Design Principles for Combiners with Memory
Frederik Armknecht, Matthias Krause, and Dirk Stegemann
Theoretical Computer Science, University of Mannheim, Germany {armknecht, krause, stegemann}@th.informatik.uni-mannheim.de
Abstract. Stream ciphers are widely used for online-encryption of ar- bitrarily long data, for example when transmitting speech-data between a mobile phone and a base station. An important class of stream ciphers are combiners with memory, with the E0 generator from the Bluetooth standard for wireless communication being their most prominent exam- ple. In this paper, we develop design principles for increasing the resis- tance of combiners with memory against the most dangerous types of cryptanalytic attacks, namely correlation attacks and algebraic attacks. In the case of algebraic attacks, we introduce the first method to guar- antee lower bounds on the attack complexity. Starting from the design of the E0 generator, we combine our results in order to construct ciphers that are simultaneously strengthened against both kinds of attacks. Our analysis shows that small changes in the design of E0 already suffice to improve its security enormously.
Keywords: Stream cipher, combiners with memory, algebraic attacks, correlation attacks, Bluetooth E0.
1 Introduction
Today, electronic communication has gained more and more importance, in- voking an increasing demand for confidential data transmission. Widely used are keystream generators which produce bitstreams z := z1,z2,... of arbitrary length in dependence on a secret initial value K ∈{0, 1}n. The sender en- crypts a stream of plaintext bits p := p1,p2,... to a stream of ciphertext bits c := c1,c2,... by XOR-ing p and z componentwise, i.e., ct := pt ⊕ zt. A receiver who shares the secret key K can produce z in the same way as the sender and decrypt ct via pt = ct ⊕ zt. Following Kerckhoff’s principle, it is assumed that an adversary knows the specification of the keystream generator and some of the keystream bits zt,whereasK is secret to him. Consequently, an attack consists of recovering the secret key K. An important class of keystream generators are combiners with memory. Since their introduction in [17] to overcome the trade-off between linear com- plexity and correaltion immunity, they have been widely examined in cryptog- raphy and have found their way into practical applications. The perhaps best known example used in practice is the E0 keystream generator which is part of
S. Maitra et al. (Eds.): INDOCRYPT 2005, LNCS 3797, pp. 104–117, 2005. c Springer-Verlag Berlin Heidelberg 2005 Design Principles for Combiners with Memory 105 the Bluetooth standard, a widely applied standard for short- to mid-distance wireless communication between mobile devices. The best attacks against combiners with memory that are currently known are correlation attacks [10, 11, 18, 14, 15] and algebraic attacks [1, 6]. A correla- tion attack consists of finding and exploiting linear functions
L(Xt,...,Xt+r−1,zt,...,zt+r−1) which are biased, i.e., equal to zero with some probability =1 /2. Algebraic at- tacks mark somehow the opposite. Here, valid non-linear equations of preferably low degree are used to describe K by a system of equations. Although much effort has been put into the refinement of these attacks, only little is known about how to resist them. Our results are design principles for combiners with memory to improve the security in respect of both kinds of attacks. In general, finding highly biased linear functions L for correlation attacks are only feasible for small values of r. However, in the case of E0, the best currently known attack [14] uses a special class of biased linear functions which allow for an exhaustive search for the best correlations even for relatively large values of r, more precisely for r up to 25. We show how to avert this approach completely. Further on, we introduce a design principle which guarantees that all valid equations in Xt,...,Xt+r−1,zt,...,zt+r−1 have a degree greater than or equal to a certain lower bound. This marks the first lower bound on the complexity of algebraic attacks derived so far. Our proposals can be easily combined to construct combiners with memory which are strengthend against both correlation and algebraic attacks. The paper is structured as follows. Section 2 defines combiners with memory and explains correlation and algebraic attacks against them. In Sects. 3 and 4, we put correlation attacks and algebraic attacks into theoretical frameworks and derive according countermeasures, which we use in Sect. 5 to introduce and examine modified versions of E0. Section 6 concludes the paper.
