Improved Correlation Attacks on SOSEMANUK and SOBER-128
Joo Yeon Cho
Helsinki University of Technology, Department of Information and Computer Science, Espoo, Finland
24th March 2009

Outline
• SOSEMANUK
• Attack Method
• Searching Linear Approximations
• SOBER-128

SOSEMANUK (from Wiki)
• A software-oriented stream cipher designed by Côme Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cédric Lauradoux, Marine Minier, Thomas Pornin and Hervé Sibert.
• One of the final four Profile 1 (software) ciphers selected for the eSTREAM Portfolio, along with HC-128, Rabbit, and Salsa20/12.
• Influenced by the stream cipher SNOW and the block cipher Serpent.
• The cipher key length can vary between 128 and 256 bits, but the guaranteed security is only 128 bits.
• The name means "snow snake" in the Cree Indian language because it depends both on SNOW and Serpent.

Overview
(Figure: overview of the cipher; not recoverable from the extraction.)

Structure
1. The states of the LFSR: $s_0, \ldots, s_9$ (320 bits), with
$$s_{t+10} = s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t, \quad t \ge 1,$$
where $\alpha$ is a root of the primitive polynomial.
2. The Finite State Machine (FSM): $R1$ and $R2$, with
$$R1_{t+1} = R2_t \boxplus (r_t s_{t+9} \oplus s_{t+2}), \qquad R2_{t+1} = \mathrm{Trans}(R1_t), \qquad f_t = (s_{t+9} \boxplus R1_t) \oplus R2_t,$$
where $r_t$ denotes the least significant bit of $R1_t$ and $\boxplus$ is addition modulo $2^{32}$.
3. The transition function $\mathrm{Trans}$ on $\mathbb{F}_{2^{32}}$:
$$\mathrm{Trans}(R1_t) = (R1_t \times \mathtt{0x54655307} \bmod 2^{32}) \lll 7,$$
where $\lll 7$ is a left rotation by 7 bits.
4. The output of the FSM:
$$(z_{t+3}, z_{t+2}, z_{t+1}, z_t) = \mathrm{Serpent1}(f_{t+3}, f_{t+2}, f_{t+1}, f_t) \oplus (s_{t+3}, s_{t+2}, s_{t+1}, s_t).$$

Previous Attacks
• The authors state that "No linear relation holds after applying Serpent1 and there are too many unknown bits...".
• In Asiacrypt'08, the best linear approximation, with correlation $2^{-21.41}$, was derived as
FSM: $\Gamma \cdot f_t \oplus \Gamma \cdot f_{t+1} \oplus \Gamma \cdot s_{t+10} \oplus \Gamma \cdot s_{t+2} = 0$
Serpent1: $\Gamma \cdot f_t \oplus \Gamma \cdot f_{t+1} \oplus \Gamma \cdot (s_t \oplus z_t) \oplus \Gamma \cdot (s_{t+3} \oplus z_{t+3}) = 0$
• Using this approximation, a correlation attack was applied, similar to the attack applied to the Grain stream cipher.
• The complexity of the attack was estimated at around $2^{140.5}$ data, $2^{148}$ computing time and $2^{147}$ memory.

Motivation of Our Work
• We may obtain better approximations if we use different masks for the FSM and Serpent1.
• We may reduce the data complexity of the attack by using multiple linear approximations with equal correlations.

LFSR and Linear Approximations
1. The linear recurrence of SOSEMANUK is expressed as
$$\begin{pmatrix} s_0' \\ s_1' \\ \vdots \\ s_9' \end{pmatrix} = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ b_0 & b_1 & b_2 & \cdots & b_9 \end{pmatrix} \begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_9 \end{pmatrix}.$$
Since $s_{t+10} = s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t$, we get $(b_0\ b_1\ \cdots\ b_9) = (\alpha\ 0\ 0\ \alpha^{-1}\ 0\ \cdots\ 0\ 1)$, where $s_i, b_i, \alpha \in GF(2^{32})$.
2. We can simply denote $S_{t+1} = A S_t$. Then $S_t = A^t S_0$.
3. A linear approximation $U \cdot S_t \oplus W \cdot Z_t = 0$ is expressed as
$$U \cdot A^t S_0 \oplus W \cdot Z_t = 0, \quad t > 0.$$
Note that $U = (u_0\ u_1\ \cdots\ u_9)$ and $U \cdot S_t = u_0 \cdot s_t \oplus \cdots \oplus u_9 \cdot s_{t+9}$, where $u_i \in GF(2^{32})$. Similarly for $W \cdot Z_t$.

Naive Attack
1. Assume $U \cdot S_t \oplus W \cdot Z_t = 0$ has correlation $c_{sose}$.
2. Observe $N$ keystream outputs. Then we obtain
$$\begin{pmatrix} U \cdot A S_0 \\ U \cdot A^2 S_0 \\ \vdots \\ U \cdot A^N S_0 \end{pmatrix} \oplus \begin{pmatrix} W \cdot Z_1 \\ W \cdot Z_2 \\ \vdots \\ W \cdot Z_N \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix},$$
where $S_0 = (s_0\ s_1\ \cdots\ s_9)^T$.
3. Guess $S_0$. For each candidate, compute $D$, defined as
$$D = \frac{1}{N}\Bigl(\#\{U \cdot A^t S_0 \oplus W \cdot Z_t = 0\} - \#\{U \cdot A^t S_0 \oplus W \cdot Z_t = 1\}\Bigr).$$
If the guessed $S_0$ is correct, $D$ is close to $c_{sose}$. Otherwise, $D$ is close to zero.

Fast Walsh Transform and Complexity
1. Assume $S_0 = (x_1\ x_2\ \cdots\ x_l)$ and $U \cdot A^t = (a_{t1}\ a_{t2}\ \cdots\ a_{tl})$, where $x_i, a_{ti} \in \{0, 1\}$. Then
$$\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1l} \\ a_{21} & a_{22} & \cdots & a_{2l} \\ \vdots & \vdots & & \vdots \\ a_{N1} & a_{N2} & \cdots & a_{Nl} \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_l \end{pmatrix} \oplus \begin{pmatrix} W \cdot Z_1 \\ W \cdot Z_2 \\ \vdots \\ W \cdot Z_N \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix}.$$
2. Since there are $2^l$ candidates for $S_0$, the complexity is around $N \times 2^l$.
3. If the Fast Walsh Transform is used, the complexity is reduced to around $N + 2^l \log 2^l = N + l \times 2^l$.
4. This is worse than exhaustive search over the state.

Simple Example on Fast Walsh Transform
(Worked table over $x_1, x_2, x_3$ illustrating the transform; not recoverable from the extraction.)

Reducing Time Complexity
1. Let $\Omega_m = \{(x_1\ x_2\ \ldots\ x_l) \mid x_i \in \{0, 1\},\ x_{m+1} = \cdots = x_l = 0\}$ for $1 \le m \le l$. Clearly $|\Omega_m| = 2^m$.
2. Among the $N$ approximations, take those $U \cdot A^t S_0 \oplus W \cdot Z_t = 0$ such that $U \cdot A^t S_0 \in \Omega_m$ (i.e. only the first $m$ state bits are involved):
$$\begin{pmatrix} U \cdot A^{\tau_1} S_0 \\ U \cdot A^{\tau_2} S_0 \\ \vdots \\ U \cdot A^{\tau_{N'}} S_0 \end{pmatrix} \oplus \begin{pmatrix} W \cdot Z_{\tau_1} \\ W \cdot Z_{\tau_2} \\ \vdots \\ W \cdot Z_{\tau_{N'}} \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix}.$$
3. The probability that such an approximation occurs is $2^m/2^l$. Hence we obtain around $N' \approx N \times 2^m/2^l$ 'good' approximations.
4. By the Fast Walsh Transform, the time complexity is reduced to $N' + m \times 2^m$.

Second LFSR Derivative Technique
1. Used for the attack on Grain Version 0 by Berbain et al.
2. Obtains more "good" approximations without further keystream observations.
3. Perform pairwise combinations of the $N$ approximations as
$$(U \cdot A^i \oplus U \cdot A^j) S_0 \oplus (W \cdot Z_i \oplus W \cdot Z_j) = 0, \quad 1 \le i, j \le N.$$
4. Choose the combined approximations such that $(U \cdot A^i S_0 \oplus U \cdot A^j S_0) \in \Omega_m$, with correlation $c_{sose}^2$.
5. The number of approximations that satisfy this condition is expected to be $N' = 2^{m-l}\binom{N}{2} \approx 2^{m-l} \times N^2$.

Sorting and Combining
1. A simple pairing requires $\binom{N}{2} \approx N^2$ operations.
2. The number of operations can be reduced by applying the sorting-and-combining technique.
3. First, the $N$ approximations are sorted according to the value of their $(l - m)$ state bits.
4. Let the sorted approximations be represented by $X_1, X_2, \ldots, X_N$. Then two consecutive approximations $X_i$ and $X_{i+1}$ are checked for whether their $(l - m)$ state bits are the same.
5. If they are the same, we know $X_i \oplus X_{i+1} \in \Omega_m$.
6. The fastest sorting algorithm takes $O(N \log N)$.
7. Time complexity: $T = N \times \log(N) + m \times 2^m$.

Linear Approximations of FSM
1. Using five masks $(\Gamma_1, \Gamma_2, \Gamma_3, \Gamma_4, \Gamma_5)$, we get
$$\begin{aligned} \Gamma_2 \cdot R2_{t+1} &= \Phi \cdot R1_t \\ \Lambda \cdot R1_{t+1} &= \Gamma_1 \cdot R2_t \oplus \Gamma_4 \cdot (s_{t+2} \oplus r_t s_{t+9}) \\ \Gamma_1 \cdot f_t &= \Gamma_3 \cdot s_{t+9} \oplus \Phi \cdot R1_t \oplus \Gamma_1 \cdot R2_t \\ \Gamma_2 \cdot f_{t+1} &= \Gamma_5 \cdot s_{t+10} \oplus \Lambda \cdot R1_{t+1} \oplus \Gamma_2 \cdot R2_{t+1} \end{aligned}$$
2. By combining the above approximations,
$$\Gamma_1 \cdot f_t \oplus \Gamma_2 \cdot f_{t+1} = \Gamma_3 \cdot s_{t+9} \oplus \Gamma_5 \cdot s_{t+10} \oplus \Gamma_4 \cdot (s_{t+2} \oplus r_t s_{t+9}).$$
3. The correlation is $c_{FSM} = c_{TransPlus} \times c_{PlusPlus}$, where
$$c_{TransPlus} = \sum_{\Phi=1}^{2^{32}-1} c_{+}(\Gamma_3, \Phi; \Gamma_1)\, c_{Trans}(\Phi; \Gamma_2), \qquad c_{PlusPlus} = \sum_{\Lambda=1}^{2^{32}-1} c_{+}(\Gamma_1, \Gamma_4; \Lambda)\, c_{+}(\Gamma_5, \Lambda; \Gamma_2).$$

Linear Masking of FSM
(Figure: the masks $\Gamma_1, \ldots, \Gamma_5$, $\Phi$ and $\Lambda$ placed on the data path through $R1_t$, $R2_t$, Trans, $R1_{t+1}$, $R2_{t+1}$ and the outputs $f_t$, $f_{t+1}$; not recoverable from the extraction.)

Observations on Trans Function
1. Recall $\mathrm{Trans}(R1) = (R1 \times \mathtt{0x54655307} \bmod 2^{32}) \lll 7$.
2. Multiplication: 14 consecutive modular additions ($\mathrm{Ham}(\mathtt{0x54655307}) = 14$),
$$R1 \times \mathtt{0x54655307} \bmod 2^{32} = R1 \boxplus (R1 \ll 1) \boxplus (R1 \ll 2) \boxplus (R1 \ll 8) \boxplus \cdots \boxplus (R1 \ll 30),$$
where $\ll k$ is a left shift by $k$ bits.
3. Due to the rotation $\lll 7$, linear masks must have ones in the bit positions $\{i + 25\}$, $i = 0, 1, \ldots,$ or $6$. In particular, $\Gamma_2$ must have ones in the bit positions $\{i + 25, \cdots, i\}$, $i = 0, 1, \ldots,$ or $6$.
4. Provided $x \boxplus y = z$, let a linear approximation be $\Psi_1 \cdot x \oplus \Psi_2 \cdot y = \Psi_3 \cdot z$. Then the positions of the most significant effective bits of $\Psi_1, \Psi_2, \Psi_3$ are the same.

Linear Approximations of Serpent1
$$(z_{t+3}, z_{t+2}, z_{t+1}, z_t) = \mathrm{Serpent1}(f_{t+3}, f_{t+2}, f_{t+1}, f_t) \oplus (s_{t+3}, s_{t+2}, s_{t+1}, s_t)$$
$$\Rightarrow \quad \Gamma_1 \cdot f_t \oplus \Gamma_2 \cdot f_{t+1} = \bigoplus_{i=0}^{3} \zeta_i \cdot (s_{t+i} \oplus z_{t+i}).$$
(Figure: the 32 bit-sliced S-boxes mapping $(f_{t+3}, f_{t+2}, f_{t+1}, f_t)$ to $(s_{t+3} \oplus z_{t+3}, s_{t+2} \oplus z_{t+2}, s_{t+1} \oplus z_{t+1}, s_t \oplus z_t)$, with bit positions 31, 25, 24, 14 and 0 marked; $\Gamma_1 = \mathtt{0x02004001}$, $\Gamma_2 = \mathtt{0x03004001}$.)

Correlation of Serpent1
1. One of the best approximations is $\zeta_0 = \mathtt{0x00004001}$, $\zeta_1 = \mathtt{0x03000000}$, $\zeta_2 = \mathtt{0x03000000}$, $\zeta_3 = \mathtt{0x03004001}$.
2. The correlation is
$$c_S(3; 14) \times c_S(2; 14) \times c_S(3; 9) \times c_S(3; 9) = 2^{-4},$$
where $c_S(\gamma_i; \lambda_j)$ denotes the correlation of a single S-box induced by the input mask $\gamma_i$ and the output mask $\lambda_j$.
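The Naive Attack and Fast Walsh Transform slides above describe scoring all $2^l$ candidates for $S_0$ with the statistic $D$ in a single transform. As an added worked example (not code from the talk), the following runs that procedure on a constructed toy instance: a 12-bit LFSR with a primitive feedback polynomial stands in for the 320-bit register, $N = 20000$ relations $a_t \cdot S_0 = b_t$ are generated so that they hold with correlation 0.1 (the role of $W \cdot Z_t$), and $S_0$ is recovered by a Walsh-Hadamard transform in $N + l \cdot 2^l$ steps rather than $N \cdot 2^l$. The register, taps, $S_0$, correlation and noise model are all assumptions chosen for illustration.

```python
import random

def fwht(v):
    """In-place Walsh-Hadamard transform; len(v) must be a power of two."""
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    return v

def lfsr_masks(l, taps, n):
    """Masks a_t (l-bit ints) with s_t = a_t . S0 for a Fibonacci LFSR over GF(2): each
    cell holds a mask over the initial-state bits, and the feedback cell gets their XOR."""
    cells = [1 << i for i in range(l)]          # at t = 0 cell i is just x_{i+1}
    out = []
    for _ in range(n):
        out.append(cells[0])
        fb = 0
        for i in taps:
            fb ^= cells[i]
        cells = cells[1:] + [fb]
    return out

def noisy_keystream(masks, s0, corr, rng):
    """Constructed b_t = a_t . S0 xor e_t with Pr[e_t = 0] = (1 + corr) / 2, so b_t
    plays the role of W . Z_t: the relation a_t . S0 = b_t holds with correlation corr."""
    return [(bin(a & s0).count("1") & 1) ^ int(rng.random() >= (1 + corr) / 2) for a in masks]

def correlation_statistic(masks, bits, l):
    """N * D(x) for every candidate x at once: bucket (-1)^{b_t} under index a_t and
    transform; entry x then equals sum_t (-1)^{a_t . x xor b_t}, at cost N + l * 2^l."""
    acc = [0] * (1 << l)
    for a, b in zip(masks, bits):
        acc[a] += -1 if b else 1
    return fwht(acc)

def recover_state(masks, bits, l):
    """Candidate with the largest D and that D; the true S0 scores near corr, others near 0."""
    stat = correlation_statistic(masks, bits, l)
    best = max(range(1 << l), key=stat.__getitem__)
    return best, stat[best] / len(bits)

L, TAPS, S0 = 12, (0, 1, 4, 6), 0xA5C   # toy primitive register x^12+x^6+x^4+x+1; constructed S0
MASKS = lfsr_masks(L, TAPS, 20000)
BITS = noisy_keystream(MASKS, S0, 0.1, random.Random(2009))
GUESS, D = recover_state(MASKS, BITS, L)   # GUESS == 0xa5c, D close to 0.1
```

With $2^{12}$ candidates the wrong ones score within a few $\sqrt{N}$ of zero while the correct one scores near $0.1 \cdot N$, which is exactly the gap the statistic $D$ on the slides exploits.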