vectorized linear approximations for attacks on snow 3g
play

Vectorized linear approximations for attacks on SNOW 3G Jing Yang 1 - PowerPoint PPT Presentation

Dec 27, 2023 •132 likes •1.09k views

Vectorized linear approximations for attacks on SNOW 3G Jing Yang 1 Thomas Johansson 1 Alexander Maximov 2 1 Dept. of Electrical and Information Technology, Lund University 2 Ericsson Research, Lund, Sweden FSE 2020 November, 2020 Outline 1

  1. Vectorized linear approximations for attacks on SNOW 3G Jing Yang 1 Thomas Johansson 1 Alexander Maximov 2 1 Dept. of Electrical and Information Technology, Lund University 2 Ericsson Research, Lund, Sweden FSE ’2020 November, 2020

  2. Outline 1 Motivation 2 The SNOW 3G Cipher 3 Linear Cryptanalysis of SNOW 3G Linear Approximation of FSM Distinguishing Attack Correlation Attack 4 Conclusions 0 / 19

  3. Outline 1 Motivation 2 The SNOW 3G Cipher 3 Linear Cryptanalysis of SNOW 3G Linear Approximation of FSM Distinguishing Attack Correlation Attack 4 Conclusions 1 / 19

  4. Confidentiality and Integrity Protection in Cellular Networks ◮ Three standardized algorithms in LTE: SNOW 3G, AES, ZUC ◮ 128-bit security level 1 / 19

  5. Confidentiality and Integrity Protection in Cellular Networks ◮ Three standardized algorithms in LTE: SNOW 3G, AES, ZUC ◮ 128-bit security level ◮ 5G: 256-bit security algorithms 1 / 19

  6. Confidentiality and Integrity Protection in Cellular Networks ◮ Three standardized algorithms in LTE: SNOW 3G, AES, ZUC ◮ 128-bit security level ◮ 5G: 256-bit security algorithms ◮ One possible solution: reuse existing algorithms ◮ Security under the 256-bit key length should be investigated 1 / 19

  7. Confidentiality and Integrity Protection in Cellular Networks ◮ Three standardized algorithms in LTE: SNOW 3G, AES, ZUC ◮ 128-bit security level ◮ 5G: 256-bit security algorithms ◮ One possible solution: reuse existing algorithms ◮ Security under the 256-bit key length should be investigated ◮ Contribution : give linear cryptanalysis of SNOW 3G ◮ Distinguishing attack 2 172 ◮ Correlation attack 2 177 1 / 19

  8. Outline 1 Motivation 2 The SNOW 3G Cipher 3 Linear Cryptanalysis of SNOW 3G Linear Approximation of FSM Distinguishing Attack Correlation Attack 4 Conclusions 2 / 19

  9. SNOW 3G ◮ A stream cipher with a linear part and a non-linear part α -1 α LFSR s 15 s 11 s 5 s 2 s 1 s 0 FSM z (t) R 1 S 1 R 2 S 2 R 3 ◮ Linear part: linear feedback shift register (LFSR) ◮ Non-linear part : finite state machine (FSM) 2 / 19

  10. LFSR in SNOW 3G α -1 α s 15 s 11 s 5 s 2 s 1 s 0 ◮ Defined over GF (2 32 ) , 16 cells × 32 bits / cell = 512 bits 3 / 19

  11. LFSR in SNOW 3G α -1 α s 15 s 11 s 5 s 2 s 1 s 0 ◮ Defined over GF (2 32 ) , 16 cells × 32 bits / cell = 512 bits ◮ Feedback polynomial : P ( x ) = αx 16 + x 14 + α − 1 x 5 + 1 ∈ GF (2 32 )[ x ] ◮ α is a root of a polynomial in GF (2 8 )[ x ] 3 / 19

  12. LFSR in SNOW 3G α -1 α s 15 s 11 s 5 s 2 s 1 s 0 ◮ Defined over GF (2 32 ) , 16 cells × 32 bits / cell = 512 bits ◮ Feedback polynomial : P ( x ) = αx 16 + x 14 + α − 1 x 5 + 1 ∈ GF (2 32 )[ x ] ◮ α is a root of a polynomial in GF (2 8 )[ x ] ◮ LFSR update : s ( t +1) = s ( t ) i +1 (0 ≤ i ≤ 14) , i s ( t +1) = α − 1 s ( t ) 11 + s ( t ) 2 + αs ( t ) 0 . 15 3 / 19

