Cube Attack on Reduced-Round Quavium

Transcription

1 3rd Internatonal onference on Mechatroncs and Industral Informatcs (IMII 05 ube Attac on Reduced-Round Quavum Shyong Zhang, a *, Gonglang hen,b and Janhua L,c School of Informaton Securty Engneerng, Shangha Jaotong Unversty, hna a poetzhangz@sjtu.edu.cn, bchengl@sjtu.edu.cn, cljh888@sjtu.edu.cn Keywords: Quavum, Trvum, Securty, ube Attac. Abstract. Trvum s a notable lght-weght synchronous stream cpher submtted to the European estream project n Aprl 005. Quavum s a Trvum-le algorthm whch s almost as fast as Trvum. In ths paper, the securty of Quavum s concerned under cube attac, whch s one of the best nown attac on the reduced round Trvum proposed by Dnur and Shamr at EURORYPT 09. Trvum wth 576 ntalzaton rounds can be recovered n. We show that t s dffcult to search the cubes of Quavum wth the same rounds and after 88 rounds the attac complexty s reduced to 59. Therefore, comparng wth Trvum, Quavum has a better performance under cube attac. Introducton Trvum s a notable lght-weght synchronous stream cpher desgned by hrstophe De annere and Bart Preneel, whch s submtted to the European estream project n Aprl 005 []. Ths algorthm s desgned to be both effcent and secure. Durng 3 phases of estream evaluaton on the stream cpher proposals, the performance of Trvum s outstandng compared wth other stream cphers such as A5. Trvum outperforms other estream canddates consdered n the paper n terms of the two most mportant optmzaton crtera, mnmum area and maxmum throughput to area rato, by a factor of at least two []. Quavum, proposed by Tan n 0, s a 4-round Trvum-le algorthm [3]. It s desgned based on the Trvum-le shft regster. The expermental results on software usng ++ code show that the speed of eystream generaton of Quavum s nearly the same as that of Trvum and the performance of Quavum both on hardware and software s almost as good as Trvum [3]. However, the securty of Quavum s not concerned by Tan. Snce now, there are many wors about the securty of Trvum. Raddum presents a technque to solve systems of equatons assocated wth Trvum [4]. But hs attac s very complex when appled to the full cpher and s no faster than exhaustve search. Borghoff presents a numercal attac [5]. However the estmated tme complexty of ths attac s about 63.7 seconds. Maxmov studes two attacs on Trvum [6], whch are state recoverng and statstcal tests. The nternal state of Trvum can be recovered n tme around 83.5, whch s stll too complex for applcaton. ube attac proposed by Dnur and Shamr at EURORYPT 09 s one of the best nown attac on the reduced round Trvum [7]. Velhaber try to recover 47 bts of the ey after 576 rounds usng an algebrac method [8]. Later Dnur and Shamr descrbed a full ey recovery n less than 30 queres to Trvum reduced to 735 rounds and also recovered 35 ey bts after 767 rounds n about 36 queres [7, 9]. Fouque and Vannet requres 39 queres to brea 784 round Trvum [0]. Srnvasan gves 69 equatons after 576 rounds to reduce the complexty to []. In ths paper, the structure of Quavum s studed and we study the securty of Quavum under cube attac. We analyss Quavum reduced to 88 rounds usng cube attac gves lnear equatons, whch can recover bts of the ey and reduces the attac complexty to The authors - Publshed by Atlants Press 35

