Attacks on Stream Ciphers: A Perspective (PowerPoint presentation)

Palash Sarkar, Applied Statistics Unit, Indian Statistical Institute, Kolkata, India. palash@isical.ac.in
First Asian Workshop on Symmetric Key Cryptography, ASK 2011, 30th August 2011.


2. Linear Feedback Shift Register

Given a (non-zero) initial state $(a_0, \ldots, a_{n-1})$, an LFSR generates the sequence $a_0, a_1, a_2, \ldots, a_i, \ldots$ where, for $i \ge n$,
$$a_i = c_{n-1} a_{i-1} \oplus \cdots \oplus c_1 a_{i-n+1} \oplus c_0 a_{i-n}.$$
Characteristic (connection) polynomial: $\tau(x) = x^n \oplus c_{n-1} x^{n-1} \oplus \cdots \oplus c_1 x \oplus c_0$.
If $\tau(x)$ is primitive over $GF(2)$, then the period of $\{a_i\}$ is $2^n - 1$. Other "randomness-like" properties are well understood.
Any bit of the sequence is a linear combination of the first $n$ bits. Given $n$ bits of the sequence whose positions give independent linear relations (any $n$ consecutive bits will do), it is easy to get the initial state by solving a linear system over $GF(2)$. Unsuitable for direct use in cryptography.

Palash Sarkar (ISI, Kolkata), stream ciphers, ASK 2011, slide 15 / 55
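The recurrence, the period claim and the state recovery above, as an added Python example (not from the slides). The connection polynomial $\tau(x) = x^4 + x + 1$ (primitive) and the initial states are chosen here. The coefficient vector $w_i$ expressing $a_i$ in terms of $a_0, \ldots, a_{n-1}$ is obtained by running the LFSR from each unit initial state, and the state is recovered by Gauss-Jordan elimination over GF(2); the last call shows that $n$ bits one period apart are the same bit $n$ times and do not determine the state.

```python
"""LFSR over GF(2): generation, period check, and state recovery from n
known output bits.  Added example, not from the slides.

tau(x) = x^n + c_{n-1} x^{n-1} + ... + c_1 x + c_0 is passed as the list
[c_0, ..., c_{n-1}];  x^4 + x + 1 (primitive) is [1, 1, 0, 0].
"""
from typing import List, Optional


def lfsr_sequence(coeffs: List[int], state: List[int], length: int) -> List[int]:
    """a_0..a_{length-1} with a_i = c_{n-1} a_{i-1} ^ ... ^ c_0 a_{i-n}."""
    n = len(coeffs)
    seq = list(state)
    for i in range(n, length):
        bit = 0
        for j in range(n):          # term c_j * a_{i-n+j}
            bit ^= coeffs[j] & seq[i - n + j]
        seq.append(bit)
    return seq


def period(coeffs: List[int], state: List[int]) -> Optional[int]:
    """Smallest t > 0 after which the n-bit state window repeats
    (2^n - 1 for a primitive tau and a non-zero state)."""
    n = len(coeffs)
    seq = lfsr_sequence(coeffs, state, 2 ** n + n)
    for t in range(1, 2 ** n):
        if seq[t:t + n] == seq[:n]:
            return t
    return None


def coefficient_vectors(coeffs: List[int], length: int) -> List[List[int]]:
    """w_i with a_i = XOR_j w_i[j] a_j.  By linearity of the recurrence the
    sequence started from the unit state e_j is the j-th column of the w's."""
    n = len(coeffs)
    cols = [lfsr_sequence(coeffs, [int(k == j) for k in range(n)], length)
            for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(length)]


def solve_gf2(rows: List[List[int]], rhs: List[int]) -> Optional[List[int]]:
    """Gauss-Jordan elimination over GF(2).  Returns the unique solution, or
    None if the equations are inconsistent or do not determine all unknowns."""
    n = len(rows[0])
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    pivot_cols, r = [], 0
    for c in range(n):
        piv = next((k for k in range(r, len(m)) if m[k][c]), None)
        if piv is None:
            continue                     # c is a free column
        m[r], m[piv] = m[piv], m[r]
        for k in range(len(m)):
            if k != r and m[k][c]:
                m[k] = [x ^ y for x, y in zip(m[k], m[r])]
        pivot_cols.append(c)
        r += 1
    if r < n or any(m[k][n] for k in range(r, len(m))):
        return None                      # under-determined, or 0 = 1
    sol = [0] * n
    for k, c in enumerate(pivot_cols):
        sol[c] = m[k][n]
    return sol


def recover_state(coeffs: List[int], positions: List[int], bits: List[int]) -> Optional[List[int]]:
    """Recover (a_0..a_{n-1}) from known bits a_i at the given positions:
    each known a_i gives the linear equation w_i . (a_0..a_{n-1}) = a_i."""
    w = coefficient_vectors(coeffs, max(positions) + 1)
    return solve_gf2([w[i] for i in positions], list(bits))


if __name__ == "__main__":
    tau = [1, 1, 0, 0]                   # x^4 + x + 1
    secret = [1, 0, 1, 1]                # constructed initial state
    seq = lfsr_sequence(tau, secret, 60)
    print("period:", period(tau, secret))
    print("from a_20..a_23:", recover_state(tau, [20, 21, 22, 23], seq[20:24]))
    # positions 0, 15, 30, 45 are one period apart: the same bit four times,
    # so the equations are dependent and the state is not determined
    print("from a_0, a_15, a_30, a_45:",
          recover_state(tau, [0, 15, 30, 45], [seq[i] for i in (0, 15, 30, 45)]))
```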

3. Nonlinear Combiner Model

[Figure: LFSR$_1$, ..., LFSR$_k$, ..., LFSR$_n$ output the bits $X^{(1)}_i, \ldots, X^{(k)}_i, \ldots, X^{(n)}_i$ at time $i$; a Boolean function $f$ combines them into the keystream bit $k_i$. $m_i$ = length of LFSR$_i$.]

4. Correlation Attacks.

5. Correlation Attack

Suppose $\Pr[X^{(1)}_i = k_i] = p \ne 1/2$. Divide-and-conquer attack: collect $\ell$ bits of the keystream. For each of the $2^{m_1} - 1$ non-zero initial states of LFSR$_1$, generate $\ell$ bits of the LFSR sequence. Let $s$ be the number of places where the LFSR sequence equals the keystream sequence. If $s \approx \ell p$, then the corresponding state is likely to be the correct initial state. If $s \approx \ell/2$, then the corresponding state is unlikely to be the correct initial state.

9. Correlation Attack (contd.)

For the attack to work, $\ell$ must be at least $m_1 / (1 - H(p))$, where $H$ is the binary entropy function. If $p = 1/2$ the attack does not work.
But if $\Pr[X^{(1)}_i \oplus X^{(2)}_i = k_i] = p \ne 1/2$, then LFSR$_1$ and LFSR$_2$ can be attacked simultaneously (by enumerating their $2^{m_1 + m_2}$ joint initial states).
In general, if $\Pr[X^{(j_1)}_i \oplus \cdots \oplus X^{(j_r)}_i = k_i] = p \ne 1/2$, then the LFSRs $j_1, \ldots, j_r$ can be attacked simultaneously.
Leads to Boolean function design criteria and trade-offs: balancedness; correlation immunity (resilience); algebraic degree; nonlinearity. Other properties: propagation criteria, strict avalanche criteria, ....
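The divide-and-conquer attack of the last two slides, as an added Python example (not from the slides). The combiner is the Geffe generator $f(x_1, x_2, x_3) = x_1 x_2 \oplus x_2 x_3 \oplus x_3$, for which $\Pr[k_i = X^{(1)}_i] = \Pr[k_i = X^{(3)}_i] = 3/4$ but $\Pr[k_i = X^{(2)}_i] = 1/2$; the connection polynomials ($x^5 + x^2 + 1$, $x^7 + x + 1$, $x^6 + x + 1$, all primitive), the initial states and $\ell = 400$ are chosen here. LFSR$_1$ and LFSR$_3$ are recovered independently from their match counts $s$; LFSR$_2$, which has $p = 1/2$ and cannot be attacked this way, is then found by exhaustive search over its $2^7 - 1$ states against the full keystream. `min_keystream_length` evaluates the bound $\ell \ge m_1 / (1 - H(p))$.

```python
"""Correlation (divide-and-conquer) attack on a three-LFSR nonlinear
combiner.  Added example, not from the slides.

Combiner: Geffe generator f(x1, x2, x3) = x1 x2 + x2 x3 + x3 over GF(2),
so Pr[k_i = X1_i] = Pr[k_i = X3_i] = 3/4 and Pr[k_i = X2_i] = 1/2.
Connection polynomials (chosen here, all primitive) are given as
[c_0, ..., c_{n-1}] of tau(x) = x^n + c_{n-1} x^{n-1} + ... + c_0.
"""
import math
from itertools import product

LFSRS = {1: [1, 0, 1, 0, 0],           # x^5 + x^2 + 1
         2: [1, 1, 0, 0, 0, 0, 0],     # x^7 + x + 1
         3: [1, 1, 0, 0, 0, 0]}        # x^6 + x + 1


def lfsr_bits(coeffs, state, length):
    """a_i = c_{n-1} a_{i-1} ^ ... ^ c_0 a_{i-n}, from state (a_0..a_{n-1})."""
    n, seq = len(coeffs), list(state)
    for i in range(n, length):
        seq.append(sum(coeffs[j] & seq[i - n + j] for j in range(n)) & 1)
    return seq


def geffe(x1, x2, x3):
    return (x1 & x2) ^ (x2 & x3) ^ x3


def keystream(states, length):
    xs = [lfsr_bits(LFSRS[r], states[r], length) for r in (1, 2, 3)]
    return [geffe(a, b, c) for a, b, c in zip(*xs)]


def nonzero_states(n):
    return [list(s) for s in product((0, 1), repeat=n) if any(s)]


def min_keystream_length(m, p):
    """Siegenthaler's requirement  l >= m / (1 - H(p)),  H = binary entropy."""
    h = -p * math.log2(p) - (1 - p) * math.log2(1 - p)
    return math.ceil(m / (1 - h))


def correlation_attack(reg, ks):
    """Try every non-zero initial state of LFSR `reg` on its own and count the
    agreements s with the keystream.  The correct state is the one whose s is
    farthest from l/2 (about l*p for a register correlated with p != 1/2)."""
    l, best = len(ks), None
    for state in nonzero_states(len(LFSRS[reg])):
        s = sum(a == b for a, b in zip(lfsr_bits(LFSRS[reg], state, l), ks))
        if best is None or abs(s - l / 2) > abs(best[1] - l / 2):
            best = (state, s)
    return best


def recover_all(ks):
    """Divide and conquer: LFSR1 and LFSR3 via their 3/4 correlation, then
    LFSR2 (uncorrelated, p = 1/2) by exhaustive search over 2^7 - 1 states."""
    st1, _ = correlation_attack(1, ks)
    st3, _ = correlation_attack(3, ks)
    for st2 in nonzero_states(len(LFSRS[2])):
        if keystream({1: st1, 2: st2, 3: st3}, len(ks)) == ks:
            return {1: st1, 2: st2, 3: st3}
    return None


if __name__ == "__main__":
    # constructed secret initial states and l = 400 known keystream bits
    secret = {1: [1, 0, 1, 1, 0], 2: [0, 1, 1, 0, 1, 0, 1], 3: [1, 1, 0, 0, 1, 0]}
    ks = keystream(secret, 400)
    print("l must be at least", min_keystream_length(5, 0.75), "for LFSR1")
    for reg in (1, 2, 3):
        print("LFSR%d best match count s:" % reg, correlation_attack(reg, ks)[1])
    print("full state recovered:", recover_all(ks) == secret)
```

The match count printed for LFSR$_2$ stays near $\ell/2 = 200$ for every candidate, which is the "$p = 1/2$, the attack does not work" case of the slide; the counts for LFSR$_1$ and LFSR$_3$ reach about $3\ell/4$ only for the correct state.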

12. Fast Correlation Attacks

Coding theory framework: the state $S$ of an LFSR is expanded to a sequence $a$ which is perturbed by non-linear noise $e$ to give the observed sequence $c$ (the keystream, or the ciphertext in a ciphertext-only setting), $c_i = a_i \oplus e_i$, with $p = \Pr[e_i = 0] \ne 1/2$.
View the expansion of $S$ to $a$ as the encoding procedure of a linear code.
Given $c$, use a suitable decoding technique to obtain $S$.

17. An Iterative Decoding Procedure

Generation of parity checks: find a number of linear relations that a bit $a_i$ in the sequence $a$ should satisfy. They are obtained by shifting, squaring and taking multiples of the connection polynomial.
Use $k$ as an approximation of $a$: for each $i$, count the number of parity-check equations involving $a_i$ that hold when evaluated on $k$. If this number is less than a threshold, then complement $k_i$.
Iterate the procedure until the sequence satisfies the LFSR recurrence.
Works well if the number of taps in the LFSR is small.
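The iterative decoding procedure above in Python, as an added example (not from the slides). The LFSR is chosen here: the primitive trinomial $\tau(x) = x^{17} + x^3 + 1$, the few-taps case where the method works well. The parity checks are the shifts of $\tau$ and of its squarings $\tau(x)^{2^k} = x^{17 \cdot 2^k} + x^{3 \cdot 2^k} + 1$, which the sequence satisfies because squaring is additive over GF(2); the flip rule "complement $k_i$ when fewer than half of its checks hold" is a simplification of the probability-based threshold of Meier and Staffelbach. The decoder stops when every check holds, i.e. when the sequence again satisfies the LFSR recurrence.

```python
"""Fast correlation attack by iterative bit flipping (Meier-Staffelbach
style).  Added example, not from the slides.

LFSR: tau(x) = x^17 + x^3 + 1 (primitive trinomial, so very few taps).
Parity checks: tau and its squarings tau(x)^(2^k) = x^(17*2^k) + x^(3*2^k) + 1
are all satisfied by the sequence, giving checks
    a_t ^ a_{t+3*2^k} ^ a_{t+17*2^k} = 0.
The flip rule "fewer than half of the bit's checks hold" is a simplification
of the probability-based threshold in the original algorithm.
"""
import random

N = 17


def lfsr(state, length):
    """a_i = a_{i-14} ^ a_{i-17}   (from x^17 = x^3 + 1)."""
    seq = list(state)
    for i in range(N, length):
        seq.append(seq[i - 14] ^ seq[i - 17])
    return seq


def parity_checks(length, squarings):
    """All checks (t, t+3*2^k, t+17*2^k) inside the window, for k < squarings,
    plus for every position the indices of the checks it takes part in."""
    checks, by_pos = [], [[] for _ in range(length)]
    for k in range(squarings):
        b, a = 3 << k, 17 << k
        for t in range(length - a):
            for pos in (t, t + b, t + a):
                by_pos[pos].append(len(checks))
            checks.append((t, t + b, t + a))
    return checks, by_pos


def decode(received, squarings=5, max_rounds=20):
    """Use the received (keystream) sequence as an approximation of a; flip
    every bit for which fewer than half of its parity checks hold; repeat
    until all checks hold, i.e. the sequence satisfies the LFSR recurrence.
    Returns (sequence, True if all checks hold)."""
    z = list(received)
    checks, by_pos = parity_checks(len(z), squarings)
    satisfied = lambda: [(z[i] ^ z[j] ^ z[k]) == 0 for i, j, k in checks]
    for _ in range(max_rounds):
        holds = satisfied()
        if all(holds):
            return z, True
        flips = [pos for pos, cs in enumerate(by_pos)
                 if cs and 2 * sum(holds[c] for c in cs) < len(cs)]
        if not flips:
            break
        for pos in flips:
            z[pos] ^= 1
    return z, all(satisfied())


def add_noise(seq, p, rng):
    """Noise model of the slides: each bit is kept with probability p = Pr[e_i = 0]."""
    return [b if rng.random() < p else b ^ 1 for b in seq]


if __name__ == "__main__":
    rng = random.Random(2011)
    truth = lfsr([rng.randrange(2) for _ in range(N)], 4000)
    noisy = add_noise(truth, 0.9, rng)          # constructed noisy keystream
    recovered, ok = decode(noisy, squarings=7)
    print("errors before:", sum(a != b for a, b in zip(truth, noisy)),
          "after:", sum(a != b for a, b in zip(truth, recovered)),
          "recurrence satisfied:", ok)
```

With $\ell = 1000$ and five squarings every position takes part in at least five checks, and an isolated error fails all of its own checks while any other bit sees at most one failing check per error, so a few scattered errors are corrected in one round; how far the noise level can be pushed depends on $\ell$, the number of checks per bit and the threshold, which is what the original analysis quantifies.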

20. Improvements to Correlation Attacks

Identify an embedded low-rate convolutional code in the LFSR code; use the Viterbi algorithm for decoding.
Turbo code techniques: identify "parallel" embedded convolutional codes in the LFSR code. The keystream sequence is used to construct received sequences for the convolutional codes. These are decoded using an iterative algorithm.
List decoding techniques.

25. Improvements to Correlation Attacks

A different view: reconstruction of linear polynomials.
Bit $a_i$ is a linear combination $a_i = \bigoplus_{j=0}^{m_1 - 1} w_{i,j} a_j$, where the $w_{i,j}$ can be computed from $\tau(x)$.
Let $w_i = (w_{i,0}, \ldots, w_{i,m_1-1})$ and define $A(x) = \bigoplus_{j=0}^{m_1 - 1} x_j a_j$. The values $a_0, \ldots, a_{m_1-1}$ define the polynomial and are unknown. Then $A(x)$ is a linear polynomial and $a_i = A(w_i)$ for $i \ge m_1$.
$k_i$ is a noisy output of the unknown polynomial $A(x)$ evaluated at the known point $w_i$.
Use techniques from computational learning theory due to Goldreich, Rubinfeld and Sudan to reconstruct $A$ from the $k_i$s.
The application is not straightforward; there are a few tricks involved.

27. Other Kinds of Correlations

Correlations between linear functions of several output bits and linear functions of a subset of LFSR bits. For strong enough correlations, a number of stochastic equations may be derived. If the known keystream sequence is long enough, then the equations can be solved.
Keystream (or simply key) correlation: leads to distinguishing attacks.
Bias in a particular keystream bit or a linear combination of keystream bits, e.g. $\Pr[k_{16} = 0] \ne 1/2$. Attack types: multiple keys; or a single key but multiple IVs.
Bias in a subsequence of keystream bits, e.g. $\Pr[k_i = k_{i+3}] \ne 1/2$ for all $i \ge 0$.

30. Some References: Correlation Attacks

T. Siegenthaler: Decrypting a Class of Stream Ciphers Using Ciphertext Only. IEEE Trans. Computers 34(1), 1985.
T. Siegenthaler: Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. Inf. Theory 30(5), 1984.
W. Meier, O. Staffelbach: Fast Correlation Attacks on Certain Stream Ciphers. J. Cryptology 1(3), 1989.
J. Dj. Golić: Correlation Properties of a General Binary Combiner with Memory. J. Cryptology 9(2), 1996.
T. Johansson, F. Jönsson: Fast Correlation Attacks Based on Turbo Code Techniques. CRYPTO 1999.
T. Johansson, F. Jönsson: Fast Correlation Attacks through Reconstruction of Linear Polynomials. CRYPTO 2000.
M. J. Mihaljevic, M. P. C. Fossorier, H. Imai: Fast Correlation Attack Algorithm with List Decoding and an Application. FSE 2001.

31. Algebraic Attacks.

33. Algebraic Attacks: Basic Idea

Each LFSR is updated using a linear function; let $L$ be the application of these linear functions to the respective states, so $L$ is a linear function on the whole state.
Let $(s_0, \ldots, s_{n-1})$ be the $n$-bit state at time $i$. Keystream:
$$k_i = f(s_0, \ldots, s_{n-1}), \quad k_{i+1} = f(L(s_0, \ldots, s_{n-1})), \quad k_{i+2} = f(L^2(s_0, \ldots, s_{n-1})), \quad \ldots$$
Each of the expressions $f(L^j(s_0, \ldots, s_{n-1}))$ has degree $d \stackrel{\Delta}{=} \deg(f)$ in the unknown state bits.

35. Solving Equations

There are $\sum_{j=1}^{d} \binom{n}{j}$ non-constant monomials of degree at most $d$.
Replace each monomial by a new variable (linearisation). Solve the resulting system of linear equations. A sufficient number of keystream bits is required to get an over-defined system of equations. From the solution to the linear system, obtain the solution to the original system.
Alternatively, use a Gröbner basis based technique to directly solve the system of multivariate polynomial equations over $\mathbb{F}_2$. Becomes progressively inefficient as $d$ increases. The linearisation technique also essentially computes a Gröbner basis.

38. Controlling the Degree

Suppose $g$ is a function such that $\deg(f \times g) < \deg(f)$.
Example: $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_1 x_2 x_3$ and $g(x_1, x_2, x_3) = x_2 x_3$; here $f \times g = x_2 x_3$, of degree $2 < 3$.
Multiply each keystream equation by $g$:
$$k_i \cdot g(s_0, \ldots, s_{n-1}) = f(s_0, \ldots, s_{n-1})\, g(s_0, \ldots, s_{n-1}),$$
$$k_{i+1} \cdot g(L(s_0, \ldots, s_{n-1})) = f(L(s_0, \ldots, s_{n-1}))\, g(L(s_0, \ldots, s_{n-1})),$$
$$k_{i+2} \cdot g(L^2(s_0, \ldots, s_{n-1})) = f(L^2(s_0, \ldots, s_{n-1}))\, g(L^2(s_0, \ldots, s_{n-1})), \quad \ldots$$
If $\deg(g) < d$ or $k_j = 0$ (which happens roughly half of the time), then we get a system of equations whose degrees are less than $d$. Finding a "good" $g$ is important.
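Linearisation and the degree-reduction trick of the last three slides on a toy filter generator, as an added Python example (not from the slides). The cipher is chosen here: a 10-bit LFSR with $\tau(x) = x^{10} + x^3 + 1$ (primitive) filtered by the slide's $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_1 x_2 x_3$ applied to the state bits $s_1, s_4, s_8$. Boolean functions are handled in algebraic normal form as sets of monomials. For the slide's $g = x_2 x_3$ we have $f g = g$, so $k_t = 0$ forces $g(L^t s) = 0$; for $k_t = 1$ the function $(1 \oplus x_1)(1 \oplus x_2)$, which annihilates $f \oplus 1$ (chosen here), gives a second degree-2 equation, so every keystream bit yields a degree-2 equation in 55 linearised unknowns instead of a degree-3 one in 175. The elimination reads off $s_0, \ldots, s_9$ whenever the linear system determines them, verifies the candidate against the keystream, and otherwise falls back to the plain degree-3 system.

```python
"""Algebraic attack on a toy filter generator: linearisation, and degree
reduction via a multiplier g with f g = g / an annihilator of f + 1.
Added example, not from the slides; the cipher is chosen here: a 10-bit LFSR
with tau(x) = x^10 + x^3 + 1 (primitive) and k_t = f(s_1, s_4, s_8), where
f(x1, x2, x3) = x1 + x2 + x1 x2 x3 is the slide's f.  Boolean functions are
ANF sets of monomials (frozensets of initial-state indices 0..9).
"""
from itertools import combinations

N, TAPS = 10, (1, 4, 8)
ONE = frozenset()                          # the constant monomial


def filt(x1, x2, x3):
    return x1 ^ x2 ^ (x1 & x2 & x3)


def keystream(s, length):
    out = []
    for _ in range(length):
        out.append(filt(*(s[i] for i in TAPS)))
        s = s[1:] + [s[0] ^ s[3]]          # L: (s_0..s_9) -> (s_1..s_9, s_0 + s_3)
    return out


def pmul(p, q):
    """Product of ANF sets; x_i^2 = x_i and coefficients are reduced mod 2."""
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}
    return r


def state_forms(length):
    """For t < length: the ANF (a linear form) of every bit of L^t(s)."""
    forms, out = [{frozenset([i])} for i in range(N)], []
    for _ in range(length):
        out.append(forms)
        forms = forms[1:] + [forms[0] ^ forms[3]]
    return out


def equations(ks, low_degree):
    """(polynomial, rhs) pairs with polynomial(s) = rhs for the true state."""
    eqs = []
    for t, forms in enumerate(state_forms(len(ks))):
        x1, x2, x3 = (forms[i] for i in TAPS)
        if not low_degree:                 # k_t = f(L^t s), degree 3
            eqs.append((x1 ^ x2 ^ pmul(pmul(x1, x2), x3), ks[t]))
        elif ks[t] == 0:                   # f g = g for g = x2 x3, so f = 0 => g = 0
            eqs.append((pmul(x2, x3), 0))
        else:                              # (1 + x1)(1 + x2) annihilates f + 1
            eqs.append(({ONE} ^ x1 ^ x2 ^ pmul(x1, x2), 0))
    return eqs


def solve_first_vars(rows, nvars, nfirst):
    """Gauss-Jordan over GF(2); a row is an int with bit j = variable j and
    bit nvars = right-hand side.  Returns variables 0..nfirst-1 if unique."""
    pivots = {}                            # pivot column -> reduced row
    for row in rows:
        for col, prow in pivots.items():
            if row >> col & 1:
                row ^= prow
        if row == 0:
            continue
        if row == 1 << nvars:
            return None                    # 0 = 1: inconsistent
        col = (row & -row).bit_length() - 1
        for c in pivots:
            if pivots[c] >> col & 1:
                pivots[c] ^= row
        pivots[col] = row
    vals = []
    for i in range(nfirst):
        row = pivots.get(i)
        if row is None or row & ((1 << nvars) - 1) != 1 << i:
            return None                    # s_i is tied to a free variable
        vals.append(row >> nvars & 1)
    return vals


def linearise(eqs, d):
    """Each non-constant monomial of degree <= d becomes one variable; the
    degree-1 monomials s_0..s_9 get indices 0..9 so the state is read off."""
    mons = [frozenset(c) for j in range(1, d + 1) for c in combinations(range(N), j)]
    idx = {m: i for i, m in enumerate(mons)}
    rows = []
    for poly, rhs in eqs:
        row = rhs << len(idx)
        for m in poly:
            row ^= 1 << (len(idx) if m == ONE else idx[m])
        rows.append(row)
    return solve_first_vars(rows, len(idx), N)


def attack(ks, degrees=(2, 3)):
    """Degree-2 system (55 unknowns) first, plain degree-3 linearisation
    (175 unknowns) as fallback; every candidate state is verified."""
    for d in degrees:
        s = linearise(equations(ks, d == 2), d)
        if s is not None and keystream(s, len(ks)) == ks:
            return s
    return None


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]  # constructed initial state
    ks = keystream(secret, 300)
    print("degree 3 only:", attack(ks, (3,)) == secret, " reduced first:", attack(ks) == secret)
```

Three hundred keystream bits exceed the 175 linearised unknowns of the degree-3 system, which is the over-defined situation the slides call for; the reduced system needs far fewer bits and is what makes the multiplier $g$ worth finding.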

40. A General Formulation

Let $s = (s_0, \ldots, s_{n-1})$. Find a Boolean function $\tilde f$ such that for some $\delta \ge 0$
$$\tilde f(L^t(s), \ldots, L^{t+\delta}(s), k_t, \ldots, k_{t+\delta}) = 0 \quad \text{for all } t.$$
For $\delta = 0$, take $\tilde f(L^t(s), k_t) = f(L^t(s)) \oplus k_t$.
Suppose $\tilde f$ can be written as
$$\tilde f(L^t(s), \ldots, L^{t+\delta}(s), k_t, \ldots, k_{t+\delta}) = h(L^t(s), \ldots, L^{t+\delta}(s)) \oplus g(L^t(s), \ldots, L^{t+\delta}(s), k_t, \ldots, k_{t+\delta}) = h_t(s) \oplus g_t(s, k_t, \ldots, k_{t+\delta}),$$
where the degree $e$ of $s$ in $g$ is less than the degree $d$ of $s$ in $\tilde f$.

43. A General Formulation (contd.)

Assume that the attacker can find constants $c_0, \ldots, c_{T-1}$ such that
$$\bigoplus_{j=0}^{T-1} c_j\, h_{t+j}(s) = 0 \quad \text{for all } t.$$
Using $0 = \tilde f(L^t(s), \ldots, L^{t+\delta}(s), k_t, \ldots, k_{t+\delta}) = h_t(s) \oplus g_t(s, k_t, \ldots, k_{t+\delta})$, i.e. $h_t(s) = g_t(s, k_t, \ldots, k_{t+\delta})$, we can write
$$\bigoplus_{j=0}^{T-1} c_j\, g_{t+j}(s, k_{t+j}, \ldots, k_{t+j+\delta}) = 0.$$
This is an equation of the lower degree $e$ in the unknown $s$ (the keystream bits are known).

47. A General Formulation (contd.)

Finding the constants $c_0, \ldots, c_{T-1}$: choose a "reasonable" value $s^*$ of $s$ and compute $\hat k_t = h_t(s^*)$ for $t = 0, \ldots, 2T-1$.
Use the Berlekamp-Massey algorithm to find $c_0, \ldots, c_{T-1}$ such that
$$0 = \bigoplus_{j=0}^{T-1} c_j\, \hat k_{t+j} = \bigoplus_{j=0}^{T-1} c_j\, h_{t+j}(s^*).$$
Requires $O(T^2)$ time. The proof that these $c_0, \ldots, c_{T-1}$ work for all $s$ is non-trivial.

50. Some References: Algebraic Attacks

N. Courtois, W. Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback. EUROCRYPT 2003.
N. Courtois: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. CRYPTO 2003.
F. Armknecht, M. Krause: Algebraic Attacks on Combiners with Memory. CRYPTO 2003.
F. Armknecht: Improving Fast Algebraic Attacks. FSE 2004.
N. Courtois, A. Klimov, J. Patarin, A. Shamir: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. EUROCRYPT 2000.
C. Diem: The XL-Algorithm and a Conjecture from Commutative Algebra. ASIACRYPT 2004.
G. Ars, J.-C. Faugère, H. Imai, M. Kawazoe, M. Sugita: Comparison Between XL and Gröbner Basis Algorithms. ASIACRYPT 2004.

51. Differential Attacks.

55. Trivium: A Counter-Point to Correlation and Algebraic Attacks

State: $(s^{(i)}_1, \ldots, s^{(i)}_{288})$ (the superscript $i$ is omitted below for simplicity). The state update function is non-linear; the output function is linear.
$$t_1 = s_{66} \oplus s_{93}; \quad t_2 = s_{162} \oplus s_{177}; \quad t_3 = s_{243} \oplus s_{288};$$
$$k_i = t_1 \oplus t_2 \oplus t_3;$$
$$t_1 = t_1 \oplus s_{91} \cdot s_{92} \oplus s_{171}; \quad t_2 = t_2 \oplus s_{175} \cdot s_{176} \oplus s_{264}; \quad t_3 = t_3 \oplus s_{286} \cdot s_{287} \oplus s_{69};$$
$$(s_1, s_2, \ldots, s_{93}) \leftarrow (t_3, s_1, \ldots, s_{92}); \quad (s_{94}, s_{95}, \ldots, s_{177}) \leftarrow (t_1, s_{94}, \ldots, s_{176}); \quad (s_{178}, s_{179}, \ldots, s_{288}) \leftarrow (t_2, s_{178}, \ldots, s_{287}).$$
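The update above in Python, as an added example (not from the slides). The same `clock` routine runs both on bits and symbolically, with every state bit an ANF polynomial in the 288 initial-state variables, which makes the counter-point concrete: the output function is linear, but the keystream bit $k_i$ has algebraic degree 1 in the initial state only for $i < 66$; from $k_{66}$ on, bits that passed through the $s_{91} s_{92}$-type products reach the taps and the degree grows with every further clock. Key/IV loading is not on the slide and is not implemented; the state is given directly (the concrete state below is constructed).

```python
"""Trivium keystream generation from the slide's equations, on bits and
symbolically (ANF over the 288 initial state bits).  Added example, not
from the slides; key/IV loading is not part of the slide and is omitted.

State positions are 1-based as on the slide: s[1..288], s[0] unused.
"""
import operator


def clock(s, xor, mul):
    """One Trivium clock.  `xor` and `mul` are the GF(2) operations on
    whatever the state holds (ints, or ANF polynomials).  Returns (s', k_i)."""
    t1 = xor(s[66], s[93])
    t2 = xor(s[162], s[177])
    t3 = xor(s[243], s[288])
    k = xor(xor(t1, t2), t3)                      # linear output function
    t1 = xor(xor(t1, mul(s[91], s[92])), s[171])  # non-linear update
    t2 = xor(xor(t2, mul(s[175], s[176])), s[264])
    t3 = xor(xor(t3, mul(s[286], s[287])), s[69])
    s2 = [None] + [t3] + s[1:93] + [t1] + s[94:177] + [t2] + s[178:288]
    return s2, k


def keystream_bits(state288, n):
    """n keystream bits from a concrete 288-bit state (list of 0/1)."""
    s, out = [0] + list(state288), []
    for _ in range(n):
        s, k = clock(s, operator.xor, operator.and_)
        out.append(k)
    return out


def anf_mul(p, q):
    """Product of two ANF polynomials (sets of monomials = frozensets of
    variable numbers); x^2 = x and coefficients are reduced mod 2."""
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}
    return r


def symbolic_keystream(n):
    """k_0..k_{n-1} as ANF polynomials in the initial state bits 1..288."""
    s, out = [None] + [{frozenset([i])} for i in range(1, 289)], []
    for _ in range(n):
        s, k = clock(s, lambda p, q: p ^ q, anf_mul)
        out.append(k)
    return out


def degree(poly):
    return max((len(m) for m in poly), default=0)


def evaluate(poly, state288):
    """Evaluate an ANF polynomial on a concrete state."""
    s = [0] + list(state288)
    return sum(all(s[v] for v in m) for m in poly) & 1


if __name__ == "__main__":
    state = [int(i % 3 == 0 or i % 7 == 0) for i in range(288)]   # constructed
    polys = symbolic_keystream(70)
    print("degrees of k_0..k_69:", [degree(p) for p in polys])
    print("symbolic == concrete:",
          [evaluate(p, state) for p in polys] == keystream_bits(state, 70))
```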

59. Derivatives

Given an $n$-variable Boolean function $f(x)$ and $a \in \{0,1\}^n$, the derivative of $f$ at $a$ is defined to be the Boolean function
$$\Delta_a f(x) \stackrel{\Delta}{=} f(x \oplus a) \oplus f(x).$$
Extension: $\Delta^{(2)}_{a_1, a_2} f(x) = f(x \oplus a_1 \oplus a_2) \oplus f(x \oplus a_1) \oplus f(x \oplus a_2) \oplus f(x)$.
Other direction: $f(x \oplus a_1 \oplus a_2) = \Delta^{(2)}_{a_1, a_2} f(x) \oplus \Delta_{a_1} f(x) \oplus \Delta_{a_2} f(x) \oplus f(x)$, and in general
$$f(x \oplus a_1 \oplus \cdots \oplus a_n) = \bigoplus_{i=0}^{n} \bigoplus_{1 \le j_1 < \cdots < j_i \le n} \Delta^{(i)}_{a_{j_1}, \ldots, a_{j_i}} f(x),$$
with $\Delta^{(0)} f = f$ and $\Delta^{(1)}_a f = \Delta_a f$.

61. Derivatives (contd.)

Properties:
$\deg(\Delta_a f) < \deg(f)$.
$\Delta^{(2)}_{a_1, a_2} f(x) = \Delta^{(2)}_{a_2, a_1} f(x)$.
$\Delta_a(f \oplus g) = \Delta_a f \oplus \Delta_a g$.
$\Delta_a(f(x)\, g(x)) = f(x \oplus a)\, \Delta_a g(x) \oplus (\Delta_a f(x))\, g(x)$.
If $a \in \{0,1\}^n$ is such that $\mathrm{supp}(a) \subseteq \{1, \ldots, i\}$, then $\Delta_a(x_1 \cdots x_i\, f(x_{i+1}, \ldots, x_n)) = f(x_{i+1}, \ldots, x_n)\, \Delta_a(x_1 \cdots x_i)$.
Nothing special about $x_1 \cdots x_i$; easy modification for the monomial $x_{j_1} \cdots x_{j_i}$.

63. Derivatives (contd.)

Let $C[a_1, \ldots, a_i]$ be the set of all linear combinations of $a_1, \ldots, a_i$. Then
$$\Delta^{(i)}_{a_1, \ldots, a_i} f(x) = \bigoplus_{c \in C[a_1, \ldots, a_i]} f(x \oplus c).$$
If $a_i$ is linearly dependent on $a_1, \ldots, a_{i-1}$, then $\Delta^{(i)}_{a_1, \ldots, a_i} f(x) = 0$ (each element of the span is then reached by an even number of subsets of $\{a_1, \ldots, a_i\}$).

68. Using Derivatives

Suppose $f(x_1, \ldots, x_n)$ can be written as
$$f(x_1, \ldots, x_n) = x_1 \cdots x_i\, g(x_{i+1}, \ldots, x_n) \oplus h(x_1, \ldots, x_n),$$
where $x_1 \cdots x_i$ does not divide any monomial of $h(x_1, \ldots, x_n)$.
Let $a_1, \ldots, a_i$ be linearly independent vectors such that $\mathrm{supp}(a_1), \ldots, \mathrm{supp}(a_i) \subseteq \{1, \ldots, i\}$. Then
$$\Delta^{(i)}_{a_1, \ldots, a_i} f(x_1, \ldots, x_n) = \bigoplus_{c \in C[a_1, \ldots, a_i]} f(x \oplus c) = g(x_{i+1}, \ldots, x_n).$$
Nothing special about $x_1 \cdots x_i$; easy modification for $x_{j_1} \cdots x_{j_i}$.

74. Using Derivatives (contd.)

Maxterm: $x_{j_1} \cdots x_{j_i}$ is a maxterm if the corresponding $g$ is of degree 1.
Observation: if $f$ is a random polynomial of degree $d$, then with high probability every degree-$(d-1)$ monomial is a maxterm.
Suppose $x_1 \cdots x_i$ is a maxterm, $f(x) = x_1 \cdots x_i\, g(x_{i+1}, \ldots, x_n) \oplus h(x)$.
The constant term of $g$ is obtained by setting $x_{i+1}, \ldots, x_n$ to 0 and XORing together the values of $f$ for all possible choices of $x_1, \ldots, x_i$.
The coefficient of $x_j$ in $g$ ($j > i$) is obtained by setting $x_j$ to 1 and all other $x_{i+1}, \ldots, x_n$ to 0, XORing together the values of $f$ for all possible choices of $x_1, \ldots, x_i$ (this gives $g(e_j)$, the constant term XOR the coefficient of $x_j$), and XORing the result with the constant term.
Nothing special about $x_1 \cdots x_i$; easy modification for $x_{j_1} \cdots x_{j_i}$.
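The derivative machinery of the last few slides and the maxterm recovery above, as an added Python example (not from the slides). The target $f$ is a constructed degree-3 function of six variables, accessed only as a black box; the higher-order derivative $\Delta^{(i)}_{a_1, \ldots, a_i} f$ is computed as the XOR over all subset sums of the $a_j$, which is the sum over $C[a_1, \ldots, a_i]$ for independent vectors, zero for dependent ones, and a cube sum when the $a_j$ are unit vectors. The linear superpoly $g$ is read off exactly as described: constant term first, then each coefficient as a cube sum XOR the constant. Because $n$ is tiny the linearity of the recovered $g$ is checked exhaustively, where a real attack would use a probabilistic linearity test; a Möbius transform computes the ANF degree to confirm $\deg(\Delta_a f) < \deg(f)$.

```python
"""Derivatives of Boolean functions and maxterm (cube) superpoly recovery.
Added example, not from the slides.

Variables are numbered 1..n as on the slides; a point x is a list with
x[0] unused.  The black-box target (constructed here) is
  f = x1 x2 x3 + x1 x2 x5 + x1 x2 + x2 x4 x6 + x3 x5 + x4 + 1
    = x1 x2 (x3 + x5 + 1) + x2 x4 (x6) + x3 x5 + x4 + 1,
so x1 x2 and x2 x4 are maxterms with superpolys x3 + x5 + 1 and x6.
"""
from itertools import product

NVARS = 6


def f(x):
    x1, x2, x3, x4, x5, x6 = x[1:7]
    return ((x1 & x2 & x3) ^ (x1 & x2 & x5) ^ (x1 & x2)
            ^ (x2 & x4 & x6) ^ (x3 & x5) ^ x4 ^ 1)


def higher_derivative(fn, vectors, x):
    """Delta^{(i)}_{a_1..a_i} fn(x): XOR of fn(x + sum of a subset) over all
    2^i subsets.  For independent a_j this is the sum over C[a_1..a_i]; for
    dependent a_j every point of the span is hit an even number of times."""
    total = 0
    for bits in product((0, 1), repeat=len(vectors)):
        y = list(x)
        for a, b in zip(vectors, bits):
            if b:
                y = [yi ^ ai for yi, ai in zip(y, a)]
        total ^= fn(y)
    return total


def unit(j, n=NVARS):
    return [int(k == j) for k in range(n + 1)]


def cube_sum(fn, cube, base):
    """XOR of fn over all values of the cube variables, the others as in base:
    the superpoly g of the monomial prod_{j in cube} x_j evaluated at base."""
    return higher_derivative(fn, [unit(j) for j in cube], base)


def linear_superpoly(fn, cube, n=NVARS):
    """The slide's procedure.  Returns (constant, {j: coefficient of x_j}) if
    the superpoly is affine (maxterm, or degree 0), else None."""
    rest = [j for j in range(1, n + 1) if j not in cube]
    zero = [0] * (n + 1)
    const = cube_sum(fn, cube, zero)                               # g(0)
    coef = {j: cube_sum(fn, cube, unit(j)) ^ const for j in rest}  # g(e_j) + g(0)
    for bits in product((0, 1), repeat=len(rest)):   # exhaustive linearity check
        x = list(zero)
        for j, b in zip(rest, bits):
            x[j] = b
        guess = const ^ (sum(coef[j] & x[j] for j in rest) & 1)
        if guess != cube_sum(fn, cube, x):
            return None
    return const, coef


def anf_degree(fn, n=NVARS):
    """Algebraic degree via the Moebius transform of the truth table."""
    tt = [fn([0] + [(m >> (j - 1)) & 1 for j in range(1, n + 1)]) for m in range(1 << n)]
    for j in range(n):
        for m in range(1 << n):
            if m >> j & 1:
                tt[m] ^= tt[m ^ (1 << j)]
    return max((bin(m).count("1") for m in range(1 << n) if tt[m]), default=-1)


def derivative(fn, a):
    """Delta_a fn as a function: x -> fn(x + a) + fn(x)."""
    return lambda x: fn(x) ^ fn([xi ^ ai for xi, ai in zip(x, a)])


if __name__ == "__main__":
    print("deg f =", anf_degree(f), " deg Delta_{e1} f =", anf_degree(derivative(f, unit(1))))
    for cube in ([1, 2], [2, 4], [3, 5], [1]):
        print("cube", cube, "->", linear_superpoly(f, cube))
    e1, e2 = unit(1), unit(2)
    dep = [e1, e2, [a ^ b for a, b in zip(e1, e2)]]
    print("dependent vectors give 0:", higher_derivative(f, dep, [0] * 7))
```

The cube $x_3 x_5$ shows the boundary case: its superpoly is the constant 1, which the recovery returns with all coefficients zero but which is not a maxterm under the slide's degree-1 definition; the cube $x_1$ alone has the degree-2 superpoly $x_2(x_3 \oplus x_5 \oplus 1)$ and is rejected by the linearity check.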
