FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

Transcription

1 FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher Jimmy Jose 1,2 Dipanwita Roy Chowdhury 1 1 Crypto Research Laboratory, Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, India 2 Department of Computer Science and Engineering, National Institute of Technology Calicut, India September 5, 2016 Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

2 estream project estream project [1] - an effort to find out compact efficient stream ciphers divided into two categories: software oriented fast encryption in software hardware oriented fast encryption with less hardware Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

3 ACRI 2014 Trivium cipher is a hardware oriented estream finalist Inapplicability of fault attacks against Trivium on a cellular automata based stream cipher was shown in ACRI 2014 [2] Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

4 Fault Resistant Cipher Grain, another hardware oriented estream finalist, is vulnerable to fault attacks [3, 4] We have shown that 4-neighbourhood CA has good cryptographic properties [5] We design a fault-resistant 4-neighbourhood CA based Grain-like cipher Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

5 Fault-Resistant CA Based Stream Cipher - FResCA 4-neighbourhood Nonlinear Uniform CA 3-neighbourhood Linear Maximum Length CA 8 8 Highly Nonlinear Mixing Function (NMIX) i Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

6 FResCA intialisation 4-neighbourhood Nonlinear Uniform CA 3-neighbourhood Linear Maximum Length CA 8 8 Highly Nonlinear Mixing Function (NMIX) Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

7 FResCA - Nonlinear Block Rule 43350: q i (t + 1) = q i 2 (t) q i+1 (t) (q i 1 (t) + q i (t)) Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

8 FResCA - Rule q 1 q i-2 q i-1 q i q i+1 q 128 OR XOR Rule 43350: q i (t + 1) = q i 2 (t) q i+1 (t) (q i 1 (t) + q i (t)) Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

9 FResCA - Linear Block Rule 90: q i (t + 1) = q i 1 (t) q i+1 (t) Rule 150: q i (t + 1) = q i 1 (t) q i (t) q i+1 (t) Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

10 Nonlinear Mixing Block nonlinear mixing is achieved by using NMIX function [6] two n-bit inputs X = (x n 1 x n 2 x 0 ), Y = (y n 1 y n 2 y 0 ), and output Z = (z n 1 z n 2 z 0 ) z i x i y i c i 1 c i x 0 y 0 x i y i x i 1 x i y i 1 y i and x 1 = y 1 = c 1 = 0, 0 i n 1 c i - carry term propagated from i-th bit position to (i + 1)-st bit position Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

11 Working - FResCA cipher initialisation phase 32 cycles taps positions 1, 22, 43, 64, 65, 86, 107, and cycles sufficient for all the 256 state bits to influence the cipher output Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

12 Nonlinear Mixing Block nonlinear bits - (b 1,, b 128 ) linear bits - (s 1,, s 128 ) z 1 = b 128 s 128 b 1 s 1 b 22 s 22 b 43 s 43 b 64 s 64 b 65 s 65 b 86 s 86 b 107 s 107 b 86 b 107 s 86 s variables from the nonlinear block and 8 variables from the linear block nonlinearity correlation immunity - 1 resiliency - 1 algebraic degree - 2 Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

