DOCSLIB.ORG

Improved Correlation Attacks on SOSEMANUK and SOBER-128

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of Technology Department of Information and Computer Science, Espoo, Finland 24th March 2009 1 / 35 SOSEMANUK Attack Approximations SOBER-128 Outline SOSEMANUK Attack Method Searching Linear Approximations SOBER-128 2 / 35 SOSEMANUK Attack Approximations SOBER-128 SOSEMANUK (from Wiki) • A software-oriented stream cipher designed by Come Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cedric` Lauradoux, Marine Minier, Thomas Pornin and Herve` Sibert. • One of the final four Profile 1 (software) ciphers selected for the eSTREAM Portfolio, along with HC-128, Rabbit, and Salsa20/12. • Influenced by the stream cipher SNOW and the block cipher Serpent. • The cipher key length can vary between 128 and 256 bits, but the guaranteed security is only 128 bits. • The name means ”snow snake” in the Cree Indian language because it depends both on SNOW and Serpent. 3 / 35 SOSEMANUK Attack Approximations SOBER-128 Overview 4 / 35 SOSEMANUK Attack Approximations SOBER-128 Structure 1. The states of LFSR : s0,..., s9 (320 bits) −1 st+10 = st+9 ⊕ α st+3 ⊕ αst, t ≥ 1 where α is a root of the primitive polynomial. 2. The Finite State Machine (FSM) : R1 and R2 R1t+1 = R2t ¢ (rtst+9 ⊕ st+2) R2t+1 = Trans(R1t) ft = (st+9 ¢ R1t) ⊕ R2t where rt denotes the least significant bit of R1t. F 3. The trans function Trans on 232 : 32 Trans(R1t) = (R1t × 0x54655307 mod 2 )≪7 4. The output of the FSM : (zt+3, zt+2, zt+1, zt)= Serpent1(ft+3, ft+2, ft+1, ft)⊕(st+3, st+2, st+1, st) 5 / 35 SOSEMANUK Attack Approximations SOBER-128 Previous Attacks • Authors state that ”No linear relation holds after applying Serpent1 and there are too many unknown bits...”. • In Asiacrypt’08, the best linear approximation with the correlation of 2−21.41 was derived as FSM : Γ · ft ⊕ Γ · ft+1 ⊕ Γ · st+10 ⊕ Γ · st+2 = 0 Serpent1 : Γ · ft ⊕ Γ · ft+1 ⊕ Γ · (st ⊕ zt) ⊕ Γ · (st+3 ⊕ zt+3)= 0 • Using this approximation, a correlation attack was applied, which is the similar attack applied to Grain stream cipher. • The complexity of attack was estimated around 2140.5 data, 2148 computing time and 2147 memory. 6 / 35 SOSEMANUK Attack Approximations SOBER-128 Motivation of Our Work • We may obtain better approximations if we use different masks for FSM and Serpent1. • We may reduce the data complexity of the attack by using multiple linear approximations with equal correlations. 7 / 35 SOSEMANUK Attack Approximations SOBER-128 LFSR and Linear Approximations 1. The linear recurrence of SOSEMANUK is expressed as 0 s0 0 1 0 ··· 0 s0 s0 0 0 1 ··· 0 s 1 = 1 ··· 0 0 0 ··· 1 ··· 0 s9 b0 b1 b2 ··· b9 s9 −1 Since st+10 = st+9 ⊕ α st+3 ⊕ αst, we get −1 32 (b0 b1 ··· b9) = (α 0 0 α 0 ··· 1) where si, bi, α ∈ GF(2 ). t 2. We can simply denote St+1 = ASt. Then, St = A S0. 