Key Recovery with Probabilistic Neutral Bits

Similar documents
Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Cryptanalysis of Achterbahn

On Stream Ciphers with Small State

New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers

Algebraic Immunity of S-boxes and Augmented Functions

Stream Ciphers: Cryptanalytic Techniques

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha

New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Numerical Solvers in Cryptanalysis

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Analysis of Modern Stream Ciphers

A New Distinguisher on Grain v1 for 106 rounds

Linear Approximations for 2-round Trivium

Security Evaluation of Stream Cipher Enocoro-128v2

Cube Attacks on Stream Ciphers Based on Division Property

Fast correlation attacks on certain stream ciphers

Some thoughts on Trivium

Optimized Interpolation Attacks on LowMC

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

Differential-Linear Cryptanalysis of Serpent

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

Differential Fault Analysis of Trivium

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Dynamic Cube Attack on 105 round Grain v1

Algebraic Attack Against Trivium

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Some Randomness Experiments on TRIVIUM

4.3 General attacks on LFSR based stream ciphers

Quantum Differential and Linear Cryptanalysis

A Practical Attack on Bluetooth Encryption

Searching Cubes for Testing Boolean Functions and Its Application to Trivium

A Byte-Based Guess and Determine Attack on SOSEMANUK

Algebraic Aspects of Symmetric-key Cryptography

Cryptanalysis of Luffa v2 Components

On the Design of Trivium

Deterministic Cube Attacks:

On the pseudo-random generator ISAAC

Cryptanalysis of the Stream Cipher ABC v2

Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

Lecture 12: Block ciphers

Truncated differential cryptanalysis of five rounds of Salsa20

On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator

Fast Near Collision Attack on the Grain v1 Stream Cipher

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Breaking One.Fivium by AIDA an Algebraic IV Differential Attack

Data Complexity and Success Probability for Various Cryptanalyses

Block Cipher Cryptanalysis: An Overview

Lecture 10-11: General attacks on LFSR based stream ciphers

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA

A Byte-Based Guess and Determine Attack on SOSEMANUK

Cube Analysis of KATAN Family of Block Ciphers

A TMDTO Attack Against Lizard

Computing the biases of parity-check relations

Linear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION

ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2

Breaking the F-FCSR-H Stream Cipher in Real Time

MasterMath Cryptology /2 - Cryptanalysis

Correlated Keystreams in Moustique

A new simple technique to attack filter generators and related ciphers

New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Algebraic Techniques in Differential Cryptanalysis

Some Randomness Experiments on TRIVIUM

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Fault Analysis of the KATAN Family of Block Ciphers

Distinguishing Attacks on T-functions

Cryptanalysis of Grain

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Cube attack in finite fields of higher order

Algebraic Attacks on Stream Ciphers with Linear Feedback

Analysis of Message Injection in Stream Cipher-based Hash Functions

How to strengthen pseudo-random generators by using compression

A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Distinguishing Attack on Common Scrambling Algorithm

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

ACORN: A Lightweight Authenticated Cipher (v3)

Open problems related to algebraic attacks on stream ciphers

Comparison of cube attacks over different vector spaces

On the Salsa20 Core Function

On The Nonlinearity of Maximum-length NFSR Feedbacks

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

arxiv: v1 [cs.it] 27 Sep 2016

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

Cryptanalysis of the Knapsack Generator

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

A survey of algebraic attacks against stream ciphers

Key reconstruction from the inner state of RC4

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

New attacks on Keccak-224 and Keccak-256

Correlation Analysis of the Shrinking Generator

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Transcription:

ESC 7.1. 11. 1. 2007 Key Recovery with Probabilistic Neutral Bits Simon Fischer 1, Shahram Khazaei 2 and Willi Meier 1 1 FHNW, Windisch, Switzerland 2 EPFL, Lausanne, Switzerland

Outline Motivation Probabilistic Neutral Bits Description of Salsa Analysis of Salsa Attack based on polynomial description Application to Trivium Application to Grain-128 Conclusions

Given a Boolean function Motivation F(K,V): {0,1} n x {0,1} m {0,1} where K is the secret key and V is the initial vector of a stream cipher. F: Key/IV mixing function, or function derived from it. Oracle chooses random unknown key K = (k 0,,k n-1 ) and returns (exact or biased) value z = F(K,V) for every query V = (v 0,,v m-1 ) of our choice.

