algebraic attacks on stream ciphers
play

Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo - PowerPoint PPT Presentation

Oct 04, 2022 •214 likes •716 views

Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for Quantifiable Quality of Service in Communication Systems Centre of Excellence NTNU, Norway NTNU, Trondheim, 2012-04-23 www.q2s.ntnu.no Rune Steinsmo

  1. Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo Ødegård Centre for Quantifiable Quality of Service in Communication Systems Centre of Excellence NTNU, Norway NTNU, Trondheim, 2012-04-23 www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  2. 2 Stream Ciphers Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  3. 3 Stream Ciphers Vernam Cipher Encryption: c t = p t ⊕ k t for t = 1 , 2 , 3 , . . . Decryption: p t = c t ⊕ k t for t = 1 , 2 , 3 , . . . • Proven information-theoretically secure [Shannon, 1949]. • Problem: Keys and Key-distribution. • Motivates the design of stream ciphers. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  4. 4 Stream Ciphers ETCRRM by STK www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  5. 5 Stream Ciphers Stream Cipher Eve Alice Bob K K Keystream Keystream generator generator z t z t c t c t p t p t www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  6. 6 Stream Ciphers Advantages of Stream Ciphers • Encrypt strings of arbitrary length. • Mandatory when buffering is limited, or when characters must be processed when they are received. • Encrypt data streams with high speed both in software and hardware. – phone calls – video streams • Little to no error propagation. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  7. 7 Stream Ciphers Examples Name Deployed in Attack E 0 Bluetooth [Hermelin and Nyberg, 2000] RC4 WEP ,WPA,SSL [Klein, 2008] A5/1 GSM [Barkan et al., 2003] f 8 3G “[Dunkelman et al., 2010]” Crypto-1 Mifare RFID [Soos et al., 2009] Hitag2 Car keys [Soos et al., 2009] www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  8. 8 Stream Ciphers Stream Cipher Eve Alice Bob K K Keystream Keystream generator generator z t z t c t c t p t p t www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  9. 9 Stream Ciphers Linear Feedback Shift Registers • Well-suited for hardware implementations. • Can produce sequences of large period. • Can produce sequences of good statistical properties. • Easy to analyze using algebraic techniques. [Menezes et al., 1996] www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  10. 10 Stream Ciphers Linear Feedback Shift Registers   0 0 . . . . . . λ 0 . ... .   1 . λ 1   . . S t = S 0 · L t ... ... L =   . . 0 . .     . . ... ...  . .  . 0 . 0 0 1 . . . λ n − 1 Recovering initial state takes O ( n 2 ) time using 2 n output bits [Massey, 1969]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  11. 11 Stream Ciphers Introducing Non-Linearity Three popular approaches: 1. Make the clocking irregular. 2. Apply a non-linear function to the output of several LFSRs. 3. Include a second finite state machine with a non-linear update function. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  12. 12 Stream Ciphers Simple Combiner LFSR 1 LFSR 2 K t z t P f LFSR s   L 1 0 ... S t = S 0 · L t L =     0 L s K t = S 0 · L t · P f ( K t ) = z t www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  13. 13 Stream Ciphers ( m , ℓ ) -Combiner S ∈ F m q × F n L ∈ M n × n ( F q ) q S 0 = ( M 0 , K ) P ∈ M n × ℓ ( F q ) K t = K · L T · P Ψ : F m q → F m q × F ℓ q f : F m q → F o S t �→ S t + 1 = (Ψ( M t , K t ) , K t ) q × F ℓ q www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  14. 14 Attack Model Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  15. 15 Attack Model Attack Model A cryptosystem should be secure even if everything about the system, except the key, is public knowledge [Kerckhoffs, 1883]. • The attacker knows both the structure of the combiner and parts of the keystream. • Attacker goal is to find initial state S 0 = ( M 0 , K ) . • Usually M ≪ K . • Efficiency of attack measured in – minimum number of keystream outputs. – the number of basic operations. – the amount of memory required. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  16. 16 Principles of Algebraic Attacks Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  17. 17 Principles of Algebraic Attacks Algebraic Attack  F 1 ( K , z , . . . ) = 0   . . ⇒ .   F N ( K , z , . . . ) = 0 Breaking a good cipher should require as much work as solving a system of simultaneous equations in a large number of unknows of a complex type [Shannon, 1949]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  18. 18 Principles of Algebraic Attacks One Equation is Enough Assume we have found an equation that holds for all t : F ( K t , . . . , K t + r − 1 , z t , . . . , z t + r − 1 ) = 0 Then we have a new equation for each new keystream bit: F ( K 0 , . . . , K r − 1 , z 0 , . . . , z r − 1 ) = 0 F ( K 1 , . . . , K r , z 1 , . . . , z r ) = 0 F ( K 2 , . . . , K r + 1 , z 2 , . . . , z r + 1 ) = 0 . . . If the number of linearly independent equations is equal to the number of monomials we can use linearization. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  19. 19 Principles of Algebraic Attacks Linearization   xy = 0 v 3 = 0   x + xy = 1 v 1 + v 3 = 1 ⇒  y + xy = 0  v 2 + v 3 = 0 • System of equations of degree d in n = | K | unknowns. • # of monomials ≤ � d � n � ∈ O ( n d ) . i = 0 i • Work effort of linearization is O ( n ω d ) operations 1 , and O ( n 2 d ) space. 1 Here 2 ≤ ω ≤ 3 is the effort for Gaussian elimination. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  20. 20 Finding Low Degree Equations Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  21. 21 Finding Low Degree Equations Simple Combiner f ( K t ) = z t LFSR 1 LFSR 2 K t z t P f LFSR s www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  22. 22 Finding Low Degree Equations Annihilators AN ( f ) = { g ( X ) ∈ F q [ X ] | g ( X ) · f ( X ) = 0 ∀ X ∈ F n q } • Find a low degree g ∈ AN ( f ) , and/or h ∈ AN ( f + 1 ) . • Then f ( K t ) = z t � = 0 ⇒ g ( K t ) · f ( K t ) = g ( K t ) · z t = 0 f ( K t ) = z t = 0 ⇒ h ( K t ) · ( 1 + f ( K t )) = h ( K t ) = 0 • Similar strategy is to find low degree g , h such that f · g = h • These strategies have been used by for instance [Courtois and Meier, 2003]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  23. 23 Finding Low Degree Equations ( m , ℓ ) -Combiner F m F o f : q × F ℓ → q q ( M t , K t ) z t �→ www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  24. 24 Finding Low Degree Equations Dealing with the Memory f ( M t , K t ) = z t r r � �� � � �� � . . . z t − r − 1 z t − r z t − r + 1 . . . z t − 1 z t z t + 1 . . . z t + r − 1 z t + r z t + r + 1 . . . � �� � r • Consider r = m + 1 consecutive output bits. • Then you can always find non-trivial equations relating the keystate K t and keystream bits z t . . . z t + r which is independent of the memory [Armknecht and Krause, 2003, Ars and Faugère, 2005]. • Used to attack bluetooth stream cipher E 0 . www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  25. 25 Finding Low Degree Equations Fast Algebraic Attacks 0 = F ( K t , z t , . . . , z t + r ) = F ( K t , Z t ) = ˆ F ( K t ) + G ( K t , Z t ) • Find c 0 , . . . , c T − 1 ∈ { 0 , 1 } such that � T − 1 i = 0 c i ˆ F ( K t + i ) = 0 • Then T − 1 � c i G ( K t + i , Z t + i ) = 0 i = 0 • Used to improve attack on Toyocrypt and E 0 [Courtois, 2003, Armknecht, 2004, Hawkes and Rose, 2004]. • It is also possible to find linear combinations that decreases the number of variables [Armknecht and Ars, 2005]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  26. 26 Finding Low Degree Equations Fast Algebraic Attacks Expected solving effort for good stream cipher: 2 128 Cipher Pre-Com Sub Solving Keystream 2 32 2 47 2 49 2 23 E 0 2 26 2 39 2 39 2 21 LILI -128 2 23 2 30 2 20 2 18 Toyocrypt [Hawkes and Rose, 2004] www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  27. 27 Solving the Equations Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