3. A linear approximation U · St ⊕ W · Zt = 0 is expressed as t U · A S0 ⊕ W · Zt = 0, t > 0. Note that U = (u0 u1 ··· u9) and U · St = u0 · st ⊕···⊕ u9 · st+9 32 where ui ∈ GF(2 ). Similar for W · Zt. 8 / 35 SOSEMANUK Attack Approximations SOBER-128 Naive Attack 1. Assume U · St ⊕ W · Zt = 0 has the correlation of csose. 2. Observe N keystreams. Then, we obtain U · AS0 W · Z1 0 2 U · A S0 W · Z2 0 . ⊕ . = . . . . N U · A S0 W · ZN 0 T where S0 = (s0 s1 ··· s9) . 3. Guess S0. For each candidate, compute D which is defined as 1 D = (#{U · AtS ⊕ W · Z = 0}− #{U · AtS ⊕ W · Z = 1}) N 0 t 0 t If guessed S0 is correct, D is close to csose. Otherwise, D is close to zero. 9 / 35 SOSEMANUK Attack Approximations SOBER-128 Fast Walsh Transform and Complexity t 1. Assume S0 = (x1 x2 ··· xl) and U · A = (a1t a2t ··· alt) where xi, ai ∈ {0, 1}. Then, a11 a12 ··· a1l x1 W · Z1 0 a21 a22 ··· a2l x2 W · Z2 0 . . ⊕ . = . . . . . aN1 aN2 ··· aNl xl W · ZN 0 l 2. Since there are 2 candidates for S0, the complexity is around N × 2l. 3. If Fast Walsh Transform is used, the complexity is reduced to around N + 2l log 2l = N + l × 2l. 4. This is worse than state exhaustive search. 10 / 35 SOSEMANUK Attack Approximations SOBER-128 Simple Example on Fast Walsh Transform x1 x2 x3 x1 ⊕ x2 ··· (0) 000 0 1 0 0 (1) 100 1 0 1 1 x1 (0) 010 1 1 0 1 x2 ⇒ (0) 110 0 1 1 1 x3 (1) 001 0 1 0 1 (2) 101 1 0 0 1 (1) 011 1 (1) 111 0 11 / 35 SOSEMANUK Attack Approximations SOBER-128 Reducing Time Complexity 1. Let Ωm = {(x1 x2 ... xl)|xi ∈ {0, 1}, xm+1 = ··· = xl = 0} for m 1 ≤ m ≤ l. Clearly, |Ωm| = 2 . t 2. Among N approximations, take U · A S0 ⊕ W · Zt = 0 such that t U · A S0 ∈ Ωm. τ1 U · A S0 W · Zτ1 0 τ2 U · A S0 W · Zτ2 0 . ⊕ . = . . . . τ 0 U A N S W · Z 0 0 · 0 τN 3. The probability that such approximation occurs is 2m/2l. Hence, we obtain around N0 ≈ N × 2m/2l ’good’ approximations. 4. By Fast Walsh Transform, time complexity is reduced to N0 + m × 2m. 12 / 35 SOSEMANUK Attack Approximations SOBER-128 Second LFSR Derivative Technique 1. Used for the attack on Grain Version 0 by Berbain et al. 2. Obtain more ”good” approximations without further the keystream observations. 3. Perform pairwize combinations of N approximations as i j (U · A ⊕ U · A )S0 ⊕ (W · Zi ⊕ W · Zj)= 0, 1 ≤ i, j ≤ N 4. Choose combined approximations such as i j 2 (U · A S0 ⊕ U · A S0) ∈ Ωm. with the correlation of csose. 5. The number of approximations that satisfy this condition is expected to be N0 = 2m−l N ≈ 2m−l × N2. ¡2¢ 13 / 35 SOSEMANUK Attack Approximations SOBER-128 Sorting and Combining 1. A simple pairing requires N ≈ N2 operations. ¡2¢ 2. The number of operations can be reduced by applying sorting-and-combining technique. 