On the Security of IV Dependent Stream Ciphers
Côme Berbain and Henri Gilbert France Telecom R&D
research & development Stream Ciphers
IV-less IV-dependent
key K key K IV (initial value)
number ? generator
keystream keystream plaintext ⊕ ciphertext plaintext ⊕ ciphertext
e.g. RC4, Shrinking Generator e.g. SNOW, Scream, eSTREAM ciphers
well founded theory [S81,Y82,BM84] less unanimously agreed theory
practical limitations: prior work [RC94, HN01, Z06] - no reuse of K numerous chosen IV attacks - synchronisation - key and IV setup not well understood
IV setup – H. Gilbert (2) research & developement Orange Group Outline
security requirements on IV-dependent stream ciphers
whole cipher
key and IV setup
key and IV setup constructions satisfying these requirements
blockcipher based
tree based
application example: QUAD
incorporate key and IV setup in QUAD's provable security argument
IV setup – H. Gilbert (3) research & developement Orange Group Security in IV-less case: PRNG notion
m K∈R{0,1} number truly random VS generator g generator g
g(K) ∈{0,1}L L OR Z ∈R{0,1}
1 input
A 0 or 1
PRNG A tests number distributions: Adv g (A) = PrK [A(g(K)) = 1] − PrZ [A(Z) = 1]
PRNG PRNG Advg (t) = maxA,T(A)≤t (Advg (A))
PRNG 80 g is a secure cipher ⇔ g is a PRNG ⇔ Advg (t < 2 ) <<1
IV setup – H. Gilbert (4) research & developement Orange Group Security in IV-dependent case: PRF notion
stream cipher perfect random fct. IV∈ {0,1}n function generator VSOR g* gK G = {gK}
gK(IV)
q oracle queries
• A 0 or 1
PRF gK g* A tests function distributions: Adv G (A) = Pr[A = 1] − Pr[A = 1]
PRF PRF Adv G (t, q) = max A (Adv G (A))
PRF 80 40 G is a secure cipher ⇔ G is a PRF ⇔ Adv G (t < 2 ,2 ) << 1
IV setup – H. Gilbert (5) research & developement Orange Group Structure of the stream ciphers considered here
IV (n bits)
key & IV K setup typical KG structure initial state (m bits)
state transition keystream function generation λ iterations output function
keystream (L bits)
IV setup – H. Gilbert (6) research & developement Orange Group Security: sufficient conditions
IV IV
key & IV F = {fK} setup is a PRF
initial state ⇒ G = {g ο fK} is a PRF keystream g generation is a PRNG
keystream keystream
[informally]: the key & IV setup is a PRF and the keystream generator is a PRNG ⇒ the whole stream cipher is secure
IV setup – H. Gilbert (7) research & developement Orange Group This is due to a simple composition theorem
Composition of {fK} and g function F = {f } generator K ≡ G = {g ο fK} number g generator (comp. time Tg)
PRF PRF PRNG Composition Theorem: Adv G (t,q) ≤ Adv F (t',q) + qAdv g (t')
where t' = t + qTg
IV setup – H. Gilbert (8) research & developement Orange Group Key & IV setup = PRF is "almost" a necessary condition
IV (n bits) F = {f } K time TK&IV (key and IV setup) initial state (m bits)
g time TKG (keystream generation)
m first keystream bits
TK&IV + TKG ≥ TPRF
(where TPRF is the time needed by the fastest n-bit to m-bit PRF)
For a fast cipher,TKG is small, so TK&IV cannot be much lower than TPRF
IV setup – H. Gilbert (9) research & developement Orange Group Key & IV setup: candidate PRF constructions
Block cipher based (not detailed here) Examples: LEX (based on AES), Sosemanuk (based on Serpent)
Pros: more conservative than many existing constructions
Cons: heterogeneous construction ⇒ increased implementation complexity (except for LEX)
Tree based (detailed in the sequel)
Example: QUAD
Conducting idea: re-use essentially the same PRNG as in the keystream generation
Pros: low implementation complexity Cons: relatively slow
IV setup – H. Gilbert (10) research & developement Orange Group Tree based construction [GGM86]
