Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Similar documents
Key Recovery with Probabilistic Neutral Bits

New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Stream Ciphers: Cryptanalytic Techniques

On Stream Ciphers with Small State

Algebraic Immunity of S-boxes and Augmented Functions

A New Distinguisher on Grain v1 for 106 rounds

Some Randomness Experiments on TRIVIUM

Analysis of Modern Stream Ciphers

Searching Cubes for Testing Boolean Functions and Its Application to Trivium

Security Evaluation of Stream Cipher Enocoro-128v2

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Linear Approximations for 2-round Trivium

Cryptanalysis of Achterbahn

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

On the Design of Trivium

Numerical Solvers in Cryptanalysis

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

Fast correlation attacks on certain stream ciphers

Some thoughts on Trivium

Differential Fault Analysis of Trivium

Cube Attacks on Stream Ciphers Based on Division Property

Linear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION

On the pseudo-random generator ISAAC

Dynamic Cube Attack on 105 round Grain v1

Lecture 10-11: General attacks on LFSR based stream ciphers

Cube Analysis of KATAN Family of Block Ciphers

On The Nonlinearity of Maximum-length NFSR Feedbacks

Breaking One.Fivium by AIDA an Algebraic IV Differential Attack

Optimized Interpolation Attacks on LowMC

Some Randomness Experiments on TRIVIUM

Deterministic Cube Attacks:

Quantum Differential and Linear Cryptanalysis

Algebraic Attack Against Trivium

Correlated Keystreams in Moustique

New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba

A Practical Attack on Bluetooth Encryption

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

A Byte-Based Guess and Determine Attack on SOSEMANUK

4.3 General attacks on LFSR based stream ciphers

On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator

Cryptanalysis of Achterbahn-128/80. Maria Naya-Plasencia. INRIA-Projet CODES FRANCE

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)

Block Ciphers/Pseudorandom Permutations

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

A TMDTO Attack Against Lizard

Comparison of cube attacks over different vector spaces

Cryptanalysis of Grain

Algebraic Aspects of Symmetric-key Cryptography

A new simple technique to attack filter generators and related ciphers

Cube attack in finite fields of higher order

Analysis of Trivium Using Compressed Right Hand Side Equations

Distinguishing Attack on Common Scrambling Algorithm

A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

A Byte-Based Guess and Determine Attack on SOSEMANUK

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

Fast Near Collision Attack on the Grain v1 Stream Cipher

ACORN: A Lightweight Authenticated Cipher (v3)

Algebraic Attacks and Stream Ciphers

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

On the Security of NOEKEON against Side Channel Cube Attacks

Breaking the F-FCSR-H Stream Cipher in Real Time

Extended Cubes: Enhancing the Cube Attack by Extracting Low-Degree Non-Linear Equations

Symmetric Crypto Systems

A survey of algebraic attacks against stream ciphers

A Brief Comparison of Simon and Simeck

On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010

Analysis of Message Injection in Stream Cipher-based Hash Functions

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

Algebraic Attacks on Stream Ciphers with Linear Feedback

Cube Test Analysis of the Statistical Behavior of CubeHash and Skein

Cryptanalysis of the Stream Cipher ABC v2

Differential Fault Analysis of MICKEY Family of Stream Ciphers

Fault Analysis of the KATAN Family of Block Ciphers

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Computing the biases of parity-check relations

Algebraic Techniques in Differential Cryptanalysis

Algebraic analysis of Trivium-like ciphers (Poster)

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Algebraic attack on stream ciphers Master s Thesis

Near Collision Attack on the Grain v1 Stream Cipher

Two Generic Methods of Analyzing Stream Ciphers

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Symmetric Crypto Systems

Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms

Lecture 12: Block ciphers

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

Transcription:

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers Simon Fischer 1, Shahram Khazaei 2, and Willi Meier 1 1 FHNW and 2 EPFL (Switzerland) AfricaCrypt 2008, Casablanca - June 11-14 1 / 18

Outline A framework for key recovery on a function z = F (K, V ) where attacker can choose parameter V. Application to reduced-round initialization of Grain-128 and Trivium, two estream phase 3 candidates. 2 / 18

Stream Cipher Initialization procedure of a stream cipher takes key K and initialization vector (IV) V to produce the initial state. Keystream generator produces a long output sequence from the internal state. 3 / 18

Grain-128 Initialization: Fill the registers with key, IV and some constants. Clock 256 times in initialization mode. 4 / 18

Trivium Initialization: Fill the registers with key, IV and some constants. Clock 1152 times. 5 / 18

Attack Model We define a related Boolean function F (K, V ) = z where z is the first keystream bit. Threat model: Adversary sends IV s V of his choice to the oracle and gets back z according to fixed unknown secret key K chosen by the oracle. Goal: Efficient distinguishing or key-recovery attacks. 6 / 18