  13. LFSR in SNOW 3G α -1 α s 15 s 11 s 5 s 2 s 1 s 0 ◮ Defined over GF (2 32 ) , 16 cells × 32 bits / cell = 512 bits ◮ Feedback polynomial : P ( x ) = αx 16 + x 14 + α − 1 x 5 + 1 ∈ GF (2 32 )[ x ] ◮ α is a root of a polynomial in GF (2 8 )[ x ] ◮ LFSR update : s ( t +1) = s ( t ) i +1 (0 ≤ i ≤ 14) , i s ( t +1) = α − 1 s ( t ) 11 + s ( t ) 2 + αs ( t ) 0 . 15 ◮ s ( t ) 15 , s ( t ) 5 , s ( t ) used to update FSM and generate keystream 0 3 / 19

  14. FSM in SNOW 3G ( t ) ( t ) s 15 s 5 ( t ) s 0 z ( t ) R 1 S 1 R 2 S 2 R 3 4 / 19

  15. FSM in SNOW 3G ( t ) ( t ) s 15 s 5 ( t ) s 0 z ( t ) R 1 S 1 R 2 S 2 R 3 ◮ Keystream block : z ( t ) = ( R 1 ( t ) ⊞ s ( t ) 15 ) ⊕ R 2 ( t ) ⊕ s ( t ) 0 4 / 19

  16. FSM in SNOW 3G ( t ) ( t ) s 15 s 5 ( t ) s 0 z ( t ) R 1 S 1 R 2 S 2 R 3 ◮ Keystream block : z ( t ) = ( R 1 ( t ) ⊞ s ( t ) 15 ) ⊕ R 2 ( t ) ⊕ s ( t ) 0 ◮ FSM update : R 1 ( t +1) = R 2 ( t ) ⊞ 32 ( R 3 ( t ) ⊕ s ( t ) 5 ) R 2 ( t +1) = S 1 ( R 1 ( t ) ) R 3 ( t +1) = S 2 ( R 2 ( t ) ) ◮ S 1 , S 2 are 32-to-32 S-transforms 4 / 19

  17. S-transforms in FSM w 0 Sbox r 0 MixColumn w 1 r 1 Sbox w 2 r 2 Sbox w 3 r 3 Sbox 5 / 19

  18. S-transforms in FSM w 0 Sbox r 0 MixColumn w 1 r 1 Sbox w 2 r 2 Sbox w 3 r 3 Sbox ◮ S 1 = L 1 · S R , S R is the AES S-box       r 0 x x + 1 1 1 S R ( w 0 ) r 1 1 x x + 1 1 S R ( w 1 )        =  ·       r 2 1 1 x x + 1 S R ( w 2 )     r 3 x + 1 1 1 x S R ( w 3 ) 5 / 19

  19. S-transforms in FSM w 0 Sbox r 0 MixColumn w 1 r 1 Sbox w 2 r 2 Sbox w 3 r 3 Sbox ◮ S 1 = L 1 · S R , S R is the AES S-box       r 0 x x + 1 1 1 S R ( w 0 ) r 1 1 x x + 1 1 S R ( w 1 )        =  ·       r 2 1 1 x x + 1 S R ( w 2 )     r 3 x + 1 1 1 x S R ( w 3 ) ◮ S 2 = L 2 · S Q , S Q is derived from the Dickson polynomials       r 0 y y + 1 1 1 S Q ( w 0 ) r 1 1 y y + 1 1 S Q ( w 1 )        =  ·       r 2 1 1 y y + 1 S Q ( w 2 )     r 3 y + 1 1 1 y S Q ( w 3 ) 5 / 19

  20. Outline 1 Motivation 2 The SNOW 3G Cipher 3 Linear Cryptanalysis of SNOW 3G Linear Approximation of FSM Distinguishing Attack Correlation Attack 4 Conclusions 6 / 19

  21. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: 6 / 19

  22. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: ◮ LFSR states and keystream symbols ⇒ Correlation attacks 6 / 19

  23. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: ◮ LFSR states and keystream symbols ⇒ Correlation attacks ◮ Keystream symbols only ⇒ Distinguishing attacks 6 / 19

