4-7 Security Evaluation of Cryptographic Technology

TANAKA Hidema

Cryptography is the fundamental technology for information security. It plays in the function of confidential, authentication, signature in the various information security technologies. Since the status of security evaluation influences the reliability of information security, the security evaluation of cryptographic technologies is very important. In particular, the security evaluation of cryptographic technologies which is used in electrical government service now is requested to be executed by an impartial aspect. In addition it is necessary to estimate the cost of the attack and its feasibility. So it is appropriate that the National institute executes such research activity. In this paper, we show the outline of the security evaluation activity for symmetric ciphers of Security Fundamentals Group between 2006 and 2010. Keywords Symmetric cipher, Higher order differential attack, Side-channel attack, Fault based attack, Pseudo random number generator

1 Introduction as a trusted technique, it needs to be validated by a third party. This is because the security Cryptography is the fundamental technol- of public electronic services in Japan such as ogy for information security. It provides confi- electronic government services and the basic dentiality of communication, authentication for residential registers network system rely on validating communication partners, and signa- cryptographic technology, and if information ture functions for proving authenticity of data is provided by only one side, there is a danger in various attack scenarios. These are based that vulnerabilities may remain. In addition, on cryptographic technology (cryptographic studying academic trends will not be sufficient. primitives) and designed from various points There is a gap between academic achievements of view. Outside Japan, it is not unusual that and actual usage environments, and the argu- these are designed not only by private compa- ments of a paper are not always appropriate. nies but also by research organizations such as For the above reasons, security evaluation of universities. In Japan, private companies and cryptographic technologies should be carried universities loosely share roles. Private compa- out from a fair and neutral viewpoint, and in nies play the role of technology development, order to achieve this, initiatives of the public and universities the role of academic develop- sector are indispensable. ment. Since evaluation as academic achieve- In this paper, we show the outline of the ment (development of cryptanalysis methods) security evaluation activity for symmetric and development of cryptographic primitives ciphers of the Security Fundamentals Group are inextricably linked, at a glance it seems between 2006 and 2010. The activity of the that development of cryptographic technol- Security Fundamentals Group especially ogy is completed by collaboration between focused on the following points. private companies and universities; however, ● Improvement against algebraic attacks for in order for the technology to be recognized which the theory of proving security is

TANAKA Hidema 219 immature car doors by radio signal). The security of a ● Effectiveness of attack methods against pseudo random number generator can be eval- cryptographic modules such as FPGA uated by long range periodicity, linear com- implementation plexity and correlation immunity, and thanks ● Reduction of evaluation costs to the improved performance of cryptographic We chose 64-bit block ciphers as the main modules, it is now possible to use a pseudo ran- subject of the security evaluation. Although dom number generator which is so large that it 128-bit block ciphers are becoming the main- cannot be evaluated by computer. As a result, stream in recent years, in some cases 64-bit it has become difficult to verify the security, block ciphers are more advantageous in terms and thus new evaluation methods are required. of implementability, and they are often used The Security Fundamentals Group developed for familiar services such as electronic money an algorithm that computes linear complexity type services as represented by Felica, and by a linearization method that is based on an smart cards for the basic residential registers algebraic attack. network system. Therefore, we consider it is This paper first describes scenarios of important to estimate the period for which they evaluation of cryptographic technologies in 2, can be used securely. We chose fault based as well as the presumption, purpose and valid- attacks that use electromagnetic emanation to ity of security evaluation of cryptography. In evaluate the security of cryptographic modules. 3, we outline a higher order differential attack Generally it is considered that attacks causing against a 64-bit block cipher, MISTY1. In 4, malfunction by electromagnetic emanation are we describe experiments on fault based attacks relatively low cost, and attack methods based that use electromagnetic emanation against on this assumption have been proposed in aca- FPGA implementations. In 5, we introduce demic conferences now and then; therefore, we evaluation of linear complexity by a lineariza- decided it was necessary to verify the viability. tion method for pseudo random number gen- The aforementioned evaluation of 64-bit block erators, and 6 provides a summary. ciphers is closely related to evaluation of cryp- tographic modules. This is because migration 2 Scenarios of evaluation of of a cryptographic technology that has already cryptographic technologies come into wide use will require services to be stopped, and because migration will be The security of cryptography requires that a huge risk for the service provider since the confidential information such as keys should mixture of new and old cryptographic primi- not be found more efficiently than by exhaus- tives could reduce the security, and as a result tive search. Generally, cryptanalysis means to the migration process will be slowed down. recover plaintext from ciphertext, and has the Therefore, 64-bit block ciphers and their cryp- following two meanings. tographic modules, which are still used and 1) Directly recover plaintext from ciphertext. becoming popular, have a significant impact 2) Recover the key from ciphertext to decrypt on the reliability of future electronic services. the ciphertext to plaintext. In addition, performance of smart cards and As for 1), for example, 2n of plaintext can chips that provide the base for cryptographic be recovered from n bits of ciphertext, and modules has been improving rapidly, helping all of them are the candidates for the correct to improve the performance of a pseudo ran- plaintext; therefore, it is only necessary to dom number generator that is implemented on prevent the correct candidate from being dis- top of it. Pseudo random number generators tinguished from the incorrect ones. Although are used for key generation and authentication linguistic meanings of plaintext could have protocols. For example, they are widely imple- influences, since modern cryptography is mented and used for car keys (to lock/unlock based on the assumption that plaintext is

