
Speaker: Souradyuti Paul

Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition. Speaker: Souradyuti Paul, Computer Security and Industrial Cryptography (COSIC), Department of Electrical Engineering-ESAT



Presentation Transcript


  1. Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition Speaker: Souradyuti Paul Computer Security and Industrial Cryptography (COSIC) Department of Electrical Engineering-ESAT Katholieke Universiteit Leuven, Belgium Email: Souradyuti.Paul@esat.kuleuven.be Ph.D. Defence

  2. Indian Statistical Institute, Kolkata: M. Tech in Computer Sc. (2001)

  3. Katholieke Universiteit Leuven, Belgium: Ph.D. (2002- )

  4. My given name is Souradyuti. Meaning: Rays of Sun (in Bengali). My family name is Paul. But …..

  5. The rest of the world: Paul. Bengal: Souradyuti

  6. “What's in a Name?“ -William Shakespeare

  7. Overview
  • Introduction to cryptology
  • Scope of cryptology
  • Stream cipher: how it works
  • Our contributions
  • Differential equations of addition
  • Array-based stream ciphers
  • Conclusion

  8. What is Cryptology
  • Cryptology is the science of secrecy systems
  • Greek words: kryptos (secrecy), logos (words)
  • Two frequently used words:
    • Cryptography (mainly about the design of cryptosystems)
    • Cryptanalysis (mainly about attacking cryptosystems)
  • The borderline between the two research areas is fuzzy

  9. Why and Where is Cryptology
  • Communication systems require protection of digital data from unauthorized users
  • Applications of cryptography:
    • Electronic banking
    • Smart cards
    • E-commerce
    • Defense
    • Wireless communications
    • Satellite TV
    • Computer security systems
    • Government identification

  10. Scope of Cryptology: Security Issues
  • Confidentiality of data
    • Primitives: block ciphers, stream ciphers, public key cryptosystems, etc.
  • Authentication of data and entity
    • Primitives: hash functions, message authentication codes, digital signatures, etc.

  11. Cryptology: Based on Secret Key
  • Symmetric key primitives: applications where sender and receiver share a common key
    • Examples: block ciphers (AES), stream ciphers (RC4), hash functions (SHA-1), MACs (HELIX), etc.
  • Asymmetric key primitives: applications where sender and receiver do not share a common key
    • Examples: public key cryptosystems (RSA), digital signatures (DSS), etc.

  12. The Thesis
  • deals with several software-based stream ciphers (more on that later)
  • why stream ciphers:
    • a secure and fast stream cipher is still a far cry from reality
    • failure of the NESSIE project to select a single stream cipher
    • renewed interest in analyzing stream ciphers
    • too close to the ECRYPT project

  13. Perfect Security: Vernam Cipher or One-time Pad
  The scheme is impractical because of the large size of the key.
  Key:        011001001101001101010010…..
  (bitwise XOR)
  Plaintext:  100101001000101001001110…..
  Ciphertext: 111100000101100100011100…

  14. How to manage with short keys?
              011001001101001101010010…..
  (bitwise XOR)
  Plaintext:  100101001000101001001110…..
  Ciphertext: 111100000101011001101100…

  15. How does a Stream Cipher Work?
  • Two stages of a practical stream cipher:
    • Key scheduling algorithm
    • Pseudorandom bit generation algorithm

  16. Stage I: Key/IV Setup (KSA) [Diagram: Key/IV set-up algo (vigorous mixing); Initialization]

  17. Stage II: Pseudorandom Bit Generation Algo. (PRBG) [Diagram: Round 1, Round 2, Round 3, … (mixing in each round); Output 1, Output 2, Output 3; Plaintext 1, Plaintext 2, Plaintext 3; Ciphertext 1, Ciphertext 2, Ciphertext 3]

  18. Distinguishing attacks (I)
  • The stream of bits does not follow the uniform distribution
  011001001101001101010010…..
  Bias in a single stream

  19. Distinguishing attacks (II)
  • The streams of bits do not follow the uniform distribution
  01110011010011000010…..
  01111011010111100010…..
  …
  01011010011110100010…..
  Bias in multiple streams

  20. Broadly we divide our work into two parts
  Part I: Analysis of differential equations of addition and its cryptographic applications
  Part II: Unified analysis of stream ciphers with arrays as the main components of the internal state

  21. Part I: Differential Equations of Addition (DEA)
  • Satisfiability of an arbitrary set of DEA is in the complexity class P
  • Solving an arbitrary set of DEA in time linear in the number of solutions
  • Solving DEA with batch and adaptive queries
  • Cryptanalysis of the Helix stream cipher with both chosen plaintext and adaptive chosen plaintext


  23. Part II: Stream Ciphers Based on Arrays
  • Design of the stream cipher RC4A
  • Unified analysis of array-based stream ciphers
  • Cryptanalysis of:
    • RC4
    • RC4A
    • Py, Py6
    • IA, ISAAC
    • GGHN, NGG


  25. Discussion: Part I. Satisfiability of an arbitrary set of DEA is in the complexity class P

  26. Motivation: Mixing Diff. Group Operations (I)
  • Addition (+): integer addition over Z_{2^n}; a = b + c; a, b, c are n-bit integers
  • XOR (⊕): addition in characteristic 2 over (Z_2)^n; a = b ⊕ c; a, b, c are n-bit integers
  • The combination of addition and XOR is one of the most used symmetric cipher components

  27. Motivation: Why Addition and XOR (II)
  • Extremely fast on all modern machines
  • Generates nonlinear equations over GF(2)

  28. Examples of Addition and XOR
  • HELIX
  • TWOFISH
  • IDEA
  • MARS
  • RC6
  • …

  29. DEA: Differential Eqn. of Addition
  • Investigating addition under differential cryptanalysis
  • Inputs: (a, b), (a’, b’); Outputs: c, c’
    a + b = c
    a’ + b’ = c’
  • Known differences as XOR’s: m, n, p
    • m = a ⊕ a’
    • n = b ⊕ b’
    • p = c ⊕ c’
  • DEA: p = (a + b) ⊕ ((a ⊕ m) + (b ⊕ n))

  30. DEA: What’s the big deal?
  • DEA: p = (a + b) ⊕ ((a ⊕ m) + (b ⊕ n))
  • Each p_i is a nonlinear combination of all the preceding bits
    a_{n-1} a_{n-2} a_{n-3} … a_{i+1} a_i … a_1 a_0
    b_{n-1} b_{n-2} b_{n-3} … b_{i+1} b_i … b_1 b_0
    c_{n-1} c_{n-2} c_{n-3} … c_{i+1} c_i … c_1 0      (carry bits)
    m_{n-1} m_{n-2} m_{n-3} … m_{i+1} m_i … m_1 m_0
    n_{n-1} n_{n-2} n_{n-3} … n_{i+1} n_i … n_1 n_0
    -----------------------------------------------------
    p_{n-1} p_{n-2} p_{n-3} … p_{i+1} p_i … p_1 0

  31. The Problem: DEA-sat
  • Consider an arbitrary set of DEA:
    p[i] = (a + b) ⊕ ((a ⊕ m[i]) + (b ⊕ n[i])),  i = 0, 1, 2, …, k
  • Secret: (a, b)
  • Known: p[i], m[i], n[i] for all i = 0, 1, 2, …, k
  • k = O(n^l), l is a constant
  • DEA-Sat: contains all satisfiable sets of DEA
  • Question: verify membership in DEA-Sat

  32. DEA-sat is in P
  • In 1992, Berson observed that “it is hard to analyze addition, for large n, when differences are expressed as XOR’s” [Berson, Eurocrypt 1992]
  • DEA-Sat by trivial exhaustive search requires time O(n^l · 2^{2n})
  • We verified membership in DEA-Sat in O(poly(n)) time

  33. DEA-sat is in P: How?
  • Clue 1: “Equivalence” of two eqn.
    • p = (a + b) ⊕ ((a ⊕ m) + (b ⊕ n))
    • p’ = (a + b) ⊕ ((a ⊕ m) + (b ⊕ n)) ⊕ m ⊕ n
    • There are k such equations
  • Clue 2: Dependence among bits of a, b, m, n, p’
    a_{n-1} a_{n-2} a_{n-3} … a_{i+1} a_i … a_1 a_0
    b_{n-1} b_{n-2} b_{n-3} … b_{i+1} b_i … b_1 b_0
    c_{n-1} c_{n-2} c_{n-3} … c_{i+1} c_i … c_1 0      (carry bits)
    m_{n-1} m_{n-2} m_{n-3} … m_{i+1} m_i … m_1 m_0
    n_{n-1} n_{n-2} n_{n-3} … n_{i+1} n_i … n_1 n_0
    -----------------------------------------------------
    p’_{n-1} p’_{n-2} p’_{n-3} … p’_{i+1} p’_i … p’_1 0
  • Whether there exists a solution (a_i, b_i, c_i) for (m_i, n_i, p’_i, p’_{i+1})

  34. Tabulating: for each (m_i, n_i, p’_i) = 0,0,0; 0,0,1; 0,1,0; 0,1,1; 1,0,0; 1,0,1; 1,1,0; 1,1,1 and each p’_{i+1}, the consistent triples (a_i, b_i, c_i)

  35. Beyond the Satisfiability Problem… Computing all the solutions of an arbitrary set of differential equations of addition

  36. The Problem: DEA-comp
  • DEA-Comp: compute all solutions to a given set of DEA
  • Our algorithm solves DEA-Comp with running time linear in the number of solutions
  • Our technique is combinatorial (different from traditional methods such as Gröbner bases)

  37. DEA-comp: How
  • Consider the eqn.
    p’ = (a + b) ⊕ ((a ⊕ m) + (b ⊕ n)) ⊕ m ⊕ n
  • Individual solution, S_i
    a_{n-1} a_{n-2} a_{n-3} … a_{i+1} a_i … a_1 a_0
    b_{n-1} b_{n-2} b_{n-3} … b_{i+1} b_i … b_1 b_0
    c_{n-1} c_{n-2} c_{n-3} … c_{i+1} c_i … c_1 0      (carry bits)
    m_{n-1} m_{n-2} m_{n-3} … m_{i+1} m_i … m_1 m_0
    n_{n-1} n_{n-2} n_{n-3} … n_{i+1} n_i … n_1 n_0
    -----------------------------------------------------
    p’_{n-1} p’_{n-2} p’_{n-3} … p’_{i+1} p’_i … p’_1 0
  • All solutions, S = 4·S_{n-2}·S_{n-3} ⋯ S_i ⋯ S_1·S_0
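The DEA of slides 29 to 34 and the exhaustive baseline of slide 32 worked on small words, as an added example: it is not the thesis's code and does not reproduce its polynomial-time DEA-Sat or linear-time DEA-Comp algorithms, and the names dea, carries, bit_table and brute_force_solutions are this example's own.

```python
# Added example, not code from the thesis or the slides: the differential
# equation of addition (DEA) of slide 29, the carry "equivalence" of slide 33,
# the per-bit table of slide 34, and slide 32's trivial exhaustive search.
from itertools import product

def maj(x, y, z):
    """Majority function: the carry out of a full adder."""
    return (x & y) | (x & z) | (y & z)

def dea(a, b, m, n, nbits):
    """p = (a + b) XOR ((a XOR m) + (b XOR n)) on nbits-bit words."""
    mask = (1 << nbits) - 1
    return ((a + b) ^ ((a ^ m) + (b ^ n))) & mask

def carries(a, b, nbits):
    """Carry vector of a + b: c_0 = 0, c_{i+1} = maj(a_i, b_i, c_i)."""
    c, carry = 0, 0
    for i in range(nbits):
        c |= carry << i
        carry = maj((a >> i) & 1, (b >> i) & 1, carry)
    return c

def carry_identity_holds(nbits):
    """Slide 33, clue 1: p' = p XOR m XOR n equals the XOR of the two carry
    vectors (so p'_0 is always 0). Checked exhaustively for every a, b, m, n."""
    mask = (1 << nbits) - 1
    for a, b, m, n in product(range(1 << nbits), repeat=4):
        p_prime = (dea(a, b, m, n, nbits) ^ m ^ n) & mask
        if p_prime != carries(a, b, nbits) ^ carries(a ^ m, b ^ n, nbits):
            return False
    return True

def bit_table(mi, ni, pi, pi1):
    """Slide 34: the set S_i of (a_i, b_i, c_i) consistent with (m_i, n_i, p'_i, p'_{i+1}).
    Because p'_i = c_i XOR c'_i, position i must satisfy
    p'_{i+1} = maj(a_i, b_i, c_i) XOR maj(a_i^m_i, b_i^n_i, c_i^p'_i)."""
    return {(ai, bi, ci) for ai, bi, ci in product((0, 1), repeat=3)
            if maj(ai, bi, ci) ^ maj(ai ^ mi, bi ^ ni, ci ^ pi) == pi1}

def brute_force_solutions(equations, nbits):
    """Slide 32's trivial O(2^{2n}) search (not the thesis's polynomial algorithm):
    every secret (a, b) that satisfies all known (m, n, p) triples."""
    return [(a, b) for a in range(1 << nbits) for b in range(1 << nbits)
            if all(dea(a, b, m, n, nbits) == p for m, n, p in equations)]
```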

  38. Part I: Other Results
  • Satisfiability of an arbitrary set of DEA is in the complexity class P
  • Solving an arbitrary set of DEA in time linear in the number of solutions
  • Solving DEA with batch and adaptive queries
  • Cryptanalysis of the Helix stream cipher with both chosen plaintext and adaptive chosen plaintext

  39. Discussion: Part II. Array-based stream ciphers and distinguishing attacks on Py

  40. Internal State of an Array Based Cipher: ith round [Figure: array indexed 000 … 255 holding entries such as 094, 253, 096, 143, 198, 113, 165, 187; pointer variables X and Y]

  41. Single round of an Array Based Cipher: (i+t)th round [Figure: the same array state as slide 40 with pointers X and Y and the Predicted Output marked]

  42. The basic idea of our attacks and assumptions
  • Assumption: Key/IV set-up is perfect
  • Focus: mixing of bits in a round
  • Identify: a class of internal states introducing bias in the outputs
  • Observe: the rest of the states do not cancel the bias (reason: rigorous mixing)
  • Conclude: the output is biased on a randomly chosen internal state

  43. Single round of Py: ith round [Figure: arrays P and Y with indices -3 … 256 and entries labelled X, X’, Y, Z, L, M, N, P, Q, F; outputs O(1,i) and O(2,i)]

  44. Main observation: a lucky case in the array P [Figure: array P over Round 1, Round 2 and Round 3 showing positions 26, 72, 116, 208, 239 and the labels X, Y, -18 mod 32, 7 mod 32, 254, X+1, Y+1]

  45. Outputs at 1st and 3rd rounds
  O(1,1) = (S ⊕ G) + H
  O(2,3) = (S ⊕ H) + G
  Bias in the lsbs: z = O(1,1)[0] ⊕ O(2,3)[0], P(z = 0) = 1
  [Figure: array indices -3 -2 -1 0 1 … 254 255 256 with entries Y, G, H, H, G across Round 1, Round 2, Round 3]

  46. Quantifying the bias
  • The lucky case L occurs with prob. 2^{-41.9}
  • For the lucky case, P(z = 0 | L) = 1
  • For the rest of the cases, we observe that P(z = 0 | L’) = 1/2 (details in thesis)
  • The overall prob. P(z = 0) = ½ · (1 + 2^{-41.9})

  47. The distinguisher (I)
  [Figure: n Key/IVs, each producing a biased output z]
  • Optimal distinguisher: if # of 0’s ≥ # of 1’s then Py else Random
  • The advantage is close to 0% for n = 1
  • If n = 2^{84.7} then the advantage is more than 50%

  48. The distinguisher (II)
  • Requirements:
    • # of Key/IV’s = 2^{84.7}
    • key stream per Key/IV = 24 bytes
    • time = 2^{84.7} · T_ini
  • The distinguisher works
    • within Py specifications
    • with less than exhaustive search

  49. The distinguisher (III)
  • A single keystream, but it takes outputs longer than 2^{64}
  • To reduce the work load: a hybrid distinguisher with many Key/IVs and fewer than 2^{64} output bytes per Key/IV

  50. Bias in other pairs of bits
  O(1,1) = (S ⊕ G) + H
  O(2,3) = (S ⊕ H) + G
  Bias in the ith bits: z = O(1,1)[i] ⊕ O(2,3)[i], P(z = 0) = 1/2 + µ
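The output pair of slides 45 and 50 counted exactly bit by bit, together with the overall probability of slide 46 and the 0-versus-1 counting rule of slide 47, as an added example that is not code from the thesis or the slides. It assumes S, G, H are independent uniformly random words, which is this example's own modelling of the lucky case, and the function names are its own.

```python
# Added example, not code from the thesis or the slides: the lucky-case output
# pair O(1,1) = (S XOR G) + H and O(2,3) = (S XOR H) + G of slides 45 and 50,
# with S, G, H modelled as independent uniform words (an assumption made here).
from fractions import Fraction
from itertools import product

def z_bit(s, g, h, i, nbits):
    """z = O(1,1)[i] XOR O(2,3)[i] for the lucky-case output structure."""
    mask = (1 << nbits) - 1
    o11 = ((s ^ g) + h) & mask
    o23 = ((s ^ h) + g) & mask
    return ((o11 ^ o23) >> i) & 1

def prob_z_zero(i, nbits):
    """Exact P(z_i = 0) over all nbits-bit S, G, H (exhaustive; keep nbits small).
    Bit 0 always agrees (no carry in); higher bits differ only through the carries,
    because both adders have the same propagate bits S^G^H and different generate bits."""
    zeros = sum(1 - z_bit(s, g, h, i, nbits)
                for s, g, h in product(range(1 << nbits), repeat=3))
    return Fraction(zeros, 1 << (3 * nbits))

def overall_prob_zero(p_lucky, p_zero_given_lucky, p_zero_otherwise=Fraction(1, 2)):
    """Slide 46: P(z=0) = P(L)*P(z=0|L) + (1-P(L))*P(z=0|L').
    With P(z=0|L) = 1 and P(z=0|L') = 1/2 this is (1/2)*(1 + P(L))."""
    return p_lucky * p_zero_given_lucky + (1 - p_lucky) * p_zero_otherwise

def distinguish(z_samples):
    """Slide 47's optimal rule: 'Py' if # of 0's >= # of 1's, else 'Random'."""
    zeros = z_samples.count(0)
    return "Py" if zeros >= len(z_samples) - zeros else "Random"
```

Under that assumption the exhaustive count gives P(z_i = 0) = 1/2 + 2^{-(i+1)}: bit 0 always agrees, as slide 45 states, and µ halves with each higher bit, which is why a distinguisher built on a single bit needs so many Key/IVs once the 2^{-41.9} lucky-case probability is factored in.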
