Analysis of Modern Stream Ciphers


Analysis of Modern Stream Ciphers
Josef Pieprzyk, Centre for Advanced Computing - Algorithms and Cryptography, Macquarie University, Australia
CANS 2007, Singapore, December 2007

Outline
1. eSTREAM Project
2. Algebraic Analysis of SOBER-t32
3. Distinguisher for SOBER-128 based on Linear Masking
4. Crossword Puzzle Attack on NLS and NLSv2
5. Distinguisher for DRAGON based on Linear Masking
6. Future Research

eSTREAM Project
- A multi-year project (part of ECRYPT) to promote research into stream ciphers ( ).
- Phase 3 of eSTREAM started in April 2007.
- There are two profiles in eSTREAM:
  PROFILE 1: stream ciphers for software applications
  PROFILE 2: stream ciphers for hardware applications
- The final results will be announced in April/May 2008.

eSTREAM Project: Phase 3 candidates and the status of their analysis

  SW Phase 3 (Profile 1)    Status
  CryptMT                   no attack
  DRAGON                    distinguishing attack
  HC-128 (-256)             no attack
  LEX                       resynchronization collision attack
  NLS (encrypt only)        distinguishing attack
  Rabbit                    no attack
  Salsa20                   no attack
  SOSEMANUK                 no attack

  HW Phase 3 (Profile 2)    Status
  DECIM                     no attack
  Edon-80                   no attack
  F-FCSR                    no attack
  Grain                     no attack
  MICKEY (-128)             no attack
  MOUSTIQUE                 CC attack
  POMARANCH                 distinguishing attack
  Trivium                   no attack

Footnotes on the slide (the marks tying them to individual entries were not preserved in the transcription):
  - there is an attack whose complexity is higher than exhaustive search
  - there are key recovery attacks for reduced versions
  - breakable if the secret key is longer than 224 bits

Algebraic Analysis of SOBER-t32
1. Principle of algebraic attacks
2. Structure of SOBER-t32
3. Attack on SOBER-t32 and its complexity

Algebraic Analysis of SOBER-t32: Principles of Algebraic Attacks
- Find a multivariate relation $Q$ of low degree $d$ between the state bits and the output bits: $Q(S_0, v_0) = 0$ (degree $d$).
- The same relation holds at every clock $t$, so $Q(S_t, v_t) = Q(L^t(S_0), v_t) = 0$ (degree $d$), where $L$ is the linear state update of the LFSR.
- Solve the resulting system of equations (linearization, XL, Gröbner bases, ...).

Algebraic Analysis of SOBER-t32: System Description
- Key: sender and receiver share the same secret key.
- Sender encrypts: $c_t = m_t \oplus v_t$.
- Receiver decrypts: $c_t \oplus v_t = m_t \oplus v_t \oplus v_t = m_t$.
[Figure: at clocks $t = 0$ (initial state), $t = 1$, $t = 2$, ... the LFSR state is passed through the NLF to produce the keystream words $v_0, v_1, v_2, \dots$]
LFSR: Linear Feedback Shift Register. NLF: Non-Linear Filter (function $f$).

Algebraic Analysis of SOBER-t32: Complexity of Attack
Let $n$ be the number of initial state bits of the LFSR and $d$ the degree of the function $f$ (NLF).
- Number of monomials: $T = \binom{n}{1} + \binom{n}{2} + \cdots + \binom{n}{d} \approx \binom{n}{d}$
- Number of keystream bits required: $\approx \binom{n}{d}$
- Complexity (Gaussian elimination): $7 \cdot T^{\log_2 7}$

Algebraic Analysis of SOBER-t32: Description of SOBER-t32/t16
Major features of SOBER-t32 and SOBER-t16:
- big LFSR
- word-oriented stream cipher
- S-box of size $N \times M$ with $N < M$

              LFSR word    S-box
  SOBER-t32   32 bits      8 x 32 bits
  SOBER-t16   16 bits      8 x 16 bits

Algebraic Analysis of SOBER-t32: Overall structure of SOBER-t32/t16
[Figure: a 17-word LFSR $s_0, \dots, s_{16}$. The words $s_{15}$, $s_4$ and $s_0$ (the latter multiplied by the constant $\beta$) enter the linear feedback; the words $s_0, s_1, s_6, s_{13}, s_{16}$ and the key-dependent constant $K$ enter the filter $f$; the filter output passes through the stuttering stage to give the keystream word $v_t$.]

Algebraic Analysis of SOBER-t32: Non-linear Filter of SOBER-t32
[Figure: $x = s_0 + s_{16} \bmod 2^{32}$; the most significant byte $x_H$ is the S-box input and $\alpha$ the S-box output; $f(x)$ is formed from $\alpha$ and the low part $x_L$; $s_1$, $s_6$, $K$ and $s_{13}$ are then combined with $f(x)$ to produce $v$.]

Algebraic Analysis of SOBER-t32: Modular Addition
Let $c = a + b \bmod 2^{32}$ and let $c_i$ be the $i$-th output bit. Then
$c_0 = a_0 \oplus b_0$,
$c_1 = a_1 \oplus b_1 \oplus a_0 b_0$,
and for $2 \le i \le 31$
$c_i = a_i \oplus b_i \oplus a_{i-1} b_{i-1} \oplus \bigoplus_{t=0}^{i-2} a_t b_t \prod_{r=t+1}^{i-1} (a_r \oplus b_r)$.
Each $c_i$ is a polynomial in the input bits of degree $i + 1$. Equivalently, in recursive form (the carry into bit $i$ is $a_{i-1} \oplus b_{i-1} \oplus c_{i-1}$):
$c_0 = a_0 \oplus b_0$
$c_1 = a_1 \oplus b_1 \oplus a_0 b_0$
$c_2 = a_2 \oplus b_2 \oplus a_1 b_1 \oplus (a_1 \oplus b_1)(a_1 \oplus b_1 \oplus c_1)$
$\vdots$
$c_n = a_n \oplus b_n \oplus a_{n-1} b_{n-1} \oplus (a_{n-1} \oplus b_{n-1})(a_{n-1} \oplus b_{n-1} \oplus c_{n-1})$
The degree of $c_i$ is $i + 1$.

Algebraic Analysis of SOBER-t32: Observation
Let $c_i$, $24 \le i \le 31$, be the $i$-th output bit of the modular addition $c = a + b \pmod{2^{32}}$. If $c_i$ is multiplied by $(1 \oplus a_{23} \oplus b_{23})$, then the degree of $c_i (1 \oplus a_{23} \oplus b_{23})$ drops to $i - 22$. The reason is that $(a_{23} \oplus b_{23})(1 \oplus a_{23} \oplus b_{23}) = 0$, so every carry term containing the factor $(a_{23} \oplus b_{23})$ vanishes.

Algebraic Analysis of SOBER-t32: Justification of Observation
$c_0 = a_0 \oplus b_0$
$c_1 = a_1 \oplus b_1 \oplus a_0 b_0$
$c_2 = a_2 \oplus b_2 \oplus a_1 b_1 \oplus a_0 b_0 (a_1 \oplus b_1)$
$\vdots$
$c_{24} = a_{24} \oplus b_{24} \oplus a_{23} b_{23} \oplus a_{22} b_{22} (a_{23} \oplus b_{23}) \oplus a_{21} b_{21} (a_{22} \oplus b_{22})(a_{23} \oplus b_{23}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{23} \oplus b_{23})$
$c_{25} = a_{25} \oplus b_{25} \oplus a_{24} b_{24} \oplus a_{23} b_{23} (a_{24} \oplus b_{24}) \oplus a_{22} b_{22} (a_{23} \oplus b_{23})(a_{24} \oplus b_{24}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{24} \oplus b_{24})$
$\vdots$
$c_{31} = a_{31} \oplus b_{31} \oplus a_{30} b_{30} \oplus a_{29} b_{29} (a_{30} \oplus b_{30}) \oplus a_{28} b_{28} (a_{29} \oplus b_{29})(a_{30} \oplus b_{30}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{30} \oplus b_{30})$

Algebraic Analysis of SOBER-t32: Justification of Observation (cont.)
Multiplying $c_{24}, \dots, c_{31}$ by $(1 \oplus a_{23} \oplus b_{23})$ removes every term that contains the factor $(a_{23} \oplus b_{23})$, leaving
$c_{24}(1 \oplus a_{23} \oplus b_{23}) = (a_{24} \oplus b_{24} \oplus a_{23} b_{23})(1 \oplus a_{23} \oplus b_{23})$
$c_{25}(1 \oplus a_{23} \oplus b_{23}) = (a_{25} \oplus b_{25} \oplus a_{24} b_{24} \oplus a_{23} b_{23}(a_{24} \oplus b_{24}))(1 \oplus a_{23} \oplus b_{23})$
$\vdots$
$c_{31}(1 \oplus a_{23} \oplus b_{23}) = (a_{31} \oplus b_{31} \oplus a_{30} b_{30} \oplus a_{29} b_{29}(a_{30} \oplus b_{30}) \oplus a_{28} b_{28}(a_{29} \oplus b_{29})(a_{30} \oplus b_{30}) \oplus \cdots \oplus a_{23} b_{23}(a_{24} \oplus b_{24}) \cdots (a_{30} \oplus b_{30}))(1 \oplus a_{23} \oplus b_{23})$
For $24 \le i \le 31$ the degree of $c_i (1 \oplus a_{23} \oplus b_{23})$ is $i - 22$: the highest-degree surviving term is $a_{23} b_{23} (a_{24} \oplus b_{24}) \cdots (a_{i-1} \oplus b_{i-1})$ of degree $2 + (i - 24) = i - 22$, and the extra factor does not raise it because $a_{23} b_{23} (1 \oplus a_{23} \oplus b_{23}) = a_{23} b_{23}$.

Algebraic Analysis of SOBER-t32: How to Use the Observation
[Figure: the non-linear filter of SOBER-t32 again: $x = s_0 + s_{16} \bmod 2^{32}$, the S-box applied to $x_H$ gives $\alpha$, $x_L$ is the low part, and $s_1$, $s_6$, $K$, $s_{13}$ are combined with $f(x)$ to give $v$.]

Algebraic Analysis of SOBER-t32: How to Use the Observation (cont.)
Consider the least significant bit of $\alpha$ (the S-box output). At bit position 0 every modular addition in the filter reduces to XOR, so
$\alpha_0 = s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0$.
Construct the following table:
- rows: all possibilities for the S-box input byte $(x_{31}, \dots, x_{24})$, i.e. $2^8$ rows;
- columns: all monomials $A_i$ of degree up to 8 in the input bits $(x_{31}, \dots, x_{24})$, plus a column for the least significant output bit $\alpha_0$.
Gaussian elimination on this matrix yields a non-linear equation of the form
$\alpha_0 = \bigoplus_i A_i = 1 \oplus x_{24} \oplus x_{24} x_{25} \oplus \cdots \oplus x_{24} x_{28} x_{29} x_{30} x_{31} \oplus \cdots$

Algebraic Analysis of SOBER-t32: How to Use the Observation (cont.)
Here $x = s_0 + s_{16} \bmod 2^{32}$, so $x_i$ plays the role of $c_i$ with $a = s_0$ and $b = s_{16}$. By the Observation, for $24 \le i \le 31$,
$x_i (1 \oplus s_{0,23} \oplus s_{16,23}) = g(s_{0,23 \ldots i}, s_{16,23 \ldots i})$,
where $g$ is a multivariate polynomial of degree at most $i - 22$. For example,
$x_{24}(1 \oplus s_{0,23} \oplus s_{16,23}) = (s_{0,24} \oplus s_{16,24} \oplus s_{0,23} s_{16,23})(1 \oplus s_{0,23} \oplus s_{16,23})$
$x_{25}(1 \oplus s_{0,23} \oplus s_{16,23}) = (s_{0,25} \oplus s_{16,25} \oplus s_{0,24} s_{16,24} \oplus s_{0,23} s_{16,23}(s_{0,24} \oplus s_{16,24}))(1 \oplus s_{0,23} \oplus s_{16,23})$
Hence
$\alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23}) = \bigoplus_i A_i (1 \oplus s_{0,23} \oplus s_{16,23})$.
By a computer experiment, the degree of $\alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23})$ in the state bits is at most 14.
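The computer experiment on this slide (bounding the degree of $\alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23})$) and the table-plus-Gaussian-elimination step on the previous slide both come down to computing the algebraic normal form (ANF) of a Boolean function from its truth table. The Python below is an added example, not code from the talk: it computes the ANF with the Möbius transform rather than Gaussian elimination (the result is the same polynomial), uses a constructed stand-in S-box because the SOBER-t32 S-box table is not on these slides, and checks the modular-addition degree observation on a scaled-down word size ($n = 6$, $k = 2$, so the reduced degree is $i - k + 1 = i - 1$, the analogue of $i - 22$ for $n = 32$, $k = 23$). All function names are my own.

```python
"""Algebraic normal form (ANF) and algebraic degree from a truth table.

Added example, not code from the talk.  Two uses:
  * recover one S-box output bit as a polynomial in the S-box input bits
    (the slide does this with a 2^8-row table and Gaussian elimination; the
    Moebius transform below yields the same ANF directly);
  * check the modular-addition observation on a scaled-down word size:
    deg(c_i) = i + 1 and deg(c_i * (1 + a_k + b_k)) = i - k + 1 for i > k
    (the slides use n = 32, k = 23, i.e. degree i - 22; here n = 6, k = 2).
The S-box used is a constructed stand-in, NOT the SOBER-t32 S-box.
"""


def anf_from_truth_table(tt):
    """Moebius transform over GF(2).

    tt[x] = f(x) for x in 0 .. 2^n - 1, where bit j of x is the value of
    variable j.  Returns anf with anf[m] = 1 iff the monomial whose variable
    set is the bit pattern of m occurs in the ANF of f.
    """
    anf = list(tt)
    size = len(anf)
    step = 1
    while step < size:
        for i in range(size):
            if i & step:
                anf[i] ^= anf[i ^ step]
        step <<= 1
    return anf


def degree(anf):
    """Algebraic degree: largest number of variables in any monomial present."""
    return max((bin(m).count("1") for m, c in enumerate(anf) if c), default=-1)


def eval_anf(anf, x):
    """Evaluate an ANF at input x: XOR over the monomials m contained in x."""
    return sum(1 for m, c in enumerate(anf) if c and (m & x) == m) & 1


def monomials(anf, names):
    """ANF as readable monomial strings, e.g. ['1', 'x24', 'x24*x25', ...]."""
    out = []
    for m, c in enumerate(anf):
        if c:
            vars_ = [names[j] for j in range(len(names)) if m >> j & 1]
            out.append("*".join(vars_) if vars_ else "1")
    return out


def toy_sbox(x):
    """Constructed 8-bit bijection standing in for an S-box (not SOBER's):
    multiply by an odd constant, rotate left by 3, XOR a constant."""
    y = (x * 0x5B) & 0xFF
    y = ((y << 3) | (y >> 5)) & 0xFF
    return y ^ 0xA7


def sbox_bit_anf(sbox, bit, nbits=8):
    """ANF of output bit `bit` of `sbox` as a function of its nbits input bits."""
    return anf_from_truth_table([sbox(x) >> bit & 1 for x in range(1 << nbits)])


def addition_bit_truth_table(n, i, k=None):
    """Truth table of c_i, or of c_i * (1 + a_k + b_k) when k is given, for
    c = a + b mod 2^n.  Variables 0..n-1 are a_0..a_{n-1}, n..2n-1 are b_0..b_{n-1}."""
    mask = (1 << n) - 1
    tt = []
    for v in range(1 << (2 * n)):
        a, b = v & mask, v >> n
        bit = ((a + b) & mask) >> i & 1
        if k is not None:
            bit &= 1 ^ (a >> k & 1) ^ (b >> k & 1)
        tt.append(bit)
    return tt


def addition_bit_degree(n, i, k=None):
    """deg(c_i), or deg(c_i * (1 + a_k + b_k)) when k is given, for n-bit addition."""
    return degree(anf_from_truth_table(addition_bit_truth_table(n, i, k)))


if __name__ == "__main__":
    names = ["x%d" % j for j in range(24, 32)]   # the slide's naming x24 .. x31
    alpha0 = sbox_bit_anf(toy_sbox, 0)
    print("alpha_0 =", " + ".join(monomials(alpha0, names)), "(degree %d)" % degree(alpha0))
    for i in range(6):
        print("deg c_%d = %d" % (i, addition_bit_degree(6, i)))
    for i in range(3, 6):
        print("deg c_%d * (1 + a_2 + b_2) = %d" % (i, addition_bit_degree(6, i, 2)))
```

The Möbius transform is the standard way to get an ANF; on the slide's $2^8 \times (\text{monomials} + 1)$ matrix it replaces the elimination step and scales linearly in the table size rather than cubically in the number of monomials. For the real cipher the same `addition_bit_degree` idea does not scale (64 variables), which is why the slide reasons symbolically and only uses a computer for the final degree bound.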

Algebraic Analysis of SOBER-t32: Getting Algebraic Relations
Recall $\alpha_0 = s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0$. Multiplying by $(1 \oplus s_{0,23} \oplus s_{16,23})$ gives
$\alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23}) = (s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0)(1 \oplus s_{0,23} \oplus s_{16,23})$,
an equation of degree 14. Arrange it as $g(S) = h(S, V)$ with
$g(S) = \alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23}) \oplus (s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus K_0)(1 \oplus s_{0,23} \oplus s_{16,23})$
$h(S, V) = v_0 (1 \oplus s_{0,23} \oplus s_{16,23})$
so that $g$ depends only on the state (and the constant $K$), while $h$ is linear in the state bits once the keystream bit $v_0$ is known.

Algebraic Analysis of SOBER-t32: Algebraic Attack
If we collect $N > \sum_{i=0}^{14} \binom{544}{i}$ consecutive equations, a linear dependency $\gamma = (\gamma_0, \dots, \gamma_{N-1})$, $\gamma_t \in GF(2)$, among the left-hand sides must exist:
$\bigoplus_{t=0}^{N-1} \gamma_t\, g(L^t(S_0)) = 0$.
To recover $\gamma$:
1. Collect $N$ consecutive equations with $N > 2T = 2 \sum_{i=0}^{14} \binom{544}{i}$.
2. Choose a random key (initial state) $S_0$.
3. Compute the $2T$ output bits of the left-hand side, $c_t = g(L^t(S_0))$ for $t = 0, \dots, 2T-1$.
4. Apply the Berlekamp-Massey algorithm to find the shortest connection polynomial that generates the sequence $c = (c_0, \dots, c_{2T-1})$; its coefficients give $\gamma$.

Algebraic Analysis of SOBER-t32: Algebraic Attack (cont.)
The same linear dependency holds for the right-hand side:
$0 = \bigoplus_{t=i}^{N+i-1} \gamma_{t-i}\, h(L^t(S_0), V_t)$, $i = 0, 1, \dots$
Each of these is a linear equation in the initial state bits, because $h$ is linear in the state once the keystream is known. Collect such equations from consecutive keystream windows and solve the linear system.
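Steps 2 to 4 above (compute $c_t = g(L^t(S_0))$ for one random key, run Berlekamp-Massey) rest on one fact: the dependency $\gamma$ is a property of the pair $(L, g)$, not of the key, so it can be found once and then applied to the right-hand side built from observed keystream. The Python below is an added example, not code from the talk, and scales the setting down to a 5-bit LFSR with a constructed degree-2 filter $g$ in place of SOBER-t32's 544-bit LFSR and degree-14 relation. With $n = 5$ and $d = 2$ the filtered sequence has linear complexity at most $\binom{5}{1} + \binom{5}{2} = 15$, so $2T = 30$ bits suffice; the example recovers $\gamma$ from one initial state and verifies that it annihilates the sequences of other initial states. Feedback taps, the filter and all names are my choices.

```python
"""Key-independent linear dependency gamma via Berlekamp-Massey.

Added example, not code from the talk.  Scaled-down model of the attack's
pre-computation (steps 2-4 on the slide): a 5-bit LFSR L with a constructed
degree-2 filter g instead of SOBER-t32's 544-bit LFSR and degree-14 relation.
Every g(L^t(S_0)) is a GF(2)-linear combination of the C(5,1) + C(5,2) = 15
monomials of degree <= 2 in the initial state bits, and each monomial
sequence satisfies a fixed linear recurrence, so the filtered sequence has
linear complexity <= 15 whatever S_0 is.  Berlekamp-Massey on 2*15 = 30 bits
produced from ONE state therefore yields a connection polynomial gamma that
annihilates the sequence of EVERY state.
"""

LFSR_LEN = 5
FEEDBACK_TAPS = (0, 2)   # s_{t+5} = s_t XOR s_{t+2}  (x^5 + x^2 + 1, primitive over GF(2))


def lfsr_clock(state):
    """[s_t, ..., s_{t+4}] -> [s_{t+1}, ..., s_{t+5}]; this is L on the slide."""
    new = 0
    for tap in FEEDBACK_TAPS:
        new ^= state[tap]
    return state[1:] + [new]


def filter_g(state):
    """Constructed degree-2 relation g(S); stands in for the degree-14 left-hand side."""
    return (state[0] & state[3]) ^ state[1]


def filtered_sequence(init_state, length):
    """c_t = g(L^t(S_0)) for t = 0 .. length-1."""
    state = list(init_state)
    out = []
    for _ in range(length):
        out.append(filter_g(state))
        state = lfsr_clock(state)
    return out


def berlekamp_massey(seq):
    """Shortest LFSR over GF(2) generating seq (Massey's algorithm).

    Returns (L, C) with C = [c_0 = 1, c_1, ..., c_L] such that for every
    t >= L:  seq[t] ^ c_1*seq[t-1] ^ ... ^ c_L*seq[t-L] == 0.
    """
    n = len(seq)
    C = [1] + [0] * n        # current connection polynomial
    B = [1] + [0] * n        # connection polynomial before the last length change
    L, m = 0, -1             # current length, index of the last length change
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d ^= C[j] & seq[i - j]
        if d:
            T = C[:]
            shift = i - m
            for j in range(n + 1 - shift):
                C[j + shift] ^= B[j]
            if 2 * L <= i:
                L, m, B = i + 1 - L, i, T
    return L, C[:L + 1]


def annihilates(gamma, seq):
    """True iff sum_j gamma[j] * seq[t-j] == 0 (mod 2) for all t >= len(gamma)-1,
    i.e. gamma is a linear dependency of the sequence."""
    L = len(gamma) - 1
    return all(sum(gamma[j] & seq[t - j] for j in range(L + 1)) % 2 == 0
               for t in range(L, len(seq)))


def recover_gamma(probe_state, nbits=64):
    """Steps 2-4: pick a state S_0, compute nbits >= 2T bits c_t = g(L^t(S_0)),
    run Berlekamp-Massey; returns (linear complexity, gamma)."""
    return berlekamp_massey(filtered_sequence(probe_state, nbits))


if __name__ == "__main__":
    L, gamma = recover_gamma([1, 0, 1, 1, 0])
    print("linear complexity", L, "gamma =", gamma)
    for other in ([0, 1, 1, 0, 1], [1, 1, 1, 1, 1], [0, 0, 0, 0, 1]):
        print(other, "annihilated:", annihilates(gamma, filtered_sequence(other, 200)))
```

In the attack the same $\gamma$ is then applied to $h(L^t(S_0), V_t)$ with the real keystream substituted for $v_0$, which is what turns one degree-14 relation into linear equations in the 544 unknown state bits. The toy keeps the structure but not the cost: for SOBER-t32 the sequence length is $2T \approx 2^{92}$, which is where the pre-computation figure on the next slide comes from.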

Algebraic Analysis of SOBER-t32: Complexity of Algebraic Attack
- Number of monomials of degree up to 14 in $n = 544$ unknowns: $T = \sum_{i=0}^{14} \binom{544}{i} \approx 2^{91}$.
- Pre-computation: $O(T \log T + T n) \approx O(2^{100})$ CPU clocks, using improved versions of the Berlekamp-Massey algorithm.
- Keystream observations required: $2T \approx 2^{92}$.
- Memory: the vector $\gamma$ plus the $(544 - 1)$ collected linear equations, around $2^{91}$ bits.

Distinguisher for SOBER-128: Distinguishing Attack on SOBER-128
1. Principle of attack
2. Structure of SOBER-128
3. Attack on SOBER-128

Distinguisher for SOBER-128: Linear Feedback Shift Register
[Figure: the LFSR sequence $X = (x_t, x_{t+1}, \dots)$ satisfies a linear relation $x_t \oplus x_{t+1} \oplus \cdots \oplus x_{t+n} = 0$ over a set of tap positions (from a low-weight multiple of the feedback polynomial); the non-linear filter maps $X$ through intermediate values $Y = (y_{t+1}, y_{t+2}, \dots, y_{t+m})$ to the keystream $Z = (z_t, z_{t+1}, \dots)$; the distinguisher tests whether the same relation $z_t \oplus z_{t+1} \oplus \cdots \oplus z_{t+n} = 0$ holds on the keystream with a detectable bias.]

Distinguisher for SOBER-128: Definition of Bias $\epsilon$ and Piling-up Lemma
Two conventions for the bias of a binary variable:
- With $p = \frac12 + \epsilon$: if $\Pr(X_1 = 0) = \frac12 + \epsilon$ and $\Pr(X_2 = 0) = \frac12 + \epsilon$, then $\Pr(X_1 \oplus X_2 = 0) = \frac12 + 2\epsilon^2$.
- With $p = \frac12(1 + \epsilon)$: if $\Pr(X_1 = 0) = \frac12(1 + \epsilon)$ and $\Pr(X_2 = 0) = \frac12(1 + \epsilon)$, then $\Pr(X_1 \oplus X_2 = 0) = \frac12(1 + \epsilon^2)$.
In general, for $n$ independent variables the combined bias is $2^{n-1} \epsilon^n$ in the first convention versus $\epsilon^n$ in the second. The second convention, $p = \frac12(1 + \epsilon)$, is used from here on.

Distinguisher for SOBER-128: Structure of NLF in SOBER-128
[Figure: $\omega = s_0 + s_{16} \bmod 2^{32}$; $\omega^{(H)}$, the most significant byte of $\omega$, is the S-box input and $\alpha$ the S-box output; $\alpha \oplus \omega$ is rotated by 8 bit positions; $s_1$ and $s_6$ are then added, the result is XORed with $K$, and $s_{13}$ is added (with $\beta$ the intermediate value) to give the keystream word $z$. At the least significant bit this gives $\alpha_{(8)} \oplus \beta_{(0)} \oplus \omega_{(8)} \oplus s_{1,(0)} \oplus s_{6,(0)} \oplus s_{13,(0)} \oplus K_{(0)} = z_{(0)}$.]

Distinguisher for SOBER-128: Low Weight LFSR Polynomial and Approximations
Ekdahl and Johansson (FSE 2002) observed that
$s_{t+\tau_1} \oplus s_{t+\tau_2} \oplus s_{t+\tau_3} \oplus s_{t+\tau_4} \oplus s_{t+\tau_5} \oplus s_{t+\tau_6} = 0$,
where $s_t$ is the LFSR state word at clock $t$ and $\tau_1 = 0$, $\tau_2 = 11$, $\tau_3 = 13$ (the values of $\tau_4$, $\tau_5$, $\tau_6$ were not preserved in the transcription).
Linear approximation of $\alpha_{(8)}$ (bias not preserved in the transcription):
$\alpha_{(8)} = s_{0,(25)} \oplus s_{0,(26)} \oplus s_{0,(28)} \oplus s_{0,(29)} \oplus s_{16,(26)} \oplus s_{16,(29)}$
Linear approximation of $\beta_{(0)}$ (bias not preserved in the transcription):
$\beta_{(0)} = s_{13,(29)} \oplus s_{13,(30)} \oplus z_{(29)} \oplus z_{(30)}$
Linear approximation of $\omega_{(8)}$, $p = \frac12(1 + 2^{-1})$ (the carry into bit 8 of $s_0 + s_{16}$ is approximated by $s_{0,(7)}$):
$\omega_{(8)} = s_{0,(8)} \oplus s_{16,(8)} \oplus s_{0,(7)}$

Distinguisher for SOBER-128: Linear Approximation of NLF
Combining the three approximations,
$L(s, z) = \underbrace{s_{0,(25)} \oplus s_{0,(26)} \oplus s_{0,(28)} \oplus s_{0,(29)} \oplus s_{16,(26)} \oplus s_{16,(29)}}_{\alpha_{(8)}} \oplus \underbrace{s_{13,(29)} \oplus s_{13,(30)} \oplus z_{(29)} \oplus z_{(30)}}_{\beta_{(0)}} \oplus \underbrace{s_{0,(8)} \oplus s_{16,(8)} \oplus s_{0,(7)}}_{\omega_{(8)}} \oplus s_{1,(0)} \oplus s_{6,(0)} \oplus s_{13,(0)} \oplus K_{(0)} \oplus z_{(0)}$
and $L(s, z) = 0$ holds with probability $p = \frac12(1 + 2^{-8.8})$, the product of the three component biases by the piling-up lemma.

Distinguisher for SOBER-128: Distinguishing Attack on SOBER-128
The approximation can be written as $L(s, z) = \mathrm{linear}(s) \oplus z_{(0)} \oplus z_{(29)} \oplus z_{(30)}$.
Applying the linear masking method, $\mathrm{linear}(s)$ vanishes under the low-weight LFSR relation. The distinguisher is therefore
$\bigoplus_{i=1}^{6} \left( z_{t+\tau_i,(0)} \oplus z_{t+\tau_i,(29)} \oplus z_{t+\tau_i,(30)} \right) = 0$
with bias $(2^{-8.8})^6 = 2^{-52.8}$.

Crossword Puzzle Attack on NLS
1. Principle of attack
2. Structure of NLS
3. Distinguishing attack on NLS

Crossword Puzzle Attack on NLS: Principle of Attack
- Target system: non-linear feedback shift register (NFSR) + non-linear filter (NLF).
- Derive linear approximations of the NFSR and of the NLF.
- Combine a set of both kinds of approximations so that the internal state bits are eliminated.
- Build a distinguisher that uses the observable output bits only.

Crossword Puzzle Attack on NLS: Simple Example
$\Pr(X_1 \oplus X_2 = 0)$ has bias $\epsilon_1$ and $\Pr(X_3 \oplus X_4 = 0)$ has bias $\epsilon_1$, hence $\Pr(X_1 \oplus X_2 \oplus X_3 \oplus X_4 = 0)$ has bias $\epsilon_1^2$.
$\Pr(X_1 \oplus X_3 = Z_1)$ has bias $\epsilon_2$ and $\Pr(X_2 \oplus X_4 = Z_2)$ has bias $\epsilon_2$, hence $\Pr(X_1 \oplus X_2 \oplus X_3 \oplus X_4 = Z_1 \oplus Z_2)$ has bias $\epsilon_2^2$.
Then $\Pr(Z_1 \oplus Z_2 = 0)$ has bias $\epsilon_1^2 \epsilon_2^2$.

Crossword Puzzle Attack on NLS: Probabilistic Model
- Linear approximations of the NFSR: $l_1(s) = 0$ with bias $\epsilon_1$.
- Linear approximations of the NLF: $u_i(s) = l_2(z)$ with bias $\epsilon_2$.
Write each NFSR relation as a sum of NLF input masks:
$l_1(s_{i_1}) = u_1(s_{i_1}) + u_2(s_{i_1}) + \cdots + u_n(s_{i_1})$
$l_1(s_{i_2}) = u_1(s_{i_2}) + u_2(s_{i_2}) + \cdots + u_n(s_{i_2})$
$\vdots$
$l_1(s_{i_m}) = u_1(s_{i_m}) + u_2(s_{i_m}) + \cdots + u_n(s_{i_m})$
Summing the $m$ rows, each column $u_j(\cdot)$ is replaced by its keystream approximation $l_2(z_{j_1}), l_2(z_{j_2}), \dots, l_2(z_{j_n})$; rows are NFSR relations and columns are NLF relations, hence the name crossword puzzle.
Distinguisher: $l_2(z_{j_1}) + \cdots + l_2(z_{j_n}) = 0$.
Bias: $\epsilon_1^m \epsilon_2^n$ (by the piling-up lemma).

Crossword Puzzle Attack on NLS: NLS Cipher
- The NFSR has 17 states $r[0], \dots, r[16]$; each state is a 32-bit word.
- Konst is a 32-bit key-dependent constant.
- State update ($+$ denotes addition modulo $2^{32}$, $\lll$ rotation to the left):
  $r_{t+1}[i] = r_t[i+1]$ for $i = 0, \dots, 15$
  $r_{t+1}[16] = f((r_t[0] \lll 19) + (r_t[15] \lll 9) + \mathrm{Konst}) \oplus r_t[4]$
  where $f(a) = \text{S-box}(a_H) \oplus a$ and $a_H$ is the most significant 8 bits of the 32-bit word $a$.
- If $t \equiv 0 \pmod{65537}$, then $r_{t+1}[2] = r_{t+1}[2] + t$.
- NLF (non-linear filter): $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + \mathrm{Konst})$.

Crossword Puzzle Attack on NLS: f-function of NFSR
[Figure: $r_t[0] \lll 19$, $r_t[15] \lll 9$ and Konst are added; the top byte of the sum enters the S-box, whose output is $\alpha_t$; the result is combined with $r_t[4]$ to give $r_{t+1}[16]$.]

Crossword Puzzle Attack on NLS: Linear Approximations of NFSR
The input of the S-box is $(r_t[0] \lll 19)_{(H)} + (r_t[15] \lll 9)_{(H)} + \text{carry bit}$ (with $\mathrm{Konst} = 0$), i.e. 17 input bits: $2^{17}$ rows. Linear combinations of the bits of $(r_t[0] \lll 19)_{(H)}$ and $(r_t[15] \lll 9)_{(H)}$: $2^{16}$ columns. We build the truth table with $2^{17}$ rows and $2^{16}$ columns.

  Linear approximation of $\alpha_{t,(0)}$                                                                                      bias
  $r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_t[15]_{(20)} \oplus r_t[15]_{(16)} \oplus r_t[15]_{(15)}$                          $\frac12(1 + \cdot)$
  $r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_t[0]_{(5)} \oplus r_t[15]_{(20)} \oplus r_t[15]_{(16)}$                            $\frac12(1 + \cdot)$
  $r_t[0]_{(12)} \oplus r_t[15]_{(22)}$                                                                                          $\frac12(1 + \cdot)$
  $r_t[0]_{(10)} \oplus r_t[15]_{(20)}$                                                                                          $\frac12(1 + \cdot)$
  $r_t[0]_{(12)} \oplus r_t[0]_{(11)} \oplus r_t[0]_{(10)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(21)} \oplus r_t[15]_{(20)}$    $\frac12(1 + \cdot)$
  (the numerical biases were not preserved in the transcription)

Crossword Puzzle Attack on NLS: Linear Approximation for NLF
For $r[z] = r[x] + r[y]$ (addition modulo $2^{32}$):
$\Pr(r[z]_{(0)} = r[x]_{(0)} \oplus r[y]_{(0)}) = 1$
$\Pr(r[z]_{(i)} \oplus r[z]_{(i-1)} = r[x]_{(i)} \oplus r[y]_{(i)} \oplus r[x]_{(i-1)} \oplus r[y]_{(i-1)}) = \frac12(1 + 2^{-1})$
(the two adjacent carry bits cancel with probability $3/4$).
With $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + \mathrm{Konst})$:
$\nu_{t,(0)} = (r_t[0]_{(0)} \oplus r_t[16]_{(0)}) \oplus (r_t[1]_{(0)} \oplus r_t[13]_{(0)}) \oplus (r_t[6]_{(0)} \oplus \mathrm{Konst}_{(0)})$
$\nu_{t,(i)} \oplus \nu_{t,(i-1)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)}) \oplus (r_t[6]_{(i)} \oplus \mathrm{Konst}_{(i)} \oplus r_t[6]_{(i-1)} \oplus \mathrm{Konst}_{(i-1)})$
When $\mathrm{Konst} = 0$ the third term is exact and the two remaining additions each contribute $2^{-1}$: $\Pr = \frac12(1 + (2^{-1})^2) = \frac12(1 + 2^{-2})$.

Crossword Puzzle Attack on NLS: Attack on NLS with Konst = 0
Take the first NFSR approximation from the table (bits $(10), (6)$ of $r_t[0]$ and $(20), (16), (15)$ of $r_t[15]$) together with the exact least-significant-bit terms $r_t[0]_{(13)} \oplus r_t[15]_{(23)} \oplus r_t[4]_{(0)} \oplus r_{t+1}[16]_{(0)}$ of the feedback. Since $r_{t+p}[0] = r_t[p]$, the relation can be written in terms of $r[0]$ alone, and shifting $t$ gives the same relation for each of the five registers $j \in \{0, 1, 6, 13, 16\}$ that enter the NLF:
$r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_t[0]_{(13)} \oplus r_{t+15}[0]_{(20)} \oplus r_{t+15}[0]_{(16)} \oplus r_{t+15}[0]_{(15)} \oplus r_{t+15}[0]_{(23)} \oplus r_{t+4}[0]_{(0)} \oplus r_{t+17}[0]_{(0)} = 0$
$r_t[1]_{(10)} \oplus r_t[1]_{(6)} \oplus r_t[1]_{(13)} \oplus r_{t+15}[1]_{(20)} \oplus r_{t+15}[1]_{(16)} \oplus r_{t+15}[1]_{(15)} \oplus r_{t+15}[1]_{(23)} \oplus r_{t+4}[1]_{(0)} \oplus r_{t+17}[1]_{(0)} = 0$
$r_t[6]_{(10)} \oplus r_t[6]_{(6)} \oplus r_t[6]_{(13)} \oplus r_{t+15}[6]_{(20)} \oplus r_{t+15}[6]_{(16)} \oplus r_{t+15}[6]_{(15)} \oplus r_{t+15}[6]_{(23)} \oplus r_{t+4}[6]_{(0)} \oplus r_{t+17}[6]_{(0)} = 0$
$r_t[13]_{(10)} \oplus r_t[13]_{(6)} \oplus r_t[13]_{(13)} \oplus r_{t+15}[13]_{(20)} \oplus r_{t+15}[13]_{(16)} \oplus r_{t+15}[13]_{(15)} \oplus r_{t+15}[13]_{(23)} \oplus r_{t+4}[13]_{(0)} \oplus r_{t+17}[13]_{(0)} = 0$
$r_t[16]_{(10)} \oplus r_t[16]_{(6)} \oplus r_t[16]_{(13)} \oplus r_{t+15}[16]_{(20)} \oplus r_{t+15}[16]_{(16)} \oplus r_{t+15}[16]_{(15)} \oplus r_{t+15}[16]_{(23)} \oplus r_{t+4}[16]_{(0)} \oplus r_{t+17}[16]_{(0)} = 0$
Summing the five rows column by column, each column becomes $\mu_{t,(i)} = r_t[0]_{(i)} \oplus r_t[1]_{(i)} \oplus r_t[6]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[16]_{(i)}$, the single-bit approximation of $\nu_{t,(i)} \oplus \mathrm{Konst}_{(i)}$. The distinguisher is
$\mu_{t,(10)} \oplus \mu_{t,(6)} \oplus \mu_{t+15,(20)} \oplus \mu_{t+15,(16)} \oplus \mu_{t+15,(15)} \oplus \mu_{t,(13)} \oplus \mu_{t+15,(23)} \oplus \mu_{t+4,(0)} \oplus \mu_{t+17,(0)} = K$
where $K = \mathrm{Konst}_{(10)} \oplus \mathrm{Konst}_{(6)} \oplus \mathrm{Konst}_{(20)} \oplus \mathrm{Konst}_{(16)} \oplus \mathrm{Konst}_{(15)} \oplus \mathrm{Konst}_{(13)} \oplus \mathrm{Konst}_{(23)}$ (the two $\mathrm{Konst}_{(0)}$ contributions cancel).
Bias: $(2^{-1})^2 \cdot (\,\cdot\,)^5$ (the NFSR factor and the product were not preserved in the transcription).

Crossword Puzzle Attack on NLS: Attack on NLS with Konst = 0 (cont.)
Recall $\alpha_{t,(0)} = r_t[0]_{(12)} \oplus r_t[15]_{(22)}$ with $p = \frac12(1 + \cdot)$ (bias not preserved in the transcription), and $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + \mathrm{Konst})$.
Linear approximation of the NFSR, from the least significant bit of $r_{t+1}[16] = f(\cdot) \oplus r_t[4]$:
$\underbrace{r_t[4]_{(0)} \oplus r_{t+1}[16]_{(0)}}_{l_1(r_t)} \oplus \underbrace{\overbrace{r_t[0]_{(12)} \oplus r_t[15]_{(22)}}^{\alpha_{t,(0)}} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(23)}}_{l_2(r_t)} = 0$
For $l_1(r_t)$, take the clocks $t, t+1, t+6, t+13, t+16$:
$l_1(r_t) = r_t[4]_{(0)} \oplus r_{t+1}[16]_{(0)}$
$l_1(r_{t+1}) = r_{t+1}[4]_{(0)} \oplus r_{t+2}[16]_{(0)}$
$l_1(r_{t+6}) = r_{t+6}[4]_{(0)} \oplus r_{t+7}[16]_{(0)}$
$l_1(r_{t+13}) = r_{t+13}[4]_{(0)} \oplus r_{t+14}[16]_{(0)}$
$l_1(r_{t+16}) = r_{t+16}[4]_{(0)} \oplus r_{t+17}[16]_{(0)}$
Their sum equals $\nu_{t+4,(0)} \oplus \nu_{t+17,(0)}$ (since $r_{t+k}[4] = r_{t+4}[k]$ and $r_{t+k+1}[16] = r_{t+17}[k]$ for $k \in \{0, 1, 6, 13, 16\}$).

Crossword Puzzle Attack on NLS: Attack on NLS with Konst = 0 (cont.)
$l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(23)}$
For the clocks $t, t+1, t+6, t+13, t+16$:
$l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(23)}$
$l_2(r_{t+1}) = r_{t+1}[0]_{(12)} \oplus r_{t+1}[0]_{(13)} \oplus r_{t+1}[15]_{(22)} \oplus r_{t+1}[15]_{(23)}$
$l_2(r_{t+6}) = r_{t+6}[0]_{(12)} \oplus r_{t+6}[0]_{(13)} \oplus r_{t+6}[15]_{(22)} \oplus r_{t+6}[15]_{(23)}$
$l_2(r_{t+13}) = r_{t+13}[0]_{(12)} \oplus r_{t+13}[0]_{(13)} \oplus r_{t+13}[15]_{(22)} \oplus r_{t+13}[15]_{(23)}$
$l_2(r_{t+16}) = r_{t+16}[0]_{(12)} \oplus r_{t+16}[0]_{(13)} \oplus r_{t+16}[15]_{(22)} \oplus r_{t+16}[15]_{(23)}$
Since $r_{t+p}[0] = r_t[p]$:
$l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_{t+15}[0]_{(22)} \oplus r_{t+15}[0]_{(23)}$
$l_2(r_{t+1}) = r_t[1]_{(12)} \oplus r_t[1]_{(13)} \oplus r_{t+15}[1]_{(22)} \oplus r_{t+15}[1]_{(23)}$
$l_2(r_{t+6}) = r_t[6]_{(12)} \oplus r_t[6]_{(13)} \oplus r_{t+15}[6]_{(22)} \oplus r_{t+15}[6]_{(23)}$
$l_2(r_{t+13}) = r_t[13]_{(12)} \oplus r_t[13]_{(13)} \oplus r_{t+15}[13]_{(22)} \oplus r_{t+15}[13]_{(23)}$
$l_2(r_{t+16}) = r_t[16]_{(12)} \oplus r_t[16]_{(13)} \oplus r_{t+15}[16]_{(22)} \oplus r_{t+15}[16]_{(23)}$
Summing the columns gives $\nu_{t,(12)} \oplus \nu_{t,(13)}$ from the first two columns and $\nu_{t+15,(22)} \oplus \nu_{t+15,(23)}$ from the last two, each pair of adjacent bits being one NLF approximation.

Crossword Puzzle Attack on NLS: Attack on NLS with Konst = 0 (cont.)
Therefore
$l_2(r_t) \oplus l_2(r_{t+1}) \oplus l_2(r_{t+6}) \oplus l_2(r_{t+13}) \oplus l_2(r_{t+16}) = \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)}$.
Combining $l_1$ and $l_2$, the distinguisher is
$l_1(r_t) \oplus l_1(r_{t+1}) \oplus l_1(r_{t+6}) \oplus l_1(r_{t+13}) \oplus l_1(r_{t+16}) \oplus l_2(r_t) \oplus l_2(r_{t+1}) \oplus l_2(r_{t+6}) \oplus l_2(r_{t+13}) \oplus l_2(r_{t+16})$
$= \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$.
The NFSR approximation is used 5 times and the NLF approximation twice.
Bias: $(\,\cdot\,)^5 (2^{-2})^2$ (the NFSR factor and the product were not preserved in the transcription).

Crossword Puzzle Attack on NLS: Attack on NLS with Konst ≠ 0
When $\mathrm{Konst} \ne 0$ the biases of the linear approximations of both the NFSR and the NLF change. Denote $\mathrm{Konst}_{(H)} = (\mathrm{Konst}_{(31)}, \dots, \mathrm{Konst}_{(24)})$ and $\mathrm{Konst}_{(L)} = (\mathrm{Konst}_{(23)}, \dots, \mathrm{Konst}_{(0)})$.
[Figure: variation of the bias of $\alpha_{t,(0)} = r_t[0]_{(12)} \oplus r_t[15]_{(22)}$ as a function of $\mathrm{Konst}_{(H)}$.]

Crossword Puzzle Attack on NLS: Attack on NLS with Konst ≠ 0 (cont.)
When $\mathrm{Konst}_{(H)}$ is around 1 or 120, the two-bit NLF approximation is used:
$\nu_{t,(i)} \oplus \nu_{t,(i-1)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)}) \oplus (r_t[6]_{(i)} \oplus \mathrm{Konst}_{(i)} \oplus r_t[6]_{(i-1)} \oplus \mathrm{Konst}_{(i-1)})$
When $\mathrm{Konst}_{(H)}$ is around 51 or 179, a four-bit approximation is used instead:
$\nu_{t,(i)} \oplus \nu_{t,(i-1)} \oplus \nu_{t,(i-2)} \oplus \nu_{t,(i-3)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)} \oplus r_t[0]_{(i-2)} \oplus r_t[16]_{(i-2)} \oplus r_t[0]_{(i-3)} \oplus r_t[16]_{(i-3)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)} \oplus r_t[1]_{(i-2)} \oplus r_t[13]_{(i-2)} \oplus r_t[1]_{(i-3)} \oplus r_t[13]_{(i-3)}) \oplus (r_t[6]_{(i)} \oplus \mathrm{Konst}_{(i)} \oplus r_t[6]_{(i-1)} \oplus \mathrm{Konst}_{(i-1)} \oplus r_t[6]_{(i-2)} \oplus \mathrm{Konst}_{(i-2)} \oplus r_t[6]_{(i-3)} \oplus \mathrm{Konst}_{(i-3)})$
For the new approximation we need, for each addition,
$(r[x] + r[y])_{(i)} \oplus (r[x] + r[y])_{(i-1)} \oplus (r[x] + r[y])_{(i-2)} \oplus (r[x] + r[y])_{(i-3)} = r[x]_{(i)} \oplus r[y]_{(i)} \oplus r[x]_{(i-1)} \oplus r[y]_{(i-1)} \oplus r[x]_{(i-2)} \oplus r[y]_{(i-2)} \oplus r[x]_{(i-3)} \oplus r[y]_{(i-3)}$,
which has bias $2^{-2}$ (the mask covers two pairs of adjacent carry bits, each pair contributing $2^{-1}$ exactly as in the two-bit approximation).

Crossword Puzzle Attack on NLS: Attack on NLS with Konst ≠ 0 (cont.)
The bias of the third term of the NLF approximation depends on $\mathrm{Konst}_{(L)}$:
$(r_t[6] + \mathrm{Konst})_{(i)} \oplus (r_t[6] + \mathrm{Konst})_{(i-1)} = r_t[6]_{(i)} \oplus \mathrm{Konst}_{(i)} \oplus r_t[6]_{(i-1)} \oplus \mathrm{Konst}_{(i-1)}$
[Figure: variation of this bias with $\mathrm{Konst}_{(L)}$ for $i = 13$.]

Crossword Puzzle Attack on NLS: Attack on NLS with Konst ≠ 0 (cont.)
Distinguisher 1: $\nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$
- Average bias of the NFSR approximation: $2^{-5.4}$
- Average bias of the NLF approximation: $2^{-3}$
- Average bias of the distinguisher: $(2^{-5.4})^5 (2^{-3})^2 = 2^{-33}$
For some values of Konst the bias of the distinguisher becomes considerably smaller than this average (e.g. $\mathrm{Konst}_{(H)} = 51$ or 179).

Crossword Puzzle Attack on NLS: Attack on NLS with Konst ≠ 0 (cont.)
Distinguisher 2: $\nu_{t,(10)} \oplus \nu_{t,(11)} \oplus \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(20)} \oplus \nu_{t+15,(21)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$
When $\mathrm{Konst}_{(H)} = 51$ or 179:
- bias of the NFSR approximation: not preserved in the transcription
- bias of the NLF approximation: $2^{-6}$
- average bias: $(\,\cdot\,)^5 (2^{-6})^2$ (product not preserved in the transcription)
An adversary observes distinguishers 1 and 2 simultaneously. Since the keystream is produced in words, the data complexity of the attack is unchanged.

Distinguisher for Dragon
1. Structure of Dragon
2. Linear approximations of the functions used in Dragon
3. Building the distinguisher
4. Generalized masks and distinguishers
5. Future research

Distinguisher for Dragon: Structure of Dragon
- Dragon is a word-oriented stream cipher submitted to the eSTREAM project.
- During Phase 1, Englund and Maximov presented a distinguishing attack against Dragon that requires a large number of keystream words (the figure was not preserved in the transcription) and $2^{96}$ memory.
- Dragon consists of a 1024-bit nonlinear feedback register, a nonlinear state update function, and a 64-bit internal memory.
- Two key sizes: 128 or 256 bits.
- 64-bit (two-word) keystream output per clock.
- The nonlinear state update function (F function) maps 192 bits (six words) to 192 bits (six words).

Distinguisher for Dragon: Structure of Dragon - Function F
[Figure: the F function takes six input words $(a, b, c, d, e, f)$, passes them through a network of modular additions and XORs together with the components $G_1, G_2, G_3, H_1, H_2, H_3$, and outputs six words $(a', b', c', d', e', f')$.]

Distinguisher for Dragon: Structure of Dragon - Functions G and H
The functions $G$ and $H$ are built from two $8 \times 32$ S-boxes $S_1$ and $S_2$. If the 32-bit input $x$ is split into four bytes $x = x_0 \| x_1 \| x_2 \| x_3$, then
$G_1(x) = S_1(x_0) \oplus S_1(x_1) \oplus S_1(x_2) \oplus S_2(x_3)$
$G_2(x) = S_1(x_0) \oplus S_1(x_1) \oplus S_2(x_2) \oplus S_1(x_3)$
$G_3(x) = S_1(x_0) \oplus S_2(x_1) \oplus S_1(x_2) \oplus S_1(x_3)$
$H_1(x) = S_2(x_0) \oplus S_2(x_1) \oplus S_2(x_2) \oplus S_1(x_3)$
$H_2(x) = S_2(x_0) \oplus S_2(x_1) \oplus S_1(x_2) \oplus S_2(x_3)$
$H_3(x) = S_2(x_0) \oplus S_1(x_1) \oplus S_2(x_2) \oplus S_2(x_3)$

Distinguisher for Dragon: Structure of Dragon - State update
- Nonlinear shift register state: $B_0, B_1, \dots, B_{31}$, each $B_i$ a 32-bit word.
- Internal memory: $M = (M_L \| M_R)$, where $M_L$ and $M_R$ are 32-bit words.
Keystream generation:
Input: $\{B_0, B_1, \dots, B_{31}\}$ and $M = (M_L \| M_R)$.
1. $a = B_0$, $b = B_9$, $c = B_{16}$, $d = B_{19}$, $e = B_{30} \oplus M_L$, $f = B_{31} \oplus M_R$.
2. $(a', b', c', d', e', f') = F(a, b, c, d, e, f)$.
3. $B_0 = b'$, $B_1 = c'$, $B_i = B_{i-2}$ for $2 \le i \le 31$; $M = M + 1$.
Output: $k = (a' \| e')$.

Distinguisher for Dragon: Approximations - Definition of Bias
Let $f : \{0,1\}^m \to \{0,1\}^n$ for positive integers $m$ and $n$. Given a linear input mask $\Lambda \in GF(2^m)$ and a linear output mask $\Gamma \in GF(2^n)$, the bias of the approximation $\Lambda \cdot x = \Gamma \cdot f(x)$ is measured over the $2^m$ inputs as
$\epsilon_f(\Lambda, \Gamma) = 2^{-m} \left( \#\{x : \Lambda \cdot x \oplus \Gamma \cdot f(x) = 0\} - \#\{x : \Lambda \cdot x \oplus \Gamma \cdot f(x) = 1\} \right)$,
so that $\Pr[\Lambda \cdot x = \Gamma \cdot f(x)] = \frac12 (1 + \epsilon_f(\Lambda, \Gamma))$.

Distinguisher for Dragon: Approximations of Functions G and H
Linear approximations of the functions $G$ and $H$ are constructed by combining approximations of $S_1$ and $S_2$ appropriately. Two special forms are needed:
- bypassing approximations: $\Gamma \cdot G(x) = \Gamma \cdot x$
- cutting approximations: $\Gamma \cdot H(x) = 0$

  approximation                           bias
  $\Gamma \cdot H(x) = 0$                 $\epsilon_H(0, \Gamma)$
  $\Gamma \cdot x = \Gamma \cdot G_1(x)$  $\epsilon_{G_1}(\Gamma, \Gamma)$
  $\Gamma \cdot x = \Gamma \cdot G_2(x)$  $\epsilon_{G_2}(\Gamma, \Gamma)$
  (the slide's example masks and numerical biases were not preserved in the transcription)

Distinguisher for Dragon: Approximations of Function H
Let $x = x_0 \| x_1 \| x_2 \| x_3$ ($x_i$: $i$-th byte of $x$). The approximation $\Gamma \cdot H_1(x) = 0$ can be written as
$\Gamma \cdot H_1(x) = \Gamma \cdot S_2(x_0) \oplus \Gamma \cdot S_2(x_1) \oplus \Gamma \cdot S_2(x_2) \oplus \Gamma \cdot S_1(x_3) = 0$.
The four bytes are independent inputs, so by the piling-up lemma
$\epsilon_{H_1}(0, \Gamma) = \epsilon_{S_2}(0, \Gamma)^3 \, \epsilon_{S_1}(0, \Gamma)$,
where $\epsilon_{S_i}(0, \Gamma)$ denotes the bias of $\Gamma \cdot S_i(x_j) = 0$. By the structure of $H_1, H_2, H_3$ (three $S_2$ bytes and one $S_1$ byte each), $\epsilon_{H_1}(0, \Gamma) = \epsilon_{H_2}(0, \Gamma) = \epsilon_{H_3}(0, \Gamma)$.

Distinguisher for Dragon: Approximations of Function G
Let $x = x_0 \| x_1 \| x_2 \| x_3$, where $x_i$ is the $i$-th byte of $x$, and let the mask be $\Gamma = \Gamma_0 \| \Gamma_1 \| \Gamma_2 \| \Gamma_3$ with $\Gamma_i \in \{0,1\}^8$. The approximation $\Gamma \cdot x = \Gamma \cdot G_1(x)$ decomposes as
$\Gamma \cdot (x \oplus G_1(x)) = (\Gamma_0 \cdot x_0 \oplus \Gamma \cdot S_1(x_0)) \oplus (\Gamma_1 \cdot x_1 \oplus \Gamma \cdot S_1(x_1)) \oplus (\Gamma_2 \cdot x_2 \oplus \Gamma \cdot S_1(x_2)) \oplus (\Gamma_3 \cdot x_3 \oplus \Gamma \cdot S_2(x_3)) = 0$.
Hence the bias $\epsilon_{G_1}(\Gamma, \Gamma)$ is
$\epsilon_{G_1}(\Gamma, \Gamma) = \epsilon_{S_1}(\Gamma_0, \Gamma)\, \epsilon_{S_1}(\Gamma_1, \Gamma)\, \epsilon_{S_1}(\Gamma_2, \Gamma)\, \epsilon_{S_2}(\Gamma_3, \Gamma)$,
where $\epsilon_{S_i}(\Gamma_j, \Gamma)$ denotes the bias of $\Gamma_j \cdot x_j \oplus \Gamma \cdot S_i(x_j) = 0$.

Distinguisher for Dragon: Approximations of Modular Addition
Let $\Gamma = (\gamma_{n-1}, \dots, \gamma_0)$, $\gamma_i \in \{0, 1\}$, be a linear mask of Hamming weight $m$, and let $W_\Gamma = (w_{m-1}, w_{m-2}, \dots, w_0)$ with $w_{m-1} > \cdots > w_0$ list the bit positions $i$ with $\gamma_i = 1$. Then the bias $\epsilon_+(\Gamma, \Gamma)$ of the approximation $\Gamma \cdot (x + y) = \Gamma \cdot x \oplus \Gamma \cdot y$ (addition modulo $2^n$, inputs uniform) is
$\epsilon_+(\Gamma, \Gamma) = 2^{-d_1}$ with $d_1 = \sum_{i=0}^{m/2 - 1} (w_{2i+1} - w_{2i})$ when $m$ is even, and
$\epsilon_+(\Gamma, \Gamma) = 2^{-d_2}$ with $d_2 = \sum_{i=1}^{(m-1)/2} (w_{2i} - w_{2i-1}) + w_0$ when $m$ is odd.
For example, for $\Gamma = \mathrm{0x0600018D}$ the Hamming weight is 7 and $W_\Gamma = (26, 25, 8, 7, 3, 2, 0)$, hence $\epsilon_+(\Gamma, \Gamma) = 2^{-[(26 - 25) + (8 - 7) + (3 - 2) + 0]} = 2^{-3}$.
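The closed form for $\epsilon_+(\Gamma, \Gamma)$ depends only on the mask positions, not on the word length, so it can be sanity-checked by brute force on short words. The Python below is an added example, not code from the talk: it implements the formula above, compares it with an exhaustive count over every operand pair for 8-bit words, evaluates the 32-bit mask $\mathrm{0x0600018D}$ from the example, and also reproduces the $2^{-1}$ bias of the two-adjacent-bit approximation used for the NLS filter and the piling-up product in the $\frac12(1 + \epsilon)$ convention of the SOBER-128 section. Function names and the masks tested are my own choices.

```python
"""Linear-mask bias of modular addition, eps_+(Gamma, Gamma).

Added example, not code from the talk.  Implements the closed form from the
slide (bit positions W_Gamma paired from the least significant end) and checks
it against an exhaustive count over every operand pair of n-bit words.  The
bias convention is the slides':  Pr[Gamma.(x+y) = Gamma.x XOR Gamma.y]
= 1/2 (1 + eps).  Note that Gamma.(x+y) XOR Gamma.x XOR Gamma.y is just
Gamma applied to the carry word, so eps is the bias of the masked carries.
"""
from fractions import Fraction


def parity(v):
    """Parity of the bits of v; with v = Gamma & x this is the dot product Gamma.x."""
    return bin(v).count("1") & 1


def mask_positions(gamma):
    """W_Gamma in ascending order: [w_0, w_1, ..., w_{m-1}] with gamma_w = 1."""
    return [i for i in range(gamma.bit_length()) if gamma >> i & 1]


def addition_bias_formula(gamma):
    """eps_+(Gamma, Gamma) = 2^-d_1 (m even) or 2^-d_2 (m odd), as on the slide."""
    w = mask_positions(gamma)
    m = len(w)
    if m == 0:
        return Fraction(1)
    if m % 2 == 0:
        d = sum(w[2 * i + 1] - w[2 * i] for i in range(m // 2))
    else:
        d = w[0] + sum(w[2 * i] - w[2 * i - 1] for i in range(1, (m - 1) // 2 + 1))
    return Fraction(1, 2 ** d)


def addition_bias_exhaustive(gamma, n):
    """eps = 2^-(2n) * (#{(x,y): relation holds} - #{(x,y): it fails}) for
    n-bit words.  Exact, hence only feasible for small n."""
    mask = (1 << n) - 1
    agree = 0
    for x in range(1 << n):
        for y in range(1 << n):
            lhs = parity(gamma & ((x + y) & mask))
            rhs = parity(gamma & x) ^ parity(gamma & y)
            agree += lhs == rhs
    total = 1 << (2 * n)
    return Fraction(2 * agree - total, total)


def piling_up(*biases):
    """Piling-up lemma in the 1/2(1+eps) convention: the XOR of independent
    approximations has bias equal to the product of the individual biases."""
    result = Fraction(1)
    for b in biases:
        result *= b
    return result


if __name__ == "__main__":
    print("Dragon example mask 0x0600018D:", addition_bias_formula(0x0600018D))
    for g in (0x8D, 0x03, 0x85, 0xF0):
        print("mask 0x%02X: formula %s, exhaustive (8-bit words) %s"
              % (g, addition_bias_formula(g), addition_bias_exhaustive(g, 8)))
    # NLS filter with Konst = 0: two additions, each approximated on bits (i, i-1)
    two_bit = addition_bias_formula(0b11 << 12)
    print("NLS two-bit approximation:", two_bit, "-> NLF bias", piling_up(two_bit, two_bit))
```

Two things worth noticing when running it: the exhaustive and closed-form values agree exactly, not just approximately (the pairing of mask bits from the bottom is an exact description of how carries correlate), and a four-consecutive-bit mask such as $\mathrm{0xF0}$ gives $2^{-2}$, which is the figure used for the four-bit NLS approximation above.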

Distinguisher for Dragon: Approximation of Function F
By the state update rule of Dragon each clock moves a word two positions down the register ($B_i \leftarrow B_{i-2}$), so $B_0[t] = B_{30}[t + 15]$ for $t = 0, 1, \dots$
Moreover $a = B_0$ and $e = B_{30} \oplus M_L$ are two of the six input words of the F function. We therefore look for approximations $\Gamma \cdot a' = \Gamma \cdot a$ and $\Gamma \cdot e' = \Gamma \cdot e$, where $a'$ and $e'$ are the two output words of F that form the keystream.

Distinguisher for Dragon: Approximation of $a'$
The output word $a'$ is expressed as ($+$ denotes addition modulo $2^{32}$; $G_2$ and $H_2$ take $(a \oplus b) + c$ as input)
$a' = [(a + (e \oplus f)) \oplus H_1(\cdot)] \oplus [(e \oplus f \oplus G_2(\cdot)) + (H_2(\cdot) \oplus ((a \oplus b) + c))]$
By the linearity of the mask,
$\Gamma \cdot a' = \Gamma \cdot [(a + (e \oplus f)) \oplus H_1(\cdot)] \oplus \Gamma \cdot [(e \oplus f \oplus G_2(\cdot)) + (H_2(\cdot) \oplus ((a \oplus b) + c))]$.
By the approximation of modular addition,
$\Gamma \cdot [(e \oplus f \oplus G_2(\cdot)) + (H_2(\cdot) \oplus ((a \oplus b) + c))] = \Gamma \cdot (e \oplus f \oplus G_2(\cdot)) \oplus \Gamma \cdot [H_2(\cdot) \oplus ((a \oplus b) + c)]$,
which holds with bias $\epsilon_+(\Gamma, \Gamma)$.

Distinguisher for Dragon: Approximation of $a'$ (cont.)
Hence
$\Gamma \cdot a' = \Gamma \cdot [(a + (e \oplus f)) \oplus H_1(\cdot)] \oplus \Gamma \cdot (e \oplus f \oplus G_2(\cdot)) \oplus \Gamma \cdot [H_2(\cdot) \oplus ((a \oplus b) + c)]$.
Applying the cutting approximations $\Gamma \cdot H_1(\cdot) = 0$, $\Gamma \cdot H_2(\cdot) = 0$ and the bypassing approximation $\Gamma \cdot G_2(y) = \Gamma \cdot y$ with $y = (a \oplus b) + c$, we get
$\Gamma \cdot a' = \Gamma \cdot [a + (e \oplus f)] \oplus \Gamma \cdot (e \oplus f \oplus [(a \oplus b) + c]) \oplus \Gamma \cdot [(a \oplus b) + c] = \Gamma \cdot [a + (e \oplus f)] \oplus \Gamma \cdot (e \oplus f)$.
From the approximation of modular addition, $\Gamma \cdot [a + (e \oplus f)] = \Gamma \cdot a \oplus \Gamma \cdot (e \oplus f)$, and therefore
$\Gamma \cdot a' = \Gamma \cdot a$.

Distinguisher for Dragon: Approximation of $a'$ (cont.)
$\Gamma \cdot [a + (e \oplus f)] = \Gamma \cdot a \oplus \Gamma \cdot (e \oplus f)$ holds with bias $\epsilon_+(\Gamma, \Gamma)$. Therefore the bias of the approximation $\Gamma \cdot a' = \Gamma \cdot a$ is the product of the component biases:
$\epsilon_{a'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^2\, \epsilon_{H_1}(0, \Gamma)\, \epsilon_{H_2}(0, \Gamma)\, \epsilon_{G_2}(\Gamma, \Gamma)$.
Since $a'$ is the upper word of the 64-bit keystream output, $\Gamma \cdot k_0[t] = \Gamma \cdot B_0[t]$, where $k_0[t]$ denotes the upper 32-bit word of the keystream $k$ at clock $t$.

Distinguisher for Dragon: Approximation of $e'$
The output word $e'$ is ($G_1$ takes $a + (e \oplus f)$ as input, $H_3$ takes $(c \oplus d) + e$)
$e' = [((a + (e \oplus f)) \oplus H_1(\cdot)) + (c \oplus d \oplus G_1(\cdot))] \oplus [H_3(\cdot) \oplus ((c \oplus d) + e)]$.
From the approximation of modular addition,
$\Gamma \cdot e' = \Gamma \cdot [(a + (e \oplus f)) \oplus H_1(\cdot)] \oplus \Gamma \cdot (c \oplus d \oplus G_1(\cdot)) \oplus \Gamma \cdot [H_3(\cdot) \oplus ((c \oplus d) + e)]$.
Applying the cutting approximations for $H_1$, $H_3$ and the bypassing approximation for $G_1$, we get
$\Gamma \cdot e' = \Gamma \cdot [a + (e \oplus f)] \oplus \Gamma \cdot (c \oplus d \oplus [a + (e \oplus f)]) \oplus \Gamma \cdot [(c \oplus d) + e] = \Gamma \cdot (c \oplus d) \oplus \Gamma \cdot [(c \oplus d) + e]$.

Distinguisher for Dragon: Approximation of $e'$ (cont.)
From the approximation of modular addition, $\Gamma \cdot [(c \oplus d) + e] = \Gamma \cdot (c \oplus d) \oplus \Gamma \cdot e$, hence $\Gamma \cdot e' = \Gamma \cdot e$ with bias
$\epsilon_{e'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^2\, \epsilon_{H_1}(0, \Gamma)\, \epsilon_{H_3}(0, \Gamma)\, \epsilon_{G_1}(\Gamma, \Gamma)$.
Since the 32-bit word $e'$ is the lower word of the 64-bit keystream output $k$,
$\Gamma \cdot k_1[t] = \Gamma \cdot (B_{30}[t] \oplus M_L[t])$,
where $k_1[t]$ is the lower 32-bit word of $k$ and $M_L[t]$ the upper 32-bit word of the 64-bit memory $M$ at clock $t$.

Distinguisher for Dragon: Distinguisher
From the approximations of F and the register shift,
$\Gamma \cdot k_0[t] = \Gamma \cdot B_0[t] = \Gamma \cdot B_{30}[t + 15] = \Gamma \cdot (k_1[t + 15] \oplus M_L[t + 15])$.
Since $M$ is a counter incremented once per clock, guessing (part of) its initial value fixes $\Gamma \cdot M_L[t + 15]$ for every $t$, which gives the distinguisher
$\Gamma \cdot k_0[t] = \Gamma \cdot k_1[t + 15] \oplus \Gamma \cdot M_L[t + 15]$
with the right-hand correction term known for the guessed $M$. For the correctly guessed initial value of $M$ the distinguisher shows bias
$\epsilon_D(\Gamma, \Gamma) = \epsilon_{a'}(\Gamma, \Gamma)\, \epsilon_{e'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^4\, \epsilon_{H_1}(0, \Gamma)^2\, \epsilon_{H_2}(0, \Gamma)\, \epsilon_{H_3}(0, \Gamma)\, \epsilon_{G_1}(\Gamma, \Gamma)\, \epsilon_{G_2}(\Gamma, \Gamma)$.

Distinguisher for Dragon: Distinguisher (cont.)
We need to guess the first 27 bits of the initial value of $M_L$ and the 32 bits of $M_R$ (only the bits of $M_L$ up to the highest mask position, bit 26, affect $\Gamma \cdot M_L$, and all of $M_R$ is needed to know when the counter carries into $M_L$). Hence we need to store all possible values of this part of the internal state, which takes $2^{27 + 32} = 2^{59}$ bits.
The best linear approximation uses the mask $\Gamma = \mathrm{0x0600018D}$. The bias of the distinguisher in this case:

  $\Gamma$                $\epsilon_+(\Gamma, \Gamma)$   $\epsilon_H(0, \Gamma)$   $\epsilon_{G_1}(\Gamma, \Gamma)$   $\epsilon_{G_2}(\Gamma, \Gamma)$   $\epsilon_{a'}(\Gamma, \Gamma)$   $\epsilon_{e'}(\Gamma, \Gamma)$   $\epsilon_D(\Gamma, \Gamma)$
  $\mathrm{0x0600018D}$   $2^{-3}$                       (the remaining entries of the table were not preserved in the transcription)

Future Research
- The eSTREAM call: secure and efficient stream ciphers as a service to the community at large; several recommendations for finalists (SW and HW) are expected, followed by further analysis of the finalists.
- Analysis of stream ciphers: total break (recovery of the secret key or initial state); distinguishers (indication of weaknesses).
- Development of new cryptanalytic tools for stream ciphers.


More information

Dynamic Cube Attack on 105 round Grain v1

Dynamic Cube Attack on 105 round Grain v1 Noname manuscript No. (will be inserted by the editor) Dynamic Cube Attack on 105 round Grain v1 Subhadeep Banik Received: date / Accepted: date Abstract As far as the Differential Cryptanalysis of reduced

More information

Algebraic Immunity of S-boxes and Augmented Functions

Algebraic Immunity of S-boxes and Augmented Functions Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application

More information

Cryptanalysis of the Stream Cipher ABC v2

Cryptanalysis of the Stream Cipher ABC v2 Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be

More information

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,

More information

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size

More information

Towards non-linear feedbacks

Towards non-linear feedbacks Towards non-linear feedbacks Who? Cédric Lauradoux When? December 2, 2008 Applications of sequences BPSK Data Carrier m t IV Init s n K k t f Φ Φ c t s 1 s n s 1 PRNG Spread spectrum Boolean functions

More information

Algebraic Aspects of Symmetric-key Cryptography

Algebraic Aspects of Symmetric-key Cryptography Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques

More information

Searching Cubes for Testing Boolean Functions and Its Application to Trivium

Searching Cubes for Testing Boolean Functions and Its Application to Trivium Searching Cubes for Testing Boolean Functions and Its Application to Trivium Meicheng Liu, Dongdai Lin and Wenhao Wang State Key Laboratory of Information Security Institute of Information Engineering

More information

Differential Fault Analysis of Trivium

Differential Fault Analysis of Trivium Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in

More information

A new simple technique to attack filter generators and related ciphers

A new simple technique to attack filter generators and related ciphers A new simple technique to attack filter generators and related ciphers Håkan Englund and Thomas Johansson Dept. of Information Techonolgy, Lund University, P.O. Box 118, 221 00 Lund, Sweden Abstract. This

More information

A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS

A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS Guanhan Chew, Khoongming Khoo DSO National Laboratories, 20 Science Park Drive, Singapore 118230 cguanhan,kkhoongm@dso.org.sg

More information

On the Design of Trivium

On the Design of Trivium On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn

More information

Open problems related to algebraic attacks on stream ciphers

Open problems related to algebraic attacks on stream ciphers Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic

More information

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

ACORN: A Lightweight Authenticated Cipher (v3)

ACORN: A Lightweight Authenticated Cipher (v3) ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification

More information

A Byte-Based Guess and Determine Attack on SOSEMANUK

A Byte-Based Guess and Determine Attack on SOSEMANUK A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy

More information

Sequences, DFT and Resistance against Fast Algebraic Attacks

Sequences, DFT and Resistance against Fast Algebraic Attacks Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca

More information

Linear Cryptanalysis of Reduced-Round Speck

Linear Cryptanalysis of Reduced-Round Speck Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be

More information

Numerical Solvers in Cryptanalysis

Numerical Solvers in Cryptanalysis Numerical Solvers in Cryptanalysis M. Lamberger, T. Nad, V. Rijmen Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria

More information

Computing the biases of parity-check relations

Computing the biases of parity-check relations Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET

More information

Deterministic Cube Attacks:

Deterministic Cube Attacks: Deterministic Cube Attacks: A New Method to Recover Superpolies in Practice Chen-Dong Ye and Tian Tian National Digital Switching System Engineering & Technological Research Center, P.O. Box 407, 62 Kexue

More information

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway New Methods for Cryptanalysis of Stream Ciphers Håvard Molland The Selmer Centre Department of Informatics University of Bergen Norway 18th May 2005 Acknowledgments I would like to express my gratitude

More information

Cryptanalysis of Lightweight Cryptographic Algorithms

Cryptanalysis of Lightweight Cryptographic Algorithms Cryptanalysis of Lightweight Cryptographic Algorithms By Mohammad Ali Orumiehchiha A thesis submitted to Macquarie University for the degree of Doctor of Philosophy Department of Computing July 2014 ii

More information

Algebraic Attacks and Stream Ciphers

Algebraic Attacks and Stream Ciphers November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)

More information

Cryptanalysis of the Stream Cipher DECIM

Cryptanalysis of the Stream Cipher DECIM Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be

More information

F-FCSR: Design of a New Class of Stream Ciphers

F-FCSR: Design of a New Class of Stream Ciphers F-FCSR: Design of a New Class of Stream Ciphers François Arnault and Thierry P. Berger LACO, Université de Limoges, 123 avenue A. Thomas, 87060 Limoges CEDEX, France {arnault, thierry.berger}@unilim.fr

More information

Cryptanalysis of Grain

Cryptanalysis of Grain Cryptanalysis of Grain Côme Berbain 1, Henri Gilbert 1, and Alexander Maximov 2 1 France Telecom Research and Development 38-40 rue du Général Leclerc, 92794 Issy-les-Moulineaux, France 2 Dept. of Information

More information

Near Collision Attack on the Grain v1 Stream Cipher

Near Collision Attack on the Grain v1 Stream Cipher Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang, Zhenqi Li, Dengguo Feng and Dongdai Lin State Key Laboratory of Information Security, IIE, Chinese Academy of Sciences, Beijing, 100093, China.

More information

Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha

Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha Tsukasa Ishiguro KDDI R&D Laboratories Inc. 2-1-15 Ohara, Fujimino, Saitama 356-8502, Japan tsukasa@kddilabs.jp 1

More information

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary

More information

Optimizing the placement of tap positions. joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei

Optimizing the placement of tap positions. joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei Optimizing the placement of tap positions Samir Hodžić joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei Filtering generator Linear feedback shift register (LFSR). Nonlinear filtering function

More information

Fast Near Collision Attack on the Grain v1 Stream Cipher

Fast Near Collision Attack on the Grain v1 Stream Cipher Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang 1,,3,4, Chao Xu 1,, and Willi Meier 5 1 TCA Laboratory, SKLCS, Institute of Software, Chinese Academy of Sciences {zhangbin,xuchao}@tca.iscas.ac.cn

More information

Algebraic Attacks on Stream Ciphers with Linear Feedback

Algebraic Attacks on Stream Ciphers with Linear Feedback Algebraic Attacks on Stream Ciphers with Linear Feedback Extended Version of the Eurocrypt 2003 paper, August 24, 2003 Nicolas T. Courtois 1 and Willi Meier 2 1 Cryptography Research, Schlumberger Smart

More information

A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs

A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs Elena Dubrova Royal Institute of Technology (KTH), Forum 12, 164 4 Kista, Sweden {dubrova}@kth.se Abstract. This

More information

Improved Linear Distinguishers for SNOW 2.0

Improved Linear Distinguishers for SNOW 2.0 Improved Linear Distinguishers for SNOW 2.0 Kaisa Nyberg 1,2 and Johan Wallén 1 1 Helsinki University of Technology and 2 Nokia Research Center, Finland Email: kaisa.nyberg@nokia.com; johan.wallen@tkk.fi

More information

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher Jimmy Jose 1,2 Dipanwita Roy Chowdhury 1 1 Crypto Research Laboratory, Department of Computer Science and Engineering, Indian Institute of

More information

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk

More information

Distinguishing Attack on Common Scrambling Algorithm

Distinguishing Attack on Common Scrambling Algorithm 410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology

More information

A block cipher enciphers each block with the same key.

A block cipher enciphers each block with the same key. Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations

Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations Guang Gong, Mark Aagaard and Xinxin Fan Department of Electrical and Computer Engineering University of Waterloo, Waterloo,

More information

Fast Correlation Attacks: an Algorithmic Point of View

Fast Correlation Attacks: an Algorithmic Point of View Fast Correlation Attacks: an Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof F-92131 Issy-les-Moulineaux cedex, France Philippe.Chose@ens.fr,

More information

A TMDTO Attack Against Lizard

A TMDTO Attack Against Lizard A TMDTO Attack Against Lizard Subhamoy Maitra 1, Nishant Sinha 2, Akhilesh Siddhanti 3, Ravi Anand 4, Sugata Gangopadhyay 2 1 Indian Statistical Institute, Kolkata, subho@isical.ac.in 2 Indian Institute

More information

CRC Press has granted the following specific permissions for the electronic version of this book:

CRC Press has granted the following specific permissions for the electronic version of this book: This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has

More information

Linear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION

Linear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION Malaysian Journal of Mathematical Sciences 9(S) June: 139-156 (015) Special ssue: The 4 th nternational Cryptology and nformation Security Conference 014 (Cryptology 014) MALAYSAN JOURNAL OF MATHEMATCAL

More information

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3

More information

Characterization of 2 n -Periodic Binary Sequences with Fixed 2-error or 3-error Linear Complexity

Characterization of 2 n -Periodic Binary Sequences with Fixed 2-error or 3-error Linear Complexity Characterization of n -Periodic Binary Sequences with Fixed -error or 3-error Linear Complexity Ramakanth Kavuluru Department of Computer Science, University of Kentucky, Lexington, KY 40506, USA. Abstract

More information

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer

More information

Correlated Keystreams in Moustique

Correlated Keystreams in Moustique Correlated Keystreams in Moustique Emilia Käsper 1, Vincent Rijmen 1,3, Tor E. Bjørstad 2, Christian Rechberger 3, Matt Robshaw 4 and Gautham Sekar 1 1 K.U.Leuven, ESAT-COSIC 2 The Selmer Center, University

More information

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open ORYX ORYX 1 ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with

More information

Fast Correlation Attacks: An Algorithmic Point of View

Fast Correlation Attacks: An Algorithmic Point of View Fast Correlation Attacks: An Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof, F-92131 Issy-les-Moulineaux cedex, France, Philippe.Chose@ens.fr,

More information

Dan Boneh. Stream ciphers. The One Time Pad

Dan Boneh. Stream ciphers. The One Time Pad Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.

More information

RC4 State Information at Any Stage Reveals the Secret Key

RC4 State Information at Any Stage Reveals the Secret Key RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

X-FCSR: a new software oriented stream cipher based upon FCSRs

X-FCSR: a new software oriented stream cipher based upon FCSRs X-FCSR: a new software oriented stream cipher based upon FCSRs François Arnault 1, Thierry P. Berger 1, Marine Minier 2, and Cédric Lauradoux 3 1 XLIM, Faculté des Sciences de Limoges 23 avenue Albert

More information

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3 Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y

More information

University of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center

University of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center University of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center A DATABASE FOR BOOLEAN FUNCTIONS AND CONSTRUCTIONS OF GENERALIZED COMPLEMENTARY PAIRS by Mohamed

More information

Fast Correlation Attack on Stream Cipher ABC v3

Fast Correlation Attack on Stream Cipher ABC v3 Fast Correlation Attack on Stream Cipher ABC v3 Haina Zhang Lin Li Xiaoyun Wang Abstract ABC v3 is a stream cipher proposed as a candidate to ECRYPT Estream Project which enters the second evaluation phase.

More information

Alternative Approaches: Bounded Storage Model

Alternative Approaches: Bounded Storage Model Alternative Approaches: Bounded Storage Model A. Würfl 17th April 2005 1 Motivation Description of the Randomized Cipher 2 Motivation Motivation Description of the Randomized Cipher Common practice in

More information

The LILI-128 Keystream Generator

The LILI-128 Keystream Generator The LILI-128 Keystream Generator E. Dawson 1 A. Clark 1 J. Golić 2 W. Millan 1 L. Penna 1 L. Simpson 1 1 Information Security Research Centre, Queensland University of Technology GPO Box 2434, Brisbane

More information

Two Generic Methods of Analyzing Stream Ciphers

Two Generic Methods of Analyzing Stream Ciphers Two Generic Methods of Analyzing Stream Ciphers Lin Jiao 1,2, Bin Zhang 1,3, and Mingsheng Wang 4 1 TCA, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China 2 University of Chinese

More information

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in

More information

Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek

Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek The Graduate School Yonsei University Department of Electrical and Electronic Engineering Design of Filter

More information

New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)

New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract) New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract) Anubhab Baksi 1, Subhamoy Maitra 1, Santanu Sarkar 2 1 Indian Statistical Institute, 203 B. T. Road, Kolkata

More information

Combinatorics of p-ary Bent Functions

Combinatorics of p-ary Bent Functions Combinatorics of p-ary Bent Functions MIDN 1/C Steven Walsh United States Naval Academy 25 April 2014 Objectives Introduction/Motivation Definitions Important Theorems Main Results: Connecting Bent Functions

More information

Breaking One.Fivium by AIDA an Algebraic IV Differential Attack

Breaking One.Fivium by AIDA an Algebraic IV Differential Attack Breaking One.Fivium by an Michael Vielhaber, Instituto de Matemáticas, Universidad Austral de Chile Casilla 567, Valdivia, Chile, vielhaber@gmail.com October 28, 2007 Abstract We show, how to break Trivium

More information

On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010

On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010 Introduction Boolean functions 2nd order nonlinearity Summary ARXH PROSTASIAS_APOLOGISMOS 2010.indd 1 20/04/2011 12:54 ΜΜ On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ

More information

The Hash Function JH 1

The Hash Function JH 1 The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred

More information

Appendix A. Pseudo-random Sequence (Number) Generators

Appendix A. Pseudo-random Sequence (Number) Generators Communication Systems Security, Appendix A, Draft, L. Chen and G. Gong, 2008 1 Appendix A. Pseudo-random Sequence (Number) Generators In this appendix, we introduce how to design pseudo-random sequence

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Security Evaluation of Stream Cipher Enocoro-128v2

Security Evaluation of Stream Cipher Enocoro-128v2 Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of

More information

Some New Weaknesses in the RC4 Stream Cipher

Some New Weaknesses in the RC4 Stream Cipher Some ew Weaknesses in the RC4 Stream Cipher Jing Lv (B), Bin Zhang, and Dongdai Lin 2 Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, 0090

More information

Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications

Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University

More information