Lund University Publications

Analysis and design of modern stream ciphers (invited paper)

• Mark

Johansson, Thomas ^LU

Abstract

Summary form only given. When designing symmetric ciphers, security and performance are of utmost importance. When selecting a symmetric encryption algorithm, the first choice is whether to choose a block cipher or a stream cipher. Most modern block ciphers offer a sufficient security and a reasonably good performance. But a block cipher must usually be used in a "stream cipher" mode of operation, which suggests that using a pure stream cipher primitive might be beneficial. Modern stream ciphers indeed offer an improved performance compared with block ciphers (typically at least a factor 4-5 if measured in speed). However, the security of modern stream ciphers is not as well understood as for block ciphers. Most stream ciphers that have... (More)

Summary form only given. When designing symmetric ciphers, security and performance are of utmost importance. When selecting a symmetric encryption algorithm, the first choice is whether to choose a block cipher or a stream cipher. Most modern block ciphers offer a sufficient security and a reasonably good performance. But a block cipher must usually be used in a "stream cipher" mode of operation, which suggests that using a pure stream cipher primitive might be beneficial. Modern stream ciphers indeed offer an improved performance compared with block ciphers (typically at least a factor 4-5 if measured in speed). However, the security of modern stream ciphers is not as well understood as for block ciphers. Most stream ciphers that have been widely spread, like RC4, A5/1, have security weaknesses. It is clear that modern stream cipher designs, represented by proposals like Panama, Mugi, Sober, Snow, Seal, Scream, Turing, Rabbit, Helix, and many more, are very far from classical designs like nonlinear filter generators, nonlinear combination generators, etc. one major difference is that classical designs are bit-oriented, whereas modern designs tend to operate on (e.g. 32 bit) words to provide efficient software implementations. This leads to the usage of different operations. Modern stream ciphers use building blocks very similar to those used in block ciphers. Essentially all modern stream cipher designs use S-boxes in one way or the other and combine this with various linear operations, essentially following the old confuse and diffuse paradigm from Shannon. In this invited talk, we give the overview of various methods for cryptanalysis of modern stream ciphers. This includes time-memory tradeoff attacks, correlation attacks, and the very interesting algebraic attacks. This gives us lots of useful feedback when considering the design of secure and fast stream ciphers (Less)