220 Journal of the National Institute of Information and Communications Technology Vol. 58 Nos. 3/4 2011 binary information, it is considered to be suf- they have obtained ciphertext that correspond ficient if the plaintext is not distinguished from to numbers 0, 1, 2, and 3. The key point in this random numbers. As for 2), consider a problem example is that all bits except the low two bits where Y = f(X, K) and Y is given, and find X should be fixed to 0. There are a number of and K. In this case, (X, K) will be underspeci- such attack methods against block ciphers, and fied as it is. In order to solve this problem as typical examples include differential attacks equation, it needs to be set up as simultaneous and higher order differential attacks. As for equations to eliminate one of the variables, or stream ciphers, some attack methods have been either X or K must be given. In the former case, proposed which are used when only the Initial since the key is an invariable, it is only neces- Value (IV, publicly known parameters exclud- sary to eliminate the key: this is equal to the ing the key) is changed, and the key is fixed. scenario 1). In the latter case, it is trivial that X Incidentally, the key size commonly used can be decrypted if the key is given. Therefore, for symmetric ciphers is generally 128 bits. an appropriate scenario for security evaluation In the above-mentioned attack method, it is would be to provide information of plaintext regarded that it is not secure if even one bit of to find the key. Thus, we evaluate the security the key has been determined. It is generally by estimating the required cost for recovering considered that it is not secure if one bit of an a key from plaintext and the corresponding expanded key (an internal key used in crypto- ciphertext. graphic algorithm) generated from a 128-bit The cost consists of computational cost key has been determined. On the other hand, and amount of data. For example, if no limit even the most advanced computer in the world is set to computer capability (assume unlimited can recover 60 bits of a key by exhaustive computational cost), the key can be found from search, and therefore, there is a gap between a pair of plaintext and ciphertext by conducting the actual computer security and theoretical an exhaustive search. This is the limit of the cryptanalysis. The gap between the limit of security of cryptography. So we conclude that exhaustive search by computer and theoretical even if a pair of plaintext and ciphertext that is cryptanalysis can be seen as the margin of the convenient for the attacker is provided, it will security and the period in which the cryptogra- be still secure if the key cannot be found more phy can be used securely. efficiently than it can be found by exhaustive search. There are two attack scenarios depend- 3 Security evaluation of 64-bit ing on how plaintext is provided. block cipher MISTY1 ● Known plaintext attack ● Chosen plaintext attack 3.1 64-bit block cipher MISTY1 A known plaintext attack is a method to 64-bit block cipher MISTY1 is a Feistel carry out attacks under the condition that a type block cipher developed by Mitsubishi pair of plaintext/ciphertext has been simply Electronics Corporation in 1996 (Fig. 1)[2]. given. The only such method against block The data length is 64 bits and the key length is ciphers is linear cryptanalysis. As for the 128 bits. Plaintext is divided as follows. attack method against stream ciphers, which  GF(2)7 : i = even are symmetric ciphers that use pseudo random P = (PL || PR ) = (X15,...,X 8 || X 7,...,X 0 ) → X i ∈  (1) GF(2)9 : i = odd number generators, correlation attack and its  advanced versions fall under this category. A It generates an expanded key from a 128-bit chosen plaintext attack is a method to carry out key in accordance with Table 1. attacks under the condition that attackers have K = (K ,...,K ), K ∈GF(2)16 chosen plaintext that is advantageous for them 7 0 i (2) ′ = and obtained the corresponding ciphertext. For Ki FI(Ki ;Ki+1) example, it is advantageous for the attackers if Figure 2 shows the variables that will be used

