xiutao feng institute of software chinese academy of sciences a byte-based guess and determine...
TRANSCRIPT
Xiutao Feng
Institute of SoftwareChinese Academy of Sciences
A Byte-Based Guess and A Byte-Based Guess and Determine Attack on Determine Attack on SOSEMANUKSOSEMANUK
2
Outline
1 Introduction
2 Description of SOSEMANUK
3 Basic properties of SOSEMANUK
4 Our attack
5 Further discussion on our attack
6 Conclusion
3
1 Introduction1 Introduction
1.1 On SOSEMANUK
SOSEMANUK is a software-oriented stream cipher proposed by C. Berbain et al for the eSTREAM project and has been selected into the final portfolio with other six algorithms together.
Its design adopted the ideas of both the stream cipher SNOW 2.0 and the block cipher SERPENT, and aimed at improving SNOW 2.0 from two aspects of both security and efficiency.
4
1.2 Known cryptanalytic results on SOSEMANUK
The designers of SOSEMANUK presented a guess and determine
attack, whose time complexity is 2256 operations;
In 2006 H. Ahmadi et al revised the above attack and reduced
the time complexity to 2226 operations;
In 2006 Y. Tsunoo et al improved Ahmadi et al's result and
further reduced it to 2224 operations;
In 2008 Jung-Keun Lee et al proposed a correlation attack,
which needs about 2147.88 time, 2145.50 key bits, and 2147.10 bit
memories;
5
In 2009 Lin and Jie gave a new guess and determine attack, and claimed that their attack only needs 2192 operations.
6
1.3 Our work
7
2 Description of SOSEMANUK
Figure 1 The structure of SOSEMANUK
LFSR
FSM
Serpent1
8
2.1 The LFSR
9
2.2 The FSM
10
2.3 The Serpent1
2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s 2s
tf1tf
2tf
3tf
ty1ty
2ty
3ty
31 30 2 1 0
Figure 2 The round function Serpent1 in the bit-slice mode
11
2.4 Generation of Keystream
3 Basic properties on SOSEMANUK
12
13
1s 2s 3s 4s 5s 6s 7s 8s 9s 10s 11s 12s 13s 14s 15s 16s
0
1
2
3
Let x be a 32-bit word. Denote by x(i) the i-th byte of x, where i=0,1,2,3.
For example, s1(3), s4
(0), s4(1) and s10
(0) are known, then we can calculate s11
(0).
Figure 3 The feedback of the LFSR in the byte form
14
4 Our attack
4.1 Basic idea of the guess and determine attack
The guess and determine attack is a common cryptographic attack method. Its basic idea is that
Guess: first guess the values of a portion of the internal state of the target algorithm;
Deduce: then deduce the values of all the rest of the internal state of the algorithm by making use of the values of the guessed portion of the internal state and a few known keystream;
Test: finally generate a phase of keystream by using the above recovered values, and test their correctness by comparing the generated keystream with the known keystream. If NOT, then return Step 1.
15
4.2 The execution of our attack
Our attack is based on the following assumption:
The guessing and deducing procedure of the attack can be subdivided into five phases:
1. Guess the values of s1, s2, s3, R21(0), R21
(1), R21(2) and the
rest 31-bit values of R11, and deduce the value of s10(0),
R12(0), R22, s11
(0), s4(1), s10
(1), R12(1), s11
(1), s4(2), s10
(2), R12(2), S11
(2) and s4
(3).
16
1s 2s 3s 4s 5s 6s 7s 8s 9s 10s 11s 12s 13s 14s 15s 16s
0
1
2
3
11R 21R 31R 41R 51R 61R71R 12R 22R 32R 42R 52R
62R 72R
0
1
2
3
0
1
2
31f 2f 3f 4f 5f 6f 7f 8f
The deduced byte
The guessed byte
Figure 4 The illustration of the deduction in Phase 1
17
2. By the assumption lsb(R11)=1, which implies R12=R21⊞(s3⊕s10), we get the equation on the variable s10
(3):
where a, b, c, and d are known.
Since s10(3) occurs three times in the above equation, it is easy to
check equation (12) has exactly one solution on s10(3)
. So we can solve it and get s10
(3). Further we deduce s11(3), R21
(3) and R22(3).
Up to now we have obtained s1, s2, s3, s4, s10, s11, R11, R21, R12 and R22.
3. Further deduce R13, R23, R14, R24, R15, R25, R26, s5, s6, s12 and s13.
18
1s 2s 3s 4s 5s 6s 7s 8s 9s 10s 11s 12s 13s 14s 15s 16s
0
1
2
3
11R 21R 31R 41R 51R 61R71R 12R 22R 32R 42R 52R
62R 72R
0
1
2
3
0
1
2
31f 2f 3f 4f 5f 6f 7f 8f
The deduced byte in phase 2
The known byte
Figure 5 The illustration of the deduction in Phase 2 and 3
The deduced byte in phase 3
19
4. Further guess s7(0) and s8
(0), and deduce the rest bytes of s7
and s8.
5. Final deduce s9.
20
1s 2s 3s 4s 5s 6s 7s 8s 9s 10s 11s 12s 13s 14s 15s 16s
0
1
2
3
11R 21R 31R 41R 51R 61R71R 12R 22R 32R 42R 52R
62R 72R
0
1
2
3
0
1
2
31f 2f 3f 4f 5f 6f 7f 8f
The deduced byte
The known byte
Figure 6 The illustration of the deduction in Phase 4 and 5
The guessed byte
21
4.3 Time and data complexity
Time complexity: 2176 operations In Phase 1 and Phase 4, we guess a total of 175 bits of
the internal state, including s1, s2, s3, R21(0), R21
(1),
R21(2), s7
(0), s8(0) and the rest 31-bit values of R11.
Consider the assumption which holds true with probability 2-1.
Data complexity: about 20 words used In the guessing phase: 8 words used; In the testing phase: about 8 words used (When 16 words
are given, which has totally 512 bits and is larger than the 384 bits of the internal state, the internal state is determined by them. So we can use them to test the correctness of the recovered internal state.);
Consider the assumption: another 4 words used (By shifting the keystream by 4 words we can test two cases).
22
5 Further discussion on our attack
Here it should be pointed out that the assumption lsb(R11)=1 is NOT necessary for our attack to work.
In fact when lsb(R11)=0, which implies that R12=R21⊞s3, similarly we get the equation on s10
(3):
The above equation has no solution or 2k solutions for some integer k. However when a’, b’, c’ and d’ go through all possible values, the sum of the number of all solutions is just equal to 232.
We directly guess total 160-bit values of the internal state in phase 1, and after phase 2 we get total 2160 possible values. For each of them, we go on phases 3, 4 and 5. So the time complexity is still 2176 operations, but the data complexity reduces to about 16 key words.
23
6 Conclusion
In this work we presented a byte-based guess and determine attack on SOSEMANUK, which only needs a few words of known keystream to recover the whole internal state of SOSEMANUK with time complexity 2176 operations.
Since SOSEMANUK has a key with the length varying from 128 and 256 bits, it shows that when the length of a chosen encryption key is larger than 176 bits, our attack is more efficient than an exhaustive key search.
24
Thank youThank you !!