2 The followng part of the paper s organzed as follows. The algorthm of Quavum wll be descrbed n secton. The method of cube attac wll be shown n detal n Secton 3. Secton 4 wll compare the securty of Trvum and Quavum under cube attac. The concluson wll be gven n secton 5. Quavum Algorthm 64 Quavum s desgned to generate up to bts of ey stream from an 80-bt secret ey Key and an 80-bt ntal value IV [3]. The process conssts of two phases: frst the nternal state of the cpher s ntalzed usng Key and IV, then the state s repeatedly updated and used to generate ey stream bts. s = s, s, L, s. Quavum has four There are 88 bts n the nternal state, whch s denoted as ( 88 rounds wth smlar structure. Denote the ntermedate varable as t, t, t 3, t 4 and the output stream as z = ( z, z, L, zn, wth N standng for the number of output bts. The process of Quavum s shown as Algorthm : Algorthm Quavum Algorthm for = to N do z t + t + t + t ( s, s, L, s5 ( t4, s, L, s50 ( s5, s53, L, s08 ( t, s5, L, s07 ( s09, s0, L, s9 5 ( t, s09, L, s94 ( s, s, L, s ( t, s, L, s end for Key and IV are loaded as follows: ( s, s, L, s5 ( K, K, L, K5 ( s5, s53, L, s08 ( K5, L, K80, IV, IV, L, IV8 s( t = ( ( s09, s0, L, s95 ( IV9, L, IV80 ( s96, s97, L, s88 ( 0, L,0,,, Evaluaton on mplementaton of Quavum s gven by Tan wth comparson to Trvum [3, 4, 5]. The comparson s based on the gate equvalent (GE count whch are shown n Table I. The results show that Quavum extends Trvum to 4 rounds and only ncreases 8 NAND gates [3]. Table I: Resource onsumpton of Trvum and Quavum Algorthm Flp-flops AND gates XOR gates total Trvum Quavum

3 ube Attac ube attac s ntroduced n EURORYPT 09 by Dnur and Shamr as chosen IV attac on symmetrc prmtves [7, ]. The attac allows one to fnd lnear relatons between ey bts. Then usng smple lnear algebra technques, t s possble to recover the bt values. The process can be descrbed as follows: In the rng R= F K, K, L, Kn, IV, IV, L, IV p, we consder the polynomal representaton of the frst output bt of the cpher as the polynomal P( K, K,, Kn, IV, IV,, IVp cube of the publc varables = { IVc IVc L IVc } of sze, P can be expressed as: P= IV P + P = ( where P, P R c R,,, R, no monomal of P R s dvsble by IVc. = L L n R. Gven a Then we can compute P as follows: P = P (3 P s called the superpoly yelded by and IVc s called a maxterm f the superpoly yelded by = s lnear. For Quavum, n=p=80. In the real attac, to test the constant and lnearty, the most common lnearty test for polynomals s the BLR(Blum Luby Rubnfeld test [3]. Gven a blac-box polynomal P on n varables one wants to test for lnearty, the BLR test requres the computaton on random nputs X and Y, on the 0 vector and on X+Y. One then smply checs whether P(0+P(X+P(Y+P(X+Y=0. The algorthm of searchng the maxterm on Quavum s gven n Algorthm. Algorthm ube Attac on Quavum Select the ube randomly. Select XY, { 0,} n, compute P(0, P(X, P(Y,P(X+Y$ and chec whether P(0+P(X+P(Y+P(X+Y=0. Test for more than 00 tmes. for = to n do e = 0,0, L,0,,0, L 0, where all the varants are zero expect the th bt. Denote ( ompute P( e end for n + = The maxterm can be expressed as ( 0 ( P P e K Attac Results We frst try to search the maxterm on Quavum after 576 rounds. However, we fal to fnd any superpoly. In fact, f P has a low-enough degree, even though t has a large number of varables, t s possble to fnd the lnear maxterms. However, f P s a unformly random polynomal of hgh degree, then t s extremely unlely that there exsts maxterms. For Trvum, the polynomals are expected to retan a low degree even after hundreds of ntalzaton rounds. However for Quavum, the 37

