Nov 6, 2007 - Stream ciphers consist of a keystream generator and an output function. ... In mutual clock control generators, the LFSRs control ... Page 6 ...
Algebraic Attacks on Clock-Controlled Stream Ciphers by
Sultan Zayid Mohammed Al-Hinai Bachelor of Science (In Physics) (Strathclyde University- Glasgow -Scotland) – 2000 Master of Science (In Information Security) (Royal Holloway University of London ) – 2002
Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Institute Faculty of Information Technology Queensland University of Technology
November 6, 2007
Keywords Stream Ciphers, Linear Feedback Shift Registers, Non Linear Feedback Shift Registers, Regular Clocking, Irregular Clocking, Clock-Controlled, Algebraic Attacks, Fast Algebraic Attacks.
i
ii
Abstract Stream ciphers are encryption algorithms used for ensuring the privacy of digital telecommunications. They have been widely used for encrypting military communications, satellite communications, pay TV encryption and for voice encryption of both fixed lined and wireless networks. The current multi year European project eSTREAM, which aims to select stream ciphers suitable for widespread adoptation, reflects the importance of this area of research. Stream ciphers consist of a keystream generator and an output function. Keystream generators produce a sequence that appears to be random, which is combined with the plaintext message using the output function. Most commonly, the output function is binary addition modulo two. Cryptanalysis of these ciphers focuses largely on analysis of the keystream generators and of relationships between the generator and the keystream it produces. Linear feedback shift registers are widely used components in building keystream generators, as the sequences they produce are well understood. Many types of attack have been proposed for breaking various LFSR based stream ciphers. A recent attack type is known as an algebraic attack. Algebraic attacks transform the problem of recovering the key into a problem of solving multivariate system of equations, which eventually recover the internal state bits or the key bits. This type of attack has been shown to be effective on a number of regularly clocked LFSR based stream ciphers. In this thesis, algebraic attacks are extended to a number of well known stream ciphers where at least one LFSR in the system is irregularly clocked. Applying algebriac attacks to these ciphers has only been discussed previously in the open literature for LILI-128. In this thesis, algebraic attacks are first applied to keystream generators using stop-and go clocking. Four ciphers belonging to this group are investigated: the Beth-Piper stop-and-go generator, the alternating step generator, the Gollmann cascade generator and the eSTREAM candidate: the Pomaranch cipher. It is shown that algebraic attacks are very effective on the first three of these ciphers. Although no effective algebraic attack was found for Pomaranch, the algebraic analysis lead to some interesting findings including weaknesses that may be exploited in future attacks. Algebraic attacks are then applied to keystream generators using (p, q) clocking. Two well known examples of such ciphers, the step1/step2 generator and the self decimated generator are investigated. Algebraic attacks are shown to be very powerful attack in recovering the internal state of these generators. A more complex clocking mechanism than either stop-and-go or the (p, q) clocking keystream generators is known as mutual clock control. In mutual clock control generators, the LFSRs control the clocking of each other. Four well known stream ciphers belonging to this group are investigated with respect to algebraic attacks: the Bilateral-stop-and-go generator, A5/1 stream cipher, Alpha 1 stream cipher, and the more recent eSTREAM proposal, the MICKEY stream ciphers. Some theoretical iii
results with regards to the complexity of algebraic attacks on these ciphers are presented. The algebraic analysis of these ciphers showed that generally, it is hard to generate the system of equations required for an algebraic attack on these ciphers. As the algebraic attack could not be applied directly on these ciphers, a different approach was used, namely guessing some bits of the internal state, in order to reduce the degree of the equations. Finally, an algebraic attack on Alpha 1 that requires only 128 bits of keystream to recover the 128 internal state bits is presented. An essential process associated with stream cipher proposals is key initialization. Many recently proposed stream ciphers use an algorithm to initialize the large internal state with a smaller key and possibly publicly known initialization vectors. The effect of key initialization on the performance of algebraic attacks is also investigated in this thesis. The relationships between the two have not been investigated before in the open literature. The investigation is conducted on Trivium and Grain-128, two eSTREAM ciphers. It is shown that the key initialization process has an effect on the success of algebraic attacks, unlike other conventional attacks. In particular, the key initialization process allows an attacker to firstly generate a small number of equations of low degree and then perform an algebraic attack using multiple keystreams. The effect of the number of iterations performed during key initialization is investigated. It is shown that both the number of iterations and the maximum number of initialization vectors to be used with one key should be carefully chosen. Some experimental results on Trivium and Grain-128 are then presented. Finally, the security with respect to algebraic attacks of the well known LILI family of stream ciphers, including the unbroken LILI-II, is investigated. These are irregularly clock- controlled nonlinear filtered generators. While the structure is defined for the LILI family, a particular paramater choice defines a specific instance. Two well known such instances are LILI-128 and LILI-II. The security of these and other instances is investigated to identify which instances are vulnerable to algebraic attacks. The feasibility of recovering the key bits using algebraic attacks is then investigated for both LILI128 and LILI-II. Algebraic attacks which recover the internal state with less effort than exhaustive key search are possible for LILI-128 but not for LILI-II. Given the internal state at some point in time, the feasibility of recovering the key bits is also investigated, showing that the parameters used in the key initialization process, if poorly chosen, can lead to a key recovery using algebraic attacks.
iv
Contents Front Matter Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
i i
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iii v
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Declaration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Previously Published Material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix 1 Introduction 1.1 Overview of Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1 2
1.1.1 1.1.2
Measuring the Security Provided by Stream Ciphers . . . . . . . . . . . . . . The One Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 2
1.1.3
Keystream Generators for Stream Ciphers . . . . . . . . . . . . . . . . . . . .
3
1.1.4 1.1.5
Background on LFSR Based Stream Ciphers . . . . . . . . . . . . . . . . . . Clock-Controlled Generators . . . . . . . . . . . . . . . . . . . . . . . . . . .
4 4
1.2 1.3
Introduction to Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7 8
1.4 1.5
Key Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Aims and Objectives of Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8 10
1.6 1.7
Contributions and Achievements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Outline of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10 10
2 Overview of Algebraic Attacks on LFSR based Stream Ciphers 2.1 Framework for Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13 14
2.1.1
2.1.2 2.1.3
Equation Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Linearly Updated Internal States . . . . . . . . . . . . . . . . . . . . . . . . .
15 15
Nonlinearly Updated Internal States
. . . . . . . . . . . . . . . . . . . . . .
18
Reducing the Degree of the Equations . . . . . . . . . . . . . . . . . . . . . . Methods for Solving Nonlinear Equations . . . . . . . . . . . . . . . . . . . .
19 24
Linearization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
24
v
Gr¨obner Bases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
27
Other Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
Fast Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.1 Precomputation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31 31
2.2.2 Realtime Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32 35
3 Keystream Generators using Stop-and-Go Clocking 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37 37
2.2
2.3
3.2 3.3
3.4
3.5 3.6
3.7
3.8
Equation Generation for Stop-and-Go Generators . . . . . . . . . . . . . . . . . . . . Beth-Piper Stop-and-Go Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38 39
3.3.1 3.3.2
Description of the Basic Beth-Piper Stop-and-Go Generator . . . . . . . . . . Algebraic Attack of the Basic Beth-Piper Stop-and-Go Generator . . . . . . .
39 39
3.3.3 3.3.4
The Strengthened Beth-Piper Stop-and-Go Generator . . . . . . . . . . . . . Algebraic Attack on the Strengthened Beth-Piper Stop-and-Go Generator . . .
41 41
3.3.5
Reducing the Degree of the Equations . . . . . . . . . . . . . . . . . . . . . . Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
41 42
3.3.6
Comparison with Previous Cryptanalysis . . . . . . . . . . . . . . . . . . . .
43
3.3.7 Fast Algebraic Attack on Strengthened Beth-Piper Stop-and-Go Generator . . Alternating Step Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46 47
3.4.1 3.4.2
Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Algebraic Attack on the Alternating Step Generator . . . . . . . . . . . . . . .
47 47
3.4.3 3.4.4
Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Comparison with Previous Cryptanalysis . . . . . . . . . . . . . . . . . . . .
48 49
3.4.5 3.4.6
Modified Alternating Step Generator . . . . . . . . . . . . . . . . . . . . . . . Alternative Algebraic Attacks on the Alternating Step Generator . . . . . . . .
51 51
Cascade Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Gollmann Cascade Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
52 53
3.6.1 3.6.2
Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Algebraic Attack on the Gollmann Cascade Generator . . . . . . . . . . . . .
53 53
3.6.3
Recovering the Initial State . . . . . . . . . . . . . . . . . . . . . . . . . . . . Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
54 56
3.6.4
Comparison with Previous Cryptanalysis . . . . . . . . . . . . . . . . . . . .
56
3.6.5 3.6.6
An Alternative Algebraic Attack . . . . . . . . . . . . . . . . . . . . . . . . . 58 Clock-Controlled Cascade Generator with Output Bits Taken from All Registers 59
Pomaranch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.7.1 Pomaranch Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
60 60
3.7.2
Algebraic Analysis of Pomaranch . . . . . . . . . . . . . . . . . . . . . . . . Overcoming the Problem of the Degree Accumulation . . . . . . . . . . . . .
62 63
Algebraic Analysis of the Filter Function . . . . . . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
65 65
vi
4 Keystream Generators using (p, q) Clocking
67
4.1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
67
4.2
Step1/Step2 Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2.1 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68 68
4.2.2 4.2.3
Algebraic Attack on the Step1/Step2 Generator . . . . . . . . . . . . . . . . . Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68 69
4.2.4 4.2.5
Comparison with Previous Cryptanalysis . . . . . . . . . . . . . . . . . . . . Alternative Algebraic Attack on the Step1/Step2 Generator . . . . . . . . . . .
70 72
Self-Decimated Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3.1 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
73 73
4.3.2 4.3.3
Algebraic Attack on the Self-Decimated Generator . . . . . . . . . . . . . . . Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
73 74
4.3.4 Strengthening the (p, q) Self-Decimated Generator . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
75 75
5 Keystream Generators using Mutual Clock Control 5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
77 77
4.3
4.4
5.2
Equation Generation for Mutually Clock-Controlled Keystream Generators . . . . . .
78
5.3
The Bilateral Stop-and-Go Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3.1 Description of the Bilateral Stop and Go Generator . . . . . . . . . . . . . . .
81 81
5.3.2
Algebraic Analysis of the Bilateral Stop and Go Generator . . . . . . . . . . . Reducing the Overall Degree of the Equations . . . . . . . . . . . . . . . . . .
81 82
A5/1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.4.1 Description of A5/1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
83 84
5.4.2
Algebraic Analysis of A5/1 . . . . . . . . . . . . . . . . . . . . . . . . . . . Reducing the Overall Degree of the Equations . . . . . . . . . . . . . . . . . .
84 85
Alpha 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.5.1 Description of Alpha 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
86 87
5.5.2 5.5.3
Algebraic Attacks on Alpha 1 . . . . . . . . . . . . . . . . . . . . . . . . . . Reducing the Overall Degree of the Equations . . . . . . . . . . . . . . . . . .
88 88
5.5.4 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MICKEY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
89 90
5.6.1
Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
90
5.6.2 5.6.3
Algebraic Analysis of MICKEY-80 v1 . . . . . . . . . . . . . . . . . . . . . . Algebraic Analysis of MICKEY-80 v2 . . . . . . . . . . . . . . . . . . . . . .
91 92
5.7
5.6.4 Algebraic Analysis of MICKEY-128 v2 . . . . . . . . . . . . . . . . . . . . . An Alternative Algebraic Attack on Mutually Clock Control Stream Ciphers . . . . . .
93 94
5.8
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
96
5.4
5.5
5.6
6 Initialization and Algebraic Attacks 6.1 6.2
97
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Algebraic Attacks using Multiple Keystreams . . . . . . . . . . . . . . . . . . . . . .
97 98
6.2.1
99
Facilitating the Linearization Approach . . . . . . . . . . . . . . . . . . . . .
vii
6.2.2
Degree Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
6.3
Overview of Key Initialization Process of eSTREAM Ciphers . . . . . . . . . . . . . 101
6.4
Trivium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 6.4.1 Facilitating the Linearization Approach on Trivium . . . . . . . . . . . . . . . 103 6.4.2 6.4.3
6.5
6.6
Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Observation on Trivium Initialization . . . . . . . . . . . . . . . . . . . . . . 105
Grain-128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 6.5.1 Facilitating the Linearization Approach . . . . . . . . . . . . . . . . . . . . . 106 6.5.2 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
7 Algebraic Analysis of the LILI Keystream Generators 111 7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 7.2
7.3
Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 7.2.1 LILI-128 Keystream Generator . . . . . . . . . . . . . . . . . . . . . . . . . 113 7.2.2 LILI-II Keystream Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Algebraic Analysis of the LILI Family of Stream Ciphers . . . . . . . . . . . . . . . . 113 7.3.1
7.4
Attack 1 : Guessing the Controlling Register . . . . . . . . . . . . . . . . . . 114
7.3.2 Attack 2 : Keystream Decimation . . . . . . . . . . . . . . . . . . . . . . . . 115 Algebraic Analysis of the LILI-II Stream Cipher . . . . . . . . . . . . . . . . . . . . . 117 7.4.1 7.4.2
Algebraic Representation for the LILI Family of Stream Ciphers . . . . . . . . 117 Algebraic Attacks on LILI-II . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Standard Algebraic Attacks of Section 7.3.1 . . . . . . . . . . . . . . . . . . . 118 Standard Algebraic Attacks of Section 7.3.2 . . . . . . . . . . . . . . . . . . . 118
7.5
7.4.3 Fast Algebraic Attacks on LILI-II . . . . . . . . . . . . . . . . . . . . . . . . 118 Initialization and Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 7.5.1 7.5.2
Direct Recovery of Key Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Recovering the Key Bits Given the Internal State Bits . . . . . . . . . . . . . . 121
7.6
Investigating the Resistance of Other Instances of the LILI Family Ciphers to Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
7.7
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
8 Conclusion and Future Research 8.1
8.2
127
Review of Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 8.1.1 8.1.2
Chapter 3: Keystream Generators using Stop-and-Go Clocking . . . . . . . . . 128 Chapter 4: Keystream Generators using (p, q) Clocking . . . . . . . . . . . . . 129
8.1.3 8.1.4
Chapter 5: Keystream Generators using Mutual Clock Control . . . . . . . . . 129 Chapter 6: Initialization and Algebraic Attacks . . . . . . . . . . . . . . . . . 130
8.1.5 Chapter 7: Algebraic Analysis of the LILI Keystream Generators . . . . . . . 130 Future Directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
A Algebraic Relations in Pomaranch
133
B Algebraic Normal Form of LILI-II Boolean function
137
viii
Bibliography
141
ix
x
List of Figures 1.1 1.2
Binary additive stream cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Basic Clock-Controlled Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3 5
1.3 1.4
The Step1/Step2 Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mutually clock-controlled stream ciphers . . . . . . . . . . . . . . . . . . . . . . . .
5 6
1.5
Clock-controlled nonlinear filter generators . . . . . . . . . . . . . . . . . . . . . . .
6
2.1
Algebraic attacks algorithm
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18
2.2 2.3
Algorithm for finding low degree multiples . . . . . . . . . . . . . . . . . . . . . . . Algorithm for the linearization approach . . . . . . . . . . . . . . . . . . . . . . . .
21 25
2.4 2.5
Algorithm for the F4 approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Algorithm for the XL approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28 30
2.6 2.7
Precomputation step algorithm due to [60] . . . . . . . . . . . . . . . . . . . . . . . Algorithm for precomputation and realtime phases of the fast algebraic attack based on
32
LFSR based keystream generators . . . . . . . . . . . . . . . . . . . . . . . . . . . .
33
3.1
The Beth-Piper Stop-and-Go Generator - Basic Version . . . . . . . . . . . . . . . . .
39
3.2
Algorithm for algebraic attack for recovering the state of the Basic Beth-Piper Stop-
3.3
and-Go Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Beth-Piper Stop-and-Go Generator - Strengthened Version . . . . . . . . . . . . .
40 41
Algorithm for algebraic attack for recovering the state of the strengthened Beth-Piper stop-and-go generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
42
3.5 3.6
The Alternating Step Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Gollmann Cascade Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47 53
3.7 3.8
Algorithm for algebraic attack for recovering the state of the Gollmann cascade generator 55 Pomaranch Version 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.1 4.2
The Step1/Step2 Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Self-Decimated Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68 73
5.1 5.2
The Bilateral-stop-and-go-generator . . . . . . . . . . . . . . . . . . . . . . . . . . . A5/1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
81 84
5.3
Alpha 1 stream cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
87
5.4
The MICKEY family of stream ciphers . . . . . . . . . . . . . . . . . . . . . . . . .
90
6.1
Algorithm for facilitating the linearization approach using multiple keystreams . . . . 100
3.4
xi
6.2
Algorithm for obtaining low degree equations or for reducing the overall degree of the equations using multiple keystreams . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.3 6.4
Keystream generation and initialization processes of Trivium . . . . . . . . . . . . . . 103 The Grain family of stream cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
7.1 7.2
The LILI family of keystream generators. . . . . . . . . . . . . . . . . . . . . . . . . 112 Algorithm for algebraic attack based on guessing the controlling register . . . . . . . . 114
7.3
Algorithm for precomputation and realtime phases of the algebraic attack based on keystream decimation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
xii
List of Tables 2.1
LFSR internal state values in terms of initial state values . . . . . . . . . . . . . . . .
16
3.1
Attack Times for Beth-Piper Stop-and-Go Generator . . . . . . . . . . . . . . . . . .
43
3.2
Comparing algebraic attack and the linear syndrome attack on the strengthened BethPiper stop-and-go . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
45
3.3 3.4
Algebraic attack times on Alternating Step Generator . . . . . . . . . . . . . . . . . . Best known attacks on the Alternating Step Generator . . . . . . . . . . . . . . . . . .
48 50
3.5 3.6
Recovering the internal state bits of a Gollmann cascade with K = 4 . . . . . . . . . . Best known attacks on Gollmann cascade generator . . . . . . . . . . . . . . . . . . .
56 57
4.1 4.2
Algebraic attack times for step1/step2 generator . . . . . . . . . . . . . . . . . . . . . Best known attacks on Step1/Step2 Generator . . . . . . . . . . . . . . . . . . . . . .
69 71
4.3 4.4
Algebraic attack on the Self-Decimated Generator . . . . . . . . . . . . . . . . . . . . Algebraic attack times for Self-Decimated Generator . . . . . . . . . . . . . . . . . .
74 75
5.1
Description of clocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
79
5.2 5.3
Low degree multiples for the output function for the Bilateral Stop and Go Generator . Standard algebraic attacks on A5/1 with the guessing approach . . . . . . . . . . . . .
83 86
5.4 5.5
Standard algebraic attacks on Alpha 1 with the guessing approach . . . . . . . . . . . Best known attacks on the Alpha 1 stream cipher . . . . . . . . . . . . . . . . . . . .
89 89
5.6
Data obtained for the alternative algebraic attack . . . . . . . . . . . . . . . . . . . .
96
6.1
Number of IV needed for an algebraic attack for various given numbers of outputs and
6.2
degrees of the equations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Experimental results for Trivium :X = 288 iterations and Y = 21. . . . . . . . . . . . 104
6.3 6.4
Experimental results for Trivium :X = 335 iterations and Y = 21 . . . . . . . . . . . 104 Experimental results for Grain-128: X = 64 and Y = 12 . . . . . . . . . . . . . . . . 108
6.5 6.6
Experimental results for Grain-128: X = 82 and Y = 12 . . . . . . . . . . . . . . . . 108 Experimental results for Grain-128: X = 94 and Y = 12 . . . . . . . . . . . . . . . . 109
7.1 7.2
Parameters for two specific generators from the LILI family . . . . . . . . . . . . . . 112 Summary of the algebraic attacks of Sections 7.3.1 and 7.3.2 on both LILI-128 and LILI-II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
7.3 7.4
Attack of Section 7.3.1 using fast algebraic attacks on both LILI-128 and LILI-II . . . 119 Attack of Section 7.3.2 using fast algebraic attacks on both LILI-128 and LILI-II . . . 119 xiii
7.5
Summary of requirements for the algebraic attacks of Sections 7.3.1 and 7.3.2 . . . . . 122
7.6
Results of attack of Section 7.3.1
7.7 7.8
Results of attack of Section 7.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Results of attack of Section 7.3.1 using fast algebraic attacks . . . . . . . . . . . . . . 123
7.9
Results of attack of Section 7.3.2 using fast algebraic attacks . . . . . . . . . . . . . . 124
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Notation The keystream generators examined in this thesis are based on shift registers. Capital letters are used to denote registers and subscript to refer to a specific stage of a register, so A i refers to the ith stage of register A. To indicate the contents of the register at a specific time instance we use the superscript t. The lengths (in bits) of these registers are denoted l, m, n, r etc. The i th bit of register A at time t is denoted by Ati and so the output bit is Atl . The keystream is denoted z, so z t is used to denote the output from the entire system at time t. M denotes the number of monomials occurring in a given system of equations and d the degree of the equations.
xiv
Declaration The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.
Signed: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Date: . . . . . . . . . . . . . . . . . . . . . . . . .
xv
xvi
Previously Published Material The following papers have been published or presented, and contain material based on the content of this thesis. • [1] Sultan Zayid Al-Hinai, Lynn Batten, Bernard Colbert and Kenneth Wong. Algebraic attacks on clock-controlled stream ciphers. In L. M. Batten and R. Safavi-Naini, editors, Proceedings of Information Security and Privacy - 11th Australasian Conference, ACISP 2006, volume 4058 of Lecture Notes in Computer Science, pages 1–16. Springer-Verlag, 2006. • [2] Kenneth Wong, Bernard Colbert, Lynn Batten and Sultan Zayid Al-Hinai. Algebraic attacks
on clock-controlled cascade ciphers. In Rana Barua, Tanja Lange, editors, Proceedings of the 7th International Conference on Cryptology in India, INDOCRYPT - 2006, volume of Lecture Notes in Computer Science, pages 32–47 . Springer-Verlag, 2006.
• [3] Sultan Zayid Al-Hinai, Ed Dawson, Matt Henricksen and Leonie Simpson. On the Security of the LILI Family of Stream Ciphers Against Algebraic Attacks. In J. Pieprzyk and H. Ghodosi and E. Dawson, editors, Proceedings of Information Security and Privacy - 12th Australasian Conference, ACISP 2007, volume 4586 of Lecture Notes in Computer Science, pages 11–28. Springer-Verlag, 2007.
xvii
xviii
Acknowledgements In the name of Allah, the most gracious, the most merciful. Alhamdulliah without your blessing Allah I could not have finished this thesis. First of all I wish to thank all my supervisors Professor Ed Dawson, Dr Leonie Simpson and Dr Matt Henricksen. Professor Dawson is a very knowledgeable and caring person, he is always there when needed. Professor Dawson provided with the guidance, encouragement and enthusiastic support over the course of this work. Dr Simpson is very patient and provided me a lot of encouragement, support and guidance so that I could finish the thesis. In addition, thanks to Dr Henricksen who I came to know more closely in my last two years of my PhD for the useful discussion and moral support. To my former principal supervisor, Dr Bill Millan, thank you. To my wife and children your sacrifices are great, and without your support this thesis would not have been completed. My mother, brothers, sisters and family many thanks. Special thanks go to my mother who always provided advice when needed and always prayed for me to complete this thesis. I cannot forget my mother in law who gave us a great help with the children during the write up phase of the thesis. To the Omani government that provided the scholarship and gave me this opportunity to complete my PhD degree, many thanks also. I also would like to thank the support of Said Faraj Al-Rabia, Dr Hamed Al-Rawahi, and Yahya Al-Rawahi. To all of my friends in Oman and in Brisbane especially Yusof Banihamad, Saleh, Riza, Housain and all ISI staff and students your help and friendship have made study in Brisbane very enjoyable. I also would like to thank Dr Hovard Molland who visited our institute during the final year of PhD course, with whom I had useful discussions. I thank him for his initial advice and help in using the Magma mathematical software as a useful tool for my research. I wish to acknowledge the efforts of co-researchers, who worked with me on certain areas of this thesis. They are: Professor Lynn Batten, Dr Bernard Colbert and Kenneth Wong who worked with me on most of Chapters 3 and 4 except for Sections 3.3.7, 3.4.6, 3.6.6 and 4.2.5. Professor Lynn Batten and Dr Bernard Colbert also worked with me on parts of Chapter 5.
xix
xx
Chapter 1
Introduction
Stream ciphers have been widely used for providing data confidentiality for real time applications such as mobile telephony (as in the Global System for Mobile Communications (GSM) networks), satellite communications, pay-TV, secure online transactions and sensitive military communications. For these telecommunication applications, information needs to be encrypted and decrypted at high speed. For example decryption of high resolution streaming video data needs to occur in real time. In addition, these telecommunication applications often require the use of encryption algorithms with low implementation footprint (gates/memory), and which are cost effective. Stream ciphers can be designed to provide both security and meet these speed and efficiency requirements. In many telecommunication applications, error propagation can occur. There is a need for encryption algorithms that have limited or no error propagation. Stream ciphers can be designed to overcome the error propagation problems. Various methods have been proposed for analysing and attacking stream ciphers. Some of the proposed methods are generic and can be applied to any stream cipher regardless of the structure. Other methods are more specialized and structure dependent. Generally, the aim of an attack is to recover the internal state at some point in time, or recover the secret key bits. One specialized structure dependent attack method is known as algebraic attacks. Algebraic attacks are new methods for attacking and analyzing stream ciphers. They have drawn much attention from the cryptographic community. Although the effectiveness of these attacks on block ciphers has been questioned by members of the cryptographic community, many stream ciphers have been broken by algebraic attacks. This thesis investigates the security of a number of well known stream ciphers against algebraic attacks, and shows that certain stream ciphers are vulnerable to algebraic attacks. In this chapter, the major concepts and terms used in defining the topic are explained. This includes stream ciphers, keystream generators, and types of attacks on stream ciphers, including algebraic attacks. Secondly, an overview of the thesis is outlined, highlighting the main results.
1
2
Chapter 1. Introduction
1.1 Overview of Stream Ciphers Stream ciphers have been widely used for providing data confidentiality for real time applications as they have the potential to provide fast efficient encryption and decryption. Good introductions to modern stream ciphers and associated analysis are provided by Rueppel [170] and Menezes [150]. This section outlines the principle behind the design of modern stream ciphers and their components.
1.1.1 Measuring the Security Provided by Stream Ciphers Taking an information theoretic approach, Shannon [178] classified ciphers according to the security provided as follows: Definition 1.1 Unconditionally secure: A cipher is unconditionally secure or information theoretic secure if the attacker is unable to determine the plaintext with any probability greater than randomly guessing given unlimited ciphertext, time and computational power. Definition 1.2 Computationally secure: a cipher is computationally secure if an attacker is unable to determine the plaintext given the ciphertext and polynomial computing resources.
1.1.2 The One Time Pad The one-time pad is an encryption algorithm that combines a secret key and a message to generate the ciphertext. The key, plaintext message and the ciphertext are all of equal length. The one timepad is the only known unconditionally secure cipher. A one time-pad is regarded as perfectly secure and unbreakable if the secret key is a uniformly random stream, the lengths of the secret key and the plaintext are the same and the key is never reused for a second encryption. The Vernam cipher is a binary one-time pad [189]. The plaintext message, the secret key and the ciphertext are all binary streams. That is, the plaintext message characters, the secret key characters and the ciphertext characters are binary digits (bits). Only the sender and receiver know the key. Vernam introduced simple encryption and decryption functions. The encryption operation is the bitwise modulo 2 addition of the plaintext with the key. Similarly, the decryption operation is the bitwise modulo 2 addition of the ciphertext with the keystream. This operation is also known as XOR, and in this thesis denoted by ⊕. The XOR function is defined a follows 1 ⊕ 0 = 1, 1 ⊕ 1 = 0, 0 ⊕ 1 = 1 and 0 ⊕ 0 = 0.
Although it is fast and secure, the one-time pad has significant key management problems. The requirements for uncondition security (that the key is a truly random sequence the same length as the
message and may not be reused) result in significant issues with respect to the random generation of the key, the secure distribution of the key and finally the secure elimination of the key. In spite of this, many countries still use the one-time pad for very sensitive military information. For example, a onetime pad is used for the hot line between the United States and Russia where the security requirement justifies the cost. For most applications, a less expensive and more practical scheme is required. Stream ciphers solve some of the problems of key management (the major disadvantage of the one time pad) by taking a short key, and possibly also a publicly known initialization vector (IV ), as input to a keystream generator, and expand it into a long keystream. Stream ciphers aim to emulate a onetime pad by producing a keystream that appears unpredictable and random, although it is completely deterministic. Given the algorithm for keystream generation and the initial state of a generator then the
1.1. Overview of Stream Ciphers
3
same keystream will be produced each time. Although many modern stream ciphers try to adapt the idea of the one-time pad, none of these pseudorandom generators are unconditionally secure. Instead, they aim to be computationally secure. The aim is to produce a cipher for which an attacker, given reasonable resources and time, cannot recover the plaintext. A naive attack is to try every possible key. A stream cipher is known as secure if breaking it requires more computing power than exhaustive key search attack.
1.1.3 Keystream Generators for Stream Ciphers Definition 1.3 Stream Cipher : An encryption algorithm which divides the plaintext into successive characters and encrypts each character under a time varying function of the key [170]. For the last three decades, most of the proposed stream ciphers were based on one-bit characteristics. However, many recently proposed stream ciphers are based on characters consisting of a group of bits called words. Common word sizes are 8, 16, 32, or 64 bits. Most bit-based stream ciphers are fast in hardware but less efficient in software. Word based stream ciphers are intended to achieve adequate security, high speed and efficiency when implemented in software as well as hardware. Bit-based stream ciphers are widely used, and have been well studied and analyzed. The properties of sequences produced by ciphers based on bit-based linear feedback shift registers (LFSRs) in particular are well known. The ciphers examined in this thesis are all bit-based. Modern stream ciphers are divided into two classes: synchronous and self-synchronous stream ciphers. A synchronous stream cipher is a cipher in which the keystream is generated as a function of the key, and possibly an IV , and is produced independently from the ciphertext. In contrast, in selfsynchronizing stream ciphers, the keystream is generated as a function of the key, and possibly an IV , and a fixed number of ciphertext characters. All of the ciphers examined in this thesis are synchronous stream ciphers. Binary additive stream ciphers are the most common form of stream cipher. In binary additive stream ciphers, the output function is the bitwise modulo two addition (XOR). Figure 1.1 illustrates the encryption and decryption operations using a binary additive synchronous stream cipher. Let p t , z t and ct denote the plaintext, keystream and ciphertext bits, respectively, at time, for some t ≥ 0. Under encryption, the tth bit in the ciphertext stream is formed as ct = z t ⊕pt , where ⊕ is the output function. For decryption, the plaintext bitstream is recovered by adding, bitwise modulo 2, the keystream to the ciphertext bitstream. The tth bit in the plaintext stream is given by pt = z t ⊕ ct . The stream ciphers examined in this thesis are assumed to be binary additive stream ciphers.
Secret Key Initialization Vector -
Pseudorandom
Pseudorandom
Keystream
Keystream
Generator
Generator
zt
Sender
pt
? �� - + ��ct
zt
Channel
ct
� Secret Key � Initialization Vector
? �� - + - Receiver ��pt
Figure 1.1: Binary additive stream cipher
Chapter 1. Introduction
4
For binary additive stream ciphers, the security of the cipher depends on the keystream generator. Most stream cipher proposals are actually keystream generators and the cryptanalysis in this thesis focuses on keystream generators. The main building blocks of keystream generators are Boolean functions and feedback shift registers (both linear and nonlinear). More recently S-boxes have also been used in stream ciphers. These are generally considered to be the main building blocks of block ciphers (another symmetric encryption algorithm). All of the stream ciphers examined in this thesis are based on LFSRs, with the exception of the MICKEY ciphers. For modern stream ciphers, the key and an initialization vector (IV) are used as a seed for the initial state of the pseudorandom keystream generator. Each secret key and IV used as input to the pseudorandom keystream generator corresponds to a longer pseudorandom output sequence, known as the keystream. If the same key and IV are used for the keystream generators both on the sending and receiving ends of the transmission, both will produce the same keystream. Many stream cipher proposals employ the cipher algorithm itself for the key initialization process; to take advantage of both the known claimed security properties of the algorithm and also to avoid using extra hardware component (in hardware based stream ciphers).
1.1.4 Background on LFSR Based Stream Ciphers LFSRs are easy to implement in hardware, and the sequences they produce can be readily analyzed using algebraic techniques. It is well known that LFSRs can produce sequences of long period with good statistical properties. A single LFSR should not be used because the sequence it produces is linear [143]. Therefore, methods have been proposed to disguise the linearity of LFSRs. nonlinearity can be introduced into the keystream implicitly or explicitly. Three common methods for using LFSRs output sequences for forming nonlinear keystreams are [150] 1. Using multiple LFSR’s and a nonlinear combining function(either memoryless or with memory), 2. Using a single LFSR and nonlinear filter function, 3. Using irregular clocking of the LFSR’s ( Clock-Controlled generators) A combination of these methods may also be used. For example, the LILI ciphers discussed in Chapter 7 use both the second and the third approaches. Note that most of the work presented in this thesis is on clock-controlled generators. Moreover, the security properties of generators that use the combination of LFSRs and nonlinear Boolean functions are well understood and analyzed [95,166,169]. An overview of methods of analysis of these ciphers is given in [150].
1.1.5 Clock-Controlled Generators Keystream generators may be constructed using irregularly clocked LFSRs. Irregular clocking in LFSRs is used to enhance their complexity and consequently security. These are known as clockcontrolled generators. Clock-controlled ciphers assume the existence of an underlying clock that maintains a consistent set of basic time intervals against which a register and its output can be compared. A bit-based LFSR
1.1. Overview of Stream Ciphers
5
system can then be established in a number of ways. A register can be stepped in synchrony with the underlying clock; it may move more slowly than the underlying clock, taking more than one basic unit to shift the registers; but it can be assumed that it will never shift faster than the clock as otherwise we can adjust the basic clocking time to the step time of the register. Similarly, the output from a system of clock-controlled LFSRs can be synchronized with the clock time or can be slowed down or varied against the clock time. If a register shifts with the basic time interval, it is referred to as regularly clocked. If the output is delivered with the basic time interval, it is referred to as regular output. In this thesis, clock controlled LFSR based stream ciphers are divided into four groups. The first group is known as keystream generators using stop-and-go clocking. The simplest designs of such group uses only two LFSRs; one of these is a control register, LF SRA of length l and the other is the controlled register, LF SRB of length m as illustrated in Figure 1.2. LFSR A l
LFSR B m
Output bit
Figure 1.2: Basic Clock-Controlled Generator Usually the control register is regularly clocked, and the output of this register controls the clocking of the second register. The output of B, that is the controlled register usually forms the keystream sequence, z. A well known example of this simple design is the stop-and-go generator due to Beth and Piper [26]. In this cipher, LFSR A is regularly clocked and LFSR B is clocked once if the output of LFSR A is 1 but not clocked if the output is 0. Alternatively, one register can be used to control the clocking of more than one stop-and-go LFSRs where the outputs of stop-and-go LFSRs are combined to form the keystream, as occurs in the alternating step generator [115]. An extension of the above can be seen in the Gollmann cascade generator and Pomaranch cipher, another eSTREAM cipher. This group of stream ciphers are thoroughly discussed with regards to algebraic attacks in Chapter 3. The second group is known as keystream generators using (p, q) clocking as shown in Figure 1.3. LFSR A l
0 : clock p time 1 : clock q times
LFSR B
Output
m
Figure 1.3: The Step1/Step2 Generator The clocking mechanism used in such group is more complex than the first group. Keystream generators using (p, q) were proposed to resist attacks that utilizes the repetition of the clock controlled register output in the keystream. This system is an improvement on that proposal, as stop-and-go clocking is avoided. In (p, q) clocking, the controlled register/registers are clocked at least p times and at most q times. Well known examples of this group ciphers are the self-decimated generator due to Rueppel and the step1/step2 generator due to Chambers and Gollmann. The security of this group ciphers against algebraic attacks are outlined in Chapter 4. The third group of clock controlled keystreams generators this thesis deals with is known as keystream generators using mutual clock control as shown in Figure 1.4. The clocking mechanism used in this group is more complex than the other two groups. The LFSR of ciphers belonging to this group mutually clock control each other. Well known example of ciphers
Chapter 1. Introduction
6
R1
Clock Control Unit
f
z
R2 R3
Figure 1.4: Mutually clock-controlled stream ciphers of this group is the A5 stream ciphers used in the GSM networks. An in depth analysis of the resistance of such groups along with some theoretical results are given in Chapter 5. The fourth group of clock controlled stream cipher is a combination of the first and second groups. Ciphers belongs to this group are known as irregularly clocked nonlinear filter generators as shown in Figure 1.5. l LFSR A
m LFSR B
f
Output bit
Figure 1.5: Clock-controlled nonlinear filter generators In these ciphers, one regularly clocked LFSR is used to control the clocking of another LFSR in a (p, q) style clocking. Filtering some stages of the second LFSR by a chosen cryptographic filter function generates the output of the cipher. A well known example of ciphers of this group is the LILI family of stream ciphers [182]. The security provided by these ciphers against algebraic attacks is presented in Chapter 7. Note that there are other types of clock controlled stream ciphers that are not discussed in this thesis. This includes the shrinking, self-shrinking generators and the bit search generator [56,114,149]. In these ciphers the output bits are chosen in a selective way. For example, in the shrinking generator, two LFSRs are used where both are regularly clocked. However, the output of the cipher is taken to be the output of the second LFSR whenever the output of the first LFSR is 1. Clock controlled stream ciphers can be designed to combine any of the four groups design approaches. Recently, new types of clock controlled stream ciphers have been proposed that falls into one or more of the above groups. However, the way the registers are clocked is quite new and novel. In the new approach termed jump registers, registers can move to a state that is more than one step ahead without having to step through all the intermediate states. This was first introduced in [129] as alternative to traditional clock-controlled registers to provide LFSR based stream ciphers protection against side channel attacks while preserving the advantages of irregular clocking. Examples of such stream ciphers are the one that have been submitted to the eSTREAM ciphers. The MICKEY stream ciphers as investigated in Chapters 5 and 6 and the Pomaranch family of stream ciphers are analyzed in Chapter 3.
