1 / 23

Resynchronization Attacks on WG and LEX

Resynchronization Attacks on WG and LEX. Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC. Overview. 1. Introduction to WG 2. Differential Attack on WG 3. Introduction to LEX 4. Slide Attack on LEX. Description of WG (1). submission to the eStream

aisha
Télécharger la présentation

Resynchronization Attacks on WG and LEX

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Resynchronization Attacks on WG and LEX Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC

  2. Overview 1. Introduction to WG 2. Differential Attack on WG 3. Introduction to LEX 4. Slide Attack on LEX KULeuven, ESAT/COSIC

  3. Description of WG (1) submission to the eStream key up to 128 bits, IV up to 128 bits hardware efficient stream cipher (profile II) consists of a regularly clocked LFSR over GF(229) defined by p(x) = x11 + x10 + x9 + x6 + x3 + x + γ and a WG transform that maps GF(229)  GF(2) KULeuven, ESAT/COSIC

  4. Description of WG (2) Keystream generation of WG KULeuven, ESAT/COSIC

  5. Description of WG (3) WG Transformation KULeuven, ESAT/COSIC

  6. Description of WG (4) Key and IV setup of WG (22 Steps) KULeuven, ESAT/COSIC

  7. Differential Attack on WG (1) Overview of the Attack the taps of LFSR are poorly chosen 22 steps fail to randomize the differential propagation at the end of the 22nd step, the differential in the LFSR is exploited to recover the secret key => 48 key bits recovered with about 231 chosen IVs (80-bit key and 80-bit IV) KULeuven, ESAT/COSIC

  8. Differential Attack on WG (2) Attack - differential propagation in key/IV setup of WG KULeuven, ESAT/COSIC

  9. Differential Attack on WG (3) Attack - differential propagation in key/IV setup of WG (Contd.) KULeuven, ESAT/COSIC

  10. Differential Attack on WG (4) At the end of the 22nd step, the difference at S(10) is S(10) is related to the first keystream bit. Observing the values of the first keystream bits generated from the related IV, we are able to determine whether the value of is 0, then we can recover 29 bits of key. 231 IVs for the version with 80-bit IV, 80-bit key (details are omitted here) KULeuven, ESAT/COSIC

  11. Differential Attack on WG (5) The differential attack on WG is different from the differential attack on block ciphers Difference generation -- change the input difference and SOME input value to generate many different Filtering -- change OTHER input value (without modifying ) to generate keystream bits to see whether the related keystream bits are always identical, then to identify whether is 0 KULeuven, ESAT/COSIC

  12. How to Improve WG WG designers proposed 44-step key/IV setup => small change secure against the differential attack => but not that efficient with properly chosen LFSR taps and output tap, it is possible to use only 22 steps KULeuven, ESAT/COSIC

  13. Description of LEX (1) submission to the eStream 128-bit key, 128-bit IV software and hardware efficient (profile I & II) Design: based on AES OFB mode 4 bytes extracted from each round to form keystream KULeuven, ESAT/COSIC

  14. Description of LEX (2) Initialization and keystream generation KULeuven, ESAT/COSIC

  15. Description of LEX (3) Extracted bytes in the even and odd rounds KULeuven, ESAT/COSIC

  16. Slide Attack on LEX (1) Security of LEX depends on that only a small fraction of information is leaked from each round If one round input in LEX is known, then the key could be recovered easily. KULeuven, ESAT/COSIC

  17. Slide Attack on LEX (2) In LEX, the same key with two IVs, if keystream1 is the shifted version of keystream2, then one input to AES for generating keystream1 is equivalent to IV2 => The input to AES is known 32 bits of the first round output are known => 32 bits of the key could be recovered easily KULeuven, ESAT/COSIC

  18. Slide Attack on LEX (3) If each IV is used to generate about 500 outputs, then with about 261 IVs, 3 pairs of the shifted keystreams could be observed and 96 key bits could be recovered. KULeuven, ESAT/COSIC

  19. Slide Attack on LEX (4) LEX is as strong as AES counter mode? No. AES counter mode => A particular key can never be recovered faster than brute force search LEX => A particular key recovered with 260.8 random IVs, 20,000 bytes from each IV, faster than brute force search KULeuven, ESAT/COSIC

  20. How to Improve LEX Our suggestion => For each LEX IV, use LEX key and LEX IV to generate an AES key and AES IV KULeuven, ESAT/COSIC

  21. Conclusion (1) Lesson from the WG design => To ensure that the tap distances are co-prime in a FSR (including the LFSR on GF(2m)) KULeuven, ESAT/COSIC

  22. Conclusion (2) Lessons from the LEX design => 1) It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream 2) try to avoid using the stream cipher key directly in the keystream generation (more general, try to avoid using static secret parameters in the keystream generation) (LEX, Salsa20, ABC, SEAL …) KULeuven, ESAT/COSIC

  23. Thank you! Q & A KULeuven, ESAT/COSIC

More Related