Stream Ciphers, a Perspective
AfricaCrypt 2012, Ifrane, July 10 - 12, 2012
willi.meier@fhnw.ch
(Slide transcript; hosted copy dated 2015-09-02, Al Akhawayn University)
Overview
• Stream Ciphers: A short Introduction
• Stream Ciphers based on Linear Feedback Shift Registers
• Cryptanalysis principles
• Correlation attacks
• Algebraic attacks
• The European NoE eSTREAM project
• A few eSTREAM candidates
• Recent cryptanalysis: conditional and high-order differentials
• Conclusions
Why stream ciphers?
Applied in:
Environments with high throughput requirements.
Stream ciphers can be up to 5 times faster than AES.
Devices with restricted resources, e.g., in RFIDs
(lightweight crypto).
Introduction
Stream cipher:
Encrypts sequence of plaintext symbols, e.g., from a
binary alphabet {0,1}.
Synchronous stream cipher:
The output of a pseudorandom generator, the keystream,
is used together with plaintext to produce ciphertext.
Additive stream cipher:
Ciphertext symbols ci are obtained from plaintext symbols mi
and keystream symbols bi by xor addition, ci = mi ⊕ bi.
Model of a binary additive stream cipher (figure): a secret key K drives a Keystream Generator producing bits bi; the plaintext bit mi is xored with bi to give the ciphertext bit ci = mi ⊕ bi.
Some popular stream ciphers:
• RC4, used in Netscape’s Secure Socket Layer (SSL)
protocol
• A5, used in the Global System for Mobile
Communication (GSM)
• Bluetooth stream cipher, standard for wireless short-
range connectivity, specified by the Bluetooth Special
Interest Group
Prototype stream cipher: One-time-pad (F. Miller 1882, G.
Vernam, 1917)
Provably secure (Shannon, 1945)
In practical applications:
Random keystream of OTP is replaced by output of an
efficient deterministic pseudorandom generator.
Initial state depends on short random string K of binary
digits (e.g. of 128 bits).
Only secret key K needs to be securely transmitted.
For most practical constructions provable security is
lost.
Attacks known on many implemented stream ciphers.
Stream ciphers: Often proprietary designs
(unpublished).
Cryptanalysis results known on:
• RC4 (Maitra-Paul, Maximov, Sepehrad-Vaudenay-
Vuagnoux)
• A5/1 (Biryukov-Shamir-Wagner, Biham-Dunkelman,
Ekdahl-Johansson)
• Bluetooth (Bagini-Golić-Morgari, Lu-Vaudenay)
Stream Ciphers based on LFSRs
An LFSR of length n:
Consists of a bit vector (xn,...,x1). In one step, each bit is
shifted one position to the right, except the rightmost bit x1, which is output.
On the left, a new bit is shifted in, by a linear recursion
$x_j = (c_1 x_{j-1} + c_2 x_{j-2} + \dots + c_n x_{j-n}) \bmod 2$,
for j > n.
Depending on the chosen linear recursion, LFSRs have
desirable properties:
• Produce output sequences of large period (e.g.
maximum period 2^n - 1)
• Produce sequences with good statistical properties
• Can be readily analyzed using algebraic techniques
• Easy to implement in hardware
Drawback of LFSRs for cryptography: Output is easily
predictable, even for unknown initial state of bit vector
(xn,...,x1), and unknown recursion:
Solve a system of linear equations in unknown state bits
(and coefficients for the recursion).
Common methods for destroying linearity properties of
LFSRs:
• Use nonlinear filter/combining function on outputs
of one/several LFSRs
• Use output of one/several LFSRs to control the
clock of one/more other LFSRs.
Nonlinear filter generator:
Generate key-stream bits b0, b1, b2, ..., as some nonlinear
function f of the stages of a single LFSR.
(Figure: LFSR state with linear feedback; a non-linear filter applied to the state outputs b0, b1, b2, ....)
The Shrinking generator
Proposed in 1993 by Coppersmith, Krawczyk and Mansour.
(Figure: a generating LFSR A and a selection LFSR S feed a selection logic.)
The output of A is taken as a keystream output if the
current output bit of S is 1, otherwise it is discarded.
Other types of stream ciphers:
• Word-oriented stream ciphers, suitable for software
implementation (e.g. SNOW)
• Stream cipher modes of operation of block ciphers:
Cipher Feedback
Output Feedback
Counter mode
of Triple DES or AES
Stream ciphers with provable security:
• QUAD (Berbain-Gilbert-Patarin, 2006)
Based on difficulty of solving systems of multivariate
quadratic equations mod 2.
• SYND (Gaborit-Lauradoux-Sendrier, 2007)
Code-Based stream cipher
Efficiency comparable to that of AES
Cryptanalysis principles
In cryptanalysis of stream ciphers: Common to assume
either that
• some part of plaintext is known, (known-
plaintext attack), or
• plaintext has redundancy (e.g., has ASCII
format).
For additive stream cipher, a known part of plaintext is
equivalent to a known part of keystream.
• Attack: Recover secret key K or the initial state out of
observed keystream
• Distinguisher: Distinguish observed keystream from
being a truly random sequence
Distinguishing attacks weaker than key recovery attacks.
Still a threat if they allow information on unknown plaintext
to be deduced from a known part of the plaintext.
Strong form of attack: Side channel cryptanalysis
A basic analysis method: Berlekamp-Massey algorithm
Efficient procedure to deliver shortest LFSR, together
with initial state, that can generate given sequence.
Linear complexity of a binary sequence:
Length of shortest LFSR that can produce the given sequence.
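As an added example (not from the slides), here is the length-n LFSR from the definition above together with the Berlekamp-Massey algorithm over GF(2) in Python; the feedback taps (recursion x_j = x_{j-1} + x_{j-4}) and the initial state are constructed for illustration. It shows the point made about LFSRs: 2n output bits suffice to recover an unknown register and recursion and to predict everything that follows.

```python
def lfsr_sequence(taps, state, length):
    """Generate `length` bits from an LFSR of length n = len(taps).

    taps  : [c_1, ..., c_n] of the recursion x_j = c_1 x_{j-1} + ... + c_n x_{j-n} mod 2
    state : initial contents (x_1, ..., x_n); x_1 is output first
    """
    n = len(taps)
    if len(state) != n:
        raise ValueError("state must have one bit per tap")
    bits = list(state)                       # bits[k] holds x_{k+1}
    for j in range(n, length):
        new = 0
        for i in range(1, n + 1):            # x_j = sum_i c_i x_{j-i}
            new ^= taps[i - 1] & bits[j - i]
        bits.append(new)
    return bits[:length]


def berlekamp_massey(s):
    """Return (L, C): the linear complexity L of the bit list s and the
    connection coefficients C = [1, c_1, ..., c_L] with s_i = sum_j c_j s_{i-j}."""
    n = len(s)
    C = [1] + [0] * n          # current connection polynomial
    B = [1] + [0] * n          # copy of C at the last length change
    L, m = 0, -1               # current length, index of last length change
    for i in range(n):
        d = s[i]               # discrepancy between predicted and actual bit
        for j in range(1, L + 1):
            d ^= C[j] & s[i - j]
        if d == 0:
            continue
        T = C[:]
        shift = i - m          # C(x) <- C(x) + x^(i-m) B(x)
        for j in range(n + 1 - shift):
            C[j + shift] ^= B[j]
        if 2 * L <= i:         # the register was too short: lengthen it
            L, m, B = i + 1 - L, i, T
    return L, C[:L + 1]


def predict(C, known, count):
    """Continue the sequence `known` by `count` bits using coefficients C
    (needs len(known) >= len(C) - 1)."""
    L = len(C) - 1
    out = list(known)
    for _ in range(count):
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= C[j] & out[-j]
        out.append(nxt)
    return out[len(known):]


if __name__ == "__main__":
    # Constructed register: x_j = x_{j-1} + x_{j-4}, period 15.
    taps, state = [1, 0, 0, 1], [1, 0, 0, 0]
    stream = lfsr_sequence(taps, state, 30)
    L, C = berlekamp_massey(stream[:8])      # only 2n = 8 bits are needed
    print("linear complexity", L, "recursion", C)
    print("prediction correct:", predict(C, stream[:8], 22) == stream[8:])
```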
Consequences: Linear complexity and period of
keystream need to be large.
Early designs: Have optimized these criteria, and
have ignored others.
Correlation Attacks
Example: Combination generator
The outputs $a^i_m$ of $s$ LFSRs are used as input to a Boolean
function $f$ to produce the keystream,
$f(a^1_m, \dots, a^s_m) = b_m$.
Correlation: $\Pr(b_m = a^i_m) = p$, $p \neq 0.5$.
Example: $s = 3$,
$f(x_1, x_2, x_3) = x_1 x_2 + x_1 x_3 + x_2 x_3$, $p = 0.75$.
Statistical Model (figure): the LFSR output $a_m$ is xored with noise $z_m$ from a BAS, giving $b_m = a_m \oplus z_m$.
BAS: Binary asymmetric source,
$\Pr(z_m = 0) = p > 0.5$
Problem: Given N digits of b (and the structure of the
LFSR, of length n)
Find correct output sequence a of LFSR
Known solution: By exhaustive search over all initial
states of LFSR find a such that
$T = \#\{\, j \mid a_j = b_j,\ 0 \le j \le N \,\}$
is maximum. Complexity: $O(2^n)$
Feasible for n up to about 50.
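As an added example (not from the slides), the combination generator of slide 21 with the majority function and the exhaustive correlation attack of slide 23, in Python. The three register lengths, taps and secret initial states are constructed for illustration; the point is that p = 0.75 lets each register be recovered on its own, at 2^5 + 2^7 + 2^9 trials instead of 2^21 for the whole state, which is why correlation immunity matters in design.

```python
from itertools import product


def lfsr_sequence(taps, state, length):
    """LFSR bits x_1, x_2, ... with x_j = c_1 x_{j-1} + ... + c_n x_{j-n} mod 2."""
    n = len(taps)
    bits = list(state)                        # bits[k] holds x_{k+1}
    for j in range(n, length):
        bits.append(sum(taps[i - 1] & bits[j - i] for i in range(1, n + 1)) & 1)
    return bits[:length]


def majority(x1, x2, x3):
    """f(x1, x2, x3) = x1 x2 + x1 x3 + x2 x3 over GF(2): the slide's example,
    which equals each single input with probability p = 0.75."""
    return (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)


def combination_generator(regs, length):
    """Keystream b_m = f(a^1_m, a^2_m, a^3_m) from three (taps, state) pairs."""
    streams = [lfsr_sequence(taps, state, length) for taps, state in regs]
    return [majority(*column) for column in zip(*streams)]


def agreement(a, b):
    """T = #{ j : a_j = b_j }, the statistic maximised on slide 23."""
    return sum(1 for x, y in zip(a, b) if x == y)


def correlation_attack(taps, keystream):
    """Exhaustive correlation attack on one LFSR: try every nonzero initial
    state and keep the one whose output agrees most often with the keystream.
    Cost O(2^n) for a register of length n, independent of the other registers."""
    n = len(taps)
    best_state, best_T = None, -1
    for state in product((0, 1), repeat=n):
        if not any(state):
            continue                          # the all-zero state is never used
        T = agreement(lfsr_sequence(taps, list(state), len(keystream)), keystream)
        if T > best_T:
            best_state, best_T = list(state), T
    return best_state, best_T


# Constructed registers (lengths 5, 7, 9 with primitive feedback) and secret states.
TAPS = [[0, 1, 0, 0, 1],                      # x_j = x_{j-2} + x_{j-5}
        [1, 0, 0, 0, 0, 0, 1],                # x_j = x_{j-1} + x_{j-7}
        [0, 0, 0, 1, 0, 0, 0, 0, 1]]          # x_j = x_{j-4} + x_{j-9}
SECRET = [[1, 0, 1, 1, 0],
          [0, 1, 1, 0, 1, 0, 1],
          [1, 1, 0, 0, 1, 0, 1, 1, 0]]


def recover_all(keystream):
    """Divide and conquer: attack each register separately with the same
    keystream. Total work 2^5 + 2^7 + 2^9 states instead of 2^21."""
    return [correlation_attack(taps, keystream)[0] for taps in TAPS]


if __name__ == "__main__":
    ks = combination_generator(list(zip(TAPS, SECRET)), 300)   # 300 known keystream bits
    for taps, found, true in zip(TAPS, recover_all(ks), SECRET):
        print("length", len(taps), "recovered" if found == true else "failed", found)
```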
Fast correlation attacks
Fast correlation attack: Significantly faster than
exhaustive search over all initial states of target LFSR.
Based on using certain parity check equations created
from feedback polynomial of LFSR (R. Gallager, Low-
density parity-check codes 1963, MS 1988, CJM
2003,…).
Correlation attacks are successful if cipher allows for
good approximations of the output function by linear
functions in state bits of LFSRs involved.
In design of stream ciphers, Boolean functions f used
should
• be correlation immune
• have large distance to affine functions
• have large algebraic degree (to counter Berlekamp-
Massey synthesis)
Distance of Boolean functions: Measured by
Hamming weight of truth tables.
f is correlation immune if output is uncorrelated to
single inputs.
Tradeoff between correlation immunity and
algebraic degree (Siegenthaler, 1985).
Alternative option: Combiner with memory (Rueppel,
1985)
Combiners with memory: stream ciphers E0,
SNOW.
Belief: Ciphers using LFSRs can be made secure
against attacks by using output functions that are
correlation immune and have large distance to affine
functions.
Algebraic Attacks
Algebraic Attacks: Solve systems of algebraic equations
(CM, 2003).
Type of equations: System of multivariate polynomial
equations over a finite field, e.g., GF(2).
x1 + x0x1 + x0x2 + ... = 1
x1x2 + x0x3 + x7 + ... = 0
............
Breaking a „good“ cipher should require:
„ ... as much work as solving a system of simultaneous
equations in a large number of unknowns of a complex
type“ [Shannon, 1949, Communication theory of
secrecy systems]
Common experience: Large systems of equations soon
become intractable with increasing number of
unknowns (an NP-hard problem).
However
Systems that are
• Overdefined, i. e. have more equations than
unknowns, or
• Sparse
are easier to solve than expected:
• Linearization
• Gröbner bases
Direct algebraic approach:
Derive equations in key/state bits
$f(k_0, \dots, k_{n-1}) = b_0$
$f(L(k_0, \dots, k_{n-1})) = b_1$
$f(L^2(k_0, \dots, k_{n-1})) = b_2$
$\dots$
L( ): Linear recursion.
Solve this system of equations.
Overdefined: Many more equations than unknowns, even
for moderate quantity of keystream, e.g., 20 Kbytes.
An obvious linearization attack:
Assumption: f is of low degree d. Then the key is found
given $K$ keystream bits and within $K^\omega$ computations,
where $K = \binom{n}{d}$ and ω is the exponent of Gaussian reduction (ω < 3).
Linearization: One new variable for each monomial.
Solve a linear system.
Scenarios for high degree f
• f*g = 0, degree of g low
• f*g = h, degrees of g and h low
If output bit bi = 1, the first case gives the equation g(s) = 0;
otherwise one gets the equation h(s) = 0.
Overview of attack
Instead of $f(s) = b_t$ with $s = L^t(K)$, K = key:
Solve the equations
$f(s) \cdot g(s) = b_t \cdot g(s)$
with well chosen function g.
Question: Do „good“ functions g(s) exist ?
In some cases, such g(s) ALWAYS do exist.
Theorem (Low degree relations)
Let f be any Boolean function in k variables. Then there
is a nonzero Boolean function g of degree at most k/2
such that f(x) * g(x) is of degree at most k/2.
(Take ceilings of k/2 if k is odd)
Theorem has been motivated by cryptanalysis of
multivariate digital signature schemes as well as by
cryptanalysis of AES block cipher.
Consequences
Can break any stream cipher with linear feedback and
Boolean output function with small number k of state
bits as input, in polynomial complexity, if k considered
as small constant.
Complexity of generic attack only approx. square root
of known attack.
Extensions
Attack is very general and can be adapted to some
stream ciphers that are not regularly clocked.
Attack can be generalized to stream ciphers that use
combiner with memory (instead of memoryless output
function).
Fast algebraic attacks (Courtois, 2003).
Consequences for the design of stream ciphers
For LFSR-based stream ciphers:
No multivariate equations of low degree should exist that
relate state bits and one or more output bits.
Immunity against (fast) algebraic attacks not easy to
achieve.
Higher-order algebraic attacks
(Q. Wang, Th. Johansson, 2012):
New approach builds a low degree equation using r
different initial equations coming from evaluating the
Boolean function in r different points.
Break class of Boolean functions by Carlet-Feng
aiming for good algebraic immunity.
The eSTREAM Project
eSTREAM is a project to identify "new stream ciphers that
might become suitable for widespread adoption" .
Organised by the EU ECRYPT network.
Set up as result of failure of predecessor project: NESSIE
project.
Start in November 2004.
Completed in May 2008.
Project goal: Find algorithms suitable for different application
profiles.
No standardization (as opposed to AES competition).
Profiles of submissions to eSTREAM:
Profile 1: Stream ciphers for software applications
where high throughput is required (with higher
performance than AES block cipher in counter
mode).
Profile 2: Stream ciphers for hardware applications
with restricted resources, e.g., limited storage, gate
count, or power consumption.
Both profiles contain a subcategory with ciphers that
also provide authentication in addition to encryption.
In reaction to Call for Primitives:
34 proposals were submitted!
Four finalists in each category:
Profile 1 (Software):
HC-128
Rabbit
Salsa20/12
SOSEMANUK
Profile 2 (Hardware):
Grain v1
MICKEY 2.0
Trivium
(F-FCSR)
http://www.ecrypt.eu.org/stream/
General Construction Principle
A modern stream cipher is
- A pseudorandom generator that
- maintains an internal state which is initialized by a
key and an initial value (IV).
Initialization phase: The key and the IV are mixed, to
produce initial state.
Pseudorandom generation: Keystream is output and
the state is continuously updated.
Reinitialization: Enables reuse of same secret key
with different initialization vector.
Grain v1 (HJMM)
3 main parts:
80 bit LFSR, 80 bit NLFSR, nonlinear filter h.
Input to NLFSR masked with a LFSR bit.
Output bit masked with xor of 7 NFSR bits.
Trivium (De Cannière, Preneel)
State: 288 bits
nonlinear update
linear output function
80-bit key
State consists of 3 registers,
R1 = (x1,…,x93), R2 = (x94,…,x177), R3 = (x178,…, x288).
Construction influenced by design of block ciphers.
Update and output in Trivium
$t_1 \leftarrow x_{66} + x_{93}$
$t_2 \leftarrow x_{162} + x_{177}$
$t_3 \leftarrow x_{243} + x_{288}$
$z_i \leftarrow t_1 + t_2 + t_3$
$t_1 \leftarrow t_1 + x_{91} x_{92} + x_{171}$
$t_2 \leftarrow t_2 + x_{175} x_{176} + x_{264}$
$t_3 \leftarrow t_3 + x_{286} x_{287} + x_{69}$
$(x_1, \dots, x_{93}) \leftarrow (t_3, x_1, \dots, x_{92})$
$(x_{94}, \dots, x_{177}) \leftarrow (t_1, x_{94}, \dots, x_{176})$
$(x_{178}, \dots, x_{288}) \leftarrow (t_2, x_{178}, \dots, x_{287})$
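As an added example (not the designers' reference code), a bit-level Python Trivium following the update and output equations above, with the key and IV loading and the 1152 initialization rounds from the eSTREAM specification; the sample key, IVs and plaintext bits are constructed, and no official test vector is reproduced here. It also shows why reinitialization must use a fresh IV: under the same key and IV, the two ciphertexts xor to the xor of the plaintexts.

```python
def _trivium_step(s):
    """One clock of Trivium. s is a list of 288 bits with s[i] = x_{i+1} in the
    notation of the equations above. Returns the output bit z_i and updates s."""
    t1 = s[65] ^ s[92]                     # t1 <- x66 + x93
    t2 = s[161] ^ s[176]                   # t2 <- x162 + x177
    t3 = s[242] ^ s[287]                   # t3 <- x243 + x288
    z = t1 ^ t2 ^ t3                       # z_i <- t1 + t2 + t3 (linear output)
    t1 ^= (s[90] & s[91]) ^ s[170]         # t1 <- t1 + x91 x92 + x171 (nonlinear update)
    t2 ^= (s[174] & s[175]) ^ s[263]       # t2 <- t2 + x175 x176 + x264
    t3 ^= (s[285] & s[286]) ^ s[68]        # t3 <- t3 + x286 x287 + x69
    s[0:93] = [t3] + s[0:92]               # (x1..x93)    <- (t3, x1..x92)
    s[93:177] = [t1] + s[93:176]           # (x94..x177)  <- (t1, x94..x176)
    s[177:288] = [t2] + s[177:287]         # (x178..x288) <- (t2, x178..x287)
    return z


def trivium_init(key_bits, iv_bits):
    """Load the 80-bit key and 80-bit IV as in the eSTREAM specification and
    run the 4*288 = 1152 blank initialization rounds (output discarded)."""
    if len(key_bits) != 80 or len(iv_bits) != 80:
        raise ValueError("Trivium takes an 80-bit key and an 80-bit IV")
    s = [0] * 288
    s[0:80] = list(key_bits)               # x1..x80   <- key
    s[93:173] = list(iv_bits)              # x94..x173 <- IV
    s[285:288] = [1, 1, 1]                 # x286, x287, x288 <- 1
    for _ in range(4 * 288):
        _trivium_step(s)
    return s


def trivium_keystream(key_bits, iv_bits, nbits):
    """First `nbits` keystream bits for this key/IV pair."""
    s = trivium_init(key_bits, iv_bits)
    return [_trivium_step(s) for _ in range(nbits)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encrypt(key_bits, iv_bits, plaintext_bits):
    """Additive stream cipher: c_i = m_i xor b_i. Decryption is the same call."""
    return xor_bits(plaintext_bits,
                    trivium_keystream(key_bits, iv_bits, len(plaintext_bits)))


# Constructed sample key, IVs and plaintexts (not official test vectors).
KEY = [1] + [0] * 79
IV_A = [0] * 80
IV_B = [1] + [0] * 79
MSG_1 = [1, 0, 1, 1, 0, 0, 1, 0] * 4
MSG_2 = [0, 1, 1, 0, 1, 0, 0, 1] * 4


def iv_reuse_leak(key_bits, iv_bits, m1, m2):
    """Under a reused key/IV the keystreams cancel: c1 xor c2 = m1 xor m2.
    Returns that xor, which exposes the relation between the two plaintexts."""
    return xor_bits(encrypt(key_bits, iv_bits, m1), encrypt(key_bits, iv_bits, m2))


if __name__ == "__main__":
    ct = encrypt(KEY, IV_A, MSG_1)
    print("roundtrip ok:", encrypt(KEY, IV_A, ct) == MSG_1)
    print("fresh IV changes keystream:", encrypt(KEY, IV_B, MSG_1) != ct)
    print("IV reuse leaks m1 xor m2:",
          iv_reuse_leak(KEY, IV_A, MSG_1, MSG_2) == xor_bits(MSG_1, MSG_2))
```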
Conditional Differentials
Joint work with Simon Knellwolf, María Naya-Plasencia.
Conditional differential characteristics introduced by Ben-
Aroya and Biham (1993) for DES-like cryptosystems.
Differential cryptanalysis: Differences are traced over
several rounds.
Suitable input differences but no concrete input values
are fixed.
Goal of conditional differential cryptanalysis:
Find both, sample inputs and suitable input differences
so that the difference in the (truncated) output is
biased.
If bias is detected, it is used for a distinguisher or for
(partial) key recovery.
Nonlinear feedback shift registers (NLFSRs): Building
blocks of several lightweight primitives.
Facilitate efficient hardware implementation; prevent
algebraic attacks.
Only few general tools available to assess security of
NLFSR-based constructions.
Scenario: Chosen IV attack
Keystream modeled as a Boolean function
mapping a key k and an IV x to a keystream bit b.
Suppose: Bit b = f(k, x) is computed using an NLFSR
which is initialized with k and x, and updated many
times, before b is derived from resulting state.
After initialization, b is a huge polynomial in bits of k
and x: Out of reach to express for analysis purposes.
Can we still analyze f for distinguishing or key recovery
purpose by evaluating it at many well chosen
values x (and for unknown but fixed key k)?
Difference propagation through NLFSR
At each round i, a single state bit ti is newly generated;
other bits are merely shifted.
Enough to consider propagation of differences to bits ti.
Let ∆x be a difference in the IV. Say that ∆x propagates to ti if
Consider ∆ti as a polynomial in the key and the IV
variables.
Value of ∆ti determines whether difference ∆x
propagates to ti or not.
Wish to predict ∆b.
Hundreds of iterations of NLFSR: Symbolic
description of ∆b as a function of key and IV out of
reach.
Imposing conditions on difference propagations
Goal: Find a sample of IV’s for which difference ∆b is
biased.
Observation: In first few iterations, explicit conditions
can be set on some IV bits to control difference
propagation.
If right conditions are set: Many terms in (hypothetical)
polynomial describing output difference cancel out, and
bias may be detected.
Tradeoff between maximum number of conditions to be
set and sample size of initial values to do the statistics.
Approach quite effective against several NLFSR-based
ciphers.
Finding conditions delicate task.
Example: Initialization of Grain v1
Initial difference in IV: ∆x=0x0000002000000000
Condition in round 12: x15x58 + x58k75 + 1 = 0.
Satisfied if x58+1 = 0 and x15+K1 = 0, where K1 = k75 +1.
Two more involved conditions in rounds 34 and 40.
A few equations in key bits need to be guessed correctly,
so that after 104 rounds bias is detected.
Best attack on reduced Grain v1 so far:
Practical distinguisher and partial key recovery for 104
out of 160 initialization rounds (requires 2^35 chosen IVs).
High-order differentials
V a linear subspace of {0,1}^n of dimension d.
Boolean function f.
Derivative of order d of f with respect to V:
Methods based on high-order differentials:
Maximum-degree test (Englund-Johansson-Turan,
2007)
Key recovery with derived functions (FKM, 2008)
Cube attack (Dinur-Shamir, 2008)
Methods treat f as a black box.
Conditional differentials:
Impose conditions on “basis differences” involved in
summation, viewed as first order differences.
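As an added example (not from the slides), the order-d derivative of a Boolean function with respect to a subspace V, and the maximum-degree test built on it, in Python; the toy function f = x1x2x3 + x2x4 stands in for a keystream bit f(k, x) and is constructed for illustration. The derivative with respect to a set of unit vectors is the cube sum used by the cube attack, and both methods treat f as a black box, as the slide says.

```python
from itertools import combinations, product


def add(x, v):
    """Vector addition over GF(2)^n."""
    return tuple(a ^ b for a, b in zip(x, v))


def span(basis):
    """All vectors of the subspace V spanned by `basis` (2^d of them when the
    d basis vectors are linearly independent)."""
    n = len(basis[0])
    vectors = set()
    for coeffs in product((0, 1), repeat=len(basis)):
        v = tuple([0] * n)
        for c, b in zip(coeffs, basis):
            if c:
                v = add(v, b)
        vectors.add(v)
    return vectors


def derivative(f, V, x):
    """Order-d derivative D_V f(x) = sum_{v in V} f(x + v) over GF(2), with V
    given as the set of vectors of a d-dimensional subspace. For V spanned by
    unit vectors this is the cube sum: the coefficient of the product of those
    variables in the polynomial of f, as a function of the remaining bits of x."""
    acc = 0
    for v in V:
        acc ^= f(add(x, v))
    return acc


def unit(i, n):
    e = [0] * n
    e[i] = 1
    return tuple(e)


def degree_exceeds(f, n, d, x=None):
    """Maximum-degree test with f as a black box: if deg f <= d, every
    derivative of order d+1 is identically zero. Returns True as soon as some
    (d+1)-th order derivative along unit vectors is nonzero at x, which proves
    deg f > d; False means no evidence was found (not a proof that deg f <= d)."""
    x = x if x is not None else tuple([0] * n)
    for idx in combinations(range(n), d + 1):
        if derivative(f, span([unit(i, n) for i in idx]), x):
            return True
    return False


def toy_f(x):
    """Constructed stand-in for a keystream bit: f = x1 x2 x3 + x2 x4, degree 3."""
    return (x[0] & x[1] & x[2]) ^ (x[1] & x[3])


if __name__ == "__main__":
    V = span([unit(0, 4), unit(1, 4)])           # V = <e1, e2>, dimension 2
    # D_V f = x3: the second-order derivative of x1x2x3 along x1, x2, while x2x4 vanishes
    print("D_V f at x3=1:", derivative(toy_f, V, (0, 0, 1, 0)))
    print("deg f > 2:", degree_exceeds(toy_f, 4, 2), " deg f > 3:", degree_exceeds(toy_f, 4, 3))
```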
Many differences involved: Conditions for differences
may contradict each other.
Careful analysis of conditions for high-order differentials
on Trivium:
Distinguisher for 961 out of 1152 initialization rounds.
Applies only to a small subset of keys. However first
result that tackles such a large number of rounds.
Conclusions
• Stream ciphers: Development from proprietary designs to eSTREAM finalists.
• More analysis of classical and new stream ciphers needed.
• Practical ciphers with provable security?
• Standardizations.
• Stream ciphers for authenticated encryption (DIAC: recent ECRYPT workshop on Directions in Authenticated Ciphers).
• Design of other lightweight primitives based on NLFSRs (block cipher KATAN, hash function Quark).