Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

2 Outline 1 Introduction 2 Description of SOSEMANUK 3 Basic properties of SOSEMANUK 4 Our attack 5 Further discussion on our attack 6 Conclusion

3 1 Introduction 1.1 On SOSEMANUK SOSEMANUK is a software-oriented stream cipher proposed by C. Berbain et al. for the eSTREAM project; it was selected into the final portfolio together with six other algorithms. Its design adopts ideas from both the stream cipher SNOW 2.0 and the block cipher SERPENT, and aims to improve on SNOW 2.0 in both security and efficiency.

4 1.2 Known cryptanalytic results on SOSEMANUK The designers of SOSEMANUK presented a guess and determine attack whose time complexity is operations; in 2006 H. Ahmadi et al. revised this attack and reduced the time complexity to operations; in 2006 Y. Tsunoo et al. improved on Ahmadi et al.'s result and further reduced it to operations; in 2008 Jung-Keun Lee et al. proposed a correlation attack, which needs about time, keystream bits, and bits of memory;

5 In 2009 Lin and Jie gave a new guess and determine attack and claimed that it needs only operations.

6 1.3 Our work

7 2 Description of SOSEMANUK Figure 1: The structure of SOSEMANUK (components: LFSR, FSM, Serpent1)

8 2.1 The LFSR

9 2.2 The FSM

10 The Serpent1 Figure 2: The round function Serpent1 in bit-slice mode

11 Generation of keystream

12 3 Basic properties of SOSEMANUK

13 Let x be a 32-bit word. Denote by x(i) the i-th byte of x, where i = 0, 1, 2, 3. For example, if s_1(3), s_4(0), s_4(1) and s_10(0) are known, then we can compute s_11(0). Figure 3: The feedback of the LFSR in byte form
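As an added illustration (not code from the original slides), the following Python computes the LFSR feedback s_11 = s_10 ⊕ α^(-1) s_4 ⊕ α s_1 both word-wise and byte-wise, and generalizes the slide's example from s_11(0) to every byte s_11(i). The defining polynomials of β and α are assumed from the SNOW 2.0 / SOSEMANUK specification; they are not given on the slides.

```python
# Constants assumed from the SNOW 2.0 / SOSEMANUK specification (not stated on the slides):
# GF(2^8) is defined by Q(x) = x^8 + x^7 + x^5 + x^3 + 1 with beta a root of Q, and alpha is
# a root of x^4 + beta^23 x^3 + beta^245 x^2 + beta^48 x + beta^239 over GF(2^8).
Q_POLY = 0x1A9
BETA = 0x02

def gf8_mul(a, b):
    """Multiply in GF(2^8), reducing modulo Q_POLY."""
    r = 0
    while b:
        r ^= a * (b & 1)      # add a when the low bit of b is set (XOR is addition in GF(2^8))
        a = (a << 1) ^ (Q_POLY if a & 0x80 else 0)
        b >>= 1
    return r

def beta_pow(e):
    """beta^e in GF(2^8) (the multiplicative group has order 255)."""
    r = 1
    for _ in range(e % 255):
        r = gf8_mul(r, BETA)
    return r

# alpha^4 and alpha^(-1) written as polynomials in alpha, coefficients indexed by degree 0..3
ALPHA4 = [beta_pow(239), beta_pow(48), beta_pow(245), beta_pow(23)]
ALPHA_INV = [beta_pow(64), beta_pow(6), beta_pow(39), beta_pow(16)]

def byte(x, i):
    """x(i), the i-th byte of a 32-bit word; byte i is the coefficient of alpha^i."""
    return (x >> (8 * i)) & 0xFF

def mul_alpha(x):
    """alpha * x: coefficients move up one degree and the overflow c3 * alpha^4 is reduced."""
    c3 = byte(x, 3)
    return sum(((byte(x, i - 1) if i else 0) ^ gf8_mul(c3, ALPHA4[i])) << (8 * i) for i in range(4))

def mul_alpha_inv(x):
    """alpha^(-1) * x: coefficients move down one degree and c0 * alpha^(-1) is expanded."""
    c0 = byte(x, 0)
    return sum(((byte(x, i + 1) if i < 3 else 0) ^ gf8_mul(c0, ALPHA_INV[i])) << (8 * i) for i in range(4))

def feedback(s1, s4, s10):
    """Word-level LFSR feedback: s11 = s10 xor alpha^(-1) s4 xor alpha s1."""
    return s10 ^ mul_alpha_inv(s4) ^ mul_alpha(s1)

def feedback_byte(i, s1, s4, s10):
    """Byte i of s11 from the bytes of Figure 3 only: s10(i), s4(0), s4(i+1), s1(3), s1(i-1)."""
    r = byte(s10, i) ^ gf8_mul(byte(s4, 0), ALPHA_INV[i]) ^ gf8_mul(byte(s1, 3), ALPHA4[i])
    if i < 3:
        r ^= byte(s4, i + 1)
    if i > 0:
        r ^= byte(s1, i - 1)
    return r
```

For i = 0, feedback_byte uses exactly s_1(3), s_4(0), s_4(1) and s_10(0), which is the slide's example; the other bytes of s_1, s_4 and s_10 never enter.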

14 4 Our attack 4.1 Basic idea of the guess and determine attack The guess and determine attack is a common cryptanalytic method. Its basic idea is:
Guess: first guess the values of a portion of the internal state of the target algorithm;
Deduce: then deduce the values of the rest of the internal state from the guessed portion and a few known keystream words;
Test: finally generate a segment of keystream from the recovered values and test their correctness by comparing it with the known keystream. If it does not match, return to the Guess step.

15 The execution of our attack Our attack is based on the following assumption: lsb(R1_1) = 1. The guessing and deducing procedure of the attack can be subdivided into five phases: 1. Guess the values of s_1, s_2, s_3, R2_1(0), R2_1(1), R2_1(2) and the remaining 31 bits of R1_1, and deduce the values of s_10(0), R1_2(0), R2_2, s_11(0), s_4(1), s_10(1), R1_2(1), s_11(1), s_4(2), s_10(2), R1_2(2), s_11(2) and s_4(3).

16 Figure 4: The illustration of the deduction in Phase 1 (legend: the guessed byte, the deduced byte)

17 2. By the assumption lsb(R1_1) = 1, which implies R1_2 = R2_1 ⊞ (s_3 ⊕ s_10), we get the equation on the variable s_10(3): where a, b, c and d are known. Since s_10(3) occurs three times in the above equation, it is easy to check that equation (12) has exactly one solution for s_10(3). So we can solve it and obtain s_10(3). Further we deduce s_11(3), R2_1(3) and R2_2(3). Up to now we have obtained s_1, s_2, s_3, s_4, s_10, s_11, R1_1, R2_1, R1_2 and R2_2. 3. Further deduce R1_3, R2_3, R1_4, R2_4, R1_5, R2_5, R2_6, s_5, s_6, s_12 and s_13.

18 Figure 5: The illustration of the deduction in Phases 2 and 3 (legend: the known byte, the byte deduced in Phase 2, the byte deduced in Phase 3)

19 4. Further guess s_7(0) and s_8(0), and deduce the remaining bytes of s_7 and s_8. 5. Finally deduce s_9.

20 Figure 6: The illustration of the deduction in Phases 4 and 5 (legend: the known byte, the guessed byte, the deduced byte)

21 Time and data complexity
Time complexity: operations. In Phase 1 and Phase 4 we guess a total of 175 bits of the internal state, including s_1, s_2, s_3, R2_1(0), R2_1(1), R2_1(2), s_7(0), s_8(0) and the remaining 31 bits of R1_1. Consider also the assumption, which holds true with probability
Data complexity: about 20 words of keystream. In the guessing phase: 8 words; in the testing phase: about 8 words (when 16 words are given, they total 512 bits, which is more than the 384 bits of the internal state, so the internal state is determined by them and they can be used to test the correctness of the recovered internal state); for the assumption: another 4 words (by shifting the keystream by 4 words we can test two cases).

22 5 Further discussion on our attack Here it should be pointed out that the assumption lsb(R1_1) = 1 is NOT necessary for our attack to work. In fact, when lsb(R1_1) = 0, which implies R1_2 = R2_1 ⊞ s_3, we similarly get the equation on s_10(3): The above equation has either no solution or 2^k solutions for some integer k. However, when a', b', c' and d' go through all possible values, the total number of solutions is just equal to We directly guess 160 bits of the internal state in Phase 1, and after Phase 2 we get possible values in total. For each of them we go on with Phases 3, 4 and 5. So the time complexity is still operations, but the data complexity reduces to about 16 keystream words.

23 6 Conclusion In this work we presented a byte-based guess and determine attack on SOSEMANUK, which needs only a few words of known keystream to recover the whole internal state of SOSEMANUK with time complexity operations. Since SOSEMANUK supports key lengths from 128 to 256 bits, this shows that when the chosen encryption key is longer than 176 bits, our attack is more efficient than exhaustive key search.

24 Thank you !