  24. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: ◮ LFSR states and keystream symbols ⇒ Correlation attacks ◮ Keystream symbols only ⇒ Distinguishing attacks ◮ Linear approximation: z = NF ( s ) = LF ( s ) + e [biased noise] 6 / 19

  25. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: ◮ LFSR states and keystream symbols ⇒ Correlation attacks ◮ Keystream symbols only ⇒ Distinguishing attacks ◮ Linear approximation: z = NF ( s ) = LF ( s ) + e [biased noise] ◮ Consider general vectorized linear approximation 6 / 19

  26. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: ◮ LFSR states and keystream symbols ⇒ Correlation attacks ◮ Keystream symbols only ⇒ Distinguishing attacks ◮ Linear approximation: z = NF ( s ) = LF ( s ) + e [biased noise] ◮ Consider general vectorized linear approximation ◮ e has distribution D , the SEI (Squared Euclidean Imbalance): | D |− 1 � 2 � D ( e ) − 1 � ǫ = | D | · | D | e =0 6 / 19

  27. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: ◮ LFSR states and keystream symbols ⇒ Correlation attacks ◮ Keystream symbols only ⇒ Distinguishing attacks ◮ Linear approximation: z = NF ( s ) = LF ( s ) + e [biased noise] ◮ Consider general vectorized linear approximation ◮ e has distribution D , the SEI (Squared Euclidean Imbalance): | D |− 1 � 2 � D ( e ) − 1 � ǫ = | D | · | D | e =0 ◮ Required Samples: n = O (1 /ǫ ) to distinguish e from random 6 / 19

  28. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: ◮ LFSR states and keystream symbols ⇒ Correlation attacks ◮ Keystream symbols only ⇒ Distinguishing attacks ◮ Linear approximation: z = NF ( s ) = LF ( s ) + e [biased noise] ◮ Consider general vectorized linear approximation ◮ e has distribution D , the SEI (Squared Euclidean Imbalance): | D |− 1 � 2 � D ( e ) − 1 � ǫ = | D | · | D | e =0 ◮ Required Samples: n = O (1 /ǫ ) to distinguish e from random 6 / 19

  29. Basics for Linear Cryptanalysis of Stream Ciphers ◮ Basic Idea : approximate non-linear components as linear ones, further derive some linear relationships, involving: ◮ LFSR states and keystream symbols ⇒ Correlation attacks ◮ Keystream symbols only ⇒ Distinguishing attacks ◮ Linear approximation: z = NF ( s ) = LF ( s ) + e [biased noise] ◮ Consider general vectorized linear approximation ◮ e has distribution D , the SEI (Squared Euclidean Imbalance): | D |− 1 � 2 � D ( e ) − 1 � ǫ = | D | · | D | e =0 ◮ Required Samples: n = O (1 /ǫ ) to distinguish e from random ◮ Key Point : to find a good approximation with a large bias 6 / 19

  30. Linear Approximation of FSM in SNOW 3G ( t ) (t) ( t ) s 5 s 0 s 15 z (t) R 1 S 1 R 2 S 2 R 3 7 / 19

Recommend

On nonlinear approximations and the linear hull effect Anne Canteaut Inria, Paris, France joint

On nonlinear approximations and the linear hull effect Anne Canteaut Inria, Paris, France joint

On nonlinear approximations and the linear hull effect Anne Canteaut Inria, Paris, France joint work with Christof Beierle and Gregor Leander ASK 2018, Kolkota Linear approximations 1 Linear approximations Pr[ x + F ( x ) = 0]

828 views • 27 slides
Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg

Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg

Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway, July 2017 Outline Introduction

357 views • 18 slides
Linear Approximations Suppose we want to approximate the value of a function f for some value of x

Linear Approximations Suppose we want to approximate the value of a function f for some value of x

Linear Approximations Suppose we want to approximate the value of a function f for some value of x , say x 1 , close to a number x 0 at which we know the value of f . By its nature, the tangent to a curve hugs the curve fairly closely near the point

478 views • 3 slides
New Error Bounds for Approximations from Projected Linear Equations H. Yu . Bertsekas

New Error Bounds for Approximations from Projected Linear Equations H. Yu . Bertsekas

Introduction Data-Dependent Error Analysis Applications and Comparisons of Bounds Summary New Error Bounds for Approximations from Projected Linear Equations H. Yu . Bertsekas D. P Department of Computer Science University of

