Advanced Cryptanalysis of Stream Ciphers Willi Meier Albena, June - PowerPoint PPT Presentation

Advanced Cryptanalysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 41

Overview ◮ Introduction ◮ Conditional differentials ◮ High-order differentials ◮ Applications to Trivium and Grain ◮ Recent results ◮ Open Problems ◮ Joint work with Simon Knellwolf, Michael Lehmann, Mar´ ıa Naya-Plasencia 2 / 41

Introduction Model of a stream cipher: Key f () 0 1 . . 1 . . IV . . 3 / 41

Introduction Formally, a stream cipher consists of: Initialization function F : { 0 , 1 } κ × { 0 , 1 } n �→ { 0 , 1 } m . State update function G : { 0 , 1 } m �→ { 0 , 1 } m Output function H : { 0 , 1 } m �→ { 0 , 1 } . s t : state at time instant t . s t + 1 = G ( s t , k ) , z t = H ( s t , k ) . 4 / 41

Introduction Shall investigate initialization modes of NLFSR-based stream ciphers Trivium and Grain. Methods: - Conditional differentials - High-order differentials (cube attacks) 5 / 41

Introduction Initialization of Trivium ( s 1 , s 2 , ..., s 93 ) ← ( k 0 , ..., k 79 , 0 , 0 , .., ) ( s 94 , s 95 , ..., s 177 ) ← ( x 0 , x 1 , ..., x 79 , 0 ., , , , 0 ) ( s 178 , s 179 , ..., s 288 ) ← ( 0 , 0 , ..., 0 , 1 , 1 , 1 ) for i = 1 to 4 · 288 do t 1 ← s 66 + s 93 t 2 ← s 162 + s 177 t 3 ← s 243 + s 288 t 1 ← t 1 + s 91 · s 92 + s 171 t 2 ← t 2 + s 175 · s 176 + s 264 t 3 ← t 3 + s 286 · s 287 + s 69 ( s 1 , s 2 , ..., s 93 ) ← ( t 3 , s 1 , ..., s 92 ) ( s 94 , s 95 , ..., s 177 ) ← ( t 1 , s 94 , ..., s 176 ) ( s 178 , ..., s 288 ) ← ( t 2 , s 178 , ..., s 287 ) end for 6 / 41

Introduction Output generation of Trivium for i = 1 to ℓ do t 1 ← s 66 + s 93 t 2 ← s 162 + s 177 t 3 ← s 243 + s 288 z i ← t 1 + t 2 + t 3 t 1 ← t 1 + s 91 · s 92 + s 171 t 2 ← t 2 + s 175 · s 176 + s 264 t 3 ← t 3 + s 286 · s 287 + s 69 ( s 1 , s 2 , ..., s 93 ) ← ( t 3 , s 1 , ..., s 92 ) ( s 94 , s 95 , ..., s 177 ) ← ( t 1 , s 94 , ..., s 176 ) ( s 178 , ..., s 288 ) ← ( t 2 , s 178 , ..., s 287 ) end for 7 / 41

Introduction Initialization of Grain-128a g f NLFSR LFSR h f : Primitive feedback polynomial of the LFSR. g : Nonlinear feedback polynomial of the NLFSR of order 4. h ( x ) = x 0 x 1 + x 2 x 3 + x 4 x 5 + x 6 x 7 + x 0 x 4 x 8 . 8 / 41

Introduction State size: 256 bit. Key size: 128 bit. Loaded in NLFSR. IV size: 96 bit. Loaded in LFSR. Remaining 32 bits fixed to 1, except last bit, which is set to 0. Grain-128a is update of Grain-128, which has been cryptanalyzed with complexity lower than 2 128 operations. 9 / 41

Introduction Output mode of Grain-128a g f 24 5 6 NLFSR LFSR 7 2 7 h 10 / 41

Conditional Differentials Conditional differential characteristics introduced by Ben-Aroya and Biham (CRYPTO’93) for analysis of DES-like cryptosystems. In differential cryptanalysis: Input difference is suitably chosen and differences are traced over several rounds. Input difference is fixed but input values arbitrary. 11 / 41

Conditional differentials Goal of conditional differentials: Find both, sample inputs and suitable input difference so that difference in (truncated) output is biased. If bias detected, it is used for a distinguisher or for key recovery. 12 / 41

Conditional differentials Scenario: Chosen IV attack Keystream modelled as a Boolean function f : { 0 , 1 } κ × { 0 , 1 } n �→ { 0 , 1 } mapping key k and IV x to keystream bit b . Suppose: Bit b = f ( k , x ) is computed using a NLFSR which is initialized with k and x , and updated many times, before b is output from resulting state. After initialization, b is a huge polynomial in bits of k and x : Out of reach to express for analysis purposes. 13 / 41

Conditional differentials Can we still analyze f for distinguishing or key recovery purpose by evaluating it at many well chosen values x (and for unknown but fixed key k )? Difference propagation through NLFSR. At each round i , a single state bit t i is newly generated; other bits are merely shifted. Enough to consider propagation of differences to bits t i . Let ∆ x be a difference in the IV. Say that ∆ x propagates to t i if 14 / 41

