230 likes | 376 Views
Resynchronization Attacks on WG and LEX. Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC. Overview. 1. Introduction to WG 2. Differential Attack on WG 3. Introduction to LEX 4. Slide Attack on LEX. Description of WG (1). submission to the eStream
E N D
Resynchronization Attacks on WG and LEX Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC
Overview 1. Introduction to WG 2. Differential Attack on WG 3. Introduction to LEX 4. Slide Attack on LEX KULeuven, ESAT/COSIC
Description of WG (1) submission to the eStream key up to 128 bits, IV up to 128 bits hardware efficient stream cipher (profile II) consists of a regularly clocked LFSR over GF(229) defined by p(x) = x11 + x10 + x9 + x6 + x3 + x + γ and a WG transform that maps GF(229) GF(2) KULeuven, ESAT/COSIC
Description of WG (2) Keystream generation of WG KULeuven, ESAT/COSIC
Description of WG (3) WG Transformation KULeuven, ESAT/COSIC
Description of WG (4) Key and IV setup of WG (22 Steps) KULeuven, ESAT/COSIC
Differential Attack on WG (1) Overview of the Attack the taps of LFSR are poorly chosen 22 steps fail to randomize the differential propagation at the end of the 22nd step, the differential in the LFSR is exploited to recover the secret key => 48 key bits recovered with about 231 chosen IVs (80-bit key and 80-bit IV) KULeuven, ESAT/COSIC
Differential Attack on WG (2) Attack - differential propagation in key/IV setup of WG KULeuven, ESAT/COSIC
Differential Attack on WG (3) Attack - differential propagation in key/IV setup of WG (Contd.) KULeuven, ESAT/COSIC
Differential Attack on WG (4) At the end of the 22nd step, the difference at S(10) is S(10) is related to the first keystream bit. Observing the values of the first keystream bits generated from the related IV, we are able to determine whether the value of is 0, then we can recover 29 bits of key. 231 IVs for the version with 80-bit IV, 80-bit key (details are omitted here) KULeuven, ESAT/COSIC
Differential Attack on WG (5) The differential attack on WG is different from the differential attack on block ciphers Difference generation -- change the input difference and SOME input value to generate many different Filtering -- change OTHER input value (without modifying ) to generate keystream bits to see whether the related keystream bits are always identical, then to identify whether is 0 KULeuven, ESAT/COSIC
How to Improve WG WG designers proposed 44-step key/IV setup => small change secure against the differential attack => but not that efficient with properly chosen LFSR taps and output tap, it is possible to use only 22 steps KULeuven, ESAT/COSIC
Description of LEX (1) submission to the eStream 128-bit key, 128-bit IV software and hardware efficient (profile I & II) Design: based on AES OFB mode 4 bytes extracted from each round to form keystream KULeuven, ESAT/COSIC
Description of LEX (2) Initialization and keystream generation KULeuven, ESAT/COSIC
Description of LEX (3) Extracted bytes in the even and odd rounds KULeuven, ESAT/COSIC
Slide Attack on LEX (1) Security of LEX depends on that only a small fraction of information is leaked from each round If one round input in LEX is known, then the key could be recovered easily. KULeuven, ESAT/COSIC
Slide Attack on LEX (2) In LEX, the same key with two IVs, if keystream1 is the shifted version of keystream2, then one input to AES for generating keystream1 is equivalent to IV2 => The input to AES is known 32 bits of the first round output are known => 32 bits of the key could be recovered easily KULeuven, ESAT/COSIC
Slide Attack on LEX (3) If each IV is used to generate about 500 outputs, then with about 261 IVs, 3 pairs of the shifted keystreams could be observed and 96 key bits could be recovered. KULeuven, ESAT/COSIC
Slide Attack on LEX (4) LEX is as strong as AES counter mode? No. AES counter mode => A particular key can never be recovered faster than brute force search LEX => A particular key recovered with 260.8 random IVs, 20,000 bytes from each IV, faster than brute force search KULeuven, ESAT/COSIC
How to Improve LEX Our suggestion => For each LEX IV, use LEX key and LEX IV to generate an AES key and AES IV KULeuven, ESAT/COSIC
Conclusion (1) Lesson from the WG design => To ensure that the tap distances are co-prime in a FSR (including the LFSR on GF(2m)) KULeuven, ESAT/COSIC
Conclusion (2) Lessons from the LEX design => 1) It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream 2) try to avoid using the stream cipher key directly in the keystream generation (more general, try to avoid using static secret parameters in the keystream generation) (LEX, Salsa20, ABC, SEAL …) KULeuven, ESAT/COSIC
Thank you! Q & A KULeuven, ESAT/COSIC