Improved Correlation Attacks on SOSEMANUK and SOBER-128 (PowerPoint presentation, slide text)


  1. Improved Correlation Attacks on SOSEMANUK and SOBER-128. Joo Yeon Cho, Helsinki University of Technology, Department of Information and Computer Science, Espoo, Finland. 24th March 2009. (Slide 1 of 35.)

  2. Outline: SOSEMANUK; Attack Method; Searching Linear Approximations; SOBER-128.

  3. SOSEMANUK (from Wikipedia)
  • A software-oriented stream cipher designed by Côme Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cédric Lauradoux, Marine Minier, Thomas Pornin and Hervé Sibert.
  • One of the final four Profile 1 (software) ciphers selected for the eSTREAM portfolio, along with HC-128, Rabbit and Salsa20/12.
  • Influenced by the stream cipher SNOW and the block cipher Serpent.
  • The key length can vary between 128 and 256 bits, but the guaranteed security is only 128 bits.
  • The name means "snow snake" in the Cree language, because the cipher depends on both SNOW and Serpent.

  4. Overview (figure only on this slide).

  5. Structure
  1. The states of the LFSR: $s_0, \ldots, s_9$ (320 bits), with
     $s_{t+10} = s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t$, $t \ge 1$,
     where $\alpha$ is a root of the primitive polynomial.
  2. The Finite State Machine (FSM): $R1$ and $R2$, with
     $R1_{t+1} = R2_t \boxplus (r_t s_{t+9} \oplus s_{t+2})$,
     $R2_{t+1} = \mathrm{Trans}(R1_t)$,
     $f_t = (s_{t+9} \boxplus R1_t) \oplus R2_t$,
     where $r_t$ denotes the least significant bit of $R1_t$.
  3. The function $\mathrm{Trans}$ on $\mathbb{F}_2^{32}$: $\mathrm{Trans}(R1_t) = (R1_t \times \mathtt{0x54655307} \bmod 2^{32}) \lll 7$.
  4. The output of the FSM: $(z_{t+3}, z_{t+2}, z_{t+1}, z_t) = \mathrm{Serpent1}(f_{t+3}, f_{t+2}, f_{t+1}, f_t) \oplus (s_{t+3}, s_{t+2}, s_{t+1}, s_t)$.

  6. Previous Attacks
  • The authors state that "no linear relation holds after applying Serpent1 and there are too many unknown bits...".
  • At Asiacrypt'08, the best linear approximation, with correlation $2^{-21.41}$, was derived as
     FSM: $\Gamma \cdot f_t \oplus \Gamma \cdot f_{t+1} \oplus \Gamma \cdot s_{t+10} \oplus \Gamma \cdot s_{t+2} = 0$
     Serpent1: $\Gamma \cdot f_t \oplus \Gamma \cdot f_{t+1} \oplus \Gamma \cdot (s_t \oplus z_t) \oplus \Gamma \cdot (s_{t+3} \oplus z_{t+3}) = 0$
  • Using this approximation, a correlation attack was applied, similar to the attack on the Grain stream cipher.
  • The complexity of the attack was estimated at around $2^{140.5}$ data, $2^{148}$ computing time and $2^{147}$ memory.

  7. Motivation of Our Work
  • We may obtain better approximations if we use different masks for the FSM and Serpent1.
  • We may reduce the data complexity of the attack by using multiple linear approximations with equal correlations.

  8. LFSR and Linear Approximations
  1. The linear recurrence of SOSEMANUK is expressed as
     $$\begin{pmatrix} s'_0 \\ s'_1 \\ \vdots \\ s'_9 \end{pmatrix} = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ b_0 & b_1 & b_2 & \cdots & b_9 \end{pmatrix} \begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_9 \end{pmatrix}$$
     Since $s_{t+10} = s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t$, we get $(b_0\ b_1 \cdots b_9) = (\alpha\ 0\ 0\ \alpha^{-1}\ 0 \cdots 1)$, where $s_i, b_i, \alpha \in GF(2^{32})$.
  2. We can simply denote $S_{t+1} = A S_t$. Then $S_t = A^t S_0$.
  3. A linear approximation $U \cdot S_t \oplus W \cdot Z_t = 0$ is expressed as $U \cdot A^t S_0 \oplus W \cdot Z_t = 0$, $t > 0$. Note that $U = (u_0\ u_1 \cdots u_9)$ and $U \cdot S_t = u_0 \cdot s_t \oplus \cdots \oplus u_9 \cdot s_{t+9}$, where $u_i \in GF(2^{32})$. Similarly for $W \cdot Z_t$.

  9. Naive Attack
  1. Assume $U \cdot S_t \oplus W \cdot Z_t = 0$ has correlation $c_{sose}$.
  2. Observe $N$ keystream outputs. Then we obtain
     $$\begin{pmatrix} U \cdot A S_0 \\ U \cdot A^2 S_0 \\ \vdots \\ U \cdot A^N S_0 \end{pmatrix} \oplus \begin{pmatrix} W \cdot Z_1 \\ W \cdot Z_2 \\ \vdots \\ W \cdot Z_N \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix}$$
     where $S_0 = (s_0\ s_1 \cdots s_9)^T$.
  3. Guess $S_0$. For each candidate, compute $D$, defined as
     $$D = \frac{1}{N}\left(\#\{U \cdot A^t S_0 \oplus W \cdot Z_t = 0\} - \#\{U \cdot A^t S_0 \oplus W \cdot Z_t = 1\}\right).$$
     If the guessed $S_0$ is correct, $D$ is close to $c_{sose}$; otherwise $D$ is close to zero.

  10. Fast Walsh Transform and Complexity
  1. Assume $S_0 = (x_1\ x_2 \cdots x_l)$ and $U \cdot A^t = (a_{t1}\ a_{t2} \cdots a_{tl})$, where $x_i, a_{ti} \in \{0, 1\}$. Then
     $$\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1l} \\ a_{21} & a_{22} & \cdots & a_{2l} \\ \vdots & \vdots & & \vdots \\ a_{N1} & a_{N2} & \cdots & a_{Nl} \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_l \end{pmatrix} \oplus \begin{pmatrix} W \cdot Z_1 \\ W \cdot Z_2 \\ \vdots \\ W \cdot Z_N \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix}$$
  2. Since there are $2^l$ candidates for $S_0$, the complexity is around $N \times 2^l$.
  3. If the Fast Walsh Transform is used, the complexity is reduced to around $N + 2^l \log 2^l = N + l \times 2^l$.
  4. This is worse than exhaustive search over the state.

  11. Simple Example on Fast Walsh Transform
  Six observed approximations over three state bits, written as coefficient rows applied to $(x_1, x_2, x_3)^T$:
      1 0 0
      0 1 1
      1 0 1       (x_1)
      1 1 1   ×   (x_2)
      1 0 1       (x_3)
      0 0 1
  Counting each distinct coefficient row (count in parentheses) and evaluating the row's linear form on candidate states, e.g. the column headed $x_1 \oplus x_2$ gives the value when only $x_1$ and $x_2$ are set:
      row      count   x_1 ⊕ x_2   ...
      0 0 0    (0)     0
      1 0 0    (1)     1
      0 1 0    (0)     1
      1 1 0    (0)     0
      0 0 1    (1)     0
      1 0 1    (2)     1
      0 1 1    (1)     1
      1 1 1    (1)     0

  12. Reducing Time Complexity
  1. Let $\Omega_m = \{(x_1\ x_2 \ldots x_l) \mid x_i \in \{0,1\},\ x_{m+1} = \cdots = x_l = 0\}$ for $1 \le m \le l$. Clearly $|\Omega_m| = 2^m$.
  2. Among the $N$ approximations, take those $U \cdot A^t S_0 \oplus W \cdot Z_t = 0$ for which $U \cdot A^t S_0 \in \Omega_m$, i.e. only the first $m$ state bits are involved:
     $$\begin{pmatrix} U \cdot A^{\tau_1} S_0 \\ U \cdot A^{\tau_2} S_0 \\ \vdots \\ U \cdot A^{\tau_{N'}} S_0 \end{pmatrix} \oplus \begin{pmatrix} W \cdot Z_{\tau_1} \\ W \cdot Z_{\tau_2} \\ \vdots \\ W \cdot Z_{\tau_{N'}} \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix}$$
  3. The probability that such an approximation occurs is $2^m / 2^l$. Hence we obtain around $N' \approx N \times 2^m / 2^l$ 'good' approximations.
  4. By the Fast Walsh Transform, the time complexity is reduced to $N' + m \times 2^m$.

  13. Second LFSR Derivative Technique
  1. Used for the attack on Grain Version 0 by Berbain et al.
  2. Obtains more "good" approximations without further keystream observations.
  3. Perform pairwise combinations of the $N$ approximations as $(U \cdot A^i \oplus U \cdot A^j) S_0 \oplus (W \cdot Z_i \oplus W \cdot Z_j) = 0$, $1 \le i, j \le N$.
  4. Choose combined approximations such that $(U \cdot A^i S_0 \oplus U \cdot A^j S_0) \in \Omega_m$, with correlation $c_{sose}^2$.
  5. The number of approximations satisfying this condition is expected to be $N' = 2^{m-l} \binom{N}{2} \approx 2^{m-l} \times \frac{N^2}{2}$.

  14. Sorting and Combining
  1. A simple pairing requires $\binom{N}{2} \approx \frac{N^2}{2}$ operations.
  2. The number of operations can be reduced by applying the sorting-and-combining technique.
  3. First, the $N$ approximations are sorted according to the value of their $(l - m)$ state bits.
  4. Let the sorted approximations be $X_1, X_2, \ldots, X_N$. Then two consecutive approximations $X_i$ and $X_{i+1}$ are checked for whether their $(l - m)$ state bits are the same.
  5. If they are the same, we know $X_i \oplus X_{i+1} \in \Omega_m$.
  6. The fastest sorting algorithm takes $O(N \log N)$.
  7. Time complexity: $T = N \log N + m \times 2^m$.
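The Walsh-transform evaluation of $D$ (slides 10 and 11) and the sorting-and-combining step (slides 13 and 14), as an added Python example that is not from the slides or their author. It runs on constructed random approximations rather than real SOSEMANUK keystream, and the names `walsh_scores`, `sort_and_combine` and `simulate` are chosen here.

```python
import random


def walsh_scores(coeffs, rhs, nbits):
    """D(x) = (1/N)(#{a.x = b} - #{a.x != b}) for all x in {0,1}^nbits, via a counting table
    and an in-place fast Walsh-Hadamard transform (slide 10); rows are ints, bit i <-> x_{i+1}."""
    table = [0] * (1 << nbits)
    for a, b in zip(coeffs, rhs):
        table[a] += -1 if b else 1             # accumulate (-1)^b per distinct row
    step = 1
    while step < len(table):                   # butterflies: table[x] = sum_a table[a] (-1)^(a.x)
        for i in range(0, len(table), 2 * step):
            for j in range(i, i + step):
                u, v = table[j], table[j + step]
                table[j], table[j + step] = u + v, u - v
        step *= 2
    return [t / len(coeffs) for t in table]


def sort_and_combine(coeffs, rhs, m):
    """Second LFSR derivative by sorting (slides 13-14): sort rows by the bits above position m
    and XOR consecutive rows that agree there, so every combined row lies in Omega_m."""
    order = sorted(range(len(coeffs)), key=lambda t: coeffs[t] >> m)
    out_a, out_b = [], []
    for i, j in zip(order, order[1:]):
        if coeffs[i] >> m == coeffs[j] >> m:
            out_a.append(coeffs[i] ^ coeffs[j])  # high bits cancel
            out_b.append(rhs[i] ^ rhs[j])        # the pair's correlation is c^2
    return out_a, out_b


def simulate(nbits=16, m=8, n=20000, corr=0.3, seed=1):
    """Constructed stand-in: random rows play U.A^t, each rhs is a.x flipped with probability
    (1 - corr)/2. Returns (true low m state bits, recovered low m bits, combined row count)."""
    rng = random.Random(seed)
    secret = rng.getrandbits(nbits)
    coeffs = [rng.getrandbits(nbits) for _ in range(n)]
    rhs = [(bin(a & secret).count("1") & 1) ^ int(rng.random() < (1 - corr) / 2)
           for a in coeffs]
    red_a, red_b = sort_and_combine(coeffs, rhs, m)
    scores = walsh_scores(red_a, red_b, m)       # 2^m candidates instead of 2^nbits
    guess = max(range(1 << m), key=lambda x: scores[x])
    return secret & ((1 << m) - 1), guess, len(red_a)


if __name__ == "__main__":
    true_low, guess, n_red = simulate()
    print(f"combined rows: {n_red}, true low bits: {true_low:#x}, recovered: {guess:#x}")
```

With the slide-11 rows encoded as integers (bit 0 = $x_1$), `walsh_scores([1, 6, 5, 7, 5, 4], [0] * 6, 3)` returns $D$ for all eight candidates at once; entry 3 is the candidate $(1, 1, 0)$ of the table above.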

  15. Linear Approximations of the FSM
  1. Using five masks $(\Gamma_1, \Gamma_2, \Gamma_3, \Gamma_4, \Gamma_5)$, together with the intermediate masks $\Phi$ and $\Lambda$, we get
     $\Gamma_2 \cdot R2_{t+1} = \Phi \cdot R1_t$
     $\Lambda \cdot R1_{t+1} = \Gamma_1 \cdot R2_t \oplus \Gamma_4 \cdot (s_{t+2} \oplus r_t s_{t+9})$
     $\Gamma_1 \cdot f_t = \Gamma_3 \cdot s_{t+9} \oplus \Phi \cdot R1_t \oplus \Gamma_1 \cdot R2_t$
     $\Gamma_2 \cdot f_{t+1} = \Gamma_5 \cdot s_{t+10} \oplus \Lambda \cdot R1_{t+1} \oplus \Gamma_2 \cdot R2_{t+1}$
  2. By combining the above approximations, $\Gamma_1 \cdot f_t \oplus \Gamma_2 \cdot f_{t+1} = \Gamma_3 \cdot s_{t+9} \oplus \Gamma_5 \cdot s_{t+10} \oplus \Gamma_4 \cdot (s_{t+2} \oplus r_t s_{t+9})$.
  3. The correlation is $c_{FSM} = c_{TransPlus} \times c_{PlusPlus}$, where
     $$c_{TransPlus} = \sum_{\Phi=1}^{2^{32}-1} c_{+}(\Gamma_3, \Phi; \Gamma_1)\, c_{Trans}(\Phi; \Gamma_2), \qquad c_{PlusPlus} = \frac{1}{2} \sum_{\Lambda=1}^{2^{32}-1} c_{+}(\Gamma_1, \Gamma_4; \Lambda)\, c_{+}(\Gamma_5, \Lambda; \Gamma_2).$$
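The combination step written out (an added worked step, not on the slide): XOR the four approximations of slide 15,
$$\begin{aligned}
&(\Gamma_2 \cdot R2_{t+1} \oplus \Phi \cdot R1_t) \oplus \big(\Lambda \cdot R1_{t+1} \oplus \Gamma_1 \cdot R2_t \oplus \Gamma_4 \cdot (s_{t+2} \oplus r_t s_{t+9})\big) \\
&\quad \oplus (\Gamma_1 \cdot f_t \oplus \Gamma_3 \cdot s_{t+9} \oplus \Phi \cdot R1_t \oplus \Gamma_1 \cdot R2_t) \oplus (\Gamma_2 \cdot f_{t+1} \oplus \Gamma_5 \cdot s_{t+10} \oplus \Lambda \cdot R1_{t+1} \oplus \Gamma_2 \cdot R2_{t+1}) = 0 .
\end{aligned}$$
The register terms $\Phi \cdot R1_t$, $\Gamma_1 \cdot R2_t$, $\Lambda \cdot R1_{t+1}$ and $\Gamma_2 \cdot R2_{t+1}$ each occur twice and cancel, leaving
$$\Gamma_1 \cdot f_t \oplus \Gamma_2 \cdot f_{t+1} \oplus \Gamma_3 \cdot s_{t+9} \oplus \Gamma_5 \cdot s_{t+10} \oplus \Gamma_4 \cdot (s_{t+2} \oplus r_t s_{t+9}) = 0 ,$$
which involves only FSM outputs and LFSR words. The intermediate masks $\Phi$ and $\Lambda$ do not appear in the final relation, which is why $c_{TransPlus}$ and $c_{PlusPlus}$ sum over all $2^{32}-1$ nonzero values of $\Phi$ and $\Lambda$ respectively.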

  16. Linear Masking of the FSM (figure: the masks $\Gamma_1$ to $\Gamma_5$, $\Phi$ and $\Lambda$ placed on the two-step FSM diagram, with inputs $s_{t+9}$, $R1_t$, $R2_t$, $s_{t+2} \oplus r_t s_{t+9}$, $s_{t+10}$ and $s_{t+3} \oplus r_{t+1} s_{t+10}$, the two Trans boxes, and outputs $f_t$, $f_{t+1}$, $R1_{t+1}$, $R2_{t+1}$).
