Abstract
GGHN is an RC4-like stream cipher designed to make use of today’s common 32-bit processors. It is 3–5 times faster than RC4. According to its designers, one of the sources of GGHN’s high security is the large size of its secret internal state, which totals 8240 bits. In this paper we show that if an attacker can obtain 2064 specific bits of this internal state, then the attacker can deduce the remaining state bits with limited computation, effectively reducing the secret internal state size by approximately a factor of 4. We then present a fault analysis attack that allows the cryptanalyst to obtain these critical 2064 bits. The whole procedure effectively breaks GGHN using 257×255 induced faults, 2 keystream words for each of these faults, around 257 non-faulted keystream words and negligible computational time.
Acknowledgements
The authors would like to thank Dr. Liam Keliher for proof-reading the initial submission of this paper. The authors would also like to thank the anonymous reviewers for their comments that helped improve the presentation of the paper.
Appendices
Appendix A: Reducing GGHN internal state: a toy example
In this appendix, we provide an example of applying the method described in Section 5. Consider GGHN(2,8), a toy version of GGHN, in which the S table has \(2^2 = 4\) elements and the internal word size is 8 bits. By \(x^L\) we shall now denote the 2 least significant bits of x, and by \(x^R\) the remaining 6 most significant bits. Thus \(x^L\) takes values in 0, ..., 3 and \(x^R\) in 0, ..., 63.
Let the indices i, j and the value k of the internal state of GGHN(2,8) at some time be as shown in Table 1, and let the S table be as shown in Table 2.
Suppose that the attacker was able to recover the 2 least significant bits of every internal state word, given by the first column in Table 3. Since index computations and carries into the low bits depend only on these bits, the attacker can continue iterating the cipher reduced to 2 bits (all additions taken modulo 4) and obtain the remaining columns of the table.
The attacker observes the next 5 keystream words, given in Table 4.
Next, equations of the form in (4) can be constructed. For t = 0, the equation is of the form
From Table 3, we have \(a_0=S^L_0[i_1]+S^L_0[j_1]=S^L_0[2]+S^L_0[2]=1+1=2\), and from Table 4, we know \(z^R_0=50\). Since \(S_0^L[2]+k^L_1>3\), \(\sigma_0 = 1\). Thus the equation is:
Similarly, other equations of the form in (4) are:
Now, the unknowns in the system should be expressed in terms of \(S^R_0[0], \ldots, S^R_0[3], k^R_0\). For this, we use equations (5), (6) and (7):
and
Substituting appropriate values yields the following system:
It can easily be verified that the set of values \(S^R[0], \ldots, S^R[3]\) in Table 2 is the solution of this system of linear equations.
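The reduction of this appendix carried out in code, as an added example that is not part of the paper. The keystream step is the GGHN design (i = i + 1, j = j + S[i], k = k + S[j], output S[S[i] + S[j]] + k, then S[S[i] + S[j]] = k + S[i], with an S table of N = 2^n words of m bits); the function names, the affine-form bookkeeping, the bit-by-bit solver over Z/2^(m-n), and the seeded random state are ours. The attacker is given only the n low bits of the state (S^L, i, j, k^L) plus keystream words, tracks every high word as an affine form in the unknowns S^R_0[0..N-1], k^R_0 exactly as equations (4) to (7) do, and solves the resulting linear system:

```python
"""Toy GGHN(n, m) and the Appendix A state reduction: an added example, not the
paper's code.  The keystream step is the GGHN design (S has N = 2^n m-bit words,
i and j are n-bit, k is m-bit); the bookkeeping and solver are ours.
"""
import itertools
import random

def state_bits(n, m):
    """(total secret state bits, bits the attack needs: S low bits + i + j).
    GGHN(8,32) -> (8240, 2064), the figures quoted in the abstract."""
    return (1 << n) * m + m + 2 * n, (1 << n) * n + 2 * n

def gghn_step(S, i, j, k, n, m):
    """One GGHN(n, m) keystream step, S updated in place; returns (i, j, k, z)."""
    N, M = 1 << n, 1 << m
    i = (i + 1) % N
    j = (j + S[i]) % N
    k = (k + S[j]) % M
    d = (S[i] + S[j]) % N            # indices only ever see the n low bits of S words
    z = (S[d] + k) % M
    S[d] = (k + S[i]) % M
    return i, j, k, z

def keystream(S, i, j, k, n, m, count):
    S, out = list(S), []             # run on a copy of the state
    for _ in range(count):
        i, j, k, z = gghn_step(S, i, j, k, n, m)
        out.append(z)
    return out

def gf2_rank(rows):
    """Rank over GF(2) of the coefficient columns of rows (row = coeffs + [rhs])."""
    basis = []
    for row in rows:
        v = sum((c & 1) << idx for idx, c in enumerate(row[:-1]))
        for b in basis:
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def solve_mod_pow2(rows, nvar, r):
    """All x in [0, 2^r)^nvar with A x = b (mod 2^r), rows = [a_0..a_{nvar-1}, b].
    Z/2^r is not a field, so lift bit by bit: x = x0 + 2y with A x0 = b (mod 2)
    and A y = (b - A x0)/2 (mod 2^(r-1)); brute-forcing x0 is fine for toy N."""
    if r == 0:
        return [[0] * nvar]
    sols = []
    for x0 in itertools.product((0, 1), repeat=nvar):
        resid = [row[-1] - sum(a * x for a, x in zip(row, x0)) for row in rows]
        if any(v & 1 for v in resid):
            continue
        lifted = [row[:-1] + [v // 2] for row, v in zip(rows, resid)]
        sols += [[a + 2 * b for a, b in zip(x0, y)]
                 for y in solve_mod_pow2(lifted, nvar, r - 1)]
    return sols

def reduce_state(SL, i, j, kL, zs, n, m):
    """Appendix A: from the n low bits of the state (S^L, i, j, k^L) and keystream
    words zs, recover x = (S^R_0[0..N-1], k^R_0).  Each high word is an affine form
    in x (N+1 coefficients + constant, mod 2^(m-n)); the low-bit state evolves on
    its own, so every carry sigma into the high part is known and each keystream
    word gives one equation z^R_t = S^R_t[d_t] + k^R_{t+1} + sigma_t."""
    N, R, nvar = 1 << n, 1 << (m - n), (1 << n) + 1
    def unit(v):                     # the unknown x_v as an affine form
        return [int(c == v) for c in range(nvar)] + [0]
    def add(f, g, carry):            # f + g + carry, coefficient-wise mod R
        h = [(a + b) % R for a, b in zip(f, g)]
        h[-1] = (h[-1] + carry) % R
        return h
    SL, SR, kR, rows = list(SL), [unit(v) for v in range(N)], unit(N), []
    for used, z in enumerate(zs, 1):
        i = (i + 1) % N
        j = (j + SL[i]) % N
        s = kL + SL[j]                                  # k = k + S[j]
        kL, kR = s % N, add(kR, SR[j], s >> n)
        d = (SL[i] + SL[j]) % N
        s = SL[d] + kL                                  # z = S[d] + k
        assert s % N == z % N, "keystream low bits contradict the low-bit state"
        zR = add(SR[d], kR, s >> n)
        rows.append(zR[:-1] + [((z >> n) - zR[-1]) % R])  # one row of A x = b
        s = kL + SL[i]                                  # S[d] = k + S[i]
        SL[d], SR[d] = s % N, add(kR, SR[i], s >> n)
        if used >= nvar and gf2_rank(rows) == nvar:     # full rank mod 2: unique x
            break
    return solve_mod_pow2(rows, nvar, m - n), used

def demo(n=2, m=8, seed=2010):
    """Random (seeded, constructed) GGHN(n, m) state; the attacker gets its low
    bits plus keystream and recovers the high bits.  Returns (sols, truth, used)."""
    rng = random.Random(seed)
    N, M = 1 << n, 1 << m
    S0 = [rng.randrange(M) for _ in range(N)]
    i0, j0, k0 = rng.randrange(N), rng.randrange(N), rng.randrange(M)
    zs = keystream(S0, i0, j0, k0, n, m, 16 * N)
    sols, used = reduce_state([w % N for w in S0], i0, j0, k0 % N, zs, n, m)
    return sols, [w >> n for w in S0] + [k0 >> n], used

if __name__ == "__main__":
    print("GGHN(8,32) state bits (total, critical):", state_bits(8, 32))
    sols, truth, used = demo(2, 8)
    print(f"GGHN(2,8): {used} words -> {len(sols)} candidate(s); "
          f"true high bits recovered: {truth in sols}")
```

Two practical points the toy table in the appendix hides. First, the equations live in Z/2^(m-n), not a field, so a pivot can be even; the solver therefore lifts a mod-2 solution one bit at a time rather than inverting coefficients. Second, the appendix's 5 keystream words suffice only if the 5 equations are independent; with a 4-entry S table the low-bit trajectory can repeat quickly, so the code keeps consuming keystream until the system has full rank mod 2 (which guarantees a unique lift) and otherwise returns every candidate consistent with the observed words.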
Appendix B: On the probability of other outcomes when \(S_t[j_{t+1}]\) is faulted
Consider the output step of the cipher at step t:
Let the assumptions from case 1(c) hold, i.e., \(i_{t+1} \neq j_{t+1} \neq S_t[i_{t+1}] + S_t[j_{t+1}]\) and \(m = j_{t+1}\). As will be shown, with small probability and contrary to case 1(c) above, \(z'_t = z_t\) and \(z'_{t+1} = z_{t+1}\) can hold. Namely, the faulted \(S_t[j_{t+1}]\) will cause a difference in \(k_{t+1}\), i.e., \(k'_{t+1} \neq k_{t+1}\). However, d will also be different, i.e., another S element will be used. Thus it is possible that \(z'_t = k'_{t+1} + S_t[d'] = z_t\), if such an \(S_t[d']\) exists, i.e., the difference in k may be annulled. The probability that this happens is \(p_A = 1/2^{32}\). As for \(z'_{t+1}\), even though the assumptions of case 1(c) are fulfilled, this value can also equal \(z_{t+1}\) with small probability, again contrary to the reasoning in case 1(c). Namely, this will occur if \(S_{t+1}[j_{t+2}]\) is such that \(k'_{t+2} = k'_{t+1} + S_{t+1}[j_{t+2}] = k_{t+2}\). Since this can only happen if \(j_{t+2}\) equals one of the two indices that point to corrupted S values, namely \(j_{t+1}\) and \(S_t[i_{t+1}] + S_t[j_{t+1}]\), the probability is \(p_B = (2/256) \times 1/2^{32} \approx 2^{-39}\). Similar probabilities are obtained if case 3 or case 4 is assumed. In case 2 and case 5, this problem cannot arise.
Since in one execution of the fault(t) procedure, m will equal \(j_{t+1}\) at most once, and fault(t) is called 257 times, the probability that any of these errors will occur is \(1- ( (1-p_A)\times (1-p_B) )^{257}\approx 2^{-23.9}\), which does not present a problem in practical applications of the attack.
Cite this article
Kircanski, A., Youssef, A.M. On the structural weakness of the GGHN stream cipher. Cryptogr. Commun. 2, 1–17 (2010). https://doi.org/10.1007/s12095-009-0013-3