TANAKA Hidema 221 Fig.1 64-bit block cipher MISTY1

Table 1 Key schedule

below. project in Europe)[7]. The security of MISTY1 is characterized as As described earlier, the low algebraic providing provable security against differential degree of the S-box contributes largely toward attacks[3] and linear attacks[4] by performing maintaining high implementation performance only three rounds of FO function. In addition, while providing provable security against dif- low algebraic degree is chosen for the S-box ferential attacks and linear attacks. On the (substitution table generated by non-linear other hand, the low algebraic degree could function) of S7 and S9 in order to realize com- compromise the security against algebraic pact hardware implementation, and the degree attacks. The purpose of our evaluation is to of S7 is 3 and the degree of S9 is 2. High secu- confirm the security against algebraic attacks. rity and implementation performance has been Algebraic attacks include higher order differ- achieved in this way, and it has been adopted as ential attacks, interpolation attacks, and inte- the standard 64-bit block cipher for the inter- gral attacks, and we chose higher order differ- national standard ISO[5], CRYPTREC (Japan’s ential attacks in our research. This is because e-Government recommended ciphers)[6], and higher order differential attacks are the most NESSIE (cryptographic technology evaluation basic method among algebraic attacks, and potentially the evaluation can be applied to various cases.

3.2 Higher order differential attack Let F(X ;K) be a function of GF(2)n × GF(2)s → GF(2)n. Y = F(X ;K) (3) ∈ n ∈ n ∈ s Fig.2 Locations of variables X GF(2), YGF(2), KGF(2)

222 Journal of the National Institute of Information and Communications Technology Vol. 58 Nos. 3/4 2011 Let (a0, a1,.., aN−1) denote linear indepen- Equations (6), (7), and (8) yield the following n dent vectors of GF(2) , and let V[ a0, a1,.., aN−1] equation. denote the subspace spanned by them. Here, if (N) {F(C (X + A);K (r)) + C (X + A)} = const ∆V is the N-th order differential of X of ∑ L R (9) [ a0, a1,.., aN−1] A∈V[ a0,a1,...,ad−1] F(X ;K), it is computed as follows. If the value of const has been obtained, the (N) (r) ∆V F(X;K) = ∑F(X + A;K) [ a0, a1,.., aN−1] (4) value of K can be obtained by solving this A∈V [ a0,a1,...,aN−1] equation. Therefore, hereafter this equation is