1.2. Introduction to Cryptanalysis
7
1.2 Introduction to Cryptanalysis In the past, most encryption algorithm were kept secret (many are still secret). However, this strategy has never been regarded as a good basis for security. Many algorithms were broken even when they were hidden, such as the well known World War Two German Enigma machine, and the more recent GSM encryption algorithm A5/1. Therefore, modern cryptology uses Kerchoff’s principle [135] which states that ”The security of the encryption scheme must depend only on the secrecy of the key, and not on the secrecy of the algorithm.” Modern cryptanalysis of a cryptosystem begins with the assumption that the encryption algorithm is known. In analysing the security of stream ciphers, the following assumptions will be made: • Assumption 1: an attacker has a complete knowledge of the structure of the cipher, • Assumption 2: an attacker has a considerable amount of ciphertext and • Assumption 3: an attacker knows a segment of plaintext and the corresponding segment of ciphertext.
Based on these three assumptions, the aim of the cryptanalysis is to recover either the internal state at some instant t or the secret key bits used to generate the keystream. Due to the deterministic nature of the algorithm, this will allow the attacker to recover the rest of the plaintext. Various methods have been proposed for attacking stream ciphers. Some of these are generic and can be applied to any stream cipher. Others are more specialized and are based on the structure of the ciphers. In addition, some attacks recover the key bits; others recover the internal state bits and still others distinguish the output of the algorithm from a truly random output. The effectiveness and success of the attacks are measured by time, memory and data complexities: 1. Time complexity: is the number of basic operations required to complete the attack. If the attack requires less operations than exhaustive key search, then the attack is considered to be successful and the cipher is broken (at least from the theoretical point of view), 2. Memory complexity: is the storage memory required to perform the attack and 3. Data complexity: is the amount of data required to run the attack. The data can be ciphertext or known plaintext-ciphertext pairs. The attacker may perform the attack in two phases: the precomputation phase and realtime phase. In the precomputation phase, the attacker runs the most expensive operations which can have complexity up to the complexity of an exhaustive key search and unrealistically amount of storage. Then in the real time phase, the attacker runs simpler operations compared to that of the precomputation in order to recover the secret key, possibly performing this in real time. As far as stream ciphers are concerned, a basic security requirement is that the keystream generated must have three properties: large period, high linear complexity and statistical randomness. These are the minimum security requirements. Well known methods have been proposed to satisfy these properties in [169]. In general, all of the stream ciphers which will be examined in this thesis satisfy these three properties. However, these are necessary but not sufficient requirements. Many of these stream ciphers can still be attacked using algebraic techniques.
Chapter 1. Introduction
8
There are many cryptanalytic attacks that can be applied to stream ciphers; these include generic attacks such as exhaustive key search and time/memory/tradeoff attacks. Others are more specialized, such as divide and conquer attacks, conditional and unconditional correlation attacks, attacks based on linear consistency, linear cryptanalysis, inversion attacks, guess and determine attacks and side channel attacks [150] The more recently proposed algebraic attacks are investigated in this thesis and applied to various stream ciphers. In this thesis, we attack the keystream generators of the stream ciphers analysed using known keystream bits.
1.3 Algebraic Attacks In 1949, Shannon [178] first pointed out two important facts about a symmetric cipher. Firstly, a cipher can be expressed as a system of nonlinear equations. Secondly, breaking a good cipher should require as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type. It is well known that solving systems of nonlinear equations is difficult in general. To date, no polynomial time algorithms are known for solving systems of nonlinear equations. Representing a cipher as a system of equations and solving the system of equations to recover either the internal state or the key bits is now known as an ”algebraic attack”. The phrase algebraic attacks was first used in [65]. However, algebraic attacks were first applied to public key cryptosystems by Courtois [58] and then to block ciphers by Courtois and Pieprzyk [67] and then to stream ciphers in [59, 65]. This idea is not new. However, the approach was novel in that it included the application of methods for reducing the degree of a system of equations before solving them, and proposed newer methods for solving cryptographic multivariate system of equations (for example by, relinearization, extended linearization). Other approaches for solving multivariate system of equations including the Gr¨obner bases and Sat-Solver methods were adopted for solving multivariate system of equations describing a cryptosystem. Improved algorithms for solving nonlinear equations, such as F 4 and F 5, which are based on the Gr¨obner bases methods, have also been applied to ciphers. For stream ciphers, algebraic attacks have been applied particularly in the cryptanalysis of stream ciphers based on linear feedback shift registers (LFSR). They have been shown to be very powerful in attacking regularly clocked LFSR bit-based stream ciphers and are very important tools for analyzing LFSR based stream ciphers. This thesis investigates the security against algebraic attacks of a number of well known constructions of stream ciphers. Chapter 2 discusses in more details standard algebraic attacks, fast algebraic attacks and the approaches used in the algebraic attacks presented in the remainder of this thesis.
1.4
Key Initialization
In some telecommunication systems, such as in mobile telephony and the Internet, errors occur which require that the entire message be re-sent. When synchronous stream ciphers are used, security requires that a different keystream sequence be used. Under certain circumstances the same key can be used to produce a different keystream. To achieve this, a re-keying algorithm (known also as a resynchronisation algorithm) is needed to combine the secret key with a publicly known initialization vector to form
1.4. Key Initialization
9
the initial state for keystream generation. Moreover, the resynchronisation algorithm has to be very efficient and fast. Almost every stream cipher proposed after 2000 has a key initialization algorithm. Therefore, Definition 1.3 of a modern stream cipher should actually be revised as follows Definition 1.4 Modern Stream Cipher : An encryption algorithm which divides the plaintext into successive characters ( bit/bits) and encrypts each character under a time varying function of the internal state, where the internal state is a function of the key and IV. For many ciphers proposed in the last century, there was no distinction between the size of the internal state and the key size; the key size was the same as the internal state size, and initialization was often simply loading the key into the internal state. If an attacker recovered the internal state he/she also recovered the secret key. By 2000, this had changed and key initialization was generally regarded as a required part of a keystream generator proposal. The first public request for key initialization in stream cipher proposals was during the attempt to establish stream cipher standard by the NESSIE organization [1]. Some stream ciphers employing a key initialization process before this include the well known A5, and RC4 ciphers. Since then, people started to distinguish between the key size and the internal state size. For most ciphers, the internal state size was chosen to be at least twice as large as the key size to prevent for example time/memory/tradeoffs attacks [29]. Before a secret key is loaded into the cipher, it goes through some mixing known as key initialization with some publicly known initialization vectors. The two are used to fill the larger internal state. Many modern cryptanalytic techniques recover the internal state bits rather than the key bits. It is sometimes claimed that it is an easy task to recover the key bits given the internal state bits. This claim will be investigated through an examination of key initialization and algebraic attacks on several ciphers in Chapter 6. There are two well known methods for achieving resynchronisation; fixed resynchronisation and requested resynchronisation. In fixed resynchronisation, the message is divided into frames and each frame is encrypted using the secret key and a unique IV. The frame lengths are generally updated by a frame counter in a deterministic way. Attacks targeting this type of resynchronisation are termed known IV resynchronisation attacks. The frame length of stream ciphers employing this type of resynchronisation is typically short, for example, it is 228 bits as in the A51 stream cipher used in GSM cellular voice and data communication [37] and 2745 bits as in the E0 stream cipher used in Bluetooth [5] wireless communication. It will be shown in Section 5.5 that some proposed attacks on ciphers based on fixed resynchronisation are not practical, as they require much more keystream than the typical frame length. In requested resynchronisation, as the name suggests, the receiver sends a resynchronisation request to the sender as soon as synchronization loss is detected. In this case, the receiver may be allowed to choose the IV used in the frame. This may enable a chosen IV resynchronisation attack. A good resynchronisation mechanism should be both fast and resistant against both chosen and known IV attacks. If only a single segment of keystream is known, (no re-keying occurs) then to break a particular instance of the cipher, the cryptanalyst must recover the initial internal state S, using knowledge of the structure of the keystream generator and some amount of the keystream, z. In contrast, with resynchronisation occurring, the cryptanalyst has access to multiple related keystreams produced under the same k and for different but known IV , where the IV’s are typically sequential or differing in only a few bits. The cryptanalyst’s task is then to recover k, given a set of (IV, z) pairs. For security in this scenario,
Chapter 1. Introduction
10
it is required that the re-keying process does not leak information about the key k. In this thesis, we investigate the effect of the initialization process of a cipher on the feasibility of algebraic attacks.
1.5 Aims and Objectives of Thesis The main aim of this thesis is to extend the application of algebraic attacks to clock-controlled stream ciphers. These types of stream ciphers have not been analysed before from an algebraic attack perspective. The motivation behind this is that some clock-controlled stream ciphers are used in the real world. The thesis will investigate the security of a number of well-known keystream generators such as those using stop-and-go clocking, keystream generators using (p, q) clocking, keystream generators using mutual clock control and the LILI family of irregularly clocked nonlinear filter generators. This thesis also aims to determine the effect of the key initialization on algebraic attacks. This aspect of cipher security with respect to algebraic attacks has not been examined in the open literature before. The examination will be conducted on a number of the ciphers in phase three of eSTREAM, the ECRYPT Stream Cipher Project [2]. The ECRYPT Stream Cipher Project is a multi-year effort to identify new stream ciphers that might become suitable for widespread adoption. The final aim of the thesis is to analyze the feasibility of recovering the key bits of a cipher given the recovery of the internal state using algebraic attacks. Previously, there was little distinction in the open literature between key recovery and state recovery using algebraic attacks. This thesis addresses this important issue.
1.6 Contributions and Achievements This thesis has achieved the following : • Presented the first algebraic attacks and analysis on stop-and-go clock-controlled stream ciphers (Beth Piper, Alternating step generator), keystream generators using (p, q) clocking (step1/step2, self-decimated generators), clock-controlled cascade stream ciphers(Gollmann cascade, POMARANCH V1, V2). It also provided a thorough algebraic analysis of mutually clock-controlled stream ciphers (the bilateral stop and go generator, A5/1, and MICKEY family of stream ciphers). An algebraic attack on the mutually clock-controlled stream cipher, Alpha 1 is also presented. • Established and provided a better understanding of algebraic attacks on irregularly clockedcontrolled nonlinear filter generators (The LILI family of stream ciphers);
• Investigated the role of the key initialization and algebraic attacks on the eSTREAM cipher (Trivium and Grain-128).
1.7 Outline of the Thesis The thesis is composed of eight chapters. Chapters 1 and 2 respectively provide the introduction, an outline of the thesis and techniques for applying algebraic attacks to stream ciphers. Chapters 3, 4, 5, 6 and 7 form the main body of the thesis and discuss the application of algebraic attacks on specific stream ciphers, while Chapter 8 is the conclusion.
1.7. Outline of the Thesis
11
Chapter 2 outlines the various algebraic methods that have been proposed for attacking stream ciphers. A description will be provided of the algorithms which are used in the later part of the thesis. This includes algorithms for the standard algebraic attacks and fast algebraic attacks. Chapter 3 describes the investigation into the security of stop-and-go generators and extensions of this idea against algebraic attacks. Included in this investigations are the Beth-Piper stop-and-go generator, both the basic and strengthened versions, the alternating step generator, the Gollmann cascade generator and the Pomaranch family of stream ciphers. It will be shown that the stop-and-go generators are prone to algebraic attacks. Chapter 4 extends algebraic attack to complex keystreams generators that use a (p, q) clocking. Such generators were proposed to resist attacks that utilize the repetition of the clock-controlled register output in the keystream. This system is an improvement on that proposal, as stop-and-go clocking is avoided. In (p, q) clocking, the controlled register/registers are clocked at least p times and at most q times. Algebraic attacks and analysis on two well known examples of such generators is given. Chapter 5 presents an algebraic analysis on a more complex clock-controlled stream ciphers. In this chapter, the security of keystream generators using mutual clock control is examined against algebraic attacks. A number of known ciphers are investigated in this chapter. This includes the bilateral-stopand-go generator, A5/1, Alpha 1 and the MICKEY family of stream ciphers. Chapter 6 considers the effect of initialization on algebraic attacks for two stream ciphers. Both of these are profile 2 submissions to eSTREAM, the ECRYPT Stream Cipher Project [2], and are currenty focus ciphers in phase 3. At present, there is nothing in the open literature that investigates the effect of key initialization on the security with respect to algebraic attacks. This chapter presents a preliminary step in this direction and presents some experimental results of investigations performed on Trivium and Grain-128. Chapter 7 investigates algebraic attacks on a well known example of irregularly clocked nonlinear filter generators, the LILI family of stream ciphers. The chapter investigates both the feasibility of recovering the internal state using algebraic attacks and of recovering the key bits taking into consideration the key initialization process. The possibility of recovering the key bits given the internal state bits using algebraic attacks is also considered in this chapter. Chapter 8 concludes the thesis by highlighting the main outcomes of the thesis and providing some directions for future research. Some of the results presented in this thesis have been previously published in the academic literature, or presented, during the course of the work, as indicated in the list of published papers included in the front-matter of this thesis. The research outlined in Sections 3.2, 3.3, 3.4, 4.3 and 4.2 has been published in paper [1]. The research described in Sections 3.5 and 3.7 was published in [2]. The research contained in Chapter 7 except for Sections 7.6 was published in [3].
12
Chapter 1. Introduction
Chapter 2
Overview of Algebraic Attacks on LFSR based Stream Ciphers Cryptanalysis is about analyzing a cryptographic system, with the aim of finding weaknesses that can be exploited in attacks. The aim of the attack may be to recover the internal state of the keystream generator or to recover the key bits or some portion of them. In order to design a secure, optimal and efficient encryption algorithm it is important to be able to analyze it with respect to the security it provides against known attacks. In addition, it is desirable, although difficult, to design an encryption algorithm that is resistant to all known attacks and also future attacks. Many encryption algorithms designed to resist attacks known at the time of the design have later fallen to new attacks. Recently, new types of attacks known as algebraic attacks have been proposed on both block ciphers and on LFSR based stream ciphers. Algebraic attacks were first applied to public key cryptosystems by Courtois [58] and then to block ciphers by Courtois and Pieprzyk [67] and then to stream ciphers in [59, 65]. An algebraic attack is based on solving an overdefined system of multivariate algebraic equations involving secret key bits or internal state bits and keystream bits. Many well known LFSR-based stream ciphers with regular clocking have fallen to algebraic attacks. Examples of these algebraic attacks on stream ciphers include attacks on nonlinear filter generators [65], attacks on combiners with memory [12] where the combiner consists of K LFSRs and l-bits of memory and applied to E0, on a summation generator of K LFSRs and l-bits memory [140], on a number of modified bit based stream ciphers [61], an attack by Joo Yeon Cho and Josef Pieprzyk [50] on the Sober class of stream ciphers (modified to remove the stuttering), an algebraic analysis of Snow 2 [27], and recently, on two of the eSTREAM ciphers, F-FCSRs ∗ [24] and Sfinks cipher [62]. It should be noted that solving the system of equations will not guarantee the full recovery of the key or the internal state. In addition, in some cases, obtaining these multivariate equations normally uses other techniques found in the literature. For example, in some algebraic attacks, an attacker often has to guess some key bits in order to be able to generate a set of equations describing the ciphers. Further, solving the system of equations might reveal some key or internal state bits; therefore, other ∗ Note
that F-FCSRs ciphers are not LFSR based
13
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
14
cryptanalytic techniques would have to be used in order to recover the remaining bits. The interest in algebraic attacks has opened new avenues of research in cryptography in three major areas. These are: 1. The search for new techniques or the adaptation of existing techniques for solving systems of equations that describe an encryption algorithm. This area will be discussed in Section 2.1.3, 2. The search for algorithms and methods for reducing the overall degree of the equations as discussed in Section 2.1.2 and 3. Designing cryptographic Boolean functions that preserve all the previously known cryptographic properties along with the newly recognized property, algebraic immunity [146]. Many papers have been published in this area, see for example [13, 36, 42, 68, 69, 141]. However, as none of the ciphers analyzed in this thesis used these newly proposed Boolean functions, this will not be discussed. In this thesis, the only application of an algebraic immune function is the output function used in the Grain family of stream ciphers discussed in Chapter 6. This chapter is organized as follows. Section 2.1 presents the framework for algebraic attacks on both regularly clocked and irregularly clocked LFSR based ciphers. Section 2.1.2 discuses methods used for reducing the overall degree of the equations. Section 2.1.3 outlines methods used in algebraic attacks for solving nonlinear equations. Fast algebraic attacks on LFSR based stream ciphers are discussed in Section 2.2. Section 2.3 present a summary of the chapter.
2.1 Framework for Algebraic Attacks To conduct a successful algebraic attack on a keystream generator, there are three essential requirements to meet. The attacker must be able to find valid relationships between the internal state with the keystream output bits, be able to reduce the degree of the formed system of equations prior to solving them and be able to solve the equations efficiently. Firstly, one has to be able to find valid relations between the internal state of the generator and the output that will hold for all time instances. This is a simple task for regularly clocked LFSR-based stream ciphers. In some keystream generators, some output bits are discarded, or the registers are clocked in an irregular manner. In these cases it is very challenging to find such relations. We will describe methods to overcome these challenges in Chapters 3, 4, 5, and 7. Secondly, for successful algebraic attacks, an attacker should try to reduce the degree of the formed system of equations as far as possible. Having a system of equations of low degree will significantly reduce the complexity of solving the equations and hence recovering the unknowns in the system of equations. Few methods will be shown to achieve low degree equations. The last requirement is the ability to solve the equations efficiently, to obtain an overall attack complexity less than brute force. Note that although the complexity of solving equations might be much less than exhaustive key search, this does not necessarily mean that the cipher can be broken, especially if guessing was involved to obtain the low degree equations necessary to run the attack. This is demonstrated in the analysis of the LILI family of stream ciphers against algebraic attacks presented in Chapter 7.
2.1. Framework for Algebraic Attacks
15
This section provides the framework for algebraic attacks on LFSR based stream ciphers. It will consider two types of LFSR based stream ciphers; regularly clocked LFSR based stream ciphers and irregularly clocked LFSR based stream ciphers. For regularly clocked ciphers, an LFSR is stepped in synchrony with the underlying clock. If a register shifts with the basic time interval, we refer to is as regularly clocked. If the output is delivered with the basic time interval, we refer to it as regular output. If the internal state of the system goes through all the possible states sequentially in order, then the internal state of the system can be represented as a system of linear equations hereby denoted as a linear update internal state. For irregularly clocked stream ciphers, an LFSR may move more slowly than the underlying clock, taking more than one basic time unit to shift the registers; but it can be assumed that it will never shift faster than the clock as otherwise we can adjust the basic clocking time to the step time of the register. The output from a system of irregularly clocked LFSRs can be synchronized with the clock time or can be slowed down or varied against the clock time.
2.1.1 Equation Generation This section provides the framework for forming a system of equations representing the cipher. It will consider stream ciphers with regularly clocked registers with a linear update of the internal state and irregularly clocked registers with a nonlinear update of the internal state. In both cases, we assume that the output of the system is generated by taking some inputs into an output function or a filtering function f of degree d. Denote the size of the internal state of a stream cipher by n and the keystream bits z t be generated from a filter function f such that z t = f (S t ), where S t = (s1 , . . . , sn ) Linearly Updated Internal States The framework for algebraic attacks provided in this section is well suited for nonlinear combining function generator and for nonlinear filter generators. Denote the linearly updated internal state over time t by a function L by (s1 , . . . , sn ), were Lt = L ◦ . . . ◦ L. The task of an algebraic attack is to recover (s1 , . . . , sn ) given T number of output bits z 1 , . . . , z T . For such ciphers, it is clear that z t = f (S t ) = f ◦ Lt (s1 , . . . , sn ) Given the above information, a system of equations relating the outputs with the internal state bits can be set up as follows: z1 z
2
zT
= f ◦ L(s1 , s2 , . . . , sn )
= f ◦ L2 (s1 , s2 , . . . , sn ) .. . = f ◦ LT (s1 , s2 , . . . , sn )
(2.1)
For the purpose of illustration, consider the following example. Example 2.1 Consider a nonlinear filter generator based on an LFSR of size n = 5. Denote the contents of the LFSR by x1 , x2 , . . . , x5 . Suppose r = 5 stages of the LFSR are viewed as input to a
16
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
filter function f of degree 3, with the following ANF z = f (s1 , s2 , . . . , s5 ) = s1 + s2 s3 + s3 s4 s5
(2.2)
Let the feedback polynomial of the LFSR be x5 + x2 + 1. Given this, one can easily work out the contents of the LFSR in each stage of the register for successive clocking as shown in Table 2.1 t 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
s1 x1 x 2 + x5 x 1 + x4 x 2 + x3 + x5 x 1 + x2 + x4 x 1 + x2 + x3 + x5 x 1 + x4 + x5 x 2 + x3 + x4 + x5 x 1 + x2 + x3 + x4 x 1 + x3 + x5 x 4 + x5 x 3 + x4 x 2 + x3 x 1 + x2 x 1 + x2 + x5 x 1 + x2 + x4 + x5 x 1 + x2 + x3 + x4 + x5 x 1 + x3 + x4 + x5 x 3 + x4 + x5 x 2 + x3 + x4 x 1 + x2 + x3
s2 x2 x1 x2 + x 5 x1 + x 4 x2 + x 3 + x 5 x1 + x 2 + x 4 x1 + x 2 + x 3 + x 5 x1 + x 4 + x 5 x2 + x 3 + x 4 + x 5 x1 + x 2 + x 3 + x 4 x1 + x 3 + x 5 x4 + x 5 x3 + x 4 x2 + x 3 x1 + x 2 x1 + x 2 + x 5 x1 + x 2 + x 4 + x 5 x1 + x 2 + x 3 + x 4 + x 5 x1 + x 3 + x 4 + x 5 x3 + x 4 + x 5 x2 + x 3 + x 4
s3 x3 x2 x1 x2 + x 5 x1 + x 4 x2 + x 3 + x 5 x1 + x 2 + x 4 x1 + x 2 + x 3 + x 5 x1 + x 4 + x 5 x2 + x 3 + x 4 + x 5 x1 + x 2 + x 3 + x 4 x1 + x 3 + x 5 x4 + x 5 x3 + x 4 x2 + x 3 x1 + x 2 x1 + x 2 + x 5 x1 + x 2 + x 4 + x 5 x1 + x 2 + x 3 + x 4 + x 5 x1 + x 3 + x 4 + x 5 x3 + x 4 + x 5
s4 x4 x3 x2 x1 x2 + x 5 x1 + x 4 x2 + x 3 + x 5 x1 + x 2 + x 4 x1 + x 2 + x 3 + x 5 x1 + x 4 + x 5 x2 + x 3 + x 4 + x 5 x1 + x 2 + x 3 + x 4 x1 + x 3 + x 5 x4 + x 5 x3 + x 4 x2 + x 3 x1 + x 2 x1 + x 2 + x 5 x1 + x 2 + x 4 + x 5 x1 + x 2 + x 3 + x 4 + x 5 x1 + x 3 + x 4 + x 5
Table 2.1: LFSR internal state values in terms of initial state values
s5 x5 x4 x3 x2 x1 x2 + x 5 x1 + x 4 x2 + x 3 + x 5 x1 + x 2 + x 4 x1 + x 2 + x 3 + x 5 x1 + x 4 + x 5 x2 + x 3 + x 4 + x 5 x1 + x 2 + x 3 + x 4 x1 + x 3 + x 5 x4 + x 5 x3 + x 4 x2 + x 3 x1 + x 2 x1 + x 2 + x 5 x1 + x 2 + x 4 + x 5 x1 + x 2 + x 3 + x 4 + x 5
2.1. Framework for Algebraic Attacks
17
Using Equation (2.2) and Table 2.1, one can easily form a system of equations relating the internal state with the keystream as in Equation (2.1) as follows z1 z
2
z3 z
4
= x 2 x3 x4 + x 1 x2 + x 2 + x 5 = x 1 x2 x3 + x 1 x2 + x 1 x5 + x 1 + x 4 = x 1 x2 x5 + x 2 x4 + x 1 x5 + x 4 x5 + x 2 + x 3 + x 5 = x 1 x2 x4 + x 1 x4 x5 + x 1 x3 + x 2 x4 + x 3 x4 + x 4 x5 + x 1 + x 2 + x 4
z5
= x 1 x2 x3 + x 2 x3 x4 + x 1 x3 x5 + x 3 x4 x5 + x 1 x3 + x 2 x3 + x 3 x4 + x 2 x5 + x 1 + x 3 + x 5
6
= x 1 x2 x3 + x 2 x3 x4 + x 1 x2 x5 + x 2 x4 x5 + x 2 x3 + x 1 x4 + x 2 x4 + x 2 x5 + x 2 + x 4 + x 5
z
z7
= x 1 x2 x3 + x 1 x2 x4 + x 1 x3 x4 + x 1 x2 x5 + x 1 x4 x5 + x 1 x3 + x 2 x3 + x 1 x4 + x 3 x5 +x1 + x3 + x4
z8
= x 1 x2 x3 + x 1 x2 x4 + x 2 x3 x4 + x 1 x2 x5 + x 1 x3 x5 + x 2 x3 x5 + x 1 x4 x5 + x 3 x4 x5 +x2 x4 + x2 x5 + x3 x5 + x2 + x3 + x5
z9
= x 1 x2 x5 + x 1 x3 x5 + x 1 x4 x5 + x 2 x4 x5 + x 3 x4 x5 + x 1 x2 + x 1 x3 + x 1 x4 + x 1 + x 2 + x 4
z
10
= x 1 x2 x4 + x 1 x3 x4 + x 1 x4 x5 + x 2 x4 x5 + x 3 x4 x5 +
z
11
z
12
x1 x2 + x 2 x3 + x 2 x4 + x 1 x5 + x 2 x5 + x 3 x5 + x 1 + x 3 + x 5 = x 1 x2 x3 + x 1 x3 x4 + x 1 x3 x5 + x 2 x3 x5 + x 3 x4 x5 + x 1 x3 + x 2 x3 + x 1 x4 + x 1 x5 + x 4 x5 +x4 + x5 = x 1 x2 x4 + x 2 x3 x4 + x 1 x2 x5 + x 2 x3 x5 + x 2 x4 x5 + x 3 x4 + x 2 x5 + x 3 x5 + x 4 x5 +x2 + x3 + x4 z 13 z
14
z 15 z
16
z
17
z
18
= x 1 x3 x4 + x 1 x3 x5 + x 1 x4 x5 + x 2 x3 + x 1 x4 + x 2 x4 + x 3 x4 + x 1 + x 2 + x 3 = x 2 x3 x4 + x 2 x3 x5 + x 2 x4 x5 + x 3 x4 x5 + x 1 x2 + x 1 x3 + x 2 x3 + x 2 x4 + x 3 x5 + x 1 + x 5 = x 1 x2 x3 + x 1 x2 x4 + x 1 x3 x4 + x 2 x3 x4 + x 1 x3 + x 2 x4 + x 1 x5 + x 2 x5 + x 4 + x 5 = x 1 x2 x5 + x 1 x3 x5 + x 2 x3 x5 + x 1 x2 + x 1 x3 + x 2 x3 + x 1 x4 + x 2 x4 + x 2 x5 + x 4 x5 +x2 + x3 + x4 = x 1 x4 x5 + x 2 x4 x5 + x 1 x3 + x 2 x3 + x 1 x4 + x 2 x4 + x 3 x4 + x 1 x5 + x 2 x5 + x 3 x5 +x1 + x3
z 19
= x 1 x3 x4 + x 2 x3 x4 + x 3 x4 x5 + x 1 x2 + x 1 x3 + x 1 x4 + x 2 x5 + x 3 x5 + x 4 x5 + x 2 + x 5 = x 1 x2 x3 + x 2 x3 x4 + x 2 x3 x5 + x 1 x2 + x 1 x4 + x 2 x4 + x 3 x4 + x 1 x5 + x 2 x5 + x 3 x5 +x1 + x2 + x4
z 20
= x 1 x2 x3 + x 1 x2 x4 + x 1 x2 x5 + x 1 x3 + x 1 x4 + x 1 x5 + x 3 x5 + x 4 x5 + x 1 + x 2 + x 3 + x 5 (2.3)
The generated system of equations is of degree three. It will be shown later that the degree of these equations can be reduced to two and then to linear system of equations.
18
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
Nonlinearly Updated Internal States The framework for algebraic attacks provided in this section is well suited for clock-controlled generator, which is the main scope of the thesis. The internal state at time t denoted st , can be considered as the function of the initial internal state, s0 , where the function transforming s0 into st is the repeated application (t times) of the nonlinear state update function N L. Let the keystream bits z t be generated from a filter function f such that z t = f (st ). The task of an algebraic attack is to recover (s1 , . . . , sn ) given T number of output bits z 1 , . . . , z T . For such cipher, it is clear that z t = f (st ) = f ◦ N Lt (s1 , . . . , sn ) Given the above information, a system of equations relating the outputs with the internal state bits can be set up as follows z (1) z (2)
z (T )
= f ◦ N L(s1 , s2 , . . . , sn )
= f ◦ N L2 (s1 , s2 , . . . , sn ) .. . = f ◦ N LT (s1 , s2 , . . . , sn )
(2.4)
Note that for clock-controlled generators, it is more difficult to find such relations. Note also that the relations obtained will very much depend on the clocking mechanism used and the number of bits used to determine the clocking of the system. The most difficult problem is then to solve these equations of high degree efficiently. We will see that some tricks can be used to tackle this problem. Algorithm 2.1 represents steps for attacking a keystream generator based on LFSRs of n internal state bits and is shown in Figure 2.1. Algorithm 2.1 Algebraic attack on stream ciphers. Inputs : f , keystream bits, z 1 , z 2 , . . ., LFSR length, and feedback function of the LFSR Outputs : Internal state of n bits . • Step 1: Find functions g of low degree e for f such that e < d, in a precomputation phase if they exist. • Step 2: Set up a system of equations in the unknowns n and z t , t ≥ 0. • Step 3: Insert the observed key stream bits into the variables z t . • Step 4: Recover the n initial internal state bits by solving the system of equations. Figure 2.1: Algebraic attacks algorithm
2.1. Framework for Algebraic Attacks
19
2.1.2 Reducing the Degree of the Equations Once the system of equations given by (2.1) and (2.4) are formed, the attacker’s aim is to reduce the degree of the equations as far as possible, as this will reduce the complexity of solving the system of equations. Two methods have been proposed for degree reduction. The first is by finding low degree multiples of f and the second is by guessing some bits that will dramatically reduce the degree of the equations. The guessing approach is more efficient for reducing the overall degree of the equations generated from clock-controlled LFSR based stream ciphers. In this thesis, both methods are utilized. Courtois and Meier have proposed using low degree multiples of f for reducing the overall degree of the equations. A detailed explanation of the method will be presented in the remainder of this section. Before discussing the method in detail, definitions for the following terms, as defined in [65] and [146] are presented. Definition 2.1 A Boolean function g is described as an annihilator of a Boolean function f if g is a nonzero function and the product f g = 0 [146]. That means if f (x) = 1 then g(x) = 0 and if f (x) = 0 then g(x) can be either 0 or 1. Definition 2.2 The algebraic immunity AI of a function f is the minimum degree of all the nonzero annihilators of f and 1 + f [146].
For algebraic attacks, finding such low degree multiples reduces the complexity of algebraic attacks, possibly to a feasible level. For cryptanalytic purposes, finding low degree multiples of output functions for keystream generators is performed in precomputation. The low degree multiple may then be used in an algebraic attack. Note that for high degree Boolean functions with a large number of inputs, the complexity of finding low degree multiples may be more expensive than exhaustive key search, but as this occurs in a precomputation phase, it is a one-off cost which can then be used for multiple state or key recovery attacks. A low degree multiple of a Boolean function f of degree d with r inputs is obtained by multiplying the Boolean function by a well chosen function g such that the product of f and g equal to h is of degree less than d. Note that this approach doubles the keystream required to solve the generated system of equations, as we are multiplying by a function that could have a value of zero or one. This approach was applied to the Boolean function of the Toyocrypt [187] stream cipher in [65] as illustrated below Example 2.2 Consider the filter function used in Toyocrypt. Recall that Toyocrypt is based on LFSR of length 128 and a nonlinear filter Boolean function f of degree 63. At each clock t, some stages of the LFSR are filtered by f to generate the output z t . The filter function f , has the following algebraic normal form (ANF)
f (s0 , . . . , s127 )
= s127 +
62 X
si sαi + s10 s23 s32 s42
i=0
+s1 s2 s9 s12 s18 s20 s23 s25 s26 s28 s33 s41 s42 s51 s53 s59 62 Y + si . i=0
(2.5)
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
20
The filter function in Toyocrypt used monomials of degrees 1, 4, 17, 63 and the rest are of degree 2. However, by inspection, one can see from Equation 2.5 that the variables s 23 and s42 occur in all the high degree terms in the ANF of f , and since the shift register is regularly clocked, then multiplying f with either of the variables results in a degree three Boolean function. For example multiplying f (s) P62 with (1 + s23 ) results in f (st )(1 + s23 ) = (1 + s23 )(s127 + i=0 si sαi ). In this case, the degree has � P3 been reduced from 63 to 3, hence the number of monomials M is also reduced to i=1 128 instead i P63 128� of i=1 i . This method was also applied to f of LILI-128 in [65], reducing the degree of the output function from 6 to 4. Finding low degree multiples of a given Boolean function also means evaluating the resistance of stream ciphers, where the output is based on Boolean function to algebraic and fast algebraic attacks. Most of the algorithms proposed for finding low degree multiples and annihilators use two algorithmic approaches. The first one uses Gr¨obner bases as in [90] and the other relies on linear algebra as discussed next. In [65], Courtois and Meier described an algorithm for finding low degree multiples of a Boolean function. The algorithm is outlined in Figure 2.2. Algorithm 2.2 is the one used in this thesis for finding low degree multiples of a number of stream ciphers investigated in this thesis. However, many algorithms have since followed but the most effective algorithm has been proposed by X. Zhang, J. Pieprzyk and Y. Zheng in [204] during the write up phase of this thesis. Note also that in many cases, multiples can be found by simple inspection of the ANF of the Boolean function much quicker than using any of these algorithms. Algorithm 2.2 starts by setting the degree e of the function g we are looking for. Then we compute all the monomials up to the selected degree e for r inputs. We multiply each of the monomials in lexicographic order with f . Once the multiplication is complete, for each multiplication result, discard 0 0 all the terms of order less than e. Terms of degree d such that e ≤ d ≤ r are only selected from each 0
multiplication. A matrix is formed with entries that compose of all the monomials from degrees d up to d. Finally the solution column is set to zero and the matrix is solved. The solution of the matrix is a combination of all possible g’s a function f can have. The steps of this algorithm are outlined in Algorithm 2.2. The complexity of Algorithm 2.2 is dominated by the complexity of solving system of �� Pr r 3 equations in r unknowns, therefore, the complexity of this algorithm is roughly . i=e i Given the system of equations as in (2.1) the attacker then performs what is called the relation search step. In this step, an attacker looks for g and h of degree e and d h respectively smaller than d. Now assume that a multiples g, h were found such that f g = h gives relations of degree equal to d h . In this case the degree of the equations has been reduced from d to d h , and, the new system of equations can be written as z 1 g(s1 , s2 , . . . , sn ) + h(s1 , s2 , . . . , sn ) = 0 z 2 g ◦ L(s1 , s2 , . . . , sn ) + h ◦ L(s1 , s2 , . . . , sn ) = 0 .. . z T g ◦ L(s1 , s2 , . . . , sn ) + h ◦ LT (s1 , s2 , . . . , sn ) = 0
(2.6)
The new system of equations is now generated using g and h both of degree less than d. The number
2.1. Framework for Algebraic Attacks
21
Algorithm 2.2 Algorithm for finding low degree multiples and annihilators Inputs : A Boolean function f with r input variables, degree e of g desired Outputs: Functions g 0 s of degree e and h such that f g = h • Step 1: Compute all monomials up to degree e,
Pe
i=1
r i
�
.
