Post on 08-Feb-2016
description
transcript
1
Introduction to Practical Cryptography
Lectures 3/4Stream Ciphers
2
Agenda
•Properties•Building Blocks•Competitions•Examples
3
Uses
• Encryption of streaming data• Random bit generation
4
Stream Ciphers
• Stream cipher outputs keystream, KS• KS produced by a function, F, that is initialized with a key, k• C = Ek(P) = P KS• P = C KS
• k can be used only once• C1 = Ek1(P1); C2 = Ek2(P2)• C1 C2 = P1 KS1 P2 KS2 = P1 P2 if KS1 = KS2 • Will know when P1 and P2 have identical bits• If know part of P1 (if packet headers, format information), then can
obtain part of P2• Period – how long is KS before it starts repeating?
• repeating is equivalent to reusing a key
5
Stream Ciphers
• Speed• Initialization• Keystream generation
• Resources – memory, power, cpu• Hardware, software suitability
6
Stream Ciphers
• Synchronous stream cipher• Sender and receiver must be in-synch• Lost bit garbles all subsequent bits unless synch up• Flipped bit garbles only one bit• Can precompute key stream • Example: RC4, block cipher in OFB mode
• Self-synchronizing stream ciphers • Use n previous ciphertext bits to compute keystream• Lost bit: synch up after n bits• Flipped bit : next n bits garbled• Can’t precompute keystream• Example: Block cipher in ciphertext feedback (CFB) mode
7
Stream Ciphers – General Concept
State Updates• FSR based (SOBER, LILI)• Array Permutations (RC4)key
state (data)
outputfunction
pi (ci) ci (pi)ksi
next statefunction
synchronous
8
Stream Ciphers – General Concept
key
state (data)
outputfunction
pi (ci) ci
ksi
next statefunction
subset of ci’s
• error propagation • block cipher in CFB mode
self synchronizing
9
Keystream Properties• Period
• Period of 232 repeats after ~ 8.5 minutes when encrypting 1MB/sec
• Random appearance: • Runs of 1’s or 0’s: ½ with length 1, ¼ with length 2, 1/8 have
length 3 … • Test – little or no compression• Dissipates statistics of plaintext
• Complexity: • Low ability to define a bit as a linear expression (or
algebraic expression) of bits < period bits away • No discernable relation to key (seed/initial state) bits
10
Agenda
•Properties•Building Blocks•Competitions•Examples
11
Stream Ciphers - Approaches
• Feedback Shift Register (FSR) based – useful in hardware
• Block cipher – CTR, CFB, OFB modes• Components similar to those found in block
ciphers
12
Feedback Shift Register
bn-1 bn-2 b1 b0……b0
F(bn-1,…..b0)
……new bn-1
Linear F: bn-1 = ibi for i {0,1} i=0,n-1
Nonlinear F
Tap Sequence: bits used in F
Feedback with Carry Shift (FCSR) F: s = (ibi + c) for i {0,1} i=0,n-1
bn-1 = s mod 2 c = s/2 mod log2 (# tap bits)
State: bi values
bits, same concept with bytes, words
13
• Period• LFSR of n bits: Maximum 2n –1 • FCSR: depends on initial state• Non-linear FSR: depends on function, initial state
• Inefficient in Software• Small # of bits in tap sequence, easier to break.• Large # of bits in tap sequence, slow.
• Security• Berlekamp-Massey Algorithm: 2n output bits needed to
reproduce the LFSR in O(n2) time.• Non-linear FSR: avoid linear approximations
Feedback Shift Registers
14
Variations Utilizing LFSR Combination generator
• Output bit = nonlinear function on output of multiple LFSRs.• May clock each LFSR differently• Various combinations of AND,OR,Thresholds
LSFR1
LSFR2
LSFRn
.
.
.
nonlinearfunction keystream
15
Variations Utilizing LFSR
• Clock controlled generator• Move to next state only on some clock cycles.• Move to next state on every cycle but only output bit
on some clock cycles.• 2nd LFSR may control clock.