Hereafter when V[ a0, a1,.., aN−1] is known, called the attack equation. (N) (N) ∆V is abbreviated as ∆ . If Consider solutions for the attack equation [ a0, a1,.., aN−1] degX{F(X;K)} = d, the following property is by applying the linearization method described satisfied. in reference [8]. This method significantly Property 1: reduces computational cost by transforming the attack equation to linear equations. For ∆ (d +1)F (X;K) = 0 deg {F(X;K)} = d → (5) further details refer to [8][9]. Let L denote the X  (d ) ∆ F (X;K) = const. total of independent unknowns that have been Figure 3 shows the final round of r-round Feis- redefined by linearization, and let H denote the tel type block cipher. H (r)(X) denotes output  L  width of the attack equation, then the × 2N from the (r−2)th round, and is computed as  H follows,  L  N numbers of chosen plaintext and   × 2 × L ~  H H (r)(X) = F (X;K (1,2,...,(r−2))) (6) rounds of F function computation will be ~ where, F(⋅) is a function of GF(2)n × required. Compared to an exhaustive search, GF(2)s×(r−2) → GF(2)n, and K (1,2,...,(r−2)) denotes the number of required chosen plaintext will the keys from the first round to the (r−2)th be significantly increased; however, the com- round. Thus, H (r)(X) is computed from the putational cost will be reduced to a negligible plaintext side. On the other hand, it is also amount. computed from the ciphertext side by assum- ing the key of the final round K (r) as follows. 3.3 Higher order differential attack against MISTY1 H (r)(X) = F (C (X );K(r)))+ C (X (7) L R MISTY1 is known to have the following (r) If degX{)H (X } = d, then the following equa- algebraic property (reference [9]). tion is satisfied. Property 2: When MISTY1 does not have FL ~ function, computation of seventh order differ- ∆(d )F(X;K(1,2,...,(r−2))) = const (8) ential with a variable that consists of the right

seven bits of FOi satisfies the following equa- tion, regardless the value of the fixed part of plaintext and expanded key.

(7) L 7 ∆ Zi+2 = 0x6d (10)

For example, let X0 be a variable, then the fol- lowing equation is satisfied:

(7) L 7 ∆ Z3 = 0x6d (11)

Reference [9] describes attacks that utilize the above against 5-round MISTY1 without FL Fig.3 The final round of r-round Feistel type function. Analysis results of the characteristics block cipher of seventh order differential are also described

TANAKA Hidema 223 [ ] in reference 10 . Thus, the use of low algebraic In order to fix KL3, K1, K2, K3, K4, K5, and K8 degree for the S-box causes a flaw in the secu- should be fixed, and this is not a very realistic rity. This paper describes applied attacks based attack condition. However, if KL3 is not fixed, on Property 2. only the following condition is required: Since FL function consists of AND and K = K ′ = 0xffff (15) OR operations, if the following key is input, 5 7 the output value of FL function can be con- Nevertheless, the value of seventh order differ- trolled. ential is not fixed as Fig. 5 shows, and it cannot be used for attack as it is. Then, we discovered KL =KL = 0x0000, KL =KL = 0xffff (12) 21 31 22 32 from computer results that if eighth order dif- If these conditions are satisfied, Property 2 ferential is used with one randomly chosen bit will be satisfied even with FL function. The from X0 and X1, the following equation is satis- problem is whether there is a 128-bit key that fied. satisfies such an expanded key. According to ∆(8)Z L7 = 0 (16) the key schedule (Table 1), 3 Further details are described in reference [11]. K ′ = K = 0x0000, K = K ′ = 0xffff (13) 3 2 5 8 The use of this property derives the attack However, equation shown in Fig. 6. That is,

L7 A = FL8 (CR ;KL8 ) = FL8 (CR ;K6′, K8 ) K3′ = FI(K3;K4 ), K8′ = FI(K8; K1) (14) B = FO (C;KO , KI )L7 = FO (C;K , K′, K , K , K′, K , K′)L7 5 5 5 5 1 2 4 5 6 7 8 (17) C = FL (C ;KL ) + FO (FL (C ;K′, K );KO , KI ) From the above, if K1, K2, K3, K4, K5, and K8 7 L 7 6 8 R 6 8 6 6 = FL (C ;K′ , K ) + FO (FL (C ;K′, K );K′, K , K′, K , K′, K′) are fixed, it is possible to carry out attacks 7 L 2 4 6 8 R 6 8 1 2 3 5 7 8 based on Property 2 of seventh order differ- it is not possible to solve them by applying the ential characteristics, even with FL function. solution described in 3.2 as it is due to numer- Figure 4 shows the estimate of formal alge- ous variables. It is more appropriate to use braic degree in FI function, but the input of algebraic solution for one part and exhaustive expanded key is omitted. Figure 5 shows the search for the other part to solve them. estimate of formal algebraic degree both when ● K5, K7 = fixed

