Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo Ødegård Centre for Quantifiable Quality of Service in Communication Systems Centre of Excellence NTNU, Norway NTNU, Trondheim, 2012-04-23 www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
2 Stream Ciphers Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
3 Stream Ciphers Vernam Cipher Encryption: c t = p t ⊕ k t for t = 1 , 2 , 3 , . . . Decryption: p t = c t ⊕ k t for t = 1 , 2 , 3 , . . . • Proven information-theoretically secure [Shannon, 1949]. • Problem: Keys and Key-distribution. • Motivates the design of stream ciphers. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
4 Stream Ciphers ETCRRM by STK www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
5 Stream Ciphers Stream Cipher Eve Alice Bob K K Keystream Keystream generator generator z t z t c t c t p t p t www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
6 Stream Ciphers Advantages of Stream Ciphers • Encrypt strings of arbitrary length. • Mandatory when buffering is limited, or when characters must be processed when they are received. • Encrypt data streams with high speed both in software and hardware. – phone calls – video streams • Little to no error propagation. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
7 Stream Ciphers Examples Name Deployed in Attack E 0 Bluetooth [Hermelin and Nyberg, 2000] RC4 WEP ,WPA,SSL [Klein, 2008] A5/1 GSM [Barkan et al., 2003] f 8 3G “[Dunkelman et al., 2010]” Crypto-1 Mifare RFID [Soos et al., 2009] Hitag2 Car keys [Soos et al., 2009] www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
8 Stream Ciphers Stream Cipher Eve Alice Bob K K Keystream Keystream generator generator z t z t c t c t p t p t www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
9 Stream Ciphers Linear Feedback Shift Registers • Well-suited for hardware implementations. • Can produce sequences of large period. • Can produce sequences of good statistical properties. • Easy to analyze using algebraic techniques. [Menezes et al., 1996] www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
10 Stream Ciphers Linear Feedback Shift Registers 0 0 . . . . . . λ 0 . ... . 1 . λ 1 . . S t = S 0 · L t ... ... L = . . 0 . . . . ... ... . . . 0 . 0 0 1 . . . λ n − 1 Recovering initial state takes O ( n 2 ) time using 2 n output bits [Massey, 1969]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
11 Stream Ciphers Introducing Non-Linearity Three popular approaches: 1. Make the clocking irregular. 2. Apply a non-linear function to the output of several LFSRs. 3. Include a second finite state machine with a non-linear update function. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
12 Stream Ciphers Simple Combiner LFSR 1 LFSR 2 K t z t P f LFSR s L 1 0 ... S t = S 0 · L t L = 0 L s K t = S 0 · L t · P f ( K t ) = z t www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
13 Stream Ciphers ( m , ℓ ) -Combiner S ∈ F m q × F n L ∈ M n × n ( F q ) q S 0 = ( M 0 , K ) P ∈ M n × ℓ ( F q ) K t = K · L T · P Ψ : F m q → F m q × F ℓ q f : F m q → F o S t �→ S t + 1 = (Ψ( M t , K t ) , K t ) q × F ℓ q www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
14 Attack Model Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
15 Attack Model Attack Model A cryptosystem should be secure even if everything about the system, except the key, is public knowledge [Kerckhoffs, 1883]. • The attacker knows both the structure of the combiner and parts of the keystream. • Attacker goal is to find initial state S 0 = ( M 0 , K ) . • Usually M ≪ K . • Efficiency of attack measured in – minimum number of keystream outputs. – the number of basic operations. – the amount of memory required. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
16 Principles of Algebraic Attacks Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
17 Principles of Algebraic Attacks Algebraic Attack F 1 ( K , z , . . . ) = 0 . . ⇒ . F N ( K , z , . . . ) = 0 Breaking a good cipher should require as much work as solving a system of simultaneous equations in a large number of unknows of a complex type [Shannon, 1949]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
