On the Security of IV Dependent Stream Ciphers

Côme Berbain and Henri Gilbert France Telecom R&D

{[email protected]}

research & development Stream Ciphers

„ IV-less „ IV-dependent

key K key K IV (initial value)

number ? generator

keystream keystream plaintext ⊕ ciphertext plaintext ⊕ ciphertext

„ e.g. RC4, Shrinking Generator „ e.g. SNOW, Scream, eSTREAM ciphers

„ well founded theory [S81,Y82,BM84] „ less unanimously agreed theory

„ practical limitations: „ prior work [RC94, HN01, Z06] - no reuse of K „ numerous chosen IV attacks - synchronisation - key and IV setup not well understood

IV setup – H. Gilbert (2) research & developement Orange Group Outline

„ security requirements on IV-dependent stream ciphers

„ whole cipher

„ key and IV setup

„ key and IV setup constructions satisfying these requirements

„ blockcipher based

„ tree based

„ application example: QUAD

„ incorporate key and IV setup in QUAD's provable security argument

IV setup – H. Gilbert (3) research & developement Orange Group Security in IV-less case: PRNG notion

m K∈R{0,1} number truly random VS generator g generator g

g(K) ∈{0,1}L L OR Z ∈R{0,1}

1 input

A 0 or 1

PRNG A tests number distributions: Adv g (A) = PrK [A(g(K)) = 1] − PrZ [A(Z) = 1]

PRNG PRNG Advg (t) = maxA,T(A)≤t (Advg (A))

PRNG 80 g is a secure cipher ⇔ g is a PRNG ⇔ Advg (t < 2 ) <<1

IV setup – H. Gilbert (4) research & developement Orange Group Security in IV-dependent case: PRF notion

stream cipher perfect random fct. IV∈ {0,1}n function generator VSOR g* gK G = {gK}

gK(IV)

q oracle queries

• A 0 or 1

PRF gK g* A tests function distributions: Adv G (A) = Pr[A = 1] − Pr[A = 1]

PRF PRF Adv G (t, q) = max A (Adv G (A))

PRF 80 40 G is a secure cipher ⇔ G is a PRF ⇔ Adv G (t < 2 ,2 ) << 1

IV setup – H. Gilbert (5) research & developement Orange Group Structure of the stream ciphers considered here

IV (n bits)

key & IV K setup typical KG structure initial state (m bits)

state transition keystream function generation λ iterations output function

keystream (L bits)

IV setup – H. Gilbert (6) research & developement Orange Group Security: sufficient conditions

IV IV

key & IV F = {fK} setup is a PRF

initial state ⇒ G = {g ο fK} is a PRF keystream g generation is a PRNG

keystream keystream

[informally]: the key & IV setup is a PRF and the keystream generator is a PRNG ⇒ the whole stream cipher is secure

IV setup – H. Gilbert (7) research & developement Orange Group This is due to a simple composition theorem

„ Composition of {fK} and g function F = {f } generator K ≡ G = {g ο fK} number g generator (comp. time Tg)

„ PRF PRF PRNG Composition Theorem: Adv G (t,q) ≤ Adv F (t',q) + qAdv g (t')

where t' = t + qTg

IV setup – H. Gilbert (8) research & developement Orange Group Key & IV setup = PRF is "almost" a necessary condition

IV (n bits) F = {f } K time TK&IV (key and IV setup) initial state (m bits)

g time TKG (keystream generation)

m first keystream bits

TK&IV + TKG ≥ TPRF

(where TPRF is the time needed by the fastest n-bit to m-bit PRF)

For a fast cipher,TKG is small, so TK&IV cannot be much lower than TPRF

IV setup – H. Gilbert (9) research & developement Orange Group Key & IV setup: candidate PRF constructions

„ Block cipher based (not detailed here) Examples: LEX (based on AES), Sosemanuk (based on Serpent)

Pros: more conservative than many existing constructions

Cons: heterogeneous construction ⇒ increased implementation complexity (except for LEX)

„ Tree based (detailed in the sequel)

Example: QUAD

Conducting idea: re-use essentially the same PRNG as in the keystream generation

Pros: low implementation complexity Cons: relatively slow

IV setup – H. Gilbert (10) research & developement Orange Group Tree based construction [GGM86]

m-bit to 2m-bit PRNG f ⇒ n-bit to m-bit PRF F = {fy} y (parameter)

