Quasigroups and stream cipher Edon80

Size: px

Start display at page:

Download "Quasigroups and stream cipher Edon80"

Rodger Johnson
6 years ago
Views:

1 Department of Algebra, Charles University in Prague June 3, 2010

2 Stream cipher Edon80 Edon80 is a binary additive stream cipher Input stream m i ( c i ) K Edon80 KEYSTREAM GENERATOR k i Output stream c i ( m i ) K k i m i c i is a key is a ith bit of the keystream is a ith bit of the message is a ith bit of the ciphertext

3 Properties of keystream The keystream should

4 Properties of keystream The keystream should be a psedorandom sequence

5 Properties of keystream The keystream should be a psedorandom sequence have no period (or period longer than any admissible message)

6 Properties of keystream The keystream should be a psedorandom sequence have no period (or period longer than any admissible message)

7 Properties of keystream The keystream should be a psedorandom sequence have no period (or period longer than any admissible message) If this condition is not satisfied, two parts of the message will be encrypted by the same binary sequence, which opens ways to attack the cipher:

8 Why is the period of keystream a security problem? Let + be an operation of addition in Z t 2 Then c = m + k c = m + k

9 Why is the period of keystream a security problem? Let + be an operation of addition in Z t 2 Then c = m + k c = m + k and c + c = (m + k) + (m + k) = m + (k + k) + m = m + m

10 Why is the period of keystream a security problem? Let + be an operation of addition in Z t 2 Then c = m + k c = m + k and c + c = (m + k) + (m + k) = m + (k + k) + m = m + m Hence m = c + c + m

11 Why is the period of keystream a security problem? Let + be an operation of addition in Z t 2 Then c = m + k c = m + k and c + c = (m + k) + (m + k) = m + (k + k) + m = m + m Hence m = c + c + m Because most messages contain enough redundancy, it is possible to recover both m and m from m + m

12 Description of the keystream generator

13 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3}

14 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0

15 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79

16 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3}

17 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3}

18 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3}

19 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} K 0 K 1 K 79

20 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} 0 K 79 1 K K 0 K 0 K 1 K 79

21 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} 0 K 79 K 79 0 K 0 1 K K 0 K 0 K 1 K 79

22 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} K 0 K 1 K 79 0 K 79 K 79 0 K 0 (K 79 0 K 0 ) 0 K 1 1 K K 0

23 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} K 0 K 1 K 79 0 K 79 K 79 0 K 0 (K 79 0 K 0 ) 0 K 1 1 K K 0

24 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} K 0 K 1 K 79 0 K 79 K 79 0 K 0 (K 79 0 K 0 ) 0 K 1 1 K 78 K 78 1 (K 79 0 K 0 ) 79 K 0

25 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} K 0 K 1 K 79 0 K 79 K 79 0 K 0 (K 79 0 K 0 ) 0 K 1 1 K 78 K 78 1 (K 79 0 K 0 ) 79 K 0

26 Description of the keystream generator INPUT: K = K 0 K 79 4 fixed quasigroup operations on the set {0, 1, 2, 3} OUTPUT: keystream = (k i ) i=0 Step 1: K 0,, 79 Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} K 0 K 1 K 79 0 K 79 K 79 0 K 0 (K 79 0 K 0 ) 0 K 1 1 K 78 K 78 1 (K 79 0 K 0 ) 79 K 0 y 0 y 1 y 79

27 Description of the keystream generator Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3}

28 Description of the keystream generator Step 2: K, 0,, 79 y = y 0 y 79, y i {0, 1, 2, 3} Formally y = τ K0, 79 τ K1, 78 τ K79, 0 (K 0,, K 79 ), where τ y, : (a i ) (b i ) such that b 0 = y a 0, b i = b i 1 a i for i > 0

