Quick viewing(Text Mode)

Improved Cryptanalysis of the Stream Cipher Polar Bear

Improved Cryptanalysis of the Stream Cipher Polar Bear

中国科技论文在线 http://www.paper.edu.cn C h inese Journa1 of E lectron ics V o1.16,N o.3,July 20 07

Im proved C ryptanalysis of the Stream C ipher P olar B ear冰

H U A N G X iaoli1,2 and W U C huankun1 (1.The S tate K ey Laboratory of Inform ation Security,Institute of S oftw aFe, C hinese A cadem y of Sciences,Beijing 1 00080, C hina) (2.Graduate S chool of C hinese A cadem y of Sciences,Beijing 1 00080, C hina)

A b stract ---—— T his PaP er gives a guess-and-.determ ine th e first ev alu a tio n ro u n d ,i.e.,th e eS T R E A M w ish es to carry attack against p olar b ear,w hich is one of th e cand idate p o lar b ea r to th e se con d p h as e o f it. st r e a m s o f e STREA M . V le cho s e thr e e diffler e n t T here are m any attacks ap plicable to stream ,such c le a r t e xt gro u p s unde r differe n t ass u m p t io n s , a nd only as recovery attac ks[¨ lin ear cry p tan aly sis[7。,a lge b raic considered the flrst th ree cy cles in each grou P.Som e values , attac k s[ ,引 d istin g u ish in g a tta ck s [2,1 11 a n d so o n . . L a t e ly J . in each gro uP w ere recovered through k now n constant va l— M a ttsso n [101 a n d M H asanzadeh e£以 【9】presented guess—and- u es an d som e relation s in th e p revious and current g rou ps. . W _e recover th e in itial state of p olar bear com pletely w ith determ ine attacks on polar b ear w ith tim e com plexity O (2 ) tim e com plex ity 0 (236·80).In this respect,our results are and O (2 · ) resp ectively. m ugh better than that of the tw o recent attacks w hose tim e W e use a g uess—an d-determ ine attack on p olar bear.W e com plexities ar e 0 (2 0) and 0 (2 · ) resp ectively.O ur at— re d u ce th e a tta ck tim e co m p ity to O f2 00· 0 ) w h ich is m u ch tack is bas ed on know n p laintex t scenar io w h ich requ ires kn ow ledge of three d ifierent clear text grou ps,w h ere the low er th an th at in R efs.1 10 ,91.W e ch o se th ree different plain— flrst 12 bytes of each grou P cleartext n eed to be know n . text groups bas ed on different as sum ptions,and only consid— ered th e first th ree cy cles in each gro u p .T h en m ad e a gu ess o n K ey w ords —— C ryptan alysis,P olar b ear,S tream ci- tw o in te r n a l—s t a t e v a lu e s in t h e firs t g ro u p .an d o b t a in e d so m e p her,G uess-and-determ ine attack ,eS T R E A M . oth er in tern a l—state valu es.T h en m a d e a g uess on on e intern a1. state value in the second grou p.O n th e bas is of the obtained I.Introdu ction values an d som e relations in the first tw o groups.som e other values w ere com puted.In the third group,w ithout any guess Stream cip hers are im p ortant sym m etric sys— w e com p uted the rem aining unk now n initial—state values bas ed tern .M an y strea m ciph ers are used w id ely in rea l lire su ch as o n th e o bta ine d va lue s in th e first tw o gro u p s. th e strea m cip h er E 0 Lf】.w h ich is u se d in th e B lu eto oth tech — n o lo g y fo r w ire les s c o m m u n ic a t io n s .H o w t o d e s ig n se c u re a n d fast stream ciphers has been a h ot research topic.M any old II.D escrip tion of P olar B ear strea m cip h ers ,w h ich w ere co n sidered se cu re a t earlier tim e , L et lI,0 ,田 denote concaten ation ,bit—w ise m odulo-2 ad — a re fo u n d to b e in sec u re la ter d u e to m o re e ffi c ien t cry p ta n al— dition.and ad d ition m odulo 2 resp ectively. L et + and . y sis.S o co ntin u o us effo rts to ca ll for sec ure an d fas t stream den ote addition and m ultip lication operations in the finite c iph ers h av e b ee n m a d e in recen t y ea rs . field G F (2 1 respectively.For sim plicity ·一m ay be om itted. In 1999 the E uropean C om m ission launched a project B yte/word are used to denote S/16一bit quantities resp ectively. N E S SIE 【 J. T he m ain objective of the project w as to p ut If a,b,c are bytes,in allbllc,a is the m ost sign ificant byte etc. forw ard good stream cip hers that w ere obtained after an op en L et Ts den ote the R ijndaelt~J S—box.If w = W l I1w2 is a 2-byte call and evaluation .B ut after seversl evaluation rounds.no w ord,then (叫)denotes Ts(叫1)IIT8(~ 2). strea m ciph ers are selected b ec au se o f insu ffi cient se cu rity .In P olar bear is a synchr onous . It uses a 7一 2004,E C R Y P T -E uropean netw ork of excellence fo r cryptol- w ord Linear feedbac k (LF SR 、R 0 and a 9一word ogy.started a new stream cipher project eST R E A M [ .It is L F SR R .T hese are view ed as acting over G F (2 1.B esides a m ulti—year e肋 rt to select new and secure enough stream the se reg iste rs.th e in tern a l sta te o f th e c ip h er a lso d ep e n d s o n ciphers that m ay becom e suitable for w idesp read adoption . a w ord quantity S and a dynam ic perm utation of bytes D 8. P o la r b e a r tsJ is o n e o f th e c a n d id a t e st r e a m c ip h e r s o f e S . T he cip her is m ainly designed for a 128.bit keY an d 256.bit T R E A M .It w as claim ed to be suitable for both softw are and internal state.T he Initial vector (IV ) can b e any num ber of h ar d w are im p lem en ta tio n .P o lar b e ar b elo n g s to P h as e 2 a fter bytes up to a m axim um of 3 1.

