Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.

Published byMatthew Spencer Modified over 11 years ago

Similar presentations

Presentation on theme: "1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between."— Presentation transcript:

1 1 KCipher-2 KDDI R&D Laboratories Inc.

2 ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between internal states as a feedback polynomial. LFSR-based stream ciphers have been attacked using the linear recurrence. In KCipher-2, Dynamic Feedback Control mechanism is used for hiding the linear recurrence.

3 ©KDDI R&D Laboratories Inc. All rights Reserved. 3 Design policy Security Produce sufficient period sequences Use different two functions (NLF, and Dynamic Feedback Control) Satisfy -bit key level security Performance Good Performance for Software implementation Consist of basic operations

4 ©KDDI R&D Laboratories Inc. All rights Reserved. 4 Advantages of KCipher-2 Fast Encryption/Decryption KCipher-2 suits fast software implementations 128-bit keys are available Size of Internal State is Small The size is 640 bits Security Margin KCipher-2 is secure without the need for a DFC mechanism. The DFC mechanism is an extra security margin. Resistance against Existing Attacks NLF is designed in consideration of attacks on SNOW 2.0 such as an algebraic attack and a distinguishing attack.

5 ©KDDI R&D Laboratories Inc. All rights Reserved. 5 Profile of K2 128- Key 128-bit IV 640-bit state 32-bit X 16 Registers (FSR-A, FSR-B) 32-bit X 4 Internal Memories for NLF 64-bit keystream per cycle Max cycle without re-initialization is 2^58 cycle (2^64 keystream bits) The algorithm was presented in SASC 2007 workshop (Jan. 2007) -> satisfy the maturity criteria

6 ©KDDI R&D Laboratories Inc. All rights Reserved. 6 KCipher-2

7 ©KDDI R&D Laboratories Inc. All rights Reserved. 7 Use Two Functions Non-Linear Function (NLF) and Dynamic Feedback Control (DFC) NLF Provide nonlinearity of output keystream Dynamic Feedback Control Hide Linear Recurrence of FSR-B

8 ©KDDI R&D Laboratories Inc. All rights Reserved. 8 Dynamic Feedback Control Control coefficients for FSR-B Feedback (Clock) Controller 0, 1 2 bits of FSR-A

9 ©KDDI R&D Laboratories Inc. All rights Reserved. 9 Dynamic Feedback Control (cont.) Performance Do not increase the cost significantly Only change a table of multiplying coefficients α_i. Security The attacker may need to guess control bits in some attacks such as Guess-and-Determine Attacks Algebraic Attacks Hide linear recurrence between internal states of FSR-B Effective for protecting against several attacks

10 ©KDDI R&D Laboratories Inc. All rights Reserved. 10 Non-Linear Function Four 32-bit Substitution functions are used Connect Four internal Memories via the Substitution Functions Input six registers Output 64-bit keystream per cycle Well-evaluated structure (like SNOW) The number of S-Box is twice as that of SNOW

11 ©KDDI R&D Laboratories Inc. All rights Reserved. 11 Non-Linear Function (2) Left Part and Right part of NLF is connected Produce double-length keystream Improve the security Left or right keystream is computed from previous memories of both sides. L2 L1R2 R1 Sub Substitution consists of well-evaluated S-boxes and a linear permutation (same as SNOW). Internal memories hide relation between registers and keystream. LFSR-A LFSR-B

12 ©KDDI R&D Laboratories Inc. All rights Reserved. 12 Analysis of KCipher-2 Stream Cipher Periods The period is expected to be more than the periods of output of FSR-A Statistical Tests Evaluated output of FSR-A, FSR-B, and keystream These properties were good

13 ©KDDI R&D Laboratories Inc. All rights Reserved. 13 Security against Existing Attacks Time-Memory trade off Lengths of IV and the secret keys are sufficiently large. Internal state is sufficiently larger than the secret key Correlation Attack No correlation that has large probability was found. Chosen/Related IV Attack The internal state is well mixed by the initialization process. Secure

14 ©KDDI R&D Laboratories Inc. All rights Reserved. 14 Security against existing Attacks(2) Guess-and-Determine Attack In case of attacking FSR-B without multiplying α i (i=1,2,3) Assume that the attacker obtain values The attacker have to guess two registers and four memories to recover all registers of FSR-B. The complexity is O(2^196) However, the attacker have to guess at least two registers of FSR-A without the assumption. The attack is more than O(2^256) Dynamic feedback makes the attack more complicated. Secure

15 ©KDDI R&D Laboratories Inc. All rights Reserved. 15 Security against Existing Attacks(3) Distinguishing Attack Secure The attacker have to use four mask values. (two masks for attacking SNOW 2.0) Sub consists of AES S- boxes; thus, it has a good linear property. We could not find a linear distinguisher with a feasible linear probability. Dynamic feedback prevents the attack

16 ©KDDI R&D Laboratories Inc. All rights Reserved. 16 Security against Existing Attacks(4) Algebraic Attacks General evaluation results were good. A algebraic attack such as an attack on SNOW 2.0 is impossible, because; The attacker cannot obtain a linear equation of fixed values of keystream and registers. The attacker have to guess control bits of FSR-B. Secure

17 ©KDDI R&D Laboratories Inc. All rights Reserved. 17 Performance Performance on Pentium4 3.2 GHz The algorithm consists of XOR, ADD, and Table lookups. Performances of these computation is expected to be independent against CPU types. Key. Gen.Init. Kcipher-2 (Optimal) 5.45 C/Byte1162 C/Init.

Download ppt "1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between."

Similar presentations

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
6.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 2 Data Encryption Standard (DES)

6.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 2 Data Encryption Standard (DES)
Hashes and Message Digests

Hashes and Message Digests
0 - 0.

0 - 0.
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
Kasumi Block Cipher Data Encryptors Darshan Gandhi Rushabh Pasad.

Kasumi Block Cipher Data Encryptors Darshan Gandhi Rushabh Pasad.
Scalable Involutional PP-1 Block Cipher for Limited Resources K. Chmiel, A. Grocholewska-Czuryło, J. Stokłosa Poznan University of Technology Institute.

Scalable Involutional PP-1 Block Cipher for Limited Resources K. Chmiel, A. Grocholewska-Czuryło, J. Stokłosa Poznan University of Technology Institute.
Virtual Memory 1 Computer Organization II ©2005-2013 McQuain Virtual Memory Use main memory as a cache for secondary (disk) storage – Managed jointly.

Virtual Memory 1 Computer Organization II © McQuain Virtual Memory Use main memory as a cache for secondary (disk) storage – Managed jointly.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
International Data Encryption Algorithm

International Data Encryption Algorithm
From Crypto-Theory to Crypto-Practice 1 CHAPTER 14: From Crypto-Theory to Crypto-Practice SHIFT REGISTERS The first practical approach to ONE-TIME PAD.

From Crypto-Theory to Crypto-Practice 1 CHAPTER 14: From Crypto-Theory to Crypto-Practice SHIFT REGISTERS The first practical approach to ONE-TIME PAD.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.

1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.

Similar presentations

Ads by Google