Attacks on Stream Ciphers: a Perspective

Attacks on Stream Ciphers: a Perspective

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India [email protected] First Asian Workshop on Symmetric Key Cryptography – ASK 2011, 30th August 2011 isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 1 / 55 Overview of the Talk Background. Correlation Attacks. Algebraic Attacks. Differential Attacks. Time/Memory Trade-Off Attacks. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 2 / 55 Background. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 3 / 55 Model of Symmetric Key Encryption Sender Receiver message M public channel Encrypt ciphertext Decrypt secret key K adversary secret key K isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 4 / 55 One-Time Pad message 1 0 0 1 1 1 true random sequence 0 01 1 1 0 ciphertext 1 0 1 0 0 1 isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 5 / 55 Model of Additive Stream Cipher secret key K Initialise initialisation state 1 update state 2 update vector output output keystream keystream blk blk message blk message blk ciphertext blk ciphertext blk Key: k bits; IV: (usually) ≤ k bits; state: (usually) ≥ 2k bits; initialise, update, output: functions (deterministic algorithms); isilogo keystream blk, msg blk, cpr blk: ≥ 1 bit. Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 6 / 55 Self-Synchronizing Stream Cipher message m0 m1 m2 ··· mi ··· keystream k0 k1 k2 ··· ki ··· ciphertext c0 c1 c2 ··· ci ··· ci = mi ⊕ ki . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 7 / 55 Self-Synchronizing Stream Cipher message m0 m1 m2 ··· mi ··· keystream k0 k1 k2 ··· ki ··· ciphertext c0 c1 c2 ··· ci ··· ci = mi ⊕ ki . ki is completely determined by the secret key K andci−n,..., ci−1. Correctly receiving n ciphertext bits allow correct generation of the next keystream bit. Robust against channel errors: bit flip/drop/insert. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 7 / 55 Self-Synchronizing Stream Cipher message m0 m1 m2 ··· mi ··· keystream k0 k1 k2 ··· ki ··· ciphertext c0 c1 c2 ··· ci ··· ci = mi ⊕ ki . ki is completely determined by the secret key K andci−n,..., ci−1. Correctly receiving n ciphertext bits allow correct generation of the next keystream bit. Robust against channel errors: bit flip/drop/insert. More generally, mi is completely determined by the secret key K and the last n ciphertext bits. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 7 / 55 Attack Models: Adversarial Access Ciphertext only attack: the attacker has access to only ciphertext(s); isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 8 / 55 Attack Models: Adversarial Access Ciphertext only attack: the attacker has access to only ciphertext(s); Known plaintext attack: the attacker knows (P1, C1),..., (Pt , Ct ); isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 8 / 55 Attack Models: Adversarial Access Ciphertext only attack: the attacker has access to only ciphertext(s); Known plaintext attack: the attacker knows (P1, C1),..., (Pt , Ct ); Chosen plaintext attack: the attacker chooses P1,..., Pt ; receives C1,..., Ct ; For additive stream ciphers, this is the same as known plaintext attack. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 8 / 55 Attack Models: Adversarial Access (contd.) Known/Chosen IV attack: (resynchronization attack) the attacker knows/chooses IV1,..., IVt ; receives the corresponding keystreams. Obtaining keystreams correspond to known plaintexts. IVs are always known. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 9 / 55 Attack Models: Adversarial Access (contd.) Known/Chosen IV attack: (resynchronization attack) the attacker knows/chooses IV1,..., IVt ; receives the corresponding keystreams. Obtaining keystreams correspond to known plaintexts. IVs are always known. Chosen ciphertext attack. the attacker chooses C1,..., Ct ; receives P1,..., Pt ; Not very meaningful for usual additive stream ciphers. Serious threat for self-synchronising stream ciphers. Serious threat for stream ciphers which combine encryption and authentication in a single composite primitive. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 9 / 55 Attack Models: Adversarial Goals Key recovery: the ultimate goal of the adversary. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 10 / 55 Attack Models: Adversarial Goals Key recovery: the ultimate goal of the adversary. State recovery: This allows forward generation of the keystream. If the state update function is invertible, then this allows to move backwards. If the initialisation function is invertible, then this allows key recovery. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 10 / 55 Attack Models: Adversarial Goals Key recovery: the ultimate goal of the adversary. State recovery: This allows forward generation of the keystream. If the state update function is invertible, then this allows to move backwards. If the initialisation function is invertible, then this allows key recovery. Distinguishing attack: Define a test statistic on a bit string such that the values it takes for uniform random strings and for the real keystream are ‘significantly’ different. Sometimes distinguishing attacks can be converted to key recovery attacks. In case of chosen IV attacks, the goal is to distinguish between the set of keystreams and a set of uniform random strings of the same lengths. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 10 / 55 Encrypting Short Fixed Length Strings msg blk cpr blk key K Encryptkey K Decrypt cpr blk msg blk isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 11 / 55 Encrypting Short Fixed Length Strings msg blk cpr blk key K Encryptkey K Decrypt cpr blk msg blk Block Cipher. E : {0, 1}k × {0, 1}n → {0, 1}n. D : {0, 1}k × {0, 1}n → {0, 1}n. For each K ∈ {0, 1}k , isilogo DK (EK (M)) = M. Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 11 / 55 Modes of Operations message: M1, M2, M3,... (n-bit blocks); initialization vector: n-bit IV (used as nonce). Cipher block chaining (CBC) mode: C1 = EK (M1 ⊕ IV); Ci = EK (Mi ⊕ Ci−1), i ≥ 2. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 12 / 55 CBC Mode PPPP1 2 m−1 m IV EK EK EK EK C1 C2 Cm−1 Cm isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 13 / 55 Modes of Operations (contd.) message: M1, M2, M3,... (n-bit blocks); initialization vector: n-bit IV (used as nonce). Output feedback (OFB) mode: Z1 = EK (IV); Zi = EK (Zi−1), i ≥ 2; Ci = Mi ⊕ Zi , i ≥ 1. This is essentially an additive stream cipher. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 14 / 55 Modes of Operations (contd.) message: M1, M2, M3,... (n-bit blocks); initialization vector: n-bit IV (used as nonce). Output feedback (OFB) mode: Z1 = EK (IV); Zi = EK (Zi−1), i ≥ 2; Ci = Mi ⊕ Zi , i ≥ 1. This is essentially an additive stream cipher. Cipher feedback (CFB) mode: C1 = M1 ⊕ EK (IV); Ci = Mi ⊕ EK (Ci−1), i ≥ 2. Can be used as a self-synchronizing stream cipher in a 1-bit feedback mode. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 14 / 55 Modes of Operations (contd.) message: M1, M2, M3,... (n-bit blocks); initialization vector: n-bit IV (used as nonce). Output feedback (OFB) mode: Z1 = EK (IV); Zi = EK (Zi−1), i ≥ 2; Ci = Mi ⊕ Zi , i ≥ 1. This is essentially an additive stream cipher. Cipher feedback (CFB) mode: C1 = M1 ⊕ EK (IV); Ci = Mi ⊕ EK (Ci−1), i ≥ 2. Can be used as a self-synchronizing stream cipher in a 1-bit feedback mode. Counter (CTR) mode: Ci = Mi ⊕ EK (nonce||bin(i)), i ≥ 1. Other variants of the CTR mode have been proposed. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 14 / 55 Linear Feedback Shift Register Given (non-zero) initial state (a0,..., an−1) generates a sequence a0, a1, a2,..., ai ,... where ai = cn−1ai−1 ⊕···⊕ c1ai−n+1 + c0ai−n. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55 Linear Feedback Shift Register Given (non-zero) initial state (a0,..., an−1) generates a sequence a0, a1, a2,..., ai ,... where ai = cn−1ai−1 ⊕···⊕ c1ai−n+1 + c0ai−n. Characteristic (connection) polynomial: n n−1 τ(x)= x ⊕ cn−1x ⊕···⊕ c1x ⊕ c0. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55 Linear Feedback Shift Register Given (non-zero) initial state (a0,..., an−1) generates a sequence a0, a1, a2,..., ai ,... where ai = cn−1ai−1 ⊕···⊕ c1ai−n+1 + c0ai−n. Characteristic (connection) polynomial: n n−1 τ(x)= x ⊕ cn−1x ⊕···⊕ c1x ⊕ c0. n If τ(x) is primitive over GF(2), then the period of {ai } is 2 − 1. Other well-understood “randomness-like” properties. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55 Linear Feedback Shift Register Given (non-zero) initial state (a0,..., an−1) generates a sequence a0, a1, a2,..., ai ,... where ai = cn−1ai−1 ⊕···⊕ c1ai−n+1 + c0ai−n. Characteristic (connection) polynomial: n n−1 τ(x)= x ⊕ cn−1x ⊕···⊕ c1x ⊕ c0. n If τ(x) is primitive over GF(2), then the period of {ai } is 2 − 1. Other well-understood “randomness-like” properties. Any bit of the sequence is a linear combination of the first n bits. Given any n bits of the sequence, it is easy to get the initial state. Unsuitable for direct use in cryptography. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55 Nonlinear Combiner Model (1) X i LFSR 1 mi (2) X LFSR i 2 kic i f (n) X i LFSRn mi = length of LFSR i isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 16 / 55 Correlation Attacks. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 17 / 55 Correlation Attack Suppose 1 Pr X (i) = k = p = . h 1 i i 2 Divide-and-conquer attack.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    148 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us