M a nu script R eceived J uly 200 6 ;A ccep ted A p r.2007 .T h is w o rk is sup po rted by th e N ation al N atu ral Scien ce Fo un d ation o f C h in a (N o.60673068) and the C hina N ational 973 P rogram (N o.2oo4c B 3l8oo4). 转载 中国科技论文在线 http://www.paper.edu.cn Chinese Journal of Electronics Electronics Chinese Journalof 2007

On each messageto be processed.the cipher initializedis cycles,R。is three (1)In first the stepped2,3,3 steps by taking the expanded key,interpreting the IV as a cleart— orderly and R isstepped 2,2,2steps orderly.Because S is ext blockand modified applyingroundslightly a five Rijndael initializedto 0,the cycle first of registers alwaysis clocked 2 encryption with block length 256.The resulting cipher text steps. block isloaded into R0 and R .D8 and S are initializedto Thereforethe probability that this assumption can be met equal to and zero respectively. The two LFSRs are first 0.5 is : 2一 . irregularly clocked through S.Two selectedwords fromeach for different.Thea;are probability 8 all first the (2)Let ofR0 and R arerun through Ds to produce4 bytes output. this is Then selected entries in D8 are swapped. Finally S and R are modified inpreparation for the next output cycle. 2 ×(2 一1)×...×(2 一7)/(2 ) ≈0.90 N ext state function Let l0= 7 and Z1= 9 be the (3)Let the following 16 a are all different.The probabil— different.Theprobabil— aall 16 are following the (3)Let lengths of the registers.R the 2+(【S/2stepped of is lengths mod2) J ityfor this is steps,where【s/2H morenot integer largest the denotes J thanS/2 .Andfollowing: the of consists stepeach 2 ×(2 一1)×⋯ ×(2 一15)/(2 ) ≈0.62 ·Set f +-- ·Setf +-- 。+Rt ,where, 0 。areconstants,J = 1 andJ = 5: The probabilitythat the three assumptions are allmet is ·SetR;+--R;+l'J=0,1,·一,f 一2; about 2一 × 0.90× 0.62≈ 2一 · . ·FeedbackR;一】 ,. assumptionsweguess瞒 Basedthese on andR 0.R and Afterstepping the two registers,do the following steps first from瞒 calculated beRgcan Ri0.Once and stages four the for i= 0.then repeat fori= 1. R ,R2,威andknown,T are R}0 known.Because fol— is the (1)d lla lIa lla lla lIa (1)d lla (R 一 ,R。t一2). lowing 16a aredifferent.T all caxlbe regarded as aconstant (2)Let (2)Let =Ds(a~),J=0,1,2,3. during the followingtwo cycles.The notation T usedstill is (3)Swap elements in Ds (3)SwapDs(aby in elements ) ,Ds(ai) , to denote Ds duringthe followingtwo cycles. Ds(a~)卜俄,Ds(a~) i. possible瞒 all through 0(2。 takes ) R}0Searching and Next, time.The successful probability of this attack step is about ·UpdateS accordingtoS S田 ll . 2一 ’ .Sothe time complexityof the firststep for successful ·UpdateR。according to磁 磁 田 ll 0(2。。