Requirements Security: F (K, V ) should depend on each key bit and IV bit in a complex way. Efficiency: Because of limited resources, F is often constructed by a number of simple rounds. For example, Grain-128 and Trivium use simple round functions of low-degree. Is diffusion sufficient for specified number of rounds? If no, how to mount an attack? 7 / 18

Previous Works: Distinguishing Attacks Based on Polynomial Description Consider F (K, V ) with K = (k 1,..., k n ) and V = (v 1,..., v m ). Idea: Choose a list of l ( m) IV bits {v i1, v i2,..., v il }, consider all key bits and the remaining IV bits as parameters and focus on the resultant parametric Boolean function g(v i1, v i2,..., v il ). Fact: Adversary can compute the truth table (as well as the algebraic normal form (ANF)) of g with 2 l queries by dealing with the oracle. Expectation: Each monomial must appear with probability 1/2 and independent from others in the ANF of g. [Filiol 02],[Saarinen 06],[O Neil 07],[Englund-Johansson-Turan 07]. 8 / 18

Previous Works: High-degree Monomials High degree monomials in g are more suspicious to exhibit non-randomness: it will take many clockings before all selected IV bits meet in the same memory cell. Maximum degree (MD) test in [Englund-Johansson-Turan 07]: check if the maximum degree monomial is produced by g. The MD test turned out to be a suitable measure for diffusion. They reported a distinguishing attack on 192/256 rounds in Grain-128 736/1152 rounds in Trivium 9 / 18

Our Contribution: Providing key-recovery attacks 10 / 18

Generalization Make partition V = (U, W ) with U = {v i1, v i2,..., v il } as input to g. Focus on a single coefficient C of g(u), e.g. maximum degree monomial. Fact: C = C(K, W ) depends on the key and remaining IV bits, and can be evaluated for every W of our choice by dealing with the oracle. Scenarios of attacks (if mixing is not complete): Imbalance of C can be used for distinguish attacks. Sometimes, C(K, W ) for some fixed W does not involve all key bits: key recovery attack on 576/1152 rounds of Trivium [Vielhaber 07]. More generally: some key bits in C(K, W ) may have only a limited influence... 11 / 18

New Scenario Given C(K, W ), find approximation A which depends on subkey of only t < n key bits. Reduce the search space from 2 n to 2 t. Method of probabilistic neutral key bits [Aumasson-Fischer-Khazaei-Meier-Rechberger 08]. Partition of K = (L, M) with significant key bits L and non-significant key bits M. A(L, W ) is defined by replacing non-significant key bits in C(K, W ) with fixed values. Definition: Let γ i be the bias that complementing the key bit k i does not change the output of C (neutrality measure). Significant key bits L: all key bits k i with γ i < threshold. 12 / 18

Key Recovery Attacks Probabilistic guess and determine: try all possible subkeys L and distinguish correct guess L from incorrect ones. 1. Compute C(K, W ) through oracle, for unknown key and N random values of W. 2. For each choice of L do Compute A(L, W ) for the same N values of W. Check if C(K, W ) is equal to A(L, W ) for most of the N samples (optimal distinguisher) Given a candidate subkey L, the entire key is verified by exhaustive search over remaining key part M. 13 / 18

Complexity Required number of samples N depends on: Correlation ε between A(L, W ) and C(K, W ) if guessed part L is correct resp. incorrect. The desired levels of p fa and p mis. Computation of N values of A(L, W ) has a cost of N2 l. Repeat for all 2 t guesses of L, hence N2 l+t. Set of candidates for subkey L has size 2 t p fa. Verification of entire key in 2 t p fa 2 n t = 2 n p fa. Total complexity: N2 l+t + 2 n p fa. 14 / 18

Experimental Results: Trivium Trivium has internal state of 288 bits. n = 80 key bits, m = 80 IV bits, R = 1152 rounds. Example: F (K, V ) computes first keystream bit after r = 672 rounds. Variable IV part U of l = 11 bits, get f(u), focus on coefficient C(K, W ) of maximum degree monomial. Compute neutrality measure of key bits (with W =5). A set of t = 29 key bits ruled out as significant. Leads to approximating function A(L, W ) with some correlation to C(K, W ). Correct subkey can be detected with time complexity 2 55. 15 / 18

Experimental Results: Grain-128 Grain-128 has internal state of 256 bits. n = 128 key bits, m = 96 IV bits, R = 256 rounds. Example: Consider r = 180 rounds, and use IV part U of l = 7 bits. Focus on coefficient C(K, W ) of maximum degree monomial. Identify t = 110 significant key bits for L and get A(L, W ). Can detect subkey in estimated time complexity 2 124, i.e. improvement factor 2 4. Open Question: How to find weak IV bits? 16 / 18

Conclusions Have applied the recently introduced technique of probabilistic neutral bits. Useful in analysis of initialization of stream ciphers. Contributes to the recent framework of chosen IV statistical analysis. Key recovery with complexity lower than exhaustive key search for simplified versions of two phase 3 estream candidates. 17 / 18

Thank you! 18 / 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback