Analysis of Modern Stream Ciphers


Analysis of Modern Stream Ciphers
Josef Pieprzyk
Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia
CANS - Singapore - December 2007

Outline
1. eSTREAM Project
2. Algebraic Analysis of SOBER-t32
3. Distinguisher for SOBER-128 based on Linear Masking
4. Crossword Puzzle Attack on NLS and NLSv2
5. Distinguisher for DRAGON based on Linear Masking
6. Future Research

eSTREAM Project
A multi-year project (part of ECRYPT) to promote research into stream ciphers (2004-2008).
Phase 3 of eSTREAM started in April 2007.
There are two profiles in eSTREAM:
  PROFILE 1. Stream ciphers for software applications
  PROFILE 2. Stream ciphers for hardware applications
The final results will be announced in April/May 2008.

eSTREAM Project: Phase 3 candidates
SW Phase 3
  CryptMT             no attack
  DRAGON              distinguishing attack
  HC-128 (-256)       no attack
  LEX                 resynchronization collision attack
  NLS (encrypt only)  distinguishing attack
  Rabbit              no attack
  Salsa20             no attack
  SOSEMANUK           no attack
HW Phase 3
  DECIM               no attack
  Edon-80             no attack
  F-FCSR              no attack
  Grain               no attack
  MICKEY (-128)       no attack
  MOUSTIQUE           CC attack
  POMARANCH           distinguishing attack
  Trivium             no attack
Footnotes to the table:
  there is an attack whose complexity is higher than exhaustive search
  there are key recovery attacks for reduced versions
  breakable if the secret key is longer than 224 bits

Algebraic Analysis of SOBER-t32
1. Principle of algebraic attacks
2. Structure of SOBER-t32
3. Attack on SOBER-t32 and its complexity

Principles of Algebraic Attacks
Find a multivariate relation $Q$ of a low degree $d$ between the state bits and the bits of the output:
  $Q(S_0, v_0) = 0$ (degree $d$)
The same relation holds for all consecutive clocks $t$, so
  $Q(S_t, v_t) = Q(L^t(S_0), v_t) = 0$ (degree $d$)
Solve the equations (linearization, XL, Gröbner bases, ...).

System Description
Key: sender and receiver share the same secret key.
Sender encrypts the message: $c_t = m_t \oplus v_t$
Receiver decrypts the message: $c_t \oplus v_t = m_t \oplus v_t \oplus v_t = m_t$
(Figure: at clocks $t = 0$ (initial state), $t = 1$, $t = 2$ the LFSR state is fed through the NLF to produce the keystream words $v_0, v_1, v_2$.)
LFSR: Linear Feedback Shift Register
NLF: Non-Linear Filter (function $f$)

Complexity of Attack
Let $n$ be the number of initial state bits of the LFSR and $d$ the degree of the function $f$ (NLF).
Number of monomials: $T = \binom{n}{1} + \binom{n}{2} + \cdots + \binom{n}{d} \approx \binom{n}{d}$
Number of keystream bits: $\approx \binom{n}{d}$
Complexity (Gaussian elimination): $7\, T^{\log_2 7}$

Description of SOBER-t32/t16
Major features of SOBER-t32 and SOBER-t16:
  big LFSR
  word-oriented stream cipher
  S-box of size $N \times M$ such that $N < M$

        LFSR      word     S-box
  t32   544 bits  32 bits  8 x 32 bits
  t16   272 bits  16 bits  8 x 16 bits

Overall structure of SOBER-t32/-t16
(Figure: the LFSR cells $s_{16}, s_{15}, s_{13}, s_6, s_4, s_1, s_0$, the filter $f$ with the key-dependent constant $K$, the stuttering stage $\beta$, and the keystream output $v_t$.)

Non-linear Filter of SOBER-t32
(Figure: $x = s_0 + s_{16}$; the high byte $x_H$ enters the S-box and the low part $x_L$ is combined with the S-box output $\alpha$ to give $f(x)$; $s_1$, $s_6$, $s_{13}$ and the constant $K$ are then combined to produce $v$.)

Modular Addition
$c = a + b \bmod 2^{32}$. Let $c_i$ be the $i$-th output bit of the modular addition. Then
  $c_0 = a_0 \oplus b_0$,
  $c_1 = a_1 \oplus b_1 \oplus a_0 b_0$,
and for $2 \le i \le 31$,
  $c_i = a_i \oplus b_i \oplus a_{i-1} b_{i-1} \oplus \bigoplus_{t=0}^{i-2} a_t b_t \prod_{r=t+1}^{i-1} (a_r \oplus b_r)$.
Each $c_i$ is expressed as a function of the input bits of degree $i + 1$. Recursively,
  $c_0 = a_0 \oplus b_0$
  $c_1 = a_1 \oplus b_1 \oplus a_0 b_0$
  $c_2 = a_2 \oplus b_2 \oplus a_1 b_1 \oplus (a_1 \oplus b_1)(a_1 \oplus b_1 \oplus c_1)$
  $\vdots$
  $c_n = a_n \oplus b_n \oplus a_{n-1} b_{n-1} \oplus (a_{n-1} \oplus b_{n-1})(a_{n-1} \oplus b_{n-1} \oplus c_{n-1})$
The degree of $c_i$ is $i + 1$.

Observation
Let $c_i$, where $24 \le i \le 31$, be the $i$-th output bit of the modular addition $c = a + b \pmod{2^{32}}$. If $c_i$ is multiplied by $(1 \oplus a_{23} \oplus b_{23})$, then the degree of $c_i (1 \oplus a_{23} \oplus b_{23})$ is reduced to $i - 22$.

Justification of Observation
  $c_0 = a_0 \oplus b_0$
  $c_1 = a_1 \oplus b_1 \oplus a_0 b_0$
  $c_2 = a_2 \oplus b_2 \oplus a_1 b_1 \oplus a_0 b_0 (a_1 \oplus b_1)$
  $\vdots$
  $c_{24} = a_{24} \oplus b_{24} \oplus a_{23} b_{23} \oplus a_{22} b_{22} (a_{23} \oplus b_{23}) \oplus a_{21} b_{21} (a_{22} \oplus b_{22})(a_{23} \oplus b_{23}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{23} \oplus b_{23})$
  $c_{25} = a_{25} \oplus b_{25} \oplus a_{24} b_{24} \oplus a_{23} b_{23} (a_{24} \oplus b_{24}) \oplus a_{22} b_{22} (a_{23} \oplus b_{23})(a_{24} \oplus b_{24}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{24} \oplus b_{24})$
  $\vdots$
  $c_{31} = a_{31} \oplus b_{31} \oplus a_{30} b_{30} \oplus a_{29} b_{29} (a_{30} \oplus b_{30}) \oplus a_{28} b_{28} (a_{29} \oplus b_{29})(a_{30} \oplus b_{30}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{30} \oplus b_{30})$

Justification of Observation (cont.)
If $c_{24}, \ldots, c_{31}$ are multiplied by $(1 \oplus a_{23} \oplus b_{23})$, every term containing the factor $(a_{23} \oplus b_{23})$ vanishes, since $(a_{23} \oplus b_{23})(1 \oplus a_{23} \oplus b_{23}) = 0$ over GF(2). What remains is
  $c_{24} (1 \oplus a_{23} \oplus b_{23}) = a_{24} \oplus b_{24} \oplus a_{23} b_{23}$
  $c_{25} (1 \oplus a_{23} \oplus b_{23}) = a_{25} \oplus b_{25} \oplus a_{24} b_{24} \oplus a_{23} b_{23} (a_{24} \oplus b_{24})$
  $\vdots$
  $c_{31} (1 \oplus a_{23} \oplus b_{23}) = a_{31} \oplus b_{31} \oplus a_{30} b_{30} \oplus a_{29} b_{29} (a_{30} \oplus b_{30}) \oplus a_{28} b_{28} (a_{29} \oplus b_{29})(a_{30} \oplus b_{30}) \oplus \cdots \oplus a_{23} b_{23} (a_{24} \oplus b_{24}) \cdots (a_{30} \oplus b_{30})$
For $24 \le i \le 31$, the degree of $c_i (1 \oplus a_{23} \oplus b_{23})$ is $i - 22$.
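The degree claims above can be checked mechanically. The following Python script is an added example, not code from the slides: it builds the truth table of each output bit $c_i$ of $a + b \bmod 2^W$ on a toy word size $W$, converts it to algebraic normal form with the Möbius transform, and reads off the algebraic degree, both for $c_i$ itself and for $c_i (1 \oplus a_k \oplus b_k)$. It generalises the slide's observation: for any $k < i$ the degree drops from $i + 1$ to $i - k + 1$ (the slide's $i - 22$ is the case $k = 23$). The word size $W = 6$ and the position $k = 2$ are constructed parameters for the demonstration and stand in for the 32-bit words and bit 23 of SOBER-t32.

```python
# Added example (not from the slides): ANF and algebraic degree of the output
# bits of modular addition on a toy word size W. Input index bit v encodes
# variable v: bits 0..W-1 are a_0..a_{W-1}, bits W..2W-1 are b_0..b_{W-1}.

def truth_table(func, nvars):
    """Evaluate a Boolean function on every nvars-bit input."""
    return [func(x) & 1 for x in range(1 << nvars)]

def anf(tt):
    """Möbius transform: truth table -> ANF coefficients indexed by monomial bitmask."""
    f = list(tt)
    n = len(f)
    step = 1
    while step < n:
        for i in range(0, n, 2 * step):
            for j in range(i, i + step):
                f[j + step] ^= f[j]
        step <<= 1
    return f

def degree(tt):
    """Algebraic degree: largest monomial weight with a non-zero ANF coefficient."""
    return max((bin(m).count("1") for m, c in enumerate(anf(tt)) if c), default=0)

def monomials(tt, w):
    """ANF of a function of a (w bits) and b (w bits) as a set of monomial strings."""
    names = [f"a{j}" for j in range(w)] + [f"b{j}" for j in range(w)]
    out = set()
    for m, c in enumerate(anf(tt)):
        if c:
            out.add("*".join(names[v] for v in range(2 * w) if (m >> v) & 1) or "1")
    return out

def add_bit(i, w):
    """Truth table of c_i, the i-th bit of c = a + b mod 2^w."""
    mask = (1 << w) - 1
    return truth_table(lambda x: ((x & mask) + (x >> w)) >> i, 2 * w)

def masked_add_bit(i, k, w):
    """Truth table of c_i * (1 xor a_k xor b_k); the slides use k = 23 on 32-bit words."""
    mask = (1 << w) - 1
    def f(x):
        a, b = x & mask, x >> w
        c_i = ((a + b) >> i) & 1
        return c_i & (1 ^ ((a >> k) & 1) ^ ((b >> k) & 1))
    return truth_table(f, 2 * w)

if __name__ == "__main__":
    W, K = 6, 2   # constructed toy parameters: 6-bit words, multiplier (1 xor a_2 xor b_2)
    print("c_1 =", " + ".join(sorted(monomials(add_bit(1, W), W))))
    for i in range(W):
        line = f"deg c_{i} = {degree(add_bit(i, W))}"
        if i > K:
            line += f", deg c_{i}*(1+a_{K}+b_{K}) = {degree(masked_add_bit(i, K, W))}"
        print(line)
```

The printed degrees follow the two rules of the slides: $\deg c_i = i + 1$, and $\deg c_i (1 \oplus a_k \oplus b_k) = i - k + 1$ for $i > k$, because every carry term that reaches back below bit $k$ carries the factor $(a_k \oplus b_k)$ and is annihilated.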

How to Use the Observation
(Figure: the non-linear filter of SOBER-t32 again: $x = s_0 + s_{16}$, the S-box applied to $x_H$ giving $\alpha$, combined with $x_L$, $s_1$, $s_6$, $s_{13}$ and $K$ to produce $v$.)

How to Use the Observation (cont.)
Consider the least significant bit of $\alpha$, i.e.
  $\alpha_0 = s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0$
Construct the following table.
  Rows: all the possibilities for $(x_{31}, \ldots, x_{24})$: $2^8$ rows.
  Columns: all the monomials $A_i$ of degree up to 8 in the input bits $(x_{31}, \ldots, x_{24})$, together with the least significant output bit $\alpha_0$: $2^8 + 1$ columns.
By applying Gaussian elimination to this matrix, we obtain a non-linear equation of the form
  $\alpha_0 = \bigoplus A_i = 1 \oplus x_{24} \oplus x_{24} x_{25} \oplus \cdots \oplus x_{24} x_{28} x_{29} x_{30} x_{31}$

How to Use the Observation (cont.)
By the Observation, $x_i (1 \oplus s_{0,23} \oplus s_{16,23})$ becomes
  $x_i (1 \oplus s_{0,23} \oplus s_{16,23}) = g(s_{0,23}, \ldots, s_{0,i}, s_{16,23}, \ldots, s_{16,i})$ for $24 \le i \le 31$,
where $g$ is a multivariate polynomial of degree up to $i - 22$. For example,
  $x_{24} (1 \oplus s_{0,23} \oplus s_{16,23}) = s_{0,24} \oplus s_{16,24} \oplus s_{0,23} s_{16,23}$
  $x_{25} (1 \oplus s_{0,23} \oplus s_{16,23}) = s_{0,25} \oplus s_{16,25} \oplus s_{0,24} s_{16,24} \oplus s_{0,23} s_{16,23} (s_{0,24} \oplus s_{16,24})$
So we get
  $\alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23}) = \bigoplus A_i (1 \oplus s_{0,23} \oplus s_{16,23})$
By a computer experiment, the degree of $\alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23})$ is at most 14.

Getting Algebraic Relations
Recall
  $\alpha_0 = s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0$
If we multiply the equation by $(1 \oplus s_{0,23} \oplus s_{16,23})$, then we have
  $\alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23}) = (s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0)(1 \oplus s_{0,23} \oplus s_{16,23})$
The degree of the equation is 14. Arrange the equation in the form $g(s) = h(s, V)$, where
  $g(s) = \alpha_0 (1 \oplus s_{0,23} \oplus s_{16,23}) \oplus (s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus K_0)(1 \oplus s_{0,23} \oplus s_{16,23})$
  $h(s, V) = v_0 (1 \oplus s_{0,23} \oplus s_{16,23})$

Algebraic Attack
If we collect $N > \sum_{i=0}^{14} \binom{544}{i}$ consecutive equations, a linear dependency $\gamma = (\gamma_0, \ldots, \gamma_{N-1})$ for the left-hand sides must exist:
  $\sum_{t=0}^{N-1} \gamma_t\, g(L^t(S_0)) = 0$, $\gamma_i \in GF(2)$
To recover $\gamma$:
1. Collect $N$ consecutive equations such that $N > 2T = 2 \sum_{i=0}^{14} \binom{544}{i}$.
2. Choose a random key $S_0$.
3. Compute the $2T$ output bits $c_t$ of the left-hand sides, $c_t = g(L^t(S_0))$ for $t = 0, \ldots, 2T - 1$.
4. By applying the Berlekamp-Massey algorithm, find the smallest connection polynomial that generates the sequence $c = (c_0, \ldots, c_{2T-1})$.

Algebraic Attack (cont.)
The same linear dependency holds for the right-hand sides:
  $0 = \sum_{t=i}^{N+i-1} \gamma_{t-i}\, h(L^t(S_0), V_t)$, $i = 0, 1, \ldots$
Each of these is a linear equation in the state bits, since the keystream bits $V_t$ are known. Collect a system of such equations for consecutive keystreams and solve it.
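Steps 3 and 4 of the attack at toy scale, as an added example (not the slides' code): a 5-bit LFSR with feedback polynomial $x^5 + x^2 + 1$ filtered by the degree-2 function $g(s) = s_0 \oplus s_1 s_3$ stands in for the sequence $c_t = g(L^t(S_0))$, and a GF(2) Berlekamp-Massey implementation returns the shortest connection polynomial, whose coefficients are exactly the linear dependency $\gamma$ the slide asks for. The LFSR, the filter $g$ and the seed are constructed for the demonstration; $T$ is the monomial count from the slides, here $\binom{5}{1} + \binom{5}{2} = 15$, and $2T$ bits of the sequence are enough for Berlekamp-Massey to determine $\gamma$.

```python
# Added example (not from the slides): recovering gamma with Berlekamp-Massey.
from math import comb

def lfsr_states(feedback, state, nclocks):
    """Clock a GF(2) LFSR. feedback lists the taps j with s_{t+n} = XOR_j s_{t+j}.
    Returns the register contents (s_t, ..., s_{t+n-1}) at each clock t."""
    n = len(state)
    s = list(state)
    states = []
    for _ in range(nclocks):
        states.append(tuple(s))
        new = 0
        for j in feedback:
            new ^= s[j]
        s = s[1:] + [new]
    return states

def berlekamp_massey(seq):
    """Shortest LFSR over GF(2) generating seq. Returns (L, C) with
    C(D) = 1 + C[1] D + ... + C[L] D^L, i.e. seq[i] = XOR_{j=1..L} C[j] seq[i-j]."""
    n = len(seq)
    c = [0] * (n + 1)
    b = [0] * (n + 1)
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = seq[i]                      # discrepancy between prediction and seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def satisfies_recurrence(seq, conn):
    """True if the whole sequence obeys the recurrence given by conn (= gamma)."""
    L = len(conn) - 1
    for i in range(L, len(seq)):
        acc = 0
        for j in range(1, L + 1):
            acc ^= conn[j] & seq[i - j]
        if acc != seq[i]:
            return False
    return True

def filtered_sequence(nbits):
    """Constructed toy instance: LFSR x^5 + x^2 + 1, filter g(s) = s_0 xor s_1 s_3."""
    states = lfsr_states([0, 2], [1, 0, 0, 0, 0], nbits)
    return [s[0] ^ (s[1] & s[3]) for s in states]

def monomial_bound(n, d):
    """T = sum_{i=1..d} C(n, i): bound on the linear complexity of a degree-d filter output."""
    return sum(comb(n, i) for i in range(1, d + 1))

if __name__ == "__main__":
    T = monomial_bound(5, 2)                     # 15 monomials for n = 5, d = 2
    seq = filtered_sequence(4 * T)
    L, gamma = berlekamp_massey(seq[:2 * T])     # 2T bits suffice, as in step 1
    print("linear complexity L =", L, "<= T =", T)
    print("gamma (connection polynomial coefficients) =", gamma)
    print("recurrence holds on all", len(seq), "bits:", satisfies_recurrence(seq, gamma))
```

On the real cipher the same routine runs on $2T \approx 2^{92}$ bits with $n = 544$ unknowns, which is where the $O(T \log T + Tn)$ pre-computation on the complexity slide comes from; the toy shows that the polynomial recovered from $2T$ bits keeps generating the sequence beyond the bits it was computed from.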

Complexity of Algebraic Attack
The number of monomials of degree up to 14 chosen from $n = 544$ unknowns:
  $T = \sum_{i=0}^{14} \binom{544}{i} \approx 2^{91}$
Pre-computation: $O(T \log T + T n) = O(2^{100})$ CPU clocks, using improved versions of the Berlekamp-Massey algorithm.
Keystream observations required: $2T = 2^{92}$
Memory requirements: (the size of $\gamma$) + $\binom{544}{1}$ equations, around $2^{91}$ bits

Distinguishing Attack on SOBER-128
1. Principle of attack
2. Structure of SOBER-128
3. Attack on SOBER-128

Linear Feedback Shift Register, Non-linear Filter and Distinguisher
(Figure: the LFSR output $X$ satisfies a linear relation of the form $x_t \oplus x_{t+1} \oplus \cdots \oplus x_{t+n} = 0$; the non-linear filter turns it into the keystream $Y = (y_{t+1}, y_{t+2}, \ldots, y_{t+m})$; the distinguisher looks for the corresponding relation $z_t \oplus z_{t+1} \oplus \cdots \oplus z_{t+n} = 0$ on $Z$.)

Definition of Bias $\epsilon$ and Piling-up Lemma
With the convention $p = \frac{1}{2} + \epsilon$:
  $\Pr(X_1 = 0)$: bias $\epsilon$
  $\Pr(X_2 = 0)$: bias $\epsilon$
  $\Pr(X_1 \oplus X_2 = 0)$: bias $2\epsilon^2$
With the convention $p = \frac{1}{2}(1 + \epsilon)$:
  $\Pr(X_1 = 0)$: bias $\epsilon$
  $\Pr(X_2 = 0)$: bias $\epsilon$
  $\Pr(X_1 \oplus X_2 = 0)$: bias $\epsilon^2$
In general, $2^{n-1} \epsilon^n$ vs. $\epsilon^n$.

Structure of NLF in SOBER-128
(Figure: $\omega$ is formed from $s_0$ and $s_{16}$; $\omega^{(H)}$, the most significant byte of $\omega$, enters the S-box, giving $\alpha$; $\beta$ is formed with $s_1$, $s_6$ and $K$, and the output $z$ with $s_{13}$.)
At the least significant bit of the output,
  $\alpha_{(8)} \oplus \beta_{(0)} \oplus \omega_{(8)} \oplus s_{1,(0)} \oplus s_{6,(0)} \oplus s_{13,(0)} \oplus K_{(0)} = z_{(0)}$

Low Weight LFSR Polynomial and Approximations
Ekdahl and Johansson observed (FSE 2002) that
  $s_{t+\tau_1} \oplus s_{t+\tau_2} \oplus s_{t+\tau_3} \oplus s_{t+\tau_4} \oplus s_{t+\tau_5} \oplus s_{t+\tau_6} = 0$,
where $s_t$ stands for a state of the LFSR at clock $t$ and
  $\tau_1 = 0$, $\tau_2 = 11$, $\tau_3 = 13$, $\tau_4 = 4 \cdot 2^{32} - 4$, $\tau_5 = 15 \cdot 2^{32} - 4$, $\tau_6 = 17 \cdot 2^{32} - 4$.
Linear approximation of $\alpha_{(8)}$, $p = \frac{1}{2}(1 - 2^{-4.1})$:
  $\alpha_{(8)} = s_{0,(25)} \oplus s_{0,(26)} \oplus s_{0,(28)} \oplus s_{0,(29)} \oplus s_{16,(26)} \oplus s_{16,(29)}$
Linear approximation of $\beta_{(0)}$, $p = \frac{1}{2}(1 + 2^{-3.7})$:
  $\beta_{(0)} = s_{13,(29)} \oplus s_{13,(30)} \oplus z_{(29)} \oplus z_{(30)}$
Linear approximation of $\omega_{(8)}$, $p = \frac{1}{2}(1 + 2^{-1})$:
  $\omega_{(8)} = s_{0,(8)} \oplus s_{16,(8)} \oplus s_{0,(7)}$

Linear Approximation of NLF
From the three approximations,
  $L(s, z) = \underbrace{s_{0,(25)} \oplus s_{0,(26)} \oplus s_{0,(28)} \oplus s_{0,(29)} \oplus s_{16,(26)} \oplus s_{16,(29)}}_{\alpha_{(8)}} \oplus \underbrace{s_{13,(29)} \oplus s_{13,(30)} \oplus z_{(29)} \oplus z_{(30)}}_{\beta_{(0)}} \oplus \underbrace{s_{0,(8)} \oplus s_{16,(8)} \oplus s_{0,(7)}}_{\omega_{(8)}} \oplus s_{1,(0)} \oplus s_{6,(0)} \oplus s_{13,(0)} \oplus K_{(0)} \oplus z_{(0)}$
Bias: $p = \frac{1}{2}(1 + 2^{-4.1} \cdot 2^{-3.7} \cdot 2^{-1}) = \frac{1}{2}(1 + 2^{-8.8})$

Distinguishing Attack on SOBER-128
The approximation is simply described as
  $L(s, z) = \mathrm{linear}(s) \oplus z_{(0)} \oplus z_{(29)} \oplus z_{(30)}$
If we apply the linear masking method, $\mathrm{linear}(s)$ vanishes by the low weight LFSR polynomial. Then the distinguisher is
  $\bigoplus_{t \in \{\tau_1, \ldots, \tau_6\}} \big( z_{t,(0)} \oplus z_{t,(29)} \oplus z_{t,(30)} \big)$
with the bias $(2^{-8.8})^6 = 2^{-52.8}$.

Crossword Puzzle Attack on NLS
1. Principle of attack
2. Structure of NLS
3. Distinguishing attack on NLS

Principle of Attack
Target system: Non-linear Feedback Shift Register (NFSR) + Non-linear Filter (NLF).
  Derive linear approximations of the NFSR and of the NLF.
  Combine a set of both linear approximations.
  Eliminate the internal state bits.
  Build a distinguisher using the observable output bits only.

Simple Example
  $\Pr(X_1 \oplus X_2 = 0) = \epsilon_1$
  $\Pr(X_3 \oplus X_4 = 0) = \epsilon_1$
  $\Pr(X_1 \oplus X_2 \oplus X_3 \oplus X_4 = 0) = \epsilon_1^2$
  $\Pr(X_1 \oplus X_3 = Z_1) = \epsilon_2$
  $\Pr(X_2 \oplus X_4 = Z_2) = \epsilon_2$
  $\Pr(X_1 \oplus X_2 \oplus X_3 \oplus X_4 = Z_1 \oplus Z_2) = \epsilon_2^2$
Then $\Pr(Z_1 \oplus Z_2 = 0) = \epsilon_1^2 \epsilon_2^2$.
(Here "$\Pr(\cdot) = \epsilon$" is shorthand for a probability of $\frac{1}{2}(1 + \epsilon)$, i.e. a bias of $\epsilon$ in the second convention of the Piling-up lemma slide.)

Probabilistic Model
Linear approximation of the NFSR: $l_1(s) = 0$ with bias $\epsilon_1$
Linear approximation of the NLF: $u_i(s) = l_2(z)$ with bias $\epsilon_2$
  $l_1(s_{i_1}) = u_1(s_{i_1}) + u_2(s_{i_1}) + \cdots + u_n(s_{i_1})$
  $l_1(s_{i_2}) = u_1(s_{i_2}) + u_2(s_{i_2}) + \cdots + u_n(s_{i_2})$
  $\vdots$
  $l_1(s_{i_m}) = u_1(s_{i_m}) + u_2(s_{i_m}) + \cdots + u_n(s_{i_m})$
Summing column-wise, the $k$-th column of the right-hand sides is approximated by $l_2(z_{j_k})$, $k = 1, \ldots, n$.
Distinguisher: $l_2(z_{j_1}) + \cdots + l_2(z_{j_n}) = 0$
Bias: $\epsilon_1^m \epsilon_2^n$ (by the Piling-up lemma)

NLS Cipher
The NFSR has states $r[0], \ldots, r[16]$; each state is a 32-bit word. $Konst$ is a 32-bit key-dependent constant.
  $r_{t+1}[i] = r_t[i+1]$ for $i = 0, \ldots, 15$
  $r_{t+1}[16] = f\big((r_t[0] \lll 19) + (r_t[15] \lll 9) + Konst\big) \oplus r_t[4]$,
where $+$ is addition modulo $2^{32}$ and $\lll$ is rotation to the left, and
  $f(a) = \text{S-box}(a_H) \oplus a$, where $a_H$ is the most significant 8 bits of the 32-bit word $a$.
If $t \equiv 0 \pmod{65537}$, $r_{t+1}[2] = r_{t+1}[2] + t$.
NLF (non-linear filter):
  $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + Konst)$

f-function of the NFSR
(Figure: $r_t[0] \lll 19$, $r_t[15] \lll 9$ and $Konst$ are added; the most significant byte of the sum enters the S-box, whose output is $\alpha_t$; the result is XORed with $r_t[4]$ to give $r_{t+1}[16]$.)

Linear Approximations of the NFSR
The input of the S-box is $(r_t[0] \lll 19)^{(H)} + (r_t[15] \lll 9)^{(H)} + \text{carry bit}$: $2^{17}$ possibilities.
Linear combinations of bits from $(r_t[0] \lll 19)^{(H)}$ and $(r_t[15] \lll 9)^{(H)}$: $2^{16}$.
We build the truth table with $2^{17}$ rows and $2^{16}$ columns.
Linear approximations of $\alpha_{t,(0)}$ and their biases:
  $r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_t[15]_{(20)} \oplus r_t[15]_{(16)} \oplus r_t[15]_{(15)}$ : $\frac{1}{2}(1 + 0.048828)$
  $r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_t[0]_{(5)} \oplus r_t[15]_{(20)} \oplus r_t[15]_{(16)}$ : $\frac{1}{2}(1 + 0.048828)$
  $r_t[0]_{(12)} \oplus r_t[15]_{(22)}$ : $\frac{1}{2}(1 - 0.045410)$
  $r_t[0]_{(10)} \oplus r_t[15]_{(20)}$ : $\frac{1}{2}(1 - 0.035156)$
  $r_t[0]_{(12)} \oplus r_t[0]_{(11)} \oplus r_t[0]_{(10)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(21)} \oplus r_t[15]_{(20)}$ : $\frac{1}{2}(1 - 0.020020)$

Linear Approximation for the NLF
For $r[z] = r[x] + r[y]$ (addition modulo $2^{32}$):
  $\Pr\big(r[z]_{(0)} = r[x]_{(0)} \oplus r[y]_{(0)}\big) = 1$
  $\Pr\big(r[z]_{(i)} \oplus r[z]_{(i-1)} = r[x]_{(i)} \oplus r[y]_{(i)} \oplus r[x]_{(i-1)} \oplus r[y]_{(i-1)}\big) = \frac{1}{2}(1 + 2^{-1})$
Applied to $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + Konst)$:
  $\nu_{t,(0)} = (r_t[0]_{(0)} \oplus r_t[16]_{(0)}) \oplus (r_t[1]_{(0)} \oplus r_t[13]_{(0)}) \oplus (r_t[6]_{(0)} \oplus Konst_{(0)})$
  $\nu_{t,(i)} \oplus \nu_{t,(i-1)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)}) \oplus (r_t[6]_{(i)} \oplus Konst_{(i)} \oplus r_t[6]_{(i-1)} \oplus Konst_{(i-1)})$
When $Konst = 0$, the second relation holds with probability $\frac{1}{2}(1 + (2^{-1})^2) = \frac{1}{2}(1 + 2^{-2})$.

Attack on NLS with $Konst = 0$
Since $r_{t+p}[0] = r_t[p]$,
  $r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_{t+15}[0]_{(20)} \oplus r_{t+17}[0]_{(0)} = 0$
  $r_t[1]_{(10)} \oplus r_t[1]_{(6)} \oplus r_{t+15}[1]_{(20)} \oplus r_{t+17}[1]_{(0)} = 0$
  $r_t[6]_{(10)} \oplus r_t[6]_{(6)} \oplus r_{t+15}[6]_{(20)} \oplus r_{t+17}[6]_{(0)} = 0$
  $r_t[13]_{(10)} \oplus r_t[13]_{(6)} \oplus r_{t+15}[13]_{(20)} \oplus r_{t+17}[13]_{(0)} = 0$
  $r_t[16]_{(10)} \oplus r_t[16]_{(6)} \oplus r_{t+15}[16]_{(20)} \oplus r_{t+17}[16]_{(0)} = 0$
Summing the columns gives the quantities $\mu_{t,(10)}$, $\mu_{t,(6)}$, $\mu_{t+15,(20)}$ and $\mu_{t+17,(0)}$. A distinguisher will be
  $\mu_{t,(10)} \oplus \mu_{t,(6)} \oplus \mu_{t+15,(20)} \oplus \mu_{t+15,(16)} \oplus \mu_{t+15,(15)} \oplus \mu_{t,(13)} \oplus \mu_{t+15,(23)} \oplus \mu_{t+4,(0)} \oplus \mu_{t+17,(0)} = K$,
where $K = Konst_{(10)} \oplus Konst_{(6)} \oplus Konst_{(20)} \oplus Konst_{(16)} \oplus Konst_{(15)} \oplus Konst_{(13)} \oplus Konst_{(23)}$.
Bias: $(2^{-1})^2 (2^{-4.35})^5 = 2^{-22.8}$

Attack on NLS with $Konst = 0$ (cont.)
Recall that $\alpha_{t,(0)} = r_t[0]_{(12)} \oplus r_t[15]_{(22)}$ with $p = \frac{1}{2}(1 + 2^{-4.46})$, and
  $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + Konst)$.
Linear approximation of the NFSR (from the LSB), obtained by substituting the approximation of $\alpha_{t,(0)}$ into the least significant bit of the feedback:
  $\underbrace{r_t[4]_{(0)} \oplus r_{t+1}[16]_{(0)}}_{l_1(r_t)} \oplus \underbrace{r_t[0]_{(12)} \oplus r_t[15]_{(22)} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(23)}}_{l_2(r_t)} = 0$
For $l_1(r_t)$,
  $l_1(r_t) = r_t[4]_{(0)} \oplus r_{t+1}[16]_{(0)}$
  $l_1(r_{t+1}) = r_{t+1}[4]_{(0)} \oplus r_{t+2}[16]_{(0)}$
  $l_1(r_{t+6}) = r_{t+6}[4]_{(0)} \oplus r_{t+7}[16]_{(0)}$
  $l_1(r_{t+13}) = r_{t+13}[4]_{(0)} \oplus r_{t+14}[16]_{(0)}$
  $l_1(r_{t+16}) = r_{t+16}[4]_{(0)} \oplus r_{t+17}[16]_{(0)}$
and the sum of these five equals $\nu_{t+4,(0)} \oplus \nu_{t+17,(0)}$.

Attack on NLS with $Konst = 0$ (cont.)
  $l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(23)}$
For the clocks $t$, $t+1$, $t+6$, $t+13$ and $t+16$,
  $l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(23)}$
  $l_2(r_{t+1}) = r_{t+1}[0]_{(12)} \oplus r_{t+1}[0]_{(13)} \oplus r_{t+1}[15]_{(22)} \oplus r_{t+1}[15]_{(23)}$
  $l_2(r_{t+6}) = r_{t+6}[0]_{(12)} \oplus r_{t+6}[0]_{(13)} \oplus r_{t+6}[15]_{(22)} \oplus r_{t+6}[15]_{(23)}$
  $l_2(r_{t+13}) = r_{t+13}[0]_{(12)} \oplus r_{t+13}[0]_{(13)} \oplus r_{t+13}[15]_{(22)} \oplus r_{t+13}[15]_{(23)}$
  $l_2(r_{t+16}) = r_{t+16}[0]_{(12)} \oplus r_{t+16}[0]_{(13)} \oplus r_{t+16}[15]_{(22)} \oplus r_{t+16}[15]_{(23)}$
Since $r_{t+p}[0] = r_t[p]$,
  $l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_{t+15}[0]_{(22)} \oplus r_{t+15}[0]_{(23)}$
  $l_2(r_{t+1}) = r_t[1]_{(12)} \oplus r_t[1]_{(13)} \oplus r_{t+15}[1]_{(22)} \oplus r_{t+15}[1]_{(23)}$
  $l_2(r_{t+6}) = r_t[6]_{(12)} \oplus r_t[6]_{(13)} \oplus r_{t+15}[6]_{(22)} \oplus r_{t+15}[6]_{(23)}$
  $l_2(r_{t+13}) = r_t[13]_{(12)} \oplus r_t[13]_{(13)} \oplus r_{t+15}[13]_{(22)} \oplus r_{t+15}[13]_{(23)}$
  $l_2(r_{t+16}) = r_t[16]_{(12)} \oplus r_t[16]_{(13)} \oplus r_{t+15}[16]_{(22)} \oplus r_{t+15}[16]_{(23)}$
Summing the columns gives $\nu_{t,(12)} \oplus \nu_{t,(13)}$ and $\nu_{t+15,(22)} \oplus \nu_{t+15,(23)}$ by the NLF approximation.

Attack on NLS with $Konst = 0$ (cont.)
Therefore,
  $l_2(r_t) \oplus l_2(r_{t+1}) \oplus l_2(r_{t+6}) \oplus l_2(r_{t+13}) \oplus l_2(r_{t+16}) = \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)}$
By combining $l_1$ and $l_2$, the distinguisher will be
  $l_1(r_t) \oplus l_1(r_{t+1}) \oplus l_1(r_{t+6}) \oplus l_1(r_{t+13}) \oplus l_1(r_{t+16}) \oplus l_2(r_t) \oplus l_2(r_{t+1}) \oplus l_2(r_{t+6}) \oplus l_2(r_{t+13}) \oplus l_2(r_{t+16})$
  $= \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$
The approximation of the NFSR is used 5 times and the approximation of the NLF twice.
Bias: $(2^{-4.46})^5 (2^{-2})^2 = 2^{-26.3}$

Attack on NLS with $Konst \ne 0$
When $Konst \ne 0$, the biases of the linear approximations of the NFSR and the NLF change. Denote $Konst^{(H)} = (Konst_{(31)}, \ldots, Konst_{(24)})$ and $Konst^{(L)} = (Konst_{(23)}, \ldots, Konst_{(0)})$.
(Figure: bias variation of $\alpha_{t,(0)} = r_t[0]_{(12)} \oplus r_t[15]_{(22)}$ as a function of $Konst^{(H)}$.)

Attack on NLS with $Konst \ne 0$ (cont.)
When $Konst^{(H)}$ is around 1 or 120,
  $\nu_{t,(i)} \oplus \nu_{t,(i-1)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)}) \oplus (r_t[6]_{(i)} \oplus Konst_{(i)} \oplus r_t[6]_{(i-1)} \oplus Konst_{(i-1)})$
When $Konst^{(H)}$ is around 51 or 179,
  $\nu_{t,(i)} \oplus \nu_{t,(i-1)} \oplus \nu_{t,(i-2)} \oplus \nu_{t,(i-3)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)} \oplus r_t[0]_{(i-2)} \oplus r_t[16]_{(i-2)} \oplus r_t[0]_{(i-3)} \oplus r_t[16]_{(i-3)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)} \oplus r_t[1]_{(i-2)} \oplus r_t[13]_{(i-2)} \oplus r_t[1]_{(i-3)} \oplus r_t[13]_{(i-3)}) \oplus (r_t[6]_{(i)} \oplus Konst_{(i)} \oplus r_t[6]_{(i-1)} \oplus Konst_{(i-1)} \oplus r_t[6]_{(i-2)} \oplus Konst_{(i-2)} \oplus r_t[6]_{(i-3)} \oplus Konst_{(i-3)})$
For the new approximation, we need
  $(r[x] + r[y])_{(i)} \oplus (r[x] + r[y])_{(i-1)} \oplus (r[x] + r[y])_{(i-2)} \oplus (r[x] + r[y])_{(i-3)} = r[x]_{(i)} \oplus r[y]_{(i)} \oplus r[x]_{(i-1)} \oplus r[y]_{(i-1)} \oplus r[x]_{(i-2)} \oplus r[y]_{(i-2)} \oplus r[x]_{(i-3)} \oplus r[y]_{(i-3)}$,
which has a bias of $2^{-3}$.

Attack on NLS with $Konst \ne 0$ (cont.)
The bias of the approximation depends on $Konst^{(L)}$:
  $(r_t[6] + Konst)_{(i)} \oplus (r_t[6] + Konst)_{(i-1)} = r_t[6]_{(i)} \oplus Konst_{(i)} \oplus r_t[6]_{(i-1)} \oplus Konst_{(i-1)}$
(Figure: bias variation as a function of $Konst^{(L)}$ when $i = 13$.)

Attack on NLS with $Konst \ne 0$ (cont.)
Distinguisher 1: $\nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$
  The average bias of the approximation of the NFSR: $2^{-5.4}$
  The average bias of the approximation of the NLF: $2^{-3}$
  The average bias: $(2^{-5.4})^5 (2^{-3})^2 = 2^{-33}$
For some values of $Konst$, the bias of the distinguisher becomes less than $2^{-40}$ (e.g. $Konst^{(H)} = 51$ or $179$).

Attack on NLS with $Konst \ne 0$ (cont.)
Distinguisher 2: $\nu_{t,(10)} \oplus \nu_{t,(11)} \oplus \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(20)} \oplus \nu_{t+15,(21)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$
When $Konst^{(H)} = 51$ or $179$:
  the bias of the approximation of the NFSR: $2^{-5.46}$
  the bias of the approximation of the NLF: $2^{-6}$
  average bias: $(2^{-5.46})^5 (2^{-6})^2 = 2^{-39.3}$
An adversary observes distinguishers 1 and 2 simultaneously. Since the keystream is produced by words, the data complexity of the attack does not change.

Distinguisher for Dragon
1. Structure of Dragon
2. Linear Approximations of Functions used in Dragon
3. Building Distinguisher
4. Generalized Masks and Distinguishers
5. Future Research

Structure of Dragon
Dragon is a word-oriented stream cipher submitted to the eSTREAM project. During Phase 1, Englund and Maximov presented a distinguishing attack against Dragon that requires around $2^{155}$ keystream words and $2^{96}$ memory.
Dragon consists of a 1024-bit nonlinear feedback register, a nonlinear state update function, and a 64-bit internal memory.
Two sizes of key: 128 or 256 bits
64-bit (two words) output keystream
The nonlinear state update function ($F$ function): 192 bits (six words) $\to$ 192 bits (six words)

Structure of Dragon - Function F
(Figure: the six input words $a, b, c, d, e, f$ pass through the functions $G_1, G_2, G_3, H_1, H_2, H_3$ and produce the six output words $a', b', c', d', e', f'$.)

Structure of Dragon - Functions G and H
The functions $G$ and $H$ are constructed from two $8 \times 32$ S-boxes $S_1$ and $S_2$. If the 32-bit input $x$ is split into four bytes $x = x_0 \| x_1 \| x_2 \| x_3$, then
  $G_1(x) = S_1(x_0) \oplus S_1(x_1) \oplus S_1(x_2) \oplus S_2(x_3)$
  $G_2(x) = S_1(x_0) \oplus S_1(x_1) \oplus S_2(x_2) \oplus S_1(x_3)$
  $G_3(x) = S_1(x_0) \oplus S_2(x_1) \oplus S_1(x_2) \oplus S_1(x_3)$
  $H_1(x) = S_2(x_0) \oplus S_2(x_1) \oplus S_2(x_2) \oplus S_1(x_3)$
  $H_2(x) = S_2(x_0) \oplus S_2(x_1) \oplus S_1(x_2) \oplus S_2(x_3)$
  $H_3(x) = S_2(x_0) \oplus S_1(x_1) \oplus S_2(x_2) \oplus S_2(x_3)$

Structure of Dragon - State Update
The states of the nonlinear shift register: $B_0, B_1, \ldots, B_{31}$, where each $B_i$ is a 32-bit word.
The internal memory: $M = (M_L \| M_R)$, where $M_L$ and $M_R$ are 32-bit words.
Keystream generation
  Input: $\{B_0, B_1, \ldots, B_{31}\}$ and $M = (M_L \| M_R)$
  $a = B_0$, $b = B_9$, $c = B_{16}$, $d = B_{19}$, $e = B_{30} \oplus M_L$, $f = B_{31} \oplus M_R$
  $(a', b', c', d', e', f') = F(a, b, c, d, e, f)$
  $B_0 = b'$, $B_1 = c'$ and $B_i = B_{i-2}$ for $2 \le i \le 31$; $M = M + 1$
  Output: $k = (a' \| e')$

Approximations: Definition of Bias
Assume a function $f : \{0,1\}^m \to \{0,1\}^n$ for some positive integers $m$ and $n$. Given a linear input mask $\Lambda \in GF(2^m)$ and a linear output mask $\Gamma \in GF(2^n)$, the bias of the approximation $\Lambda \cdot x = \Gamma \cdot f(x)$ is measured as
  $\epsilon_f(\Lambda, \Gamma) = 2^{-n} \big( \#(\Lambda \cdot x \oplus \Gamma \cdot f(x) = 0) - \#(\Lambda \cdot x \oplus \Gamma \cdot f(x) = 1) \big)$
so that
  $\Pr[\Lambda \cdot x = \Gamma \cdot f(x)] = \frac{1}{2}(1 + \epsilon_f(\Lambda, \Gamma))$.

Approximations of Functions G and H
The linear approximations of the functions $G$ and $H$ can be constructed by combining approximations of $S_1$ and $S_2$ appropriately. We need special forms of approximations:
  $\Gamma \cdot G(x) = \Gamma \cdot x$: bypassing approximations
  $\Gamma \cdot H(x) = 0$: cutting approximations

  Approximation                            Bias                              Example
  $\Gamma \cdot H(x) = 0$                  $\epsilon_H(0, \Gamma)$           $\epsilon_H(0, \mathtt{0x4810812B}) = 2^{-7.16}$
  $\Gamma \cdot x = \Gamma \cdot G_1(x)$   $\epsilon_{G_1}(\Gamma, \Gamma)$  $\epsilon_{G_1}(\mathtt{0x09094102}, \mathtt{0x09094102}) = 2^{-9.33}$
  $\Gamma \cdot x = \Gamma \cdot G_2(x)$   $\epsilon_{G_2}(\Gamma, \Gamma)$  $\epsilon_{G_2}(\mathtt{0x90904013}, \mathtt{0x90904013}) = 2^{-9.81}$

Approximations of Function H
Assume $x = x_0 \| x_1 \| x_2 \| x_3$ ($x_i$: the $i$-th byte of $x$). The approximation $\Gamma \cdot H_1(x) = 0$ can be represented as
  $\Gamma \cdot H_1(x) = \Gamma \cdot S_2(x_0) \oplus \Gamma \cdot S_2(x_1) \oplus \Gamma \cdot S_2(x_2) \oplus \Gamma \cdot S_1(x_3) = 0$
Hence, the bias $\epsilon_{H_1}(0, \Gamma)$ is computed as
  $\epsilon_{H_1}(0, \Gamma) = \epsilon_{S_2}(0, \Gamma)^3\, \epsilon_{S_1}(0, \Gamma)$,
where $\epsilon_{S_i}(0, \Gamma)$ denotes the bias of $\Gamma \cdot S_i(x_j) = 0$. Due to the structure, $\epsilon_{H_1}(0, \Gamma) = \epsilon_{H_2}(0, \Gamma) = \epsilon_{H_3}(0, \Gamma)$.

Approximations of Function G
Assume $x = x_0 \| x_1 \| x_2 \| x_3$, where $x_i$ denotes the $i$-th byte of $x$, and a mask $\Gamma = \Gamma_0 \| \Gamma_1 \| \Gamma_2 \| \Gamma_3$, where $\Gamma_i \in \{0,1\}^8$. The approximation $\Gamma \cdot x = \Gamma \cdot G_1(x)$ can be decomposed into
  $\Gamma \cdot (x \oplus G_1(x)) = (\Gamma_0 \cdot x_0 \oplus \Gamma \cdot S_1(x_0)) \oplus (\Gamma_1 \cdot x_1 \oplus \Gamma \cdot S_1(x_1)) \oplus (\Gamma_2 \cdot x_2 \oplus \Gamma \cdot S_1(x_2)) \oplus (\Gamma_3 \cdot x_3 \oplus \Gamma \cdot S_2(x_3)) = 0$
Hence, the bias $\epsilon_{G_1}(\Gamma, \Gamma)$ can be computed as
  $\epsilon_{G_1}(\Gamma, \Gamma) = \epsilon_{S_1(x_0)}(\Gamma_0, \Gamma)\, \epsilon_{S_1(x_1)}(\Gamma_1, \Gamma)\, \epsilon_{S_1(x_2)}(\Gamma_2, \Gamma)\, \epsilon_{S_2(x_3)}(\Gamma_3, \Gamma)$,
where $\epsilon_{S_i(x_j)}(\Gamma_j, \Gamma)$ denotes the bias of $\Gamma_j \cdot x_j \oplus \Gamma \cdot S_i(x_j) = 0$.
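To make the product rules for $\epsilon_H(0, \Gamma)$ and $\epsilon_{G_1}(\Gamma, \Gamma)$ concrete, the following Python script is an added example with constructed toy S-boxes (4-bit input, 16-bit output, seeded pseudo-random tables), not Dragon's $S_1$ and $S_2$. It implements the bias definition by counting over all inputs, builds functions with the same S-box pattern as $H_1$ and $G_1$ on 16-bit words split into nibbles instead of bytes, and checks that the cutting and bypassing biases measured exhaustively equal the products of the per-S-box biases. The bias is normalised over the $2^m$ inputs of the S-box so that it lies in $[-1, 1]$.

```python
# Added example (not from the slides): linear bias of an S-box and of Dragon-style
# H/G compositions, with constructed toy S-boxes in place of S1 and S2.
import random

IN_BITS, OUT_BITS = 4, 16          # toy: 4 x 16 S-boxes instead of Dragon's 8 x 32

def make_sbox(seed):
    rng = random.Random(seed)      # seeded, so the tables are reproducible
    return [rng.getrandbits(OUT_BITS) for _ in range(1 << IN_BITS)]

S1 = make_sbox(1)
S2 = make_sbox(2)

def parity(v):
    return bin(v).count("1") & 1

def sbox_bias(sbox, lam, gam):
    """epsilon_S(Lambda, Gamma) = 2^-m (#zeros - #ones) of Lambda.x xor Gamma.S(x)."""
    zeros = sum(1 for x, y in enumerate(sbox) if parity(lam & x) ^ parity(gam & y) == 0)
    n = len(sbox)
    return (2 * zeros - n) / n

def split(x):
    """x = x0 || x1 || x2 || x3, x0 the most significant nibble."""
    return [(x >> (IN_BITS * (3 - j))) & 0xF for j in range(4)]

def compose(boxes, x):
    """H/G-style function: XOR of one S-box output per input chunk."""
    out = 0
    for box, xj in zip(boxes, split(x)):
        out ^= box[xj]
    return out

H1 = [S2, S2, S2, S1]   # same S-box pattern as Dragon's H1
G1 = [S1, S1, S1, S2]   # same S-box pattern as Dragon's G1

def exhaustive_bias(boxes, lam, gam):
    """Bias of Lambda.x = Gamma.F(x) over all 2^16 inputs of the composed function F."""
    n = 1 << (4 * IN_BITS)
    zeros = sum(1 for x in range(n)
                if parity(lam & x) ^ parity(gam & compose(boxes, x)) == 0)
    return (2 * zeros - n) / n

def cutting_bias(boxes, gam):
    """epsilon_H(0, Gamma): product of epsilon_S(0, Gamma) over the four S-boxes."""
    eps = 1.0
    for box in boxes:
        eps *= sbox_bias(box, 0, gam)
    return eps

def bypassing_bias(boxes, gam):
    """epsilon_G(Gamma, Gamma): product of epsilon_S(Gamma_j, Gamma), Gamma_j = j-th chunk of Gamma."""
    eps = 1.0
    for box, gj in zip(boxes, split(gam)):
        eps *= sbox_bias(box, gj, gam)
    return eps

if __name__ == "__main__":
    gam = 0x4810   # constructed 16-bit mask for the toy
    print("cutting   H1:", exhaustive_bias(H1, 0, gam), "== product", cutting_bias(H1, gam))
    print("bypassing G1:", exhaustive_bias(G1, gam, gam), "== product", bypassing_bias(G1, gam))
```

The product rule is exact here because the four chunks of $x$ are independent and uniform, so the Piling-up lemma applies without approximation; the same argument gives $\epsilon_{H_1}(0, \Gamma) = \epsilon_{S_2}(0, \Gamma)^3 \epsilon_{S_1}(0, \Gamma)$ on the real cipher.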

Approximations of Modular Addition
Given a linear mask $\Gamma = (\gamma_{n-1}, \ldots, \gamma_0)$ with $\gamma_i \in \{0,1\}$, assume that the Hamming weight of $\Gamma$ is $m$. Let the vector
  $W_\Gamma = \Gamma \cdot (31, 30, \ldots, 1, 0) = (w_{m-1}, w_{m-2}, \ldots, w_0)$
denote the bit positions $i$ of $\Gamma$ with $\gamma_i = 1$, in decreasing order. Then the bias $\epsilon_+(\Gamma, \Gamma)$ is
  $\epsilon_+(\Gamma, \Gamma) = 2^{-d_1}$, where $d_1 = \sum_{i=0}^{m/2 - 1} (w_{2i+1} - w_{2i})$, when $m$ is even, or
  $\epsilon_+(\Gamma, \Gamma) = 2^{-d_2}$, where $d_2 = \sum_{i=1}^{(m-1)/2} (w_{2i} - w_{2i-1}) + w_0$, when $m$ is odd.
For example, if $\Gamma = \mathtt{0x0600018D}$, the Hamming weight of $\Gamma$ is 7 and $W_\Gamma = (26, 25, 8, 7, 3, 2, 0)$. Hence,
  $\epsilon_+(\Gamma, \Gamma) = 2^{-[(26 - 25) + (8 - 7) + (3 - 2)]} = 2^{-3}$.
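The following Python script is an added example (not from the slides) that serves two passages: the NLS slide's two-bit approximation of modular addition, which holds with bias $2^{-1}$ and piles up to $(2^{-1})^2$ when $Konst = 0$, and the Dragon slide's formula for $\epsilon_+(\Gamma, \Gamma)$ from the bit positions $W_\Gamma$. It measures the bias of $\Gamma \cdot (x + y) = \Gamma \cdot x \oplus \Gamma \cdot y$ exhaustively on small word sizes and compares it with the formula for every mask. The word sizes 6 and 8 are constructed for the demonstration; the mask 0x0600018D is the one from the slide.

```python
# Added example (not from the slides): bias of the linear approximation
# Gamma.(x + y) = Gamma.x xor Gamma.y of modular addition, measured exhaustively,
# predicted by the W_Gamma formula, and combined with the Piling-up lemma.

def parity(v):
    return bin(v).count("1") & 1

def exhaustive_add_bias(gamma, w):
    """epsilon with Pr[Gamma.(x+y) = Gamma.x xor Gamma.y] = (1 + epsilon)/2,
    counted over all pairs of w-bit words (constructed toy size, not 32 bits)."""
    mask = (1 << w) - 1
    agree = 0
    for x in range(1 << w):
        for y in range(1 << w):
            if parity(gamma & ((x + y) & mask)) == parity(gamma & x) ^ parity(gamma & y):
                agree += 1
    total = 1 << (2 * w)
    return (2 * agree - total) / total

def add_bias_exponent(gamma):
    """d such that epsilon_+(Gamma, Gamma) = 2^-d, from the set bit positions of Gamma.
    w[0] = w_0 is the lowest set position, w[m-1] the highest, as on the slide."""
    w = [i for i in range(gamma.bit_length()) if (gamma >> i) & 1]
    m = len(w)
    if m % 2 == 0:
        return sum(w[2 * i + 1] - w[2 * i] for i in range(m // 2))
    return sum(w[2 * i] - w[2 * i - 1] for i in range(1, (m - 1) // 2 + 1)) + w[0]

def piling_up(biases):
    """Bias of the XOR of independent approximations (p = (1 + eps)/2 convention)."""
    eps = 1.0
    for e in biases:
        eps *= e
    return eps

def two_bit_mask(i):
    """Mask selecting bits i and i-1: the NLS relation
    r[z]_(i) xor r[z]_(i-1) = r[x]_(i) xor r[y]_(i) xor r[x]_(i-1) xor r[y]_(i-1)."""
    return (1 << i) | (1 << (i - 1))

if __name__ == "__main__":
    print("NLS two-bit relation, 8-bit words:", exhaustive_add_bias(two_bit_mask(5), 8))
    print("two additions piled up (Konst = 0):", piling_up([0.5, 0.5]))
    print("Dragon mask 0x0600018D: d =", add_bias_exponent(0x0600018D))
    for g in (0b11, 0b101, 0b1111, 0b110110):
        print(f"Gamma={g:06b}: exhaustive {exhaustive_add_bias(g, 6)}, "
              f"formula {2.0 ** -add_bias_exponent(g)}")
```

The formula is exact for uniformly distributed addends: $\Gamma \cdot (x + y) \oplus \Gamma \cdot x \oplus \Gamma \cdot y$ is the XOR of the carries at the masked positions, each pair of adjacent carries differs with probability $\frac{1}{4}$ independently of the lower bits, and the positions between a pair $(w_{2i}, w_{2i+1})$ contribute one such event each, which is what $d_1$ and $d_2$ count.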

Approximation of Function F
According to the state update rule of Dragon, $B_0[t] = B_{30}[t + 15]$, $t = 0, 1, \ldots$, and $a = B_0$, $e = B_{30} \oplus M_L$, where $a$ and $e$ are two of the six input words of the $F$ function. Then we try
  $\Gamma \cdot a = \Gamma \cdot a'$ and $\Gamma \cdot e = \Gamma \cdot e'$,
where $a'$ and $e'$ are the two output words of the $F$ function that are produced as keystream.

Approximation of $a'$
The output word $a'$ is expressed as
  $a' = [(a + (e \oplus f)) \oplus H_1] \oplus [(e \oplus f \oplus G_2) + (H_2 \oplus ((a \oplus b) + c))]$
(the arguments of $H_1$, $G_2$ and $H_2$ are omitted; $+$ is addition modulo $2^{32}$).
By the linearity of $\Gamma$,
  $\Gamma \cdot a' = \Gamma \cdot [(a + (e \oplus f)) \oplus H_1] \oplus \Gamma \cdot [(e \oplus f \oplus G_2) + (H_2 \oplus ((a \oplus b) + c))]$
By the approximation of modular addition,
  $\Gamma \cdot [(e \oplus f \oplus G_2) + (H_2 \oplus ((a \oplus b) + c))] = \Gamma \cdot (e \oplus f \oplus G_2) \oplus \Gamma \cdot [H_2 \oplus ((a \oplus b) + c)]$,
which holds with the bias $\epsilon_+(\Gamma, \Gamma)$.

Approximation of $a'$ (cont.)
Hence, we have
  $\Gamma \cdot a' = \Gamma \cdot [(a + (e \oplus f)) \oplus H_1] \oplus \Gamma \cdot (e \oplus f \oplus G_2) \oplus \Gamma \cdot [H_2 \oplus ((a \oplus b) + c)]$.
Applying the cutting and bypassing approximations, we get
  $\Gamma \cdot a' = \Gamma \cdot [a + (e \oplus f)] \oplus \Gamma \cdot (e \oplus f \oplus [(a \oplus b) + c]) \oplus \Gamma \cdot [(a \oplus b) + c] = \Gamma \cdot [a + (e \oplus f)] \oplus \Gamma \cdot (e \oplus f)$
From the approximation for modular addition, we obtain
  $\Gamma \cdot a' = \Gamma \cdot a$

Approximation of $a'$ (cont.)
We know that $\Gamma \cdot [a + (e \oplus f)] = \Gamma \cdot a \oplus \Gamma \cdot (e \oplus f)$ holds with the bias $\epsilon_+(\Gamma, \Gamma)$. Therefore, the bias of the approximation can be computed from the biases of the component approximations as follows:
  $\epsilon_{a'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^2\, \epsilon_{H_1}(0, \Gamma)\, \epsilon_{H_2}(0, \Gamma)\, \epsilon_{G_2}(\Gamma, \Gamma)$.
Since $a'$ is the upper part of the 64-bit keystream output,
  $\Gamma \cdot k_0[t] = \Gamma \cdot B_0[t]$,
where $k_0[t]$ denotes the upper part of the 64-bit $k$ at clock $t$.

Approximation of $e'$
The output word $e'$ is described as
  $e' = [((a + (e \oplus f)) \oplus H_1) + (c \oplus d \oplus G_1)] \oplus [H_3 \oplus ((c \oplus d) + e)]$
From the approximation for modular addition, we have
  $\Gamma \cdot e' = \Gamma \cdot [(a + (e \oplus f)) \oplus H_1] \oplus \Gamma \cdot (c \oplus d \oplus G_1) \oplus \Gamma \cdot [H_3 \oplus ((c \oplus d) + e)]$
Applying the cutting approximations for the functions $H_1$, $H_3$ and the bypassing approximation for the function $G_1$, we get
  $\Gamma \cdot e' = \Gamma \cdot [a + (e \oplus f)] \oplus \Gamma \cdot (c \oplus d \oplus [a + (e \oplus f)]) \oplus \Gamma \cdot [(c \oplus d) + e] = \Gamma \cdot (c \oplus d) \oplus \Gamma \cdot [(c \oplus d) + e]$.

Approximation of $e'$ (cont.)
From the approximation for modular addition, we obtain $\Gamma \cdot e' = \Gamma \cdot e$ with the bias
  $\epsilon_{e'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^2\, \epsilon_{H_1}(0, \Gamma)\, \epsilon_{H_3}(0, \Gamma)\, \epsilon_{G_1}(\Gamma, \Gamma)$.
Since the 32-bit word $e'$ is the lower part of the 64-bit keystream output $k$,
  $\Gamma \cdot k_1[t] = \Gamma \cdot (B_{30}[t] \oplus M_L[t])$,
where $k_1[t]$ is the lower part of the 64-bit $k$ and $M_L[t]$ is the upper part of the 64-bit memory word $M$.

Distinguisher
According to the function $F$, we can write
  $\Gamma \cdot k_0[t] = \Gamma \cdot B_0[t] = \Gamma \cdot B_{30}[t + 15] = \Gamma \cdot (k_1[t + 15] \oplus M_L[t + 15])$
By guessing (partially) the initial value of $M$, we can build the following distinguisher:
  $\Gamma \cdot k_0[t] = \Gamma \cdot k_1[t + 15]$
For the correctly guessed initial value of $M$, the distinguisher shows the bias
  $\epsilon_D(\Gamma, \Gamma) = \epsilon_{a'}(\Gamma, \Gamma)\, \epsilon_{e'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^4\, \epsilon_{H_1}(0, \Gamma)^2\, \epsilon_{H_2}(0, \Gamma)\, \epsilon_{H_3}(0, \Gamma)\, \epsilon_{G_1}(\Gamma, \Gamma)\, \epsilon_{G_2}(\Gamma, \Gamma)$

Distinguisher (cont.)
We need to guess the first 27 bits of the initial value of $M_L$ and 32 bits of $M_R$. Hence, we need to store all possible values of the internal state, which takes $2^{27+32} = 2^{59}$ bits.
The best linear approximation uses the mask $\Gamma = \mathtt{0x0600018D}$. The bias of the distinguisher in this case is $2^{-75.8}$.

  $\Gamma$      $\epsilon_+(\Gamma,\Gamma)$  $\epsilon_H(0,\Gamma)$  $\epsilon_{G_1}(\Gamma,\Gamma)$  $\epsilon_{G_2}(\Gamma,\Gamma)$  $\epsilon_{a'}(\Gamma,\Gamma)$  $\epsilon_{e'}(\Gamma,\Gamma)$  $\epsilon_D(\Gamma,\Gamma)$
  0x0600018D    $2^{-3}$                     $2^{-8.58}$             $2^{-13.59}$                     $2^{-15.91}$                     $2^{-39.1}$                     $2^{-36.7}$                     $2^{-75.8}$

Future Research
The eSTREAM call: secure and efficient stream ciphers; a service to the community at large; several recommendations for finalists (SW and HW) are expected; further analysis of the finalists.
Analysis of stream ciphers: total break (recovery of the secret key or initial state); distinguishers (indication of weaknesses).
Development of new cryptanalytic tools for stream ciphers.