Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Transcription

1 Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden May 16, 2011

2 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types of distinguishing attacks estream and two ciphers from the portfolio

3 Introduction to stream ciphers Stream ciphers are important in cryptography since they form one of the two possible ways to provide symmetric encryption. Stream ciphers encrypt individual characters of a plaintext message one by one, using an encryption transformation that varies with time. Stream ciphers are generally faster than block ciphers in hardware, and have less complex hardware circuitry. They also have some other nice features that in some applications (typically communications applications) tend to be quite important, like limited buering, limited error propagation.

4 Introduction to stream ciphers There is a lot of theoretical knowledge on stream ciphers, and various design principles for stream ciphers have been proposed and extensively analyzed. Recently, we have seen a lot of fully-specied stream cipher proposals through several design projects, e.g. NESSIE, estream. In addition, many proprietary and condential stream ciphers are used in practice. Some ciphers have initially been condential but later been leaked to the public, e.g., A5 and RC4.

5 Introduction to stream ciphers Most stream cipher constructions use a pseudo-random keystream generator, or simply a generator, to produce a long sequence of binary symbols. The security of a stream cipher is closely connected to how well this sequence of bits resembles a truly random sequence.

6 Stream ciphers Consider a binary additive stream cipher. The output sequence of the keystream generator, z = z 1, z 2,... is added bitwise to the plaintext sequence m = m 1, m 2,..., producing the ciphertext c = c 1, c 2,.... The keystream generator is initialized through a secret key K. keystream generator z 1, z 2,... m 1, m 2,... c 1, c 2,... Figure: A binary additive stream cipher

7 Attacks A known-plaintext attack (or chosen-plaintext or chosen-ciphertext) is equivalent to having access to the keystream z = z 1, z 2,..., z N. Design goal: eciently produce random-looking sequences that are indistinguishable from truly random sequences. keystream generator z 1, z 2,... m 1, m 2,... c 1, c 2,... Figure: A binary additive stream cipher

8 Attacks Two main types of attacks: Key recovery attack: Eve tries to recover the value of the secret key K. Distinguishing attack: Eve tries to determine whether a given sequence z = z 1, z 2,..., z N is likely to have been generated from the considered stream cipher or whether it is just a truly random sequence. If a distinguisher, i.e., a box (algorithm) that can correctly answer the above question with high probability, can be built, we have a distinguishing attack.

9 Model of a stream cipher Requirements in many recent applications have asked for a modied model of a stream cipher including a public parameter called IV (initial value) or nonce (number used once). A generator takes two input parameters, one key K and one public parameter IV, and produces an arbitrary long keystream sequence z. IV PUBLIC! key k z Figure: A keystream generator initialized by a key and an IV value

10 Generator = a table indexed by (K, IV ) containing z. A generator in table form Initial value IV Key K Keystream sequence z

11 Remarks on the model The optimal design of a generator (ideal generator), would be if every entry in the table was generated truly at random (uniformly). We have some generic attacks on the ideal generator. For example, an exhaustive key search would require testing all the keys and checking whether a chosen key generates the given output. The design problem is then essentially to construct a generator that in all aspects implements an ideal generator, leaving only the generic attacks like exhaustive key search for the cryptanalyst.

12 Examples of insecure generators Even if some pseudo-random generators may be suitable for simulation purposes, they can be completely insecure in a cryptographic sense. Output of a linear feedback shift register. The key determines a starting state (s 1, s 2,..., s L ), a sequence is dened by s i = L j=1 c j s i j for i > L, and the pseudo-random sequence is given by z = s L+1, s L+2,.... Various versions of the linear congruential generator. Generators that in some form use the recurrence s i+1 = as i + b (mod m), where now a, b, s i Z m, i = 1, 2,....

13 Dening a Distinguisher Rough description: a distinguisher for a generator X is given as follows. Let D(z) be an algorithm that takes as input a length N sequence z and as output gives one out of two possible answers, either X or RANDOM. The probability that D(z) correctly determines the origin of z is written (1 + ε)/2. If ε is not very close to zero we say that D(z) is a distinguisher for generator. The advantage of a distinguisher D, Adv D, as Adv D = P(D(z) = X z generated by X) P(D(z) = X z truly random) The advantage is Adv D = ε.

14 Dierent Distinguishing Attack Scenarios a single keystream (from known or chosen IV), several keystreams from dierent known values of IV, several keystreams from dierent chosen values of IV. D receives m dierent keystreams z1, z2,.., zm generated from m dierent IV values IV 1, IV 2,..., IV m. Write z1 z 1,1 z 1,2... z 1,N z2 z 2,1 z 2,2... z 2,N Z =. zm =. z m,1 z m,2... z m,n. Special attention to the two special cases m = 1, and N = 1.