m-bit to 2m-bit PRNG f ⇒ n-bit to m-bit PRF F = {fy} y (parameter)
(m bits) f x1 = 0 0 1 f f f x = 1 0 1 (2m bits) 2 f f x3 = 1 0 1 x f f (input) f xn-1= 0 0 1 f f x = 1 n 0 1
fy(x) PRF PRNG Theorem[≈GGM86]: Adv F (t,q) ≤ nqAdv f (t')
where t' = t + q(n+1)Tf
IV setup – H. Gilbert (11) research & developement Orange Group Tree based key & IV setup truncated IV-less cipher⇒ key and IV setup K
m-bit state f IV1 0 1 f f f IV 0 1 2 m-bit sequence 2 f f IV3 0 1 IV f f (input) f
IVn-1 0 1 f f IVn Is this practical? 0 1 f (IV) Cons: relatively slow. If |IV|=80 bits and |state|=160 bits, K key & IV setup ≡ generation of 3200 keystream bytes Pros: very low extra implementation complexity in hardware
IV setup – H. Gilbert (12) research & developement Orange Group The Stream Cipher QUAD [BGP06]
Based on the multivariate quadratic problem (MQ) Given a system of m quadratic equations in n variables over GF(q)
k k k Qk (x1 ,..., xn ) = ∑αi,j xi x j + ∑βi xi + γ = yk ,k = 1,...,m i≤j i Find a solution n (if any) x = (x1 ,..., x n ) ∈ GF(q)
NP hard even over GF(2) best solving algorithms so far are exponential [Faugère, Bardet]
QUAD iterates a fixed quadratic function S
S keystream
IV setup – H. Gilbert (13) research & developement Orange Group QUAD: keystream generation
n internal state: x = (x1 ,..., xn ) ∈ GF(q) fixed public quadratic function S: n var., m = tn eq. (typically 2n eq.)
(n bits)
q = 2 S
recommended parameters: q=2, n=160 bits, t=2
IV setup – H. Gilbert (14) research & developement Orange Group Security argument for the keystream generation
Keystream generation, GF(2) case
initial state (n bits)
number λ iterations of S generator g
keystream (L bits)
Th [BGP06]: in the GF(2) case, if there exists a distinguisher for g allowing to distinguish a sequence of L = λ ( t − 1 ) n keystream bits associated with a random quadratic systems S and a random initial state value x in time T with advantage ε, then there is an MQ solver that n2λ2T ε solves a random instance of MQ in time T'≅ O( ) with probabilityε'= . ε2 22 λ
Example of application: q=2, n = 350 bits, t = 2, L=240, T=280, ε = 1% (no such concrete reduction for the recommend value n = 160)
IV setup – H. Gilbert (15) research & developement Orange Group QUAD: Key and IV Setup
uses two public quadratic functions S0 and S1 of n eq. in n var. each
set x with the key K
for each IV bit IVi: tree based construction • if IVi = 0 then update x with S0(x)
• if IVi = 1 then update x with S1(x)
runup: clock the cipher n times without outputting the keystream typical key and IV lengths: 160 bits each
IV setup – H. Gilbert (16) research & developement Orange Group Extending the proof to the whole cipher
Whole cipher, GF(2) case
IV (n bits) t =2 L + n 2 function λ iterations of S (λ = ) G={gofK} generator n keystream (L bits)
Th: in the GF(2) case, if there exists a (T,q) PRF-distinguisher for the family G of IV to keystream functions associated with a random key and a random quadratic systems S with PRF-advantage ε, then there is an MQ solver that solves a random instance of MQ in time n2λ2q2T ε T'≅ O( ) with probability at least ε ' = 3 . ε 2 3.2 qλ
Example of application: q=2, n = 760 bits, t = 2, L=240, T=280, ε = 1%
IV setup – H. Gilbert (17) research & developement Orange Group Conclusions
Requirements: a PRF is needed
Conservative IV setup
seems demanding w.r.t. computational complexity
is not demanding w.r.t. implementation complexity
"Provable security" can be extended to IV-dependent stream ciphers
IV setup – H. Gilbert (18) research & developement Orange Group