RC4 Py SPP attack Improving on the attack

Improved Cryptanalysis of Py

Paul Crowley

LShift Ltd

Royal Holloway Information Security Group Seminar, May 2006 RC4 Py SPP attack Improving on the attack Overview

• RC4 • Py • SPP attack • Our attack RC4 Py SPP attack Improving on the attack RC4

7 15 11 5 14 3 12 13 6 0 2 8 4 1 10 9 RC4 Py SPP attack Improving on the attack RC4

i j

7 15 11 5 14 3 12 13 6 0 2 8 4 1 10 9 RC4 Py SPP attack Improving on the attack RC4

i j 11 + 3 = 14

7 15 11 5 14 3 12 13 6 0 2 8 4 1 10 9 10 RC4 Py SPP attack Improving on the attack RC4

i j

7 15 11 5 14 3 12 13 6 0 2 8 4 1 10 9 10 RC4 Py SPP attack Improving on the attack RC4

i j

7 15 11 5 14 3 12 13 6 0 2 8 4 1 10 9 10 RC4 Py SPP attack Improving on the attack RC4

7 15 11 5 14 3 12 13 6 0 2 8 4 1 10 9 10

7 15 11 2 14 3 12 13 6 0 5 8 4 1 10 9

i j RC4 Py SPP attack Improving on the attack RC4

7 15 11 5 14 3 12 13 6 0 2 8 4 1 10 9 10

7 15 11 2 14 3 12 13 6 0 5 8 4 1 10 9 13

i 2 + 5 = 7 j RC4 Py SPP attack Improving on the attack Events in RC4

i = a j

1 0 a RC4 Py SPP attack Improving on the attack Events in RC4

i = a j

1 0 a 0 RC4 Py SPP attack Improving on the attack Events in RC4

a i j

1 0 a 0 RC4 Py SPP attack Improving on the attack Events in RC4

1 0 a 0

1 a 0

a i j RC4 Py SPP attack Improving on the attack Events in RC4

1 0 a 0

1 a 0 1

a i j RC4 Py SPP attack Improving on the attack Py

• eSTREAM entrant by Eli Biham and Jennifer Seberry • Fast in software (2.6 cycles/byte on some platforms) • SPP attack: 288 bytes of output • Our attack: 272 bytes RC4 Py SPP attack Improving on the attack Rolling arrays RC4 Py SPP attack Improving on the attack Rolling swaps RC4 Py SPP attack Improving on the attack Py internal state

P

s Y [0] Y [255] Y [−3] Y [256] RC4 Py SPP attack Improving on the attack Output

O1

P

O2 RC4 Py SPP attack Improving on the attack Update

P

P RC4 Py SPP attack Improving on the attack SPP attack

• Gautham Sekar, Souradyuti Paul, Bart Preneel • Defines event L with Pr[L] ≈ 2−41.91 • When L occurs, two output bits are the same RC4 Py SPP attack Improving on the attack Event L (1)

S

P

S RC4 Py SPP attack Improving on the attack Event L (2)

O1,1

A B

S A B

A B

O2,3 RC4 Py SPP attack Improving on the attack Result of event L

A S B

O1,1 O2,3 RC4 Py SPP attack Improving on the attack SPP distinguisher

85 88 • Examine 2 O1,1, O2,3 pairs (ie 2 bytes) • Count how many pairs have equal low bits • Report “Py” if above a certain threshold, otherwise “random” • How do we choose the threshold? RC4 Py SPP attack Improving on the attack Optimal distinguisher

