
21st Century COE Program, Random Number Generation and Stream Cipher Study Group, 2003.02.25

NESSIE reports

■ Agenda: general evaluation criteria and evaluation methodology for stream ciphers, examined through the reports of the NESSIE project.


Copyright (c) 2003 C4Technology,Inc.

Table of Contents

1. NESSIE overview
2. Evaluation ( , Asymmetric ...)
3. Stream ciphers ~ Security Requirements (Attacks, Statistical Tests)
4. Stream ciphers ~ Evaluation
5. BMGL
6. Leviathan
7. LILI-128
8. SNOW
9. SOBER-t
10. Stream ciphers ~ Evaluation (Deliverables D18, D20)

1. NESSIE

New European Schemes for Signatures, Integrity, and Encryption

NESSIE is a project within the IST (Information Society Technologies) Programme of the EC (European Commission).

http://www.cryptonessie.org ↓ https://www.cosic.esat.kuleuven.ac.be/nessie/index.html

1. Submission categories

1. Block ciphers
2. Synchronous stream ciphers
3. Self-synchronising stream ciphers
4. Message authentication codes (MACs)
5. Collision-resistant hash functions
6. One-way hash functions
7. Families of pseudo-random functions
8. Asymmetric encryption schemes
9. Asymmetric digital signature schemes
10. Asymmetric identification schemes

1. Schedule

- 2000 January: Beginning of first phase of NESSIE
- 2000 November: First NESSIE workshop
- 2001 July: Beginning of second phase of NESSIE
- 2001 September: Second NESSIE workshop
- 2002 November: Third NESSIE workshop
- 2003 February: Fourth NESSIE workshop
- 2003 March: End of second phase of NESSIE

1. NESSIE / AES / CRYPTREC

| | AES | NESSIE | CRYPTREC |
|---|---|---|---|
| Organizer | NIST | IST Programme | MPHPT (Ministry of Public Management, Home Affairs, Posts and Telecommunications), METI (Ministry of Economy, Trade and Industry) |
| Purpose | New US standard block cipher | Consensus within the EC (industry and academia) | List of ciphers for e-Government use |
| Technical requirements | 128/192/256-bit, block cipher | Cryptographic primitives, almost all categories | Cryptographic primitives, almost all categories |
| Selection | A single winner is chosen | No single winner is chosen | No single winner is chosen |

2. Phase 1 Evaluation

- 64-bit block ciphers: CS-Cipher (CS Communication & Systems); Hierocrypt-L1 (Toshiba); IDEA (Mediacrypt); Khazad (Barreto, Rijmen); Misty1 (Mitsubishi Electric); Nimbus (Machado)
- 128-bit block ciphers: Anubis (Barreto, Rijmen); Camellia (NTT, Mitsubishi Electric); Grand Cru (Borst); Hierocrypt-3 (Toshiba); Noekeon (Dawson et al.); Q (McBride); SC2000 (Fujitsu)
- 160-bit block ciphers: SHACAL (Gemplus)
- Variable-length block ciphers: NUSH (LAN Crypto); RC6 (RSA); SAFER++ (Cylink)
- MAC & hash: Two-Track-MAC (Boer, Rompay); UMAC (Rogaway et al.); Whirlpool (Boer, Rompay)
- Asymmetric encryption: ACE Encrypt (IBM); ECIES (Certicom); EPOC-1, -2, -3 (NTT); PSEC-1, -2, -3 (NTT); RSA-OAEP (RSA)
- Asymmetric digital signature: ACE Sign (IBM); ECDSA (Certicom); ESIGN (NTT); FLASH (BULL CP8); QUARTZ (BULL CP8); RSA-PSS (RSA); SFLASH (BULL CP8)
- Asymmetric identification schemes: GPS (France Telecom)

2. Phase 2 Evaluation

- 64-bit block ciphers: CS-Cipher (CS Communication & Systems); Hierocrypt-L1 (Toshiba); IDEA (Mediacrypt); Khazad (Barreto, Rijmen); Misty1 (Mitsubishi Electric); Nimbus (Machado)
- 128-bit block ciphers: Anubis (Barreto, Rijmen); Camellia (NTT, Mitsubishi Electric); Grand Cru (Borst); Hierocrypt-3 (Toshiba); Noekeon (Dawson et al.); Q (McBride); SC2000 (Fujitsu)
- 160-bit block ciphers: SHACAL (Gemplus)
- Variable-length block ciphers: NUSH (LAN Crypto); RC6 (RSA); SAFER++ (Cylink)
- MAC & hash: Two-Track-MAC (Boer, Rompay); UMAC (Rogaway et al.); Whirlpool (Boer, Rompay)
- Asymmetric encryption: ACE Encrypt (IBM); ECIES (Certicom); EPOC-1, -2, -3 (NTT); PSEC-1, -2, -3 (NTT); RSA-OAEP (RSA)
- Asymmetric digital signature: ACE Sign (IBM); ECDSA (Certicom); ESIGN (NTT); FLASH (BULL CP8); QUARTZ (BULL CP8); RSA-PSS (RSA); SFLASH (BULL CP8)
- Asymmetric identification schemes: GPS (France Telecom)

3. Security Requirements

Stream ciphers (self-synchronising / synchronous)
a) High: key length of at least 256 bits; internal memory of at least 256 bits.
b) Normal: key length of at least 128 bits; internal memory of at least 128 bits.

... CRYPTREC

General Evaluation
- Stream cipher: statistical properties, length of period and linear complexity; resistance against well-known attacks and heuristic attacks.
- PRNG: statistical properties (randomness tests etc.); resistance against attacks, unpredictability.

Full Evaluation
- Stream cipher: statistical properties (period, linear complexity, etc.); known attacks (correlation, divide and conquer, ...); heuristic attacks.
- PRNG: statistical properties by randomness tests (FIPS 140-1); unpredictability, heuristic attacks.

3. Attacks

# Linear Complexity
Assume the PRNG is an LFSR and find the length of the shortest LFSR that produces its output sequence.

# Statistical Properties
Measure the occurrence probabilities of the PRNG output and their deviation from an independent uniform distribution.

- Correlation Attacks: an attack that considers a simple generator whose output is correlated with the PRNG output.
- Divide-and-Conquer Attacks: an attack that guesses part of the sequence and applies the same guessing conditions to the other parts.
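The linear complexity defined above is computed by the Berlekamp-Massey algorithm; the following is an added example (not from the slides or the NESSIE toolbox) that finds the shortest LFSR for a bit sequence and, from it, the linear complexity profile. The LFSR generator and its taps are constructed for the demo.

```python
def lfsr_sequence(taps, state, n):
    """n output bits of a Fibonacci LFSR (constructed generator for the demo).

    taps  : register cells XORed into the feedback bit, counted 1..L from the
            newest cell (L = register length)
    state : initial contents, oldest bit first
    """
    L, s, out = len(state), list(state), []
    for _ in range(n):
        out.append(s[0])
        fb = 0
        for t in taps:
            fb ^= s[L - t]
        s = s[1:] + [fb]
    return out


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating bits."""
    n = len(bits)
    c = [1] + [0] * n      # connection polynomial C(x); c[j] multiplies bits[i-j]
    b = [1] + [0] * n      # copy of C(x) taken at the last length change
    L, m = 0, -1           # current complexity; index of the last length change
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):          # discrepancy vs. the LFSR's prediction
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):     # C(x) ^= x^shift * B(x)
            c[j + shift] ^= b[j]
        if 2 * L <= i:                     # the register must grow
            L, m, b = i + 1 - L, i, t
    return L


def linear_complexity_profile(bits):
    """L_k for every prefix length k = 1..n; a sound PRNG tracks k/2 closely."""
    return [linear_complexity(bits[:k]) for k in range(1, len(bits) + 1)]
```

A maximal-length 4-cell LFSR yields linear complexity 4 however many bits are observed, which is exactly why a bare LFSR is unusable as a keystream generator.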

3. Attacks

- Time-Memory Trade-Offs: reduce the time needed for exhaustive search by increasing the memory used by the attack.
- Distinguishing Attacks: distinguish PRNG output from a truly random (independent uniform) sequence.
- Rekeying attacks (key reuse attacks): attacks that exploit the same key being used several times.

3. Statistical Tests (NESSIE toolbox)

- Dyadic Complexity Test
- Percolation Test
- Constant Runs Test
- Frequency Test
- Collision Test
- Overlapping m-tuple Test
- Gap Test
- Coupon Collector's Test
- Universal Maurer Test
- Poker Test
- Spectral Test
- Correlation Test
- Rank Test
- Linear Complexity Test
- Nonlinear Complexity Test
- Ziv-Lempel Complexity Test

... NIST SP 800-22

1. The Frequency (Monobit) Test
2. Frequency Test within a Block
3. The Runs Test
4. Test for the Longest-Run-of-Ones in a Block
5. The Binary Matrix Rank Test
6. The Discrete Fourier Transform (Spectral) Test
7. The Non-overlapping Template Matching Test
8. The Overlapping Template Matching Test
9. Maurer's "Universal Statistical" Test
10. The Lempel-Ziv Compression Test
11. The Linear Complexity Test
12. The Serial Test
13. The Approximate Entropy Test
14. The Cumulative Sums (Cusums) Test
15. The Random Excursions Test
16. The Random Excursions Variant Test

http://csrc.nist.gov/rng/

3. Classification of attacks

Preconditions and assumptions
It is customary when analysing stream ciphers to consider known attacks. This essentially means assuming the cryptanalyst knows a large volume of keystream.
- The overall structure of the stream cipher is known.
- Only the secret key is unknown.

Analysis methods
The cryptanalyst's task is then usually classified in one of three ways.
A) Distinguishing: look for a way to distinguish a keystream of suitable length from a random sequence of the same length.
B) Prediction: look for a way to predict the keystream with better accuracy than random guessing.
C) Key Recovery: look for a way to recover the secret key from the keystream.

4. Stream ciphers

- BMGL: Håstad, Näslund (Sweden), High/Normal
- Leviathan: Cisco Systems (USA), High/Normal
- LILI-128: Simpson, Dawson, Golić, Millan (Australia), Normal
- SNOW: Johansson, Ekdahl (Sweden), High/Normal
- SOBER-t16: Qualcomm International (Australia), Normal
- SOBER-t32: Qualcomm International (Australia), High

Deliverables

- D12 Toolbox version 2
- D13 Security evaluation of NESSIE First Phase
- D14 Performance evaluation of NESSIE First Phase
- D15 Workshop on security and performance evaluation of NESSIE First Phase
- D16 Internal review report Year 2
- D17 Preliminary list of realistic performance estimates
- D18 Update on the selection of algorithms for further investigation during NESSIE Second Phase
- D20 NESSIE Security report, version 1.0
- D21 Performance of Optimized Implementations of the NESSIE Primitives, version 1.0

4. Evaluation 1st ⇒ 2nd (D13)

Phase 1st Evaluation ⇒ Phase 2nd Evaluation
- BMGL ⇒ BMGL
- Leviathan ⇒ -
- LILI-128 ⇒ -
- SNOW ⇒ SNOW
- SOBER-t16 ⇒ SOBER-t16
- SOBER-t32 ⇒ SOBER-t32

5. BMGL

The submission BMGL is a pseudorandom number generator with the block cipher Rijndael as cryptographic core. Rijndael is considered as a one-way function from the key to the cipher-text. BMGL iterates this function and extracts a few pseudo-random bits in each iteration using hard-core predicates. The construction uses an optimization of earlier work on pseudo-random generators [19, 48].
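The iterate-and-extract structure just described, as an added example that is not the BMGL submission's code: SHA-256 truncated to 16 bytes stands in for the Rijndael key-to-ciphertext map (an assumption for an offline demo), and the hard-core predicates are Goldreich-Levin inner products with fixed vectors; the seed and vectors are constructed.

```python
import hashlib

BLOCK_BYTES = 16  # Rijndael block size; the SHA-256 stand-in is truncated to match


def one_way(state: bytes) -> bytes:
    """Stand-in for 'Rijndael-encrypt a fixed block under key = state'.

    SHA-256 is only a demo substitute for the one-way key -> ciphertext map.
    """
    return hashlib.sha256(b"BMGL-demo|" + state).digest()[:BLOCK_BYTES]


def hard_core_bit(x: bytes, r: bytes) -> int:
    """Goldreich-Levin predicate: inner product <x, r> over GF(2)."""
    return bin(int.from_bytes(x, "big") & int.from_bytes(r, "big")).count("1") & 1


def bmgl_keystream(seed: bytes, vectors: list, n_bits: int) -> list:
    """Iterate the one-way map; extract len(vectors) bits per iteration.

    Extracting only a few bits of each 128-bit state is what lets the
    hard-core-predicate argument carry over to the output bits.
    """
    state = seed
    out = []
    while len(out) < n_bits:
        state = one_way(state)                      # x_{i+1} = f(x_i)
        out.extend(hard_core_bit(state, r) for r in vectors)
    return out[:n_bits]


def demo() -> list:
    # constructed seed and extraction vectors (in BMGL both derive from key material;
    # the D18 tweak additionally mixes an IV into the starting state)
    seed = bytes(range(BLOCK_BYTES))
    vectors = [hashlib.sha256(b"r%d" % j).digest()[:BLOCK_BYTES] for j in range(8)]
    return bmgl_keystream(seed, vectors, 64)
```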

6. Leviathan

It is defined by a set of binary tree structures of height 16. Each node of each tree is associated with a triple of words (each of four bytes) z|y|x. The triple at the root of the j-th tree is 1|0|j. Key-dependent functions a and b map the triple s at a node to a triple at each of its two descendants, so that its left-hand descendant is a(s) while its right-hand descendant is b(s).

6. Leviathan

[Figure: the functions fod (left) and god (right).] Here and below denotes the bitwise exclusive or operation, denotes integer addition (with dashed lines indicating the carry operations), and ・ indicates the bitwise complementation operation (or logical 'not').

6. Leviathan

[Figure: the functions cof and cog, showing how the output of the cipher is derived from the state of the leaf nodes.]

7. LILI-128

It consists of two LFSRs, each with a primitive feedback polynomial. The first, LFSR_c, has length 39, while the second, LFSR_d, has length 89. Two bits from LFSR_c (which is clocked regularly) determine an integer c in the range {1, 2, 3, 4}, and LFSR_d is clocked c times. A nonlinear filter f_d is then applied to ten bits of LFSR_d to produce the keystream bit.
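The clock-controlled two-LFSR structure described above, as an added example that is not the LILI-128 reference code. Register lengths (39, 89), the clock-control set {1, 2, 3, 4} and the ten-input filter follow the text; the tap positions, the filter function, the bit positions read, and the initial states are placeholders, not the LILI-128 specification.

```python
class Lfsr:
    """Fibonacci LFSR over GF(2); state[0] is the oldest bit."""

    def __init__(self, taps, state):
        self.n, self.taps, self.state = len(state), taps, list(state)
        self.clocks = 0

    def clock(self):
        fb = 0
        for t in self.taps:          # t = 1 is the newest cell, t = n the oldest
            fb ^= self.state[self.n - t]
        self.state = self.state[1:] + [fb]
        self.clocks += 1


def clock_control(lfsr_c):
    """Two bits of LFSR_c give c in {1, 2, 3, 4} (placeholder bit positions)."""
    return 1 + 2 * lfsr_c.state[12] + lfsr_c.state[20]


def filter_fd(x):
    """PLACEHOLDER 10-variable Boolean filter; LILI-128's f_d is not on the page."""
    return (x[0] ^ x[1] ^ x[9] ^ (x[2] & x[3]) ^ (x[4] & x[5] & x[6])
            ^ (x[7] & x[8]) ^ (x[1] & x[9]))


FD_INPUTS = (0, 1, 3, 7, 12, 20, 30, 44, 65, 80)   # placeholder cells of LFSR_d


def lili_keystream(n_bits, state_c, state_d):
    """Return (keystream bits, LFSR_c clock count, LFSR_d clock count)."""
    lfsr_c = Lfsr(taps=(39, 35, 33, 31, 17, 15, 14, 2), state=state_c)  # placeholder taps
    lfsr_d = Lfsr(taps=(89, 83, 80, 55, 53, 42, 39, 1), state=state_d)   # placeholder taps
    out = []
    for _ in range(n_bits):
        c = clock_control(lfsr_c)
        for _ in range(c):           # irregular decimation of LFSR_d
            lfsr_d.clock()
        out.append(filter_fd([lfsr_d.state[i] for i in FD_INPUTS]))
        lfsr_c.clock()               # LFSR_c is clocked regularly
    return out, lfsr_c.clocks, lfsr_d.clocks


def demo():
    # constructed initial states, not a LILI-128 key loading
    state_c = [(i * 7 + 3) % 2 for i in range(39)]
    state_d = [(i * i + i // 3) % 2 for i in range(89)]
    return lili_keystream(64, state_c, state_d)
```

Because LFSR_d advances between 1 and 4 steps per output bit, an attacker who wants to apply LFSR-based analysis must first guess the decimation pattern, which is the "attacks on the irregular decimation" row of the D13 table.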

8. SNOW 1.0

8. SNOW 2.0

9. SOBER-t

[Figure: the SOBER-t S-box. A 32-bit input is partitioned into 8 bits and 24 bits; the S-box layer consists of the Skipjack S-box and the ISRC, QUT S-box; the 8-bit and 24-bit parts are recombined into the 32-bit output.]

Evaluation 1st (D13)

Columns: LEVIATHAN, LILI-128, SOBER-t, SNOW, BMGL

- Linear complexity: - (*1) - - -
- Statistical properties: - - - NESSIE toolbox
- Correlation attacks: Jonsson and Johansson [59]; Stefan Lucks [30]; X-[15]; X-[15]; Mihaljević, Fossorier and Imai [89]; X-[2, 49]; Babbage
- Time-memory tradeoff attack: Stefan Lucks [30]; Babbage; Saarinen [107]
- Guess-and-determine attacks: X-[54]; X-[23]
- Attacks on the irregular decimation: [50, 51, 115] △ 2^400
- Key loading and related key attacks: X-[18] precomputation memory; Stefan Lucks [30]
- Rekeying and weak keys: Stefan Lucks [30]; X (related key attacks); construction has one-way permutations [48, 52, 47, 80, 46]
- Exhaustive key search: -

10. Evaluation 2nd (D18)

- O BMGL: tweaked version (adding IV) selected; tweaked to allow rekeying.
- O SNOW: 128-bit key selected; 256-bit key not selected (exhaustive 256-bit key search [1]); tweaked version (adding IV) of 128-bit SNOW.
- X SOBER-t16: selected, but eliminated during the first part of Phase II (exhaustive key search [7]).
- X SOBER-t32: selected, but eliminated during the first part of Phase II (exhaustive key search [7]).

10. BMGL tweaked version (adding IV) selected (D20)

This means that certain generic attacks on modes of use are applicable, as noted by Babbage [12]. ... one-way permutations [171, 183, 169, 263, 168].

[12] S. Babbage, "Simple attack on BMGL faster than exhaustive key search," 2002. NESSIE discussion forum.
[185] J. Håstad and M. Näslund, "A generalized interface for the NESSIE submission BMGL," internal document, NESSIE, 2001. Available on the internal NESSIE project web site.

10. SNOW 128-bit key selected (D20)

Distinguishing attack on SNOW requiring 2^95 observed bits of keystream and workload about 2^100.

Guess-and-determine attacks: Hawkes and Rose [189]

This gives an attack requiring 2^224 observed bits of keystream with workload 2^95.

[189] P. Hawkes and G. G. Rose, "Guess-and-determine attacks on SNOW," in Proceedings of Selected Areas in Cryptography - SAC'02, Lecture Notes in Computer Science, Springer-Verlag, 2002.

10. SOBER-t (D20)

There is a distinguishing attack on SOBER-t16, as well as a much faster one on the unstuttered version of SOBER-t16. The nonlinear filter also exhibits significant biases.

[190] P. Hawkes and G. G. Rose, "On the applicability of distinguishing attacks against stream ciphers," in Proceedings of the Third NESSIE Workshop, 2002.
[126] M. Dichtl and M. Schafheutle, "Linearity properties of SOBER-t32 key loading," in Proceedings of Fast Software Encryption - FSE'02 (J. Daemen and V. Rijmen, eds.), no. 2365 in Lecture Notes in Computer Science, pp. 225-230, Springer-Verlag, 2002.
[13] S. Babbage and J. Lano, "Probabilistic factors in the SOBER-t stream ciphers," in Proceedings of the Third NESSIE Workshop, 2002.

Hirohisa OGAWA, C4 Technology, Inc., http://www.c4t.jp/