The LILI Stream Cipher – Is It Still Secure?


LILI to Dragon: From Bit Based to Word Based Stream Ciphers
Ed Dawson and Leonie Simpson
Information Security Institute, Qld University of Technology, Australia
Overview
1. Introduction
2. LILI-128 Keystream Generator
3. LILI-II
4. Dragon
5. Implementation
6. Hardware
Introduction
Synchronous Stream Ciphers
• Break messages into successive characters, encrypt characters under a time-varying function of the key
• Keystream is generated independently of the plaintext message and ciphertext.
[Figure: key → Keystream Generator → keystream; keystream and plaintext → Combining function → ciphertext]
Types of Stream Ciphers
• Bit Based
  – Encrypt one bit each time interval using the XOR operation
• Word Based
  – Encrypt one word each time interval using the XOR operation
Properties of Stream Ciphers
• Large period and white noise characteristics
• Secure from attack
  – Time/memory trade-off attacks
  – Divide and conquer attacks
  – Algebraic attacks
  – Any other attacks
• Resynchronisation
  – For synchronous stream ciphers, loss of synchronisation is disastrous.
  – Many stream cipher applications can only maintain synchronisation for a short time
    • mobile telephony
    • internet transmissions
    • transmission over error-prone channels
• Key loading and re-keying
  – Combine secret key k with initialisation vector vi
  – Typically vi is known
  – Important that the re-keying process doesn't leak information about k
LILI stream cipher family
• Simpson, Dawson, Golic and Millan, 1999
[Figure: LFSRc (m bits) → k inputs → fc → integer c(t) in {1,2,…,2^k}, which clocks LFSRd; LFSRd (n bits) → r inputs → fd → keystream bit z(t)]
fc(x_{k,t}, x_{k-1,t}, …, x_{1,t}) = 1 + 2x_{1,t} + 4x_{2,t} + … + 2^{k-1}x_{k,t}
z_t = fd(y_1, y_2, …, y_r) in F_2, where fd is balanced, has high algebraic order and high non-linearity
LILI-128 Keystream Generator
• Keystream Generator Design:
[Figure: LFSRc (39 bits) → 2 inputs → fc → integer c(t); LFSRd (89 bits) → 10 inputs → fd → keystream bit z(t)]
LILI-128 Keystream Generator
• Keystream generator design features:
  – Both LFSRc and LFSRd have primitive feedback polynomials
  – fc(x12, x20) = 2(x12) + x20 + 1
  – The 10-input filter function fd
    • is balanced
    • has nonlinearity of 480
    • is CI(3)
    • has algebraic order 6
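The clock-controlled nonlinear filter generator described on the LILI family and LILI-128 slides, as an added Python example (not the authors' reference implementation). It keeps the register sizes, the two clock-control inputs x12 and x20 with fc(x12, x20) = 2(x12) + x20 + 1, and a 10-input filter, but the feedback taps, the filter tap positions, the filter function fd_demo and the order of the clocking steps within one time interval are assumptions, not the published LILI-128 parameters. The last function checks, on a toy-sized LFSRc, that the total number of LFSRd clocks over one LFSRc period does not depend on the LFSRc start state, which is the property behind "we know the position of every (2^39 – 1)th bit" on the attacks slide.

```python
"""Clock-controlled nonlinear filter generator in the LILI family shape.

Added example, not the authors' code. Register sizes, the clock-control inputs
(x12, x20) and the 10-input filter are from the slides; feedback taps, filter
tap positions and fd_demo are placeholders, NOT the published LILI-128 values.
"""
from typing import Callable, List, Sequence


class LFSR:
    """Fibonacci LFSR over GF(2) with feedback polynomial x^L + sum(x^t for t in taps) + 1.
    state[0] is the oldest bit; it is shifted out on every clock."""

    def __init__(self, length: int, taps: Sequence[int], state: Sequence[int]) -> None:
        if len(state) != length or not any(state):
            raise ValueError("state must be non-zero and exactly `length` bits long")
        self.length, self.taps, self.state = length, tuple(taps), list(state)

    def bit(self, i: int) -> int:
        return self.state[i]

    def clock(self) -> int:
        out = self.state[0]
        new = self.state[0]                      # the '+ 1' term of the polynomial
        for t in self.taps:
            new ^= self.state[t]
        self.state = self.state[1:] + [new]
        return out


def lfsr_period(length: int, taps: Sequence[int]) -> int:
    """Clocks until the all-ones state recurs: 2^L - 1 exactly when the polynomial is primitive."""
    reg = LFSR(length, taps, [1] * length)
    start, n = list(reg.state), 0
    while True:
        reg.clock()
        n += 1
        if reg.state == start:
            return n


def fc(inputs: Sequence[int]) -> int:
    """Clock control c = 1 + x_1 + 2*x_2 + ... + 2^(k-1)*x_k, an integer in {1, ..., 2^k}.
    With inputs (x20, x12) this is the LILI-128 rule fc(x12, x20) = 2(x12) + x20 + 1."""
    return 1 + sum(b << i for i, b in enumerate(inputs))


class LiliGenerator:
    """LFSRc drives the clock control; LFSRd feeds the nonlinear filter fd."""

    def __init__(self, lfsr_c: LFSR, c_inputs: Sequence[int], lfsr_d: LFSR,
                 d_inputs: Sequence[int], fd: Callable[[List[int]], int]) -> None:
        self.lfsr_c, self.c_inputs = lfsr_c, tuple(c_inputs)
        self.lfsr_d, self.d_inputs = lfsr_d, tuple(d_inputs)
        self.fd = fd

    def next_bit(self) -> int:
        # Assumed ordering per time interval: read c(t) from LFSRc, clock LFSRd
        # c(t) times, filter its tapped bits, then advance LFSRc once.
        for _ in range(fc([self.lfsr_c.bit(p) for p in self.c_inputs])):
            self.lfsr_d.clock()
        z = self.fd([self.lfsr_d.bit(p) for p in self.d_inputs])
        self.lfsr_c.clock()
        return z

    def keystream(self, n: int) -> List[int]:
        return [self.next_bit() for _ in range(n)]


def fd_demo(y: List[int]) -> int:
    """Constructed 10-input filter g(y1..y9) XOR y10: balanced because y10 enters linearly.
    Placeholder only, not the published LILI-128 fd (nonlinearity 480, CI(3), order 6)."""
    g = (y[0] & y[1]) ^ (y[2] & y[3]) ^ (y[4] & y[5] & y[6]) ^ y[7] ^ y[8]
    return g ^ y[9]


def lili128_shaped(state_c: Sequence[int], state_d: Sequence[int]) -> LiliGenerator:
    """39-bit LFSRc with clock inputs x20 (weight 1) and x12 (weight 2); 89-bit LFSRd with
    10 filter inputs. Feedback taps and filter tap positions are placeholders."""
    lfsr_c = LFSR(39, (2, 14, 15), state_c)
    lfsr_d = LFSR(89, (1, 5, 9), state_d)
    return LiliGenerator(lfsr_c, (20, 12), lfsr_d,
                         (0, 8, 17, 31, 44, 52, 63, 70, 79, 88), fd_demo)


def bit_crypt(bits: Sequence[int], state_c: Sequence[int], state_d: Sequence[int]) -> List[int]:
    """Bit-based stream encryption: XOR message bits with keystream bits.
    Decryption is the same call with the same initial states."""
    ks = lili128_shaped(state_c, state_d).keystream(len(bits))
    return [m ^ z for m, z in zip(bits, ks)]


def lfsrd_clocks_per_c_period(m: int, taps_c: Sequence[int], c_inputs: Sequence[int],
                              state_c: Sequence[int]) -> int:
    """Sum of c(t) over one full period of an m-bit LFSRc. For a primitive LFSRc the total
    is the same for every non-zero start state, so the position in the underlying LFSRd
    sequence of every (2^m - 1)-th keystream bit is fixed (toy m keeps this fast)."""
    reg, total = LFSR(m, taps_c, state_c), 0
    for _ in range(2 ** m - 1):
        total += fc([reg.bit(p) for p in c_inputs])
        reg.clock()
    return total
```

For a 5-bit LFSRc with a primitive polynomial and two clock-control inputs, every tap sees 16 ones over the 31-state period, so the total is 31 + 16·1 + 16·2 = 79 regardless of the start state; the same arithmetic with m = 39 is what lets an analyst skip LFSRc in the second method on the attacks slide.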
Attacks on LILI-128
• Two methods for handling LFSRc
  1. Guess LFSRc. Put the keystream bits back to their original positions
     – Higher runtime complexity, need fewer keystream bits.
  2. Ignore LFSRc, since we know the position of every (2^39 – 1)th bit
     – Lower runtime complexity, need more keystream bits
Main attacks on LILI-128
• Algebraic attacks
  – Turn the cipher into a set of multivariate equations
  – Guess LFSRc, algebraic attack on LFSRd
  – Ignore LFSRc, algebraic attack on LFSRd
• Time/Memory trade-off attacks
  – Calculate a lookup table of pairs of key and keystream bits
  – Ignore LFSRc, attack LFSRd
• Correlation attacks
  – Use the correlation properties of the Boolean function
  – Guess LFSRc, use a distinguisher on LFSRd and decide if the guess was correct
  – Knowing LFSRc, do a fast correlation attack on LFSRd
Algebraic Attacks
• Willi Meier and Nicolas Courtois' algebraic attacks on LILI-128
  1. Ignoring LFSRc and attacking LFSRd with a fast algebraic attack (Courtois, 2003)
     – Runtime complexity: C·2^31 memory lookups
     – Number of keystream bits: 2^60
     – Computer memory: 2^24 bits
  2. Guessing LFSRc, attacking with a normal algebraic attack (Courtois, Meier, 2003)
     – Runtime complexity: 2^96 memory lookups
     – Number of keystream bits: 2^18
     – Computer memory: 2^43 bits
Time/Memory Trade-Off Attack
• Juhani Olavi Saarinen, 2002
• Ignore LFSRc
  – Runtime complexity: 2^56 parity checks
  – Number of keystream bits: 2^46
  – Computer memory: 2^51.4 bits
Correlation Attacks
• H. Molland, 2004
• Guess LFSRc, do a distinguisher test on LFSRd
  – Runtime complexity: 2^57
  – Number of keystream bits: 2^29
  – Computer memory: 2^28 bits
LILI-II Keystream Generator
• Simpson, Dawson, Golic and Millan, 2001
• Keystream Generator Design:
[Figure: LFSRc (128 bits) → 2 inputs → fc → integer c(t); LFSRd (127 bits) → 12 inputs → fd → keystream bit z(t)]
LILI-II Keystream Generator
• Keystream generator design features:
  – Both LFSRc and LFSRd have primitive feedback polynomials
  – fc(x0, x126) = 2(x0) + x126 + 1
  – The 12-input filter function fd
    • is balanced
    • has nonlinearity of 1992
    • is CI(1)
    • has algebraic order 10
LILI-II Keystream Generator
• Key loading and re-keying proposal
  1. Initial state of LFSRc: XOR k and vi
  2. Initial state of LFSRd:
     • Delete the first bit of k and the last bit of vi
     • XOR the resulting 127-bit binary strings
  3. Run the cipher, produce 255 bits of output:
     • First 128 bits used for the LFSRc initial state
     • Remaining bits used for the LFSRd initial state
  4. Repeat step 3.
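The four-step key loading and re-keying schedule above, carried through as an added Python example (not the authors' code). The bit-string handling follows the slide exactly; "run the cipher" is injected as a callable, and the SHA-256 based stand-in supplied here is not LILI-II, it only lets the schedule execute. The check that neither register is loaded with the all-zero state is an added practitioner's caveat: a zero LFSR never leaves zero, and step 1 produces one exactly when vi equals k.

```python
"""LILI-II key loading / re-keying schedule from the slides.

Added example, not the authors' code. `run_cipher` stands in for "run the
cipher"; the SHA-256 stand-in below is NOT LILI-II.
"""
import hashlib
from typing import Callable, List, Sequence, Tuple

Bits = List[int]
RunCipher = Callable[[Sequence[int], Sequence[int], int], Bits]


def xor_bits(a: Sequence[int], b: Sequence[int]) -> Bits:
    if len(a) != len(b):
        raise ValueError("bit strings differ in length")
    return [x ^ y for x, y in zip(a, b)]


def initial_states(k: Sequence[int], iv: Sequence[int]) -> Tuple[Bits, Bits]:
    """Steps 1 and 2: LFSRc <- k XOR vi (128 bits);
    LFSRd <- (k without its first bit) XOR (vi without its last bit) (127 bits)."""
    if len(k) != 128 or len(iv) != 128:
        raise ValueError("k and vi must both be 128 bits")
    return xor_bits(k, iv), xor_bits(k[1:], iv[:-1])


def check_nonzero(state_c: Sequence[int], state_d: Sequence[int]) -> None:
    """An LFSR loaded with the all-zero state stays at zero forever, so refuse it.
    Step 1 yields a zero LFSRc exactly when vi == k (added caveat, not on the slide)."""
    for name, st in (("LFSRc", state_c), ("LFSRd", state_d)):
        if not any(st):
            raise ValueError(f"{name} would be loaded with the all-zero state")


def lili2_rekey(k: Sequence[int], iv: Sequence[int], run_cipher: RunCipher,
                passes: int = 2) -> Tuple[Bits, Bits]:
    """Steps 3 and 4: two passes of 'run for 255 bits; first 128 -> LFSRc, rest -> LFSRd'."""
    state_c, state_d = initial_states(k, iv)
    for _ in range(passes):
        check_nonzero(state_c, state_d)
        out = run_cipher(state_c, state_d, 255)
        if len(out) != 255:
            raise ValueError("run_cipher must return exactly 255 bits")
        state_c, state_d = out[:128], out[128:]
    check_nonzero(state_c, state_d)
    return state_c, state_d


def standin_run_cipher(state_c: Sequence[int], state_d: Sequence[int], n: int) -> Bits:
    """Stand-in keystream source: SHA-256 in counter mode over the two register states.
    NOT LILI-II; it exists only so the schedule above can be exercised offline."""
    seed = bytes(state_c) + bytes(state_d)       # one byte per bit is fine for a stand-in
    out: Bits = []
    counter = 0
    while len(out) < n:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        out.extend((byte >> i) & 1 for byte in digest for i in range(8))
        counter += 1
    return out[:n]


def bits_from_int(value: int, n: int) -> Bits:
    """n bits, most significant first, for building k and vi from hex constants."""
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]
```

Swapping standin_run_cipher for a real LILI-II keystream routine with the same (state_c, state_d, n) signature gives the schedule as proposed; the two passes cost 2 × 255 = 510 bits of keystream, which is the figure the speed slide uses.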
LILI-II Keystream Generator
• Key loading and re-keying proposal
  – Speed
    • Re-keying takes the time required for encryption of 2 × 255 = 510 bits
    • In hardware, at a clock speed of 50 MHz LILI-II has a throughput of 50 Mb/s
    • Thus, re-keying takes about 10 microseconds.
Keystream Properties
• Period: (2^128 – 1)(2^127 – 1)
• Linear Complexity: at least 2^175
• Ratio of ones to zeroes: 2^126 / (2^126 – 1)
Possible Attacks
• For known-plaintext attacks
  – Assumptions
    • Structure of the generator is known
    • A single segment of keystream is known
  – Attack types to consider:
    • Time/Memory/Data trade-off attacks
    • Divide and conquer attacks targeting LFSRd
    • Divide and conquer attacks targeting LFSRc
Possible Attacks
• Time/Memory/Data trade-off attacks
  – Babbage (1995) / Golic (1997)
  – Biryukov and Shamir (Asiacrypt 2000)
  – Objective is to recover the internal state at a known time
  – Infeasible for LILI-II as
    • the internal state is 255 bits
    • the tradeoffs are no better than exhaustive search
Possible Attacks
• D and C attacks targeting LFSRd
  – Attack algorithm
    1. Guess an initial state for LFSRd
    2. Produce the output segment of the nonlinear filter generator if regularly clocked (longer than the known keystream)
    3. Calculate the correlation with the known keystream
  – If the correlation is high, consider the initial state as a candidate for the actual initial state.
  – Attack successful if only a few such states are identified
Possible Attacks
• D and C attacks targeting LFSRd
  – Feasibility?
    • Requires a correlation calculation for each of the 2^127 – 1 LFSRd initial states
    • Additional computational complexity is added in finding the corresponding LFSRc
    • Minimum keystream length required for a successful attack is prohibitive
    • Attack performance is worse than exhaustive key search
Possible Attacks
• Divide and conquer attacks targeting LFSRc
  – Attack algorithm
    1. Guess an initial state for LFSRc
    2. Produce the output segment of LFSRc and generate the decimating sequence c.
    3. Position the known keystream bits in the corresponding positions of the underlying nonlinear filter generator sequence (if regularly clocked)
    4. From these, do a distinguisher test on LFSRd.
    5. If the distinguisher says yes, we have found the initialisation state for LFSRc
Possible Attacks
• D and C attacks targeting LFSRc
  – Recover the LFSRd initial state using:
    1. Linear consistency test
    2. Fast correlation attack procedure (traditional fast correlation attack)
    3. Fast correlation attack procedure (Jonsson and Johansson's F.C.A.)
    4. Algebraic attack (Courtois, Meier)
Possible Attacks
• D and C attacks targeting LFSRc
  – Feasibility? All attacks require
    • exhaustive search over the LFSRc initial state space
    • additional computation for each candidate state
  – Worse than exhaustive search of the 128-bit secret key
Dragon Cipher (2004)
Chen, Dawson, Fuller, Henricksen, Millan, Simpson (QUT)
Lee, Moon (MSRC, South Korea)
Specification
• Key/IV size = 128 or 256 bits
• Internal state = 1088 bits
  – 1024-bit NLFSR
  – 64-bit memory/counter
• Output size = 64 bits
• Feedback size = 64 bits
Specification
• Keystream generation
[Figure: NLFSR and memory M → FPDS Selection → F → feedback (into the NLFSR) and keystream]
Specification
• F has six inputs and six outputs
  – Inputs = {a, b, c, d, e, f}
  – Outputs = {a', b', c', d', e', f'}
  – Feedback = b' || c'
  – Keystream = a' || e'
  – Explicit non-linearity provided by the G and H functions
Specification
• G and H Functions (2^32 → 2^32)
  – Composed of two 8×32 s-boxes, S1 and S2
  – S1 and S2 are generated heuristically
Specification
• F function
Design Principles
• F function
  – Complete at both the bit and the word level
    • A single bit change in any of the inputs affects all output bits and words
• S-boxes
  – Heuristically designed, no algebraic structure
  – All output bits have non-linearity 116
    • Optimal for a balanced Boolean function (n = 8)
  – Optimal algebraic degree (Siegenthaler's tradeoff)
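The properties quoted for the LILI-128 and LILI-II filter functions (balanced, nonlinearity, CI(m), algebraic order) and for each output bit of Dragon's 8×32 s-boxes (nonlinearity 116, Siegenthaler's tradeoff) can all be read off a truth table, and the added Python example below, which is not the authors' code, implements the standard checks: a Walsh-Hadamard transform for balance, nonlinearity and correlation immunity, and a Möbius transform for the algebraic degree. The functions it analyses are small constructed test functions and a seeded random 8×32 table, since the real fd and S1/S2 tables are not on the slides; the example generalises the slide's single claims to a checker that works for any Boolean function or s-box given as a table.

```python
"""Boolean-function property checks used in stream-cipher design reviews.

Added example, not the authors' code. The inputs analysed are constructed
test functions and a seeded random table, NOT the LILI fd or Dragon's s-boxes.
"""
import random
from typing import Callable, Dict, List, Sequence

BoolFn = Callable[[List[int]], int]


def truth_table(f: BoolFn, n: int) -> List[int]:
    """Entry x holds f(x), where bit i of the integer x is input variable x_i."""
    return [f([(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]


def walsh_spectrum(tt: Sequence[int]) -> List[int]:
    """W_f(a) = sum_x (-1)^(f(x) XOR a.x), via the fast Walsh-Hadamard butterfly."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def anf_coefficients(tt: Sequence[int]) -> List[int]:
    """Moebius transform: entry u is the ANF coefficient of the monomial prod_{i in u} x_i."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a


def analyse(f: BoolFn, n: int) -> Dict[str, object]:
    """Balance, nonlinearity, correlation-immunity order and algebraic degree of f."""
    tt = truth_table(f, n)
    w = walsh_spectrum(tt)
    nonlinearity = (1 << (n - 1)) - max(abs(v) for v in w) // 2
    ci = 0                                   # CI(m): W_f(a) = 0 for all 1 <= weight(a) <= m
    for m in range(1, n + 1):
        if any(w[a] != 0 for a in range(1, 1 << n) if bin(a).count("1") == m):
            break
        ci = m
    coeffs = anf_coefficients(tt)
    degree = max((bin(u).count("1") for u, c in enumerate(coeffs) if c), default=0)
    return {"balanced": w[0] == 0, "nonlinearity": nonlinearity, "ci": ci, "degree": degree}


def siegenthaler_ok(n: int, ci: int, degree: int, balanced: bool) -> bool:
    """Siegenthaler's tradeoff: ci + degree <= n - 1 for balanced functions, <= n otherwise."""
    return ci + degree <= (n - 1 if balanced else n)


def sbox_output_bit_nonlinearities(sbox: Sequence[int], n_in: int, n_out: int) -> List[int]:
    """Nonlinearity of each output bit of an n_in x n_out s-box given as a lookup table."""
    result = []
    for bit in range(n_out):
        w = walsh_spectrum([(sbox[x] >> bit) & 1 for x in range(1 << n_in)])
        result.append((1 << (n_in - 1)) - max(abs(v) for v in w) // 2)
    return result


def demo_8x32_sbox_check() -> List[int]:
    """Constructed 8x32 table (seeded random, NOT Dragon's S1/S2) run through the per-bit
    check a designer applies; the slides' s-boxes reach 116 on every output bit."""
    rng = random.Random(2004)
    sbox = [rng.getrandbits(32) for _ in range(256)]
    return sbox_output_bit_nonlinearities(sbox, 8, 32)
```

For x0 x1 ⊕ x2 x3 on four inputs (a bent function) the checker reports nonlinearity 6 but no balance and CI(0); for x0 ⊕ x1 ⊕ x2 ⊕ x3 x4 on five inputs it reports balanced, nonlinearity 8, CI(2) and degree 2, which meets Siegenthaler's bound with equality. A random 8×32 table typically lands well below 116 on most bits, which is why the Dragon s-boxes were searched for heuristically rather than drawn at random.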
Design Principles
• G and H functions
  – Output bits have higher non-linearity than other popular 32×32 mappings
    • e.g. AES, MUGI, SNOW
  – No linear redundancy
    • AES has linear redundancy due to its finite-field-based s-box
    • Dragon's s-boxes are built heuristically and use no finite field operations
Specification
• Initialisation
Design Principles
• Initialisation
  – Uses the F function and memory M arranged in a different manner to keystream generation
    • M is used as a 64-bit memory in initialisation
    • Feedback size is 128 bits in initialisation
    • A different FPDS is used in initialisation
  – 128-bit and 256-bit keys have similar initialisation
  – No more than 2^64 bits (2^58 words) of keystream per key and IV pair
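The word-based generator shape from the Dragon specification slides (1024-bit NLFSR as 32 words of 32 bits, a 64-bit memory/counter M, a six-word F function whose outputs b' || c' feed back and a' || e' form the 64-bit keystream word) together with the keystream limit of 2^58 words per key/IV pair from this slide, as an added Python example that is not the Dragon reference code. The register geometry, the output wiring and the limit are from the slides; the FPDS tap positions, where M is mixed in, and the body of f_standin are placeholders (f_standin has none of Dragon's G/H s-box properties), and initialisation is not modelled: the NLFSR state is supplied directly.

```python
"""Word-based keystream generator in the shape of Dragon, with the per-key/IV data limit.

Added example, NOT the Dragon reference code. FPDS positions, the M mixing points
and f_standin are placeholders; only the geometry, wiring and limit follow the slides.
"""
from typing import List, Sequence, Tuple

MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1
MAX_WORDS_PER_KEY_IV = 1 << 58        # slide: at most 2^64 bits = 2^58 64-bit words


def rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def f_standin(a: int, b: int, c: int, d: int, e: int, f: int) -> Tuple[int, ...]:
    """Placeholder for Dragon's F: six 32-bit words in, six out. Add/xor/rotate only,
    so that it runs; it does not use Dragon's G and H functions."""
    b = (b + rotl32(a, 7)) & MASK32
    c ^= rotl32(b, 11)
    d = (d + rotl32(c, 3)) & MASK32
    e ^= rotl32(d, 17)
    f = (f + rotl32(e, 13)) & MASK32
    a ^= rotl32(f, 5)
    return a, b, c, d, e, f


class DragonShaped:
    FPDS = (0, 9, 16, 19, 30, 31)     # placeholder tap positions, not Dragon's FPDS

    def __init__(self, state_words: Sequence[int], memory: int) -> None:
        if len(state_words) != 32:
            raise ValueError("the NLFSR holds 32 x 32-bit words (1024 bits)")
        self.nlfsr: List[int] = [w & MASK32 for w in state_words]
        self.m = memory & MASK64          # 64-bit memory/counter
        self.words_out = 0

    def remaining_words(self) -> int:
        return MAX_WORDS_PER_KEY_IV - self.words_out

    def next_word(self) -> int:
        """One 64-bit keystream word; refuses to exceed the per-key/IV budget."""
        if self.remaining_words() <= 0:
            raise RuntimeError("keystream limit for this key/IV pair reached; re-key")
        a, b, c, d, e, f = (self.nlfsr[i] for i in self.FPDS)
        c ^= self.m & MASK32              # assumed: the two halves of M enter two inputs
        d ^= (self.m >> 32) & MASK32
        a2, b2, c2, d2, e2, f2 = f_standin(a, b, c, d, e, f)
        self.nlfsr = [b2, c2] + self.nlfsr[:-2]   # feedback b' || c' (64 bits) shifts in
        self.m = (self.m + 1) & MASK64
        self.words_out += 1
        return (a2 << 32) | e2            # keystream word = a' || e'


def encrypt_words(words: Sequence[int], gen: DragonShaped) -> List[int]:
    """Word-based stream encryption: XOR each 64-bit message word with one keystream word.
    Decryption is the same call with a generator in the same starting state."""
    return [(w ^ gen.next_word()) & MASK64 for w in words]
```

Enforcing the 2^58-word budget inside the generator rather than in the caller is the defensive point: an application that forgets to re-key cannot silently run past the data limit the designers assumed in their distinguishing-attack analysis.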
Analysis
• Dragon passes all pertinent statistical tests
• Expected period 2^576 words
• Period lower bound 2^64 words
• Weak keys are prevented by
  – Use of the NLFSR
  – Limiting the affected inputs to 4 out of 6 in F
  – The G and H functions, which ensure proper mixing
Cryptanalysis
• Related Key and IV Attack
  – In initialisation
    • Controllable inputs are limited to 4
    • Internal state is completely replaced after 8 rounds
    • Non-zero differences are propagated throughout the internal state in no more than 12 rounds
Cryptanalysis
• Time/Memory/Data Tradeoff Attack
  – The internal state is 1024 + 64 bits, more than 4 times larger than the maximum key size of 256 bits
  – Complexity is much greater than exhaustive search
Cryptanalysis
• Guess and Determine Attack
  – FPDS selection quickly increases the complexity of an attack on the internal state
  – The G and H functions prevent an attack on internal variables
  – Complexity is greater than exhaustive search
Cryptanalysis
• Distinguishing Attack
  – No linear masking is used
  – Large expected period of 2^576 words, with the amount of keystream limited to 2^58 words per key/IV pair
Cryptanalysis
• Linear Approximations
  – The F function has bias no greater than 2^-73.3
  – Linear cryptanalysis seeks to relate key bits to internal state bits and keystream bits
  – Initialisation of Dragon uses 8 iterations of the F function
  – Bias of the best affine approximation over 8 iterations of F is no greater than (2^-73.3)^8 = 2^-586.4
Cryptanalysis
• Algebraic Attack
  – So far mainly effective on LFSR-based stream ciphers
  – Dragon uses an NLFSR and large s-boxes
  – Number of equations grows exponentially
    • Approximating modular addition with bitwise addition
    • Secure even if there are annihilators (none known)
Implementation
• Software
  – Machine: 3.2 GHz Pentium 4

  Cipher      Throughput
  LILI-128      72 Mbps
  LILI-II       66 Mbps
  Dragon      3820 Mbps
  AES         1828 Mbps

• Hardware
  – LILI family more efficient in terms of gates and memory
Conclusion
• Dragon and LILI-II
  – Secure against all known attacks
  – Dragon is more efficient in software
  – LILI-II is more efficient in hardware
• Source code can be found at:
  http://www.isi.qut.edu.au/resource/dragon
  http://www.isi.qut.edu.au/resource/lili