MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo, ON, N2L 3G1, CANADA IMACC 2017, 12-14 December 2017 St Catherines College, University of Oxford, Oxford
Outline
- Introduction
- WG stream cipher
- Cube attack on WG-5
- Comparison with Grain128a & Trivium
- Conclusions
Introduction
Cube attacks

Proposed in 2007 [1] and 2009 [2].

Basic idea: let $f : \mathbb{F}_2^5 \to \mathbb{F}_2$ be given by
$$f(k_0, k_1, k_2, v_0, v_1) = v_0 v_1 k_0 + v_0 v_1 k_2 + v_0 v_1 + k_0 k_1 + v_1 k_2 + k_2 + 1 = v_0 v_1 (k_0 + k_2 + 1) + k_0 k_1 + v_1 k_2 + k_2 + 1.$$
Summing $f$ over all four choices of $(v_0, v_1)$ gives
$$f(k_0, k_1, k_2, 0, 0) + f(k_0, k_1, k_2, 0, 1) + f(k_0, k_1, k_2, 1, 0) + f(k_0, k_1, k_2, 1, 1) = k_0 + k_2 + 1,$$
a linear relation in the two key bits $k_0$ and $k_2$ (every term not divisible by $v_0 v_1$ is added an even number of times and cancels).

[1] Vielhaber, M.: Breaking ONE.FIVIUM by AIDA, an algebraic IV differential attack. Cryptology ePrint Archive, Report 2007/413.
[2] Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. EUROCRYPT 2009.
Cube attacks (ctd.)

Mathematical description (initialization phase: load $k$ and $v$, update the state, output $z$):
- $k = (k_0, k_1, \ldots, k_{n-1})$: secret variables
- $v = (v_0, v_1, \ldots, v_{m-1})$: public variables
- $z = f(k, v)$: first keystream bit
- $I = \{i_1, i_2, \ldots, i_{|I|}\} \subseteq \{0, 1, \ldots, m-1\}$: cube indices

$f(k, v)$ can be written as
$$f(k, v) = t_I \cdot p(k, v) + q(k, v), \qquad t_I = v_{i_1} v_{i_2} \cdots v_{i_{|I|}},$$
where $p(k, v)$ does not contain any of the cube variables $v_{i_1}, \ldots, v_{i_{|I|}}$, and $q(k, v)$ contains no monomial divisible by $t_I$ (each of its monomials misses at least one cube variable).
Cube attacks (ctd.)

Let $C_I$ denote the set of all $2^{|I|}$ values of $(v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}})$, with the remaining $n + m - |I|$ input variables fixed to constants. Then
$$\bigoplus_{C_I} f(k, v) = p(k, v).$$
$p(k, v)$ is called the superpoly of the cube $C_I$. A simple (e.g. linear or low-degree) superpoly yields equations in the key bits that can be solved, which is what makes the attack algebraic rather than statistical.
Division property

Definition (division property [3]). Let $X \subseteq \mathbb{F}_2^n$ be a multiset and $0 \le k \le n$. $X$ has the division property $\mathcal{D}_k^n$ if
$$\bigoplus_{x \in X} \pi_u(x) = 0 \quad \text{for all } u \in \mathbb{F}_2^n \text{ with } \mathrm{wt}(u) < k.$$

Definition (bit-based division property [4]). Let $X$ be a multiset whose elements take values in $\mathbb{F}_2^n$, and let $\mathbb{W}$ be a set of $n$-dimensional binary vectors. $X$ has the division property $\mathcal{D}^{1,n}_{\mathbb{W}}$ if
$$\bigoplus_{x \in X} \pi_u(x) = \begin{cases} \text{unknown} & \text{if there exists } w \in \mathbb{W} \text{ such that } u \succeq w, \\ 0 & \text{otherwise,} \end{cases}$$
where $u, w, x \in \mathbb{F}_2^n$, $\pi_u(x) = \prod_{i=0}^{n-1} x_i^{u_i}$, and $u \succeq w$ means $u_i \ge w_i$ for all $i$.

[3] Todo, Y.: Structural evaluation by generalized integral property. EUROCRYPT 2015.
[4] Todo, Y., Morii, M.: Bit-based division property and application to SIMON family. FSE 2016.
MILP models for bit-based division property propagation (mixed integer linear programming)

- COPY, $a \xrightarrow{\text{COPY}} (b_1, b_2, \ldots, b_m)$: M.var $a, b_1, b_2, \ldots, b_m$ as binary; M.con $a = b_1 + b_2 + \cdots + b_m$.
- XOR, $(a_1, a_2, \ldots, a_m) \xrightarrow{\text{XOR}} b$: M.var $a_1, a_2, \ldots, a_m, b$ as binary; M.con $a_1 + a_2 + \cdots + a_m = b$.
- AND, $(a_1, a_2, \ldots, a_m) \xrightarrow{\text{AND}} b$: M.var $a_1, a_2, \ldots, a_m, b$ as binary; M.con $b \ge a_i$ for $i = 1, 2, \ldots, m$.

The feasible solutions of these inequalities correspond exactly to all division trails.
Division property & cube attacks

To check whether secret variable $k_j$ is involved in the superpoly:
1. For a given cube $C_I$, start with the initial division property $\mathcal{D}^{1,n}_{\mathbb{W}}$ with $\mathbb{W} = \{(v, e_j)\}$, where $v_i = 1$ for $i \in \{i_1, i_2, \ldots, i_{|I|}\}$, $k_j = 1$, and all remaining $v_i$ and key bits are 0.
2. Add the constraint $z = 1$ (only the output bit carries the division property at the end).
3. If there is no division trail satisfying steps 1 and 2, then $k_j$ is not involved in the superpoly of $C_I$ (Todo et al. [5]). The converse does not hold: a feasible trail only means $k_j$ may be involved, since division trails over-approximate the set of monomials.

[5] Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. CRYPTO 2017.
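The check above, run by exhaustive enumeration of division trails instead of an MILP solver, on the toy polynomial $f$ from the introduction. This is an added example, not code from the paper: the gate-level circuit for $f$ and the wire names are an encoding chosen here, and the only rules used are the COPY/XOR/AND rules of the previous slide. Enumeration is fine for a handful of gates; the MILP model is what makes the same search tractable for a real cipher.

```python
# Added example (not from the paper): decide whether a key bit may appear in
# the superpoly of a cube by searching for a division trail from the initial
# vector (cube bits and k_j set to 1) to the unit vector on z. The gate rules
# are those of the MILP-model slide: COPY a = sum b_i, XOR sum a_i = b,
# AND b >= a_i. The circuit below is an encoding of the toy
# f = v0v1(k0+k2+1) + k0k1 + v1k2 + k2 + 1 chosen for this example.

# Every wire is produced once and consumed by exactly one gate; COPY gates
# create the extra uses. 'one' and 'one2' are the constant 1 (division 0).
TOY_INPUTS = ["k0", "k1", "k2", "v0", "v1"]
TOY_CONSTANTS = ["one", "one2"]
TOY_CIRCUIT = [
    ("copy", "k0", ["k0a", "k0b"]),
    ("copy", "k2", ["k2a", "k2b", "k2c"]),
    ("copy", "v1", ["v1a", "v1b"]),
    ("and", ["v0", "v1a"], "v0v1"),
    ("xor", ["k0a", "k2a", "one"], "lin"),      # k0 + k2 + 1
    ("and", ["v0v1", "lin"], "t1"),             # v0 v1 (k0 + k2 + 1)
    ("and", ["k0b", "k1"], "t2"),               # k0 k1
    ("and", ["v1b", "k2b"], "t3"),              # v1 k2
    ("xor", ["t1", "t2", "t3", "k2c", "one2"], "z"),
]

def gate_outputs(kind, ins):
    """All output division bits one gate can take for the given input bits."""
    if kind == "copy":                     # ins = (a, m): a = b_1 + ... + b_m
        a, m = ins
        if a == 0:
            return [(0,) * m]
        return [tuple(1 if i == j else 0 for i in range(m)) for j in range(m)]
    if kind == "xor":                      # a_1 + ... + a_m = b, b binary
        s = sum(ins)
        return [(s,)] if s <= 1 else []    # sum >= 2 means no trail
    if kind == "and":                      # b >= a_i for all i
        return sorted({(max(ins),), (1,)})
    raise ValueError(kind)

def trail_exists(circuit, initial, output="z"):
    """Depth-first search for a division trail from `initial` (wire -> bit)
    to the unit vector on `output`; any other wire left over must be 0."""
    def rec(i, wires):
        if i == len(circuit):
            return wires.get(output) == 1 and all(
                b == 0 for w, b in wires.items() if w != output)
        kind, srcs, dsts = circuit[i]
        if kind == "copy":
            ins = (wires.pop(srcs), len(dsts))
        else:
            ins = [wires.pop(s) for s in srcs]
            dsts = [dsts]
        for outs in gate_outputs(kind, ins):
            nxt = dict(wires)
            nxt.update(zip(dsts, outs))
            if rec(i + 1, nxt):
                return True
        return False
    return rec(0, dict(initial))

def possibly_involved(circuit, inputs, constants, cube, key_bit):
    """The slide's test: cube bits and k_j set to 1, everything else 0,
    and a trail must end with z = 1."""
    initial = {w: 0 for w in inputs + constants}
    for w in cube:
        initial[w] = 1
    initial[key_bit] = 1
    return trail_exists(circuit, initial)

def involved_key_bits(circuit, inputs, constants, cube, key_bits):
    """Key bits that may be involved in the superpoly of `cube`."""
    return [k for k in key_bits
            if possibly_involved(circuit, inputs, constants, cube, k)]

if __name__ == "__main__":
    keys = ["k0", "k1", "k2"]
    for cube in (["v0", "v1"], ["v1"]):
        print(cube, "->", involved_key_bits(TOY_CIRCUIT, TOY_INPUTS, TOY_CONSTANTS, cube, keys))
```

For the cube $\{v_0, v_1\}$ the search finds trails for $k_0$ and $k_2$ and none for $k_1$, matching the superpoly $k_0 + k_2 + 1$. For the single-bit cube $\{v_1\}$ it reports $k_0$ as possibly involved even though with $v_0 = 0$ the superpoly is just $k_2$: the division property treats the non-cube IV bits as unspecified constants, so the answer is an upper bound, as stated in step 3.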
Our contributions
- We investigate the security of the nonlinear initialization phase of WG-5 with respect to cube attacks.
- We present an argument that the WG-5 initialization phase is more resistant to cube attacks than those of Grain128a and Trivium.
WG stream cipher
General architecture for WG ciphers

(Figure: LFSR of $l$ stages $a_{l-1}, \ldots, a_1, a_0$ over $GF(2^m)$ with feedback coefficients $c_1, \ldots, c_{l-1}$; the output stage feeds $x^d$, then $\mathrm{WGP}\text{-}m(x^d)$, then $\mathrm{Tr}(\cdot)$ to produce one keystream bit; during the initialization phase the $m$-bit WGP output is fed back into the LFSR.)

Mathematical parameters:
- $m$: bit width of the LFSR stages
- $g(x)$: generating polynomial of $GF(2^m)$
- $p(x) = x^l + \sum_{i=0}^{l-1} c_i x^i$: primitive polynomial of the LFSR over $GF(2^m)$; $l$ is the degree of $p$
- find $k$ such that $3k \equiv 1 \pmod m$, and set $r_1 = 2^k + 1$, $r_2 = 2^{2k} + 2^k + 1$, $r_3 = 2^{2k} - 2^k + 1$, $r_4 = 2^{2k} + 2^k - 1$
- $\mathrm{WGP}\text{-}m(x) = t(x + 1) + 1$ with $t(x) = x + x^{r_1} + x^{r_2} + x^{r_3} + x^{r_4}$, $x \in GF(2^m)$
- decimation $d$ with $\gcd(d, 2^m - 1) = 1$
WG ciphers: randomness properties of the WG keystream
- Long period: $2^{lm} - 1$
- Balanced
- Ideal 2-level autocorrelation
- Ideal $t$-tuple distribution
WG-5 specification

WG-5 [6] is a lightweight version of the eSTREAM submission WG [7].

(Figure: 32-stage LFSR $S_i[31], S_i[30], \ldots, S_i[0]$ over $GF(2^5)$, with feedback from stages 0 (multiplied by $\gamma$), 2, 3, 4, 6 and 7; the output stage $S_i[31]$ goes through $x^3$, $\mathrm{WGP}\text{-}5(x^3)$ and $\mathrm{Tr}(\cdot)$ to give the keystream bit; during the initialization phase the 5-bit WGP-5 output is added into the feedback.)

- $g(x) = x^5 + x^4 + x^2 + x + 1$: defining polynomial of $GF(2^5)$, $\alpha$ a root
- $p(x) = x^{32} + x^7 + x^6 + x^4 + x^3 + x^2 + \gamma$, $\gamma = \alpha^4 + \alpha^3 + \alpha^2 + \alpha + 1$
- Initial state (80-bit key $K$ and 80-bit IV, each as 16 words of 5 bits, loaded alternately):
$$S^0[j] = \begin{cases} K[\lfloor j/2 \rfloor] & \text{if } j \equiv 0 \pmod 2, \\ IV[\lfloor j/2 \rfloor] & \text{if } j \not\equiv 0 \pmod 2. \end{cases}$$
- Number of initialization rounds: 64

[6] Aagaard, M. D., Gong, G., Mota, R. K.: Hardware implementations of the WG-5 cipher for passive RFID tags.
[7] Nawaz, Y., Gong, G.: WG: A family of stream ciphers with designed randomness properties.
Cube attack on WG-5
Attack framework: notation
- key $k = (k_0, k_1, \ldots, k_{79})$, IV $v = (v_0, v_1, \ldots, v_{79})$
- first keystream bit $z = f(k, v)$
- superpoly $\bigoplus_{C_I} f(k, v) = p(\bar{k}, \bar{v})$, where $C_I$ is a cube of size $|I|$, $\bar{v} = \{v_0, v_1, \ldots, v_{79}\} \setminus \{v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}}\}$ are the non-cube IV bits, $\bar{k} = \{k_{j_1}, k_{j_2}, \ldots, k_{j_J}\}$ are the key bits involved in the superpoly, and $J = |\bar{k}|$
Attack framework

The attack consists of two phases: (1) offline phase, (2) online phase.

Offline phase. Goal: recover a superpoly that is almost balanced for a given cube $C_I$.
1. Build a MILP model $M$ that encodes the division trails of WG-5 reduced to $R$ rounds.
2. Determine the secret variables $\bar{k}$ involved in the superpoly $p$ (one MILP feasibility check per key bit).
3. Fix a value of $\bar{v}$ and recover $p(\bar{k}, \bar{v})$ by evaluating the cube sum for all $2^{|I| + J}$ combinations of cube values and values of $\bar{k}$; store $p(\bar{k}, \bar{v})$ for every value of $\bar{k}$ (a table of $2^J$ bits).
Attack framework (ctd.)

Online phase. Goal: recover the entire secret key.
1. Query the cube $C_I$ (all $2^{|I|}$ IVs, with $\bar{v}$ at the value chosen offline) to the encryption oracle, sum the first keystream bits to obtain $p(\bar{k}, \bar{v})$ under the real key, and compare with the stored table. Because the superpoly is almost balanced, this halves the candidate space for $\bar{k}$; several cubes are used to shrink it further.
2. Guess the remaining secret key bits by exhaustive search.
MILP model for WG-5 initialization

Algorithm 1: MILP model for the initialization of WG-5
 1: function WG5Eval(R)
 2:   Prepare an empty MILP model M
 3:   M.var S^0[j] for 0 ≤ j ≤ 31, where S^0[j] = (s^0_{5j}, s^0_{5j+1}, s^0_{5j+2}, s^0_{5j+3}, s^0_{5j+4})
 4:   for i = 1 to R do
 5:     (M, S', a) = WGP(S^{i-1})                 # a: 5-bit WGP-5 output
 6:     (M, S', b) = FBK(S', [0, 2, 3, 4, 6, 7])  # b: 5-bit feedback sum
 7:     for j = 0 to 30 do
 8:       S^i[j] = S'[j + 1]
 9:     end for
10:     M.con S'[0] = 0                           # stage shifted out carries no division property
11:     M.var S^i[31] as binary
12:     M.con S^i[31] = a + b                     # bitwise XOR of a and b
13:   end for
14:   (M, S', z) = KSG(S^R)
15:   for j = 0 to 31 do
16:     M.con S'[j] = 0                           # only the output bit may remain
17:   end for
18:   M.con z = 1
19: end function
MILP model for the WG permutation (WGP-5)

WGP-5 as a lookup table (input $x \in \{0, \ldots, 31\}$, output $\mathrm{WGP}\text{-}5(x)$ in hex):
WGP-5 = [0x0, 0x1, 0x1C, 0x4, 0x12, 0x10, 0x1F, 0x13, 0x1E, 0x3, 0x19, 0x15, 0x5, 0x16, 0x18, 0x8, 0xB, 0xF, 0x7, 0xE, 0x17, 0xA, 0xC, 0x6, 0xD, 0x2, 0x14, 0x1D, 0x1B, 0x11, 0x9, 0x1A]

Modeling division trails of WGP-5: let $(x_0, x_1, x_2, x_3, x_4)$ and $(y_0, y_1, y_2, y_3, y_4)$ be the input and output bits of the WGP-5 S-box. Compute the set of all division trails $(x \to y)$ of the S-box, take the H-representation of their convex hull with the Sage function `inequality_generator()`, and reduce the number of inequalities with Algorithms 1 and 2 of [XZBL] [8].

[8] Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. ASIACRYPT 2016.
MILP model for WG permutation (WGP-5) (ctd.) 2x 0 + 2x 1 + 2x 2 + 2x 3 + 6x 4 3y 0 3y 1 3y 2 3y 3 3y 4 1 4x 3 y 0 y 1 y 2 y 3 y 4 1 4x 0 y 0 y 1 y 2 y 3 y 4 1 x 0 x 2 x 3 y 0 + 4y 1 y 2 y 3 2y 4 4 6x 0 3x 1 6x 3 6x 4 + 2y 0 4y 1 + 3y 2 y 3 + 2y 4 19 3x 0 x 1 x 2 3x 3 2x 4 + 9y 0 + 7y 1 + 8y 2 + 9y 3 + 9y 4 0 x 0 + x 1 + x 2 + x 3 + x 4 3y 0 3y 1 3y 2 3y 3 + 5y 4 2 x 0 3x 2 3x 3 2x 4 + y 0 + y 2 + y 3 2y 4 8 x 0 x 1 + 2x 2 x 3 x 4 y 0 2y 1 2y 2 + 3y 3 y 4 5 x 0 2x 1 2x 2 2x 3 x 4 2y 0 y 1 y 2 y 3 + 5y 4 8 2x 0 x 1 2x 2 2x 4 + y 0 + y 1 y 2 + y 4 6 x 0 x 2 x 3 + y 0 y 4 3. 17
MILP models for FBK and KSG

MILP model for FBK: the feedback function is
$$S_i[0] \oplus S_i[2] \oplus S_i[3] \oplus S_i[4] \oplus S_i[6] \oplus S_i[7],$$
so only the division property of bitwise XOR has to be modeled.

MILP model for KSG: the keystream bit after $R$ rounds is $z = \mathrm{Tr}\big(\mathrm{WGP}\text{-}5(S^R[31]^3)\big)$, which in terms of the state bits $s^R_{155}, \ldots, s^R_{159}$ of $S^R[31]$ (superscript $R$ omitted below) is
$$\begin{aligned} z = {} & s_{155} + s_{156} + s_{157} + s_{158} + s_{159} \\ & + s_{155}s_{156} + s_{155}s_{157} + s_{155}s_{159} + s_{156}s_{158} + s_{156}s_{159} \\ & + s_{155}s_{156}s_{157} + s_{155}s_{157}s_{158} + s_{155}s_{157}s_{159} + s_{155}s_{158}s_{159} + s_{156}s_{157}s_{158} + s_{156}s_{158}s_{159}. \end{aligned}$$
Model the division property of bitwise XOR and AND (with COPY wherever a state bit feeds several monomials).
Number of MILP variables & constraints

Function | # variables | # constraints
--- | --- | ---
WGP | 15 | 17
FBK | 65 | 35
KSG | 79 | 63
R rounds of WG-5 | 160 + 159R + 5R | 161 + 115R + 10R
MILP model to find the involved secret variables in the superpoly

Steps 4-6 of the algorithm set the initial input division property: the cube bits and the candidate key bit $k_j$ are set to 1, all other bits to 0.
Results

Rounds | Involved secret variables $\bar{k}$ | $J$ | Time complexity ($\log_2$)
--- | --- | --- | ---
15 | $\{k_5, k_6, \ldots, k_{54}\}$ | 50 | 54
16 | $\{k_5, k_6, \ldots, k_{54}\}$ | 50 | 54
17 | $\{k_5, k_6, \ldots, k_{59}\}$ | 55 | 59
18 | $\{k_5, k_6, \ldots, k_{59}\}$ | 55 | 59
19 | $\{k_5, k_6, \ldots, k_{64}\}$ | 60 | 64
20 | $\{k_5, k_6, \ldots, k_{64}\}$ | 60 | 64
21 | $\{k_5, k_6, \ldots, k_{69}\}$ | 65 | 69
22 | $\{k_5, k_6, \ldots, k_{69}\}$ | 65 | 69
23 | $\{k_5, k_6, \ldots, k_{74}\}$ | 70 | 74
24 | $\{k_5, k_6, \ldots, k_{74}\}$ | 70 | 74

Table 1: Involved secret variables in the superpoly for cube indices $I \in \{I_1, I_2, I_3, I_4, I_5\}$, with $I_1 = \{0, 1, 2, 3\}$, $I_2 = \{0, 1, 2, 4\}$, $I_3 = \{0, 1, 3, 4\}$, $I_4 = \{0, 2, 3, 4\}$, $I_5 = \{1, 2, 3, 4\}$. The time complexity column is the offline cost $2^{|I| + J}$ of recovering one superpoly ($|I| = 4$).
Key recovery for 24 rounds

Key recovery procedure:
1. Choose a value for the constant (non-cube) part of the IV and evaluate the cube sum for all $2^4 \cdot 2^{70}$ combinations to recover $p(k_5, k_6, \ldots, k_{74}, \bar{v})$, where $\bar{v} = \{v_0, v_1, \ldots, v_{79}\} \setminus \{v_j : j \in I_i\}$, for each cube $I_i$, $1 \le i \le 5$, and $R = 24$.
2. Store the $2^{70}$ values of $p(\bar{k}, \bar{v})$ for each cube.
3. Query the cube $C_{I_i}$ to the encryption oracle and compute the sum $\bigoplus_{C_{I_i}} f(k, v)$.
4. Compare this sum with the values of $p$ stored in the offline phase and discard the values of $(k_5, k_6, \ldots, k_{74})$ for which the two differ.

Data complexity: $5 \cdot 2^4 \approx 2^{6.32}$ chosen IVs.
Time complexity: $5 \cdot 2^{74} + 2^{75} \approx 2^{76.81}$ (five offline superpoly recoveries, plus the exhaustive search over the $2^{65}$ surviving values of $\bar{k}$ combined with the 10 key bits not involved in any superpoly).
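The two-phase framework of the earlier slides and the key-recovery procedure above, carried out end to end on the toy polynomial $f$ from the introduction (3 key bits, 2 IV bits) so that every table fits in memory. This is an added example, not the paper's code: the true key $(1, 0, 1)$ and the three cube/constant choices are picked here for illustration. It also includes the linearity test and coefficient recovery that the original cube attack uses on a black-box superpoly, which the slides do not spell out.

```python
# Added example (not from the paper): offline/online cube attack on the toy
# f = v0v1(k0+k2+1) + k0k1 + v1k2 + k2 + 1 from the introduction.
from itertools import product

N_KEY, N_PUB = 3, 2

def f(k, v):
    """Toy first-keystream-bit polynomial over GF(2); k = (k0,k1,k2), v = (v0,v1)."""
    k0, k1, k2 = k
    v0, v1 = v
    return (v0 & v1 & (k0 ^ k2 ^ 1)) ^ (k0 & k1) ^ (v1 & k2) ^ k2 ^ 1

def cube_sum(func, key, cube, n_pub=N_PUB, const=0):
    """XOR of func(key, v) over all 2^|cube| assignments of the cube bits;
    the non-cube public bits are fixed to `const`."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [const] * n_pub
        for idx, b in zip(cube, bits):
            v[idx] = b
        acc ^= func(key, tuple(v))
    return acc

def superpoly(func, cube, const=0):
    """The superpoly p(k) of the cube, as a callable on key tuples."""
    return lambda key: cube_sum(func, key, cube, const=const)

def is_linear(p, n_key=N_KEY):
    """BLR linearity test p(a) + p(b) + p(0) == p(a + b), exhaustive over all
    pairs (a real attack samples random pairs; exhaustive only at toy size)."""
    zero = (0,) * n_key
    keys = list(product((0, 1), repeat=n_key))
    return all(p(a) ^ p(b) ^ p(zero) == p(tuple(x ^ y for x, y in zip(a, b)))
               for a in keys for b in keys)

def recover_linear(p, n_key=N_KEY):
    """Coefficients [c_0..c_{n-1}] and constant c of a linear p = sum c_j k_j + c."""
    zero = (0,) * n_key
    c = p(zero)
    coeffs = [p(tuple(1 if i == j else 0 for i in range(n_key))) ^ c
              for j in range(n_key)]
    return coeffs, c

def offline_table(func, cube, const=0, n_key=N_KEY):
    """Offline phase: p(k) for every value of the key bits (2^J entries)."""
    p = superpoly(func, cube, const)
    return {k: p(k) for k in product((0, 1), repeat=n_key)}

def online_filter(func, true_key, cubes, n_key=N_KEY):
    """Online phase: for each (cube, const), query the oracle on the cube
    under the real key and keep only candidates whose stored p matches."""
    candidates = set(product((0, 1), repeat=n_key))
    for cube, const in cubes:
        table = offline_table(func, cube, const, n_key)
        observed = cube_sum(func, true_key, cube, const=const)  # 2^|cube| oracle queries
        candidates = {k for k in candidates if table[k] == observed}
    return candidates

if __name__ == "__main__":
    p = superpoly(f, [0, 1])
    print("cube {v0,v1}: linear =", is_linear(p), "; coeffs, const =", recover_linear(p))
    true_key = (1, 0, 1)                       # chosen for the demonstration
    for cubes in ([([0, 1], 0)], [([0, 1], 0), ([1], 0), ([1], 1)]):
        print(len(cubes), "cube(s):", sorted(online_filter(f, true_key, cubes)))
```

One balanced superpoly ($k_0 + k_2 + 1$) halves the 8 candidates to 4; the two single-bit cubes $\{v_1\}$ with $v_0 = 0$ and $v_0 = 1$ have superpolys $k_2$ and $k_0 + 1$ and cut the set to 2. The remaining ambiguity is exactly $k_1$, which appears in no superpoly and must be guessed, mirroring the $2^{75}$ exhaustive-search term for WG-5.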
Attack comparison with algebraic attacks

The existing algebraic attack [9] on WG-5 requires data complexity $2^{15}$ and time complexity $2^{33}$, but it is not applicable if WGP-5 is fed back into the state during the keystream generation (KSG) phase. Our attack is unaffected by such feedback: it uses only the first keystream bit, which does not depend on anything fed back afterwards.

[9] Rønjom, S.: Improving algebraic attacks on stream ciphers based on linear feedback shift registers over $\mathbb{F}_{2^k}$. DCC 2017.
Comparison with Grain128a & Trivium
Grain128a

Key: 128-bit, IV: 96-bit, number of initialization rounds: 256. (Figure: 128-bit NLFSR $b$ with feedback $g$, 128-bit LFSR $s$ with feedback $f$, output function $h$ producing $z$.)

Initial state: $(b_0, b_1, \ldots, b_{127}) = (k_0, k_1, \ldots, k_{127})$, $(s_0, s_1, \ldots, s_{127}) = (iv_0, iv_1, \ldots, iv_{95}, 1, \ldots, 1, 0)$.

State update functions:
$$g = b_0 + b_{26} + b_{56} + b_{91} + b_{96} + b_3 b_{67} + b_{11} b_{13} + b_{17} b_{18} + b_{27} b_{59} + b_{40} b_{48} + b_{61} b_{65} + b_{68} b_{84} + b_{88} b_{92} b_{93} b_{95} + b_{22} b_{24} b_{25} + b_{70} b_{78} b_{82}$$
$$f = s_0 + s_7 + s_{38} + s_{70} + s_{81} + s_{96}$$
$$h = b_{12} s_8 + s_{13} s_{20} + b_{95} s_{42} + s_{60} s_{79} + b_{12} b_{95} s_{94}$$
$$z = h + s_{93} + b_2 + b_{15} + b_{36} + b_{45} + b_{64} + b_{73} + b_{89}$$
$$(b_0, b_1, \ldots, b_{127}) \leftarrow (b_1, b_2, \ldots, b_{127}, g + s_0 + z), \qquad (s_0, s_1, \ldots, s_{127}) \leftarrow (s_1, s_2, \ldots, s_{127}, f + z)$$
(during initialization the output bit $z$ is fed back into both registers).
Trivium

Key: 80-bit, IV: 80-bit, number of initialization rounds: 1152. (Figure: three shift registers of 93, 84 and 111 bits, $s_0 \ldots s_{92}$, $s_{93} \ldots s_{176}$ and $s_{177} \ldots s_{287}$.)

Initial state:
$$(s_0, s_1, \ldots, s_{92}) = (k_0, k_1, \ldots, k_{79}, 0, \ldots, 0),$$
$$(s_{93}, s_{94}, \ldots, s_{176}) = (iv_0, iv_1, \ldots, iv_{79}, 0, \ldots, 0),$$
$$(s_{177}, s_{178}, \ldots, s_{287}) = (0, 0, \ldots, 0, 1, 1, 1).$$

State update function:
$$t_1 \leftarrow s_{65} + s_{92}, \quad t_2 \leftarrow s_{161} + s_{176}, \quad t_3 \leftarrow s_{242} + s_{287}, \quad z \leftarrow t_1 + t_2 + t_3,$$
$$t_1 \leftarrow t_1 + s_{90} s_{91} + s_{170}, \quad t_2 \leftarrow t_2 + s_{174} s_{175} + s_{263}, \quad t_3 \leftarrow t_3 + s_{285} s_{286} + s_{68},$$
$$(s_0, s_1, \ldots, s_{92}) \leftarrow (t_3, s_0, \ldots, s_{91}), \quad (s_{93}, s_{94}, \ldots, s_{176}) \leftarrow (t_1, s_{93}, \ldots, s_{175}), \quad (s_{177}, s_{178}, \ldots, s_{287}) \leftarrow (t_2, s_{177}, \ldots, s_{286}).$$
Comparison of initialization phases

(Figure: generic model of an initialization phase with $n + m$ state bits: an NLFSR with feedback $g(y_0, y_1, \ldots, y_{m-1})$, an LFSR with feedback $f(x_0, x_1, \ldots, x_{n-1})$, and nonlinear components $G(Y_{i_1}), G(Y_{i_2}), \ldots, G(Y_{i_k})$ applied to selected state words.)
Comparison of initialization phases (cont.)

Observations on the keystream bit:
- For Trivium, the degree of $z$ reaches 3 after 81 rounds.
- For Grain128a, the degree of $z$ reaches 6 after 32 rounds.
- For WG-5, the degree of $z$ is already 6 after 1 round.

The degree of WG-5 therefore grows much faster than that of Grain128a and Trivium.
Comparison of initialization phases (cont.)

More observations:
- For WG-5, the 5 bits processed by WGP-5 in the $i$-th round are used to generate the keystream bit at round $i + 1$, together with $5 \cdot 6 = 30$ new bits from the feedback function.
- For Grain128a, the bits $b_{127}$ and $s_{127}$ updated in the $i$-th round are used in the keystream bit only at rounds $i + 32$ and $i + 33$, respectively.
- For Trivium, the values of $t_1$, $t_2$ and $t_3$ computed in the $i$-th round are used in the keystream bit only at rounds $i + 90$, $i + 81$ and $i + 108$, respectively.
- Cube attacks cover more than half of the initialization rounds of Grain128a (183/256) and Trivium (832/1152) (Todo et al. [10]), compared with 24/64 for WG-5.

[10] Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. CRYPTO 2017.
Conclusions
Conclusions

In this paper:
- we investigated the security of reduced-round WG-5 with respect to cube attacks;
- the attack requires data complexity $5 \cdot 2^4 \approx 2^{6.32}$ and time complexity $5 \cdot 2^{74} + 2^{75} \approx 2^{76.81}$ for 24 rounds;
- we compared the WG-5 initialization phase with those of Grain128a and Trivium and showed that WG-5 is more resistant to cube attacks.

Full paper: http://cacr.uwaterloo.ca/techreports/2017/cacr2017-06.pdf
Thank you for your attention!
Communication Security (ComSec) Lab, Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1, CANADA
www.comsec.uwaterloo.ca