Differential-Linear Attacks against the Stream Cipher Phelix
Hongjun Wu and Bart Preneel
Katholieke Universiteit Leuven ESAT/COSIC
Overview
1. Introduction to Helix and Phelix
2. Description of Phelix
3. Differential propagation of addition
4. A basic attack on Phelix
5. Improving the attack on Phelix
6. Improving the security of Phelix
7. Open problems
8. Conclusion
K.U. Leuven, ESAT/COSIC 2
1. Background (1)
Stream Cipher Helix (FSE 2003)
stream cipher + message authentication
message is applied to update the internal state
encryption: message is XORed with the keystream
MAC: generated from internal state after finishing encryption
gain: no separate MAC
cost: error propagation, security concern
1. Background (2)
Attacks against Helix
Differential key recovery attack (Muller, 2004): nonce reuse; $2^{12}$ adaptively chosen plaintext words, $2^{88}$ operations
Reducing the number of plaintext words (Paul-Preneel, 2005): about $2^{10}$ adaptively chosen plaintext words; or $2^{35.6}$ chosen plaintext words
1. Background (3)
Stream Cipher Phelix (2005)
Phelix: the strengthened version of Helix
1) message passing through more operations before affecting the keystream: half block in Helix, one full block in Phelix
2) more internal state words in generating a keystream word: one internal state word in Helix, two in Phelix
Is Phelix secure? Still vulnerable to the differential key recovery attack, effective key size being reduced to 41.5 bits
2. Stream Cipher Phelix (1)
Stream Cipher Phelix
stream cipher + message authentication code
256-bit key, 128-bit IV
eSTREAM Phase II software and hardware focus cipher
Fast in software: 6.6 cycles/byte on Pentium M processor
Hardware: twelve 32-bit additions are required for one 32-bit keystream word: efficient?
2. Stream Cipher Phelix (2)
Stream Cipher Phelix
160-bit internal state: updated by message
512-bit internal state: simply related to the key and IV, incremented during the encryption
Phelix: one block
$Z_0, Z_1, Z_2, Z_3, Z_4$: 160-bit internal state updated by message
$X_{i,0}, X_{i,1}$: 512-bit internal state, determined by key, IV
Encryption: $C_i = P_i \oplus S_i$
3. Differential Propagation of Addition
Observation: addend bits are strongly correlated with the difference of the sums
=> By observing the distribution of the difference of the sums, the value of addend bits can be determined with the linear attack technique
3. Differential Propagation of Addition
The following theorem shows that the check sum of two adjacent addend bits does significantly affect the distribution of the difference of the sums
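As an added illustration (not code from the slides or from the Phelix authors), the dependence is simulated on a constructed toy model of the path used in Section 4: a one-bit difference $2^j$ enters one addend of $w = u + v$, and the result is XORed with a key word $x$ and added to a fresh uniform word $a$, $t = a + (w \oplus x)$, the shape of $T_0^{(i+1)} = A_0^{(i+1)} + (B_3^{(i+1)} \oplus X_{i+1,0})$. In this toy model bit $j+2$ of $t \oplus t'$ is 0 with probability 3/4 when $x^{j+1} = x^j$ and 1/2 otherwise (a far larger bias than the 0.502 seen through a full Phelix block, which has many more operations on the path), and shifting the difference across the word recovers every $x^{j+1} \oplus x^j$ by the same threshold decision; the toy model, all names and the sample key word are assumptions.

```python
import random

MASK = 0xFFFFFFFF  # Phelix works on 32-bit words mod 2^32


def toy_step(u, v, a, x, delta):
    """Constructed toy model (not Phelix itself): a difference `delta` enters
    addend v of w = u + v (a message word entering an addition), the result is
    XORed with the key-derived word x and added to a fresh uniform word a,
    i.e. t = a + (w ^ x).  Returns the pair (t, t')."""
    w = (u + v) & MASK
    w2 = (u + (v ^ delta)) & MASK
    return (a + (w ^ x)) & MASK, (a + (w2 ^ x)) & MASK


def prob_diff_bit_zero(x, j, samples=1 << 16, seed=1):
    """Empirical P[bit j+2 of t ^ t' == 0] for input difference 2^j, a fixed
    key word x, and uniformly random u, v, a."""
    rng = random.Random(seed)
    delta = 1 << j
    zeros = 0
    for _ in range(samples):
        t, t2 = toy_step(rng.getrandbits(32), rng.getrandbits(32),
                         rng.getrandbits(32), x, delta)
        zeros += 1 - (((t ^ t2) >> (j + 2)) & 1)
    return zeros / samples


def recover_adjacent_xor(x, j, samples=1 << 14, seed=1):
    """Decide x[j+1] ^ x[j] from the observed distribution alone.  In the toy
    model the bit is 0 with probability 3/4 when x[j+1] == x[j] and 1/2
    otherwise, so the threshold sits halfway between (0.625).  The key word x
    is only used to run the oracle, never read directly."""
    return 0 if prob_diff_bit_zero(x, j, samples, seed) > 0.625 else 1


def recover_pair_xors(x, pairs=range(30), samples=1 << 14):
    """Shift the one-bit difference across the word and recover x[j+1] ^ x[j]
    for every j in `pairs` (j <= 29 so that bit j+2 exists in a 32-bit word)."""
    return [recover_adjacent_xor(x, j, samples) for j in pairs]


if __name__ == "__main__":
    x = 0x8F3A51C6  # constructed sample key word
    print([round(prob_diff_bit_zero(x, j, 1 << 14), 3) for j in range(4)])
    truth = [((x >> (j + 1)) ^ (x >> j)) & 1 for j in range(30)]
    print(recover_pair_xors(x) == truth)
```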
4. A Basic Attack on Phelix (1)
1) Introducing one bit difference in $P_i$
2) $B_3^{(i+1)} \oplus B_3'^{(i+1)}$ is heavily biased
4. A Basic Attack on Phelix (2)
3) Since $T_0^{(i+1)} = A_0^{(i+1)} + (B_3^{(i+1)} \oplus X_{i+1,0})$ and $B_3^{(i+1)} \oplus B_3'^{(i+1)}$ is heavily biased, we can predict which bits of $X_{i+1,0}$ may have a significant effect on the distribution of the difference of the keystream according to Theorem 2.
4. A Basic Attack on Phelix (3)
4) When the one-bit difference is in the least significant bit of $P_i$: for $X_{i+1,0}^{15} \oplus X_{i+1,0}^{14} = 0$, the 17th least significant bit of $S_{i+1} \oplus S_{i+1}'$ is 0 with probability 0.50227; for $X_{i+1,0}^{15} \oplus X_{i+1,0}^{14} = 1$, the probability is 0.50117.
=> The value of $X_{i+1,0}^{15} \oplus X_{i+1,0}^{14}$ is highly correlated to the distribution of $S_{i+1}^{17} \oplus S_{i+1}'^{17}$.
=> Recovering $X_{i+1,0}^{15} \oplus X_{i+1,0}^{14}$ with $2^{22.3}$ plaintext pairs
4. A Basic Attack on Phelix (4)
Experiment 1. With $2^{25}$ chosen plaintext pairs with difference in the least significant bit of $P_i$, the values of $X_{i+1,0}^{15} \oplus X_{i+1,0}^{14}$ of 192 keys among 200 keys are determined correctly. The success rate is about 0.96, lower than expected.
Reason: the other bits of $X_{i+1,0}$ interfere with $X_{i+1,0}^{15} \oplus X_{i+1,0}^{14}$.
Shifting the one-bit difference, 23 bits of $X_{i+1,0}$ are recovered.
5. Improving the Attack on Phelix (1)
Aims: recovering more key bits and improving the success rate; reducing the number of chosen plaintext pairs
Methods: recovering $Z_4^{(i-3)}$ before recovering $X_{i+1,0}$; fine tuning of the threshold values in the attack
5. Improving the Attack on Phelix (2)
Recovering $Z_4^{(i-3)}$
1) Introducing difference in the least significant bit of $P_i$
2) $Y_4^{(i+1)} \oplus Y_4'^{(i+1)}$ is heavily biased
5. Improving the Attack on Phelix (3)
3) Since $S_{i+1} = Y_4^{(i+1)} + Z_4^{(i-3)}$ and $Y_4^{(i+1)} \oplus Y_4'^{(i+1)}$ is heavily biased, the value of the bits of $Z_4^{(i-3)}$ affects the distribution of $S_{i+1} \oplus S_{i+1}'$.
4) When $P_i \oplus P_i' = 1$: for $Y_4^{(i+1),3} \oplus Y_4^{(i+1),2} = 0$, the 5th least significant bit of $S_{i+1} \oplus S_{i+1}'$ is 0 with probability 0.5461; for $Y_4^{(i+1),3} \oplus Y_4^{(i+1),2} = 1$, this probability is 0.5193.
=> Recovering $Y_4^{(i+1),3} \oplus Y_4^{(i+1),2}$ requires $2^{14}$ plaintext pairs
5. Improving the Attack on Phelix (4)
5) In the attack, we determine the least significant bit of $Z_4^{(i-3)}$ first, then proceed to determine the more significant bits of $Z_4^{(i-3)}$ by shifting the one-bit difference.
6) When $Z_4^{(i-3),j}$ is analyzed, $Z_4^{(i-3),j-1} \| Z_4^{(i-3),j-2} \| \ldots \| Z_4^{(i-3),0}$ is subtracted from $S_{i+1}$ and $S_{i+1}'$ so that $Z_4^{(i-3),j-1} \| Z_4^{(i-3),j-2} \| \ldots \| Z_4^{(i-3),0}$ does not interfere with $Z_4^{(i-3),j}$. The success rate becomes very close to 1 with a small number of plaintext pairs.
5. Improving the Attack on Phelix (5)
7) With $2^{17}$ plaintext pairs, 30 bits of $Z_4^{(i-3)}$ (except the two most significant bits of $Z_4^{(i-3)}$) can be determined with success rate about 0.999.
After recovering $Z_4^{(i-3)}$, we recover $X_{i+1,0}$ from the distribution of $Y_4^{(i+1)} \oplus Y_4'^{(i+1)}$ instead of $S_{i+1} \oplus S_{i+1}'$.
5. Improving the Attack on Phelix (6)
Recovering $X_{i+1,0}$ from $Y_4^{(i+1)} \oplus Y_4'^{(i+1)}$
Due to the interference between the bits of $X_{i+1,0}$ on the distribution of $Y_4^{(i+1)} \oplus Y_4'^{(i+1)}$, we need the fine tuning of the threshold values in the attack.
For example, when $P_i \oplus P_i' = 1$: if $X_{i+1,0}^{9} = 0$ and the value of $X_{i+1,0}^{11} \| X_{i+1,0}^{10}$ is 00, 11, 01, 10, then $Y_4^{(i+1),13} \oplus Y_4'^{(i+1),13} = 0$ with prob. 0.53033, 0.52334, 0.51946, 0.51864 respectively; if $X_{i+1,0}^{9} = 1$, the prob. becomes 0.52334, 0.53030, 0.51861, 0.51948.
=> $X_{i+1,0}^{9}$ and $X_{i+1,0}^{11} \| X_{i+1,0}^{10}$ affect the distribution of $Y_4^{(i+1),13} \oplus Y_4'^{(i+1),13}$
5. Improving the Attack on Phelix (7)
Other bits of $X_{i+1,0}$ also affect the distribution of $Y_4^{(i+1),13} \oplus Y_4'^{(i+1),13}$.
In the attack, we need to tune the threshold value to 0.52035, so that the value of $X_{i+1,0}^{11} \oplus X_{i+1,0}^{10}$ can be recovered with success rate 0.99 with $2^{21}$ chosen plaintext pairs.
The values of $X_{i+1,0}^{j+1} \oplus X_{i+1,0}^{j}$ ($2 \le j \le 28$) can be determined in a similar way.