KL3 is fixed and when it is not fixed. ● K3′, K6, K8 = exhaustive search

Fig.4 Estimate of formal algebraic degree

224 Journal of the National Institute of Information and Communications Technology Vol. 58 Nos. 3/4 2011 Fig.5 Estimate of formal algebraic degree of FO3 (left: KL3 is fixed, right:KL3 is not fixed)

● K7′ = linearization method When categorized as above, H = 7, L = 13269 + 64 are given, then the computational cost can be estimated as 280.6, and the amount of data can be estimated as 218.9. For further details on computation, refer to reference [11]. The unit of computational cost is the computation counts for one round of FO function, and the amount of data is the number of pairs of chosen plain- text and the corresponding ciphertext. Fig.6 Attack equation against 6-round MISTY1 Variables A, B, C are shown in the equation (17) 3.4 The meaning of the result of attacks The result of attacks described in 3.3 is use of such keys. In addition, the computa- obtained when a key has a specific value. In tional cost required for the attack is not realis- such condition, it is possible to solve up to tic at the time of writing in 2011. Therefore, we the sixth round of an 8-round structure. This conclude that MISTY1 is secure enough to be means that the security that was proposed as used in practice. being provable with three rounds has been However, MISTY1 is not always used compromised. From this result, it can be said based on algorithms. When it is implemented that the margin of the security of MISTY1 has on FPGA, even if legitimate keys are used and been reduced from five rounds to two rounds. the full spec has been implemented, it could On the other hand, even if the given con- be attacked by obtaining intermediate com- ditions were very advantageous to attackers, putational information or by using some kind the attack did not result in a full spec attack of interference, and the data could be altered. against MISTY1. The above-mentioned attack When taking account of such attacks, suffi- will be only successful when a certain weak cient security could not be completely main- key is chosen as in equation (15). Sufficient tained. Therefore, we verify the feasibility of security can be maintained by eliminating the attacks against such implementation.

TANAKA Hidema 225 4 Fault based attacks against could be altered as intended and not to perform FPGA cryptographic modules actual cryptanalysis, we chose circuits and data transfer in which alteration of information Electronic devices generate noise in accor- could be observed easily. dance with their operations. The character- First, as shown in Fig. 8, we verified istics of the noise depend on the information whether it was possible to alter signals by irra- processed by the device and the content of the diating electromagnetic emanation directly to operation. Side-channel attacks utilize such the board. Most of the experiments resulted properties, and analyze confidential informa- in failure. This is because when the amount tion by analyzing power consumption wave- of irradiated electromagnetic emanation is forms and electromagnetic emanation. In 3, we large enough to add interference to signals, described attacks in the case where an 8-round the capacitors on the power circuit will be structure has been reduced to 6-round, but it destroyed, and as a result the board itself will is not realistic to consider a 6-round would be stop operating. One of the other reasons of the used in the actual implementation. Therefore, failure was that due to the property of electro- there is no way that an attacker can obtain magnetic emanation, it was difficult to irradi- intermediate computational results; however, ate them to one location and they could not be this is possible in side-channel attack scenar- controlled. We conducted other experiments by ios. Consequently, if attackers obtain the out- replacing the power source with batteries, but put from FO5, it will become a realistic threat. they were not effective. On the other hand, it is not known whether Next, we verified alteration of signals using the input data consists of an eighth order dif- a surge (Fig. 9). For example, when an elec- ferential structure as the attackers intended. tronic lighter is ignited near the coin slot of In addition, if the key is stored in the memory, arcade video game, it is wrongly recognized there are no such weak keys that the attackers as coins were inserted and false operation will expect. They need to tamper with the value be caused. Similar to this, we experimented of the expanded key or input information by to alter signals by causing spike-like potential some method. The following two methods are changes. We confirmed that signals had been known to be used for such attacks [12]. altered by conducting the operation in the loca- ● Invasive attack tions shown in Fig. 10. However, we could not ● Non-invasive attack change signals to arbitrary ones. In invasive attacks, the attackers alter the Finally, we developed a device that input operation to their intended operation by tam- enough signal to change the voltage directly pering with circuit, and it is not possible to restore the circuit or device back to the origi- nal state. In non-invasive attacks, the attackers cause a brief malfunction but do not modify the circuit itself. Since non-invasive attacks could allow illegal modules to be produced, they are more serious threats for consumer products. There are various methods to carry out non-invasive attacks, and we performed attacks that use electromagnetic emana- tion in this research. The target of attack was SASEBO, Side-channel Attack Standard Eval- uation Board (Fig. 7)[13]. In addition, since our Fig.7 Side-channel attack standard evaluation purpose was to verify whether information board SASEBO-G