519 views • 18 slides
Nonlinear approximations, multi-linear tools and algorithms with finite but arbitrary accuracy

Nonlinear approximations, multi-linear tools and algorithms with finite but arbitrary accuracy

Nonlinear approximations, multi-linear tools and algorithms with finite but arbitrary accuracy Gregory Beylkin Future Directions in Tensor-Based Computation and Modeling NSF February 20, 2009 Some observations Success of Matlab or LAPACK

634 views • 36 slides
Greedy Sparse Linear Approximations of Functionals from Nodal Data R. Schaback Gttingen

Greedy Sparse Linear Approximations of Functionals from Nodal Data R. Schaback Gttingen

Greedy Sparse Linear Approximations of Functionals from Nodal Data R. Schaback Gttingen Academy of Sciences and Humanities GeorgAugustUniversitt Gttingen Institut fr Numerische und Angewandte Mathematik

506 views • 36 slides
Remarks on the Data Complexity of Zero-Correlation Linear Attacks C eline Blondeau Aalto

Remarks on the Data Complexity of Zero-Correlation Linear Attacks C eline Blondeau Aalto

Remarks on the Data Complexity of Zero-Correlation Linear Attacks C eline Blondeau Aalto University ESC, Luxembourg 2015 Outline Zero-Correlation Linear Attacks Data Complexity of Zero-Correlation Attacks Repetition of Plaintexts Data

464 views • 35 slides
Estimation based based on on vectorized vectorized surfaces surfaces Estimation for for

Estimation based based on on vectorized vectorized surfaces surfaces Estimation for for

Workshop on Anatomical Models, June 16-17 th 2009 Estimation based based on on vectorized vectorized surfaces surfaces Estimation for for Craniofacial Reconstruction Reconstruction Craniofacial Yves ROZENHOLC Yves ROZENHOLC MAP5 -

580 views • 24 slides
Todays Agenda Upcoming Homework Section 2.8: Linear Approximations and Differentials

Todays Agenda Upcoming Homework Section 2.8: Linear Approximations and Differentials

Todays Agenda Upcoming Homework Section 2.8: Linear Approximations and Differentials Lindsey K. Gamard, ASU SoMSS MAT 265: Calculus for Engineers I Friday, 2 October 2015 1 / 8 Upcoming Homework WeBWorK HW #11 (Section 2.8), due

315 views • 8 slides
Combined Attacks from Boomerangs to Sandwiches and Differential-Linear Orr Dunkelman

Combined Attacks from Boomerangs to Sandwiches and Differential-Linear Orr Dunkelman

Introduction Boomerang Diff-Lin Summary Combined Attacks from Boomerangs to Sandwiches and Differential-Linear Orr Dunkelman Department of Computer Science, University of Haifa June 5th, 2014 Orr Dunkelman Combined Attacks 1/ 36

656 views • 36 slides
Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu State

Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu State

Motivation Preliminaries Addition Modulo 2 n 1 The Limit of cor ( 1 ; 1 k ) Conclusion Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu State Key Laboratory of Information Security, Institute of

620 views • 25 slides
Snow Ice crystals come together in a cloud to make a snowflake . Snow is a solid.

Snow Ice crystals come together in a cloud to make a snowflake . Snow is a solid.

Snow Ice crystals come together in a cloud to make a snowflake . Snow is a solid. The most is in the North Pole. Sleet Rain that is partly frozen or mixed with snow is sleet. Sleet falls faster then snow.

486 views • 4 slides
Snow and Ice Control Update October 22, 2018 Comments from last winter Why no snow emergency?

Snow and Ice Control Update October 22, 2018 Comments from last winter Why no snow emergency?