15 Basic constructions of distinguishers A rst and very basic approach would then be to apply various statistical tests on the received keystream Z (NIST statistical tests, DIEHARD,...) These approaches may detect statistical weaknesses in some weak generators but they are not very powerful in general. Stronger attacks can be achieved if we take the internal structure of the cipher into account when we design a distinguisher.

16 Basic constructions of distinguishers Try to detect some statistical deviation in the keystream Z based on some internal relationship. However, symbols in Z (or even small blocks of symbols) will often be very close to the uniform distribution. Instead, the internal relationship often gives dependence among dierent z i,j symbols that can be far apart in time.

17 Transforming keystream into samples So it is natural that we transform our keystream Z into a new sequence of symbols, called samples, denoted by X = x 1, x 2,.... In general, this can be done in almost any way, where F is some function. x i = F (i, Z), i = 1, 2,... With a given sample sequence, we would nally try to distinguish if X behaves as if generated from a truly random Z or not. Linear distinguishers, the samples are selected as linear combinations of keystream bits. Usually, the samples are regarded as independent and the distinguisher examines whether the sample values are consistent with a uniform distribution or not.

18 Transforming keystream into samples Concluding, the challenge for the adversary is to somehow nd a suitable way to transform the keystreams to a sample sequence X. Once the sample sequence is given, we apply statistical tools to determine which distribution the sample sequence follows.

19 Hypothesis Testing Two cases: We want to determine if an observed sequence is distributed according to one of two known distributions, usually the cipher distribution and the uniform distribution. We want to determine if an observed sequence is likely to be distributed according to one known distribution.

20 The Case When Both Distributions Are Known The optimal hypothesis test is given by: Lemma (Neyman-Pearson) Let X 1, X 2,..., X n be drawn i.i.d. according to mass function P obs. Consider the decision problem corresponding to the hypotheses P obs = P 0 vs. P obs = P 1. For T 0 dene a region { } P0 (x 1, x 2,..., x n ) A n (T ) = P 1 (x 1, x 2,..., x n ) > T. Let α n = P n 0 (Ac n(t )) and β n = P n 1 (A n(t )) be the error probabilities corresponding to the decision region A n. Let B n be any other decision region with associated error probabilities α and β. If α α, then β β.

21 The Case When Both Distributions Are Known Assuming that all samples are independent this is equivalent to { n ( ) } P0 (x i ) A n (T ) = log > log T. P 1 (x i ) i=1

22 Some known facts There exist asymptotic expressions for the error probabilities. Binary distributions: The bias of a distribution ε is dened as Pr(X = 0) = 0.5(1 + ε). (1) For k binary independent variables X 1, X 2,..., X k, the bias ε tot of the sum is given by ε tot = ε k. (2) When α and β are about equal, a distinguisher needs roughly n 1 ε 2 (3) samples to determine if an observed distribution is the cipher distribution or the uniform distribution.

23 The Case When One Distribution Is Known If we can not nd the distribution of the cipher. A chi-square test can be used to determine if an observed distribution is likely to follow one given distribution. H 0 : P X = P 0 H 1 : P X P 0. Let O(x) be the number of outcomes of x X in the observed sequence and let the expected number of outcomes of x X according to P 0 be denoted E(x). The distribution Q = x X (O(x) E(x)) 2 E(x) (4) can be approximated by the chi-square distribution, χ 2 r being the degrees of freedom. with r

24 A Practical Situation A distinguisher is used to derive information about the plaintext. Alice and Bob is communicating over an insecure channel. The adversary Eve is able to passively eavesdrop the channel. Alice sends a message M = m 1, m 2,..., m N to Bob. Eve knows that the data sent is either M1 = m 11, m 12,..., m 1N or M2 = m 21, m 22,..., m 2N. The ciphertext is C = c 1, c 2,..., c N and given by where z i is the keystream. c i = m i z i, 1 i N. (5)

25 A Practical Situation Attack scenario: Eve's task is to determine if M = M1 or M = M2. By xoring the ciphertext C with M1 Eve will get a keystream ^z = C M1. If indeed M = M1, then ^z is distributed according to the cipher distribution since ẑ i = c i m 1i = m 1i z i m 1i = z i, (6) If M = M2, then ^z is uniformly distributed since ẑ i = c i m 1i = m 2i z i m 1i, (7) for 1 i N, assuming that M1 M2 is uniformly distributed.

26 Generic attacks on Block Ciphers in OFB and CTR mode Generic distinguishing attacks apply to many common modes of operations of block ciphers (here OFB mode and counter mode). E K (x) is the block cipher encryption function, B = the block size in bits.