29 Description of the keystream generator Step 3: y, 0,, 79 keystream

30 Description of the keystream generator Step 3: y, 0,, 79 keystream Figure: System A

31 Description of the keystream generator Step 3: y, 0,, 79 keystream Figure: System A

32 Description of the keystream generator Step 3: y, 0,, 79 keystream 0 y 0 1 y 1 79 y 79 Figure: System A

33 Description of the keystream generator Step 3: y, 0,, 79 keystream 0 y 0 1 y 1 79 y Figure: System A

34 Description of the keystream generator Step 3: y, 0,, 79 keystream y 0 y (y 0 0 0) y 1 79 y 79 Figure: System A

35 Description of the keystream generator Step 3: y, 0,, 79 keystream y 0 y (y 0 0 0) y 1 y 1 1 (y 0 0 0) 79 y 79 Figure: System A

36 Description of the keystream generator Step 3: y, 0,, 79 keystream y 0 y (y 0 0 0) y 1 y 1 1 (y 0 0 0) 79 y 79 Figure: System A

37 Description of the keystream generator Step 3: y, 0,, 79 keystream y 0 y (y 0 0 0) y 1 y 1 1 (y 0 0 0) 79 y 79 a 79,0 k 0 a 79,2 k 1 a 79,4 k 2 Figure: System A

38 Periods of the Edon80 keystream

39 Periods of the Edon80 keystream J Hong, Remarks on the Period of Edon80 He showed that there is quite a large number of the pairs ({ 0,, 80 }, y) that produce the same sequence of period 2 and also that a random key produces a short period of the keystream (2 55, 2 63 ) with some probability (2 71, 2 60 )

40 Periods of the Edon80 keystream J Hong, Remarks on the Period of Edon80 He showed that there is quite a large number of the pairs ({ 0,, 80 }, y) that produce the same sequence of period 2 and also that a random key produces a short period of the keystream (2 55, 2 63 ) with some probability (2 71, 2 60 ) D Gligoroski, S Markovski, L Kocarev and M Gušev, Understanding Periods in Edon80- Response on Remarks on the Period of Edon80, by Jin Hong Based on the previous paper they made a statistical model of Edon80 which indicates the existence of weak keys But they claim that Edon80 is a good cipher anyway because the best attack on Edon80 is still the exhaustive search in the space of all keys It is also possible to increase the security by using 160 operations instead of 80

41 Our setting We suppose that

42 Our setting We suppose that = i for all i = 1, 2,, 79, but we work with a general finite quasigroup (Q, ),

43 Our setting We suppose that = i for all i = 1, 2,, 79, but we work with a general finite quasigroup (Q, ), X = (x i ) Q N a periodic sequence with a period P X instead of sequence , and

44 Our setting We suppose that = i for all i = 1, 2,, 79, but we work with a general finite quasigroup (Q, ), X = (x i ) Q N a periodic sequence with a period P X instead of sequence , and Y = (y i ) Q N a sequence with no special property (we have arbitrary number of rows)

45 System B x 0 x 1 x 2 x 3 y 0 y 0 x 0 (y 0 x 0 ) x 1 y 1 y 1 (y 0 x 0 ) (y 1 (y 0 x 0 )) ((y 0 x 0 ) x 1 ) y 2 y 2 (y 1 (y 0 x 0 )) y 3 Figure: System B

46 Periods of System A and System B Proposition Each row of System B is periodic, for any sequence Y = (y i ) i=1 QN

47 Periods of System A and System B Proposition Each row of System B is periodic, for any sequence Y = (y i ) i=1 QN Moreover, denote by P 0 be the period of the sequence X and by P i the period of the ith row of System B Then there exists k i {1, 2,, Q } such that P i = k i P i 1 for each i 1

48 Periods of System A and System B Proposition Each row of System B is periodic, for any sequence Y = (y i ) i=1 QN Moreover, denote by P 0 be the period of the sequence X and by P i the period of the ith row of System B Then there exists k i {1, 2,, Q } such that Corollary P i = k i P i 1 for each i 1 Each row of System A is periodic

49 Periods of System A and System B Proposition Each row of System B is periodic, for any sequence Y = (y i ) i=1 QN Moreover, denote by P 0 be the period of the sequence X and by P i the period of the ith row of System B Then there exists k i {1, 2,, Q } such that Corollary P i = k i P i 1 for each i 1 Each row of System A is periodic The keystream has period 2 n for some n = 0,, 161