13 Nonlinear Mixing Block z 2 = b 126 b 127 b 128 s 127 (b 1 s 1 ) (b 1 s 2 ) (b 105 b 84 ) (b 105 b 85 ) (b 105 b 86 ) (b 105 b 87 ) (b 105 s 106 ) (b 105 s 108 ) (b 106 b 84 ) (b 106 b 85 ) (b 106 b 86 ) (b 106 b 87 ) (b 106 s 106 ) (b 106 s 108 ) (b 107 b 84 ) (b 107 b 85 ) (b 107 b 86 ) (b 107 b 87 ) (b 107 s 106 ) (b 107 s 108 ) (b 108 b 84 ) (b 108 b 85 ) (b 108 b 86 ) (b 108 b 87 ) (b 108 s 106 ) (b 108 s 108 ) (b 127 b 128 ) (b 2 s 1 ) (b 2 s 2 ) (b 20 s 21 ) (b 20 s 23 ) (b 21 s 21 ) (b 21 s 23 ) (b 22 s 21 ) (b 22 s 23 ) (b 23 s 21 ) (b 23 s 23 ) (b 41 s 42 ) (b 41 s 44 ) (b 42 s 42 ) (b 42 s 44 ) (b 43 s 42 ) (b 43 s 44 ) (b 44 s 42 ) (b 44 s 44 ) (b 62 s 63 ) (b 62 s 65 ) (b 63 s 63 ) (b 63 s 64 ) (b 63 s 65 ) (b 63 s 66 ) (b 64 s 63 ) (b 64 s 64 ) (b 64 s 65 ) (b 64 s 66 ) (b 65 s 63 ) (b 65 s 64 ) (b 65 s 65 ) (b 65 s 66 ) (b 66 s 64 ) (b 66 s 66 ) (b 84 s 85 ) (b 84 s 87 ) (b 85 s 85 ) (b 85 s 87 ) (b 86 s 85 ) (b 86 s 87 ) (b 87 s 85 ) (b 87 s 87 ) (s 106 s 85 ) (s 106 s 87 ) (s 108 s 85 ) (s 108 s 87 ) (b 105 b 85 b 86 ) (b 106 b 107 b 84 ) (b 106 b 107 b 85 ) (b 106 b 107 b 86 ) (b 106 b 107 b 87 ) (b 106 b 107 s 106 ) (b 106 b 107 s 108 ) (b 106 b 85 b 86 ) (b 107 b 85 b 86 ) (b 108 b 85 b 86 ) (b 21 b 22 s 21 ) (b 21 b 22 s 23 ) (b 42 b 43 s 42 ) (b 42 b 43 s 44 ) (b 63 b 64 s 63 ) (b 63 b 64 s 65 ) (b 64 b 65 s 64 ) (b 64 b 65 s 66 ) (b 85 b 86 s 85 ) (b 85 b 86 s 87 ) (b 106 b 107 b 85 b 86 ) Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

14 Nonlinear Mixing Block z 2 contains 26 variables from the nonlinear block and 15 variables from the linear block algebraic degree increases from 2 to 4 Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

15 Security of FResCA Meier-Staffelbach Attack Exploits the many-to-one mapping from the right-hand initial states to the temporal sequence or its right adjacent sequence We have shown a class of 4-neighbourhood CA resists the attack [5]. The nonlinear rule of the cipher is from that class. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

16 Security of FResCA Linear Attacks Derives linear approximations from the nonlinear relationships in the cipher First output bit in initialisation phase has nonlinearity Nonlinearity increases with each iteration. Keystreams available from 33rd iteration only. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

17 Security of FResCA Correlation Attacks Exploit the statistical weakness of the Boolean function Nonlinear CA rule exhibits good correlation immunity. NMIX function guarantees correlation immunity and balancedness. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

18 Security of FResCA Algebraic Attack Forms a system of multivariate equations. They are eventually solved to break the system Ciphers having higher algebraic degree in their Boolean function are resistant to these attacks. Rate of increase in algebraic degree is high with each iteration in the cipher. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

19 Security of FResCA Scan-Based Side Channel Attacks The reversibility of the algorithm is used to retrieve the key. The combination of nonlinear and linear CA rules makes the cipher non-reversible. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

20 NIST test NIST test suite [7] is used for testing the randomness of the sequences generated by pseudo-random sequence generators. Here, two key-iv pairs used. They are Key: 0xFEDCBA ABCDEF IV : 0x ABCDEFFEDCBA and Key: 0x ABCDEFFEDCBA IV : 0xFEDCBA ABCDEF Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

21 NIST test 0.1 billion keystream bits are generated. The keystream is given as input to the test suite. The test suite was allowed to partition the input into 100 bitstreams where each bitstream contains 1 million bits. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

