A New Stream Cipher for Secure Digital Media Distribution, by Lin Gan. A thesis submitted to the Department of Electrical and Computer Engineering in conformity with the requirements for the degree of Master of Science (Engineering), Queen's University, Kingston, Ontario, Canada, November, 2001. Copyright © Lin Gan, 2001.


A New Stream Cipher for

Secure Digital Media Distribution

by

Lin Gan

A thesis submitted to the Department of Electrical and Computer

Engineering in conformity with the requirements for the degree of

Master of Science (Engineering)

Queen's University

Kingston, Ontario, Canada

November, 2001

Copyright © Lin Gan, 2001

National Library of Canada, Acquisitions and Bibliographic Services

The author has granted a non-exclusive licence allowing the National Library of Canada to reproduce, loan, distribute or sell copies of this thesis in microform, paper or electronic formats.

The author retains ownership of the copyright in this thesis. Neither the thesis nor substantial extracts from it may be printed or otherwise reproduced without the author's permission.

Abstract

In the 21st century, many valuable materials such as music and movies are stored in various forms of digital media and delivered over the Internet. To prevent these copyrighted materials from illegal duplication, copyright protection technologies have to be employed. An effective copyright protection technology will reduce the risk of large revenue loss in the industries concerned.

DVD, or Digital Video Disk, represents a quality digital medium with great market value. The copyright protection system used in DVD applications is essentially a cryptosystem. A cryptosystem is comprised of two parts: a set of cryptographic protocols and underlying ciphers. In this thesis, research is carried out on both parts of the cryptosystem.

We use a formal method called Coloured Petri Nets to model and analyze the cryptographic protocol in DVD. The Petri Nets modeling of the protocol offers graphical representations and achieves a certain degree of formalization of it. A weakness is found and remedial suggestions are made. The stream cipher in DVD applications consists of two linear feedback shift registers (LFSRs) with a non-linear combining function. In general, LFSR based stream ciphers are vulnerable to various versions of the correlation attack. A substitution box (s-box) based stream cipher can offer a more secure solution. Inspired by the design concept of the RC4 stream cipher, we propose a new family of stream ciphers that makes use of a cascade of small s-boxes. Cycle structures and output statistical properties of the cascaded s-box ciphers are studied in this thesis. Our experimental results give the indication that the cascaded s-box stream cipher develops more resistance to attacks as we increase the number of cells in the cascade.

Acknowledgements

Foremost, I would like to thank my supervisors, Dr. S.E. Tavares and Dr. S..?. Simmons, for their continuous support and guidance throughout this project.

Special thanks to my wife Qian Tang, for her endless encouragement and patience. To my colleagues, friends and parents, I would like to express my gratitude for your efforts in helping me complete this work.

For financial assistance, I acknowledge the School of Graduate Studies and Research of Queen's University, the Department of Electrical and Computer Engineering and CITO.

Contents

Abstract
Acknowledgements
Contents
List of Tables
List of Figures

1 Introduction
1.1 General Overview and Motivation
1.2 Cryptosystems
1.2.1 Cryptographic Algorithms
1.2.2 Cryptographic Protocols
1.3 Thesis Outline

2 Literature Review
2.1 Protocol Analysis
2.2 Petri Nets
2.2.1 Graphical Representations of Coloured Petri Nets
2.2.2 Formal Definition of Coloured Petri Nets
2.2.3 Properties of Coloured Petri Nets
2.3 Stream Ciphers
2.3.1 LFSR Based Stream Ciphers
2.3.2 RC4 Stream Cipher

3 CPN Based Analysis of the DVD Protocol
3.1 An Overview of the DVD Copyright Protection Scheme
3.2 Petri Net Modeling of the DVD Playback Control Protocol
3.2.1 Coloured Petri Net Modeler
3.2.2 DVD Playback Control Protocol Modeling
3.3 Weakness and Improvement in the DVD Protocol

4 Analysis of DVD Stream Cipher
4.1 The Underlying Cipher in the DVD System
4.1.1 Keystream Generator
4.1.2 Encryption/Decryption Function
4.1.3 Cryptanalysis of Keystream Generator
4.2 RC4 Observations
4.3 RC4 Outputs Analysis

5 A New Cascaded S-Box Stream Cipher
5.1 The General Cascaded S-Box Stream Cipher
5.2 Keystream Cycle Structure of the Cascaded Cipher
5.2.1 Cycles in the Cascaded S-Box Stream Cipher
5.2.2 Property of Cascaded S-Box Stream Ciphers
5.2.3 Upper Bound of the Cycle Length
5.2.4 Decomposition of Cycles
5.2.5 Typical Key Lengths for the Stream Cipher
5.3 Key Spacing Distribution in Cascaded Ciphers
5.4 Statistical Analysis of the Output of Cascaded Ciphers
5.4.1 Frequency Test (one-bit test)
5.4.2 Serial Test (two-bit test)
5.4.3 Test Results for Cascaded Stream Ciphers
5.4.4 Output Probability Deviation

6 Conclusion
6.1 Summary and Discussion
6.2 Suggestions for Further Study

Bibliography

Appendices
A CSS Cipher Analysis
A.1 Another Attack on the Keystream Generator
A.2 Attack on the Encryption Function
B More Key Spacing Distributions
C Output Test Results
D Probabilities for Right Pointer in RC4-3

Vita

List of Tables

2.1 Typical Interpretations of Places and Transitions
2.2 Nominal and Effective Key Sizes for RC4-n
2.3 Possible Periods for RC4 with Word Length 2 and 3
4.1 Probabilities for j in RC4-3 (Cycle Length = 955,496)
4.2 Output Conditional Probabilities P(O(i+1)/O(i)) for Cycle Length 164
4.3 Output Conditional Probabilities P(O(i+1)/O(i)) for Cycle Length 196
Cycle Lengths for CSGS Stream Cipher
Cycle Lengths for CSC-3 Stream Cipher (1)
Cycle Lengths for CSC-3 Stream Cipher (2)
Cycle Lengths for CSC-4 Stream Cipher (1)
Cycle Lengths for CSC-4 Stream Cipher (2)
Cycle Lengths for CSC-4 Stream Cipher (3)
Cycle Lengths for CSC-5 Stream Cipher (1)
Cycle Lengths for CSC-5 Stream Cipher (2)
5.9 Observed Longest Cycle Lengths for CSCG Stream Cipher
5.10 Output Statistical Test Results for Cascaded Ciphers
C.1 Output Test Results for CSC-2 Cipher (1)
C.2 Output Test Results for CSC-2 Cipher (2)
C.3 Output Test Results for CSC-2 Cipher (3)
C.4 Output Test Results for CSC-2 Cipher (4)
C.5 Output Test Results for CSC-3 Cipher (1)
C.6 Output Test Results for CSC-3 Cipher (2)
C.7 Output Test Results for CSC-3 Cipher (3)
C.8 Output Test Results for CSC-3 Cipher (4)
C.9 Output Test Results for CSC-4 Cipher (1)
C.10 Output Test Results for CSC-4 Cipher (2)
C.11 Output Test Results for CSC-4 Cipher (3)
C.12 Output Test Results for CSC-4 Cipher (4)
C.13 Output Test Results for CSC-5 Cipher (1)
C.14 Output Test Results for CSC-5 Cipher (2)
C.15 Output Test Results for CSC-5 Cipher (3)
C.16 Output Test Results for CSC-5 Cipher (4)
C.17 Output Test Results for CSC-6 Cipher (1)
C.18 Output Test Results for CSC-6 Cipher (2)
C.19 Output Test Results for CSC-6 Cipher (3)
C.20 Output Test Results for CSC-6 Cipher (4)
D.1 Probabilities for j in RC4-3 (Cycle Length = 322,120)
D.2 Probabilities for j in RC4-3 (Cycle Length = 53,000)
D.3 Probabilities for j in RC4-3 (Cycle Length = 44,264)
D.4 Probabilities for j in RC4-3 (Cycle Length = 29,032)
D.5 Probabilities for j in RC4-3 (Cycle Length = 9,624)
D.6 Probabilities for j in RC4-3 (Cycle Length = 9,432)
D.7 Probabilities for j in RC4-3 (Cycle Length = 4,696)
D.8 Probabilities for j in RC4-3 (Cycle Length = 3,008)
D.9 Probabilities for j in RC4-3 (Cycle Length = 648)
D.10 Probabilities for j in RC4-3 (Cycle Length = 472)
D.11 Probabilities for j in RC4-3 (Cycle Length = 456)
D.12 Probabilities for j in RC4-3 (Cycle Length = 264)
D.13 Probabilities for j in RC4-3 (Cycle Length = 120)
D.14 Probabilities for j in RC4-3 (Cycle Length = 24)

List of Figures

2.1 A Simple Petri Net Diagram
2.2 A Sample LFSR Based Stream Cipher
3.1 An Entity Level Petri Net Model of the DVD Protocol
3.2 A Functional Level Petri Net Model of the DVD Protocol
3.3 A Revised Petri Net Model of the DVD Protocol
4.1 Keystream Generator in DVD Stream Cipher
4.2 Encryption/Decryption Function in DVD Stream Cipher
4.3 The RC4-n Stream Cipher
5.1 A Cascaded S-Box Stream Cipher
5.2 Cumulative Frequency (CF) of Occurrence versus Cycle Length
5.3 RC4-3 vs. CSC-3 Cipher
5.4 Number of Keys vs. Cycle Lengths
5.5 Key Spacing Distribution in Cycle of Length 29,950,992 in CSC-4 Cipher
5.6 Key Spacing in Cycle of Length 11430,699, 920 in CSC-5 Cipher
5.7 Single Output Probability Deviation
5.8 Digraph Probability Deviation
5.9 Trigraph Probability Deviation
B.1 Key Spacing Distribution in Cycle of Length 29,162,808 in CSC-4 Cipher
B.2 Key Spacing Distribution in Cycle of Length 22,010,768 in CSC-4 Cipher
B.3 Key Spacing Distribution in Cycle of Length 16,691,752 in C S W Cipher
B.4 Key Spacing Distribution in Cycle of Length 11,034,576 in CSC-4 Cipher
B.5 Key Spacing Distribution in Cycle of Length 9,996,000 in CSC-4 Cipher
B.6 Key Spacing Distribution in Cycle of Length 9,878,400 in CSC-4 Cipher
B.7 Key Spacing Distribution in Cycle of Length 5,192,800 in CSC-4 Cipher
B.8 Key Spacing Distribution in Cycle of Length 7,814,912 in CSC-4 Cipher
B.9 Key Spacing Distribution in Cycle of Length 7,247,100 in CSC-4 Cipher

Chapter 1

Introduction

1.1 General Overview and Motivation

Growing in the past few years, the Internet has become the carrier of contemporary electronic commerce. Today, digitized materials such as movies, music, and computer games are distributed over the Internet. From source to destination, these materials are exposed to potential risks of being copied. Unlike copying materials in analog forms, digital copying introduces no degradation. Copies possess the same quality as their original digital counterparts. To keep copyrighted materials from illegal duplication and thus protect intellectual property, copyright protection technologies should be employed.

Digital Video Disk, or DVD, is such an example. DVD offers not only higher video/audio quality over traditional video tapes but also high storage capacity (4.7 GB per side). According to [2], DVD is such a successful consumer electronic product that more than three million DVD players and 25 million disks were shipped in the United States in just over two years. Copyright protection schemes for DVD applications involve business interests of three different industries: video content owners such as Hollywood Studios, consumer electronic manufacturers and computer makers. Several proposals for DVD copyright protection have come into place. They include Content Scrambling System (CSS), Analog Protection System (APS), Copy Generation Management System (CGMS), SC, media identifier and Watermarking [4]. The CSS scheme is reviewed and analyzed in this thesis.

In these copyright protection schemes, cryptography plays an important role. The famous cryptographers Diffie and Hellman have defined cryptography as "the use of transformations of data intended to make the data useless to one's opponents" [9]. This thesis aims to study the Content Scrambling System (CSS) in DVD applications from a cryptographic point of view.

1.2 Cryptosystems

Aside from water-marking technology, many copyright protection schemes make use of cryptosystems. A cryptosystem is a general term referring to a set of cryptographic primitives used to provide information security services [20]. In many security applications, a cryptosystem serves as the fundamental building block of the whole system.

Confidentiality and authentication are two major services provided by a cryptosystem. Confidentiality ensures the secrecy of messages so that they are unintelligible to potential intruders. Authentication safeguards the integrity of messages. Without authentication, recipients cannot ascertain the origin of the messages. Nor can they verify that the messages have not been modified in transit.

There are two parts in a cryptosystem: cryptographic algorithms and the cryptographic protocols that employ those algorithms.

1.2.1 Cryptographic Algorithms

A cryptographic algorithm, also called a cipher, is a mathematical function used for encryption and decryption. Early cryptographic algorithms maintained security by concealing the mathematical details of the algorithms. Such algorithms could not be published as industrial standards and thus could not be widely implemented. In modern cryptography, the algorithms are published so that they can undergo public cryptanalysis and can be widely deployed to enable secure applications to inter-operate. In well-designed ciphers, all security relies on the key, so that any cryptanalysis against the algorithm is equivalent to an exhaustive key search, i.e., a brute-force attack.

There are two types of cryptographic algorithms in terms of keys: symmetric algorithms and public key algorithms. Symmetric algorithms, also called private key algorithms, are algorithms where the decryption key can be easily calculated from the encryption key and vice versa. Both keys should be kept secret. In most symmetric algorithms, the two keys are identical. In public key algorithms, by contrast, the encryption key is made public: anyone can use it to encrypt a message, but only the party with the corresponding decryption key can decrypt the message, and it is computationally infeasible to calculate the decryption key from the encryption key. The encryption key is often called the public key, and public key algorithms are also named asymmetric algorithms. In general, symmetric algorithms are faster while asymmetric algorithms offer simpler key management schemes and enable digital signatures. Private key algorithms such as DES, RC4 and CAST are widely used in practice. RSA is the most widely used public key algorithm.

Ciphers can also be classified based on the amount of data being processed each time. A block cipher encrypts or decrypts data in large blocks (e.g., 64 bits or more). A stream cipher operates on data in small blocks at a time. Traditional stream ciphers like the one-time pad process data bit by bit. Now there are stream ciphers that operate on 8 bits of data each time. Such a stream cipher can be conveniently implemented in software. Both stream ciphers and block ciphers could be private key or public key ciphers.

1.2.2 Cryptographic Protocols

A cryptographic protocol is a series of steps, involving two or more communicating parties, designed to achieve some security goals [33]. The execution of a cryptographic protocol typically involves the sequential exchange of 3 to 5 messages between two or more parties. The messages may contain identification, key or time stamp information, etc. They are either in ciphertext or plaintext form. The design of a cryptographic protocol builds on some cryptographic algorithms.

Cryptographic protocols have various security objectives. Authentication and key exchange protocols represent an important category of cryptographic protocols. Communicating parties use these protocols to authenticate themselves to one another and exchange a pair of secret keys between them; the exchanged key is then used as the session key in secure communications.

Although a cryptographic protocol seems relatively simple, it can actually be quite complex, because many scenarios could exist in a protocol. Choosing suitable methods to model and analyze a cryptographic protocol under these scenarios is important. A lot of research has been done in this area and more is under development.

It is ambiguous to use informal methods such as descriptive language in protocol specification and analysis. Formal methods are more effective. A formal method is a specification language with a firm mathematical semantics and the associated development notion. Formal methods attempt to provide mathematical underpinning for the design and analysis of various systems. State machines [22, 18], BAN logic [6], Algebra [21] and Coloured Petri Nets [13, 37, 34] are examples of formal methods.

1.3 Thesis Outline

This thesis is organized as follows. Chapter 2 contains a literature review summarizing two types of stream ciphers and formal methods for cryptographic protocol analysis. LFSR based stream ciphers and the s-box based RC4 stream cipher are reviewed and relevant research results to date on them are included. Theories of several formal methods are introduced and emphasis is put on a method called Coloured Petri Nets (CPNs).

A two-level modeling of a DVD playback control protocol using CPNs is conducted in Chapter 3. Entity level modeling gives readers an overview of the protocol. Functional level modeling reveals details of each entity and their interactions. Weaknesses are uncovered in the protocol and a revision is proposed in this chapter.

Chapter 4 deals with stream cipher analysis. The underlying LFSR based stream cipher in the DVD copyright protection scheme is analyzed in detail. The cipher is vulnerable to different versions of the correlation attack. As a comparison, statistical analysis is conducted on the s-box based RC4 stream cipher.

Chapter 5 introduces a new family of cascaded s-box stream ciphers. The structure of the cascaded s-box stream cipher is specified. Some important properties such as keystream cycle structures, key spacing distribution and output randomness properties are studied in depth in this chapter.

Some closing remarks, a summary of this thesis, and possible further study are presented in Chapter 6.

Chapter 2

Literature Review

2.1 Protocol Analysis

Cryptographic protocols are designed to achieve specific security objectives such as data integrity, confidentiality and authenticity, etc. However, achieving such security objectives has proven not to be an easy task. Some protocols have been in the public domain for several years before their flaws were disclosed [8, 26]. Formal methods have been developed to address the security concerns of cryptographic protocols. In this section, research work on several formal methods is briefly reviewed. Such formal methods include algebraic methods, logic models, state machines and Petri Nets.

Basically there are two steps in a protocol analysis process. The first step is modeling the protocol, where communicating parties and their exchanged messages are modeled. The second step is manipulating and analyzing these protocol models based on theoretical methods.

Dolev and Yao [10] are pioneers who used an algebraic method to prove the security of certain classes of protocols. In modeling a protocol, messages are transformed into words and how to manipulate the words is defined as term-rewriting rules. Following such rules, an intruder manipulates the words and tries to obtain the secret. Flaws may exist in the protocol if the intruder has successfully gained access to the secret. This approach is restricted to analyzing those cryptographic protocols providing message encryption. Another disadvantage is its inefficient storage of state information [19].

The Interrogator [22] and the Navy Research Laboratory (NRL) Protocol Analyzer [18] are representatives of the state machine approach. They are both computer expert systems developed in the Prolog language. In the Interrogator, each entity in a protocol is modeled as a finite state machine. Given a target data item, the Interrogator would output a message history that indicates a path or method an intruder used to obtain the target data. The NRL Protocol Analyzer is an interactive program. First, the user specifies the conditions for some undesirable state for a protocol. Then the NRL Protocol Analyzer performs a backward search to determine whether the state can be reached from a certain initial state. The NRL Protocol Analyzer is an extension to Dolev and Yao's term-rewriting model.

BAN logic [6], developed by Burrows, Abadi and Needham, is a well-known logic model for protocol analysis. BAN logic concentrates on the beliefs of trustworthy parties involved in the protocols and on the evolution of these beliefs [6]. Based on the beliefs, a protocol and its security objectives are mapped into a set of logical assertions. The logical assertions are then analyzed using formally defined inference rules to determine whether the objectives are derivable. BAN logic is most widely used in analyzing authentication protocols. More discussions about the use of BAN logic are in [5].

Although a protocol designer can prove that a cryptographic protocol is resistant to a set of attacks, Meadows stipulates that it is unlikely that any formal method will be able to model all aspects of a cryptographic protocol, and thus it is unlikely that any formal method will detect or prevent all types of protocol flaws [19].

2.2 Petri Nets

In addition to their complexity, formal analysis methods discussed above do not have graphical representations. In general, graphical description can make the specification of protocols more readable and unambiguous.

Petri Nets are a formal graphical and mathematical modeling tool that was invented by Carl Adam Petri in 1962. Petri Nets are a promising tool for specifying and analyzing systems characterized as being concurrent, asynchronous, distributed or parallel. As a graphical tool, Petri Nets can be used as a visual-communication aid similar to flow charts or block diagrams. As a mathematical tool, they make it possible to set up state equations, algebraic equations, and other mathematical models governing the behavior of systems. Petri Nets represent a broader range of systems than finite state machines (FSM).

Researchers at Queen's University have made a lot of contributions in analyzing cryptographic protocols using Petri Nets. Behki and Tavares [3] applied Petri Nets to model cryptographic protocols for the first time. Their work integrated Petri Nets, LOTOS and a programming language into one model. Nieh and Tavares formalized a method of protocol specification and analysis using a certain type of Petri Nets called Coloured Petri Nets [28, 29]. There are three levels in specifying a protocol: entity, conceptual and functional level descriptions. An intruder is also modeled to simulate various attacking scenarios. The analyzing process was done manually. The process was later automated using Prolog by Doyle, Tavares and Meijer [11, 12]. Zhao and Tavares implemented the stubborn set method to optimize the state searching speed [36, 37]. Edwards, Tavares and Meijer integrated the Petri Nets based method into a Java program with a friendly graphical user interface (GUI) [13, 14].

Timing information is introduced in Petri Nets and a new type of Petri Nets called Cryptographic Timed Petri Nets (CTPN) is presented in [17]. It is a different approach to that of Queen's University.

2.2.1 Graphical Representations of Coloured Petri Nets

A Coloured Petri Net (CPN) consists of places, transitions and directed arcs that connect them. Places may contain tokens. These CPN components have the relevant graphical representations as follows:

• a circle: to represent a place

• a rectangular box: to represent a transition

• a directed arc: to connect a place and a transition

• a coloured dot in circle: to represent a certain type of token in a place

In CPN modeling, the current state of the modeled system, or the marking, is given by the number and colour of tokens in each place. Transitions are active components. They simulate activities that can occur and thus change the state of the system (the marking of the CPN). An input place is a place with an arc directed to a transition and an output place is a place to which an arc is directed from a transition. A place could be both an input and an output place. A transition is enabled when each of its input places has one or more tokens with appropriate colours. An enabled transition may fire and then tokens will move from input places to output places according to the regulations called transition firing rules.

Figure 2.1 is a simple illustration of a Petri Net diagram. Murata [25] gives practical interpretations of places and transitions summarized in Table 2.1 [13].

2.2.2 Formal Definition of Coloured Petri Nets

In [13], a CPN is formally defined as a 6-tuple: $CPN = \{P, T, A, C, M_0, F\}$ where:

• $P$ is a finite set of places

• $T$ is a finite set of transitions

• $A$ is a finite set of arcs such that $P \cap T = P \cap A = T \cap A = \emptyset$ and $A \subseteq (P \times T) \cup (T \times P)$

• $C$ is a finite set of colours

• $M_0$ is an initial state, also called initial marking of the CPN, represented by the distribution of coloured tokens across all places

• $F$ is a finite set of transition firing rules

[Figure 2.1: A Simple Petri Net Diagram (labels: Input Place, Token, Input Arc, Transition, Output Arc)]

Input Places        Transitions        Output Places
Pre-Conditions      Event              Post-Conditions
Input Data          Computation Step   Output Data
Input Signals       Signal Processor   Output Signals
Resources Needed    Task               Resources Released
Conditions          Clause in Logic    Conclusion(s)
Buffers             Processor          Buffers

Table 2.1: Typical Interpretations of Places and Transitions

This definition is a variation to that in [16]. Finite sets of places, transitions and

arcs are pairwise disjoint. A is a subset of the union of two Cartesian product sets of

P and T.

2.2.3 Properties of Coloured Petri Nets

Petri Nets have two types of properties: behavioral and structural properties [25]. Structural properties are the intrinsic properties that don't depend on an initial marking. Behavioral properties depend on initial markings. Structural properties are not covered in this thesis. Three behavioral properties are reviewed as follows:

Boundedness

A place in a Petri Net is k-bounded if the number of tokens in it is $\le k$ after any sequence of transition firings. A Petri Net is bounded if all its places are bounded. If the Petri Net model of a protocol is bounded, it ensures that resources needed in the protocol such as buffers are finite.

Liveness

A transition is live if for any firing sequence of the Petri Net, there always exists another sequence to make it fire again. A Petri Net is live if all its transitions are live. The liveness property aims to check if the protocol modeled in Petri Nets will fall into deadlock under any operating conditions.

Reachability

A marking (state) of a Petri Net is said to be reachable from another if there is at least one firing sequence between them. This property is very useful in protocol analysis. Reachability of an undesirable or insecure state suggests protocols have potential flaws or weaknesses.

2.3 Stream Ciphers

A secure cryptosystem requires not only secure protocols but also secure underlying ciphers. Stream ciphers are an important class of ciphers. In general, stream ciphers are faster than block ciphers in hardware and have less complex hardware circuitry. In some applications where buffer space is limited, stream ciphers could be mandatory. Another advantage of stream ciphers is that they have no error propagation. Two types of stream ciphers are classified: synchronous and asynchronous stream ciphers. In a synchronous stream cipher, the keystream is independent of the plaintext and the ciphertext so that the sender and recipient keystream generators have to be synchronized. On the other hand, in an asynchronous stream cipher, the keystream is generated as a function of the key and a fixed number of previous ciphertext bits. Emphasis is put on synchronous stream ciphers in this thesis.

2.3.1 LFSR Based Stream Ciphers

Many designs of stream ciphers make use of Linear Feedback Shift Registers (LFSRs). An LFSR is a bit shift register with a linear feedback function. The feedback function is an XOR operation of certain bits in the shift register. At each clock tick, an LFSR generates 1 bit output and the result of the XOR function is fed into the LFSR from the other end. LFSRs can generate very long cycles with good randomness properties. The list of feedback bits is called a tap sequence. If the polynomial formed from the tap sequence of an LFSR plus 1 is primitive over GF(2), the output sequence of the LFSR will have the maximum period $2^n - 1$ [33]. $n$, also called the degree of an LFSR, is the bit length of the LFSR. The maximum period is $2^n - 1$ rather than $2^n$ because a shift register filled with all zeros will make the LFSR output useless all-zero streams. A lot of work on LFSR based stream ciphers is presented in [31]. The popularity of using LFSRs in stream cipher design comes from the following facts:

1. LFSR based stream ciphers are well studied.

2. LFSRs can be easily implemented in hardware.

A general structure of LFSR based stream ciphers is in Figure 2.2 [23]. Outputs of several LFSRs are connected to a nonlinear combiner. To prevent the direct application of a cryptanalysis algorithm called Berlekamp-Massey algorithm [20], the nonlinear combiner is used to shuffle the outputs of the LFSRs. The initial states of LFSRs are set according to a user key. The keystream bit, $k_i$, comes from the nonlinear combiner and is XORed with a plaintext bit, $p_i$, to generate a ciphertext bit, $c_i$.

Figure 2.2: A Sample LFSR Based Stream Cipher
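The period and linearity claims above can be checked on small registers. This is an added example, not code from the thesis: the tap convention (feedback is the XOR of the listed state positions, output is position 0), the degree-3 and degree-4 registers and their initial states are all constructed for illustration. It measures the period for a primitive and a non-primitive polynomial, then uses the Berlekamp-Massey algorithm to measure the linear complexity of a bare LFSR, of two LFSRs combined by XOR (a linear combiner) and of two combined by AND (a nonlinear one).

```python
def clock(state, taps):
    """One tick of a Fibonacci LFSR: returns (output bit, next state)."""
    feedback = 0
    for t in taps:
        feedback ^= state[t]
    return state[0], state[1:] + [feedback]

def bits(state, taps, count):
    """First `count` output bits from the given initial state."""
    out, state = [], list(state)
    for _ in range(count):
        bit, state = clock(state, taps)
        out.append(bit)
    return out

def period(state, taps):
    """Clock ticks until the register returns to its initial state."""
    if 0 not in taps:
        raise ValueError("tap 0 is needed for the state update to be invertible")
    start = list(state)
    _, cur = clock(start, taps)
    ticks = 1
    while cur != start:
        _, cur = clock(cur, taps)
        ticks += 1
    return ticks

def linear_complexity(seq):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR producing seq."""
    n = len(seq)
    c, b = [0] * n, [0] * n      # current and previous connection polynomials
    c[0] = b[0] = 1
    length, m = 0, -1
    for pos in range(n):
        # discrepancy between the predicted and the actual bit at pos
        d = seq[pos]
        for i in range(1, length + 1):
            d ^= c[i] & seq[pos - i]
        if d:
            saved = c[:]
            shift = pos - m
            for i in range(n - shift):
                c[i + shift] ^= b[i]
            if 2 * length <= pos:
                length, m, b = pos + 1 - length, pos, saved
    return length

# Constructed registers. With this convention, taps (0, 1) on an n-bit state
# give the recurrence s[k+n] = s[k] ^ s[k+1], i.e. x^n + x + 1.
PRIMITIVE_3 = (0, 1)            # x^3 + x + 1, primitive
PRIMITIVE_4 = (0, 1)            # x^4 + x + 1, primitive
NON_PRIMITIVE_4 = (0, 1, 2, 3)  # x^4 + x^3 + x^2 + x + 1, irreducible, not primitive

def demo():
    a = bits([1, 0, 0], PRIMITIVE_3, 64)
    b = bits([1, 0, 0, 0], PRIMITIVE_4, 64)
    return {
        "period_primitive": period([1, 0, 0, 0], PRIMITIVE_4),
        "period_non_primitive": period([1, 0, 0, 0], NON_PRIMITIVE_4),
        "period_all_zero": period([0, 0, 0, 0], PRIMITIVE_4),
        "lc_single": linear_complexity(b),
        "lc_xor": linear_complexity([x ^ y for x, y in zip(a, b)]),
        "lc_and": linear_complexity([x & y for x, y in zip(a, b)]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

A bare degree-4 LFSR is fully described by a length-4 recurrence that Berlekamp-Massey finds from a few output bits, and XORing two registers only adds their lengths; the AND combiner raises the linear complexity to the product of the lengths, which is the role the nonlinear combiner plays in Figure 2.2.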

2.3.2 RC4 Stream Cipher

RC4 is another type of stream cipher designed by Ron Rivest of MIT and RSA Security. RC4 is considered to be a software oriented stream cipher because it can be easily implemented in software. In security applications such as TLS, BSAFE and Lotus Notes, RC4 is used to provide services of encryption and decryption.

RC4 was a trade secret of RSA and the algorithm was claimed to be reverse engineered and the source code of the algorithm was posted anonymously to an internet mailing list in 1994. It is believed to be the true RC4 algorithm [33]. Now the design of RC4 stream cipher is public knowledge.

RC4-n is a substitution box (s-box) based stream cipher where n denotes the operating word size of the algorithm. RC4-8 cipher is used in all known applications. There is an n-bit s-box with two pointers (i and j) in RC4-n cipher. The s-box has $2^n$ elements, each of which is n-bits in size. There are two phases in RC4 algorithm: the initialization and the keystream generation phase. In the initialization phase, a user key is used to initialize the s-box. Keystream is then generated in the second phase. The keystream is XORed with the plaintext to produce the ciphertext or XORed with the ciphertext to produce the plaintext. A detailed description of RC4-n algorithm is as follows:

Phase 1: Initialization

Input: k[0], ..., k[l-1]: l n-bit words of user's key

Output: Initial State of RC4 (i, j and S)

1. For z from 0 to 2^n - 1
   { K[z] = k[z mod l] }

2. For z from 0 to 2^n - 1
   { S[z] = z }

3. j = 0

4. For i from 0 to 2^n - 1
   {
     j = j + S[i] + K[i] mod 2^n
     Swap S[i] and S[j]
   }

5. i = 0 and j = 0

Phase 2: Keystream Generation

Input: the State of RC4 (i, j and S)

Output: The next n-bit word in the keystream, and the next RC4 State

1. i = i + 1 mod 2^n

2. j = j + S[i] mod 2^n

3. Swap S[i] and S[j]

4. t = S[i] + S[j] mod 2^n; output S[t] as the next n-bit word in the keystream

RC4 is a variable-key-size stream cipher. Although the user key could be up to $n \times 2^n$ bits, the effective key length is shorter. The nominal and effective key sizes for RC4-n in Table 2.2 are summarized by Mister and Tavares [24].

RC4 Word Size Nominal Key Length (bits) 8

24 64 160 384 896 2048 4608

Effective Key Length (bits) 4.58

Table 2.2: Nominal and Effective Key Sizes for RC4-n

There is a finite number of states in RC4. Hence, the outputs of RC4 eventually form cycles. For RC4 cipher, output cycle lengths depend on operating size, n, and the initial state of the s-box. While for an LFSR, output cycle lengths are determined by the degree of the LFSR and the feedback polynomial regardless of its initial state. The cycle lengths are, with high probability, very large. When $n \ge 4$, it is time-consuming to determine values of output cycle lengths of RC4-n cipher. The cycle lengths with their associated occurrence for n = 2, 3 are listed in Table 2.3. They are extracted from the work of Mister and Tavares [24] and confirmed by experiments. We note that for RC4-3, some cycle lengths occur more than once.

Word Length   Period    Number of Initial States
2             196       12
2             164       12
3             955496    30284
3             322120    5144
3             53000     816
3             44264     688
3             29032     1932
3             9624      302
3             9432      140
3             4696      622
3             3008      340
3             648       8
3             472       24
3             456       22
3             264       12
3             120       4
3             24        2

Table 2.3: Possible Periods for RC4 with Word Length 2 and 3

Observations on RC4 stream cipher and a cascaded s-box stream cipher are discussed in Chapters 4 and 5.
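The two phases of RC4-n and the word-length-2 rows of Table 2.3 can be reproduced directly. This is an added example, not code from the thesis; the function names are assumptions, and an "initial state" is taken to mean i = j = 0 with the s-box in any of its $(2^n)!$ arrangements.

```python
from collections import Counter
from itertools import permutations

def ksa(key_words, n):
    """Phase 1: initialise the s-box from l n-bit key words; returns (i, j, S)."""
    size = 1 << n
    K = [key_words[z % len(key_words)] for z in range(size)]
    S = list(range(size))
    j = 0
    for i in range(size):
        j = (j + S[i] + K[i]) % size
        S[i], S[j] = S[j], S[i]
    return 0, 0, S

def prga_step(i, j, S, n):
    """Phase 2: one iteration. Mutates S; returns (i, j, keystream word)."""
    size = 1 << n
    i = (i + 1) % size
    j = (j + S[i]) % size
    S[i], S[j] = S[j], S[i]
    return i, j, S[(S[i] + S[j]) % size]

def crypt(key_words, data_words, n):
    """Encrypt or decrypt: XOR each n-bit data word with the keystream."""
    i, j, S = ksa(key_words, n)
    out = []
    for word in data_words:
        i, j, k = prga_step(i, j, S, n)
        out.append(word ^ k)
    return out

def cycle_length(sbox, n):
    """Iterations until the state (i, j, S) returns to (0, 0, sbox).

    The state update is invertible, so every state lies on a cycle and the
    loop always terminates.
    """
    start = (0, 0, tuple(sbox))
    i, j, S = 0, 0, list(sbox)
    steps = 0
    while True:
        i, j, _ = prga_step(i, j, S, n)
        steps += 1
        if (i, j, tuple(S)) == start:
            return steps

def period_table(n):
    """Map each period to the number of initial states (i = j = 0) on it."""
    return Counter(cycle_length(p, n) for p in permutations(range(1 << n)))

if __name__ == "__main__":
    # RC4-8 with a widely published test vector (key "Key", text "Plaintext")
    ct = crypt(list(b"Key"), list(b"Plaintext"), 8)
    print(bytes(ct).hex())
    # RC4-2: all 24 initial s-box arrangements
    for length, count in sorted(period_table(2).items(), reverse=True):
        print(f"period {length:4d}  initial states {count}")
```

`period_table(3)` runs the same search over 40320 initial s-boxes with cycles up to 955496 iterations long, so it needs memoisation of already-visited cycles to finish in reasonable time.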


Chapter 3

CPN Based Analysis of the DVD Protocol

3.1 An Overview of the DVD Copyright Protection Scheme

The copyright protection scheme used in DVD applications is called Content Scrambling System (CSS). CSS scheme is designed by Toshiba and Matsushita, the parent company of Panasonic, and is incorporated in both DVD disks and DVD players. It is a combination of content scrambling, key encryption and conditional access. DVD manufacturers must obtain licenses detailing implementations of CSS scheme on their products.

CSS scheme is essentially a cryptosystem. The DVD playback control protocol, extracted from CSS, is modeled using Coloured Petri Nets in this chapter and the underlying LFSR based stream cipher in CSS is reviewed in the next chapter.

3.2 Petri Net Modeling of the DVD Playback Control Protocol

3.2.1 Coloured Petri Net Modeler

The Coloured Petri Net Modeler (CPNM) to be used in modeling DVD playback control protocol was developed by Edwards, Tavares and Meijer [14]. It is an integrated software tool with a friendly graphical user interface (GUI). Petri Net components (places, transitions, directed arcs and tokens) are drawn in CPNM. Then transition firing rules and token colours are specified. No programming skill is required to model cryptographic protocols in CPNM. CPNM is written in Java, a popular object-oriented computer language. For archival reasons, all CPNM figures in this thesis are printed in black and white.

A two-level approach is involved in the CPNM modeling hierarchy: entity level and functional level modeling. The former is focused on overview of the protocol and the latter is concentrated on details.

At entity level, a reusable component in CPNM called Petri Nets Object (PNO) is introduced to model communicating entity in cryptographic protocols. A PNO is drawn as a rectangular box with internal ports (transitions) on the edges. PNOs are connected with arcs and places. PNOs send and receive messages to one another through ports, simulating interactions between entities. At this level, the number of entities and their messages is observed.

When messages arrive at communicating entities, they undergo a series of cryptographic operations such as encryption, decryption, etc. Such operations occur inside PNOs. Places and transitions are used for modeling them. Transitions simulate action mechanisms of these operations. Coloured tokens in input and output places represent income and outcome messages respectively. This is functional level modeling at which working details of protocols are revealed. According to [37], there is still another modeling level called conceptual level in between. At conceptual level, processes that perform specific functions are defined as transitions in each PNO. But in this thesis, it is contained in the functional level modeling implicitly.

3.2.2 DVD Playback Control Protocol Modeling

DVD playback control protocol is abstracted from CSS scheme of DVD applications. DVD disk and player are two entities involved in this protocol. There are three primary steps concerning about copyright protection in the manufacturing of DVD disks and players:

1. Key Generation: A title key, a disk key and a small set of player keys are generated.

2. A set of cryptographic operations based on the underlying stream cipher: The audio/video content is encrypted by the title key and the title key is encrypted by the disk key. The disk key is encrypted a number of times by each player key. And the disk key is hashed.

3. Content and key distributions: The encrypted items (audio/video content, title key, disk keys) and the hash value of the disk key are distributed to DVD disks. The player keys are distributed to different DVD players so that each one has its own player key.

The protocol is carried out whenever a disk is being played, which ensures that copyrighted DVD disks can only be played on licensed players.

The entity level modeling is depicted in Figure 3.1, which presents a concise overview of the protocol. Four messages are exchanged between the disk and the player. Request 1 is a handshaking message sent from the player to initiate the protocol. Certain key information is sent back to the player in Response 1. Request 2 is another handshaking message from the player. Encrypted video content and some key information are included in Response 2.

Figure 3.1: An Entity Level Petri Net Model of the DVD Protocol

Legends used in functional level modeling of the DVD playback control protocol are described as follows: (The encryption and hash functions are defined in the underlying stream cipher that will be discussed in the next chapter.)

• dkey: disk key

• tkey: title key

• pk_i, i = 1, ..., n: player keys from 1 to n

• hash: hash value of the disk key

• Hash(A): apply Hash function on A

• AVData: contents of audio and video data

• E[A;K]: A encrypted by key K

• PSN: player key serial number

Functional level CPNM modeling is shown in Figure 3.2. Inside the PNO representing the DVD disk, audio/video data and keys are modeled as coloured tokens in places. The encrypted AVData is depicted in place pd4. Similarly, the encrypted title key is depicted in place pd5. The token in place pd2 represents the encrypted disk keys. The hash value of the disk key is depicted in place pd6.

Inside the PNO representing the DVD player, the player key is depicted as the token in place pp6. In the message of Response 1, the set of encrypted disk keys and the hash value of the disk key are sent to the DVD player. Using its player key, the DVD player decrypts the set of disk keys one by one. After each decryption, the same hash function is applied to the output disk key. Such hash result is then compared with the hash value sent in Response 1. If the two hash values are equal, the disk key is decrypted by the player successfully. Otherwise, the operations of decryption, hash and comparison are continued. Disk key decryption is modeled as transition tp2. Transitions tp3, tp4 and tp5 simulate the hash and comparing operations. Response 2 is sent to the player and the encrypted AVData and title key are then retrieved. As shown in transition tp1, the disk key is used to decrypt the title key. Subsequently, the title key is applied to decrypt the AVData (transition tp6).

Figure 3.2: A Functional Level Petri Net Model of the DVD Protocol

3.3 Weakness and Improvement in the DVD Pro-

In Section 3.2.2, the DVD playback control protocol is explicitly specified. Through Petri Nets modeling, a structural weakness is uncovered in the protocol.

Different player keys are incorporated in DVD players. But in a DVD disk, the video content is huge in size and thus should be encrypted only once. To enable a disk be played in all legitimate players, the video content cannot be encrypted by player keys directly. Therefore, a title key is used in content encryption. Then the title key is encrypted by the disk key and the disk key is encrypted by player keys, as depicted in Figure 3.2. It is observed that the disk key aims to protect the title key. But the disk key itself is protected by player keys. It has no contributions to the system security. Thus the disk key and its hash value (places pd2 and pd6) are superfluous. A revision of the protocol is made and illustrated in Figure 3.3, where the title key is encrypted by player keys directly.

Figure 3.3: A Revised Petri Net Model of the DVD Protocol

In the revised version of the DVD protocol, the disk key and its hash are removed. A player key serial number (PSN) for each DVD player is introduced in the title key encryption and decryption. The title key is encrypted a number of times by different player keys (in place pd2). In each encryption, a player's PSN is appended to the title key before the title key is encrypted by the key of the same player. Then a DVD player uses its player key to decrypt the title keys one by one. After each decryption operation, the player compares the appended PSN with its own PSN. If the two PSNs are equal, the title key is decrypted successfully. Otherwise, the decryption operation is continued (depicted in transitions tp1, tp2, tp3 and tp4).

Preserving the same security objective, the revised protocol has a twofold enhancement. In one aspect, an intruder can no longer conduct an attack against the hash value of the disk key. Besides, the revised protocol offers more efficient performance without the operation of disk key encryption/decryption.
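The data each side holds in the original and the revised protocol can be written out as code. This is an added example, not code from the thesis or from CSS: `E` is a stand-in XOR stream cipher built on SHA-256, `Hash` is a truncated SHA-256 (in CSS the encryption function itself serves as the hash), and every key, PSN and content value is constructed.

```python
import hashlib

def E(data: bytes, key: bytes) -> bytes:
    """E[A;K] with a stand-in stream cipher: XOR with a SHA-256 keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

D = E  # for an XOR stream cipher, decryption is the same operation

def Hash(data: bytes) -> bytes:
    """Stand-in 40-bit hash of the disk key."""
    return hashlib.sha256(data).digest()[:5]

# ---- original protocol: AVData <- tkey <- dkey <- each player key ----------
def master_original(av, tkey, dkey, player_keys):
    return {"av": E(av, tkey),
            "tkey": E(tkey, dkey),
            "dkeys": [E(dkey, pk) for pk in player_keys],
            "hash": Hash(dkey)}

def play_original(disk, pk):
    for blob in disk["dkeys"]:             # decrypt the disk keys one by one
        candidate = D(blob, pk)
        if Hash(candidate) == disk["hash"]:    # hash and compare
            tkey = D(disk["tkey"], candidate)
            return D(disk["av"], tkey)
    return None                            # no entry matched: not licensed

# ---- revised protocol: AVData <- tkey||PSN <- each player key --------------
def master_revised(av, tkey, players):
    """players: list of (psn, pk). No disk key and no hash are stored."""
    return {"av": E(av, tkey),
            "tkeys": [E(tkey + psn, pk) for psn, pk in players]}

def play_revised(disk, psn, pk):
    for blob in disk["tkeys"]:             # decrypt the title keys one by one
        plain = D(blob, pk)
        candidate, tag = plain[:-len(psn)], plain[-len(psn):]
        if tag == psn:                     # compare appended PSN with own PSN
            return D(disk["av"], candidate)
    return None

# Constructed sample values (40-bit keys, 32-bit PSNs)
AV = b"constructed audio/video payload"
TKEY = bytes.fromhex("a1b2c3d4e5")
DKEY = bytes.fromhex("0102030405")
PLAYERS = [(bytes.fromhex("00000001"), bytes.fromhex("1111111111")),
           (bytes.fromhex("00000002"), bytes.fromhex("2222222222")),
           (bytes.fromhex("00000003"), bytes.fromhex("3333333333"))]
UNLICENSED = (bytes.fromhex("000000ff"), bytes.fromhex("9999999999"))

if __name__ == "__main__":
    d1 = master_original(AV, TKEY, DKEY, [pk for _, pk in PLAYERS])
    d2 = master_revised(AV, TKEY, PLAYERS)
    print("original, licensed  :", play_original(d1, PLAYERS[1][1]))
    print("original, unlicensed:", play_original(d1, UNLICENSED[1]))
    print("revised,  licensed  :", play_revised(d2, *PLAYERS[1]))
    print("revised,  unlicensed:", play_revised(d2, *UNLICENSED))
```

In the revised layout the disk carries no `dkeys` or `hash` field, and playback needs one decryption layer fewer.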

An intrinsic weakness of the DVD playback control protocol is located. A player key has to be stored in a DVD player. If an intruder obtains the key of any licensed DVD player, he/she can use the player key to decrypt all DVD disks in the market. This is a system attack. To protect the sensitive DVD player key, a special type of hardware called trusted hardware [32] could be used to store it. In the trusted hardware, there is a tamper detecting mechanism that generates a signal shortly before an intruder gains physical access to the system. Detection of an attempt to gain access to the trusted hardware will result in erasure of the sensitive data (player key) in it.

Chapter 4

Analysis of DVD Stream Cipher

In Chapter 3, the DVD playback control protocol is modeled in the Coloured Petri Net Modeler (CPNM) and potential weaknesses in the protocol are uncovered. An enhanced version of the protocol is proposed. However, the underlying cipher in DVD applications is ignored there. Analysis of the cipher in a security application is as important as analysis of the protocol, both of which provide us with insightful and useful information about the security system. In this chapter, the underlying stream cipher in CSS, the DVD copyright protection scheme, is discussed. An s-box based stream cipher RC4 is reviewed.

4.1 The Underlying Cipher in the DVD System

In DVD applications, movie contents and certain types of keys are encrypted and stored on DVD disks. DVD players extract and decrypt them for playing. The mathematical operations of encryption and decryption are defined in the underlying cipher. The cipher in CSS is an LFSR-based stream cipher.

4.1.1 Keystream Generator

The keystream generator of this stream cipher is based on two LFSRs. The first one (LFSR1) has a degree 17. The corresponding polynomial formed from its tap sequence is $x^{15} + x + 1$. The second one (LFSR2) has a degree 25 with corresponding polynomial $x^{13} + x^5 + x^4 + x + 1$. The keystream generator is shown in Figure 4.1. To prevent it from generating never-ending zeros stream, the most significant bit of LFSR1 (b17) and the 4th bit from least significant bit of LFSR2 (b4) are set to one initially. Other bits in the two LFSRs are set according to the user key. The length of the user key is 40 bits by design to comply with the US government export control policy at the time. The first two bytes (16 bits) of the user key initialize LFSR1 and the other three bytes (24 bits) of the user key initialize LFSR2. At every clock tick, each LFSR generates one bit output. After every eight ticks, an 8-bit keystream output is generated by adding up the outputs of LFSR1 and LFSR2 with the carry bit from the previous addition.

Figure 4.1: Keystream Generator in DVD Stream Cipher

4.1.2 Encryption/Decryption Function

The encryption/decryption function is shown in Figure 4.2. The encryption function is executed from the top down and the decryption function is carried out in the reverse direction. The A(1,2,3,4,5) are 5 input plaintext bytes. C(1,2,3,4,5) are 5 output ciphertext bytes. $k_1, \ldots, k_5$ are 5 keystream bytes generated from the keystream generator. B(1,2,3,4,5) are 5 intermediate bytes. F is a pre-defined byte permutation table. Major mathematical operations in the encryption/decryption include exclusive ORs and byte permutations. We note the encryption function is also used as the hash function to generate the hash value of the disk key.

Figure 4.2: Encryption/Decryption Function in DVD Stream Cipher

4.1.3 Cryptanalysis of Keystream Generator

According to [35], there exist two known ciphertext attacks on the CSS keystream generator. Six bytes of keystream output are required in the first attack. The computational complexity to recover the user key is in the order of $2^{16}$. In the second attack, only five keystream output bytes are needed but the computational complexity is in the order of 2''. There is also a known plaintext attack on the encryption function. Given A(1,2,3,4,5) and associated C(1,2,3,4,5), the five bytes of keystream $k_1, \ldots, k_5$ could be obtained with only 256 trials.

The first attack on the CSS keystream generator is reviewed as follows.

Legends in the keystream generator attack:

$O_1(1), O_1(2), \ldots$: output bytes of LFSR1

$O_2(1), O_2(2), \ldots$: output bytes of LFSR2

$O(1), O(2), \ldots$: output bytes of the keystream, where $O(i) = O_1(i) + O_2(i) + c$, and $c$ is the carry bit from $O(i-1)$

The b17 in LFSR1 and b4 in LFSR2 are set to one initially. Other bits in LFSR1 (16 bits) and LFSR2 (24 bits) are initialized by the 5 bytes (40 bits) user key.

Attack: known $O(1), O(2), O(3), O(4), O(5), O(6)$

1. Guess initial state of LFSR1

2. Generate 6 bytes $O_1(1), O_1(2), O_1(3), O_1(4), O_1(5), O_1(6)$ from LFSR1

4. Generate $O_2(5), O_2(6)$ from LFSR2 given $O_2(1), O_2(2), O_2(3), O_2(4)$

5. Compare $O(6)$ with $O_1(6) + O_2(6) + c$. If equal, stop. Otherwise repeat the above steps.

After the execution of the above algorithm, the initial state of LFSR1 is resumed. Then the initial state of LFSR2 is deduced from its 32-bits output $O_2(1), O_2(2), O_2(3), O_2(4)$. The user key, i.e., the initial states of both LFSRs, is discovered with $2^{16}$ computational complexity. Other attacks are reviewed in detail in Appendix A.

While the stream cipher has a 40-bit key, its security strength turns out not even to match the 40-bit key length. This is partially due to the following facts.

First, in the keystream generator, neither of the two LFSRs is in full use. The highest orders of the polynomials of the two LFSRs are 15 and 13, which are smaller than their respective degrees 17 and 25. This indicates the most significant bits of both LFSRs are not in the feedback bits and thus the effective degrees for the two LFSRs are 15 and 13.

Moreover, the non-linear combiner used in the keystream generator is an 8-bit addition with carry. The reason for using a non-linear combiner is to conceal the output of the LFSRs and add some degree of non-linearity to the keystream so that a correlation attack cannot be applied directly. But the 8-bit addition with carry offers little non-linear property. All its non-linearity relies on the one bit carry from the previous addition.

LFSR-based stream ciphers are vulnerable to various versions of the correlation attack. LiLi-128 [7], an LFSR-based stream cipher submitted to NESSIE (New European Schemes for Signatures, Integrity and Encryption), is another example, which has been cryptanalyzed recently [1]. In practice, other types of stream ciphers such as an s-box based stream cipher or a cascaded s-box cipher could be a candidate to enhance the security performance of the DVD copyright protection system.

4.2 RC4 Observations

S-box based stream cipher RC4-n is discussed in Section 2.3.2, where n denotes the operating word size. It has an s-box with two pointers i and j pointing to its elements. The s-box has $2^n$ elements, each of which is n bits in size. At each clock tick (iteration), elements of the s-box are swapped once and an output is generated from the s-box. The pointer i is incremented by one. The movement of pointer j is irregular. The state of RC4 refers to positions of pointers i, j and contents of the s-box. As the cipher is evolving, states of RC4 form cycles eventually.

An experiment is set up to record all positions of the right pointer j within a cycle of RC4-2 stream cipher. The results suggest that pointer j cannot remain in the same position for more than three consecutive iterations. Experimental results for RC4-3 cipher imply the same conclusion. We prove that this conclusion holds for any RC4-n cipher as follows.

Figure 4.3 shows the only RC4 state in which the right pointer j does not move for three iterations. To make pointer j stay in the same position, i has to point to 0 in each iteration. At the same time i is incremented by one in each iteration. Involving the swap action, i can only satisfy these two conditions at most twice, thus making j remain in the same position for at most three consecutive iterations.

Figure 4.3: The RC4-n Stream Cipher

The movement of the right pointer j depends on its previous position and contents of the s-box. If contents of the s-box are shuffled randomly, j moves randomly.

In RC4-3 cipher, the pointer j has $2^3 = 8$ positions. Both the probabilities for j pointing to each position and the probabilities for j pointing to each position for three consecutive iterations are collected experimentally. If j moves randomly, the probability for j pointing to each position should be 1/8 = 0.125 and the probability for j to stay in one position for three iterations should be $(1/8)^3 = 0.001953$.

Experimental results of such probabilities for the cycle length of 955,496, the longest cycle in RC4-3, are in Table 4.1. P(xyz) denotes the probability for j pointing to position xyz. P(xyz,xyz,xyz) denotes the probability for j to remain in the position xyz for three consecutive rounds. The results show that j moves randomly as the cipher evolves.

Table 4.1: Probabilities for j in RC4-3 (Cycle Length = 955,496)

Similar results for other cycles in RC4-3 are in Appendix D. In the shortest two cycles, the joint probabilities P(xyz,xyz,xyz) are all equal to 0, which indicates j cannot stay in one position for three consecutive rounds.

4.3 RC4 Outputs Analysis

As previously depicted in Table 2.3, there are two cycles in RC4-2 cipher: 164 and 196. Let $P(O(i+1)/O(i))$ denote the output conditional probability. By way of example, P(01/11) represents the probability of output of 01 given that the previous output is 11. The conditional probability discloses the correlation between consecutive outputs of RC4 stream cipher. For RC4-2 cipher, the output is of 2-bit size. If its output has good randomness properties, each of four outputs is equally likely to occur. And output conditional probabilities should be close to 1/4.

Table 4.2: Output Conditional Probabilities P(O(i+1)/O(i)) for Cycle Length 164

In Tables 4.2 and 4.3, output conditional probabilities for cycles of length 164 and 196 are listed. In both cycles, each output occurs equally likely. But there are some fluctuations in the conditional probabilities. Given a certain output, some output is more likely to follow up than other outputs, which implies outputs of RC4-2 cipher have some differences from a complete random sequence.

Stream ciphers with better randomness properties and longer cycles are expected from a cascade of small scale s-boxes. Cascaded s-box stream ciphers are discussed in the next chapter.

P(00/00) = 12/49 P(00/01) = 13/49 P(00/10) = 11/49 P(00/11) = 13/49

P(01/00) = 16/49 P(01/01) = 11/49 P(01/10) = 14/49 P(01/11) = 8/49

P(10/00) = 8/49 P(10/01) = 11/49 P(10/10) = 15/49 P(10/11) = 15/49

P(11/00) = 13/49 P(11/01) = 14/49 P(11/10) = 9/49 P(11/11) = 13/49

Table 4.3: Output Conditional Probabilities P(O(i+1)/O(i)) for Cycle Length 196
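The experiments of Sections 4.2 and 4.3 can be rerun for RC4-2 in a few lines. The sketch below is an added example, not the thesis's code; it assumes the standard RC4 update order (increment i, add S[i] to j, swap, output S[S[i]+S[j]]) with both pointers starting at zero, and its function names are illustrative.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations


def rc4_cycle(n, sbox):
    """Run RC4-n from i = j = 0 until the full state recurs.

    Returns one (j, output) pair per iteration of the cycle.
    Assumption: standard RC4 step order, as stated in the lead-in.
    """
    size = 1 << n
    start = list(sbox)
    s, i, j, trace = list(sbox), 0, 0, []
    while True:
        i = (i + 1) % size
        j = (j + s[i]) % size
        s[i], s[j] = s[j], s[i]
        trace.append((j, s[(s[i] + s[j]) % size]))
        if i == 0 and j == 0 and s == start:
            return trace


def longest_stall(trace):
    """Longest run of consecutive iterations that leave j in one position."""
    js = [j for j, _ in trace]
    doubled = js + js                     # the trace is cyclic: catch wrap-around
    best = run = 1
    for prev, cur in zip(doubled, doubled[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return min(best, len(js))


def position_probabilities(trace, size):
    """(P(xyz), P(xyz,xyz,xyz)) for every pointer position, as in Table 4.1."""
    js = [j for j, _ in trace]
    total = len(js)
    single = Counter(js)
    triple = Counter(
        js[t] for t in range(total)
        if js[t] == js[(t + 1) % total] == js[(t + 2) % total]
    )
    return {x: (Fraction(single[x], total), Fraction(triple[x], total))
            for x in range(size)}


def conditional_outputs(trace):
    """P(O(i+1) = nxt / O(i) = prev) over one cycle, keyed (nxt, prev)."""
    outs = [o for _, o in trace]
    pairs = Counter(zip(outs[1:] + outs[:1], outs))   # cyclic successor
    given = Counter(outs)
    return {(nxt, prev): Fraction(c, given[prev])
            for (nxt, prev), c in pairs.items()}


def rc4_cycles(n):
    """One trace per distinct cycle length reached from the (2^n)! start states.

    Practical for n = 2 only; RC4-3 already has cycles near a million states.
    """
    found = {}
    for sbox in permutations(range(1 << n)):
        trace = rc4_cycle(n, sbox)
        found.setdefault(len(trace), trace)
    return found


if __name__ == "__main__":
    for length, trace in sorted(rc4_cycles(2).items()):
        print(f"cycle {length}: longest stall of j = {longest_stall(trace)}")
        for x, (p1, p3) in position_probabilities(trace, 4).items():
            print(f"  P({x:02b}) = {p1}   P({x:02b},{x:02b},{x:02b}) = {p3}")
        for (nxt, prev), p in sorted(conditional_outputs(trace).items()):
            print(f"  P({nxt:02b}/{prev:02b}) = {p}")
```

Fractions print in lowest terms, so a table entry such as 14/49 appears as 2/7.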


Chapter 5

A New Cascaded S-Box Stream Cipher

In this chapter, we propose a new model for stream ciphers based on a cascade of small s-boxes. Like RC4 stream cipher designed by Ron Rivest [30], the cascade stream cipher makes use of evolving s-boxes and pointers. However, instead of using one large s-box we employ a cascade of several small s-boxes. Smaller scale RC4 ciphers are vulnerable to attacks [23]. The cascaded cipher achieves security by combining the contributions of many small scale s-boxes. The number of s-boxes in the cascade can be increased if we desire more security. Important properties such as keystream cycle structure and output statistical analysis are discussed in this chapter. The new cascade stream cipher requires relatively little storage and executes efficiently in both hardware and software.


5.1 The General Cascaded S-Box Stream Cipher

Figure 5.1: A Cascaded S-Box Stream Cipher

Figure 5.1 depicts a cascaded s-box stream cipher, where N denotes the total number of cascaded s-boxes (cells) and n denotes the size of each s-box. We adopt the following notation in the thesis: in the case where we assume 2-bit s-boxes we refer to the cipher as CSC-N, where N is defined above. Like the RC4-n stream cipher, the contents of each s-box may be any permutation of $\{0, 1, \ldots, 2^n - 1\}$. Every s-box has two pointers which rearrange their contents after each output. The s-boxes are cascaded serially with each output connecting to the left pointer of the next s-box.

The new cascaded stream cipher operates on n-bit words. As shown in the following description, there are two phases involved in the stream cipher algorithm. In the initialization phase, the input is the user's key whose length can be up to $N \times 2^n$ n-bit words. This determines the initial state of the cascaded stream cipher as follows. In step 1, the user key is expanded to $N \times 2^n \times n$ bits. In step 2, each s-box is filled linearly. And in step 3, the contents of the s-boxes are shuffled by the expanded user key. All the pointers are set to zero after this phase.

Phase 1: Initialization

Input: k_0, ..., k_{l-1}, l n-bit words of user's key

Output: Initial state of CSC-N cascaded cipher

    1. For z from 0 to N x 2^n - 1
       { K_z = k_{z mod l} }

    2. For m from 1 to N
       { For z from 0 to 2^n - 1
         { S_m[z] = z }
         i_m = 0; j_m = 0
       }

    4. For m from 1 to N
       { i_m = 0; j_m = 0 }

In the keystream generation phase, the input is the initial state of the cascaded stream cipher and the output is the next n-bit word in the keystream and the next state. The first left pointer is incremented regularly in step 1. In step 2, the contents of each s-box are rearranged according to the movements of its two pointers. The output keystream is generated from the output of the last s-box. The first s-box with its two pointers evolves exactly the same way as an RC4-n stream cipher. Each of the other N - 1 s-boxes evolves slightly differently because their left pointers are no longer incremented by one each time. Instead, they are determined by the output of the previous s-box.

Phase 2: Keystream Generation

Input: Initial State of the CSC-N cascaded stream cipher

Output: The next n-bit word in the keystream, and the next state

    Repeat forever
    { i_1 = i_1 + 1 mod 2^n
      For k from 1 to N
      { j_k = j_k + S_k[i_k] mod 2^n
        Swap S_k[i_k] and S_k[j_k]
        t = S_k[i_k] + S_k[j_k] mod 2^n
        if k < N, i_{k+1} = S_k[t]
        else output S_k[t] as the next word in the keystream
      }
    }


5.2 Keystream Cycle Structure of the Cascaded Cipher

The state of a cascaded s-box stream cipher refers to the positions of all the pointers $(i_1, j_1), \ldots, (i_N, j_N)$ and the contents of each s-box in the cascade. Once the state of the cipher is set up, the output keystream is completely determined. In fact, the keystream generating operation in a cascaded stream cipher is a deterministic and reversible operation. Because the cascaded s-box stream cipher has a finite number of states, its output repeats eventually. As the cipher is evolving, the output keystream therefore forms cycles (we also call the period of the cipher the cycle length). Investigation of cycle structure is important in the design and analysis of stream ciphers.

5.2.1 Cycles in the Cascaded S-Box Stream Cipher

At the end of the initialization phase of the cascaded s-box stream cipher algorithm, an initial permutation is chosen for each s-box by the user key. The cipher with different initial states generates keystreams with different cycle lengths. Experiments are carried out to determine cycle lengths in CSC-2, CSC-3, CSC-4, CSC-5 and CSC-6 ciphers and the corresponding number of occurrence for these cycles. For example, Table 5.1 lists all the cycle lengths with the corresponding number of occurrence in CSC-2 cipher. The decomposition of these cycles is discussed in Section 5.2.4.


Table 5.1: Cycle Lengths for CSC-2 Stream Cipher

| Cycle Length | Number of Occurrence | Cycle Length Decomposition |
|---|---|---|
| 14,596 | 265 | 4*41*89 |

For CSC-2 and CSC-3 ciphers, all possible permutations of each s-box are tried. There are 9 cycles in CSC-2 cipher and the longest cycle has period 14,596. There are 51 cycles in CSC-3 cipher and the longest cycle has period 788,184. Detailed information about the cycles in CSC-3 cipher can be found in Tables 5.2 and 5.3.


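| Index | Cycle Length | Number of Occurrence |
|---|---|---|
| 1 | 788,184 | 3598 |
| 2 | 423,284 | 1895 |
| 3 | 249,900 | 936 |
| 4 | 211,288 | 872 |
| 5 | 197,568 | 648 |
| 6 | 176,792 | 821 |
| 7 | 131,712 | 470 |
| 8 | 102,172 | 461 |
| 9 | 93,100 | 333 |
| 10 | 90,552 | 390 |
| 11 | 87,808 | 321 |
| 12 | 87,576 | 406 |
| 13 | 86,240 | 349 |
| 14 | 78,400 | 306 |
| 15 | 54,880 | 199 |
| 16 | 43,904 | 147 |
| 17 | 43,120 | 189 |
| 18 | 39,360 | 197 |
| 19 | 30,184 | 233 |
| 20 | 24,500 | 99 |
| 21 | 21,320 | 114 |
| 22 | 20,580 | 88 |
| 23 | 15,092 | 62 |
| 24 | 14,700 | 62 |
| 25 | 12,936 | 61 |
| 26 | 12,348 | 55 |
| 27 | 10,976 | 39 |
| 28 | 10,780 | 44 |
| 29 | 9,800 | 40 |
| 30 | 9,020 | 42 |

Table 5.2: Cycle Lengths for CSC-3 Stream Cipher (1)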


Index: 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

Cycle Length: 8,036 5,248 4,920 4,756 4,312 4,116 3,280 2,788 2,744 2,460 2,156 2,132 1,968 1,640 1,372 1,312 1,148 656 492 328 164

Number of Occurrence: 28 27 37 20 71 24 35 12 14 25 6 6 6 7 5 8 3 5 4

Cycle Length Decomposition: 4*41*1*49

Table 5.3: Cycle Lengths for CSC-3 Stream Cipher (2)


As N is incremented, the longest cycle lengths grow rapidly and searching for cycles from every initial state requires long computer runs. To keep the experimental time manageable, random sampling of initial states is adopted. Once the cycle length of an initial state exceeds the threshold, the search is truncated.

Figure 5.2 depicts the relation between cycle length and cycle counts in CSC-3, CSC-4, CSC-5 and CSC-6 ciphers. The horizontal axis represents different cycle lengths. The vertical axis represents the cumulative frequency (CF) over all cycles less than or equal to the current cycle length. Both axes are in log scale. The larger the number of cascaded s-boxes, the longer the maximum cycle lengths are.

For CSC-4, CSC-5 and CSC-6 ciphers, the search-threshold of cycle length is set to $10^8$ and the results are based on 1000 random initial permutations of the s-boxes. On a Sun Ultra 5 workstation, these experiments take about 10, 66 and 75 hours respectively. In the experiment, no cycle with length greater than or equal to $10^8$ is found in CSC-4 cipher (See Tables 5.4, 5.5 and 5.6, the longest one is 29,950,992). Although it is too time-consuming to try all $(2^2!)^4$ initial states, the cycle of length 29,950,992 is almost certainly the longest one in CSC-4 cipher. The reason is discussed in Section 5.2.3. In Figure 5.2, only a small portion of cycles with lengths below the threshold of $10^8$ are discovered in CSC-5 and CSC-6 ciphers.

More information about cycle lengths of CSC-5 and CSC-6 ciphers is listed in Tables 5.7, 5.8 and 5.9.


O : CSC-3 Cipher

+ : CSC-4 Cipher

. : CSC-5 Cipher

x : CSC-6 Cipher

Figure 5.2: Cumulative Frequency (CF) of Occurrence versus Cycle Length


Cycle Length: 29,950,992

Number of Occurrence: 106 99 71 52 43 26 18 27 19 20 25 28 13 21 11 12 12 9 16 10 10 10 24 15 6 6 15 3 16 29 5 22 11 4 7 12 10 1

Cycle Length Decomposition: 4*41*89*54*38 4*41*89*54*37

Table 5.4: Cycle Lengths for CSC-4 Stream Cipher (1)


Index 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

Cycle Length 1,849,920

Number of Occurrence Cycle Length Decomposition

Table 5.5: Cycle Lengths for CSC-4 Stream Cipher (2)


Index: 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112

Cycle Length: 423,284 422,576 351,232 318,500 310,464 301,760 286,748 262,728 259,284 258,720 249,900 245,000 241,080 234,612 l86JOO 172,872 166,600 146,944 137,760 127,920 125,460 120,736 118,580 103,488 102,172 90,552 78,720 64,288 54&30 54,120 49,000 46,648 25,872 9,840 3,280 1,640

Number of Occurrence Cycle Length Decomposition: 4*41*89*29*1

Table 5.6: Cycle Lengths for CSC-4 Stream Cipher (3)


5.2.2 Property of Cascaded S-Box Stream Ciphers

If the number and lengths of keystream cycles of a stream cipher are known, an intruder may conduct a ciphertext only attack on the stream cipher. Details are as follows:

Without losing generality, it is assumed that keystream generates one key bit each time.

Denotations: $l$: cycle length. $p_0, p_1, \ldots, p_{2l-1}$: $2l$ bits of plaintext. $k_0, k_1, \ldots, k_{l-1}$: $l$ bits of a complete keystream cycle. $c_0, c_1, \ldots, c_{2l-1}$: $2l$ bits of ciphertext. Where

Assume an intruder is given $2l$ bits of ciphertext and the cycle length $l$. Step one, the intruder shifts the ciphertext by $l$ bits. Step two, the shifted ciphertext $c_l, c_{l+1}, \ldots, c_{2l-1}, c_0, c_1, \ldots, c_{l-1}$ is bitwise XORed with $c_0, c_1, \ldots, c_{2l-1}$, the original ciphertext. Since each bit in the same position of both ciphertexts is the result of the same key bit XORed with a plaintext bit, key bits are removed and XORed plaintext bits are obtained in step two. There is a lot of redundancy in XORed plaintext bits. For example, English language has 50% redundancy. The redundancy makes these XORed plaintext bits vulnerable to attacks.

The ciphertext shift attack requires the ciphertext longer than the corresponding keystream cycle length. Thus it is a desirable property for a stream cipher to have long keystream cycles.


Another ciphertext only attack on the cascaded stream cipher is that an intruder can guess the initial states of s-boxes and then generate corresponding keystreams to be XORed with the ciphertext. After trying at most every possible state, the intruder can obtain the key and thus the plaintext. This is a brute-force attack.

Since CSC-3 and RC4-3 have the same amount of storage capacity, they are comparable. The cycle length distributions of CSC-3 and RC4-3 are similar (See Figure 5.3). The longest cycle length is larger in RC4-3 than in CSC-3. When we increase the number of cells in the cascaded stream cipher, the cycle length grows rapidly.

5.2.3 Upper Bound of the Cycle Length

In a cascaded stream cipher, there are N + 1 pointers each of which has $2^n$ positions. And there are N n-bit s-boxes each of which has $(2^n)!$ permutations. Thus the total number of the possible states in the cascaded stream cipher is $(2^n)^{N+1}(2^n!)^N$, which directly determines the upper bound of cycle length of the cipher.

Lemma 1 An upper bound on cycle length for a cascaded s-box stream cipher is

Experimental results show that in CSC-3 cipher, the 51 cycles add up to 3,234,104 states while the upper bound is 3,538,944. This indicates that CSC-3 cipher can actually visit 3,234,104/3,538,944 = 91.4% of the total number of states (the remaining states are not reachable). In addition to data in Tables 5.4, 5.5 and 5.6, another cycle-searching experiment is carried out for CSC-4 cipher. A total of 186 cycles is observed (this includes 11 pairs of cycles that had the same cycle lengths) and they add up to 308,094,256 states. The upper bound is 339,738,624 states. The percentage of the number of states actually visited is 308,094,256/339,738,624 = 90.7%. It is a desirable property of the cascaded stream cipher that it actually visits most of the states in the complete space.

Figure 5.3: RC4-3 Vs. CSC-3 Cipher

In CSC-4 cipher, the longest cycle generated from 1000 random initial states is 29,950,992. There are 34,063 keys in this cycle. The total number of initializations (i.e., keys) for the cipher is $(2^2!)^4 = 331,776$. Each time we randomly choose an initial state, we have 34,063/331,776 = 10.3% probability to generate the cycle of length 29,950,992. In other words, we have a 89.7% probability to miss it. If we repeat our random sampling 1000 times, the probability that we miss the cycle of length 29,950,992 is $(0.897)^{1000} = 6.2 \times 10^{-48}$, which is extremely small and negligible. If there were any cycle length in CSC-4 cipher larger than 29,950,992, then the probability of missing it after 1000 random samples is even smaller than $6.2 \times 10^{-48}$. In fact, no such cycle is discovered. So we conclude with confidence that the longest cycle length in CSC-4 cipher is 29,950,992. With the help of probability and random sampling, we do not have to search every initial state to determine the length of the longest cycle in a cascaded cipher. We also use this method in CSC-5 cipher.

Cycle lengths in CSC-5 and CSC-6 ciphers are even longer. The upper bounds for them are $3.3 \times 10^{10}$ and $3.1 \times 10^{12}$ respectively. For a better understanding and further analysis of the cascaded stream ciphers, we need more information about the long cycle lengths. Based on the discussion in Section 5.2.4, the upper bounds of cycle length for CSC-5 and CSC-6 ciphers can be improved. We extend our search and more cycles are discovered. Details are in Section 5.2.4.

5.2.4 Decomposition of Cycles

As shown in Tables 5.1, 5.2 and 5.3, cycles in our cascaded stream cipher are decomposed into the products of several factors. Such a decomposition reveals some details about the cycle and the behavior of each s-box.

The first factor represents the effect of the first left pointer $i_1$ in the cascaded cipher. Each of the other factors represents the contribution of each s-box with its right pointer in the cascaded cipher. All the first factors are equal to 4 in all cycle decompositions. This is because $i_1$ has 4 possibilities and has a cycle of length four. The other factors have various values, but none of them exceeds 96. This is because every s-box has 4! arrangements and its right pointer has 4 possibilities. Thus,

Lemma 2 The maximum cycle factor contributed by a 2-bit s-box with its right pointer is $4! \times 4 = 96$.

For each cell (s-box plus right pointer) added to the cascaded cipher, the average growth rate for cycle length is 45. As N is incremented, the longest cycle length becomes closer to its upper bound.

The method of cycle decomposition plus previous experimental results of cycle

lengths in CSC-4 cipher directly lead to the following lemma:

Lemma 3 Upper bounds on cycle length for the CSC-5 and CSC-6 ciphers are $2.88 \times 10^{9}$ and $2.76 \times 10^{11}$ respectively.

The longest cycle in CSC-4 cipher is 29,950,992, thus the upper bound of cycle length in a CSC-5 cipher is $29,950,992 \times 96 = 2.88 \times 10^{9}$. And the upper bound of cycle length in CSC-6 cipher is $2.88 \times 10^{9} \times 96 = 2.76 \times 10^{11}$. It is an immediate improvement of the cycle lengths upper bound in cascaded ciphers compared with those in Section 5.2.3. Encouraged by this new upper bound, we repeat the experiments to search for cycle lengths in CSC-5 and CSC-6 ciphers. No threshold was put on the cycle length, but the number of random initial states is reduced to keep the computer time manageable. Cycles in Tables 5.7 and 5.8 are obtained from 100 random initial states of CSC-5 cipher. The longest cycle length is 1,430,699,920. As in Section 5.2.3, this cycle is highly likely to be the longest cycle in CSC-5 cipher, with a probability of 99.42%.


Index Cycle Length: 1,430,699,920 1,227,990,672 960,008,112 951,429,864 720,966,400 699,907,392 599,019,840 554,093,352 554,078,756 524,930,544 515,784,192 513,018,240 508,935,168 503,798,400 479,215,872 359,411,904 351,859,200 350,526,792 347,860,800 314,725,824 272,288,380 265,647,200 264,129,216 262,465,272 223,533,100 218,817,536 179,705,952

Number of Occurrence Cycle Length Decomposition

Table 5.7: Cycle Lengths for CSC-5 Stream Cipher (1)


Index 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

Cycle Length 173,692,400

Number of Occurrence Cycle Length Decomposition

Table 5.8: Cycle Lengths for CSC-5 Stream Cipher (2)


Searching for cycles in CSC-6 cipher needs even longer computer runs. In Table 5.9, we found 13 big cycles. The longest one has length 108,733,193,920. Each of them only occurs once in the experiment.

Index: 1 2 3 4 5 6 7 8 9 10 11 12 13

Cycle Length: 108,733,193,920

Cycle Length Decomposition: 4*41*89*29*52*65*76

Table 5.9: Observed Longest Cycle Lengths for CSC-6 Stream Cipher

5.2.5 Typical Key Lengths for the Stream Cipher

The keys for the CSC are stored in tables the same size as the s-boxes. Thus for each 2-bit s-box in the cascade there are 2 x 4 = 8 bits of key. Hence, a CSC-N has 8N bits of nominal key. The effective key length is determined by the number of initial states generated by the keys. Each 2-bit s-box can be arranged in 4! = 24 ways. Hence the effective key length for a CSC-N is $N \log_2 24 \approx N \times 4.588$. If we form the CSC cascade from 16 cells, the effective key length is 73.4 bits. For 24 cells in the CSC the effective key length is 110 bits, for 32 cells it is approximately 146.8 bits.

In PCS wireless cellular phone applications, the CSC-16 cipher may be sufficient (this compares with 56 bits of key for DES). The CSC-24 would be immune to exhaustive computer search with current and foreseen technology.

5.3 Key Spacing Distribution in Cascaded Ciphers

The number of keys is much larger than the number of cycles. A cycle of CSC-N cascaded cipher consists of a sequence of different states of the system. Some of these states have all of their pointers equal to zero; these states correspond to initializations under different keys. Key spacing of the system refers to the number of states between two such adjacent keys. Investigating the key spacing distribution in cycles gives us useful insight into the behavior of CSCs.

Figure 5.4 shows the relationship between different cycles and the number of keys on them for CSC-4 cipher. The X-axis indicates the cycle length and Y-axis indicates the corresponding number of keys. Both of them are in log scale. It suggests very good linearity between the cycle length and the number of keys in the cycle. The longer the cycle, the more keys reside in it. This is a good property for the cascaded cipher. An intruder cannot just look at a small portion of cycles to reveal a lot of keys.

As the cascaded cipher state evolved, if each rearrangement of the s-boxes were truly random, then the subsequent values of the rest of the pointers would be completely random. Thus each time the first pointer returned to zero, all the rest of the pointers would point to zero with Bernoulli probability p. This would give a geometric distribution for the interval between keys on the cycle.

Figure 5.4: Number of Keys Vs. Cycle Lengths

For CSC-4 cipher, we experimentally collect the key spacing data in 112 cycles. Figure 5.5 shows the key spacing distribution on cycle 29,950,992, the longest cycle in CSC-4 cipher.


[Figure 5.5 histogram. Legend: Total Keys: 34063; Total bins: 50; Max Key Spacing: 9392; Min Key Spacing: 4; Average Key Spacing: 879.3. Horizontal axis: Bins for Key Spacing.]

Figure 5.5: Key Spacing Distribution in Cycle of Length 29,950,992 in CSC-4 Cipher

The experimental results on key spacing are represented in the histogram by 50 equal-sized bins collecting keys on the cycle with different key spacing. The vertical axis indicates the number of keys in each bin. The curve is the theoretical geometric distribution curve. The experimental results visually match the theoretical geometric distribution quite well which suggests the new cascaded stream cipher is giving random-looking permutations of the s-boxes.

Similarly, Figure 5.6 depicts the key spacing distribution on the longest cycle in CSC-5 cipher. There are 399,105 keys in the cycle of length 1,430,699,920. The maximum key spacing is 43,808 and minimum is 4. The profile of the histogram also visually matches the geometric distribution very well.

[Histogram; x-axis: Bins for Key Spacing (×10^4). Total Keys: 399105; Total bins: 50; Max Key Spacing: 43808; Min Key Spacing: 4; Average Key Spacing: 3584.8]

Figure 5.6: Key Spacing in Cycle of Length 1,430,699,920 in CSC-5 Cipher

All collected key spacing data is subject to geometric distribution except for the shortest cycles which have very few keys in them, i.e., there is only 1 key in the cycle of 1640, 2 in the cycle of 3280, etc. More key spacing distribution plots are in Appendix B.
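The geometric model behind Figures 5.5 and 5.6 can be checked numerically rather than only by eye; the following is an added example, not code from the thesis. It assumes the first pointer returns to zero every 4 outputs (inferred from the minimum key spacing of 4 in the figures), the simulated spacings are constructed data rather than measured CSC-4 spacings, and the chi-square score with pooled tail bins is this example's choice of fit measure.

```python
import bisect
import math
import random

STEP = 4  # assumption: the first pointer returns to zero every 4 outputs


def bin_edges(max_spacing, bins):
    """Integer edges of equal-sized bins covering (0, max_spacing]."""
    return [(j * max_spacing) // bins for j in range(bins + 1)]


def expected_histogram(total_keys, cycle_length, max_spacing, bins=50, step=STEP):
    """Expected keys per bin when spacing = step * Geometric(p).

    p is fixed by the mean spacing: cycle_length / total_keys = step / p.
    """
    q = 1.0 - step * total_keys / cycle_length
    edges = bin_edges(max_spacing, bins)
    # P(spacing > s) = q ** (s // step); bin j holds edges[j] < spacing <= edges[j + 1].
    return [total_keys * (q ** (lo // step) - q ** (hi // step))
            for lo, hi in zip(edges, edges[1:])]


def observed_histogram(spacings, max_spacing, bins=50):
    """Count spacings per bin using the same edges as the model."""
    edges = bin_edges(max_spacing, bins)
    counts = [0] * bins
    for s in spacings:
        counts[bisect.bisect_left(edges, s) - 1] += 1
    return counts


def chi_square(observed, expected, min_expected=5.0):
    """Pearson statistic; sparse tail bins (expected < min_expected) are pooled."""
    stat, cells, pool_o, pool_e = 0.0, 0, 0, 0.0
    for o, e in zip(observed, expected):
        if e >= min_expected:
            stat += (o - e) ** 2 / e
            cells += 1
        else:
            pool_o, pool_e = pool_o + o, pool_e + e
    if pool_e > 0:
        stat += (pool_o - pool_e) ** 2 / pool_e
        cells += 1
    return stat, cells - 2  # one degree of freedom is lost to the estimated p


def simulate_spacings(count, p, seed, step=STEP):
    """Constructed data: spacings drawn from the Bernoulli-return model itself."""
    rng = random.Random(seed)
    log_q = math.log(1.0 - p)
    return [step * (int(math.log(1.0 - rng.random()) / log_q) + 1)
            for _ in range(count)]


def fit(spacings, bins=50):
    """Bin the spacings as in the thesis figures and score the geometric fit.

    The spacings of all keys on one cycle sum to the cycle length.
    """
    top = max(spacings)
    expected = expected_histogram(len(spacings), sum(spacings), top, bins)
    return chi_square(observed_histogram(spacings, top, bins), expected)


if __name__ == "__main__":
    # Figure 5.5 annotations: 34063 keys on the cycle of length 29,950,992.
    model = expected_histogram(34063, 29950992, 9392)
    print("expected keys in the first three bins:", [round(x) for x in model[:3]])
    sample = simulate_spacings(34063, STEP * 34063 / 29950992, seed=1)
    print("chi-square statistic, degrees of freedom:", fit(sample))
```

A statistic close to the degrees of freedom indicates agreement with the geometric model; evenly spread spacings with the same mean score far higher.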

5.4 Statistical Analysis of the Output of Cascaded Ciphers

Key spacing distribution in a cascaded cipher demonstrates the randomness in the rearrangements of internal s-boxes. Studying of the keystream output is another important aspect to determine randomness properties of the cipher.

Statistical tests are carried out on a sample output keystream. Each test determines whether the output sequence possesses a certain attribute that a truly random bit stream exhibits. Passing such randomness tests provides evidence that the tested sequence has certain characteristics of randomness.

5.4.1 Frequency Test (one-bit test)

The purpose of this test is to determine whether the number of 0's and 1's in the sequence are approximately the same, as would be expected for a random sequence. Let $n_0$, $n_1$ denote the number of 0's and 1's respectively, where $n$ denotes the total number of bits in the sequence. The statistic used in this test is

$$X_1 = \frac{(n_0 - n_1)^2}{n}$$

which approximately follows a $\chi^2$ distribution with 1 degree of freedom if $n \geq 10$. It is important to choose an appropriate significance level. Too high a significance level will cause rejection of a good random sequence generator while one that is too low will cause acceptance of a sequence generator even with poor randomness property. In this thesis, a significance level of $\alpha = 0.05$ is employed.

5.4.2 Serial Test (two-bit test)

The purpose of the serial test is to determine if the number of occurrences of 00, 01, 10 and 11 as subsequences of the tested string are approximately the same, as expected from a random bit string. Let $n_0$, $n_1$ denote the number of 0's and 1's respectively, and $n$ denotes the total number of bits in the sequence. Let $n_{00}$, $n_{01}$, $n_{10}$, $n_{11}$ denote the number of occurrences of 00, 01, 10 and 11 respectively. The statistic used here

which approximately follows a $\chi^2$ distribution with 2 degrees of freedom if $n \geq 21$.

5.4.3 Test Results for Cascaded Stream Ciphers

For a significance level of $\alpha = 0.05$, the threshold value for the frequency test with 1 degree of freedom is 3.8415; the threshold value for the serial test with 2 degrees of freedom is 5.9915 [20].

For CSC-2, CSC-3, CSC-4, CSC-5 and CSC-6 ciphers, 100 outputs with certain number of bits from each cipher are randomly chosen and the two statistical tests are carried out on them. Table 5.10 gives the summary of the experimental results: in each experiment, the number of values that exceed the threshold are about 5% of the total trials, which conforms to the $\alpha = 0.05$ significance level; the remaining 95% of the outputs pass the tests. This supports the hypothesis that the cascaded cipher generates random-looking outputs. More detailed results of these experiments are in Appendix C.

Table 5.10: Output Statistical Test Results for Cascaded Ciphers
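The two tests of Sections 5.4.1 to 5.4.3 can be run as below; this is an added example, not code from the thesis. The serial statistic is taken in the form given by the Handbook of Applied Cryptography [20], which is an assumption about the form the thesis uses; the 160-bit sample is the worked sequence from that handbook, and the random samples are constructed stand-ins rather than CSC-N keystream.

```python
import random

# Thresholds quoted in Section 5.4.3 for a significance level of 0.05.
FREQ_THRESHOLD = 3.8415    # chi-square, 1 degree of freedom
SERIAL_THRESHOLD = 5.9915  # chi-square, 2 degrees of freedom


def frequency_statistic(bits):
    """X1 = (n0 - n1)^2 / n, as defined in Section 5.4.1."""
    n = len(bits)
    if n < 10:
        raise ValueError("chi-square approximation needs n >= 10")
    n1 = sum(bits)
    n0 = n - n1
    return (n0 - n1) ** 2 / n


def serial_statistic(bits):
    """Two-bit statistic over the n - 1 overlapping pairs.

    Assumption: Handbook of Applied Cryptography form,
    X2 = 4/(n-1) * (n00^2 + n01^2 + n10^2 + n11^2) - 2/n * (n0^2 + n1^2) + 1.
    """
    n = len(bits)
    if n < 21:
        raise ValueError("chi-square approximation needs n >= 21")
    n1 = sum(bits)
    n0 = n - n1
    pairs = [0, 0, 0, 0]  # counts of 00, 01, 10, 11
    for a, b in zip(bits, bits[1:]):
        pairs[2 * a + b] += 1
    return (4 / (n - 1)) * sum(c * c for c in pairs) \
        - (2 / n) * (n0 * n0 + n1 * n1) + 1


def rejection_counts(samples):
    """How many samples exceed each threshold (about 5% is expected at 0.05)."""
    freq = sum(frequency_statistic(s) > FREQ_THRESHOLD for s in samples)
    serial = sum(serial_statistic(s) > SERIAL_THRESHOLD for s in samples)
    return freq, serial


# Worked 160-bit sample from the Handbook of Applied Cryptography:
# four copies of a 40-bit block.
HAC_BLOCK = "1110001100010001010011101111001001001001"
HAC_SAMPLE = [int(c) for c in HAC_BLOCK * 4]


def constructed_samples(count, nbits, p_one, seed):
    """Constructed bit strings: independent bits, each 1 with probability p_one."""
    rng = random.Random(seed)
    return [[1 if rng.random() < p_one else 0 for _ in range(nbits)]
            for _ in range(count)]


if __name__ == "__main__":
    print("HAC sample: X1 = %.4f, X2 = %.4f"
          % (frequency_statistic(HAC_SAMPLE), serial_statistic(HAC_SAMPLE)))
    fair = constructed_samples(100, 4000, 0.5, seed=2001)
    biased = constructed_samples(100, 4000, 0.6, seed=2001)
    print("rejections out of 100, unbiased source:", rejection_counts(fair))
    print("rejections out of 100, biased source:  ", rejection_counts(biased))
```

A healthy generator should fail each test on roughly 5 of 100 samples; a count near 0 or well above 5 both deserve a second look.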

5.4.4 Output Probability Deviation

We use the probability deviations to describe the probability differences between the output of CSC-N cipher and a truly random bit sequence.

A digraph refers to each successive pair of n-bit outputs of the cipher. A trigraph refers to three consecutive outputs of the cipher [15]. If CSC-N cipher generates random outputs, then the probability for every single output should be 1/4, and the joint probabilities for digraphs and trigraphs should be 1/16, 1/64 respectively.

Detailed definitions are as follows:

single output probability deviation

$$F_1(i) = \mathrm{Prob}(i) - \frac{1}{4}, \quad \text{where } i = 00, 01, 10, \text{ or } 11$$

digraph probability deviation

$$F_2(i, j) = \mathrm{Prob}(i, j) - \frac{1}{16}, \quad \text{where } i, j = 00, 01, 10, \text{ or } 11$$

trigraph probability deviation

$$F_3(i, j, k) = \mathrm{Prob}(i, j, k) - \frac{1}{64}, \quad \text{where } i, j, k = 00, 01, 10, \text{ or } 11$$

Figures 5.7, 5.8 and 5.9 demonstrate the single, digraph and trigraph output average probability deviations with error bars indicating the error range for CSC-2, CSC-3, CSC-4, CSC-5 and CSC-6 ciphers. Results in these figures are obtained from experiments. For each cipher, we randomly choose 10 keystream outputs and calculate their probability deviations. Then we calculate the average value and standard deviation of each of them. The average value is represented by an asterisk sign and the standard deviation by the error bar in the figures.

The probability deviations from 1/4, 1/16 and 1/64 are quite small. This confirms the output randomness of the cascaded stream cipher from another aspect. As the number of cascaded s-boxes grows, all three probability deviations tend to settle down. So we can expect a more random looking output from a cascade with more s-boxes.
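The deviations $F_1$, $F_2$ and $F_3$ can be computed as follows; this is an added example, not code from the thesis. It assumes digraphs and trigraphs are counted over overlapping windows and that each keystream is summarized by its mean absolute deviation before averaging over the 10 keystreams; the streams are constructed 2-bit sequences, not CSC-N output.

```python
import random
import statistics
from collections import Counter
from itertools import product

SYMBOLS = (0, 1, 2, 3)  # the 2-bit outputs 00, 01, 10, 11


def deviations(outputs, k):
    """F_k for every k-tuple of outputs: observed probability minus 1 / 4**k.

    k = 1, 2, 3 gives the single-output, digraph and trigraph deviations.
    Tuples are counted over overlapping windows (an assumption of this example).
    """
    windows = len(outputs) - k + 1
    if windows <= 0:
        raise ValueError("sequence shorter than the tuple length")
    counts = Counter(tuple(outputs[i:i + k]) for i in range(windows))
    expected = 1 / 4 ** k
    # A tuple that never occurs still deviates by -expected, so enumerate all 4**k.
    return {t: counts.get(t, 0) / windows - expected
            for t in product(SYMBOLS, repeat=k)}


def mean_abs_deviation(outputs, k):
    """One number per keystream: the average of |F_k| over all 4**k tuples."""
    d = deviations(outputs, k)
    return sum(abs(v) for v in d.values()) / len(d)


def summarize(keystreams, k):
    """Average and standard deviation across keystreams (asterisk and error bar)."""
    values = [mean_abs_deviation(ks, k) for ks in keystreams]
    return statistics.mean(values), statistics.stdev(values)


def constructed_keystreams(count, length, repeat_prob, seed):
    """Constructed 2-bit streams; each output copies its predecessor with
    probability repeat_prob and is otherwise drawn uniformly."""
    rng = random.Random(seed)
    streams = []
    for _ in range(count):
        out = [rng.randrange(4)]
        for _ in range(length - 1):
            out.append(out[-1] if rng.random() < repeat_prob else rng.randrange(4))
        streams.append(out)
    return streams


if __name__ == "__main__":
    uniform = constructed_keystreams(10, 20000, 0.0, seed=7)
    sticky = constructed_keystreams(10, 20000, 0.5, seed=7)
    for name, streams in (("uniform", uniform), ("sticky", sticky)):
        for k, label in ((1, "single"), (2, "digraph"), (3, "trigraph")):
            mean, sd = summarize(streams, k)
            print("%-8s %-8s mean |F| = %.5f  std = %.5f" % (name, label, mean, sd))
```

The sticky source keeps single-output frequencies near 1/4 while its digraph deviation is large, which is why the digraph and trigraph measures are reported alongside the single-output one.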

[Plot; x-axis: Number of Cascaded S-Boxes]

Figure 5.7: Single Output Probability Deviation

[Plot; x-axis: Number of Cascaded S-Boxes]

Figure 5.8: Digraph Probability Deviation

Figure 5.9: Trigraph Probability Deviation

Chapter 6

Conclusion

6.1 Summary and Discussion

As a high quality digital medium, DVD offers a picture with twice the resolution of traditional video tapes and has great market value. Copyright protection becomes one of the most critical issues in this application. A good copyright protection system will lead to the widespread use of this technology.

Essentially, the copyright protection system in the DVD application is a cryptosystem, thus it is worth doing research on it from a cryptographic viewpoint. This thesis serves such a purpose. It is a combination of research on cryptographic protocols and the underlying cipher used in the DVD copyright protection scheme.

As an effective and formal method, Coloured Petri Nets are adopted for specification and analysis of cryptographic protocols. Ambiguity is less likely to exist in a protocol modeled in Coloured Petri Nets. In this thesis, the DVD playback control protocol is modeled using the Coloured Petri Net Modeler (CPNM), a Java-based software tool developed and optimized by researchers at Queen's University [13, 14, 34]. Structural and intrinsic weaknesses are uncovered in the protocol and a revision is made.

The stream cipher in the DVD application is a weak cipher based on two LFSRs. The non-linear function used to combine these two LFSRs is just an 8-bit addition with one bit carry. Several cryptanalytic attacks of this cipher are reviewed. The key length is 40 bits to meet the US export control rules at the time. However, its security strength does not even match the 40-bit key length. An s-box based stream cipher, such as RC4, would be a better solution. The RC4 stream cipher remains secure given the analysis available to date. Observations of the internal structure of RC4 are made and the statistical tests for RC4 output are conducted.

RC4 was a trade secret of RSA Security. Now it is made public. Motivated by the design concept of RC4, we propose a cascaded s-box stream cipher. Internal details of the cascaded s-box stream cipher are studied. Experiments are carried out on CSC-2, CSC-3, CSC-4, CSC-5 and CSC-6 ciphers. Although its cycle lengths are not random, the cascaded stream cipher demonstrates good cryptographic properties. The keystreams have long cycles. Keys are distributed to various keystream cycles in proportion to their lengths. The contents of each s-box are shuffled randomly. And the outputs also have good random features. It is usually hard to prove the security of a cipher. But all of our experimental results suggest that the cascaded s-box stream cipher develops more resistance to attacks as we increase the number of cells in the cascade.

The cascaded stream cipher offers good security scalability by cascading more s-boxes as needed. This is one advantage of the cascade cipher over RC4 because key lengths differ dramatically in various versions of RC4.

6.2 Suggestions for Further Study

A few further aspects for study are as follows:

• Modeling and analyzing more protocols using Coloured Petri Net Modeler

• Obtaining more results of cycle lengths in CSC-6 cipher to determine the longest one in it

• Launching cryptanalysis on the cascaded s-box stream cipher given all the information in this thesis to test its security strength

• Investigating properties of other versions of the cascaded cipher such as an N cascaded 3-bit s-box cipher


Bibliography

[1] Steve Babbage. Cryptanalysis of LILI-128, Internet document https://www.cosic.esat.kuleuven.ac.be/nessie/reports/extwp3-001-2.pdf, January 2001.

[2] Alan E. Bell. The dynamic digital disk, IEEE Spectrum, October 1999.

[3] N. Behki. An Integrated Approach to Protocol Design. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1990.

[4] Jeffrey A. Bloom et al. Copy Protection for DVD Video, Proceedings of the IEEE, Vol. 87, No. 7, July 1999.

[5] C. Boyd and W. Mao. On a Limitation of BAN Logic, Advances in Cryptology-Proceedings of EUROCRYPT '93, Lecture Notes in Computer Science 765, Springer-Verlag, Berlin, pp. 240-247, 1993.

[6] M. Burrows, M. Abadi and R. Needham. Logic of Authentication. ACM Trans. on Computer Systems, 8:18-36, 1990.

[7] E. Dawson et al. The LILI-128 Keystream Generator, Internet document https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions.html

[8] D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Communications of the ACM, 24(8):533-536, August 1981.

[9] W. Diffie and M. E. Hellman. Privacy and authentication: An introduction to cryptography. Proceedings of the IEEE, 67(3):397-427, 1979.

[10] D. Dolev and A. C. Yao. On the Security of Public Key Protocols. IEEE Transactions on Information Theory, IT-29(2):198-208, March 1983.

[11] E. M. Doyle. Automated Security Analysis of Cryptographic Protocols using Coloured Petri Net Specifications. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1996.

[12] E. M. Doyle, S. E. Tavares and H. Meijer. Automated Security Analysis of Cryptographic Protocols using Coloured Petri Net Specifications. Workshop on Selected Areas in Cryptography (SAC '95), May 18-19, 1995.

[13] K. Edwards. Cryptographic Protocol Specification and Analysis using Colored Petri Nets and Java. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1998.

[14] K. Edwards, S. E. Tavares and H. Meijer. A Java tool for specification and analysis of cryptographic protocols using coloured Petri Nets. 19th Biennial Symposium on Communications, pp. 403-407. Queen's University, Kingston, Ontario, May 1998.

[15] S. R. Fluhrer and D. A. McGrew. Statistical Analysis of the Alleged RC4 Keystream Generator, FSE 2000, April 2000, Proc. to appear, Springer-Verlag, LNCS Vol. 1978, 2001.

[16] K. Jensen. Coloured Petri Nets, volume 1, Springer-Verlag, Berlin, 1992.

[17] G-S Lee and J-S Lee. Petri Net based models for specification and analysis of cryptographic protocols. Journal of Systems Software, 37: pp. 141-159, 1997.

[18] C. Meadows. The NRL Protocol Analyzer: An overview. J. Logic Programming, 26(2):123-131, February 1996.

[19] C. A. Meadows. Formal Verification of Cryptographic Protocols: A Survey. Advances in Cryptology-ASIACRYPT '94, Springer-Verlag, pp. 133-150, 1995.

[20] Alfred J. Menezes et al. Handbook of Applied Cryptography, CRC Press Inc., 1997.

[21] M. Merritt. Cryptographic Protocols. Ph.D. dissertation, Georgia Institute of Technology, February 1983.

[22] J. K. Millen, S. C. Clark and S. B. Freedman. The Interrogator: Protocol Security Analysis, IEEE Transactions on Software Engineering, SE-13(2):274-288, February 1987.

[23] S. Mister. Cryptanalysis of RC4-like Stream Ciphers. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1998.

[24] S. Mister and S. E. Tavares. Cryptanalysis of RC4-like Ciphers, Workshop on Selected Areas in Cryptography (SAC '98), Lecture Notes in Computer Science, Vol. 1556, Springer-Verlag, pp. 131-143, 1999.

[25] T. Murata. Petri nets: Properties, analysis and applications. Proc. of the IEEE, 77(4), April 1989.

[26] R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993-999, December 1978.

[27] D. M. Nessett. A critique of the Burrows, Abadi and Needham logic. Operating Systems Review, 24(2):35-38, April 1990.

[28] B. B. Nieh. Modelling and Analysis of Cryptographic Protocols using Petri Nets. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1992.

[29] B. B. Nieh and S. E. Tavares. Modelling and Analysis of Cryptographic Protocols using Petri Nets. Advance in Cryptology (AUSCRYPT '92), LNCS, Springer-Verlag, pp. 275-295, 1993.

[30] R. Rivest. The RC4 Encryption Algorithm, RSA Data Security, Inc., March 1992.

[31] R. A. Rueppel. Analysis and design of stream ciphers. Springer-Verlag, New York, 1986.

[32] P. B. Schneck. Persistent Access Control to Prevent Piracy of Digital Information. Proceedings of the IEEE, Vol. 87, No. 7, July 1999.

[33] B. Schneier. Applied Cryptography. John Wiley & Sons, Toronto, Canada, 2nd edition, 1996.

[34] Y. Sb=. Specification and Analysis of Internet Cryptographic Protocols Using a Petri Net Modeler. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1999.

[35] F. A. Stevenson. Cryptanalysis of Contents Scrambling System, Internet document http://www.lemuria.org/DeCSS/crypto.gq.nu/

[36] W. Zhao and S. E. Tavares. An Analysis of MSAT Security Protocols using Coloured Petri Nets. Technical report, Department of Electrical and Computer Engineering, Queen's University, April 1997.

[37] W. Zhao. Efficient Analysis of Cryptographic Protocols in Wireless Communication Systems. Master's thesis, Queen's University, Kingston, Ontario, Canada, 1997.


Appendix A

CSS Cipher Analysis

A.1 Another Attack on the Keystream Generator

Notations in the keystream generator:

$O_1(1), O_1(2), \ldots$: output bytes of LFSR1

$O_2(1), O_2(2), \ldots$: output bytes of LFSR2

$O(1), O(2), \ldots$: output bytes of the keystream, and $O(i) = O_1(i) + O_2(i) + c$, where $c$ is the carry bit from $O(i-1)$

Attack: known $O(1), O(2), O(3), O(4), O(5)$

1. Guess initial state of LFSR1

2. Generate 5 bytes output $O_1(1), O_1(2), O_1(3), O_1(4), O_1(5)$ from LFSR1

4. Generate $O_2(4), O_2(5)$ from LFSR2 given $O_2(1), O_2(2), O_2(3)$. There are 2 possible sets of $O_2(4), O_2(5)$ since we only have 3 bytes (24 bits) of output of LFSR2.

5. Compare $O(5)$ with both sets of $O_1(5) + O_2(5) + c$. If either one is equal, stop; otherwise repeat the above steps.

After this algorithm, the initial states or the user key can be easily obtained. The computational complexity is in the order of 2".

The two attacks to keystream generator belong to the ciphertext only attack. The one in Section 4.1.3 requires one more ciphertext byte so that it offers half complexity as of this one.

A.2 Attack on the Encryption Function

Notations in the encryption function:

• $A(1), \ldots, A(5)$: 5 input plaintext bytes

• $k_1, \ldots, k_5$: 5 keystream bytes from keystream generator

• $B(1), \ldots, B(5)$: 5 intermediate bytes

• $C(1), \ldots, C(5)$: 5 output ciphertext bytes

There is a known plaintext attack to it.

Attack:

Known: $A(1), \ldots, A(5)$ and associated $C(1), \ldots, C(5)$

1. Guess $k_5$

11. Compare $C(1)$ with $F(B(1)) \oplus k_1$. If equal, we get the right $k_5$ and then deduce $k_4, \ldots, k_1$ easily. Otherwise repeat the above steps.

In this attack, we only need to guess one byte of keystream so its ciphertext only

attacks to the keystream generator to get the user key to break the whole system.


Appendix B

More Key Spacing Distributions

In Chapter 5, key spacing data are only depicted for the longest cycles in CSC-4 and CSC-5 ciphers. Key spacing data for more cycles in CSC-4 cipher are obtained from experiments and are depicted as follows. All diagrams indicate a good match between the experimental results and the theoretical geometric distribution curves.

[Histogram; x-axis: Bins for Key Spacing. Total Keys: 33280; Total bins: 50; Max Key Spacing: 8088; Min Key Spacing: 4; Average Key Spacing: 876.3]

Figure B.1: Key Spacing Distribution in Cycle of Length 29,162,808 in CSC-4 Cipher

[Histogram; x-axis: Bins for Key Spacing. Total Keys: 24531; Total bins: 50; Max Key Spacing: 7820; Min Key Spacing: 4; Average Key Spacing: 897.3]

Figure B.2: Key Spacing Distribution in Cycle of Length 22,010,768 in CSC-4 Cipher

[Histogram; x-axis: Bins for Key Spacing. Total Keys: 17284; Total bins: 50; Max Key Spacing: 1264û; Min Key Spacing: 4; Average Key Spacing: 965.7]

Figure B.3: Key Spacing Distribution in Cycle of Length 16,691,752 in CSC-4 Cipher

[Histogram; x-axis: Bins for Key Spacing. Total Keys: 12745; Total bins: 50; Max Key Spacing: 9244; Min Key Spacing: 4; Average Key Spacing: 865.8]

Figure B.4: Key Spacing Distribution in Cycle of Length 11,034,576 in CSC-4 Cipher

[Histogram; x-axis: Bins for Key Spacing. Total Keys: 9246; Total bins: 50; Max Key Spacing: 9608; Min Key Spacing: 4; Average Key Spacing: 1081.1]

Figure B.5: Key Spacing Distribution in Cycle of Length 9,996,000 in CSC-4 Cipher

[Histogram; x-axis: Bins for Key Spacing. Total Keys: 8112; Total bins: 50; Max Key Spacing: 1 Z7CM; Min Key Spacing: 4; Average Key Spacing: 1217.8]

Figure B.6: Key Spacing Distribution in Cycle of Length 9,878,400 in CSC-4 Cipher

[Histogram; x-axis: Bins for Key Spacing. Total Keys: 8285; Total bins: 50; Max Key Spacing: 8156; Min Key Spacing: 4; Average Key Spacing: 988.9]

Figure B.7: Key Spacing Distribution in Cycle of Length 8,192,800 in CSC-4 Cipher

[Histogram; x-axis: Bins for Key Spacing. Max Key Spacing: 10724; Min Key Spacing: 4; Average Key Spacing: 1095.4]

Figure B.8: Key Spacing Distribution in Cycle of Length 7,814,912 in CSC-4 Cipher

[Histogram; x-axis: Bins for Key Spacing. Total Keys: 6893; Total bins: 50; Max Key Spacing: 9204; Min Key Spacing: 4; Average Key Spacing: 1051.4]

Figure B.9: Key Spacing Distribution in Cycle of Length 7,247,100 in CSC-4 Cipher


Appendix C

Output Test Results

Table C.1: Output Test Results for CSC-2 Cipher (1)

n10 3980 4021 3985 4001 3988 4028 4064 4018 4019 4045 3977 3975 4022 3995 4047 3989 3982 3987 4045 3984 3996 4004 2027 4067 3989 3992 101 1 IO15 1973 1989 CO09 1978 1957 5987 LOO 1

n l l 4023 4035 3973 4077 4003 3955 3963 4045 4013 3963 4083 3989 3982 4012 3970 4078 4094 4092 3966 4094 4030 4103 4037 3916 2002 $079 $039 396 1 $047 3987 5986 108 l 1684 CO19 CO68

Table C.2: Output Test Results for CSC-2 Cipher (2)

Table C.3: Output Test Results for CSC-2 Cipher (3)

Table C.4: Output Test Results for CSC-2 Cipher (4)

n11 468 510 555 506 500 490 491 530 489 507 502 523 491 503 498 527 514 499 529 475 524 474 509 488 480

Table C.5: Output Test Results for CSC-3 Cipher (1)

Table C.6: Output Test Results for CSC-3 Cipher (2)

Table C.7: Output Test Results for CSC-3 Cipher (3)

index 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100

n11 497 502 521 537 496 430 487 502 500 524 507 524 486 508 497 482 481 523 493 483 517 532 502 489 486

Table C.8: Output Test Results for CSC-3 Cipher (4)

index 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025

n11 4962 5101 4950 4954 4977 4968 4980 5045 5109 4969 4973 5063 5039 4935 4938 5036 4932 5043 5061 5105 4858 4907 5021 5214 4900

Table C.9: Output Test Results for CSC-4 Cipher (1)

Table C.10: Output Test Results for CSC-4 Cipher (2)

Table C.11: Output Test Results for CSC-4 Cipher (3)

index 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100

n11 5030 4975 4890 4903 4893 4945 4958 4894 4950 5057 5005 5053 4901 4948 4911 4844 4922 5024 4986 5071 5009 4943 5054 5105 5022

Table C.12: Output Test Results for CSC-4 Cipher (4)

Page 122: Secure Digital Media DistributionCSG3 Cipher ..... 56 5.4 Number of Keys Vs . Cycle Lengths ..... 64 5.5 Key Spacing Distribution in Cycle al Length 29,950, 992 in CSC-4 Cipher 65

APPENDIX C- OUTPUT TEST RESULTS

index 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 O18 019 020 021 022 023 024 025

n l l 50122 49907 50128 501 14 49687 50165 50043 49874 49945 501 79 49748 50209 49853 49989 49911 50269 50337 49867 49688 49779 49944 49716 50081 49883 50192

Table C.13: Output Test Results for CSC5 Cipher(1)

Page 123: Secure Digital Media DistributionCSG3 Cipher ..... 56 5.4 Number of Keys Vs . Cycle Lengths ..... 64 5.5 Key Spacing Distribution in Cycle al Length 29,950, 992 in CSC-4 Cipher 65

APPENDIX C. OUTPUT TEST RESULTS

index 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050

n l l 50064 49613 50331 49980 49748 50434 49947 49820 50489 49987 49891 49850 50377 49970 49992 50302 50105 4973 t 49935 49796 49948 50165 49895 50378 498 17

Table C.14: Output Test Results for CSG5 Cipher(2)

Page 124: Secure Digital Media DistributionCSG3 Cipher ..... 56 5.4 Number of Keys Vs . Cycle Lengths ..... 64 5.5 Key Spacing Distribution in Cycle al Length 29,950, 992 in CSC-4 Cipher 65

A PPENDIX C. OUTPUT TEST RESULTS

index 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075

Table C.15: Output Test Results for CSG5 Cipher(3)


index 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100

nll 49826 50190 49619 49609 49831 50051 50339 50106 50031 50072 49939 50049 49708 50194 50154 49821 49797 50061 50411 50306 49981 50157 50403 50024 50608

Table C.16: Output Test Results for CSC-5 Cipher (4)


index 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025

Table C.17: Output Test Results for CSC-6 Cipher (1)


index 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050

Table C.18: Output Test Results for CSC-6 Cipher (2)


index 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075

nll 1999158 1999932 2002016 2000471 1997879 1998639 1999485 2002553 2001490 1997603 1998271 1999070 2001249 1999253 1998209 2001408 2000327 1998407 1999760 1996585 2001217 1998619 1997912 1999783 2996429

Table C.19: Output Test Results for CSC-6 Cipher (3)


index 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100

nll 2000635 2000168 2001944 2000254 1997630 2000495 1999297 1996944 1999777 1998323 2999356 1999791 2002516 2004322 1999399 2000998 1999699 2001857 2001277 1999268 2001007 2000660 2001569 1999761 1999429

Table C.20: Output Test Results for CSC-6 Cipher (4)


Appendix D

Probabilities for Right Pointer in RC4-3

In Chapter 4, probabilities for the right pointer j in the longest cycle of the RC4-3 cipher are listed. Similar probabilities for j in all the remaining cycles of RC4-3 are listed below.


Table D.1: Probabilities for j in RC4-3 (Cycle Length = 322,120)

Table D.2: Probabilities for j in RC4-3 (Cycle Length = 53,000)

Table D.3: Probabilities for j in RC4-3 (Cycle Length = 44,264)

Table D.4: Probabilities for j in RC4-3 (Cycle Length = 29,032)


Table D.5: Probabilities for j in RC4-3 (Cycle Length = 9,624)

Table D.6: Probabilities for j in RC4-3 (Cycle Length = 9,432)

P(000) = 0.123722    P(100) = 0.132453
P(001) = 0.125852    P(101) = 0.132453
P(010) = 0.125213    P(110) = 0.120102
P(011) = 0.116482    P(111) = 0.123722

P(000,000,000) = 0.001491    P(010,010,010) = 0.001704    P(100,100,100) = 0.001704    P(110,110,110) = 0.001278
P(001,001,001) = 0.001491    P(011,011,011) = 0.001065    P(101,101,101) = 0.004259    P(111,111,111) = 0.001917

Table D.7: Probabilities for j in RC4-3 (Cycle Length = 4,696)

Table D.8: Probabilities for j in RC4-3 (Cycle Length = 3,008)


Table D.9: Probabilities for j in RC4-3 (Cycle Length = 648)

Table D.10: Probabilities for j in RC4-3 (Cycle Length = 472)

Table D.11: Probabilities for j in RC4-3 (Cycle Length = 466)

Table D.12: Probabilities for j in RC4-3 (Cycle Length = 264)


Table D.13: Probabilities for j in RC4-3 (Cycle Length = 120)

Table D.14: Probabilities for j in RC4-3 (Cycle Length = 24)