On the Security of IV Dependent Stream Ciphers
Côme Berbain and Henri Gilbert
France Telecom R&D, {firstname.lastname@orange-ftgroup.com}
research & development
Stream Ciphers
• IV-less: key K → number generator → keystream; ciphertext = plaintext ⊕ keystream
  - e.g. RC4, Shrinking Generator
  - well founded theory [S81, Y82, BM84]
  - practical limitations: no reuse of K, synchronisation
• IV-dependent: key K and IV (initial value) → generator → keystream; ciphertext = plaintext ⊕ keystream
  - e.g. SNOW, Scream, eSTREAM ciphers
  - less unanimously agreed theory; prior work [RC94, HN01, Z06]
  - numerous chosen IV attacks
  - key and IV setup not well understood
IV setup – H. Gilbert (2) Orange Group research & developement
Outline
• security requirements on IV-dependent stream ciphers
  - whole cipher
  - key and IV setup
• key and IV setup constructions satisfying these requirements
  - blockcipher based
  - tree based
• application example: QUAD
  - incorporate key and IV setup in QUAD's provable security argument
Security in IV-less case: PRNG notion
• Setting: the generator g is given a key $K \in_R \{0,1\}^m$ and outputs $g(K) \in \{0,1\}^L$; a truly random number $Z \in_R \{0,1\}^L$ is the alternative. The adversary A receives one input (either $g(K)$ or $Z$) and outputs 0 or 1.
• A tests number distributions:
  $\mathrm{Adv}^{\mathrm{PRNG}}_g(A) = \Pr_K[A(g(K)) = 1] - \Pr_Z[A(Z) = 1]$
  $\mathrm{Adv}^{\mathrm{PRNG}}_g(t) = \max_{A,\ T(A) \le t} \mathrm{Adv}^{\mathrm{PRNG}}_g(A)$
• g is a secure cipher ⇔ g is a PRNG ⇔ $\mathrm{Adv}^{\mathrm{PRNG}}_g(2^{80}) \ll 1$
Security in IV-dependent case: PRF notion
• Setting: the stream cipher defines a family of functions $G = \{g_K\}$, each $g_K$ mapping $IV \in \{0,1\}^n$ to a keystream; the alternative is a perfect random function $g^*$. The adversary A makes q oracle queries to either $g_K$ (K random) or $g^*$ and outputs 0 or 1.
• A tests function distributions:
  $\mathrm{Adv}^{\mathrm{PRF}}_G(A) = \Pr_K[A^{g_K} = 1] - \Pr_{g^*}[A^{g^*} = 1]$
  $\mathrm{Adv}^{\mathrm{PRF}}_G(t,q) = \max_{A} \mathrm{Adv}^{\mathrm{PRF}}_G(A)$ (A running in time at most t and making at most q queries)
• G is a secure cipher ⇔ G is a PRF ⇔ $\mathrm{Adv}^{\mathrm{PRF}}_G(2^{80}, 2^{40}) \ll 1$
Structure of the stream ciphers considered here
• key K and IV (n bits) → key & IV setup → initial state (m bits)
• initial state → keystream generation → keystream (L bits)
• typical keystream generation (KG) structure: a state transition function and an output function, iterated λ times
Security: sufficient conditions
• key & IV setup $F = \{f_K\}$ (IV → initial state) is a PRF
• keystream generation g (initial state → keystream) is a PRNG
⇒ the whole cipher $G = \{g \circ f_K\}$ (IV → keystream) is a PRF
[informally]: the key & IV setup is a PRF and the keystream generator is a PRNG ⇒ the whole stream cipher is secure
This is due to a simple composition theorem
• Composition of $\{f_K\}$ and g: function family $F = \{f_K\}$ followed by the number generator g (computation time $T_g$) ≡ function family $G = \{g \circ f_K\}$
• Composition Theorem:
  $\mathrm{Adv}^{\mathrm{PRF}}_G(t,q) \le \mathrm{Adv}^{\mathrm{PRF}}_F(t',q) + q\,\mathrm{Adv}^{\mathrm{PRNG}}_g(t')$, where $t' = t + q\,T_g$
Key & IV setup = PRF is "almost" a necessary condition
• $F = \{f_K\}$ (key and IV setup, time $T_{K\&IV}$) maps the IV (n bits) to the initial state (m bits); g (keystream generation, time $T_{KG}$) then produces the m first keystream bits
• The composition IV → m first keystream bits must itself be an n-bit to m-bit PRF, hence $T_{K\&IV} + T_{KG} \ge T_{PRF}$ (where $T_{PRF}$ is the time needed by the fastest n-bit to m-bit PRF)
• For a fast cipher, $T_{KG}$ is small, so $T_{K\&IV}$ cannot be much lower than $T_{PRF}$
Key & IV setup: candidate PRF constructions
• Block cipher based (not detailed here)
  - Examples: LEX (based on AES), Sosemanuk (based on Serpent)
  - Pros: more conservative than many existing constructions
  - Cons: heterogeneous construction ⇒ increased implementation complexity (except for LEX)
• Tree based (detailed in the sequel)
  - Example: QUAD
  - Conducting idea: re-use essentially the same PRNG as in the keystream generation
  - Pros: low implementation complexity
  - Cons: relatively slow
Tree based construction [GGM86]: an m-bit to 2m-bit PRNG f ⇒ an n-bit to m-bit PRF $F = \{f_y\}$
• y (m bits) is the parameter, $x = x_1 \ldots x_n$ the input
• start from y; for each input bit $x_i$ compute f of the current m-bit value (2m bits) and keep the left half if $x_i = 0$, the right half if $x_i = 1$
• after the n steps the current m-bit value is $f_y(x)$
• Theorem [≈ GGM86]: $\mathrm{Adv}^{\mathrm{PRF}}_F(t,q) \le n\,q\,\mathrm{Adv}^{\mathrm{PRNG}}_f(t')$, where $t' = t + q(n+1)T_f$
Tree based key & IV setup: a truncated IV-less cipher as the PRNG f
• f: from an m-bit state, run the IV-less cipher to produce a 2m-bit sequence
• key and IV setup: start from the state K; for each IV bit $IV_i$ ($i = 1, \ldots, n$) apply f and keep the left half if $IV_i = 0$, the right half if $IV_i = 1$; the final m-bit value is $f_K(IV)$
• Is this practical?
  - Cons: relatively slow. If |IV| = 80 bits and |state| = 160 bits, key & IV setup ≡ generation of 3200 keystream bytes
  - Pros: very low extra implementation complexity in hardware
The Stream Cipher QUAD [BGP06]
• Based on the multivariate quadratic problem (MQ): given a system of m quadratic equations in n variables over GF(q),
  $Q_k(x_1, \ldots, x_n) = \sum_{i \le j} \alpha^k_{i,j}\, x_i x_j + \sum_{i} \beta^k_i\, x_i + \gamma^k = y_k, \quad k = 1, \ldots, m$
  find a solution (if any) $(x_1, \ldots, x_n) \in GF(q)^n$
• NP hard even over GF(2)
• best solving algorithms so far are exponential [Faugère, Bardet]
• QUAD iterates a fixed quadratic function S on the internal state and outputs keystream at each iteration
QUAD: keystream generation
• internal state: $x = (x_1, \ldots, x_n) \in GF(q)^n$ (n bits when q = 2)
• fixed public quadratic function S: n variables, m = tn equations (typically 2n equations)
• recommended parameters: q = 2, n = 160 bits, t = 2
Security argument for the keystream generation
• Keystream generation, GF(2) case: initial state (n bits) → number generator g (λ iterations of S) → keystream (L bits)
• Th [BGP06]: in the GF(2) case, if there exists a distinguisher for g allowing to distinguish a sequence of $L = \lambda(t-1)n$ keystream bits associated with a random quadratic system S and a random initial state value x in time T with advantage ε, then there is an MQ solver that solves a random instance of MQ in time $T' \cong O\!\left(\dfrac{n\,\lambda^2\,T}{\varepsilon^2}\right)$ with probability $\varepsilon' \cong \dfrac{\varepsilon}{2^3\lambda}$
• Example of application: q = 2, n = 350 bits, t = 2, $L = 2^{40}$, $T = 2^{80}$, ε = 1% (no such concrete reduction for the recommended value n = 160)
QUAD: Key and IV Setup
• uses two public quadratic functions $S_0$ and $S_1$ of n equations in n variables each
• set x with the key K
• for each IV bit $IV_i$ (tree based construction):
  - if $IV_i = 0$ then update x with $S_0(x)$
  - if $IV_i = 1$ then update x with $S_1(x)$
• runup: clock the cipher n times without outputting the keystream
• typical key and IV lengths: 160 bits each
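The key & IV setup above, followed by the keystream generation of the previous slides, as an added toy implementation over GF(2) (not the authors' or the QUAD reference code). It assumes a constructed toy state size n = 16 instead of the recommended 160, t = 2, and public systems S, S0, S1 derived from constructed fixed seeds; the naive polynomial evaluation is there to make the GGM-style tree walk and the run-up explicit, not to be fast.

```python
# Added example, not QUAD's own code. N = 16 and the seeds below are
# constructed toy values (recommended QUAD: q = 2, n = 160, t = 2).
import random
N = 16  # toy internal-state size in bits; NOT a secure parameter

def random_quadratic_system(seed, n_eq, n_var):
    """n_eq random quadratic polynomials over GF(2): (quad a_ij for i<=j, linear b_i, constant c)."""
    rng = random.Random(seed)
    system = []
    for _ in range(n_eq):
        quad = {(i, j): rng.getrandbits(1) for i in range(n_var) for j in range(i, n_var)}
        lin = [rng.getrandbits(1) for _ in range(n_var)]
        system.append((quad, lin, rng.getrandbits(1)))
    return system

def evaluate(system, x):
    """Evaluate every polynomial of the system at the bit vector x (list of 0/1) over GF(2)."""
    out = []
    for quad, lin, const in system:
        acc = const
        for (i, j), a in quad.items():
            acc ^= a & x[i] & x[j]
        for i, b in enumerate(lin):
            acc ^= b & x[i]
        out.append(acc)
    return out

# S: t = 2, i.e. 2n equations in n variables; S0, S1: n equations in n variables each
S = random_quadratic_system(1, 2 * N, N)
S0 = random_quadratic_system(2, N, N)
S1 = random_quadratic_system(3, N, N)

def key_iv_setup(key, iv):
    """x = K; tree walk (S0 for IV bit 0, S1 for bit 1); run-up of n clocks discarding output."""
    x = list(key)
    for bit in iv:
        x = evaluate(S1 if bit else S0, x)
    for _ in range(N):
        x = evaluate(S, x)[:N]
    return x

def keystream(key, iv, length):
    """Each clock: S(x) gives 2n bits, first n = next state, last n = keystream output."""
    x, out = key_iv_setup(key, iv), []
    while len(out) < length:
        y = evaluate(S, x)
        x, out = y[:N], out + y[N:]
    return out[:length]
```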
Extending the proof to the whole cipher
• Whole cipher, GF(2) case: IV (n bits) → function family $G = \{g \circ f_K\}$ → keystream (L bits), with t = 2 and $\lambda = (L + 2n)/n$ iterations of S in total
• Th: in the GF(2) case, if there exists a (T, q) PRF-distinguisher for the family G of IV to keystream functions associated with a random key and a random quadratic system S with PRF-advantage ε, then there is an MQ solver that solves a random instance of MQ in time $T' \cong O\!\left(\dfrac{n\,\lambda^2\,q^2\,T}{\varepsilon^2}\right)$ with probability at least $\varepsilon' \cong \dfrac{\varepsilon}{2^3\lambda q}$
• Example of application: q = 2, n = 760 bits, t = 2, $L = 2^{40}$, $T = 2^{80}$, ε = 1%
Conclusions
• Requirements: a PRF is needed
• Conservative IV setup
  - seems demanding w.r.t. computational complexity
  - is not demanding w.r.t. implementation complexity
• "Provable security" can be extended to IV-dependent stream ciphers