On the structural weakness of the GGHN stream cipher

GGHN is an RC4-like stream cipher designed to make use of today’s common 32-bit processors. It is 3–5 times faster than RC4. According to its designers, one of the sources of GGHN’s high security is the large size of its secret internal state, which totals 8240 bits. In this paper we show that if an attacker can obtain 2064 specific bits of this internal state, then the attacker can deduce the remaining state bits with limited computation, effectively reducing the secret internal state size by approximately a factor of 4. We then present a fault analysis attack that allows the cryptanalyst to obtain these critical 2064 bits. The whole procedure effectively breaks GGHN using 257×255 induced faults, 2 keystream words for each of these faults, around 257 non-faulted keystream words and negligible computational time.
