Some cryptanalytic results on Stream ciphers with short internal states
Subhadeep Banik, EPF, Lausanne
Invited Talk to ASK 2019, 14th December 2019
Outline
• Introduction
• Sprout (FSE15)
• Previous Work
• Attack by Esgin/Kara (SAC 2015)
• Distinguishing Attack
• State Recovery Attack
• After Sprout
• Attack on Plantlet
Subhadeep Banik, Some cryptanalytic results on Stream ciphers with short internal states, 13.12.2019
Introduction: The Stream Cipher Sprout
• Biryukov, Shamir [Asiacrypt 2001]: state size must be 1.5 to 2 times the size of the secret key.
• Radical departure: Sprout by Armknecht and Mikhalev in FSE 2015.
→ State size equal to the size of the secret key.
→ Avoids generic TMD tradeoff attacks due to key mixing in the state update.
• Grain-like structure: LFSR and NFSR of size 40 bits each.
• Much smaller in area than any known stream cipher.
Introduction: State twice the size of Secret Key (Biryukov, Shamir [Asiacrypt 2001])
• Let $N$ denote the size of the set of internal states.
• $f$ denotes the function mapping state to keystream.
[Figure: Key and IV are mixed into state $S_1$; the invertible update $g(\cdot)$ gives $S_2, S_3, \ldots, S_D$; the one-way map $f(\cdot)$ gives keystream $Z_1, \ldots, Z_D$, which is XORed with $M_1, \ldots, M_D$ to produce $C_1, \ldots, C_D$.]
Introduction: State twice the size of Secret Key (Biryukov, Shamir [Asiacrypt 2001])
• Randomly choose $m$ initial states and form a function chain.
• $f$ is the function that maps state to keystream segment.
[Figure: $m$ chains, each of length $t$, built by repeated application of $f$.]
Introduction: State twice the size of Secret Key (Biryukov, Shamir [Asiacrypt 2001])
• Construct some tables to cover a fixed fraction of the state space.
• Online stage: for every successive keystream segment, see if it is present in one of the tables.
Introduction: State twice the size of Secret Key (Biryukov, Shamir [Asiacrypt 2001])
• Total complexity $T$, memory $M$, data $D$, state space $N$, offline complexity $P$.
• Get the tradeoff curve $TM^2D^2 = N^2$, with the limitation that $T \geq D^2$.
Introduction: State twice the size of Secret Key (Biryukov, Shamir [Asiacrypt 2001])
• Typical point on the curve is $T = N^{2/3}$, $M = N^{1/3}$, $D = N^{1/3}$, $P = N^{2/3}$.
• If $N = K$ this is a valid attack. Rule of thumb is $N = K^2$.
Introduction: Structure
[Figure: Sprout structure. Key bits $k_0, k_1, \ldots, k_{79}$ feed the Round Key Function, whose output $k^*_t$ enters the NFSR feedback $g$ together with the counter; $f$ is the LFSR feedback and $h$ the output function, with tap counts annotated on each function; during the initialization phase the output bit is fed back into both registers.]
Introduction: One-way, inversion not possible without the key
[Figure: the chain of the previous figure, now with key-dependent state update $g(\cdot, \mathrm{Key})$ and output map $f(\cdot, \mathrm{Key})$; Key and IV are mixed into $S_1$, the chain runs $S_1, S_2, S_3, \ldots, S_D$, and keystream $Z_1, \ldots, Z_D$ is XORed with $M_1, \ldots, M_D$ to give $C_1, \ldots, C_D$.]
Sprout (FSE15): Algebraic Description
• Uses an 80 bit Key and a 70 bit IV.
• Initialization: IV[0 to 39] → NFSR, IV[40 to 69] || 0x3fe → LFSR.
• Key-IV mixing: clock 320 cycles without producing keystream.
→ XOR $z_t$ into the update functions of NFSR and LFSR.
• Keystream: after 320 cycles, discontinue the feedback and produce keystream bits.
Sprout (FSE15): Algebraic Description
• Update of LFSR: $l_{t+40} = f(L_t) = l_t + l_{t+5} + l_{t+15} + l_{t+20} + l_{t+25} + l_{t+34}$.
• Update of NFSR: $n_{t+40} = g(N_t) + c_4^t + k^*_t + l_t$
→ $c_4^t$ denotes the 4th LSB of the modulo 80 up-counter.
→ $k^*_t$ is the output of the Round Key function defined as:
  $k^*_t = K_{t \bmod 80}$ if $t < 80$, and
  $k^*_t = K_{t \bmod 80} \cdot (l_{t+4} + l_{t+21} + l_{t+37} + n_{t+9} + n_{t+20} + n_{t+29})$ otherwise.
→ The non-linear function $g$ is given as:
  $g(N_t) = n_{t} + n_{t+13} + n_{t+19} + n_{t+35} + n_{t+39} + n_{t+2} n_{t+25} + n_{t+3} n_{t+5} + n_{t+7} n_{t+8} + n_{t+14} n_{t+21} + n_{t+16} n_{t+18} + n_{t+22} n_{t+24} + n_{t+26} n_{t+32} + n_{t+33} n_{t+36} n_{t+37} n_{t+38} + n_{t+10} n_{t+11} n_{t+12} + n_{t+27} n_{t+30} n_{t+31}$.
Sprout (FSE15): Algebraic Description
• Keystream bit is produced as
  $z_t = l_{t+30} + \sum_{i \in A} n_{t+i} + h(N_t, L_t)$.
→ $A = \{1, 6, 15, 17, 23, 28, 34\}$
→ $h(N_t, L_t) = n_{t+4} l_{t+6} + l_{t+8} l_{t+10} + l_{t+32} l_{t+17} + l_{t+19} l_{t+23} + n_{t+4} l_{t+32} n_{t+38}$.
Previous Work: Known Attacks
• Related Key Distinguisher: Yonglin Hao [eprint 2015/231]
• Partial State Exposure: Maitra et al. [eprint 2015/236]
→ Guess 54 bits of the state.
→ Remaining bits of the state and the Key are found by solving the keystream equations in a SAT solver.
• Guess and Determine: Lallemand and Naya-Plasencia [CRYPTO 2015]
→ Faster than brute force by $2^{10}$, takes $2^{46}$ bits of memory.
Attack by Esgin/Kara (SAC 2015): Offline Phase
• Note that the key mixing function is non-linear:
  $k^*_t = K_{t \bmod 80} \cdot (l_{t+4} + l_{t+21} + l_{t+37} + n_{t+9} + n_{t+20} + n_{t+29})$
• Enumerate the class of states for which $l_{t+4} + l_{t+21} + l_{t+37} + n_{t+9} + n_{t+20} + n_{t+29} = 0$ for $t = 0, 1, \ldots, 39$.
[Figure: for such a state $S_t$, $\ell_{t+4+i} + \ell_{t+21+i} + \ell_{t+37+i} + n_{t+9+i} + n_{t+20+i} + n_{t+29+i} = 0$ for all $i = 0$ to $39$, so $S_{t+40} = F(S_t)$ with $F$ independent of the key; tabulate $S_t$, $Z_t$ and $S_{t+40}$.]
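As an added example (not code from the talk or from the Sprout designers), the following Python model implements Sprout's keystream mode from the update and output functions on the two algebraic-description slides, and uses it to check the Esgin/Kara weak-state condition and to show how the key reaches the 40-clock transition only through $k^*_t$. Assumptions: registers are bit lists with the oldest bit first, keystream-mode clocking starts at $t = 320$, $c_4^t$ is taken as bit 4 of the counter value $t \bmod 80$, and the initialization phase is not modelled.

```python
# Sprout keystream mode from the slides' algebraic description (added example, not the designers' code); registers are bit lists, oldest bit first.

def lfsr_fb(l):  # l_{t+40} = f(L_t)
    return l[0] ^ l[5] ^ l[15] ^ l[20] ^ l[25] ^ l[34]

def g(n):  # nonlinear NFSR feedback ('&' binds tighter than '^' in Python)
    return (n[0] ^ n[13] ^ n[19] ^ n[35] ^ n[39] ^ n[2] & n[25] ^ n[3] & n[5]
            ^ n[7] & n[8] ^ n[14] & n[21] ^ n[16] & n[18] ^ n[22] & n[24]
            ^ n[26] & n[32] ^ n[33] & n[36] & n[37] & n[38]
            ^ n[10] & n[11] & n[12] ^ n[27] & n[30] & n[31])

def keystream_bit(n, l):  # z_t = l_{t+30} + sum_{i in A} n_{t+i} + h(N_t, L_t)
    h = n[4] & l[6] ^ l[8] & l[10] ^ l[32] & l[17] ^ l[19] & l[23] ^ n[4] & l[32] & n[38]
    return l[30] ^ h ^ n[1] ^ n[6] ^ n[15] ^ n[17] ^ n[23] ^ n[28] ^ n[34]

def key_form(n, l):  # the linear form that multiplies the key bit once t >= 80
    return l[4] ^ l[21] ^ l[37] ^ n[9] ^ n[20] ^ n[29]

def clock(n, l, key, t):  # one clock at time t >= 80 -> (n', l', z_t, form_t)
    form = key_form(n, l)
    c4 = (t % 80 >> 4) & 1  # c_4^t: bit 4 of the modulo-80 counter (bit numbering assumed)
    n2 = n[1:] + [g(n) ^ c4 ^ (key[t % 80] & form) ^ l[0]]
    return n2, l[1:] + [lfsr_fb(l)], keystream_bit(n, l), form

def run(n, l, key, t0=320, clocks=40):  # -> final n, final l, keystream bits, form bits
    zs, forms = [], []
    for t in range(t0, t0 + clocks):
        n, l, z, f = clock(n, l, key, t); zs.append(z); forms.append(f)
    return n, l, zs, forms

def is_weak_state(n, l, t0=320):
    # Esgin/Kara class: form_t = 0 for 40 consecutive clocks, so k*_t vanishes and both
    # S_{t+40} = F(S_t) and the 40 keystream bits come out the same for every key.
    return not any(run(n, l, [0] * 80, t0)[3])  # zero key is harmless: k*_t = 0 anyway

def first_divergence(n, l, k1, k2, t0=320, clocks=40):
    # Clock one state under two keys; first clock whose NFSR feedback differs, else None.
    s1, s2 = (n, l), (n, l)
    for i, t in enumerate(range(t0, t0 + clocks)):
        s1, s2 = clock(*s1, k1, t)[:2], clock(*s2, k2, t)[:2]
        if s1 != s2:
            return i
    return None

def predicted_divergence(n, l, k1, k2, t0=320, clocks=40):
    # Same answer from one run: the key enters only as K[t mod 80] * form_t, so the states
    # first differ at the first clock with form_t = 1 and differing key bits.
    forms = run(n, l, k1, t0, clocks)[3]
    hits = [i for i, f in enumerate(forms) if f and k1[(t0 + i) % 80] != k2[(t0 + i) % 80]]
    return hits[0] if hits else None
```

For a state in the Esgin/Kara class, first_divergence returns None for every pair of keys because all 40 forms are zero; for a random state it returns the first clock at which a key bit actually reaches the register, which is why the class is a $2^{-40}$ fraction of the state space rather than something a random search will hit.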
Attack by Esgin/Kara (SAC 2015): Online stage
• For every keystream segment, try to match it in the table. Three cases:
  1. Does not exist in the table.
  2. Exists in the table, but not produced by a weak state.
  3. Exists in the table, and produced by a weak state.
• If a match exists: from knowledge of the keystream and the state, find the secret key.
• Use the SAT method for this.
• The time complexity is practical: $2^{33}$ encryptions.
Distinguishing Attack: Sliding Key-IV pairs
Idea
• Fix the secret key $K$ and experiment with random states $S_0$.
• $2^{20}$ trials to satisfy both requirements
→ $(K, IV_1)$ and $(K, IV_2)$ are slid pairs.
Distinguishing Attack: Sliding Key-IV pairs
Idea
• $2^{80}$ possible choices of $S_0$ → for every $K$ we have $2^{60}$ such IV pairs.
• Define a graph $G = (V, E)$ such that $(IV_1, IV_2) \in E$ iff $(K, IV_1)$ and $(K, IV_2)$ are slid pairs.
• So we have $|E| = 2^{60}$.
[Figure: graph of IVs under a fixed secret key $K$, with an edge joining $IV_1$ and $IV_2$.]
Distinguishing Attack: Distinguisher
Attack
• For any $K$, get keystream from random IVs until we get one pair that slides.
• How many random trials are necessary?
• By the birthday rule, $N$ IV trials give exactly $\binom{N}{2}$ edges to test:
  $\binom{N}{2} \cdot 2^{60} = \binom{2^{70}}{2} \Rightarrow N \approx 2^{40}$, and $2^{48}$ bits of memory.