2 Combiners with Memory
A combiner with memory, or shortly a (k, )-combiner, consists of k driving devices, a finite state machine (FSM) C with an bit state and two mappings k k k f : {0, 1} ×{0, 1} →{0, 1} and δ : {0, 1} ×{0, 1} →{0, 1} .LetXt ∈{0, 1} denote the output of the driving devices and Ct ∈{0, 1} the state of the FSM at clock t ≥ 1. Combiners with memory are regulary clocked. At each clock, one keystream bit is produced as zt = f(Ct,Xt), and the state of the FSM is updated to Ct+1 := δ(Ct,Xt). Combiners with memory have the advantage that they combine high algebraic degree with high correlation immunity (cf. [19]). Correlation immunity means that the output zt is not or only weakly correlated to the sum of a subset of the input bits. 106 F. Armknecht, M. Krause, and D. Stegemann
For the rest of the paper, we focus on the well-studied subclass of combin- ers with memory that use Linear Feedback Shift Registers (LFSRs) as driv- ing devices. The output xt of an LFSR is computed as xt = Lt(K), where Lt denotes a known linear Boolean function and K ∈{0, 1}n the LFSR’s secret initial state. A famous practical LFSR-based combiner with memory is the (4, 4)-combiner E0, which uses four LFSRs of lengths 25, 31, 33 and 39, respectively. Based on an internal key K that is re-initialized frequently, the Bluetooth stream cipher utilizes E0 to produce consecutive, fixed-length frames of keystream. In [3], it was shown that an efficient attack on E0 implies an efficient attack on the whole cipher. Consequently, improving the security of E0 is a natural demand. Amongst all publicly known attacks on combiners with memory, the fastest are correlation attacks and algebraic attacks. In the following, we give a brief description of these attacks. Correlation attacks exploit linear equations
L(Xt,...,Xt+r−1,zt,...,zt+r−1)=0 which are true with probability 1/2+λ with λ =0. λ is called the bias. General methods to systematically compute the equations with the highest value of |λ| exist (e.g., cf. [10]), but since their complexity is exponential in k, and r,these methods are only feasible for small values. However, if the output function f(C, X) can be written as the sum of two functions α(X)andβ(C), i.e., zt = α(Xt) ⊕ β(Ct), one can try to use biased linear combinations in the expressions β(Ct). More precisely, an attacker looks for coefficients γ =(γ0,...,γr−1) such that r−1 r−1 λ := λ(γ):= Pr γi · βt+i =0 − Pr γi · βt+i =1 =0 . (1) i=0 i=0 Amongst all non-trivial biases, the attacker is interested in finding and using the maximum bias, which is defined as λmax := max{|λ(γ)|}. The output function of E0 is exactly of the desired type. In [14], it was proved that λmax =25/256 for r ≤ 25, where 25 is the length of the shortest LFSR. This observation and the exploit of a synchronization flaw led to the best currently known attack on the Bluetooth cipher [15]. The complexities of this attack are given in Table 1.
Table 1. The complexity of the fastest correlation attack on E0 as presented in [15]
λmax Frames Data Time Space 1 236.59 · 18 · 18 λ m =max(λ10 , λ8 ) 24m 36m +3 2 min(m, 2 ) m 25 34.74 39.32 40.17 34.74 256 2 2 2 2 Design Principles for Combiners with Memory 107
Algebraic attacks are based on solving systems of equations. An attacker uses a Boolean function F : {0, 1}k·r →{0, 1} such that for all clocks t, it holds that
F (Xt,...,Xt+r−1,zt,...,zt+r−1)=0 . (2) The existence of such equations has been proved in [1]. Using the equivalence Xt = Lt(K), (2) allows to write a system of equations which describes the secret key K in dependence of the observed keystream (zt). Accordingly, the secret key K can be recovered by solving the system of equations. Although computing the solution is NP-hard in general, it might become eas- ier if the number of known keystream bits and therefore the number of equations increases. Let R denote the number of accessible equations and µ the number of occurring monomials. If R µ, the best method known today is to compute Groebner bases. Unfortunately, until now it is impossible to predict the time effort, albeit simulations indicate that the effort drops with increasing number of equations (cf. [9]). In the case of R ≈ µ, linearization [7] is the first choice. The idea of lin- earization is to substitute each occurring monomial by a new variable and to treat the whole system as a system of linear equations, making it easily solvable by Gaussian elimination. For the case that the number of equations exceeds the number of monomials, one might reduce the degree of the equations in a precomputation step. This idea is known as ”fast algebraic attacks”, which have been introduced in [6] and further improved in [2, 12]. However, the attack scenario is more restrictive as it requires the attacker to know many successive keystream bits and (2) to have a special structure. All theses approaches have in common that their time effort strongly depends on the degree d of the incorporated equations. The lower the degree, the faster the attacks. Hence, a natural countermeasure against such attacks is to avoid low degree equations. For this subject, the terminology ”algebraic immunity” has been introduced in [16] and extended to combiners with memory in [4]. For the rest of the paper, we will concentrate on algebraic attacks where ≈ n R µ and µ is approximately d .Ifϕ denotes the number of functions F of | | degree d fulfilling (2) and n denotes the key size K , then the amount of data ≈ n n 2 n 3 is d /ϕ, and the memory and time efforts are in O d and O d , respectively. The currently best algebraic attack on E0 in this scenario uses a function F of degree 4 over 4 clocks. The corresponding attack complexities are given in Table 2.
Table 2. The efforts of an algebraic attack on E0 with key size n and an equation of degree d
#F Data Time Space n n 3 n 2 General ϕ O d /ϕ O d O d 23.35 70.04 46.69 E0: n = 128, d =4 1 2 2 2 108 F. Armknecht, M. Krause, and D. Stegemann
Observe that the performance of algebraic attacks drops if the minimum possible degree d increases. The same is true for the correlation attack if λmax shrinks. In the following, we derive several countermeasures against these at- tacks for general (k, l)-combiners. In Sect. 5, we will then apply these results to construct variations of E0 with improved security.
3 Design Principles Against Correlation Attacks
As stated in Sect. 2, the correlation attack exploits biased linear equations L(Xt,...,Xt+r−1,zt,...,zt+r−1)=0. Finding functions with the highest ab- solute bias is difficult in general. In the case that the output function can be written as the sum of two functions α(X)andβ(C), i.e., zt = α(Xt) ⊕ β(Ct) for all keybits zt, one can instead try to find biased linear combinations in the expressions β(Ct). This allows to treat much higher values of r than the general method. In the case of E0, this approach yielded the fastest attack known so far (cf. [15]). The theory in this section is motivated by this setting. Goli´c[11]already established a theoretical framework and a lot of interesting results on estimat- ing correlations between XOR-sums of X-inputs and Z-outputs for functions Z = F (X, Y ), which matches exactly the situation of combiners with memory. What we do in the following is to derive a formula (Theorem 1) allowing to efficiently compute the special correlations that the correlation attack of Lu and Vaudenay [15] is based on. We then conclude some design criteria for avoiding this type of correlations and show how these correlations can be reduced by a local optimization of the E0-design. We consider the scenario that for each time unit t ≥ 1, there is a separate k Boolean function βt : {0, 1} ×{0, 1} →{0, 1}, revealing information about Ct and Xt. Let F r : {0, 1} ×{0, 1}k·r →{0, 1} be defined by r F (C1,X1,...,Xr):=β1(C1,X1) ⊕ ...⊕ βr(Cr,Xr) , k where C1 ∈{0, 1} , X1,...,Xr ∈{0, 1} and Ct+1 := δ(Ct,Xt). We are inter- ested in the value λ := λ(F r):=Pr[F r =0]− Pr[F r =1]. Observe that (1) is captured in this scenario by setting βt(Ct,Xt):=β(Ct) if γt =1andβt :≡ 0otherwise. We will express λ in terms of the transition matrix P and the bias matrices Bt of the FSM C, which are defined as follows. Definition 1. For all states C, C ∈{0, 1} ,wedenotebyp(C, C ) the proba- bility that state C will change into C , i.e., p(C, C )=2−k |{X; δ(C, X)=C }| . Additionally, let bt(C, C ) be the value −k 2 · (|{X; βt(C, X)=0,δ(C, X)=C }| − |{X; βt(C, X)=1,δ(C, X)=C }|) . We call the matrix P =(p(C, C ))C,C ∈{0,1} the transition matrix of C and the matrix Bt =(bt(C, C ))C,C ∈{0,1} the bias matrix of C corresponding to time unit t. Design Principles for Combiners with Memory 109
Theorem 1. It holds for all r ≥ 1 that r − T λ = λ(F )=2 e ◦ B1 ◦···◦Br ◦ e, (3) where e denotes the constant-1 vector of length 2 . As usual, we denote by BT the transpose of a given matrix B. The proof of Theorem 1 can be found in Appendix A. Formula (3) allows to compute the biases which are relevant for correlation attacks against combiners with memory and to derive corresponding design cri- teria to immunize them against these types of attacks. In particular, (3) yields r two different criteria for δ and βt in order to achieve that λ(F ) = 0 for all r ≥ 1. Note that these and more general criteria could also be derived from the more general and somewhat different calculations in [11]. k The first one considers the situation that βt is independent of X ∈{0, 1} , i.e., β(C, X)=β(C) for all X. This reflects the situation of E0. | −1 | | −1 | Definition 2. We call βt to be balanced if βt (0) = βt (1) .Furthermore, we say that δ is balanced if k = and p(C, C )=2−k for all C, C .