· is attack and、.Therela- output groupinternal first where bj= where 0田.Output generation Output four bytes bo[[bzll62lIb3 tions and nonlinear update ofthe three first cycles under our assumptions are shown in Table 1.For the detailed process Let denote the ith output word,i = 0,1,that is, ofgetting other values,see Table 4.Table 4 means that we Z0=b0lIblandZ1=62lIb3. useknown caa-1 words and Table..cycle..relationto getdeduced Ifmore output bytes areneeded,go back andrepeat the wordsin each step. above process. In thesecond attackstep we choose the second cleartext group whichdifferent is fromthe group.W first make le three assumptions similarto those ofthe group.0nly first the first III.Description ofthe Attack assumption different is fromthat ofthe group.Thefirst first Let( 一1,R;+f +f 一2,·一, R oft )be state theafter assumptionas follows:Inis the threefirst cycles. stepped is steps ofprocessing,where theli is length of R . denotes 2,3,3 steps orderly and R is stepped 2,3,2 steps orderly. after update.Let z ,begroup,tththeith andcycle jth As statedbefore,the probabilitythat this assumption can be , m etis 2-4 outputword,1 i 3,1 t 3,0 J 1.Tomake simple, . let letT= Ts andT bethe permutation Ds afterthe cycle. first Theprobability that allthe three assumptions aremet is An importantobservation that is no matterhow each cy_ about 2一 ’ . cle of Ro is clocked,鹋,R2,.一,R24 Ro is of cle because constants are weR§.Under guess step this In and theobservation our

, R2,.一,磁,R9, matter no that and R9,Roconstants are assumptions,wethree caD_recover some otherR:through the howeach cycle of R clocked,R is constant is becauseentries obtainedvalues and some relationsin thetwo first groups and in R arenot modifiedapart from the LFSR stepping.Based possible威 磁all 0(216). is trying .Theof complexity time on this observation,first we choose the first cleartext group Thesuccessful probability of this step aboutis 2一 ‘ .There— and makethree assumptions as follows: 0(2 。·。、. is step attack second the of complexity time the fore

Table 1.T he first group relations ofthe first three cycles under our assum ptions Cycle R o Relations R Relations Output relations R 。 Nonlinear update l l (1)R0=0oRo+ 。no (3)R =01R + R6 (5) }.0= (Rg)0 (R}0) (7) R :砩 田T(R1) (2)no: 0ono+ 。no (4)R}0=01R3+ R} (6) }.1= (R9)0 ) (R (1)R3=0o + 。 2 2 (2) 0=00R2+ 。R3 (4)R{1=0 R{+ R5 (6)z}.0=T T (R}2) (no1)0 (8) R 0=R00田 (R}1) (3)R0 1=00no+ (3)R0 。R0 (5)R}2=01R5+ R5 (7) 1= (R20)0 (R}1) (1)R02=8。R2+ 。飕 3 3 (2)R23:p。 R + 。R2 (4)R}3:p R5+ Rj }.0= (6) (R24)0 (R}4) (8) Ro3=Ro3田 (R} ) (3)R 4:p。R2+(3)R 。 R (5)R}4=p R}0+ 磁 (7) }.1= (R23)0 (R}3) 3 中国科技论文在线 http://www.paper.edu.cn