3. First, N approximations are sorted out according to the value of (l − m) state bits. 4. Let the sorted approximations be represented by X1, X2,..., XN. Then, two consecutive approximations Xi and Xi+1 are checked whether their (l − m) state bits are same. 5. If they are same, we know Xi ⊕ Xi+1 ∈ Ωm. 6. The fastest sorting algorithm takes O(N log N). 7. Time complexity : T = N × log(N)+ m × 2m. 14 / 35 SOSEMANUK Attack Approximations SOBER-128 Linear Approximations of FSM 1. Using five masks (Γ1, Γ2, Γ3, Γ4, Γ5), we get Γ2 · R2t+1 = Φ · R1t Λ · R1t+1 = Γ1 · R2t ⊕ Γ4 · (st+2 ⊕ rist+9) Γ1 · ft = Γ3 · st+9 ⊕ Φ · R1t ⊕ Γ1 · R2t Γ2 · ft+1 = Γ5 · st+10 ⊕ Λ · R1t+1 ⊕ Γ2 · R2t+1 2. By combining above approximations Γ1 · ft ⊕ Γ2 · ft+1 =Γ3 · st+9 ⊕ Γ5 · st+10 ⊕ Γ4 · (st+2 ⊕ rist+9) 3. The correlation is cFSM = cTranPlus × cPlusPlus where 232−1 c = c (Γ , Φ; Γ )c (Φ; Γ ) TransPlus X + 3 1 Trans 2 Φ=1 32− 1 2 1 c = c (Γ , Γ ; Λ)c (Γ , Λ;Γ ) PlusPlus 2 X + 1 4 + 5 2 Λ=1 15 / 35 SOSEMANUK Attack Approximations SOBER-128 Linear Masking of FSM st+9 R1 R2 t ?Γ3 t Φ- Γ1 - Γ1 m Φ Γ Γ ? ? 1 1? Γ4 f st+2 ⊕ rtst+9 Trans t Λ h ( Γ2 hhhh (((( hhhh (((( (((h(hhh R1t+1 ((( hhh R2t+1 (((( st+10 hhhh ?Γ5 Λ- Γ2 - Γ2 ? m Γ2 ? Trans ? st+3 ⊕ rt+1st+10 ft+1 ? ? 16 / 35 SOSEMANUK Attack Approximations SOBER-128 Observations on Trans Function 32 1. Recall Trans(R1) = (R1 × 0x54655307 mod 2 )≪7. 2. Multiplication : 14 consecutive modular additions (Ham(0x54655307) = 14) (R1 × 0x54655307 mod 232) = R1 ¢ (R1 ¿ 1) ¢ (R1 ¿ 2) ¢ (R1 ¿ 8) ¢ ··· ¢ (R1 ¿ 30) 3. Due to the rotation ≪ 7, Linear masks must have ones in the bit positions of {i + 25}, i = 0, 1,..., or 6. In particular, Γ2 must have one in the bit positions of {i + 25, ··· , i}, i = 0, 1,..., or 6. 4. Provided x ¢ y = z, let a linear approximation be Ψ1 · x ⊕ Ψ2 ·⊕y =Ψ3 · z. Then, the positions of most significant effective bit of Ψ1, Ψ2, Ψ3 are same. 17 / 35 SOSEMANUK Attack Approximations SOBER-128 Linear Approximations of Serpent1 (zt+3, zt+2, zt+1, zt)= Serpent1(ft+3, ft+2, ft+1, ft)⊕(st+3, st+2, st+1, st) 3 ⇒ Γ · f ⊕ Γ · f = ζ · (s ⊕ z ). 1 t 2 t+1 M i t+i t+i i=0 31 2524 14 0 ft+3 ft+2 ft+1 ft ???????????????????????????????? S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S S ???????????????????????????????? st+3 ⊕ zt+3 st+2 ⊕ zt+2 st+1 ⊕ zt+1 st ⊕ zt Figure: Γ1 = 0x02004001, Γ2 = 0x03004001 18 / 35 SOSEMANUK Attack Approximations SOBER-128 Correlation of Serpent1 1. One of the best approximations is ζ0 = 0x00004001, ζ1 = 0x03000000, ζ2 = 0x03000000, ζ3 = 0x03004001 2. The correlation is −4 cS(3; 14) × cS(2; 14) × cS(3; 9) × cS(3; 9)= 2 where cS(γi; λj) denote a correlation of a single S-box induced by the input mask γi and the output mask λj.
Recommended publications
  • A Low-Latency Block Cipher for Pervasive Computing Applications Extended Abstract?