• Step 2: Multiply f with each of the computed monomials from step 1 in lexicographic order. • Step 3: For each product, discard all the terms of order less than e. 0
• Step 4: Compute monomials of terms from degree d up to r. • Step 5: Solve a matrix composed of all the monomials computed in the previous step after setting the solution column to zero. • Step 6: The solution gives a vector space of the coefficients of the monomials that give you low degree multiples. • Step 7: If the dimension of this space (nullity of matrix) is > 0, then – a: Reconstruct the multiples from the monomials and the coefficient vectors in that space. – b: Else If the nullity is 0, there are no multipliers. Quit Figure 2.2: Algorithm for finding low degree multiples of equations can also be reduced based on the number of low degree multiples found. Applying this to the system of Equations (2.3) for the toy example, we see a new system of equations can be formed by finding a low degree multiple. First, one can easily see by inspection that the degree of Equation 2.2 can be reduced to degree 2 by multiplying both sides of the relation with (s 3 + 1), so we obtain (s3 + 1)f = s1 + s1 s3
(2.7)
In this case, g = (s3 + 1) and h = s1 + s1 s3 . The system of equations of (2.3) is thus replaced with
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
22
z 1 g1
= x 2 x5 + x 5
2 2
= x 1 x4 + x 4
3 3
= x 2 x3 + x 3 x5 + x 3
4 4
z g
= x 1 x2 + x 2 x4 + x 2
z 5 g5
= x 1 x2 + x 1 x3 + x 1 x5 + x 1
z g
z g
6 6
z g
= x 1 x2 + x 2 x4 + x 1 x5 + x 2 x5 + x 4 x5 + x 5
z 7 g7
= x 1 x2 + x 1 x3 + x 1 x4 + x 2 x4 + x 3 x4 + x 1 x5 + x 4 x5 + x 4
8 8
z g
= x 1 x2 + x 1 x3 + x 2 x4 + x 3 x4 + x 1 x5 + x 2 x5 + x 3 x5 + x 4 x5 + x 2 + x 3
z 9 g9
= x 1 x2 + x 1 x3 + x 2 x3 + x 1 x4 + x 3 x4 + x 1 x5 + x 2 x5 + x 4 x5 + x 1
10 10
z g
= x 1 x4 + x 2 x4 + x 3 x4 + x 1 x5 + x 2 x5 + x 3 x5 + x 4 x5 + x 5
z 11 g 11
= x 1 x3 + x 1 x4 + x 3 x4 + x 3 x5 + x 4 x5 + x 4
12 12
z g
= x 2 x4 + x 3 x4 + x 2 x5 + x 3 x5 + x 2 + x 3
z 13 g 13
= x 1 x3 + x 2 x3 + x 1 x4 + x 2 x4 + x 1 + x 2
14 14
z g
= x 1 x2 + x 1 x3 + x 2 x3 + x 2 x5 + x 3 x5 + x 1 + x 5
z 15 g 15
= x 1 x4 + x 2 x4 + x 1 x5 + x 2 x5 + x 4 + x 5
16 16
z g
= x 1 x3 + x 2 x3 + x 1 x4 + x 2 x4 + x 3 x5 + x 4 x5 + x 3 + x 4
z 17 g 17
= x 1 x2 + x 1 x3 + x 2 x3 + x 2 x4 + x 3 x4 + x 2 x5 + x 3 x5 + x 3
18 18
z g
= x 1 x3 + x 2 x3 + x 1 x4 + x 2 x4 + x 1 x5 + x 2 x5
z 19 g 19
= x 1 x2 + x 1 x3 + x 2 x3 + x 1 x4 + x 2 x4 + x 2 x5 + x 3 x5 + x 4 x5 + x 2
20 20
z g
= x 1 x3 + x 2 x3 + x 1 x4 + x 2 x4 + x 3 x4 + x 1 x5 + x 2 x5 + x 3 x5 + x 1 + x 2 (2.8)
This system of equations is now of degree two. In Section 2.2, it will be shown how to further reduce the degree of the these equations to linear equations. Note that the algorithm proposed in [60] and outlined in Figure 2.2 becomes impractical for functions with 20 or more variables. In [146], two algorithms were proposed that can determine if a function has low degree multiples or annihilators. The algorithm was shown to work well for r up to 32 and � Pd d = 5 with complexity of O(Td3 ) where Td = i=1 ri . In the same paper, the authors introduce the terms algebraic immunity and annihilators defined earlier in this section. Both [60, 146] showed that � � the AI of an r-variables function is upper bounded by 2r . Following the work of [65] and [146], interest in new efficient algorithms for finding low degree multiples or annihilators of a given Boolean functions increased. In many cases, finding low degree multiples and annihilators for ciphers based on filter functions helps the designer to evaluate the security of the ciphers against algebraic attacks. In addition, many Boolean functions were adopted for designing nonlinear filter generator thought to be secure against algebraic attacks, later discovered not to be immune against fast algebraic attacks [62] and [35]. In [11], a number of algorithms for finding low degree multiples and annihilators of Boolean functions was given to assess the resistance
2.1. Framework for Algebraic Attacks
23
of Boolean functions against algebraic and fast algebraic attacks when implemented in LFSR-based stream ciphers. The complexity for computing the algebraic immunity of a Boolean function was reduced to O(Td2 ) compared to O(Td3 ). The algorithm for assessing the resistance of such stream ciphers to fast algebraic attacks has a running time complexity of O(Te Td2h ). The algorithms proposed were demonstrated to be particularly efficient for symmetric Boolean functions. One would conclude that in order to resist algebraic attacks, one needs to make sure that the algebraic immunity of a function f of degree d is equal to the degree of the function it self. However, it is important to note that even if the algebraic immunity of a given function f is the degree of the function it self, this does not mean that the function is resistant to other types of algebraic attack. Consider the following example Example 2.3 Consider a nonlinear combining function generators with four regularly clocked LFSR’s; A, B, C and D, where the output of these LFSRs denoted by Al , Bm , Cn and Dr form the input into a Boolean function as follow
z=f
= A l ⊕ B m ⊕ C n ⊕ D r ⊕ B m Cn .
(2.9)
The function is of degree 2. By inspection, one can see that the algebraic immunity of this function is also a degree 2 function, so the function is an algebraic immune function. However, consider multiplying equation 2.9 with Bm , then we end up with Bm z
= Bm (Al ⊕ Dr ⊕ 1)
(2.10)
= Cn (Al ⊕ Dr ⊕ 1)
(2.11)
Similarly multiplying 2.9 with Cn , ends up Cn z
In both cases, although the multiplication gave a degree 2 function, we can independently recover the internal state of three registers at a time instead of the all four registers. A divide and conquer approach is now possible to reduce the total number of variables to solve, and hence reduce complexity. Once the contents of the three registers are obtained, the content of the last register can easily be recovered. In the context of an algebraic attack, a divide and conquer approach would mean dividing the system of equations into subsystems, where each subsystem contains some specific variables or unknowns but not others. However, in this approach the number of unknowns is reduced instead of the degree. This idea was applied in [10] to the E0 keystream generator. It is still unknown whether such an approach can be applied to other types of keystream generators. At FSE 2006, Didier et.al [77], proposed another algorithm for determining whether a given Boolean function has no annihilator nor multiple of degree less than or equal to d. The running time complexity of the new algorithm is O(r d ). The algorithm performs well when d is small for almost all Boolean functions. In ACISP 2006, An Braeken et.al [35] presented a paper that proposed methods for evaluating the resistance of stream ciphers with linear feedback against fast algebraic attacks. The proposed algorithm has a complexity of O(Tdh .(Te2 + Td2h )) with a memory requirement of O(Te Tdh ). As a demonstration of the effectiveness of the algorithm, the author presented their work on the eSTREAM
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
24
candidate Sfinks [34] and WG [113]. The area of finding low degree multiples attracted more interest with another paper in Indocrypt 2006 [76] proposing an algorithm that outperformed the algorithm proposed in [11] in terms of memory requirement. The algorithm proposed has running time complexity of order O(r2 r Tdh ) with O(r2r ) of memory. More recently, X. Zhang, J. Pieprzyk and Y. Zheng [204] have extended the notion of algebraic immunity and presented the most efficient algorithm for finding low degree multiples and annihilators. In this paper, the authors replace f with another function f c called algebraic complement of f . The algebraic compliment is defined as a function that contains all monomials that are not in the ANF of the original function. For example, the algebraic complement of f = x 1 x2 + 1 is f c = x1 + x2 . The extended algebraic immunity EAI is defined as EAI=min {AI(f ), AI(f ) c }. The authors also proposed a new algorithm for computing low degree multiples and annihilators of Boolean functions by applying known results in hypergraph theory to Boolean functions. The new proposed algorithm was shown to be able to find low degree annihilators in r(r + 1) steps. However, while the algorithm can find an annihilator for any given function it might not be the best (with minimum degree).
2.1.3 Methods for Solving Nonlinear Equations Many methods have been proposed for solving nonlinear equations generated from a cryptographic system. These include the linearization method, the Gr¨obner Bases method, the relinearization method, the XL method, the XSL method and more recently, the SAT-solver. Only the complexity of the linearization is known to be feasible in general. Each of the above methods has some advantage over the others. We assume from now on that a system of equations has been constructed, depending on the known parts of the keystream, and the goal is to find the key. We hereby implicitly assume that the system of equations has only one solution which is k. It should be noted however that it is possible in some cases to have equivalent keys [183]. In the linearization method new variables are introduced replacing all high degree terms with a single variable. This approach increases the number of variables, therefore increases the amount of keystream required and hence the attack complexity is also increased. While the complexity of the Gr¨obner Bases method is unknown, the keystream requirement is greatly reduced compared to the linearization method. On the other hand, the XL algorithm which stands for extended linearization has been experimentally shown to be effective for some cryptosystems. Finally, the XSL method by Courtois and Pieprzyk [67] has been proposed for solving equations generated from block ciphers. Recently, the SAT-solver algorithm has been used to break both the block cipher DES [163] in [63] and a stream cipher known as Bivium [145]. In this thesis, we only used the linerization and the Gr¨obner Bases methods. Linearization In the linearization approach, the system of nonlinear equations in n unknowns (which is usually the size of the internal state of the cipher) is transformed into a system of linear equations. The basic idea is to replace each nonlinear term with a new variable and then solve the resulting system of equations
2.1. Framework for Algebraic Attacks
25
using Gaussian elimination. Linear systems of equations can be solved efficiently by Gaussian elimination and is of polynomial complexity in time and memory. In Gaussian elimination, if the number of linearly independent equations equals the number of unknowns, then the equations can be reduced step by step in by computing the row echelon form to get the value of each monomial. As for computing the complexity of the approach, one needs to work out the total number of monomials M expected to appear in the system of equations in n unknowns of degree d given by M=
� � � � � � n n n + +...+ . 1 2 d
(2.12)
where in general, the complexity of solving a system of linear equations is given by Mω
(2.13)
If this system is linear, the complexity of solving the system is in general about M ω ; where 2.807 ≤ ω ≤ 3, however, if the system is sparse, this complexity reduces to M 2 [195]. If the system is quadratic, �ω the complexity of using the linearization methods in [65] is about M . It is worth to mention that in 2 some ciphers, not all of the monomials would appear in the system of equations, therefore, will might have a slight effect on the overall complexity of the approach. An open research area in this direction will be to come up with an algorithm that can tells exactly how which monomials and how many would be needed to solve. Algorithm 2.3 of Figure 2.3 outlines the main steps of the linearization approach. Algorithm 2.3 Solving system of equations using the linearization approach. Inputs : system of equations in n unknowns Outputs : Internal state bits of secret key . • Step 1: Work out how many monomials would be in the system using equation 2.12. • Step 2: Replace each monomial in the system of equation with a new single variable. • Step 3: Insert the observed key stream bits into the identifiers z t . • Step 4: Solve the system of equations using Gaussian elimination algorithm. • Step 5: From the monomials, extract the exact values of n. One might use the Gaussian elimination algorithm again • Output the internal state or secret key bits. Figure 2.3: Algorithm for the linearization approach Example 2.4 Consider the following system of nonlinear equations over F 2 :
xy + yz + z = 1
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
26
xz + yz + x = 0 xy + xz + yz + y + z = 0 xy + xz + x + z = 1 xy + x + y + z = 0 yz + x + y = 1 In this system of equation, there are n = 3 unknowns: x, y and z and the maximum degree of the equations is given by d = 2. Using the linearization approach, one would need to replace each of the degree two terms with a new variable. It is a straightforward task to work out the number of new variables needed referred to monomials given n and d which is given by M=
d � � X n i=1
i
(2.14)
In our example, there are 6 new variables. Next, we label each term in our system of equations as follows; m1 = x, m2 = y, m3 = z, m4 = xy, m5 = xz, m6 = yx yielding the following system of equations m4 + m 6 + m 3 = 1 m5 + m 6 + m 1 = 0 m4 + m 5 + m 6 + m 2 + m 3 = 0 m4 + m 5 + m 1 + m 3 = 1 m4 + m 1 + m 2 + m 3 = 0 m6 + m 1 + m 2 = 1 The nonlinear system of equations is transformed into a system of linear equations. We now apply Gaussian elimination method to recover the mi for 1 ≤ i ≤ 6. For this example a solution obtained is m1 = 1, m2 =, m3 = 1, m4 = 0, m5 = 1 and m6 = 0. Following this, we then recover x, y and z. In our example, they were found to be x = 1, y = 0 and z = 1. Note that there is also extra
complexity involved in revealing the values of x, y and z having revealed the values of m 1 , . . . , m6 . This extra complexity is of little consequences for a small system of equations, but it would matter for a large system of equations. The main drawbacks of linearization approach is that it introduces more unknowns into the system of equations, thus more equations are needed and therefore more keystream bits. The other drawback is that the techniques throw away valuable information contained in the monomials of high degree. For an example, consider the information loss when replacing the nonlinear equation xyz = 1 by the linearized equation ma = 1. The final drawback is that it is still hard to determine beforehand the number of known keystream bits required for a successful attack.
2.1. Framework for Algebraic Attacks
27
Gr¨obner Bases The method of the Gr¨obner bases was initially introduced in [38, 39] for solving commutative algebra problems (solvability and solving of algebraic systems of equations, algebraic relations among polynomials, etc) then extended to systems theory. Many problems in systems theory were found to be solvable by the Gr¨obner bases method including computation of structure indices and factorization of multivariate polynomial matrices. Although the method of Gr¨obner bases was known long ago to be able to solve systems of equations, only recently the method has been proposed for solving system of equations generated from cryptographic algorithms. Note that for linear polynomials in any number of variables, a Gr¨obner basis is equivalent to Gaussian elimination. This thesis use the Gr¨obner bases method for recovering the internal state of some stream ciphers. The rest of this section gives a general overview of the method of the Gr¨obner bases. More details of this method can be found in [6, 40]. The main idea of the Gr¨obner bases approach is as follow: given a set F of polynomials that describe the problem, F is transformed into another set G of polynomials with certain nice properties called a Gr¨obner bases such that F and G generate the same ideal. The algorithm for computing Gr¨obner bases (for transforming an arbitrary F into an equivalent Gr¨obner bases) is known as Buchberger’s algorithm. Once a solution of the problem for G is found, it can often be easily translated back into a solution of the problem for F . The method firstly describes the problem as a set of multivariate polynomials, then generally uses lexicographic orderings to order the terms in these polynomials as Gr¨obner bases with respect to lexicographic ordering are very useful for solving equations and for elimination of variables. Finally multivariate polynomial division (reduction) step. The following example taken from [6], briefly illustrates how the Gr¨obner bases can be applied to solving systems of polynomial equations. Example 2.5 Consider the following system of equations where the terms are lexicographic ordered and the ranking of y is higher than x:
f1 = xy − 2y f2 = 2y 2 − x2 F = {f 1, f 2} Using mathematical software, such as Magma or Mathematica, the Gr¨obner basis G of F will be G = {−2x2 + x3 , −2y + xy, −x2 + 2y 2 } The Gr¨obner bases (with finitely many polynomials) contains exactly one univariate polynomial in the lowest indeterminate. In this example, the univariate polynomial in x contained in G is −2x 2 + x3 . Solving this polynomial for x, gives the following possible solutions x1 = 0, x2 = 0, x3 = 2 If x2 is substituted into the second and third polynomial of G, then the two polynomials are obtained 0, −4 + 2y 2
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
28
Now solving this polynomial for y, one obtains the following solutions y3,1 =
√
√ 2, y3,2 = − 2
In this way, one can obtain all the solutions of G and, hence, of F . The Gr¨obner bases algorithms were then improved by Faug´ere by the two algorithms called F 4 [88] and F 5 [89]. Computing a Gr¨obner basis can be computationally expensive but variables can sometimes be eliminated more readily from a system of equations by manually computing the resultant of successive pairs of equations to iteratively eliminate one variable at each step. The complexity of the bases method still remains unknown. However, it is known that if the number of equations is more than the number of unknowns, then the complexity drops significantly. The Gr¨obner basis method has an advantage over the linearization is that less keystream is required to solve the system of equations and in many cases a solution can be found in less time than with the linearization method. This is clearly demonstrated in Chapters 3 and 4. As the F 4 method is applied in this thesis, its steps are briefly outlined in Figure 2.4 Algorithm 2.4 F 4 algorithm Inputs : system of equations F = 0 for a set of polynomials F in n unknowns Outputs : Internal state bits of secret key . • Step 1: let G = F • Step 2: select a set of polynomials S from G • Step 3: linearise polynomials in S and form their coefficient matrix A • Step 4: add additional reduction polynomials into A • Step 5: compute the row echelon form A˜ of A • Step 6: form reduced polynomials S˜ of S from A˜ • Step 7: add S˜ to G and delete unnecessary polynomials in G • Step 8: repeat steps 2 to 7 until G is a Gr¨obner basis • Step 9: perform back substitution from the univariate polynomial to obtain the solution to the system of equations Figure 2.4: Algorithm for the F4 approach
Other Methods There are other methods that have been proposed for solving the system of equations which have not been directly used in this thesis. These include the relinearization, the XL, and the Sat-Solver. However, for the sake of completeness, an outline of each of these methods is given below.
2.1. Framework for Algebraic Attacks
29
The relinearization method The relinearization method due to Kipnis and Shamir [138] was proposed for solving a system of ϕn 2 quadratic equations in n variables where ϕ is smaller than 1/2. The basic idea of relinearization is to add to the given system of linear equations in the xij additional nonlinear equations which express the fact that these variables are related rather than independent. However, in [57], it was shown that many of the generated equations using the relinearization techniques are provably dependent on other equations, and can thus be eliminated. This reduces the size of the linearized systems, but also limits the types of polynomial equations that can be successfully solved by the technique. Extended Linearization (XL) The XL (extended Linearization) technique was proposed at Eurocrypt by Courtois et.al. [57]. It was proposed as an improvement over the relinearization method. The basic idea of the XL algorithm is to add more equations if the number of unknowns is more than the number of the equations and it works as follows. Given a system of nonlinear polynomial equations, the attacker constructs additional equations by multiplying the existing ones with all the possible monomials of some bounded degree. If the degree of the resulting equation is not greater than a specified threshold, the equation is added to the equation system. This way, a nonlinear system with a lot of redundant information is generated. The extended system of equation is then linearized. In this method, there are a lot more equations reducing the number of output bits required for solving them. Note that the trick with the XL algorithm is to attempt to recover the indeterminate unknown variables one at a time, and recursively calls itself on the new, simplified system on each success. However, for the attack to work, the original equation system has to be overdefined. In addition, some of the newly obtained equations are not independent. In [57], it was experimentally shown that the expected running time of XL is polynomial when the number m of (random) equations is at least ϕn 2 , and this for all ϕ > 0. In the same paper, it was estimated that the techniques runs sub exponentially if m exceeds n even by a small number. However, it seems very hard to theoretically find precise estimates for the required running time or keystream bits. Many papers have been published that deals with analysis, applicability and performance of XL with the aim of establishing a concrete theory about the XL method, see for example [78, 197, 198]. However, in [14] a more comprehensive study has been made on the efficiency of XL algorithm. The study showed that to solve a system of algebraic equations using the XL algorithm is equivalent to calculating the reduced Gr¨obner basis of the ideal associated with the system. Moreover, the study showed that the XL algorithm is also a Gr¨obner basis algorithm which can be represented as a redundant variant of a Gr¨obner basis algorithm F 4, but in fact slower than F 4. It was also shown that some of the heuristics used in deriving the complexity of the XL algorithm were too optimistic. Figure 2.5 briefly outlines the main algorithm steps for the XL method. Also note that there are other variants of the XL algorithm that have not been discussed here. Example 2.6 Consider the following system of nonlinear equations over F 2 :
z = xc ⊕ yc ⊕ y In this example, we are given one equation, with three unknown variables (x, y, c), and one output of a known value. Therefore we need more equations in order to recover the unknowns. Using the XL method, multiplying both sides with c, xy and cx , respectively results in the following additional
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
30
Algorithm 2.5 XL algorithm Inputs : System of T equations in n unknowns of maximum degree d Outputs : Solution of some unknowns . • Step 1: Multiply the initial T equations by all possible monomials of degree up to d. • Step 2: If the degree of resulting equations is equal or less than d, then add to system of equations. • Step 3: Apply the linearization approach on the newly formed sets of equations as outlined by Algorithm 2.3 to find solutions. Figure 2.5: Algorithm for the XL approach equations: 0 = cx ⊕ zc 0 = xy ⊕ zxy 0 = cx ⊕ zcx In the above example, each output bit contributed more than two equations to the equation system, reducing the overall number of known output bits needed to perform the attack. The system of equations is now linearized and solved. The Satisfiability Solver The previous methods used for solving system of equations make use of the ANF representation of the equations. The satisfiability solver (Sat-Solver) converts the problem of solving a system of nonlinear equations to a corresponding SAT-problem. That is converting the algebraic equations into a propositional formula in conjunctive normal form (CNF). The method was adopted to solve multivariate cryptographic systems of equations in [20]. In [63], the method was applied to solve the system of equations representing the block cipher DES [163]. The main steps of the Sat-Solver is to convert the ANF of the equations into CNF. However, converting an equation in ANF with M monomials produces 2M − 1 disjunctive clauses in the CNF, therefore
one has to be able to handle clause expansion introduced by the conversion process. Where ”clause” in this context means the total number of terms (single, double, etc) in each equation. Different methods have been proposed for handling the clause expansion includes as shown in [20]. The last step is to solve the system of equations using, for example, the satisfiability solver MiniSat [4]. Similar to the Gr¨obner bases, the complexity of this approach is also hard to estimate. However, in [20], it was shown that if the system of equations is sparse or over-defined, then the SAT-solver technique works faster than brute-force exhaustive search. If the system is both sparse and over-defined, then the systems can
be solved quite effectively. More recently, McDonald and Charnes and Pieprzyk [145] have proposed a guess and determine attack that make use of the satisfiability solver MiniSat to recover the internal state of Bivium-A and
2.2. Fast Algebraic Attacks
31
Bivium-B [167]. Bivium-A and Bivium-B were proposed by Raddum and are simplified versions of Trivium that are built on the same design principles. The authors estimated that to recover the internal state of Bivium would require an attack complexity of O(252 ) using only 1770 bits of keystream.
2.2 Fast Algebraic Attacks Fast algebraic attacks aim at further reducing the degree of the equations generated in the precomputation phase by linearly combining some specific equations. This has a significant effect in reducing the overall complexity of the attacks. Chapters 3 and 7 make use of fast algebraic attacks. More specifically, fast algebraic attacks also involve a precomputation phase and a realtime phase with four main steps in both phases explained next.
2.2.1 Precomputation Phase In the precomputation phase, there are two main steps, the relation search step and the precomputation step. In the relation search step, an attacker searches for a relation f g = h with g and h of degree e and dh respectively where e < dh . The attacker then multiplies g with f to get equations of degree dh as shown in equation 2.6. Denote the total number of monomials appearing for given n and d h by � Pdh n� Pe n Mh = i=1 i=1 i . i , and the total number of monomials appearing for given n and e by M e = The attacker can then further reduce the degree of the system of Equations (2.6) to a system of equations of degree e resulting in the following system of equations
Mh M t=0
Mh M t=0
Mh M t=0
Mh M t=0
ct z t g ◦ Lt (s1 , s2 , . . . , sn ) = 0
ct+1 z t+1 g ◦ Lt+1 (s1 , s2 , . . . , sn ) = 0 ct+2 z t+2 g ◦ Lt+2 (s1 , s2 , . . . , sn ) = 0 ct+3 z t+3 g ◦ Lt+3 (s1 , s2 , . . . , sn ) = 0 .. .
(2.15)
This can be achieved in the precomputation step by linearly combining some chosen sets of output equations. Two methods have been proposed for this. The first proposed in [60], uses the BerlekampMassey algorithm [143] to eliminate all monomials of degree higher than e. The algorithm works as follow. Given the reduced sets of equations, as in (2.6) and (2.8) of our toy example, consider only the terms of degree dh and ignore the lower degree terms. Randomly initialize the cipher with some bits and compute the output sequence. Now apply the Berlekamp-Massey algorithm [143] to find minimal polynomial of the generated sequence. The coefficients of the polynomial corresponds to the equations that have to be added in order to reduce the degree of the equations. The algorithm steps of this approach are outlined in Algorithm 2.6 of Figure 2.6
32
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
Algorithm 2.6 Algorithm for the precomputation step of fast algebraic attacks Inputs : A reduced system of equations of maximum degree dh as in 2.6 Outputs : Computation of minimal polynomial with coefficients that corresponds to the equations to be added • Step 1: Randomly initialize the keystream generator with a non zero internal state. • Step 2: Compute the keystream sequence for the system of equations ignoring terms of degree < dh . • Step 3: Apply the Berlekamp-Massey algorithm to find the corresponding minimal polynomials for the sequence. Figure 2.6: Precomputation step algorithm due to [60] In the same paper, it was shown that since we are dealing with LFSR and since the combination of linear recurring sequences is also a linear recurring sequence, then there will always exists a single linear combination of every Mh + 1 consecutive bits. As for the complexity of finding such relations, it is estimated that one needs about
of consecutive keystream bits where Tdh =
Tdh + T e � Pd n i=1
i
(2.16) and Te =
Pe
i=1
n i
�
. The complexity of the
algorithm for finding which outputs are to be linearly combined was estimated in [121] to be Tdh × (log2 Tdh )2
(2.17)
Te2
(2.18)
and the amount of memory required is
The second method was proposed in [9] and makes use of the theory of linear recurring sequences. The method works well for combining function generators but not for nonlinear filter generators [8]. In [9], the author first proved that that Courtois’ precomputation step is applicable for LFSR-based stream ciphers and then presented an improved precomputation algorithm. The algorithms can be implemented in parallel, in contrast to Courtois’ algorithm, and is more efficient even when running sequentially. It is important to note that the proposed algorithm worked well for combiners with memory. However, the algorithm has not been shown to be applicable is also applicable to LFSR-based nonlinear filter stream ciphers. In addition, the complexity associated with the memory, substitution, the solving operations remain the same as the Courtois’one.
2.2.2 Realtime Phase In the realtime phase, two main steps are involved; firstly the substitution of the keystream bits into the established equations (2.15) and then solving the system of equations. During the substitution step, monomials of degree higher than e are eliminated. In [121], Hawkes and Rose pointed out that the
2.2. Fast Algebraic Attacks
33
Algorithm 2.7 Fast algebraic attack algorithm on stream ciphers Precomputation phase Inputs: ANF of f. Pd Outputs: g, f g = h and i=1
m i
�
equations from
• Relation Search Step: Find low degree functions g,h of degree e for f dh such that e < dh using for example [204]. • Precomputation step: Find the linear combinations of keystream to eliminate monomials of degree ≥ dh . • Go to realtime phase. Real Time � P Phase
Inputs: di=1 m Precompute equations; i Outputs: LF SRc and LF SRd
Pd
i=1
m� i
bits of keystream
• Substitution step: Set up a system of equations in the unknowns n of degree e and • Insert the observed key stream bits into the identifiers zt . • Solving step : Solve the system of equations to recover the internal state.
Figure 2.7: Algorithm for precomputation and realtime phases of the fast algebraic attack based on LFSR based keystream generators original papers on fast algebraic attacks underestimated the complexity of the substitution step and claimed that the best complexity for the substitution step is 2 × Te × Tdh × log2 Tdh .
(2.19)
The complexity of recovering the internal state is further reduced to the complexity of the final main step which is solving system of equations in Te only. Algorithm 2.7 outlines the main steps used in fast algebraic attacks. Now consider applying a fast algebraic attack approach to the system of equations given in 2.6. Following the steps of fast algebraic attacks, it can be seen that the first step has already been obtained with g = s3 + 1 and h = s1 + s1 s3 which leaves us to deal with a system of equations given in (2.8). � P We know that there is a linear combination of outputs for every 2i=1 5i + 1 = 16 output that will
result in a system of linear equations of degree e. Using Algorithm 2.6, one can find which relations to combine in order to get a system of lower degree equation in our case a linear system of equations .
For our toy example, this linear relation was found to be z 0t + z 0t+1 + z 0t+6 + z 0t+7 + z 0t+8 + z 0t+11 + z 0t+12 + z 0t+13 + z 0t+14 + z 0t+15 , where each z 0t is actually equal to z t g t . Using this, the system of equations described in 2.8 can now be written as
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
34
z 01 + z 02 + z 07 + z 08 + z 09 + z 012 + z 013 + z 014 + z 015 + z 016
= x1 + x2 + x3 + x5
02
+z
017
= x1 + x4 + x5
+z
018
= x2 + x3 + x4 + x5
+z
019
= x1 + x2 + x3 + x4
03
09
z +z +z +z +z
010
03
09
z +z +z +z
010
+z
011
04
010
011
+z
012
04
05
z +z +z
08
+z
+z
013
+z
014
+z
015
+z
014
+z
015
+z
016
+z
015
+z
016
+z
017
+z
016
+z
017
+z
018
z 05 + z 06 + z 011 + z 012 + z 013 + z 016 + z 017 + z 018 + z 019 + z 020
= x1 + x3 + x5 (2.20)
Now the system of equations can be solved using the Gaussian elimination method. One important requirement for fast algebraic attacks is that the known keystream bits have to be consecutive. Fast algebraic attacks were also applied to Toyocrypt, LILI-128, and E0. The fast algebraic attack on Toyocrypt for n = 128, d = 3 and e = 1 required 218.4 of consecutive keystream bits, with a precomputation step for finding with relations to be linearly combined of complexity 2 26.8 , 213.9 bits of memory, and a substitution complexity of the keystream bits into the equations of 2 30.6 . The complexity of solving these equations is 221 operations, which gives an overall attack complexity dominated by the complexity of substituting of the keystream bits. Similarly, the attack on LILI-128 for n = 89, e = 2 and d = 4 required 2 21 of consecutive keystream bits, with a precomputation step for finding with relations to be linearly combined of complexity 230 , 214 bits of memory, and a substitution complexity of the keystream bits into the equations of 238.6 . The complexity of solving these equations is 239 operations. Fast algebraic attacks were shown to be effective on the E0 keystream generators in [9]. Recall that for E0, n = 128, e = 3 and d = 4. The attack required 223.4 of consecutive keystream bits, with a precomputation step for finding with relations to be linearly combined of complexity 232.4 , 236.8 bits of memory, and a substitution complexity of the keystream bits into the equations of 247.3 . The complexity of solving these equations is 255.2 operations. The only problem with these algebraic attacks is that they are impractical in terms of data requirements, as they require more keystream than that available on one frame, 2745 for E0. However, they still remain interesting from the theoretical point of view. More recently, a fast algebraic attack was applied to the Sfinks stream cipher [34], one of the eSTREAM ciphers. Sfinks is a filter generator with 80-bit secret key and 256-bit internal state. The filter function has 17 inputs and degree 15. The algebraic immunity of the filter function used in Sfinks was computed in [62] to be 6 using the algorithms of [146], thus reducing the complexity of the attack to 2115 . As the case with fast algebraic attacks, the attacker aim is finding in a precomputation step which relations when added reduce the overall degree of the equations. It was found that there exist many low degree multiples g when multiplied with the filter function f of Sfinks which result in a function g.f = h of low degree. The most interesting such relations of (g, h) were of degree (2, 8),(3, 7) and (4, 6). The complexity of solving the systems of equations were therefore dramatically reduced. However, the substitution complexity of the keystream dominated the overall attack complexity. In conclusion Sfinks was the first known cipher to use a Boolean function with the notion of algebraic immunity in mind. However, it could not prevent fast algebraic attacks. Furthermore, the cipher was shown to be broken with complexity of about 271 computations and with 243 keystream bits. It is important to note, however, that the designer of Sfinks limits the number of keystream bits to be generated
2.3. Summary
35
from the internal state using a key and IV pairs to 240 . This means that not all of these attacks using the above relations are possible. Only the (4, 6) relation will be applicable as this requires less than 2 40 bits of keystream with an attack complexity of 277 .
2.3 Summary In this chapter, a general overview of algebraic attacks was given. It was shown that algebraic attacks are an effective attack approach on regularly clocked LFSR based stream ciphers. A general framework for algebraic attacks was presented. There are three main requirements for a successful algebraic attacks: the ability to obtain valid relationships between the internal state with the outputs, the ability to reduce the overall degree of the equations and finally being able to efficiently solve them. Each of these requirements was then dealt with separately. It was shown how to form a system of equations for keystream generators based on LFSRs. Firstly, it was shown how to obtain this for regularly clocked LFSR ciphers with linear update of the internal state and then for irregularly clocked LFSRs with nonlinear update of the internal state. Following this, the methods proposed for reducing the degree of the equations were then discussed. The discussion revisited the algebraic immunity and annihilators definition. Several algorithms were proposed for this purpose and were discussed above including their complexity. The algorithm used in this thesis for finding low degree multiples was also outlined. There are many methods proposed for solving systems of equations. A discussion on the complexity of these methods was outlined. Currently the only method with a known runtime complexity is the linearization approach. Finally, fast algebraic attacks were discussed. In the discussion, the complexity of the four main steps in fast algebraic attacks were given.
36
Chapter 2. Overview of Algebraic Attacks on LFSR based Stream Ciphers
Chapter 3
Keystream Generators using Stop-and-Go Clocking
3.1 Introduction In this chapter, algebraic attacks are applied to keystream generators which use stop-and-go clocking. The generators considered are based on LFSRs where one LFSR controls the clocking of one or more other LFSRs, or an extension of this idea. In particular, algebraic attacks are applied to four ciphers: the Beth-Piper strengthened stop-and-go, the alternating step generator, the Gollmann cascade and Pomaranch family of stream ciphers. It is shown that algebraic attacks are effective against this type of stream cipher. For each cipher, our attack is compared with other known attacks, based on the keystream requirements, the attack complexity, and the pre-computation complexity. Improvements to currently known attacks are demonstrated. The aim of the algebraic attacks is to obtain equations to find the initial states of the ciphers above. The attacks presented in this chapter ignore key initialization schemes. This issue will be discussed in Chapter 6. The attack algorithms proposed in this chapter are based on Algorithm 2.1. In Section 3.2, a generic approach to constructing algebraic equations involving the initial state bits for stop-and-go clock-controlled ciphers is presented. Once the system of equations is formed, the known keystream bits are substituted into the system and then solved using one of the well known methods for solving non linear systems of equations, as described in Chapter 2. The solution provides the initial state bits of the ciphers. However, if guessing was involved, one would need to check if the recovered state can be used to generate keystream which matches the observed keystream. In subsequent sections, this generic approach is applied to specific ciphers.
37
Chapter 3. Keystream Generators using Stop-and-Go Clocking
38
3.2 Equation Generation for Stop-and-Go Generators In a general approach to generating an equation for a stop-and-go clock-controlled stream cipher, three things need to be considered: firstly, which LFSR controls the clocking (the letter A will be used for this register), secondly, which bits of this controlling register are used to determine the clocking; and thirdly, the effect of the control bit on the controlled register. For example, consider a keystream generator based on two LFSR’s. Let A denote the controlling LFSR and B denote the controlled LFSR. Suppose that the ith bit of A denoted Ai , controls the clocking of B in such a way that if it is 0, B does not clock and if it is 1, B clocks 1 time. In this case, the value stored in the u th position of B can be expressed as follows: t−1 t−1 Bkt = But−1 (At−1 ⊕ 1) ⊕ Bu−1 Ai . i
(3.1)
Of course, this applies if (u − 1) > 0 as otherwise, the feedback polynomial must be used in forming the equation. Modifications can also be made to take into consideration the use of several bits of A to determine the clocking of B and in cases where more than one register is used in determining the clocking of other registers. In the more general situation of a polynomial P in the bits of A controlling the clocking of register B, Equation (3.1) becomes t−1 But = But−1 (P ⊕ 1) ⊕ Bu−1 P.
(3.2)
where P denotes a polynomial relating all of the controlling bits from register A.
Theorem 3.1 Consider a bit-based LFSR system with K regularly clocked LFSRs A i of length li respectively, 1 ≤ i ≤ k, in which a linear polynomial L involving bits of the A i determines the clocking
of a register B of length m as described in (3.2). Suppose the output z t at time t is the binary sum of the outputs of all registers. The initial state of all Ai can then be recovered from a system of quadratic equations, and can subsequently be used to recover the output of B.
t Proof. Having z t = Bm ⊕
X
Atli , and using (3.2), z t+1 can be written as
i
t t z t ⊕ z t+1 = L(Bm ⊕ Bm−1 )⊕
X i
X
At+1 li .
