A New Stream Cipher for
Secure Digital Media Distribution
by
Lin Gan
A thesis submitted to the Department of Electrical and Computer
Engineering in conformity with the requirements for the degree of
Master of Science (Engineering)
Queen's University
Kingston, Ontario, Canada
November, 2001
Copyright © Lin Gan, 2001
The author has granted a non-exclusive licence allowing the National Library of Canada to reproduce, loan, distribute or sell copies of this thesis in microform, paper or electronic formats.
The author retains ownership of the copyright in this thesis. Neither the thesis nor substantial extracts from it may be printed or otherwise reproduced without the author's permission.
Abstract
In the 21st century, many valuable materials such as music and movies are stored in various forms of digital media and delivered over the Internet. To prevent these copyrighted materials from illegal duplication, copyright protection technologies have to be employed. An effective copyright protection technology will reduce the risk of large revenue loss in the industries concerned.
DVD, or Digital Video Disk, represents a quality digital medium with great market value. The copyright protection system used in DVD applications is essentially a cryptosystem. A cryptosystem is comprised of two parts: a set of cryptographic protocols and underlying ciphers. In this thesis, research is carried out on both parts of the cryptosystem.
We use a formal method called Coloured Petri Nets to model and analyze the cryptographic protocol in DVD. The Petri Nets modeling of the protocol offers graphical representations and achieves a certain degree of formalization of it. A weakness is found and remedial suggestions are made. The stream cipher in DVD applications consists of two linear feedback shift registers (LFSRs) with a non-linear combining function. In general, LFSR based stream ciphers are vulnerable to various versions of the correlation attack. A substitution box (s-box) based stream cipher can offer a more secure solution. Inspired by the design concept of the RC4 stream cipher, we propose a new family of stream ciphers that makes use of a cascade of small s-boxes. Cycle structures and output statistical properties of the cascaded s-box ciphers are studied in this thesis. Our experimental results give the indication that the cascaded s-box stream cipher develops more resistance to attacks as we increase the number of cells in the cascade.
Acknowledgements
Foremost, I would like to thank my supervisors, Dr. S.E. Tavares and Dr. S. Simmons, for their continuous support and guidance throughout this project.
Special thanks to my wife Qian Tang, for her endless encouragement and patience. To my colleagues, friends and parents, I would like to express my gratitude for your efforts in helping me complete this work.
For financial assistance, I acknowledge the School of Graduate Studies and Research of Queen's University, the Department of Electrical and Computer Engineering and CITO.
Contents
Abstract
Acknowledgements
Contents
List of Tables
List of Figures
1 Introduction ..... 1
1.1 General Overview and Motivation ..... 1
1.2 Cryptosystems ..... 2
1.2.1 Cryptographic Algorithms ..... 3
1.2.2 Cryptographic Protocols ..... 4
1.3 Thesis Outline ..... 6
2 Literature Review
2.1 Protocol Analysis ..... 7
2.2 Petri Nets ..... 9
2.2.1 Graphical Representations of Coloured Petri Nets ..... 10
2.2.2 Formal Definition of Coloured Petri Nets ..... 11
2.2.3 Properties of Coloured Petri Nets ..... 13
2.3 Stream Ciphers ..... 14
2.3.1 LFSR Based Stream Ciphers ..... 15
2.3.2 RC4 Stream Cipher ..... 16
3 CPN Based Analysis of the DVD Protocol ..... 20
3.1 An Overview of the DVD Copyright Protection Scheme ..... 20
3.2 Petri Net Modeling of the DVD Playback Control Protocol ..... 21
3.2.1 Coloured Petri Net Modeler ..... 21
3.2.2 DVD Playback Control Protocol Modeling ..... 22
3.3 Weakness and Improvement in the DVD Protocol ..... 28
4 Analysis of DVD Stream Cipher ..... 32
4.1 The Underlying Cipher in the DVD System ..... 32
4.1.1 Keystream Generator ..... 33
4.1.2 Encryption/Decryption Function ..... 33
4.1.3 Cryptanalysis of Keystream Generator ..... 35
4.2 RC4 Observations ..... 37
4.3 RC4 Outputs Analysis ..... 39
5 A New Cascaded S-Box Stream Cipher ..... 41
5.1 The General Cascaded S-Box Stream Cipher ..... 42
5.2 Keystream Cycle Structure of the Cascaded Cipher ..... 45
5.2.1 Cycles in the Cascaded S-Box Stream Cipher ..... 45
5.2.2 Property of Cascaded S-Box Stream Ciphers ..... 54
5.2.3 Upper Bound of the Cycle Length ..... 55
5.2.4 Decomposition of Cycles ..... 57
5.2.5 Typical Key Lengths for the Stream Cipher ..... 62
5.3 Key Spacing Distribution in Cascaded Ciphers ..... 63
5.4 Statistical Analysis of the Output of Cascaded Ciphers ..... 67
5.4.1 Frequency Test (one-bit test) ..... 67
5.4.2 Serial Test (two-bit test) ..... 68
5.4.3 Test Results for Cascaded Stream Ciphers ..... 68
5.4.4 Output Probability Deviation ..... 69
6 Conclusion ..... 74
6.1 Summary and Discussion ..... 74
6.2 Suggestions for Further Study ..... 76
Bibliography
Appendices ..... 83
A CSS Cipher Analysis ..... 83
A.1 Another Attack on the Keystream Generator ..... 83
A.2 Attack on the Encryption Function ..... 84
B More Key Spacing Distributions ..... 86
C Output Test Results ..... 96
D Probabilities for Right Pointer in RC4-3 ..... 116
Vita ..... 121
List of Tables
2.1 Typical Interpretations of Places and Transitions ..... 12
2.2 Nominal and Effective Key Sizes for RC4-n ..... 18
2.3 Possible Periods for RC4 with Word Length 2 and 3 ..... 19
4.1 Probabilities for j in RC4-3 (Cycle Length = 955,496) ..... 39
4.2 Output Conditional Probabilities P(O(i+1)/O(i)) for Cycle Length 164 ..... 40
4.3 Output Conditional Probabilities P(O(i+1)/O(i)) for Cycle Length 196 ..... 40
5.1 Cycle Lengths for CSC-2 Stream Cipher ..... 46
5.2 Cycle Lengths for CSC-3 Stream Cipher (1) ..... 47
5.3 Cycle Lengths for CSC-3 Stream Cipher (2) ..... 48
5.4 Cycle Lengths for CSC-4 Stream Cipher (1) ..... 51
5.5 Cycle Lengths for CSC-4 Stream Cipher (2) ..... 52
5.6 Cycle Lengths for CSC-4 Stream Cipher (3) ..... 53
5.7 Cycle Lengths for CSC-5 Stream Cipher (1) ..... 60
5.8 Cycle Lengths for CSC-5 Stream Cipher (2) ..... 61
5.9 Observed Longest Cycle Lengths for CSC-6 Stream Cipher ..... 62
5.10 Output Statistical Test Results for Cascaded Ciphers ..... 69
C.1 Output Test Results for CSC-2 Cipher (1) ..... 96
C.2 Output Test Results for CSC-2 Cipher (2) ..... 97
C.3 Output Test Results for CSC-2 Cipher (3) ..... 98
C.4 Output Test Results for CSC-2 Cipher (4) ..... 99
C.5 Output Test Results for CSC-3 Cipher (1) ..... 100
C.6 Output Test Results for CSC-3 Cipher (2) ..... 101
C.7 Output Test Results for CSC-3 Cipher (3) ..... 102
C.8 Output Test Results for CSC-3 Cipher (4) ..... 103
C.9 Output Test Results for CSC-4 Cipher (1) ..... 104
C.10 Output Test Results for CSC-4 Cipher (2) ..... 105
C.11 Output Test Results for CSC-4 Cipher (3) ..... 106
C.12 Output Test Results for CSC-4 Cipher (4) ..... 107
C.13 Output Test Results for CSC-5 Cipher (1) ..... 108
C.14 Output Test Results for CSC-5 Cipher (2) ..... 109
C.15 Output Test Results for CSC-5 Cipher (3) ..... 110
C.16 Output Test Results for CSC-5 Cipher (4) ..... 111
C.17 Output Test Results for CSC-6 Cipher (1) ..... 112
C.18 Output Test Results for CSC-6 Cipher (2) ..... 113
C.19 Output Test Results for CSC-6 Cipher (3) ..... 114
C.20 Output Test Results for CSC-6 Cipher (4) ..... 115
D.1 Probabilities for j in RC4-3 (Cycle Length = 322,120) ..... 117
D.2 Probabilities for j in RC4-3 (Cycle Length = 53,000) ..... 117
D.3 Probabilities for j in RC4-3 (Cycle Length = 44,264) ..... 117
D.4 Probabilities for j in RC4-3 (Cycle Length = 29,032) ..... 117
D.5 Probabilities for j in RC4-3 (Cycle Length = 9,624) ..... 118
D.6 Probabilities for j in RC4-3 (Cycle Length = 9,432) ..... 118
D.7 Probabilities for j in RC4-3 (Cycle Length = 4,696) ..... 118
D.8 Probabilities for j in RC4-3 (Cycle Length = 3,008) ..... 118
D.9 Probabilities for j in RC4-3 (Cycle Length = 648) ..... 119
D.10 Probabilities for j in RC4-3 (Cycle Length = 472) ..... 119
D.11 Probabilities for j in RC4-3 (Cycle Length = 456) ..... 119
D.12 Probabilities for j in RC4-3 (Cycle Length = 264) ..... 119
D.13 Probabilities for j in RC4-3 (Cycle Length = 120) ..... 120
D.14 Probabilities for j in RC4-3 (Cycle Length = 24) ..... 120
List of Figures
2.1 A Simple Petri Net Diagram ..... 12
2.2 A Sample LFSR Based Stream Cipher ..... 16
3.1 An Entity Level Petri Net Model of the DVD Protocol ..... 24
3.2 A Functional Level Petri Net Model of the DVD Protocol ..... 27
3.3 A Revised Petri Net Model of the DVD Protocol ..... 29
4.1 Keystream Generator in DVD Stream Cipher ..... 34
4.2 Encryption/Decryption Function in DVD Stream Cipher ..... 34
4.3 The RC4-n Stream Cipher ..... 38
5.1 A Cascaded S-Box Stream Cipher ..... 42
5.2 Cumulative Frequency (CF) of Occurrence versus Cycle Length ..... 50
5.3 RC4-3 vs. CSC-3 Cipher ..... 56
5.4 Number of Keys vs. Cycle Lengths ..... 64
5.5 Key Spacing Distribution in Cycle of Length 29,950,992 in CSC-4 Cipher ..... 65
5.6 Key Spacing in Cycle of Length 11,430,699,920 in CSC-5 Cipher ..... 66
5.7 Single Output Probability Deviation ..... 71
5.8 Digraph Probability Deviation ..... 72
5.9 Trigraph Probability Deviation ..... 73
B.1 Key Spacing Distribution in Cycle of Length 29,162,808 in CSC-4 Cipher ..... 87
B.2 Key Spacing Distribution in Cycle of Length 22,010,768 in CSC-4 Cipher ..... 88
B.3 Key Spacing Distribution in Cycle of Length 16,691,752 in CSC-4 Cipher ..... 89
B.4 Key Spacing Distribution in Cycle of Length 11,034,576 in CSC-4 Cipher ..... 90
B.5 Key Spacing Distribution in Cycle of Length 9,996,000 in CSC-4 Cipher ..... 91
B.6 Key Spacing Distribution in Cycle of Length 9,878,400 in CSC-4 Cipher ..... 92
B.7 Key Spacing Distribution in Cycle of Length 5,192,800 in CSC-4 Cipher ..... 93
B.8 Key Spacing Distribution in Cycle of Length 7,814,912 in CSC-4 Cipher ..... 94
B.9 Key Spacing Distribution in Cycle of Length 7,247,100 in CSC-4 Cipher ..... 95
Chapter 1
Introduction
1.1 General Overview and Motivation
Growing in the past few years, the Internet has become the carrier of contemporary electronic commerce. Today, digitized materials such as movies, music, and computer games are distributed over the Internet. From source to destination, these materials are exposed to potential risks of being copied. Unlike copying materials in analog forms, digital copying introduces no degradation. Copies possess the same quality as their original digital counterparts. To keep copyrighted materials from illegal duplication and thus protect intellectual property, copyright protection technologies should be employed.
Digital Video Disk, or DVD, is such an example. DVD offers not only higher video/audio quality over traditional video tapes but also high storage capacity (4.7 GB per side). According to [2], DVD is such a successful consumer electronic product that more than three million DVD players and 25 million disks were shipped in the United States in just over two years. Copyright protection schemes for DVD applications involve business interests of three different industries: video content owners such as Hollywood studios, consumer electronic manufacturers and computer makers. Several proposals for DVD copyright protection have come into place. They include Content Scrambling System (CSS), Analog Protection System (APS), Copy Generation Management System (CGMS), SC, media identifier and Watermarking [4]. The CSS scheme is reviewed and analyzed in this thesis.
In these copyright protection schemes, cryptography plays an important role. The famous cryptographers Diffie and Hellman have defined cryptography as the use of transformations of data intended to make the data useless to one's opponents [9]. This thesis aims to study the Content Scrambling System (CSS) in DVD applications from a cryptographic point of view.
1.2 Cryptosystems
Aside from watermarking technology, many copyright protection schemes make use of cryptosystems. A cryptosystem is a general term referring to a set of cryptographic primitives used to provide information security services [20]. In many security applications, a cryptosystem serves as the fundamental building block of the whole system. Confidentiality and authentication are two major services provided by a cryptosystem. Confidentiality ensures the secrecy of messages so that they are unintelligible to potential intruders. Authentication safeguards the integrity of messages. Without authentication, recipients cannot ascertain the origin of the messages, nor can they verify that the messages have not been modified in transit.
There are two parts in a cryptosystem: cryptographic algorithms and the cryptographic protocols that employ those algorithms.
1.2.1 Cryptographic Algorithms
A cryptographic algorithm, also called a cipher, is a mathematical function used for encryption and decryption. Early cryptographic algorithms maintained security by concealing the mathematical details of the algorithms. Such algorithms could not be published as industrial standards and thus could not be widely implemented. In modern cryptography, the algorithms are published so that they can undergo public cryptanalysis and can be widely deployed to enable secure applications to inter-operate. In well-designed ciphers, all security relies on the key, so that any cryptanalysis against the algorithm is equivalent to an exhaustive key search, i.e., a brute-force attack.
There are two types of cryptographic algorithms in terms of keys: symmetric algorithms and public key algorithms. Symmetric algorithms, also called private key algorithms, are algorithms where the decryption key can be easily calculated from the encryption key and vice versa. Both keys should be kept secret. In most symmetric algorithms, the two keys are identical. In public key algorithms, the encryption key is made public: anyone can use it to encrypt a message, but only the party with the corresponding decryption key can decrypt the message, and it is computationally infeasible to calculate the decryption key from the encryption key. The encryption key is often called the public key, and public key algorithms are also named asymmetric algorithms. In general, symmetric algorithms are faster, while asymmetric algorithms offer simpler key management schemes and enable digital signatures. Private key algorithms such as DES, RC4 and CAST are widely used in practice. RSA is the most widely used public key algorithm.
Ciphers can also be classified based on the amount of data being processed each time. A block cipher encrypts or decrypts data in large blocks (e.g., 64 bits or more). A stream cipher operates on data in small blocks at a time. Traditional stream ciphers like the one-time pad process data bit by bit. Now there are stream ciphers that operate on 8 bits of data each time. Such a stream cipher can be conveniently implemented in software. Both stream ciphers and block ciphers could be private key or public key ciphers.
1.2.2 Cryptographic Protocols
A cryptographic protocol is a series of steps, involving two or more communicating parties, designed to achieve some security goals [33]. The execution of a cryptographic protocol typically involves sequentially exchanging 3 to 5 messages between two or more parties. The messages may contain identification, key or time stamp information, etc. They are either in ciphertext or plaintext form. The design of a cryptographic protocol builds on some cryptographic algorithms.
Cryptographic protocols have various security objectives. Authentication and key exchange protocols represent an important category of cryptographic protocols. Communicating parties use these protocols to authenticate themselves to one another and exchange a pair of secret keys between them; the exchanged key is then used as the session key in secure communications.
Although a cryptographic protocol seems relatively simple, it can actually be quite complex, because many scenarios could exist in a protocol. Choosing suitable methods is important to model and analyze a cryptographic protocol under these scenarios. A lot of research has been done in this area and more is under development. It is ambiguous to use an informal method such as descriptive language in protocol specification and analysis. Formal methods are more effective. A formal method is a specification language with a firm mathematical semantics and the associated development notion. Formal methods attempt to provide a mathematical underpinning for the design and analysis of various systems. State machines [22, 18], BAN logic [6], Algebra [21] and Coloured Petri Nets [13, 37, 34] are examples of formal methods.
1.3 Thesis Outline
This thesis is organized as follows. Chapter 2 contains a literature review summarizing two types of stream ciphers and formal methods for cryptographic protocol analysis. LFSR based stream ciphers and the s-box based RC4 stream cipher are reviewed and relevant research results to date on them are included. Theories of several formal methods are introduced and emphasis is put on a method called Coloured Petri Nets (CPNs).
A two-level modeling of a DVD playback control protocol using CPNs is conducted in Chapter 3. Entity level modeling gives readers an overview of the protocol. Functional level modeling reveals details of each entity and their interactions. Weaknesses are uncovered in the protocol and a revision is proposed in this chapter.
Chapter 4 deals with stream cipher analysis. The underlying LFSR based stream cipher in the DVD copyright protection scheme is analyzed in detail. The cipher is vulnerable to different versions of the correlation attack. As a comparison, statistical analysis is conducted on the s-box based RC4 stream cipher.
Chapter 5 introduces a new family of cascaded s-box stream ciphers. The structure of the cascaded s-box stream cipher is specified. Some important properties such as keystream cycle structures, key spacing distribution and output randomness properties are studied in depth in this chapter.
Some closing remarks, a summary of this thesis, and possible further study are presented in Chapter 6.
Chapter 2
Literature Review
2.1 Protocol Analysis
Cryptographic protocols are designed to achieve specific security objectives such as data integrity, confidentiality and authenticity, etc. However, achieving such security objectives has proven not to be an easy task. Some protocols have been in the public domain for several years before their flaws were disclosed [8, 26]. Formal methods have been developed to address the security concerns of cryptographic protocols. In this section, research work on several formal methods is briefly reviewed. Such formal methods include algebraic methods, logic models, state machines and Petri Nets.
Basically there are two steps in a protocol analysis process. The first step is modeling the protocol, where communicating parties and their exchanged messages are modeled. The second step is manipulating and analyzing these protocol models based on theoretical methods.
Dolev and Yao [10] are pioneers who used an algebraic method to prove the security of certain classes of protocols. In modeling a protocol, messages are transformed into words and how to manipulate the words is defined as term-rewriting rules. Following such rules, an intruder manipulates the words and tries to obtain the secret. Flaws may exist in the protocol if the intruder has successfully gained access to the secret. This approach is restricted to analyzing those cryptographic protocols providing message encryption. Another disadvantage is its inefficient storage of state information [19].
The Interrogator [22] and the Navy Research Laboratory (NRL) Protocol Analyzer [18] are representatives of the state machine approach. They are both computer expert systems developed in the Prolog language. In the Interrogator, each entity in a protocol is modeled as a finite state machine. Given a target data item, the Interrogator would output a message history that indicates a path or method an intruder used to obtain the target data. The NRL Protocol Analyzer is an interactive program. First, the user specifies the conditions for some undesirable state for a protocol. Then the NRL Protocol Analyzer performs a backward search to determine whether the state can be reached from a certain initial state. The NRL Protocol Analyzer is an extension to the Dolev and Yao term-rewriting model.
BAN logic [6], developed by Burrows, Abadi and Needham, is a well-known logic model for protocol analysis. BAN logic concentrates on the beliefs of trustworthy parties involved in the protocols and on the evolution of these beliefs [6]. Based on the beliefs, a protocol and its security objectives are mapped into a set of logical assertions. The logical assertions are then analyzed using formally defined inference rules to determine whether the objectives are derivable. BAN logic is most widely used in analyzing authentication protocols. More discussion about the use of BAN logic is in [5].
Although a protocol designer can prove that a cryptographic protocol is resistant to a set of attacks, Meadows stipulates that it is unlikely that any formal method will be able to model all aspects of a cryptographic protocol, and thus it is unlikely that any formal method will detect or prevent all types of protocol flaws [19].
2.2 Petri Nets
In addition to their complexity, the formal analysis methods discussed above do not have graphical representations. In general, a graphical description can make the specification of protocols more readable and unambiguous.
Petri Nets are a formal graphical and mathematical modeling tool that was invented by Carl Adam Petri in 1962. Petri Nets are a promising tool for specifying and analyzing systems characterized as being concurrent, asynchronous, distributed or parallel. As a graphical tool, Petri Nets can be used as a visual-communication aid similar to flow charts or block diagrams. As a mathematical tool, it is possible to set up state equations, algebraic equations, and other mathematical models governing the behavior of systems. Petri Nets represent a broader range of systems than finite state machines (FSM).
Researchers at Queen's University have made a lot of contributions in analyzing cryptographic protocols using Petri Nets. Behki and Tavares [3] applied Petri Nets to model cryptographic protocols for the first time. Their work integrated Petri Nets, LOTOS and a programming language into one model. Nieh and Tavares formalized a method of protocol specification and analysis using a certain type of Petri Nets called Coloured Petri Nets [28, 29]. There are three levels in specifying a protocol: entity, conceptual and functional level descriptions. An intruder is also modeled to simulate various attacking scenarios. The analyzing process was done manually. The process was later automated using Prolog by Doyle, Tavares and Meijer [11, 12]. Zhao and Tavares implemented the stubborn set method to optimize the state searching speed [36, 37]. Edwards, Tavares and Meijer integrated the Petri Nets based method into a Java program with a friendly graphical user interface (GUI) [13, 14].
Timing information is introduced in Petri Nets and a new type of Petri Nets called Cryptographic Timed Petri Nets (CTPN) is presented in [17]. It is a different approach to that of Queen's University.
2.2.1 Graphical Representations of Coloured Petri Nets
A Coloured Petri Net (CPN) consists of places, transitions and directed arcs that connect them. Places may contain tokens. These CPN components have the following graphical representations:
- a circle: to represent a place
- a rectangular box: to represent a transition
- a directed arc: to connect a place and a transition
- a coloured dot in a circle: to represent a certain type of token in a place
In CPN modeling, the current state of the modeled system, or the marking, is given by the number and colour of tokens in each place. Transitions are active components. They simulate activities that can occur and thus change the state of the system (the marking of the CPN). An input place is a place with an arc directed to a transition and an output place is a place to which an arc is directed from a transition. A place could be both an input and an output place. A transition is enabled when each of its input places has one or more tokens with appropriate colours. An enabled transition may fire, and then tokens will move from input places to output places according to the regulations called transition firing rules.
Figure 2.1 is a simple illustration of a Petri Net diagram. Murata [25] gives practical interpretations of places and transitions, summarized in Table 2.1 [13].
Figure 2.1: A Simple Petri Net Diagram (figure not reproduced; its labels are Input Place, Token, Input Arc, Transition, Output Arc, Condition1, Condition2 and Result2)

Table 2.1: Typical Interpretations of Places and Transitions

Input Places        Transitions         Output Places
Pre-Conditions      Event               Post-Conditions
Input Data          Computation Step    Output Data
Input Signals       Signal Processor    Output Signals
Resources Needed    Task                Resources Released
Conditions          Clause in Logic     Conclusion(s)
Buffers             Processor           Buffers

2.2.2 Formal Definition of Coloured Petri Nets
In [13], a CPN is formally defined as a 6-tuple $CPN = (P, T, A, C, M_0, F)$ where:
- $P$ is a finite set of places
- $T$ is a finite set of transitions
- $A$ is a finite set of arcs such that $P \cap T = P \cap A = T \cap A = \emptyset$ and $A \subseteq (P \times T) \cup (T \times P)$
- $C$ is a finite set of colours
- $M_0$ is an initial state, also called the initial marking of the CPN, represented by the distribution of coloured tokens across all places
- $F$ is a finite set of transition firing rules
This definition is a variation of that in [16]. The finite sets of places, transitions and arcs are pairwise disjoint. $A$ is a subset of the union of the two Cartesian product sets of $P$ and $T$.
2.2.3 Properties of Coloured Petri Nets
Petri Nets have two types of properties: behavioral and structural properties [25]. Structural properties are the intrinsic properties that do not depend on an initial marking. Behavioral properties depend on initial markings. Structural properties are not covered in this thesis. Three behavioral properties are reviewed as follows:
Boundedness
A place in a Petri Net is k-bounded if the number of tokens in it is ≤ k after any sequence of transition firings. A Petri Net is bounded if all its places are bounded. If the Petri Net model of a protocol is bounded, it ensures that resources needed in the protocol, such as buffers, are finite.
Liveness
A transition is live if for any firing sequence of the Petri Net, there always exists another sequence to make it fire again. A Petri Net is live if all its transitions are live. The liveness property aims to check whether the protocol modeled in Petri Nets will fall into deadlock under any operating conditions.
Reachability
A marking (state) of a Petri Net is said to be reachable from another if there is at least one firing sequence between them. This property is very useful in protocol analysis. Reachability of an undesirable or insecure state suggests that the protocol has potential flaws or weaknesses.
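As an added illustration of the three properties above (not code from the thesis or from the Queen's CPN tools), the following Python explores the reachability graph of a small ordinary Petri net and checks boundedness, liveness and reachability of an insecure marking; the toy key-delivery net, its place and transition names, and the `analyze` helper are constructed here for illustration and are not the thesis's DVD protocol model.

```python
from collections import deque

# Added example: an ordinary (single-colour) Petri net with a reachability-graph
# explorer.  The net below is a constructed toy, not the thesis's DVD model.


class PetriNet:
    def __init__(self, places, transitions):
        self.places = list(places)
        self.idx = {p: i for i, p in enumerate(self.places)}
        # name -> (input arcs {place: weight}, output arcs {place: weight})
        self.transitions = dict(transitions)

    def enabled(self, marking, t):
        ins, _ = self.transitions[t]
        return all(marking[self.idx[p]] >= w for p, w in ins.items())

    def fire(self, marking, t):
        ins, outs = self.transitions[t]
        m = list(marking)
        for p, w in ins.items():
            m[self.idx[p]] -= w
        for p, w in outs.items():
            m[self.idx[p]] += w
        return tuple(m)

    def reachability_graph(self, m0, cap=64):
        """Breadth-first exploration of every marking reachable from m0.
        Returns {marking: [(transition, successor), ...]}.  A marking in which
        some place holds more than `cap` tokens is recorded but not expanded,
        so the search also terminates on an unbounded net."""
        graph = {}
        queue = deque([tuple(m0)])
        while queue:
            m = queue.popleft()
            if m in graph:
                continue
            graph[m] = []
            if max(m) > cap:
                continue
            for t in self.transitions:
                if self.enabled(m, t):
                    m2 = self.fire(m, t)
                    graph[m].append((t, m2))
                    queue.append(m2)
        return graph


def is_bounded(graph, k):
    """k-boundedness: no reachable marking puts more than k tokens in any place."""
    return all(max(m) <= k for m in graph)


def is_live(net, graph, t):
    """Liveness of t: from every reachable marking some continuation enables t."""
    for start in graph:
        stack, seen, found = [start], set(), False
        while stack and not found:
            m = stack.pop()
            if m in seen:
                continue
            seen.add(m)
            found = net.enabled(m, t)
            stack.extend(m2 for _, m2 in graph[m])
        if not found:
            return False
    return True


def insecure_reachable(graph, idx, place):
    """Reachability of an undesirable state: any marking with a token in `place`."""
    return any(m[idx[place]] > 0 for m in graph)


# Constructed toy: A delivers a session key to B, either in clear or encrypted.
PLACES = ["A_ready", "channel_plain", "channel_enc", "B_has_key", "intruder_has_key"]
M0 = (1, 0, 0, 0, 0)
ORIGINAL = {
    "send_plain":   ({"A_ready": 1},       {"channel_plain": 1}),
    "send_enc":     ({"A_ready": 1},       {"channel_enc": 1}),
    "B_recv_plain": ({"channel_plain": 1}, {"B_has_key": 1}),
    "B_recv_enc":   ({"channel_enc": 1},   {"B_has_key": 1}),
    "intercept":    ({"channel_plain": 1}, {"intruder_has_key": 1}),  # intruder on clear channel
}
# Revised protocol: the plaintext option is removed, everything else is kept.
REVISED = {t: arcs for t, arcs in ORIGINAL.items() if t != "send_plain"}


def analyze(transitions):
    net = PetriNet(PLACES, transitions)
    graph = net.reachability_graph(M0)
    return {
        "markings": len(graph),
        "bounded_1": is_bounded(graph, 1),
        "send_enc_live": is_live(net, graph, "send_enc"),
        "key_leaks": insecure_reachable(graph, net.idx, "intruder_has_key"),
    }


if __name__ == "__main__":
    for name, t in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, analyze(t))
```

Both nets are 1-bounded and neither is live (the protocol is one-shot, so no transition can fire again after the key is delivered), but only the original net can reach the marking in which the intruder holds the key.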
2.3 Stream Ciphers
A secure cryptosystem requires not only secure protocols but also secure underlying ciphers. Stream ciphers are an important class of ciphers. In general, stream ciphers are faster than block ciphers in hardware and have less complex hardware circuitry. In some applications where buffer space is limited, stream ciphers could be mandatory. Another advantage of stream ciphers is that they have no error propagation. Two types of stream ciphers are classified: synchronous and asynchronous stream ciphers. In a synchronous stream cipher, the keystream is independent of the plaintext and the ciphertext, so that the sender and recipient keystream generators have to be synchronized. On the other hand, in an asynchronous stream cipher, the keystream is generated as a function of the key and a fixed number of previous ciphertext bits. Emphasis is put on synchronous stream ciphers in this thesis.
2.3.1 LFSR Based Stream Ciphers
Many designs of stream ciphers make use of Linear Feedback Shift Registers (LFSRs).
An LFSR is a bit shift register with a linear feedback function. The feedback function
is an XOR operation of certain bits in the shift register. At each clock tick, an LFSR
generates 1 bit of output and the result of the XOR function is fed into the LFSR from
the other end. LFSRs can generate very long cycles with good randomness properties.
The list of feedback bits is called a tap sequence. If the polynomial formed from the
tap sequence of an LFSR plus 1 is primitive over GF(2), the output sequence of the
LFSR will have the maximum period 2^n - 1 [33]. n, also called the degree of an LFSR, is
the bit length of the LFSR. The maximum period is 2^n - 1 rather than 2^n because a
shift register filled with all zeros will make the LFSR output useless all-zero streams.
A lot of work on LFSR based stream ciphers is presented in [31]. The popularity of
using LFSRs in stream cipher design comes from the following facts:
1. LFSR based stream ciphers are well studied.
2. LFSRs can be easily implemented in hardware.
A general structure of LFSR based stream ciphers is in Figure 2.2 [23]. Outputs
of several LFSRs are connected to a nonlinear combiner. To prevent the direct
application of a cryptanalysis algorithm called the Berlekamp-Massey algorithm [20], the
nonlinear combiner is used to shuffle the outputs of the LFSRs. The initial states
of the LFSRs are set according to a user key. The keystream bit, k_i, comes from the
nonlinear combiner and is XORed with a plaintext bit, p_i, to generate a ciphertext
bit, c_i.
Figure 2.2: A Sample LFSR Based Stream Cipher
2.3.2 RC4 Stream Cipher
RC4 is another type of stream cipher, designed by Ron Rivest of MIT and RSA
Security. RC4 is considered to be a software oriented stream cipher because it can
be easily implemented in software. In security applications such as TLS, BSAFE and
Lotus Notes, RC4 is used to provide encryption and decryption services.
RC4 was a trade secret of RSA; the algorithm was claimed to be reverse engineered
and the source code of the algorithm was posted anonymously to an Internet
mailing list in 1994. It is believed to be the true RC4 algorithm [33]. Now the design
of the RC4 stream cipher is public knowledge.
RC4-n is a substitution box (s-box) based stream cipher where n denotes the
operating word size of the algorithm. The RC4-8 cipher is used in all known applications.
There is an n-bit s-box with two pointers (i and j) in the RC4-n cipher. The s-box has 2^n
elements, each of which is n bits in size. There are two phases in the RC4 algorithm: the
initialization and the keystream generation phase. In the initialization phase, a user
key is used to initialize the s-box. The keystream is then generated in the second phase.
The keystream is XORed with the plaintext to produce the ciphertext or XORed with
the ciphertext to produce the plaintext. A detailed description of the RC4-n algorithm
is as follows:
Phase 1: Initialization
Input: k_0, ..., k_{l-1}, l n-bit words of user's key
Output: Initial State of RC4 (i, j and S)
1. For z from 0 to 2^n - 1
   { K_z = k_{z mod l} }
2. For z from 0 to 2^n - 1
   { S[z] = z }
3. j = 0
4. For i from 0 to 2^n - 1
   {
     j = j + S[i] + K_i mod 2^n
     Swap S[i] and S[j]
   }
5. i = 0 and j = 0
Phase 2: Keystream Generation
Input: the State of RC4 (i, j and S)
Output: The next n-bit word in the keystream, and the next RC4 State
1. i = i + 1 mod 2^n
2. j = j + S[i] mod 2^n
3. Swap S[i] and S[j]
4. t = S[i] + S[j] mod 2^n; output S[t] as the next n-bit word in the keystream
RC4 is a variable-key-size stream cipher. Although the user key could be up to
n × 2^n bits, the effective key length is shorter. The nominal and effective key sizes
for RC4-n in Table 2.2 are summarized by Mister and Tavares [24].
Table 2.2: Nominal and Effective Key Sizes for RC4-n
RC4 Word Size (n)              2      3      4      5      6      7      8      9
Nominal Key Length (bits)      8     24     64    160    384    896   2048   4608
Effective Key Length (bits)   4.58   (the remaining entries are not legible in the scan)
There is a finite number of states in RC4. Hence, the outputs of RC4 eventually
form cycles. For the RC4 cipher, output cycle lengths depend on the operating size, n, and
the initial state of the s-box, while for an LFSR, output cycle lengths are determined
by the degree of the LFSR and the feedback polynomial regardless of its initial state.
The cycle lengths are, with high probability, very large. When n ≥ 4, it is time-
consuming to determine the output cycle lengths of the RC4-n cipher. The cycle
lengths with their associated occurrence for n = 2, 3 are listed in Table 2.3. They are
extracted from the work of Mister and Tavares [24] and confirmed by experiments.
We note that for RC4-3, some cycle lengths occur more than once.
Table 2.3: Possible Periods for RC4 with Word Length 2 and 3
n = 2
Period                      196     164
Number of Initial States     12      12
n = 3
Period                   955496  322120  53000  44264  29032  9624  9432  4696  3008  648  472  456  264  120  24
Number of Initial States  30284    5144    816    688   1932   302   140   622   340    8   24   22   12    4   2
Observations on RC4 stream cipher and a cascaded s-box stream cipher are dis-
cussed in Chapters 4 and 5.
Chapter 3
CPN Based Analysis of the DVD
Protocol
3.1 An Overview of the DVD Copyright Protection Scheme
The copyright protection scheme used in DVD applications is called the Content Scrambling
System (CSS). The CSS scheme is designed by Toshiba and Matsushita, the parent
company of Panasonic, and is incorporated in both DVD disks and DVD players. It
is a combination of content scrambling, key encryption and conditional access. DVD
manufacturers must obtain licenses detailing implementations of the CSS scheme on their
products.
The CSS scheme is essentially a cryptosystem. The DVD playback control protocol,
extracted from CSS, is modeled using Coloured Petri Nets in this chapter and the
underlying LFSR based stream cipher in CSS is reviewed in the next chapter.
3.2 Petri Net Modeling of the DVD Playback Control Protocol
3.2.1 Coloured Petri Net Modeler
The Coloured Petri Net Modeler (CPNM) to be used in modeling the DVD playback control
protocol was developed by Edwards, Tavares and Meijer [14]. It is an integrated
software tool with a friendly graphical user interface (GUI). Petri Net components
(places, transitions, directed arcs and tokens) are drawn in CPNM. Then transition
firing rules and token colours are specified. No programming skill is required
to model cryptographic protocols in CPNM. CPNM is written in Java, a popular
object-oriented computer language. For archival reasons, all CPNM figures in this
thesis are printed in black and white.
A two-level approach is involved in the CPNM modeling hierarchy: entity level
and functional level modeling. The former is focused on an overview of the protocol and
the latter is concentrated on details.
At the entity level, a reusable component in CPNM called a Petri Nets Object (PNO)
is introduced to model a communicating entity in cryptographic protocols. A PNO is
drawn as a rectangular box with internal ports (transitions) on the edges. PNOs
are connected with arcs and places. PNOs send and receive messages to one another
through ports, simulating interactions between entities. At this level, the number of
entities and their messages is observed.
When messages arrive at communicating entities, they undergo a series of cryptographic
operations such as encryption, decryption, etc. Such operations occur inside
PNOs. Places and transitions are used for modeling them. Transitions simulate the action
mechanisms of these operations. Coloured tokens in input and output places
represent incoming and outgoing messages respectively. This is functional level modeling,
at which the working details of protocols are revealed. According to [37], there is
still another modeling level called the conceptual level in between. At the conceptual level,
processes that perform specific functions are defined as transitions in each PNO. But
in this thesis, it is contained in the functional level modeling implicitly.
3.2.2 DVD Playback Control Protocol Modeling
The DVD playback control protocol is abstracted from the CSS scheme of DVD applications.
The DVD disk and player are the two entities involved in this protocol. There are three
primary steps concerning copyright protection in the manufacturing of DVD
disks and players:
1. Key Generation: A title key, a disk key and a small set of player keys are
generated.
2. A set of cryptographic operations based on the underlying stream cipher: The
audio/video content is encrypted by the title key and the title key is encrypted
by the disk key. The disk key is encrypted a number of times, once by each player
key. And the disk key is hashed.
3. Content and key distributions: The encrypted items (audio/video content, title
key, disk keys) and the hash value of the disk key are distributed to DVD disks.
The player keys are distributed to different DVD players so that each one has
its own player key.
The protocol is carried out whenever a disk is being played, which ensures that
copyrighted DVD disks can only be played on licensed players.
The entity level modeling is depicted in Figure 3.1, which presents a concise
overview of the protocol. Four messages are exchanged between the disk and the
player. Request 1 is a handshaking message sent from the player to initiate the protocol.
Certain key information is sent back to the player in Response 1. Request 2
is another handshaking message from the player. Encrypted video content and some
key information are included in Response 2.
Figure 3.1: An Entity Level Petri Net Model of the DVD Protocol
Legends used in the functional level modeling of the DVD playback control protocol
are described as follows (the encryption and hash functions are defined in the
underlying stream cipher that will be discussed in the next chapter):
dkey: disk key
tkey: title key
pk_i, i = 1, ..., n: player keys from 1 to n
hash: hash value of the disk key
Hash(A): apply the Hash function on A
AVData: contents of audio and video data
E[A;K]: A encrypted by key K
PSN: player key serial number
Functional level CPNM modeling is shown in Figure 3.2. Inside the PNO representing
the DVD disk, audio/video data and keys are modeled as coloured tokens in
places. The encrypted AVData is depicted in place pd4. Similarly, the encrypted title
key is depicted in place pd5. The token in place pd2 represents the encrypted disk
keys. The hash value of the disk key is depicted in place pd6.
Inside the PNO representing the DVD player, the player key is depicted as the
token in place pp6. In the message of Response 1, the set of encrypted disk keys and
the hash value of the disk key are sent to the DVD player. Using its player key, the
DVD player decrypts the set of disk keys one by one. After each decryption, the same
hash function is applied to the output disk key. The hash result is then compared
with the hash value sent in Response 1. If the two hash values are equal, the disk
key has been decrypted by the player successfully. Otherwise, the operations of decryption,
hash and comparison are continued. Disk key decryption is modeled as transition tp2.
Transitions tp3, tp4 and tp5 simulate the hash and comparing operations. Response
2 is sent to the player and the encrypted AVData and title key are then retrieved. As
shown in transition tp1, the disk key is used to decrypt the title key. Subsequently,
the title key is applied to decrypt the AVData (transition tp6).
Figure 3.2: A Functional Level Petri Net Model of the DVD Protocol
3.3 Weakness and Improvement in the DVD Protocol
In Section 3.2.2, the DVD playback control protocol is explicitly specified. Through
Petri Nets modeling, a structural weakness is uncovered in the protocol.
Different player keys are incorporated in DVD players. But in a DVD disk, the
video content is huge in size and thus should be encrypted only once. To enable a
disk to be played in all legitimate players, the video content cannot be encrypted by
player keys directly. Therefore, a title key is used in content encryption. Then the
title key is encrypted by the disk key and the disk key is encrypted by player keys,
as depicted in Figure 3.2. It is observed that the disk key aims to protect the title
key. But the disk key itself is protected by player keys. It makes no contribution to
the system security. Thus the disk key and its hash value (places pd2 and pd6) are
superfluous. A revision of the protocol is made and illustrated in Figure 3.3, where
the title key is encrypted by player keys directly.
Figure 3.3: A Revised Petri Net Model of the DVD Protocol
In the revised version of the DVD protocol, the disk key and its hash are removed.
A player key serial number (PSN) for each DVD player is introduced in the title key
encryption and decryption. The title key is encrypted a number of times by different
player keys (in place pd2). In each encryption, a player's PSN is appended to the
title key before the title key is encrypted by the key of the same player. Then a DVD
player uses its player key to decrypt the title keys one by one. After each decryption
operation, the player compares the appended PSN with its own PSN. If the two PSNs
are equal, the title key is decrypted successfully. Otherwise, the decryption operation
is continued (depicted in transitions tp1, tp2, tp3 and tp4).
Preserving the same security objective, the revised protocol has a twofold enhancement.
In one aspect, an intruder can no longer conduct an attack against the hash
value of the disk key. Besides, the revised protocol offers more efficient performance
without the operation of disk key encryption/decryption.
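The two exchanges, as an added example that is not part of the thesis: a Python model of the original playback control protocol of Section 3.2.2 beside the revised protocol above, showing what each side produces and checks. The CSS functions E[A;K] and Hash(A) are not specified on this page, so the model assumes a keyed XOR stream derived with SHA-256 for E and a truncated SHA-256 for Hash; all keys, PSNs and content below are constructed sample values.

```python
# Added example, not from the thesis: the DVD playback control protocol of
# Section 3.2.2 next to the revised protocol of Section 3.3.
# Assumptions: E[A;K] is modelled as XOR with a SHA-256 derived keystream (an
# involution, so it serves for both encryption and decryption) and Hash(A) as a
# truncated SHA-256; neither is the real CSS function. All key, PSN and content
# values below are constructed sample data.
import hashlib
from typing import Dict, Optional, Sequence, Tuple


def E(data: bytes, key: bytes) -> bytes:
    """Stand-in for E[A;K]: XOR `data` with a SHA-256 derived keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def Hash(data: bytes) -> bytes:
    """Stand-in for Hash(A); CSS reuses its encryption function, this uses SHA-256."""
    return hashlib.sha256(data).digest()[:5]


# --- original protocol (places and transitions as named in Figure 3.2) -------
def author_disk(title_key: bytes, disk_key: bytes,
                player_keys: Sequence[bytes], av_data: bytes) -> Dict[str, object]:
    """Manufacturing steps 2 and 3: everything the disk carries."""
    return {
        "enc_av": E(av_data, title_key),                            # pd4
        "enc_title_key": E(title_key, disk_key),                   # pd5
        "enc_disk_keys": [E(disk_key, pk) for pk in player_keys],  # pd2
        "hash": Hash(disk_key),                                    # pd6
    }


def play_disk(disk: Dict[str, object], player_key: bytes) -> Optional[bytes]:
    """Player side. Response 1 carries the encrypted disk keys and the hash; the
    player decrypts each with its key (tp2) and hashes and compares (tp3-tp5).
    Response 2 then yields the title key (tp1) and the content (tp6)."""
    disk_key = None
    for enc_dk in disk["enc_disk_keys"]:
        candidate = E(enc_dk, player_key)
        if Hash(candidate) == disk["hash"]:
            disk_key = candidate
            break
    if disk_key is None:
        return None                  # no licensed player key: playback refused
    title_key = E(disk["enc_title_key"], disk_key)
    return E(disk["enc_av"], title_key)


# --- revised protocol (Figure 3.3): no disk key, PSN appended to the title key
def author_disk_revised(title_key: bytes, players: Sequence[Tuple[bytes, bytes]],
                        av_data: bytes) -> Dict[str, object]:
    """`players` holds (PSN, player key) pairs; one encryption per player (pd2)."""
    return {
        "enc_av": E(av_data, title_key),
        "enc_title_keys": [E(title_key + psn, pk) for psn, pk in players],
    }


def play_disk_revised(disk: Dict[str, object], psn: bytes,
                      player_key: bytes) -> Optional[bytes]:
    """Decrypt each entry (tp1-tp4) and accept the one whose appended PSN is our own."""
    for enc in disk["enc_title_keys"]:
        plain = E(enc, player_key)
        if plain[-len(psn):] == psn:
            return E(disk["enc_av"], plain[:-len(psn)])
    return None


# Constructed sample values (not real CSS keys): 5-byte keys as in CSS, 4-byte PSNs.
PLAYERS = [(b"\x00\x00\x00\x01", b"\x11\x22\x33\x44\x55"),
           (b"\x00\x00\x00\x02", b"\x66\x77\x88\x99\xaa"),
           (b"\x00\x00\x00\x03", b"\xbb\xcc\xdd\xee\xff")]
TITLE_KEY = b"\x0f\x1e\x2d\x3c\x4b"
DISK_KEY = b"\x5a\x69\x78\x87\x96"
AV_DATA = b"constructed audio/video sample"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Both protocols: a licensed player recovers the content, an unlicensed key does not."""
    disk = author_disk(TITLE_KEY, DISK_KEY, [pk for _, pk in PLAYERS], AV_DATA)
    revised = author_disk_revised(TITLE_KEY, PLAYERS, AV_DATA)
    psn, pk = PLAYERS[1]
    return (play_disk(disk, pk) == AV_DATA,
            play_disk(disk, b"\x00" * 5) is None,
            play_disk_revised(revised, psn, pk) == AV_DATA,
            play_disk_revised(revised, psn, b"\x00" * 5) is None)


if __name__ == "__main__":
    print(demo())   # (True, True, True, True)
```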
An intrinsic weakness of the DVD playback control protocol is located. A player
key has to be stored in a DVD player. If an intruder obtains the key of any licensed
DVD player, he/she can use the player key to decrypt all DVD disks in the market.
This is a system attack. To protect the sensitive DVD player key, a special type
of hardware called trusted hardware [32] could be used to store it. In the trusted
hardware, there is a tamper detecting mechanism that generates a signal shortly
before an intruder gains physical access to the system. Detection of an attempt to
gain access to the trusted hardware will result in erasure of the sensitive data (player
key) in it.
Chapter 4
Analysis of DVD Stream Cipher
In Chapter 3, the DVD playback control protocol is modeled in the Coloured Petri
Net Modeler (CPNM) and potential weaknesses in the protocol are uncovered. An
enhanced version of the protocol is proposed. However, the underlying cipher in DVD
applications is ignored there. Analysis of the cipher in a security application is as
important as analysis of the protocol; both provide us with insightful and
useful information about the security system. In this chapter, the underlying stream
cipher in CSS, the DVD copyright protection scheme, is discussed. An s-box based
stream cipher, RC4, is reviewed.
4.1 The Underlying Cipher in the DVD System
In DVD applications, movie contents and certain types of keys are encrypted and
stored on DVD disks. DVD players extract and decrypt them for playing. The
mathematical operations of encryption and decryption are defined in the underlying
cipher. The cipher in CSS is an LFSR-based stream cipher.
4.1.1 Keystream Generator
The keystream generator of this stream cipher is based on two LFSRs. The first
one (LFSR1) has degree 17. The corresponding polynomial formed from its tap
sequence is x^15 + x + 1. The second one (LFSR2) has degree 25 with corresponding
polynomial x^13 + x^5 + x^4 + x + 1. The keystream generator is shown in Figure 4.1.
To prevent it from generating a never-ending zero stream, the most significant bit of
LFSR1 (b17) and the 4th bit from the least significant bit of LFSR2 (b4) are set to one
initially. Other bits in the two LFSRs are set according to the user key. The length
of the user key is 40 bits by design to comply with the US government export control
policy at the time. The first two bytes (16 bits) of the user key initialize LFSR1
and the other three bytes (24 bits) of the user key initialize LFSR2. At every clock
tick, each LFSR generates one bit of output. After every eight ticks, an 8-bit keystream
output is generated by adding up the outputs of LFSR1 and LFSR2 with the carry
bit from the previous addition.
4.1.2 Encryption/Decryption Function
Figure 4.1: Keystream Generator in DVD Stream Cipher
The encryption/decryption function is shown in Figure 4.2. The encryption function
is executed from the top down and the decryption function is carried out in the reverse
direction. A(1,2,3,4,5) are 5 input plaintext bytes. C(1,2,3,4,5) are 5 output
ciphertext bytes. k1, ..., k5 are 5 keystream bytes generated from the keystream
generator. B(1,2,3,4,5) are 5 intermediate bytes. F is a pre-defined byte permutation
table. The major mathematical operations in the encryption/decryption are exclusive
ORs and byte permutations. We note the encryption function is also used as the hash
function to generate the hash value of the disk key.
Figure 4.2: Encryption/Decryption Function in DVD Stream Cipher (legend: A(1,2,3,4,5): 5 input bytes; B(1,2,3,4,5): 5 intermediate bytes; C(1,2,3,4,5): 5 output bytes; k1, k2, k3, k4, k5: 5 keystream output bytes; F: byte permutation table)
4.1.3 Cryptanalysis of Keystream Generator
According to [35], there exist two known ciphertext attacks on the CSS keystream
generator. Six bytes of keystream output are required in the first attack. The computational
complexity to recover the user key is in the order of 2^16. In the second attack,
only five keystream output bytes are needed but the computational complexity is in
the order of 2'' (the exponent is not legible in the scan). There is also a known plaintext
attack on the encryption function. Given A(1,2,3,4,5) and the associated C(1,2,3,4,5),
the five keystream bytes k1, ..., k5 could be obtained with only 256 trials.
The first attack on the CSS keystream generator is reviewed as follows.
Legends in the keystream generator attack:
O1(1), O1(2), ...: output bytes of LFSR1
O2(1), O2(2), ...: output bytes of LFSR2
O(1), O(2), ...: output bytes of the keystream, where O(i) = O1(i) + O2(i) + c, and c is the carry bit from O(i-1)
The b17 in LFSR1 and b4 in LFSR2 are set to one initially. Other bits in LFSR1
(16 bits) and LFSR2 (24 bits) are initialized by the 5 byte (40 bit) user key.
Attack: known O(1), O(2), O(3), O(4), O(5), O(6)
1. Guess the initial state of LFSR1
2. Generate 6 bytes O1(1), O1(2), O1(3), O1(4), O1(5), O1(6) from LFSR1
4. Generate O2(5), O2(6) from LFSR2 given O2(1), O2(2), O2(3), O2(4)
5. Compare O(6) with O1(6) + O2(6) + c. If equal, stop. Otherwise repeat the
above steps.
After the execution of the above algorithm, the initial state of LFSR1 is recovered.
Then the initial state of LFSR2 is deduced from its 32-bit output
O2(1), O2(2), O2(3), O2(4). The user key, i.e., the initial states of both LFSRs, is
discovered with 2^16 computational complexity. Other attacks are reviewed in detail
in Appendix A.
While the stream cipher has a 40-bit key, its security strength turns out not even
to match the 40-bit key length. This is partially due to the following facts.
First, in the keystream generator, neither of the two LFSRs is in full use. The
highest orders of the polynomials of the two LFSRs are 15 and 13, which are smaller
than their respective degrees 17 and 25. This indicates that the most significant bits of
both LFSRs are not among the feedback bits, and thus the effective degrees of the two
LFSRs are 15 and 13.
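As an added example (not part of the thesis), the following Python models a Fibonacci LFSR in the thesis's tap-sequence convention and measures state periods. It checks the period claim of Section 2.3.1 (a primitive tap polynomial gives period 2^n - 1) and the effective-degree point above: a register whose taps stop below its top stages has only the period of its tap polynomial, which is how a 17-stage register with tap polynomial x^15 + x + 1 behaves. The stage ordering (feedback enters at stage 1, output leaves from the last stage) is an assumption of the example.

```python
# Added example, not from the thesis: Fibonacci LFSR period measurements.
# Assumed convention: stages are numbered 1..L from the input end; the XOR of
# the tap stages enters stage 1 on each tick, everything shifts one stage
# towards stage L, and the output bit leaves from stage L. The tap polynomial
# ("tap sequence plus 1", as the thesis puts it) for taps (4, 1) is x^4 + x + 1.
from typing import Sequence, Tuple


def lfsr_step(state: int, taps: Sequence[int], length: int) -> Tuple[int, int]:
    """One clock tick. Bit (t - 1) of `state` holds stage t; returns (new_state, out)."""
    feedback = 0
    for t in taps:
        feedback ^= (state >> (t - 1)) & 1
    out = (state >> (length - 1)) & 1
    new_state = ((state << 1) & ((1 << length) - 1)) | feedback
    return new_state, out


def lfsr_period(length: int, taps: Sequence[int], seed: int) -> int:
    """Number of ticks until the register state repeats.

    Stages above the highest tap are pure delay: their initial contents never
    feed back, so the register is clocked `length` times first to flush them.
    After that the state sequence is purely periodic (the tap recurrence is a
    bijection on the tapped stages) and the first return gives the period.
    """
    if seed == 0 or max(taps) > length:
        raise ValueError("seed must be non-zero and taps must fit the register")
    state = seed
    for _ in range(length):
        state, _ = lfsr_step(state, taps, length)
    start, ticks = state, 0
    while True:
        state, _ = lfsr_step(state, taps, length)
        ticks += 1
        if state == start:
            return ticks


def effective_degree(taps: Sequence[int]) -> int:
    """Degree of the tap polynomial; the period can be at most 2^degree - 1."""
    return max(taps)


if __name__ == "__main__":
    # x^4 + x + 1 is primitive: full period 2^4 - 1 = 15 from any non-zero seed.
    print("4-bit, x^4+x+1:        ", lfsr_period(4, (4, 1), 0b0001))        # 15
    # x^4 + x^3 + x^2 + x + 1 is irreducible but not primitive: period 5.
    print("4-bit, x^4+x^3+x^2+x+1:", lfsr_period(4, (4, 3, 2, 1), 0b0001))  # 5
    # The same 6-stage register with two tap choices: x^6 + x + 1 uses every
    # stage (period 63); x^4 + x + 1 leaves stages 5 and 6 as delay (period 15).
    print("6-bit, x^6+x+1:        ", lfsr_period(6, (6, 1), 1))            # 63
    print("6-bit, x^4+x+1:        ", lfsr_period(6, (4, 1), 1))            # 15
    # The CSS LFSR1 shape: 17 stages, tap polynomial x^15 + x + 1 -> 2^15 - 1.
    print("17-bit, x^15+x+1:      ", lfsr_period(17, (15, 1), 1))          # 32767
```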
Moreover, the non-linear combiner used in the keystream generator is an 8-bit
addition with carry. The reason for using a non-linear combiner is to conceal the
output of the LFSRs and add some degree of non-linearity to the keystream so that a
correlation attack cannot be applied directly. But the 8-bit addition with carry offers
little non-linearity. All its non-linearity relies on the one bit carry from the
previous addition.
LFSR-based stream ciphers are vulnerable to various versions of the correlation
attack. LILI-128 [7], an LFSR-based stream cipher submitted to NESSIE (New European
Schemes for Signatures, Integrity and Encryption), is another example, which
has been cryptanalyzed recently [1]. In practice, other types of stream ciphers such
as an s-box based stream cipher or a cascaded s-box cipher could be candidates to
enhance the security performance of the DVD copyright protection system.
4.2 RC4 Observations
The s-box based stream cipher RC4-n is discussed in Section 2.3.2, where n denotes the
operating word size. It has an s-box with two pointers i and j pointing to its elements.
The s-box has 2^n elements, each of which is n bits in size. At each clock tick (iteration),
elements of the s-box are swapped once and an output is generated from the
s-box. The pointer i is incremented by one. The movement of pointer j is irregular.
The state of RC4 refers to the positions of pointers i, j and the contents of the s-box. As the
cipher evolves, the states of RC4 form cycles eventually.
An experiment is set up to record all positions of the right pointer j within a cycle
of the RC4-2 stream cipher. The results suggest that pointer j cannot remain in the same
position for more than three consecutive iterations. Experimental results for the RC4-3
cipher imply the same conclusion. We prove that this conclusion holds for any RC4-n
cipher as follows.
Figure 4.3 shows the only RC4 state in which the right pointer j does not move
for three iterations. To make pointer j stay in the same position, i has to point to 0 in
each iteration. At the same time i is incremented by one in each iteration. Involving
the swap action, i can only satisfy these two conditions at most twice, thus making j
remain in the same position for at most three consecutive iterations.
Figure 4.3: The RC4-n Stream Cipher
The movement of the right pointer j depends on its previous position and the contents
of the s-box. If the contents of the s-box are shuffled randomly, j moves randomly.
In the RC4-3 cipher, the pointer j has 2^3 = 8 positions. Both the probabilities for
j pointing to each position and the probabilities for j pointing to each position for
three consecutive iterations are collected experimentally. If j moves randomly, the
probability for j pointing to each position should be 1/8 = 0.125 and the probability
for j to stay in one position for three iterations should be (1/8)^3 = 0.001953.
Experimental results of such probabilities for the cycle length of 955,496, the
longest cycle in RC4-3, are in Table 4.1. P(xyz) denotes the probability for j pointing
to position xyz. P(xyz,xyz,xyz) denotes the probability for j to remain in the position
xyz for three consecutive rounds. The results show that j moves randomly as the
cipher evolves.
Table 4.1: Probabilities for j in RC4-3 (Cycle Length = 955,496)
Similar results for other cycles in RC4-3 are in Appendix D. In the shortest two
cycles, the joint probabilities P(xyz,xyz,xyz) are all equal to 0, which indicates j
cannot stay in one position for three consecutive rounds.
4.3 RC4 Outputs Analysis
As previously depicted in Table 2.3, there are two cycles in the RC4-2 cipher: 164 and 196.
Let P(O(i+1)/O(i)) denote the output conditional probability. By way of example,
P(01/11) represents the probability of an output of 01 given that the previous output is
11. The conditional probability discloses the correlation between consecutive outputs
of the RC4 stream cipher. For the RC4-2 cipher, the output is of 2-bit size. If its output
has good randomness properties, each of the four outputs is equally likely to occur, and
the output conditional probabilities should be close to 1/4.
Table 4.2: Output Conditional Probabilities P(O(i+1)/O(i)) for Cycle Length 164
In Tables 4.2 and 4.3, output conditional probabilities for cycles of length 164 and
196 are listed. In both cycles, each output occurs equally likely. But there are some
fluctuations in the conditional probabilities. Given a certain output, some output is
more likely to follow than other outputs, which implies outputs of the RC4-2 cipher
have some differences from a completely random sequence.
Stream ciphers with better randomness properties and longer cycles are expected
from a cascade of small scale s-boxes. Cascaded s-box stream ciphers are discussed
in the next chapter.
Table 4.3: Output Conditional Probabilities P(O(i+1)/O(i)) for Cycle Length 196
P(00/00) = 12/49   P(00/01) = 13/49   P(00/10) = 11/49   P(00/11) = 13/49
P(01/00) = 16/49   P(01/01) = 11/49   P(01/10) = 14/49   P(01/11) =  8/49
P(10/00) =  8/49   P(10/01) = 11/49   P(10/10) = 15/49   P(10/11) = 15/49
P(11/00) = 13/49   P(11/01) = 14/49   P(11/10) =  9/49   P(11/11) = 13/49
Chapter 5
A New Cascaded S-Box Stream
Cipher
In this chapter, we propose a new model for stream ciphers based on a cascade of small
s-boxes. Like the RC4 stream cipher designed by Ron Rivest [3û], the cascade stream
cipher makes use of evolving s-boxes and pointers. However, instead of using one
large s-box we employ a cascade of several small s-boxes. Smaller scale RC4 ciphers
are vulnerable to attacks [23]. The cascaded cipher achieves security by combining
the contributions of many small scale s-boxes. The number of s-boxes in the cascade
can be increased if we desire more security. Important properties such as keystream
cycle structure and output statistical analysis are discussed in this chapter. The new
cascade stream cipher requires relatively little storage and executes efficiently in both
hardware and software.
5.1 The General Cascaded S-Box Stream Cipher
Figure 5.1: A Cascaded S-Box Stream Cipher
Figure 5.1 depicts a cascaded s-box stream cipher, where N denotes the total
number of cascaded s-boxes (cells) and n denotes the size of each s-box. We adopt
the following notation in the thesis: in the case where we assume 2-bit s-boxes we
refer to the cipher as CSC-N, where N is defined above. Like the RC4-n stream cipher,
the contents of each s-box may be any permutation of {0, 1, ..., 2^n - 1}. Every s-box
has two pointers which rearrange its contents after each output. The s-boxes are
cascaded serially with each output connecting to the left pointer of the next s-box.
The new cascaded stream cipher operates on n-bit words. As shown in the following
description, there are two phases involved in the stream cipher algorithm. In the
initialization phase, the input is the user's key whose length can be up to N × 2^n n-bit
words. This determines the initial state of the cascaded stream cipher as follows. In
step 1, the user key is expanded to N × 2^n × n bits. In step 2, each s-box is filled
linearly. And in step 3, the contents of the s-boxes are shuffled by the expanded user
key. All the pointers are set to zero after this phase.
Phase 1: Initialization
Input: k_0, ..., k_{l-1}, l n-bit words of user's key
Output: Initial state of the CSC-N cascaded cipher
1. For z from 0 to N × 2^n - 1
   { K_z = k_{z mod l} }
2. For m from 1 to N
   { For z from 0 to 2^n - 1
     { S_m[z] = z } }
3. (shuffle of the s-boxes S_1, ..., S_N by the expanded key K; the body of this step is not legible in the scan)
4. For m from 1 to N
   { i_m = 0; j_m = 0 }
In the keystream generation phase, the input is the initial state of the cascaded
stream cipher and the output is the next n-bit word in the keystream and the next
state. The first left pointer is incremented regularly in step 1. In step 2, the contents
of each s-box are rearranged according to the movements of its two pointers. The
output keystream is generated from the output of the last s-box. The first s-box
with its two pointers evolves exactly the same way as an RC4-n stream cipher. Each
of the other N - 1 s-boxes evolves slightly differently because their left pointers are
no longer incremented by one each time. Instead, they are determined by the output
of the previous s-box.
Phase 2: Keystream Generation
Input: Initial State of the CSC-N cascaded stream cipher
Output: The next n-bit word in the keystream, and the next state
Repeat forever
{ i_1 = i_1 + 1 mod 2^n
  For k from 1 to N
  { j_k = j_k + S_k[i_k] mod 2^n
    Swap S_k[i_k] and S_k[j_k]
    t = S_k[i_k] + S_k[j_k] mod 2^n
    if k < N, i_{k+1} = S_k[t]
    else output S_k[t] as the next word in the keystream
  }
}
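As an added example (not the thesis's own code), the following Python implements the cascaded s-box cipher above, with N = 1 reducing to the RC4-n algorithm of Section 2.3.2, and uses it to reproduce the RC4-2 cycle lengths of Table 2.3, to check the pointer-j observation of Section 4.2, and to measure a CSC-2 cycle as in Section 5.2. The key-dependent shuffle of step 3 of the initialization is not legible on this page; the example assumes an RC4-style shuffle applied to each s-box with its own slice of the expanded key.

```python
# Added example, not from the thesis: the cascaded s-box cipher (CSC) with
# N s-boxes of n-bit words; N = 1 is exactly RC4-n. Step 3 of the initialization
# (the key-dependent shuffle) is not legible on this page, so an RC4-style
# shuffle, box m consuming words K[m*2^n .. (m+1)*2^n - 1], is assumed here.
from collections import Counter
from itertools import permutations
from typing import Dict, List, Optional, Sequence


class CascadedSBoxCipher:
    def __init__(self, n: int, N: int, key_words: Sequence[int],
                 boxes: Optional[List[List[int]]] = None) -> None:
        self.n, self.N, self.mask = n, N, (1 << n) - 1
        size = 1 << n
        if boxes is not None:
            self.S = [list(b) for b in boxes]      # start from chosen permutations
        else:
            # Phase 1, steps 1 and 2: expand the key to N * 2^n words and fill
            # each s-box linearly.
            K = [key_words[z % len(key_words)] & self.mask for z in range(N * size)]
            self.S = [list(range(size)) for _ in range(N)]
            # Step 3 (assumed): RC4-style key-dependent swaps in each s-box.
            for m in range(N):
                j = 0
                for i in range(size):
                    j = (j + self.S[m][i] + K[m * size + i]) & self.mask
                    self.S[m][i], self.S[m][j] = self.S[m][j], self.S[m][i]
        # Step 4: all pointers start at zero.
        self.i = [0] * N
        self.j = [0] * N

    def next_word(self) -> int:
        """Phase 2: one clock of the cascade; returns the next n-bit keystream word."""
        self.i[0] = (self.i[0] + 1) & self.mask
        out = 0
        for k in range(self.N):
            S, i = self.S[k], self.i[k]
            self.j[k] = (self.j[k] + S[i]) & self.mask
            j = self.j[k]
            S[i], S[j] = S[j], S[i]
            t = (S[i] + S[j]) & self.mask
            if k + 1 < self.N:
                self.i[k + 1] = S[t]   # box k's output drives the left pointer of box k+1
            else:
                out = S[t]
        return out

    def state(self):
        """Hashable state. The left pointers of boxes 2..N are recomputed from the
        previous box before each use, so i_1, every j_k and the box contents
        determine the future; on these the clock map is a bijection."""
        return (self.i[0], tuple(self.j), tuple(tuple(S) for S in self.S))


def xor_keystream(key: bytes, data: bytes, N: int = 1) -> bytes:
    """Encrypt or decrypt bytes with the 8-bit cascade (N = 1 is plain RC4)."""
    c = CascadedSBoxCipher(8, N, list(key))
    return bytes(b ^ c.next_word() for b in data)


def cycle_length(c: CascadedSBoxCipher) -> int:
    """Clocks until the state first returns; c is back at its start afterwards."""
    start, ticks = c.state(), 0
    while True:
        c.next_word()
        ticks += 1
        if c.state() == start:
            return ticks


def rc4_cycle_histogram(n: int = 2) -> Dict[int, int]:
    """Cycle length -> number of initial permutations (i = j = 0) for RC4-n (cf. Table 2.3)."""
    hist: Counter = Counter()
    for perm in permutations(range(1 << n)):
        hist[cycle_length(CascadedSBoxCipher(n, 1, [0], boxes=[list(perm)]))] += 1
    return dict(hist)


def longest_j_stay(n: int = 2) -> int:
    """Longest run of consecutive clocks in which RC4-n's pointer j keeps its
    position, over the cycles reached from every initial permutation (Section 4.2)."""
    longest = 0
    for perm in permutations(range(1 << n)):
        c = CascadedSBoxCipher(n, 1, [0], boxes=[list(perm)])
        length = cycle_length(c)
        js = []
        for _ in range(length):
            c.next_word()
            js.append(c.j[0])
        doubled, run = js + js, 1          # doubled so runs wrapping the cycle count
        for k in range(1, len(doubled)):
            run = run + 1 if doubled[k] == doubled[k - 1] else 1
            longest = max(longest, min(run, length))
    return longest


if __name__ == "__main__":
    print(xor_keystream(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3 (RC4 test vector)
    print(rc4_cycle_histogram(2))                     # cycle lengths 164 and 196 only
    print(longest_j_stay(2))                          # at most 3
    csc2 = CascadedSBoxCipher(2, 2, [0], boxes=[[0, 1, 2, 3], [0, 1, 2, 3]])
    print(cycle_length(csc2))                          # a multiple of 2^n = 4
```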
5.2 Keystream Cycle Structure of the Cascaded Cipher
The state of a cascaded s-box stream cipher refers to the positions of all the pointers
(i_1, j_1), ..., (i_N, j_N) and the contents of each s-box in the cascade. Once the state
of the cipher is set up, the output keystream is completely determined. In fact,
the keystream generating operation in a cascaded stream cipher is a deterministic
and reversible operation. Because the cascaded s-box stream cipher has a finite
number of states, its output repeats eventually. As the cipher evolves, the output
keystream therefore forms cycles (we also call the period of the cipher the cycle
length). Investigation of the cycle structure is important in the design and analysis of
stream ciphers.
5.2.1 Cycles in the Cascaded S-Box Stream Cipher
At the end of the initialization phase of the cascaded s-box stream cipher algorithm,
an initial permutation is chosen for each s-box by the user key. The cipher with
different initial states generates keystreams with different cycle lengths. Experiments
are carried out to determine cycle lengths in the CSC-2, CSC-3, CSC-4, CSC-5 and CSC-6
ciphers and the corresponding number of occurrences of these cycles. For example,
Table 5.1 lists all the cycle lengths with the corresponding number of occurrences in
the CSC-2 cipher. The decomposition of these cycles is discussed in Section 5.2.4.
Table 5.1: Cycle Lengths for CSC-2 Stream Cipher
Cycle Length   Number of Occurrence   Cycle Length Decomposition
14596          265                    4*41*89
(only the first row of the table is legible in the scan)
For the CSC-2 and CSC-3 ciphers, all possible permutations of each s-box are tried.
There are 9 cycles in the CSC-2 cipher and the longest cycle has period 14,596. There
are 51 cycles in the CSC-3 cipher and the longest cycle has period 788,184. Detailed
information about the cycles in the CSC-3 cipher can be found in Tables 5.2 and 5.3.
Table 5.2: Cycle Lengths for CSC-3 Stream Cipher (1)
Index   Cycle Length   Number of Occurrence
1       788,184        3598
2       423,284        1895
3       249,900         936
4       211,288         872
5       197,568         648
6       176,792         821
7       131,712         470
8       102,172         461
9        93,100         333
10       90,552         390
11       87,808         321
12       87,576         406
13       86,240         349
14       78,400         306
15       54,880         199
16       43,904         147
17       43,120         189
18       39,360         197
19       30,184         233
20       24,500          99
21       21,320         114
22       20,580          88
23       15,092          62
24       14,700          62
25       12,936          61
26       12,348          55
27       10,976          39
28       10,780          44
29        9,800          40
30        9,020          42
Table 5.3: Cycle Lengths for CSC-3 Stream Cipher (2)
Index: 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
Cycle Length: 8,036 5,248 4,920 4,756 4,312 4,116 3,280 2,788 2,744 2,460 2,156 2,132 1,968 1,640 1,372 1,312 1,148 656 492 328 164
Number of Occurrence: 28 27 37 20 71 24 35 12 14 25 6 6 6 7 5 8 3 5 4 (two of the 21 entries are not legible in the scan)
Cycle Length Decomposition (only the first row is legible): 4*41*1*49
CHAPTER 5. A NEW CASCADED S-BOX STREAM CIPHER
As N is incremented, the longest cycle lengths grow rapidly and searching for cycles from every initial state requires long computer runs. To keep the experimental time manageable, random sampling of initial states is adopted. Once the cycle length of an initial state exceeds the threshold, the search is truncated.

Figure 5.2 depicts the relation between cycle length and cycle counts in the CSC-3, CSC-4, CSC-5 and CSC-6 ciphers. The horizontal axis represents the different cycle lengths. The vertical axis represents the cumulative frequency (CF) over all cycles less than or equal to the current cycle length. Both axes are in log scale. The larger the number of cascaded s-boxes, the longer the maximum cycle lengths are.

For the CSC-4, CSC-5 and CSC-6 ciphers, the search threshold on cycle length is set to 10^8 and the results are based on 1000 random initial permutations of the s-boxes. On a Sun Ultra 5 workstation, these experiments take about 10, 66 and 75 hours respectively. In the experiment, no cycle with length greater than or equal to 10^8 is found in the CSC-4 cipher (see Tables 5.4, 5.5 and 5.6; the longest one is 29,950,992). Although it is too time-consuming to try all (2^2!)^4 = 24^4 = 331,776 initial states, the cycle of length 29,950,992 is almost certainly the longest one in the CSC-4 cipher. The reason is discussed in Section 5.2.3. In Figure 5.2, only a small portion of the cycles with lengths below the threshold of 10^8 are discovered in the CSC-5 and CSC-6 ciphers.

More information about the cycle lengths of the CSC-5 and CSC-6 ciphers is listed in Tables 5.7, 5.8 and 5.9.
Figure 5.2: Cumulative Frequency (CF) of Occurrence versus Cycle Length (legend: o CSC-3 cipher, + CSC-4 cipher, . CSC-5 cipher, x CSC-6 cipher; both axes in log scale)
Table 5.4: Cycle Lengths for CSC-4 Stream Cipher (1)
Only fragments of this table are legible in the scanned source. The first row is the longest cycle, 29,950,992, with decomposition 4*41*89*54*38; the second legible decomposition, 4*41*89*54*37, is the cycle of length 29,162,808 (see Figure B.1). The surviving entries of the number-of-occurrence column (out of 1000 random initial states), in the order they appear, are: 106 99 71 52 43 26 18 27 19 20 25 28 13 21 11 12 12 9 16 10 10 10 24 15 6 6 15 3 16 29 5 22 11 4 7 12 10 1 1 1.

Table 5.5: Cycle Lengths for CSC-4 Stream Cipher (2)
Indices 39 to 76. Only the first cycle length, 1,849,920, is legible; the number-of-occurrence and decomposition columns are lost.

Table 5.6: Cycle Lengths for CSC-4 Stream Cipher (3)
Index   Cycle Length
77      423,284   (decomposition 4*41*89*29*1)
78      422,576
79      351,232
80      318,500
81      310,464
82      301,760
83      286,748
84      262,728
85      259,284
86      258,720
87      249,900
88      245,000
89      241,080
90      234,612
91      186,?00   (one digit illegible)
92      172,872
93      166,600
94      146,944
95      137,760
96      127,920
97      125,460
98      120,736
99      118,580
100     103,488
101     102,172
102     90,552
103     78,720
104     64,288
105     54,??0    (two digits illegible)
106     54,120
107     49,000
108     46,648
109     25,872
110     9,840
111     3,280
112     1,640
The number-of-occurrence column is lost; the only legible decomposition is that of index 77.
5.2.2 Property of Cascaded S-Box Stream Ciphers

If the number and lengths of the keystream cycles of a stream cipher are known, an intruder may conduct a ciphertext-only attack on the stream cipher. Details are as follows.

Without loss of generality, it is assumed that the keystream generator produces one key bit at a time.

Notation: l is the cycle length; p_0, p_1, ..., p_{2l-1} are 2l bits of plaintext; k_0, k_1, ..., k_{l-1} are the l bits of a complete keystream cycle; c_0, c_1, ..., c_{2l-1} are 2l bits of ciphertext, where c_i = p_i XOR k_{i mod l}.

Assume an intruder is given 2l bits of ciphertext and the cycle length l. In step one, the intruder shifts the ciphertext by l bits. In step two, the shifted ciphertext c_l, c_{l+1}, ..., c_{2l-1}, c_0, c_1, ..., c_{l-1} is bitwise XORed with the original ciphertext c_0, c_1, ..., c_{2l-1}. Since each bit in the same position of both ciphertexts is the result of the same key bit XORed with a plaintext bit, the key bits cancel and the XOR of two plaintext bits, p_i XOR p_{(i+l) mod 2l}, is obtained in step two. There is a lot of redundancy in these XORed plaintext bits; the English language, for example, has about 50% redundancy. This redundancy makes the XORed plaintext bits vulnerable to attack, exactly as in the case of a reused one-time pad.

The ciphertext-shift attack requires the ciphertext to be longer than the corresponding keystream cycle length. Thus it is a desirable property for a stream cipher to have long keystream cycles.
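The shift-and-XOR step, as an added worked example (this code is not from the thesis; the periodic keystream and the plaintext below are constructed stand-ins, and any generator whose output repeats with a known short period behaves the same under this attack). It shifts by one period instead of rotating, so each XORed plaintext pair appears once, and then drags a known phrase (a crib) across the XORed plaintext to recover the bytes that lie one period away:

```python
from itertools import cycle

# Constructed stand-in keystream (assumption): any generator whose output
# repeats with period PERIOD behaves the same under this attack.
PERIOD = 16
KEYSTREAM_CYCLE = bytes([0x3a, 0x7f, 0x11, 0xc8, 0x55, 0x02, 0x9e, 0xe1,
                         0x6d, 0xb4, 0x27, 0xf0, 0x48, 0x8b, 0xd3, 0x1c])

# Constructed plaintext; the phrase "attack at " recurs exactly one period
# apart, which is the redundancy the attack exploits.
PLAINTEXT = b"attack at dawn; attack at dusk; then regroup at the old mill"
CRIB = b"attack at "


def keystream(n):
    """Return n bytes of the periodic keystream."""
    return bytes(k for _, k in zip(range(n), cycle(KEYSTREAM_CYCLE)))


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext):
    """Stream encryption: c_i = p_i XOR k_(i mod PERIOD). Decryption is
    the same operation."""
    return xor_bytes(plaintext, keystream(len(plaintext)))


def shift_and_xor(ciphertext, period):
    """Steps one and two of the attack. Shifting by one period aligns c_i
    with c_(i+period); both were made with the same key byte, so the key
    cancels and p_i XOR p_(i+period) remains. More than one period of
    ciphertext is needed, otherwise nothing is left to XOR."""
    if len(ciphertext) <= period:
        return b""
    return xor_bytes(ciphertext[period:], ciphertext[:-period])


def crib_drag(pp_xor, crib, period):
    """Exploit plaintext redundancy: at every offset i where the crib might
    sit in the plaintext, pp_xor[i:] XOR crib is what the plaintext says one
    period later. Offsets whose result is printable ASCII are returned as
    (offset_of_recovered_bytes, recovered_bytes)."""
    hits = []
    for i in range(len(pp_xor) - len(crib) + 1):
        guess = xor_bytes(pp_xor[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in guess):
            hits.append((i + period, guess))
    return hits


if __name__ == "__main__":
    ct = encrypt(PLAINTEXT)
    pp = shift_and_xor(ct, PERIOD)
    for offset, text in crib_drag(pp, CRIB, PERIOD):
        print(offset, text)
```

A run of zero bytes in the shifted XOR is itself a tell: it means the plaintext repeats one period apart, and the crib drag then reads the second occurrence directly. With only one period of ciphertext the function returns nothing, which is the condition stated above.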
Another ciphertext-only attack on the cascaded stream cipher is that an intruder can guess the initial states of the s-boxes and then generate the corresponding keystreams to be XORed with the ciphertext. After trying at most every possible state, the intruder can obtain the key and thus the plaintext. This is a brute-force attack.

Since CSC-3 and RC4-3 have the same amount of storage capacity, they are comparable. The cycle length distributions of CSC-3 and RC4-3 are similar (see Figure 5.3). The longest cycle length is larger in RC4-3 than in CSC-3. When we increase the number of cells in the cascaded stream cipher, the cycle length grows rapidly.
5.2.3 Upper Bound of the Cycle Length

In a cascaded stream cipher, there are N + 1 pointers each of which has 2^n positions, and there are N n-bit s-boxes each of which has (2^n)! permutations. Thus the total number of possible states in the cascaded stream cipher is (2^n)^(N+1) ((2^n)!)^N, which directly determines the upper bound on the cycle length of the cipher.

Lemma 1 An upper bound on the cycle length for a cascaded s-box stream cipher is (2^n)^(N+1) ((2^n)!)^N, the total number of states, since no cycle can contain a state more than once.
Experimental results show that in the CSC-3 cipher the 51 cycles add up to 3,234,104 states while the upper bound is 3,538,944. This indicates that the CSC-3 cipher actually visits 3,234,104 / 3,538,944 = 91.4% of the total number of states (the remaining states are not reachable). In addition to the data in Tables 5.4, 5.5 and 5.6, another cycle-searching experiment is carried out for the CSC-4 cipher. A total of 186 cycles is observed (this includes 11 pairs of cycles that have the same cycle length) and they add up to 308,094,256 states. The upper bound is 339,738,624 states. The percentage of states actually visited is 308,094,256 / 339,738,624 = 90.7%. It is a desirable property of the cascaded stream cipher that it actually visits most of the states in the complete space.

Figure 5.3: RC4-3 vs. CSC-3 Cipher

In the CSC-4 cipher, the longest cycle generated from 1000 random initial states is 29,950,992. There are 34,063 keys in this cycle. The total number of initializations
(i.e., keys) for the cipher is (2^2!)^4 = 24^4 = 331,776. Each time we randomly choose an initial state, we have a 34,063 / 331,776 = 10.3% probability of generating the cycle of length 29,950,992. In other words, we have an 89.7% probability of missing it. If we repeat our random sampling 1000 times, the probability that we miss the cycle of length 29,950,992 is (0.897)^1000 = 6.2 × 10^-48, which is extremely small and negligible. If there were any cycle in the CSC-4 cipher longer than 29,950,992, it would hold even more keys (Section 5.3 shows that the number of keys on a cycle grows with its length), so the probability of missing it after 1000 random samples would be even smaller than 6.2 × 10^-48. In fact, no such cycle is discovered. So we conclude with confidence that the longest cycle length in the CSC-4 cipher is 29,950,992. With the help of probability and random sampling, we do not have to search every initial state to determine the length of the longest cycle in a cascaded cipher. We also use this method for the CSC-5 cipher.

Cycle lengths in the CSC-5 and CSC-6 ciphers are even longer. The upper bounds for them are 3.3 × 10^10 and 3.1 × 10^12 respectively. For a better understanding and further analysis of the cascaded stream ciphers, we need more information about the long cycle lengths. Based on the discussion in Section 5.2.4, the upper bounds on cycle length for the CSC-5 and CSC-6 ciphers can be improved. We extend our search and more cycles are discovered. Details are in Section 5.2.4.
5.2.4 Decomposition of Cycles

As shown in Tables 5.1, 5.2 and 5.3, cycles in our cascaded stream cipher are decomposed into products of several factors. Such a decomposition reveals some details about the cycle and the behaviour of each s-box.

The first factor represents the effect of the first left pointer i_1 in the cascaded cipher. Each of the other factors represents the contribution of one s-box together with its right pointer. The first factor is equal to 4 in all cycle decompositions. This is because i_1 has 4 possible values and runs through them in a cycle of length four. The other factors take various values, but none of them exceeds 96. This is because every s-box has 4! arrangements and its right pointer has 4 positions. Thus,

Lemma 2 The maximum cycle factor contributed by a 2-bit s-box with its right pointer is 4! × 4 = 96.

For each cell (s-box plus right pointer) added to the cascaded cipher, the average growth rate of the cycle length is about 45. As N is incremented, the longest cycle length comes closer to its upper bound.

The method of cycle decomposition plus the previous experimental results on cycle lengths in the CSC-4 cipher directly lead to the following lemma:

Lemma 3 Upper bounds on the cycle length for the CSC-5 and CSC-6 ciphers are 2.88 × 10^9 and 2.76 × 10^11 respectively.

The longest cycle in the CSC-4 cipher is 29,950,992, thus the upper bound on the cycle length in the CSC-5 cipher is 29,950,992 × 96 = 2.88 × 10^9. And the upper bound on the cycle length in the CSC-6 cipher is 2.88 × 10^9 × 96 = 2.76 × 10^11. This is an immediate improvement of the cycle length upper bounds for cascaded ciphers compared with those
in Section 5.2.3. Encouraged by this new upper bound, we repeat the experiments to search for cycle lengths in the CSC-5 and CSC-6 ciphers. No threshold is put on the cycle length, but the number of random initial states is reduced to keep the computer time manageable. The cycles in Tables 5.7 and 5.8 are obtained from 100 random initial states of the CSC-5 cipher. The longest cycle length is 1,430,699,920. As in Section 5.2.3, this cycle is highly likely to be the longest cycle in the CSC-5 cipher: it holds 399,105 of the 24^5 = 7,962,624 keys, so the probability of not having hit it in 100 random samples is (1 - 399,105/7,962,624)^100 = 0.58%, i.e. it is the longest with a probability of 99.42%.
Table 5.7: Cycle Lengths for CSC-5 Stream Cipher (1)
Index   Cycle Length
1       1,430,699,920
2       1,227,990,672
3       960,008,112
4       951,429,864
5       720,966,400
6       699,907,392
7       599,019,840
8       554,093,352
9       554,078,756
10      524,930,544
11      515,784,192
12      513,018,240
13      508,935,168
14      503,798,400
15      479,215,872
16      359,411,904
17      351,859,200
18      350,526,792
19      347,860,800
20      314,725,824
21      272,288,380
22      265,647,200
23      264,129,216
24      262,465,272
25      223,533,100
26      218,817,536
27      179,705,952
The number-of-occurrence and cycle length decomposition columns are not legible in the scanned source.

Table 5.8: Cycle Lengths for CSC-5 Stream Cipher (2)
Indices 28 to 53. Only the first cycle length, 173,692,400, is legible; the remaining lengths and the number-of-occurrence and decomposition columns are lost.
Searching for cycles in the CSC-6 cipher needs even longer computer runs. In Table 5.9, we found 13 big cycles. The longest one has length 108,733,193,920. Each of them occurs only once in the experiment.

Table 5.9: Observed Longest Cycle Lengths for CSC-6 Stream Cipher
Index   Cycle Length        Cycle Length Decomposition
1       108,733,193,920     4*41*89*29*52*65*76
Rows 2 to 13 are not legible in the scanned source.
5.2.5 Typical Key Lengths for the Stream Cipher

The keys for the CSC are stored in tables the same size as the s-boxes. Thus for each 2-bit s-box in the cascade there are 2 × 4 = 8 bits of key. Hence a CSC-N has 8N bits of nominal key. The effective key length is determined by the number of initial states generated by the keys. Each 2-bit s-box can be arranged in 4! = 24 ways. Hence the effective key length for a CSC-N is N log2 24 ≈ N × 4.585 bits. If we form the CSC cascade from 16 cells, the effective key length is 73.4 bits. For 24 cells in the CSC the effective key length is 110 bits, and for 32 cells it is approximately 146.7 bits.

In PCS wireless cellular phone applications, the CSC-16 cipher may be sufficient (this compares with 56 bits of key for DES). The CSC-24 would be immune to exhaustive computer search with current and foreseen technology.
5.3 Key Spacing Distribution in Cascaded Ciphers

The number of keys is much larger than the number of cycles. A cycle of a CSC-N cascaded cipher consists of a sequence of different states of the system. Some of these states have all of their pointers equal to zero; these states correspond to initializations under different keys. The key spacing of the system refers to the number of states between two such adjacent keys. Investigating the key spacing distribution in cycles gives us useful insight into the behaviour of CSCs.

Figure 5.4 shows the relationship between the different cycles and the number of keys on them for the CSC-4 cipher. The x-axis indicates the cycle length and the y-axis indicates the corresponding number of keys. Both are in log scale. It suggests very good linearity between the cycle length and the number of keys in the cycle. The longer the cycle, the more keys reside in it. This is a good property for the cascaded cipher: an intruder cannot just look at a small portion of the cycles to reveal a large share of the keys.
Figure 5.4: Number of Keys vs. Cycle Lengths

As the cascaded cipher state evolves, if each rearrangement of the s-boxes were truly random, then the subsequent values of the rest of the pointers would be completely random. Thus each time the first pointer returned to zero, all the rest of the pointers would point to zero with some Bernoulli probability p. This would give a geometric distribution for the interval between keys on the cycle.
For the CSC-4 cipher, we experimentally collect the key spacing data in 112 cycles. Figure 5.5 shows the key spacing distribution on the cycle of length 29,950,992, the longest cycle in the CSC-4 cipher.
Figure 5.5: Key Spacing Distribution in the Cycle of Length 29,950,992 in the CSC-4 Cipher (histogram; x-axis: bins for key spacing, 0 to 8000; y-axis: number of keys per bin)
Total keys: 34,063; total bins: 50; max key spacing: 9,392; min key spacing: 4; average key spacing: 879.3
The experimental results on key spacing are represented in the histogram by 50 equal-sized bins collecting the keys on the cycle with different key spacings. The vertical axis indicates the number of keys in each bin. The curve is the theoretical geometric distribution. The experimental results visually match the theoretical geometric distribution quite well, which suggests the new cascaded stream cipher is giving random-looking permutations of the s-boxes.
Similarly, Figure 5.6 depicts the key spacing distribution on the longest cycle in the CSC-5 cipher. There are 399,105 keys in the cycle of length 1,430,699,920. The maximum key spacing is 43,808 and the minimum is 4. The profile of the histogram also visually matches the geometric distribution very well.
Figure 5.6: Key Spacing Distribution in the Cycle of Length 1,430,699,920 in the CSC-5 Cipher (histogram; x-axis: bins for key spacing, in units of 10^4; y-axis: number of keys per bin)
Total keys: 399,105; total bins: 50; max key spacing: 43,808; min key spacing: 4; average key spacing: 3,584.8
All collected key spacing data follow the geometric distribution except for the shortest cycles, which have very few keys in them; e.g., there is only 1 key in the cycle of length 1,640 and 2 in the cycle of length 3,280. More key spacing distribution plots are in Appendix B.
5.4 Statistical Analysis of the Output of Cascaded Ciphers

The key spacing distribution in a cascaded cipher demonstrates the randomness in the rearrangements of the internal s-boxes. Studying the keystream output is another important aspect of determining the randomness properties of the cipher.

Statistical tests are carried out on sample output keystreams. Each test determines whether the output sequence possesses a certain attribute that a truly random bit stream exhibits. Passing such randomness tests provides evidence that the tested sequence has certain characteristics of randomness; it does not prove that the generator is secure, since a sequence with obvious structure can still pass a small number of tests.
5.4.1 Frequency Test (one-bit test)

The purpose of this test is to determine whether the numbers of 0's and 1's in the sequence are approximately the same, as would be expected for a random sequence. Let n_0 and n_1 denote the number of 0's and 1's respectively, and let n denote the total number of bits in the sequence. The statistic used in this test is

X_1 = (n_0 - n_1)^2 / n

which approximately follows a χ^2 distribution with 1 degree of freedom if n >= 10. It is important to choose an appropriate significance level. Too high a significance level will cause rejection of a good random sequence generator, while one that is too low will cause acceptance of a sequence generator even with poor randomness properties. In this thesis, a significance level of α = 0.05 is employed.
5.4.2 Serial Test (two-bit test)

The purpose of the serial test is to determine if the numbers of occurrences of 00, 01, 10 and 11 as subsequences of the tested string are approximately the same, as expected from a random bit string. Let n_0 and n_1 denote the number of 0's and 1's respectively, and n the total number of bits in the sequence. Let n_00, n_01, n_10 and n_11 denote the number of occurrences of 00, 01, 10 and 11 respectively. The statistic used here approximately follows a χ^2 distribution with 2 degrees of freedom if n >= 21.
5.4.3 Test Results for Cascaded Stream Ciphers

For a significance level of α = 0.05, the threshold value for the frequency test with 1 degree of freedom is 3.8415 and the threshold value for the serial test with 2 degrees of freedom is 5.9915 [20].

For the CSC-2, CSC-3, CSC-4, CSC-5 and CSC-6 ciphers, 100 outputs with a certain number of bits from each cipher are randomly chosen and the two statistical tests are carried out on them. Table 5.10 gives the summary of the experimental results: in each experiment, the number of values that exceed the threshold is about 5% of the total trials, which conforms to the α = 0.05 significance level; the remaining 95% of the outputs pass the tests. This supports the hypothesis that the cascaded cipher generates random-looking outputs. More detailed results of these experiments are in Appendix C.
Table 5.10: Output Statistical Test Results for Cascaded Ciphers
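Both tests of Sections 5.4.1 and 5.4.2 with the α = 0.05 thresholds above, as an added runnable example (not the thesis's test program). The serial statistic is written in the form given in the Handbook of Applied Cryptography [20], which the thesis cites for its thresholds; that this is exactly the form the thesis used is an assumption. The inputs are constructed bit strings, not cipher output, chosen to show what each test does and does not catch:

```python
CHI2_1DF_005 = 3.8415   # threshold, 1 degree of freedom, alpha = 0.05
CHI2_2DF_005 = 5.9915   # threshold, 2 degrees of freedom, alpha = 0.05


def _check(bits, minimum, name):
    if set(bits) - {"0", "1"}:
        raise ValueError("bits must be a string of '0' and '1'")
    if len(bits) < minimum:
        raise ValueError("%s needs n >= %d bits" % (name, minimum))


def frequency_statistic(bits):
    """X1 = (n0 - n1)^2 / n, approximately chi-square with 1 d.f. (n >= 10)."""
    _check(bits, 10, "frequency test")
    n = len(bits)
    n1 = bits.count("1")
    n0 = n - n1
    return (n0 - n1) ** 2 / n


def serial_statistic(bits):
    """X2 = 4/(n-1) * (n00^2 + n01^2 + n10^2 + n11^2) - 2/n * (n0^2 + n1^2) + 1
    over the n-1 overlapping digraphs; approximately chi-square with 2 d.f.
    (n >= 21). Form taken from [20] (assumption that the thesis used it)."""
    _check(bits, 21, "serial test")
    n = len(bits)
    n1 = bits.count("1")
    n0 = n - n1
    pairs = {"00": 0, "01": 0, "10": 0, "11": 0}
    for i in range(n - 1):
        pairs[bits[i:i + 2]] += 1
    return ((4.0 / (n - 1)) * sum(v * v for v in pairs.values())
            - (2.0 / n) * (n0 * n0 + n1 * n1) + 1.0)


def run_tests(bits):
    """Both statistics and the pass/fail decision at alpha = 0.05."""
    x1 = frequency_statistic(bits)
    x2 = serial_statistic(bits)
    return {"X1": x1, "freq_pass": x1 <= CHI2_1DF_005,
            "X2": x2, "serial_pass": x2 <= CHI2_2DF_005}


# Constructed inputs (not thesis data): balanced but alternating, balanced
# with balanced digraphs, and constant.
ALTERNATING = "01" * 500
PERIODIC_0011 = "0011" * 250
ALL_ZERO = "0" * 1000

if __name__ == "__main__":
    for name, s in [("alternating", ALTERNATING), ("0011 repeated", PERIODIC_0011),
                    ("all zero", ALL_ZERO)]:
        print(name, run_tests(s))
```

The alternating string 0101... has X1 = 0 and passes the frequency test, but its digraph counts (n01 = 500, n10 = 499, n00 = n11 = 0) push X2 near 1000 and the serial test rejects it. The string 0011 repeated passes both tests with X2 close to 0, although it is obviously not random. Passing these two tests is therefore necessary but not sufficient evidence, which is why Section 5.4.4 also examines digraph and trigraph statistics of the 2-bit outputs.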
5.4.4 Output Probability Deviation

We use probability deviations to describe the differences in probability between the output of a CSC-N cipher and a truly random bit sequence.

A digraph refers to each successive pair of n-bit outputs of the cipher. A trigraph refers to three consecutive outputs of the cipher [15]. If the CSC-N cipher generates random outputs, then the probability of every single 2-bit output should be 1/4, and the joint probabilities for digraphs and trigraphs should be 1/16 and 1/64 respectively.

Detailed definitions are as follows:

single output probability deviation
F_1(i) = Prob(i) - 1/4, where i = 00, 01, 10 or 11

digraph probability deviation
F_2(i, j) = Prob(i, j) - 1/16, where i, j = 00, 01, 10 or 11

trigraph probability deviation
F_3(i, j, k) = Prob(i, j, k) - 1/64, where i, j, k = 00, 01, 10 or 11

Figures 5.7, 5.8 and 5.9 show the single, digraph and trigraph average output probability deviations, with error bars indicating the error range, for the CSC-2, CSC-3, CSC-4, CSC-5 and CSC-6 ciphers. The results in these figures are obtained from experiments. For each cipher, we randomly choose 10 keystream outputs and calculate their probability deviations. Then we calculate the average value and standard deviation of each of them. The average value is represented by an asterisk and the standard deviation by the error bar in the figures.

The probability deviations from 1/4, 1/16 and 1/64 are quite small. This confirms the output randomness of the cascaded stream cipher from another aspect. As the number of cascaded s-boxes grows, all three probability deviations tend to settle down. So we can expect a more random-looking output from a cascade with more s-boxes.
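The deviations F_1, F_2 and F_3 and the per-tuple mean and standard deviation across several keystreams, as an added example (not the thesis's code). It assumes the 2-bit outputs are supplied as integers 0 to 3 and that consecutive digraphs and trigraphs overlap, which the thesis does not state; it also adds a yardstick the thesis does not give, the standard deviation that sampling alone produces for an ideal uniform source, so that "quite small" can be judged against the sample size. The input streams are constructed, not cipher output:

```python
from collections import Counter
from itertools import product
from math import sqrt
from statistics import mean, pstdev

ALPHABET = (0, 1, 2, 3)  # the four possible 2-bit outputs 00, 01, 10, 11


def deviations(symbols, order):
    """F_order: for every tuple of `order` consecutive 2-bit outputs, the
    empirical probability minus the uniform value 4**-order (order 1, 2, 3
    give F1, F2, F3). Overlapping windows are counted (assumption)."""
    if order < 1 or len(symbols) < order:
        raise ValueError("need at least `order` symbols")
    if any(s not in ALPHABET for s in symbols):
        raise ValueError("symbols must be 2-bit values 0..3")
    windows = len(symbols) - order + 1
    counts = Counter(tuple(symbols[i:i + order]) for i in range(windows))
    uniform = 4.0 ** -order
    return {t: counts[t] / windows - uniform
            for t in product(ALPHABET, repeat=order)}


def max_abs_deviation(symbols, order):
    """Largest |F_order| over all tuples, one summary number per keystream."""
    return max(abs(d) for d in deviations(symbols, order).values())


def sampling_std(order, n):
    """Standard deviation expected from sampling alone for an ideal uniform
    source: sqrt(p(1-p)/n) with p = 4**-order. A deviation of this size is
    noise, not evidence of bias (yardstick added here, not in the thesis)."""
    p = 4.0 ** -order
    return sqrt(p * (1 - p) / n)


def average_over_keystreams(keystreams, order):
    """The thesis's aggregation: per tuple, the mean and standard deviation
    of F_order across several keystreams (the asterisk and the error bar)."""
    per_stream = [deviations(ks, order) for ks in keystreams]
    return {t: (mean([d[t] for d in per_stream]),
                pstdev([d[t] for d in per_stream]))
            for t in product(ALPHABET, repeat=order)}


# Constructed streams, not cipher output: one perfectly balanced but strongly
# patterned, one constant.
PATTERNED = [0, 1, 2, 3] * 250
CONSTANT = [0] * 1000

if __name__ == "__main__":
    for order in (1, 2, 3):
        print("order", order, "max |F| =", max_abs_deviation(PATTERNED, order),
              "sampling std =", sampling_std(order, len(PATTERNED)))
```

The patterned stream has F_1 = 0 for every symbol, so the single-output plot alone would call it ideal, while its digraph deviations are about 0.19 against a sampling standard deviation of roughly 0.008 for 1000 outputs. Comparing a measured deviation with sampling_std for the same n is the check that separates a real bias from the noise inherent in a finite sample.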
Figure 5.7: Single Output Probability Deviation (x-axis: number of cascaded s-boxes)

Figure 5.8: Digraph Probability Deviation (x-axis: number of cascaded s-boxes, 1 to 7; y-axis in log scale)

Figure 5.9: Trigraph Probability Deviation
Chapter 6
Conclusion

6.1 Summary and Discussion

As a high quality digital medium, DVD offers a picture with twice the resolution of traditional video tapes and has great market value. Copyright protection becomes one of the most critical issues in this application. A good copyright protection system will lead to the widespread use of this technology.

Essentially, the copyright protection system in the DVD application is a cryptosystem, thus it is worth doing research on it from a cryptographic viewpoint. This thesis serves such a purpose. It is a combination of research on cryptographic protocols and on the underlying cipher used in the DVD copyright protection scheme.

As an effective and formal method, Coloured Petri Nets are adopted for the specification and analysis of cryptographic protocols. Ambiguity is less likely to exist in a protocol modelled in Coloured Petri Nets. In this thesis, the DVD playback control protocol is modelled using the Coloured Petri Net Modeler (CPNM), a Java-based software tool developed and optimized by researchers at Queen's University [13, 14, 34]. Structural and intrinsic weaknesses are uncovered in the protocol and a revision is made.
The stream cipher in the DVD application is a weak cipher based on two LFSRs. The non-linear function used to combine these two LFSRs is just an 8-bit addition with a one-bit carry. Several cryptanalytic attacks on this cipher are reviewed. The key length is 40 bits, to meet the US export control rules at the time. However, its security strength does not even match the 40-bit key length. An s-box based stream cipher, such as RC4, would be a better solution. The RC4 stream cipher remains secure given the analysis available to date. Observations of the internal structure of RC4 are made and statistical tests of the RC4 output are conducted.

RC4 was a trade secret of RSA Security. Now it is made public. Motivated by the design concept of RC4, we propose a cascaded s-box stream cipher. Internal details of the cascaded s-box stream cipher are studied. Experiments are carried out on the CSC-2, CSC-3, CSC-4, CSC-5 and CSC-6 ciphers. Although its cycle lengths are not random, the cascaded stream cipher demonstrates good cryptographic properties. The keystreams have long cycles. Keys are distributed over the various keystream cycles in proportion to their lengths. The contents of each s-box are shuffled randomly. And the outputs also have good random features. It is usually hard to prove the security of a cipher. But all of our experimental results suggest that the cascaded s-box stream cipher develops more resistance to attacks as we increase the number of cells in the cascade.

The cascaded stream cipher offers good security scalability by cascading more s-boxes as needed. This is one advantage of the cascade cipher over RC4, because key lengths differ dramatically in the various versions of RC4.
6.2 Suggestions for Further Study

A few further aspects for study are as follows:

• Modelling and analyzing more protocols using the Coloured Petri Net Modeler
• Obtaining more results on cycle lengths in the CSC-6 cipher to determine the longest one in it
• Launching cryptanalysis on the cascaded s-box stream cipher, given all the information in this thesis, to test its security strength
• Investigating properties of other versions of the cascaded cipher, such as an N-cell cascade of 3-bit s-boxes
Bibliography

[1] Steve Babbage. Cryptanalysis of LILI-128, Internet document https://www.cosic.esat.kuleuven.ac.be/nessie/reports/ex~p3-001-2.pdf, January 2001.

[2] Alan E. Bell. The dynamic digital disk, IEEE Spectrum, October 1999.

[3] N. Behki. An Integrated Approach to Protocol Design. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1990.

[4] Jeffrey A. Bloom et al. Copy Protection for DVD Video, Proceedings of the IEEE, Vol. 87, No. 7, July 1999.

[5] C. Boyd and W. Mao. On a Limitation of BAN Logic, Advances in Cryptology - EUROCRYPT '93, Lecture Notes in Computer Science 765, Springer-Verlag, Berlin, pp. 240-247, 1993.

[6] M. Burrows, M. Abadi and R. Needham. A Logic of Authentication. ACM Trans. on Computer Systems, 8:18-36, 1990.

[7] E. Dawson et al. The LILI-128 Keystream Generator, Internet document https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions.html

[8] D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Communications of the ACM, 24(8):533-536, August 1981.

[9] W. Diffie and M. E. Hellman. Privacy and authentication: An introduction to cryptography. Proceedings of the IEEE, 67(3):397-427, 1979.

[10] D. Dolev and A. C. Yao. On the Security of Public Key Protocols. IEEE Transactions on Information Theory, IT-29(2):198-208, March 1983.
[11] E. M. Doyle. Automated Security Analysis of Cryptographic Protocols using Coloured Petri Net Specifications. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1996.

[12] E. M. Doyle, S. E. Tavares and H. Meijer. Automated Security Analysis of Cryptographic Protocols using Coloured Petri Net Specifications. Workshop on Selected Areas in Cryptography (SAC '95), May 18-19, 1995.

[13] K. Edwards. Cryptographic Protocol Specification and Analysis using Colored Petri Nets and Java. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1998.

[14] K. Edwards, S. E. Tavares and H. Meijer. A Java tool for specification and analysis of cryptographic protocols using coloured Petri Nets. 19th Biennial Symposium on Communications, pp. 403-407, Queen's University, Kingston, Ontario, May 1998.

[15] S. R. Fluhrer and D. A. McGrew. Statistical Analysis of the Alleged RC4 Keystream Generator, FSE 2000, April 2000, Springer-Verlag, LNCS Vol. 1978, 2001.

[16] K. Jensen. Coloured Petri Nets, volume 1, Springer-Verlag, Berlin, 1992.

[17] G-S Lee and J-S Lee. Petri Net based models for specification and analysis of cryptographic protocols. Journal of Systems and Software, 37:141-159, 1997.

[18] C. Meadows. The NRL Protocol Analyzer: An overview. J. Logic Programming, 26(2):113-131, February 1996.

[19] C. A. Meadows. Formal Verification of Cryptographic Protocols: A Survey. Advances in Cryptology - ASIACRYPT '94, Springer-Verlag, pp. 133-150, 1995.

[20] Alfred J. Menezes et al. Handbook of Applied Cryptography. CRC Press Inc., 1997.

[21] M. Merritt. Cryptographic Protocols. Ph.D. dissertation, Georgia Institute of Technology, February 1983.
[22] J. K. Millen, S. C. Clark and S. B. Freedman. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, SE-13(2):274-288, February 1987.

[23] S. Mister. Cryptanalysis of RC4-like Stream Ciphers. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1998.

[24] S. Mister and S. E. Tavares. Cryptanalysis of RC4-like Ciphers, Workshop on Selected Areas in Cryptography (SAC '98), Lecture Notes in Computer Science, Vol. 1556, Springer-Verlag, pp. 131-143, 1999.

[25] T. Murata. Petri nets: Properties, analysis and applications. Proc. of the IEEE, 77(4), April 1989.

[26] R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993-999, December 1978.

[27] D. M. Nessett. A critique of the Burrows, Abadi and Needham logic. Operating Systems Review, 24(2):35-38, April 1990.

[28] B. B. Nieh. Modelling and Analysis of Cryptographic Protocols using Petri Nets. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1992.

[29] B. B. Nieh and S. E. Tavares. Modelling and Analysis of Cryptographic Protocols using Petri Nets. Advances in Cryptology - AUSCRYPT '92, LNCS, Springer-Verlag, pp. 275-295, 1993.

[30] R. Rivest. The RC4 Encryption Algorithm, RSA Data Security, Inc., March 1992.

[31] R. A. Rueppel. Analysis and design of stream ciphers. Springer-Verlag, New York, 1986.

[32] P. B. Schneck. Persistent Access Control to Prevent Piracy of Digital Information. Proceedings of the IEEE, Vol. 87, No. 7, July 1999.

[33] B. Schneier. Applied Cryptography. John Wiley & Sons, Toronto, Canada, 2nd edition, 1996.

[34] Y. Sb=. Specification and Analysis of Internet Cryptographic Protocols Using a Petri Net Modeler. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1999.

[35] F. A. Stevenson. Cryptanalysis of Contents Scrambling System, Internet document http://www.lemuria.org/DeCSS/crypto.gq.nu/

[36] W. Zhao and S. E. Tavares. An Analysis of MSAT Security Protocols using Coloured Petri Nets. Technical report, Department of Electrical and Computer Engineering, Queen's University, April 1997.

[37] W. Zhao. Efficient Analysis of Cryptographic Protocols in Wireless Communication Systems. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1997.
Appendix A
CSS Cipher Analysis

A.1 Another Attack on the Keystream Generator

Notation in the keystream generator:
O1(1), O1(2), ...: output bytes of LFSR1
O2(1), O2(2), ...: output bytes of LFSR2
O(1), O(2), ...: output bytes of the keystream, where O(i) = O1(i) + O2(i) + c and c is the carry bit from O(i - 1)

Attack: known O(1), O(2), O(3), O(4), O(5)

1. Guess the initial state of LFSR1.
2. Generate the 5 output bytes O1(1), O1(2), O1(3), O1(4), O1(5) from LFSR1.
4. Generate O2(4), O2(5) from LFSR2 given O2(1), O2(2), O2(3). There are 2 possible sets of O2(4), O2(5) since we only have 3 bytes (24 bits) of output of LFSR2.
5. Compare O(5) with both candidates for O1(5) + O2(5) + c. If either one is equal, stop; otherwise repeat the above steps.

After this algorithm, the initial states or the user key can be easily obtained. The computational complexity is of the order of 2^k, where k is the number of state bits guessed in step 1.

The two attacks on the keystream generator belong to the ciphertext-only class. The one in Section 4.1.3 requires one more ciphertext byte, so it has half the complexity of this one.
A.2 Attack on the Encryption Function

Notation in the encryption function:
A(1), ..., A(5): 5 input plaintext bytes
k1, ..., k5: 5 keystream bytes from the keystream generator
B(1), ..., B(5): 5 intermediate bytes
C(1), ..., C(5): 5 output ciphertext bytes

There is a known-plaintext attack on it.

Attack:
Known: A(1), ..., A(5) and the associated C(1), ..., C(5)
1. Guess k5.
11. Compare C(1) with F(B(1)) ⊕ k1. If equal, we have the right k5 and can then deduce k4, ..., k1 easily. Otherwise repeat the above steps.

In this attack we only need to guess one byte of keystream. The recovered keystream bytes are then used by the ciphertext-only attacks on the keystream generator to get the user key and break the whole system.
Appendix B
More Key Spacing Distributions
In Chapter 5, key spacing data are only depicted for the longest cycles in the CSC-4 and CSC-5 ciphers. Key spacing data for more cycles in the CSC-4 cipher are obtained from experiments and are depicted as follows. All diagrams indicate a good match between the experimental results and the theoretical geometric distribution curves.
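As an added example (not the thesis's own code or data), the following Python script makes the relationship behind these diagrams explicit: for N keys on a cycle of length L the spacings sum to L, so the average spacing is L/N, and if the keys are spread uniformly along the cycle the spacing is close to geometric with p = N/L. The script recomputes the average key spacing printed in each figure from its caption values, then simulates uniformly placed keys (constructed data), bins the spacings into 50 bins as the figures do, and compares the histogram with the geometric expectation by a chi-square statistic. The bin width of 200 and the cap of 10000 are choices made here, not the thesis's.

```python
"""Key spacing along a cycle, as plotted in Appendix B.

Constructed example, not the thesis's code. A cycle of length L carries N keys;
the key spacing is the distance along the cycle between consecutive keys. If
the keys are scattered uniformly along the cycle, each spacing is approximately
geometric with success probability p = N / L, so the mean spacing is L / N and
the expected count per histogram bin follows from the geometric tail
P(X > k) = (1 - p)^k. The cycle lengths and key counts are read from the figure
captions; the simulated key positions are constructed data.
"""
import random


def mean_spacing(cycle_len, n_keys):
    """Spacings of N keys on a cycle of length L sum to L, so the mean is L / N."""
    return cycle_len / n_keys


def geometric_bin_expectations(cycle_len, n_keys, bins, max_spacing):
    """Expected number of spacings in each bin (b*w, (b+1)*w] under
    Geometric(p = N / L); w = max_spacing / bins must be an integer."""
    assert max_spacing % bins == 0
    p, w = n_keys / cycle_len, max_spacing // bins
    return [n_keys * ((1 - p) ** (b * w) - (1 - p) ** ((b + 1) * w))
            for b in range(bins)]


def simulate_spacings(cycle_len, n_keys, seed=1):
    """Place N distinct keys uniformly on a cycle of length L and return the N
    gaps between cyclically consecutive keys (constructed data)."""
    rng = random.Random(seed)
    pos = sorted(rng.sample(range(cycle_len), n_keys))
    gaps = [b - a for a, b in zip(pos, pos[1:])]
    gaps.append(cycle_len - pos[-1] + pos[0])   # wrap-around gap closes the cycle
    return gaps


def histogram(values, bins, max_value):
    """Counts per bin (b*w, (b+1)*w]; values above max_value land in the last bin."""
    assert max_value % bins == 0
    w = max_value // bins
    counts = [0] * bins
    for v in values:
        counts[min((v - 1) // w, bins - 1)] += 1
    return counts


def chi_square(observed, expected, min_expected=5):
    """Pearson statistic over the bins with enough expected mass to be meaningful."""
    return sum((o - e) ** 2 / e
               for o, e in zip(observed, expected) if e >= min_expected)


def compare(cycle_len, n_keys, bins=50, max_spacing=10000, seed=1):
    """Simulated mean spacing, observed and expected bin counts, chi-square."""
    gaps = simulate_spacings(cycle_len, n_keys, seed)
    observed = histogram(gaps, bins, max_spacing)
    expected = geometric_bin_expectations(cycle_len, n_keys, bins, max_spacing)
    return sum(gaps) / len(gaps), observed, expected, chi_square(observed, expected)


# cycle length and key count as printed in Figures B.1 to B.9
# (Figure B.8 does not state its key count and is omitted)
FIGURES = {
    "B.1": (29_162_808, 33280), "B.2": (22_010_768, 24531),
    "B.3": (16_691_752, 17284), "B.4": (11_034_576, 12745),
    "B.5": (9_996_000, 9246), "B.6": (9_878_400, 8112),
    "B.7": (8_192_800, 8285), "B.9": (7_247_100, 6893),
}

if __name__ == "__main__":
    for name, (L, N) in FIGURES.items():
        mean, obs, exp, chi2 = compare(L, N)
        print(f"{name}: L/N = {mean_spacing(L, N):.1f}, simulated mean = {mean:.1f}, "
              f"chi-square over bins with expected >= 5: {chi2:.1f}")
```

The recomputed L/N values agree with the average key spacing printed in every figure (876.3 for B.1, 1051.4 for B.9, and so on), which is a quick consistency check a reader can apply to such plots without the raw data.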
APPENDIX B. MORE KEY SPACING DISTRIBUTIONS
Total Keys: 33280
Total bins: 50
Max Key Spacing: 8088
Min Key Spacing: 4
Average Key Spacing: 876.3
Bins for Key Spacing
Figure B.1: Key Spacing Distribution in Cycle of Length 29,162,808 in CSC-4 Cipher
Total Keys: 24531
Total bins: 50
Max Key Spacing: 7820
Min Key Spacing: 4
Average Key Spacing: 897.3
Bins for Key Spacing
Figure B.2: Key Spacing Distribution in Cycle of Length 22,010,768 in CSC-4 Cipher
Total Keys: 17284
Total bins: 50
Max Key Spacing: 12640
Min Key Spacing: 4
Average Key Spacing: 965.7
Bins for Key Spacing
Figure B.3: Key Spacing Distribution in Cycle of Length 16,691,752 in CSC-4 Cipher
Total Keys: 12745
Total bins: 50
Max Key Spacing: 9244
Min Key Spacing: 4
Average Key Spacing: 865.8
Bins for Key Spacing
Figure B.4: Key Spacing Distribution in Cycle of Length 11,034,576 in CSC-4 Cipher
Total Keys: 9246
Total bins: 50
Max Key Spacing: 9608
Min Key Spacing: 4
Average Key Spacing: 1081.1
Bins for Key Spacing
Figure B.5: Key Spacing Distribution in Cycle of Length 9,996,000 in CSC-4 Cipher
Total Keys: 8112
Total bins: 50
Max Key Spacing: 1 Z7CM
Min Key Spacing: 4
Average Key Spacing: 1217.8
Bins for Key Spacing
Figure B.6: Key Spacing Distribution in Cycle of Length 9,878,400 in CSC-4 Cipher
Total Keys: 8285
Total bins: 50
Max Key Spacing: 8156
Min Key Spacing: 4
Average Key Spacing: 988.9
Bins for Key Spacing
Figure B.7: Key Spacing Distribution in Cycle of Length 8,192,800 in CSC-4 Cipher
Max Key Spacing: 10724
Min Key Spacing: 4
Average Key Spacing: 1095.4
Bins for Key Spacing
Figure B.8: Key Spacing Distribution in Cycle of Length 7,814,912 in CSC-4 Cipher
Total Keys: 6893
Total bins: 50
Max Key Spacing: 9204
Min Key Spacing: 4
Average Key Spacing: 1051.4
Bins for Key Spacing
Figure B.9: Key Spacing Distribution in Cycle of Length 7,247,100 in CSC-4 Cipher
Appendix C
Output Test Results
index 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015
Table C.l: Output Test Results for CSC-2 Cipher(1)
APPENDIX C. OUTPUT TEST RESULTS
n10 3980 4021 3985 4001 3988 4028 4064 4018 4019 4045 3977 3975 4022 3995 4047 3989 3982 3987 4045 3984 3996 4004 2027 4067 3989 3992 101 1 IO15 1973 1989 CO09 1978 1957 5987 LOO 1
n l l 4023 4035 3973 4077 4003 3955 3963 4045 4013 3963 4083 3989 3982 4012 3970 4078 4094 4092 3966 4094 4030 4103 4037 3916 2002 $079 $039 396 1 $047 3987 5986 108 l 1684 CO19 CO68
Table C.2: Output Test Results for CSC-2 Cipher(2)
index 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075
Table C.3: Output Test Results for CSC-2 Cipher(3)
index 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100
Table C.4: Output Test Results for CSC-2 Cipher(4)
index
n11 468 510 555 506 500 490 491 530 489 507 502 523 491 503 498 527 514 499 529 475 524 474 509 488 480
Table C.5: Output Test Results for CSC-3 Cipher(1)
index 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045
Table C.6: Output Test Results for CSC-3 Cipher(2)
index 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075
Table C.7: Output Test Results for CSC-3 Cipher(3)
index
076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100
n11 497 502 521 537 496 430 487 502 500 524 507 524 486 508 497 482 481 523 493 483 517 532 502 489 486
Table C.8: Output Test Results for CSC-3 Cipher(4)
index 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025
n11 4962 5101 4950 4954 4977 4968 4980 5045 5109 4969 4973 5063 5039 4935 4938 5036 4932 5043 5061 5105 4858 4907 5021 5214 4900
Table C.9: Output Test Results for CSC-4 Cipher(1)
index 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050
Table C.10: Output Test Results for CSC-4 Cipher(2)
index 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075
Table C.11: Output Test Results for CSC-4 Cipher(3)
index 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100
n11 5030 4975 4890 4903 4893 4945 4958 4894 4950 5057 5005 5053 4901 4948 4911 4844 4922 5024 4986 5071 5009 4943 5054 5105 5022
Table C.12: Output Test Results for CSC-4 Cipher(4)
index 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025
n11 50122 49907 50128 50114 49687 50165 50043 49874 49945 50179 49748 50209 49853 49989 49911 50269 50337 49867 49688 49779 49944 49716 50081 49883 50192
Table C.13: Output Test Results for CSC-5 Cipher(1)
index 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050
n11 50064 49613 50331 49980 49748 50434 49947 49820 50489 49987 49891 49850 50377 49970 49992 50302 50105 4973 t 49935 49796 49948 50165 49895 50378 49817
Table C.14: Output Test Results for CSC-5 Cipher(2)
index 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075
Table C.15: Output Test Results for CSC-5 Cipher(3)
index 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100
n11 49826 50190 49619 49609 49831 50051 50339 50106 50031 50072 49939 50049 49708 50194 50154 49821 49797 50061 50411 50306 49981 50157 50403 50024 50608
Table C.16: Output Test Results for CSC-5 Cipher(4)
index 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025
Table C.17: Output Test Results for CSC-6 Cipher(1)
index 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050
Table C.18: Output Test Results for CSC-6 Cipher(2)
index 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075
n11 1999158 1999932 2002016 2000471 1997879 1998639 1999485 2002553 2001490 1997603 1998271 1999070 2001249 1999253 1998209 2001408 2000327 1998407 1999760 1996585 2001217 1998619 1997912 1999783 2996429
Table C.19: Output Test Results for CSC-6 Cipher(3)
index
076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100
n11 2000635 2000168 2001944 2000254 1997630 2000495 1999297 1996944 1999777 1998323 2999356 1999791 2002516 2004322 1999399 2000998 1999699 2001857 2001277 1999268 2001007 2000660 2001569 1999761 1999429
Table C.20: Output Test Results for CSC-6 Cipher(4)
Appendix D
Probabilities for Right Pointer in RC4-3
In Chapter 4, probabilities for the right pointer j in the longest cycle of the RC4-3 cipher are listed. Similar probabilities for j in all the remaining cycles of RC4-3 are listed as follows.
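The following Python program is an added example, not the thesis's code, showing how probabilities of this kind are obtained: it runs the RC4 keystream generator on a permutation of 2^n elements (n = 3 for RC4-3), walks the cycle through a given start state until it closes, and tallies the right pointer j, both as P(j) and as the probability of three equal consecutive values, the two kinds of rows the tables contain. The state model (S, i, j), the step i = i + 1, j = j + S[i], swap S[i] and S[j], and the start state (the identity permutation with i = j = 0) are assumptions made here; the script does not claim to reproduce the particular cycles listed in the tables, since the thesis's exact state model is not stated in this appendix.

```python
"""Cycle structure and right-pointer statistics of a reduced RC4.

Constructed example, not the thesis's code. "RC4-n" here means the RC4
keystream generator (PRGA) run on a permutation of 2^n elements with n-bit
pointers, so n = 3 gives the 8-element RC4-3 of Appendix D. The state is
(S, i, j) and one step is i = i + 1, j = j + S[i] (mod 2^n), swap S[i] and
S[j]. That step is a bijection on the finite state space, so every state lies
on a cycle; walking the cycle from any state and tallying j gives P(j), and
counting runs of three equal consecutive values gives P(j, j, j) as in the
tables. That the thesis models the state and step this way is an assumption.
"""
from collections import Counter


def rc4n_step(S, i, j, n):
    """One PRGA step on a 2^n-element permutation S with n-bit pointers."""
    mask = (1 << n) - 1
    i = (i + 1) & mask
    j = (j + S[i]) & mask
    S = list(S)
    S[i], S[j] = S[j], S[i]
    return tuple(S), i, j


def walk_cycle(S0, i0=0, j0=0, n=3):
    """Values of j produced along the cycle through (S0, i0, j0), in order.
    The walk always terminates because the step is invertible, so the start
    state is the first state to repeat."""
    start = (tuple(S0), i0, j0)
    js, state = [], start
    while True:
        state = rc4n_step(*state, n)
        js.append(state[2])
        if state == start:
            return js


def j_probabilities(js, n=3):
    """P(j = v) over one full cycle, for every v in 0 .. 2^n - 1."""
    counts = Counter(js)
    return {v: counts[v] / len(js) for v in range(1 << n)}


def triple_probabilities(js, n=3):
    """P(j_t = j_{t+1} = j_{t+2} = v) over the cycle (wrapping around its end).
    Under independent uniform j this would be 2^(-3n) for every v; deviations
    are the kind of bias the tables record."""
    L, counts = len(js), Counter()
    for t in range(L):
        if js[t] == js[(t + 1) % L] == js[(t + 2) % L]:
            counts[js[t]] += 1
    return {v: counts[v] / L for v in range(1 << n)}


def cycle_report(S0, i0=0, j0=0, n=3):
    """Cycle length, P(j) and P(j, j, j) for the cycle through the start state."""
    js = walk_cycle(S0, i0, j0, n)
    return len(js), j_probabilities(js, n), triple_probabilities(js, n)


if __name__ == "__main__":
    # start from the identity permutation with i = j = 0 (constructed start state)
    length, pj, pjjj = cycle_report(list(range(8)))
    print(f"cycle length = {length}")
    for v in range(8):
        print(f"P({v:03b}) = {pj[v]:.6f}   "
              f"P({v:03b},{v:03b},{v:03b}) = {pjjj[v]:.6f}")
```

Because i advances by one each step, every cycle length is a multiple of 2^n, and the probabilities are exact counts divided by the cycle length; this is why the table entries multiplied by the cycle length come out as integers.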
APPENDIX D. PROBABILITIES FOR RIGHT POINTER IN RC4-3
Table D.1: Probabilities for j in RC4-3 (Cycle Length = 322,120)
Table D.2: Probabilities for j in RC4-3 (Cycle Length = 53,000)
Table D.3: Probabilities for j in RC4-3 (Cycle Length = 44,264)
Table D.4: Probabilities for j in RC4-3 (Cycle Length = 29,032)
Table D.5: Probabilities for j in RC4-3 (Cycle Length = 9,624)
Table D.6: Probabilities for j in RC4-3 (Cycle Length = 9,432)
Table D.7: Probabilities for j in RC4-3 (Cycle Length = 4,696)
P(000) = 0.123722  P(100) = 0.132453
P(001) = 0.125852  P(101) = 0.132453
P(010) = 0.125213  P(110) = 0.120102
P(011) = 0.116482  P(111) = 0.123722
P(000,000,000) = 0.001491  P(010,010,010) = 0.001704  P(100,100,100) = 0.001704  P(110,110,110) = 0.001278
P(001,001,001) = 0.001491  P(011,011,011) = 0.001065  P(101,101,101) = 0.004259  P(111,111,111) = 0.001917
Table D.8: Probabilities for j in RC4-3 (Cycle Length = 3,008)
Table D.9: Probabilities for j in RC4-3 (Cycle Length = 648)
Table D.10: Probabilities for j in RC4-3 (Cycle Length = 472)
Table D.11: Probabilities for j in RC4-3 (Cycle Length = 466)
Table D.12: Probabilities for j in RC4-3 (Cycle Length = 264)
Table D.13: Probabilities for j in RC4-3 (Cycle Length = 120)
Table D.14: Probabilities for j in RC4-3 (Cycle Length = 24)