    A Low-Latency Block Cipher for Pervasive Computing Applications Extended Abstract?

    PRINCE { A Low-latency Block Cipher for Pervasive Computing Applications Extended Abstract? Julia Borghoff1??, Anne Canteaut1;2???, Tim G¨uneysu3, Elif Bilge Kavun3, Miroslav Knezevic4, Lars R. Knudsen1, Gregor Leander1y, Ventzislav Nikov4, Christof Paar3, Christian Rechberger1, Peter Rombouts4, Søren S. Thomsen1, and Tolga Yal¸cın3 1 Technical University of Denmark 2 INRIA, Paris-Rocquencourt, France 3 Ruhr-University Bochum, Germany 4 NXP Semiconductors, Leuven, Belgium Abstract. This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are de- sirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryp- tion on top of encryption is negligible. More precisely for our cipher it holds that decryption for one key corresponds to encryption with a re- lated key. This property we refer to as α-reflection is of independent interest and we prove its soundness against generic attacks. 1 Introduction The area of lightweight cryptography, i.e., ciphers with particularly low imple- mentation costs, has drawn considerable attention over the last years.
  • Algebraic Attacks on SOBER-T32 and SOBER-T16 Without Stuttering

    Algebraic Attacks on SOBER-T32 and SOBER-T16 Without Stuttering

    Algebraic Attacks on SOBER-t32 and SOBER-t16 without stuttering Joo Yeon Cho and Josef Pieprzyk? Center for Advanced Computing – Algorithms and Cryptography, Department of Computing, Macquarie University, NSW, Australia, 2109 {jcho,josef}@ics.mq.edu.au Abstract. This paper presents algebraic attacks on SOBER-t32 and SOBER-t16 without stuttering. For unstuttered SOBER-t32, two differ- ent attacks are implemented. In the first attack, we obtain multivariate equations of degree 10. Then, an algebraic attack is developed using a collection of output bits whose relation to the initial state of the LFSR can be described by low-degree equations. The resulting system of equa- tions contains 269 equations and monomials, which can be solved using the Gaussian elimination with the complexity of 2196.5. For the second attack, we build a multivariate equation of degree 14. We focus on the property of the equation that the monomials which are combined with output bit are linear. By applying the Berlekamp-Massey algorithm, we can obtain a system of linear equations and the initial states of the LFSR can be recovered. The complexity of attack is around O(2100) with 292 keystream observations. The second algebraic attack is applica- ble to SOBER-t16 without stuttering. The attack takes around O(285) CPU clocks with 278 keystream observations. Keywords : Algebraic attack, stream ciphers, linearization, NESSIE, SOBER-t32, SOBER-t16, modular addition, multivariate equations 1 Introduction Stream ciphers are an important class of encryption algorithms. They encrypt individual characters of a plaintext message one at a time, using a stream of pseudorandom bits.
  • VMPC-MAC: a Stream Cipher Based Authenticated Encryption Scheme

    VMPC-MAC: a Stream Cipher Based Authenticated Encryption Scheme

    VMPC-MAC: A Stream Cipher Based Authenticated Encryption Scheme Bartosz Zoltak http://www.vmpcfunction.com [email protected] Abstract. A stream cipher based algorithm for computing Message Au- thentication Codes is described. The algorithm employs the internal state of the underlying cipher to minimize the required additional-to- encryption computational e®ort and maintain general simplicity of the design. The scheme appears to provide proper statistical properties, a comfortable level of resistance against forgery attacks in a chosen ci- phertext attack model and high e±ciency in software implementations. Keywords: Authenticated Encryption, MAC, Stream Cipher, VMPC 1 Introduction In the past few years the interest in message authentication algorithms has been concentrated mostly on modes of operation of block ciphers. Examples of some recent designs include OCB [4], OMAC [7], XCBC [6], EAX [8], CWC [9]. Par- allely a growing interest in stream cipher design can be observed, however along with a relative shortage of dedicated message authentication schemes. Regarding two recent proposals { Helix and Sober-128 stream ciphers with built-in MAC functionality { a powerful attack against the MAC algorithm of Sober-128 [10] and two weaknesses of Helix [12] were presented at FSE'04. This paper gives a proposition of a simple and software-e±cient algorithm for computing Message Authentication Codes for the presented at FSE'04 VMPC Stream Cipher [13]. The proposed scheme was designed to minimize the computational cost of the additional-to-encryption MAC-related operations by employing some data of the internal-state of the underlying cipher. This approach allowed to maintain sim- plicity of the design and achieve good performance in software implementations.
  • Lecture Notes on Error-Correcting Codes and Their Applications to Symmetric Cryptography

