NESSIE Reports [Stream Cipher]

21st Century COE Program, Workshop on Random Number Generation and Stream Ciphers, 2003.02.25
NESSIE reports [Stream cipher]

Agenda: examine the evaluation criteria and evaluation methodology for stream ciphers in general, drawing on the reports of the NESSIE project.
[email protected]
Copyright (c) 2003 C4Technology, Inc.

Contents
1. Overview of NESSIE
2. Evaluation (Block cipher, Asymmetric, ...)
3. Stream ciphers ~ Security Requirements (Attacks, Statistical Tests)
4. Stream ciphers ~ Evaluation
5. BMGL
6. Leviathan
7. LILI-128
8. SNOW
9. SOBER-t (t16, t32)
10. Stream ciphers ~ Evaluation (Deliverables D18, D20)

1. NESSIE
New European Schemes for Signatures, Integrity, and Encryption.
NESSIE is a project within the IST (Information Society Technologies) Programme of the EC (European Commission).
http://www.cryptonessie.org
(moved to) https://www.cosic.esat.kuleuven.ac.be/nessie/index.html

1. Submissions in categories
1. Block ciphers
2. Synchronous stream ciphers
3. Self-synchronising stream ciphers
4. Message Authentication Codes (MACs)
5. Collision-resistant hash functions
6. One-way hash functions
7. Families of pseudo-random functions
8. Asymmetric encryption schemes
9. Asymmetric digital signature schemes
10. Asymmetric identification schemes

1. Schedule
2000 January    Beginning of first phase of NESSIE
2000 November   First NESSIE workshop
2001 July       Beginning of second phase of NESSIE
2001 September  Second NESSIE workshop
2002 November   Third NESSIE workshop
2003 February   Fourth NESSIE workshop
2003 March      End of second phase of NESSIE

1. NESSIE / AES / CRYPTREC
                       | AES                            | NESSIE                                 | CRYPTREC
Organizer              | NIST                           | IST Programme                          | Ministry of Internal Affairs and Communications (総務省), Ministry of Economy, Trade and Industry (経済産業省)
Purpose                | New US standard block cipher   | Consensus of EC industry and academia  | List of ciphers for e-government use
Technical requirements | 128/192/256-bit block cipher   | Almost all cryptographic primitives    | Almost all cryptographic primitives
Selection              | A single winner is chosen      | No single winner is chosen             | No single winner is chosen

2. Phase 1 Evaluation
64-bit block ciphers:
- CS-Cipher: CS Communication & Systems
- Hierocrypt-L1: Toshiba (東芝)
- IDEA: Mediacrypt
- Khazad: Barreto, Rijmen
- Misty1: Mitsubishi Electric (三菱電機)
- Nimbus: Machado
128-bit block ciphers:
- Anubis: Barreto, Rijmen
- Camellia: NTT, Mitsubishi Electric (三菱電機)
- Grand Cru: Borst
- Hierocrypt-3: Toshiba (東芝)
- Noekeon: Dawson et al.
- Q: McBride
- SC2000: Fujitsu (富士通)
160-bit block ciphers (variable length):
- SHACAL: Gemplus
- SAFER++: Cylink
- NUSH: LAN Crypto
- RC6: RSA
MAC & hash:
- Two-Track-MAC: Boer, Rompay
- UMAC: Rogaway et al.
- Whirlpool: Boer, Rompay
Asymmetric encryption:
- ACE Encrypt: IBM
- ECIES: Certicom
- EPOC-1, -2, -3: NTT
- PSEC-1, -2, -3: NTT
- RSA-OAEP: RSA
Asymmetric digital signature:
- ACE Sign: IBM
- ECDSA: Certicom
- ESIGN: NTT
- FLASH: BULL CP8
- QUARTZ: BULL CP8
- RSA-PSS: RSA
- SFLASH: BULL CP8
Asymmetric identification schemes:
- GPS: France Telecom

2. Phase 2 Evaluation
(This slide repeats the Phase 1 submission list above.)

3. Security Requirements
Stream ciphers (Self-synchronising / Synchronous)
a) High: key length of at least 256 bits; internal memory of at least 256 bits.
b) Normal: key length of at least 128 bits; internal memory of at least 128 bits.

... CRYPTREC
General Evaluation
Stream cipher:
- statistical properties, length of period and linear complexity
- resistance against well-known attacks and heuristic attacks
PRNG:
- statistical properties with randomness tests etc.
- resistance against attacks, unpredictability
Full Evaluation
Stream cipher:
- statistical properties (period, linear complexity, etc.)
- known attacks (correlation, divide and conquer, ...)
- heuristic attacks
PRNG:
- statistical properties with randomness tests (FIPS 140-1)
- unpredictability, heuristic attacks

3. Attacks
# Linear Complexity: regard the PRNG as an LFSR and find the length of the shortest LFSR that reproduces its output.
# Statistical Properties: measure the occurrence probabilities of the PRNG output and its deviation from an independent uniform distribution.
- Correlation Attacks: an attack that considers a simpler generator whose output is correlated with the PRNG output.
- Divide-and-Conquer Attacks: an attack that guesses part of the sequence (or state) and applies the same guessing condition to the remaining parts.
- Time-Memory Trade-Offs: an attack that reduces the time required for exhaustive search by increasing the memory used in the attack.
- Distinguishing Attacks: an attack that distinguishes PRNG output from a truly random sequence (independent uniform distribution).
- Rekeying attacks: attacks that exploit the use of the same key several times.

3. Statistical Tests (NESSIE toolbox)
- Dyadic Complexity Test
- Percolation Test
- Constant Runs Test
- Frequency Test
- Collision Test
- Overlapping m-tuple Test
- Gap Test
- Coupon Collector's Test
- Universal Maurer Test
- Poker Test
- Spectral Test
- Correlation Test
- Rank Test
- Linear Complexity Test
- Nonlinear Complexity Test
- Ziv-Lempel Complexity Test

... NIST SP 800-22 (http://csrc.nist.gov/rng/)
1. The Frequency (Monobit) Test
2. Frequency Test within a Block
3. The Runs Test
4. Test for the Longest-Run-of-Ones in a Block
5. The Binary Matrix Rank Test
6. The Discrete Fourier Transform (Spectral) Test
7. The Non-overlapping Template Matching Test
8. The Overlapping Template Matching Test
9. Maurer's "Universal Statistical" Test
10. The Lempel-Ziv Compression Test
11. The Linear Complexity Test
12. The Serial Test
13. The Approximate Entropy Test
14. The Cumulative Sums (Cusums) Test
15. The Random Excursions Test
16. The Random Excursions Variant Test

3. Classification of attacks
Preconditions and assumptions:
- The complete structure of the stream cipher is known.
- Only the secret key is unknown.
It is customary when analysing stream ciphers to consider known plaintext attacks. This essentially means assuming the cryptanalyst knows a large volume of keystream.
Analysis approaches: the cryptanalyst's task is then usually classified in one of three ways.
A) Distinguishing Attack: look for a method to distinguish a keystream of suitable length from a random sequence of the same length.
B) Prediction: look for a method to predict the keystream with better accuracy than random guessing.
C) Key Recovery: look for a method to recover the secret key from the keystream.

4. Stream ciphers
- BMGL: Håstad, Näslund (Sweden), High/Normal
- Leviathan: Cisco Systems (USA), High/Normal
- LILI-128: Simpson, Dawson, Golić, Millan (Australia), Normal
- SNOW: Johansson, Ekdahl (Sweden), High/Normal
- SOBER-t16: Qualcomm International (Australia), Normal
- SOBER-t32: Qualcomm International (Australia), High

Deliverables
D12 Toolbox version 2
D13 Security evaluation of NESSIE First Phase
D14 Performance evaluation of NESSIE First Phase
D15 Workshop on security and performance evaluation of NESSIE First Phase
D16 Internal review report Year 2
D17 Preliminary list of realistic performance estimates
D18 Update on the selection of algorithms for further investigation during NESSIE Second Phase
D20 NESSIE Security report, version 1.0
D21 Performance of Optimized Implementations of the NESSIE Primitives, version 1.0

4. Evaluation, Phase 1 ⇒ Phase 2 (D13)
Phase 1 Evaluation  ⇒  Phase 2 Evaluation
o BMGL              ⇒  o BMGL
o Leviathan         ⇒  -
o LILI-128          ⇒  -
o SNOW              ⇒  o SNOW
o SOBER-t16         ⇒  o SOBER-t16
o SOBER-t32         ⇒  o SOBER-t32

5. BMGL
The submission BMGL is a pseudorandom number generator with the block cipher Rijndael as cryptographic core. Rijndael is considered as a one-way function from the key to the ciphertext. BMGL iterates this function and extracts a few pseudo-random bits in each iteration using hard-core predicates. The construction uses an optimization of earlier work on pseudo-random generators [19, 48].

6. Leviathan
It is defined by a set of binary tree structures of height 16. Each node of each tree is associated with a triple of words (each of four bytes) z|y|x. The triple at the root of the jth tree is 1|0|j. Key-dependent functions a and b map the triple s at a node to a triple at each of its two descendants, so that its left-hand descendant is a(s) while its right-hand descendant is b(s).

6. Leviathan
(Figure) The functions fod (left) and god (right). Here and below denotes the bitwise exclusive or operation, denotes integer addition (with dashed lines indicating the carry operations), and ・ indicates the bitwise complementation operation (or logical 'not').

6. Leviathan
(Figure) The functions cof and cog, showing how the output of the cipher is derived from the state of the leaf nodes.

7. LILI-128
It consists of two LFSRs, each with a primitive feedback polynomial. The first, LFSR_c, has length 39 while the second, LFSR_d, has length 89. Two bits from LFSR_c (which is clocked regularly) are used to determine an integer c in the range {1, 2, 3, 4}, and LFSR_d is clocked c times. A nonlinear filter f_d is then applied to ten bits of the output of LFSR_d to produce the keystream.

8. SNOW 1.0
(Figure only.)

8. SNOW 2.0
(Figure only.)

9. SOBER-t
(Figure only.)

9. SOBER-t
(Figure) SOBER-t S-box. Labels: 32-bit Input; Partition the input: 8 bits / 24 bits; SBOX: Skipjack S-box, ISRC (QUT) S-box; 8 bits / 24 bits; 32-bit Output.

Evaluation, Phase 1 (D13): LEVIATHAN, LILI-128, SOBER-t, SNOW, BMGL
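Added example (not code from the slides or from the NESSIE toolbox): the Linear Complexity measure from the Attacks and Statistical Tests slides, implemented as the Berlekamp-Massey algorithm over GF(2), which finds the shortest LFSR reproducing a bit sequence. The toy LFSR (seed 1000, recurrence taps 1 and 4) is a constructed input; the `predict` function shows why a keystream with low linear complexity fails the "Prediction" task of the classification slide.

```python
# Added example, not from the slides: Berlekamp-Massey linear complexity test.
from typing import List, Tuple

def lfsr_bits(seed: List[int], taps: List[int], n: int) -> List[int]:
    """Constructed toy LFSR: s[j] = XOR of s[j-t] for t in taps.
    Seed 1000 with taps (1, 4) gives an m-sequence of period 15."""
    s = list(seed)
    while len(s) < n:
        s.append(sum(s[-t] for t in taps) % 2)
    return s[:n]

def berlekamp_massey(bits: List[int]) -> Tuple[int, List[int]]:
    """Return (L, C): L is the linear complexity and C the connection
    polynomial [1, c1, ..., cL] with s[j] = c1*s[j-1] ^ ... ^ cL*s[j-L]."""
    n = len(bits)
    c = [1] + [0] * n        # current connection polynomial
    b = [1] + [0] * n        # polynomial saved at the last length change
    L, m = 0, -1             # m: position where L last changed
    for i in range(n):
        d = bits[i]          # discrepancy between the LFSR prediction and s[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]   # C(x) += x^shift * B(x)
            if 2 * L <= i:            # the register has to grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def predict(bits: List[int], conn: List[int], count: int) -> List[int]:
    """Extend a sequence with the recovered recurrence: once 2L bits of an
    LFSR-like generator are known, every later bit follows."""
    s = list(bits)
    L = len(conn) - 1
    for _ in range(count):
        s.append(sum(conn[j] & s[-j] for j in range(1, L + 1)) % 2)
    return s[len(bits):]

if __name__ == "__main__":
    stream = lfsr_bits([1, 0, 0, 0], [1, 4], 30)
    L, conn = berlekamp_massey(stream[:8])   # 2L bits suffice for an LFSR of length L
    print("linear complexity:", L, "connection polynomial:", conn)
    print("next 22 bits predicted correctly:", predict(stream[:8], conn, 22) == stream[8:])
```

Run on a real keystream sample, a linear complexity close to half the sample length is the expected (random-looking) result; a much smaller value means the generator behaves like a short LFSR.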
