On the Security of IV Dependent Stream Ciphers Côme Berbain and Henri Gilbert France Telecom R&D {[email protected]} research & development Stream Ciphers IV-less IV-dependent key K key K IV (initial value) number ? generator keystream keystream plaintext ⊕ ciphertext plaintext ⊕ ciphertext e.g. RC4, Shrinking Generator e.g. SNOW, Scream, eSTREAM ciphers well founded theory [S81,Y82,BM84] less unanimously agreed theory practical limitations: prior work [RC94, HN01, Z06] - no reuse of K numerous chosen IV attacks - synchronisation - key and IV setup not well understood IV setup – H. Gilbert (2) research & developement Orange Group Outline security requirements on IV-dependent stream ciphers whole cipher key and IV setup key and IV setup constructions satisfying these requirements blockcipher based tree based application example: QUAD incorporate key and IV setup in QUAD's provable security argument IV setup – H. Gilbert (3) research & developement Orange Group Security in IV-less case: PRNG notion m K∈R{0,1} number truly random VS generator g generator g g(K) ∈{0,1}L L OR Z ∈R{0,1} 1 input A 0 or 1 PRNG A tests number distributions: Adv g (A) = PrK [A(g(K)) = 1] − PrZ [A(Z) = 1] PRNG PRNG Advg (t) = maxA,T(A)≤t (Advg (A)) PRNG 80 g is a secure cipher ⇔ g is a PRNG ⇔ Advg (t < 2 ) <<1 IV setup – H. Gilbert (4) research & developement Orange Group Security in IV-dependent case: PRF notion stream cipher perfect random fct. IV∈ {0,1}n function generator VSOR g* gK G = {gK} gK(IV) q oracle queries • A 0 or 1 PRF gK g* A tests function distributions: Adv G (A) = Pr[A = 1] − Pr[A = 1] PRF PRF Adv G (t, q) = max A (Adv G (A)) PRF 80 40 G is a secure cipher ⇔ G is a PRF ⇔ Adv G (t < 2 ,2 ) << 1 IV setup – H. Gilbert (5) research & developement Orange Group Structure of the stream ciphers considered here IV (n bits) key & IV K setup typical KG structure initial state (m bits) state transition keystream function generation λ iterations output function keystream (L bits) IV setup – H. Gilbert (6) research & developement Orange Group Security: sufficient conditions IV IV key & IV F = {fK} setup is a PRF initial state ⇒ G = {g ο fK} is a PRF keystream g generation is a PRNG keystream keystream [informally]: the key & IV setup is a PRF and the keystream generator is a PRNG ⇒ the whole stream cipher is secure IV setup – H. Gilbert (7) research & developement Orange Group This is due to a simple composition theorem Composition of {fK} and g function F = {f } generator K ≡ G = {g ο fK} number g generator (comp. time Tg) PRF PRF PRNG Composition Theorem: Adv G (t,q) ≤ Adv F (t',q) + qAdv g (t') where t' = t + qTg IV setup – H. Gilbert (8) research & developement Orange Group Key & IV setup = PRF is "almost" a necessary condition IV (n bits) F = {f } K time TK&IV (key and IV setup) initial state (m bits) g time TKG (keystream generation) m first keystream bits TK&IV + TKG ≥ TPRF (where TPRF is the time needed by the fastest n-bit to m-bit PRF) For a fast cipher,TKG is small, so TK&IV cannot be much lower than TPRF IV setup – H. Gilbert (9) research & developement Orange Group Key & IV setup: candidate PRF constructions Block cipher based (not detailed here) Examples: LEX (based on AES), Sosemanuk (based on Serpent) Pros: more conservative than many existing constructions Cons: heterogeneous construction ⇒ increased implementation complexity (except for LEX) Tree based (detailed in the sequel) Example: QUAD Conducting idea: re-use essentially the same PRNG as in the keystream generation Pros: low implementation complexity Cons: relatively slow IV setup – H. Gilbert (10) research & developement Orange Group Tree based construction [GGM86] m-bit to 2m-bit PRNG f ⇒ n-bit to m-bit PRF F = {fy} y (parameter) (m bits) f x1 = 0 0 1 f f f x = 1 0 1 (2m bits) 2 f f x3 = 1 0 1 x f f (input) f xn-1= 0 0 1 f f x = 1 n 0 1 fy(x) PRF PRNG Theorem[≈GGM86]: Adv F (t,q) ≤ nqAdv f (t') where t' = t + q(n+1)Tf IV setup – H. Gilbert (11) research & developement Orange Group Tree based key & IV setup truncated IV-less cipher⇒ key and IV setup K m-bit state f IV1 0 1 f f f IV 0 1 2 m-bit sequence 2 f f IV3 0 1 IV f f (input) f IVn-1 0 1 f f IVn Is this practical? 0 1 f (IV) Cons: relatively slow. If |IV|=80 bits and |state|=160 bits, K key & IV setup ≡ generation of 3200 keystream bytes Pros: very low extra implementation complexity in hardware IV setup – H. Gilbert (12) research & developement Orange Group The Stream Cipher QUAD [BGP06] Based on the multivariate quadratic problem (MQ) Given a system of m quadratic equations in n variables over GF(q) k k k Qk (x1 ,..., xn ) = ∑αi,j xi x j + ∑βi xi + γ = yk ,k = 1,...,m i≤j i Find a solution n (if any) x = (x1 ,..., x n ) ∈ GF(q) NP hard even over GF(2) best solving algorithms so far are exponential [Faugère, Bardet] QUAD iterates a fixed quadratic function S S keystream IV setup – H. Gilbert (13) research & developement Orange Group QUAD: keystream generation n internal state: x = (x1 ,..., xn ) ∈ GF(q) fixed public quadratic function S: n var., m = tn eq. (typically 2n eq.) (n bits) q = 2 S recommended parameters: q=2, n=160 bits, t=2 IV setup – H. Gilbert (14) research & developement Orange Group Security argument for the keystream generation Keystream generation, GF(2) case initial state (n bits) number λ iterations of S generator g keystream (L bits) Th [BGP06]: in the GF(2) case, if there exists a distinguisher for g allowing to distinguish a sequence of L = λ ( t − 1 ) n keystream bits associated with a random quadratic systems S and a random initial state value x in time T with advantage ε, then there is an MQ solver that n2λ2T ε solves a random instance of MQ in time T'≅ O( ) with probabilityε'= . ε2 22 λ Example of application: q=2, n = 350 bits, t = 2, L=240, T=280, ε = 1% (no such concrete reduction for the recommend value n = 160) IV setup – H. Gilbert (15) research & developement Orange Group QUAD: Key and IV Setup uses two public quadratic functions S0 and S1 of n eq. in n var. each set x with the key K for each IV bit IVi: tree based construction • if IVi = 0 then update x with S0(x) • if IVi = 1 then update x with S1(x) runup: clock the cipher n times without outputting the keystream typical key and IV lengths: 160 bits each IV setup – H. Gilbert (16) research & developement Orange Group Extending the proof to the whole cipher Whole cipher, GF(2) case IV (n bits) t =2 L + n 2 function λ iterations of S (λ = ) G={gofK} generator n keystream (L bits) Th: in the GF(2) case, if there exists a (T,q) PRF-distinguisher for the family G of IV to keystream functions associated with a random key and a random quadratic systems S with PRF-advantage ε, then there is an MQ solver that solves a random instance of MQ in time n2λ2q2T ε T'≅ O( ) with probability at least ε ' = 3 . ε 2 3.2 qλ Example of application: q=2, n = 760 bits, t = 2, L=240, T=280, ε = 1% IV setup – H. Gilbert (17) research & developement Orange Group Conclusions Requirements: a PRF is needed Conservative IV setup seems demanding w.r.t. computational complexity is not demanding w.r.t. implementation complexity "Provable security" can be extended to IV-dependent stream ciphers IV setup – H. Gilbert (18) research & developement Orange Group.