    Lecture Notes on Error-Correcting Codes and Their Applications to Symmetric Cryptography

    Lecture Notes on Error-Correcting Codes and their Applications to Symmetric Cryptography Anne Canteaut Inria [email protected] https://www.rocq.inria.fr/secret/Anne.Canteaut/ version: December 4, 2017 Contents 10 Reed-Muller Codes and Boolean Functions 5 10.1 Boolean functions and their representations . .5 10.1.1 Truth table and Algebraic normal form . .5 10.1.2 Computing the Algebraic Normal Form . .8 10.2 Reed-Muller codes . 11 10.2.1 Definition . 11 10.2.2 The (uju + v) construction . 12 10.3 Weight distributions of Reed-Muller codes . 13 10.3.1 Minimum distance of R(r; m) ........................ 13 10.3.2 Weight distribution of R(1; m) ....................... 14 10.3.3 Weight distribution of R(m − 1; m) ..................... 15 10.3.4 Weight distribution of R(2; m) ....................... 15 10.3.5 Duality . 15 10.3.6 Other properties of the weights of R(r; m) ................. 17 11 Stream Cipher Basics 19 11.1 Basic principle . 19 11.1.1 Synchronous additive stream ciphers . 19 11.1.2 Pseudo-random generators . 21 11.1.3 General functionalities of stream ciphers and usage . 22 11.2 Models of attacks . 23 11.3 Generic attacks on stream ciphers . 24 11.3.1 Period of the sequence of internal states . 24 11.3.2 Time-Memory-Data Trade-off attacks . 27 11.3.3 Statistical tests . 36 11.4 The main families of stream ciphers . 37 11.4.1 Information-theoretically generators . 37 11.4.2 Generators based on a difficult mathematical problem . 38 11.4.3 Generators based on block ciphers .
  • Security in Wireless Sensor Networks Using Cryptographic Techniques

    Security in Wireless Sensor Networks Using Cryptographic Techniques

    American Journal of Engineering Research (AJER) 2014 American Journal of Engineering Research (AJER) e-ISSN : 2320-0847 p-ISSN : 2320-0936 Volume-03, Issue-01, pp-50-56 www.ajer.org Research Paper Open Access Security in Wireless Sensor Networks using Cryptographic Techniques Madhumita Panda Sambalpur University Institute of Information Technology(SUIIT)Burla, Sambalpur, Odisha, India. Abstract: -Wireless sensor networks consist of autonomous sensor nodes attached to one or more base stations.As Wireless sensor networks continues to grow,they become vulnerable to attacks and hence the need for effective security mechanisms.Identification of suitable cryptography for wireless sensor networks is an important challenge due to limitation of energy,computation capability and storage resources of the sensor nodes.Symmetric based cryptographic schemes donot scale well when the number of sensor nodes increases.Hence public key based schemes are widely used.We present here two public – key based algorithms, RSA and Elliptic Curve Cryptography (ECC) and found out that ECC have a significant advantage over RSA as it reduces the computation time and also the amount of data transmitted and stored. Keywords: -Wireless Sensor Network,Security, Cryptography, RSA,ECC. I. WIRELESS SENSOR NETWORK Sensor networks refer to a heterogeneous system combining tiny sensors and actuators with general- purpose computing elements. These networks will consist of hundreds or thousands of self-organizing, low- power, low-cost wireless nodes deployed to monitor and affect the environment [1]. Sensor networks are typically characterized by limited power supplies, low bandwidth, small memory sizes and limited energy. This leads to a very demanding environment to provide security.
  • Stream Ciphers