(3.3)
(Atli ⊕ At+1 li ).
(3.4)
t t z t+1 = Bm (L ⊕ 1) ⊕ Bm−j L⊕
i
Multiplying by L ⊕ 1 results in an equation of degree at most two involving the bits of the A i : (L ⊕ 1)(z t ⊕ z t+1 ) = (L ⊕ 1)
X (Atli ⊕ At+1 li ).
(3.5)
i
This quadratic system can be solved for all bits of the registers Ai by running off sufficiently many
3.3. Beth-Piper Stop-and-Go Generator
39
output bits from the system. The output of B can then be calculated from t Bm = zt ⊕
X
Atli .
2
i
The above theorem indicates that using more than one regularly clocked register in a linear way to produce the output of the system adds no additional security, as one sufficiently long such register will suffice. This confirms, as a special case, the result of [170]. Although the assumptions of the theorem apply only to the stop-and-go generator in our list of target ciphers, the method used in the proof applies to a general class of clock-controlled LFSR based systems, namely those in which a linear function of register bits controls the clocking of several registers. As will be shown in Sections 3.4 and 3.5 the alternating step and the Gollmann cascade ciphers respectively also fall into this category. While the internal state values of A can be expressed in terms of linear equations of the initial contents used the feedback polynomial, the internal state values of B are higher degree equations because of the increased nonlinearity in the internal state of register B. Since the output of B is always used in the output of the entire system, the equations describing the keystream bits may be considered as highly non-linear. Solving high degree equations is a time complexity consuming and some times can be worse than exhaustive keysearch; our aim is therefore to reduce the high degree of the output equations. In each of the four systems discussed below, combinations of consecutive output bits in order to obtain reduced degree equations have been considered in the attack.
3.3 Beth-Piper Stop-and-Go Generator 3.3.1 Description of the Basic Beth-Piper Stop-and-Go Generator The basic Beth-Piper stop-and-go generator [26] shown in Figure 3.1, has two LFSRs denoted A and B of lengths l and m respectively. A is regularly clocked and its output controls the clocking of B. Register B is clocked once if and only if the output of A is 1, and the output of register B form the ∞ keystream z = {z(t)}t=1 . LFSR A l
LFSR B m
z
Figure 3.1: The Beth-Piper Stop-and-Go Generator - Basic Version
3.3.2 Algebraic Attack of the Basic Beth-Piper Stop-and-Go Generator From Equation (3.1), a relationship between the internal states of the cipher and the output is obtained. Using Equation (3.1), equations for two consecutive output bits of the system can be produced as follows: t−1 t t−1 t−1 t−1 z t = Bm = Bm Al ⊕ B m ⊕ Bm−1 At−1 l
and
t t t z t+1 = Bm Atl ⊕ Bm ⊕ Bm−1 Atl .
(3.6) (3.7)
Chapter 3. Keystream Generators using Stop-and-Go Clocking
40
Adding (7.2) and (3.7) yields z t ⊕ z t+1
t−1 t−1 t−1 t−1 = Bm Al ⊕ B m ⊕ Bm−1 At−1 l t t t ⊕Bm Atl ⊕ Bm ⊕ Bm−1 Atl .
t Substituting for Bm in the right hand side of this expression yields
z t ⊕ z t+1
t−1 t−1 t−1 t−1 = Bm Al ⊕ B m ⊕ Bm−1 At−1 l
t−1 t t−1 t−1 t−1 ⊕Bm Atl ⊕ Bm Al ⊕ B m ⊕ Bm−1 At−1 l
t ⊕Bm−1 Atl
t t ⊕ Bm−1 ). which simplifies to z t ⊕ z t+1 = Atl (Bm
(3.8)
From equation (3.8), Kanso [134] and Rueppel [172] observe that when the left side is 1, then A tl t t is 1. However, one should also observe that when Bm ⊕ Bm−1 equals 1, this gives useful information t about the bit Bm−1 in the irregularly clocked register. Note also that in (3.8) the right-hand side is a product of a linear term with a high degree term and this is equal to the constant on the left-hand
side. Consequently, running off about 2 × l keystream bits gives enough equations to solve the sparse linear system in A with a complexity of l 2 . Once the initial state of A is determined, the output from the system can then be used to determine the initial state of B directly. Figure 3.2 outlines the attack algorithm for recovering the internal state of the cipher based on the derived analysis. Note that around 2 × l segments of keystream are needed in order to run the attack as the probability that z t ⊕ z t+1 is equal to 1 is a half.
Algorithm 3.1 An algebraic attack on the basic Beth-Piper stop-and-go generator Inputs : Feedback polynomials of A and B; 2 × l segments of keystream. Outputs: Internal state bits of A and B. • Step 1: Consider the output of A as an equation whenever z t ⊕ z t+1 in Equation (3.8) is equal to 1. • Step 2: Generate l such equations. • Step 3: Solve the system of equations of A by substituting in keystream. • Step 4: Substitute the recovered values of A and generate linear equations in the unknowns of B using equation (3.6). • Step 5: Solve the formed system of equations in the unknowns of B to recover its state. • Output A and B. Terminate Figure 3.2: Algorithm for algebraic attack for recovering the state of the Basic Beth-Piper Stop-and-Go Generator
3.3. Beth-Piper Stop-and-Go Generator
41
3.3.3 The Strengthened Beth-Piper Stop-and-Go Generator The strengthened Beth-Piper stop-and-go generator [26] as shown in Figure 3.3, employs three LFSRs; in addition to A and B as in the basic stop-and-go, it uses a third regularly clocked register C of length n. The output bit at time t is formed by combining, using XOR, the sequences from B and C. A thorough analysis of the cipher has been conducted in [134], confirming that the cipher generates sequences with good statistical properties. LFSR B m Clock
LFSR A l
Output bit LFSR C n
Figure 3.3: The Beth-Piper Stop-and-Go Generator - Strengthened Version
3.3.4 Algebraic Attack on the Strengthened Beth-Piper Stop-and-Go Generator The method applied to the basic stop-and-go generator is also applied here. The output of the irregularly clocked register B is given by t−1 t t−1 Bm = Bm (At−1 ⊕ 1) ⊕ Bm−1 At−1 . l l
(3.9)
the generator output is t z t = Bm ⊕ Cnt .
(3.10)
The maximum degree an equation can have for this system is l + 1. The number of monomials is M = m(2l − 1) + n + 1. The complexity of solving this system of equations using the standard
linearization method outlined by Algorithm 2.3 is then M ω as shown in Chapter 2. This is greater than exhaustive keysearch. Reducing the Degree of the Equations
If the degree of the equations generated by the generator can be significantly reduced, it might be possible to perform an algebraic attack. In this section, a method for obtaining equations between the internal state of the registers and the outputs independent of the internal state of the irregularly clocked register B is shown. The method of degree reduction is the basis of algebraic attack method. From Equations (3.9 and 3.10), t+1 t t t t z t+1 = Bm ⊕ Cnt+1 = Bm Atl ⊕ Bm ⊕ Bm−1 Atl ⊕ Cn−1 .
(3.11)
Combining this with (3.10) yields t t z t ⊕ z t+1 = (Bm ⊕ Bm−1 )Atl ⊕ Cnt+1 ⊕ Cnt .
(3.12)
42
Chapter 3. Keystream Generators using Stop-and-Go Clocking
Algorithm 3.2 An algebraic attack on the strengthened Beth-Piper stop-andgo generator Inputs : Feedback polynomials of A, B and C; 2 × (l + n) segments of keystream. Outputs: Internal state bits of A, B and C. • Step 1: Form an equation whenever z t ⊕ z t+1 in Equation (3.13) is equal to 1. • Step 2: Collect l + n of such equations. • Step 3: Solve the system of equations in the unknowns in A and C by substituting in keystream to recover the internal state of A and C. • Step 4: Recover B using Equation (3.10). • Output A, B and C. Terminate Figure 3.4: Algorithm for algebraic attack for recovering the state of the strengthened Beth-Piper stopand-go generator The high degree terms can easily be eliminated in this equation by multiplying both sides by A tl ⊕ 1. (Atl ⊕ 1)(z t ⊕ z t+1 ) = Atl Cnt+1 ⊕ Atl Cnt ⊕ Cnt ⊕ Cnt+1 .
(3.13)
Equation (3.13) provides a system of quadratic equations in the bits of regularly clocked registers A and C. One can conduct divide and conquer algebraic attacks on the system. Based on the above analysis, the internal state of the cipher can be recovered as follows. By observing the cases where (z t ⊕z t+1 ) is equal to 1, an attacker can form an equation using Equation (3.13). Once enough equations in the unknowns of A and C are formed, the system of quadratic equations is solved to recover the state of A and C. Having done so, the initial state of B can be recovered using Equation (3.10). The attack algorithm for recovering the initial state of the strengthened version of the stop-and-go generator is shown in Figure 3.4. It should be noted that it is not useful to solve the system of equation obtained from equation (3.13) with Gaussian elimination by linearisation of the system. This is because multiplying the equations by (Atl ⊕ 1) introduces new sets of monomials that need to be linearised with more variables, while the rank of the system stays constant. The system then becomes underdetermined and hence cannot be solved for a unique solution. Such a system of equations is solved by Gr¨obner bases methods instead.
3.3.5 Experimental Results Experimental simulations were conducted implementing the algebraic attack on the strengthened BethPiper stop-and-go generator using Algorithm 3.2. The aim is to recover the initial state bits of the cipher. Experiments were performed for three different register lengths: l = n = m = 16, 32, and 64. Thirty trials were conducted for each length. In each trial, the following procedure is used: for registers A, B, and C random initial states
3.3. Beth-Piper Stop-and-Go Generator
43
generated, then a segment of the keystream sequence is produced. The length of the keystream segment used varied as shown in Table 3.1. Then using equation (3.13), quadratic equations in terms of initial state bits of registers A and C only, with l + n variables are obtained. Finally, the F 4 algorithm of the Gr¨obner bases methods was used to solve the formed system of equations, which provided a unique solution to the initial states of A and C. Once the initial state are recovered, a segment of the keystream was generated and compared with the observed one which were found to match. The minimum keystream required for the attack is l + n. In practice, one usually needs significantly more than l + n equations for finding a unique solution. Performing multiplication on the algebraic equations introduces dependencies and so the attack requires about l 2 /2 bits of keystream to find unique solutions. l, n 16 bit 16 bit 32 bit 32 bit 64 bit 64 bit
Number of variables 32 32 64 64 128 128
Keystream used 128 bit 256 bit 1024 bit 1536 bit 4096 bit 5120 bit
Time to generate equations 0.8 s 1.6 s 40 s 60 s 513 s 649 s
Time to find solution 32 s 0.75 s 60 s 10 s 3889 s 618 s
Table 3.1: Attack Times for Beth-Piper Stop-and-Go Generator It can be seen from Table 3.1 that increasing the keystream length increases the time taken to generate the equations. However, it decreases the time taken to find a solution of the system of the generated equations. Note that equations are generated in the precomputation phase of the attack, so this is a one off cost.
3.3.6 Comparison with Previous Cryptanalysis A significant attack on the strengthened version of the stop-and-go generator is due to [199], which uses an improved linear syndrome algorithm. It is assumed that the feedback polynomials are primitive trinomials. The approach uses trinomial multiples of the feedback polynomial of each LFSR to generate syndromes which are equations in the output bits. Under this assumption, the attack is very fast, solving the problem in 896 max(l, m) computations based on 37 max(l, m) keystream bits, where max stands for the maximum. When a feedback polynomial is not trinomial, the linear syndrome method relies on being able to replace it by its trinomial multiple of the least degree. A well known method for determining such multiples is due to Coppersmith [54, 188]. For each register, a database of discrete logarithms must be pre-computed in order to permit the generation of a system of smooth polynomials. The construction of the database and generation of polynomials are both used in assessing the precomputational complexity as described in Table 3.2. However, if a new register size is introduced for which a database does not exist, a new database and corresponding polynomial set must be generated. Coppersmith makes use of an agreed range of discrete logarithm polynomial degrees to produce a range of computational complexities allowing for a trade-off with pre-computational time against solution time. More pre-computation may result in a sparse system of linear equations and hence lower solution complexity. Conversely, less pre-computation results in a system which is not sparse and higher (full Gaussian) solution complexity should be expected. Meier and Staffelbach [147] show that low weight
44
Chapter 3. Keystream Generators using Stop-and-Go Clocking
feedback polynomials (less than weight 10) are unsafe for use in LFSRs. Thus, methods to produce low weight multiples as in [159] have been developed. All such methods have high complexity and low probability of achieving weight 3 polynomials, and so are not discussed here. It is noted that the algebraic attack method presented in this thesis is applicable regardless of the weight of the feedback polynomial and the length of the LFSR’s. Table 3.2 provide a summary of the requirements for performing a successful attack, both for the linear syndrome attack and the attack presented in this thesis. The requirements include the minimum keystream required, precomputation complexity, where applicable, solution complexity, and the total attack complexity which is the combination of precomputation and solution complexities. Where there is essentially no precomputation performed, this spot is left blank. For comparison, the keystream lengths and the total attack complexity for register sizes 64 and 128 are also given. The table entry Gr indicates that complexity of the work using a Gr¨obner bases method, which is generally unknown. A measure of this complexity can be derived from the empirical results presented in Table 3.1.
Linear syndrome attack [199] Our attack Gr¨obner
Minimum keystream required MK
MK l=m= n = 64
Precomputation complexity
Solution complexity
Total attack complexity TC
212
2n +2 n2(n −1)/3 to∗∗ 1/3 2/3 2n +2 n(4n −1)/3
(l + n)3 to (l + n)2
2n +2 n2(n +(l + n)3
37 max(l, n)∗ l+n
27
O(l2 )
Gr
Gr
2/3
1/3
2/3
1/3
−1)/3
TC l=m= n = 64
TC l=m= n = 128
230 to 2132
247 to 2241
Gr
Gr
Table 3.2: Comparing algebraic attack and the linear syndrome attack on the strengthened Beth-Piper stop-and-go
3.3. Beth-Piper Stop-and-Go Generator
Attack
45
46
Chapter 3. Keystream Generators using Stop-and-Go Clocking
It can be seen from Table (3.2) that for l = m = n = 64, the attack presented in this thesis requires only 27 keystream bits while the linear syndrome attack requires 212 bits. In addition, the precomputation complexity of the syndrome attack ranges between 2 30 and 2132 , while ours only needs approximately 212 . As for the solution complexity, the linear syndrome attack requires between 2 30 to 2132 as well, while ours is unknown. However, the experimental results shown on Table 3.1 provide a better understanding of the complexity of our attack. It is very difficult to make a a theoretical comparison between an attack of unknown complexity with those of known complexity outlined in Table 3.1 (unless one implements all of the other attacks, which is not the scope of this thesis), we will assume that generally, 2 14 operations can be performed in 1 second using Magma 2.11 on the SGI Origin 3000 using CPU at 600 MHz. Note that, we also assume each operation in all of the attack takes the same amount of time, which might not actually be the case in reality. Comparing the presented algebraic attack with the linear syndrome attack for l = n = 16, it can be seen that a unique solution was found in 32 seconds using 128 bits of keystream, whereas 256 keystream bits gave the solution in 0.75 seconds. Applying the linear syndrome attack to the same generator would require about 592 keystream bits to run the attack with an overall attack complexity 237 which can be completed in around 232 seconds. Similarly, for l = n = 64, a unique solution was found in 3889 seconds using 4096 bits of keystream, and for 5120 keystream bits a solution is obtained in 618 seconds. Applying the linear syndrome attack to the same generator would require about 2368 keystream bits to run the attack with an overall attack complexity 2132 which will take more than 260 seconds to complete. These results indicate that this method is significantly better than previous technique proposed in [199].
3.3.7 Fast Algebraic Attack on Strengthened Beth-Piper Stop-and-Go Generator The complexity of recovering the internal state of the strengthened Beth-Piper stop-and-go generator can be reduced by solving a system of linear equations instead of solving a sysem of quadratic equations using fast algebraic attacks. Recall that in the previous section, a multiple g = (A l ⊕ 1) was found that significanlty reduce the overall degree of the equations from l + 1 to degree 2. Using g, h was found to be h = Atl Cnt+1 ⊕ Atl Cnt ⊕ Cnt ⊕ Cnt+1 . Hence fast algebraic attacks can be applied to further reduce the degree of the equations to degree 1 by combining some output equations. Note that given Equation (3.13), one can see that using fast algebraic attacks linear equations in the unknowns of register C can only be obtained. Consider the application of fast algebraic attack to the strengthened Beth-Piper stop-and-go generator. Using Algorithm 2.6, one can easily obtain the equations to add for the precomputation step of the attack. For l = m = n = 64, using equations (2.16),(2.18), (2.17) and (2.19), the amount of data, ∗ This only applies for LFSRs with trinomial primitive polynomials, in which case the attack takes time 896 max(l, m). Trinomial Polynomials should not be used. ∗∗ The lower pre-complexity corresponds to higher solution complexity and higher pre-complexity to lower solution complexity in this table. On average, if the attack is only performed once the total attack complexity will be about the same in either case.
3.4. Alternating Step Generator
47
memory, precomputation step complexity and the substitution step complexity is 2 11 bits,212 bits, 217 and 221 ,respectively. Similarly, for l = m = n = 128, the the data, memory, precomputation step complexity and the substitution step complexity is 213 bits, 214 bits, 220 , and 224 , respectively. Although the attack requirements for fast algebraic attack is more than that of the standard algeriac attacks, the attack complexity is now known.
3.4 Alternating Step Generator 3.4.1 Description The alternating step generator was introduced in [115] and is shown in Figure 3.5. It uses three LFSRs A, B and C of lengths l, m and n, respectively. A is regularly clocked and controls the clocking of both B and C. If the output of A at time t is 1, then B is clocked; otherwise, C is clocked. The output of the system is the sum of the outputs of registers B and C. LFSR B m Clock
LFSR A l
Output bit LFSR C n
Figure 3.5: The Alternating Step Generator In the following sections, an algebraic attack approach for recovering the initial state of the alternating step generator is shown.
3.4.2 Algebraic Attack on the Alternating Step Generator Using the general equation of Section 3.2, t−1 t−1 Bit = Bit−1 (At−1 ⊕ 1) ⊕ Bi−1 Al l
(3.14)
t−1 Cit = Cit−1 At−1 ⊕ Ci−1 (At−1 ⊕ 1). l l
(3.15)
t the keystream bit at time t is given by z t = Bm ⊕ Cnt . The maximum degree an equation can have is
l + 1 as the length of the controlling register is l which is incorporated into the internal states of B and C. The number of monomials is M = (n + m)(2l − 1) + n + 1.
In applying our algebraic attack, Theorem 3.1 of Section 3.2 is used again to obtain t+1 t z t ⊕ z t+1 = Bm ⊕ Bm ⊕ Cnt+1 ⊕ Cnt
(3.16)
t t t z t ⊕ z t+1 = (Bm ⊕ Bm−1 )Atl ⊕ (Cnt ⊕ Cn−1 )(Atl ⊕ 1).
(3.17)
which can be rewritten as
Chapter 3. Keystream Generators using Stop-and-Go Clocking
48
Multiplying both sides of (3.17) by Atl ⊕ 1 produces t (Atl ⊕ 1)(z t ⊕ z t+1 ) = (Atl ⊕ 1)(Cnt ⊕ Cn−1 ).
(3.18)
Thus, a linear multiple of the complex component in C reduces to a low degree function on the left. On the other hand, multiplying both sides of (3.17) by Atl produces t t Atl (z t ⊕ z t+1 ) = Atl (Bm ⊕ Bm−1 ).
(3.19)
In both cases, a divide and conquer attack can be performed. One can guess register A bits and use an algebraic attack to solve the resulting system in C formed using Equation (3.18), with complexity 2l nω . Equation (3.16) can then be used to solve for the bits of B with additional complexity m ω . The total complexity is 2l (nω + mω ). Alternatively, the internal state of register A can be guessed, and the bits of B recovered, using Equation (3.19) with complexity 2 l (mω ). The overall attack complexity after recovering the bits of C using equation (3.16) is then 2l (mω + nω ). Guessing the shortest register is clearly the best option. The last option would be not to guess any bits and attempt to solve the constructed system of equations via Equations (3.18) or (3.19) using the F 4 algorithm which is the one used in our experimental simulations.
3.4.3 Experimental Results Experimental simulations were conducted implementing the algebraic attack on the alternating step generator. The aim is to recover the initial state bits of the cipher. Experiments were performed for two different register lengths: l = m = 8 and 10. Thirty trials were conducted for each length. In each trial, the following procedure is used: for registers A, B, and C random initial states are generated, then a segment of the keystream sequence is produced. The length of the keystream segment used varied as shown in Table 3.3. Using equation (3.19), a system of equations in terms of initial state bits of registers A and B are formed, with l + m variables of degree l + 1. Finally, the F 4 algorithm of the Gr¨obner bases methods was used to solve the formed system of equations, which provided a unique solution to the initial states of A and B. Once the initial states are recovered, a segment of keystream was generated and compared with the observed and found to matched. The minimum keystream required for the attack is l + m. Once the initial state of registers A and B were recovered, the state of register C was recovered using equation (3.16). Note that Table (3.3) uses equation (3.19) to generate a system of equations in A and B only. l, m 8 bit 10 bit
Number of variables 16 20
Keystream used 24 bit 30 bit
Equations Degree 9 11
Time to generate equations 27 s 2706 s
Time to find solution 7s 1830 s
Table 3.3: Algebraic attack times on Alternating Step Generator
3.4. Alternating Step Generator
49
3.4.4 Comparison with Previous Cryptanalysis Several correlation attacks have been applied to the alternating step generator. In [105], Goli´c and Menicocci define the ’edit distance’ between two input strings and an output string as the minimum possible number of substitutions needed to obtain the output string and show that it can be computed in time O((n/m)2(n+m) ) using O(m + n) keystream bits. In a later paper, [106], the same authors significantly improve on the above using experimental results which indicate that the probability of obtaining zero edit distance is larger when the guess about the internal states is correct. They show that the complexity depends only on the size of the longer non-linear register, replacing m + n with max (n, m) in the above, as shown in Table 3.4. The attack used by Zenner [201] can also be applied against the alternating step generator with complexities as indicated in Table 3.4. Zenner attack involves guessing a large number of clocking bits, generate system of equations in the remaining unguessed bits and then checking the generated system of equations for consistency. While it remains very difficult to make a theoretical comparison between an attack of unknown complexity with those of known complexity given in Table 3.4 (unless one implements all of the other attacks, which is not in the scope of this thesis), we will assume that generally, 2 14 operations can be performed in 1 second using Magma 2.11 on the SGI Origin 3000 using CPU at 600 MHz. Note that, we also assume each operation in all of the attack takes the same amount of time, which might not be the case in reality. As well we are assuming that each bit increase doubles the time. Table 3.4 presents a summary, both for ours and other attacks the minimum keystream required, precomputation complexity, where applicable, solution complexity, and the total attack complexity which is the combination of precomputation and solution complexities. The length of keystream and the total complexity for register sizes 64 are also given.
MK l=m= n = 64
Precomputation complexity
Solution complexity
Total attack complexity TC
TC l=m= n = 64
O(m + n)
29
—
O(2m+n (m + n))
O(2m+n (m + n))
2135
l+m+n
28
—
O((l + m + n)3 2(l+m+n)/2 )
O((l + m + n)3 2(l+m+n)/2 )
2119
O(max{m, n})
211
—
O(2max{m,n} max{m, n})
O(2max{m,n} max{m, n})
270
max{m, n}
27
—
O(2l (n3 + m3 ))
O(2l (n3 + m3 ))
283
l + max{m, n}
28
O(2l )
Gr
Gr
Gr
Table 3.4: Best known attacks on the Alternating Step Generator
Chapter 3. Keystream Generators using Stop-and-Go Clocking
Edit distance corr’n [105] Clock control guessing attack [201] Improved edit distance corr’n [106] Algebraic attack Gaussian Algebraic attack Gr¨obner
Minimum keystream required MK
50
Attack
3.4. Alternating Step Generator
51
It can be seen from Table (3.4) that for l = m = n = 64, our attack using the linearization approach given by Algorithm 2.3 combined with the guessing approach achieves the second best runtime complexity compared with the rest of the attacks in the table. In addition, it has the minimum keystreams requirements compared with the rest of the attacks in the table. Furthermore, our attack using the Gr¨obner bases method has the same keystream requirement as the clock control guessing attack, which is 28 . But our attack complexity using this approach remains unknown. However, to get a sense of the effectiveness of using the Gr¨obner bases method, experimental simulations have been conducted which implements the algebraic attacks described above. It is shown in Table 3.3 that the initial states can be recovered with the minimum required keystream. For instance, for l = m = n = 10, the initial state can be recovered using the F 4 algorithm in around 210.8 seconds using only 20 bits of keystream. If instead the linearization approach given by Algorithm 2.3 was used, the amount of keystream required would be about 2 19.5 with an attack complexity of 258.7 for ω = 3. Based on our timing assumption, this would take around 2 43 seconds. Furthermore, if the attack was to be compared with the edit distance correlation for l = m = n = 10, then the amount of keystream required would be 20 bits, same as ours. However, the overall attack complexity will be 224 which can be completed in around 210 seconds. Furthermore, the clock control guessing attack would requires 30 keystream bits with an overall attack complexity of 2 30 which can be completed in 216 seconds. Finally, the improved edit distance attack would require approximately 10 bits with an attack complexity of 213.2 which can be performed in around half a second.
3.4.5 Modified Alternating Step Generator In [130], Johansson presents a modified version of the alternating step generator with the same clockcontrol set-up but the following change in output: t z t = Atl Bm ⊕ Cnt (Atl ⊕ 1)
(3.20)
so that only the output of B or C is used rather than the sum of the two. He states that the complexity is the same as that for the standard version. The keystream needed for his attack on the modified version is O(max (m, n)) bits and the attack complexity is O(2(max(m,n)+10) ), or 2138 when m = n = 128. In this situation, an algebraic attack can again be mounted, applying the method of Section 2 to z t z t+1 : t−1 t (At−1 ⊕ 1)(Atl ⊕ 1)z t z t+1 = (At−1 ⊕ 1)(Atl ⊕ 1)(z t−1 ⊕ Cnt−1 ⊕ Cn−1 )(z t ⊕ Cnt ⊕ Cn−1 ). (3.21) l l
In this case, a quadratic multiple of the complex component in C reduces to a low degree function. The complexity of solving the system is the same as the standard one. Once the bits of A and C are obtained, the bits of B can directly be obtained using Equation (3.20).
3.4.6 Alternative Algebraic Attacks on the Alternating Step Generator Alternatively, one can recover the internal state of the registers by making use of the statistical distribution of the bits generated from a regularly clocked register. One algebraic attack on LILI-128 [65], made use of this fact. That is for every period of register A, there are exactly 2 l−1 − 1 outputs of zero and 2l−1 outputs of 1. Therefore, for one period of register A, register B is clocked exactly
Chapter 3. Keystream Generators using Stop-and-Go Clocking
52
∆B = 1 ∗ (2l−1 − 1) while register C is clocked exactly ∆C = (2l−1 ) times. Thus, one can obtain a
linear equation for each period of register A by stepping register B ∆ B and register C ∆C clocks and solve the linear equations in the unknowns of both registers. The complexity of this approach is then the complexity of solving linear equations in m + n unknowns. However, the amount of keystream required is (m + n) ∗ 2l−1 . The interesting thing is that if the number of controlling bits is increased, this will increase the degree of the equations more quickly, but this will reduce ∆ B and ∆C . This fact shows that one has to be careful with the number of bits to choose in such ciphers and the lengths of the registers. In order to resist such attack, it is preferably to choose the lengths of registers B and C to be bigger than register A, rather than all should be of similar length as previously suggested in [115]. Comparing this attack with the rest of the attacks of Table3.4 for l = m = n = 64, one can see that the initial state bits can be recovered in 1283 = 221 , for ω = 3 using around 264 × (128) = 271 of keystream bits.
3.5 Cascade Generators The stop-and-go clock control cascade cipher is an extension of the basic idea of a stop-and-go generator. In an LFSR based stop-and-go clock control cascade cipher, the output of the first LFSR controls the clocking of a second LFSR, both outputs together control the clocking of a third LFSR, and so on. This section presents algebraic analysis of two such ciphers, the Gollmann cascade generator [110] and Pomaranch, an eSTREAM project candidate [126, 128, 129]. It will be shown how to obtain relations between the internal state bits and the output bits of the Gollmann clock-controlled cascade stream ciphers. An alternative attack on the Gollmann cascade is also described. An algebraic analysis of Pomaranch is then presented. Pomaranch is a family of stream ciphers that are in phase two proposals of the eSTREAM project. The idea of cascading a set of LFSRs was due to Gollmann [110] and was further studied by Chambers and Gollmann in 1988 [111]. In the latter study, they conclude that better security is achieved with a large number of short LFSRs instead of a small number of long ones. Park, Lee and Goh [164], extended the attack of Menicocci on a 2-register cascade using statistical techniques [152] and successfully broke 9-register cascades where each register has fixed length 100. They suggested also that 10-register cascades might be insecure. In 1994, Chambers [44] proposed a clock-controlled cascade cipher in which each 32-bit portion of the output sequence of each LFSR passes through an invertible s-box with the result being used to clock the next register. In the case of the Gollmann cascade, the key is the combined initial states of the registers, and the keystream of the generator is the output of the final register. Pomaranch uses an initialization vector for key loading and its keystream output is the sum of certain bits taken from each of the registers. In subsequent sections, algebraic attacks on the Gollmann cascade generator will be presented. This leads us into our algebraic analysis of Pomaranch, where the cipher construction is more complicated than the Gollmann cascade. Unless otherwise specified, additions and multiplications presented in this section are defined over GF(2).
3.6. Gollmann Cascade Generator
53
3.6 Gollmann Cascade Generator 3.6.1 Description The Gollmann cascade generator, introduced in [110], employs K LFSRs arranged serially such that
each register except for the first one is clock-controlled by an input bit, which is the sum of the output bits of its predecessors. This structure is shown in Figure 3.6. Let the input bit to the i-th register at time t be ati , for i ≥ 2. The i-th register is clocked if and only if ati = 1. The output bit of the i-th register is then added to ati , and the result becomes ati+1 . The keystream output of the generator is the output of the K-th LFSR.
Figure 3.6: The Gollmann Cascade Generator Gollmann first proposed cascading K cyclic registers of the same prime length p with feedback polynomial f (x) = xp + 1. This is known as the p-cycle. A variation of the Gollmann cascade, called an m-sequence cascade, has the cyclic registers replaced by maximum length LFSRs of the same length l. An algebraic analysis of this type of Gollmann cascade generator with registers of variable length is given, and an attack is presented showing how one can recover the initial states of the registers.
3.6.2 Algebraic Attack on the Gollmann Cascade Generator This section presents a basic algebraic analysis of the clock-controlled Gollmann cascade generator. For simplicity, a cascade generator of K = 4 LFSRs of any lengths is considered. However, the analysis presented here can be adapted to a cascade with any number of registers. For this particular case, the lengths of LFSRs, A, B, C, D denoted by l, m, n, r respectively. Let, for example, A ti be the i-th bit t of register A at time t. Atl , Bm , Cnt , Drt are then the outputs of the respective registers. A is clocked regularly as a traditional LFSR. The states of the other LFSRs at time t can be expressed as follows. Bit Cit Dit
t−1 t−1 = Bit−1 (At−1 ⊕ 1) ⊕ Bi−1 Al l
(3.22)
t−1 t−1 t−1 = Cit−1 (At−1 ⊕ Bm ⊕ 1) ⊕ Ci−1 (At−1 ⊕ Bm ) l l
=
Dit−1 (At−1 l
⊕
t−1 Bm
⊕
Cnt−1
⊕ 1) ⊕
t−1 Di−1 (At−1 l
⊕
(3.23) t−1 Bm
⊕
Cnt−1 ).
(3.24)
Since the keystream of the generator is given by the output of the final register, this gives z t = Drt .
(3.25)
The maximum degree of the equations generated from the above set up is d = l + m + n + r − 1. Using (3.24) with i = r and (3.25) with t + 1 instead of t one gets
t t t z t+1 = z t (Atl ⊕ Bm ⊕ Cnt ⊕ 1) ⊕ Dr−1 (Atl ⊕ Bm ⊕ Cnt ).
(3.26)
Chapter 3. Keystream Generators using Stop-and-Go Clocking
54
which can be expressed as t t z t ⊕ z t+1 = (z t ⊕ Dr−1 )(Atl ⊕ Bm ⊕ Cnt )
(3.27)
From (3.27), it can be seen that if z t ⊕ z t+1 = 1, then t 1 = Atl ⊕ Bm ⊕ Cnt .
(3.28)
This observation will be used to recover the initial state bits in the attack presented in the following section. Recovering the Initial State Recovering the internal state of all registers can be performed by a divide and conquer algebraic attack. t Consider again the case where K = 4. From (3.28), whenever z t ⊕ z t+1 = 1, then Atl ⊕ Bm ⊕ Cnt = 1.
Therefore, one can start by guessing the initial states of registers A and B, which will enable us to t generate linear equations (3.23) for C with the substitution Cnt = Atl ⊕ Bm ⊕ 1 when z t ⊕ z t+1 = 1. Once enough equations are obtained, the initial state of C can by recovered by solving the formed system of equations. Once the initial states of C have been recovered, the internal state of register D can be recovered by solving the linear equations (3.24) and substituting the values for A, B, C and the keystream. If a solution for both C and D is obtained, then the initial states of all registers have been found. The complexity of this approach is given by the complexity of guessing A and B multiplied by the complexity of solving linear equations in the other registers. Gaussian elimination can be in general performed in O(nω ) operations, with 2.807 ≤ ω ≤ 3. For simplicity, throughout this section, it is
assumed that the worst case with ω = 3. The time complexity of this attack is then 2 l+m (n3 + r3 ). The minimum keystream requirement for recovering C is 2n on average, since useful information is only obtained if z t ⊕ z t+1 = 1, and that for recovering D is r. The same keystream can be used to construct equations for C and D, so the attack needs max(2n, r) bits of keystream. Figure 3.7 outlines that attack algorithm steps for recovering the initial state of the cipher. In practice one might need a small percentage more than this requirement due to linear dependencies among the linear equations generated. For a cascade cipher with K LFSRs, the complexity of the presented approach will be 2u (l13 + l23 ), where l1 , l2 are the length of the last two registers and u is the total length of the remaining registers. Clearly, the proposed attack is better than exhaustive key search, which has complexity 2u+l1 +l2 . Remark If the final register is of short length, say u, then one can generate equations of degree at most u (not involving the lengths of the other registers). Since every term in the final output equations will contain bits from the final registers, then one can reduce the overall degree of the equations by the length of the final register. For example, if we have K = 10 registers of length 32 each except for the final one which is of length say 16, then the overall degree of the equations generated will be d = 303. However, using this remark, the degree can be reduced to 16 only. Note that using this approach, one will be able to
recover the bits of the final register only. This shows that the length of the final register can minimize the security level provided by the cipher. On the other hand, if one was to set a number of bits from the last register to zero and leave x bits
3.6. Gollmann Cascade Generator
55
Algorithm 3.3 Algebraic Attack on the Gollmann cascade generator with K=4 Inputs : Lengths of registers, Feedback polynomials of A, B, C and D; keystream segments of lengths (l + m + n + r) . Outputs: Internal state bits of A, B C and D. • Step 1: Guess A and B. • Step 2: Form a system of linear equations in C using equation (3.23) for whenever z t ⊕ z t+1 = 1. • Step 3: Solve the system of equations in the unknowns in C by substituting in keystream to recover the internal state C. • Step 4: Form another set of linear equations in D using equation (3.24). • Step 5: Solve the system of equations in D by substituting the values for A, B, C and the keystream. • Step 6: Use the recovered initial state to reconstruct segments of keystream. • Step 7: Compare with the observed one. If mismatch, go to step 1, otherwise • Output A, B, C and D. Terminate Figure 3.7: Algorithm for algebraic attack for recovering the state of the Gollmann cascade generator
Chapter 3. Keystream Generators using Stop-and-Go Clocking
56
as unknowns, then the overall degree of the generated equations can be reduced by using an annihilator of degree x. Guessing all bits of the final register will only reduce the overall degree of the system by the length of the final register, but it is not as effective as annihilating the final register.
3.6.3 Experimental Results Experimental simulations were conducted implementing the algebraic attack on the Gollmann cascade cipher with K = 4 outlined in Algorithm 3.3. The aim is to recover the initial state bits of the cipher.