27 Output feedback mode OFB turns any block cipher into a synchronous stream cipher. The B-bit keystream words (z 1, z 2, z 3...) are generated by repeatedly encrypting a B-bit IV. Let z 0 = IV, then z i = E K (z i 1 ), i 1. Since a block cipher denes a permutation over all B-bit blocks, we expect the average period of the keystream to be in the order of 2 B 1 blocks. If there is a collision, then we know that all subsequent blocks will be the same. I.e., if z i = z j (i j), then z i+k = z j+k (k 0). The birthday paradox: in a truly random sequence we expect to nd a collision after observing 2 B/2 B-bit blocks.

28 Distinguisher for OFB mode Input(z 1, z 2,..., z 2 B/2) if (z i = z j and z i+1 z j+1 for some i j) return Random else return OFB Mode Figure: Distinguisher for OFB mode

29 Counter Mode In counter mode (CTR), the B-bit keystream words (z 1, z 2, z 3...) are generated by encrypting an incrementing counter, i, z i = E K (IV i), where a b denotes string concatenation of bit strings a and b. Since a counter is used, and a block cipher together with the key denes a random permutation, a keystream block will never repeat (as long as the counter is not repeated). By observing 2 B/2 keystream blocks, we can decide if the sequence is random or generated by a block cipher in counter mode.

30 Distinguisher for Counter mode Input(z 1, z 2,..., z 2 n/2) if (z i = z j for some i j) return Random else return Counter Mode Figure: Distinguisher for Counter mode

31 Reections The amount of keystream needed in the distinguisher is independent of the size of the key. AES denes a block size of 128 bits, but the key can be chosen from the set {128, 192, 256}. The above distinguishers can be applied to AES using about 2 64 keystream blocks, For 64 bit block size (DES) this can be a practical problem.

32 Linear distinguishing attacks A sequence of samples as linear combinations of keystream bits. Usually time-invariant, i.e., x t = k j=0 c j z t+j, for some k and t = 1, 2,.... The samples x t are considered as iid random variables distributed according to P obs. Finding good linear distinguishers resembles a lot linear cryptanalysis of block ciphers as invented by Matsui. Linearize the cipher by replacing some nonlinear blocks with linear ones. Find a linear relationship among keystream symbols, where the relationship involves as few approximated blocks as possible.

33 Distinguishers for array-based stream ciphers Many software-oriented stream ciphers are using large arrays and apply a slow continous update (RC4). Examples: Py-family; HC-128 and HC-256; MUGI; Scream, RC4. S[] denotes an array S[0], S[1],... S[l]. Between successive outputs the array is updated as S[](t) = G(S[](t 1)), where G is some updating function. An output symbol is then generated at time t as where F is some function. z t = F (S[](t)),

34 A basic attack strategy Detect some dependence or statistical deviation in the update of the array that will be visible in the keystream sequence. Consider two dierent but related events E Z and E S, where E Z is some event related to the keystream and E S is some event related to the array S[]. For example, if event E S occurs then E Z occurs with probability 1, i.e., P(E Z E S ) = 1. However, if event E S does not occur then we assume P(E Z E C S ) = P U(E Z ). In this way we can detect a bias since P(E Z ) = P(E Z E S ) P(E S ) + P(E Z E C S ) P(E C S ) = 1 P(E S ) + P U (E Z ) P(E C S ) = (1 P U (E Z ))P(E S ) + P U (E Z ).

35 A Chosen-IV Distinguisher - basics n-variable Boolean function f in ANF form: an entry in the truth table is denoted f (v) with v = (v 1, v 2,..., v n ). There are ecient ways to compute the ANF from the truth table.

36 The d-monomial Test (Saarinen) The Boolean function is dened as z = f (iv 0, iv 1,..., iv n 1 ), n bits of the IV are used as input variables and the output is one (rst) bit of the keystream. The key and the remaining bits of the IV are kept constant. Compute the ANF of f.

37 The d-monomial Test In a d-monomial test the aim is to count the number of monomials in the ANF of degree d. If the observed number of d-monomials signicantly deviates from 1 2( n d), the expected case, we can distinguish the cipher from random (Pearson's chi-square test). Broke several estream candidates in this way.

38 A General Approach P Boolean functions by using a dierent value for the constant bits in the IV for each polynomial. The occurrence of each monomial can be counted individually. In particular, the monomial of maximal degree. This monomial will not occur unless all the considered IV bits have been properly mixed. Its coecient is calculated as the XOR of all values in the truth table.

39 The max degree test for j = 1,..., P for iv = 1,..., 2 n 1 Initialize cipher with iv z = rst keystream bit after initialization a = a z end for ifa = 1 ones++ end for if ones= 0 or ones= P return cipher else return random Figure: The maximal degree test

40 The estream project estream - an evaluation project within ECRYPT, to come up with a portfolio of new and promising stream ciphers. Previous projects: AES competition, NESSIE,... estream was decided to be more research oriented, e.g., allowing designers to modify The estream Portfolio is announced in 2008.

