SLIDE 1

A Key-recovery Attack on 855-Round Trivium

Ximing Fu, Xiaoyun Wang, Xiaoyang Dong, Willi Meier

Tsinghua University, Beijing, China FHNW, Windisch, Switzerland

June 6, 2018

SLIDE 2

Introduction to Trivium

Outline

1

Introduction to Trivium

2

Related Works

3

Basic Ideas

4

Attack on 855-round Trivium

X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 2 / 24

SLIDE 3

Introduction to Trivium

Trivium

Initialization:
  (s1, s2, ..., s93) ← (K0, ..., K79, 0, ..., 0)
  (s94, s95, ..., s177) ← (IV0, ..., IV79, 0, ..., 0)
  (s178, s179, ..., s288) ← (0, ..., 0, 1, 1, 1)
  for i ← 1 : 4 · 288 do
    t1 ← s66 + s91 · s92 + s93 + s171
    t2 ← s162 + s175 · s176 + s177 + s264
    t3 ← s243 + s286 · s287 + s288 + s69
    (s1, s2, ..., s93) ← (t3, s1, ..., s92)
    (s94, s95, ..., s177) ← (t1, s94, ..., s176)
    (s178, s179, ..., s288) ← (t2, s178, ..., s287)
  end for

SLIDE 4

Introduction to Trivium

Trivium

Generate the keystream:
  for i ← 1 : N do
    t1 ← s66 + s91 · s92 + s93 + s171
    t2 ← s162 + s175 · s176 + s177 + s264
    t3 ← s243 + s286 · s287 + s288 + s69
    zi ← s66 + s93 + s162 + s177 + s243 + s288
    (s1, s2, ..., s93) ← (t3, s1, ..., s92)
    (s94, s95, ..., s177) ← (t1, s94, ..., s176)
    (s178, s179, ..., s288) ← (t2, s178, ..., s287)
  end for

SLIDE 5

Introduction to Trivium

Trivium

Iterative expression: let $s^r_w$ ($0 \le w \le 2$) denote $s_1$, $s_{94}$ and $s_{178}$ at round $r$ (for $w = 0$ the subscript is omitted below). Then

$$s^r = s^{r-66}_2 + s^{r-109}_2\, s^{r-110}_2 + s^{r-111}_2 + s^{r-69},\qquad
s^r_1 = s^{r-66} + s^{r-91}\, s^{r-92} + s^{r-93} + s^{r-78}_1,\qquad
s^r_2 = s^{r-69}_1 + s^{r-82}_1\, s^{r-83}_1 + s^{r-84}_1 + s^{r-87}_2. \tag{1}$$

Output: $z_r = s^{r-65} + s^{r-92} + s^{r-68}_1 + s^{r-83}_1 + s^{r-65}_2 + s^{r-110}_2$.
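As an added example (not code from the slides or from the authors), the following Python implements Trivium in the register form of slides 3-4 and in the iterative form of slide 5, and checks that both produce the same keystream; the key/IV values and the bit-0-first integer packing are constructed for the example.

```python
def bits(x, n=80):
    """Unpack an integer into n bits, bit 0 first (a constructed convention for this example)."""
    return [(x >> i) & 1 for i in range(n)]

def trivium_keystream(key, iv, rounds=4 * 288, n=64):
    """Register form of slides 3-4: 'rounds' initialization rounds, then n keystream bits."""
    # s[1..288] as on the slides; s[0] is unused so the indices match
    s = [0] + key + [0] * 13 + iv + [0] * 4 + [0] * 108 + [1, 1, 1]
    out = []
    for i in range(rounds + n):
        t1 = s[66] ^ (s[91] & s[92]) ^ s[93] ^ s[171]
        t2 = s[162] ^ (s[175] & s[176]) ^ s[177] ^ s[264]
        t3 = s[243] ^ (s[286] & s[287]) ^ s[288] ^ s[69]
        if i >= rounds:  # the keystream bit z is taken before the shift (slide 4)
            out.append(s[66] ^ s[93] ^ s[162] ^ s[177] ^ s[243] ^ s[288])
        s[1:94] = [t3] + s[1:93]
        s[94:178] = [t1] + s[94:177]
        s[178:289] = [t2] + s[178:288]
    return out

def trivium_iterative(key, iv, rounds=4 * 288, n=64):
    """Iterative form of slide 5: s{w}[off + r] holds s^r_w, the bit entering register w at round r."""
    off = 111  # room for the negative rounds that hold the initial state
    s0, s1, s2 = ([0] * (off + rounds + n + 1) for _ in range(3))
    # position p of a register after round 0 holds s^{1-p}_w, so K_j sits at s^{-j}_0,
    # IV_j at s^{-j}_1, and the three 1s of register C at s^{-108}_2 .. s^{-110}_2
    for j in range(80):
        s0[off - j], s1[off - j] = key[j], iv[j]
    for j in (108, 109, 110):
        s2[off - j] = 1
    out = []
    for r in range(1, rounds + n):
        i = off + r
        s0[i] = s2[i - 66] ^ (s2[i - 109] & s2[i - 110]) ^ s2[i - 111] ^ s0[i - 69]
        s1[i] = s0[i - 66] ^ (s0[i - 91] & s0[i - 92]) ^ s0[i - 93] ^ s1[i - 78]
        s2[i] = s1[i - 69] ^ (s1[i - 82] & s1[i - 83]) ^ s1[i - 84] ^ s2[i - 87]
        if r >= rounds:  # z_r of slide 5
            out.append(s0[i - 65] ^ s0[i - 92] ^ s1[i - 68] ^ s1[i - 83] ^ s2[i - 65] ^ s2[i - 110])
    return out

if __name__ == "__main__":
    K, V = bits(0x0F62B5085BAE0154A7FA), bits(0x288FF65DC42B92F960C7)  # constructed key/IV
    assert trivium_keystream(K, V) == trivium_iterative(K, V)
    print("first keystream bits agree:", trivium_keystream(K, V)[:16])
```

Setting `rounds=855, n=1` returns $z_{855}$, the single output bit that the attack on the later slides targets.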

SLIDE 6

Related Works

SLIDE 7

Related Works

Cube-like Attack

ANF: the output bit or a state bit of a stream cipher over $m$ IV bits and $n$ key bits is

$$s = \sum_{I,J} \prod_{i \in I} v_i \prod_{j \in J} k_j. \tag{2}$$

IV term: $t_I = \prod_{i \in I} v_i$.

Coefficient function: $g_I(k) = \sum_{J} \prod_{j \in J} k_j$, the sum over all $J$ paired with this $I$ in Eq. (2).

Theorem 1. The cube sum of $s$ over the set $I$ is $g_I(k)$, i.e.

$$\sum_{(v_i)_{i \in I} \in \{0,1\}^{|I|}} s = g_I(k), \tag{3}$$

where the IV bits $v_k$ ($k \notin I$) are fixed.

1. $g_I(k)$ is linear or of low degree over partial key bits (key recovery).
2. $g_I(k) = 0$: $t_I$ is a missing IV term (distinguisher).
SLIDE 8

Basic Ideas

SLIDE 9

Basic Ideas

A new polynomial reduction technique

Lemma 2. Suppose $z$ is the output polynomial of a cipher and

$$z = P_1 P_2 + P_3. \tag{4}$$

Then the polynomial can be reduced to a simpler one, $(1 + P_1) z = (1 + P_1) P_3$, by multiplying both sides of Eq. (4) by $1 + P_1$, provided $\deg(P_1 P_2) > \deg((1 + P_1) P_3)$.

How to distinguish right and wrong key guesses:

1. Right guess: $(1 + P_1) z = (1 + P_1) P_3$.
2. Wrong guess $P_1'$: $(1 + P_1') z = (1 + P_1') P_1 P_2 + (1 + P_1') P_3$.

SLIDE 10

Basic Ideas

Outline of our attack

Preprocess phase

1. Determine $P_1$ and obtain the reduced polynomial $(1 + P_1) P_3$. There are 3 criteria for the choice of $P_1$: (1) $P_1$ occurs frequently in the high-degree state terms; (2) the degree of $P_1$ is low; (3) the number of equivalent key guesses in $P_1$ is minimized.
2. Compute the degree bound $d$ of $(1 + P_1) P_3$; then $(d+1)$-dimensional cubes can serve as distinguishers.

Online attack phase

Guess the partial key bits in $P_1$ and compute the sum of $(1 + P_1) z$ over $(d+1)$-dimensional cubes:

1. For the right guess, the result is always 0.
2. For wrong guesses, the results are 0-1 balanced.
SLIDE 11

Basic Ideas

The preprocessing phase

[Figure: preprocessing flow. Input $(k_1, \dots, k_{80}, v_1, \dots, v_{80})$; Step 1: forward computation of the internal state bits $s^j_i$; Step 2: internal state bits $\to (1 + P_1) P_3$; Step 3: IV representation, discarding monomials.]

1. Compute the state bits $s^j_i$ ($j \in [0, 2]$) for $i \in [0, 340]$ over key and IV bits.
2. Decompose the output bit and obtain $(1 + P_1) P_3$ over state bits at rounds less than 450.
3. "Meet-in-the-middle": decomposition & IV representation.
SLIDE 12

Basic Ideas

Key techniques

In Step 2 and Step 3, the repeated-term removing algorithm and fast discarding techniques are used during decomposition, including degree evaluation and degree reduction. With a bound $d$:

1. if the evaluated degree of a state term satisfies $\deg(T_i) < d$, then $T_i$ can be deleted;
2. if $\deg(T_i) - dt(T_i) < d$, then $T_i$ can be deleted, where $dt(T_i)$ is the degree reduction of $T_i$.

SLIDE 13

Basic Ideas

Repeated-(state)term Removing Algorithm

Algorithm 1 Repeated-(state)term Removing Algorithm
Input: The vector T with n terms, i.e., T1, T2, ..., Tn.
Output: Updated T with m terms, where m ≤ n.
1: Initialize an empty hash set H.
2: for i ← 1 : n do
3:   Compute the hash value of Ti, i.e., H(Ti)
4:   if H.contains(Ti) is true then
5:     H.delete(Ti)
6:   else
7:     H.insert(Ti)
8:   end if
9: end for

The complexity of Algorithm 1 is O(n) for processing n state terms.

SLIDE 14

Basic Ideas

Degree evaluation algorithm

Algorithm 2 Degree Evaluation Algorithm (DEG) of State Bit
Input: The values t and r which indicate the state bit $s^r_t$.
Output: $DEG(s^r_t) = d$.
1: Initialize the degree bound d as in Step 2 above, and the end point end.
2: len ← 0
3: while len = 0 do
4:   Iteratively express $s^r_t$ using state bits $s^j_i$, where 0 ≤ i ≤ 2 and 0 ≤ j < end. During each expression, discard the state terms of degree lower than d. Let len be the number of remaining state terms.
5:   if len = 0 then
6:     d ← d − 1
7:   end if
8: end while
9: return d

where $end = \lfloor r/32 \rfloor \times 32 - 128$ in the cryptanalysis of Trivium.

SLIDE 15

Basic Ideas

Degree evaluation: example

Degree evaluation of $s^{341}_2$ ($end = \lfloor r/32 \rfloor \times 32 - 128 = 192$):

Step 1. First, we decompose $s^{341}_2 = s^{272}_1 + s^{259}_1 s^{258}_1 + s^{257}_1 + s^{254}_2$.

Step 2. Let $d = \max\{\deg(s^{272}_1),\ \deg(s^{259}_1) + \deg(s^{258}_1),\ \deg(s^{257}_1),\ \deg(s^{254}_2)\} = 10$.

Step 3. Discarding the state terms of degree lower than 10, we get $s^{341*}_2 = s^{259}_1 s^{258}_1$. Decomposing and discarding again, no state term survives. Reset $d = d - 1 = 9$ and repeat the above process. We get $s^{341**}_2 = s^{166} s^{167} s^{193} + s^{167} s^{168} s^{192} + \dots$.

Step 4. Continue to decompose and discard, and we get

$$s^{341***}_2 = s^{56}_2 s^{57}_2 s^{83}_2 s^{84}_2 s^{101}_2 + s^{57}_2 s^{58}_2 s^{83}_2 s^{84}_2 s^{100}_2 + \dots \tag{5}$$

Step 5. The decomposition ends and there are still state terms surviving, so $d = 9$ is the estimated degree of $s^{341}_2$.

Step 6. Note that if no state term of $s^{341***}_2$ survived, the degree would have to be less than 9; we would reset $d = 8$ and continue with Steps 3-5.

SLIDE 16

Basic Ideas

Degree reduction algorithm

Algorithm 3 Degree Reduction Algorithm of State Term
Input: The values i, r, t which indicate the state term.
Output: The degree reduction $dt = \sum_{j=l}^{l+t-1} \deg(s^j_i) - \deg\left(\prod_{j=l}^{l+t-1} s^j_i\right)$.
1: Initialize the degree bound $d = \sum_{j=l}^{l+t-1} DEG(s^j_i)$, the degree reduction dt = 0, the end point end, and the number of surviving state terms len = 0.
2: while len = 0 do
3:   Express the state term $\prod_{j=l}^{l+t-1} s^j_i$ using state bits $s^j_i$, where 0 ≤ i ≤ 2 and 0 ≤ j < end, and discard the state terms of degree lower than d − dt. Let len be the number of remaining state terms.
4:   if len = 0 then
5:     dt ← dt + 1
6:   end if
7: end while
8: return dt

where $end = \lfloor r/32 \rfloor \times 32 - 128$ in the cryptanalysis of Trivium.

SLIDE 17

Basic Ideas

Degree reduction: example

Degree reduction of $s^{340}_1 s^{341}_1$ ($end = \lfloor r/32 \rfloor \times 32 - 128 = 192$):

Initialize $d = DEG(s^{340}_1) + DEG(s^{341}_1)$ and $dt = 0$. Express $s^{340}_1 s^{341}_1$ and discard the state terms of degree lower than $d - dt = d$: no state term survives. Increase $dt$ by 1, so $dt = 1$. Express $s^{340}_1 s^{341}_1$ again and discard the state terms of degree lower than $d - dt = d - 1$; the result is $s^{249} s^{250} s^{262}_1 + s^{248} s^{249} s^{263}_1$. Continuing the iterative computation, the remaining state terms are

$$s^{170} s^{171} s^{180} s^{140}_2 s^{141}_2 + s^{170} s^{171} s^{181} s^{139}_2 s^{140}_2 + s^{171} s^{172} s^{179} s^{139}_2 s^{140}_2 + s^{171} s^{172} s^{180} s^{138}_2 s^{139}_2.$$

There is no state bit $s^j_i$ with $j$ bigger than $end = 192$ in any of these state terms, hence the expression ends. The degree reduction $dt = 1$ is returned. Thus $\deg(s^{340}_1 s^{341}_1) \le DEG(s^{340}_1) + DEG(s^{341}_1) - dt = 7 + 7 - 1 = 13$.

SLIDE 18

Basic Ideas

IV representation

Definition 3. Given a Boolean polynomial $s = \sum_{I,J} \prod_{i \in I} v_i \prod_{j \in J} k_j$, the corresponding IV representation is $s_{IV} = \sum_{I,J} \prod_{i \in I} v_i$.

Example 4. For $s = v_0 k_1 + v_0 k_0 k_2 + v_1 k_1 k_2 + v_0 v_1 k_2$, the representation is $s_{IV} = v_0 + v_0 + v_1 + v_0 v_1$.

Property 1. If an IV term exists in $s$, it must also exist in $s_{IV}$, but not the opposite. If an IV term is not in $s_{IV}$, it can be concluded that it is not in $s$. The IV representation can therefore be used to compute missing IV terms, which can serve as distinguishers.

SLIDE 19

Basic Ideas

Repeated-IV term Removing Algorithm

Algorithm 4 Repeated-IV term Removing Algorithm
Input: The vector T with n IV terms, i.e., T1, T2, ..., Tn.
Output: Updated T with m IV terms, where m ≤ n.
1: Initialize an empty hash set H.
2: for i ← 1 : n do
3:   Compute the hash value of Ti, i.e., H(Ti).
4:   if H.contains(Ti) is false then
5:     H.insert(Ti).
6:   end if
7: end for

The time complexity is O(n) for processing n IV terms.

SLIDE 20

Attack on 855-round Trivium

SLIDE 21

Attack on 855-round Trivium

Attack on Trivium

Compute the exact Boolean polynomials of the state bits $s^r_w$ ($w \in [0, 2]$) for $r \le 340$, and obtain the degree bounds of the other state bits by applying Algorithm 2.

Determine $P_1 = s^{210}_1$: decompose the output bit of 855-round Trivium and preserve the high-degree state terms. (1) $s^{210}_1$ occurs in about 3/4 of all the preserved high-degree state terms; (2) the degree of $s^{210}_1$ is 5 and can be reduced to 2 after nullifying 5 IV bits; (3) there are only 3 equivalent key bits to be guessed.

Nullify 5 IV bits to reduce the degree of $s^{210}_1$, and update the Boolean polynomials and degrees of the state bits.

Determine the key bits in $P_1$, i.e., $k_{19}$, $k_{20}$, and $k_{57} + k_{63} + k_{21} + k_{28} k_{29} + k_3 + k_{30} + k_{12} + k_{37} k_{38} + k_{39}$.

SLIDE 22

Attack on 855-round Trivium

Preprocessing Phase

[Figure: preprocessing pipeline over the state terms: repeated-term removing, degree evaluation, degree reduction, discarding monomials (repeated), then IV representation (Algorithm 4) yielding the 70-degree IV terms; left state terms vs. deleted state terms.]

Degree evaluation: remove the state terms of degree lower than 70.
Degree reduction: remove the state terms whose degree $d$ satisfies $d < 70 + dt$, where $dt$ is the corresponding degree reduction of the state term.
IV representation: compute the existing 70-degree IV terms.

It is proved that $\deg((1 + s^{210}_1) z_{855}) < 70$.

SLIDE 23

Attack on 855-round Trivium

Online Phase

Algorithm 5 On-line Attack
1: Initialize the possible key space KEY with size $2^3$.
2: for i ← 1 : 3 do
3:   for each possible key in KEY do
4:     Compute the value of $s^{210}_1$, and from it the value of $(1 + s^{210}_1) z$,
5:     Compute the cube sum zsum of $(1 + s^{210}_1) z$,
6:     if zsum = 1 then
7:       Delete key from KEY.
8:     end if
9:   end for
10: end for

Complexity analysis: the time complexity is $(2^3 + 2^2 + 2^1) \cdot 2^{70} \approx 2^{74}$ bit operations.
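An added example, not from the slides: Boolean polynomials as sets of monomials over GF(2), used to check Example 4 (IV representation, slide 18), Theorem 1 (the cube sum equals the coefficient function, slide 7), Lemma 2 (the reduction and its degree drop, slide 9) and the right/wrong-guess test behind Algorithm 5 on small constructed polynomials P1, P2, P3 that stand in for the real Trivium ones.

```python
import re
from itertools import product

ONE = frozenset({frozenset()})  # the constant polynomial 1 (the empty monomial)

def parse(s):
    """'v0k1 + v1k0k2' -> polynomial as a set of monomials, each a frozenset of variable names."""
    return frozenset(frozenset(re.findall(r"[a-z]\d+", t)) for t in s.split("+"))

def add(p, q):
    """XOR of polynomials: a term present on both sides cancels (the rule behind Algorithm 1)."""
    return frozenset(p ^ q)

def mul(p, q):
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}  # x*x = x over GF(2); a product produced twice cancels
    return frozenset(r)

def deg(p):
    return max((len(m) for m in p), default=-1)

def iv_rep(p):
    """Definition 3: drop key variables; a repeated IV term is kept once, not cancelled (Algorithm 4)."""
    return frozenset(frozenset(x for x in m if x.startswith("v")) for m in p)

def evaluate(p, assign):
    return sum(all(assign[x] for x in m) for m in p) % 2

def cube_sum(p, cube, fixed):
    """Theorem 1: sum p over all 2^|I| values of the cube variables I, other variables fixed."""
    total = 0
    for vals in product((0, 1), repeat=len(cube)):
        total ^= evaluate(p, {**fixed, **dict(zip(cube, vals))})
    return total

# Example 4 of slide 18
S = parse("v0k1 + v0k0k2 + v1k1k2 + v0v1k2")

# Lemma 2 on constructed polynomials: z = P1*P2 + P3 with deg(P1*P2) > deg((1 + P1)*P3)
P1, P2, P3 = parse("v0k1"), parse("v1v2v3k0"), parse("v1 + k0")
Z = add(mul(P1, P2), P3)          # degree 6
REDUCED = mul(add(ONE, P1), P3)   # degree 3, IV-degree 2
CUBE = ["v0", "v1", "v2", "v3"]   # cube of dimension 4 > IV-degree of REDUCED

def online_check(p1_guess, true_key):
    """Slides 10 and 23: cube sum of (1 + P1_guess) * z, 0 for the right guess of the key bit in P1."""
    return cube_sum(mul(add(ONE, p1_guess), Z), CUBE, true_key)
```

With the true key k1 = 1, the right guess substitutes P1 = v0 and the cube sum is 0, while the wrong guess k1 = 0 (P1 = 0) leaves z itself, whose cube sum is k0 k1 = 1, so that candidate is deleted.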

SLIDE 24

Thanks for Your Attention