Goal: Determine key K in chosen IV attack. If F mixes its inputs properly, we need to try all 2 n keys, by sending O(n) queries to oracle. Investigate methods which can lead to faster recovery of key in case mixing of inputs is not complete. Existence of faster methods highly depends on structure of F. 1st direction: Analysis of reduced round variants of Salsa20. Based on truncated differentials and approximate backwards computation.

2nd direction: Recent framework for chosen IV statistical analysis of stream ciphers (Saarinen, O'Neil, Englund-Johansson-Turan): Based on polynomial description of F. Open problem: Can distinguishers be exploited for key recovery? Of interest for stream ciphers with round based initialization function F with sparse Boolean functions as components. Examples: estream candidates Grain, Trivium.

Probabilistic Neutral Bits Neutral bits: Known from hash function cryptanalysis (Biham-Chen, 2004). Our goal: Find functions approximating F(K,V) that depend on less than all key bits. Can sometimes be achieved, e.g., when V is restricted to a suitable subset W.

Function approximation conceivable if some key bits have no influence on value of z with high probability, i.e., if complementing these key bits is likely to leave value of z unchanged: Probabilistic neutral key bits Reduced complexity key recovery?

Formally: approximate function F, F(K,W): {0,1} n x W {0,1} by functions A(L,W) that depend only on subset L of key bits, where W is a suitable subset of V. Appropriate partitioning of key K as K = (L,M), with L of t bits, and M of n-t bits. Partitioning identified according to (probabilistic) neutral bits.

Single key bit k i is called a neutral bit of function F if complementation of k i does not change output of F, for all inputs in K and W. Define approximations A(L,W) to be F(K,W), either with a fixed or randomly chosen value for non-significant key bits in M. Approximations A(L,W) of function F(K,W) expected to hold with some probability. If M consists of neutral key bits, get exact approximation A(L,W) of function F(K,W) that depends only on the (significant) key bits in L.

More generally, the neutrality measure of a key bit k i is defined as γ i where 1/2(1 +γi) is the probability that complementing k i does not change the output of F. Set threshold γ such that all key bits with γ i < γ are included in the subkey L: significant bits. Probabilistic neutral bits often inexistent in original key/iv mixing procedure of a cipher, but: Can occur in intermediate computation derived from mixing process.

Description of Salsa State: matrix of 16 words of 32 bits, 256-bit key Update: Increment of a counter Output function: compression function, achieved through iteration of simple operation, called quarterround: Input y = (y 0, y 1, y 2, y 3 ), Output z = (z 0, z 1, z 2, z 3 ) z z z z 1 2 3 0 = = = = y y y y 1 2 3 0 (( y (( z (( z (( z 0 1 2 3 + + + + y y z z 3 0 1 2 ) ) ) ) <<< <<< <<< <<< 7 ) 9 ) 13 ) 18 )

State as a matrix: x x x x 0 4 8 12 x x x x 1 5 9 13 x x x x 2 6 10 14 x x x x 3 7 11 15 Update below diagonal words first. Repeat for all words in columns, then in rows. 10 rounds columns, 10 rounds rows. Output the keystream X 0 + X 20.

Nonce, counter, of 64 bits Initialization of Salsa: Fill state with (key, counter, nonce), counter = 0 Initial vector (known): IV = (counter, nonce) const key counter key key const counter key key nonce const key key nonce key const

Analysis of Salsa Analysis of Salsa20 reduced to 8 rounds. Steps: Identify optimal choices for truncated differentials (over 1 st 4 rounds) Search for probabilistic neutral key bits to approximate backwards computation from 8 th round to 4 th round, so that bias in 4 th round is still detectable. For approximation to hold need to guess only significant key bits. Enables reduced complexity search of these key bits.

