Attacks against Filter Generators Exploiting Monomial Mappings
Anne Canteaut & Yann Rotella
GT BaC, 20 October 2017
Inria - SECRET, Paris, France
Summary
• Introduction: stream ciphers
• Linear Feedback Shift Registers
• Monomial equivalence between filtered LFSRs
• Univariate correlation attacks
• Impact on Boolean functions
• Conclusions
Stream ciphers
Stream ciphers
• Symmetric cryptography, ≠ block ciphers
• Based on the Vernam cipher (one-time pad)
• PRNG
[Figure: the key and the IV are fed to a PRNG that outputs the keystream s_t, which is combined with the plaintext to produce the ciphertext]
Stream ciphers
• Block cipher modes of operation (OFB, Counter)
• Specific designs (LFSR, NLFSR)
• Internal state
• Large period
• A5/1 - A5/2, SNOW
Interests
• Small latency
• No padding
• No error propagation
• Cheap
Generic attacks
• Key recovery
• Initial state recovery
• Next-bit prediction
• Distinguishing s_t from a random sequence
[Figure: a generator with key-loading map Φ, internal state X and output function f]
Always take an internal state twice as large as the security level (i.e. the key size).
LFSR
Linear Feedback Shift Register (LFSR)
Definition (Fibonacci representation)
[Figure: register cells s_{t+n-1}, s_{t+n-2}, ..., s_{t+1}, s_t with feedback taps c_1, c_2, ..., c_{n-1}, c_n summed into the input cell]
Definition (Galois representation)
[Figure: register cells s_{t+n-1}, s_{t+n-2}, ..., s_{t+1}, s_t with the output fed back through coefficients c_n, c_{n-1}, c_{n-2}, ..., c_1 between the cells]
Classical properties of LFSRs
• Nice statistical properties
• Linear
• $s_{t+n} = \sum_{i=1}^{n} c_i\, s_{t+n-i}$, for all $t \ge 0$
• $P(X) = 1 - \sum_{i=1}^{n} c_i X^i$
• $P^*(X) = X^n P(1/X)$
• We will take P primitive
Filtered LFSR
[Figure: an LFSR with internal state X, loaded via Φ, whose cells are filtered by f to produce s_t]
$s_t = f(u_{t+\gamma_1}, \cdots, u_{t+\gamma_n})$
Algebraic Normal Form
$f(x_1, x_2, \cdots, x_n) = \sum_{u \in \mathbb{F}_2^n} a_u \prod_{i=1}^{n} x_i^{u_i} = a_0 + a_1 x_1 + a_2 x_2 + \cdots + a_3 x_1 x_2 + \cdots + a_{2^n-1}\, x_1 \cdots x_n$
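The bit-level objects of the last two slides (the Fibonacci recurrence $s_{t+n} = \sum_{i=1}^{n} c_i s_{t+n-i}$, the primitivity of P, and a filter f given by its ANF applied at tap positions $\gamma_i$) as a small added example; this is illustration code written for these notes, not code from the slides or their authors. The feedback polynomial, the filter and the tap positions are constructed sample values.

```python
# Added example (not from the slides): a Fibonacci LFSR over F_2 and a filter
# generator on top of it, in the notation of the slides:
#   s_{t+n} = sum_{i=1}^{n} c_i * s_{t+n-i}            (computed mod 2)
#   s_t     = f(u_{t+gamma_1}, ..., u_{t+gamma_m})     (f given in ANF)

def lfsr_sequence(coeffs, init, length):
    """`length` bits of the LFSR with feedback coefficients (c_1, ..., c_n),
    coeffs[i-1] = c_i, started from (s_0, ..., s_{n-1}) = init."""
    n = len(coeffs)
    assert len(init) == n and coeffs[-1] == 1  # c_n = 1: non-degenerate feedback
    u = list(init)
    while len(u) < length:
        # u[-i] is s_{t+n-i} when computing the next output s_{t+n}
        u.append(sum(coeffs[i - 1] & u[-i] for i in range(1, n + 1)) & 1)
    return u[:length]

def period(coeffs, init):
    """Smallest p > 0 such that the state at time p equals the initial state.
    It is 2^n - 1 for every non-zero initial state exactly when P is primitive."""
    n = len(coeffs)
    u = lfsr_sequence(coeffs, init, 2 ** n + n)
    for p in range(1, 2 ** n + 1):      # an LFSR state always comes back within 2^n steps
        if u[p:p + n] == u[:n]:
            return p

def anf_eval(anf, x):
    """Evaluate f given in ANF as a set of monomials; each monomial is the tuple
    of the (0-based) variable indices it multiplies, () being the constant 1."""
    return sum(all(x[i] for i in mono) for mono in anf) & 1

def filter_generator(coeffs, init, anf, taps, length):
    """Keystream s_t = f(u_{t+gamma_1}, ..., u_{t+gamma_m}) for taps = (gamma_1, ...)."""
    u = lfsr_sequence(coeffs, init, length + max(taps))
    return [anf_eval(anf, [u[t + g] for g in taps]) for t in range(length)]

# Constructed sample: P(X) = 1 + X + X^4 (primitive), i.e. c_1 = c_4 = 1,
# filtered by f(x_1, x_2, x_3) = x_1 + x_2 x_3 tapped at cells 0, 1 and 3.
P_COEFFS = (1, 0, 0, 1)
F_ANF = {(0,), (1, 2)}
TAPS = (0, 1, 3)

if __name__ == "__main__":
    print("period:", period(P_COEFFS, (1, 0, 0, 0)))   # 15 = 2^4 - 1
    print("keystream:", filter_generator(P_COEFFS, (1, 0, 0, 0), F_ANF, TAPS, 16))
```

A non-primitive feedback polynomial such as $1 + X + X^2 + X^3 + X^4$ (the 5th cyclotomic polynomial) is caught by `period`, which then returns 5 instead of 15.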
Monomial equivalence
LFSR over a Finite Field
• α: root of the primitive characteristic polynomial in $\mathbb{F}_{2^n}$
• Identify the n-bit words with elements of $\mathbb{F}_{2^n}$ using the dual basis of $\{1, \alpha, \alpha^2, \cdots, \alpha^{n-1}\}$
[Figure: Fibonacci LFSR with cells s_{t+n-1}, ..., s_{t+1}, s_t and taps c_1, c_2, ..., c_{n-1}, c_n]
Proposition: The state of the LFSR at time (t+1) is the state of the LFSR at time t multiplied by α.
For all t, $X_t = X_0 \alpha^t$
Boolean functions
Proposition (Univariate representation)
$F(X) = \sum_{i=0}^{2^n-1} A_i X^i$ with $A_i \in \mathbb{F}_{2^n}$ given by the discrete Fourier transform of F
For all t, $s_t = F(X_0 \alpha^t)$
Monomial equivalence [Rønjom - Cid 2010]
[Figure: two filter generators of size n, (P, α) with initial state X_0 filtered by F producing s_t, and (Q, β) with initial state Y_0 filtered by G producing s'_t]
$\beta = \alpha^k$ with $\gcd(k, 2^n-1) = 1$
For all t, $s_t = F(X_0 \alpha^t)$
$s'_t = G(Y_0 \beta^t) = G(Y_0 \alpha^{kt})$
If $G(x) = F(x^r)$ with $rk \equiv 1 \bmod (2^n-1)$, then $s'_t = F(Y_0^r \alpha^t)$
For all t, $s'_t = s_t$ if $Y_0 = X_0^k$
Example
$F(x) = \mathrm{Tr}(x^r)$ with $\gcd(r, 2^n-1) = 1$: let k be such that $rk \equiv 1 \bmod (2^n-1)$.
[Figure: the generator (P, α) of size n filtered by Tr(x^r) and the plain LFSR (Q, β = α^k) of size n produce the same s_t]
⇒ The initial generator is equivalent to a plain LFSR of the same size.
Consequence
The security level of a filtered LFSR is the minimal security level over the generators of its equivalence class.
• Algebraic attacks
• Correlation attacks
Algebraic attacks
Λ: linear complexity
Proposition (Massey-Serconek 94)
Let an LFSR of size n be filtered by a Boolean function F, $F(X) = \sum_{i=0}^{2^n-1} A_i X^i$. Then
$\Lambda = \#\{0 \le i \le 2^n-2 : A_i \ne 0\}$
The monomial equivalence does not affect the complexity of algebraic attacks [Gong et al. 11]
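The univariate view of the last slides (the state $X_t = X_0\alpha^t$ over $\mathbb{F}_{2^n}$, the monomial equivalence $G(x) = F(x^r)$, $Y_0 = X_0^k$, $\beta = \alpha^k$ with $rk \equiv 1 \bmod (2^n-1)$, the plain-LFSR case $F = \mathrm{Tr}(x^r)$, and the Massey-Serconek count of non-zero DFT coefficients) as one added example; this is illustration code written for these notes, not code from the slides or their authors. It assumes $n = 4$ with α a root of $x^4 + x + 1$, a constructed sample filter, and uses Berlekamp-Massey only as an independent check of the linear complexity.

```python
# Added example (not from the slides): the filtered LFSR seen over F_{2^n},
# the Rønjom-Cid monomial equivalence and the Massey-Serconek linear complexity
# formula, checked on n = 4 with alpha a root of x^4 + x + 1 (primitive).
from math import gcd

N = 4
MOD = (1 << N) - 1           # 2^n - 1, the order of alpha
PRIM_POLY = 0b10011          # x^4 + x + 1

# Exponential / logarithm tables of F_16: EXP[e] = alpha^e, LOG[alpha^e] = e.
EXP, LOG, _x = [0] * MOD, [0] * (1 << N), 1
for _e in range(MOD):
    EXP[_e], LOG[_x] = _x, _e
    _x <<= 1
    if _x >> N:
        _x ^= PRIM_POLY
ALPHA = EXP[1]

def mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % MOD]

def power(a, k):
    """a^k in F_{2^n}; exponents only matter modulo 2^n - 1 (k may be negative)."""
    return 0 if a == 0 else EXP[(LOG[a] * k) % MOD]

def trace(a):
    """Tr(a) = a + a^2 + ... + a^{2^{n-1}}, an element of F_2."""
    t, y = 0, a
    for _ in range(N):
        t, y = t ^ y, mul(y, y)
    return t

def keystream(F, x0, beta, length):
    """s_t = F(X_0 beta^t): the generator (beta, X_0) filtered by F, univariate form."""
    out, xt = [], x0
    for _ in range(length):
        out.append(F(xt))
        xt = mul(xt, beta)
    return out

def equivalent_generator(F, x0, k):
    """Monomial equivalence: for gcd(k, 2^n-1) = 1 and r = k^{-1} mod (2^n-1), the
    generator (beta = alpha^k, Y_0 = X_0^k) filtered by G(x) = F(x^r) outputs the
    same keystream as (alpha, X_0) filtered by F."""
    assert gcd(k, MOD) == 1
    r = pow(k, -1, MOD)
    return (lambda y: F(power(y, r))), power(x0, k), EXP[k]

def univariate_coeffs(F):
    """A_i, 0 <= i <= 2^n-2, with F(x) = sum_i A_i x^i on F_{2^n}^*, from the
    discrete Fourier transform A_i = sum_{x != 0} F(x) x^{-i} (sum in F_{2^n})."""
    ones = [x for x in range(1, 1 << N) if F(x)]
    coeffs = []
    for i in range(MOD):
        a = 0
        for x in ones:
            a ^= power(x, -i)
        coeffs.append(a)
    return coeffs

def linear_complexity_massey_serconek(F):
    return sum(1 for a in univariate_coeffs(F) if a != 0)

def berlekamp_massey(seq):
    """Linear complexity of a binary sequence (Berlekamp-Massey over F_2)."""
    n = len(seq)
    c, b = [0] * (n + 1), [0] * (n + 1)
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d:
            t = c[:]
            for j in range(n + 1 - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

# Constructed sample filter: F(x) = Tr(x^3) + Tr(x) Tr(x^7), non-linear in x.
def F_sample(x):
    return trace(power(x, 3)) ^ (trace(x) & trace(power(x, 7)))

if __name__ == "__main__":
    x0 = 0b1011
    G, y0, beta = equivalent_generator(F_sample, x0, 7)
    print(keystream(F_sample, x0, ALPHA, 20) == keystream(G, y0, beta, 20))  # True
    s = keystream(F_sample, 1, ALPHA, 2 * MOD)
    print(berlekamp_massey(s), linear_complexity_massey_serconek(F_sample))   # equal
```

The sequence is periodic with period dividing $2^n - 1$, so $2(2^n-1)$ keystream bits are enough for Berlekamp-Massey to return the exact linear complexity, which is what the Massey-Serconek count predicts; for the plain trace the count is $n$, the exponents $1, 2, 4, \ldots, 2^{n-1}$.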
Univariate correlation attacks
Correlation attack [Siegenthaler 85]
[Figure: k LFSRs (LFSR_1, ..., LFSR_k) combined by f produce s_t; the output σ_t of a single LFSR_i is compared with s_t]
Criterion
The security criterion underlying the correlation attack is resiliency.
Fast correlation attack [Meier - Staffelbach 88]
[Figure: the generator (P, α) with initial state X_0 filtered by F produces s_t; the same LFSR filtered by the linear function Tr(Ax) produces σ_t, which is compared with s_t]
Criterion
The security criterion underlying the fast correlation attack is the non-linearity.
Generalized fast correlation attacks
$G(x) = \mathrm{Tr}(Ax^k)$
[Figure: s_t from (P, α) with initial state X_0 filtered by F is compared with σ_t, produced either by the same LFSR filtered by G or, equivalently, by the LFSR (P, α^k) with initial state X_0^k filtered by Tr(Ax)]
Generalized non-linearity [Gong & Youssef 01]
Relevant security criterion: generalized non-linearity
$\mathrm{GNL}(f) = d\big(f, \{\mathrm{Tr}(\lambda x^k),\ \lambda \in \mathbb{F}_{2^n},\ \gcd(k, 2^n-1) = 1\}\big)$
And if k is not coprime to $2^n - 1$?
A more efficient correlation attack
When $\gcd(k, 2^n-1) > 1$ and F is correlated to $G(X) = H(X^k)$:
[Figure: s_t from (P, α) with initial state X_0 filtered by F is compared with σ_t, produced either by the same LFSR filtered by G or by the small generator (P, α^k) with initial state X_0^k filtered by H]
• Number of states of the small generator: $\tau_k = \mathrm{ord}(\alpha^k)$.
• Exhaustive search on $X_0^k$: $\mathrm{Time} = \dfrac{\tau_k \log(\tau_k)}{\varepsilon^2}$
Recovering the remaining bits of the initial state
Property: We get $\log_2(\tau_k)$ bits of information on $X_0$, where $\tau_k = \mathrm{ord}(\alpha^k)$.
If we perform two distinct correlation attacks with $k_1$ and $k_2$, then we get $\log_2(\mathrm{lcm}(\tau_{k_1}, \tau_{k_2}))$ bits of information.
First improvement
The complexity $\mathrm{Time} = \dfrac{\tau_k \log(\tau_k)}{\varepsilon^2}$ can be reduced to $\mathrm{Time} = \tau_k \log \tau_k + \dfrac{2\log(\tau_k)}{\varepsilon^2}$ with a fast Fourier transform [Canteaut - Naya-Plasencia 2012]
Second improvement
$G(X) = H(X^k)$ when H is linear:
[Figure: s_t from (P, α) with initial state X_0 filtered by F is compared with σ_t, produced either by the same LFSR filtered by G or by the LFSR (P, α^k) with initial state X_0^k]
• Size of the small LFSR: $L(k) = \mathrm{ord}(2) \bmod \tau_k$, the multiplicative order of 2 modulo $\tau_k$.
• If $L(k) < n$ and H is linear → fast correlation attack.
What we really do
• Split the state on the multiplicative subgroups
• Recover the information independently
• Gather the information
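The counting behind the two previous slides (how many states $\tau_k$ the small generator has, how many bits of $X_0$ each $X_0^k$ determines, and how the pieces for several k are gathered into $\log_2(\mathrm{lcm}(\tau_{k_1}, \tau_{k_2}, \ldots))$ bits) as an added example; this is illustration code written for these notes, not code from the slides or their authors. It works purely on exponents: writing $X_0 = \alpha^e$, the value $X_0^k = \alpha^{ke}$ depends only on $e \bmod \tau_k$, so each sub-attack is modelled as learning that residue, and the gathering step is a generalised CRT whose moduli (divisors of $2^n - 1$) need not be coprime. The exponents e and k used are constructed sample values.

```python
# Added example (not from the slides): how much of X_0 an attack on X_0^k can
# reveal, and how the pieces obtained for several k are gathered. Everything is
# done on exponents: X_0 = alpha^e, and X_0^k = alpha^{ke} depends only on
# e modulo tau_k = ord(alpha^k) = (2^n - 1) / gcd(k, 2^n - 1).
from functools import reduce
from math import gcd, log2

def tau(k, n):
    """Number of states of the small generator driven by alpha^k."""
    return (2 ** n - 1) // gcd(k, 2 ** n - 1)

def subgroup_sizes(n):
    """The possible tau_k: orders of the multiplicative subgroups of F_{2^n}^*."""
    return sorted({tau(k, n) for k in range(1, 2 ** n)})

def lcm(*xs):
    return reduce(lambda a, b: a * b // gcd(a, b), xs, 1)

def bits_of_information(ks, n):
    """log2(lcm(tau_{k_1}, tau_{k_2}, ...)) bits on X_0 from the attacks with exponents ks."""
    return log2(lcm(*(tau(k, n) for k in ks)))

def residues(e, ks, n):
    """What the attack on each X_0^k learns about the exponent e: e mod tau_k."""
    return {k: e % tau(k, n) for k in ks}

def gather(res, n):
    """Combine e mod tau_k over all k into (e mod M, M) with M = lcm of the tau_k.
    Generalised CRT: the moduli may share factors, so consistency is checked."""
    e, mod = 0, 1
    for k, r in res.items():
        t = tau(k, n)
        g = gcd(mod, t)
        assert (r - e) % g == 0, "inconsistent residues"
        step = t // g                       # lcm(mod, t) = mod * step
        # e + mod*j == r (mod t)  <=>  (mod/g) * j == (r - e)/g  (mod t/g)
        j = ((r - e) // g * pow(mod // g, -1, step)) % step if step > 1 else 0
        e, mod = (e + mod * j) % (mod * step), mod * step
    return e, mod

if __name__ == "__main__":
    n, ks, e = 4, [5, 3], 11          # constructed: 2^4 - 1 = 15 = 3 * 5
    print(subgroup_sizes(n))           # [1, 3, 5, 15]
    print({k: tau(k, n) for k in ks})  # {5: 3, 3: 5}: tiny generators
    print(bits_of_information(ks, n))  # log2(15): all of X_0
    print(gather(residues(e, ks, n), n))   # (11, 15): e recovered
```

With $n = 6$, $2^6 - 1 = 63 = 9 \cdot 7$ and $k_1 = 7$, $k_2 = 3$ give $\tau_7 = 9$ and $\tau_3 = 21$, which share the factor 3; `gather` still recovers e modulo $\mathrm{lcm}(9, 21) = 63$, matching the lcm in the property above rather than the product.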
Impact on Boolean functions
New criterion
Definition (Multiplicative subgroup resiliency?)
Let F be a Boolean function in n variables, let k divide $2^n - 1$, let τ be the multiplicative order of $\alpha^k$ and $d = \gcd(k, \tau)$. We say that F is k-MS resilient if and only if
$\max_{G(x) = H(x^k)} \varepsilon(F(x), G(x)) = \dfrac{\tau}{d}\, 2^{-n}$
Question: Is it possible to reach the value of τ/d for every possible τ?
When H is linear
Question: What is the value of $\min_f \max_{G(x) = \mathrm{Tr}(\lambda x^k)} \varepsilon(F(x), G(x))$?
Conclusions