• Clock control that affects output is also called stuttering
16
Clock Control Examples• Stop and Go:
• 2 LFSRs• LFSR1’s output clocks LFSR2
• Alternating Stop and Go: • 3 LFSRs• output of LFSR1 indicates whether to clock LFSR2 or LFSR3 • output is of LFSR’s 2 and 3
• Bilateral Stop and Go: • 2 LFSRs• output = of both outputs• clock LSRFs depending on their output values
• Self-Decimated Generators: • control their own clock – some function of their state bits controls clock
17
Clock Control Examples• Shrinking Generator:
• 2 LFSRs• always clock• if LFSR1 outputs 1, use LFSR2’s output, else no output on that
cycle • called “shrinking” because fewer output bits than clock ticks
• Self Shrinking Generator: • similar to shrinking generator but use 2 different bits from 1
LSFR instead of 2 LFSRs• Cascade:
• output of 1st level (may be single or combination of generators) controls clock of next level
• usually not secure due to some relationship between 1st level output and final output.
18
Agenda
•Properties•Building Blocks•Competitions•Examples
19
NESSIE Stream Cipher Submissions
• None recommended• BMGL – too slow, small internal state –
time/memory tradeoff attack• Leviathan - distinguishing attack• LILI-128 – attack O(271)• SNOW – distinguishing attack• SOBER-t16 – distinguishing attack• SOBER-t32 – distinguishing attack• Both Sober algorithms thought to be subject to
side channel analysis
20
ECRYPT’s eStream Contest• Just ended (3rd round of evaluations finished, winners
selected)• 4 for software, 4 for hardware
• In third round of evaluations • 16 candidates
• 3+ years from time of call for proposals to final report• originally November 2004 to January 2008• Just ended
• ECRYPT: European Network of Excellence for Cryptology
21
eStream Overview• Categories
• key length of 128 bits and an IV length of 64 and/or 128 bits• key length of 80 bits and an IV length of 32 and/or 64 bits
• Separate software and hardware categories within each• Evaluation
• Security• Free of licensing requirements …• Performance, range of environments
• Committee is only collecting submissions. Evaluations are done by the general cryptographic community.
22
eStream Evaluation• Security Criteria
• Any key-recovery attack should be at least as difficult as exhaustive search.
• Distinguishing attacks • Interest to the cryptographic community • Relative importance of high complexity distinguishing attacks is an
issue for wider discussion• Clarity of design
• Implementation Criteria• Software and hardware efficiency• Execution code and memory sizes• Performance• Flexibility of use
23
eSTREAM Phase 3 CandidatesProfile 1 (SW) Profile 2 (HW)
CryptMT (CryptMT Version 3) DECIM (DECIM v2 and DECIM-128)
Dragon Edon80HC (HC-128 and HC-256) F-FCSR (F-FCSR-H v2 and F-FCSR-16)
LEX (LEX-128, LEX-192 and LEX-256) Grain (Grain v1 and Grain-128)
NLS (NLSv2, encryption-only) MICKEY (MICKEY 2.0 and MICKEY-12 2.0)
Rabbit Moustique
Salsa20 Pomaranch (Pomaranch Version 3)
SOSEMANUK Trivium
http://www.ecrypt.eu.org/stream/phase3list.htmlkey lengths: 128 bits for SW and 80 bits for HW
24
eSTREAM Winners
Profile 1 (SW) Profile 2 (HW)
HC (HC-128 and HC-256) F-FCSR (F-FCSR-H v2 and F-FCSR-16)
Rabbit Grain (Grain v1 and Grain-128)
Salsa20 MICKEY (MICKEY 2.0 and MICKEY-12 2.0)
SOSEMANUK Trivium
http://www.ecrypt.eu.org/stream/key lengths: 128 bits for SW and 80 bits for HW
25
Agenda
•Properties•Building Blocks•Competitions•Examples
26
Stream Cipher Examples
