Stream Ciphers: WG and LEX

Eduard Dvorný & Emil Halko, University of Pavol Jozef Šafárik


Post on 12-Jan-2016


Page 1: Stream Ciphers: WG and LEX

Stream Ciphers: WG and LEX.

Eduard Dvorný & Emil Halko

University of Pavol Jozef Šafárik

Page 2: Stream Ciphers: WG and LEX

WG abstract

Stream cipher WG: The cipher is based on Welch-Gong transformations. The WG cipher has been designed to produce keystream with guaranteed randomness properties. It is resistant to Time/Memory/Data tradeoff attacks, algebraic attacks and correlation attacks.

The cipher can be implemented with a small amount of hardware.

Page 3: Stream Ciphers: WG and LEX

LEX abstract

Stream cipher LEX: A proposal for a simple AES-based stream cipher which is at least 2.5 times faster than AES both in software and in hardware.

LEX stands for Leak EXtraction.

Page 4: Stream Ciphers: WG and LEX

WG CIPHER

The WG cipher can be used with keys of length 80, 96, 112 and 128 bits.

An initial vector of size 32 or 64 bits can be used with any of the above key lengths.

To increase security, IVs of the same length as the secret key can also be used.

WG cipher is a synchronous stream cipher which consists of a WG keystream generator.

Page 5: Stream Ciphers: WG and LEX

WG keystream generation

Page 6: Stream Ciphers: WG and LEX

WG Transformation

Page 7: Stream Ciphers: WG and LEX

Resynchronization (Key/IV setup)

Page 8: Stream Ciphers: WG and LEX

Differential Attack on WG

Overview of the Attack

the taps of the LFSR are poorly chosen

22 steps fail to randomize the differential propagation

at the end of the 22nd step, the differential in the LFSR is exploited to recover the secret key

=> 48 key bits recovered with about 2^31 chosen IVs (80-bit key and 80-bit IV)

Page 9: Stream Ciphers: WG and LEX

Differential Attack on WG

Page 10: Stream Ciphers: WG and LEX

Differential Attack on WG

Page 11: Stream Ciphers: WG and LEX

Differential Attack on WG

At the end of the 22nd step, the difference at S(10) is

S(10) is related to the first keystream bit.

Observing the values of the first keystream bits generated from the related IV, we are able to determine whether the value of is 0, then we can recover 29 bits of key.

Page 12: Stream Ciphers: WG and LEX

Security Against Attacks

Time/Memory/Data tradeoff has two phases. During the precomputation phase the attacker exploits the structure of the stream cipher and summarizes his findings in large tables.

During the attack phase, the attacker uses these tables and the observed data to determine the secret key or the internal state of the stream cipher.

Page 13: Stream Ciphers: WG and LEX

A tradeoff TM²D² = N² for D² ≤ T ≤ N,

where T is the time required for the attack,

M is the memory required to store the tables,

D represents the realtime data or the keystream required,

N is the size of the search space.

A simple way to provide security against this attack in stream ciphers is to increase the search space.
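A worked instance of the tradeoff curve on this slide, added here as an illustration (not from the slides). It assumes a search space N = 2^80 (matching the 80-bit key mentioned earlier) and D = 2^20 observed keystream samples, then shows what enlarging the search space does to the attack cost:

```latex
% Curve from the slide:
T M^2 D^2 = N^2, \qquad D^2 \le T \le N.

% Assumed parameters: N = 2^{80}, D = 2^{20}
T M^2 = \frac{N^2}{D^2} = \frac{2^{160}}{2^{40}} = 2^{120}.

% Smallest admissible time is T = D^2
T = 2^{40} \;\Rightarrow\; M^2 = \frac{2^{120}}{2^{40}} = 2^{80}, \quad M = 2^{40}.

% Constraint check
D^2 = 2^{40} \le T = 2^{40} \le N = 2^{80}, \qquad T, M \ll 2^{80}.

% Same D, search space enlarged to N = 2^{160} (internal state twice the key size)
T M^2 = \frac{2^{320}}{2^{40}} = 2^{280}, \qquad T = M \;\Rightarrow\; T^3 = 2^{280}, \quad T \approx 2^{93.3} > 2^{80}.
```

With N = 2^80 the attacker finishes in about 2^40 time and 2^40 memory, far below exhaustive search; once the search space is 2^160 the balanced point of the curve exceeds the 2^80 cost of brute-forcing the key, which is why the slide recommends enlarging the search space.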

Page 14: Stream Ciphers: WG and LEX

Algebraic attacks

have been used recently to break many well known stream ciphers.

The complexity of these attacks depends on the nonlinear filter and the number of outputs generated by the cipher.

If the nonlinear filter can be approximated by a multivariate equation of low degree, this complexity can be reduced significantly.

Page 15: Stream Ciphers: WG and LEX

Correlation attacks

These attacks exploit any correlation that may exist between the keystream and the output of the LFSR in the cipher.

In these attacks the keystream is regarded as a distorted or noisy version of the LFSR output.
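The two slides above name the two filter properties an attacker exploits: the algebraic degree of the nonlinear filter and its correlation with linear functions of the LFSR state. The following Python, added here as an example (not code from the slides or from the WG designers), computes both properties from a filter's truth table (algebraic normal form via the Moebius transform, correlations via the Walsh spectrum) and then runs a filtered LFSR so the correlation can be seen in the keystream. The three filters, the LFSR polynomial x^10 + x^3 + 1 and the tap positions are constructed for illustration and are not WG's.

```python
# Added example: degree and correlation of a nonlinear filter, and the
# "noisy LFSR output" view of a filter generator's keystream.
# Filters, LFSR polynomial and tap positions are constructed, not WG's.


def truth_table(f, n):
    # tt[x] = f(x0, ..., x_{n-1}) where x_k is bit k of the integer x
    return [f(*((x >> k) & 1 for k in range(n))) for x in range(1 << n)]


def walsh_spectrum(tt, n):
    # W(a) = sum_x (-1)^(f(x) xor a.x); |W(a)|/2^n is the correlation of f
    # with the linear function a.x, and W(0) == 0 means f is balanced
    spec = []
    for a in range(1 << n):
        w = 0
        for x in range(1 << n):
            w += -1 if (tt[x] ^ (bin(a & x).count("1") & 1)) else 1
        spec.append(w)
    return spec


def best_correlation(tt, n):
    # Largest |W(a)|/2^n over nonzero masks: the bias a correlation attack needs
    spec = walsh_spectrum(tt, n)
    return max(abs(w) for w in spec[1:]) / (1 << n)


def anf_degree(tt, n):
    # Moebius transform turns the truth table into the algebraic normal form;
    # the degree is the weight of the heaviest monomial with coefficient 1
    c = list(tt)
    for k in range(n):
        for i in range(1 << n):
            if i & (1 << k):
                c[i] ^= c[i ^ (1 << k)]
    return max((bin(i).count("1") for i in range(1 << n) if c[i]), default=0)


def filter_generator(init_state, fb_taps, filter_fn, filter_taps, n_bits):
    # Fibonacci LFSR over GF(2): s_{t+L} = XOR of s_{t+j} for j in fb_taps.
    # Returns the raw LFSR output bits (stage 0) and the filtered keystream.
    s = list(init_state)
    lfsr_out, keystream = [], []
    for _ in range(n_bits):
        lfsr_out.append(s[0])
        keystream.append(filter_fn(*(s[j] for j in filter_taps)))
        fb = 0
        for j in fb_taps:
            fb ^= s[j]
        s = s[1:] + [fb]
    return lfsr_out, keystream


def agreement(a, b):
    # Number of positions where the keystream equals the LFSR output
    return sum(x == y for x, y in zip(a, b))


# Constructed filters on five LFSR stages
def weak_filter(x0, x1, x2, x3, x4):
    return x0 ^ (x1 & x2)                    # degree 2, equals x0 with prob. 3/4


def semi_bent_filter(x0, x1, x2, x3, x4):
    return (x0 & x1) ^ (x2 & x3) ^ x4        # degree 2, best correlation 1/4


def cubic_filter(x0, x1, x2, x3, x4):
    return (x0 & x1 & x2) ^ (x1 & x4) ^ x3   # degree 3, yet correlation 1/2 with x3


if __name__ == "__main__":
    for name, f in [("weak", weak_filter), ("semi-bent", semi_bent_filter),
                    ("cubic", cubic_filter)]:
        tt = truth_table(f, 5)
        print(name, "degree", anf_degree(tt, 5),
              "best correlation", best_correlation(tt, 5))
    # x^10 + x^3 + 1 is primitive, so 1023 steps visit every nonzero state once
    lfsr, ks = filter_generator([1] + [0] * 9, (0, 3), weak_filter,
                                (0, 2, 5, 7, 9), 1023)
    print("keystream agrees with LFSR output in", agreement(lfsr, ks), "of 1023 bits")
```

The three filters show that the two criteria are independent: the semi-bent filter halves the best linear correlation but is still quadratic, the cubic filter raises the degree but leaks its x3 input with bias 1/2, and only a filter that scores well on both resists the two attack families the slides describe. Over one full period of the constructed LFSR the weak filter's keystream matches the LFSR output in 767 of 1023 positions, which is the "noisy LFSR output" a correlation attack works from.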

Page 16: Stream Ciphers: WG and LEX

Conclusion

The WG cipher is suitable for hardware implementations.

WG is vulnerable to a differential attack.

Page 17: Stream Ciphers: WG and LEX

LEX Cipher

LEX is based on the block cipher AES. The keystream bits are generated by extracting 32 bits from each round of AES in the 128-bit Output Feedback mode.

First a standard AES key-schedule for a secret 128-bit key K is performed. Then a given 128-bit IV is encrypted by a single AES invocation: S = AES_K(IV). The S and the subkeys are the output of the initialization process.

Page 18: Stream Ciphers: WG and LEX

Initialization and keystream generation

Page 19: Stream Ciphers: WG and LEX

Extracted bytes in the even and odd rounds

The bytes b0,0, b0,2, b2,0, b2,2 at every odd round and the bytes b0,1, b0,3, b2,1, b2,3 at every even round are selected.
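The initialization S = AES_K(IV), the 32-bit leak per round from the byte positions listed above, and the OFB chaining between AES invocations, as an added example in Python (not code from the slides or from the LEX designers). It builds a small AES-128 with round-level access so the leak can be read out of each round. Two points are assumptions of this example rather than statements on the slides: the leaked bytes are read from the state after each round's AddRoundKey, and b_{i,j} is taken as row i, column j of the AES state (index i + 4j in the usual column-major byte order). The key and plaintext used for the self-check are the FIPS-197 Appendix C.1 vector; the all-zero IV is a constructed placeholder.

```python
# Added example: AES-128 with per-round states, then LEX leak extraction.
# Assumptions: leak taken after AddRoundKey of each round; b_{i,j} = row i, col j.


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    # Generate the AES S-box: walk GF(2^8)* with generator 3 (p) while
    # tracking its inverse (q), then apply the affine map and add 0x63
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _xtime(a):
    # Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _shift_rows(s):
    # State index = row + 4*column; row r rotates left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out


def _expand_key(key):
    # AES-128 key schedule: 44 words grouped into 11 round keys of 16 bytes
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes_rounds(block, round_keys):
    # Return the ten intermediate states, one per round, after AddRoundKey
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    states = []
    for r in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if r < 10:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, round_keys[r])]
        states.append(s)
    return states


def aes_encrypt(key, block):
    return bytes(aes_rounds(list(block), _expand_key(key))[-1])


# Leak positions (index = row + 4*column) from the slide's byte lists
LEX_ODD_ROUND = [0, 8, 2, 10]     # b0,0  b0,2  b2,0  b2,2
LEX_EVEN_ROUND = [4, 12, 6, 14]   # b0,1  b0,3  b2,1  b2,3


def lex_keystream(key, iv, nbytes):
    round_keys = _expand_key(key)                 # standard AES key schedule
    s = list(aes_encrypt(key, iv))                # S = AES_K(IV)
    out = bytearray()
    while len(out) < nbytes:
        states = aes_rounds(s, round_keys)        # one AES invocation on S
        for r, state in enumerate(states, start=1):
            pos = LEX_ODD_ROUND if r % 2 else LEX_EVEN_ROUND
            out += bytes(state[i] for i in pos)   # 32 bits leaked per round
        s = states[-1]                            # OFB: feed the output back
    return bytes(out[:nbytes])


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # FIPS-197 C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes_encrypt(key, pt).hex())   # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(lex_keystream(key, bytes(16), 40).hex())   # constructed zero IV
```

Each AES invocation on S yields 10 rounds x 4 bytes = 40 keystream bytes for the cost of one 16-byte block encryption, which is the 2.5x throughput the LEX abstract cites. The re-keying after 500 AES encryptions that the algebraic-attacks slide suggests is not modelled here; the slides do not specify how the new key would be derived.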

Page 20: Stream Ciphers: WG and LEX

Algebraic Attacks

Algebraic attacks on stream ciphers are a recent and a very powerful type of attack.

If one could write a non-linear equation in terms of the outputs and the key, that could lead to an attack on LEX.

Re-keying every 500 AES encryptions may help to avoid such attacks by limiting the number of samples the attacker might obtain while targeting a specific subkey.

Page 21: Stream Ciphers: WG and LEX

Dedicated Attacks

An obvious line of attack would be to concentrate on every 10th round, since it reuses the same subkey, and thus if the attacker guesses parts of this subkey he still can reuse this information 10t, t = 1, 2, ... rounds later.

Page 22: Stream Ciphers: WG and LEX

Conclusion

Since LEX could reuse existing AES implementations it might provide a simple and cheap speedup option in addition to the already existing base AES encryption.

It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream.