Stream Ciphers I: Thomas Johansson

The document provides an introduction to stream ciphers. It discusses how stream ciphers work by encrypting individual characters using a time-varying encryption transformation. Stream ciphers are generally faster than block ciphers and have advantages like limited buffering and error propagation. The document outlines various attacks on stream ciphers including key recovery attacks and distinguishing attacks. It also describes how stream ciphers are typically built around a pseudo-random keystream generator and discusses security goals and examples of insecure generator designs.

Uploaded by

Sagar Surendran
Copyright
© Attribution Non-Commercial (BY-NC)

Stream ciphers I

Thomas Johansson
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden [email protected]

May 16, 2011

Outline:

- Introduction to stream ciphers
- Distinguishers
- Basic constructions of distinguishers
- Various types of distinguishing attacks
- eSTREAM and two ciphers from the portfolio

Introduction to stream ciphers

Stream ciphers are important in cryptography since they form one of the two possible ways to provide symmetric encryption. Stream ciphers encrypt individual characters of a plaintext message one by one, using an encryption transformation that varies with time.

Stream ciphers are generally faster than block ciphers in hardware, and have less complex hardware circuitry. They also have some other nice features that in some applications (typically communications applications) tend to be quite important, like limited buffering and limited error propagation.

Introduction to stream ciphers

There is a lot of theoretical knowledge on stream ciphers, and various design principles for stream ciphers have been proposed and extensively analyzed.

Recently, we have seen a lot of fully-specified stream cipher proposals through several design projects, e.g. NESSIE, eSTREAM.

In addition, many proprietary and confidential stream ciphers are used in practice. Some ciphers have initially been confidential but later been leaked to the public, e.g., A5 and RC4.

Introduction to stream ciphers

Most stream cipher constructions use a pseudo-random keystream generator, or simply a generator, to produce a long sequence of binary symbols. The security of a stream cipher is closely connected to how well this sequence of bits resembles a truly random sequence.

Stream ciphers

Consider a binary additive stream cipher. The output sequence of the keystream generator, $z = z_1, z_2, \ldots$, is added bitwise to the plaintext sequence $m = m_1, m_2, \ldots$, producing the ciphertext $c = c_1, c_2, \ldots$. The keystream generator is initialized through a secret key $K$.

Figure: A binary additive stream cipher (the keystream generator outputs $z_1, z_2, \ldots$, which is XORed with $m_1, m_2, \ldots$ to give $c_1, c_2, \ldots$)

Attacks

A known-plaintext attack (or chosen-plaintext or chosen-ciphertext) is equivalent to having access to the keystream $z = z_1, z_2, \ldots, z_N$.

Design goal: efficiently produce random-looking sequences that are indistinguishable from truly random sequences.

Figure: A binary additive stream cipher

Attacks

Two main types of attacks:

- Key recovery attack: Eve tries to recover the value of the secret key $K$.
- Distinguishing attack: Eve tries to determine whether a given sequence $z = z_1, z_2, \ldots, z_N$ is likely to have been generated from the considered stream cipher or whether it is just a truly random sequence. If a distinguisher, i.e., a box (algorithm) that can correctly answer the above question with high probability, can be built, we have a distinguishing attack.

Model of a stream cipher

Requirements in many recent applications have asked for a modified model of a stream cipher including a public parameter called IV (initial value) or nonce (number used once).

A generator takes two input parameters, one key $K$ and one public parameter IV, and produces an arbitrarily long keystream sequence $z$.

Figure: A keystream generator initialized by a key $k$ and an IV value (the IV is PUBLIC!)

A generator in table form

Generator: a table indexed by $(K, IV)$ containing $z$.

  Key        IV         Keystream sequence z
  00...000   00...000   1101010101110101010100
  00...000   00...001   1110101010101100000101
  00...000   00...010   0010110101011010100100
  ...        ...        ...
  00...001   00...000   1010001010101010110101
  00...001   00...001   0010111010101010100111
  00...001   00...010   1010110101010100001110
  ...        ...        ...
  ...        ...        ...
  11...111   00...000   0101010101101001000100
  11...111   00...001   0101111111110000010110
  11...111   00...010   1011010111010100001110
  ...        ...        ...

Remarks on the model

The optimal design of a generator (ideal generator) would be if every entry in the table was generated truly at random (uniformly).

We have some generic attacks on the ideal generator. For example, an exhaustive key search would require testing all the keys and checking whether a chosen key generates the given output.

The design problem is then essentially to construct a generator that in all aspects implements an ideal generator, leaving only the generic attacks like exhaustive key search for the cryptanalyst.

Examples of insecure generators

Even if some pseudo-random generators may be suitable for simulation purposes, they can be completely insecure in a cryptographic sense.

- Output of a linear feedback shift register. The key determines a starting state $(s_1, s_2, \ldots, s_L)$, a sequence is defined by $s_i = \sum_{j=1}^{L} c_j s_{i-j}$ for $i > L$, and the pseudo-random sequence is given by $z = s_{L+1}, s_{L+2}, \ldots$.
- Various versions of the linear congruential generator. Generators that in some form use the recurrence $s_{i+1} = a s_i + b \pmod m$, where now $a, b, s_i \in \mathbb{Z}_m$, $i = 1, 2, \ldots$.

Defining a Distinguisher

Rough description: a distinguisher for a generator X is given as follows. Let $D(z)$ be an algorithm that takes as input a length-$N$ sequence $z$ and as output gives one out of two possible answers, either X or RANDOM. The probability that $D(z)$ correctly determines the origin of $z$ is written $(1 + \epsilon)/2$. If $\epsilon$ is not very close to zero we say that $D(z)$ is a distinguisher for the generator.

The advantage of a distinguisher $D$, $\mathrm{Adv}_D$, is defined as

$\mathrm{Adv}_D = |P(D(z) = X \mid z \text{ generated by } X) - P(D(z) = X \mid z \text{ truly random})|.$

The advantage is $\mathrm{Adv}_D = |\epsilon|$.

Different Distinguishing Attack Scenarios

- a single keystream (from known or chosen IV),
- several keystreams from different known values of IV,
- several keystreams from different chosen values of IV.

The adversary receives $m$ different keystreams $z_1, z_2, \ldots, z_m$ generated from $m$ different IV values $IV_1, IV_2, \ldots, IV_m$, written as

  $z_1$ = $z_{1,1}$  $z_{1,2}$  ...  $z_{1,N}$
  $z_2$ = $z_{2,1}$  $z_{2,2}$  ...  $z_{2,N}$
  ...
  $z_m$ = $z_{m,1}$  $z_{m,2}$  ...  $z_{m,N}$

Special attention to the two special cases $m = 1$ and $N = 1$.

Basic constructions of distinguishers

A first and very basic approach would then be to apply various statistical tests on the received keystream $Z$ (NIST statistical tests, DIEHARD, ...).

These approaches may detect statistical weaknesses in some weak generators, but they are not very powerful in general. Stronger attacks can be achieved if we take the internal structure of the cipher into account when we design a distinguisher.

Basic constructions of distinguishers

Try to detect some statistical deviation in the keystream $Z$ based on some internal relationship. However, symbols in $Z$ (or even small blocks of symbols) will often be very close to the uniform distribution. Instead, the internal relationship often gives dependence among different $z_{i,j}$ symbols that can be far apart in time.

Transforming keystream into samples

So it is natural that we transform our keystream $Z$ into a new sequence of symbols, called samples, denoted by $X = x_1, x_2, \ldots$. In general, this can be done in almost any way,

$x_i = F(i, Z), \quad i = 1, 2, \ldots$

where $F$ is some function.

With a given sample sequence, we would finally try to distinguish if $X$ behaves as if generated from a truly random $Z$ or not.

Linear distinguishers: the samples are selected as linear combinations of keystream bits. Usually, the samples are regarded as independent and the distinguisher examines whether the sample values are consistent with a uniform distribution or not.

Transforming keystream into samples

Concluding, the challenge for the adversary is to somehow find a suitable way to transform the keystreams to a sample sequence $X$.

Once the sample sequence is given, we apply statistical tools to determine which distribution the sample sequence follows.

Hypothesis Testing

Two cases:

- We want to determine if an observed sequence is distributed according to one of two known distributions, usually the cipher distribution and the uniform distribution.
- We want to determine if an observed sequence is likely to be distributed according to one known distribution.

The Case When Both Distributions Are Known

The optimal hypothesis test is given by:

Lemma (Neyman-Pearson)
Let $X_1, X_2, \ldots, X_n$ be drawn i.i.d. according to mass function $P_{obs}$. Consider the decision problem corresponding to the hypotheses $P_{obs} = P_0$ vs. $P_{obs} = P_1$. For $T \geq 0$ define a region

$A_n(T) = \left\{ (x_1, x_2, \ldots, x_n) : \frac{P_0(x_1, x_2, \ldots, x_n)}{P_1(x_1, x_2, \ldots, x_n)} > T \right\}.$

Let $\alpha_n = P_0(A_n^c(T))$ and $\beta_n = P_1(A_n(T))$ be the error probabilities corresponding to the decision region $A_n$. Let $B_n$ be any other decision region with associated error probabilities $\alpha^*$ and $\beta^*$. If $\alpha^* \leq \alpha_n$, then $\beta^* \geq \beta_n$.

The Case When Both Distributions Are Known

Assuming that all samples are independent this is equivalent to

$A_n(T) = \left\{ \sum_{i=1}^{n} \log \frac{P_0(x_i)}{P_1(x_i)} > \log T \right\}.$

Some known facts

There exist asymptotic expressions for the error probabilities.

Binary distributions: The bias $\epsilon$ of a distribution is defined as

$\Pr(X = 0) = 0.5(1 + \epsilon). \quad (1)$

For $k$ independent binary variables $X_1, X_2, \ldots, X_k$, the bias $\epsilon_{tot}$ of the sum is given by

$\epsilon_{tot} = \prod_{i=1}^{k} \epsilon_i. \quad (2)$

When $\alpha$ and $\beta$ are about equal, a distinguisher needs roughly (3) samples to determine if an observed distribution is the cipher distribution or the uniform distribution.

The Case When One Distribution Is Known

Used if we cannot find the distribution of the cipher.

A chi-square test can be used to determine if an observed distribution is likely to follow one given distribution.

$H_0: P_X = P_0$ vs. $H_1: P_X \neq P_0$. Let $O(x)$ be the number of outcomes of $x \in \mathcal{X}$ in the observed sequence and let the expected number of outcomes $x \in \mathcal{X}$ according to $P_0$ be denoted $E(x)$. The distribution of

$Q = \sum_{x \in \mathcal{X}} \frac{(O(x) - E(x))^2}{E(x)} \quad (4)$

can be approximated by the chi-square distribution $\chi^2_r$, with $r$ being the degrees of freedom.

A Practical Situation

A distinguisher is used to derive information about the plaintext.

Alice and Bob are communicating over an insecure channel. The adversary Eve is able to passively eavesdrop on the channel. Alice sends a message $M = m_1, m_2, \ldots, m_N$ to Bob. Eve knows that the data sent is either $M_1 = m_{11}, m_{12}, \ldots, m_{1N}$ or $M_2 = m_{21}, m_{22}, \ldots, m_{2N}$. The ciphertext is $C = c_1, c_2, \ldots, c_N$ and given by

$c_i = m_i \oplus z_i, \quad 1 \leq i \leq N, \quad (5)$

where $z_i$ is the keystream.

A Practical Situation

Attack scenario: Eve's task is to determine if $M = M_1$ or $M = M_2$.

By xoring the ciphertext $C$ with $M_1$ Eve will get a keystream $\hat{z} = C \oplus M_1$.

If indeed $M = M_1$, then $\hat{z}$ is distributed according to the cipher distribution since

$\hat{z}_i = c_i \oplus m_{1i} = m_{1i} \oplus z_i \oplus m_{1i} = z_i. \quad (6)$

If $M = M_2$, then $\hat{z}$ is uniformly distributed since

$\hat{z}_i = c_i \oplus m_{1i} = m_{2i} \oplus z_i \oplus m_{1i}, \quad (7)$

for $1 \leq i \leq N$, assuming that $M_1 \oplus M_2$ is uniformly distributed.
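The following is an added example, not code from the lecture: it implements the Neyman-Pearson log-likelihood-ratio region $A_n(T)$ from the two-known-distributions case, the chi-square statistic $Q$ of (4) for the one-known-distribution case, and Eve's decision between $M_1$ and $M_2$ from the practical situation. All sample data is constructed, and the $1/\epsilon^2$ rule of thumb used for sizing is a standard result assumed here rather than taken from the slides.

```python
"""Hypothesis tests from the slides, as an added example (not the lecture's own code).

Implements the Neyman-Pearson log-likelihood-ratio region A_n(T) for two known
distributions, the chi-square statistic Q of (4) for one known distribution, and
Eve's decision in the practical situation (6)/(7). All sample data is constructed.
"""
import math

# Upper 5% points of the chi-square distribution with r degrees of freedom (table values).
CHI2_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}

def llr_statistic(xs, p0, p1):
    """sum_i log(P0(x_i)/P1(x_i)); p0 and p1 map a symbol to its probability."""
    return sum(math.log(p0[x] / p1[x]) for x in xs)

def neyman_pearson(xs, p0, p1, T=1.0):
    """Decide P0 iff (x_1..x_n) lies in A_n(T), i.e. the log-likelihood ratio exceeds log T."""
    return "P0" if llr_statistic(xs, p0, p1) > math.log(T) else "P1"

def biased_bit_distribution(eps):
    """Binary distribution with bias eps as in (1): Pr(X=0) = 0.5(1+eps)."""
    return {0: 0.5 * (1 + eps), 1: 0.5 * (1 - eps)}

def samples_rule_of_thumb(eps):
    """Assumption (not from the slides): about 1/eps^2 samples separate bias eps from uniform."""
    return round(1 / eps ** 2)

def chi_square_statistic(observed, expected):
    """Q = sum_x (O(x) - E(x))^2 / E(x) over every symbol x with expected count E(x)."""
    return sum((observed.get(x, 0) - e) ** 2 / e for x, e in expected.items())

def chi_square_test(observed, expected):
    """H0: P_X = P0. Reject when Q exceeds the 5% point with r = |X| - 1 degrees of freedom."""
    r = len(expected) - 1
    return "reject H0" if chi_square_statistic(observed, expected) > CHI2_95[r] else "accept H0"

def eve_decides(ciphertext, m1, p_cipher):
    """Practical situation: z_hat = C xor M1. If z_hat follows the cipher distribution
    (P0, biased) rather than the uniform one (P1), Eve concludes M = M1, else M = M2."""
    z_hat = [c ^ m for c, m in zip(ciphertext, m1)]
    uniform = {0: 0.5, 1: 0.5}
    return "M1" if neyman_pearson(z_hat, p_cipher, uniform) == "P0" else "M2"

def constructed_bits(n, zeros):
    """Constructed sample of n bits with exactly `zeros` zeros (deterministic test input)."""
    return [0] * zeros + [1] * (n - zeros)

if __name__ == "__main__":
    eps = 0.1
    p0, p1 = biased_bit_distribution(eps), {0: 0.5, 1: 0.5}
    n = samples_rule_of_thumb(eps) * 10          # 1000 samples, ten times the rule of thumb
    print(neyman_pearson(constructed_bits(n, 550), p0, p1))   # P0: 55% zeros looks like the cipher
    print(neyman_pearson(constructed_bits(n, 500), p0, p1))   # P1: balanced looks uniform
    print(chi_square_test({0: 300, 1: 230, 2: 240, 3: 230}, {x: 250 for x in range(4)}))
    z = constructed_bits(n, 550)                 # constructed biased keystream
    m1, m2 = [0] * n, [1] * 500 + [0] * 500      # two candidate messages, M1 xor M2 balanced
    print(eve_decides([a ^ b for a, b in zip(z, m2)], m1, p0))   # M2
```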

Generic attacks on Block Ciphers in OFB and CTR mode

Generic distinguishing attacks apply to many common modes of operation of block ciphers (here OFB mode and counter mode).

$E_K(x)$ is the block cipher encryption function, $B$ = the block size in bits.

Output feedback mode

OFB turns any block cipher into a synchronous stream cipher. The $B$-bit keystream words $(z_1, z_2, z_3, \ldots)$ are generated by repeatedly encrypting a $B$-bit IV. Let $z_0 = IV$, then

$z_i = E_K(z_{i-1}), \quad i \geq 1.$

Since a block cipher defines a permutation over all the $B$-bit blocks, we expect the average period of the keystream to be in the order of $2^{B-1}$ blocks.

If there is a collision, then we know that all subsequent blocks will be the same. I.e., if $z_i = z_j$ ($i \neq j$), then $z_{i+k} = z_{j+k}$ ($k \geq 0$).

The birthday paradox: in a truly random sequence we expect to find a collision after observing $2^{B/2}$ $B$-bit blocks.

Distinguisher for OFB mode

  Input($z_1, z_2, \ldots, z_{2^{B/2}}$)
  if ($z_i = z_j$ and $z_{i+1} \neq z_{j+1}$ for some $i \neq j$) return Random
  else return OFB Mode

Figure: Distinguisher for OFB mode

Counter Mode

In counter mode (CTR), the $B$-bit keystream words $(z_1, z_2, z_3, \ldots)$ are generated by encrypting an incrementing counter, $i$,

$z_i = E_K(IV \| i),$

where $a \| b$ denotes string concatenation of bit strings $a$ and $b$.

Since a counter is used, and a block cipher together with the key defines a random permutation, a keystream block will never repeat (as long as the counter is not repeated).

By observing $2^{B/2}$ keystream blocks, we can decide if the sequence is random or generated by a block cipher in counter mode.

Distinguisher for Counter mode

  Input($z_1, z_2, \ldots, z_{2^{n/2}}$)
  if ($z_i = z_j$ for some $i \neq j$) return Random
  else return Counter Mode

Figure: Distinguisher for Counter mode
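The two mode distinguishers above, run against a toy block cipher, as an added example that is not part of the lecture: a constructed keyed random permutation on $B = 12$-bit blocks stands in for $E_K$, so $2^{B/2} = 64$ keystream blocks are enough to see the birthday effect, and $\mathrm{Adv}_D$ is estimated over fresh keys and IVs as defined on the distinguisher slide.

```python
"""OFB and CTR birthday distinguishers over a toy block cipher (added example, not from
the lecture). E_K is a constructed keyed random permutation on B = 12-bit blocks, so
2^(B/2) = 64 observed blocks suffice for the two distinguishers from the slides;
Adv_D is estimated as |P(D = mode | mode) - P(D = mode | random)|.
"""
import random

B = 12                      # toy block size in bits (constructed)
N_BLOCKS = 1 << (B // 2)    # 2^(B/2) observed keystream blocks

def toy_block_cipher(key):
    """E_K: a random permutation of {0, ..., 2^B - 1} derived from the key (stand-in for AES/DES)."""
    table = list(range(1 << B))
    random.Random(key).shuffle(table)
    return lambda x: table[x]

def ofb_keystream(enc, iv, n):
    """z_0 = IV, z_i = E_K(z_{i-1}); return z_1..z_n."""
    z, out = iv, []
    for _ in range(n):
        z = enc(z)
        out.append(z)
    return out

def ctr_keystream(enc, iv, n):
    """z_i = E_K(IV || i): a 4-bit IV in the top bits, an 8-bit counter i below."""
    return [enc(((iv & 0xF) << (B - 4)) | (i & 0xFF)) for i in range(1, n + 1)]

def ofb_distinguisher(z):
    """In OFB a collision z_i = z_j forces z_{i+1} = z_{j+1}; a collision whose successors
    differ is impossible for OFB and is what a random sequence typically shows."""
    seen = {}
    for i in range(len(z) - 1):
        j = seen.setdefault(z[i], i)
        if j != i and z[i + 1] != z[j + 1]:
            return "Random"
    return "OFB Mode"

def ctr_distinguisher(z):
    """CTR never repeats a block; a random sequence of 2^(B/2) blocks usually does."""
    return "Random" if len(set(z)) < len(z) else "Counter Mode"

def advantage(distinguisher, keystream, mode_label, trials=200, seed=1):
    """Estimate Adv_D = |P(D=mode | mode) - P(D=mode | truly random)| over fresh keys and IVs."""
    rng = random.Random(seed)
    hits_mode = hits_random = 0
    for _ in range(trials):
        enc = toy_block_cipher(rng.getrandbits(64))
        z = keystream(enc, rng.getrandbits(B), N_BLOCKS)
        hits_mode += distinguisher(z) == mode_label
        r = [rng.getrandbits(B) for _ in range(N_BLOCKS)]   # truly random blocks
        hits_random += distinguisher(r) == mode_label
    return abs(hits_mode - hits_random) / trials

if __name__ == "__main__":
    enc = toy_block_cipher(key=0xC0FFEE)      # constructed key
    print(ofb_distinguisher(ofb_keystream(enc, 0x123, N_BLOCKS)))    # OFB Mode
    print(ctr_distinguisher(ctr_keystream(enc, 0x5, N_BLOCKS)))      # Counter Mode
    print(advantage(ofb_distinguisher, ofb_keystream, "OFB Mode"))   # about 0.4 (birthday bound)
    print(advantage(ctr_distinguisher, ctr_keystream, "Counter Mode"))
```

The advantage of roughly 0.4 is the probability that 64 random 12-bit blocks contain a collision; it does not depend on the key length, only on $B$.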

Reflections

The amount of keystream needed in the distinguisher is independent of the size of the key. AES defines a block size of 128 bits, but the key can be chosen from the set {128, 192, 256}.

The above distinguishers can be applied to AES using about $2^{64}$ keystream blocks.

For 64 bit block size (DES) this can be a practical problem.

Linear distinguishing attacks

A sequence of samples as linear combinations of keystream bits. Usually time-invariant, i.e.,

$x_t = \sum_{j=0}^{k} c_j z_{t+j},$

for some $c_j$ and $t = 1, 2, \ldots$. The samples $x_t$ are considered as iid random variables distributed according to $P_{obs}$.

Finding good linear distinguishers resembles a lot linear cryptanalysis of block ciphers as invented by Matsui. Linearize the cipher by replacing some nonlinear blocks with linear ones. Find a linear relationship among keystream symbols, where the relationship involves as few approximated blocks as possible.
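An added example (not from the lecture) that ties the linear distinguisher above to the insecure LFSR generator from the earlier slide: a constructed 16-bit LFSR with a toy one-gate nonlinear filter, samples $x_t = \sum_j c_j z_{t+j}$ taken from its feedback relation, and the bias measured over one full period. It also shows where the piling-up formula (2) is only a heuristic: the five AND terms left after the linear part cancels are not independent, and expanding them gives an exact bias of 1/16 instead of the product 1/32.

```python
"""Linear distinguisher on a filtered LFSR (added example, not from the lecture).

Constructed toy generator: a 16-bit Fibonacci LFSR with feedback polynomial
x^16 + x^14 + x^13 + x^11 + 1, i.e. s[i] = s[i-16] ^ s[i-14] ^ s[i-13] ^ s[i-11],
masked by a single AND gate: z[t] = s[t] ^ (s[t+1] & s[t+7]).
Every LFSR bit satisfies s[t] ^ s[t+2] ^ s[t+3] ^ s[t+5] ^ s[t+16] = 0, so the samples
x_t = sum_j c_j z[t+j] with c_j = 1 for j in {0, 2, 3, 5, 16} cancel the linear part
and leave only the five AND terms, each of bias 1/2.
"""
import random

RELATION = (0, 2, 3, 5, 16)   # offsets j with c_j = 1 (the feedback relation)
PERIOD = 2 ** 16 - 1          # maximal-length LFSR: every nonzero state appears once
STATE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1]   # constructed nonzero seed
# Piling-up, eq. (2), would predict (1/2)^5 = 1/32, but the five AND terms are not
# independent: the feedback relation makes the fifth one a function of the other four.
# Expanding the XOR of the five products gives the exact bias 1/16 for this filter.
EPS_CIPHER = 1 / 16
EPS_PILING_UP = (1 / 2) ** 5

def lfsr_bits(state, n):
    """Return s[0..n-1] generated from the 16-bit initial state."""
    s = list(state)
    for i in range(16, n):
        s.append(s[i - 16] ^ s[i - 14] ^ s[i - 13] ^ s[i - 11])
    return s

def filtered_keystream(state, n):
    """Toy nonlinear filter on the LFSR: z[t] = s[t] ^ (s[t+1] & s[t+7])."""
    s = lfsr_bits(state, n + 8)
    return [s[t] ^ (s[t + 1] & s[t + 7]) for t in range(n)]

def random_bits(n, seed=7):
    """Truly-random stand-in for comparison (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]

def samples(z):
    """x_t = XOR of z[t+j] over the relation offsets, for every t where all offsets exist."""
    n = len(z) - max(RELATION)
    return [sum(z[t + j] for j in RELATION) & 1 for t in range(n)]

def bias(x):
    """Bias eps of a bit sequence, eq. (1): Pr(x=0) = (1+eps)/2, so eps = 1 - 2*Pr(x=1)."""
    return 1.0 - 2.0 * sum(x) / len(x)

def linear_distinguisher(z, eps_expected=EPS_CIPHER):
    """Decide CIPHER when the measured sample bias is closer to eps_expected than to 0."""
    return "CIPHER" if abs(bias(samples(z))) > abs(eps_expected) / 2 else "RANDOM"

if __name__ == "__main__":
    n = PERIOD + max(RELATION)              # one full period of samples
    z = filtered_keystream(STATE, n)
    print("relation bias on the raw LFSR:", bias(samples(lfsr_bits(STATE, n))))   # 1.0
    print("measured bias:", bias(samples(z)), "piling-up estimate:", EPS_PILING_UP)
    print(linear_distinguisher(z), linear_distinguisher(random_bits(n)))
```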

Distinguishers for array-based stream ciphers

Many software-oriented stream ciphers use large arrays and apply a slow continuous update (RC4).

Examples: Py-family; HC-128 and HC-256; MUGI; Scream, RC4.

$S[]$ denotes an array $S[0], S[1], \ldots, S[l]$. Between successive outputs the array is updated as

$S[](t) = G(S[](t-1)),$

where $G$ is some updating function. An output symbol is then generated at time $t$ as

$z_t = F(S[](t)),$

where $F$ is some function.

A basic attack strategy

Detect some dependence or statistical deviation in the update of the array that will be visible in the keystream sequence.

Consider two different but related events $E_Z$ and $E_S$, where $E_Z$ is some event related to the keystream and $E_S$ is some event related to the array $S[]$. For example, if event $E_S$ occurs then $E_Z$ occurs with probability 1, i.e., $P(E_Z \mid E_S) = 1$. However, if event $E_S$ does not occur then we assume $P(E_Z \mid E_S^C) = P_U(E_Z)$.

In this way we can detect a bias since

$P(E_Z) = P(E_Z \mid E_S) P(E_S) + P(E_Z \mid E_S^C) P(E_S^C) = 1 \cdot P(E_S) + P_U(E_Z) P(E_S^C) = (1 - P_U(E_Z)) P(E_S) + P_U(E_Z).$

A Chosen-IV Distinguisher - basics

$n$-variable Boolean function $f(v)$ in ANF form: an entry in the truth table is denoted $f(v)$ with $v = (v_1, v_2, \ldots, v_n)$.

There are efficient ways to compute the ANF from the truth table.

The d-monomial Test

(Saarinen)

The Boolean function is defined as

$z = f(iv_0, iv_1, \ldots, iv_{n-1}),$

$n$ bits of the IV are used as input variables and the output is one (first) bit of the keystream. The key and the remaining bits of the IV are kept constant. Compute the ANF of $f$.

The d-monomial Test

In a $d$-monomial test the aim is to count the number of monomials in the ANF of degree $d$. If the observed number of $d$-monomials significantly deviates from $\frac{1}{2}\binom{n}{d}$, the expected case, we can distinguish the cipher from random (Pearson's chi-square test).

Broke several eSTREAM candidates in this way.

A General Approach

Several Boolean functions are obtained by using a different value for the constant bits in the IV for each polynomial. The occurrence of each monomial can be counted individually.

In particular, the monomial of maximal degree. This monomial will not occur unless all the considered IV bits have been properly mixed.

Its coefficient is calculated as the XOR of all values in the truth table.

The max degree test

  ones = 0
  for j = 1, ..., P
      a = 0
      for iv = 0, ..., 2^n - 1
          Initialize cipher with iv
          z = first keystream bit after initialization
          a = a XOR z
      end for
      if a = 1 then ones++
  end for
  if ones = 0 or ones = P then return cipher
  else return random

Figure: The maximal degree test
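The ANF computation, the $d$-monomial count and the maximal degree test above, applied to Trivium from the end of this deck, as an added example that is not the lecture's code. The keystream generation follows the Trivium slide; the key/IV loading (key in $s_1..s_{80}$, IV in $s_{94}..s_{173}$, $s_{286} = s_{287} = s_{288} = 1$, then $4 \cdot 288$ clockings without output) is the published Trivium specification, which the slides do not show. Reducing the number of initialization rounds is what the test is meant to catch: with too few rounds the chosen IV bits never reach the output taps and the maximal-degree monomial is absent for every key.

```python
"""Max degree / d-monomial test applied to Trivium (added example, not the lecture's code).

Trivium follows the keystream-generation slide of this deck plus the published loading
rule (assumed here, not on the slides): key in s1..s80, IV in s94..s173,
s286 = s287 = s288 = 1, then 4*288 clockings without output. The test takes n IV bits
as variables, builds the truth table of the first keystream bit, computes its ANF with
the Moebius transform and checks the maximal-degree coefficient over P random keys.
"""
import random

def trivium_first_bit(key, iv, init_rounds=4 * 288):
    """First keystream bit for 80-bit key and iv (bit lists) after init_rounds clockings."""
    s = [0] * 289                      # s[1..288]; s[0] is unused padding
    s[1:81] = key
    s[94:174] = iv
    s[286] = s[287] = s[288] = 1
    for r in range(init_rounds + 1):
        t1, t2, t3 = s[66] ^ s[93], s[162] ^ s[177], s[243] ^ s[288]
        if r == init_rounds:
            return t1 ^ t2 ^ t3        # z_1 = t1 + t2 + t3
        t1 ^= (s[91] & s[92]) ^ s[171]
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        s[1:94] = [t3] + s[1:93]
        s[94:178] = [t1] + s[94:177]
        s[178:289] = [t2] + s[178:288]

def iv_from_int(v, n):
    """80-bit IV whose first n bits are the variables v_0..v_{n-1}; the rest stay constant 0."""
    return [(v >> k) & 1 for k in range(n)] + [0] * (80 - n)

def truth_table(key, n, init_rounds):
    """f(v) for all 2^n assignments of the n chosen IV bits, with the key held constant."""
    return [trivium_first_bit(key, iv_from_int(v, n), init_rounds) for v in range(1 << n)]

def anf(tt):
    """Moebius transform: truth table -> ANF coefficients, a[m] = coefficient of prod_{i in m} v_i."""
    a, n = list(tt), len(tt).bit_length() - 1
    for i in range(n):
        step = 1 << i
        for v in range(len(a)):
            if v & step:
                a[v] ^= a[v ^ step]
    return a

def count_d_monomials(a, d):
    """Number of degree-d monomials present; a random function has about C(n,d)/2 of them."""
    return sum(a[m] for m in range(len(a)) if bin(m).count("1") == d)

def max_degree_test(n, keys, init_rounds=4 * 288):
    """The slide's test: XOR of the whole truth table (= top ANF coefficient) per key;
    all-0 or all-1 over the P keys means the n IV bits were never fully mixed."""
    ones = sum(anf(truth_table(k, n, init_rounds))[-1] for k in keys)
    return "cipher" if ones in (0, len(keys)) else "random"

def sample_keys(count, seed=3):
    """Constructed random 80-bit keys (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [[rng.getrandbits(1) for _ in range(80)] for _ in range(count)]

if __name__ == "__main__":
    keys = sample_keys(4)
    # IV bits s94..s99 need at least 63 clockings to reach the output tap s162, so after
    # only 48 initialization rounds the first output bit ignores them: no monomials at all.
    print(max_degree_test(6, keys, init_rounds=48),
          count_d_monomials(anf(truth_table(keys[0], 6, 48)), 1))   # cipher 0
    print(max_degree_test(6, keys))   # full 1152 rounds: "random" is the expected verdict
```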

The eSTREAM project

eSTREAM - an evaluation project within ECRYPT, to come up with a portfolio of new and promising stream ciphers. Previous projects: AES competition, NESSIE, ...

eSTREAM was decided to be more research oriented, e.g., allowing designers to modify their designs. 2004 - 2008. The eSTREAM Portfolio was announced in 2008.

The eSTREAM project

- PROFILE 1. Stream ciphers for software applications with high throughput requirements. (23 submissions)
- PROFILE 2. Stream ciphers for hardware applications with restricted resources such as limited storage, gate count, and/or power consumption. (25 submissions)

The eSTREAM portfolio

Profile 1 SOFTWARE: HC-128, Rabbit, Salsa20/12, SOSEMANUK

Profile 2 HARDWARE: Grain v1, MICKEY v2, Trivium

HC-128

Internal state: Two tables $P$ and $Q$. Each contains 512 words.

$g_1(x, y, z) = ((x \ggg 10) \oplus (z \ggg 23)) + (y \ggg 8)$
$g_2(x, y, z) = ((x \lll 10) \oplus (z \lll 23)) + (y \lll 8)$
$h_1(x) = Q[x_0] + Q[256 + x_2]$
$h_2(x) = P[x_0] + P[256 + x_2]$

where $x = x_3 \| x_2 \| x_1 \| x_0$ ($\ggg$ and $\lll$ denote rotation of a word to the right and to the left).

HC-128

HC-128 Keystream Generation
Input: Tables $P$ and $Q$, each containing 512 words.
Output: Keystream words $s_i$ for $i = 0, 1, \ldots$.

  i = 0;
  repeat (until enough keystream bits are generated) {
      j = i mod 512;
      if ((i mod 1024) < 512) {
          P[j] += g1(P[j - 3], P[j - 10], P[j - 511]);
          s_i = h1(P[j - 12]) XOR P[j];
      } else {
          Q[j] += g2(Q[j - 3], Q[j - 10], Q[j - 511]);
          s_i = h2(Q[j - 12]) XOR Q[j];
      }
      i += 1;
  }

(array indices are taken modulo 512)

Wu's distinguishing attack

$P$ is updated as

$P[i \bmod 512] \mathrel{+}= g_1(P[i-3], P[i-10], P[i-511]).$

But, $s_i = h_1(P[i-12]) \oplus P[i \bmod 512]$. For most $i$,

$s_i \oplus h_1(z_i) = (s_{i-1024} \oplus h_1'(z_{i-1024})) + g_1(s_{i-3} \oplus h_1(z_{i-3}),\ s_{i-10} \oplus h_1(z_{i-10}),\ s_{i-1023} \oplus h_1'(z_{i-1023})) \quad (8)$

where $h_1(x)$ and $h_1'(x)$ are different functions; $z_j$ denotes the $P[j-12]$ at the $j$-th step.

For the least significant bit,

$[s_i]_0 \oplus [s_{i-3}]_{10} \oplus [s_{i-10}]_8 \oplus [s_{i-1023}]_{23} \oplus [s_{i-1024}]_0 = [h_1(z_i)]_0 \oplus [h_1(z_{i-3})]_{10} \oplus [h_1(z_{i-10})]_8 \oplus [h_1'(z_{i-1023})]_{23} \oplus [h_1'(z_{i-1024})]_0 \quad (9)$

Wu's distinguishing attack

Looking at times $i, j$ with $1024 + 10 \leq i, j < 1024 + 511$ and $i \neq j$, the relation

$[s_i]_0 \oplus [s_{i-3}]_{10} \oplus [s_{i-10}]_8 \oplus [s_{i-1023}]_{23} \oplus [s_{i-1024}]_0 = [s_j]_0 \oplus [s_{j-3}]_{10} \oplus [s_{j-10}]_8 \oplus [s_{j-1023}]_{23} \oplus [s_{j-1024}]_0 \quad (10)$

holds if and only if

$[h_1(z_i)]_0 \oplus [h_1(z_{i-3})]_{10} \oplus [h_1(z_{i-10})]_8 \oplus [h_1'(z_{i-1023})]_{23} \oplus [h_1'(z_{i-1024})]_0 = [h_1(z_j)]_0 \oplus [h_1(z_{j-3})]_{10} \oplus [h_1(z_{j-10})]_8 \oplus [h_1'(z_{j-1023})]_{23} \oplus [h_1'(z_{j-1024})]_0.$

Wu's distinguishing attack

That equation can be approximated as

$H(a_1) = H(a_2), \quad (11)$

where $H$ denotes a random secret 80-bit-to-1-bit S-box, $a_1$ and $a_2$ are two 80-bit random inputs,

$a_1 = z_i \| z_{i-3} \| z_{i-10} \| z_{i-1023} \| z_{i-1024}, \quad a_2 = z_j \| z_{j-3} \| z_{j-10} \| z_{j-1023} \| z_{j-1024}. \quad (12)$

Theorem
Let $H$ be an $m$-bit-to-$n$-bit S-box and all those $n$-bit elements are randomly generated, where $m \geq n$. Let $a_1$ and $a_2$ be two $m$-bit random inputs to $H$. Then $H(a_1) = H(a_2)$ with probability $2^{-m} + 2^{-n} - 2^{-m-n}$.

Thus, (??) holds with probability $\frac{1}{2} + 2^{-81}$. Number of samples needed $\approx 4/(2^{-81})^2$, so $2^{164}$ such samples.

Wu's distinguishing attack

Several attempts have been made to improve this basic idea. Some improvements have been found, but no attack below complexity $2^{128}$ has been found.

Trivium

- extremely simple hardware design
- the most challenging design in the eSTREAM portfolio
- A 288-bit internal state $(s_1, s_2, \ldots, s_{288})$ and a very simple update/output function.

Trivium

Trivium Keystream Generation
Input: State $(s_1, s_2, \ldots, s_{288})$
Output: Keystream bits $z_i$ for $i = 1, 2, \ldots$.

  for i = 1 to N do
      t1 <- s66 + s93;  t2 <- s162 + s177;  t3 <- s243 + s288;
      zi <- t1 + t2 + t3;
      t1 <- t1 + s91 s92 + s171;  t2 <- t2 + s175 s176 + s264;  t3 <- t3 + s286 s287 + s69;
      (s1, s2, ..., s93) <- (t3, s1, ..., s92);
      (s94, s95, ..., s177) <- (t1, s94, ..., s176);
      (s178, s179, ..., s288) <- (t2, s178, ..., s287);
  end for