  28. 28 Solving the Equations Linearization Advantages Disadvantages • Effort polynomial in • Need to store large (sparse) key size. matrices. • Easy to analyze. • Need to know many keystream bits. Example Attack on E 0 requires 2 23 . 07 keystream bits to find the 128-bit key [Armknecht and Krause, 2003]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture

Recommend

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

T-79.514 Special Course on Cryptology November 25 th , 2004 Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology mkivihar@cc.hut.fi T-79.514 Special Course on Cryptology Mikko Kiviharju 1 Overview

493 views • 28 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides
A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems, School of ICT, KTH - Royal Institute of Technology, Stockholm Email:{shsm,dubrova}@kth.se

457 views • 17 slides
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Universit Catholique de Louvain, Belgium Algebraic

995 views • 61 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia K asper 1 Overview Basic concept of correlation attacks on stream ciphers A correlation attack on the GSM cipher A5/1 A correlation

256 views • 22 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in First Asian Workshop on Symmetric Key Cryptography ASK 2011, 30th August 2011 isilogo Palash

1.76k views • 148 slides
Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and

Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and

Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and Claude Carlet 2 1 FH Aargau, Switzerland 2 INRIA, Rocquencourt, France Overview Algebraic attacks in general ... and on LFSR-based stream

316 views • 27 slides
Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden 5/15/2007 1 CONTENTS Efficient encryption and possible solutions Stream ciphers Basic security analysis of stream ciphers LFSR sequences Design

497 views • 45 slides
Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Non-linear feedback shift registers Stream ciphers using

445 views • 13 slides
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

389 views • 24 slides
Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Stream Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Classifications Feedback Based Stream Ciphers Linear Feedback

263 views • 15 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides

More recommend