(m bits) f x1 = 0 0 1 f f f x = 1 0 1 (2m bits) 2 f f x3 = 1 0 1 x f f (input) f xn-1= 0 0 1 f f x = 1 n 0 1

fy(x) PRF PRNG Theorem[≈GGM86]: Adv F (t,q) ≤ nqAdv f (t')

where t' = t + q(n+1)Tf

IV setup – H. Gilbert (11) research & developement Orange Group Tree based key & IV setup truncated IV-less cipher⇒ key and IV setup K

m-bit state f IV1 0 1 f f f IV 0 1 2 m-bit sequence 2 f f IV3 0 1 IV f f (input) f

IVn-1 0 1 f f IVn Is this practical? 0 1 f (IV) Cons: relatively slow. If |IV|=80 bits and |state|=160 bits, K key & IV setup ≡ generation of 3200 keystream bytes Pros: very low extra implementation complexity in hardware

IV setup – H. Gilbert (12) research & developement Orange Group The Stream Cipher QUAD [BGP06]

„ Based on the multivariate quadratic problem (MQ) Given a system of m quadratic equations in n variables over GF(q)

k k k Qk (x1 ,..., xn ) = ∑αi,j xi x j + ∑βi xi + γ = yk ,k = 1,...,m i≤j i Find a solution n (if any) x = (x1 ,..., x n ) ∈ GF(q)

„ NP hard even over GF(2) „ best solving algorithms so far are exponential [Faugère, Bardet]

„ QUAD iterates a fixed quadratic function S

S keystream

IV setup – H. Gilbert (13) research & developement Orange Group QUAD: keystream generation

n „ internal state: x = (x1 ,..., xn ) ∈ GF(q) „ fixed public quadratic function S: n var., m = tn eq. (typically 2n eq.)

(n bits)

q = 2 S

„ recommended parameters: q=2, n=160 bits, t=2

IV setup – H. Gilbert (14) research & developement Orange Group Security argument for the keystream generation

„ Keystream generation, GF(2) case

initial state (n bits)

number λ iterations of S generator g

keystream (L bits)

„ Th [BGP06]: in the GF(2) case, if there exists a distinguisher for g allowing to distinguish a sequence of L = λ ( t − 1 ) n keystream bits associated with a random quadratic systems S and a random initial state value x in time T with advantage ε, then there is an MQ solver that n2λ2T ε solves a random instance of MQ in time T'≅ O( ) with probabilityε'= . ε2 22 λ

„ Example of application: q=2, n = 350 bits, t = 2, L=240, T=280, ε = 1% (no such concrete reduction for the recommend value n = 160)

IV setup – H. Gilbert (15) research & developement Orange Group QUAD: Key and IV Setup

„ uses two public quadratic functions S0 and S1 of n eq. in n var. each

„ set x with the key K

„ for each IV bit IVi: tree based construction • if IVi = 0 then update x with S0(x)

• if IVi = 1 then update x with S1(x)

„ runup: clock the cipher n times without outputting the keystream typical key and IV lengths: 160 bits each

IV setup – H. Gilbert (16) research & developement Orange Group Extending the proof to the whole cipher

„ Whole cipher, GF(2) case

IV (n bits) t =2 L + n 2 function λ iterations of S (λ = ) G={gofK} generator n keystream (L bits)

„ Th: in the GF(2) case, if there exists a (T,q) PRF-distinguisher for the family G of IV to keystream functions associated with a random key and a random quadratic systems S with PRF-advantage ε, then there is an MQ solver that solves a random instance of MQ in time n2λ2q2T ε T'≅ O( ) with probability at least ε ' = 3 . ε 2 3.2 qλ

„ Example of application: q=2, n = 760 bits, t = 2, L=240, T=280, ε = 1%

IV setup – H. Gilbert (17) research & developement Orange Group Conclusions

„ Requirements: a PRF is needed

„ Conservative IV setup

„ seems demanding w.r.t. computational complexity

„ is not demanding w.r.t. implementation complexity

„ "Provable security" can be extended to IV-dependent stream ciphers

IV setup – H. Gilbert (18) research & developement Orange Group