Improved Cryptanalysisof the Stream Cipher PolarBear 441

Table 2. T he second group relations of the first three cycles under our assum ptions Cycle Ro Relations R 1 Relations O utput relations R。 Nonlinear update 1 1 }R =0oR(1: + 。R8 (3)R =0 R{+ R6 (5)z!.0:T(R2)0 T(Ri0) no=no田T(R5) (7) (6) (6) (2: no=0ono+(2: 0no (4)Ri0=01R6+ Ri . 1:T(R )0T(R5) (1 (1 R3=0oR3+ 。R2 (4)Ri1=0 R{+ R{ 2 2 no0 (2 00no+ 0no (5)Ri2=01R{+ R5 (7) .0=T (Ri3) T Ro(n01)0 (9) 0=no0田T (Ri2) (3 no1:00R0+(3 。R2 (6)R{3:0 R + Rj (8)z;.1=T (Ri2) T (R20)0 (1 (1 no2:0oRg+ 。Rg 3 3 Ro3 (2 00 no+ 0no (4)Ri4:0 Ri0+ R{ (6)z;.0:T (Ri5) T no(R?4)0 (8) 3=no3田T (Ri4) (3. R 4:0o磺+ R (3. 鹋 (5)Ri5:01Ri1+ R (7) :1:T(Ri4) T (R23)0

Cycle R0 Relations R1 Relations Output relations R 。 Nonlinear update (1)R = R + 。R8 (3)R =01R{+ R (5) ,0:T(R2)0T(冗i0) 1 (2)no=0ono+ 。no (4)Ri0=p R3+ Ri (6) .1:T(R )0T(冗5) Ro=Ro田T(R5) (7) 2 2 (1)no=00no+ 。no (3)Ri1:0 R}+ R5 (2)R00:00R0+ 。no (4)Ri2:01R{+ R{ (6)瑶。0:T T (Ri3) (R?0)0no=no田T(8) (Ri ) ) (5)R 3=0(5)R R + R (7)瑶,1=T (Ri2) T(R3)0 2 (1) (1) 1:0o硝+ R2 (4)R}4:0 R}0+ R{ 3 3 (2)no2=00no+ 。no (5)Ri5:01Ri1+ R6 (7)召,0:T (Ri6) T (R23)0 no(9) 2=R02田T (Ri5) (3)R 3:0。 (3)R Ro+ 。no (6)R6:0 R2+ R{ (8)召.1:T (Ri5) T (n02)0

Thesecond group internal and output relations and nonlinear update ofthe first three first cycles under our assumptions S K nown Table-cycle Deduced K nown Table-cycle Deduced areshown inTable 2.Forthe detailed tep Step words .relation words words .relation words processof getting other values.seeTa. 1 碟 1-1一(6),(7) , 16 R , 2-3-(5) 碟 ble 4. 2 科。 1-1-(5) 17 R。,磁 2.1-(4) R In the last attackstep we choose 3 , 1—3-(3) R4 18 礤,R 2—2一(5) 磷 the third cleartext group which isdif- 4 R 1—3-(6) R{4 19 R 3-2-(7) 硝 ferent from the firsttwo groups. Ⅵ 5 ,科。 1-3-(5) 碟 20 R3 3—3-(7) R。 m akethree assumptions similarto the 6 碟 , 1-1一(3) 础 21 。,R 3-3-(6) R 7 7 R}4 2—3一(7) R3 22 ,R 3—2-(3) first firsttwogroups.The lasttwo assump- 8 R0。 1-3-(7) R}3 23 R}5 3-3-(8) R tionsare the sameas those ofthe first 9 科。,瑞 2-2-(6) 24 R , 3-3一(2) two groups.The assumptionfirst asis 10 R3 2—2一(7) R 25 , 3-3-(1) R2 follows:In the threefirst cycles,R0 is 11 R1 1—2一(6) R}2 26 ,Ron 3-2-(2) stepped 2,2,3 stepsorderly and R is 12 R2 2—2-(8) RUn 27 , 3-2一(1) 13 13 Ru 1—2-(7) Rl 28 ,磷 3-1一(2) stepped2,3,3 steps orderly.The prob- 14 14 R。, 础 2—3一(2) 29 R ,硝 3-1-(1) abilitythat thisassumption can be met 15 R4 2-3一(6) Ri5 js js 2—4 .