• Thomas Baignères, Pascal Junod, Serge Vaudenay • Optimal distinguisher chooses the distribution which has the highest probability of producing the observed output • Neyman-Pearson likelihood ratio test RC4 Py SPP attack Improving on the attack Optimal distinguisher

s0 s1 s2 RC4 Py SPP attack Improving on the attack Optimal distinguisher

|Z|−1 |Z|−1 |Z|−1

s0 s1 s2 RC4 Py SPP attack Improving on the attack Optimal distinguisher

|Z|−3

|Z|−1 |Z|−1 |Z|−1

s0 s1 s2 RC4 Py SPP attack Improving on the attack Optimal distinguisher

|Z|−3

|Z|−1 |Z|−1 |Z|−1

s0 s1 s2

Pr[s0|L] Pr[s1|L] Pr[s2|L] RC4 Py SPP attack Improving on the attack Optimal distinguisher

|Z|−3

|Z|−1 |Z|−1 |Z|−1

s0 s1 s2

−1 −1 −1 Pr[s0|L] |Z| Pr[s1|L] |Z| Pr[s2|L] |Z| RC4 Py SPP attack Improving on the attack Optimal distinguisher

|Z|−3

|Z|−1 |Z|−1 |Z|−1

s0 s1 s2

−1 −1 −1 Pr[s0|L] |Z| Pr[s1|L] |Z| Pr[s2|L] |Z|

Pr[s0] Pr[s1] Pr[s2] RC4 Py SPP attack Improving on the attack Optimal distinguisher

|Z|−3

|Z|−1 |Z|−1 |Z|−1

s0 s1 s2

−1 −1 −1 Pr[s0|L] |Z| Pr[s1|L] |Z| Pr[s2|L] |Z|

Pr[s0] Pr[s1] Pr[s2]

Pr[s0 ∧ s1 ∧ s2] RC4 Py SPP attack Improving on the attack Optimal distinguisher

• Pr[s|Py] We score each sample s with LLR(s) = log( Pr[s|Random] ) • Sum of scores is log-likelihood ratio for whole sample • If score is positive, output Py • Otherwise, output Random • 2 1 Need around β samples for advantage > 2 • If output only biased when event L occurs: 2 P 2

β = Pr[L] |Z| z∈Z Pr[z|L] − 1 • SPP attack: β = Pr[L]2 so around 285 samples

RC4 Py SPP attack Improving on the attack Efficacy of optimal distinguisher

• Where distribution is “close” to uniform random, efficacy 2 P  1  β = |Z| z∈Z Pr[z] − |Z| • If output only biased when event L occurs: 2 P 2

β = Pr[L] |Z| z∈Z Pr[z|L] − 1 • SPP attack: β = Pr[L]2 so around 285 samples

RC4 Py SPP attack Improving on the attack Efficacy of optimal distinguisher

• Where distribution is “close” to uniform random, efficacy 2 P  1  β = |Z| z∈Z Pr[z] − |Z| • 2 1 Need around β samples for advantage > 2 • SPP attack: β = Pr[L]2 so around 285 samples

RC4 Py SPP attack Improving on the attack Efficacy of optimal distinguisher

• Where distribution is “close” to uniform random, efficacy 2 P  1  β = |Z| z∈Z Pr[z] − |Z| • 2 1 Need around β samples for advantage > 2 • If output only biased when event L occurs: 2 P 2

β = Pr[L] |Z| z∈Z Pr[z|L] − 1 RC4 Py SPP attack Improving on the attack Efficacy of optimal distinguisher

• Where distribution is “close” to uniform random, efficacy 2 P  1  β = |Z| z∈Z Pr[z] − |Z| • 2 1 Need around β samples for advantage > 2 • If output only biased when event L occurs: 2 P 2

β = Pr[L] |Z| z∈Z Pr[z|L] − 1 • SPP attack: β = Pr[L]2 so around 285 samples RC4 Py SPP attack Improving on the attack Improving on the attack

• Use all bits of O1,1, O2,3 • Group output by column bitwise

• Find exact probability Pr[O1,1, O2,3 = o1,1, o2,3|L] • Apply optimal distinguisher RC4 Py SPP attack Improving on the attack Addition

[X]3 [Y ]3 [X]2 [Y ]2 [X]1 [Y ]1 [X]0 [Y ]0

[c]0 [c]3 [c]2 [c]1

[X + Y ]3 [X + Y ]2 [X + Y ]1 [X + Y ]0 RC4 Py SPP attack Improving on the attack Carry propagation