Theorem 2. Let βt either be ≡ 0 or depend only on C and be balanced, the latter being true for at least one time unit t.Ifδ is also balanced, then λ =0.
T T Proof. If βt ≡ 0, then Bt = P . Because of (e ) · P = e , we can assume ≡ w.l.o.g. that β1 0. Observe that the property of βt being balanced implies that − β1(C) { } C( 1) =0.LetX(C,C ) := X; δ(C, X)=C .Ifβt depends only on C, then bt(C, C ) can be rewritten to ⎧ ⎫ ⎨ 0ifX(C,C ) = ∅ ⎬ k βt(C) bt(C, C )= |X(C,C )|/2 if X(C,C ) = ∅,β(C)=0 =(−1) · p(C, C ) ⎩ k ⎭ −|X(C,C )|/2 if X(C,C ) = ∅,β(C)=1
T T Let v := (e ) · B1. We show that v is already the all-zero vector which T T concludes the proof. Let (v )C denote the C-th entry of v . Then, T β1(C) −k β1(C) (v )C = (−1) p(C, C )=2 · (−1) =0 . C C =0
In the case that the functions βt are not independent of X, it is also possible to entirely avoid correlations if we put some additional conditions on βt. Definition 3. The function β : {0, 1} ×{0, 1}k →{0, 1} is called C-balanced if for all states C ∈{0, 1} it holds that X ∈{0, 1}k,β(C, X)=0 = X ∈{0, 1}k,β(C, X)=1 .
Lemma 1. Let B denote the bias matrix with respect to the state transition function δ : {0, 1} ×{0, 1}k →{0, 1} and a C-balanced function β : {0, 1} × {0, 1}k →{0, 1}.ThenB ◦ e = 0. 110 F. Armknecht, M. Krause, and D. Stegemann
Proof. It can be easily checked that for all C ∈{0, 1} it is X ∈{0, 1}k,β(C, X)=0 − X ∈{0, 1}k,β(C, X)=1 (B ◦ e) = , C 2k which, by definition, equals 0 if β is C-balanced.
Theorem 3. Let r ≥ 1 and βt be either C-balanced or constant 0 for all t, 1 ≤ t ≤ r.Thenλ(F r)=0.
Proof. Note that for βt ≡ 0, the bias matrix Bt equals the state transition func- tion P of the FSM C. As each row of P corresponds to a probability distribution over {0, 1} ,weobtainP ◦e = e. The rest follows straightforwardly from (3) and Lemma 1. We want to point out that the previous statements are only true as long as the k corresponding input words Xt are independent values in {0, 1} .Inthecasethat LFSRs are used as driving devices, this is only the case as long as r is at most the length of the shortest LFSR. For example, in the case of E0,thiswould mean that r ≤ 25. This imposes no serious drawback, because so far, no feasible methods are known to compute the bias while considering the LFSR-structure. The previous results immediately imply two different design criteria to avoid any biased linear combinations in the expressions β(Ct). Actually, they have even wider applications. For example, the output function f c1,c2,c3,c4 , x1,x2,x3,x4 = c2 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x4 used in E0 is C-balanced. This guarantees that no biased linear combinations of the keystream bits zt exist for r ≤ 25, the length of the shortest LFSR. Goli´c [11] showed that there is a lower bound t0 such that for all t ≥ t0 there are nontrivial correlations between certain XOR-sums of the inputs of t consecutive time units and the corresponding outputs. It would be interesting to investigate if the correlation attack of Lu and Vaudenay [15] can be generalized towards exhibiting this type of correlations.
