Stream Ciphers: WG and LEX. Eduard Dvorný, & Emil Halko University of Pavol Jozef Šafárik
WG abstract
• Stream cipher WG:
• The cipher is based on Welch-Gong transformations. The WG cipher has been designed to produce keystream with guaranteed randomness properties.
• It is resistant to Time/Memory/Data tradeoff attacks, algebraic attacks and correlation attacks.
• The cipher can be implemented with a small amount of hardware.
LEX abstract
• Stream cipher LEX:
• A proposal for a simple AES-based stream cipher which is at least 2.5 times faster than AES both in software and in hardware.
• LEX stands for Leak EXtraction.
WG CIPHER
The WG cipher can be used with keys of length 80, 96, 112 and 128 bits. An initial vector of size 32 or 64 bits can be used with any of the above key lengths. To increase security, IVs of the same length as the secret key can also be used. WG is a synchronous stream cipher which consists of a WG keystream generator.
Differential Attack on WG
Overview of the Attack
• the taps of the LFSR are poorly chosen
• 22 steps fail to randomize the differential propagation
• at the end of the 22nd step, the differential in the LFSR is exploited to recover the secret key
=> 48 key bits recovered with about 2^31 chosen IVs (80-bit key and 80-bit IV)
Differential Attack on WG
At the end of the 22nd step, the difference at S(10) is
S(10) is related to the first keystream bit. Observing the values of the first keystream bits generated from the related IVs, we are able to determine whether the value of is 0; then we can recover 29 bits of the key.
Security Against Attacks
Time/Memory/Data tradeoff has two phases:
• During the precomputation phase the attacker exploits the structure of the stream cipher and summarizes his findings in large tables.
• During the attack phase, the attacker uses these tables and the observed data to determine the secret key or the internal state of the stream cipher.
A tradeoff TM²D² = N² for D² ≤ T ≤ N, where T is the time required for the attack, M is the memory required to store the tables, D represents the real-time data or the keystream required, and N is the size of the search space. A simple way to provide security against this attack in stream ciphers is to increase the search space.
Algebraic attacks have been used recently to break many well known stream ciphers.
• The complexity of these attacks depends on the nonlinear filter and the number of outputs generated by the cipher.
• If the nonlinear filter can be approximated by a multivariate equation of low degree, this complexity can be reduced significantly.
Correlation attacks
• These attacks exploit any correlation that may exist between the keystream and the output of the LFSR in the cipher.
• In these attacks the keystream is regarded as a distorted or noisy version of the LFSR output.
Conclusion
• WG cipher, suitable for hardware implementations.
• WG is vulnerable to a differential attack.
LEX Cipher
• LEX is based on the block cipher AES. The keystream bits are generated by extracting 32 bits from each round of AES in the 128-bit Output Feedback mode.
• First a standard AES key schedule for a secret 128-bit key K is performed.
• Then a given 128-bit IV is encrypted by a single AES invocation: S = AES_K(IV). The S and the subkeys are the output of the initialization process.
Extracted bytes in the even and odd rounds
The bytes b0,0, b0,2, b2,0, b2,2 at every odd round and the bytes b0,1, b0,3, b2,1, b2,3 at every even round are selected (bi,j denotes the byte in row i, column j of the 4×4 AES state).
Algebraic Attacks
Algebraic attacks on stream ciphers are a recent and very powerful type of attack. If one could write a non-linear equation in terms of the outputs and the key, that could lead to an attack on LEX. Re-keying every 500 AES encryptions may help to avoid such attacks by limiting the number of samples the attacker might obtain while targeting a specific subkey.
Dedicated Attacks
• An obvious line of attack would be to concentrate on every 10th round, since it reuses the same subkey, and thus if the attacker guesses parts of this subkey he can still reuse this information 10t, t = 1, 2, . . . rounds later.
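The leak-extraction schedule from the "LEX Cipher" and "Extracted bytes" slides and the subkey-reuse observation from "Dedicated Attacks", as an added model in Python (not code from the slides or from the LEX proposal). It does not implement the AES rounds: the per-round states are constructed sample values, and the byte ordering assumed is the standard column-major AES layout (row + 4·column).

```python
"""Model of LEX leak extraction over the 16-byte AES state (added example).

The AES state is a 4x4 byte matrix b[row][col]; byte (row, col) sits at
offset row + 4*col of the 16-byte block (standard column-major layout).
AES rounds are NOT implemented here; callers supply per-round states,
so the sample states used below are constructed, not real AES output.
"""

ODD_ROUND_POSITIONS = [(0, 0), (0, 2), (2, 0), (2, 2)]   # rounds 1, 3, 5, ...
EVEN_ROUND_POSITIONS = [(0, 1), (0, 3), (2, 1), (2, 3)]  # rounds 2, 4, 6, ...
ROUNDS_PER_BLOCK = 10        # AES-128 rounds; LEX chains blocks in OFB mode
LEAK_BITS_PER_ROUND = 32     # four bytes leaked per round
AES_BLOCK_BITS = 128


def leak_positions(round_no):
    """(row, col) positions leaked after absolute round round_no (1-based)."""
    if round_no < 1:
        raise ValueError("rounds are numbered from 1")
    return ODD_ROUND_POSITIONS if round_no % 2 == 1 else EVEN_ROUND_POSITIONS


def subkey_index(round_no):
    """Round subkey (1..10) applied at this round; the same subkey recurs every 10 rounds."""
    k = round_no % ROUNDS_PER_BLOCK
    return ROUNDS_PER_BLOCK if k == 0 else k


def extract_leak(state, round_no):
    """Return the 4 bytes LEX outputs from a 16-byte state after round round_no."""
    if len(state) != 16:
        raise ValueError("AES state must be 16 bytes")
    return bytes(state[row + 4 * col] for row, col in leak_positions(round_no))


def keystream(states):
    """Concatenate the leaks of consecutive round states, starting at round 1."""
    return b"".join(extract_leak(s, r) for r, s in enumerate(states, start=1))


def rounds_sharing_subkey(round_no, count):
    """Rounds round_no, round_no+10, ... that all use the same subkey (the 10t observation)."""
    return [round_no + ROUNDS_PER_BLOCK * t for t in range(count)]


def speedup_vs_aes():
    """Bits of keystream per AES block computation, relative to plain AES (2.5)."""
    return LEAK_BITS_PER_ROUND * ROUNDS_PER_BLOCK / AES_BLOCK_BITS


if __name__ == "__main__":
    # Constructed state: each byte equals its own offset, so the output reveals which offsets leak.
    s = bytes(range(16))
    print(extract_leak(s, 1).hex(), extract_leak(s, 2).hex())  # 00080 20a / 040c060e pattern
```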
Conclusion
• Since LEX could reuse existing AES implementations, it might provide a simple and cheap speedup option in addition to the already existing base AES encryption.
• It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream.