Improved Cryptanalysis of Py

Transcription

1 Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006

2 Py estream entrant by Eli Biham and Jennifer Seberry Fast in software (2.6 cycles/byte on some platforms) SPP attack: 2 88 bytes of output Our attack: 2 72 bytes

3 Output O P O 2

4 Update P P

5 SPP attack Gautham Sekar, Souradyuti Paul, Bart Preneel Defines event L with Pr[L] 2 4:9 When L occurs, two output bits are the same

6 Event L () S P S

7 Event L (2) O ; A B S A B A B O 2;3

8 Result of event L A S B O ; O 2;3

9 Improving on the attack Use all bits of O ; ; O 2;3 Group output by column bitwise Find exact probability Pr[O ; ; O 2;3 = o ; ; o 2;3jL] Apply optimal distinguisher

10 Addition [ ] 3 [Y ] 3 [ ] 2 [Y ] 2 [ ] [Y ] [ ] 0 [Y ] 0 [c] 3 [c] 2 [c] [c] 0 [ + Y ] 3 [ + Y ] 2 [ + Y ] [ + Y ] 0

11 Carry propagation [A] i [S] i [B] i [c ] i+ [c 3 ] i+ [c ] i [c 3 ] i [O ;] i [O 2;3] i

12 Carry propagation [A] i [S] i [B] i [c ] i+ [c 3 ] i+ [c ] i [c 3 ] i [O ;] i [O 2;3] i

13 Hidden Markov model ; 0 ; 0 0; 0 0;

14 Hidden Markov model ; 0 ; 0 0; 0 0;

15 The forward algorithm 0 Pr 0 0 where 4 = and 0 = = 4 M ;0M 0;0M ; C A

16 Optimal distinguisher Thomas Baignères, Pascal Junod, Serge Vaudenay Optimal distinguisher chooses the distribution which has the highest probability of producing the observed output

17 Optimal distinguisher s 0 s s 2

18 Optimal distinguisher s 0 s s 2

19 Optimal distinguisher 3 s 0 s s 2

20 Optimal distinguisher 3 s 0 s s 2 Pr[s 0 jl] Pr[s jl] Pr[s 2 jl]

21 Optimal distinguisher 3 s 0 s s 2 Pr[s 0 jl] Pr[s jl] Pr[s 2 jl]

22 Optimal distinguisher 3 s 0 s s 2 Pr[s 0 jl] Pr[s jl] Pr[s 2 jl] Pr[s 0 ] Pr[s ] Pr[s 2 ]

23 Optimal distinguisher 3 s 0 s s 2 Pr[s 0 jl] Pr[s jl] Pr[s 2 jl] Pr[s 0 ] Pr[s ] Pr[s 2 ] Pr[s 0 ^ s ^ s 2 ]

24 Efficacy of optimal distinguisher Where distribution is close to uniform random, efficacy 2 Pr[z] = P z2z

25 Efficacy of optimal distinguisher Where distribution is close to uniform random, efficacy 2 Pr[z] = P z2z Need around 2 samples

26 Efficacy of optimal distinguisher Where distribution is close to uniform random, efficacy 2 Pr[z] = P z2z Need around 2 samples Both distinguishers: = Pr[L] 2 Pz2Z Pr[zjL]2

27 Efficacy of optimal distinguisher Where distribution is close to uniform random, efficacy 2 Pr[z] = P z2z Need around 2 samples Both distinguishers: = Pr[L] 2 SPP attack: = Pr[L] 2 so around 2 85 samples Pz2Z Pr[zjL]2

28 Efficacy of our distinguisher z2z Pr[zjL] 2

29 Efficacy of our distinguisher = Pr[zjL] 2 z2z ( 4 M 3 M 30 : : : M 0 0) 2 M i 2 fm 0;0 ; M 0; ; M ;0 ; M ;g

30 Efficacy of our distinguisher = = Pr[zjL] 2 z2z ( 4 M 3 M 30 : : : M 0 0) 2 ( 4 M 3 M 30 : : : M 0 0) ( 4 M 3 M 30 : : : M 0 0) T M i 2 fm 0;0 ; M 0; ; M ;0 ; M ;g

31 Efficacy of our distinguisher = = = Pr[zjL] 2 z2z ( 4 M 3 M 30 : : : M 0 0) 2 ( 4 M 3 M 30 : : : M 0 0) ( 4 M 3 M 30 : : : M 0 0) T 4 M 3 M 30 : : : M 0 0 T 0 MT 0 : : : MT 30 MT 3 T 4 M i 2 fm 0;0 ; M 0; ; M ;0 ; M ;g

32 Efficacy of our distinguisher = = = Pr[zjL] 2 z2z ( 4 M 3 M 30 : : : M 0 0) 2 ( 4 M 3 M 30 : : : M 0 0) ( 4 M 3 M 30 : : : M 0 0) T 4 M 3 M 30 : : : M 0 0 T 0 MT 0 : : : MT 30 MT 3 T 4 = 4 M 3 M 30 : : : M 0 0 T 0 MT 0 : : : MT 30 MT 3 T 4 M i 2 fm 0;0 ; M 0; ; M ;0 ; M ;g

33 Efficacy of our distinguisher H i = Mi M i 2 : : : M M 0 0 T 0 MT 0 MT : : : MT i 2 MT i

34 Efficacy of our distinguisher H i = Mi M i 2 : : : M M 0 0 T 0 MT 0 MT : : : MT i 2 MT i H 0 = 0 T 0

35 Efficacy of our distinguisher H i = Mi M i 2 : : : M M 0 0 T 0 MT 0 MT : : : MT i 2 MT i H 0 = 0 T 0 H i+ = M2fM 0;0 ;M 0; ;M ;0 ;M ;g MH i M T

36 Efficacy of our distinguisher H i = Mi M i 2 : : : M M 0 0 T 0 MT 0 MT : : : MT i 2 MT i H 0 = 0 T 0 H i+ = M2fM 0;0 ;M 0; ;M ;0 ;M ;g MH i M T = Pr[L] H 32 T 4

37 Efficacy of our distinguisher H i = Mi M i 2 : : : M M 0 0 T 0 MT 0 MT : : : MT i 2 MT i H 0 = 0 T 0 H i+ = M2fM 0;0 ;M 0; ;M ;0 ;M ;g MH i M T = Pr[L] H 32 T Pr[L] 2

38 Conclusions We can efficiently calculate the efficacy of HMM-based distinguishers Distinguisher advantage is 0.53 given 2 64 bytes from 2 8 key/iv pairs Advantage is 0.03 given a single byte stream Can this be improved still further?