State of the Art in Stream Ciphers 2006State of the Art in Stream Ciphers 2006 Py SPP attack...
38
Py SPP attack Improving on the attack Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006
Transcript of State of the Art in Stream Ciphers 2006State of the Art in Stream Ciphers 2006 Py SPP attack...
-
Py SPP attack Improving on the attack
Improved Cryptanalysis of Py
Paul Crowley
LShift Ltd
State of the Art in Stream Ciphers 2006
-
Py SPP attack Improving on the attack
Py
� eSTREAM entrant by Eli Biham and Jennifer Seberry� Fast in software (2.6 cycles/byte on some platforms)� SPP attack: 288 bytes of output� Our attack: 272 bytes
-
Py SPP attack Improving on the attack
Output
P
O1
O2
-
Py SPP attack Improving on the attack
Update
P
P
-
Py SPP attack Improving on the attack
SPP attack
� Gautham Sekar, Souradyuti Paul, Bart Preneel� Defines event L with Pr[L] � 2�41:91� When L occurs, two output bits are the same
-
Py SPP attack Improving on the attack
Event L (1)
S
S
P
-
Py SPP attack Improving on the attack
Event L (2)
S
A
A
A
B
B
B
O1;1
O2;3
-
Py SPP attack Improving on the attack
Result of event L
SA B
O1;1 O2;3
-
Py SPP attack Improving on the attack
Improving on the attack
� Use all bits of O1;1;O2;3� Group output by column bitwise� Find exact probability Pr[O1;1;O2;3 = o1;1;o2;3jL]� Apply optimal distinguisher
-
Py SPP attack Improving on the attack
Addition
[c]0[c]1[c]2[c]3
[X ]0 [Y ]0
[X + Y ]0
[X ]1 [Y ]1
[X + Y ]1
[X ]2 [Y ]2
[X + Y ]2
[X ]3 [Y ]3
[X + Y ]3
-
Py SPP attack Improving on the attack
Carry propagation
[S]i[A]i [B]i
[O1;1]i [O2;3]i
[c1]i[c3]i
[c1]i+1[c3]i+1
-
Py SPP attack Improving on the attack
Carry propagation
[S]i[A]i [B]i
[O1;1]i [O2;3]i
[c1]i[c3]i
[c1]i+1[c3]i+1
-
Py SPP attack Improving on the attack
Hidden Markov model
0;00;01;01;0
11
00
10
12
18
18
-
Py SPP attack Improving on the attack
Hidden Markov model
0;00;01;01;0
11
00
10
12
18
18
-
Py SPP attack Improving on the attack
The forward algorithm
Pr�
1 0 10 0 1
� = 11�4M1;0M0;0M1;1�0
where 11�4 = � 1 1 1 1 � and �0 =0BB@
1000
1CCA
-
Py SPP attack Improving on the attack
Optimal distinguisher
� Thomas Baignères, Pascal Junod, Serge Vaudenay� Optimal distinguisher chooses the distribution which hasthe highest probability of producing the observed output
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
Pr[s0jL] Pr[s1jL] Pr[s2jL]
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1
Pr[s0] Pr[s1] Pr[s2]
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1
Pr[s0] Pr[s1] Pr[s2]Pr[s0 ^ s1 ^ s2]
-
Py SPP attack Improving on the attack
Efficacy of optimal distinguisher
� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2
� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples
-
Py SPP attack Improving on the attack
Efficacy of optimal distinguisher
� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples
� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples
-
Py SPP attack Improving on the attack
Efficacy of optimal distinguisher
� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�
� SPP attack: � = Pr[L]2 so around 285 samples
-
Py SPP attack Improving on the attack
Efficacy of optimal distinguisher
� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2
= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T
= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�
= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1
H0 = �0�T0Hi+1 = X
M2fM0;0;M0;1;M1;0;M1;1gMHiMT
� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0
Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM
T
� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0
Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM
T
� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0
Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM
T
� = Pr[L]2 �264 �11�4H321T1�4�� 1�
� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0
Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM
T
� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Conclusions
� We can efficiently calculate the efficacy of HMM-baseddistinguishers� Distinguisher advantage is 0.53 given 264 bytes from 28key/IV pairs� Advantage is 0.03 given a single 264-byte stream� Can this be improved still further?
http://www.ciphergoth.org/crypto/py
PySPP attackImproving on the attack