    Stream Ciphers

    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by HAL-CEA Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression Anne Canteaut, Sergiu Carpov, Caroline Fontaine, Tancr`edeLepoint, Mar´ıa Naya-Plasencia, Pascal Paillier, Renaud Sirdey To cite this version: Anne Canteaut, Sergiu Carpov, Caroline Fontaine, Tancr`edeLepoint, Mar´ıaNaya-Plasencia, et al.. Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression. FSE 2016 : 23rd International Conference on Fast Software Encryption, Mar 2016, Bochum, Germany. Springer, 9783 - LNCS (Lecture Notes in Computer Science), pp.313-333, Fast Software Encryption 23rd International Conference, FSE 2016, Bochum, Germany, March 20- 23, 2016, <http://fse.rub.de/>. <10.1007/978-3-662-52993-5 16>. <hal-01280479> HAL Id: hal-01280479 https://hal.archives-ouvertes.fr/hal-01280479 Submitted on 28 Nov 2016 HAL is a multi-disciplinary open access L'archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destin´eeau d´ep^otet `ala diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publi´esou non, lished or not. The documents may come from ´emanant des ´etablissements d'enseignement et de teaching and research institutions in France or recherche fran¸caisou ´etrangers,des laboratoires abroad, or from public or private research centers. publics ou priv´es. Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression?
  • A Bibliography of Papers in Lecture Notes in Computer Science (2002) (Part 2 of 4)

    A Bibliography of Papers in Lecture Notes in Computer Science (2002) (Part 2 of 4)

    A Bibliography of Papers in Lecture Notes in Computer Science (2002) (Part 2 of 4) Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 02 May 2020 Version 1.11 Title word cross-reference -adic [1754, 1720]. -Center [1691]. -D [1664, 84, 1060, 1019, 1637, 1647, 1364]. -Gram [1705]. -Level [50]. -List [1694]. -nearest [408]. -Partition [434]. -SAT (3; 3) [1732]. 0 [426]. 1 [426, 1647]. 1=f [420]. -Split [1732]. -Stability [164]. -Stage [1260]. 168 [1729]. 2 [1662]. -Tier [1430]. [1740, 943, 1677, 420, 50, 1732]. 3 [146, 154, 18, 1094, 1033, 1664, 196, 992, 1020, .NET [88]. 1065, 84, 29, 1640, 1075, 1093, 1662, 1023, 142, 1011, 1019, 1637, 30, 219, 1364, 1107, 1430]. /Geom/c [659]. 3 × 3 [536]. 4 [1060]. 8 · 168 [1729]. (G) [659]. 2 [1056]. st [208]. TM [596]. [213]. 2 1003.1q [1336]. 128 [1540]. 1980-88 [19]. ax7 + bx + c [1729]. ax8 + bx + c [1729]. ∆ 1989-1997 [20]. [1694]. Dy2 = x3 [1735]. k [1701, 434, 1677, 408, 1691]. kth [1711]. 2 [637]. 21 [208]. 2nd [1247]. MIN ERVA [292]. NEMESIS [358]. p [1754]. n [301]. N = pq [1752]. P [164, 1720]. 3G [649, 102, 640]. 3GPP [673]. 3rd [709]. Ψ [285]. q [1705]. x [1735]. y00 = f(x; y) [164]. 1 2 90 [186]. 95 [1328, 1329].
  • SOBER: a Stream Cipher Based on Linear Feedback Over GF\(2N\)

    SOBER: a Stream Cipher Based on Linear Feedback Over GF\(2N\)