Thep ro bability that theall three assumptions are met is 12 first byteseachof group

. , about 2一 ·85 . In this step no value isguessed. Under our observation IV.Com parisonof Our Attackwith the and the three assumptions,we can recover allthe values of K nown Attacks 瑞 , ,⋯,磁 and础 ,Ri,⋯,磁 onob- thebased finally tained values in the first two groups.So we have recovered Upto now,themost known papers on of po- the initialstate of registers.The successful probability of this lar bear are Refs.[9】and【10].They are bear lar guess-and-determine use stepabout is 2一 ‘ .Sothe time complexity of the last attack attack.Theyhave thesame attackprinciple,i.e undersom e ., step is 0(2 is step ).Therela- and output internal group third assumptions with certain probability a few unknown R are tionsand nonlinear update of the threefirst cycles under our guessedthen future calculated is or the initialstate assumptionsare shown in Table3.For thedetailed process of is isrecovered. recoveringthe registers’initial state,see Table 4. In Ref.[1O],the author made three assumptions similar to to similar assumptions madeRef.[1O],the Inauthorthree The time complexity of our attack is the sum of allthe ours. The different one isthat in each first six cycles R。 , three-steptime complexities.That is,thecomplexity about is and R are always stepped for 2 steps.The author guessed 236.85+22o·85+ 24·B5≈ 236·86 . Ourinitial-state recoverv attack re of state 瞒internal the ,recovered then R13 and 0,R11 is basedis on known plaintext scenario which needs toknow the isters,S and D8 aftersix cycles.Hencefuture keystream can 中国科技论文在线 http://www.paper.edu.cn

