Advanced Cryptanalysis of Stream Ciphers, Willi Meier, Albena, June 30 - July 5, 2013 (slide presentation)


SLIDE 1

Advanced Cryptanalysis of Stream Ciphers

Willi Meier

Albena, June 30 - July 5, 2013

1 / 41

SLIDE 2

Overview

◮ Introduction
◮ Conditional differentials
◮ High-order differentials
◮ Applications to Trivium and Grain
◮ Recent results
◮ Open Problems
◮ Joint work with Simon Knellwolf, Michael Lehmann, María Naya-Plasencia

SLIDE 3

Introduction

Model of a stream cipher (figure): the key and the IV are fed into a function f(), which produces the binary keystream.

SLIDE 4

Introduction

Formally, a stream cipher consists of:

  • Initialization function F : {0,1}^κ × {0,1}^n → {0,1}^m.
  • State update function G : {0,1}^m → {0,1}^m.
  • Output function H : {0,1}^m → {0,1}.

s_t: state at time instant t. s_{t+1} = G(s_t, k), z_t = H(s_t, k).

SLIDE 5

Introduction

Shall investigate initialization modes of NLFSR-based stream ciphers Trivium and Grain. Methods:

  • Conditional differentials
  • High-order differentials (cube attacks)

SLIDE 6

Introduction

Initialization of Trivium

  (s1, s2, ..., s93)      ← (k0, ..., k79, 0, ..., 0)
  (s94, s95, ..., s177)   ← (x0, x1, ..., x79, 0, ..., 0)
  (s178, s179, ..., s288) ← (0, 0, ..., 0, 1, 1, 1)
  for i = 1 to 4 · 288 do
      t1 ← s66 + s93
      t2 ← s162 + s177
      t3 ← s243 + s288
      t1 ← t1 + s91 · s92 + s171
      t2 ← t2 + s175 · s176 + s264
      t3 ← t3 + s286 · s287 + s69
      (s1, s2, ..., s93)    ← (t3, s1, ..., s92)
      (s94, s95, ..., s177) ← (t1, s94, ..., s176)
      (s178, ..., s288)     ← (t2, s178, ..., s287)
  end for

SLIDE 7

Introduction

Output generation of Trivium

  for i = 1 to ℓ do
      t1 ← s66 + s93
      t2 ← s162 + s177
      t3 ← s243 + s288
      zi ← t1 + t2 + t3
      t1 ← t1 + s91 · s92 + s171
      t2 ← t2 + s175 · s176 + s264
      t3 ← t3 + s286 · s287 + s69
      (s1, s2, ..., s93)    ← (t3, s1, ..., s92)
      (s94, s95, ..., s177) ← (t1, s94, ..., s176)
      (s178, ..., s288)     ← (t2, s178, ..., s287)
  end for
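As an added example (not code from the talk or the eSTREAM reference implementation), a bit-level Python model of the initialization and output loops above. It also exposes the first-order difference Δt1 from the conditional-differential slides and the cube sum (high-order derivative of the first keystream bit) from the cube-attack slides, so the later claims about round 24 can be checked on reduced-round initialization. The sample key and IV are constructed, not a published test vector.

```python
INIT_ROUNDS = 4 * 288  # 1152 initialization clocks (full Trivium)

def trivium_clock(s):
    """One clock of the three shift registers (s_i is s[i-1]); returns (new_state, z)."""
    t1 = s[65] ^ s[92]                   # s66 + s93
    t2 = s[161] ^ s[176]                 # s162 + s177
    t3 = s[242] ^ s[287]                 # s243 + s288
    z = t1 ^ t2 ^ t3                     # keystream bit (used in output mode only)
    t1 ^= (s[90] & s[91]) ^ s[170]       # + s91*s92 + s171
    t2 ^= (s[174] & s[175]) ^ s[263]     # + s175*s176 + s264
    t3 ^= (s[285] & s[286]) ^ s[68]      # + s286*s287 + s69
    return [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287], z

def trivium_init(key, iv, rounds=INIT_ROUNDS):
    """Load 80 key bits k0..k79 and 80 IV bits x0..x79 (lists of 0/1), clock `rounds` times."""
    s = key[:80] + [0] * 13 + iv[:80] + [0] * 4 + [0] * 108 + [1, 1, 1]
    for _ in range(rounds):
        s, _ = trivium_clock(s)
    return s

def trivium_keystream(key, iv, nbits, rounds=INIT_ROUNDS):
    """Keystream bits z_1..z_nbits after `rounds` initialization clocks."""
    s = trivium_init(key, iv, rounds)
    out = []
    for _ in range(nbits):
        s, z = trivium_clock(s)
        out.append(z)
    return out

def delta_t1(key, iv, flip, rounds):
    """Difference of the bit t1 produced in round `rounds` (it sits in s94 afterwards)
    when IV bit x_flip is flipped; 1 means the IV difference propagated to t1."""
    iv2 = list(iv)
    iv2[flip] ^= 1
    return trivium_init(key, iv, rounds)[93] ^ trivium_init(key, iv2, rounds)[93]

def cube_sum(key, cube, rounds=INIT_ROUNDS, base_iv=None):
    """Derivative of z_1 with respect to the IV bits in `cube`: XOR of z_1 over all
    2^|cube| settings of those bits, the other IV bits fixed (zero by default)."""
    iv = list(base_iv) if base_iv else [0] * 80
    acc = 0
    for mask in range(1 << len(cube)):
        for j, idx in enumerate(cube):
            iv[idx] = (mask >> j) & 1
        acc ^= trivium_keystream(key, iv, 1, rounds)[0]
    return acc

# Constructed sample key and IV for experiments (not a published test vector).
SAMPLE_KEY = [1 if i % 3 else 0 for i in range(80)]
SAMPLE_IV = [(i // 2) % 2 for i in range(80)]
```

With rounds=24, trivium_init(...)[93] reproduces the expression s94 = x54 + k42 + k67k68 + k69 given later in the talk, and cube_sum(key, [44], 24) is 1 for every key because z1 after 24 rounds is still linear in x44.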

SLIDE 8

Introduction

Initialization of Grain-128a (figure: an NLFSR and an LFSR with feedback functions g and f, combined through the output function h).

f: primitive feedback polynomial of the LFSR.
g: nonlinear feedback polynomial of the NLFSR, of order 4.
h(x) = x0x1 + x2x3 + x4x5 + x6x7 + x0x4x8.

SLIDE 9

Introduction

State size: 256 bits. Key size: 128 bits, loaded into the NLFSR. IV size: 96 bits, loaded into the LFSR. The remaining 32 bits are fixed to 1, except the last bit, which is set to 0. Grain-128a is an update of Grain-128, which has been cryptanalyzed with complexity lower than 2^128 operations.

SLIDE 10

Introduction

Output mode of Grain-128a (figure: NLFSR and LFSR with taps feeding g, f and the output function h).

SLIDE 11

Conditional Differentials

Conditional differential characteristics introduced by Ben-Aroya and Biham (CRYPTO’93) for analysis of DES-like cryptosystems. In differential cryptanalysis: Input difference is suitably chosen and differences are traced over several rounds. Input difference is fixed but input values arbitrary.

SLIDE 12

Conditional differentials

Goal of conditional differentials: Find both sample inputs and a suitable input difference such that the difference in the (truncated) output is biased. If a bias is detected, it is used for a distinguisher or for key recovery.

SLIDE 13

Conditional differentials

Scenario: Chosen IV attack. Keystream modelled as a Boolean function f : {0,1}^κ × {0,1}^n → {0,1} mapping key k and IV x to keystream bit b. Suppose bit b = f(k, x) is computed using an NLFSR which is initialized with k and x and updated many times before b is output from the resulting state.

After initialization, b is a huge polynomial in the bits of k and x: out of reach to express for analysis purposes.

SLIDE 14

Conditional differentials

Can we still analyze f for distinguishing or key recovery purpose by evaluating it at many well chosen values x (and for unknown but fixed key k)? Difference propagation through NLFSR. At each round i, a single state bit ti is newly generated; other bits are merely shifted. Enough to consider propagation of differences to bits ti. Let ∆x be a difference in the IV. Say that ∆x propagates to ti if

SLIDE 15

Conditional differentials

∆ti = ti(k, x) + ti(k, x + ∆x) = 1. Consider ∆ti as a polynomial in the key and the IV variables. The value of ∆ti determines whether the difference ∆x propagates to ti or not.

Wish to predict ∆b. Hundreds of iterations of the NLFSR: a symbolic description of ∆b as a function of key and IV is out of reach.

SLIDE 16

Conditional differentials

Impose conditions to influence difference propagation. Goal: Find a sample of IVs for which the difference ∆b is biased. Observation: In the first few iterations, explicit conditions can be set on some IV bits to control difference propagation.

If right conditions are set: many terms in (hypothetical) polynomial describing output difference cancel out, and bias may be detected.

SLIDE 17

Conditional differentials

Tradeoff between the maximum number of conditions to be set and the sample size of initial values available for the statistics. The approach is quite effective against several NLFSR-based ciphers. Finding and controlling the conditions is a delicate task. Conditional differentials in the initialization of Grain v1: practical distinguisher on 97 out of 160 initialization rounds.

SLIDE 18

High-order differentials

Let V be a linear subspace of {0,1}^n of dimension d, and f : {0,1}^n → {0,1} a Boolean function. The derivative of order d of f with respect to V is

  ∆_V f(x) = Σ_{v ∈ V} f(x + v).

SLIDE 19

High-order differentials

Methods based on high-order differentials:

  • Maximum-degree test, Englund-Johansson-Turan, 2007.
  • Key recovery with derived functions (FKM, 2008).
  • Cube attack, Vielhaber, Dinur-Shamir 2008.
  • Cube testers, 2009.
  • Dynamic cube attack on Grain-128, Dinur-Shamir 2011.

SLIDE 20

High-order differentials

Cube attack on f(k, x), k secret, x public: For an index set I ⊂ {1, ..., n} define t_I as the monomial containing all public variables (the cube variables) with index in I. For fixed I, there is a unique polynomial p such that the ANF of f(k, x) can be written as f(k, x) = t_I p(k, x) + q(k, x), where p does not contain any cube variable, and no monomial in q is divisible by t_I.

SLIDE 21

High-order differentials

Terminology: t_I: maxterm. p: superpoly of I in f. f: masterpoly. Superpolys can be computed by summing the master polynomial over all possible configurations of the cube variables.

SLIDE 22

High-order differentials

Example (cube attack): f(k1, k2, x1, x2, x3, x4) = k1x1 + k2x1x2x3 + x1x2x4 + x3. The superpoly of I = {1, 2} in f computes as

  Σ_{x1, x2} f(k1, k2, x1, x2, x3, x4) = k2x3 + x4,

which is the polynomial that multiplies t_I = x1x2 in f: f(k1, k2, x1, x2, x3, x4) = x1x2(k2x3 + x4) + k1x1 + x3.

Translation of superpolys into derivatives is straightforward: p(k, x) = ∆_{V_i} f(k, x), where V_i = {x ∈ {0,1}^n | x i}, for 0 ≤ i ≤ 2^n − 1.
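The slide's cube computation as an added Python example (not from the talk): ANF polynomials as sets of monomials, the symbolic superpoly of the preprocessing phase, and the online phase recovering k2 from black-box cube sums. The oracle and its secret key are constructed for the demonstration.

```python
def poly(*monomials):
    """Build an ANF polynomial: a set of monomials, each a frozenset of variable names."""
    return {frozenset(m) for m in monomials}

# Masterpoly from the slide: f = k1*x1 + k2*x1*x2*x3 + x1*x2*x4 + x3
F = poly(("k1", "x1"), ("k2", "x1", "x2", "x3"), ("x1", "x2", "x4"), ("x3",))

def substitute(p, assignment):
    """Fix the variables in `assignment` to 0/1 constants; returns the reduced polynomial."""
    out = set()
    for mono in p:
        if any(assignment.get(v) == 0 for v in mono):
            continue                                  # a zero factor kills the term
        out ^= {frozenset(v for v in mono if v not in assignment)}  # XOR: pairs cancel
    return out

def superpoly(p, cube):
    """Preprocessing phase: sum p over all 2^|cube| settings of the cube variables."""
    acc = set()
    for mask in range(1 << len(cube)):
        acc ^= substitute(p, {v: (mask >> i) & 1 for i, v in enumerate(cube)})
    return acc

def evaluate(p, values):
    """Numeric value of p at `values`; the empty monomial is the constant 1."""
    return sum(all(values[v] for v in mono) for mono in p) & 1

SECRET = {"k1": 1, "k2": 1}   # constructed secret key the online phase must recover

def oracle(x):
    """Online-phase black box: f(k, x) for the fixed, unknown key."""
    return evaluate(F, {**SECRET, **x})

def cube_sum_online(oracle, cube, base):
    """Online phase: XOR the oracle over the cube, other public variables fixed to `base`."""
    acc = 0
    for mask in range(1 << len(cube)):
        acc ^= oracle({**base, **{v: (mask >> i) & 1 for i, v in enumerate(cube)}})
    return acc

def recover_k2():
    """The superpoly of {x1, x2} is k2*x3 + x4, so at x3=1, x4=0 the cube sum equals k2."""
    return cube_sum_online(oracle, ["x1", "x2"], {"x3": 1, "x4": 0})
```

superpoly(F, ["x1", "x2"]) returns the two monomials k2x3 and x4 from the slide; recover_k2() reads k2 with four oracle queries.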

SLIDE 23

High-order differentials

In the preprocessing phase: search for "good" cubes with linear or very sparse low-degree superpolys. In the online phase, the values of the sums over each cube are computed, giving equations out of the superpolys. These are subsequently solved for the key. Cube attacks have been applied mainly to reduced versions of Trivium initialization. Best cube attack on Trivium: 799 out of 1152 rounds, verified in experiments (Fouque-Vannet, FSE 2013). Cube attacks have practical complexity where they work. It is hard to get estimates on their limits.

SLIDE 24

High-order differentials

In cube attacks on Trivium, key bits k69, ..., k79 never occur in linear superpolys. Explanation: Look at first few initialization rounds. Consider k69 as an example. Enters mixing process via t1 at rounds 21, 22, and 23. After 24 rounds it appears in the state exclusively as s94 = x54 + k42 + k67k68 + k69, s95 = x55 + k43 + k68k69 + k70, s96 = x56 + k44 + k69k70 + k71.

SLIDE 25

High-order differentials

The only way for k69 to appear in a derived linear expression is that the quadratic term in s94 cancels out during the initialization process. Cannot prove that this doesn't happen, but it is very unlikely. Question: Can analysis of the initial rounds serve for the choice of "good" cube indices? Question: Why are superpolys just sparse sums of copies of initial values of t1, t3?

SLIDE 26

High-order differentials

If superpoly does not depend on all key bits, divide-and-conquer for reduced key search is possible. Refined scenarios where influence of key is not zero but small enough.

SLIDE 27

High-order differentials

Dynamic cube attack on Grain-128: Certain variables which are not part of the maxterm t_I are assigned a function of public and private variables instead of a constant value. The functions are chosen so that the symbolic expressions of certain variables simplify. Cryptanalysis of Grain-128 with complexity about 2^90 and memory usage of 2^63 bits.

SLIDE 28

High-order differentials

Cube testers

◮ give distinguishers rather than key-recovery
◮ don't require low-degree functions
◮ need no precomputation
◮ black box analysis

Detect structure (nonrandomness) in the superpoly, using algebraic property testers

SLIDE 29

High-order differentials

A tester for property P on the function f:

◮ makes (adaptive) queries to f
◮ accepts when f satisfies P
◮ rejects with bounded probability otherwise

SLIDE 30

High-order differentials

Examples of efficiently testable properties:

◮ balance
◮ linearity
◮ low-degree
◮ constantness
◮ presence of linear variables
◮ presence of neutral variables

General characterization by Kaufman/Sudan, STOC'08

SLIDE 31

High-order differentials

Cube testers applied:

  • to detect nonrandomness of reduced-round initialization of Trivium up to 885 rounds.
  • to detect nonrandomness in reduced-round initialization of Grain-128.

Dynamic cube attack on full-round Grain-128 by Dinur-Shamir. Cube testers are useful for determining the number of rounds in new schemes (e.g., the NLFSR-based Quark hash function).

SLIDE 32

High-order differentials

Conditions in high-order differentials? Impose conditions on the "basic differences" involved in the summation, each viewed as a first-order difference. Many differences are involved: conditions for different differences may contradict each other.

SLIDE 33

Application to Trivium

Careful analysis of conditions for high-order differentials in Trivium initialization: Practical distinguisher for 961 out of 1152 rounds. IV-bits x72, x78 neutral for a small subset of (weak) key bits.

SLIDE 34

Application to Grain-128a

(Conditional) high-order differentials allow for comparison of security of Grain-128a and its predecessor Grain-128. Dynamic cube attack on Grain-128: Possible as growth of degree and number of terms slow and irregular with increasing number of rounds. Update function of NLFSR in Grain-128 only quadratic. Grain-128a: Added two monomials of degree 3 and one of degree 4 in update function g(x) of NLFSR.

SLIDE 35

Application to Grain-128a

Comparison of the degrees of monomials and the number of terms of maximum order: the increase in density and degree is much larger for Grain-128a.

SLIDE 36

Application to Grain-128a

Conditional differentials: The table lists the best results, i.e. the number of rounds attacked, on Grain-128 and Grain-128a for various cube dimensions, using 2048 random IVs and a significance level of 0.01:

  Cube dimension   12    16    20    24    28    33
  Grain-128        207   215   219   225   231   236
  Grain-128a       164   165   167   172   175   177

SLIDE 37

Application to Grain-128a

Best cube is of dimension 33. Results in a bias of approximately 0.463 at round 177. The public variables used as cube are the following: v1, v2, v3, v20, v21, v22, v23, v24, v25, v26, v34, v35, v36, v37, v48, v49, v50, v51, v52, v53, v54, v63, v64, v65, v66, v67, v68, v69, v77, v78, v79, v80, v95.

Apply the same cube to Grain-128: Find a bias of approximately 0.469 at round 236. The best cube previously found is of dimension 40 and results in a bias up to round 237.

SLIDE 38

Application to Grain-128a

Find that the initialisation of Grain-128a is clearly much better, as we find the last bias 59 rounds earlier with the same cube. The results presented were achieved by imposing conditions only on the public variables. Consider conditions on the private variables of Grain-128a as well: Get even better results in much less computing time. Evaluating the sum over the cube v64, v65, v66, v67, v68, v69 of dimension 6, we find a significant bias at round 189.

The conditions, i.e. the public and private variables set to a certain value, imposed here are the following:

SLIDE 39

Application to Grain-128a

v57, v58, v59, v60, v61, v62, v71, v72, v73, v74, v75, v76, v83, v84, v85, v86, v87, v k117, k118, k119, k120, k121, k122 For attack on 189 rounds, all conditions have to be set to zero. Best attack so far using conditional differential analysis.

SLIDE 40

Recent results

  • New results on RC4: TLS security, WEP (FSE 2013)
  • Near collisions in Grain v1 (FSE 2013)
  • Improved analysis of initialization of E0 (CRYPTO 2013)
  • Differential fault attacks on Grain and MICKEY (CHES 2012, 2013)

SLIDE 41

Open Problems

Analysis of RC4 Book by G. Paul, S. Maitra: RC4 Stream Cipher and Its Variants

  • State recovery for given keystream (MK, Crypto 2008)
  • Long-term biases

Analysis of eSTREAM finalists

  • Monomial structure in Trivium initialization?
  • (Truncated) differentials in Salsa in how many rounds?

Stream ciphers for CAESAR competition for Authenticated Encryption?