    Turing: a fast software stream cipher Greg Rose, Phil Hawkes {ggr, phawkes}@qualcomm.com 25-Feb-03 Copyright © QUALCOMM Inc, 2002 DISCLAIMER! •This version (1.8 of TuringRef.c) is what we expect to publish. Any changes from now on will be because someone broke it. (Note: we said that about 1.5 and 1.7 too.) •This is an experimental cipher. Turing might not be secure. We've already found two attacks (and fixed them). We're starting to get confidence. •Comments are welcome. •Reference implementation source code agrees with these slides. 25-Feb-03 Copyright© QUALCOMM Inc, 2002 slide 2 Introduction •Stream ciphers •Design goals •Using LFSRs for cryptography •Turing •Keying •Analysis and attacks •Conclusion 25-Feb-03 Copyright© QUALCOMM Inc, 2002 slide 3 Stream ciphers •Very simple – generate a stream of pseudo-random bits – XOR them into the data to encrypt – XOR them again to decrypt •Some gotchas: – can’t ever reuse the same stream of bits – so some sort of facility for Initialization Vectors is important – provides privacy but not integrity / authentication – good statistical properties are not enough for security… most PRNGs are no good. 25-Feb-03 Copyright© QUALCOMM Inc, 2002 slide 4 Turing's Design goals •Mobile phones – cheap, slow, small CPUs, little memory •Encryption in software – cheaper – can be changed without retooling •Stream cipher – two-level keying structure (re-key per data frame) – stream is "seekable" with low overhead •Very fast and simple, aggressive design •Secure (? – we think so, but it's experimental) 25-Feb-03
  • A History of Syntax Isaac Quinn Dupont Facult

    A History of Syntax Isaac Quinn Dupont Facult

    Proceedings of the 2011 Great Lakes Connections Conference—Full Papers Email: A History of Syntax Isaac Quinn DuPont Faculty of Information University of Toronto [email protected] Abstract the arrangement of word tokens in an appropriate Email is important. Email has been and remains a (orderly) manner for processing by computers. Per- “killer app” for personal and corporate correspond- haps “computers” refers to syntactical processing, ence. To date, no academic or exhaustive history of making my definition circular. So be it, I will hide email exists, and likewise, very few authors have behind the engineer’s keystone of pragmatism. Email attempted to understand critical issues of email. This systems work (usually), because syntax is arranged paper explores the history of email syntax: from its such that messages can be passed. origins in time-sharing computers through Request This paper demonstrates the centrality of for Comments (RFCs) standardization. In this histori- syntax to the history of email, and investigates inter- cal capacity, this paper addresses several prevalent esting socio–technical issues that arise from the par- historical mistakes, but does not attempt an exhaus- ticular development of email syntax. Syntax is an tive historiography. Further, as part of the rejection important constraint for contemporary computers, of “mainstream” historiographical methodologies this perhaps even a definitional quality. Additionally, as paper explores a critical theory of email syntax. It is machines, computers are physically constructed. argued that the ontology of email syntax is material, Thus, email syntax is material. This is a radical view but contingent and obligatory—and in a techno– for the academy, but (I believe), unproblematic for social assemblage.
  • Cryptanalysis Techniques for Stream Cipher: a Survey

    Cryptanalysis Techniques for Stream Cipher: a Survey

    International Journal of Computer Applications (0975 – 8887) Volume 60– No.9, December 2012 Cryptanalysis Techniques for Stream Cipher: A Survey M. U. Bokhari Shadab Alam Faheem Syeed Masoodi Chairman, Department of Research Scholar, Dept. of Research Scholar, Dept. of Computer Science, AMU Computer Science, AMU Computer Science, AMU Aligarh (India) Aligarh (India) Aligarh (India) ABSTRACT less than exhaustive key search, then only these are Stream Ciphers are one of the most important cryptographic considered as successful. A symmetric key cipher, especially techniques for data security due to its efficiency in terms of a stream cipher is assumed secure, if the computational resources and speed. This study aims to provide a capability required for breaking the cipher by best-known comprehensive survey that summarizes the existing attack is greater than or equal to exhaustive key search. cryptanalysis techniques for stream ciphers. It will also There are different Attack scenarios for cryptanalysis based facilitate the security analysis of the existing stream ciphers on available resources: and provide an opportunity to understand the requirements for developing a secure and efficient stream cipher design. 1. Ciphertext only attack 2. Known plain text attack Keywords Stream Cipher, Cryptography, Cryptanalysis, Cryptanalysis 3. Chosen plaintext attack Techniques 4. Chosen ciphertext attack 1. INTRODUCTION On the basis of intention of the attacker, the attacks can be Cryptography is the primary technique for data and classified into two categories namely key recovery attack and communication security. It becomes indispensable where the distinguishing attacks. The motive of key recovery attack is to communication channels cannot be made perfectly secure. derive the key but in case of distinguishing attack, the From the ancient times, the two fields of cryptology; attacker’s motive is only to derive the original from the cryptography and cryptanalysis are developing side by side.
  • Non-Randomness in Estream Candidates Salsa20 and TSC-4

