Cryptanalysis of Achterbahn-128/80. Maria Naya-Plasencia. INRIA-Projet CODES FRANCE

Similar documents
Computing the biases of parity-check relations

Cryptanalysis of Achterbahn

Stream Ciphers: Cryptanalytic Techniques

Achterbahn-128/80: Design and Analysis

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5

On Stream Ciphers with Small State

Fast correlation attacks on certain stream ciphers

On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Attacks against Filter Generators Exploiting Monomial Mappings

Cryptanalysis of Grain

Fast Correlation Attacks: an Algorithmic Point of View

A new simple technique to attack filter generators and related ciphers

Attacks Against Filter Generators Exploiting Monomial Mappings

Cryptanalysis of Full Sprout

Key Recovery with Probabilistic Neutral Bits

A New Distinguisher on Grain v1 for 106 rounds

Fast Correlation Attacks: An Algorithmic Point of View

Lecture 12: Block ciphers

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

ACHTERBAHN: A Proposal for a Profile 2 Stream Cipher to ECRYPT s Call for Stream Cipher Primitives

Correlation Analysis of the Shrinking Generator

Linear Approximations for 2-round Trivium

Data Complexity and Success Probability for Various Cryptanalyses

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

a fast correlation attack implementation

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Cellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi

Cryptanalysis of the Stream Cipher ABC v2

Related-Key Statistical Cryptanalysis

Quantum Differential and Linear Cryptanalysis

Solving LPN Using Covering Codes

Fast Near Collision Attack on the Grain v1 Stream Cipher

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Searching for Nonlinear Feedback Shift Registers with Parallel Computing

Analysis of Modern Stream Ciphers

Sequences, DFT and Resistance against Fast Algebraic Attacks

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

Multiple Differential Cryptanalysis: Theory and Practice

Breaking the F-FCSR-H Stream Cipher in Real Time

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

Modified Alternating Step Generators

L9: Galois Fields. Reading material

Lecture Notes on Cryptographic Boolean Functions

Algebraic Immunity of S-boxes and Augmented Functions

Cryptanalysis of the Stream Cipher DECIM

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Nonlinear Equivalence of Stream Ciphers

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA)

How to strengthen pseudo-random generators by using compression

Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha

Open problems related to algebraic attacks on stream ciphers

Lecture 10-11: General attacks on LFSR based stream ciphers

Differential-Linear Cryptanalysis of Serpent

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

A TMDTO Attack Against Lizard

Generalized Correlation Analysis of Vectorial Boolean Functions

A Fast Correlation Attack on the Shrinking Generator

Characterization of Column Parity Kernel and Differential Cryptanalysis of Keccak

Another view of the division property

4.3 General attacks on LFSR based stream ciphers

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

Cryptanalysis of the Sidelnikov cryptosystem

Fast Correlation Attack on Stream Cipher ABC v3

The LILI-128 Keystream Generator

Algebraic analysis of Trivium-like ciphers (Poster)

Data complexity and success probability of statisticals cryptanalysis

Division Property: a New Attack Against Block Ciphers

Improved Linear Cryptanalysis of SOSEMANUK

On the Design of Trivium

On The Nonlinearity of Maximum-length NFSR Feedbacks

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

Large Deviations for Channels with Memory

A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs

ACORN: A Lightweight Authenticated Cipher (v3)

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Recognition of a code in a noisy environment

The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers

Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Optimizing the placement of tap positions. joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei

Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks

arxiv: v1 [cs.it] 27 Sep 2016

Algebraic properties of SHA-3 and notable cryptanalysis results

Sample Test Paper - I

A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis

Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

Decoding One Out of Many

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Fast Low Order Approximation of Cryptographic Functions

Breaking One.Fivium by AIDA an Algebraic IV Differential Attack

Cube Attacks on Stream Ciphers Based on Division Property

arxiv: v2 [cs.cr] 19 Jan 2019

AES side channel attacks protection using random isomorphisms

Transform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and

STREAM CIPHER. Chapter - 3

Algebraic Attacks and Decomposition of Boolean Functions

Transcription:

Cryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE

Outline 1 Achterbahn 2 Tools used in our cryptanalysis 3 Cryptanalysis of Achterbahn-128/80

Achterbahn [Gammel-Göttfert-Kniffler05]... f keystream NLFSR 1 NLFSR 2 NLFSR N Achterbahn version 1, version 2, 128-80. version 1 cryptanalysed by Johansson, Meier, Muller. version 2 cryptanalysed by Hell, Johansson. 1/23