•Lists•http://en.wikipedia.org/wiki/Stream_cipher •http://www.ecrypt.eu.org/stream/
• RC4• A5/1• A5/3• LILI• Sober• Trivium• Lex
27
RC4
S-Box Creationinput key;if (key < 256 bytes) { repeat key until 256 bytes;}for (i=0; i < 256; ++i) { S[i] = i; // initialize S-Box K[i] = ith key byte;}j = 0;for (i = 0; i <256; ++i) { j = (j + S[i] + K[i]) mod 256; swap(S[i],S[j]);}
Keystream Generatori = 0; j = 0;loop {
i = (i+1) mod 256;j = (j+S[i]) mod 256;Swap(S[i],S[j]);t = (S[i] + S[j]) mod 256;ks_byte = S[t];
}
2 S-Box entries form index into S-Box Output S-Box entry (byte)
S-Box: key dependent permutation of 0 to 255. (lookup table)
28
RC4 Cryptanalysis
• Initial keystream byte highly correlated with first few key bytes• Recommendations to discard first 256 or 512 output bytes
• Distinguish from random: O(230.6) bytes needed• Attempts to backtrack to initial state from keystream
Keystream Generatori = 0; j = 0;loop {
i = (i+1) mod 256;j = (j+S[i]) mod 256;Swap(S[i],S[j]);t = (S[i] + S[j]) mod 256;ks_byte = S[t];
}
29
A5/1• Used in Global System for Mobil Communications (GSM)• Example of a cipher manufacturers tried to keep secret, it was
leaked and also reversed engineered within 5 years• A5/2 – weaker cipher used in some countries due to export rules• GSM phone conversations are sent as sequences of frames. • One 228 bit frame is sent every 4.6 milliseconds: 114 bits for the
communication in each direction. • A5/1 produces 228 bits to XOR with the frame • Initialized using a 64-bit key combined with a publicly-known 22-bit
frame number. • In some GSM implementations, 10 key bits are fixed at zero -
effective key length is 54 bits.• A5/1 is based around a combination of three LFSRs with irregular
clocking.
30
A5/1
Image from Wikipedia
31
A5/1 LSRFs• 19 bits
• x19 + x5 + x2 + x + 1 • clock bit 8 • tapped bits: 13, 16, 17, 18
• 22 bits • x22 + x + 1 • clock bit 10 • tapped bits 20, 21
• 23 bits • x23 + x15 + x2 + x + 1 • clock bit 10 • tapped bits 7, 20, 21, 22
• Least significant bit numbered 0• Tapped bits of each LSRF are XORed to create value of next 0 bit.• Output bits of the three LSRFs are XORed to form the keystream bit
32
A5/1
• Each cycle, look at the three clock bits. The majority value, cm, is determined.
• In each LSRF, if the clock bit matches cm, the registers are clocked.
• In each cycle, 2 or 3 LSRFs will be clocked.
33
A5/1 Initialization• Registers set to all 0’s• Incorporate the key and frame number:
• For 64 cycles, the key is mixed in by XORing the ith key bit with the least significant bit of each register
• For 22 cycles, the 22 bit frame value is mixed in – same as with key value
• Normal clocking used• 100 cycles are run using the majority clocking,
the output is discarded• End result is the initial state
34
A5/1
• Three short LSFRs• Not many tap bits to guess
35
A5/3 Core
KASUMI
CC || CB || CD || 00 || CA || CE
BLKCNT=0
CO[0] … CO[63] CO[64] … CO[127] CO[128] … CO[191]
A
CO[last bits]
KASUMI KASUMI KASUMI KASUMI
BLKCNT=1 BLKCNT=2 BLKCNT=BLOCKS-1
CKCKCK CK
CK KM
BLCNT is a 64 bit counterKM = 0x555….555 (128 bit key modifier)CK = key bits
•CBC XORed with counter and key•A counter previous output
•defined on next slide
36
A5/3 GSM
CA CB CC CD CK
CO (228 bits)
0…0 || COUNT
00000
00001111
0 KC cyclicallyrepeated tofill 128 bits
KGCORE
BLOCK1 (114 bits) || BLOCK2 (114 bits)
CE
0…0
•Kc = key
•http://www.gsmworld.com/using/algorithms/docs/a5_3_and_gea3_specifications.pdf
37
LILI
LFSRC LFSRD
FcFD
bit for keystream.
