Stream Ciphers: WG and LEX
Eduard Dvorný & Emil Halko, University of Pavol Jozef Šafárik

WG abstract
Stream cipher WG: the cipher is based on Welch-Gong transformations. The WG cipher has been designed to produce keystream with guaranteed randomness properties. It is resistant to time/memory/data tradeoff attacks, algebraic attacks and correlation attacks. The cipher can be implemented with a small amount of hardware.

LEX abstract
Stream cipher LEX: a proposal for a simple AES-based stream cipher which is at least 2.5 times faster than AES both in software and in hardware. LEX stands for Leak EXtraction.

WG cipher
The WG cipher can be used with keys of length 80, 96, 112 and 128 bits. An initial vector (IV) of size 32 or 64 bits can be used with any of the above key lengths. To increase security, IVs of the same length as the secret key can also be used. WG is a synchronous stream cipher which consists of a WG keystream generator.

Figure slides: WG keystream generation; WG transformation; resynchronization (key/IV setup).

Differential attack on WG: overview of the attack
The taps of the LFSR are poorly chosen: 22 steps fail to randomize the differential propagation. At the end of the 22nd step, the differential in the LFSR is exploited to recover the secret key. Result: 48 key bits are recovered with about 2^31 chosen IVs (80-bit key and 80-bit IV).

Figure slides: differential attack on WG (three slides).

At the end of the 22nd step, the difference at S(10) is [symbol missing on the slide]. S(10) is related to the first keystream bit. By observing the values of the first keystream bits generated from the related IVs, we are able to determine whether the value of [symbol missing on the slide] is 0; if so, we can recover 29 bits of key.

Security against attacks
A time/memory/data tradeoff attack has two phases. During the precomputation phase the attacker exploits the structure of the stream cipher and summarizes his findings in large tables.
During the attack phase, the attacker uses these tables and the observed data to determine the secret key or the internal state of the stream cipher. The tradeoff is TM^2 D^2 = N^2 for D^2 ≤ T ≤ N, where T is the time required for the attack, M is the memory required to store the tables, D is the real-time data (keystream) required, and N is the size of the search space. A simple way to provide security against this attack in stream ciphers is to increase the search space.

Algebraic attacks have recently been used to break many well-known stream ciphers. The complexity of these attacks depends on the nonlinear filter and on the number of outputs generated by the cipher. If the nonlinear filter can be approximated by a multivariate equation of low degree, this complexity can be reduced significantly.

Correlation attacks exploit any correlation that may exist between the keystream and the output of the LFSR in the cipher. In these attacks the keystream is regarded as a distorted or noisy version of the LFSR output.

Conclusion (WG)
WG is a cipher suitable for hardware implementations. WG is vulnerable to a differential attack.

LEX cipher
LEX is based on the block cipher AES. The keystream bits are generated by extracting 32 bits from each round of AES in the 128-bit Output Feedback mode. First a standard AES key schedule for a secret 128-bit key K is performed. Then a given 128-bit IV is encrypted by a single AES invocation: S = AES_K(IV). S and the subkeys are the output of the initialization process.

Figure slide: initialization and keystream generation.

Extracted bytes in the even and odd rounds
The bytes b_{0,0}, b_{0,2}, b_{2,0}, b_{2,2} are selected at every odd round, and the bytes b_{0,1}, b_{0,3}, b_{2,1}, b_{2,3} at every even round.

Algebraic attacks
Algebraic attacks on stream ciphers are a recent and very powerful type of attack. If one could write a non-linear equation in terms of the outputs and the key, that could lead to an attack on LEX.
Re-keying every 500 AES encryptions may help to avoid such attacks by limiting the number of samples the attacker might obtain while targeting a specific subkey.

Dedicated attacks
An obvious line of attack would be to concentrate on every 10th round, since it reuses the same subkey; thus if the attacker guesses parts of this subkey, he can still reuse this information 10t rounds later, t = 1, 2, ....

Conclusion (LEX)
Since LEX could reuse existing AES implementations, it might provide a simple and cheap speedup option in addition to the already existing base AES encryption. It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream.
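The LEX construction described above (S = AES_K(IV), then AES in output feedback mode with four bytes leaked from every round: columns 0 and 2 in odd rounds, columns 1 and 3 in even rounds), as an added example that is not code from the slides or from the LEX proposal. It assumes the AES state is indexed b_{row,col} in column-major byte order, that rounds are numbered from 1, and that the leak is read from each round's output after its subkey addition; the compact, table-free AES-128 below is a reference implementation for illustration and is not constant-time.

```python
def gmul(a, b):  # multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox():  # AES S-box: multiplicative inverse followed by the affine map
    inv = [0] + [next(y for y in range(1, 256) if gmul(x, y) == 1) for x in range(1, 256)]
    rotl = lambda v, i: ((v << i) | (v >> (8 - i))) & 0xFF
    return [0x63 ^ rotl(v, 0) ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) for v in inv]
SBOX = _sbox()

def expand_key(key):  # AES-128 key schedule: 11 round keys of 16 bytes, column-major
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_round(s, rk, final):  # one AES round; state index is 4*col + row (assumed layout)
    s = [SBOX[b] for b in s]                                # SubBytes
    s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]      # ShiftRows
    if not final:                                           # MixColumns (omitted in round 10)
        s = [gmul(s[4*c + r], 2) ^ gmul(s[4*c + (r + 1) % 4], 3) ^ s[4*c + (r + 2) % 4] ^ s[4*c + (r + 3) % 4]
             for c in range(4) for r in range(4)]
    return [a ^ b for a, b in zip(s, rk)]                   # AddRoundKey

def aes_round_outputs(block, rks):  # states after rounds 1..10; the 10th is the ciphertext
    s, outs = [a ^ b for a, b in zip(block, rks[0])], []
    for i in range(1, 11):
        s = aes_round(s, rks[i], final=(i == 10))
        outs.append(s)
    return outs

# LEX leak positions (row, col) from the slide: odd rounds use columns 0 and 2, even rounds 1 and 3
LEAK_ODD, LEAK_EVEN = [(0, 0), (0, 2), (2, 0), (2, 2)], [(0, 1), (0, 3), (2, 1), (2, 3)]

def lex_keystream(key, iv, n_blocks):
    """S = AES_K(IV); then encrypt S in OFB fashion, leaking 4 bytes from every round (40 per block)."""
    rks = expand_key(key)
    s = aes_round_outputs(list(iv), rks)[-1]   # initialization: S = AES_K(IV)
    out = []
    for _ in range(n_blocks):
        outs = aes_round_outputs(s, rks)
        for i, st in enumerate(outs, start=1):
            out += [st[4 * c + r] for r, c in (LEAK_ODD if i % 2 else LEAK_EVEN)]
        s = outs[-1]                           # 128-bit output feedback into the next block
    return bytes(out)
```

Each 128-bit AES invocation yields 10 × 32 = 320 keystream bits, which is where the 2.5× speedup over plain AES comes from; the round-10 leak is four bytes of the block that is fed back, so those bytes are visible to anyone holding the keystream.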