Bias Analysis of a Certain Problem with Applications to E0 and Shannon Cipher

Bias analysis is an important problem in cryptanalysis.When the critical bias can be expressed by the XOR of many terms, it is wellknown that we can compute the bias of their sum by the famous Piling-up lemma assuming all the terms are independent. In this paper, we consider the terms of the sum are dependent and we study above bias problem. More precisely, let each term be a Boolean function of a variable over GF(2)n. We assume the distribution D of the XOR of k variables is known, each variable is uniformly distributed individually, and moreover, the XOR of k variables and (k - 1) variables all are independent. We give a simple expression for the bias of the sum of k Boolean functions. It takes time O(kn ċ 2n) to compute the bias, while under the independence assumption, it takes time O(k ċ 2n) to compute by Pilingup lemma. We further compare the general bias in our problem with the bias in the independent case. It is remarkable to note that the former can differ significantly from the latter. As application, we apply our results to cryptanalysis of two real examples, Bluetooth encryption standard E0 and Shannon cipher, which show a strongly biased and weakly biased D respectively. For E0, our analysis allows to make the best known key-recovery attack with precomputation, time and data complexities O(237). For Shannon cipher, our analysis verifies the validity of the estimated complexity O(2107) of the previous distinguishing attack [5]. As comparison, we also studied a variant of Shannon cipher, which shows much stronger dependency within the internal states. We gave a distinguishing attack on the Shannon variant with reduced complexity O(2293).

[1]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[2]  Information Security and Privacy , 1996, Lecture Notes in Computer Science.

[3]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[4]  Colin Boyd,et al.  Cryptography and Coding , 1995, Lecture Notes in Computer Science.

[5]  Anne Canteaut,et al.  Computing the biases of parity-check relations , 2009, 2009 IEEE International Symposium on Information Theory.

[6]  Nicolas Courtois Fast Algebraic Attacks on Stream Ciphers with Linear Feedback , 2003, CRYPTO.

[7]  Serge Vaudenay,et al.  Faster Correlation Attack on Bluetooth Keystream Generator E0 , 2004, CRYPTO.

[8]  Risto M. Hakala,et al.  Linear Distinguishing Attack on Shannon , 2008, ACISP.

[9]  Tor Helleseth,et al.  Advances in Cryptology — EUROCRYPT ’93 , 2001, Lecture Notes in Computer Science.

[10]  Frederik Armknecht,et al.  Algebraic Attacks on Combiners with Memory , 2003, CRYPTO.

[11]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[12]  Zsolt Kukorelly The Piling-Up Lemma and Dependent Random Variables , 1999, IMACC.

[13]  Tor Helleseth,et al.  An Improved Correlation Attack Against Irregular Clocked and Filtered Keystream Generators , 2004, CRYPTO.

[14]  Philip Hawkes,et al.  Design and Primitive Specification for Shannon , 2007, Symmetric Cryptography.