Attack on cascaded convolutional transducers cryptosystem

Transcription

1 INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN Attack on cascaded convolutonal transducers cryptosystem M. A. rumechha S. F. Mohebpoor Abstract Recently the dea of desgn of dynamc symmetrc cryptosystems s proposed. The man dea s proposed by Trnca n two separate papers whch are publshed n IEEE and eprnt. Securty of proposed cphers s compared to Randal algorthm called AES. Accordng to ths scheme the cpher system characterstc vares respect to secret key and nput plantext. Namely for each certan secret key and plantex a dfferent codng s provded and cphertext s created. By changng the secret key or plantex other codng system s consdered. But unfortunately ths cpher s not safer than whatever s clamed. In ths paper we present two attacks on the proposed scheme. The frst one s a partal key recovery whch for a (kkm) - cascaded convolutonal transducers s determned a fragment of cphertext wthout calculatng master key wth complexty (k ). Also the attack needs about k 6 plantext-cphertext pars to solve a lnear euaton system. The other attack s a weak key on ths system that attacker can recover longer fragment of plantexts wth complexty ( k ). Keywords Convoluton Codes Cryptanalyss Symmetrc Cryptosystem Seuental and parallel cascaded convolutonal encrypton. W I. INTRDCTIN orldwde symmetrc encrypton standards such as DES (Data Encrypton Standard)AES (Advanced Encrypton Standard) and EES (Escrowed Encrypton Standard) have been and some of them stll are extensvely used to solve the problem of communcaton over an nsecure channel but wth today s advanced technologes they seem to not be as secure as one would lke. Symmetrc encrypton cphers play an mportant role n practcal cryptography. They are categored as Stream Cphers and Block Cphers accordng to ther applcatons. In a stream cpher the output keystream s btwse XRed to the plantext stream n order to obtan the cphertext stream. They are utled for encryptng long streams of data over fast communcaton applcatons such as SM. Block cphers are other fundamental prmtves n cryptography. A block cpher can encrypt fxed length strngs such that cphertext s mxed n a nonlnear manner by secret key and plantext. Applcatons n general reure encrypton of long and arbtrary length strngs. A mode of operaton of a block cpher Manuscrpt receved February 5 7; revsed verson June 7. Mohammad Al rumehchha s wth Zaem Electronc Ind. R&D Departmen No. Nlo St. Bral St. Vanak S. Tehran Iran phone: ; fax: ; e-mal: orumehch@ {aem.co.r or yahoo.com}. S. Fahmeh Mohebbpoor s wth Zaem Electronc Ind. R&D Departmen No. Nlo St. Bral St. Vanak S. Tehran Iran phone: ; fax: ; (e-mal: {aem.co.r }). s used to extend the doman of applcablty from fxed length strngs to long and varable length strngs. But symmetrc cryptosystems such as trple DES AES and others have been all desgned as statc cphers n the sense that ther structure do not change at all durng encrypton/decrypton. Recently a dynamc symmetrc cryptosystem [] s proposed that whose structure s based on nvertble convoluton codes. The scheme s consdered to two versons. The frst one uses lnear combnatons of convoluton codes and the other one explots more complcated and nonlnear combnatons. These symmetrc encrypton technues have at least four advantages over tradtonal schemes based on Festel cphers. Frs the secret key of a cascaded convolutonal cryptosystem s usually much easer to generate. Second the encrypton and decrypton procedures are much smpler and conseuentally much faster. Thrd the desred securty level can be obtaned by ust settng approprate values for the parameters of the convolutonal cryptosystem. Fnally they are much more parallelable than symmetrc encrypton standards based on Festel cphers. However there are some weaknesses whch breach the clamed securty. In ths paper a partal attack whch recovers the part of plantext wthout determnng secret key s nvestgated. Ths attack s applcable on both versons. For smplcty we focus attack for veson and