On the structural weakness of the GGHN stream cipher

Abstract

GGHN is an RC4-like stream cipher designed to make use of today’s common 32-bit processors. It is 3–5 times faster than RC4. According to its designers, one of the sources of GGHN’s high security is the large size of its secret internal state, which totals 8240 bits. In this paper we show that if an attacker can obtain 2064 specific bits of this internal state, then the attacker can deduce the remaining state bits with limited computation, effectively reducing the secret internal state size by approximately a factor of 4. We then present a fault analysis attack that allows the cryptanalyst to obtain these critical 2064 bits. The whole procedure effectively breaks GGHN using 257×255 induced faults, 2 keystream words for each of these faults, around 257 non-faulted keystream words and negligible computational time.

Appendices

Appendix A: Reducing GGHN internal state: a toy example

In this appendix, we provide an example of applying the method described in Section 5. Consider GGHN(2,8), a toy version of GGHN, in which the S table has 2² = 4 elements and the internal word size is 8 bits. By x ^L we shall now denote the 2 least significant bits of x, and the remaining 6 most significant bits are denoted x ^R. Thus x ^L can take values from 0, ..., 3, and x ^R from 0, ..., 63.

Let the indices i, j and the value k of the internal state of GGHN(2,8) at some time be as shown in Table 1.

Table 1 Internal state variables: i, j and k

and let the S table be as shown in Table 2.

Table 2 The S table

Suppose that the attacker was able to recover the 2 least significant bits of every internal state word, given by the first column in Table 3. Then the attacker can continue iterating the cipher reduced to 2 bits and obtain the remaining columns of the table.

Table 3 Information known by the attacker

The attacker observes the next 5 keystream words, given in Table 4.

Table 4 Keystream words observed by the attacker

Next, equations of the form in (4) can be constructed. For t = 0, the equation is of the form

$$ S^R_0[a_0]+k^R_1+\sigma_0=z^R_0 $$

From Table 3, we have \(a_0=S^L_0[i_1]+S^L_0[j_1]=S^L_0[2]+S^L_0[2]=1+1=2\), and from Table 4, we know \(z^R_0=50\). Since \(S_0^L[2]+k^L_1>3\), σ ₀ = 1. Thus the equation is:

$$ S^R_0[2]+k^R_1+1=50 $$

Similarly, other equations of the form in (4) are:

$$\begin{array}{l} S^R_1[0]+k^R_2=15\\ S^R_2[1]+k^R_3=44\\ S^R_3[2]+k^R_4=46\\ S^R_4[3]+k^R_5=44 \end{array}$$

Now, the unknowns in the system should be expressed in terms of \(S^R_0[0], \ldots, S^R_0[3], k^R_0\). For this, we use equations (5), (6) and (7):

$$\begin{array}{rll} &S^R_1[2]=k^R_1+S^R_0[2]+1, &S^R_1[0]=S^R_0[0], S^R_1[1]=S^R_0[1], S^R_1[3]=S^R_0[3] \\ &S^R_2[0]=k^R_2+S^R_1[3]+1, &S^R_2[1]=S^R_1[1], S^R_2[2]=S^R_1[2], S^R_2[3]=S^R_1[3]\\ &S^R_3[1]=k^R_3+S^R_2[0], &S^R_3[0]=S^R_2[0], S^R_3[2]=S^R_2[2], S^R_3[3]=S^R_2[3]\\ &S^R_4[2]=k^R_4+S^R_3[1]+1,& S^R_4[0]=S^R_3[0], S^R_4[1]=S^R_3[1], S^R_4[3]=S^R_3[3] \end{array}$$

and

$$\begin{array}{rll} k^R_1&=&k^R_0+S^R_0[2]+1 \\[3pt] k^R_2&=&k^R_1+S^R_1[1] \\[3pt] k^R_3&=&k^R_2+S^R_2[2] \\[3pt] k^R_4&=&k^R_3+S^R_3[1]+1 \\[3pt] k^R_5&=&k^R_4+S^R_4[1]+1 \end{array}$$

Substituting appropriate values yields the following system:

$$\begin{array}{r} k^R_0 + 2S^R_0[2] = 48 \\[3pt] k^R_0 + S^R_0[0] + S^R_0[1] + S^R_0[2] = 14 \\[3pt] 2k^R_0 + 2S^R_0[1]+3S^R_0[2]=41 \\[3pt] 6k^R_0+3S^R_0[1]+9S^R_0[2]+S^R_0[3]=35 \\[3pt] 8k^R_0+5S^R_0[1]+11S^R_0[2]+3S^R_0[3]=29 \end{array}$$

It can easily be verified that the set of values S ^R[0], ..., S ^R[3] in Table 2 is the solution for this system of linear equations.

Appendix B: On the probability of other outcomes when S _t [j _t + 1] is faulted

Consider the output step of the cipher at step t:

$$ z_t=k_{t+1}+S_t[d],\text{ there } d=S_t[i_{t+1}]+S_t[j_{t+1}] $$

Let the assumptions from case 1(c) hold, i.e., i _t + 1 ≠ j _t + 1 ≠ S _t [i _t + 1] + S _t [j _t + 1] and m = j _t + 1. As will be shown, with small probability, contrary to case 1(c) above, z′ _t  = z _t and z′_t + 1 = z _t + 1 can hold. Namely, the faulted S _t [j _t + 1] will cause a difference in k _t + 1, i.e., k′_t + 1 ≠ k _t + 1. However, d will also be different, i.e., another S element will be used. Thus it is possible that z′ _t  = k′_t + 1 + S _t [d′] = z _t , if such S _t [d′] exists, i.e., it is possible that the difference in k is annulled. The probability that this will happen is \(p_A=1/2^{32}\). As for z′_t + 1, even though the assumptions of case 1(c) are fulfilled, this value can also be equal to z _t + 1, with small probability, again contrary to the reasoning in case 1(c). Namely, this will occur if S _t + 1[j _t + 2] is such that k′_t + 2 = k′_t + 1 + S _t + 1[j _t + 2] = k _t + 2. Since this can only happen if j _t + 2 is equal to indices that point to corrupted S values j _t + 1 and S _t [i _t + 1] + S _t [j _t + 1], the probability is \(p_B=(2/256)\times 1/2^{32}\approx 2^{-39}\). Similar probabilities are obtained if case 3 or case 4 is assumed. In case 2 and case 5, this problem cannot arise.

Since in one execution of the fault(t) procedure, m will equal j _t + 1 at most once, and fault(t) is called 257 times, the probability that any of these errors will occur is \(1- ( (1-p_A)\times (1-p_B) )^{257}\approx 2^{-23.9}\), which does not present a problem in practical applications of the attack.