Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC.

Overview
1. Introduction to DECIM
2. Key Recovery Attack (on Initialization)
3. Distinguishing Attack
4. Conclusion

Description of DECIM (1)
Submission to eSTREAM: 80-bit key, 64- or 80-bit IV, hardware-efficient stream cipher (profile II).
Main features:
1. ABSG decimation algorithm (similar to the self-shrinking generator, 25% more efficient)
2. Buffer for a constant output rate

Description of DECIM (2)
Keystream generation (diagram; not reproduced in the transcript)

Description of DECIM (3)
DECIM consists of:
- a 192-bit regularly clocked LFSR (14 taps)
- two filtering functions (different tap positions)
- ABSG decimation: split the sequence into frames of the given form; if i = 0, output the bit b, otherwise output the inverse of b
- a 32-bit buffer: for every 4/3 input bits, only one output bit
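As an added illustration (not code from the slides or from the DECIM designers), the following implements the ABSG frame splitting and output rule described above. The frame convention (b, then i copies of the inverse of b, then b) is an assumption about the pattern the transcript omits, and the 16-bit LFSR is a constructed stand-in for DECIM's filtered LFSR output, used only to check the average input-to-output ratio of about 3:1 (the self-shrinking generator needs about 4:1, matching the "25% more efficient" remark).

```python
def absg_frames(bits):
    """Split `bits` into ABSG frames and give each frame's output bit.

    Frame convention assumed here: (b, inverse of b repeated i times, b), i >= 0.
    A frame with i == 0 outputs b; any other frame outputs the inverse of b.
    A trailing frame that never closes produces no output.
    Returns a list of (frame_bits, output_bit) pairs.
    """
    frames = []
    pos, n = 0, len(bits)
    while pos < n:
        start = pos
        b = bits[pos]
        pos += 1
        i = 0
        while pos < n and bits[pos] != b:   # count the run of inverse bits
            i += 1
            pos += 1
        if pos == n:                        # ran out of input mid-frame
            break
        pos += 1                            # consume the closing b
        frames.append((tuple(bits[start:pos]), b if i == 0 else 1 - b))
    return frames

def absg(bits):
    """Decimated output sequence of the ABSG."""
    return [out for _, out in absg_frames(bits)]

def lfsr_bits(count, state=0xACE1):
    """Constructed input: a maximal 16-bit Fibonacci LFSR (x^16+x^14+x^13+x^11+1),
    standing in for DECIM's filtered LFSR output, which is not on the slides."""
    out = []
    for _ in range(count):
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)
        out.append(state & 1)
    return out

def input_bits_per_output(bits):
    """Average number of input bits consumed per ABSG output bit (about 3)."""
    return len(bits) / len(absg(bits))

if __name__ == "__main__":
    for frame, out in absg_frames([1, 1, 0, 1, 1, 0, 0, 1, 0]):
        print(frame, "->", out)
    print("input bits per output bit:", input_bits_per_output(lfsr_bits(3000)))
```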

Description of DECIM (4)
Key/IV setup: 192 steps; each step applies the non-linear feedback and a permutation on 7 LFSR bits.

Key Recovery Attack (1)
Overview of the attack:
- The permutations are used to update the LFSR
  => 54.5 bits in the LFSR are not updated during the key/IV setup
  => key recovered with 2^20 random IVs, the first 2 keystream bytes and negligible computation

Key Recovery Attack (2)
Two permutations operate on 7 elements (s_{t+5}, s_{t+31}, s_{t+59}, s_{t+100}, s_{t+144}, s_{t+177}, s_{t+186}).
If the output of the ABSG is 1, the first permutation is used; otherwise, the second is used.

Key Recovery Attack (3)
Using a permutation to update the FSR is bad:
- Without the permutation, every bit in the FSR is updated once every 192 steps.
- With the permutation on the FSR, the bit positions are changed: some bits are updated more than once while other bits are not updated at all!
=> No matter how the permutation is designed, the updating will not be uniform over all the bits.

Key Recovery Attack (4)
The key-dependent selection of permutations does not hide the intrinsic weakness of the permutation
=> on average 54.5 bits in the LFSR are not updated.

Key Recovery Attack (5)
To recover the key, we need to trace each key bit to see how it is updated during the 192 steps of the initialization
=> very tedious; use a computer program to trace those key bits.
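To make the argument of the last three slides concrete, here is an added simulation of the tracing idea (not the authors' program, and not DECIM's real permutations, which are not on the slides). A 192-cell register is clocked 192 times, using the 7 tap positions from slide Key Recovery Attack (2); cells carry labels instead of bits, so any initial label still present at the end is a key/IV bit the feedback never overwrote. The two permutations and the per-step selection sequence are constructed assumptions.

```python
# Tap positions of the permuted cells, relative to step t (from the slide).
TAPS = (5, 31, 59, 100, 144, 177, 186)
N = 192          # LFSR length and number of key/IV setup steps

# Constructed stand-ins for DECIM's two permutations (the real ones are not
# on the slides).  Entry k says which of the 7 tapped cells cell k is refilled from.
PERM_SWAP = (6, 1, 2, 3, 4, 5, 0)   # exchanges s_{t+5} and s_{t+186}
PERM_ROT = (1, 2, 3, 4, 5, 6, 0)    # rotates the 7 tapped cells by one

def surviving_initial_bits(select, perms=(PERM_SWAP, PERM_ROT), steps=N):
    """Count register cells whose content still comes from the initial
    key/IV loading after `steps` clocks.

    Cells hold labels: an int is an initial bit, None is a value produced by
    the feedback.  Each clock drops s_t and appends fresh feedback at the far
    end; then perms[select[t]] reorders the 7 tapped cells.  A permutation
    only moves labels (it is a bijection), so every int left at the end is a
    key/IV bit that was never overwritten.  perms=None models an FSR without
    the permutation, where every cell is refreshed exactly once in 192 steps.
    """
    reg = list(range(N))
    for t in range(steps):
        reg = reg[1:] + [None]              # shift: s_t out, feedback in
        if perms is not None:
            p = perms[select[t]]
            vals = [reg[i] for i in TAPS]
            for k, i in enumerate(TAPS):
                reg[i] = vals[p[k]]
    return sum(1 for x in reg if x is not None)

if __name__ == "__main__":
    always_swap = [0] * N
    alternating = [t % 2 for t in range(N)]   # stand-in for the ABSG-driven choice
    print("no permutation :", surviving_initial_bits(always_swap, perms=None))
    print("swap only      :", surviving_initial_bits(always_swap))
    print("mixed choice   :", surviving_initial_bits(alternating))
```

With PERM_SWAP alone, a bit reaching s_{t+5} is thrown back to s_{t+186} and escapes the feedback, so 181 of the 192 initial cells survive; the exact count for DECIM (54.5 on average, per the slides) depends on its real permutations, but the non-uniformity itself does not.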

Key Recovery Attack (6)
One example: recovering K_21
- s_21 = K_21 OR IV_21
- s_21 is not updated and becomes s with prob. 1/27
- s is used in the generation of the first keystream bit z_0:
  if s is 0, then z_0 = 0 with prob. 56/128;
  if s is 1, then z_0 = 0 with prob. 72/128
- if K_21 = 1, the distribution of z_0 is independent of IV_21;
  if K_21 = 0, the distribution of z_0 is affected by IV_21
=> used to identify K_21 with about [count missing in transcript] random IVs

Distinguishing Attack (1)
Overview of the attack:
- The filtering functions are not 1-resilient
- The ABSG cannot hide the non-randomness
=> any two adjacent keystream bits are equal with probability [value missing in transcript]; a message is recovered if it is encrypted 2^18 times

Distinguishing Attack (2)
Bias from the filtering function: if two inputs share one common bit, the two output bits are equal with prob. 65/128.

Distinguishing Attack (3)
Bias passing through the ABSG decimation and buffer:
- Deal with the bits whose relations are not affected significantly by the ABSG decimation algorithm, i.e., the bits with small distance.
- For these three pairs of bits, passing through the ABSG decimation and buffer does not reduce the bias too much (by about 8 to 32 times).
- But the analysis is too complicated (details omitted here).

Distinguishing Attack (4)
Any two adjacent keystream bits are equal with probability [value missing in transcript].
The bias is large enough for the broadcast attack: if a message is encrypted by DECIM 2^18 times, the message can be recovered.

DECIM v2
Initialization: permutation removed; 768 steps.
Keystream generation: one LFSR + one filtering function + ABSG + buffer; 1-resilient filtering function.
Greatly simplified compared to the original version.

Conclusion
- Using a permutation to update an FSR is undesirable.
- Design Boolean functions conservatively (high resilience, ...).

Thank you! Q & A