4 Design Principles Against Algebraic Attacks
In this section, we examine the existence of low-degree equations and introduce the first method to guarantee a lower bound for the effort of algebraic attacks. Let Z ∈{0, 1}r for r ≥ 1 be fixed. We say that a function F := {0, 1}k·r →{0, 1} is a Z-function if F ≡ 0andforeachclockt, it holds that
(zt,...,zt+r−1)=Z ⇒ F (Xt,...,Xt+r−1)=0 . (4) In [1], Z-functions were introduced and their existence was proved. An algebraic r attack consists of computing for each Z ∈{0, 1} a Z-function FZ of the lowest possible degree and to set up the system of equations
F(zt,...,zt+r−1)(Xt,...,Xt+r−1)=0,t=1, 2,... Design Principles for Combiners with Memory 111
4 In [1], Z-functions of degree 4 for all Z ∈{0, 1} were developed for E0.In [6], a method was proposed to obtain equations of degree 3, however with the enormous value r ≈ 8.822.188. It is still an open question whether Z-functions exist of degree < 4andr 8.822.188. In this section, we provide a general construction which guarantees a lower bound on the degrees of all possible Z- functions if r is at most the length of the shortest LFSR. This is the first general countermeasure against algebraic attacks on combiners with memory proposed so far.
r Definition 4. Let r ≥ 1 be fixed and Z =(z1,...,zr) ∈{0, 1} .WesetXZ k·r to be the set of inputs (X1,...,Xr) ∈{0, 1} which possibly can produce the output Z, more precisely, for which there exist C1,...,Cr ∈{0, 1} such that zi = f(Ci,Xi) for 1 ≤ i ≤ r and Ci+1 = δ(Ci,Xi)} for 1 ≤ i ≤ r − 1. We will later need the additional property that C1 equals some fixed value C and denote the corresponding subset of XZ by XC,Z. With (4), one can easily see that F is a Z-function if and only if F (X)=0for all X ∈ XZ . This leads directly to the notion of annihilators. Definition 5. We say that a Boolean function p ≡ 0 is an annihilator of a subset A ⊆{0, 1}n if p(x)=0for all x ∈ A. We denote the set of annihila- tors of A by Ann(A).Furthermore,wedefineforA ⊂{0, 1}n mindeg(A):= min{deg(f); f ∈ Ann(A)}.IfA = {0, 1}n,wesetmindeg(A):=∞.
The idea is that if we can prove a lower bound for mindeg(XZ ) for all Z,this gives a lower bound for the effort of algebraic attacks. In the following, we will propose a construction which makes it possible to derive such a lower bound. We first show that under certain conditions, each ”local” lower bound for mindeg(Xzr,C ) is also a ”global” lower bound for mindeg(X(z ,...,z )). 1 r k −1 Theorem 4. For a Boolean function α : {0, 1} →{0, 1},letmindeg α (0) and mindeg α−1(1) both be equal to a value d and let β : {0, 1} →{0, 1}.If the output function f can be expressed as
f(C, X):=α(X) ⊕ β(C)=z, (5)
r then it holds for all r ≥ 1, Z =(z1,...,zr) ∈{0, 1} ,andC ∈{0, 1} that
mindeg(XZ ) ≥ mindeg(XC,Z)=d.
Proof. Because of XZ,C ⊆ XZ , each annihilator of XZ is an annihilator of XZ,C as well. This shows the first inequality. Moreover, it holds for all choices z ∈{0, 1} and C ∈{0, 1} that XC,z = −1 α (β(C) ⊕ z) and therefore mindeg(XC,z)=d. r Let r ≥ 1, Z =(z1,...,zr) ∈{0, 1} , C1 ∈{0, 1} and f(Y1) ∈ IF 2[Y1]bean annihilator of XC1,z1 . Then, f can be seen as an element in IF2[Y1,...,Yr]which ≤ annihilates XC1,Z, too. This shows that mindeg (XC1,Z ) mindeg (XC1,z1 )=d. ≥ We prove now by induction over r that mindeg(XC1,Z ) d for all choices of C1 and Z.Forr = 1, the claim is certainly true. Now let r>1andthe 112 F. Armknecht, M. Krause, and D. Stegemann