then expand to veson. Also we show that there are weak keys whch can obtan partally useful nformaton from plantext block. The paper s organed as follows. In secton we provde a bref descrpton of the convolutonal codes and globally nvertble convolutonal transducer. And then a new partal attack and one weak key for ths system s descrbed (secton 3). II. SEQENTIA AND PARAE CASCADED CNVTINA ENCRYPTIN PRCEDRE FR PAPER SBMISSIN In [] were proposed a class of convolutonal transducers called cascaded convolutonal transducers wth local propagaton. An overvew of the cascaded convolutonal transducers s provded below. A. Convolutonal codes: a short survey Convolutonal codes are appled n applcatons that reure good performance wth low mplementaton cost. Convolutonal codes map nformaton to code bts seuentally by convolvng a seuence of nformaton bts wth generator seuences. A convolutonal encoder encodes K nformaton bts to N>K code bts at one tme step. Encodng s very Issue Volume 7 57

2 smple ust use the fnte state. machne to produce the codewords We use the trells dagram of the code and apply Vterb algorthm Hard decson decodng or soft decson decodng could be used. Performance wth soft decson decodng s better. These desgns are based on -cascaded dynamc convolutonal transducers and are comprsed n the followng defnton. A key step n understandng convolutonal codes s to dstngush between the convolutonal encoder the convolutonal encodng operaton and the convolutonal code. Rgorous defntons of all these concepts are provded below. We denote by B the set of arrays wth bnary components. If u B then the number of components of u s denoted by u.e. u. Also we denote by u[ ] the -th row of u and by u[ ] the -th column of u. Note that u[ ] B and u[ ] B. If u s a row vector (or a column vector) then we wll denote by u[] the -th element of u and by u : the subvector [u[]... u[]]. If u... u h are bnary vectors then we denote by vect(u... u h ) the vector consstng of the components of u... u h n the same order. For example vect([ ][ ]) [ ]. Defnton.. et n k and m be nonero natural numbers. An (nkm) convolutonal transducer s a functon t : B B gven by () Where k n INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN t ( u) u t u m t m assocated wth t. For a more detaled ntroducton to convolutonal codes we refer the reader to [3]. et us take an example. Example et t and t be ( ) convolutonal transducers wth t t t and t t t The correspondng convolutonal encoders are represented graphcally n Fg. (a) and (b) respectvely. It s easy to see that only t s globally nvertble. For example assume that M M M M and the two output bts beng decrypted are and respectvely. m m m s an element of B (pn+ mn) Bk n for all { m} and the arthmetc n () s carred out over the bnary feld F(). The entres blank are assumed to be flled n wth eros. Defnton.. et t : B k B n be an (nkm) convolutonal transducer. The (n km) convolutonal code nduced by t s the mage t ( B k ) of t. Defnton.3. et t : B B k n be an (n km) convolutonal transducer. An (n km) convolutonal encoder s a realaton by lnear seuental crcuts of the sem-nfnte generator matrx t Fg. (a) A globally nvertble ( ) convolutonal encoder (b) A ( ) convolutonal encoder that s not globally nvertble. ven that the frst output bt depends on M and the frst nput b we conclude that the frst nput bt was a. Then gven that we already know the frst nput b we fnd that the second nput bt was a. Thus we conclude that t s globally nvertble snce at each step we can decode unuely the current block of k output bts. The convolutonal transducer t s not globally nvertble snce each of the two output bts depends on both nput bts. Therefore the current block of k output bts cannot be unuely decoded nto the correspondng nput block. et u [ ] be an nput vector. More precsely we have p blocks of se k each. ne can verfy that t(u) u t k [ ]. We can encrypt u by p v [ ].e. the frst k p bts of t(u). ven that t s globally nvertble we can unuely decrypt v nto u. Issue Volume 7 58