Achterbahn-128/80 (July 2006) Achterbahn-128: key size = 128 bits 13 primitive NLFSRs of length L i = 21 + i, 0 i 12 Least significant bit of each NLFSR forced to 1 at the initialization process. Boolean combining function F : balanced correlation immunity order = 8 Inputs of F shifted outputs of NLFSRs. Keystream length limited to 2 63. 2/23

Achterbahn-128/80 (July 2006) Achterbahn-80: key size = 80 bits 11 primitive NLFSRs of length L i = 21 + i, 1 i 11 Least significant bit of each NLFSR forced to 1 at the initialization process. Boolean function G(x 1,..., x 11 ) = F (0, x 1,..., x 11, 0): balanced correlation immunity order = 6 Inputs of G shifted outputs of NLFSRs. Keystream length limited to 2 63. 3/23

Tools used in our cryptanalysis Parity checks Exhaustive search for the internal states of some registers Decimation by the period of a register Linear approximations Speeding up the exhaustive search 4/23

Parity checks Let (s 1 (t)) t 0,..., (s n (t)) t 0 be n sequences of periods T 1,..., T n, and t 0, S(t) = n i=1 s i(t). Then, for all t 0, τ T 1,...,T n S(t + τ) = 0, T 1,..., T n : set of all 2 n possible sums of T 1,..., T n. Example: (s 1 (t)), (s 2 (t)) with periods T 1 and T 2 S(t) + S(t + T 1 ) + S(t + T 2 ) + S(t + T 1 + T 2 ) = 0 5/23

Cryptanalysis with parity checks Linear approximation l(t) = m j=1 x i j (t) where: Pr[S(t) = l(t)] = 1 (1 + ε) 2 Parity check: τ T i1,...,t i m l(t + τ) = 0 Pr S(t + τ) = 0 1 ( 1 + ε 2 m ) 2 τ T i1,...,t i m 6/23

Exhaustive search over some registers Exhaustive search for the initial states of m registers Pr S(t) = m j=1 x ij (t) + m j=m +1 x ij (t) = 1 (1 + ε). 2 Pr The parity check has 2 m m terms and satisfies: τ T im +1,...,T i m S(t + τ) + m j=1 x ij (t + τ) = 0 = 1 2 (1 + ε 2m m ) 7/23

Required keystream length m j=1 Decoding problem = 2 (L i j 1) sequences of length N transmitted through a binary symmetric channel of capacity C(p) = C ( ) 1 m m (1 + ε2 ) (ε2m m ) 2 2 2 ln 2 N m j=1 (L i j 1) C(p) 2 ln 2 m j=1 (L i j 1) (ε 2m m ) 2 Keystream bits needed: (ε 2m m ) 2 2 ln 2 (L ij 1) + m m T ij j=1 i=m +1 8/23

Decimation [Hell-Johansson06] Parity check: pc(t) = S(t + τ) + m x ij (t + τ) τ T im +1,...,T i m j=1 Decimate by the periods of p linear terms i 1,..., i p : pc p (t) = pc(tt i1... T ip ) Exhaustive search for the remaining (m p) terms 9/23

Complexity Keystream bits needed: (ε 2m m ) 2 2 ln 2 m j=p+1 (L ij 1) 2 p j=1 L i j + m j=m +1 2 L i j Time complexity: (ε 2m m ) 2 2 ln 2 m j=p+1 m j=p+1 (L ij 1) 2 (L i j 1) 10/23

Cryptanalysis of Achterbahn-80 We use a linear approximation: as G has correlation immunity order 6, the best approximation by a 7-variable function is affine [Canteaut-Trabia00] We use the following one: g 2 (x 1,..., x 10 ) = x 1 +x 3 +x 4 +x 5 +x 6 +x 7 +x 10 with ε = 2 3. 11/23

Cryptanalysis of Achterbahn-80 Linear approximation: g 2 (x 1,..., x 10 ) = (x 4 +x 7 )+(x 5 +x 6 )+x 1 +x 3 +x 10 with ε = 2 3. Parity check: ll(t) = l(t) + l(t + T 4 T 7 ) + l(t + T 6 T 5 ) + l(t + T 4 T 7 + T 6 T 5 ) Decimate by the period of the register 10. Exhaustive search over registers 1 and 3. 12/23

Cryptanalysis of Achterbahn-80 Keystream bits needed: (ε 4 ) 2 2 ln 2 (L 1 +L 3 2) 2 L 10 +2 L 4+L 7 +2 L 5+L 6 = 2 61 bits. Time complexity: (ε 4 ) 2 2 ln 2 (L 1 +L 3 2) 2 L1 1 2 L3 1 = 2 74 operations. Time complexity can be reduced: final complexity 2 61. We recover the initial states of registers 1 and 3. 13/23

