Cryptanalysis on Clock Controlled Stream Ciphers


Presentation Transcript


  1. Cryptanalysis on Clock Controlled Stream Ciphers. Shinsaku Kiyomoto, KDDI R&D Laboratories Inc., 2005.2.22. This is a joint work with Kyushu University (Prof. Kouichi Sakurai).

  2. Information about Myself • Shinsaku Kiyomoto (age 29) • B.E. and M.E. from Tsukuba Univ. (1998 and 2000) • Researcher at the Security Lab., KDDI R&D Labs. Inc. (since April 2000) • Current interests: stream ciphers, security protocols, and mobile security

  3. KDDI R&D Laboratories Inc. http://www.kddilabs.jp ● Incorporated: April 1, 2003 (merged KDI on April 1, 2001) ● Capital: 2.28 billion Yen ● Shareholders: KDDI, Kyocera Corporation, Toyota Motor Corporation ● President: Tohru ASAMI ● Staff: 197 (April 1, 2004) ● Office: Kamifukuoka, Saitama, Japan ● Research areas: Photonic NW, Wireless NW, IP, Multimedia, Ubiquitous NW, and Information Security

  4. Security Laboratory • Current Research Topics • Secret and Public Key Cryptosystems • Cryptographic Protocols • Mobile Security • PKI (Public Key Infrastructure) • Software Security • Secure Overlay Networks • P.P. (Privacy Protection) • DRM (Digital Rights Management) • Intrusion Detection System • Virus Protection

  6. Introduction: History of Stream Cipher • Hardware-based random generator → LFSR-based stream cipher • Berlekamp-Massey algorithm • A5, RC4 • Time-memory trade-off attack, correlation attack, re-synchronization attack • From bit-oriented to word-oriented • NESSIE project (SNOW, BGML, SOBER, LILI etc.) • Guess-and-determine attack, distinguishing attack • XL, XSL

  7. Clock Controlled Stream Cipher • Irregular clocking is used as the non-linear function. • Examples: • A5: stop-and-go clocking according to tap bits from 3 LFSRs. • LILI-128: 1-2-3-4 clocking by a clock controller and a special LFSR.

  8. Analysis of Irregular Clocking • Motivation: is irregular clocking more effective than other non-linear functions? • Drawbacks of irregular clocking: it reduces the efficiency of generating keystreams and shortens the period of the keystream. • How should an algorithm for generating irregular clocking be constructed or chosen?

  9. Theoretical and Experimental Analysis • Theoretical analysis: analysis in an ideal environment. • Experiments (minutia model approach): constructing a minutia (shrunken) model of the stream cipher for evaluation. • How to make a minutia model: shorten the lengths of the LFSRs (bit-oriented stream ciphers); shrink the sizes of the registers in the LFSRs (word-oriented stream ciphers); modify the non-linear parts accordingly.

  10. Guess-and-Determine Attack • G: Guess some registers of the internal state. • D: Determine the other internal states. • A: Check the validity of the guessed registers. • An assumption is required to remove nonlinearity. • Previous GD attacks: ◆ SOBER, SOBER-II: Blackburn, Murphy, Piper, Wild (1998); Bleichenbacher, Patel (1999) ◆ SOBER-t16/t32: Hawkes, Rose (2000) ◆ SNOW 1.0: Hawkes, Rose (2002)

  11. Security of GD attacks • Initial key size: the reference cost is that of an exhaustive key search. • Internal state: guess a part of it, apply the assumption, and determine the rest. • If the guessed part is weak, i.e. guessing and determining costs less than an exhaustive key search, the attack is successful.

  12. Example: Attacks on AA5 • Three LFSRs of 8-bit registers: LFSR F (6 registers, 48 bits), LFSR G (5 registers, 40 bits) and LFSR H (7 registers, 56 bits), plus an 8-bit internal memory M and S-boxes S in the non-linear part. • The clock controller decides the clocking of the three LFSRs according to the least significant bits of register No. 2 in LFSR F, No. 2 in LFSR G and No. 3 in LFSR H, as follows (control bits → number of clocks per step):

      control bits  000  001  010  011  100  101  110  111
      LFSR F         2    1    1    2    2    1    1    2
      LFSR G         2    1    2    1    1    2    1    2
      LFSR H         2    2    1    1    1    1    2    2

  13. Strategy of proposed GD attacks • We guess LFSR F and LFSR G and determine LFSR H (the longest). • If we guess LFSR F, LFSR G and the internal memory M, we can ignore the influence of the S-boxes. • How to remove the irregularity introduced by the clock controller: we use the assumption that the target LFSR clocks regularly (irregular clocking → assumption → regular clocking).

  14. Attacks on AA5 • Guess all registers of F (48 bits), all registers of G (40 bits), the memory M (8 bits), and the least significant bits of registers 6, 5, 4 and 3 of H (4 bits): 100 bits in total. • From the keystream Z and the non-linear function, determine registers 0, 1, 2 of H and the remaining 7 bits of each of registers 3, 4, 5, 6 of H. • Assumption: H operates six times in succession (probability 2^-36). • Process complexity = O(2^100), data complexity = O(2^6).

  15. Evaluation Results of GD attacks

  16. Real Probability of the Assumption Being Valid • Clockings are determined according to tap bits from the LFSRs. • Ideal model: the exploitable states are uniformly distributed. • Real model: short period; the states are not uniformly distributed. • A gap between the theoretical and the experimental results exists.
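The clock table of slide 12 and the ideal-versus-real gap of slide 16, as an added example that is not code from the slides. It builds a minutia model (the approach of slide 9) of the AA5 clock controller: three tiny LFSRs stand in for the 48/40/56-bit registers, the slide 12 table drives the clocking, and the probability that "LFSR H clocks exactly once on each of k consecutive steps" (the regular-clocking assumption of slides 13 and 14) is computed once under the ideal model (uniform, independent control values) and once exactly, by enumerating every nonzero initial state. The LFSR lengths, feedback taps, control-tap positions and the (F, G, H) bit order of the control value are assumptions.

```python
"""Probability that the regular-clocking assumption of a guess-and-determine
attack holds, on a shrunken (minutia-model) AA5 clock controller.

Added example, not code from the slides. LFSR lengths, feedback taps,
control-tap positions and the control-bit order (F, G, H) are assumptions;
the control-value -> clock-count table is the one on slide 12.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lfsr:
    n: int      # register length in bits
    taps: int   # feedback mask: new bit = parity(state & taps)
    ctrl: int   # bit position fed to the clock controller

    def clock(self, s: int, times: int) -> int:
        """Fibonacci LFSR, right shift; bit j of the state at time t is s_{t+j}."""
        for _ in range(times):
            fb = bin(s & self.taps).count("1") & 1
            s = (s >> 1) | (fb << (self.n - 1))
        return s

    def control_bit(self, s: int) -> int:
        return (s >> self.ctrl) & 1


# Minutia model (assumption): 5-, 4- and 6-bit LFSRs with primitive feedback
# x^5+x^2+1, x^4+x+1, x^6+x+1 replace the 48/40/56-bit word-oriented
# registers; the control taps mirror "No.2 in F, No.2 in G, No.3 in H".
F = Lfsr(5, 0b00101, 2)
G = Lfsr(4, 0b0011, 2)
H = Lfsr(6, 0b000011, 3)

# Slide 12: clocks per step for each LFSR, indexed by the 3-bit control value.
CLOCKS_F = (2, 1, 1, 2, 2, 1, 1, 2)
CLOCKS_G = (2, 1, 2, 1, 1, 2, 1, 2)
CLOCKS_H = (2, 2, 1, 1, 1, 1, 2, 2)


def step(f: int, g: int, h: int):
    """One step: read the control bits, then clock all three LFSRs."""
    c = (F.control_bit(f) << 2) | (G.control_bit(g) << 1) | H.control_bit(h)
    return F.clock(f, CLOCKS_F[c]), G.clock(g, CLOCKS_G[c]), H.clock(h, CLOCKS_H[c]), c


def ideal_probability(k: int) -> float:
    """Ideal model (slide 16): control values uniform and independent, so
    'H clocks exactly once on each of k consecutive steps' has probability (4/8)^k."""
    return (CLOCKS_H.count(1) / len(CLOCKS_H)) ** k


def real_probability(k: int) -> float:
    """Real model: enumerate every nonzero initial state of the three LFSRs and
    count those for which H clocks exactly once on each of the first k steps."""
    hits = total = 0
    for f in range(1, 1 << F.n):
        for g in range(1, 1 << G.n):
            for h in range(1, 1 << H.n):
                total += 1
                s = (f, g, h)
                for _ in range(k):
                    *s, c = step(*s)
                    if CLOCKS_H[c] != 1:
                        break
                else:
                    hits += 1
    return hits / total


def gap(k: int) -> float:
    """Ratio real/ideal; 1.0 would mean the ideal analysis is exact."""
    return real_probability(k) / ideal_probability(k)


if __name__ == "__main__":
    print(" k   ideal      real       real/ideal")
    for k in range(1, 7):
        print(f"{k:2d}  {ideal_probability(k):.6f}  {real_probability(k):.6f}  {gap(k):.3f}")
```

For k = 1 the exact value can be checked by hand: H clocks once exactly when the F and G control bits differ, and over the nonzero states of an n-bit LFSR any fixed bit is 1 in 2^(n-1) of the 2^n - 1 states, so the real probability is (15·8 + 16·7)·63 / (31·15·63) = 14616/29295 ≈ 0.4989 rather than the ideal 0.5; for larger k the enumeration is the only way to get the number, which is the point of the minutia-model experiments.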

  17. Experimental Results of Minutia Model

  18. Distinguishing Attack • Distinguish the keystream of a stream cipher from a truly random string. • A powerful attack on stream ciphers: • SNOW 1.0 (by Coppersmith, 2000) • SNOW 2.0 (by Watanabe, 2003) • SOBER family (by Ekdahl, 2002) • SCREAM (by Johansson, 2003)

  19. Distinguishing Attack (cont.) • Construct a linear equation consisting only of output keystream bits, using a linear approximation of the non-linear function f together with the linear equations of the LFSR. • The LFSR's feedback polynomial gives S_{x1} + S_{x2} + … + S_{xi} = 0, and the same relation shifted by y_1, …, y_j: S_{x1+y1} + S_{x2+y1} + … + S_{xi+y1} = 0, …, S_{x1+yj} + S_{x2+yj} + … + S_{xi+yj} = 0. • Through the linear approximation of f, each group of LFSR bits approximates a keystream bit (= Z_{t1}, = Z_{t2}, = Z_{t3}), so the keystream-only relation Z_{t1} + Z_{t2} + Z_{t3} = 0 holds with a bias.

  20. Complexity of irregular clocking • Regular clocking: the key stream generator outputs S1 S2 S3 S4 S5 S6 S7 S8 in turn, so the keystream bits required by the relation are obtained deterministically. • Irregular clocking: the clock controller skips states, so the generator outputs e.g. S1 S3 S4 S6 S8; the required keystream bits are obtained only probabilistically. • Complexity = (1/Probability)^2 = ?
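The keystream-only relation of slide 19 and the effect of irregular clocking from slide 20, as an added example that is not code from the slides. The generator is an assumption chosen so the bias can be checked by hand: a 10-bit LFSR with primitive feedback polynomial x^10 + x^3 + 1 (so s_t + s_{t+3} + s_{t+10} = 0 for every t), the filter Z_t = s_t XOR (s_{t+1} AND s_{t+2}) whose linear approximation Z_t ≈ s_t holds with probability 3/4, and, for the clocked variant, an independent 11-bit control LFSR (x^11 + x^2 + 1) that clocks the data LFSR once or twice before each output bit, LILI-style. The code measures the bias of Z_t + Z_{t+3} + Z_{t+10} on the regularly clocked keystream, then shows what is left of it when the attacker can only guess that keystream positions i+2 and i+7 correspond to LFSR times t+3 and t+10.

```python
"""Keystream-only linear relation (slide 19) and how irregular clocking
(slide 20) turns it from deterministic into probabilistic.

Added example, not code from the slides. The data LFSR, filter function,
control LFSR and 1-or-2 clocking rule are assumptions.
"""

DATA_N, DATA_TAPS = 10, 0b0000001001   # new bit = s_t ^ s_{t+3} = s_{t+10}
CTRL_N, CTRL_TAPS = 11, 0b00000000101  # new bit = s_t ^ s_{t+2} = s_{t+11}


def lfsr_states(n, taps, seed):
    """Fibonacci LFSR, right shift; bit j of the state at time t is s_{t+j}."""
    s = seed & ((1 << n) - 1)
    while True:
        yield s
        fb = bin(s & taps).count("1") & 1
        s = (s >> 1) | (fb << (n - 1))


def filter_bit(state):
    """Z = s_t XOR (s_{t+1} AND s_{t+2}); Z ~ s_t holds with probability 3/4."""
    return (state ^ ((state >> 1) & (state >> 2))) & 1


def raw_lfsr_bits(seed, length):
    g = lfsr_states(DATA_N, DATA_TAPS, seed)
    return [next(g) & 1 for _ in range(length)]


def regular_keystream(seed, length):
    g = lfsr_states(DATA_N, DATA_TAPS, seed)
    return [filter_bit(next(g)) for _ in range(length)]


def clocked_keystream(seed, ctrl_seed, length):
    """LILI-style (assumption): before each output the data LFSR is clocked
    1 + c_i times, c_i being the control LFSR's output bit."""
    data = lfsr_states(DATA_N, DATA_TAPS, seed)
    ctrl = lfsr_states(CTRL_N, CTRL_TAPS, ctrl_seed)
    state = next(data)
    out = []
    for _ in range(length):
        for _ in range(1 + (next(ctrl) & 1)):
            state = next(data)
        out.append(filter_bit(state))
    return out


def relation_bias(z, a, b, count):
    """P[z_t ^ z_{t+a} ^ z_{t+b} == 0] - 1/2 over t in [0, count)."""
    zeros = sum(1 for t in range(count) if (z[t] ^ z[t + a] ^ z[t + b]) == 0)
    return zeros / count - 0.5


def distinguisher_samples(bias):
    """Rule of thumb: a relation with bias eps needs about 1/eps^2 keystream bits."""
    return float("inf") if bias == 0 else int(1 / (bias * bias))


if __name__ == "__main__":
    period = (1 << DATA_N) - 1
    # Raw LFSR output: the feedback relation holds for every t (bias 1/2).
    print("raw LFSR :", relation_bias(raw_lfsr_bits(1, period + 10), 3, 10, period))
    # Regular clocking: Z_t+Z_{t+3}+Z_{t+10} reduces to s_{t+1}s_{t+5} + s_{t+2}s_{t+4},
    # which is 0 for 639 of the 1023 nonzero states, i.e. bias ~ 0.1246.
    reg = relation_bias(regular_keystream(1, 2 * period), 3, 10, period)
    print("regular  :", reg, "samples ~", distinguisher_samples(reg))
    # Irregular clocking: guess that outputs i+2 and i+7 are LFSR times t+3, t+10.
    clk = relation_bias(clocked_keystream(1, 1, 60_000), 2, 7, 50_000)
    print("clocked  :", clk, "samples ~", distinguisher_samples(abs(clk)))
```

Two things worth noticing when running it. First, the piling-up estimate for the regular keystream (1/2 + 4·(1/4)^3, bias 1/16) is wrong here: substituting the recurrence turns the three filter terms into s_{t+1}s_{t+5} + s_{t+2}s_{t+4}, whose bias over the period is exactly 639/1023 - 1/2, so the bias must be computed on the actual relation, not assumed independent. Second, under irregular clocking the guessed offsets (2, 7) line up with LFSR times (t+3, t+10) only with the probability that the control bits sum correctly, so the measured bias shrinks roughly by that factor and the required keystream grows by its square, as slide 20 states.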

  21. Detailed Analysis of the Complexity (1) • Required keystream bits are skipped by the clock controller. • In the LILI-128 case, the theoretical results fit the experimental results if X_j > 38.

  22. Detailed Analysis of the Complexity (2) • Failing to guess the cycle in which a keystream bit is output.

  23. Detailed Analysis of the Complexity • Example: LILI-128

  24. Detailed Analysis of the Complexity

  25. Experimental Results • About 2^4 (fits the theoretical results)

  26. Conclusion • Irregular clocking is effective against several attacks. However, the clocking algorithm should be carefully designed. • In particular, large clocking is effective for protecting against distinguishing attacks, even though a trade-off exists between this effect and the efficiency of generating keystreams.