[A]i [S]i [B]i

[c1]i+1 [c1]i

[c3]i+1 [c3]i

[O1,1]i [O2,3]i RC4 Py SPP attack Improving on the attack Carry propagation

[A]i [S]i [B]i

[c1]i+1 [c1]i

[c3]i+1 [c3]i

[O1,1]i [O2,3]i RC4 Py SPP attack Improving on the attack Markov process

1, 0 1, 0 0, 0 0, 0 RC4 Py SPP attack Improving on the attack Transition probabilities

5 1 8 8

0, 0 0, 1

1 8

1 8

1, 0 1, 1 RC4 Py SPP attack Improving on the attack Markov process

5 1 5 8 8 8

1, 0 1, 0 0, 0 0, 0 RC4 Py SPP attack Improving on the attack Markov process

5 1 5 8 8 8

1, 0 1, 0 0, 0 0, 0

25 5 5 512 64 8 1 RC4 Py SPP attack Improving on the attack Markov process

1, 0 1, 0 0, 0 0, 0

1 0 1 0 0 1 RC4 Py SPP attack Improving on the attack Transition and output probabilities

0 1 ( ) 0 0 8 ( 1 ) 0 8

1 ( 1 ) 0, 0 0, 1 1 2

0 ( 1 ) 0 0 8 ( 1 ) 0 8

1, 0 1, 1 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 0 1 0 0 1 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 1 1 128 16 2 1

1 0 1 0 0 1 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 0 1 0 0 1 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 0 1  1  0 0 1  0     0  0 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 1 0 1  1  0 0 1  0     0  0 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 1 0 1  1   1  0 0 2 1  0   0       0   0  0 0 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 2 1 1 0 1  1   1  0 0 2 1  0   0       0   0  0 0 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 2 1 1  1  0  1  1   16 2 1 0 1 0 1  16   0   0   1       16   0   0  1 0 16 0 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 1 4 2 1 1  1  0  1  1   16 2 1 0 1 0 1  16   0   0   1       16   0   0  1 0 16 0 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

1 1 4 2 1  1  1  1  0  1  1   128 16 2 1 5 0 1 0 1  128   16   0   0   1   1       128   16   0   0  1 1 0 128 16 0 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

8 1 1 128 4 2 1  1  1  1  0  1  1   128 16 2 1 5 0 1 0 1  128   16   0   0   1   1       128   16   0   0  1 1 0 128 16 0 RC4 Py SPP attack Improving on the attack Hidden Markov model

1 1 1 8 8 2

1, 0 1, 0 0, 0 0, 0

 1  1 0 1   128 1 5 0 0 1  128   0   1  = M1,0 M0,0 M1,1   128   0  1 128 0 RC4 Py SPP attack Improving on the attack The forward algorithm

 1 0 1  Pr = 1 M M M π 0 0 1 1×4 1,0 0,0 1,1 0  1 
 0  where 11×4 = 1 1 1 1 and π0 =    0  0 RC4 Py SPP attack Improving on the attack Our attack

• For each sample, use the forward algorithm to find Pr[s|L] • from which we estimate Pr[s|Py] • Pr[s|Py] We score each sample s with LLR(s) = log( Pr[s|Random] ) • Sum of scores is log-likelihood ratio for whole sample • If score is positive, output Py • Otherwise, output Random X 2 = (11×4M31M30 ... M0π0) X T = (11×4M31M30 ... M0π0)(11×4M31M30 ... M0π0)

X  T T T T T  = 11×4M31M30 ... M0π0π0 M0 ... M30M3111×4

X  T T T T  T = 11×4 M31M30 ... M0π0π0 M0 ... M30M31 11×4

Mi ∈ {M0,0, M0,1, M1,0, M1,1}

RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X Pr[z|L]2 z∈Z X T = (11×4M31M30 ... M0π0)(11×4M31M30 ... M0π0)

