Zahra Ahmadian
Electrical Engineering Department
Sahrif University of Technology ahmadian@ee.sharif.ir

• The development of stream ciphers
• Two types of stream ciphers
– Synchronizing stream ciphers
– Self synchronizing stream ciphers
• Cryptanalyses of stream ciphers
• eStream project
• Conclusion

Taxonomy of cryptographic primitives
Keyed Hash Functions

• Vernam one time pad cipher: a sequence of independent and uniformly distributed bits.
•  its perfect security is proven by Shannon; I(M,C)=0.
•  No deterministic algorithm can produce truly independent outputs.
•  The keystream should be at least as long as the plaintext and each key should be used only once so the exchanging of the private key becomes difficult.

The development of Stream cipher
• Tries to be a generalization of Vernam cipher.
• Turning a blind eye, Stream ciphers can be considered as
Pseudo Random Generators (PRG).
• Generation of a periodic key stream with
– maximal period,
– Maximal linear complexity,
– Easy to implement,
– Fast algorithm,
– Easily controlled by the key.

• Stream ciphers are typically
• Faster
– Suitable for real time scenarios
– multi-Gigabit-per-second communications e.g. routers
• More efficient compact implementation
– Suitable for constrained devices
• zero error propagation
– Suitable for radio communications

• A5 family in GSM mobile network
• SNOW 3G in UMTS mobile network
• E0 in Bluetooth
• RC4 in Wired Equivalent Privacy (WEP)
• …

Comparison of synchronous and Self synchronizing Stream ciphers
Property
Synchronizing
Error propagation
Detection of active attacks
Ctx only
Known Ptx
Possible attack scenarios
Chosen Ptx
Known Ctx synchronous
Weak (IV is needed)
Good
Weak
Yes
Yes
No
No
Self synchronizing
Good
Weak
Good
Yes
Yes
Yes
Yes

• The standard assumption: KNOWN PLAINTEXT
ATTACK
• This implies knowledge of the keystream

• Key Recovery attacks
– Recover the secret key k.
• Distinguishing Attacks
– Build a distinguisher that can distinguish the running key from a random sequence
• Other attacks:
– Prediction of the next symbol
– Recovering the initial state
– …

• Universal distinguishers
– Apply known statistical tests
• Time-memory tradeoff attacks
– Decrease computational complexity by using memory
• Guess-and-determine
– Guess unknown things on demand

• Correlation attacks
– Dependence between output and internal unknown variables
• Linear attacks
– Apply linear approximations
• Algebraic attacks
– View your problem as the solution to a system of nonlinear equations

• Held by ECRYPT a consortium of European research organizations.
• A multi-year effort running from 2004 to 2008
• A Call for Stream Cipher Primitives to identify new stream ciphers suitable for widespread adoption.

• The submissions fall into either or both of two profiles:
– Profile 1: Stream ciphers for software applications with high throughput requirements
– Profile 2: Stream ciphers for hardware applications with restricted resources such as limited storage, gate count, or power consumption.

• Phase 1. a general analysis of all submissions based on their security, performance, simplicity, flexibility, justification, clarity and completeness of the documentation.
• Phase 2. For each of the profiles, a number of algorithms have been selected to be focus Phase 2 algorithm.

• Phase 3. for each of the profiles, eight candidate have been introduced to be analyzed with more scrutiny,
• It ended April 15, 2008 with the announcement of the candidates that had been selected for the final eSTREAM portfolio.
Profile 1 (SW)
HC-128
Rabbit
Salsa20/12
SOSEMANUK
Profile 2 (HW)
Grain v1
MICKEY v2
Trivium

• Due to the advantages of stream ciphers, they are widely used in many applications (e.g. wireless)
• Before eStream project, there was a little work on stream ciphers.
• eStream introduced new block cipher designs and also results in a extensive development in cryptanalysis method for stream ciphers.
• A serious competitor for stream ciphers are block ciphers in counter or OFB modes of operation.