
Resynchronization Attacks on WG and LEX

Hongjun Wu and Bart Preneel

Katholieke Universiteit Leuven, ESAT/COSIC


Overview

1. Introduction to WG

2. Differential Attack on WG

3. Introduction to LEX

4. Slide Attack on LEX


Description of WG (1)

submission to the eStream

key up to 128 bits, IV up to 128 bits

hardware efficient stream cipher (profile II)

consists of

a regularly clocked LFSR over GF(2^29)

defined by p(x) = x^11 + x^10 + x^9 + x^6 + x^3 + x + γ

and a WG transform that maps GF(2^29) → GF(2)


Description of WG (2)

Keystream generation of WG (figure)


Description of WG (3)

WG Transformation (figure)


Description of WG (4)

Key and IV setup of WG (22 steps) (figure)


Differential Attack on WG (1)

Overview of the Attack

the taps of the LFSR are poorly chosen

22 steps fail to randomize the differential propagation

at the end of the 22nd step, the differential in the LFSR is exploited to recover the secret key

=> 48 key bits recovered with about 2^31 chosen IVs (80-bit key and 80-bit IV)


Differential Attack on WG (2)

Attack - differential propagation in key/IV setup of WG (figure)


Differential Attack on WG (3)

Attack - differential propagation in key/IV setup of WG (Contd.) (figure)


Differential Attack on WG (4)

At the end of the 22nd step, the difference at S(10) is

S(10) is related to the first keystream bit.

Observing the values of the first keystream bits generated from the related IV, we are able to determine whether the value of is 0, then we can recover 29 bits of key.

2^31 IVs for the version with 80-bit IV, 80-bit key

(details are omitted here)


Differential Attack on WG (5)

The differential attack on WG is different from the differential attack on block ciphers

Difference generation -- change the input difference and SOME input value to generate many different

Filtering -- change OTHER input value (without modifying ) to generate keystream bits to see whether the related keystream bits are always identical, then to identify whether is 0


How to Improve WG

WG designers proposed a 44-step key/IV setup

=> small change

secure against the differential attack

=> but not that efficient

with properly chosen LFSR taps and output tap, it is possible to use only 22 steps


Description of LEX (1)

submission to the eStream

128-bit key, 128-bit IV

software and hardware efficient (profile I & II)

Design:

based on AES OFB mode

4 bytes extracted from each round to form the keystream


Description of LEX (2)

Initialization and keystream generation (figure)


Description of LEX (3)

Extracted bytes in the even and odd rounds (figure)


Slide Attack on LEX (1)

The security of LEX depends on the fact that only a small fraction of the information is leaked from each round

If one round input in LEX is known, then the key could be recovered easily.


Slide Attack on LEX (2)

In LEX, with the same key and two IVs, if keystream1 is a shifted version of keystream2, then one of the inputs to AES used for generating keystream1 is equal to IV2

=> The input to AES is known

32 bits of the first round output are known

=> 32 bits of the key could be recovered easily


Slide Attack on LEX (3)

If each IV is used to generate about 500 outputs, then with about 2^61 IVs, 3 pairs of the shifted keystreams could be observed and 96 key bits could be recovered.
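The observation step of this slide, as an added example that is not part of the slides: given keystreams produced under one key from many IVs, find the pairs where one keystream is a shifted copy of another, which is what signals that an internal AES input of one run equals the other IV. The keystreams are constructed random bytes with one slid pair planted (they are not LEX output); the 4-bytes-per-round layout of LEX is assumed for the round alignment.

```python
import random
from collections import defaultdict

ROUND_BYTES = 4   # LEX leaks 4 bytes per AES round
WINDOW = 16       # bytes compared first; an accidental 16-byte match is negligible

def find_slid_pairs(streams, window=WINDOW, round_bytes=ROUND_BYTES):
    """streams maps an IV label to the keystream bytes generated under that IV.
    Returns (iv_a, iv_b, r): streams[iv_b] equals streams[iv_a] with its first
    r rounds removed, i.e. the AES input at round r of the iv_a run is IV_b."""
    # Index every round-aligned window of every keystream by its content.
    index = defaultdict(list)
    for iv, ks in streams.items():
        for off in range(0, len(ks) - window + 1, round_bytes):
            index[ks[off:off + window]].append((iv, off))
    pairs = []
    for iv_b, ks_b in streams.items():
        if len(ks_b) < window:
            continue
        # Candidates: streams that contain the start of ks_b past their own start.
        for iv_a, off in index.get(ks_b[:window], []):
            if iv_a == iv_b or off == 0:
                continue
            # Confirm the slide over the whole overlap, not just the first window.
            ks_a = streams[iv_a]
            overlap = min(len(ks_b), len(ks_a) - off)
            if ks_a[off:off + overlap] == ks_b[:overlap]:
                pairs.append((iv_a, iv_b, off // round_bytes))
    return pairs

def build_demo(n_ivs=50, rounds=500, seed=1):
    """Constructed data: random 'keystreams' of 500 rounds for n_ivs IVs, with
    one slid pair planted (iv7's stream is iv3's stream shifted by 40 rounds)."""
    rng = random.Random(seed)
    streams = {f"iv{i}": bytes(rng.getrandbits(8) for _ in range(rounds * ROUND_BYTES))
               for i in range(n_ivs)}
    streams["iv7"] = streams["iv3"][40 * ROUND_BYTES:]
    return streams

if __name__ == "__main__":
    for iv_a, iv_b, r in find_slid_pairs(build_demo()):
        print(f"{iv_b} keystream = {iv_a} keystream slid by {r} rounds: "
              f"the round-{r} AES input of the {iv_a} run equals {iv_b}")
```

The index makes the search linear in the total keystream length, which is what makes it workable at the scale the slide describes; only the planted pair is reported on the constructed data.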


Slide Attack on LEX (4)

LEX is as strong as AES counter mode?

No.

AES counter mode => A particular key can never be recovered faster than brute force search

LEX => A particular key recovered with 2^60.8 random IVs, 20,000 bytes from each IV, faster than brute force search


How to Improve LEX

Our suggestion =>

For each LEX IV, use the LEX key and LEX IV to generate an AES key and AES IV


Conclusion (1)

Lesson from the WG design =>

To ensure that the tap distances are co-prime in a FSR (including the LFSR on GF(2^m))


Conclusion (2)

Lessons from the LEX design =>

1) It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream

2) try to avoid using the stream cipher key directly in the keystream generation

(more generally, try to avoid using static secret parameters in the keystream generation) (LEX, Salsa20, ABC, SEAL …)


Thank you!

Q & A