X  T T T T T  = 11×4M31M30 ... M0π0π0 M0 ... M30M3111×4

X  T T T T  T = 11×4 M31M30 ... M0π0π0 M0 ... M30M31 11×4

RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X Pr[z|L]2 z∈Z X 2 = (11×4M31M30 ... M0π0)

Mi ∈ {M0,0, M0,1, M1,0, M1,1} X  T T T T T  = 11×4M31M30 ... M0π0π0 M0 ... M30M3111×4

X  T T T T  T = 11×4 M31M30 ... M0π0π0 M0 ... M30M31 11×4

RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X Pr[z|L]2 z∈Z X 2 = (11×4M31M30 ... M0π0) X T = (11×4M31M30 ... M0π0)(11×4M31M30 ... M0π0)

Mi ∈ {M0,0, M0,1, M1,0, M1,1} X  T T T T  T = 11×4 M31M30 ... M0π0π0 M0 ... M30M31 11×4

RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X Pr[z|L]2 z∈Z X 2 = (11×4M31M30 ... M0π0) X T = (11×4M31M30 ... M0π0)(11×4M31M30 ... M0π0)

X  T T T T T  = 11×4M31M30 ... M0π0π0 M0 ... M30M3111×4

Mi ∈ {M0,0, M0,1, M1,0, M1,1} RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X Pr[z|L]2 z∈Z X 2 = (11×4M31M30 ... M0π0) X T = (11×4M31M30 ... M0π0)(11×4M31M30 ... M0π0)

X  T T T T T  = 11×4M31M30 ... M0π0π0 M0 ... M30M3111×4

X  T T T T  T = 11×4 M31M30 ... M0π0π0 M0 ... M30M31 11×4

Mi ∈ {M0,0, M0,1, M1,0, M1,1} T H0 = π0π0 X T Hi+1 = MHi M

M∈{M0,0,M0,1,M1,0,M1,1} 2  64  T   β = Pr[L] 2 11×4H3211×4 − 1 ≈ 60552 Pr[L]2

RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X T T T T T Hi = Mi−1Mi−2 ... M1M0π0π0 M0 M1 ... Mi−2Mi−1 X T Hi+1 = MHi M

M∈{M0,0,M0,1,M1,0,M1,1} 2  64  T   β = Pr[L] 2 11×4H3211×4 − 1 ≈ 60552 Pr[L]2

RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X T T T T T Hi = Mi−1Mi−2 ... M1M0π0π0 M0 M1 ... Mi−2Mi−1 T H0 = π0π0 2  64  T   β = Pr[L] 2 11×4H3211×4 − 1 ≈ 60552 Pr[L]2

RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X T T T T T Hi = Mi−1Mi−2 ... M1M0π0π0 M0 M1 ... Mi−2Mi−1 T H0 = π0π0 X T Hi+1 = MHi M

M∈{M0,0,M0,1,M1,0,M1,1} ≈ 60552 Pr[L]2

RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X T T T T T Hi = Mi−1Mi−2 ... M1M0π0π0 M0 M1 ... Mi−2Mi−1 T H0 = π0π0 X T Hi+1 = MHi M

M∈{M0,0,M0,1,M1,0,M1,1} 2  64  T   β = Pr[L] 2 11×4H3211×4 − 1 RC4 Py SPP attack Improving on the attack Efficacy of our distinguisher

X T T T T T Hi = Mi−1Mi−2 ... M1M0π0π0 M0 M1 ... Mi−2Mi−1 T H0 = π0π0 X T Hi+1 = MHi M

M∈{M0,0,M0,1,M1,0,M1,1} 2  64  T   β = Pr[L] 2 11×4H3211×4 − 1 ≈ 60552 Pr[L]2 RC4 Py SPP attack Improving on the attack Conclusions

• We can efficiently calculate the efficacy of HMM-based distinguishers • Distinguisher advantage is 0.53 given 264 bytes from 28 key/IV pairs • Advantage is 0.03 given a single 264-byte stream • Can this be improved still further?

http://www.ciphergoth.org/crypto/py