Snow and Ice Control Update October 22, 2018 Comments from last winter Why no snow emergency? Address priority areas sooner? Start earlier? Clear snow from driveways? 2018-19 Updates Added 8 miles of snow emergency route

103 views • 7 slides
ADVANCED DATABASE SYSTEMS Vectorized Execution @ Andy_Pavlo // 15- 721 // Spring 2019 CMU

ADVANCED DATABASE SYSTEMS Vectorized Execution @ Andy_Pavlo // 15- 721 // Spring 2019 CMU

Lect ure # 20 ADVANCED DATABASE SYSTEMS Vectorized Execution @ Andy_Pavlo // 15- 721 // Spring 2019 CMU 15-721 (Spring 2019) 2 Background Hardware Vectorized Algorithms (Columbia) CMU 15-721 (Spring 2019) 3 VECTO RIZATIO N The process

1.28k views • 84 slides
A SNOW COLLEGE PROGRAM Snow College 150 College Ave. Ephraim, UT 84627 no more excuses! A SNOW

A SNOW COLLEGE PROGRAM Snow College 150 College Ave. Ephraim, UT 84627 no more excuses! A SNOW

A SNOW COLLEGE PROGRAM Snow College 150 College Ave. Ephraim, UT 84627 no more excuses! A SNOW COLLEGE PROGRAM for only $ 5 be active .00 Introduction Flyer be healthy a month be stronger be smarter be happy! fit bit flex (with option

164 views • 15 slides
GGH15 beyond permutation branching programs proofs, attacks, and candidates Yilei Chen, Vinod

GGH15 beyond permutation branching programs proofs, attacks, and candidates Yilei Chen, Vinod

GGH15 beyond permutation branching programs proofs, attacks, and candidates Yilei Chen, Vinod Vaikuntanathan, Hoeteck Wee 1 > August 21, 2018, Palo Alto, heavy snow. 2 > August 21, 2018, Palo Alto, heavy snow. > Alice finds a

1.15k views • 78 slides
Overview of Bode Plots Transfer function review Piece-wise linear approximations

Overview of Bode Plots Transfer function review Piece-wise linear approximations

Overview of Bode Plots Transfer function review Piece-wise linear approximations First-order terms Second-order terms (complex poles & zeros) J. McNames Portland State University ECE 222 Bode Plots Ver. 1.19 1 Transfer

1.3k views • 73 slides
Linear-Complexity Data-Parallel Earth Movers Distance Approximations Kubilay Atasu, Thomas

Linear-Complexity Data-Parallel Earth Movers Distance Approximations Kubilay Atasu, Thomas

Linear-Complexity Data-Parallel Earth Movers Distance Approximations Kubilay Atasu, Thomas Mittelholzer Earth/Word Movers Distance: Discrete Wasserstein Distance The Queen to tour Canada Royal visit to Halifax Canada Halifax

96 views • 5 slides
SIMD Vectorized Hashing for Grouped Aggregation Bala Gurumurthy, David Broneske, Marcus Pinnecke,

SIMD Vectorized Hashing for Grouped Aggregation Bala Gurumurthy, David Broneske, Marcus Pinnecke,

OVGU Prsentation 16.05.2017 1 SIMD Vectorized Hashing for Grouped Aggregation Bala Gurumurthy, David Broneske, Marcus Pinnecke, Gabriel Campero Durand and Gunter Saake 1 SIMD vectorized Hashing for Grouped Aggregation 04.09.2018 Bala

1.18k views • 94 slides
List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael Fourquet , Grigory

675 views • 33 slides
Summary Spin waves : excited states of the Heisenberg Hamiltonian Approximations 1) Ordered

Summary Spin waves : excited states of the Heisenberg Hamiltonian Approximations 1) Ordered

Summary Spin waves : excited states of the Heisenberg Hamiltonian Approximations 1) Ordered phase 2) Small deviations around the ordered moment, large S, low T Calculation : equation of motion (linear set of L coupled equations) L ions in the

931 views • 56 slides
Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Linear Approximations and bias value Piling Up Lemma

540 views • 17 slides
Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of

Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of

Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of Technology Department of Information and Computer Science, Espoo, Finland 24th March 2009 1 / 35 SOSEMANUK Attack Approximations SOBER-128

365 views • 35 slides
THE U.S. SNOW SPORTS MARKET AND SIA SNOW SPORTS MARKET OVERVIEW v 100M Americans active in winter

THE U.S. SNOW SPORTS MARKET AND SIA SNOW SPORTS MARKET OVERVIEW v 100M Americans active in winter

Snowsports.org SIAsnowshow.com Snowlink.com #SIAsnow THE U.S. SNOW SPORTS MARKET AND SIA SNOW SPORTS MARKET OVERVIEW v 100M Americans active in winter (sledding, hiking, running, walking) v 30M Ski and Snowboard TOTAL SNOW SPORTS MARKET

310 views • 10 slides

More recommend