442 ChineseJournal o/Electronics 2007

be calculated completely.In Ref.[9】1 the authors made the as— as— madethe authors the completely.InRef.[9】1 calculated be N.Courtois.“Fast algebraic attack on stream ciphers with lin- sumptions that in the first 8 cycles R。 isstepped 2 steps in feedback”,Proc.olAdvances ear Cryptology(CRYPTOin , Santa Barbara,California,USA,Lecture Notes in Computer each cycle,R stepped is 2,3,3,3,3,2,3,2 steps orderly Science 2729,PP.176-194,2003. andthe all 64 :aredifierent.Based on theassumptions,the N. Courtois, W . M eier, “Algebraic attacks on stream ci- authors guessed Ri8 and Ri9 then recovered the initial state state initial the recovered Ri8 thenRi9and guessed authors phers with feedback”.Proc.ol linear Advances in Cryptology ofregisters. (EUROCRyPT ,Warsaw,Poland,Lecture Notes in Com- In our attack,we absorb the attack principle ofthe two puter Science 2656,PP.345-359,2003. papers.But we use some techniques whichreduce the attack J.Daemen,V.Rijmen, Design Rijndael,Springer-Verlag,e ol time complexity.One thatis three different plaintextgroups Berlin,G ermany,2002. eSTREAM. the ECRYPT Stream Cipher Project. are chosen. The second isthat onlythe firstthree cycles in http:// ww·ecrypt·eu·org/stream/· each step are considered. The third is that we recover some J.D. Golid,V . Bagini,G . M orgari,“ of valuesin each stepusing some known constant values andre- stream cipher”.Proc. ol Advances in Cryptol— lations in the previous and current steps.In the stepfirst we oqY(EUR0GRYPT'02、,Amsterdam TheNetherlands,Lecture guess瞒R:o.In and guess weonly step second the .In Notes in Computer Science 2332,PP.238—255,2002. J.H ~stad,M . N~slund, “The stream cipher '’, the thirdstep novalue guessed.Using is the all techniques we eSTREAM , the ECRYPT Stream Cipher Project,Report finallyrecover the initial state of registers.AU the techniques 2005/021,2005.http://www.ecrypt.eu.org/stream/. decreasethe attacktime complexity largely.The comparison M . Hasanzadeh, E. Shakour, S. K hazaei, “Improved ofour attackresult with the twoknown attacks asis in Table cryptanalysis of polar bear” e State ol the Art ol 5. Stream CiphersSASC’06、,Leuven I Belgium Feb 2006. http://www.ecrypt.eu.org/stvl/sasc2006/. 【10】J. Mattsson, “A guess-and-determine attack on the Table 5.C om parison ofour attack result stream cipher polar bear”, The State ol the Art oI w ith the know n attacks 3 4 5 6 7 8 9 Stream Ciphers(SASC'0 ,Leuven,Belgium,Feb. 2006. Attack by Our Ref.[10】 Ref.[9】 http://www.ecrypt.eu.org/stvl/sasc2006/. Required cleartext A .M aximov.“Cryptanalysis of the ‘’family of stream l 36 24 32 【1l】 ength(byte) ciphers”,Proc. the 2006 ACM Symposium on Informa— Timecomplexity 0(2。。· 。、 0(2 。、 0(2 、· tion,Computer and CommunicationsSecurity(ASIACCS’oo), Taipei,Taiwan, China, New York: ACM Press,PP.283-288, 2006. 【12】 NESSIE,New European Schemes for Signatures,Integrity,and V .Conclusion Encryption.http://www.nessie.eu.org/nessie/. H U A N G X iaoli was born in 1978 W epresented a guess-and-determineattack offpolar bear. in Hubei Province.She received M .S.de- Using sometechniques,we recovered the initialstate ofreg- gree in algebra and coding at School of isters with time complexity0(2。。· isters 。),which much is better M athematics and Statistics.Wuhan Uni- than that of thetwothan knownof that Refs.f91andin as attacksf101.All versity in 2004. She is currently a Ph.D.逮豆 candidate ofInstitute of Software.Chinese the attackresults show that Polar Bear has weakness and is Academy of Sciences and Graduate School not secure enough.As Refs.【9】and【10],initializingsecure in not stated of Chinese Academy of Sciences.Her cur— the dynamic permutation ofbytes Ds to a key dependent or rent research interests include design and key-IVdependent S-box can preventthis weakness. analysis of stream cipher algorithm s. Acknowledgm entWe thank the anonymousreferees for W U Chuankan was born in 1964 their helpful comm ents. in Shandong Province.He received Ph.D. degree in engineering in 1994. H e is cur— rently a professor at Institute of Software, References ChineseAcademy ofSciences.He served as a Program Com m ittee M ember,Program 【1】C.Berbain,H.Gilbert,A.Maximov,“Cryptanalysisgrain”,of Com m ittee Chair,or Organizing Com m it. The State theof Art oI Stream Ciphers(SASC 06、 Leuven. teeChair foranumber ofinternational con— Belgium.Feb.2006.http://www.ecrypt.eu.org/stvl/sasc2006/. ferences.He isa member of International 『2l 『2l D.Coppersmith,S.Halevi,C.S.Jutla,“Cryptanalysisstream of A ssociation for Cryptology Research,and cipherswith masking linear Proc.o{Advances inCryptology a senior member ofIEEE.His current research interests include de- (C ’ T0'02),SantaBarbara,California,USA,Lecture Notes sign and analysis of cryptographic algorithms,design and analysis in Com puter Science 2442.PP.515-532.2002. of network security protocols.