Experiments were performed for four different register lengths: l = m = n = r = 4, 6, 8 and 10. Fifteen trials were conducted for each length. The minimum keystream required for the attack is l + m + n + r bits, but in the experiments the keystream segment of length 6l was used. In each trial, the following procedure is used: for registers A, B, C and D random initial states are generated, then a segment of the keystream sequence is produced. After guessing A and B, a system of equations in terms of initial state bits of register C is formed, with n variables of degree 1. The F 4 algorithm of the Gr¨obner bases method was then used to solve the formed system of equations, which provided a unique solution for the initial state of C. Once C has been recovered, another set of equations in D are formed and solved. Once the initial states of all four registers are recovered, a segment of keystream was generated and compared with the observed one. If the two segments are identical the experiment was considered successful. l, m, n, r 4 6 8 10
Maximum keystream bits used 24 36 48 60
Maximum time required 12 s 157 s 5728 s 135822 s
Table 3.5: Recovering the internal state bits of a Gollmann cascade with K = 4
3.6.4 Comparison with Previous Cryptanalysis There are four published attacks on the Gollmann cascade generator. These are the lock-in effect attack by Gollmann and Chambers [45], the attack by Menococci [152], the clock control guessing attack by Zenner [201], and the attack by Park et. al. [164]. The complexities of the lock-in effect attack and the Menicocci attack are far higher than ours, so only a comparison of our attack with the ones that are more effective will be made. The clock control guessing attack has a relatively closer complexity and has a similar approach to ours. Zenner applies linear consistency tests to the Gollmann cascade using a technique of guessing the clock control bits resulting in a search tree. This attack is similar to ours in that it forms a set of equations after guessing a number of bits. It then solves the equations discarding those that are inconsistent. The complexity of the attack is of order 2 (l+m+n+r)/2 (l + m + n + r)3 . The only attack that outperforms ours is the attack by Park et. al. [164]. This attack is based on guessing the initial states of each register successively in the cascade with some desired probability. Their analysis starts by building a matrix of conditional probabilities between the inputs and outputs of a register. This matrix is used to determine the probabilities of particulars output to the cipher given particular inputs of the registers. These probabilities are biased when a run of zeros or ones occurs, yielding an efficient algorithm for finding the initial states of the registers by scanning the given
3.6. Gollmann Cascade Generator
57
keystream for runs of at least u consecutive zeros or ones, where u is determined by the desired error rate of the algorithm. The algorithm builds linear equations in the unknowns of the initial state bits of the first register of the cascade. Random equations from these are solved until a solution with high probability is found. The algorithm then uses this solution to build equations for the next register. This process is repeated until the initial states of every register are recovered except for the last. Finally, the initial states of the last register are recovered by using previously known techniques. The theoretical complexity of this attack is not given in the paper, so it is estimated it from the algorithm and the experimental data. Gaussian elimination is present, so O(l 3 ) is used for the asymptotic time complexity. From the experimental data it can deduced that O(l 2 ) bits of keystream are required to find the desired run of zeros or ones. Although Park’s attack is very efficient, it does have some limitations. Park’s attack requires consecutive keystream bits, but our attack does not require consecutive keystream bits. In our attack, any subset of the keystream can be used as long as the equations describing them are dependent on the values of all of the initial state bits. The number of keystream bits necessary in our attack is smaller than the number needed in that Park attack. Hence, our attack would be the only one that is feasible for implementations where rekeying occurs frequently such as the frame based communication systems for mobile telephones and wireless networks. Table 3.6 summarizes the above mentioned attacks on the Gollmann cascade generator for K = 4. Finally, the alternative algebraic attack presented in Section
3.6.5, transforms the problem of recovering the internal state of the cipher into a problem of solving quadratic equations in a large number of unknowns using for example the F 5 algorithm of unknown complexity. Attack Park attack [164] Lock-in-effect attack [45] Clock control guessing attack [201] Our Attack
Minimum keystream required (MK)
Time complexity (TC)
MK l=m=n = r = 64
TC l=m=n = r = 64
6l2
36l3
215
224
214
2248
4l2
16 (2l l2
− 2)4
l+m+n+r
2(l+m+n+r)/2 (l + m + n + r)3
28
2152
max(2n, r)
2l+m (n3 + r3 )
27
2147
Table 3.6: Best known attacks on Gollmann cascade generator It remains very difficult to make a theoretical comparison between an attack of unknown complexity (due to the application of Gr¨obner bases) with those of known complexity outlined in Table 3.6 (unless one implements all of the other attacks, which is not the scope of this thesis), we will assume that generally, 214 operations can be performed in 1 second using Magma 2.11 on the SGI Origin 3000 using CPU at 600 MHz. Note that, we also assume each operation in all of the attack takes the same amount of time, which might not actually be the case in reality. It is shown in Table 3.5 that the initial states can be recovered with the minimum required keystream. For instance, for l = m = n = r = 10, our algebraic attack can recover the initial state bits in 2 17 seconds using only 60 bits of keystream. Furthermore, if the attack was to be compared with Park et.al
Chapter 3. Keystream Generators using Stop-and-Go Clocking
58
attack, for l = m = n = 10, then the amount of keystream required would be 600 bits, much more than ours. However, the overall attack complexity will be 215.1 which can be completed in around 2 seconds. Furthermore, the clock control guessing attack would requires 40 keystream bits with an overall attack complexity of 235.9 which can be completed in 4194304 seconds. Finally, the lock-in-effect attack would requires approximately 400 bits with an attack complexity of 2 37.3 which can be performed in around 16777216 seconds.
3.6.5 An Alternative Algebraic Attack In this section another algebraic attack on the Gollmann cascade is shown. The resistance of clockcontrolled stream ciphers to traditional algebraic attacks is due to the fact that clock controls cause increases in the degrees of the equations generated. In the case of the Gollmann cascade, equations (3.22), (3.23) and (3.24) are obtained. The clock control bits are multiplied with the bit states of the registers causing an increase in the degree of the equations. Since the clock control of the Gollmann cascade is linear in the register states, the degrees of the equations increase by one at every clock. For example, let the initial states bits of A, B be ai , bi respectively. The outputs of A at the first two clocks are then A0l
= al
A1l
= al−1 ,
and the states of B at the first three clocks are expressed as Bi0
= bi
Bi1
= bi (al ⊕ 1) ⊕ bi−1 al
Bi2
= bi (al ⊕ 1)(al−1 ⊕ 1) ⊕ bi−1 {(al ⊕ 1)al−1 ⊕ al (al−1 ⊕ 1)} ⊕ bi−2 al al−1 .
The equations formed in the variables ai , bi will increase in degree as the cipher is clocked. However, if one instead uses new variables for the register states at every clock, this degree accumulation can be prevented and quadratic equations in terms of the register states at each time t can be obtained, as shown in (3.22), (3.23), (3.24). Initially, there are l + m + n + r variables representing the initial states of the registers. Since A is regularly clocked, no new variables for A need to be introduced. Also, since Drt = z t , one can just replace that state with the keystream output. This means that a total of m + n + r − 1 new variables are introduced at each time t. Now m + n + l equations are introduced as relations between old and new variables. Since the key size is l + m + n + r, at least l + m + n + r clocks are needed to form a system of equations with a unique solution. From the analysis above, (m + n + l)(l + m + n + r) quadratic equations can be obtained in (m + n + l)(l + m + n + r) unknowns for the Gollmann cascade. These equations can be solved by techniques such as Gr¨obner bases methods, but not by linearisation. This is because as more keystream is used, the number of variables and therefore monomials in the system increases at a much higher rate, and it is not possible to obtain enough equations in the linearised variables. Not so much is known about the practical complexities of solving polynomial equations by Gr¨obner bass methods, such as those by using Faugere’s F 5 and the XL and related algorithms. It is known that
3.6. Gollmann Cascade Generator
59
the worst case complexity of these algorithms on random systems of equations in GF(2) is O(2 2v ), where v is the number of equations. However, for specific systems and as the number of equations exceeds the number of variables, the complexity of XL and its variants can drop significantly, to even polynomial time. See for example [57,66,197] for descriptions and analysis of these algorithms. In our case, since the variables are in GF(2), we do not need to consider solutions in the algebraic closure of GF(2) and can solve the equations subject to the field equations x 2 + x = 0 for each variable x in the system. Therefore, another (m + n + l)(l + m + n + r) equations are obtained, giving us twice as many equations as variables. Furthermore, the equations are very sparse, since each variable is used only for two clocks. These properties might prove useful at reducing the complexity of finding the solution to the system. The actual efficiency of this attack is yet to be gauged and further research is needed in this area. This concept of attack will be used in Section 3.7.
3.6.6 Clock-Controlled Cascade Generator with Output Bits Taken from All Registers In this section, the effectiveness of our approach if each register contributes a bit to the output of the system is studied. Although this situation has not been examined in the literature, it is a natural extension of the cipher of the Gollmann cascade generator. The results of this section enable us to obtain some insight into the Pomaranch cipher. For this configuration, the degree of the resultant equations and number of monomials will remain the same as in the Gollmann-Chambers description. A Gollmann cascade cipher with K = 4 LFSRs
where the output is taken from the output of registers A, B, C, D as a binary sum is considered. In this case, the output of the system at time t can be represented as t z t = Atl ⊕ Bm ⊕ Cnt ⊕ Drt
(3.29)
t+1 Substituting for Bm , Cnt+1 and Drt+1 in equation 3.29 using equations (3.22), (3.23), (3.24).
z t+1
t t = At+1 ⊕ Bm (Atl ⊕ 1) ⊕ Bm−1 Atl l
t t t ⊕ Cnt (Atl ⊕ Bm ⊕ 1) ⊕ Cn−1 (Atl ⊕ Bm )
t t t ⊕ Drt (Atl ⊕ Bm ⊕ Cnt ⊕ 1) ⊕ Dr−1 (Atl ⊕ Bm ⊕ Cnt )
(3.30)
If we then add z t and z t+1 , we arrive at z t ⊕ z t+1
t t = Atl ⊕ At+1 ⊕ Bm Atl ⊕ Bm−1 Atl l
t t t t ⊕ Cnt Atl ⊕ Cnt Bm ⊕ Cn−1 Atl ⊕ Cn−1 Bm
t t t t t ⊕ Drt Atl ⊕ Drt Bm ⊕ Cnt Drt ⊕ Dr−1 Atl ⊕ Bm Dr−1 ⊕ Cnt Dr−1
(3.31)
which can be rewritten as z t ⊕ z t+1
t t = (z t ⊕ Dr−1 )(z t ⊕ Drt ) ⊕ At+1 ⊕ Bm ⊕ Cnt+1 l t t ⊕ Atl (Bm ⊕ Bm−1 ).
(3.32)
Chapter 3. Keystream Generators using Stop-and-Go Clocking
60
While this last equation is simple, it remains quadratic in the bits of D. Thus guessing the initial bits of A and B leaves a system of quadratic equations to solve in n + r variables. The complexity of �ω solving this revised system is then 2l+m n+r and the amount of keystream required is around max 2 (2n, r). The clock controls are contributions to keystream. The complexity of recovering the internal state of this set up involves solving quadratic equations as opposed to solving linear equations in the Gollman cascade. For example, for l = m = n = r = 64, the complexity of recovering the initial state of this system is 2167 compared with 2147 , for the Gollmann cipher’s initial state.
3.7 Pomaranch This section provides an algebraic analysis of version 3 of Pomaranch [126, 128, 129], an eSTREAM stream cipher candidate. A description of the cipher will be given first. Here we mainly discuss the context of the 128-bit version of Pomaranch, but the analysis also holds for the 80-bit version. Although only the 80-bit version of Pomaranch is officially in phase 2, the 128-bit version will also be included since there are doubts about the security of 80-bit ciphers, as discussed in the eSTREAM project. Earlier versions of Pomaranch have been cryptanalysed in [85, 117, 125, 137], but as of the beginning of phase 2 of the eSTREAM stream cipher project, version 3 of Pomaranch has been published to address weaknesses found in the above papers. This section is the first to analyse version 3 of the cipher.
3.7.1 Pomaranch Description The overall structure of Pomaranch is shown in Figure 3.8. Pomaranch is a clock-controlled cascade generator consisting of 9 jump registers R1 , R2 , . . . , R9 . The jump registers are implemented as autonomous Linear Finite State Machines (LFSM), each containing 18 memory cells, and each cell contains a bit value. Each cell in a jump register behaves as a shift cell or a feedback cell. At each clock, a shift cell simply shifts its state to the next cell, whereas a feedback cell feeds its state back to itself and adds it to the state from the previous cell, as well as performing a normal shift like a shift cell. The behaviour of each cell depends on the value of a Jump Control (JC) signal to the jump register where the cell belongs. Algebraically, a transition matrix A governs the behaviour of an LFSM. The transition matrices of the jump registers in Pomaranch take the form
d18
1 0 A= 0 . . . 0
0
0
...
0
1
d17
0
1
d16 .. . .. .
... .. . .. .
0 .. . 0
t17 .. . .. .
1 0
d2 1
t2 d 1 + t1
0 .. . 0
...
,
where ti determines the positions of the feedback taps, and di determines whether the cells are shift cells or feedback cells. At any moment, half of the cells in the registers behave as shift cells, and the
3.7. Pomaranch
61
other half as feedback cells, so half the di are 0 and the other half are 1. If JC = 0 for a certain register, the register is clocked according to its transition matrix A. If JC = 1, all cells are switched to the opposite behaviour. This is equivalent to switching the transition matrix to A + I, where I is the identity matrix. Two different transition matrices A1 , A2 are used for odd (type 1) and even (type 2) numbered registers respectively, with different values of ti , di . Each jump register is then connected to a key map, which consists of an s-box and a nonlinear filter. Key bits are diffused into the key map and a one-bit output is drawn. The jump control of a register is then taken as the sum of all outputs from the key maps from all previous registers. The keystream output is given by the sum of the contents of the 17th cells of all registers.
Figure 3.8: Pomaranch Version 3 The 128-bit key k of Pomaranch is divided into eight 16-bit subkeys K 1 to K8 , where Ki represents the key bits ki,1 , ki,2 , . . . , ki,16 . Each section of Pomaranch except the last contains a jump register of length 18 and a nonlinear function composed of an s-box and a degree 4 Boolean function f . The last section of Pomaranch has a jump register. The key map at section i first takes a 9-bit vector v from cells numbered 1, 2, 4, 5, 6, 7, 9, 10, 11 from jump registers of type 1 or 1, 2, 3, 4, 5, 7, 9, 10, 11 from jump registers of type 2. Then the 9 least significant bits of Ki are added to v. The sum is passed through a 9-to-7-bit inversion s-box over GF(29 ) defined by the primitive polynomial x9 + x + 1. The resulting 7 bits are then added to the 7 most significant bits of Ki . This is fed into the Boolean function f of degree 4, and the output of f is called the jump control out bit of the section and is denoted as c i . The ci from each section is used to produce the jump control bits JC2 to JC9 controlling the registers R2 to R9 at time t respectively, as follows. JCit =
i−1 X j=2
ctj ,
2 ≤ i ≤ 9.
The jump control bit JC1 of register R1 is permanently set to zero.
62
Chapter 3. Keystream Generators using Stop-and-Go Clocking
3.7.2 Algebraic Analysis of Pomaranch In this section an algebraic analysis of Pomaranch is provided. From the description of the way that the cipher is clocked, each register can be represented as Rt = (A + JC t · I)Rt−1 ,
(3.33)
where Rt is the state of a register at time t, A is its transition matrix, JC t is its jump control, and I is the identity matrix. The keystream is given by zt =
9 X
t , ri,17
(3.34)
i=1
t where ri,17 is the 17-th cell of the register i at time t. In the 80-bit version employing only 6 sections, the keystream is given by t t t t z t = g(r1,17 , r2,17 , . . . , r5,17 ) + r6,17 ,
(3.35)
where g is a nonlinear filter of degree 3. In order to understand how the key is related to the output and what the relations among different subkey bits are, we analyse what happens in the first section containing R1 as the key bits are mixed in a nonlinear manner, and how the key bits are carried across into the second section. Similar analysis follows for the remaining sections. Let the i-th bit of R1 at time t be ri for 1 ≤ i ≤ 18. Nine selected bits rj are added to k1 , k2 , . . . , k9 respectively, according to the register type. These are then fed into the key map that consists of an s-box and a Boolean function f of degree 4. Firstly, the bits pass through an inversion s-box over GF(2 9 ). Let the input to the s-box be a1 , a2 , . . . , a9 , then we have ai = rj + ki for 1 ≤ i ≤ 9. Let the output from the s-box be b1 , b2 , . . . , b9 . Each bi can be represented by equations in ai . An explicit function of each bi in terms of ai will be of high degree, in our case it is of degree 9, i.e. bi =
X
e∈GF(2)9
se
9 Y
i=0
aei i
!
,
1 ≤ i ≤ 7,
where se are coefficients in GF(2). One can also form implicit relations between the inputs and outputs of the s-boxes of degree 2, as was shown in [64]. The relations for this s-box are presented in Appendix A. From the truth table of the s-box shown in [128], it can be seen that the seven output bits b2 , b3 , . . . , b8 are used for the next component, discarding b1 , b9 . Those output bits from the s-box are then added to the next 7 key bits and the result bi + k8+i for 2 ≤ i ≤ 8 is filtered through f , a
degree 4 function. The algebraic normal form (ANF) of f has been computed as shown in Appendix A. Assuming that the explicit functions for the s-box and the ANF of the filter is taken, then the output
c1 from the filter function will be an expression of degree 13 in 16 key bits. This expression is then fed into the next register R2 as JC2 , and also added to the output c2 from R2 to be fed into R3 as JC3 , and so forth. From the analysis above, a degree 13 equation in 16 key bits is generated from the first section, which becomes an input in the second section. As JC2 is fed forward into R2 , the high degree expression and variables from the first section are carried across the second section. The key map of the second section will mix the next 16-bit subkey K2 into the expression, raising the degree by 13 to
3.7. Pomaranch
63
26 and the number of variables by 16 to 32. This accumulation continues to carry across to R 3 and beyond. The following expression describes the number of possible monomials each JC i possesses at first clock MJCi = max
� 13i � X 16i
j=0
j
, 2128
,
1 ≤ i ≤ 9.
(3.36)
By the end of the first clock, equations of degree 104 in 128 variables will be obtained. This degree accumulation does not carry over to the next clock, since JC1 is set to be constantly 0. Therefore, in order to perform an algebraic attack in this manner, at least 128 bits of keystream is needed, giving us 128 equations of degree 104. Generating such equations is time and memory consuming and the effort needed in solving them is likely to be much more than that of exhaustive key search. Overcoming the Problem of the Degree Accumulation There are three main components in each section of Pomaranch, namely a jump register, an s-box, and a nonlinear filter. The outputs of each component are nonlinear in its inputs, and the expressions describing the outputs will have a higher degree than those of the inputs. Since each output is fed into the next component, the degree of the expressions accumulates. To prevent this degree accumulation, t new variables are introduced so that the nonlinearities are not carried across the components. Let r i,m t be the m-th bit of register Ri at time t, bi,m be the output bits of the s-box at the i-th section at time t,
JCit be the jump control input to Ri at time t, and ki,m be the key bits used in the i-th section. One can successively introduce the above variables by stepping through the keystream generation. At the start, there are 128 variables ki,m whose values are to be determined. The plan of the attack is to go through each component and try to discover equations that relate to k i,m . At time t, the attacker proceeds as follows. The relations between the jump controls and the registers are
Rt,i =
A Rt 1 i−1
t t JCi−1 I)Ri−1
(A2 + (A + JC t I)Rt 1 i−1 i−1
i=1 i ∈ {2, 4, 6, 8} . i ∈ {3, 5, 7, 9}
The first register will always contain known bits, since it is not under the effect of jump controls. Hence, there are 8 registers with 18 variables each to introduce in each clock. Each new R it is a function of t Ri−1 . This yields 144 quadratic equations in 144 variables. The s-box is defined by inversion over
GF(29 ), which means that the relations between its input and output bits can be expressed as a system of 9 quadratic equations. The inputs are linear sums of certain register bits and key bits, resulting in the following equations t t s0 (ri,1 + ki,1 , . . . , ri,11 + ki,9 , bti,1 , . . . , bti,9 ) = 1 t t sj (ri,1 + ki,1 , . . . , ri,11 + ki,9 , bti,1 , . . . , bti,9 ) = 0,
1 ≤ j ≤ 8.
In each clock there are 8 s-boxes, which yield 72 quadratic equations and 72 new variables b ti,m . Let cti be the jump control output from the nonlinear filter f of the i-th section at time t. Then cti = f (bti,2 + ki,10 , bti,2 + ki,11 , . . . , bti,8 + ki,16 )
(3.37)
Chapter 3. Keystream Generators using Stop-and-Go Clocking
64
giving a degree 4 equation. The jump control input to the next register is then t JCi+1 = JCit + cti .
There is no need to assign new variables to cti . Therefore, a degree 4 equation with the new variable t JCi+1 is obtained. Since there are 8 filters in one clock, 8 equations and 8 variables are formed. Finally, at the end of each clock the keystream bit is formed as follows
zt =
9 X
t ri,17 .
i=0
The above equation can be used to be rewritten as, for example, t r9,17 = zt +
8 X
t ri,17 ,
i=0
and r9,17 can be replaced with the above expression, thereby eliminating a variable at each clock. As a whole, 224 equations and 223 new variables at each clock are obtained, plus the original 128 variables which represent the key bits. In order to obtain a unique solution, at least 128 bits of keystream are required, giving 28672 equations in 28672 variables. Of these equations, 1024 are of degree four and 27648 are quadratic. In the case of the 80-bit version, we have t t t t z t = g(r1,17 , r2,17 , . . . , r5,17 ) + r6,17 ,
which can be rewritten as t t t t r6,17 = g(r1,17 , r2,17 , . . . , r5,17 ),
where g is the cubic nonlinear filter. This contributes a cubic equation to the system. We then obtain 140 equations and 139 new variables at each clock, plus the original 80 variables which represent the key bits. In order to obtain a unique solution, we would require at least 80 bits of keystream, giving 11200 equations in 11200 variables. Of these equations, 400 are of degree four, 80 are cubic and 10800 are quadratic. In order to solve the set of equations, techniques such as Gr¨obner bases methods can be used, since there are not enough equations for linearisation. With the addition of field equations into the system, there are twice as many equations as variables. The sparse structure of the equations may also give rise to complexity reductions in solving the system by the XL and related algorithms. This would reduce the complexity of finding the solution significantly from O(22v ) for random systems, where v is the number of equations. See for example [57, 66, 197] for analysis and details of implementing these algorithms. All key bits can be recovered when the solution to this set of equations is found. While there is yet no evidence for or against whether this type of attack would be better than exhaustive key search, the size and the form of the equations generated can be used intuitively to judge the cipher’s strength. Algebraic attacks are still a widely discussed and controversial topic in the cryptographic community, so its consequences should not be overlooked. It is noted here that the designers of Pomaranch have increased the size of the registers from 14 to 18. This increase has no effect on the size or the degree of the final equations. In fact, the degrees of the
3.8. Summary
65
equations are independent of the size of the registers. They are affected by the nonlinear clock control mechanism and nonlinear components. Algebraic Analysis of the Filter Function A cubic annihilator yf of the degree four filter f such that f yf = 0 and cubic polynomials ef,1 , ef,2 , ef,3 such that hf,i = f ef,i are cubic for all ei have been found using Algorithm 2.2. These are shown in Appendix A. This shows a potential weakness in the filter function f . However, in terms of our algebraic attack these multipliers are not useful, because of the newly introduced variables. Apply a cubic multiplier e to (3.37), to obtain cti e = f e, which is still of degree 4, due to the presence of cti . To successfully reduce the degree of our equations, one needs to find annihilators or low degree multiples of f + cti , which we have not been able to do. For the 80-bit version of Pomaranch, quadratic annihilator yg of the cubic filter g such that gyg = 0 and quadratic polynomials eg,1 , eg,2 such that hg,i = geg,i are cubic for all eg,i have also been found. These are shown in Appendix A. Again, there could be weaknesses in the filter function g. However, t our algebraic attack cannot make use of this since annihilators or low degree multiples of g + r 6,17 are needed in order to reduce the equations describing the cipher.
We leave as an open question other possible uses of these results. However, we believe that the filter functions f, g should be changed so that no annihilators or low degree multiples exist for f, g. This would resist possible future attacks based on algebraic techniques.
3.8 Summary In this chapter, an algebraic method of attacking clock-controlled stream ciphers which use stop-and-go clocking is presented and a theorem for generating equations for such ciphers is given. This theorem was applied to a broad range of stop-and-go clocked ciphers in determining their levels of security. The effectiveness of algebraic attacks on the strengthened stop-and-go, alternating step generators, Gollmann cascade and the eSTREAM candidate Pomaranch have been demonstrated. For the Beth-Piper Stop-and-Go Generator — Strengthened Version, the initial state was obtained with an algebraic attack significantly better than the other known attack. For the alternating and the Gollmann cascade ciphers, our attack complexity is not far from the best known attacks. For the Gollmann cascade it was also shown that the effect of the clock control on algebraic attacks is that the degree of the equations generated increases with each clock. An alternative attack on the cascade was developed to eliminate the effect of this degree accumulation, resulting in a large sparse low degree polynomial system, which can be generated and solved more efficiently using algorithms such as Faugere’s F 5 and XL and its variants. Furthermore, an alternative attack on the alternating step generator which is the best known attack on such a cipher so far in terms of running time complexity was given. Our algebraic analysis on Pomaranch further showed that a cipher with nonlinear components could be expressed as a system of equations with maximum degree no higher than the maximum degree of the components. In this case, a system of equations of maximum degree four that describes the full
66
Chapter 3. Keystream Generators using Stop-and-Go Clocking
cipher is derived. In the analysis, it was shown how to generate degree four equations in the key bits and other component bits of the system. The bottleneck to reducing this degree further is due to the filter function of degree four. The input and output sizes of the components determine the number of new variables to be introduced and therefore the size of the system of equations needed to describe the cipher. It was observed that increasing the size of the jump registers has no effect on increasing the degree of the equations, and hence no effect on the complexity of algebraic attacks. Finally, annihilators and low degree multiples of both the filter function in the keymap and the filter function for the keystream contributions in the 80-bit version of Pomaranch have been found, which indicates an apparent weakness in the cipher.
Chapter 4
Keystream Generators using (p, q) Clocking
4.1 Introduction In the literature, the traditional notation for the keystream generators discussed in this chapter is (d, k) clocking. However, for algebraic attacks d is commonly used for the degree of the equations and for stream ciphers k is often used to represent the secret key. Therefore, in this chapter we use the notation (p, q). In this chapter, algebraic attacks are applied to two keystream generators using (p, q) clocking. Keystream generators using (p, q) clocking were proposed to provide resistance against attacks on stopgo clocked registers, that utilizes the repetition of the clock- controlled register output in the keystream. Keystream generators using (p, q) include the step1/step2 keystream generator proposed by Gollmann and Chambers [111] and the self-decimated generator proposed by Rueppel [171]. In (p, q) clocking, the controlled register/registers are clocked at least p times and at most q times. In order to mount algebraic attacks on such ciphers, valid relationships must be found between the internal states of the ciphers and the outputs. Equation 3.1 of Section 3.2 in Chapter 3 can be modified to achieve this. Given registers A and B, where B is clocked j times by the output of A, the internal state of register B can be represented as a function of the internal state values of both registers A and B, in order to incorporate the controlling mechanism in used. Thus at time t, the contents of stage u can be represented as t−1 t−1 But = But−1 (At−1 ⊕ 1) ⊕ Bu−j Ai . i
(4.1)
Of course, this applies if (u − j) > 0 as otherwise, the feedback polynomial for register B must be used in forming the equation. Modifications can also be made to take into consideration the use of several bits of A to determine the clocking of B and in cases where more than one register is used in determining the clocking of other registers. 67
Chapter 4. Keystream Generators using (p, q) Clocking
68
In this chapter, algebraic attacks are applied to the step1/step2 generator and self-decimated generator with the aim of recovering the internal state bits. The attack algorithms proposed in this chapter are based on Algorithm 2.1. Algebraic attacks on the step1/step2 generators and the self-decimated generator are given in Sections 4.2 and 4.3 respectively. An alternative attack on step1/step2 generator is given in Section 4.2.5. Finally, Section 4.4 summarizes the work presented in this chapter.
4.2 Step1/Step2 Generator 4.2.1 Description Gollmann and Chambers proposed the Step1/Step2 generator in [111]. As shown in Figure 4.1, the generator consists of two LFSRs, A and B, which are of the same length. A controls the shifting of B in the following way. If the output of A is 0, then B is clocked once and if the output of A is 1, B is clocked twice before producing the keystream bits. Note that if A outputs 1, it must wait for B to clock twice and hence does not regularly clock. The output z t of the system is the output of B.
LFSR A
0 : clock 1 time 1 : Clock 2 times
LFSR B
l
Output
m
Figure 4.1: The Step1/Step2 Generator
4.2.2 Algebraic Attack on the Step1/Step2 Generator In this section an algebraic attack on the step1/step2 generator is outlined. Using the general equation, 3.1 of Section 3.2 of Chapter 3, each stage Bi for 2 < i < m is replaced by the following expression: t−1 t−1 t−1 Bit = Bi−1 (At−1 ⊕ 1) ⊕ Bi−2 Al l
(4.2)
t−1 t−1 Al . B2t = B1t−1 (At−1 ⊕ 1) ⊕ Fm l
(4.3)
B2 is given by
and the right-most position is given by t−1 t−1 (At−1 ⊕ 1) ⊕ Fm−1 At−1 B1t = Fm l l
(4.4)
where Fjt−1 applies the feedback polynomial from the j th position at time t − 1. Since A controls the clocking of B, the maximum degree an equation can have is l + 1 and the number of monomials M = m(2l − 1) + 1. The output is given by t−1 t−1 t−1 t z t = Bm = Bm−1 At−1 ⊕ Bm−1 ⊕ Bm−2 At−1 . l l
(4.5)
t t t Adding two consecutive output bits z t = Bm and z t+1 = Bm−1 (Atl ⊕ 1) ⊕ Bm−2 Atl gives t t t t zt ⊕ zt+1 = (Bm−1 ⊕ Bm−2 )Atl ⊕ Bm−1 ⊕ Bm .
(4.6)
4.2. Step1/Step2 Generator
69
Multiplying through by Atl ⊕ 1 produces t (Atl ⊕ 1)(z t ⊕ z t+1 ) = (Atl ⊕ 1)(Bm−1 ⊕ z t ).
(4.7)
Thus a linear multiple of the complex component in B reduces to a low degree function as shown on the left hand side of Equation 4.7. Register A bits can now be guessed and the resulting system in B with complexity 2l m3 is then solved, using the linearization method given by Algorithm 2.3.
4.2.3 Experimental Results Experimental simulations were conducted implementing the presented algebraic attack on the step1/step2 generator. The aim is to recover the initial state bits of the cipher. Experiments were performed for three different register lengths: l = m = 8, 10 and 12. Twenty trials were conducted for l = 8, 10 while only five trials for l = m = 12. In each trial, the following procedure was used. For registers A and B, random initial states were generated, then a segment of the keystream sequence was produced. The length of the keystream segment used varied, as shown in Table 4.1. A system of equations of degree l + 1 in l + m variables was then generated using equation (4.7). Finally, the F 4 algorithm of the Gr¨obner bases methods was used to solve the formed system of equations, and provided a unique solution for the initial states of registers A and B. Once the initial state are recovered, a segments of keystream was generated and compared with the observed keystream. The minimum keystream required for the attack is l + m. l, m 8 bit 8 bit 8 bit 10 bit 10 bit 10 bit 12 bit 12 bit
Number of variables 16 20 24 20 20 20 24 24
Keystream used 16 bit 20 bit 24 bit 20 bit 24 bit 28 bit 24 bit 28 bit
Equations Degree 9 9 9 11 11 11 13 13
Time to generate equations 13 s 14 s 23 s 936 s 1255 s 2327 s 153699 s 109778 s
Time to find solution 3s 2.7 s 2.4 s 89 s 107 s 112 s 5958 s 8742 s
Table 4.1: Algebraic attack times for step1/step2 generator It is shown in Table 4.1 that the initial states can be recovered with the minimum required keystream. For instance, for l = m = 12, the initial state can be recovered using the F 4 algorithm in around 89 seconds using only 20 bits of keystream. If instead the linearization approach of Algorithm 2.3 was used, the amount of keystream required would be about 2 19.5 with an attack complexity of 258.7 for ω = 3. Based on our timing assumption, this would take around 2 43 seconds. This indicates that though the complexity of the F 4 algorithm still remains unknown, it is more efficient (at least for shorter register lengths) than the linearization approach (which might have to do with the types of equations generated from our ciphers).
70
Chapter 4. Keystream Generators using (p, q) Clocking
4.2.4 Comparison with Previous Cryptanalysis There have been three substantial attacks on this generator. The first was the embedding correlation attack [205] in 1991 by Zivkovic which considers the general situation of a regularly clocked keystream generator A (not necessarily an LFSR) which controls the clocking of an irregularly clocked B. (This situation therefore also applies to the basic stop-and-go generator). Zivkovic presented an algorithm which is effective provided the length of register B does not exceed 30 bits. The aim of the algorithm is to reconstruct the initial state of LFSR A. A system of linear equations is pre-computed using embedding of subvectors into the vector of a known string of output bits. Once acquired, the system of equations can be solved using Gaussian elimination. The most complex procedure however, is the precomputation, which is of order 2m m where m is the size of register B. With current computational capacity, the register size of B can probably be increased to 45 bits and still make the attack effective. The second attack on the step1/step2 generator is due to Zenner [201] in 2002. He applies linear consistency tests to the cryptanalysis of clock-controlled bit stream generators using a technique of guessing the clock control resulting in a search tree. The method is applied on a number of clock-controlled generators including the step1/step2. In this case, the complexity is of order (l + m)3 2(l+m)/2 . The third attack, by Molland [159] in 2004, uses the controlling register A to generate a clock control sequence whose bits are then guessed and used to reconstruct the bits of B. These bits are then compared with actual output bits for consistency. Once a correct guess is achieved, a Gaussian algorithm for a linear system can be applied. The precomputation component comprises finding low weight multiples which has complexity O(l w−1 ) where w ≥ 10. The comparison testing and equation solving form the solution computation with complexity of order (l + m) 3 . Table 4.2 presents a summary of the requirements both for our attack and others giving the minimum
keystream required, precomputation complexity where applicable, solution complexity, and the total attack complexity (which is the combination of precomputation and solution complexities). Where there is essentially no precomputation (reusable) work, this spot is left blank. The values of the keystream and the total complexity for register sizes 64 will also be given. Table 4.2 gives separate rows for complexities derived using linear algebra methods and respectively Gr¨obner bases methods.
Embedding corr’n attack [205] Clock control guessing attack [201] Improved LCT attack [159] Our attack Gaussian Our attack Gr¨obner
Minimum required MK
MK l=m = 64
Precomputation complexity
Solution complexity
Total attack TC
TC l=m = 64
5m
28
2m m
up to m3
> 2m 5m
272
l+m
27
—
O((l + m)3 2(l+m)/2 )
O((l + m)3 2(l+m)/2 )
284
3l/2
27
> O(l9 )
O(2l )
O(2l )
264
l
27
—
2 l m3
2 l m3
282
l+m
27
O(2l )
Gr
Gr
Gr
4.2. Step1/Step2 Generator
Attack
Table 4.2: Best known attacks on Step1/Step2 Generator
71
72
Chapter 4. Keystream Generators using (p, q) Clocking
In Table 4.2, the precomputation complexity shown in the last line is derived from polynomial multiplication. The entry Gr indicates that complexity of the work using a Gr¨obner bases method is generally unknown. Empirical data are provided derived from using the Gr¨obner bases method as shown in Table 4.1. It can be seen from Table 4.2 that for l = m = 64, our attack has the same keystream requirements as most other attacks in the table (only 27 bits) while the embedding correlation attack requires 28 bits. In addition, our attack and the clock control guessing attacks have no precomputation complexity, unlike the other attacks. While the embedding correlation attack has the lowest solution complexity, it is overall attack complexity is greater than that of the improved LCT attack. From the table, one can also see that our attacks outperform the clock control guessing attack using the Gaussian elimination method, but the attack complexity of our attack based on the Gr¨obner bases method still remains unknown. However, the experimental results provide a better understanding of the complexity of our attack based on the Gr¨obner bases method. Once again, it is very difficult to make a theoretical comparison between an attack of unknown complexity with those of known complexity outlined in Table 4.2 (unless one implements all of the other attacks, which is not the scope of this thesis), we will assume that generally, 2 14 operations can be performed in 1 second using Magma 2.11 on the SGI Origin 3000 using CPU at 600 MHz. Note that, we also assume each operation in all of the attack takes the same amount of time, which might not actually be the case in reality. If we were to compare our algebraic attack using the F 4 algorithm for recovering the internal state with the embedding correlation correlation attack for l = m = 10, then the amount of keystream required would be 50 bits, which is more than ours. However, the overall attack complexity will be 215.6 which can be completed in around 2 seconds. Furthermore, the clock control guessing attack would require 20 keystream bits with an overall attack complexity of 2 22.9 which can be completed in 256 seconds. Finally, the improved linear consistency test attack would require approximately 15 bits with an attack complexity of approximately 210 which can be performed in less than a second.