22 NIST test Table: NIST Test Results - FResCA with first key-iv pair Test P-val 1 Proportion 2 Test P-val Proportion Frequency /100 OverlappingTemplate /100 Block Frequency /100 Universal /100 Cumulative Sums* /100 Approximate Entropy /100 Runs /100 RandomExcursions* /50 Longest Run /100 RandomExcursionsVariant* /50 Rank /100 Serial* /100 FFT /100 LinearComplexity /100 NonOverlappingTemp.* /100 *Note: In case of tests with more than one subset, the one with lowest proportion is shown here. F corresponds to failure. 1 probability that a perfect RNG should have generated a sequence which is less random than the sequence under test 2 proportion of the sequence that pass the test Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

23 NIST test Table: NIST Test Results - FResCA with second key-iv pair Test P-val Proportion Test P-val Proportion Frequency /100 OverlappingTemplate /100 Block Frequency /100 Universal /100 Cumulative Sums* /100 Approximate Entropy /100 Runs /100 RandomExcursions* /57 Longest Run /100 RandomExcursionsVariant* /57 Rank /100 Serial* /100 FFT /100 LinearComplexity /100 NonOverlappingTemp.* /100 *Note: In case of tests with more than one subset, the one with lowest proportion is shown here. F corresponds to failure. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

24 NIST test Table: NIST Test Results - variant of FResCA with first key-iv pair Test P-val Proportion Test P-val Proportion Frequency /100 OverlappingTemplate /100 Block Frequency /100 Universal /100 Cumulative Sums* /100 Approximate Entropy /100 Runs /100 RandomExcursions* /60 Longest Run /100 RandomExcursionsVariant* /60 Rank /100 Serial* /100 FFT /100 LinearComplexity /100 NonOverlappingTemp.* /100 *Note: In case of tests with more than one subset, the one with lowest proportion is shown here. F corresponds to failure. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

25 NIST test Table: NIST Test Results - variant of FResCA with second key-iv pair Test P-val Proportion Test P-val Proportion Frequency /100 OverlappingTemplate /100 Block Frequency /100 Universal /100 Cumulative Sums* /100 Approximate Entropy /100 Runs /100 RandomExcursions* /62 Longest Run /100 RandomExcursionsVariant* /62 Rank /100 Serial* /100 FFT /100 LinearComplexity /100 NonOverlappingTemp.* F F *Note: In case of tests with more than one subset, the one with lowest proportion is shown here. F corresponds to failure. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

26 NIST test Table: NIST Test Results - Comparison of FResCA and NOCAS with first key-iv pair FResCA NOCAS Test P-val Proportion P-val Proportion Frequency / /100 Block Frequency / /100 Cumulative Sums* / /100 Runs / /100 Longest Run / /100 Rank / /100 FFT / /100 NonOverlappingTemp.* /100 F F OverlappingTemplate / /100 Universal / /100 Approximate Entropy / /100 RandomExcursions* / /68 RandomExcursionsVariant* / /68 Serial* / /100 LinearComplexity / /100 *Note: In case of tests with more than one subset, the one with lowest proportion is shown here. F corresponds to failure. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

27 NIST test Table: NIST Test Results - Comparison of FResCA and NOCAS with second key-iv pair FResCA NOCAS Test P-val Proportion P-val Proportion Frequency / /100 Block Frequency / /100 Cumulative Sums* / /100 Runs / /100 Longest Run / /100 Rank / /100 FFT / /100 NonOverlappingTemp.* /100 F F OverlappingTemplate / /100 Universal / /100 Approximate Entropy / /100 RandomExcursions* / /64 RandomExcursionsVariant* / /64 Serial* / /100 LinearComplexity / /100 *Note: In case of tests with more than one subset, the one with lowest proportion is shown here. F corresponds to failure. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