3 Example et a t : Β Β be a ( ) convolutonal transducer wth [ ] [ ] and [ ]. Thus the number of nput bts s k the number of output bts s n and the number of memory regsters s km. The assocated convolutonal encoder can be represented graphcally as n Fg. Note that the two output bts at each step are seraled usng a multplexer. et us now descrbe the encodng mechansm. et b be the current nput bt beng encoded and let b and b be the current bts stored n the memory regsters M and M respectvely. The frst output bt s b [ ] + b [] + b[] b [] + bt [] Whereas the second output bt s b [ ] + bt [] + b[] b [] + b [] After both output bts have been obtaned b s shfted nto the memory regster M and b s shfted nto the memory regster M. et us assume that the nput vector u has length k p. The actual nput vector s u followed by km eros. Thus the total length of the output vector s pn + mn. For example let us take u [ ] as an nput vector. Then one can verfy that the output vector s t(u) u [ ] Where INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN ( u) uh t u Fg. A ( ) convolutonal encoder.. As usual the mssng entres n are assumed to be eros. Note that the se of the output vector t(u) s pn + mn 8 +. Defnton.. A (kkm) convolutonal cryptosystem s a globally nvertble (kkm) convolutonal transducer f each output block of k bts can be unuely nto correspondng block of k nput bts. et us explan how we encrypt an nput vector usng a globally nvertble (k km) convolutonal transducer. Remark Snce we always need for encrypton only the frst u bts of t(u) we can change the standard defnton of an (n km) convolutonal transducer by replacng euaton () wth t () where H u s the restrcton of u to the frst u columns. Thus f t s a (k km) convolutonal cryptosystem then we always encrypt u by t(u). B. Dynamc convolutonal cryptosystem In the prevous subsecton we have descrbed some symmetrc encrypton schemes based on globally nvertble (k km) (-cascaded) convolutonal transducers.the dea n [] s based on lnear cascaded dynamc convolutonal and s comprsed n the followng defnton. Defnton. 5. et k and m be nonero natural numbers. A (k k m) lnear -cascaded convolutonal transducer wth propagaton s an ( +) -tuple ( S S S ) where t s a functon gven by t(u) uh (v )H (v)...h (v- ) for all u Β where v u v v-h (v- ) for all {... } H (w) s the restrcton of ( ) t m m p p m+ p m Descrpton of Algorthm Input: vector u as plantext. utput: vector v as cphertext. Prvate key: the sets S { t () {... m}} { () {... {... }. lenght plant ext u. set p k m. v u 3. For to do 3.. H (v- ) s Constructed by the restrcton of matrx (3) to the frst columns 3.. v v-h (v- ) end do;. v v. Fg. 3Descrpton of algorthm }} Issue Volume 7 59

4 INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN Fg. A ( ) -cascaded convolutonal encoder wth propagaton: (a) the ntal structure of the cascaded encoder and (b) the structure after encodng the frst block [ ]. to the frst columns vect(w[... ]) r () ( f ( r )) for all r {... m + p -} f(s ) (sk + :(s+ )k[] sk+ :(s+ )k[k]) mod and S () {... m}} { () {... }} { m s the set of state matrces correspondng to the -th transducer of the cascade. As usual all the operatons are performed over the bnary feld F(). And also t ( ) t () B and are nvertble. The entres left k k blank n t ( ) are assumed to be flled n wth eros. Defnton.6. A (kkm) lnear -cascaded convolutonal cryptosystem wth propagaton s a globally nvertble (kkm) -cascaded convolutonal transducer wth propagaton wth encrypton functon t n whch the sets S S are kept prvate. The man loop of ths cryptosystem descrbed n Fg.3. Example3 et t : Β a Β be a ( ) - k n cascaded convolutonal transducer where t t t t t t ( ) ( ) ( ) ( ) ( ) ( ) t t t t t t () () () () () () Issue Volume 7 6 et u [] be an nput vector then p v u and t H t ( ) t where [] therefore () ( f ( )) () ( f ( ) + ) ( f ( )) () and () t () H ( ) () v uh t ( v ) [] and t H t ( ) Where [ ] () ( f ( )) () ( f ( ) + ) ( f ( )) () and t () t () H t ( ) () Thus encrypt u by t u) uh ( v ) H ( v ) [ ] ( t. The ntal structure of the correspondng cascaded convolutonal encoder can be represented graphcallyas n Fg. (a). By examnng the matrces ( ) one can remark that t b the cascaded encoder s globally nvertble whatever ts structure would be at the current step. More precsely the structure of the frst encoder n the cascade changes after

