Security Analysis On The Initialization Algorithm Of Stream Ciphers

Posted on: 2013-12-16
Degree: Master
Type: Thesis
Country: China
Candidate: L Ding
GTID: 2248330395980562
Subject: Cryptography

Abstract/Summary:
The initialization algorithm is a significant part of a stream cipher and directly influences its security. This thesis divides the initialization algorithms of stream ciphers into three types, taking the extent of difference between the initialization algorithm and the keystream generation algorithm as the criterion. It analyzes the security of the initialization algorithms of MICKEY 2.0, MICKEY-128 2.0, Trivium, Decim v2, K2, Loiss and the Py family of stream ciphers using slide resynchronization attacks, related-key chosen-IV attacks, differential attacks and distinguishing attacks. The results are as follows.

1. For type-one stream ciphers, this thesis proposes attacks on the initialization algorithms of MICKEY 2.0, MICKEY-128 2.0 and Trivium. Slide resynchronization attacks and related-key chosen-IV attacks on MICKEY 2.0 and MICKEY-128 2.0 are presented. The attacker can break these two stream ciphers in less than 3 minutes when 65 and 113 related keys for MICKEY 2.0 and MICKEY-128 2.0 are obtained, respectively. The experimental result corroborates our attack. The results show that there exists a weakness in the initialization algorithms of MICKEY 2.0 and MICKEY-128 2.0, and that they are extremely weak against related-key attacks. A differential cryptanalysis of Trivium based on automatic search is presented, which enables us to obtain differential paths on arbitrary-round Trivium. A distinguishing attack on 288-round Trivium is proposed, which requires 2^26 chosen IVs with a distinguishing advantage of 0.999665. The result is much better than current single linear cryptanalysis and linear cryptanalysis with multiple approximations on 288-round Trivium. The experimental result corroborates our attack. We also apply the attack to more-round Trivium and to the modified Trivium proposed by Turan and Kara. The results show that Trivium reduced to no more than 359 (out of 1152) initialization rounds is weak against differential cryptanalysis, and that modified Trivium resists differential cryptanalysis better than the original Trivium.

2. For type-two stream ciphers, this thesis proposes attacks on the initialization algorithms of Decim v2, K2 and Loiss. Related-key chosen-IV attacks on Decim v2 and K2 are proposed. When more than 7 related keys are obtained, Decim v2 can be broken in real time, and the experimental result corroborates our attack. Our attack can recover the 256-bit initial key with a computational complexity of O(2^193), requiring two related keys, 2^193 chosen IVs, and 2^196.09 keystream words. These results show that there exists a weakness in the initialization algorithms of Decim v2 and K2, and that they are extremely weak against related-key chosen-IV attacks. Based on the idea of differential collision, a differential path with significant probability over the full initialization of Loiss is presented. A differential collision attack on Loiss is presented based on this differential path. The attack can recover the 128-bit secret key with a computational complexity of O(2^64), requiring two related keys, 2^35.07 chosen IVs and 2^39.07 keystream bytes. The success rate of our attack is quite close to 1. The experimental result corroborates our attack. No attack on Loiss has been published so far. Furthermore, a new initialization algorithm for Loiss is proposed. The modified Loiss provides better resistance against the attacks on the original Loiss and keeps the high speed of the original Loiss.

3. For type-three stream ciphers, this thesis proposes related-key distinguishing attacks on the initialization algorithms of the Py family of stream ciphers. No attack on RCR-32 and RCR-64 has been published so far. Under related keys, this thesis proposes distinguishing attacks on RCR-32 and RCR-64 with data complexity of 2^139.3 and advantage greater than 0.5. We also show that the data complexity of the distinguishing attacks on Py, Pypy, TPy and TPypy proposed by Sekar et al. can be reduced from 2^193.7 to 2^149.3. This result constitutes the best attack on TPypy. By modifying the key setup algorithm, two new stream ciphers, TRCR-32 and TRCR-64, are proposed, derived from RCR-32 and RCR-64 respectively. Based on the security analysis, we conjecture that TRCR-32 and TRCR-64 have better resistance to all previously known cryptanalytic attacks than the original RCR-32 and RCR-64, respectively.
Keywords/Search Tags: Cryptanalysis, Stream cipher, MICKEY 2.0, Trivium, Decim v2, K2, Loiss, Py