<<

Differential-Linear Attacks against the Stream

Hongjun Wu and

Katholieke Universiteit Leuven ESAT/COSIC Overview

1. Introduction to Helix and Phelix 2. Description of Phelix 3. Differential propagation of addition 4. A basic attack on Phelix 5. Improving the attack on Phelix 6. Improving the security of Phelix 7. Open problems 8. Conclusion

K.U. Leuven, ESAT/COSIC 2 1 Background (1)

Stream Cipher Helix (FSE 2003)

+ message is applied to update the internal state : message is XORed with the MAC: generated from internal state after finishing encryption

gain – no separate MAC cost – error propagation + security concern

K.U. Leuven, ESAT/COSIC 3 1 Background (2)

Attacks against Helix

Differential recovery attack (Muller, 2004): nonce reuse; 212 adaptively chosen words, 288 operations

Reducing the number of plaintext words (Paul-Preneel, 2005) about 210 adaptively chosen plaintext words; or 235.6 chosen plaintext words

K.U. Leuven, ESAT/COSIC 4 1. Background (3)

Stream Cipher Phelix (2005)

Phelix: the strengthened version of Helix 1) message passing through more operations before affecting the keystream: half block in Helix, one full block in Phelix 2) more internal state words in generating a keystream word: one internal state word in Helix, two in Phelix

Is Phelix secure? Still vulnerable to the differential key recovery attack, effective being reduced to 41.5 bits

K.U. Leuven, ESAT/COSIC 5 2. Stream Cipher Phelix (1)

Stream Cipher Phelix

stream cipher + message authentication 256-bit key, 128-bit IV eSTREAM Phase II software and hardware focus cipher

Fast in software: 6.6 cycles/byte on Pentium M processor Hardware: twelve 32-bit additions are required for one 32-bit keystream word: efficient ?

K.U. Leuven, ESAT/COSIC 6 2. Stream Cipher Phelix (2)

Stream Cipher Phelix

160-bit internal state: updated by message

512-bit internal state: simply related to the key and IV incremented during the encryption

K.U. Leuven, ESAT/COSIC 7 Phelix: one block

Z0, Z1, Z2, Z3, Z4 : 160-bit internal state updated by message

Xi,0, Xi,1 : 512-bit internal state, determined by key, IV;

Encryption:

Ci = Pi ⊕ Si

K.U. Leuven, ESAT/COSIC 8 3. Differential Propagation of Addition

Observation:

addend bits strongly correlated with the difference of the sums

=> By observing the distribution of the difference of the sums, the value of addend bits can be determined with the linear attack technique

K.U. Leuven, ESAT/COSIC 9 3. Differential Propagation of Addition

The following theorem shows that the check sum of two adjacent addend bits does affect significantly the distribution of the difference of the sums

K.U. Leuven, ESAT/COSIC 10 4. A Basic Attack on Phelix (1)

1) Introducing one bit difference in Pi (i+1) (i+1) 2) B 3 ⊕ B 3′ heavily biased

K.U. Leuven, ESAT/COSIC 11 4. A Basic Attack on Phelix (2)

(i+1) (i+1) (i+1) (i+1) (i+1) 3) Since T 0 = A 0 ⊕ ( B 3 + X i + 1 ,0 ) and that B 3 ⊕ B3′ is heavily biased, we can predict which bits of Xi+1,0 may have significant effect on the distribution of the difference of the keystream according to Theorem 2.

K.U. Leuven, ESAT/COSIC 12 4. A Basic Attack on Phelix (3)

4) When the one-bit difference is in the least significant bit of 15 14 th Pi , for X i + 1 ,0 ⊕ X i + 1 ,0 = 0 , the 17 least significant bit of 15 14 Si+1 ⊕ Si′+1 is 0 with probability 0.50227; for X i + 1 ,0 ⊕ X i + 1 , 0 = 1 , the probability is 0.50117

15 14 => The value of X i + 1 , 0 ⊕ X i + 1 , 0 is highly correlated to the 17 17 distribution of S i + 1 ⊕ S i′ + 1 .

15 14 22.3 => Recovering X i + 1 , 0 ⊕ X i + 1 , 0 with 2 plaintext pairs

K.U. Leuven, ESAT/COSIC 13 4. A Basic Attack on Phelix (4)

Experiment 1. With 225 chosen plaintext pairs with difference in

15 14 the least significant bit of Pi, the values of X i + 1 , 0 ⊕ X i + 1 ,0 of 192 keys among 200 keys are determined correctly.

The success rate is about 0.96. Lower than expected. 15 14 Reason: the other bits of X i + 1 ,0 interfere with X i+1,0 ⊕ X i+1,0

Shifting the one-bit difference, 23 bits of X i+ 1 , 0 are recovered.

K.U. Leuven, ESAT/COSIC 14 5. Improving the Attack on Phelix (1)

Aims: Recovering more key bits and improving the success rate Reducing the number of chosen plaintext pairs

Methods: (i−3) Recovering Z 4 before recovering X i+1,0 Fine tuning of the threshold values in the attack

K.U. Leuven, ESAT/COSIC 15 5. Improving the Attack on Phelix (2)

(i−3) Recovering Z4

1) Introducing difference in the least significant bit of Pi (i+1) (i+1) 2) Y 4 ⊕ Y 4 ′ is heavily biased

K.U. Leuven, ESAT/COSIC 16 5. Improving the Attack on Phelix (3)

(i+1) (i+1) (i+1) (i−3) 3) Since Y 4 ⊕ Y 4′ is heavily biased and S i+ 1 = Y4 ⊕ Z4 , (i−3) the value of the bits of Z 4 affects the distribution of

Si+1 ⊕ Si′+1

(i+1),3 (i+1),2 th 4) When P i ⊕ P i ′ = 1 , for Y 4 ⊕ Y 4 = 0 , the 5 least

significant bit of S i − 3 ⊕ S i′ − 3 is 0 with probability 0.5461; (i+1),3 (i+1),2 for Y 4 ⊕ Y 4 = 1 , this probability is 0.5193 (i+1),3 (i+1),2 14 => Recovering Y 4 ⊕ Y 4 requires 2 plaintext pairs

K.U. Leuven, ESAT/COSIC 17 5. Improving the Attack on Phelix (4)

5) In the attack, we determine the least significant bit of (i−3) first, then proceed to determine the more significant Z4 (i−3) bits of Z 4 by shifting the one-bit difference.