28 Grain-128 g(x) f(x) NFSR LFSR h(x) Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

29 Grain-128 LFSR - (s i, s i+1,, s i+127 ) NFSR - (b i, b i+1,, b i+127 ) s i+128 = s i s i+7 s i+38 s i+70 s i+81 s i+96. b i+128 = s i b i b i+26 b i+56 b i+91 b i+96 b i+3 b i+67 b i+11 b i+13 b i+17 b i+18 b i+27 b i+59 b i+40 b i+48 b i+61 b i+65 b i+68 b i+84. h = b i+12 s i+8 s i+13 s i+20 b i+95 s i+42 s i+60 s i+79 b i+12 b i+95 s i+95. z i = b i+2 b i+15 b i+36 b i+45 b i+64 b i+73 b i+89 h s i+93. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

30 Injecting Fault into Linear Block of Grain [3] Attack Description finds out fault location by analysing keystream difference bits output z i contains s i+13 s i+20 and s i+60 s i+79 terms. If fault injected at position 60, output difference gives the value of s 79. Each LFSR bit revealed in this way. Generates linear equations involving NFSR bits from the regular keystream. Grain reversible, runs backward to reveal the key. Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

31 Injecting Fault into Linear Block of Grain (continued) Prevention in FResCA fault position determination fails. A single 1 in the register generates more 1 s in different cell positions with each iteration In Grain, number of LFSR bits recovered depends on fault location and number of iterations after the fault injection In FResCA, fault gets dissipated to more and more neighbours with each iteration In Grain, more iterations produce more linear equations In FResCA, more iterations not fruitful as fault start mixing with more and more neighbours combination of nonlinear and linear CA rules makes FResCA non-reversible Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

32 Injecting Fault into Nonlinear Block of Grain[4] Attack Description For a large number of key-iv pairs, b-bits provide unique keystream difference sequence for a particular fault position thereby revealing the fault position Fault Traces Table contains the list of corrupted bit locations after t iterations on fault injection at location f Equation for b 128 contains seven terms of the form b m b n. Fault in m will reveal b n.linear b-terms in z i gives more linear equations to determine LFSR bits, b i+12 s i+8, b i+95 s i+42, b i+12 b i+95 s i+95 in z i are exploited Grain run backwards to get the key Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

33 Injecting Fault into Nonlinear Block of Grain (continued) Prevention in FResCA Fault propagation depends on the nonlinear CA rule and is propagated to neighbouring cells. Fast diffusion prevents unique pattern corresponding to a fault location. Computed fault traces look random No feedback path. Equation corresponding to b 128 absent. In Grain, 7 single b-bit output taps - b 2, b 15, b 36, b 45, b 64, b 73, b 89. But only one b 128 in FResCA. we cannot move a fault into single bit output tap Fault Traces Table cannot be created to find LFSR bits, fault propagated to specific positions (b m s n ) of NFSR without corrupting other b bits of z i in Grain which is not possible in FResCA. FResCA not reversible Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

34 Summary designed a fault-resistant 4-neighbourhood CA based Grain-like cipher Cipher initialisation 8 times faster than Grain strong against different attacks, in particular, fault attacks experimental results show cipher s robustness Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

35 References The Estream Project, accessed 30 August 2016, Jose, J., Das, S., RoyChoudhury, D.:Inapplicability of fault attacks against trivium on a cellular automata based stream cipher. In: ACRI LNCS, vol. 8751, pp , Springer (2014) Berzati, A., Canovas, C., Castagnos, G., Debraize, B., Goubin, L., Gouget, A., Paillier, P., Saldago, S.: Fault Analysis of Grain-128. In: HOST 09. pp (2009) Karmakar, S., RoyChowdhury, D.: Fault Analysis of Grain-128 by Targeting NFSR. In: AFRICACRYPT pp (2011) Jose, J., Roy Chowdhury, D.: Investigating Four Neighbourhood Cellular Automata as Better Cryptographic Primitives. J. Discrete Mathematical Sciences and Cryptography, to be published in 2016 Bhaumik, J., RoyChowdhury, D.:NMix: An Ideal Candidate for Key Mixing. In: SECRYPT pp (2009) The NIST Statistical Test Suite, accessed 30 August 2016, Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36

36 Thank You Jimmy Jose, D Roy Chowdhury (IIT KGP) FResCA September 5, / 36