5 encodng the frst nput block snce the number of s n the frst nput block s odd. Regardng the second encoder n the cascade ts structure changes after encodng the frst nput block snce the number of s n the frst nput block s even. Thus we encrypt u by t(u) and gven that t s globally nvertble we can unuely decrypt t(u)nto u. And also In [] proposed a new class of dynamc convolutonal cryptosystems called automata-based dynamc convolutonal cryptosystems. Defnton.7. et km be nonero natural numbers. A (kkm) automata-based dynamc convolutonal transducer (abbrevated ADCT) wth states s a ( + )-tuple ( f S... S ) where t( u) uh ( u) for all u Β f : {... } B k {... } s the transton functon H (u) s the restrcton of ( ) t m m p p m+ p m to the frst columns vect( u[ 3 ] mk t g ( ) INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN f ( : k ) f g( ) f ( g( ) ) ( ) k+ f s the tuple of matrces correspondng to the -th state. {... m + p } et t be a globally nvertble (k km) -cascaded convolutonal transducer wth propagaton. Suppose that we have k processors denoted p p... p k and consder a bnary vector u B. The processors work as follows. Frs each processor copes (concurrently) the nput vector u and the matrces t ( b) from the global memory nto ts local memory. Second for all l {... } each processor p computes the columns l l H u)[ ] H ( u)[ + ( p ) ] ( k Defnton.8. A (kkm) automata-based dynamc convolutonal cryptosystem (abbrevated ADCC)wth states s a globally nvertble (k km) ADCT wth states n whch the transton functon f and the tuples S... S are kept prvate. Remark Snce the transton functon of an ADCC reures k memory locatons we should defne t n such a way that the amount of memory reured s sgnfcantly reduced. For a ( ) ADCC wth ten states the transton functon reures 56 memory locatonswhch s unacceptable. ne possblty would be to transform f nto a perodc functon. For a (k km) ADCC ths can be done by defnng f by f( u ) f( u ) f and only f nt(u ) mod P nt(u ) mod P where nt(u) k u[] u[k] and P {... k }. It can be easly seen that the perod s P. Thus the number of memory locatons reured by the transton functon s reduced to P. Cascaded convolutonal transducers wth propagaton are hghly parallelable. More precsely n [] descrbed a parallel algorthm for cascaded convolutonal cryptosystems wth propagaton usng the shared-memory model of computaton under the asynchronous mode of operaton. Fg. 5Asynchronous parallel cascaded convolutonal encrypton wth propagaton Asynchronous parallel cascaded convolutonal encrypton wth propagaton. Then computes the products l l uh ( u)[ ] uh ( u)[ + ( p ) k] and fnally stores the correspondng output bts nto the shared locaton v. The shared varable Var ensures tha at any tme each processor ether works on the current vector-matrx product or stays dle. In other words we do not allow the processors to work on dfferent vector-matrx products. In lne each processor p copes (concurrently) the current output vector v nto ts local memory snce at the next teraton v becomes the new nput vector. (startng at lne 6) s fnshed the product les n the shared locaton v. A complete descrpton of the parallel encrypton algorthm (for processor p ) s provded n Fg.5. The parallel decrypton algorthm s esentally the same seuence of operatons but n reverse order. When the man loop nes 658 and are executed concurrently whereas the other lnes are executed ndependently by each processor. et us denote by W the maxmum amount of tme Issue Volume 7 6