226 Journal of the National Institute of Information and Communications Technology Vol. 58 Nos. 3/4 2011 Fig.8 Radiation experiment inside a chamber

Fig.10 Locations where signals were successfully altered by surge irradiation Fig.9 Experiment of surge irradiation experiment (red frame) into the signal lines (Fig. 11). When we used it, and smart cards. We also conducted we were able to input arbitrary signals into the experiments of local irradiation using a FPGA. probe, but we did not observe the phenom- From the results of the experiments, we ena described in reference [14], at least on found the following. SASEBO. ● Simply irradiating electromagnetic emana- ● Some fault based attacks do not require tion is a difficult method to attack FPGA altering signals to arbitrary ones but sim-

TANAKA Hidema 227 Fig.11 The board for carrying out attacks

[ ] ply need errors to be caused 15 . Such example, for f (x1, x2) = x1x2 + x1 + x2, redefine as

purposes can be fully achieved by using a y1 = x1x2, y2 = x1, y3 = x2, then f (x1, x2) → f’(y1, y2,

surge, which is very easy to execute. y3) = y1 + y2 + y3 is obtained, thus a quadratic

● A device similar to that shown in Fig. 11 is equation with respect to x1, x2 can be expressed

sufficient to arbitrarily alter the input to an as a linear equation with respect to y1, y2, y3. FPGA. Its structure is simple, and it is inex- Multi-degree equations can be expressed as pensive. For further details, refer to [12]. linear equations, but on the other hand, rede- We were not able to alter the data that was fined variables may be increased significantly. being processed in the FPGA by using electro- In this example, variables were increased from magnetic emanation. Conversely, the impor- two to three. tant processes for security reasons should be When a sequence is given, linear complex- processed in the FPGA. For example, if all ity is given as the minimum required num- processes to generate and read expanded keys ber of rounds of LFSR to generate the same are executed in the FPGA, it is not possible to sequence. From the viewpoint of linear com- carry out fault based attacks that use weak keys plexity, replacing terms of quadratic or higher as described in 3. On the other hand, it became order that are generated by non-linear func- clear that it is possible to prevent legitimate tions with new independent terms is equal to input and carry out chosen plaintext attacks. adding new registers to construct an equiva- It is apparent that tamper resistant implemen- lent LFSR. In addition, linear complexity is tation has an importance as it prevents circuit estimated by computing each AND operation, networks from being directly operated. XOR operation, and NOT operation using logic operation circuit and totaling the results. 5 Evaluation of linear complexity of pseudo random number  AND Operation generator Consider a product sequence of the output from LFSR#1 and LFSR#2. The linearization method described in 3 is r ( t ) = x ( t ) x ( t ) an algebraic attack, which redefines non-linear 1 2 variable terms of quadratic or higher order as Here, when r ( t ) is expressed in Boolean alge- one new variable and transforms a quadratic bra equation, it can be expressed only by qua- or higher degree equation into a linear equa- dratic terms, a1i, (i = 1 〜 s1) and a2j, (j = 1 〜 s2). tion in order to make it easy to solve. For Since there are s1 × s2 types of quadratic terms,