4.2.5 Alternative Algebraic Attack on the Step1/Step2 Generator As an alternative approach to the attack outlined in Section 4.2.2, the step1/step2 generator can be attacked using the same method applied to the alternating step generator presented in Section 3.4.6 of Chapter 3. Recall that this alternative algebraic attack takes the following approach. Given a clockcontrolled generator, where one LFSR, A, is controlling another LFSR in the system, the attacker targets the controlled LFSR separately and avoids guessing the clock control components by taking a regular decimation of the keystream. In the case of the step1/step2 generator, register A controls the clocking of register B. Let ∆b denote the number of times B is advanced for one period of A. Using the same technique presented in [73], one can compute exactly how many times B is advanced for one period of A. Hence, one can see that register B will be clocked for every period of A exactly ∆b = 1 ∗ 2l−1 − 1 + 2 ∗ 2l−1 times. The attacker forms an equation from B in every ∆b clocks, then solves the linear system of equations. This approach was presented in [65] for attacking LILI-128. Using this approach, an attack with a very low computational complexity can be mounted. However, the keystream required is greatly increased as one linear equation is obtained for every period of A. This attack approach is much better than the algebraic attack presented in Section 4.2.2 in terms of
4.3. Self-Decimated Generator
73
runtime complexity, but requires many more keystream bits.
4.3 Self-Decimated Generator 4.3.1 Description The (p, q) self-decimated generator, proposed by Rueppel [171] and shown in Figure 4.2, consists of a single LFSR A which controls its own clocking on the principle that if the output is 0, then A clocks d times before producing new output, and if the output is 1, A clocks k times before doing so. 0 : Clock d times
LFSR A
Output
1: Clock k times l
Figure 4.2: The Self-Decimated Generator It is shown in [171] that a (p, q) self-decimated generator is theoretically equivalent to a (1, q) selfdecimated generator in combination with a generator regularly clocked in intervals of length p. In [45], it was pointed out that if p and q are at most 3, the generator might be subject to a correlation attack, although no such attack has been reported in the open literature to date.
4.3.2 Algebraic Attack on the Self-Decimated Generator In this section, an algebraic attack on a (1, 4) self-decimated generator is presented. However, the situation can be generalized fully to the (p, q) case. For LFSR A of length l, the state update function can be represented as 4.8
Ati
� t−1 t−1 = At−1 ⊕ 1 ⊕ At−1 , 5≤i≤l i−1 Al i−4 Al
(4.8)
The generator will produce equations of maximum degree l + 1 where l is the length of the underlying LFSR, and the number of monomials occurring in the system of equations is therefore equal to M = 2l − 1. Thus the maximum attack complexity is M 3 , using the linearization methods of [65].
Theorem (3.1) from Chapter 3 can also be applied here, and in this case, the output of the generator
at time t is given by z t t−1 t−1 z t = Atl = At−1 + 1) ⊕ At−1 . l−1 (Al l−4 Al
(4.9)
This can be rewritten as t−1 t−1 z t = At−1 ⊕ At−1 ⊕ At−1 l−1 z l−4 z l−1 .
(4.10)
When z t−1 = 1, we know that Atl−4 = z t and when z t−1 = 0, then Atl−1 = z t . Thus the knowledge of two consecutive keystream bits gives us a linear equation in the bits of A. Based on this observation, an algebraic attack on the self-decimated generator can be conducted using Algorithm 2.1 as follows. Form a system of equations using Equation 4.10. Collect at least l of them. Now substitute
Chapter 4. Keystream Generators using (p, q) Clocking
74
the known keystream bits into the formed system of equations to give a system of equations in terms of the initial state of A. Solve the system of equations to recover the bits of A. Table 4.3 records the complexity of this algebraic attack on the self-decimated generator. Table 4.3, shows that O(l) keystream bits is sufficient to get a system of linear equations solvable for the initial state. Table 4.3 also presents for our attack the minimum keystream required, precomputation complexity, solution complexity, and the total attack complexity which is the combination of precomputation and solution complexities. Values of the keystream and the total complexity for a register of length 128 are also be given.
Attack
Minimum keystream required MK
MK l = 128
Precomputation complexity
Solution complexity
Total attack complexity TC
TC l = 128
Algebraic attack
O(l)
27
O(1)
O(l3 )
O(l3 )
221
Table 4.3: Algebraic attack on the Self-Decimated Generator
4.3.3 Experimental Results Experimental simulations were conducted implementing the algebraic attack on the (1, 4) self decimated generator. The aim of the attack is to recover the initial state bits of the cipher. Experiments were performed for three different register lengths: l = 128, 256 and 512. One hundred and fifty trials were conducted for each length. In each trial, the following procedure is used. For register A, a random initial state was generated, then a segment of the keystream sequence is produced. The length of the keystream segment used varied as shown in Table 4.4 but was less than twice the register length. From equation (4.10) linear equations with l variables for the keystream in terms of the initial state bits of register A were obtained, in constant time. Given l linearly independent equations, the Gr¨obner bases method was used to solve the resulting system of equations. In practice, more than l equations are needed to yield a linear system of full rank. Equations can be generated in linear time and the system can be solved in O(l 3 ). Once the initial state bits are recovered, a segment of keystream was generated and compared with the observed keystream. If this matched the original keystream, the attack was considered a success. It can be seen from Table 4.4 that the self-decimated generator can be broken in polynomial time, and for standard register lengths, the initial state of the generator can be found efficiently using keystream of order l. It can be seen from Table 4.4 that the self-decimated generator with an LFSR of length 128 can be broken in 0.07 seconds using about 160 bits of keystream. Similarly, our algebraic attack can recover the initial state of the self-decimated generator of 512 bits register length in 3 second using 640 keystream bits. From the experiments, it is clear that the (1, 4) self-decimated keystream generator is not secure.
4.4. Summary
75
l 128 bit 256 bit 512 bit
Number of variables 128 256 512
Keystream used 160 bit 384 bit 640 bit
Time to generate equations 6s 71 s 182 s
Time to find solution 0.07 s 0.6 s 3s
Table 4.4: Algebraic attack times for Self-Decimated Generator
4.3.4 Strengthening the (p, q) Self-Decimated Generator Rueppel [172] notes that since this generator outputs directly bits of A, this reveals information about A and so could be weak. He suggests the possibility of out-putting a linear combination of bits of A. The situation where a polynomial P in bits Ai of A is added to the output will yield: z t+1 = P (Ati ) ⊕ Atl−1 z t ⊕ Atl−4 z t ⊕ Atl−1 . If P is linear, the system is subject to attack with the same complexity as the original system. As the degree of P increases, so does the complexity.
4.4 Summary In this chapter algebraic attacks on keystream generators using (p, q) clocking were presented. The attacks were applied to two well known examples of such structures; the step1/step2 and the selfdecimated generators. Effective algebraic attacks on both the self-decimated and the step1/step2 generators has been presented. For the self-decimated generator, the initial state bits are obtained significantly better than any other known attack. For the step1/step2 generator, our attack is not far from the best known attack. In addition, an alternative algebraic attack on the step1/step2 generator have been presented. The attack requires a large amount of keystream with a complexity of solving linear equations in register B. This attack is the best known attack on the cipher in terms of running time complexity.
76
Chapter 4. Keystream Generators using (p, q) Clocking
Chapter 5
Keystream Generators using Mutual Clock Control
5.1 Introduction In previous chapters, an algebraic analysis of the basic stop-and-go and the (p, q) clocking generators was given. This chapter looks at a more complex clocking mechanism, that is, keystream generators using mutual clock control. This chapter provides an analysis of mutually clock-controlled feedback shift register (FSR)-based stream ciphers. This includes examining the resistance of a number of wellknown examples of mutually clock-controlled keystream generators. These are the bilateral stop and go generator, A5/1, Alpha 1 and the MICKEY generators. In such generators, the ciphers’ registers mutually clock each other. From this it is shown that there do exist stream cipher structure that appear to be highly resistant to algebraic attacks. However, some of these fall to common attacks on LFSR based stream ciphers such as correlation and fast correlation attacks. Firstly, a generic way of obtaining relationships between the internal bits and the outputs that takes into account the controlling mechanism and apply to every output is obtained. This can be applied to mutually clock-controlled ciphers. It will be shown that these ciphers generate very high degree equations that are infeasible to solve. In Chapter 2 several previously proposed methods for reducing the degree of equations by finding multipliers algorithmically were discussed. At present, none of these methods guarantee an efficient determination of a low degree multiple for very large systems of equations of high degree such as those produced by irregular clocking ciphers. Guessing some initial state bits in order to reduce the number of monomials generated is a method that has been used to successfully attack some ciphers. The feasibility of applying this approach on each of the ciphers will also be tested. It will be shown that low degree multiples do exist for these ciphers, however, the degree of these multiples increases with time. In addition, it will be shown that for the MICKEY stream ciphers,
77
Chapter 5. Keystream Generators using Mutual Clock Control
78
there always exist annihilators that will reduce the degree of the equations. In fact, these annihilators significantly reduce the number of monomials to be recovered. Moreover, equations exhibiting some pattern are obtained for all versions of the MICKEY cipher. More interestingly, the same sets of annihilators can be found independently of the position in the register controlling bits. Finally, it will be shown that the problem of recovering the internal state of these ciphers can be transformed into a problem of solving quadratic equations in a large number of unknowns. In Section 5.2, a method for generating equations from mutually clock- controlled stream ciphers along with a definition of mutually clock-controlled feedback shift register is given. In addition, a number of theoretical results are given. Sections 5.3, 5.4, 5.5 and 5.6 respectively present an analysis of the four ciphers bilateral stop-and-go [200], A5/1 [37], Alpha 1 [139] and the MICKEY family [17–19]. Section 5.7 presents an alternative approach for recovering the internal state of the above ciphers. The summary of the work is given in Section 5.8.
5.2 Equation Generation for Mutually Clock-Controlled Keystream Generators Mutually clock control keystream generators use a complex clocking mechanism. Mutually clock control keystream generators can mutually control the clocking of its registers in a stop-and-go or in a (p, q) clocking manner. For simplicity, the case of two registers will be examined where they mutually clock control each other in a stop-and-go manner. In irregularly clocked stream ciphers, one cannot tell from the keystream which registers clocked and which did not. However, knowledge of the architecture of the system permits us to write equations incorporating the clocking. Generally, the more complex is the clocking mechanism, the more complex are the resulting equations from the cipher (high degree, large number of monomials). Mutually clocking registers is one way of adding complexity. This means that (at least) two registers depend on bits of at least two registers in the cipher for their clocking determination. The bilateral-stop-and-go generator, A51 and Alpha 1 are examples whereas MICKEY is an example of a (p, q) mutual clocking. Definition 5.1 A Mutually Clock-Controlled FSR-based stream cipher (MCFSR) is a stream cipher consisting of two or more FSRs where the clocking of more than one of the FSRs is determined by bits from more than one FSR in the system. Assume that there is a MCFSR with two registers, A and B, of size l and m respectively. The clocking of each register depends on bits from both registers. This dependence can be expressed by a function g(xi , yi ) of bits xi from A and yi from B. The function g maps to binary pairs indicating whether or not the corresponding register clocks, as indicated in Table 5.1. It is usually not practicable to allow the situation in which neither A nor B clocks, so this situation is often changed to both registers clocking. Any permutation of the above list, can of course, also be chosen. Based on Table 5.1, one can easily incorporate the clocking mechanism into the internal state of each register. Letting x represent the first bit of g and y the second, the effect of the clocking mechanism
5.2. Equation Generation for Mutually Clock-Controlled Keystream Generators
g(xi , yi ) 0 0 0 1 1 0 1 1
79
Register to be clocked A and B B not A A not B A and B
Table 5.1: Description of clocking on the internal state of registers A and B at time t can be described as follows: Ati
Bit
� t−1 � = At−1 (x ⊕ 1)(y t−1 ⊕ 1) ⊕ xt−1 (y t−1 ⊕ 1) ⊕ xt−1 y t−1 ⊕ 1 i � t−1 � ⊕At−1 ⊕ 1)(y t−1 ⊕ 1) ⊕ xt−1 (y t−1 ⊕ 1) ⊕ xt−1 y t−1 i−1 (x
(5.1)
� � = Bit (xt−1 ⊕ 1)(y t−1 ⊕ 1) ⊕ (xt−1 ⊕ 1)y t−1 ⊕ xt−1 y t−1 ⊕ 1 � t−1 � t (x ⊕ 1)(y t−1 ⊕ 1) ⊕ (xt−1 ⊕ 1)y t−1 ⊕ xt−1 y t−1 ⊕Bi−1
(5.2)
Despite the fact that the clocking mechanism used is very simple, the function describing the clocking of each register is nonlinear with degree increasing quickly as time t increases. The following theorem and its corollaries describe the strengths of this situation. For simplicity, we will reduce this to the case of two registers. Theorem 5.1 The standard algebraic attack on MCFSR with two registers ! of size l and m will generate l+m P l+m equations of degree equal to l + m and a maximum of j j=1 monomials. Proof: Label the bits of register 1 A, xi and the bits of register 2 B, yi . Assume that the clocking of Ri can be described by a nonlinear function fi of degree d that takes as input some values of xi and yi and determines which register is to be clocked. Assume also that the output of the system is given by some combination of the outputs of the two registers. The j th internal state of each register can be written as t Rkjt = Rkjt (f (xi , yi )t ⊕ 1) ⊕ Rkj−1 (f (xi , yi )t )
(5.3)
for k = 1, 2. At time t = 1, each position Rij contains an expression of minimum degree d. At time t = 2, the degrees of the expressions in Rij doubles; this continues until the degree reaches the size of the internal state size of the cipher, which is l + m. Thus the maximum degree of the equations generated from the system is l + m (which can always be achieved assuming the cipher is permitted to keep producing output) and the maximum number of monomials is M=
l+m X� j=1
l+m j
�
(5.4)
2 The complexity of solving such a system of equations using Algorithm 2.3 in an MCFSR is therefore
80
Chapter 5. Keystream Generators using Mutual Clock Control
at least
l+m X� j=1
� ω l+m j
(5.5)
where 2.807 ≤ ω ≤ 3 [186], which is greater than the complexity of exhaustive search using currently
known best algorithms for solving equations. As noted in the introduction, guessing some initial state bits may assist an attack. In the corollary following, we describe the impact of such guessing Corollary 5.1 Guessing u bits of the internal state of a mutually clocked-controlled stream cipher reduces the overall degree of the equations by u. Proof: One can see from Equation (5.5) of Theorem 5.1 that each guess of u bits reduces the degree of the equations by u. In addition, the complexity of algebraic attacks using the guessing approach will be
2
2u
(l+m−u) �
X j=1
� ω (l + m − u) j
(5.6)
Corollary 5.2 The existence of a regularly clocked register in an MCFSR reduces the complexity of the algebraic attack to less than exhaustive key search, assuming that the key size is the same as the total number of initial state bits. Proof: Let l be the total number of bits from regularly clocked registers, and k the key size. Then ! l guessing all k −l bits from the irregularly clocked registers produces only linear equations in = 1 l monomials using the procedure of the proof of Theorem 2.1. The overall attack complexity is then 2k−l lω < 2k
if l
is at least 4.
(5.7)
2 One might conjecture that increasing the number of clock-control bits used in an MCFSR would increase the level of complexity of the corresponding equations. The following corollary shows that this is only partly true. Corollary 5.3 Increasing the number of clock-control bits in an MCFSR may increase the degree of the equations generated during the first outputs but does not increase the maximum degree of the equations generated. Proof: Equation (5.3) shows that the maximum degree of the equations generated is independent of the number of clock-control bits. 2 As mentioned in Section 5.1, multiplier functions may exist which can reduce the degrees of the functions under consideration. However, the larger the system of equations generated, and the higher the degrees of these equations, the more difficult it is to find such multipliers. Thus, one of the strategies for choosing FSR-based ciphers that are immune to algebraic attack is to make sure that the number and
5.3. The Bilateral Stop-and-Go Generator
81
degree of equations generated is high with no low degree annihilators or multiples. MCFSRs appear to have these properties.
5.3 The Bilateral Stop-and-Go Generator This section applies the analysis of Section 5.2 to the bilateral-stop-and-go generator. We start by a description of the cipher followed by an algebraic analysis.
5.3.1 Description of the Bilateral Stop and Go Generator The bilateral Stop-and-Go generator, Figure 5.1, is one of the first known examples of a mutually clock-controlled stream cipher [200]. It consists of two linear feedback shift registers (LFSRs), A and B of the same length l. Both LFSRs control their own clocking using two bits from each LFSR in the following way. Let a, b and c, d be pairs of bits from A and B respectively. If (a, b) = (0, 1), then clock only A. On the other hand, if (c, d) = (0, 1) 6= (a, b), then clock only B, otherwise clock both registers. Since there are 4 bits controlling the clocking of A, it can be seen that A is clocked with probability equal 13/16 whereas B is clocked with 3/4 probability. To the best of our knowledge, there is only one correlation attack on this cipher by Goli´c [153] which requires l keystream bits with O(2l+3log2 l ) operations.
R1
Clock Control Unit
f
z
R2
Figure 5.1: The Bilateral-stop-and-go-generator
5.3.2 Algebraic Analysis of the Bilateral Stop and Go Generator Let the output of register A be Al and B be Bl . Based on the description of the way registers A and B are clocked, we can describe the effect of the clocking mechanism on the internal state of each register described by a binary truth table of all the clocking possibilities respectively as follows Ati
� � = At−1 (dt−1 (at−1 bt−1 ct−1 ) ⊕ at−1 bt−1 ⊕ bt−1 ct−1 ⊕ bt−1 ⊕ ct−1 ⊕ 1 ) i � t−1 t−1 t−1 � t−1 ⊕At−1 (a b c ) ⊕ at−1 bt−1 ⊕ bt−1 ct−1 ⊕ bt−1 ⊕ ct−1 ⊕ 1 ⊕ 1) i−1 (d
For example, A1 , it is given by
(5.8)
Chapter 5. Keystream Generators using Mutual Clock Control
82
At1
� t−1 t−1 t−1 � t−1 = At−1 (a b c ) ⊕ at−1 bt−1 ⊕ bt−1 ct−1 ⊕ bt−1 ⊕ ct−1 ⊕ 1 ) 1 ((d � � ⊕Flt−1 ((dt−1 (at−1 bt−1 ct−1 ) ⊕ at−1 bt−1 ⊕ bt−1 ct−1 ⊕ bt−1 ⊕ ct−1 ⊕ 1 ⊕ 1)
Similarly Bit can represented as
t−1 t−1 t−1 Bit = Bit−1 (at−1 bt−1 ⊕ bt−1 ) ⊕ Bi−1 (a b ⊕ bt−1 ⊕ 1)
(5.9)
and the B1t position is given by t−1 t−1 t−1 B1t = B1t−1 (at−1 bt−1 ⊕ bt−1 ) ⊕ Fm (a b ⊕ bt−1 ⊕ 1)
where Fjt−1 applies the feedback polynomial from the j th position at time t − 1. The output of the generator at time t is: z t = Atl ⊕ Blt For the purpose of our analysis, we will substitute the values for Atl and Blt using equations 5.8 and 5.9 respectively and expand it as follows : zt = f t
t−1 t−1 t−1 t−1 = at−1 bt−1 ct−1 dt−1 At−1 ⊕ at−1 bt−1 ct−1 dt−1 At−1 b d Ai i i−1 ⊕ a t−1 t−1 t−1 t−1 ⊕bt−1 ct−1 dt−1 At−1 ⊕ at−1 bt−1 dt−1 At−1 c d Ai−1 i i−1 ⊕ b
t−1 t−1 t−1 ⊕bt−1 dt−1 At−1 ⊕ ct−1 dt−1 At−1 ⊕ bt−1 dt−1 At−1 d Ai−1 i i i−1 ⊕ c
t−1 t−1 t−1 ⊕at−1 bt−1 Bit−1 ⊕ at−1 bt−1 Bi−1 ⊕ dt−1 At−1 ⊕ dt−1 At−1 Bi i i−1 ⊕ b
t−1 t−1 ⊕bt−1 Bi−1 ⊕ At−1 i−1 ⊕ Bi−1 .
(5.10) The output function f is initially of degree 5, however, because of the nonlinear update function of each register, the degree tends to increase. According to Theorem 5.1, the maximum degree of the equations generated from this cipher is d = 2l and the number of monomials expected to appear is given by equation 5.4. Clearly, trying to recover the internal state of such generators using the Algorithm 2.3 will usually require complexity much worse than exhaustive key search on the internal state size. Reducing the Overall Degree of the Equations In this section, the applicability of two approaches used in reducing the overall degree of the equations on our cipher is examined. As Corollary 5.1 shows, guessing any u bits for u ≤ 2l will result in the �ω P2l−u following attack complexity 2u i=1 2l−u . In fact, guessing the internal state bits of A has the i same effect as guessing the internal state bits of B since both registers are of the same length. In order to get an algebraic attack , less complex than exhaustive key search when some bits are guessed, the �ω P2l−u following relations must hold 2u i=1 2l−u < 22l . However, it can be seen that this relation will i never hold true for any of its parameters; therefore, the guessing approach is not suitable.
In the other approach, the attacker aims to find annihilators or multiples that will reduce the overall
5.4. A5/1
83
degree of the equations. By further analysis of Equation (5.10), that is, using one of the algorithms outlined in Chapter 2 for finding low degree multiples, one can see that there exist many multiples and annihilators for the output function. Table 5.2 below lists the number of multiples g found on the output and the number of h such that h = gf . Degree of g 1 2 3 4
Degree of h 4 3 and 4 3 and 4 0 and 4
Total Number of g and h 4 10 42 48
Table 5.2: Low degree multiples for the output function for the Bilateral Stop and Go Generator Note that the number 0 in Table 5.2 indicates that there exist many degree 4 multiples of g such that f.g = 0. Multiplying both sides of equation 5.10 with at−1 results in the following expression : f g = f at−1
= at−1 ct−1 dt−1 At−1 ⊕ at−1 ct−1 dt−1 At−1 i i−1
t−1 t−1 t−1 . ⊕at−1 dt−1 At−1 ⊕ at−1 dt−1 At−1 Ai−1 ⊕ at−1 Bi−1 i i−1 ⊕ a
(5.11) This multiplication also eliminates many terms of different degrees. As shown in equation (7.4), this multiple also eliminates the effect of bt−1 . However, the degree of such multiples also keeps increasing, so reducing the possibility of an algebraic attack. More interestingly, multiplying both sides of equation 5.10 with (b t−1 ⊕ 1)(dt−1 ⊕ 1) results in the following expression : f g = f at−1
� t−1 � = At−1 ⊕ 1)(dt−1 ⊕ 1) i−1 (b � t−1 � t−1 ⊕Bi−1 (b ⊕ 1)(dt−1 ⊕ 1) .
(5.12)
This multiplication eliminates many terms of different degrees. In particular, the multiple eliminates the effect of bt−1 . However, the degree of such multiples keeps increasing, so reducing the possibility of an algebraic attack. Note also that we have observed that multiplying the output of the generator with Ql i=1 (xi ⊕ 1), where xi runs through the contents of A, reduces the overall degree of the equations from 2l to l + 1.
5.4 A5/1 A5/1 is an encryption algorithm in the A5 family of stream ciphers. The A5 stream ciphers are used in GSM networks for wireless encryption. The design of the algorithm was kept secret until it was reverse engineered from an actual GSM phone by Briceno [37] in 1999. The internal design of both A5/1 and another member of the family, A5/2 (used in most middle east countries) were revealed. In 2002, the A5/3 encryption algorithm was added to the A5 family. Unlike, A5/1 and A5/2, its internal design was published. A5/3 is based on the block-cipher KASUMI, which is intended to be used in third generation networks.
Chapter 5. Keystream Generators using Mutual Clock Control
84
A5/1 has fallen to many attacks. These includes time memory tradeoff attacks [28], and correlation attacks [37,82,102] and [144]. In this section, we assess the security of A5/1 against algebraic attacks, which is believed not have been examined before in the open literature.
5.4.1 Description of A5/1 A5/1, presented in Figure 5.2, consists of three short binary LFSRs of lengths 19, 22 and 23, denoted by A, B and C, respectively. The three LFSRs have the following primitive feedback polynomials: f1 (x) = x19 + x5 + x2 + x + 1 f2 (x) = x22 + x + 1 f3 (x) = x23 + x15 + x2 + x + 1 At time t, denote the output of register A as Ati , B as Bit and C as Cit and the output keystream of A5/1 as z t . The output of A5/1 is given as the XOR of the output of the three LFSRs. The LFSRs are clocked in an irregular fashion, determining a type of stop/go clocking with a majority rule as follows. Each register has a certain clocking tap used to determine its clocking and the clocking of t t other registers. At9 , B11 and C11 are the bits taken from A, B and C as input to the majority function. The majority function is given by t t t t M t = (At9 B11 ⊕ At9 C11 ⊕ B11 C11 ) t A is clocked if A9 agrees with the majority function. Similarly, register B is clocked if B 11 agrees with t the majority function. Finally, register C is clocked if C11 agrees with the majority function.
R1
Clock Control Unit
f
z
R2 R3
Figure 5.2: A5/1
5.4.2 Algebraic Analysis of A5/1 Based on the clocking mechanism used in A5/1, it is possible to rewrite the internal states of the three registers so they take into account the clocking mechanism in place, which as a result will produce valid relations that hold true for every clock. Each ith stage in A is replaced by: t−1 Ati = At−1 (At−1 ⊕ M t−1 ) ⊕ (At−1 ⊕ M t−1 )) 9 i i−1 (1 ⊕ A9
(5.13)
5.4. A5/1
85
and the left most position is given by t−1 t−1 t−1 t−1 t−1 At1 = At−1 ⊕ M t−1 ) ⊕ ((At−1 ⊕ M t−1 )). 1 (A9 19 ⊕ A18 ⊕ A17 ⊕ A14 )(1 ⊕ A9
Similarly for B, each ith stage in B is replaced by: t−1 t−1 t−1 ⊕ M t−1 ) ⊕ (Bi−1 (1 ⊕ B11 ⊕ M t−1 )) Bit = Bit−1 (B11
(5.14)
and the left most position is given by t−1 t−1 t−1 t−1 B1t = B1t−1 (B11 ⊕ M t−1 ) ⊕ ((B21 ⊕ B22 )(1 ⊕ B11 ⊕ M t−1 )).
Finally, each ith stage in C is replaced by: t−1 t−1 t−1 Ci = Cit−1 (C11 ⊕ M t−1 ) ⊕ (Ci−1 (1 ⊕ C11 ⊕ M t−1 ))
(5.15)
and the left most position is given by t−1 t−1 t−1 t−1 t−1 C1t = C1t−1 (C11 ⊕ M t−1 ) ⊕ ((C23 ⊕ C22 ⊕ C21 ⊕ C8t−1 )(1 ⊕ C11 ⊕ M t−1 )).
The output is given by t t z = At19 ⊕ B22 ⊕ C23
Using Equations (5.13),(5.14) and (5.15), the output function can described as follows zt = f t
t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 = At−1 19 A9 B11 ⊕ A9 A18 B11 ⊕ A9 B22 B11 ⊕ A9 B11 B21
t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 ⊕At−1 9 B11 B23 ⊕ A19 A9 B11 ⊕ A9 A18 B11 ⊕ A9 B22 B11
t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 ⊕At−1 19 B11 B11 ⊕ A18 B11 B11 ⊕ B22 B11 B11 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 ⊕At−1 9 B21 B11 ⊕ B11 B21 B11 ⊕ A9 B23 B11
t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 ⊕B11 B23 B11 ⊕ At−1 9 B11 B22 ⊕ A9 B11 B22 ⊕ B11 B11 B22
t−1 t−1 t−1 t−1 t−1 t−1 t−1 t−1 ⊕At−1 ⊕ At−1 19 A9 9 A18 ⊕ B22 B11 ⊕ B11 B21 ⊕ B23 B11 t−1 t−1 t−1 t−1 ⊕B11 B22 ⊕ At−1 18 ⊕ B21 ⊕ B22 .
(5.16)
Based on the above set up and on Theorem 5.1, the maximum degree of the equations generated from A5/1 is d = l+m+n = 64 and the number of monomials expected to appear is given by Equation (5.4), which is approximately M = 288 . Therefore, trying to recover the internal state of such generators using Algorithm 2.3 will require a complexity of approximately M 3 = 2264 , which is much worse than exhaustive key search on the internal state size. The following section explore the methods used for reducing the degree of the equations in order to reduce the complexity. Reducing the Overall Degree of the Equations In this section, the effectiveness of the guessing approach is examined in a divide and conquer style of attack. In the examination, the contents of each individual register are guessed, and the complexity
Chapter 5. Keystream Generators using Mutual Clock Control
86
of the overall attack including the complexity of recovering the remaining registers by solving system of equations, is estimated. In another examination, the contents of two different registers are guessed, and the complexity of the overall attack including the complexity of recovering the contents of the unguessed register by solving a system of equations, is estimated. Table 5.3, lists the results for all possibilities one can take. Guessed Register A B C A and B A and C B and C
Max degree of equations 45 42 41 23 22 19
Total Attack Complexity ≈ (219 .2182.5 ) = 2201.5 ≈ (222 .2169.7 ) = 2191.7 ≈ (223 .2165.4 ) = 2188.4 ≈ (241 .288.7 ) = 2129.7 ≈ (242 .284.5 ) = 2126.5 ≈ (245 .271.8 ) = 2116.8
Table 5.3: Standard algebraic attacks on A5/1 with the guessing approach It can be seen from Table 5.3, that the worst attack complexity is obtained by guessing A and solving the system of equations of degree 45 in the unknowns of B and C. In contrast, the best result is obtained by guessing B and C and solving for the internal state of register A. However, the complexity of any of these approaches is still much higher than exhaustive key search. As for the approach which is based on finding low degree multiples, the following was found. It is clear that the output function f is of degree 3. But as the internal state of each register in the ciphers is nonlinearly updated, the degree of the generated equations will increase. We have not found any multiplier functions g of degree 1 or 2, however, we have found 9 functions of degree 3 such that f.g = 0.
5.5 Alpha 1 The Alpha1 stream cipher [139], was proposed for mobile and wireless devices. The design of Alpha1 is based on A5/1 and was intended as a replacement for this stream cipher. Alpha 1 is based on linear feedback shift registers (LFSRs) and uses irregular clocking. Alpha1 uses four LFSRs, with a total key size of 128-bits. In Alpha1, one of the four registers is regularly clocked while the other three registers are irregularly clocked. The contents of two stages from each of the irregularly clocked registers control the clocking according to a majority function, so that at least one of these three registers is clocked for each output bit. Initial analysis of Alpha 1 by Mitchell [158] pointed out several weaknesses and inaccuracies in the Alpha1 specification. In an attack by Wu [196] recovers the initial state of the regularly clocked register only. The attack requires 3000 keystream bits with O(229 ) operations. The problem of recovering the remaining registers was left as an open problem. This was addressed by Chen et.al [48], who proposed an attack that recovers the whole initial state of the cipher using 35,000 keystream bits with 261 operations.
5.5. Alpha 1
87
5.5.1 Description of Alpha 1 Alpha 1, Figure 5.3, is based on four binary linear LFSRs of lengths 29, 31, 33 and 35 bits, which are denoted as A, B, C and D respectively. R1 R2
Clock Control Unit
f
z
R3 R4
Figure 5.3: Alpha 1 stream cipher The LFSRs have the following feedback polynomials: f1 (x) = x29 + x27 + x24 + x8 + 1 f2 (x) = x31 + x28 + x23 + x18 + 1 f3 (x) = x33 + x28 + x24 + x4 + 1 f4 (x) = x35 + x30 + x22 + x11 + x6 + 1 At time t, denote the output of register Ri as Rit and the output keystream of Alpha1 as z t . The keystream bit is a function of the output bit of each of the four registers. zt
= f (At , B t , C t , Dt )
zt
= At + B t ⊕ C t ⊕ Dt ⊕ (B t C t ).
(5.17)
Let Rij denote the j th stage of LF SRi. While A is regularly clocked, B, C and D are clocked in a stop/go fashion according to the following majority rule. Alpha 1 employs two majority rule functions, M 1t and M 2t , and uses pairs of clocking taps from B, C, and D to control the three registers clocking, where M 1t and M 2 t are respectively given by t t t t t t M 1t = B11 C23 ⊕ B11 D12 ⊕ C23 D12
and t t t t t t M 2t = B22 C11 ⊕ D25 B22 ⊕ C11 D25 . t t t B is clocked if B11 agrees with M 1t and B22 agrees with M 2t . C is clocked if C23 agrees with t t t M 1t and C11 agrees with M 2t . Finally, D is clocked if D12 agrees with M 1t and D25 agrees with t M2 .
Chapter 5. Keystream Generators using Mutual Clock Control
88
5.5.2 Algebraic Attacks on Alpha 1 Before we describe our attack, we show how to obtain relationships between the internal states of the cipher with the output that takes into account the irregular clocking used. As A is regularly clocked, then each ith stage in A is replaced by: Ati = At−1 i−1 . Each ith stage in B is replaced by: t−1 t−1 t−1 t−1 t−1 Bit = Bit−1 (B11 ⊕ B23 ⊕ M1t−1 ⊕ M2t−1 ) ⊕ Bi−1 (B11 ⊕ B23 ⊕ M1t−1 ⊕ M2t−1 ⊕ 1)
and the left most position is given by B1t
t−1 t−1 = B1t−1 (B11 ⊕ B23 ⊕ M1t−1 ⊕ M2t−1 ) ⊕
t−1 t−1 t−1 t−1 t−1 t−1 ((1 ⊕ B11 ⊕ B23 ⊕ M1t−1 ⊕ M2t−1 )(B31 ⊕ B28 ⊕ B23 ⊕ B18 )).
Each ith stage in C is replaced by: t−1 t−1 t−1 t−1 t−1 Cit = Cit−1 (C23 ⊕ C11 ⊕ M1t−1 ⊕ M2t−1 ) ⊕ Ci−1 (C23 ⊕ C11 ⊕ M1t−1 ⊕ M2t−1 ⊕ 1)
and the left most position is given by C1t
t−1 t−1 = C1t−1 (C23 ⊕ C11 ⊕ M1t−1 ⊕ M2t−1 ) ⊕
t−1 t−1 t−1 t−1 t−1 ((C23 ⊕ C11 ⊕ M1t−1 ⊕ M2t−1 ⊕ 1)(C33 ⊕ C28 ⊕ C24 ⊕ C4t−1 )).
Finally, each ith stage in D is replaced by: t−1 t−1 t−1 t−1 t−1 Dit = Dit−1 (D12 ⊕ D25 ⊕ M1t−1 ⊕ M2t−1 ) ⊕ Di−1 (D12 ⊕ D25 ⊕ M1t−1 ⊕ M2t−1 ⊕ 1).
The output of the cipher is given by t t t t t z t = At29 ⊕ B31 ⊕ B33 ⊕ D35 ⊕ B31 B33 .
(5.18)
5.5.3 Reducing the Overall Degree of the Equations It is expected that Alpha 1 will generate equations of maximum degree d = 99 with the number P99 99� of monomials equal to M = i=1 i . Thus, applying the standard algebraic attack will have a 1080 complexity of approximately 2 , which is much worse than the complexity of exhaustive keysearch. However, note that the regularly clocked register, A, will have no effect at all in determining the size of the generated equations. Table 5.4 lists different choices for the guessing and solving approach for Alpha 1. Note also that the table only considers guessing the mutually clocked registers. The approach used here is similar to that used in A5/1, in which the contents of each of the irregularly clocked register is guessed, then the complexity of the overall attack including the complexity of recovering the remaining registers by solving system of equations is estimated. In another examination, the contents of two different
5.5. Alpha 1
89
irregularly registers are guessed, and the complexity of the overall attack including the complexity of recovering the contents of the unguessed register by solving a system of equations is estimated. In the last examination, the contents of the three irregularly clocked registers are guessed and the content of the regularly clocked register is solved for. Guessed Register B C D B and C B and D C and D
Max degree of equations 68 66 64 35 33 31
Total Attack Complexity ≈ (231 .2281 ) = 2312 ≈ (233 .2272.6 ) = 2305.6 ≈ (235 .2264 ) = 2299 ≈ (264 .2139.8 ) = 2203 ≈ (266 .2131 ) = 2197 ≈ (268 .2122.7 ) = 2190.7
Table 5.4: Standard algebraic attacks on Alpha 1 with the guessing approach It is evident from Table 5.4 that none of the above choices will lead to an attack that is, better than exhaustive key search. However, based on Corollary 5.2, we see that the key size of the cipher is the same as the internal state size k = 128, and there is at least one register that is regularly clocked. Hence, using Corollary 5.2 and equation (5.18), guessing B, C and D will result in linear equations in the output, containing unknowns from A only. Thus the complexity of this basic algebraic attack is 231+33+35 (29)2 ≈ 2108 , which is less than exhaustive key search. Table 5.5 lists the best known attacks on the Alpha 1 stream ciphers. Attack Chen et.al Our attack
Minimum Keystream 35, 000 bits 128 bits
Attack Complexity 261 2108
Table 5.5: Best known attacks on the Alpha 1 stream cipher It can be seen from Table 5.5 that our approach requires the minimum keystream to run the attack, that is 128 bits compared with the other attack that requires 35,000 bits. It should be noted that in frame based GSM system, this attack is not possible due to rekeying each 288 bits. Theoretically, our attack is more applicable. However, the attack complexity of our approach is much more than the other attack. As for the use of low degree multiples and annihilators, it is clear that even if there exist any, their degree will not be constant and will keep increasing.