Choosing a differential: Consider truncated differentials with 1-bit input difference in the nonce and 1-bit difference in a specified word after 4 rounds. Probabilistic backwards computation: Assume differential with known bias is fixed. Corresponding outputs Z and Z are observed. If full key is known, can invert operations in Z = X + X R and Z = X + (X ) R to observe r-round differential (R > r) with its bias, by computing R - r rounds backwards.

If only subkey of m = 256 n bits is known, could approximate inversion by fixing remaining n key bits (e.g., by 0) and invert R - r rounds. However, observable bias depends on n and positions of these n bits. Probabilistic neutral key bits Identify a large subset of key bits which can be replaced by fixed bits so that detectable bias after approximate backwards computation is still significant.

Precomputation Find high probability differential with difference in nonce. Identify subset of n key bits which are PNB s for this differential. Determine bias of differential with respect to subset of PNB s, as observed after working R - r rounds backwards from pairs of keystream blocks, a correct key portion, and randomly chosen values for remaining key bits (PNB ).

Effective attack Collect N pairs of keystream blocks generated with selected input difference (N to be determined according to optimal Neyman-Pearson distinguisher). For each choice of the m = 256 n remaining key bits, use the N keystream blocks to filter candidate keys with respect to optimal distinguisher. For each filtered key, check correctness by performing exhaustive search over n remaining bits.

Experimental results Attack on Salsa20/7 Use 4-round differential optimal for 3-round backwards computation. Find 125 key bits with neutrality measure greater than 0.6. Take these as PNB s. Build attack in time 2 153 and data 2 23 (best previous attack: Tsunoo et. al., 2 190 trials and 2 12 data). Attack on Salsa20/8 Use 4-round differential optimal for 4-round backwards computation. Identify 28 key bits with neutrality measure greater than 0.2, which are taken as PNB s. Have to guess m = 256 28 = 228 bits. Get attack in 2 249 time and 2 21 data.

Attack based on polynomial description Algebraic description of key/iv mixing function F too complex. Derive simpler Boolean functions C(K,W) with help of oracle, where W is a subset of V. If C(K,W) has imbalance in algebraic structure, e.g., for high degree monomials, this can be exploited in cryptanalysis. Example Partition IV as V=(U,W) with U of l bits and W of m-l bits. C(K,W): Coefficient in ANF of a function deduced from F by varying over bits in U only.

Scenarios: 1. If algebraic structure of C(K,W) is imbalanced for chosen set W and many fixed values of unknown K: Stream cipher can be distinguished from random (Saarinen, O'Neil, EJT). 2. If C(K,W) is evaluated for some fixed W: C(K,W) is an expression in key bits only. Sometimes does involve not all key bits. 3. More generally, if for C(K,W) many key bits have only a limited influence on values of C(K,W): Suitable approximations may be identified that enable reduced complexity key recovery.

Scenario 2: Find relation C(K,W), evaluated for some W, that depends on subset of t < n key bits only. Determine functional form with 2 t evaluations of C(K,W). Can filter those keys which don t satisfy relation. Example (Vielhaber) C(K,W) sometimes depends on only few key bits and can be a linear expression for well chosen IV part W: Trivium initialization reduced to 576 iterations. Allows reduced complexity key recovery in simplified Trivium.

Scenario 3: Idea is to find function A(L,W) that depends on sub window L of t < n key bits only, and which is correlated to C(W,K). Ask oracle N queries to get information about t bits of key in time N2 t ( N to be specified). Problem: Find suitable function C and approximating function A.

Derived Functions Partition IV according to V = (U,W) with U of l bits and W of m-l bits. Write F as F ( K, V ) = α β κ C( α, β κu W K = α, β, κ ), α C α ( K, W ) U α where α, β, κ are multi-indices. For every l {0,1} α the function ( K, W) C α can serve as a function C = C(K,W) derived from F.