41 The estream project PROFILE 1. Stream ciphers for software applications with high throughput requirements. (23 submissions) PROFILE 2. Stream ciphers for hardware applications with restricted resources such as limited storage, gate count, and/or power consumption. (25 submissions)

42 The estream portfolio Prole 1 SOFTWARE: HC-128, Rabbit, Salsa20/12, SOSEMANUK Prole 2 HARDWARE: Grain v1, MICKEY v2, Trivium

43 HC-128 Internal state: Two tables P and Q. Each contains 512 words. g 1 (x, y, z) = ((x 10) (z 23)) + (y 8) g 2 (x, y, z) = ((x 10) (z 23)) + (y 8) h 1 (x) = Q[x 0 ] + Q[256 + x 2 ] h 2 (x) = P[x 0 ] + P[256 + x 2 ] where x = x 3 x 2 x 1 x 0.

44 HC-128 HC-128 Keystream Generation Input: Tables P and Q, each containing 512 words. Output: Keystream words s i for i = 0, 1,.... i = 0; repeat (until enough keystream bits are generated) { j = i mod 512; if ((i mod 1024) < 512) { P[j] += g 1 (P[j 3], P[j 10], P[j 511]); s i = h 1 (P[j 12]) P[j]; } else { Q[j] += g 2 (Q[j 3], Q[j 10], Q[j 511]); s i = h 2 (Q[j 12]) Q[j]; } i += 1; }

45 Wu's distinguishing attack P is updated as P[i mod 512] += g 1 (P[i 3], P[i 10], P[i 511]) But, s i = h 1 (P[i 12]) P[i mod 512]. For most i, s i h 1 (z i ) = (s i 1024 h 1(z i 1024 )) + (8) g 1 (s i 3 h 1 (z i 3 ), s i 10 h 1 (z i 10 ), s i 1023 h 1(z i 1023 )) h 1 (x) and h 1 (x) dierent functions; z j denotes the P[j 12] at the j-th step. For the least signicant bit, [s i ] 0 [s i 3 ] 10 [s i 10 ] 8 [s i 1023 ] 23 [s i 1024 ] 0 = (9) [h 1 (z i )] 0 [h 1 (z i 3 )] 10 [h 1 (z i 10 )] 8 [h 1(z i 1023 )] 23 [h 1(z i 1024 )] 0

46 Wu's distinguishing attack Looking at time i and j, i j, where 1024 α + 10 i, j < 1024 α [s i ] 0 [s i 3 ] 10 [s i 10 ] 8 [s i 1023 ] 23 [s i 1024 ] 0 = [s j ] 0 [s j 3 ] 10 [s j 10 ] 8 [s j 1023 ] 23 [s j 1024 ] 0 (10) which holds if and only if [h 1 (z i )] 0 [h 1 (z i 3 )] 10 [h 1 (z i 10 )] 8 [h 1(z i 1023 )] 23 [h 1(z i 1024 )] 0 = [h 1 (z j )] 0 [h 1 (z j 3 )] 10 [h 1 (z j 10 )] 8 [h 1(z j 1023 )] 23 [h 1(z j 1024 )] 0

47 Wu's distinguishing attack That equation can be approximated as H(a 1 ) = H(a 2 ), (11) where H denotes a random secret 80-bit-to-1-bit S-box, a 1 and a 2 are two 80-bit random inputs, Theorem a 1 = z i z i 3 z i 10 z i 1023 z i 1024 (12) a 2 = z j z j 3 z j 10 z j 1023 z j 1024, Let H be an m-bit-to-n-bit S-box and all those n-bit elements are randomly generated, where m n. Let a 1 and a 2 be two m-bit random inputs to H. Then H(a 1 ) = H(a 2 ) with probability 2 m + 2 n 2 m n. Thus, (??) holds with probability Number of samples needed 4ε 2, so such samples.

48 Wu's distinguishing attack Several attempts have been made to improve this basic idea. Some improvements have been found, but no attack below complexity have been found.

49 Trivium extremely simple hardware design the most challenging design in the estream portfolio A 288-bit internal state (s 1, s 2,..., s 288 ) and a very simple update/output function.

50 Trivium Trivium Keystream Generation Input: State (s 1, s 2,..., s 288 ) Output: Keystream bits z i for i = 1, 2,.... for i = 1to N do t 1 s 66 + s 93 ; t 2 s s 177 ; t 3 s s 288 ; z i t 1 + t 2 + t 3 t 1 t 1 + s 91 s 92 + s 171 ; t 2 t 2 + s 175 s s 264 ; t 3 t 3 + s 286 s s 69 ; (s 1, s 2,..., s 93 ) (t 3, s 1,..., s 92 ) (s 94, s 95,..., s 177 ) (t 1, s 94,..., s 176 ); (s 178, s 179,..., s 288 ) (t 2, s 178,..., s 287 ); end for