Resynchronization Attacks on WG and LEX Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC

KULeuven, ESAT/COSIC2 Overview 1. Introduction to WG 2. Differential Attack on WG 3. Introduction to LEX 4. Slide Attack on LEX

KULeuven, ESAT/COSIC3 Description of WG (1) submission to the eStream key up to 128 bits, IV up to 128 bits hardware efficient stream cipher (profile II) consists of a regularly clocked LFSR over GF(2 29 ) a regularly clocked LFSR over GF(2 29 ) defined by γ defined by p(x) = x 11 + x 10 + x 9 + x 6 + x 3 + x + γ and a WG transform that maps GF(2 29 )  GF(2) and a WG transform that maps GF(2 29 )  GF(2)

KULeuven, ESAT/COSIC4 Description of WG (2) Keystream generation of WG

KULeuven, ESAT/COSIC5 Description of WG (3) WG Transformation

KULeuven, ESAT/COSIC6 Description of WG (4) Key and IV setup of WG (22 Steps)

KULeuven, ESAT/COSIC7 Differential Attack on WG (1) Overview of the Attack the taps of LFSR are poorly chosen the taps of LFSR are poorly chosen 22 steps fail to randomize the differential propagation 22 steps fail to randomize the differential propagation at the end of the 22 nd step, the differential in the at the end of the 22 nd step, the differential in the LFSR is exploited to recover the secret key LFSR is exploited to recover the secret key => 48 key bits recovered with about 2 31 chosen IVs => 48 key bits recovered with about 2 31 chosen IVs (80-bit key and 80-bit IV) (80-bit key and 80-bit IV)

KULeuven, ESAT/COSIC8 Differential Attack on WG (2) Attack - differential propagation in key/IV setup of WG

KULeuven, ESAT/COSIC9 Differential Attack on WG (3) Attack - differential propagation in key/IV setup of WG (Contd.)

KULeuven, ESAT/COSIC10 Differential Attack on WG (4) At the end of the 22 nd step, the difference at S(10) is S(10) is related to the first keystream bit. Observing the values of the first keystream bits generated from the related IV, we are able to determine whether the value of is 0, then we can recover 29 bits of key IVs for the version with 80-bit IV, 80-bit key (details are omitted here)

KULeuven, ESAT/COSIC11 Differential Attack on WG (5) The differential attack on WG is different from the differential attack on block ciphers Difference generation -- change the input difference and SOME input value to generate many different change the input difference and SOME input value to generate many different Filtering -- change OTHER input value (without modifying ) to generate keystream bits to see whether the related keystream bits are always identical, then to identify whether is 0 change OTHER input value (without modifying ) to generate keystream bits to see whether the related keystream bits are always identical, then to identify whether is 0

KULeuven, ESAT/COSIC12 How to Improve WG WG designers proposed 44-step key/IV setup => small change secure against the differential attack secure against the differential attack => but not that efficient with properly chosen LFSR taps and output tap, with properly chosen LFSR taps and output tap, it is possible to use only 22 steps it is possible to use only 22 steps

KULeuven, ESAT/COSIC13 Description of LEX (1) submission to the eStream 128-bit key, 128-bit IV software and hardware efficient (profile I & II) Design: based on AES OFB mode based on AES OFB mode 4 bytes extracted from each round to form keystream 4 bytes extracted from each round to form keystream

KULeuven, ESAT/COSIC14 Description of LEX (2) Initialization and keystream generation

KULeuven, ESAT/COSIC15 Description of LEX (3) Extracted bytes in the even and odd rounds

KULeuven, ESAT/COSIC16 Slide Attack on LEX (1) Security of LEX depends on that only a small fraction of information is leaked from each round If one round input in LEX is known, then the key could be recovered easily.

KULeuven, ESAT/COSIC17 Slide Attack on LEX (2) In LEX, the same key with two IVs, if keystream 1 is the shifted version of keystream 2, then one input to AES for generating keystream 1 is equivalent to IV 2 => The input to AES is known 32 bits of the first round output are known 32 bits of the first round output are known => 32 bits of the key could be recovered easily

KULeuven, ESAT/COSIC18 Slide Attack on LEX (3) If each IV is used to generate about 500 outputs, then with about 2 61 IVs, 3 pairs of the shifted keystreams could be observed and 96 key bits could be recovered.

KULeuven, ESAT/COSIC19 Slide Attack on LEX (4) LEX is as strong as AES counter mode? No. AES counter mode => A particular key can never be recovered faster A particular key can never be recovered faster than brute force search than brute force search LEX => A particular key recovered with random IVs, A particular key recovered with random IVs, 20,000 bytes from each IV, faster than brute force search 20,000 bytes from each IV, faster than brute force search

KULeuven, ESAT/COSIC20 How to Improve LEX Our suggestion => For each LEX IV, use LEX key and LEX IV to generate an AES key and AES IV

KULeuven, ESAT/COSIC21 Conclusion (1) Lesson from the WG design => To ensure that the tap distances are co-prime To ensure that the tap distances are co-prime in a FSR (including the LFSR on GF(2 m )) in a FSR (including the LFSR on GF(2 m ))

KULeuven, ESAT/COSIC22 Conclusion (2) Lessons from the LEX design => 1) It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream use the mixed values to generate the keystream 2) try to avoid using the stream cipher key directly in the keystream generation keystream generation (more general, try to avoid using static secret parameters in the (more general, try to avoid using static secret parameters in the keystream generation) (LEX, Salsa20, ABC, SEAL …) keystream generation) (LEX, Salsa20, ABC, SEAL …)

KULeuven, ESAT/COSIC23 Thank you! Q & A