    Non-Randomness in Estream Candidates Salsa20 and TSC-4

    Non-randomness in eSTREAM Candidates Salsa20 and TSC-4 Simon Fischer1, Willi Meier1, C^omeBerbain2, Jean-Fran¸coisBiasse2, and M.J.B. Robshaw2 1 FHNW, 5210 Windisch, Switzerland fsimon.fischer,[email protected] 2 FTRD, 38{40 rue du G´en´eralLeclerc, 92794 Issy les Moulineaux, France fcome.berbain,jeanfrancois.biasse,[email protected] Abstract. Stream cipher initialisation should ensure that the initial state or keystream is not detectably related to the key and initialisa- tion vector. In this paper we analyse the key/IV setup of the eSTREAM Phase 2 candidates Salsa20 and TSC-4. In the case of Salsa20 we demon- strate a key recovery attack on six rounds and observe non-randomness after seven. For TSC-4, non-randomness over the full eight-round initial- isation phase is detected, but would also persist for more rounds. Key words: Stream Cipher, eSTREAM, Salsa20, TSC-4, Chosen IV Attack 1 Introduction Many synchronous stream ciphers use two inputs for keystream generation; a secret key K and a non-secret initialisation vector IV . The IV allows different keystreams to be derived from a single secret key and facilitates resynchroniza- tion. In the general model of a synchronous stream cipher there are three func- tions. During initialisation a function F maps the input pair (K; IV ) to a secret initial state X. The state of the cipher then evolves at time t under the action of a function f that updates the state X according to Xt+1 = f(Xt). Keystream is generated using an output function g to give a block of keystream zt = g(Xt).
  • On Distinguishing Attack Against the Reduced Version of the Cipher Nlsv2

    On Distinguishing Attack Against the Reduced Version of the Cipher Nlsv2

    Ø Ñ ÅØÑØÐ ÈÙ ÐØÓÒ× DOI: 10.2478/v10127-012-0037-5 Tatra Mt. Math. Publ. 53 (2012), 21–32 ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2 Michal Braˇsko — Jaroslav Boor ABSTRACT. The Australian stream cipher NLSv2 [Hawkes, P.—Paddon, M.– –Rose, G. G.—De Vries, M. W.: Primitive specification for NLSv2, Project eSTREAM web page, 2007, 1–25] is a 32-bit word oriented stream cipher that was quite successful in the stream ciphers competition—the project eSTREAM. The cipher achieved Phase 3 and successfully accomplished one of the main require- ments for candidates in Profile 1 (software oriented proposals)—to have a better performance than AES in counter mode. However the cipher was not chosen into the final portfolio [Babbage, S.–De Canni`ere, Ch.–Canteaut, A.–Cid, C.– –Gilbert, H.–Johansson, T.–Parker, M.–Preneel, B.–Rijmen, V.–Robshaw, M.: The eSTREAM Portfolio, Project eSTREAM web page, 2008], because its per- formance was not so perfect when comparing with other finalist. Also there is a security issue with a high correlation in the used S-Box, which some effective distinguishers exploit. In this paper, a practical demonstration of the distinguish- ing attack against the smaller version of the cipher is introduced. In our experi- ments, we have at disposal a machine with four cores (IntelR CoreTM Quad @ 2.66 GHz) and single attack lasts about 6 days. We performed successful practi- cal experiments and our results demonstrate that the distingushing attack against the smaller version is working. 1. Introduction The cipher NLSv2 is a synchronous, word-oriented stream cipher developed by Australian researchers P h i l i p H a w k e s, C a m e r o n M c D o n a l d, M i - chael Paddon,Gregory G.Rose andMiriam Wiggers de Vreis in 2007 [6].