Stream ciphers I. Thomas Johansson, Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden, thomas@eit.lth.se, May 16, 2011.

Transcript of the slide deck (50 pages).

Page 1:

Stream ciphers I

Thomas Johansson

Dept. of EIT, Lund University,

P.O. Box 118, 221 00 Lund, Sweden

thomas@eit.lth.se

May 16, 2011

Thomas Johansson Stream ciphers I

Page 2:

Outline:

• Introduction to stream ciphers

• Distinguishers

• Basic constructions of distinguishers

• Various types of distinguishing attacks

• eSTREAM and two ciphers from the portfolio

Page 3:

Introduction to stream ciphers

• Stream ciphers are important in cryptography since they form one of the two possible ways to provide symmetric encryption.

• Stream ciphers encrypt individual characters of a plaintext message one by one, using an encryption transformation that varies with time.

• Stream ciphers are generally faster than block ciphers in hardware, and have less complex hardware circuitry. They also have some other nice features that in some applications (typically communications applications) tend to be quite important, like limited buffering and limited error propagation.

Page 4:

Introduction to stream ciphers

• There is a lot of theoretical knowledge on stream ciphers, and various design principles for stream ciphers have been proposed and extensively analyzed.

• Recently, we have seen a lot of fully-specified stream cipher proposals through several design projects, e.g. NESSIE, eSTREAM.

• In addition, many proprietary and confidential stream ciphers are used in practice. Some ciphers have initially been confidential but later been leaked to the public, e.g., A5 and RC4.

Page 5:

Introduction to stream ciphers

• Most stream cipher constructions use a pseudo-random keystream generator, or simply a generator, to produce a long sequence of binary symbols.

• The security of a stream cipher is closely connected to how well this sequence of bits resembles a truly random sequence.

Page 6:

Stream ciphers

• Consider a binary additive stream cipher. The output sequence of the keystream generator, z = z1, z2, ..., is added bitwise to the plaintext sequence m = m1, m2, ..., producing the ciphertext c = c1, c2, ....

• The keystream generator is initialized through a secret key K.

[Figure: the keystream generator outputs z1, z2, ...; the plaintext m1, m2, ... is XORed with it to give the ciphertext c1, c2, ...]

Figure: A binary additive stream cipher

Page 7:

Attacks

• A known-plaintext attack (or chosen-plaintext or chosen-ciphertext attack) is equivalent to having access to the keystream z = z1, z2, ..., zN.

• Design goal: efficiently produce random-looking sequences that are "indistinguishable" from truly random sequences.

[Figure: the keystream generator outputs z1, z2, ...; the plaintext m1, m2, ... is XORed with it to give the ciphertext c1, c2, ...]

Figure: A binary additive stream cipher

Page 8:

Attacks

Two main types of attacks:

• Key recovery attack: Eve tries to recover the value of the secret key K.

• Distinguishing attack: Eve tries to determine whether a given sequence z = z1, z2, ..., zN is likely to have been generated from the considered stream cipher or whether it is just a truly random sequence. If a distinguisher, i.e., a box (algorithm) that can correctly answer the above question with high probability, can be built, we have a distinguishing attack.

Page 9:

Model of a stream cipher

• Requirements in many recent applications have asked for a modified model of a stream cipher including a public parameter called IV (initial value) or nonce (number used once).

• A generator takes two input parameters, one key K and one public parameter IV, and produces an arbitrarily long keystream sequence z.

[Figure: generator with inputs key k and IV (public) producing z]

Figure: A keystream generator initialized by a key and an IV value

Page 10:

A generator in table form

Generator = a table indexed by (K, IV) containing z.

Initial value IV   Key K      Keystream sequence z
00...000           00...000   1101010101110101010100
00...000           00...001   1110101010101100000101
00...000           00...010   0010110101011010100100
...                ...        ...
00...001           00...000   1010001010101010110101
00...001           00...001   0010111010101010100111
00...001           00...010   1010110101010100001110
...                ...        ...
11...111           00...000   0101010101101001000100
11...111           00...001   0101111111110000010110
11...111           00...010   1011010111010100001110
...                ...        ...
11...111           11...111   0010111111101001000111

Figure: Visualizing the generator as a huge table

Page 11:

Remarks on the model

• The optimal design of a generator (ideal generator) would be if every entry in the table was generated truly at random (uniformly).

• We have some generic attacks on the ideal generator. For example, an exhaustive key search would require testing all the keys and checking whether a chosen key generates the given output.

• The design problem is then essentially to construct a generator that in all aspects implements an ideal generator, leaving only the generic attacks like exhaustive key search for the cryptanalyst.

Page 12:

Examples of insecure generators

Even if some pseudo-random generators may be suitable for simulation purposes, they can be completely insecure in a cryptographic sense.

• Output of a linear feedback shift register. The key determines a starting state (s1, s2, ..., sL), a sequence is defined by

$$s_i = \sum_{j=1}^{L} c_j s_{i-j} \quad \text{for } i > L,$$

and the pseudo-random sequence is given by z = sL+1, sL+2, ....

• Various versions of the linear congruential generator. Generators that in some form use the recurrence

$$s_{i+1} = a s_i + b \pmod{m},$$

where now a, b, si ∈ Zm, i = 1, 2, ....

Page 13:

Defining a Distinguisher

• Rough description: a distinguisher for a generator X is given as follows. Let D(z) be an algorithm that takes as input a length N sequence z and as output gives one out of two possible answers, either "X" or "RANDOM".

• The probability that D(z) correctly determines the origin of z is written (1 + ε)/2. If ε is not very close to zero we say that D(z) is a distinguisher for the generator.

• The advantage of a distinguisher D, AdvD, is defined as

$$\mathrm{Adv}_D = \left| P(D(z) = X \mid z \text{ generated by } X) - P(D(z) = X \mid z \text{ truly random}) \right|.$$

The advantage is AdvD = |ε|.

Page 14:

Different Distinguishing Attack Scenarios

• A single keystream (from a known or chosen IV); several keystreams from different known values of IV; several keystreams from different chosen values of IV.

• D receives m different keystreams z1, z2, ..., zm generated from m different IV values IV1, IV2, ..., IVm. Write

$$Z = \begin{pmatrix} z_1 \\ z_2 \\ \vdots \\ z_m \end{pmatrix} = \begin{pmatrix} z_{1,1} & z_{1,2} & \cdots & z_{1,N} \\ z_{2,1} & z_{2,2} & \cdots & z_{2,N} \\ \vdots & & & \vdots \\ z_{m,1} & z_{m,2} & \cdots & z_{m,N} \end{pmatrix}.$$

Special attention is given to the two special cases m = 1 and N = 1.

Page 15:

Basic constructions of distinguishers

• A first and very basic approach would then be to apply various statistical tests on the received keystream Z (NIST statistical tests, DIEHARD, ...).

• These approaches may detect statistical weaknesses in some weak generators, but they are not very powerful in general.

• Stronger attacks can be achieved if we take the internal structure of the cipher into account when we design a distinguisher.

Page 16:

Basic constructions of distinguishers

• Try to detect some statistical deviation in the keystream Z based on some internal relationship.

• However, symbols in Z (or even small blocks of symbols) will often be very close to the uniform distribution.

• Instead, the internal relationship often gives dependence among different zi,j symbols that can be far apart in time.

Page 17:

Transforming keystream into samples

• So it is natural that we transform our keystream Z into a new sequence of symbols, called samples, denoted by X = x1, x2, .... In general, this can be done in almost any way,

$$x_i = F(i, Z), \quad i = 1, 2, \ldots$$

where F is some function.

• With a given sample sequence, we would finally try to distinguish whether X behaves as if generated from a truly random Z or not.

• Linear distinguishers: the samples are selected as linear combinations of keystream bits. Usually, the samples are regarded as independent and the distinguisher examines whether the sample values are consistent with a uniform distribution or not.

Page 18:

Transforming keystream into samples

• Concluding, the challenge for the adversary is to somehow find a suitable way to transform the keystreams to a sample sequence X.

• Once the sample sequence is given, we apply statistical tools to determine which distribution the sample sequence follows.

Page 19:

Hypothesis Testing

Two cases:

• We want to determine if an observed sequence is distributed according to one of two known distributions, usually the cipher distribution and the uniform distribution.

• We want to determine if an observed sequence is likely to be distributed according to one known distribution.

Page 20:

The Case When Both Distributions Are Known

The optimal hypothesis test is given by:

Lemma (Neyman-Pearson)

Let X1, X2, ..., Xn be drawn i.i.d. according to mass function Pobs. Consider the decision problem corresponding to the hypotheses Pobs = P0 vs. Pobs = P1. For T ≥ 0 define a region

$$A_n(T) = \left\{ \frac{P_0(x_1, x_2, \ldots, x_n)}{P_1(x_1, x_2, \ldots, x_n)} > T \right\}.$$

Let $\alpha_n = P_0^n(A_n^c(T))$ and $\beta_n = P_1^n(A_n(T))$ be the error probabilities corresponding to the decision region An. Let Bn be any other decision region with associated error probabilities α* and β*. If α* ≤ α, then β* ≥ β.

Page 21:

The Case When Both Distributions Are Known

Assuming that all samples are independent, this is equivalent to

$$A_n(T) = \left\{ \sum_{i=1}^{n} \log \frac{P_0(x_i)}{P_1(x_i)} > \log T \right\}.$$

Page 22:

Some known facts

• There exist asymptotic expressions for the error probabilities.

• Binary distributions: The bias ε of a distribution is defined through

$$\Pr(X = 0) = 0.5\,(1 + \varepsilon). \tag{1}$$

For k binary independent variables X1, X2, ..., Xk, each with bias ε, the bias εtot of the sum is given by

$$\varepsilon_{tot} = \varepsilon^{k}. \tag{2}$$

• When α and β are about equal, a distinguisher needs roughly

$$n \approx \frac{1}{\varepsilon^{2}} \tag{3}$$

samples to determine if an observed distribution is the cipher distribution or the uniform distribution.

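As an added illustration of the Neyman-Pearson test in its log-likelihood form and of facts (1) to (3) (this code is not from the slides): a binary source with bias ε is tested against the uniform distribution, the exact error probabilities α and β of the optimal test are computed from the binomial distribution, and the piling-up of biases is computed exactly. All parameter values (ε = 0.1, sample sizes, seeds) are constructed.

```python
import math
import random


def piling_up_bias(biases):
    """Bias of the XOR of independent binary variables with the given biases,
    computed exactly from the distribution of the sum; with all biases equal
    to eps it reproduces (2), eps_tot = eps**k."""
    p_zero = 1.0                     # Pr(XOR of the variables so far == 0)
    for eps in biases:
        q = (1.0 + eps) / 2.0        # Pr(X = 0) = (1 + eps)/2, definition (1)
        p_zero = p_zero * q + (1.0 - p_zero) * (1.0 - q)
    return 2.0 * p_zero - 1.0        # invert (1)


def llr_test(samples, eps, log_t=0.0):
    """Neyman-Pearson test of P0 = cipher distribution (Pr[x = 0] = (1+eps)/2)
    against P1 = uniform on {0, 1}: decide 'cipher' iff the log-likelihood
    ratio sum_i log(P0(x_i)/P1(x_i)) exceeds log T (slide 21)."""
    p0 = (1.0 + eps) / 2.0
    llr = 0.0
    for x in samples:
        llr += math.log((p0 if x == 0 else 1.0 - p0) / 0.5)
    return "cipher" if llr > log_t else "random"


def error_probabilities(n, eps, log_t=0.0):
    """Exact alpha (cipher output called random) and beta (uniform output
    called cipher) of llr_test with n samples. The LLR depends only on the
    number of zeros n0, which is Binomial(n, p) under each hypothesis, so the
    probabilities are sums of binomial terms (computed in the log domain)."""
    p0 = (1.0 + eps) / 2.0
    alpha = beta = 0.0
    for n0 in range(n + 1):
        llr = n0 * math.log(2 * p0) + (n - n0) * math.log(2 * (1 - p0))
        log_comb = math.lgamma(n + 1) - math.lgamma(n0 + 1) - math.lgamma(n - n0 + 1)
        if llr > log_t:              # decide 'cipher'
            beta += math.exp(log_comb + n * math.log(0.5))
        else:                        # decide 'random'
            alpha += math.exp(log_comb + n0 * math.log(p0) + (n - n0) * math.log(1 - p0))
    return alpha, beta


def biased_bits(eps, n, seed):
    """Constructed sample source: n bits with Pr[bit = 0] = (1 + eps)/2."""
    rng = random.Random(seed)
    return [0 if rng.random() < (1.0 + eps) / 2.0 else 1 for _ in range(n)]


def rule_of_thumb_errors(eps, factor=1):
    """alpha and beta when n = factor / eps^2 samples are used, to see how (3)
    behaves: n = 1/eps^2 still leaves sizeable errors, a few times that does not."""
    return error_probabilities(round(factor / eps ** 2), eps)


if __name__ == "__main__":
    for factor in (1, 4, 16):
        print("n = %d/eps^2:" % factor, rule_of_thumb_errors(0.1, factor))
    print(llr_test(biased_bits(0.1, 6400, 1), 0.1))
```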
Page 23:

The Case When One Distribution Is Known

If we cannot find the distribution of the cipher:

• A chi-square test can be used to determine if an observed distribution is likely to follow one given distribution.
H0: PX = P0
H1: PX ≠ P0.

• Let O(x) be the number of outcomes of x ∈ X in the observed sequence and let the expected number of outcomes of x ∈ X according to P0 be denoted E(x). The statistic

$$Q = \sum_{x \in \mathcal{X}} \frac{(O(x) - E(x))^2}{E(x)} \tag{4}$$

can be approximated by the chi-square distribution χ²_r, with r being the degrees of freedom.

Page 24:

A Practical Situation

A distinguisher is used to derive information about the plaintext.

• Alice and Bob are communicating over an insecure channel. The adversary Eve is able to passively eavesdrop on the channel.

• Alice sends a message M = m1, m2, ..., mN to Bob. Eve knows that the data sent is either M1 = m11, m12, ..., m1N or M2 = m21, m22, ..., m2N. The ciphertext is C = c1, c2, ..., cN and given by

$$c_i = m_i \oplus z_i, \quad 1 \le i \le N, \tag{5}$$

where zi is the keystream.

Page 25:

A Practical Situation

Attack scenario: Eve's task is to determine if M = M1 or M = M2.

• By xoring the ciphertext C with M1 Eve will get a keystream z = C ⊕ M1.

• If indeed M = M1, then z is distributed according to the cipher distribution since

$$z_i = c_i \oplus m_{1i} = m_{1i} \oplus z_i \oplus m_{1i} = z_i, \tag{6}$$

• If M = M2, then z is uniformly distributed since

$$z_i = c_i \oplus m_{1i} = m_{2i} \oplus z_i \oplus m_{1i}, \tag{7}$$

for 1 ≤ i ≤ N, assuming that M1 ⊕ M2 is uniformly distributed.

Page 26:

Generic attacks on Block Ciphers in OFB and CTR mode

Generic distinguishing attacks apply to many common modes of operation of block ciphers (here OFB mode and counter mode).

• EK(x) is the block cipher encryption function, B = the block size in bits.

Page 27:

Output feedback mode

OFB turns any block cipher into a synchronous stream cipher. The B-bit keystream words (z1, z2, z3, ...) are generated by repeatedly encrypting a B-bit IV. Let z0 = IV, then

$$z_i = E_K(z_{i-1}), \quad i \ge 1.$$

• Since a block cipher defines a permutation over all B-bit blocks, we expect the average period of the keystream to be in the order of 2^(B−1) blocks.

• If there is a collision, then we know that all subsequent blocks will be the same. I.e., if zi = zj (i ≠ j), then zi+k = zj+k (k ≥ 0).

• The birthday paradox: in a truly random sequence we expect to find a collision after observing 2^(B/2) B-bit blocks.

Page 28:

Distinguisher for OFB mode

Input (z1, z2, ..., z_{2^{B/2}})
if (zi = zj and zi+1 ≠ zj+1 for some i ≠ j)
    return Random
else
    return OFB Mode

Figure: Distinguisher for OFB mode

Page 29:

Counter Mode

In counter mode (CTR), the B-bit keystream words (z1, z2, z3, ...) are generated by encrypting an incrementing counter i,

$$z_i = E_K(IV \,\|\, i),$$

where a||b denotes the concatenation of the bit strings a and b.

• Since a counter is used, and a block cipher together with the key defines a random permutation, a keystream block will never repeat (as long as the counter is not repeated).

• By observing 2^(B/2) keystream blocks, we can decide if the sequence is random or generated by a block cipher in counter mode.

Page 30:

Distinguisher for Counter mode

Input (z1, z2, ..., z_{2^{B/2}})
if (zi = zj for some i ≠ j)
    return Random
else
    return Counter Mode

Figure: Distinguisher for Counter mode

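Added example, not from the slides: the two distinguishers of slides 28 and 30 run against a toy B = 16 bit block cipher, where E_K is modelled by a seeded random permutation (an assumption standing in for a real cipher) and a few times 2^(B/2) blocks are observed so that the birthday collision is almost certain for a random sequence.

```python
import random

BLOCK_BITS = 16                          # toy block size B (constructed)
N_BLOCKS = 4 * 2 ** (BLOCK_BITS // 2)    # a few times 2^(B/2): a random
                                         # sequence then collides with
                                         # probability about 1 - e^-8


def make_toy_block_cipher(seed):
    """Stand-in for E_K: a random permutation of the 2^B blocks selected by
    the seed (the 'key'). Not a real block cipher; the distinguishers only
    rely on E_K being a permutation."""
    table = list(range(2 ** BLOCK_BITS))
    random.Random(seed).shuffle(table)
    return lambda x: table[x]


def ofb_keystream(enc, iv, n):
    """z_0 = IV, z_i = E_K(z_{i-1}) for i >= 1 (slide 27)."""
    out, z = [], iv
    for _ in range(n):
        z = enc(z)
        out.append(z)
    return out


def ofb_period(enc, iv):
    """Length of the cycle of the permutation E_K through IV, i.e. the period
    of the OFB keystream (about 2^(B-1) on average for a random permutation)."""
    z, steps = enc(iv), 1
    while z != iv:
        z, steps = enc(z), steps + 1
    return steps


def ctr_keystream(enc, iv, n):
    """z_i = E_K(IV || i): the toy block is split into a 6-bit IV and a
    10-bit counter (constructed split, so up to 1024 blocks per IV)."""
    assert 0 <= iv < 2 ** 6 and n <= 2 ** 10
    return [enc((iv << 10) | i) for i in range(n)]


def random_blocks(seed, n):
    """Truly random B-bit blocks (the ideal generator), seeded for replay."""
    rng = random.Random(seed)
    return [rng.randrange(2 ** BLOCK_BITS) for _ in range(n)]


def ofb_distinguisher(z):
    """Slide 28: a block that repeats with different successors cannot come
    from OFB, since iterating a permutation forces z_i = z_j => z_{i+1} = z_{j+1}."""
    first_seen = {}
    for i in range(len(z) - 1):
        j = first_seen.setdefault(z[i], i)
        if j != i and z[i + 1] != z[j + 1]:
            return "Random"
    return "OFB Mode"


def ctr_distinguisher(z):
    """Slide 30: any repeated block rules out counter mode, because the
    counter (hence E_K(IV || i)) never repeats."""
    return "Random" if len(set(z)) < len(z) else "Counter Mode"


if __name__ == "__main__":
    enc = make_toy_block_cipher(1)
    for name, ks in (("OFB", ofb_keystream(enc, 0x1234, N_BLOCKS)),
                     ("CTR", ctr_keystream(enc, 0b101010, N_BLOCKS)),
                     ("random", random_blocks(99, N_BLOCKS))):
        print(name, ofb_distinguisher(ks), ctr_distinguisher(ks))
    print("OFB period from IV 0x1234:", ofb_period(enc, 0x1234))
```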
Page 31:

Reflections

• The amount of keystream needed in the distinguisher is independent of the size of the key.

• AES defines a block size of 128 bits, but the key can be chosen from the set {128, 192, 256}. The above distinguishers can be applied to AES using about 2^64 keystream blocks.

• For a 64-bit block size (DES) this can be a practical problem.

Page 32:

Linear distinguishing attacks

A sequence of samples is formed as linear combinations of keystream bits.

• Usually time-invariant, i.e.,

$$x_t = \sum_{j=0}^{k} c_j z_{t+j},$$

for some k and t = 1, 2, .... The samples xt are considered as i.i.d. random variables distributed according to Pobs.

• Finding good linear distinguishers resembles a lot the linear cryptanalysis of block ciphers as invented by Matsui.

• Linearize the cipher by replacing some nonlinear blocks with linear ones.

• Find a linear relationship among keystream symbols, where the relationship involves as few approximated blocks as possible.

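Added example (not from the slides) of the linearization recipe above on a constructed generator: the LFSR of slide 12 masked by a nonlinear block u·v taken from two other LFSRs. Replacing u·v by 0 is a linear approximation with bias 1/2, the feedback recurrence of the LFSR then gives samples involving three approximated blocks, and the measured bias of those samples is compared with the piling-up prediction 1/8 of (2) and with samples taken from truly random bits. Feedback polynomials and seeds are constructed.

```python
import random


class LFSR:
    """Fibonacci LFSR over GF(2): s_i = XOR over the taps j of s_{i-j}, i.e.
    the recurrence of slide 12 with c_j = 1 at the taps. Output is the bit
    that leaves the register, which satisfies the same recurrence."""

    def __init__(self, taps, state):
        assert len(state) == max(taps) and any(state)
        self.taps, self.state = taps, list(state)   # state[-1] is the newest bit

    def clock(self):
        new = 0
        for j in self.taps:
            new ^= self.state[-j]
        out = self.state.pop(0)
        self.state.append(new)
        return out


def random_state(rng, length):
    bits = [rng.randrange(2) for _ in range(length)]
    bits[0] = 1                      # never the all-zero state
    return bits


def toy_generator(n, seed):
    """Constructed generator (not a real cipher): z_t = s_t XOR (u_t AND v_t),
    where s comes from a 15-bit LFSR (x^15 + x + 1) and the nonlinear block
    u_t AND v_t from two further LFSRs (x^16 + x^14 + x^13 + x^11 + 1 and
    x^17 + x^14 + 1). Linearizing means replacing u_t AND v_t by 0, which is
    right with probability 3/4, i.e. the approximated block has bias 1/2."""
    rng = random.Random(seed)
    s = LFSR([14, 15], random_state(rng, 15))
    u = LFSR([2, 3, 5, 16], random_state(rng, 16))
    v = LFSR([3, 17], random_state(rng, 17))
    return [s.clock() ^ (u.clock() & v.clock()) for _ in range(n)]


def linear_samples(z, taps=(14, 15)):
    """x_t = z_t XOR z_{t-14} XOR z_{t-15}: the recurrence of the linearized
    LFSR applied to keystream bits instead of state bits. Each x_t involves
    three approximated blocks, so piling-up predicts bias (1/2)^3 = 1/8."""
    k = max(taps)
    samples = []
    for t in range(k, len(z)):
        x = z[t]
        for j in taps:
            x ^= z[t - j]
        samples.append(x)
    return samples


def bias(samples):
    """Empirical bias eps with Pr[x = 0] = (1 + eps)/2 (definition (1))."""
    return 2.0 * samples.count(0) / len(samples) - 1.0


def predicted_bias(block_bias, approximated_blocks):
    return block_bias ** approximated_blocks   # piling-up, (2)


def analyse(n=20000, seed=3):
    """Bias of the samples on the toy generator and on truly random bits;
    with 1/eps^2 = 64 samples the former is already detectable."""
    rng = random.Random(seed + 1)
    rand_bits = [rng.randrange(2) for _ in range(n)]
    return {"predicted": predicted_bias(0.5, 3),
            "cipher": bias(linear_samples(toy_generator(n, seed))),
            "random": bias(linear_samples(rand_bits))}


if __name__ == "__main__":
    print(analyse())
```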
Page 33:

Distinguishers for array-based stream ciphers

Many software-oriented stream ciphers use large arrays and apply a slow continuous update (RC4).

• Examples: Py-family; HC-128 and HC-256; MUGI; Scream; RC4.

• S[] denotes an array S[0], S[1], ..., S[l].

• Between successive outputs the array is updated as

$$S[](t) = G(S[](t-1)),$$

where G is some updating function. An output symbol is then generated at time t as

$$z_t = F(S[](t)),$$

where F is some function.

Page 34:

A basic attack strategy

Detect some dependence or statistical deviation in the update of the array that will be visible in the keystream sequence.

• Consider two different but related events EZ and ES, where EZ is some event related to the keystream and ES is some event related to the array S[].

• For example, if event ES occurs then EZ occurs with probability 1, i.e., P(EZ | ES) = 1. However, if event ES does not occur then we assume P(EZ | ES^c) = PU(EZ), the probability under the uniform distribution.

• In this way we can detect a bias since

$$\begin{aligned} P(E_Z) &= P(E_Z \mid E_S)\, P(E_S) + P(E_Z \mid E_S^{c})\, P(E_S^{c}) \\ &= 1 \cdot P(E_S) + P_U(E_Z)\, P(E_S^{c}) \\ &= (1 - P_U(E_Z))\, P(E_S) + P_U(E_Z). \end{aligned}$$

Page 35:

A Chosen-IV Distinguisher - basics

• n-variable Boolean function f in ANF (algebraic normal form):

• An entry in the truth table is denoted f(v) with v = (v1, v2, ..., vn).

• There are efficient ways to compute the ANF from the truth table.

Page 36:

The d-monomial Test (Saarinen)

• The Boolean function is defined as

$$z = f(iv_0, iv_1, \ldots, iv_{n-1}),$$

where n bits of the IV are used as input variables and the output is one (the first) bit of the keystream.

• The key and the remaining bits of the IV are kept constant.

• Compute the ANF of f .

Page 37:

The d -monomial Test

• In a d-monomial test the aim is to count the number of monomials in the ANF of degree d.

• If the observed number of d-monomials significantly deviates from the expected case $\frac{1}{2}\binom{n}{d}$, we can distinguish the cipher from random (Pearson's chi-square test).

• Broke several eSTREAM candidates in this way.

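Added example (not Saarinen's or the slides' code) for the ANF computation of slide 35, the chi-square statistic (4) of slide 23 and the d-monomial count above: the fast Möbius transform from truth table to ANF, the monomial counts per degree, and statistic (4) with one class per degree d = 0..n and E(d) = C(n, d)/2, evaluated on a constructed linear function and on a seeded random truth table standing in for an ideal generator.

```python
import math
import random


def truth_table(f, n):
    """f evaluated on all 2^n inputs; input v = (v_1, ..., v_n) with v_k
    taken from bit k-1 of the table index."""
    return [f(tuple((idx >> k) & 1 for k in range(n))) for idx in range(2 ** n)]


def anf_from_truth_table(tt):
    """Fast Moebius transform (O(n 2^n) XORs): returns c with c[m] = 1 iff
    the monomial over the variables in the bit mask m occurs in the ANF.
    The last entry c[2^n - 1] is the maximal-degree coefficient, which
    equals the XOR of the whole truth table."""
    n = len(tt).bit_length() - 1
    assert 1 << n == len(tt), "truth table length must be a power of two"
    c = list(tt)
    for k in range(n):
        bit = 1 << k
        for m in range(len(c)):
            if m & bit:
                c[m] ^= c[m ^ bit]
    return c


def monomials(anf):
    return {m for m, coef in enumerate(anf) if coef}


def monomial_counts_by_degree(anf, n):
    """O(d), d = 0..n: the number of degree-d monomials present in the ANF."""
    counts = [0] * (n + 1)
    for m in monomials(anf):
        counts[bin(m).count("1")] += 1
    return counts


def d_monomial_statistic(counts, n):
    """Statistic (4) with one class per degree: E(d) = C(n, d)/2 because a
    random Boolean function contains each monomial with probability 1/2;
    compared with a chi-square distribution with r = n degrees of freedom
    (n + 1 classes)."""
    q = 0.0
    for d in range(n + 1):
        expected = math.comb(n, d) / 2
        q += (counts[d] - expected) ** 2 / expected
    return q


def random_truth_table(n, seed):
    """Constructed stand-in for an ideal generator: a random truth table."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(2 ** n)]


def run_d_monomial_test(tt):
    """Whole test on one truth table: (counts per degree, statistic Q)."""
    n = len(tt).bit_length() - 1
    counts = monomial_counts_by_degree(anf_from_truth_table(tt), n)
    return counts, d_monomial_statistic(counts, n)


if __name__ == "__main__":
    linear = truth_table(lambda v: sum(v) % 2, 8)       # v1 + ... + v8
    print("linear function:", run_d_monomial_test(linear))
    print("random function:", run_d_monomial_test(random_truth_table(8, 3)))
```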
Page 38:

A General Approach

• P Boolean functions are obtained by using a different value for the constant bits in the IV for each polynomial. The occurrence of each monomial can be counted individually.

• In particular, the monomial of maximal degree. This monomial will not occur unless all the considered IV bits have been properly mixed.

• Its coefficient is calculated as the XOR of all values in the truth table.

Page 39:

The max degree test

for j = 1, ..., P
    for iv = 1, ..., 2^n − 1
        Initialize cipher with iv
        z = first keystream bit after initialization
        a = a ⊕ z
    end for
    if a = 1 then ones++
end for
if ones = 0 or ones = P
    return cipher
else
    return random

Figure: The maximal degree test

Page 40:

The eSTREAM project

• eSTREAM - an evaluation project within ECRYPT, to come up with a portfolio of new and promising stream ciphers. Previous projects: AES competition, NESSIE, ...

• eSTREAM was decided to be more research oriented, e.g., allowing designers to modify their submissions.

• 2004 - 2008. The eSTREAM portfolio was announced in 2008.

Page 41:

The eSTREAM project

• PROFILE 1. Stream ciphers for software applications with high throughput requirements. (23 submissions)

• PROFILE 2. Stream ciphers for hardware applications with restricted resources such as limited storage, gate count, and/or power consumption. (25 submissions)

Page 42:

The eSTREAM portfolio

• Profile 1 SOFTWARE:

HC-128, Rabbit, Salsa20/12, SOSEMANUK

• Profile 2 HARDWARE:

Grain v1, MICKEY v2, Trivium

Page 43:

HC-128

• Internal state: Two tables P and Q. Each contains 512 words.

$$\begin{aligned} g_1(x, y, z) &= \big((x \ggg 10) \oplus (z \ggg 23)\big) + (y \ggg 8) \\ g_2(x, y, z) &= \big((x \lll 10) \oplus (z \lll 23)\big) + (y \lll 8) \\ h_1(x) &= Q[x_0] + Q[256 + x_2] \\ h_2(x) &= P[x_0] + P[256 + x_2] \end{aligned}$$

where x = x3 || x2 || x1 || x0.

Page 44:

HC-128

HC-128 Keystream Generation

Input: Tables P and Q, each containing 512 words.

Output: Keystream words si for i = 0, 1, ....

i = 0;
repeat (until enough keystream bits are generated) {
    j = i mod 512;
    if ((i mod 1024) < 512) {
        P[j] += g1(P[j ⊟ 3], P[j ⊟ 10], P[j ⊟ 511]);
        si = h1(P[j ⊟ 12]) ⊕ P[j];
    } else {
        Q[j] += g2(Q[j ⊟ 3], Q[j ⊟ 10], Q[j ⊟ 511]);
        si = h2(Q[j ⊟ 12]) ⊕ Q[j];
    }
    i += 1;
}

Page 45:

Wu's distinguishing attack

• P is updated as

$$P[i \bmod 512] \mathrel{+}= g_1\big(P[i \boxminus 3],\, P[i \boxminus 10],\, P[i \boxminus 511]\big).$$

But si = h1(P[i ⊟ 12]) ⊕ P[i mod 512]. For most i,

$$s_i \oplus h_1(z_i) = \big(s_{i-1024} \oplus h_1'(z_{i-1024})\big) + g_1\big(s_{i-3} \oplus h_1(z_{i-3}),\; s_{i-10} \oplus h_1(z_{i-10}),\; s_{i-1023} \oplus h_1'(z_{i-1023})\big). \tag{8}$$

• h1(x) and h1'(x) are different functions; zj denotes the P[j ⊟ 12] at the j-th step.

• For the least significant bit,

$$[s_i]_0 \oplus [s_{i-3}]_{10} \oplus [s_{i-10}]_{8} \oplus [s_{i-1023}]_{23} \oplus [s_{i-1024}]_0 = [h_1(z_i)]_0 \oplus [h_1(z_{i-3})]_{10} \oplus [h_1(z_{i-10})]_{8} \oplus [h_1'(z_{i-1023})]_{23} \oplus [h_1'(z_{i-1024})]_0. \tag{9}$$

Page 46:

Wu's distinguishing attack

• Looking at times i and j, i ≠ j, where 1024α + 10 ≤ i, j < 1024α + 511,

$$[s_i]_0 \oplus [s_{i-3}]_{10} \oplus [s_{i-10}]_{8} \oplus [s_{i-1023}]_{23} \oplus [s_{i-1024}]_0 = [s_j]_0 \oplus [s_{j-3}]_{10} \oplus [s_{j-10}]_{8} \oplus [s_{j-1023}]_{23} \oplus [s_{j-1024}]_0, \tag{10}$$

which holds if and only if

$$[h_1(z_i)]_0 \oplus [h_1(z_{i-3})]_{10} \oplus [h_1(z_{i-10})]_{8} \oplus [h_1'(z_{i-1023})]_{23} \oplus [h_1'(z_{i-1024})]_0 = [h_1(z_j)]_0 \oplus [h_1(z_{j-3})]_{10} \oplus [h_1(z_{j-10})]_{8} \oplus [h_1'(z_{j-1023})]_{23} \oplus [h_1'(z_{j-1024})]_0.$$

Page 47:

Wu's distinguishing attack

• That equation can be approximated as

$$H(a_1) = H(a_2), \tag{11}$$

where H denotes a random secret 80-bit-to-1-bit S-box, and a1 and a2 are two 80-bit random inputs,

$$a_1 = z_i \,\|\, z_{i-3} \,\|\, z_{i-10} \,\|\, z_{i-1023} \,\|\, z_{i-1024}, \tag{12}$$

$$a_2 = z_j \,\|\, z_{j-3} \,\|\, z_{j-10} \,\|\, z_{j-1023} \,\|\, z_{j-1024}.$$

Theorem. Let H be an m-bit-to-n-bit S-box where all the n-bit elements are randomly generated, with m ≥ n. Let a1 and a2 be two m-bit random inputs to H. Then H(a1) = H(a2) with probability

$$2^{-m} + 2^{-n} - 2^{-m-n}.$$

Thus, (??) holds with probability 1/2 + 2^(−81). Number of samples needed ≈ 4ε^(−2), so 2^164 such samples.

Page 48:

Wu's distinguishing attack

• Several attempts have been made to improve this basic idea.

• Some improvements have been found, but no attack below complexity 2^128 has been found.

Page 49:

Trivium

• extremely simple hardware design

• the most challenging design in the eSTREAM portfolio

• A 288-bit internal state (s1, s2, ..., s288) and a very simple update/output function.

Page 50:

Trivium

Trivium Keystream Generation

Input: State (s1, s2, ..., s288)
Output: Keystream bits zi for i = 1, 2, ....

for i = 1 to N do
    t1 ← s66 + s93;
    t2 ← s162 + s177;
    t3 ← s243 + s288;
    zi ← t1 + t2 + t3;
    t1 ← t1 + s91 · s92 + s171;
    t2 ← t2 + s175 · s176 + s264;
    t3 ← t3 + s286 · s287 + s69;
    (s1, s2, ..., s93) ← (t3, s1, ..., s92);
    (s94, s95, ..., s177) ← (t1, s94, ..., s176);
    (s178, s179, ..., s288) ← (t2, s178, ..., s287);
end for
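Added example, not the slides' or the Trivium designers' code, serving both the maximal degree test of slide 39 and the Trivium loop above: the loop is implemented bit for bit, the key/IV loading and the 1152 initialization clocks are taken from the Trivium specification (an assumption, since the slides show only keystream generation), and the max degree test is run on a reduced-round variant, where every state bit has IV degree at most 2 after 100 clocks, and on the full cipher. The key and the constant IV bits are constructed.

```python
import random

INIT_ROUNDS = 4 * 288          # 1152 initialization clocks (Trivium spec)


def trivium_clock(s):
    """One pass of the loop on the slide. s is a list of 288 bits with s[k-1]
    holding s_k; returns (new state, output bit z)."""
    t1 = s[65] ^ s[92]                    # s66 + s93
    t2 = s[161] ^ s[176]                  # s162 + s177
    t3 = s[242] ^ s[287]                  # s243 + s288
    z = t1 ^ t2 ^ t3
    t1 ^= (s[90] & s[91]) ^ s[170]        # + s91 * s92 + s171
    t2 ^= (s[174] & s[175]) ^ s[263]      # + s175 * s176 + s264
    t3 ^= (s[285] & s[286]) ^ s[68]       # + s286 * s287 + s69
    # (s1..s93) <- (t3, s1..s92); (s94..s177) <- (t1, s94..s176);
    # (s178..s288) <- (t2, s178..s287)
    return [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287], z


def trivium_init(key, iv, rounds=INIT_ROUNDS):
    """Loading from the Trivium specification (assumed; the slides show only
    keystream generation): key bits in s1..s80, IV bits in s94..s173,
    s286..s288 = 1, all other bits 0, then `rounds` clocks with the output
    discarded. rounds < 1152 gives a reduced-round variant."""
    assert len(key) == 80 and len(iv) == 80
    s = key + [0] * 13 + iv + [0] * 4 + [0] * 108 + [1, 1, 1]
    for _ in range(rounds):
        s, _ = trivium_clock(s)
    return s


def trivium_keystream(s, n):
    out = []
    for _ in range(n):
        s, z = trivium_clock(s)
        out.append(z)
    return out


def max_degree_test(key, var_positions, P, rounds, seed=1):
    """The maximal degree test of slide 39. For each of P random settings of
    the constant IV bits, XOR the first keystream bit over all 2^n settings
    of the n chosen IV bits: that XOR is the ANF coefficient of the degree-n
    monomial (slide 38). Returns (verdict, number of polynomials with
    coefficient 1)."""
    rng = random.Random(seed)
    n = len(var_positions)
    ones = 0
    for _ in range(P):
        const_iv = [rng.randrange(2) for _ in range(80)]
        a = 0
        for value in range(2 ** n):
            iv = list(const_iv)
            for k, pos in enumerate(var_positions):
                iv[pos] = (value >> k) & 1
            a ^= trivium_keystream(trivium_init(key, iv, rounds), 1)[0]
        ones += a
    verdict = "cipher" if ones == 0 or ones == P else "random"
    return verdict, ones


def constructed_key(seed=42):
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(80)]


if __name__ == "__main__":
    key = constructed_key()
    # After 100 clocks every state bit has degree <= 2 in the IV, so the
    # degree-4 monomial over four IV bits is absent in every polynomial.
    print("100 rounds:", max_degree_test(key, [0, 20, 40, 60], P=8, rounds=100))
    print("full:", max_degree_test(key, [0, 20, 40, 60], P=12, rounds=INIT_ROUNDS))
```

With 100 initialization clocks the degree-4 monomial cannot appear, so the verdict is always "cipher"; with the full 1152 clocks the coefficient varies over the P polynomials and the test answers "random".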