6 spent by each processor to read (concurrently) the vector u (lne and also lne for v) by W the amount of tme spent by each processor to read the matrces ( b) from the global memory (lnes 35)by W3 the maxmum amount of tme spent by each processor to execute (concurrently) the lnes 9 at the current teraton and by T se the runtme of the seuental algorthm. Then the parallel runnng tme s at most W +W + (T se /k +W3 +W) snce each processor spends at most W tme to execute lne at most W tme to execute the lnes 5 and at each of the teratons startng at lne 6 each processor spends exactly T se /k tme to execute the lnes 7 3 at most W3 tme to execute the lnes through 9 and at most W tme to execute lne. Ths encrypton technue has at least four advantages over tradtonal schemes based on Festel cphers. Frs the secret key of a convolutonal cryptosystem s usually much easer to generate (ust generate the matrces ( b) such that the cascaded encoder s globally nvertble whatever ts structure would be at the current step). Second the encrypton and decrypton procedures are much smpler and conseuentally much faster. Thrd the desred securty level can be obtaned by ust settng approprate values for the parameters of the convolutonal cryptosystem. Fnally they are much more parallelable than symmetrc encrypton standards based on Festel cphers. C. Clamed Securty and performance The securty level can be obtaned by ust settng approprate values for (m + ) + 3 parameters: k m and (m + ) elements of sets S (... ). As clamed n [] the hghest level of securty s obtaned when all the parameters are kept secre snce ths ncreases the complexty of any cryptanalytc attack. If the nput vector has length p k and f d(p k ) denotes the number of dvsors of p k that are less than or eual to k then the maxmum number of decodng attempts s d ( pk ) m l INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN [ l( + ) + snce the maxmum number of trals for k s d(p k ) and we have (m+ ) bnary matrces of se k each. Note that for each of l( ) the + maxmum trals for fxed values of and l there are two decodng attempts: one attempt for the case n whch the number of s n the frst nput block s even and another attempt for the case n whch the number of s n the frst nput block s odd. In fac n [] the measure of safety consdered s huge secret key entropy. We show that ths measure s only a necessary condton not a suffcent condton. Regardng the performance n [] have made several comparsons between a globally nvertble (6 6 ) - cascaded convolutonal transducer t wth propagaton and the well-known AES Encrypton Benchmark. It s shown that the Issue Volume 7 6 ] proposed cpher s much faster than a certan AES mplementaton. Also due to beng more complex t s consdered that ths dynamc cryptosystem s secure aganst standard cryptanalytc attacks such as lnear and dfferental cryptanalyss. Although these standard attacks may be nfeasble but there are attacks whch are able breach the proposed securty. III. CRYPTANAYSIS F SCHEME The dea desgn of cpher s attractve but unfortunately cpher s not as safe as s clamed. The clamed securty s comparable to a homogeneous strong block cpher. A dynamc convolutonal cryptosystem s consderd Broken as soon as attacker fnds the bts of the matrces... t m... t... t m. Breakng the cpher completely s a very dffcult task However fndng partal nformaton about the cpher s easy the dea of such an attack descrbed n detal n followng. In [] s clamed that securty of desgn s based prvacy of the sets S S. But n ths secton t s shown that one can easly obtan the frst sub-block plantext wthout any nformaton from the sets S S. Also f these sets are chosen mproper then one recovers more sub-block plantexts. A. Partal attack In ths scheme the frst output sub-block cphertext s constructed only by multplyng the frst nput sub-block plantext (denoteu ) and matrx A t ( ) t () t (). Therefore wth changng the other nput sub-blocks and fxng the frst nput sub-block the frst cpher sub-block remans fxed. And also the contents of matrxes ( ) () () are always fxed and hence A s fxed for all of arbtrary plantext. The number of contents of matrx A s K hence one can determne all of contents A. By usng about K output bts belong to the frst output sub-blocks and wrte a lnear system and solve t. Therefore for each cphertext one can calculate the frst subblock of plantext wthout recoverng master key. Addtonally f plantext s chosen such that the frst subblock be eual to ero and other sub-blocks of plantext be random then always the frst sub-block wll be ero and s dstngushable wth probablty from a random seuence. we can descrbed smlar to ths attack for a (kkm) automaton-based dynamc convlutonal cryptosystem. Example et t : Β a Β be a ( ) - k n cascaded convolutonal transducer where