Conditional differentials ∆ t i = t i ( k , x ) + t i ( k , x + ∆ x ) = 1 . Consider ∆ t i as a polynomial in the key and the IV variables. Value of ∆ t i determines whether difference ∆ x propagates to t i or not. Wish to predict ∆ b . Hundreds of iterations of NLFSR: Symbolic description of ∆ b as a function of key and IV out of reach. 15 / 41

Conditional differentials Impose conditions to influence difference propagation. Goal: Find a sample of IV’s for which difference ∆ b is biased. Observation: In first few iterations, explicit conditions can be set on some IV bits to control difference propagation. If right conditions are set: many terms in (hypothetical) polynomial describing output difference cancel out, and bias may be detected. 16 / 41

Conditional differentials Tradeoff between maximum number of conditions to be set and sample size of initial values to do the statistics. Approach quite effective against several NLFSR-based ciphers. Finding and controlling conditions delicate task. Conditional differentials in initialization of Grain v1: Practical distinguisher on 97 out of 160 initialization rounds. 17 / 41

High-order differentials Let V be a linear subspace of { 0 , 1 } n of dimension d . Boolean function f : { 0 , 1 } n �→ { 0 , 1 } . Derivative of order d of f with respect to V : � ∆ V f ( x ) = f ( x + v ) . v ∈ V 18 / 41

High-order differentials Methods based on high-order differentials: Maximum-degree test, Englund-Johansson-Turan, 2007. Key recovery with derived functions (FKM, 2008). Cube attack, Vielhaber, Dinur-Shamir 2008. Cube testers, 2009. Dynamic cube attack on Grain-128, Dinur-Shamir 2011. 19 / 41

High-order differentials Cube attack on f ( k , x ) , k secret, x public: For index set I ⊂ { 1 , .., n } define t I as monomial containing all public variables (cube variables), with index in I . For fixed I , there is unique polynomial p such that ANF of f ( k , x ) can be written as f ( k , x ) = t I p ( k , x ) + q ( k , x ) , where p does not contain any cube variable, and no monomial in q is divisble by t I . 20 / 41

High-order differentials Terminology: t I : maxterm. p : superpoly of I in f , f : masterpoly. Can compute superpolys by summing the master polynomial over all possible configurations of the cube variables. 21 / 41

High-order differentials Example (cube attack) f ( k 1 , k 2 , x 1 , x 2 , x 3 , x 4 ) = k 1 x 1 + k 2 x 1 x 2 x 3 + x 1 x 2 x 4 + x 3 . Superpoly of I = { 1 , 2 } in f computes as � f ( k 1 , k 2 , x 1 , x 2 , x 3 , x 4 ) = k 2 x 3 + x 4 , x 1 , x 2 which is the polynomial that multiplies t I = x 1 x 2 in f : f ( k 1 , k 2 , x 1 , x 2 , x 3 , x 4 ) = x 1 x 2 ( k 2 x 3 + x 4 ) + k 1 x 1 + x 3 . Translation of superpolys into derivatives straightforward: p ( k , x ) = ∆ V i f ( k , x ) , where V i = { x ∈ { 0 , 1 } n | x � i } , for 0 ≤ i ≤ 2 n − 1 . 22 / 41

High-order differentials In preprocessing phase: Search of ”good” cubes with linear or very sparse low-degree superpolys. In online phase, values of sums over each cube are computed, to give equations out of superpolys. These are solved subsequently for the key. Cube attacks applied mainly on reduced versions of Trivium intialization. Best cube attack on Trivium: 799 out of 1152 rounds. Verified in experiments (Fouque-Vannet, FSE 2013). Cube attacks have practical complexity where they work. Hard to get estimates on their limits. 23 / 41

High-order differentials In cube attacks on Trivium, key bits k 69 , ..., k 79 never occur in linear superpolys. Explanation: Look at first few initialization rounds. Consider k 69 as an example. Enters mixing process via t 1 at rounds 21, 22, and 23. After 24 rounds it appears in the state exclusively as s 94 = x 54 + k 42 + k 67 k 68 + k 69 , s 95 = x 55 + k 43 + k 68 k 69 + k 70 , s 96 = x 56 + k 44 + k 69 k 70 + k 71 . 24 / 41

High-order differentials Only way for k 69 to appear in a derived linear expression is that the quadratic term in s 94 cancels out during the initialization process. Cannot prove that this doesn’t happen, but it is very unlikely. Question: Can analysis of initial rounds serve for choice of ”good” cube indices? Question: Why are superpolys just sparse sums of copies of initial values of t 1 , t 3 ? 25 / 41

High-order differentials If superpoly does not depend on all key bits, divide-and-conquer for reduced key search is possible. Refined scenarios where influence of key is not zero but small enough. 26 / 41

High-order differentials Dynamic cube attack on Grain-128 Certain variables which are not part of maxterm t I are assigned a function of public and private variables instead of a constant value. Functions chosen so that symbolic expressions of certain variables simplifies. Cryptanalysis of Grain-128 with complexity about 2 90 and memory usage of 2 63 bit. 27 / 41

High-order differentials Cube testers ◮ give distinguishers rather than key-recovery ◮ don’t require low-degree functions ◮ need no precomputation ◮ black box analysis Detect structure (nonrandomness) in the superpoly, using algebraic property testers 28 / 41

High-order differentials A tester for property P on the function f : ◮ makes (adaptive) queries to f ◮ accepts when f satisfies P ◮ rejects with bounded probability otherwise 29 / 41