c
s1 s2 sk… s1 s2 sn…
clocking function integer
output
Irregular:clocked c times
Regularly clocked
b
non-linearfunction
Family of keystream generators
38
SOBER - OriginalLFSR
S17 = 141 S15 175 S0
LFSR: 17 bytes, 128 bit key
Nonlinear transformationVn = (S0 + S2 + S5 + S12) (S12 S13)
Stutter Control
Output function (sc) 00: No output01: Vn 0110100110: Vn 11: Vn 10010110
output bytesc
Vn
Clock Control
Vn
sc = next 2 bits of byteneed byte: clock, take Vn
Clock Control (sc) 00: 1 clock 01: clock, output, clock 10: 2 clocks 11: 1 clock
Si’s
39
Sober t{8,16,32}8,16,32 = byte size of key
40
Sober-t
LSFR for Sober-tw w = 8,16,32Max period: 213w-1
41
Non-linear FunctionLFSR output input to non-linear function fw, output added to subset of LSFRs bits, XORed with key-dependent value, this result then added to subset of LSRF bits
42
Trivium
• Christophe De Canniere and Bart Preneel• hardware oriented synchronous stream
cipher• Trivium generates up to 264 bits of key
stream from an 80-bit secret key and an 80-bit initial value (IV).
• Internal state is 288 bits
43
Trivium
• IV and key used to initialize the state• Iterate state
– extract values of 15 specific state bits and use them to update 3 bits of the state and to compute 1 bit of the key stream zi.
– state bits then rotated and process repeats
44
Trivium Key Stream Generation
for i = 1 to N dot1 s66 s93t2 s162 s177t3 s243 s288zi t1 t2 t3t1 t1 s91 s92 s171t2 t2 s175 s176 s264t3 t3 s286 s287 s69(s1; s2; : : : ; s93) (t3; s1; : : : ; s92)(s94; s95; : : : ; s177) (t1; s94; : : : ; s176)(s178; s279; : : : ; s288) (t2; s178; : : : ; s287)
end for
45
Trivium Initialization
• load 80-bit key and 80-bit IV into 288-bit initial state
• set all remaining bits to 0, except for s286, s287, and s288, which are set to 1
• state is rotated over 4 full cycles of the for look, but no bits are output (for i = 1 to 4288)
46
Trivium
• state bit is not used for at least 64 iterations after it has been modified
• up to 64 iterations can be computed at once, provided that 3 AND gates and 11 XOR gates in the original scheme are duplicated a corresponding number of times
47
Estimated Gate Counts1-bit to 64-bit hardware implementations
Components 1-bit 8-bit 16-bit 32-bit 64-bit
Flip-ops 288 288 288 288 288
AND gates 3 24 48 96 192
XOR gates 11 88 176 352 704
NAND gate count 3488 3712 3968 4480 5504
48
Software
• Stream generation: 12 cycles/byte• Key setup: 55 cycles• IV setup: 2050 cycles• on Intel XeonTM CPU 1.5 GHz
49
Trivium Security• Linear correlations between key stream bits and internal state bits are
easy to find because zi is simply defined to be equal to s66s93 s162 s177 s243 s288.
• But, as opposed to LFSR based ciphers, Trivium's state evolves in a nonlinear way– not clear how an attacker should combine these equations in order to
efficiently recover the state– Estimate: follow linear trails through the cipher and approximate the outputs
of all encountered AND gates by 0. However, the positions of the taps in Trivium have been chosen in such a way that any trail of this specific type is forced to approximate at least 72 AND gate outputs
– If assume that the correlation of linear combination is completely explained by a specific trail considered, then it would have a correlation coefficient of 2-72
• Detecting such a correlation would require at least 2144 bits of key stream• Other more complicated types of linear trails with larger correlations
might exist, estimate that no correlations will exceed 2-40
50
Lex
• Alex Biryukov• Leak EXtraction• Software category
– Uses AES – reuse if application has AES implementation
51
Lex• Initialize:
– Key AES: 128-bit key, K, run through standard AES key-schedule
– State: 128-bit IV is encrypted by AES S = AESK(IV )
• Generate key stream– Repeatedly encrypt (starting with S)
• Rekey every 500 AES applications
52
Lex
takes 4 bytes from each round of AES(see next slide)
53
Lex
54
Lex
• order of bytes – not relevant for security– relevant for fast software implementation
• allows extraction of a 32-bit value from two 32-bit rows in four steps ((t0&0xFF00FF) << 8) (t2&0xFF00FF)
t0 = 1st row, t2 = 3rd row in 4x4 matrix