Security and Implementation Properties of ABC v.2
Vladimir Anashin †, Andrey Bogdanov ‡ (1), Ilya Kizhvatov † (2)
† Russian State University for the Humanities, Moscow, Russia
‡ escrypt GmbH – Embedded Security, Bochum, Germany
SASC 2006, Leuven, Belgium
(1) Partially supported by Ruhr-Universität Bochum
(2) Partially supported by the ECRYPT stipend
V. Anashin, A. Bogdanov, I. Kizhvatov, http://crypto.rsuh.ru, ABC v.2 Security and Implementation, slide 1/15
Outline (slide 2/15)
◮ ABC v.2: Status; Tweaks
◮ Security: Keystream Properties; Attacks and Remedies
◮ Scalability
◮ Performance
Status: the status of the cipher (slide 3/15)
◮ Originally submitted to eSTREAM → ABC v.1
◮ Attacked (Berbain, Gilbert, Khazaei; July 2005)
◮ Tweaks → ABC v.2
Tweaks and their effects (slide 4/15)
[Figure: block diagram of ABC v.2. Key and IV feed the 128-bit LFSR A, whose state is z = (z̄3, z̄2, z̄1, z̄0); the state word x is updated through B as x ← B(x) + z̄3; the keystream word is y = C(x) + z̄0, added to the plain text stream to give the cipher text stream. Width labels 64 and 128 appear near the C block.]
Tweaks
◮ 128-bit LFSR A
◮ Faster transform B
◮ Adjusted setup procedures
Effects
◮ Longer keystream period
◮ Larger secret state
◮ Negligible performance overhead
Result: elimination of the known attacks
Proven keystream properties (slide 5/15)
◮ The length $P$ of the shortest period of 32-bit words: $P = 2^{32} \cdot (2^{127} - 1)$
◮ Uniform distribution of 32-bit words: $\left| \frac{\#\{\text{occurrences of a given word}\}}{P} - \frac{1}{2^{32}} \right| < \frac{1}{\sqrt{P}}$
◮ High linear complexity $\lambda$: $2^{31} \cdot (2^{127} - 1) + 1 \geq \lambda \geq 2^{31} + 1$
Attacks and remedies (slide 6/15)
Attack on ABC v.1
◮ Divide and conquer (Berbain, Gilbert; Khazaei): non-bijective C → biased output → guessing the LFSR state → attack possibility
Remedies
◮ Bijective C: distinguishing the right guess becomes impossible
◮ 128-bit LFSR: attack complexity exceeds $2^{128}$
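The uniformity bound on slide 5 and the "bijective C" remedy on slide 6 rest on the same fact: a bijection applied to uniformly distributed words leaves them uniformly distributed, whereas a many-to-one map leaves some output values unreachable and so biases the stream. The following script, an added example and not code from the ABC v.2 authors or the eSTREAM submission, shows this at an 8-bit toy scale: it pushes an exactly uniform word stream through a constructed invertible map and a constructed many-to-one map (neither is ABC's real B or C, and the z̄0 addition of the slides is omitted) and evaluates the slides' criterion, max over values of |count/P − 1/2^n| < 1/√P, on each result. The 8-bit width, the two maps and the sample length are assumptions chosen for illustration.

```python
"""Added example (not code from the ABC v.2 authors or the eSTREAM submission).

Toy-scale illustration of two points from the SASC 2006 slides:
  * the uniformity criterion |count(v)/P - 1/2^n| < 1/sqrt(P), and
  * why a bijective output map cannot bias a uniform word stream while a
    many-to-one map can.
The maps below are constructed for this example and are not ABC's B or C.
"""
from collections import Counter
from math import sqrt

N_BITS = 8                    # toy word size (the real cipher uses 32-bit words)
MASK = (1 << N_BITS) - 1
SAMPLE_LEN = 1 << 17          # P for the toy stream; see usage note on why 2^17


def bijective_c(x: int) -> int:
    """Constructed invertible map on N_BITS-bit words.

    Multiplication by an odd constant is invertible mod 2^n, and y -> y ^ (y << 3)
    is an invertible GF(2)-linear map (identity plus a nilpotent shift), so the
    composition is a permutation of the 2^n word values.
    """
    y = (x * 0x9D) & MASK
    return y ^ ((y << 3) & MASK)


def non_bijective_c(x: int) -> int:
    """Constructed many-to-one map: x*(x+1) mod 2^n.

    It sends x and (2^n - 1 - x) to the same value, so at least half of all
    possible output words are never produced.
    """
    return (x * (x + 1)) & MASK


def is_bijection(f) -> bool:
    """Exhaustively check that f permutes the N_BITS-bit words."""
    return len({f(x) for x in range(1 << N_BITS)}) == (1 << N_BITS)


def uniform_input(length: int):
    """Exactly uniform input stream: each word value occurs length / 2^n times."""
    return [x & MASK for x in range(length)]


def output_words(f, length: int = SAMPLE_LEN):
    """Apply the output map f to the uniform input stream."""
    return [f(x) for x in uniform_input(length)]


def max_deviation(words) -> float:
    """max over v of |count(v)/P - 1/2^n|: the left-hand side of the slides' bound."""
    P = len(words)
    counts = Counter(words)
    expected = 1 / (1 << N_BITS)
    return max(abs(counts.get(v, 0) / P - expected) for v in range(1 << N_BITS))


def passes_uniformity_bound(words) -> bool:
    """The slides' criterion, max deviation < 1/sqrt(P), evaluated on the sample."""
    return max_deviation(words) < 1 / sqrt(len(words))


if __name__ == "__main__":
    for name, f in (("bijective", bijective_c), ("non-bijective", non_bijective_c)):
        ws = output_words(f)
        print(f"{name:14s} bijection={is_bijection(f)!s:5s} "
              f"max_dev={max_deviation(ws):.5f} bound={1 / sqrt(len(ws)):.5f} "
              f"passes={passes_uniformity_bound(ws)}")
```

The sample length matters: a missing output value contributes a deviation of exactly 1/2^n, and the criterion 1/√P only falls below that once P exceeds 2^(2n), which for the 8-bit toy means more than 65536 words (hence 2^17 above). For the cipher's own 32-bit words the proven period P = 2^32 · (2^127 − 1) is far beyond 2^64, so the slides' bound is a genuinely tight statement there.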