18 Principles of Algebraic Attacks One Equation is Enough Assume we have found an equation that holds for all t : F ( K t , . . . , K t + r − 1 , z t , . . . , z t + r − 1 ) = 0 Then we have a new equation for each new keystream bit: F ( K 0 , . . . , K r − 1 , z 0 , . . . , z r − 1 ) = 0 F ( K 1 , . . . , K r , z 1 , . . . , z r ) = 0 F ( K 2 , . . . , K r + 1 , z 2 , . . . , z r + 1 ) = 0 . . . If the number of linearly independent equations is equal to the number of monomials we can use linearization. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
19 Principles of Algebraic Attacks Linearization xy = 0 v 3 = 0 x + xy = 1 v 1 + v 3 = 1 ⇒ y + xy = 0 v 2 + v 3 = 0 • System of equations of degree d in n = | K | unknowns. • # of monomials ≤ � d � n � ∈ O ( n d ) . i = 0 i • Work effort of linearization is O ( n ω d ) operations 1 , and O ( n 2 d ) space. 1 Here 2 ≤ ω ≤ 3 is the effort for Gaussian elimination. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
20 Finding Low Degree Equations Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
21 Finding Low Degree Equations Simple Combiner f ( K t ) = z t LFSR 1 LFSR 2 K t z t P f LFSR s www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
22 Finding Low Degree Equations Annihilators AN ( f ) = { g ( X ) ∈ F q [ X ] | g ( X ) · f ( X ) = 0 ∀ X ∈ F n q } • Find a low degree g ∈ AN ( f ) , and/or h ∈ AN ( f + 1 ) . • Then f ( K t ) = z t � = 0 ⇒ g ( K t ) · f ( K t ) = g ( K t ) · z t = 0 f ( K t ) = z t = 0 ⇒ h ( K t ) · ( 1 + f ( K t )) = h ( K t ) = 0 • Similar strategy is to find low degree g , h such that f · g = h • These strategies have been used by for instance [Courtois and Meier, 2003]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
23 Finding Low Degree Equations ( m , ℓ ) -Combiner F m F o f : q × F ℓ → q q ( M t , K t ) z t �→ www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
24 Finding Low Degree Equations Dealing with the Memory f ( M t , K t ) = z t r r � �� � � �� � . . . z t − r − 1 z t − r z t − r + 1 . . . z t − 1 z t z t + 1 . . . z t + r − 1 z t + r z t + r + 1 . . . � �� � r • Consider r = m + 1 consecutive output bits. • Then you can always find non-trivial equations relating the keystate K t and keystream bits z t . . . z t + r which is independent of the memory [Armknecht and Krause, 2003, Ars and Faugère, 2005]. • Used to attack bluetooth stream cipher E 0 . www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
25 Finding Low Degree Equations Fast Algebraic Attacks 0 = F ( K t , z t , . . . , z t + r ) = F ( K t , Z t ) = ˆ F ( K t ) + G ( K t , Z t ) • Find c 0 , . . . , c T − 1 ∈ { 0 , 1 } such that � T − 1 i = 0 c i ˆ F ( K t + i ) = 0 • Then T − 1 � c i G ( K t + i , Z t + i ) = 0 i = 0 • Used to improve attack on Toyocrypt and E 0 [Courtois, 2003, Armknecht, 2004, Hawkes and Rose, 2004]. • It is also possible to find linear combinations that decreases the number of variables [Armknecht and Ars, 2005]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
26 Finding Low Degree Equations Fast Algebraic Attacks Expected solving effort for good stream cipher: 2 128 Cipher Pre-Com Sub Solving Keystream 2 32 2 47 2 49 2 23 E 0 2 26 2 39 2 39 2 21 LILI -128 2 23 2 30 2 20 2 18 Toyocrypt [Hawkes and Rose, 2004] www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
27 Solving the Equations Overview Stream Ciphers Attack Model Principles of Algebraic Attacks Finding Low Degree Equations Solving the Equations Summary References www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
28 Solving the Equations Linearization Advantages Disadvantages • Effort polynomial in • Need to store large (sparse) key size. matrices. • Easy to analyze. • Need to know many keystream bits. Example Attack on E 0 requires 2 23 . 07 keystream bits to find the 128-bit key [Armknecht and Krause, 2003]. www.q2s.ntnu.no Rune Steinsmo Ødegård, Trial Lecture
Recommend
More recommend