4 polynomals ncreases to a very hgh degree only n one hundred rounds. Therefore, we search the maxterm on Quavum after 88 rounds. The maxterms and the cube ndexes are lsted n Table II. Table III: omparson of Two Algorthm Under ube Attac Algorthm Intalzaton rounds Breang omplexty Trvum 576 Trvum Quavum From the result, t can be seen that compared to the 3-round Trvum, Quavum have better performance of securty due to more nternal rounds. Furthermore, the degree of equatons of Quavum ncreases more faster than the degree of Trvum. It s dffcult to attac Quavum after 576 rounds. 59 After 88 rounds the breang complexty s stll whch s hgher than Trvum after 576 rounds. Therefore, Quavum has a better performance under cube attac than Trvum. oncluson In ths paper, we study the nternal structure of Quavum and the securty of Quavum under cube attac. We try to recover the secret ey of Quavum wth reduced round, gven a pece of a nown eystream. We show that Quavum after 88 rounds can be recovered n tme around 59, whle for Trvum after 576 rounds the complexty s. Therefore, comparng wth Trvum, Quavum has a better performance under cube attac. Acnowledgment Ths wor was supported n part by Internatonal Researcher Exchange Project of Natonal Scence Foundaton of hna and entre natonal de la recherche scentfque de France (NSF-NRS under Grant No and Natonal Scence Foundaton of hna under Grants No

5 References []. De annre and B. Preneel. TRIVIUM Specfcatons. estream, ERYPT Stream pher Project ( Report 005/030, Aprl 005. [] K. Gaj, G. Southern and R. Bachmanch, "omparson of hardware performance of selected phase II estream canddates", 7/06.pdf, 007. [3] Tan, Y., hen, G., L, J. "QUAVIUM - a new stream cpher" TRIVIUM. J. omput, pp (0. [4] H. Raddum, "ryptanalytc results on Trvum", [5] J. Borghoff, L. R. Knudsen and M. Stolpe, "Bvum as a mxed-nteger lnear programmng problem", n LNS vol.59, M. G. Parer Eds. Hedelberg: Sprnger, 009, pp. 33-5, 009. [6] A. Maxmov, A. Bryuov. "Two trval attacs on TRIVIUM", n SAS007: The State of the Art of Stream phers, pp. -6, 007. [7] Dnur,I.,Shamr,A. "ube Attacs on weaable Blac Box Polynomals." n Joux,A. (ed. EURORYPT 009. LNS, Sprnger, Hedelberg, vol. 5479, pp , 009. [8] M.Velhaber "Breang one.fvum by ada an algebrac v dfferental attac", ryptology eprnt Archve, Report 007/43, 007, [9] J.-P. aumasson, I. Dnur, W. Meer, and a. Shamr, "ube testers and ey recovery attacs on reduced-round MD6 and trvum," n Fast Software Encrypton, 009, pp. -. [0] Fouque, P.A., Vannet, T, "Improvng Key Recovery to 784 and 799 rounds of Trvum usng Optmzed ube Attacs." nmora, S. (ed. FSE 03. LNS, Sprnger, Hedelberg, vol. 844, pp , 04. [] hungath Srnvasana, Utarsh Umesan Pllaa, K.V. Lashmya and M. Sethumadhavan "ube Attac on Stream phers usng a Modfed Lnearty Test" n Journal of Dscrete Mathematcal Scences and ryptography, 05, pp [] Dnur,I.,Shamr,A. "applyng cube attacs to stream cphers n realstc scenaros," ryptography and ommuncatons, vol. 4, pp. 7-3, 0. [3] M. Blum, M. Luby et R. Rubnfeld - "Self-testng/correctng wth applcatons to numercal problems", Proceedngs of the twenty-second annual AM symposum on Theory of computng (New Yor, NY, USA, STO 90, AM, 990, pp [4] M. Feldhofer and J. Wolerstorfer. "Hardware Implementaton of Symmetrc Algorthms for RFID Securty". n RFID Securty: Technques, Protocols and System-on-hp Desgn, pp Sprnger, September 008. [5] M. Feldhofer. "omparson of Low-Power Implementatons of Trvum and Gran". \textt{worshop on The State of the Art of Stream phers (SAS007} pp 36-46,