(i−3), j (i−3), j−1 (i−3), j−2 (i−3),0 6) When Z 4 is analyzed, Z 4 Z 4 LZ4 is ′ (i−3), j−1 (i−3), j−2 (i−3),0 subtracted from S i and S i so that Z4 Z4 LZ4 (i−3), j does not interfere with Z 4 . The success rate becomes very close to 1 with small number of plaintext pairs.

K.U. Leuven, ESAT/COSIC 18 5. Improving the Attack on Phelix (5)

17 (i−3) 7) With 2 plaintext pairs, 30 bits of Z 4 (except the two (i−3) most significant bits of Z 4 ) can be determined with success rate about 0.999.

(i−3) After recovering Z 4 , we recover X i + 1 ,0 from the (i+1) (i+1) ′ distribution of Y 4 ⊕ Y ' 4 instead of S i+ 1 ⊕ Si+1 .

K.U. Leuven, ESAT/COSIC 19 5. Improving the Attack on Phelix (6)

(i+1) (i+1) Recovering X i + 1 , 0 from Y4 ⊕Y4′

Due to the interference between the bits of X i + 1 ,0 on the i+1 i+1 distribution of Y 4 ⊕ Y 4′ , we need the fine tuning of the threshold values in the attack.

9 For example, when P i ⊕ P i ′ = 1 , if X i+ 1 , 0 = 0 and the value of 11 10 i+1,13 i+1,13 X i+1,0 || X i+1,0 is 00, 11, 01, 10, then Y 4 ⊕ Y 4 ′ = 0 with prob. 9 0.53033, 0.52334, 0.51946, 0.51864; if X i + 1 ,0 = 1 , the prob. becomes 0.52334, 0.53030, 0.51861, 0.51948. 9 11 10 Y i+1,13 ⊕Y ′i+1,13 => X i + 1 ,0 and X i + 1 ,0 || X i+ 1 , 0 affect the distribution of 4 4 K.U. Leuven, ESAT/COSIC 20 5. Improving the Attack on Phelix (7)

i+1,13 i+1,13 Other bits of X i + 1 , 0 also affect the distribution of Y4 ⊕Y4′

In the attack, we need to tune the threshold value to 0.52035, 11 10 so that the value of X i+ 1 , 0 ⊕ X i + 1 , 0 can be recovered with success rate 0.99 with 221 chosen plaintext pairs.

j+1 j The values of X i + 1 , 0 ⊕ X i + 1 , 0 ( 2 ≤ j ≤ 28 ) can be determined in a similar way

K.U. Leuven, ESAT/COSIC 21 5. Improving the Attack on Phelix (8)

0 The lsb X i+1,0 is recovered in a different way: 16 21 2 chosen plaintext pairs with Pi ⊕ Pi′= 2 (i+1),2 (i+1),2 observing the distribution of Y4 ⊕Y4′

1 0 The second lsb X i+1,0 can be recovered if X i+1,0 = 0 16.4 22 2 chosen plaintext pairs with Pi ⊕ Pi′= 2 (i+1),3 (i+1),3 observing the distribution of Y4 ⊕Y4′

X 2 0 1 The value of i + 1 ,0 can be recovered if X i + 1 ,0 = 0 and X i+1,0 = 0

K.U. Leuven, ESAT/COSIC 22 5. Improving the Attack on Phelix (9)

The above attack recovers 28.75 bits of X i+1,0

After recovering eight consecutive X i + 1 , 0 , 230 key bits are recovered. Considering the error rate of about 0.01, the effective key size is reduced to 41.5 bits.

The attack requires 232.7 chosen plaintext pairs.

K.U. Leuven, ESAT/COSIC 23 6. Improving the Security of Phelix

Problem in Phelix: The plaintext affects the keystream before passing through enough confusion and diffusion operations

Solution 1: plaintext passing through more operations => resulting in slow cipher

Solution 2: using strong one-way function to generate the initial internal state from key and IV => secure against key recovery attack but the leaked internal state allows message forgery

K.U. Leuven, ESAT/COSIC 24 7. Open problems (1)

Open Problem 1.

How to design an efficient stream cipher with embedded MAC, secure against the key recovery attack in the applications where an attacker has the ability to control the nonce generation for a while?

Helix and Phelix are insecure in these applications

K.U. Leuven, ESAT/COSIC 25 7. Open problems (2)

Open Problem 2.

How to design an efficient stream cipher with embedded MAC, secure against the key recovery attack only in the applications where the nonce generation is secure

Helix and Phelix are secure in these applications. But there may be dedicated and more efficient designs

K.U. Leuven, ESAT/COSIC 26 8. Conclusion

1. The computational complexity of the attack against Phelix is 241.5, less than the 288 operations required to break Helix

=> Phelix fails to strengthen Helix in this respect

2. Open problems: Efficient embedded MACs for stream cipher

K.U. Leuven, ESAT/COSIC 27 Thank you!

Q & A

K.U. Leuven, ESAT/COSIC 28