50 Periods for central quasigroups

51 Periods for central quasigroups A central quasigroup (T-quasigroup, linear over an Abelian group) is a quasigroup (Q, ) such that there exists an Abelian group G = (Q, +), α, β Aut(G), and c Q such that x y = α(x) + β(y) + c for all x, y Q

52 Periods for central quasigroups A central quasigroup (T-quasigroup, linear over an Abelian group) is a quasigroup (Q, ) such that there exists an Abelian group G = (Q, +), α, β Aut(G), and c Q such that x y = α(x) + β(y) + c for all x, y Q A medial quasigroup (entropic quasigroup) is a central quasigroup such that the automorphisms α and β commute

53 Periods for central quasigroups A central quasigroup (T-quasigroup, linear over an Abelian group) is a quasigroup (Q, ) such that there exists an Abelian group G = (Q, +), α, β Aut(G), and c Q such that x y = α(x) + β(y) + c for all x, y Q A medial quasigroup (entropic quasigroup) is a central quasigroup such that the automorphisms α and β commute For central quasigroups, the problem to compute periods of System B leads to the problem to compute periods in the group ring Z eg [Aut(G)]

54 Periods for central quasigroups id G α α 2 β αβ + βα α 2 β + αβα + βα 2 β 2 αβ 2 + βαβ + β 2 α α 2 β 2 + αβαβ + αβ 2 α + βα 2 β + βαβα + β 2 α 2 β 3 αβ 3 + βαβ 2 + β 2 αβ + β 3 α β 4 αβ 4 + βαβ 3 + β 2 αβ 2 + β 3 αβ + β 4 α Figure: System C

55 Periods for central quasigroups id G α α 2 β αβ + βα α 2 β + αβα + βα 2 β 2 αβ 2 + βαβ + β 2 α α 2 β 2 + αβαβ + αβ 2 α + βα 2 β + βαβα + β 2 α 2 β 3 αβ 3 + βαβ 2 + β 2 αβ + β 3 α β 4 αβ 4 + βαβ 3 + β 2 αβ 2 + β 3 αβ + β 4 α Figure: System C Proposition Denote by P X be the period of the sequence X and by P i the period of the ith row of System C Then for each i N, e G lcm(p X, P i ) is a period (not necessary minimal) of the ith row of System B

56 Periods for central quasigroups Proposition Let e G = p r 1 1 prn n, where p k are distinct primes Let (Q, ) be a medial quasigroup Denote by P i the period of the ith row of System B Then there is a constant C > 0 such that P i < C i n holds for all sufficiently large i

57 Periods for central quasigroups Proposition Let e G = p r 1 1 prn n, where p k are distinct primes Let (Q, ) be a medial quasigroup Denote by P i the period of the ith row of System B Then there is a constant C > 0 such that P i < C i n holds for all sufficiently large i Proposition Let (Q, ) be a central quasigroup of order 4 Denote by P i the period of the ith row of System B Then there is a constant C > 0 such that P i < C i holds for all sufficiently large i

58 Periods for central quasigroups We have found that for central quasigroup (Q, ) of order 4 the periods increase at most linearly, but Edon80 needs to generate sequences whose periods grow rapidly This implies that the central quasigroups are not suitable for implementation of Edon80

59 Further directions of research Analyse System B for non-central quasigroups

60 Further directions of research Analyse System B for non-central quasigroups Prove the conjecture that periods increase exponentially for non-central quasigroups

61 Further directions of research Analyse System B for non-central quasigroups Prove the conjecture that periods increase exponentially for non-central quasigroups Find a concrete weak key for Edon80 or disprove its existence

Large Quasigroups in Cryptography and their Properties Testing

Large Quasigroups in Cryptography and their Properties Testing Jiří Dvorský, Eliška Ochodková, Václav Snášel Department of Computer Science, VŠB - Technical University of Ostrava 17. listopadu 15, 708