7 t t t t t t ( ) ( ) ( ) ( ) ( ) ( ) t t t t t t ( ) ( ) ( ) ( ) ( ) ( ) In ths example the matrces A t () t () the contents of matrxes A t () t () are always A s fxed for all of arbtrary plantext. The fxed and hence number of contents of matrx A s hence one can determne all of contents A. By usng about K output bts belong to the frst output sub-blocks and wrte a lnear system and solve t. Therefore for each cphertext one can calculate the frst sub-block of plantext wthout recoverng master key e. for any plantext the frst of sub block of cpher text obtan of multply frst th A. sub block plantext and matrx Example5 et a (66) - cascaded convolutonal transducer that proposed n []. For an nput vector of length 6 can determne the frst 6 bts of nput block wth 8 output bts belong to the frst output sub-blocks and wrte a lnear system and solve t. Addtonally f plantext s chosen such that the frst sub-block be eual to ero and other subblocks of plantext be random then always the frst sub-block wll be ero and s dstngushable wth probablty from a random seuence. B. Weak key In ths system If matrces ( ) () () n the sets S S be eual means that A ( t ()) and so we can obtan matrx A and. Regardng to the hammng weght of v v v INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN u are ether even or odd we can parse all possble frst sub-blocks u to classes. et whch for ths matrx only second column s unknown. Hence by usng about K output bts belong to the second output subblock attacker can wrte a lnear system and solve so A can be determned. Therefore wth determnng u we can deduce the second sub-block. If ths weak pont contnues for system attacker can decrypt longer fragments of cphertexts. Ths attack s descrbed n the followng example. Example6 et t : Β a Β be a ( ) - k n cascaded convolutonal transducer t t t t t t ( ) ( ) ( ) ( ) ( ) ( ) t t t t t t ( ) ( ) ( ) ( ) ( ) ( ) In ths example the matrces () () are dentcal. Hence A ( ()) and so we can obtan matrx and (). Regardng that the hammng weght of u v sub-block A are ether even or odd we can parse all possble frst u to classes. () () et A whch for ths matrx only second column s unknown. Hence by usng about K output bts belong to the second output sub-block attacker can wrte a lnear system and solve so can determne A and then the second sub-block plantexts are recovered too. Example7 et a (66) - cascaded convolutonal transducer that proposed n []. For an nput vector of length 6 f the key be weak as mentoned before then for any output block we can calculate the frst 3 bts of nput block and also f the key s not week then can determne the frst 6 bts of nput block. IV. CNCSIN In ths paper we nvestgated two attacks on the proposed desgn. The frst attack s a partal key recovery whch for a (kkm) -cascade was determned a fragment of cphertext wthout calculatng master key wth complexty (k ). In addton a weak key on ths system was found that one could recover longer fragment of plantexts wth complexty ( k ). Issue Volume 7 63

8 INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN REFERENCES [] D. Trnca Seuental and Parallel Cascaded Convolutonal Encrypton wth ocal Propagaton: Toward Future Drectons n Symmetrc Cryptography the 3 rd Internatonal Conference on Informaton Technology: SA 6 pp IEEE Computer Socety Press. [] D. Trnca Effcent FPA Implementatons and Cryptanalyss of Automata-based Dynamc Convolutonal Cryptosystems Avalable: http;// [3] A. Dholaka.: Introducton to Convolutonal Codes wth Applcatons. Kluwer (99). [] Ph. Pret : Convolutonal Codes: An Algebrac Approach. MIT Press Cambrdge MA SA(988). Issue Volume 7 6