228 Journal of the National Institute of Information and Communications Technology Vol. 58 Nos. 3/4 2011 if s1 and s2 are coprime and generator polyno- gle round LFSR with the initial value 1 and mials f1(x) and f2(x) are both primitive polyno- LFSR#1. Therefore, in accordance with Prop- mial and irreducible, the output sequence r ( t ) erty 2, linear complexity = s1 + 1. can be generated by s1 s2-round LFSR that has On the other hand, from the viewpoint of a a s1 s2 degree polynomial as a generator polyno- linearization attack, mial. Therefore, the linear complexity is given r ( t ) = x1( t ) ⊕ 1 by s1 s2 in this case. On the other hand, from the viewpoint of Here, only constant terms are included and the linearization method, r ( t ) can be expressed variable terms are not affected. Therefore, the by s1 s2 quadratic terms as described above. number of variables is given by s1. Therefore, Therefore, Property 3 is derived as follows. Property 5 is derived as follows. Property 3: A product sequence of two LFSR Property 5: When the output from LFSR#1 where s1 and s2 are coprime and generator is inverted by NOT operation, in terms of the polynomials f1(x) and f2(x) are both primitive output sequence, the linear complexity is com- polynomial and irreducible satisfies the condi- puted by s1 + 1 with the general method, and by tion: linear complexity = s1 s2. s1 with the linearization method. As above, there is a difference in the esti- XOR Operation mated values between the linearization method Consider an exclusive OR sequence of the out- and general method. This becomes clear when put from LFSR#1 and LFSR#2. considering unoptimized logic circuits as shown in Fig. 12. r ( t ) = x1( t ) ⊕ x2( t ) Figure 12 can be estimated as s1 + s2 + 2 by In this case, r ( t ) can be generated from LFSR the general method; however, it is clear that it that has the least common multiple polyno- is s1 + s2. Therefore, the linearization method mial of generator polynomials f1(x) and f2(x) is more effective for computing more accurate as a generator polynomial. If f1(x) and f2(x) are linear complexity. irreducible to each other, and if s1 and s2 are In addition, the required conditions for coprime, the generator polynomial of r ( t ) is computing linear complexity, computational given by f (x) = f1(x) f2(x). Therefore, the degree cost, and length of series are shown in Table of f (x) is given by s1 + s2, and the number of 2, comparing to the Belekamp-Massey method rounds is given by s1 + s2. and Games-Chan method. We confirmed that On the other hand, from the viewpoint of the linearization method is an effective method linearization method, since r ( t ) is linear, the to compute linear complexity. number of variables is given by s1 + s2. There- fore, Property 4 is derived as follows. 6 Summary Property 4: An exclusive OR sequence of two

LFSR where s1 and s2 are coprime and genera- This paper outlined of the achievements tor polynomials f1(x) and f2(x) are both primi- of security evaluation activity for symmetric tive polynomial and irreducible satisfies the condition: linear complexity = s1 + s2.