5.5.4 Experimental Results We tested the algebraic attack described above on the full version of Alpha 1 by running some experimental simulations. In the simulations we tested two things; first, whether 29 bits are sufficient to solve the system of equations and give unique solutions. Second, whether 29 bits is enough to enable us to reject wrong guesses for the bits of A since it might happen that equivalent internal state bits might result in the same 29 keystream bits. This never happened in our simulations; we were always able to verify that the correct internal state had been chosen. In any event, 128 bits of keystream would be sufficient to guarantee the correct internal state, and this is well within the limits of the typical frame-length.
Chapter 5. Keystream Generators using Mutual Clock Control
90
In the experiment, we first generated and recorded 29 keystream bits by randomly choosing the values of all four registers. Then we applied the attack approach briefly outlined above for 250,000 runs. In each run we randomly guessed the contents of B, C and D. We next generated a linear system of equations in the unknowns of A and solved it using the F4 algorithm of the Gr¨obner bases method available in Magma [3]. In each case, we obtained a unique solution for the bits of A and used these, together with the guessed bits for B, C and D to reconstruct the keystream bits which were then compared with the recorded keystream. In each run, we managed with 100 percent success to solve the system of equations and detect if the guesses made were right or wrong. This was done using Magma 2.11 on the SGI Origin 3000 using CPU at 600 MHz. The fact that this can be done with only 29 bits of keystream suggests a here-to-fore unknown weakness in the Alpha1.
5.6
MICKEY
5.6.1 Description The MICKEY family of stream ciphers [17–19], as shown in Figure 5.4, is a hardware oriented stream cipher that was submitted to eSTREAM, the ECRYPT Stream Cipher Project [2]. The family consist of three ciphers, MICKEY-80 v1, MICKEY-80 v2 and MICKEY-128 v2. The MICKEY family has passed the eSTREAM review process and proceeded to the third phase of the evaluation process.
R
Clock Control Unit
+
z
S
Figure 5.4: The MICKEY family of stream ciphers MICKEY uses an LFSR and a Nonlinear Feedback Shift Register (NLFSR). The registers are clocked in an irregular manner determined by some of the internal states bits taken from both registers. Most of the previously known clock-controlled generators used the LFSR for controlling the clocking of their registers. The authors of MICKEY believe that ”algebraic attacks usually become possible when the keystream is correlated to one or more linearly clocking registers, whose clocking is either entirely predictable or can be guessed”: which explains why they used both the LFSR and the NLFSR to control clocking in an irregular manner. In this section we show that even with MICKEY’s novel technique for irregularly clocking the registers, we can still form algebraic expressions that deal with the irregular clocking and also relate its output with its input and holds true for every single clock t. The MICKEY ciphers consist of two registers R and S each of the same length l. The bits of the t t registers at time t are labeled as R0t , . . . , Rl−1 and S0t , . . . , Sl−1 respectively. R is a LFSR and S is a NLFSR. The clocking mechanism used in MICKEY is based on the notion of jump registers first introduced
5.6. MICKEY
91
in [129] as an alternative to traditional clock-controlled registers. Registers based on the notion of jump registers can move to a state that is more than one step ahead without having to step through all the intermediate states. This provides LFSR based stream ciphers protection against side channel attacks while preserving the advantages of irregular clocking.
5.6.2 Algebraic Analysis of MICKEY-80 v1 MICKEY-80 v1 [18] uses a key size of 80-bit and internal state size of l =160-bit. This section provides an algebraic analysis of this cipher. An expression that deals with the irregular clocking of R and S will be given. The internal states of R change depending on the control bit that controls the clocking of R. If the control bit Cr of register R is 0, then R simply shifts to the right and if the control bit is 1, then as well as shifting to the right, the bits are XORed back, this having the effect of stepping R, J = 2 40 − 23
times. The control bits Cr and Cs (the control bit of S) are defined as: t t , and ⊕ R53 Crt = S27 t t Cst = S53 ⊕ R26 .
It is assumed that the control bits are unknown, however, one can derive an expression that deals with both cases. For Cr t Rit = Ri−1 ⊕ Rit Crt .
(5.19)
Depending on the control bit Cs that controls the clocking of register S, Sit can have different values. We can derive an expression that holds true for all clocks and takes into account all possible 79 values for Cst . Four sets of fixed, known values are defined in [18]: {COM P 0 i }79 i=0 , {COM P 1i }i=0 , 79 {F B0i }79 i=0 and {F B1i }i=0 and are used to define the bits of the NLFSR as follows
Sit = Sˆit ⊕ F B0i × FeedbackBitS t × (Cst ⊕ 1) ⊕ F B1i × FeedbackBitS t × Cst where:
(5.20)
t t t Si−1 ⊕ ((Si ⊕ COM P 0i ) × (Si+1 ⊕ COM P 1i )) if 1 < i < 79 Sˆit = 0 if i = 0 t S79 if i = 78.
t In addition, the value of FeedbackBitS t is equal to S79 if the key initialization is ignored. The output
of the cipher is given by z t = R0t ⊕ S0t
(5.21)
which can be rewritten using Equations (5.19) and (5.20) as z t = f t = R0t ⊕R1t Crt ⊕ Sˆ0t ⊕F B01 × FeedbackBitS t ×(Cst ⊕1)⊕F B10 × FeedbackBitS t ×Cst (5.22) From Equation (5.22), it can be seen that the degree of the generated equations from the MICKEY stream cipher will increase by at least two at every clock. It starts with degree 2 until it reaches degree
Chapter 5. Keystream Generators using Mutual Clock Control
92
2l. As with the bilateral-stop-and-go generator, guessing l bits will result in solving equations of degree l. As for the existence of annihilators, our experimental results (in this case, implementing the keystream generator algorithm and generating equations in terms of the initial state) show that for MICKEY-80 v1, the following annihilators exist: z 1 (r0 ⊕ 1)(r79 ⊕ 1)(s79 ⊕ 1) = 0 z 2 (r0 ⊕ 1)(r79 ⊕ 1)(s79 ⊕ 1)(s78 ⊕ 1)(r78 ⊕ 1) = 0 z 3 (r0 ⊕ 1)(r79 ⊕ 1)(s79 ⊕ 1)(s78 ⊕ 1)(r78 ⊕ 1)(s77 ⊕ 1)(r77 ⊕ 1) = 0 z 4 (r0 ⊕ 1)(r79 ⊕ 1)(s79 ⊕ 1)(s78 ⊕ 1)(r78 ⊕ 1)(s77 ⊕ 1)(r77 ⊕ 1)(s76 ⊕ 1)(r76 ⊕ 1) = 0 z 5 (r0 ⊕1)(r79 ⊕1)(s79 ⊕1)(s78 ⊕1)(r78 ⊕1)(s77 ⊕1)(r77 ⊕1)(s76 ⊕1)(r76 ⊕1)(s75 ⊕1)(r75 ⊕1) = 0. .. . The above equations can then be linearised and solved. The complexity of an algebraic attack still needs to be determined, and will be significantly reduced by the existence of the annihilators. The algebraic structure of the cipher is suggestive that other techniques may also be able to exploit this structure. Also note that the same annihilators can be found in each cipher irrespective of the clock control bits of R and S. That is, if these bits are changed, then one would still get the same annihilators.
5.6.3 Algebraic Analysis of MICKEY-80 v2 MICKEY-80 v2 [17] uses a key size of 80-bit and internal state size l =200-bit. This section provides an algebraic analysis of this cipher. An expression that deals with the irregular clocking of R and S will be given. The internal states of R change depending on the control bit that controls the clocking of R. If the control bit Cr of register R is 0, then R simply shifts to the right and if the control bit is 1, then as well as shifting to the right, the bits are XORed back, having the effect of stepping R, J = 2 50 − 157 times. The control bits Cr and Cs (the control bit of S) are defined as: t t Crt = S34 ⊕ R67 , and t t Cst = S67 ⊕ R33 .
It is assumed that the control bits are unknown, however, one can derive an expression that deals with both cases. For Cr t Rit = Ri−1 ⊕ Rit Crt .
(5.23)
Depending on the control bit Cs that controls the clocking of register S, Sit can have different values. We can derive an expression that holds true for all clocks and takes into account all possible 99 values for Cst . Four sets of fixed, known values are defined in [18]: {COM P 0 i }99 i=0 , {COM P 1i }i=0 , 99 {F B0i }99 i=0 and {F B1i }i=0 and are used to define the bits of the NLFSR as follows
Sit = Sˆit ⊕ F B0i × FeedbackBitS t × (Cst ⊕ 1) ⊕ F B1i × FeedbackBitS t × Cst
(5.24)
5.6. MICKEY
where:
93
t t t Si−1 ⊕ ((Si ⊕ COM P 0i ) × (Si⊕1 ⊕ COM P 1i )) Sˆit = 0 t S99
if 1 < i < 99 if i = 0 if i = 98.
t In addition, the value of FeedbackBitS t is equal to S99 if the key initialization is ignored. The output of the cipher is given by
z t = R0t ⊕ S0t
(5.25)
which can be rewritten using equations 5.23 and 5.24 as z t = f t = R0t ⊕R1t Crt ⊕ Sˆ0t ⊕F B01 × FeedbackBitS t ×(Cst ⊕1)⊕F B10 × FeedbackBitS t ×Cst (5.26) From Equation (5.26), it can be seen that the degree of the generated equations from MICKEY stream cipher will increase by at least two at every clock. It starts with degree 2 and it reaches degree 2l. As with the bilateral-stop-and-go generator, guessing l bits will result in solving equations of degree l. As for the existence of the annihilators, experimental results show that for MICKEY-80 v1, the following annihilators exist: z 1 (r0 ⊕ 1)(r99 ⊕ 1)(s99 ⊕ 1) = 0 z 2 (r0 ⊕ 1)(r99 ⊕ 1)(s99 ⊕ 1)(s98 ⊕ 1)(r98 ⊕ 1) = 0 z 3 (r0 ⊕ 1)(r99 ⊕ 1)(s99 ⊕ 1)(s98 ⊕ 1)(r98 ⊕ 1)(s97 ⊕ 1)(r97 ⊕ 1) = 0 z 4 (r0 ⊕ 1)(r99 ⊕ 1)(s99 ⊕ 1)(s98 ⊕ 1)(r98 ⊕ 1)(s97 ⊕ 1)(r97 ⊕ 1)(s96 ⊕ 1)(r96 ⊕ 1) = 0 z 5 (r0 ⊕1)(r99 ⊕1)(s99 ⊕1)(s98 ⊕1)(r98 ⊕1)(s97 ⊕1)(r97 ⊕1)(s96 ⊕1)(r96 ⊕1)(s95 ⊕1)(r95 ⊕1) = 0. .. .
5.6.4 Algebraic Analysis of MICKEY-128 v2 MICKEY-128 v2 [19] uses a key size of 128-bit and internal state size of l =320-bit. This section provides an algebraic analysis of this cipher. An expression that deals with the irregular clocking of R and S will be given. The internal states of R change depending on the control bit that controls the clocking of R. If the control bit Cr of register R is 0, then R simply shifts to the right and if the control bit is 1, then as well as shifting to the right, the bits are XORed back, having the effect of stepping R, J = 2 80 − 255 times. The control bits Cr and Cs (the control bit of S) are defined as: t t Crt = S54 ⊕ R106 , and t t Cst = S106 ⊕ R53 .
It is assumed that the control bits are unknown, however, one can derive an expression that deals with both cases. For Cr t Rit = Ri−1 ⊕ Rit Crt .
(5.27)
Chapter 5. Keystream Generators using Mutual Clock Control
94
Depending on the control bit Cs that controls the clocking of register S, Sit can have different values. We can derive an expression that holds true for all clocks and takes into account all possible 159 values for Cst . Four sets of fixed, known values are defined in [18]: {COM P 0 i }159 i=0 , {COM P 1i }i=0 , 319 159 {F B0i }i=0 and {F B1i }i=0 and are used to define the bits of the NLFSR as follows
Sit = Sˆit ⊕ F B0i × FeedbackBitS t × (Cst ⊕ 1) ⊕ F B1i × FeedbackBitS t × Cst
(5.28)
where: t t t Si−1 ⊕ ((Si ⊕ COM P 0i ) × (Si⊕1 ⊕ COM P 1i )) Sˆit = 0 t S159
if 1 < i < 159 if i = 0 if i = 158.
t In addition, the value of FeedbackBitS t is equal to S159 if the key initialization is ignored. The output
of the cipher is given by z t = R0t ⊕ S0t
(5.29)
which can be rewritten using equations 5.27 and 5.28 as z t = f t = R0t ⊕R1t Crt ⊕ Sˆ0t ⊕F B01 × FeedbackBitS t ×(Cst ⊕1)⊕F B10 × FeedbackBitS t ×Cst (5.30) From equation 5.30, it can be seen that the degree of the generated equations from MICKEY stream cipher will increase by at least 2 at every clock. It starts with degree 2 and it reaches degree 2l. As with the bilateral-stop-and-go generator, guessing l bits will result in solving equations of degree l. As for the existence of the annihilators, experimental results show that for MICKEY-128 v2, the following annihilators exist: z 1 (r0 ⊕ 1)(r159 ⊕ 1)(s159 ⊕ 1) = 0 z 2 (r0 ⊕ 1)(r159 ⊕ 1)(s159 ⊕ 1)(s158 ⊕ 1)(r158 ⊕ 1) = 0 z 3 (r0 ⊕ 1)(r159 ⊕ 1)(s159 ⊕ 1)(s158 ⊕ 1)(r158 ⊕ 1)(s157 ⊕ 1)(r157 ⊕ 1) = 0 z 4 (r0 ⊕ 1)(r159 ⊕ 1)(s159 ⊕ 1)(s158 ⊕ 1)(r158 ⊕ 1)(s157 ⊕ 1)(r157 ⊕ 1)(s156 ⊕ 1)(r156 ⊕ 1) = 0 z 5 (r0 ⊕1)(r159 ⊕1)(s159 ⊕1)(s158 ⊕1)(r158 ⊕1)(s157 ⊕1)(r157 ⊕1)(s156 ⊕1)(r156 ⊕1)(s155 ⊕1)(r155 ⊕1) = 0. .. .
5.7 An Alternative Algebraic Attack on Mutually Clock Control Stream Ciphers The resistance of mutually clock-controlled stream ciphers to traditional algebraic attacks is due to the fact that clock control causes increases in the degrees of the equations generated. In mutually clock-controlled stream ciphers, the clock control bits from each register are multiplied with the bit states of the other registers causing a rapid increase in the degree of the equations to the size of the
5.7. An Alternative Algebraic Attack on Mutually Clock Control Stream Ciphers
95
internal state. The degrees of the equations increase at least by one and at most by two at every clock. This section provides an alternative algebraic attack on the bilateral stop and go, A5/1, Alpha 1 and MICKEY ciphers using approaches similar to those presented in Chapter 3. This degree accumulation can be prevented and low degree equations in the internal state can be obtained if instead new variables for the register states are introduced at every clock and hence in the output. At each clock, new variables with a total number equal to the size of the internal state are introduced. Clocking the cipher S times result in generating a total of 2S equations in S unknowns. These equations can be solved by techniques such as Gr¨obner bases methods, but not by linearisation. This is because as we use more keystream, the number of variables and therefore monomials in the system increases at a much higher rate, and it is not possible to obtain enough equations in the linearised variables. In the case of the bilateral stop and go generator, the degree in the internal state variables and hence the output increases according to Equations (5.8)and (5.9). The clock control bits are multiplied with the bit states of the registers causing an increase in the degree of the equations. The degrees of the equations increase by one at every clock. However, if instead new variables are used for the register states at every clock, this degree accumulation can be prevented and we obtain degree five and three equations in terms of the register states of A and B at each time t respectively, as shown in (5.8)and (5.9). Initially, there are l + l = 2l variables representing the initial states of the registers. This means that a total of 2l new variables are introduced at each time t. Thus 2l equations are introduced as relations between old and new variables. Since the key size is 2l, one would need at least 2l clocks to form a system of equations with a unique solution. From the analysis above, we obtain 4l 2 degree 5 equations in 4l 2 unknowns for the bilateral stop-and-go generator. Similar approaches can be used for the remaining ciphers. For A5/1 using the relabeling technique, the total number of new variables introduced at each time t is 19 + 22 + 23. The number of equations introduced as relations between old and new variables is 64 and since the length of the key is 64, then one needs to clock 64 times to generate 64 ∗ 64 = 4096 quadratic equations. For Alpha 1, A is regularly clocked, therefore, we do not need to add new variable for it at each clock. However, for the rest of the registers, the number of new variables introduced in each clock is 99, therefore the total number of variables and equations introduced for 99 clocks is 9801 quadratic equations. Finally, for MICKEY-80, v1 and MICKEY-128, the total number of equations needed to obtain a unique solution is 6400 quadratic equations in 6400 variables and 16384 quadratic equations in 16384 unknowns respectively. Table 5.6 below summarizes the total number of equations, variables needed to recover the internal state bits for the bilateral stop-and-go generator, A5/1 , Alpha 1 and MICKEY stream ciphers. In the future an efficient algorithm with known complexity may be used to solve a large number of low degree equations. Stream ciphers should be designed in such way to resist such kind of approach. Similarly to all other known cryptalysis technique, they did not exist a decade ago, but when they did, formally secure stream ciphers started to fall one after another.
Chapter 5. Keystream Generators using Mutual Clock Control
96
Stream cipher Bilateral s-and-go A5/1 Alpha 1 MICKEY-80 V1 MICKEY-80 V2 MICKEY-128
Internal state size 2l 64 128 160 200 320
Total variables 4l 2 4096 9801 25600 40000 102400
Total equations 4l2 4096 9801 25600 40000 102400
Degree 5 2 2 2 2 2
Table 5.6: Data obtained for the alternative algebraic attack
5.8 Summary This chapter presented some theoretical results on the complexity of the algebraic equations generated from mutually clock-controlled feedback shift registers. Such ciphers appear to be particularly resistant to algebraic attacks as it has been illustrated on four well-known ciphers, the bilateral stop-and-go, A5/1, Alpha 1 and MICKEY. Guessing some initial state bits in order to reduce the number of monomials generated is a method that has been used to successfully attack some ciphers. The feasibility of such approach on each of the ciphers was examined. This method was shown be to succeed on Alpha 1 with complexity less than exhaustive key search due to the use of a regularly clocked register in the system. Low degree multiples were also shown to exist for these ciphers, however, the degree of these multiples kept increasing. In addition, for the MICKEY stream ciphers, there always exists annihilators that will reduce the degree of the equations. In fact, these annihilators significantly reduce the number of monomials to be recovered. Moreover, equations exhibiting pattern are obtained for all versions of the MICKEY cipher, which might lead to some attack in the future. As well, the same sets of annihilators can be found irrespective of the clock controlling bits. Finally, it was shown that the problem of recovering the internal state of these ciphers could be transformed into a problem of solving quadratic equations in a large number of unknowns.
Chapter 6
Initialization and Algebraic Attacks
6.1 Introduction The previous chapters investigated the security with respect to algebraic attacks of a number of well known keystream generators for binary additive stream ciphers. Most recently proposed stream ciphers use an internal state that is at least twice as large as the key size to provide resistance to generic attacks such as time/memory/tradeoff attacks. An initialization process expands the k bit key to fill the internal state, possibly also incorporating initialization vectors (IV ’s). All of the eSTREAM ciphers use initialization vectors along with a key. For example, Trivium has an internal state size of 288 bits, with a key size of 80 bits and an initialization vector of size 64 bits. Similarly, Grain-128 has an internal state size of 256 bits with a key size of 128 bits and an initialization vector of size 96 bits. In the investigations in previous chapters, the key initialization process was ignored. In fact, some of these keystream generator proposals did not employ an initialization process. Instead, the key bits were loaded directly into the internal state of the generator and then keystream bits were generated. Generally, algebraic attacks aim to recover the internal state of the cipher. In this case, the number of variables is the state size and the equations obtained relate known keystream outputs with the internal state variables. Given a state size which is much greater than the key size, many attacks will be worse than exhaustive key search. An alternative approach is to consider the key bits as variables. Where the key size is less than the state size, there are fewer variables to consider. However, generating equations where the variables are the unknown key bits requires consideration of the initialization process. This chapter considers the effect of the initialization process on the performance of algebraic attacks, for two candidates : Trivium and Grain-128 in profile 2 of phase three of the eSTREAM, the ECRYPT Stream Cipher Project [2]. For both Trivium and Grain-128, the algebraic degree of the equations relating the keystream output bit with the unknown key bits is large, thus defeating the linearization algebraic attack approach. The increase in the degree of the equations occurs during both initialization and keystream generation phases. The number of iterations used during initialization plays a role in the increase. Generally, the 97
98
Chapter 6. Initialization and Algebraic Attacks
more iterations performed during initialization, the higher the degree of the equations. This chapter describes investigations into the number of iterations used during initializations and the effect on algebraic equations and hence on the performance of algebraic attacks. Choosing the number of iterations to be employed in the key initialization phase is usually a tradeoff between security and speed. Speed is required if the cipher is to be reinitialized often with a new IV and the same key, so a small number of iterations may be performed. However, if too few iterations are performed, the generator may be vulnerable to algebraic attacks. For the cryptanalyst one positive aspect of initialization is that multiple keystreams can be used to obtain the required number of equations (possibly of low degree). In previous chapters, one single keystream sequence was considered for recovering the internal state of the ciphers. In this chapter, multiple keystreams are considered to recover the key bits of the cipher. That is, equations are generated for the same unknown key and multiple keystreams using multiple known IV ’s. As most ciphers allow the use of a large number of IV ’s with a single key, this means we can generate as many equations as wanted in the unknowns for a single secret key. The attacker can consider known or chosen IV ’s. In addition, an attacker can take advantage of this by only considering equations for the first keystream bits generated during the keystream generation phase as they generally tend to have low degree. Taking this approach, the attack scenario will change from the previous chapters. This chapter applies this alternative approach to analysis of both Trivium and Grain-128. In these investigations, the number of iterations performed in initialization is considered as a variable. We aim to establish a lower bound for the number of iterations for both Trivium and Grain-128 during the initialization process, and the maximum number of IV ’s to be used with a single key in order to resist algebraic attacks under multiple keystreams. Setting a lower limit for the number of iterations and the number of IV ’s to be used may either save reinitialization time or provide resistance to the attack approach discussed in this chapter. Note that as the investigations presented here are mainly of an experimental nature, several limitations have occured during these investigations such as the availability of computer resources. In addition, there have been time limitations. Most conventional attacks do not depend on variables associated with the initialization. For example, the number of iterations during initialization is not a factor for correlation attacks and fast correlation attacks. For example, if the number of iterations in the initialization process of a cipher is altered, then it will not make much difference to the complexity of correlation attacks. This chapter is organized as follows. Section 6.2 describes the overall method used in this investigation. In Section 6.3, an overview of key initialization process of eSTREAM ciphers is outlined. Sections 6.4 and 6.5 present an in depth analysis of the effect of initialization process on algebraic attacks on Trivium and Grain-128 respectively. Section 6.6 summarizes the chapter.
6.2 Algebraic Attacks using Multiple Keystreams To perform an algebraic attack making use of multiple keystreams produced from a single key and multiple IV ’s, the variables in the generated equations must be the key bits, not internal state bits. The number of maximum IV ’s to be used with a single key and the number of iterations during initialization should be carefully chosen. Their importance is discussed in the next two subsections.
6.2. Algebraic Attacks using Multiple Keystreams
99
6.2.1 Facilitating the Linearization Approach This part shows that the use of large number of IV ’s with a single key may in fact facilitate algebraic attacks by making the linearization method possible. Each known IV results in a set of equations in the same unknowns key bits. Many different IV ’s can be used to generate a large number of equations in the same unknowns. This approach may generate enough equations for the linearization method to be applied. As the equations are generated from the same cipher functions, there will be some dependencies in the equations, however, there will always exist independent equations generated from this large sets of known IV 0 s which can be used in the attack. A relationship between key lengths k, number of IV ’s (N ), number of keystream T , number of monomials M , degree of the equations d is first derived. In order to derive this relationship, one needs to work out the values for algebraic attack parameters for which the complexity of an algebraic attack is more efficient than exhaustive keysearch. Generally, algebraic attacks are more efficient than exhaustive key search using the linearization approach of Algorithm 2.3 whenever k and d satisfy for the following relation: " d � �# ω X k < 2k (6.1) i i=1 for 2.807 ≤ ω ≤ 3
It can be seen from equation 6.1 using ω = 2.807 that for k = 80 and k = 92 the linearization method will fail as soon as the degree of the equations exceeds 6. Similarly, for k = 112 and k = 128, linearization fails for equations of degree 8 and 9 respectively. Where more equations are needed to perform an algebraic attack, one way to obtain the number of equations is by clocking the cipher during the keystream generation phase until enough equations are obtained. However, for many of the eSTREAM ciphers, clocking the register causes the degree of the generated equations to increase. This may in turn make the linearization approach infeasible. An alternative approach is to use multiple keystreams generated from multiple IV ’s to provide sufficient data for the attack. Assume that after initialization process of a cipher has taken place, T output bits have been generated from equations of degree d for which the complexity of an algebraic attack is more efficient than brute force. Assume that the degree increases if we clock more than T times to a point that makes the attack infeasible. In this case, one can use as many IV ’s as needed to generate enough equations to run the attack by generating equations for the first T outputs. The minimum number of different IV ’s required to get enough equations for the above scenario is: N=
"
d � � X k i=1
i
#ω
/T
(6.2)
Figure 6.1 outlines the algorithm steps for using multiple keystreams for facilitating the linearization approach. The complexity of step 2 Algorithm 6.1 might exceed the complexity of the attack, however, it can be performed in a precomputation phase. To illustrate the relations of the parameters in equation (6.2), consider a cipher with 128-bit secret key. Assume that after initialization has taken place, the maximum degree of the equations generated for the first T = 80 outputs is 9, where all of the key bits have been already introduced into our system of equations. The total number of monomials in such a system of
Chapter 6. Initialization and Algebraic Attacks
100
Algorithm 6.1 Multiple keystreams algebraic attacks using the linearization approach Inputs : Cipher design structure, Multiple IV’s, IV1 , IV2 , . . .. Outputs: Sets of equations . • Step 1: Using the cipher structure, generate enough T equations using multiple IV ’s. • Step 2: Check if enough independent equations are obtained. If not generate more equations using more IV ’s and check for dependency. • Step 3: Once enough independent equations are obtained, solve the system of equations by substituting in keystream. • Step 4: Output key bits. Terminate
Figure 6.1: Algorithm for facilitating the linearization approach using multiple keystreams � Pd equations is then equal to i=1 128 = 236.5 , which needs around the same number of outputs or i more to solve for the key bits. This is much more than the given amount of data for that particular degree where algebraic attack is possible, therefore more equations are needed. However, if the cipher is clocked more often in order to obtain the sufficient output bits for the linearization approach to work, then the degree of the equations will increase, thus defeating the linearization method. However, each (k, IV ) generates a sets of equations. By using more IV ’s, enough equations can be generated to recover the key bits. The number of different IV ’s needed in this case according to Equation (6.2)is 236.5 /80 = 230 . Many of the eSTREAM ciphers do not limit the number of different IV ’s that may be used with the � �2.807 same key. This means that the above cipher can be broken with complexity 236.5 ≈ 2124 using 230 different IV ’s. Equation 6.2 can be applied with different values for the parameters to determine the minimum number N of IV ’s which are required for a successful algebraic attacks. Table 6.1 shows a trend in the number N of IV ’s needed for different values of the key length, d and T . key size 80 80 96 96 112 112 128 128
d 5 5 6 6 7 7 9 9
T 50 1000 50 1000 50 1000 50 1000
N 219 215 224 220 229 225 238 234
Table 6.1: Number of IV needed for an algebraic attack for various given numbers of outputs and degrees of the equations Table 6.1 can be interpreted as follows. The first T equations generated after initialization processes are of degree d. The minimum number of IV ’s needed to get enough equations is to run an algebraic attack with complexity less than exhaustive keysearch, is N .
6.2.2 Degree Reduction The use of multiple IV ’s can result in reducing the overall degree of the equations. In many cases, this results in an immediate recovery of key bits. The idea behind this is very simple yet promising as
6.3. Overview of Key Initialization Process of eSTREAM Ciphers
101
Algorithm 6.2 Reducing the degree of the equations using multiple keystreams algebraic attacks Inputs : Cipher design structure, Multiple IV’s, IV1 , IV2 , . . .. Outputs: Sets of low degree equations , lower than d, or linear equations . • a: Generate T equations, z1 , z2 , . . . using IV1 . • b: Repeat step a using another IV, IV2 . 1 1 ,. . . , z T • c: Add the two sets of equations in the following way; zIV + zIV IV1 + 1 2 T zIV2 .
• d: Check if linear or low degree equations resulted from the addition. If so, store the equations in a record. • e: Repeat the above process until enough low degree or linear equations are obtained. • f: Solve the system of equations. • g: Output key bits. Terminate
Figure 6.2: Algorithm for obtaining low degree equations or for reducing the overall degree of the equations using multiple keystreams explained next. Generate two sets of equations a and b using the same unknown key bits k with a pair of known or chosen IV ’s, IV1 , and IV2 respectively. Then add each equation in the two sets generated at the same time instance t. Depending on the initialization process used and the number of X iterations employed, there is a probability that high order terms might cancel out as well as the generation of linear equations. Note that in many new ciphers, it is a hard task to determine before hand the terms that can be canceled for a given output or whether linear equations can be obtained. It is also hard to determine how many multiples of key streams we need and what values of IV bits result in lower degree equations. One naive approach for establishing this is to run some experiments. Experimental simulation has been conducted on Trivium and Grain-128 which applied this concept. Analysis is presented in Sections 6.4 and 6.5 of this chapter. Multiple IV ’s can also be utilized in divide and conquer attacks. One can recover some key bits using the above approach, then substitute these recovered bits, then use more pairs of IV ’s to recover some more key bits and so on. Again, it is a hard task to know in advance which key bits can be recovered and which IV ’s to choose. The method explained above can be used either to reduce the degree of the equations to a level where the algebraic attack complexity is feasible or to generate linear equations which in some cases can lead to an immediate key bits recovery. Figure 6.2 outlines the algorithm steps for the approach discussed in this section. Note that in many cases, one might be able to reveal key bits directly. The above algorithm can be further improved by substituting in the recovered key bits and repeating the algorithm again.
6.3 Overview of Key Initialization Process of eSTREAM Ciphers An investigation into the role of initialization on algebraic attacks shows that most of the eSTREAM ciphers are designed in such a way that the degree of the equations increases as the cipher is clocked,
102
Chapter 6. Initialization and Algebraic Attacks
therefore eliminating the efficiency of some of the algebraic attack methods, i.e. the linearization approach. For some ciphers, the degree of the equations increases during the key initialization phase, others during the keystream generation phase and some others in both phases. Generally, there is no one standard way of doing the initialization process. It has been done in an add-hoc way. In addition, key and IV bits loading are done in three different ways. In the first way, the IV and key bits are loaded into the cipher as in Trivium, Grain, DECIM V1 [23] and DECIM V2. The cipher is clocked or stepped say X times. The majority of the eSTREAM ciphers load in the key and then the IV bits. Other ciphers load in the IV bits and then the key bits. However, the way these parameters are loaded plays a role in increasing the degree of the equations. For example, in Achterbahn [93] stream ciphers, the introduction of IV bits into the cipher causes the overall degree of the equations generated from the cipher to increase. In the MICKEY cipher, every key bit introduced into the system increases the overall degree of the equation by one. The introduction of IV bits does not increase the degree of the equations as they also get loaded first. Moreover, many of the eSTREAM ciphers introduce key bits and IV bits into the system as the system is clocked or stepped, as in Achterbahn, MICKEY-80 V1, V2 and MICKEY-128. In other words, each time a cipher is clocked or stepped, a new IV or key bit is introduced. Another remark worth mentioning is that in some ciphers, the introduction of known IV bits causes the degree of the equations to increase dramatically even before the end of the initialization and this can be seen in Achterbahn V1 and Achterbahn V2. If one chooses to use the guessing approach, this will result in guessing a large number of bits in order to get some solvable system of equations, as the internal state size for most of these ciphers is at least as twice as large as the key size. The following sections describe in more depth the effect of initialization on algebraic attacks on Trivium and Grain-128. The investigation is conducted through a series of experiments. In the experiments, the original iteration length of the initialization process of the ciphers has been varied. For each chosen iteration length, a series of tests are conducted. In more detail, the number X of iterations of the initialization process is varied while the number Y of iterations of the keystream generation phase is fixed. For each X and Y values, the maximum degree of the equations generated is first computed. Then the approaches outlined in Section 6.2 are applied to these ciphers. All computations involved in this investigation were performed with MAGMA 2.11 on the IRIX-64 computers.
6.4 Trivium Trivium [41] is a hardware based stream cipher. It was designed by Christophe De Canniere and Bart Preneel. Trivium has been analysed in [167]. Trivium takes a key and IV of length 80. Trivium is based on three long registers, 84, 93, and 111 bits together make up the internal state of size 288. Bits taken from the register itself and one of the other two registers update each register of Trivium nonlinearly. The nonlinear update function for the cipher uses bits from all three registers. The output of the cipher is also taken from three registers. The internal state bits of Trivium are denoted as (s 1 , s2 , . . . , s288 ). During the initialization, Trivium is iterated 4 times its internal state size before producing any output bits. The pseudo-code for both the keystream generation and initialization are taken from the specification of Trivium are given below in Figure 6.3 respectively.
6.4. Trivium
103
for i = 1 to N do t1 ← s66 + s93 t2 ← s162 + s177 t3 ← s243 + s288 z i = t1 + t2 + t3 t1 ← t1 + s91 s92 + s171 t2 ← t2 + s175 s176 + s264 t3 ← t3 + s286 s287 + s69 (s1 , s2 . . . , s93 ) ← (t3 , s1 . . . , s92 ) (s94 , s95 . . . , s177 ) ← (t1 , s94 . . . , s176 ) (s178 , s279 , . . . , s288 ) ← (t2 , s178 , . . . , s287 ) end for (s1 , s2 . . . , s93 ) ← (K1 , K2 . . . , K80 , 0, . . . , 0) (s94 , s95 , . . . , s177 ) ← (IV1 , IV2 , . . . , IV80 , 0, . . . , 0) (s178 , s279 . . . , s288 ) ← (0, . . . , 0, 1, 1, 1) for i = 1 to 4*288 do t1 ← s66 + s91 ∗ s92 + s93 + s171 t2 ← s162 + s175 ∗ s176 + s177 + s264 t3 ← s243 + s286 ∗ s287 + s288 + s69 (s1 , s2 . . . , s93 ) ← (t3 , s1 . . . , s92 ) (s94 , s95 . . . , s177 ) ← (t1 , s94 . . . , s176 ) (s178 , s279 , . . . , s288 ) ← (t2 , s178 , . . . , s287 ) end for
Figure 6.3: Keystream generation and initialization processes of Trivium
6.4.1 Facilitating the Linearization Approach on Trivium In the first test, the maximum degree of the equations generated was computed every 10 iterations of the initialization phase. The minimum number of iterations X was set to 288, that is the size of the internal state and the maximum number of iterations was set to 360. The experiment was repeated for 160 different IV ’s, that are 80 pairs of IV , differing in one position. The maximum degree of the equations generated from Trivium from X = 288 to X = 320 for the first 21 outputs was 5, however, the degree then increases. Thus, according to equation 6.1, Trivium is prone to the multiple keystreams attack for X less than or equal to 320 with an attack complexity of "
# 5 � � 2.807 X 80 i=1
i
≈ 269
The minimum number of IV ’s needed to run the attack according to equation 6.2 is 2 24.6 /21 ≈ 220.2 . As soon as the degree increases to 6, algebraic attack becomes less efficient than brute force.
