers, we look for any property of the "non-linear process" that can be distinguished from random. In addition, we look for a linear combination of the linear process that vanishes. We then consider the same linear combination applied to the cipher's output, and try to find traces of the distinguishing property. In this report we analyze two specific "distinguishing properties". One is a linear approximation of the non-linear process, which we demonstrate on the stream cipher SNOW. This attack needs roughly $2^{95}$ words of output, with work-load of about $2^{100}$. The other is a "low-diffusion" attack, which we apply to the cipher Scream-0. The latter attack needs only about $2^{43}$ bytes of output, using roughly $2^{50}$ space and $2^{80}$ time.
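The following toy model is an added example, not code from the paper or from the SNOW/Scream-0 ciphers; it illustrates the abstract's linear-approximation variant of the technique at the scale of a few thousand words rather than $2^{95}$. The cipher, the LFSR recurrence `s_{t+4} = s_t ^ s_{t+1}`, the mask `MASK = 0x1B`, the biased stand-in for the non-linear process and the seeds are all constructed assumptions. The point it makes is the one stated above: a linear combination that vanishes on the linear process, applied to the keystream, leaves only the non-linear process, whose bias a hypothesis test can then detect.

```python
import random

# Toy model, constructed for this example, of a stream cipher "with linear masking":
# keystream z_t = s_t XOR n_t, where s_t is a word-wise LFSR (the linear process)
# and n_t comes from a non-linear process that admits a biased linear approximation.
# The real ciphers analysed in the paper (SNOW, Scream-0) are not modelled here.

WORD_BITS = 8
MASK = 0x1B        # assumed linear approximation of the non-linear process:
                   # parity(n_t & MASK) == 0 holds with probability 1/2 + eps
COMB = (0, 1, 4)   # the recurrence s_{t+4} = s_t ^ s_{t+1} makes s_t ^ s_{t+1} ^ s_{t+4} vanish


def parity(x):
    """Parity (XOR of all bits) of a non-negative integer."""
    return bin(x).count("1") & 1


def lfsr_words(seed, n):
    """Linear process: word-wise LFSR with recurrence s_{t+4} = s_t ^ s_{t+1}.
    `seed` is a list of four words (not all zero); returns the first n output words."""
    state = list(seed)
    out = []
    for _ in range(n):
        out.append(state[0])
        state = state[1:] + [state[0] ^ state[1]]
    return out


def biased_nonlinear_words(rng, n, bias):
    """Stand-in for the non-linear process: uniformly random words, except that
    parity(n_t & MASK) is forced to 0 with probability `bias`, so the linear
    approximation holds with probability 1/2 + bias/2 instead of exactly 1/2."""
    low_bit = MASK & -MASK
    out = []
    for _ in range(n):
        w = rng.getrandbits(WORD_BITS)
        if rng.random() < bias and parity(w & MASK):
            w ^= low_bit  # flip one masked bit so the masked parity becomes even
        out.append(w)
    return out


def keystream(seed, rng, n, bias):
    """Cipher output: the linear sum (XOR) of the two processes."""
    s = lfsr_words(seed, n)
    nl = biased_nonlinear_words(rng, n, bias)
    return [a ^ b for a, b in zip(s, nl)]


def combination(words):
    """Apply the combination c_t = w_t ^ w_{t+1} ^ w_{t+4} to any word sequence.
    On the LFSR output it is identically zero; on the keystream it equals
    n_t ^ n_{t+1} ^ n_{t+4}, i.e. the linear process has been cancelled out."""
    span = max(COMB)
    out = []
    for t in range(len(words) - span):
        c = 0
        for i in COMB:
            c ^= words[t + i]
        out.append(c)
    return out


def zero_fraction(words):
    """Fraction of positions where parity(c_t & MASK) == 0. For a truly random
    source this is about 1/2; with per-word bias eps the piling-up lemma gives
    about 1/2 + 4*eps^3 for the XOR of three independent words."""
    bits = [parity(c & MASK) for c in combination(words)]
    return bits.count(0) / len(bits)


def looks_like_cipher(words, threshold=0.53):
    """Hypothesis test: decide 'cipher' when the masked combination is biased toward 0.
    The threshold suits ~2^14 samples with eps = 1/4 (expected 0.5625 versus 0.5)."""
    return zero_fraction(words) > threshold


def demo(n=1 << 14):
    rng = random.Random(2002)                 # fixed seed so the run is reproducible
    seed = [0x3C, 0xA5, 0x5A, 0xC3]           # constructed LFSR seed
    cipher = keystream(seed, rng, n, bias=0.5)  # eps = bias/2 = 1/4
    truly_random = [rng.getrandbits(WORD_BITS) for _ in range(n)]
    return {
        "lfsr_combination_vanishes": all(c == 0 for c in combination(lfsr_words(seed, n))),
        "cipher_zero_fraction": zero_fraction(cipher),
        "random_zero_fraction": zero_fraction(truly_random),
        "cipher_detected": looks_like_cipher(cipher),
        "random_detected": looks_like_cipher(truly_random),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the combination vanishing on the pure LFSR stream, a zero fraction near 0.56 on the keystream and near 0.50 on random words. The data requirement grows as roughly 1/eps'^2 where eps' is the bias after piling up, which is why the abstract's real attacks need on the order of $2^{95}$ words for SNOW: the same test, with a far smaller bias.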

Metadata

Available format(s): PDF, PS
Category: Secret-key cryptography
Publication info: Published elsewhere. Extended abstract appears in Crypto'02.
Keywords: Hypothesis testing, Linear cryptanalysis, Linear masking, Low-Diffusion attacks, Stream ciphers
Contact author(s): shaih @ watson ibm com
History: 2002-06-05: last of 2 revisions; 2002-02-16: received
Short URL: https://ia.cr/2002/020
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2002/020,
      author = {Don Coppersmith and Shai Halevi and Charanjit Jutla},
      title = {Cryptanalysis of stream ciphers with linear masking},
      howpublished = {Cryptology {ePrint} Archive, Paper 2002/020},
      year = {2002},
      url = {https://eprint.iacr.org/2002/020}
}