Adversary with help of oracle evaluates C α ( K, W) for the unknown key K at chosen input W and for any chosen α by sending at most 2 l queries. For l small enough, this is a feasible computation.

Attack: Description Assume suitable function C and partitioning of K = (L,M) for setting of approximation A. Probabilistic guess and determine: Find small set of candidate subkeys in L. Filter set of all 2 t subkeys in L into smaller set: Need to distinguish correct guess L from incorrect ones. Depends on correlation coefficient between A(L,W) and C(K,W) with K = (L,M) under hypotheses H o : guessed part L is incorrect H 1 : guessed part L is correct

Pr Pr W L', 1 { A( L', W)} = C( K, W) K = ( L, M)} = (1+ ε0) 2 1 W{ A( L', W) = C( K, W) K = ( L', M)} = (1+ ε1) 2 ε 1 Both correlation coefficients and ε 0 are random variables depending on the key. If distributions of and well separated, can achieve small non detection probability p mis and false alarm probability p fa at most 2 -c. ε 1 ε 0 ε 1 ε < If 0and ε assumed to be constants with 0 ε 1, the optimum distinguisher is Neyman-Pearson. Determine required number N of values C(K,W) for different W to achieve prescribed p fa and p mis.

Complexity of attack: For each guess of L of subkey, correlation ε of A( L', W ) C ( K, W ) is computed. Requires computation of coefficients A(L,W) by adversary, and computation of coefficient C(K,W) through oracle, for N values of W. Has cost N2 l. Repeat for all 2 t guesses for L. Set of candidates for subkey L has size 2 t p fa = 2 t-c. Entire key verified by exhaustive search over key part M with cost 2 t-c 2 n-t evaluations of function F. Total complexity: N2 l 2 t + 2 t-c 2 n-t = N2 l+t + 2 n-c.

Application to Trivium Trivium has 288 bit internal state consisting of three shift registers of different lengths. Initialization: n = 80 key bits and m = 80 IV bits are written into two shift registers with remaining part being set to fixed pattern. Cipher state updated R = 18 x 64 = 1152 times without producing output. Consider Boolean function F(K,V) which computes 1 st key stream bit after r rounds of initialization. Derived functions C(K,W).

Previous results: Distinguisher based on monomial tests (Englund- Johansson-Turan), for r up to 11.5 x 64 rounds, and l up to 33 variable IV bits. Key recovery (Vielhaber), similar to scenario 2, for r = 9 x 64. New results: Provide examples with respect to scenario 3 for r = 10 x 64 as well as for r = 10.5 x 64.

Example 1 Number of rounds r = 10 x 64, variable IV part U with l = 10 (non-consecutive) bit positions. Index α of coefficient C= C α ( K, W) is 1023. C (virtually) only depends on t = 10 key bits L. Leads to exact approximating function A(L,W). 65 equivalence classes for L with respect to A: one with 512 members, and 64 classes with 8 members, i.e., get ½ x 1 + ½ x 7 = 4 bits of information about key. Example 2 r = 672 rounds, l = 11 bit positions. Consider W s of weight 5 and compute neutrality measure of key bits: A set of t = 29 key bits ruled out as significant. Correct subkey of 29 bits can be detected using approximations with time complexity 2 55.

Application to Grain-128 Grain-128 consists of a LFSR and a NFSR, and an output function h. It has n = 128 key bits, m = 96 IV bits and full initialization takes R = 256 rounds. Example r = 180, l = 7 suitable bit positions. Identify t = 110 significant key bits for L. Can detect these in estimated time complexity 2 124, i.e., improvement factor 2 4.

Conclusions Have introduced technique of probabilistic neutral bits. Useful in analysis of initialization of stream ciphers. Contributes to applicability of recent chosen IV statistical distinguishers. Key recovery with complexity lower than exhaustive key search for simplified versions of three phase 3 estream candidates.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback