Algebraic Attacks on Stream Ciphers: Trial Lecture, Rune Steinsmo Ødegård (PowerPoint PPT Presentation)



SLIDE 1

Algebraic Attacks on Stream Ciphers

Trial Lecture
Rune Steinsmo Ødegård
Centre for Quantifiable Quality of Service in Communication Systems, Centre of Excellence, NTNU, Norway
NTNU, Trondheim, 2012-04-23

www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

SLIDE 2

Overview

  • Stream Ciphers
  • Attack Model
  • Principles of Algebraic Attacks
  • Finding Low Degree Equations
  • Solving the Equations
  • Summary
  • References

SLIDE 3

Vernam Cipher

Encryption: $c_t = p_t \oplus k_t$ for $t = 1, 2, 3, \ldots$
Decryption: $p_t = c_t \oplus k_t$ for $t = 1, 2, 3, \ldots$

  • Proven information-theoretically secure [Shannon, 1949], provided the key bits $k_t$ are uniformly random, as long as the message, and never reused.
  • Problem: generating and distributing that much key material.
  • Motivates the design of stream ciphers: replace the random key stream with a pseudorandom keystream $z_t$ expanded from a short key $K$.

SLIDE 4

ETCRRM by STK (photograph of the one-time-tape teleprinter cipher machine; image not reproduced)

SLIDE 5

Stream Cipher

[Figure: Alice and Bob each run the same keystream generator seeded with the shared key $K$, producing $z_t$. Alice sends $c_t = p_t \oplus z_t$; Bob recovers $p_t = c_t \oplus z_t$; Eve observes $c_t$ (and, with known plaintext, $z_t$).]

SLIDE 6

Advantages of Stream Ciphers

  • Encrypt strings of arbitrary length.
  • Mandatory when buffering is limited, or when characters must be processed as they are received.
  • Encrypt data streams at high speed in both software and hardware, e.g. phone calls and video streams.
  • Little to no error propagation: a flipped ciphertext bit flips only the corresponding plaintext bit. (The same property makes the ciphertext malleable, so a stream cipher needs a MAC for integrity.)

SLIDE 7

Examples

Name       Deployed in          Attack
E0         Bluetooth            [Hermelin and Nyberg, 2000]
RC4        WEP, WPA, SSL        [Klein, 2008]
A5/1       GSM                  [Barkan et al., 2003]
f8         3G                   "[Dunkelman et al., 2010]"
Crypto-1   Mifare RFID          [Soos et al., 2009]
Hitag2     Car keys             [Soos et al., 2009]

(The quotation marks on the f8 row are the lecturer's: the cited attack targets the underlying KASUMI block cipher in a related-key setting, not f8 as deployed in 3G.)

SLIDE 8

(Stream cipher diagram, repeated from slide 5, as the lead-in to the keystream generator.)

SLIDE 9

Linear Feedback Shift Registers

  • Well-suited for hardware implementations.
  • Can produce sequences of large period.
  • Can produce sequences with good statistical properties.
  • Easy to analyze using algebraic techniques, which is also exactly what the attacker exploits.

[Menezes et al., 1996]

SLIDE 10

Linear Feedback Shift Registers

$$L = \begin{pmatrix} 0 & 0 & \cdots & 0 & \lambda_0 \\ 1 & 0 & \cdots & 0 & \lambda_1 \\ 0 & 1 & \ddots & \vdots & \vdots \\ \vdots & & \ddots & 0 & \vdots \\ 0 & \cdots & 0 & 1 & \lambda_{n-1} \end{pmatrix}, \qquad S_t = S_0 \cdot L^t$$

The state $S_t = (s_t, \ldots, s_{t+n-1}) \in \mathbb{F}_q^n$ is a row vector; the last column holds the feedback coefficients, so one clock shifts the register and appends $s_{t+n} = \sum_{i=0}^{n-1} \lambda_i s_{t+i}$. Recovering the initial state (and the feedback polynomial, if it is unknown) from $2n$ consecutive output bits takes $O(n^2)$ time with the Berlekamp-Massey algorithm [Massey, 1969]. This is why an LFSR is never used as a keystream generator on its own.
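As an added example (not code from the lecture), the following Python implements a binary LFSR in the matrix convention above together with the Berlekamp-Massey algorithm, and shows the attacker rebuilding the whole generator from $2n$ output bits. The feedback polynomial $x^8 + x^4 + x^3 + x^2 + 1$ and the seed are constructed for the demo; any non-degenerate choice works.

```python
# Added example (not from the lecture): a binary LFSR in the slide's convention,
# s_{t+n} = sum_i lambda_i * s_{t+i}, and the Berlekamp-Massey algorithm
# [Massey, 1969], which recovers feedback taps and initial state from 2n
# consecutive output bits.  Taps (x^8 + x^4 + x^3 + x^2 + 1, primitive) and
# seed are constructed for this demo.

def lfsr_output(taps, state, nbits):
    """Clock an n-stage LFSR nbits times.  taps[i] = lambda_i and state holds
    s_0..s_{n-1} (s_0 is output first); each clock appends
    s_{t+n} = XOR_i lambda_i * s_{t+i}."""
    n = len(taps)
    seq = list(state)
    for t in range(nbits - n):
        seq.append(sum(taps[i] & seq[t + i] for i in range(n)) & 1)
    return seq[:nbits]


def berlekamp_massey(seq):
    """Shortest LFSR generating seq over GF(2).

    Returns (L, C) where C(x) = 1 + c_1 x + ... + c_L x^L is the connection
    polynomial, i.e. s_j = XOR_{i=1..L} c_i * s_{j-i} for all j >= L.
    O(len(seq)^2) bit operations."""
    n = len(seq)
    C = [1] + [0] * n          # current connection polynomial
    B = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, 1                # current length, shift since that change
    for j in range(n):
        d = seq[j]             # discrepancy between prediction and s_j
        for i in range(1, L + 1):
            d ^= C[i] & seq[j - i]
        if d == 0:
            m += 1
        elif 2 * L <= j:       # prediction failed and the LFSR must grow
            T = C[:]
            for i in range(n + 1 - m):
                C[i + m] ^= B[i]
            L, B, m = j + 1 - L, T, 1
        else:                  # fix the prediction without growing
            for i in range(n + 1 - m):
                C[i + m] ^= B[i]
            m += 1
    return L, C[:L + 1]


def recover_lfsr(keystream_prefix):
    """Attacker side: from 2n output bits of a bare LFSR rebuild the generator.

    Returns (n, taps, initial_state) in lfsr_output's convention.  lambda_k is
    c_{n-k}, because s_{t+n} = XOR_{i=1..n} c_i * s_{t+n-i}; the initial state
    is simply the first n output bits."""
    L, C = berlekamp_massey(keystream_prefix)
    taps = [C[L - k] for k in range(L)]
    return L, taps, list(keystream_prefix[:L])


# Constructed demo parameters (not from the lecture).
TAPS = [1, 0, 1, 1, 1, 0, 0, 0]     # s_{t+8} = s_t + s_{t+2} + s_{t+3} + s_{t+4}
SEED = [1, 0, 0, 1, 1, 0, 1, 0]


def demo(nbits=64):
    """Generate nbits of keystream, give the attacker only the first 2n = 16
    bits, and check that the recovered generator reproduces all of it."""
    ks = lfsr_output(TAPS, SEED, nbits)
    n, taps, state = recover_lfsr(ks[:2 * len(TAPS)])
    return n, taps, state, lfsr_output(taps, state, nbits) == ks
```

demo() returns the recovered length, taps and state plus a flag saying whether the rebuilt generator reproduces the remaining keystream; with 16 of 64 bits it does, which is the $2n$ data requirement of the slide.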

SLIDE 11

Introducing Non-Linearity

Three popular approaches:

  1. Make the clocking irregular.
  2. Apply a non-linear function to the output of several LFSRs.
  3. Include a second finite state machine with a non-linear update function.

SLIDE 12

Simple Combiner

[Figure: LFSR$_1$, …, LFSR$_s$ feed a projection $P$; the selected bits $K_t$ go through the Boolean function $f$, whose output is $z_t$.]

$$L = \begin{pmatrix} L_1 & & \\ & \ddots & \\ & & L_s \end{pmatrix}, \qquad S_t = S_0 \cdot L^t, \qquad K_t = S_0 \cdot L^t \cdot P, \qquad f(K_t) = z_t$$

The combined state of all registers still evolves linearly, so every input bit of $f$ at every clock is a known linear function of the unknown initial state $S_0$; the only non-linear step is $f$.

SLIDE 13

(m, ℓ)-Combiner

  • State $S = (M, K) \in \mathbb{F}_q^m \times \mathbb{F}_q^n$: $m$ memory bits plus the $n$-bit LFSR state; initial state $S_0 = (M_0, K)$.
  • Linear part $L \in M_{n \times n}(\mathbb{F}_q)$ and projection $P \in M_{n \times \ell}(\mathbb{F}_q)$, so the $\ell$ bits entering the combiner at clock $t$ are $K_t = K \cdot L^t \cdot P$.
  • Memory update $\Psi : \mathbb{F}_q^m \times \mathbb{F}_q^\ell \to \mathbb{F}_q^m$, $M_{t+1} = \Psi(M_t, K_t)$.
  • Output $f : \mathbb{F}_q^m \times \mathbb{F}_q^\ell \to \mathbb{F}_q^o$, $z_t = f(M_t, K_t)$.

Bluetooth's E0 is a $(4, 4)$-combiner: four LFSRs feed four bits per clock into a finite state machine with four bits of memory.

SLIDE 14

Attack Model (section overview)

SLIDE 15

Attack Model

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge [Kerckhoffs, 1883].

  • The attacker knows both the structure of the combiner and parts of the keystream (a known-plaintext setting: $z_t = c_t \oplus p_t$).
  • The attacker's goal is to find the initial state $S_0 = (M_0, K)$.
  • Usually $|M| \ll |K|$, so the LFSR part dominates.
  • Efficiency of an attack is measured in
    – the minimum number of keystream outputs (data),
    – the number of basic operations (time),
    – the amount of memory required.

SLIDE 16

Principles of Algebraic Attacks (section overview)

SLIDE 17

Algebraic Attack

$$\Rightarrow \begin{cases} F_1(K, z, \ldots) = 0 \\ \qquad \vdots \\ F_N(K, z, \ldots) = 0 \end{cases}$$

Write the cipher as a system of polynomial equations in the unknown key bits and the known keystream bits, then solve it. Breaking a good cipher should require as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type [Shannon, 1949].

SLIDE 18

One Equation is Enough

Assume we have found an equation that holds for all $t$:
$$F(K_t, \ldots, K_{t+r-1}, z_t, \ldots, z_{t+r-1}) = 0.$$
Then each new keystream bit gives a new equation:
$$F(K_0, \ldots, K_{r-1}, z_0, \ldots, z_{r-1}) = 0, \quad F(K_1, \ldots, K_r, z_1, \ldots, z_r) = 0, \quad F(K_2, \ldots, K_{r+1}, z_2, \ldots, z_{r+1}) = 0, \ \ldots$$
Because every $K_t$ is a linear function of the initial state $S_0$, all of these are polynomials of the same degree in the same unknowns. If the number of linearly independent equations reaches the number of monomials, we can use linearization.

SLIDE 19

Linearization

$$\begin{cases} xy = 0 \\ x + xy = 1 \\ y + xy = 0 \end{cases} \quad\Rightarrow\quad \begin{cases} v_3 = 0 \\ v_1 + v_3 = 1 \\ v_2 + v_3 = 0 \end{cases} \qquad (v_1 = x,\ v_2 = y,\ v_3 = xy)$$

Each monomial is treated as an independent linear variable; Gaussian elimination gives $v_3 = 0$, $v_1 = 1$, $v_2 = 0$, i.e. $x = 1$, $y = 0$.

  • System of equations of degree $d$ in $n = |K|$ unknowns.
  • Number of monomials $\le \sum_{i=0}^{d} \binom{n}{i} \in O(n^d)$, so about that many independent equations (and keystream bits) are needed.
  • Work effort of linearization is $O(n^{\omega d})$ operations¹ and $O(n^{2d})$ space.

¹ Here $2 \le \omega \le 3$ is the exponent of Gaussian elimination ($3$ for the schoolbook method, lower with fast matrix multiplication).

SLIDE 20

Finding Low Degree Equations (section overview)

SLIDE 21

Simple Combiner

$f(K_t) = z_t$, where $K_t = S_0 \cdot L^t \cdot P$ are the bits selected from the LFSRs (figure as on slide 12). Since $f$ is the only non-linear step, low degree equations come from studying $f$ alone.

SLIDE 22

Annihilators

$$\mathrm{AN}(f) = \{\, g(X) \in \mathbb{F}_q[X] \mid g(X) \cdot f(X) = 0 \ \ \forall X \in \mathbb{F}_q^n \,\}$$

  • Find a low degree $g \in \mathrm{AN}(f)$, and/or $h \in \mathrm{AN}(f + 1)$.
  • Then
    $z_t = f(K_t) = 1 \Rightarrow g(K_t) = g(K_t) \cdot f(K_t) = 0$,
    $z_t = f(K_t) = 0 \Rightarrow h(K_t) = h(K_t) \cdot (1 + f(K_t)) = 0$,
    so every keystream bit yields an equation of degree $\deg g$ or $\deg h$ instead of $\deg f$.
  • A similar strategy is to find low degree $g, h$ with $f \cdot g = h$: then $z_t = 1$ gives $g(K_t) + h(K_t) = 0$ and $z_t = 0$ gives $h(K_t) = 0$.
  • These strategies have been used by, for instance, [Courtois and Meier, 2003], who also show that for an $\ell$-variable $f$ an annihilator of $f$ or of $f + 1$ of degree at most $\lceil \ell/2 \rceil$ always exists (the smallest such degree is now called the algebraic immunity of $f$).
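The following is an added example, not code from the lecture: a complete algebraic attack on a toy instance of the simple combiner of slide 21, covering slides 18, 19 and 22 together. It finds bases of the lowest-degree annihilators of $f$ and $f + 1$ by the usual linear-algebra search over the truth table (a polynomial annihilates $f$ iff it vanishes on the support of $f$), derives one degree-2 equation per keystream bit and annihilator, and solves by linearization. The LFSR polynomial $x^{10} + x^3 + 1$, the taps $P = (0, 2, 5, 9)$, the degree-3 filter $f(a, b, c, d) = abc + d$ and the seed are all constructed for the demo.

```python
# Added example (not from the lecture): an algebraic attack on a toy instance
# of the simple combiner of slide 21.  Annihilators (slide 22) turn each
# keystream bit into degree-2 equations in the unknown initial state, and
# linearization (slides 18-19) solves them.  All parameters are constructed
# for the demo: 10-bit LFSR with primitive polynomial x^10 + x^3 + 1, taps
# P = (0, 2, 5, 9), degree-3 filter f = abc + d whose annihilators have degree 2.
from functools import reduce
from itertools import combinations, product
from operator import xor

N = 10
TAPS = [1, 0, 0, 1, 0, 0, 0, 0, 0, 0]    # s_{t+10} = s_t + s_{t+3}
P = (0, 2, 5, 9)                         # K_t = (s_t, s_{t+2}, s_{t+5}, s_{t+9})

def f_filter(a, b, c, d):
    return (a & b & c) ^ d

def lfsr_forms(nsteps):
    """s_i as a bitmask over the unknown initial bits x_0..x_9 (bit u <=> x_u):
    linear feedback means the forms obey the same recurrence as the bits."""
    forms = [1 << i for i in range(N)]
    for t in range(nsteps):
        forms.append(reduce(xor, (forms[t + i] for i in range(N) if TAPS[i])))
    return forms

def keystream(state, nbits):
    """The real generator: evaluate the forms on an N-bit state (bit u = x_u)."""
    s = [bin(m & state).count("1") & 1 for m in lfsr_forms(nbits + max(P))]
    return [f_filter(*(s[t + p] for p in P)) for t in range(nbits)]

def monomials(nvars, maxdeg):
    return [frozenset(c) for d in range(maxdeg + 1)
            for c in combinations(range(nvars), d)]

def rref(rows, ncols):
    """GF(2) reduced row echelon form of bitmask rows (column j = bit j)."""
    rows, pivots = [r for r in rows if r], []
    for c in range(ncols):
        piv = next((r for r in rows if r >> c & 1), None)
        if piv is None:
            continue
        rows = [r ^ piv if r >> c & 1 else r for r in rows if r != piv]
        pivots = [(pc, pr ^ piv if pr >> c & 1 else pr) for pc, pr in pivots]
        pivots.append((c, piv))
    return pivots                                # [(pivot column, reduced row)]

def nullspace(rows, ncols):
    """Basis of {v : row . v = 0 for every row}, one vector per free column."""
    pivots = rref(rows, ncols)
    pivot_cols = {c for c, _ in pivots}
    basis = []
    for free in (c for c in range(ncols) if c not in pivot_cols):
        v = 1 << free
        for c, r in pivots:
            if r >> free & 1:
                v |= 1 << c
        basis.append(v)
    return basis

def annihilators(func, nvars, maxdeg):
    """Basis of the lowest-degree annihilators of func (polynomials as sets of
    monomials): g * func == 0 <=> g vanishes on supp(func), a linear system."""
    support = [x for x in product((0, 1), repeat=nvars) if func(*x)]
    for d in range(maxdeg + 1):
        monos = monomials(nvars, d)
        rows = [sum(1 << j for j, m in enumerate(monos) if all(x[i] for i in m))
                for x in support]
        basis = nullspace(rows, len(monos))
        if basis:
            return [{m for j, m in enumerate(monos) if v >> j & 1} for v in basis]
    return []

def is_annihilator(g, func, nvars):
    """Independent check of the defining property g(x) * func(x) == 0 for all x."""
    return all(not func(*x) or sum(all(x[i] for i in m) for m in g) % 2 == 0
               for x in product((0, 1), repeat=nvars))

def poly_mul(p, q):
    """GF(2) product of polynomials held as sets of monomials; x_u^2 = x_u."""
    return reduce(xor, ({a | b} for a in p for b in q), set())

def linearize_attack(ks, G, H):
    """One equation g(K_t) = 0 per keystream bit and per g in G (z_t = 1) or in
    H (z_t = 0); each monomial in x_0..x_9 becomes one column (column 0 = 1)."""
    forms = lfsr_forms(len(ks) + max(P))
    monos = monomials(N, 2)                      # 1 + 10 + 45 = 56 columns
    col = {m: j for j, m in enumerate(monos)}
    rows = []
    for t, z in enumerate(ks):
        for ann in (G if z else H):
            poly = set()
            for mono in ann:                     # substitute the linear forms of K_t
                term = {frozenset()}
                for i in mono:
                    term = poly_mul(term, {frozenset([u]) for u in range(N)
                                           if forms[t + P[i]] >> u & 1})
                poly ^= term
            rows.append(sum(1 << col[m] for m in poly))
    sols = nullspace(rows, len(monos))
    if len(sols) != 1 or not sols[0] & 1:        # state not uniquely determined
        return None
    return sum(1 << u for u in range(N) if sols[0] >> col[frozenset([u])] & 1)

def demo(seed=0b1011001101, nbits=1023):
    G = annihilators(f_filter, 4, 2)                          # g * f == 0
    H = annihilators(lambda *x: 1 ^ f_filter(*x), 4, 2)       # h * (f + 1) == 0
    return G, H, linearize_attack(keystream(seed, nbits), G, H)
```

demo() returns the two annihilator bases (three degree-2 polynomials each, although $f$ itself has degree 3) and the recovered 10-bit initial state. The register is so small that a full period of keystream is used; for a real cipher the data requirement is the number of monomials, here $1 + 10 + 45 = 56$, which is the point of slide 19. linearize_attack returns None if the linearized system does not determine the state, the check a practitioner needs before trusting the read-out.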

SLIDE 23

(m, ℓ)-Combiner

$$f : \mathbb{F}_q^m \times \mathbb{F}_q^\ell \to \mathbb{F}_q^o, \qquad (M_t, K_t) \mapsto z_t$$

Now the output depends on the unknown memory $M_t$ as well as on the linear inputs $K_t$, so an annihilator of $f$ alone would still leave memory bits as unknowns that change every clock.

SLIDE 24

Dealing with the Memory

$f(M_t, K_t) = z_t$

[Figure: a window of $r$ consecutive keystream bits $z_t, z_{t+1}, \ldots, z_{t+r-1}$ sliding along the stream $\ldots z_{t-1}\ z_t \ldots z_{t+r-1}\ z_{t+r}\ z_{t+r+1} \ldots$]

  • Consider $r = m + 1$ consecutive output bits.
  • Then one can always find non-trivial equations relating the inputs $K_t, \ldots, K_{t+r-1}$ and the keystream bits $z_t, \ldots, z_{t+r-1}$ that are independent of the memory [Armknecht and Krause, 2003, Ars and Faugère, 2005]. The reason is a counting argument: the memory can take only $q^m$ values while $m + 1$ output bits can take $q^{m+1}$, so for fixed inputs not every output window is reachable and some polynomial relation must vanish on all reachable ones.
  • Used to attack the Bluetooth stream cipher E0 (where $m = 4$).

SLIDE 25

Fast Algebraic Attacks

$$0 = F(K_t, z_t, \ldots, z_{t+r}) = F(K_t, Z_t) = \hat F(K_t) + G(K_t, Z_t),$$
where $\hat F$ of degree $d$ collects the monomials that do not involve keystream bits and $G$ has degree $e < d$.

  • Find $c_0, \ldots, c_{T-1} \in \{0, 1\}$ such that
    $$\sum_{i=0}^{T-1} c_i \hat F(K_{t+i}) = 0 \quad \text{for all } t.$$
    Such $c_i$ exist with $T \le \sum_{j \le d} \binom{n}{j}$: $\hat F(K_t)$ is a degree-$d$ function of a linearly evolving state, so the sequence satisfies a linear recurrence. The $c_i$ depend only on $L$, $P$ and $\hat F$, not on the key, and are precomputed once.
  • Then
    $$\sum_{i=0}^{T-1} c_i\, G(K_{t+i}, Z_{t+i}) = 0,$$
    an equation of degree only $e$ in the key bits, at the price of involving $T$ consecutive keystream bits.
  • Used to improve the attacks on Toyocrypt and E0 [Courtois, 2003, Armknecht, 2004, Hawkes and Rose, 2004].
  • It is also possible to find linear combinations that decrease the number of variables [Armknecht and Ars, 2005].

SLIDE 26

Fast Algebraic Attacks

Expected solving effort for a good stream cipher with a 128-bit key: $2^{128}$.

Cipher      Pre-computation   Substitution   Solving   Keystream
E0          2^32              2^47           2^49      2^23
LILI-128    2^26              2^39           2^39      2^21
Toyocrypt   2^23              2^30           2^20      2^18

[Hawkes and Rose, 2004]. The keystream column is the number of consecutive output bits required.

SLIDE 27

Solving the Equations (section overview)

SLIDE 28

Linearization

Advantages
  • Effort polynomial in the key size (for fixed degree $d$).
  • Easy to analyze.

Disadvantages
  • Need to store large (sparse) matrices.
  • Need to know many keystream bits: roughly as many as there are monomials.

Example: the attack on E0 requires $2^{23.07}$ keystream bits to find the 128-bit key [Armknecht and Krause, 2003].

SLIDE 29

Extended Linearization

XL
  • Introduced in [Courtois et al., 2000].
  • Used to break Toyocrypt and LILI-128 [Courtois and Meier, 2003].
  • Proven inferior to Gröbner bases: XL is a redundant variant of the F4 algorithm [Ars et al., 2004].

XSL
  • Introduced in [Courtois and Pieprzyk, 2002] for block ciphers.
  • The claimed effort is doubted [Cid and Leurent, 2005].

SLIDE 30

Gröbner Bases

  • Informally: Gaussian elimination for non-linear polynomial systems.
  • Transform the equations into a well-behaved basis of the same ideal such that you can solve for one variable at a time (with the lexicographic order the basis is triangular).
  • Over $\mathbb{F}_2$, with the field equations $x_i^2 + x_i = 0$ included, a system with a unique solution $(a_1, \ldots, a_n)$ has the reduced Gröbner basis $\{x_1 + a_1, \ldots, x_n + a_n\}$: the computation directly gives the solution.
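Worked example, added here and not part of the lecture: the small system of slide 19 solved by Gröbner basis reduction instead of linearization. Work in $\mathbb{F}_2[x, y]$ with lexicographic order $x > y$ and include the field equations:

$$I = \langle\, xy,\ \ x + xy + 1,\ \ y + xy,\ \ x^2 + x,\ \ y^2 + y \,\rangle .$$

Two reductions suffice:
$$(x + xy + 1) + xy = x + 1 \in I, \qquad xy = y\,(x + 1) + y \ \Rightarrow\ y = xy + y\,(x + 1) \in I .$$
Conversely every generator reduces to $0$ modulo $\{x + 1,\ y\}$: $xy \to 0$, $x + xy + 1 \to (x + 1) + 0 \to 0$, $y + xy \to 0$, $x^2 + x = x\,(x + 1) \to 0$, $y^2 + y = y\,(y + 1) \to 0$. The leading terms $x$ and $y$ are coprime, so by Buchberger's criterion the set is a Gröbner basis, and it is reduced:
$$G = \{\, x + 1,\ y \,\}.$$
This is the solution $x = 1$, $y = 0$ read off directly, the same as linearization gave on slide 19, and an instance of the statement above that over $\mathbb{F}_2$ the basis computation is the solution.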

SLIDE 31

Gröbner Bases

Advantages
  • Has proven to be one of the fastest methods for solving non-linear systems of equations [Faugère, 2002].
  • Solving time decreases with each new equation.
  • A lot of work has been done on the complexity of computing Gröbner bases [Bardet, 2004, Bardet et al., 2004, Bardet et al., 2002, Bardet et al., 2005], also for stream ciphers [Ars and Faugère, 2005, Armknecht and Ars, 2009].

Disadvantages
  • Needs a lot of memory.
  • Hard to predict the running time as soon as there is some kind of structure in the equation system (the complexity results assume semi-regular, i.e. structure-free, systems).

SLIDE 32

SAT solver

$$(x \lor \neg y \lor \neg z) \land (\neg x \lor \neg y \lor \neg z) \land (x \lor y \lor z) \land (\neg x \lor y \lor \neg z)$$

  • Solves a system of clauses in Conjunctive Normal Form, or returns UNSAT if the system is not satisfiable. The algebraic equations (ANF: XORs of monomials) must first be converted to CNF.
  • Used to solve Bivium much faster than Gröbner bases [Eibach et al., 2008].
  • Also the fastest for Crypto-1 and HiTag2 [Soos et al., 2009], whose solver (CryptoMiniSat) handles XOR constraints natively instead of expanding them into clauses.

SLIDE 33

SAT solver

Advantages
  • Proven to be even faster than Gröbner bases for some instances.
  • Active research field (SAT-race).
  • Efficient and flexible dedicated software.
  • Requires little memory.

Disadvantages
  • Hard to predict the running time.
  • Hard to convert from ANF to CNF when the system is dense: a direct encoding of an XOR of $k$ literals needs $2^{k-1}$ clauses, so long XORs must be cut with auxiliary variables.
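Added example, not code from the lecture: the ANF-to-CNF conversion that the two SAT slides refer to, with the two XOR encodings a practitioner chooses between and a brute-force check that both are equivalent to the original equations. The input format for ANF systems and the sample systems (the slide 19 equations and one denser constructed system) are my own.

```python
# Added example (not from the lecture): converting ANF equations, the form an
# algebraic attack produces, into CNF for a SAT solver.  A monomial of degree
# >= 2 gets an auxiliary variable tied to it by AND clauses; the XOR of the
# resulting literals is encoded either directly (2^(k-1) clauses for k
# literals, the blow-up that makes dense systems hard to convert) or as a
# Tseitin chain of fresh variables (4(k-1) + 1 clauses).  Both encodings are
# checked against the ANF by brute force on small constructed systems.
# Variables are 1-based DIMACS integers (negative = negated); the ANF input
# format is my own: a list of (monomials, rhs) with constants moved into rhs.

def xor_direct(lits, rhs):
    """XOR(lits) = rhs with no new variables: one clause forbidding each of the
    2^(k-1) assignments of the wrong parity."""
    return [[-l if a >> i & 1 else l for i, l in enumerate(lits)]
            for a in range(1 << len(lits)) if bin(a).count("1") & 1 != rhs]

def xor_chained(lits, rhs, new_var):
    """XOR(lits) = rhs as a chain t <- t xor l, four clauses per fresh t."""
    if not lits:
        return [] if rhs == 0 else [[]]          # 0 = 1 is the empty clause
    t, clauses = lits[0], []
    for l in lits[1:]:
        u = new_var()
        clauses += [[-u, t, l], [-u, -t, -l], [u, -t, l], [u, t, -l]]
        t = u
    clauses.append([t] if rhs else [-t])
    return clauses

def anf_to_cnf(equations, nvars, chain=True):
    """Return (clauses, total variable count).  A monomial is a tuple of
    variable indices; the XOR of an equation's monomials must equal rhs."""
    clauses, mono_var, counter = [], {}, [nvars]

    def new_var():
        counter[0] += 1
        return counter[0]

    for monos, rhs in equations:
        lits = []
        for m in monos:
            m = tuple(sorted(m))
            if len(m) == 1:
                lits.append(m[0])
                continue
            if m not in mono_var:                 # v <-> AND of the variables
                v = mono_var[m] = new_var()
                clauses += [[-v, x] for x in m] + [[v] + [-x for x in m]]
            lits.append(mono_var[m])
        clauses += xor_chained(lits, rhs, new_var) if chain else xor_direct(lits, rhs)
    return clauses, counter[0]

def anf_solutions(equations, nvars):
    """Brute-force solutions of the ANF system, as bitmasks with bit v-1 = x_v."""
    return {a for a in range(1 << nvars)
            if all(sum(all(a >> (v - 1) & 1 for v in m) for m in monos) & 1 == rhs
                   for monos, rhs in equations)}

def cnf_solutions(clauses, total_vars, nvars):
    """Brute-force models of the CNF, projected onto the first nvars variables."""
    return {a & ((1 << nvars) - 1) for a in range(1 << total_vars)
            if all(any((a >> (abs(l) - 1) & 1) == (l > 0) for l in c) for c in clauses)}

# The linearization example of slide 19 (x = 1, y = 2): xy = 0, x + xy = 1, y + xy = 0.
SLIDE19 = [([(1, 2)], 0), ([(1,), (1, 2)], 1), ([(2,), (1, 2)], 0)]
# A constructed denser system in which two equations share the monomial x1*x2.
DENSE = [([(1, 2), (3,), (4,)], 1), ([(1,), (2, 3), (1, 2)], 0)]

def check(equations, nvars, chain):
    """(CNF models agree with the ANF solutions, clause count, variable count)."""
    clauses, total = anf_to_cnf(equations, nvars, chain)
    return (cnf_solutions(clauses, total, nvars) == anf_solutions(equations, nvars),
            len(clauses), total)
```

check(SLIDE19, 2, True) and check(SLIDE19, 2, False) both agree with the ANF and both find the single solution $x = 1, y = 0$; the difference shows up in size: xor_direct on an 8-literal XOR already produces 128 clauses, while the chained encoding needs 29 clauses and 7 extra variables. That trade-off, exponential clauses versus more variables, is the conversion problem the slide mentions, and it is why CryptoMiniSat adds XOR clauses as a native constraint type.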

SLIDE 34

Summary (section overview)

SLIDE 35

Summary

  • Stream ciphers are widely deployed because of their high speed in software and hardware.
  • Algebraic attacks on stream ciphers with linear feedback cost only polynomial time in the key size (for equations of fixed degree).
  • Simple combiners can be attacked by finding low degree annihilators.
  • Combiners with memory can be attacked by considering multiple consecutive keystream outputs.
  • Many solvers to choose from once the equations are found: linearization, XL, Gröbner bases, SAT solvers.

SLIDE 36

References (section overview)

SLIDE 37

References

[Armknecht, 2004] Armknecht, F. (2004). Improving fast algebraic attacks. In Fast Software Encryption (FSE 2004), pages 65–82.

[Armknecht and Ars, 2005] Armknecht, F. and Ars, G. (2005). Introducing a new variant of fast algebraic attacks and minimizing their successive data complexity. In Dawson, E. and Vaudenay, S., editors, Progress in Cryptology - Mycrypt 2005, volume 3715 of Lecture Notes in Computer Science, pages 16–32. Springer.

[Armknecht and Ars, 2009] Armknecht, F. and Ars, G. (2009). Algebraic attacks on stream ciphers with Gröbner bases. In Gröbner Bases, Coding, and Cryptography, pages 329–348. Springer.

[Armknecht and Krause, 2003] Armknecht, F. and Krause, M. (2003). Algebraic attacks on combiners with memory. In Boneh, D., editor, Advances in Cryptology - CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 162–175. Springer.

[Ars and Faugère, 2005] Ars, G. and Faugère, J.-C. (2005). Algebraic immunities of functions over finite fields. In Boolean Functions: Cryptography and Applications - BFCA 05, pages 21–38.

[Ars et al., 2004] Ars, G., Faugère, J.-C., Imai, H., Kawazoe, M., and Sugita, M. (2004). Comparison between XL and Gröbner basis algorithms. In Lee, P., editor, Advances in Cryptology - ASIACRYPT 2004, volume 3329 of Lecture Notes in Computer Science, pages 157–167. Springer.

[Bardet, 2004] Bardet, M. (2004). Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie [Study of overdetermined algebraic systems. Applications to error-correcting codes and cryptography]. PhD thesis, Université de Paris VI.

[Bardet et al., 2002] Bardet, M., Faugère, J.-C., and Salvy, B. (2002). Complexity study of Gröbner basis computation. Technical report, INRIA. http://www.inria.fr/rrrt/rr-5049.html

[Bardet et al., 2004] Bardet, M., Faugère, J.-C., and Salvy, B. (2004). On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In Proc. International Conference on Polynomial System Solving (ICPSS), pages 71–75.

[Bardet et al., 2005] Bardet, M., Faugère, J.-C., Salvy, B., and Yang, B.-Y. (2005). Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In Proc. of MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry.

[Barkan et al., 2003] Barkan, E., Biham, E., and Keller, N. (2003). Instant ciphertext-only cryptanalysis of GSM encrypted communication. Pages 600–616. Springer-Verlag.

[Cid and Leurent, 2005] Cid, C. and Leurent, G. (2005). An analysis of the XSL algorithm. In Roy, B., editor, Advances in Cryptology - ASIACRYPT 2005, volume 3788 of Lecture Notes in Computer Science, pages 333–352. Springer.

[Courtois, 2003] Courtois, N. (2003). Fast algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology - CRYPTO 2003, pages 176–194.

[Courtois et al., 2000] Courtois, N., Klimov, A., Patarin, J., and Shamir, A. (2000). Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In Preneel, B., editor, Advances in Cryptology - EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 392–407. Springer.

[Courtois and Pieprzyk, 2002] Courtois, N. and Pieprzyk, J. (2002). Cryptanalysis of block ciphers with overdefined systems of equations. In Zheng, Y., editor, Advances in Cryptology - ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science, pages 267–287. Springer.

[Courtois and Meier, 2003] Courtois, N. T. and Meier, W. (2003). Algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology - EUROCRYPT 2003, pages 345–359. Springer-Verlag.

[Dunkelman et al., 2010] Dunkelman, O., Keller, N., and Shamir, A. (2010). A practical-time attack on the A5/3 cryptosystem used in third generation GSM telephony. Cryptology ePrint Archive, Report 2010/013. http://eprint.iacr.org/

[Eibach et al., 2008] Eibach, T., Pilz, E., and Völkel, G. (2008). Attacking Bivium using SAT solvers. In Kleine Büning, H. and Zhao, X., editors, Theory and Applications of Satisfiability Testing - SAT 2008, volume 4996 of Lecture Notes in Computer Science, pages 63–76. Springer.

[Faugère, 2002] Faugère, J.-C. (2002). A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation (ISSAC), New York. ACM.

[Hawkes and Rose, 2004] Hawkes, P. and Rose, G. G. (2004). Rewriting variables: The complexity of fast algebraic attacks on stream ciphers. In Advances in Cryptology - CRYPTO 2004, pages 390–406.

[Hermelin and Nyberg, 2000] Hermelin, M. and Nyberg, K. (2000). Correlation properties of the Bluetooth combiner generator. In Proceedings of the Second International Conference on Information Security and Cryptology, ICISC '99, pages 17–29, London, UK. Springer-Verlag.

[Kerckhoffs, 1883] Kerckhoffs, A. (1883). La cryptographie militaire [Military cryptography]. Journal des Sciences Militaires.

[Klein, 2008] Klein, A. (2008). Attacks on the RC4 stream cipher. Designs, Codes and Cryptography, 48(3):269–286.

[Massey, 1969] Massey, J. (1969). Shift-register synthesis and BCH decoding. IEEE Transactions on Information Theory, 15(1):122–127.

[Menezes et al., 1996] Menezes, A. J., van Oorschot, P. C., and Vanstone, S. A. (1996). Handbook of Applied Cryptography. CRC Press, Boca Raton, FL, USA, 1st edition.

[Shannon, 1949] Shannon, C. E. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715.

[Soos et al., 2009] Soos, M., Nohl, K., and Castelluccia, C. (2009). Extending SAT solvers to cryptographic problems. In Proceedings of the 12th International Conference on Theory and Applications of Satisfiability Testing, SAT '09, pages 244–257, Berlin, Heidelberg. Springer-Verlag.