NOT Operation Consider a sequence that inverts the output from LFSR#1.

r ( t ) = x1( t ) As a logic operation circuit, this operation is realized by exclusive OR sequences of a sin- Fig.12 Unoptimized logic circuit

TANAKA Hidema 229 Table 2 Comparison of condition, computational cost, and memory space

ciphers of the Security Fundamentals Group obtain better evaluation results than the previ- between 2006 and 2011. The activity is linked ous ones; therefore, we only gave a verbal pre- to the initiatives of CRYPTREC (Cryptogra- sentation regarding this matter in Japan. phy Research and Evaluation Committees) that There have been improvements in the is described in 4-9. Although it is omitted in theories to construct cryptographic technolo- this paper, we also conducted security evalua- gies securely in recent years. We consider it is tion for 128-bit block cipher AES and HyRAL, important to continue evaluation activities in 64-bit block cipher KASUMI and ICEBERG, order for these cryptographic technologies to stream cipher Multi-S01, and hash function be used securely, which is the mission assigned SHA-1. However, we only managed to confirm to NICT, a fair and neutral organization. that they were secure, and were not able to

References 1 Naional Institute of Standards and Technology, “ADVANCED ENCRYPTION STANDARD (AES),” Federal Information Processing Standards Publication (FIPS-PUB) 197, 2001. 2 M.Matsui, “New block encryption algorithm MISTY,” Proceedings in Fast Software Encryption 1997, LNCS. 1267, Springer-Verlag, 1997, pp. 54–68. 3 E.Biham and A.Shamir, “Differential Cryptanalysis of the Data Encryption Standard,” Springer Verlag, 1993. 4 M.Matsui, “The First Experimental Cryptanalysis of the Data Encryption Standard,” Advances in Cryptology - CRYPTO '94, 14th Annual International Cryptology Conference, LNCS. 839, Springer- Verlag, 1994, pp. 1–11. 5 International Organization for Standardization. ISO/IEC WD 18033-3: information technology—security techniques—encryption algorithms—Part 3: block ciphers, 2002. 6 CRYPTographic Research and Evaluation Committees: CRYPTREC, http://www.cryptrec.go.jp 7 NESSIE (New European Schemes for Signatures, Integrity and Encryption), https://www.cosic.esat.ku- leuven.be/nessie/ 8 S.Moriai, T.Shimoyama, and T.Kaneko, “Higher Order Differential Attack of a CAST Cipher,” Proceedings in Fast Software Encryption 1998, LNCS. 1372, Springer-Verlag, 1998, pp. 17–31. 9 H.Tanaka, K.Hisamatsu, and T.Kaneko, “Strength of MISTY1 without FL Function for Higher Order Differential Attack,” Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, 13th International Symposium, AAECC-13, LNCS. 1719, Springer-Verlag, 1999, pp. 221–230. 10 S.Babbage and L.Frisch, “On MISTY1 Higher Order Differential Cryptanalysis,” ICISC2000, LNCS. 2015, Springer-Verlag, 2001, pp. 22–36. 11 H.Tanaka, Y.Hatano, N.Sugio, and T.Kaneko, “Security Analysis of MISTY1,” Information Security Applications, 8th International Workshop, WISA 2007, LNCS. 4867, Springer-Verlag, 2008, pp. 215–226. 12 Hidema Tanaka, “A study on experiment method of fault induction attack using electro-magnetic ema- nation,” Symposium on Cryptography and Information Security 2009 : SICS2009 2A3-1.

230 Journal of the National Institute of Information and Communications Technology Vol. 58 Nos. 3/4 2011 13 SASEBO Side-channel Attack Standard Evaluation Board, http://www.rcis.aist.go.jp/special/SASEBO/ index-ja.html 14 D.Agrawal, B.Archambeault, J.R.Rao, and P.Rohatgi, “The EM Side-Channel(s),” CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS - CHES 2002, LNCS. 2523, Springer-Verlag, 2003, pp. 29–45. 15 J.S. Coron, A. Joux, I. Kizhvatov, and P. Paillier, “Fault Attacks on RSA Signatures with Partially Unknown Messages,” CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS - CHES 2009, LNCS. 5747, Springer-Verlag, 2009, pp. 444–456.

(Accepted June 15, 2011)

TANAKA Hidema, Ph.D. Director, Security Fundamentals Laboratory, Network Security Research Institute Information Security, Cryptographic Technology, Information Theory

TANAKA Hidema 231