Cryptanalysis of Achterbahn-128 Linear approximation: l(x 0,..., x 12 ) = (x 0 +x 3 +x 7 )+(x 4 +x 10 )+(x 8 +x 9 )+x 1 +x 2 with ε = 2 3. Parity check: lll(t) = τ T 0,3,7,T 4,10,T 8,9 l(t + τ), where T 0,3,7 = lcm(t 0, T 3, T 7 ) Exhaustive search over registers 1 and 2 we can reduce this complexity making profit of the independence of the registers 14/23

Improving the exhaustive search ϕ = 2 54 2 8 1 t =0 τ T 0,3,7,T 4,10,T 8,9 (S(t ) x 1 (t ) x 2 (t )) = = T 2 1 k=0 T 2 1 k=0 2 31 +2 8 1 t=0 (σ 2 (k) 1) σ(tt 2 + k) σ 1 (tt 2 + k) σ 2 (tt 2 + k) σ 2 (k) (2 31 + 2 8 ) 2 31 +2 8 1 t=0 2 31 +2 8 1 t=0 σ(tt 2 + k) σ 1 (tt 2 + k) + σ(tt 2 + k) σ 1 (tt 2 + k) 15/23

Improving the exhaustive search for k = 0 to T 2 1 do V 2 [k] = σ 2 (k) for the all-one initial state. end for for each possible initial state of R1 do for k = 0 to T 2 1 do V 1 [k] = 2 31 +2 8 1 t=0 σ(t 2 t + k) σ 1 (T 2 t + k) end for for each [ possible initial state i of R2 do (V2 [k+imodt 2 ] 1) V 1 [k] + V 2 [k+imodt 2 ] ( 2 31 +2 8 V 1 [k] )] T2 1 k=0 if we find the bias then return the initial states of R1 and R2 end if end for end for 16/23

Reducing complexity with an FFT T 2 1 k=0 [ (V2 [k + i] 1) V 1 [k] + V 2 [k + i] ( 2 31 + 2 8 V 1 [k] )] 2 L 2 1 T 2 2 2 5 T 2 1 k=0 ( 1)V 2[k+i] ( V 1 [k] 231 +2 8 2 ) + T 2 2 31 +2 8 2 T 2 log 2 T 2 with an FFT. 17/23

Cryptanalysis of Achterbahn-128 Keystream bits needed: (ε 8 ) 2 2 ln 2 (L 1 +L 2 2)+T 0,3,7 +T 4,10 +T 8,9 < 2 61 bits. Time complexity: 2 L 1 1 [ 2 31 T 2 ( 2 4 + 31 ) + T 2 log T 2 ] +T2 2 3 = 2 80.58. 18/23

Achterbahn-128 limited to 2 56 bits The same attack as before using the linear approximation: l(x 0,..., x 12 ) = (x 3 +x 8 )+(x 1 +x 10 )+(x 2 +x 9 )+x 0 +x 4 +x 7 Improved exhaustive search over registers 0,4 and 7, considering R 0 and R 4 together. keystream bits needed< 2 56 time complexity:2 104 operations. 19/23

Achterbahn-80 limited to 2 52 bits Linear approximation: l(x 1,..., x 11 ) = (x 3 + x 7 ) + (x 4 + x 5 ) + x 1 + x 6 + x 10 With the same attack as before, we need more than 2 52 keystream bits. We can adapt the algorithm in order to reduce the data complexity. 20/23

Achterbahn-80 limited to 2 52 bits Instead of one decimated sequence of parity checks of length L, 4 decimated sequences of length L/4: S(t(T 1 ) + i) + S(t(T 1 ) + i + T 7 T 3 ) + S(t(T 1 ) + i + T 4 T 5 ) +S(t(T 1 ) + i + T 7 T 3 + T 4 T 5 ), for i {0,..., 3}. Keystream bits needed < 2 52 Time complexity: 2 67 operations. 21/23

Recovering the key From the previously recovered initial states of some registers: Meet-in-the-middle attack on the key-loading. No need to invert all the clocking steps. Additional complexity: Achterbahn-80: 2 40 in time and 2 41 in memory. Achterbahn-128: 2 73 in time and 2 48 in memory. 22/23

Conclusions Attacks complexities against all versions of Achterbahn version data complexity time complexity references v1 (80-bit) 2 32 2 55 [JMM06] v2 (80-bit) 2 64 2 67 [HJ06] v2 (80-bit) 2 52 2 53 v80 (80-bit) 2 61 2 55 v128 (128-bit) 2 60 2 80.58 23/23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback