Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC Overview 1. Introduction to Helix and Phelix 2. Description of Phelix 3. Differential propagation of addition 4. A basic attack on Phelix 5. Improving the attack on Phelix 6. Improving the security of Phelix 7. Open problems 8. Conclusion K.U. Leuven, ESAT/COSIC 2 1 Background (1) Stream Cipher Helix (FSE 2003) stream cipher + message authentication message is applied to update the internal state encryption: message is XORed with the keystream MAC: generated from internal state after finishing encryption gain – no separate MAC cost – error propagation + security concern K.U. Leuven, ESAT/COSIC 3 1 Background (2) Attacks against Helix Differential key recovery attack (Muller, 2004): nonce reuse; 212 adaptively chosen plaintext words, 288 operations Reducing the number of plaintext words (Paul-Preneel, 2005) about 210 adaptively chosen plaintext words; or 235.6 chosen plaintext words K.U. Leuven, ESAT/COSIC 4 1. Background (3) Stream Cipher Phelix (2005) Phelix: the strengthened version of Helix 1) message passing through more operations before affecting the keystream: half block in Helix, one full block in Phelix 2) more internal state words in generating a keystream word: one internal state word in Helix, two in Phelix Is Phelix secure? Still vulnerable to the differential key recovery attack, effective key size being reduced to 41.5 bits K.U. Leuven, ESAT/COSIC 5 2. Stream Cipher Phelix (1) Stream Cipher Phelix stream cipher + message authentication code 256-bit key, 128-bit IV eSTREAM Phase II software and hardware focus cipher Fast in software: 6.6 cycles/byte on Pentium M processor Hardware: twelve 32-bit additions are required for one 32-bit keystream word: efficient ? K.U. Leuven, ESAT/COSIC 6 2. Stream Cipher Phelix (2) Stream Cipher Phelix 160-bit internal state: updated by message 512-bit internal state: simply related to the key and IV incremented during the encryption K.U. Leuven, ESAT/COSIC 7 Phelix: one block Z0, Z1, Z2, Z3, Z4 : 160-bit internal state updated by message Xi,0, Xi,1 : 512-bit internal state, determined by key, IV; Encryption: Ci = Pi ⊕ Si K.U. Leuven, ESAT/COSIC 8 3. Differential Propagation of Addition Observation: addend bits strongly correlated with the difference of the sums => By observing the distribution of the difference of the sums, the value of addend bits can be determined with the linear attack technique K.U. Leuven, ESAT/COSIC 9 3. Differential Propagation of Addition The following theorem shows that the check sum of two adjacent addend bits does affect significantly the distribution of the difference of the sums K.U. Leuven, ESAT/COSIC 10 4. A Basic Attack on Phelix (1) 1) Introducing one bit difference in Pi (i+1) (i+1) 2) B 3 ⊕ B 3′ heavily biased K.U. Leuven, ESAT/COSIC 11 4. A Basic Attack on Phelix (2) (i+1) (i+1) (i+1) (i+1) (i+1) 3) Since T 0 = A 0 ⊕ ( B 3 + X i + 1 ,0 ) and that B 3 ⊕ B3′ is heavily biased, we can predict which bits of Xi+1,0 may have significant effect on the distribution of the difference of the keystream according to Theorem 2. K.U. Leuven, ESAT/COSIC 12 4. A Basic Attack on Phelix (3) 4) When the one-bit difference is in the least significant bit of 15 14 th Pi , for X i + 1 ,0 ⊕ X i + 1 ,0 = 0 , the 17 least significant bit of 15 14 Si+1 ⊕ Si′+1 is 0 with probability 0.50227; for X i + 1 ,0 ⊕ X i + 1 , 0 = 1 , the probability is 0.50117 15 14 => The value of X i + 1 , 0 ⊕ X i + 1 , 0 is highly correlated to the 17 17 distribution of S i + 1 ⊕ S i′ + 1 . 15 14 22.3 => Recovering X i + 1 , 0 ⊕ X i + 1 , 0 with 2 plaintext pairs K.U. Leuven, ESAT/COSIC 13 4. A Basic Attack on Phelix (4) Experiment 1. With 225 chosen plaintext pairs with difference in 15 14 the least significant bit of Pi, the values of X i + 1 , 0 ⊕ X i + 1 ,0 of 192 keys among 200 keys are determined correctly. The success rate is about 0.96. Lower than expected. 15 14 Reason: the other bits of X i + 1 ,0 interfere with X i+1,0 ⊕ X i+1,0 Shifting the one-bit difference, 23 bits of X i+ 1 , 0 are recovered. K.U. Leuven, ESAT/COSIC 14 5. Improving the Attack on Phelix (1) Aims: Recovering more key bits and improving the success rate Reducing the number of chosen plaintext pairs Methods: (i−3) Recovering Z 4 before recovering X i+1,0 Fine tuning of the threshold values in the attack K.U. Leuven, ESAT/COSIC 15 5. Improving the Attack on Phelix (2) (i−3) Recovering Z4 1) Introducing difference in the least significant bit of Pi (i+1) (i+1) 2) Y 4 ⊕ Y 4 ′ is heavily biased K.U. Leuven, ESAT/COSIC 16 5. Improving the Attack on Phelix (3) (i+1) (i+1) (i+1) (i−3) 3) Since Y 4 ⊕ Y 4′ is heavily biased and S i+ 1 = Y4 ⊕ Z4 , (i−3) the value of the bits of Z 4 affects the distribution of Si+1 ⊕ Si′+1 (i+1),3 (i+1),2 th 4) When P i ⊕ P i ′ = 1 , for Y 4 ⊕ Y 4 = 0 , the 5 least significant bit of S i − 3 ⊕ S i′ − 3 is 0 with probability 0.5461; (i+1),3 (i+1),2 for Y 4 ⊕ Y 4 = 1 , this probability is 0.5193 (i+1),3 (i+1),2 14 => Recovering Y 4 ⊕ Y 4 requires 2 plaintext pairs K.U. Leuven, ESAT/COSIC 17 5. Improving the Attack on Phelix (4) 5) In the attack, we determine the least significant bit of (i−3) first, then proceed to determine the more significant Z4 (i−3) bits of Z 4 by shifting the one-bit difference. (i−3), j (i−3), j−1 (i−3), j−2 (i−3),0 6) When Z 4 is analyzed, Z 4 Z 4 LZ4 is ′ (i−3), j−1 (i−3), j−2 (i−3),0 subtracted from S i and S i so that Z4 Z4 LZ4 (i−3), j does not interfere with Z 4 . The success rate becomes very close to 1 with small number of plaintext pairs. K.U. Leuven, ESAT/COSIC 18 5. Improving the Attack on Phelix (5) 17 (i−3) 7) With 2 plaintext pairs, 30 bits of Z 4 (except the two (i−3) most significant bits of Z 4 ) can be determined with success rate about 0.999. (i−3) After recovering Z 4 , we recover X i + 1 ,0 from the (i+1) (i+1) ′ distribution of Y 4 ⊕ Y ' 4 instead of S i+ 1 ⊕ Si+1 . K.U. Leuven, ESAT/COSIC 19 5. Improving the Attack on Phelix (6) (i+1) (i+1) Recovering X i + 1 , 0 from Y4 ⊕Y4′ Due to the interference between the bits of X i + 1 ,0 on the i+1 i+1 distribution of Y 4 ⊕ Y 4′ , we need the fine tuning of the threshold values in the attack. 9 For example, when P i ⊕ P i ′ = 1 , if X i+ 1 , 0 = 0 and the value of 11 10 i+1,13 i+1,13 X i+1,0 || X i+1,0 is 00, 11, 01, 10, then Y 4 ⊕ Y 4 ′ = 0 with prob. 9 0.53033, 0.52334, 0.51946, 0.51864; if X i + 1 ,0 = 1 , the prob. becomes 0.52334, 0.53030, 0.51861, 0.51948. 9 11 10 Y i+1,13 ⊕Y ′i+1,13 => X i + 1 ,0 and X i + 1 ,0 || X i+ 1 , 0 affect the distribution of 4 4 K.U. Leuven, ESAT/COSIC 20 5. Improving the Attack on Phelix (7) i+1,13 i+1,13 Other bits of X i + 1 , 0 also affect the distribution of Y4 ⊕Y4′ In the attack, we need to tune the threshold value to 0.52035, 11 10 so that the value of X i+ 1 , 0 ⊕ X i + 1 , 0 can be recovered with success rate 0.99 with 221 chosen plaintext pairs. j+1 j The values of X i + 1 , 0 ⊕ X i + 1 , 0 ( 2 ≤ j ≤ 28 ) can be determined in a similar way K.U. Leuven, ESAT/COSIC 21 5. Improving the Attack on Phelix (8) 0 The lsb X i+1,0 is recovered in a different way: 16 21 2 chosen plaintext pairs with Pi ⊕ Pi′= 2 (i+1),2 (i+1),2 observing the distribution of Y4 ⊕Y4′ 1 0 The second lsb X i+1,0 can be recovered if X i+1,0 = 0 16.4 22 2 chosen plaintext pairs with Pi ⊕ Pi′= 2 (i+1),3 (i+1),3 observing the distribution of Y4 ⊕Y4′ X 2 0 1 The value of i + 1 ,0 can be recovered if X i + 1 ,0 = 0 and X i+1,0 = 0 K.U. Leuven, ESAT/COSIC 22 5. Improving the Attack on Phelix (9) The above attack recovers 28.75 bits of X i+1,0 After recovering eight consecutive X i + 1 , 0 , 230 key bits are recovered. Considering the error rate of about 0.01, the effective key size is reduced to 41.5 bits.