Distinguishing Attacks on the Stream Cipher Py (Roo)

17th March 2006, FSE 2006. Speaker: Souradyuti Paul (work jointly with B. Preneel and G. Sekar), Computer Security and Industrial Cryptography (COSIC), Department of Electrical Engineering-ESAT, Katholieke Universiteit Leuven, Belgium. Email: Souradyuti.Paul@esat.kuleuven.be


TRANSCRIPT

Page 1: Distinguishing Attacks on the Stream Cipher Py (Roo)

17th March 2006, FSE 2006
Speaker: Souradyuti Paul (work jointly with B. Preneel and G. Sekar)
Computer Security and Industrial Cryptography (COSIC)
Department of Electrical Engineering-ESAT
Katholieke Universiteit Leuven, Belgium
Email: Souradyuti.Paul@esat.kuleuven.be

Page 2: Outline

- Py and a Short History
- Description of Py
- Basic Idea of Attack and Assumptions
- Observation: Input-Output Correlation
- The Bias and the Distinguisher
- Complexities of the Attack
- Biases in other Pairs of Bits
- Conclusions and Remarks

Page 3: Py and the evolution of RC4

- RC4 (1987) by Rivest
- IA, IB, ISAAC (1996) by Jenkins Jr.
- RC4A (2004) by Paul and Preneel
- VMPC (2004) by Zoltak
- HC-256 (2004) by Wu
- GGHN (2005) by Gong et al.
- Py, Py6 (2005) by Biham and Seberry
- PyPy (2006) by Biham and Seberry

Page 4: Stage I: Key/IV set-up of Py

[Figure: the Key (256 bits) and the IV (128 bits) enter the Key/IV set-up algorithm (Step 1), whose initialisation produces the internal state: the array P (256 x 8 bits), the array Y (260 x 32 bits) and the 32-bit variable s.]

Page 5: Stage II: Keystream bytes generation of Py

[Figure: three rounds of keystream generation. Round 1 mixes the state (s, Y, P) into (s', Y', P') and emits Output 1; Round 2 mixes (s', Y', P') into (s'', Y'', P'') and emits Output 2; Round 3 mixes again and emits Output 3, and so on. Output 1 XOR Plaintext 1 = Ciphertext 1, Output 2 XOR Plaintext 2 = Ciphertext 2.]

Page 6: Single round of Py: ith round

[Figure: the arrays P and Y before and after the ith round. The byte array P (indices 000 to 255; in the example 233, 113, 001, ..., 093, 165, 079, ..., 096, 143) is rotated by one position and two of its bytes change places (in the example the bytes 233 and 165 end up at indices 094 and 255). The word array Y (indices -3 to 256, holding X, Y, Z, M, ..., N, P, Q, ..., L) is shifted down by one position and a new word X' is written at index 256. The round produces two 32-bit outputs, O(1,i) and O(2,i).]

Page 7: The basic idea of our attacks and assumptions

- Assumption: Key/IV set-up is perfect
- Focus: mixing of bits in a round
- Identify: a class of internal states introducing bias in the outputs
- Observe: the rest of the states do not cancel the bias (reason: rigorous mixing)
- Conclude: the output is biased on a randomly chosen internal state

Page 8: Main observation: A lucky case in the array P

[Figure: the array P in Round 1, Round 2 and Round 3, with the positions of the entries 1, 239, 208, 116, 72 and 26 tracked across the three rounds. The lucky case is defined by conditions on the indices X, X+1, Y-1 and Y+1, the value 254 and the residues 8 mod 32 and 7 mod 32.]

Page 9: Outputs at 1st and 3rd rounds

[Figure: the array Y (indices 256, 255, 254, ..., 1, 0, -1, -2, -3) holding the words G and H, followed across Round 1, Round 2 and Round 3.]

O(1,1) = (S XOR G) + H
O(2,3) = (S XOR H) + G

Bias in the lsb's:
z = O(1,1)[0] XOR O(2,3)[0]
P(z = 0) = 1

Page 10: Quantifying the bias

- The lucky case L occurs with prob. 2^-41.9
- For the lucky case, P(z = 0 | L) = 1
- For the rest of the cases, we observe that P(z = 0 | L') = 1/2 (see the paper)
- The overall prob. P(z = 0) = 1/2 · (1 + 2^-41.9)

Page 11: The distinguisher (I)

[Figure: Key/IV -> Py -> biased output bit z, collected n times.]

Optimal Distinguisher: if # of 0's ≥ # of 1's then Py, else Random.

- The advantage is close to 0% for n = 1
- If n = 2^84.7 then the advantage is more than 50%
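The majority-vote rule above, and how its advantage grows with the number n of biased bits, as an added example that is not part of the original slides. The bias ε = 2^-4 used in the demo is a constructed stand-in (the slides' 2^-41.9 is far beyond anything a simulation can reach), the bits are sampled from a model with P(z = 0) = (1 + ε)/2 rather than from Py itself, and "advantage" is taken here as P(say Py | Py) − P(say Py | random), one common convention and an assumption of this example:

```python
import math
import random


def decide(z_bits):
    """The slides' optimal distinguisher: answer "Py" when the number of
    zeros among the observed bits is at least the number of ones."""
    zeros = z_bits.count(0)
    return "Py" if zeros >= len(z_bits) - zeros else "Random"


def prob_say_py(n, p_zero):
    """Exact P(decide(...) == "Py") for n independent bits with P(z = 0) = p_zero:
    the binomial upper tail P(#zeros >= ceil(n/2)), summed in log space so that
    large n do not overflow floating point."""
    lo = (n + 1) // 2  # smallest zero-count that is >= the number of ones
    log_p, log_q = math.log(p_zero), math.log1p(-p_zero)
    total = 0.0
    for k in range(lo, n + 1):
        log_pmf = (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
                   + k * log_p + (n - k) * log_q)
        total += math.exp(log_pmf)
    return total


def advantage(n, eps):
    """Advantage (assumed convention) = P(say Py | Py) - P(say Py | random source),
    where the Py-side bit has P(z = 0) = (1 + eps)/2 as on slide 10."""
    return prob_say_py(n, (1 + eps) / 2) - prob_say_py(n, 0.5)


def empirical_advantage(n, eps, trials=2000, seed=3):
    """Monte Carlo cross-check of advantage(): run decide() on sampled bit strings
    from the constructed biased source and from an unbiased one."""
    rng = random.Random(seed)
    p_zero = (1 + eps) / 2
    hits_py = hits_rand = 0
    for _ in range(trials):
        py_bits = [0 if rng.random() < p_zero else 1 for _ in range(n)]
        rand_bits = [rng.getrandbits(1) for _ in range(n)]
        hits_py += decide(py_bits) == "Py"
        hits_rand += decide(rand_bits) == "Py"
    return (hits_py - hits_rand) / trials


if __name__ == "__main__":
    EPS = 2 ** -4  # constructed bias for the demo; the slides' value is 2^-41.9
    for n in (1, 16, 256, 1024, 4096):
        print(f"n = {n:5d}: advantage = {advantage(n, EPS):.3f}")
```

With n = 1 the advantage is exactly ε/2, which is the slides' "close to 0%"; it only becomes useful once n is of the order of 1/ε², which is why a bias of 2^-41.9 translates into a sample requirement near 2^84.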

Page 12: The distinguisher (II)

Requirements:
- # of Key/IV's = 2^84.7
- keystream per Key/IV = 24 bytes
- time = 2^84.7 · T_init

The distinguisher works within the Py specifications with less than exhaustive search.

Page 13: The distinguisher (III)

- A variant of the distinguisher works in a single keystream but takes longer outputs than the specified 2^64
- To reduce the workload, a hybrid distinguisher with many Key/IV's and less than 2^64 output bytes per Key/IV is also possible within the scope of the Py specification

Page 14: Bias in other pairs of bits

O(1,1) = (S XOR G) + H
O(2,3) = (S XOR H) + G

Bias in the ith bits:
z = O(1,1)[i] XOR O(2,3)[i]
P(z = 0) = 1/2 + µ
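The two output relations from slides 9 and 14, checked bit by bit, as an added example that is not part of the original slides. It models only the algebraic relation O(1,1) = (S XOR G) + H, O(2,3) = (S XOR H) + G on 32-bit words, i.e. the situation inside the lucky case, not the full Py cipher; the bias it computes for bit i is therefore the conditional bias, and the overall bias on Py's output is that value scaled by the lucky-case probability 2^-41.9 from slide 10. All names are this example's own:

```python
from fractions import Fraction
import random

MASK32 = 0xFFFFFFFF  # the outputs O(.,.) on the slides are 32-bit words


def o11(s, g, h):
    """O(1,1) = (S XOR G) + H  (mod 2^32), the round-1 output from the slides."""
    return ((s ^ g) + h) & MASK32


def o23(s, g, h):
    """O(2,3) = (S XOR H) + G  (mod 2^32), the round-3 output from the slides."""
    return ((s ^ h) + g) & MASK32


def z_bit(s, g, h, i):
    """z = O(1,1)[i] XOR O(2,3)[i] for bit position i (0 = lsb)."""
    return ((o11(s, g, h) >> i) & 1) ^ ((o23(s, g, h) >> i) & 1)


def lsb_never_differs(samples=20000, seed=1):
    """Slide 9: the lsb of a sum is the XOR of the operands' lsbs, so
    O(1,1)[0] = S0^G0^H0 = O(2,3)[0] and z is 0 for every S, G, H."""
    rng = random.Random(seed)
    for _ in range(samples):
        s, g, h = (rng.getrandbits(32) for _ in range(3))
        if z_bit(s, g, h, 0) != 0:
            return False
    return True


def exact_bias(i):
    """mu_i = P(z_i = 0) - 1/2, computed exactly (slide 14's mu for bit i).
    Bit i of a sum depends only on bits 0..i of the operands, so enumerating
    the low i+1 bits of S, G and H (2^(3(i+1)) cases) is sufficient."""
    width = 1 << (i + 1)
    zeros = 0
    for s in range(width):
        for g in range(width):
            for h in range(width):
                zeros += 1 - z_bit(s, g, h, i)
    return Fraction(zeros, width ** 3) - Fraction(1, 2)


def estimate_bias(i, samples=200000, seed=2):
    """Monte Carlo estimate of mu_i over uniformly random 32-bit S, G, H,
    for bit positions where full enumeration would be too costly."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(samples):
        s, g, h = (rng.getrandbits(32) for _ in range(3))
        zeros += 1 - z_bit(s, g, h, i)
    return zeros / samples - 0.5


if __name__ == "__main__":
    print("lsb bias is exact:", lsb_never_differs())
    for i in range(4):
        print(f"bit {i}: mu = {exact_bias(i)}")
    print("bit 1, sampled:", round(estimate_bias(1), 3))
```

The enumeration shows why the lsb is the strongest position: bit 0 has µ = 1/2 (z is always 0), and each higher bit differs only through the carries of the two additions, which agree with a probability that halves at every position (µ = 1/4 for bit 1, 1/8 for bit 2, and so on). Combining these weaker biases across bits is the idea behind the reduced workload mentioned on the concluding slide.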

Page 15: Conclusion and remarks

- Latest News: Paul Crowley reduced the workload of the distinguisher to 2^72 by combining all the individual biased bits
- The modified version PyPy certainly does not contain this weakness
- A completely unsubstantiated personal opinion: PyPy may come under distinguishing attack with workload less than exhaustive search

Page 16: Thanks.