Stream Cipher Operation Modes with Improved Security against Generic Collision Attacks

Most stream ciphers used in practice are vulnerable against generic collision attacks, which allow to compute the secret initial state on the basis of O(2) keystream bits in time and space O(2), where n denotes the inner state length of the underlying keystream generator. This implies the well-known rule that for reaching n-bit security, the inner state length should be at least 2n. Corresponding to this, the inner state length of recent proposals for practically used stream ciphers is quite large (e.g., n = 288 for Trivium and n = 160 for Grain v1). In this paper, we suggest a simple stream cipher operation mode, respectively a simple way how to modify existing operation modes like that in the Bluetooth system, which provides provable security near 2 against generic collision attacks. Our suggestion refers to stream ciphers (like E0 in Bluetooth) which generate keystreams that are partitioned into packets and where the initial states for each packet are computed from a packet-IV and the secret session key using a resynchronization algorithm. Our security analysis is based on modeling the resynchronization algorithm in terms of the FP (1)-construction E(x, k) = F (P (x ⊕ k) ⊕ k), where k denotes an n-bit secret key (corresponding to the symmetric session key), F denotes a publicly known n-bit function (corresponding to the output function of the underlying keystream generator), P denotes a publicly known n-bit permutation (corresponding to the iterated state update function of the generator), and the input x is a public initial value. Our security bounds follow from the results presented in [12], where a tight 2 3 n security bound for the FP (1)-construction in the random oracle model was proved.