6.4.2 Experimental Results Experimental simulations were conducted implementing Algorithm 6.2 of Figure 6.2. Using Algorithm 6.2, low degree equations can be obtained if appropriate equations can be identified and combined, higher degree terms can be eliminated. Experiments were performed for three different iterations numbers: X = 288 and X = 335. In the simulation, pairs of IV ’s were randomly chosen such that they differ in one position only and only 21 output equations were generated. For each X, the experiment was repeated 80 times and each time the maximum degree of the generated equations was first recorded before combining them. Algorithm 6.2 was then applied. Note that in these simulations, we were only interested in linear
Chapter 6. Initialization and Algebraic Attacks
104
relations. Tables 6.2 and 6.3 record the results of a few sample simulations. The tables also record the relations obtained from applying the algorithm of Figure 6.2 for X = 288 and X = 335 respectively. The IV values in the tables are given by their hexadecimal values. The experimental results presented in Tables 6.2 and 6.3 showed the usefulness of the approach and since many linear equations can easily be obtained and some key bits can immediately be revealed. The process of key recovery was then improved by substituting the recovered key bits back into the system, reducing the number of unknowns in the equations. The experiment was then repeated for different pairs of IV sets until all key bits were recovered. Using this approach, the algorithm managed to recover key bits without solving any equations for X up to 345 iterations. It can also be seen that the simple combining process enabled us to work with linear relations instead of high degree relations. For example, for X = 288, equations of degree 5 were reduced to linear equations and for X = 335, equations of degree 7 were reduced to linear relations as well. IV1 8DF 4F 4641F 1D965733EA
IV2 8DF 4F 4641F 1D965737EA
Max d 5
9E554C4AEF F 3E7780A57
9E554C4AEF F 3E7780A17
5
7F 9B92F 13F EC75410EC2
7F 1B92F 13F EC75410EC2
96A523C59DE9DB226D89
96A523C59DE9DB222D89
5
772678B97BE966797DC
572678B97BE966797DC
5
Relations Obtained 9 9 zIV + zIV = k18 + 1 1 2 10 10 zIV + z IV2 = k16 + k17 1 11 11 zIV + zIV = k15 + 1 1 2 18 18 zIV + z IV2 = k59 1 20 20 zIV + zIV = k55 + k61 1 2 7 7 zIV + z = k20 IV2 1 8 8 zIV + zIV = k18 + k19 + 1 1 2 18 18 zIV + zIV = k57 + 1 1 2 19 19 zIV + z IV2 = k55 + 1 1 13 13 z IV + zIV = k62 + k68 + 1 1 2 15 15 zIV + z IV2 = k11 + k59 + k65 1 1 1 zIV + zIV = k10 + k11 + k25 + k26 1 2 2 2 zIV + z IV2 = k9 + k10 + k24 + k25 + 1 1 3 3 zIV + zIV = k8 + k23 + 1 1 2 8 8 zIV + z IV2 = k1 1 13 13 zIV + zIV = k14 1 2 14 14 zIV + z = k12 + 1 IV 1 2 15 15 zIV + zIV = k12 1 2 16 16 zIV + z = k10 + k11 + 1 IV 1 2 1 1 zIV + zIV = k11 1 2 2 2 zIV + z = k9 IV 1 2 14 14 zIV + zIV = k61 + k67 + 1 1 2 15 15 zIV + zIV = k59 + k60 + k65 + k66 + 1 1 2 16 16 zIV + z = k11 + k58 + k59 + k64 + k65 IV 1 2 17 17 zIV + zIV = k9 + k57 + k63 + 1 1 2
Table 6.2: Experimental results for Trivium :X = 288 iterations and Y = 21. IV1 BA0616F E662C3994B6 E8638F C4F D2E1F 384CE0 E3E374660A851DD136F 9 A7AC5773095048D39275 4795DDEBE4B3A4BF 13BB DCE265BCC37484D07191 D4E3AE6B7DC3527798A2 D32CAE029E1612266F 31 4CE7F 73B14EA2C025B12 55D4019CDC2DB6038DA9
IV2 BA0416F E662C3994B6 E8638F C4F D2E1F 284CE0 E3E374660A855DD136F 9 A7AC5773095058D39275 4791DDEBE4B3A4BF 13BB 9CE265BCC37484D07191 D4C3AE6B7DC3527798A2 D32CBE029E1612266F 31 4CE7F 73B14EA2C825B12 55D4011CDC2DB6038DA9
Max d 7 7 7 7 7 7 7 7 7 7
Relations Obtained 4 4 zIV + zIV = k27 1 2 21 21 zIV + zIV = k10 + 1 1 2 13 13 zIV + zIV = k18 1 2 6 6 z IV + z = k55 IV 1 2 16 16 zIV + zIV = k15 + 1 1 2 7 7 zIV + zIV = k24 1 2 14 14 zIV + z = k16 + k17 + 1 IV2 1 2 2 zIV + zIV = k29 1 2
Table 6.3: Experimental results for Trivium :X = 335 iterations and Y = 21
6.5. Grain-128
105
6.4.3 Observation on Trivium Initialization Another note to make on the initialization of Trivium is the following. Let E be sets of equations generated from clocking the cipher X times during the loading phase and Y times time during the keystream generation phase. Then the same sets of equations E can be generated after iterating the cipher Y times during initialization and then X − Y times in the keystream generation phase. We can make use of this observation for efficiency reasons if one procedure takes longer the other one, but it would mean ignoring some keystream bits or adding more keystream bits. We noted that the initialization takes longer then the keystream generation phase for a given X and Y , as opposed if we do Y and then X, but this would mean ignoring the first X − Y keystream bits.
6.5 Grain-128 The Grain family of stream ciphers [123, 124] is based on an LFSR, NLFSR and an output function. Grain-80 versions support a key size of 80-bits and use an LFSR and an NLFSR of length 80 each, while Grain-128 support a key size of 128-bits and uses an LFSR and an NLFSR of length 128 each. In both versions, selected bits from both registers are filtered using a degree 4 Boolean function for Grain-80 and degree 3 for Grain-128 respectively. In the Grain ciphers, the IV bits are loaded into the LFSR and the key bits into the NLFSR. The cipher is then clocked 160 times for Grain-80 and 256 times for Grain-128. However, during the initialization, the feedbacks of both registers are changed. The feedback of the LFSR depends on bits from the NLFSR. Similarly for the feedback of the NLFSR. In our analysis, we look at the strengthened version of the family, Grain-128. This section provides the first analysis of Grain-128. Grain-128, Figure 6.4, supports a key size of 128 bits and an IV size of 96 bits. Grain-128 is very similar to Grain-V1 except for the size of the registers that make a total internal state size of 256 bits. The initialization and keystream generation processes of Grain-128 are described below. The internal state of the registers is initialized as follows. The 128 NFSR elements are loaded with the key bits, and then the first 96 LFSR elements are loaded with the IV bits and the last 32 bits of the LFSR are filled with ones. After loading key and IV bits, the cipher is clocked 256 times without producing any keystream. Instead the output function is fed back and xored with the input, both to the LFSR and to the NFSR. Denote the contents of the LFSR by si , si+1 , . . . , si+127 and the the content of NFSR by bi , bi+1 , . . . , bi+127 . The feedback polynomial of the LFSR, and the NLFSR denoted f (x), g(x) respectively given by f (x) = x128 + x121 + x90 + x58 + x47 + x32 + 1.
g(x)
= 1 + x32 + x37 + x72 + x102 + x128 +x44 x60 + +x61 x125 + x63 x67 + x69 x101 + +x80 x88 + x110 x111 + x115 x117 .
Keystream bits are generated as follows. At each clock, 9 bits are taken as input to a degree 3 Boolean function, h(x). Two inputs to h(x) are taken from the NFSR and seven are taken from the
Chapter 6. Initialization and Algebraic Attacks
106
g(x)
N F SR
f (x)
LF SR
h(x)
Figure 6.4: The Grain family of stream cipher LFSR. This function is defined as h(x) = x0 x1 + x2 x3 + x4 x5 + x6 x7 + x0 x4 x8 where the bits x0 , x1 , x2 , x3 , x4 , x5 , x6 , x7 and x8 correspond to the tap positions bi+12 , si+8 , si+13 , si+20 , bi+95 , si+42 , si+60 , si+79 and si+95 respectively. Finally, the keystream bits are computed using the following defined function zi =
X
bi+j + h(x) + si+93
(6.3)
j∈Λ
where Λ = {2, 15, 36, 45, 64, 73, 89}.
6.5.1 Facilitating the Linearization Approach In order to make use of the idea presented in Section 6.2.1 on Grain-128, the maximum degree we can work with is 9 which is the largest degree where algebraic attacks are more efficient than brute force for a 128-bit key size according to equation 6.1. Based on our simulation, Grain-128 outputs for the first Y = 10 clocks, equations of degree 8 for X = 66. Thus it is prone to linearization attacks using � P8 37 at least i=1 128 known IV ’s. i /10 = 2
6.5.2 Experimental Results Experimental simulations were conducted implementing Algorithm 6.2. Using Algorithm 6.2, low degree equations can be obtained if appropriate equations can be identified and combined, and higher degree terms can be eliminated. Experiments were performed for three different iterations numbers: X = 64, 82 and X = 94, where Y = 10.
6.5. Grain-128
107
In the simulation, pairs of IV ’s were randomly chosen such that they differed in one position only and only 21 output equations were generated. For each X, the experiment was repeated 80 times and in each time the maximum degree of the generated equations was first recorded before combining them. Algorithm 6.2 was then applied. Note that in these simulations, we were only interested in linear relations. Tables 6.4, 6.5 and 6.6 record the results of few simulations only. The tables also records the relations obtained from applying the algorithm of Figure 6.2 for X = 288, X = 335 and X = 345 respectively. The IV values in the tables are given by their hex values. The experimental results presented in Tables 6.4,6.5 and 6.6 showed the usefulness of the approach and since many quadratic equations can easily be obtained and some key bits can immediately be revealed. Note that however, in Grain-128, the degree 2 relations were obtained by finding a suitable multiple that significantly reduced the high degree of the equations to at most degree three in our simulations. The process of key recovery was then improved by substituting the recovered key bits back into the system, reducing the number of unknowns in the equations. The experiment was then repeated for different pairs of IV sets to recover more bits. Using this approach, in general, the algorithm can recover key bits by solving quadratic equations for X up to 345. It can also be seen that the simple combining process enabled us to work with quadratic relations by finding low degree multiples instead of high degree relations. For example, for X = 64, equations of degree 8 were reduced to in most cases to linear equations. Similarly, for X = 82, equations of degree 10 can be reduced to linear relations and finally, for X = 94, equations of degree 10 were reduced to degree 2 equations. Similar observations to Trivium has been observed in Grain-128. Simulations show that linear equations exists so far for X < 94. In addition, the equations get very complex and the degree goes up to degree 12 for X = 94. However, the overall degree could always be reduced to one or two. Degree 2 multiples have also been found that reduce the overall degree of the equations to 2 using a multiple of the form (xa + 1)(xb + 1). More interestingly, the degree two multiples happened to be of fixed distance apart, that is xa and xb are found to be l positions apart, where l differs from X to another. Note also that in the case of Grain-128, so far we have managed to reduce the degree of almost every output equation.
Chapter 6. Initialization and Algebraic Attacks
108
IV1 570E5F 7967C157F B627C18C5
IV2 570E5F 7967C157F B607C18C5
Degree 8
50A5F F BA7B530BB5E7D4A4B0
5085F F BA7B530BB5E7D4A4B0
8
DA87E2D365A5986218570E15
DA87E2D365A5986218570E14
8
Relations obtained 1 1 (z IV + zIV )(k128 + 1) = 0 1 2 1 1 (zIV + z )(k45 + 1) = 0 IV 1 2 2 2 (zIV + zIV )(k46 + 1)(k123 + 1) = 0 1 2 2 2 (zIV + zIV )(k79 + 1)(k123 + 1) = 0 1 2 3 3 (zIV + zIV )(k80 + 1) = 0 1 2 5 5 (zIV1 + zIV )=0 2 6 6 (zIV + z )=1 IV 1 2 7 7 (zIV + zIV ) = k45 k128 1 2 8 8 (zIV + zIV )=0 1 2 9 9 (zIV + z IV2 ) = 0 1 1 1 (zIV + zIV )(k87 + 1) = 0 1 2 11 11 (zIV + z IV2 )(k88 + 1) = 0 1 11 11 (zIV + zIV )(k55 + 1) = 0 1 2 12 12 (zIV + z )(k56 + 1) = 0 IV 1 2 12 12 (zIV + zIV )(k89 + 1) = 0 1 2 1 1 (z IV + z ) = k14 IV 1 2 2 2 (zIV + z )(k 14 + 1)(k79 + 1) = 0 IV2 1 3 3 (zIV + zIV )(k14 + 1)(k15 + 1) = 0 1 2 4 4 (zIV + z IV2 )(k48 + 1)(k81 + 1) = 0 1 5 5 (zIV + zIV )(k47 + 1)(k82 + 1) = 0 1 2 6 6 (zIV + z IV2 )(k15 + 1)(k83 + 1) = 0 1 8 8 (zIV + zIV ) = k14 + k15 1 2 9 9 (zIV + z )(k 14 + 1)(k47 + 1) = 0 IV2 1 10 10 (zIV + zIV )(k48 + 1)(k87 + 1) = 0 1 2 12 12 (zIV + z IV2 )(k89 + 1) = 0 1 1 1 (z IV + z IV2 )(k13 + 1) = 0 1 2 2 (zIV + z )(k96 + 1) = 0 IV 1 2 2 2 (zIV + zIV ) = k79 + 1 1 2 3 3 (zIV + z )(k 47 + 1)(k80 + 1) = 0 IV 1 2 4 4 (zIV + zIV )(k81 + 1)(k96 + 1) = 0 1 2 5 5 (zIV1 + zIV2 )(k47 + 1)(k82 + 1) = 0 7 7 (zIV + zIV ) = k84 + 1 1 2 8 8 (zIV + zIV )=0 1 2 9 9 (zIV + z )(k + 1)(k 47 86 + 1) = 0 IV 1 2
Table 6.4: Experimental results for Grain-128: X = 64 and Y = 12 IV1 A38F 93AA746BEF 1806CD655E 676D15F 75C31AC787DAA59D7 377D9BB5A284F 4A446D1D103 BF 2B94BCB51F 9A464A8B5B3 3BA84707F 213F 26F 39158F 31
IV2 A18F 93AA746BEF 1806CD655E 676D15F 75C31AE787DAA59D7 377D9BB5A284F 4A446D1D10B BF 2B94BCB50F 9A464A8B5B3 3BA84707F 213F 26E39158F 31
Degree 10 10 10 10 10
Relations Obtained 4 4 (z IV + zIV )(k99 + 1) = 0 1 2 3 3 (z IV + z )(k 107 + 1) = 0 IV 1 2 1 1 (z IV + zIV )(k96 + 1) = 0 1 2 3 3 (z IV + zIV )(k98 + 1) = 0 1 2 12 12 (z IV1 + zIV2 ) = k116 + k117
Table 6.5: Experimental results for Grain-128: X = 82 and Y = 12
IV2 1368C231E7C7 E016C622BA60 333046AE458D BD472476F CDA
Degree 10
AE31D7B6911A AA14DF C0B308
AE31D7B6911A AA14DF C0B30C
10
D023C1542819 4153ED5A4B20
D023C1542819 4153ED5A4B24
10
10
Relations Obtained 2 2 (zIV + zIV )((k60 + 1)(k109+1 )) 1 2 = (k45 k128 + k126 + 1)(k60 + 1)(k109+1 ) 1 1 (zIV + zIV )(k59+1 (k108 + 1)) 1 2 = (k59+1 )(k108 + 1))(k12 + k22 + k25 + k46 + k55 + k74 + k83 + k99 + k105 + 1) 2 2 (zIV + zIV )(k60 + 1)(k109 + 1)) = (k60 + 1)(k109 + 1))(k45 k128 + k60 + k126 + 1) 1 2 1 1 (zIV + zIV )=0 1 2 2 2 (zIV1 + zIV2 ) = k45 k128 + 1 3 3 (zIV + zIV )(k77 + 1)(k110 + 1)) 1 2 = ((k77 + 1)(k110 + 1))(k14 + k24 + k27 + k48 + k57 + k76 + k85 + k101 + k110 ) 1 1 (zIV + zIV )=0 1 2 2 2 (zIV1 + zIV2 ) = k45 k128 + 1 3 3 (zIV + zIV )(k77 + 1)(k110 + 1)) 1 2 = ((k77 + 1)(k110 + 1)) (k45 k128 + k77 k128 + k110 k128 + k14 + k27 + k48 + k57 + k76 + k85 + k101 + 1)
6.5. Grain-128
IV1 1368C231E7C7 E016C622BA64 333046AE458D BD472476F CDE
Table 6.6: Experimental results for Grain-128: X = 94 and Y = 12
109
110
Chapter 6. Initialization and Algebraic Attacks
6.6 Summary In this chapter, a different approach for breaking keystream generators was considered. In this approach, relationships between the key bits and the output were considered. Taking this approach requires indepth investigations of the key initialization process. Many ciphers employ key initialization so that the same secret key may be used with many different IV ’s. The number of iterations performed during initialization is also investigated. A framework for using multiple keystreams for conducting algebraic attacks was shown. In the investigation, both the number of IV and the number of iterations were considered as variables. It was shown that the use of a large number of IV ’s with a single key can provide enough equations to recover the key bits. This approach may also be applied to reduce the degree of the equations, hence making algebraic attacks efficient. The investigations were conducted on two stream ciphers: Trivium and Grain-128. These are two of four focused ciphers in profile two phase three of the eSTREAM ciphers project. It was shown that Trivium is prone to multiple keystream algebraic attacks using only 2 32 IV ’s if the number of iterations performed during initialization process is less than 355 times. The approach significantly reduced the overall degree of the equations generated for the parameters tested from degree 7 to degree 1 equations. In many cases this lead to immediate recovery of the key bits. Grain-128 was also shown to be prone to algebraic attacks based on multiple keystreams. The high degree terms in equations could be reduced to at most degree 2 for the parameters for the first 96 iterations of the cipher. In general, it was shown that it is also possible to reduce the degree of every single equation from degree 10, the maximum degree considered in this thesis to degree 2. Due to time constraint, only a brief investigation was performed particularly to establish experimentally the lower bound for the number of iterations. The key initialization process of Grain-128 deserves further investigation with regards to algebraic attacks using multiple keystreams. From the above, the number of iterations during the key initialization and the maximum number of IV ’s to be used with one key should not be chosen at random. The possibility of multiple keystream, algebraic attacks has to be taken into consideration when choosing the number for these parameters.
Chapter 7
Algebraic Analysis of the LILI Keystream Generators
7.1 Introduction In Chapters 3, 4 and 5, algebraic attacks and analyses on a number of stream ciphers were given. In the above chapters, key initialization process was ignored and the aim of the attacks was to recover the internal state of the ciphers. Then in Chapter 6, the relation between key initialization and algebraic attacks were investigated on a number of the eSTREAM ciphers. The aim was to recover the key bits directly taking into consideration key initialization process. This chapter investigates both perspectives on a well known family of stream ciphers, the LILI ciphers [182]. That is the feasibility of recovering the internal state using algebraic attacks and the feasibility of recovering the key bits taking into consideration the key initialization process. Courtois and Meier introduced two algebraic attacks on LILI-128 [65]. To date there are no algebraic attacks reported on LILI-II [181]. This chapter examines the resistance of these and other ciphers in the LILI family [182] to algebraic attacks. A relationship between parameters that provide resistance to algebraic attacks including the size of the registers, the difference in their lengths, the degree of the Boolean function used and the number of times the controlled register is clocked will be derived. In particular, for LILI-II, it is shown that the filter function is not optimal with respect to algebraic attacks: there exist low degree multiples. This has a substantial impact in reducing the overall attack complexity of algebraic attacks on LILI-II. In Section 7.2, a description of the LILI family of stream ciphers and of the specific designs of LILI-128 and LILI-II are given. In Section 7.3, a general algebraic analysis of the LILI family is outlined. A more specific algebraic analysis of LILI-II is given in Section 7.4, and it will be shown that the filter function used in LILI-II is not optimal with regards to algebraic attack. A polynomial multiple will be presented which significantly reduces the degree of equations generated. A discussion of the
111
Chapter 7. Algebraic Analysis of the LILI Keystream Generators
112
importance of initialization for the LILI family of stream ciphers in providing resistance to algebraic attacks is given in Section 7.5. Section 7.6 investigates the resistance of other instances of the LILI family ciphers to algebraic attacks. Section 7.7 presents the summary of the chapter.
7.2 Description The LILI family of stream ciphers are keystream generators that use two binary LFSRs and two nonlinear functions to generate pseudorandom binary keystream sequences. The feedback polynomials of both LFSRs are chosen to be primitive polynomials. An all-zero state in either register is not permitted. The structure of LILI keystream generators is illustrated in Figure 7.1.
LF SRc
LF SRd
-
r ... ? ? fc
w ... ? ? c(t)
z(t) -
fd
CLOCK CONTROL
DATA GENERATION
Figure 7.1: The LILI family of keystream generators.
The components of the keystream generator can be grouped into two subsystems based on the functions they perform: clock control and data generation. The l-bit LF SRc for the clock-control subsystem is regularly clocked. The contents of r stages of LF SRc are input to a function, fc . The output of fc is an integer between 1 and 2r , inclusive. Denote ∞
the sequence of outputs of fc by c(t) = {c(t)}t=1 . This is a periodic integer sequence, with period equal to Pc = 2l − 1. The output of the clock-control subsystem controls the clocking of the m-bit
LF SRd . Each time LF SRc is clocked, LF SRd is clocked between 1 and 2r times. The contents of w stages
of LF SRd are input to fd , a Boolean function of degree d. The binary output of fd is the keystream bit z(t). At time t, the binary output of fd is the keystream bit z t . After z t is produced the process is ∞
repeated to form the sequence z = {z(t)}t=1 . The contents of LF SRc and LF SRd at time t are denoted as cti and dtj respectively for 1 ≤ i ≤ l
and 1 ≤ j ≤ m and t ≥ 1. The parameters of two specific designs from the LILI family; LILI-128 and LILI-II are shown in Table 7.1 and described in Sections 7.2.1 and 7.2.2 respectively.
LILI-128 LILI-II
Length of LF SRc 39 bits 128 bits
Period of LF SRc 239 − 1 2128 − 1
Length of LF SRd 89 bits 127 bits
Period of LF SRd 289 − 1 2127 − 1
Algebraic degree of fd 6 10
Table 7.1: Parameters for two specific generators from the LILI family
7.3. Algebraic Analysis of the LILI Family of Stream Ciphers
113
7.2.1 LILI-128 Keystream Generator LILI-128 [182] uses registers LF SRc and LF SRd of lengths l = 39 and m = 89 respectively. Thus the internal state size is 128 bits. Keystream generation is performed as follows. At time t, the contents of the r = 2 stages 12 and 20 of LF SRc are used as inputs to the function fc . The output is calculated by fc (ct12 , ct20 ) = 2(c12 )t + ct20 + 1. The output is an integer between 1 and 4, inclusive. The w = 10 inputs to fd are taken from the LF SRd positions (0, 1, 3, 7, 12, 20, 30, 44, 65, 80). We note that the function fd , given in [182], has an algebraic degree of 6. LILI-128 is intended for use with a 128-bit key,k and an initialization vector v of up to 128-bits. The re-keying scheme of LILI-128 provided in [74] is as follows. Firstly, use k and v to form an initial internal state value. The initial internal state value is formed by XORing two 128-bit vectors: k and v or a 128-bit vector formed from the concatenation of copies of v, if v is less than 128 bits. Secondly, use the first 39 bits of this sum to form the initial state of LF SRc and the remaining 89 bits to form the initial state of LF SRd . In [74] the rekeying process is defined with parameters a and b for the number of applications, and the number of lead bits deleted from the outputs, respectively. That is, after the initial loading of the LFSRs, run a applications of the cipher, generating (128 + b) output bits each time, deleting the first b outputs and reloading the LFSRs with the remaining 128 bits. For LILI-128 recommended minimum values are a = 1 or a = 2 and b = 32, but preferably b = 64, or b = 128. After the rekeying process has been performed the cipher is ready for keystream generation. We choose a = 2 and b = 0 to conduct further analysis on the initialization process discussed in Section 7.5.1.
7.2.2 LILI-II Keystream Generator LILI-II [181] uses registers LF SRc and LF SRd of lengths l = 128 and m = 127 respectively. Thus it has an internal state size of 255 bits. Keystream generation is performed as follows. At time t, the contents of the r = 2 stages 1 and 127 of LF SRc are used as inputs to the function fc . The output is calculated by fc (ct1 , ct127 ) = 2(c1 )t + ct127 + 1. The output is an integer between 1 and 4, inclusive. The w = 12 inputs to fd are taken from the LF SRd positions (0, 1, 3, 7, 12, 20, 30, 44, 65, 80, 96, 122). The function selected for fd and given in [181] has an algebraic degree of 10. The 255-bit initial state for LILI-II is formed from a 128-bit key k and a 128-bit initialization vector v in a three step process, as follows. Firstly, the 128-bit initial state of LF SR c is given by XORing k and v, and the 127-bit initial state of LF SRd is given by deleting the first bit of k and the last bit of v, and XORing the two resulting 127-bit binary strings. In the second step, the cipher is clocked to produce an output string of length 255 bits. The first 128 bits of this output are used to form a new state for LF SRc , and the remaining 127 bits are used to form a new state for LF SR d . The third step repeats step 2: the cipher is clocked to produce an output string of length 255 bits, of which the first 128 bits are loaded into LF SRc and the remaining 127 bits are loaded into LF SRd . At this point the generator is ready for the production of keystream.
7.3 Algebraic Analysis of the LILI Family of Stream Ciphers Algebraic attacks on stream ciphers involve generating and solving an overdefined system of multivariate polynomial equations relating the stream ciphers’ initial state values and known keystream bits. The
Chapter 7. Algebraic Analysis of the LILI Keystream Generators
114
Algorithm 7.1 Algebraic attack algorithm based on guessing the controlling register. Inputs : Feedback polynomials of LF SRc and LF SRd ; keystream. Outputs: Internal state bits of LF SRc and LF SRd .
Pd
i=1
m� i
segments of
1. Guess value for LF SRc � P • a: Generate di=1 m output bits from LF SRc . i Pd m� • b: Generate equations from LF SRd treating output of i=1 i LF SRc as clocking information for LF SRd . • c: Solve the system of equations of LF SRd by substituting in keystream.
• d: Reconstruct keystream using recovered internal state bits of LF SR d and guessed bits of LF SRc . • e: If reconstructed keystream matches obtained keystream go to 2. Otherwise go to 1. 2. Output LF SRc and LF SRd . Terminate
Figure 7.2: Algorithm for algebraic attack based on guessing the controlling register complexity of an algebraic attack is dominated by the degree of the equations generated, as the lower the degree the more efficient the attack becomes. For LILI keystream generators, the function f d is central to the generation of equations. Low degree multiples of f d could be used to reduce the degree of generated equations, and hence the complexity of an algebraic attack. There are two existing algebraic attacks on ciphers from the LILI family; both are attacks on LILI128 [65] and demonstrate time-data tradeoffs. The first attack involves guessing the initial state of LF SRc , then using the known clocking sequence to form equations relating the initial state bits of LF SRd and the keystream bits and attempting to solve these equations. This attack requires 2 18 keystream bits and 2102 operations. The second attack involves taking a subsequence of keystream bits that are 2l − 1 places apart, form equations relating the initial state bits of LF SRd and these keystream
bits and attempting to solve these equations. This attack requires 2 57 keystream bits and 263 operations. In Sections 7.3.1 and 7.3.2 respectively, we review these two attacks on LILI-128, generalizing them to the entire LILI family.
7.3.1 Attack 1 : Guessing the Controlling Register In the first algebraic attack on LILI-128, the initial internal state of register LF SR c is guessed, revealing the clocking pattern of LF SRd . For each guess, a system of equations is constructed relating the unknowns initial state from LF SRd and the keystream bits. After substituting the keystream bits, an attempt to solve the system of equations is made. If the system of equations is inconsistent then the original guessed LF SRc state is wrong. Otherwise, the recovered initial state bits can be used to generate a candidate keystream. If this agrees with the observed keystream then the guess is correct. For other LILI generators, the output function fd may be of higher degree, potentially providing greater resistance to algebraic attacks. In this case, in a precomputation phase, the lowest degree multiples g of f can be determined, as discussed in Section 2.1.2 of Chapter 2. The attack algorithm of this approach is given by Algorithm 7.1. As this approach requires guessing the internal state bits of LF SRc , which has a complexity of
7.3. Algebraic Analysis of the LILI Family of Stream Ciphers
115
l each guess, one system of equations needs to be solved, or attempted. This system has h2P− 1. For �i d m equations. The computational complexity for solving the system of equations in step 1c i=1 d
using Strassen’s algorithm [186] is given by M ω , with 2.807 ≤ ω ≤ 3. In order for this attack to be applied to other members of the LILI family with complexity less than exhaustive key search, the parameters must satisfy the following equation: l
2 −1
"
d � � X m i=1
d
#ω
< (2k − 1)
(7.1)
7.3.2 Attack 2 : Keystream Decimation In the second algebraic attack, the attacker targets LF SRd and avoids guessing the clock control components by taking a regular decimation of the keystream. Let ∆ d denotes the number of times LF SRd is advanced for one period of LF SRc . It was shown in [73] that r
∆d = (2l−r − 1) +
2 X s=2
s × 2l−r
(7.2)
The attack is performed in two phases: precomputation and a realtime phase. In the precomputation phase, the lowest degree multiple of fd is computed as discussed in Section 2.1.2 of Chapter 2. In ad� Pd dition, i=1 mi equations are obtained from LF SRd every ∆d cycles. In [173], Saarinen suggests
stepping LF SRd ∆d number of positions using either a vector-matrix multiplication with a precomputed m × m bit matrix over GF (2), or by using a multiplication algorithm in GF (2 m ). In the realtime
phase we substitute the keystream bits and attempt to solve the system of equations. The steps of the realtime phase of this approach are outlined in Algorithm 7.2.
For this attack, we need to select keystream bits that are (2l −1) apart. Assume that we have found n � Pd independent low-degree multiples of fd . We form i=1 m d equations relating the initial internal state
values for LF SRd and the known keystream bits, and attempt to solve them. Let T denote the number of keystream bits required for the attack to be successful. Therefore, the total amount of keystream required for a successful attack is "
l
T = (2 − 1)
# d � � X m i=1
d
/n
(7.3)
The number of equations that can be generated from LF SRd can be computed as follows. For each period of LF SRc , use one output or equation every ∆d . For one period of LF SRd , 2m − 1 equations can be obtained. The total number of equations E is given by E = (2m − 1)/gcd((∆d , 2m − 1))
(7.4)
The number of equations that can be generated from LF SRd must be greater or equal to the number of keystream bits required to run the attack. l
E ≥ (2 − 1)
d � � X m i=1
d
/n
(7.5)
116
Chapter 7. Algebraic Analysis of the LILI Keystream Generators
Algorithm 7.2 Algebraic attack algorithm based on keystream decimation Inputs: ANF of fd . Pd Outputs: g, fd g = h and i=1 LF SRd .
m i
�
equations from
1. Compute the lowest degree multiple of f according to [11]. 2. Compute ∆d using equation (7.2). � Pd 3. Output i=1 mi equations by clocking LF SRd ∆d cycles at one time. 4. Go to realtime phase. � Pd Pd m Inputs: Precomputed equations; i=1 i i=1 bits of keystream Outputs: LF SRc and LF SRd
m i
�
1. Substitute keystream into precomputed equations. 2. Solve the system of equations to recover the internal state of LF SRd . 3. Recover the internal state of LF SRc using newly obtained bits of LF SRd . 4. Output LF SRc and LF SRd. Terminate. Figure 7.3: Algorithm for precomputation and realtime phases of the algebraic attack based on keystream decimation After recovering the internal state of LF SRd , the cryptanalyst must recover the internal state of LF SRc to complete the attack, increasing the overall attack complexity. A worst case scenario involves a brute force attack to recover the initial internal state of LF SR c . Alternative methods such as using correlation or embedding attacks could be considered. Depending on the LFSR length and the method used, the complexity of recovering LF SRc may be less than 2l − 1. For the rest of this paper, we denote the complexity of recovering LF SRc by CLF SRc . Compared to the attack outlined in Section 7.3.1, the computational complexity of this attack is
lower, but it requires a greater number of keystream bits. The above analysis shows that the resistance of the LILI family of stream ciphers to both of these algebraic attacks depends on the number of times register LF SRd is clocked, ∆d , the degree d of the filter function fd , and the lengths, (l, m), of the two registers.
7.4. Algebraic Analysis of the LILI-II Stream Cipher
117
7.4 Algebraic Analysis of the LILI-II Stream Cipher In this section, we first present an algebraic representation of the LILI family of stream ciphers, compute a low degree multiplier g of fd and consider using this multiplier in applying the attacks outlined in Section 7.3 to LILI-II.
7.4.1 Algebraic Representation for the LILI Family of Stream Ciphers The relationship between the internal state and the output of the LILI ciphers can be obtained by incorporating the clock control outputs from LF SRc as variables into LF SRd . Given fc relations between the two controlling bits ct1 , ct2 , the number of times register LF SRd is clocked and the initial state of LF SRd can be represented in an algebraic expression as follows: dt+1 = (ct1 + 1)(ct2 + 1)dti−1 + (ct1 + 1)ct2 dti−2 + ct1 (ct2 + 1)dti−3 + ct1 ct2 dti−4 i
(7.6)
where dti is the ith stage of LF SRd at time t. Specifically, the stages ct1 and ct2 are c12 and c20 , respectively, for LILI-128 and c1 and c127 , respectively, for LILI-II. Equation (7.6) shows that the degree of the equations in LF SRd increases by two each time LF SRc is clocked.
7.4.2 Algebraic Attacks on LILI-II The filter function fd is important in providing resistance to algebraic attacks. The algebraic normal form (ANF) of fd is computed and presented in Appendix A. Through examination of the ANF of f d we found a multiplier g of degree e = 2, where g = (x11 + 1)(x7 + 1). This results in a product h of degree 4 as shown below. g · fd = (x11 + 1)(x7 + 1)fd
= x2 x4 x7 x11 + x3 x7 x8 x11 + x1 x7 x9 x11 + x7 x10 x11 x12 +x2 x4 x7 + x3 x7 x8 + x1 x7 x9 + x2 x4 x11 + x1 x7 x11 + x2 x7 x11 +x3 x7 x11 + x4 x7 x11 + x5 x7 x11 + x6 x7 x11 + x3 x8 x11 + x7 x8 x11 +x1 x9 x11 + x7 x9 x11 + x7 x10 x11 + x7 x10 x12 + x10 x11 x12 +x2 x4 + x1 x7 + x2 x7 + x3 x7 + x4 x7 + x5 x7 + x6 x7 + x3 x8 +x7 x8 + x1 x9 + x7 x9 + x7 x10 + x1 x11 + x2 x11 + x3 x11 + x4 x11 +x5 x11 + x6 x11 + x7 x11 + x8 x11 + x9 x11 + x10 x11 + x10 x12 +x1 + x2 + x3 + x4 + x5 + x6 + x7 + x8 + x9 + x10 + x11 + 1 (7.7)
Further examination of fd using Algorithm 2.2 confirmed the multiplier g = (x11 + 1)(x7 + 1) was one of thirty-two degree 2 multipliers that exist for fd , and the only one of these multipliers that resulted in h of degree 4. Our implementation of the algorithm found the degree 2 multipliers in 82 seconds using Magma 2.11 on the SGI Origin 3000 using CPU at 600 MHz. This demonstrates that f d of LILI-II has an algebraic immunity of at most 4. In our attack we make use of this by multiplying the initial set of equations by (x11 + 1)(x7 + 1). Note that this implies that z t is also multiplied by g, so only gives a useful equation when z t is equal to 1.
118
Chapter 7. Algebraic Analysis of the LILI Keystream Generators
Standard Algebraic Attacks of Section 7.3.1 Consider applying the attack of Section 7.3.1 using Algorithm 7.1 with the original function f d of P10 127� degree 10, then one need to solve equations involving M = = 247.7 unknowns with a i=1 i solution complexity of 2143.1 for ω = 3. From Equation (7.1), this gives a total attack complexity of
2128 .2143 = 2271 . However, using g to reduce the degree of equations generated reduces the number of monomials to 223.3 , and correspondingly the attack complexity to 2198 . This is a significant reduction
in the complexity of the algebraic attack on LILI-II, and is better than exhaustive search of the initial 255-bit internal state, but is still much worse than exhaustive search on the 128-bit key. Standard Algebraic Attacks of Section 7.3.2 Similarly, applying the attack of Section 7.3.2 using Algorithm 7.2 using d = 10, requires ∆ d = 2129 . The complexity of recovering LF SRd by solving 247.8 equations using the linearization approach is 2143 with a keystream requirement of T = 2128 .247.8 = 2175.8 . Since only E = 2127 − 1 equations can be generated from LF SRd , the amount of keystream required to run the attack is clearly more than the number of independent equations that can be generated. Further, the complexity of recovering the internal state of LF SRc must be added. Using the multiplier g to obtain equations of degree 4 reduces the complexity of recovering the initial state of LF SRd to 270 . Adding the complexity of recovering LF SRc gives a total attack complexity of 270 + CLF SRc . There is also the keystream requirement of (2128 )(223 ) = 2151 bits, again more than the number of independent equations that can be generated from LF SR d . Therefore, the attack of Section 7.3.2 cannot be applied successfully to LILI-II for either the case where f d of degree 10 is used or a reduced gfd of degree d = 4 is used. Although neither attack is better than exhaustive key search, reducing the degree from 10 to 4 significantly reduces the complexity of an algebraic attack for recovering LF SR d . Table 7.2 below summarises the requirements for applying the algebraic attacks of Sections 7.3.1 and 7.3.2 to both LILI-128 and LILI-II, with the original function fd of degree 10, and reduced gfd of degree d = 4 respectively.
LILI-family LILI-128, d=4 LILI-II, d=10 LILI-II, d=4
Complexity of attack of Section 7.3.1 Keystream Operations 218 2102 48 2 2271 23 2 2198
Complexity of attack of Section 7.3.2 Keystream E Operations 57 89 2 2 −1 263 176 127 2 2 − 1 2143 + CLF SRc 151 2 2127 − 1 270 + CLF SRc
Table 7.2: Summary of the algebraic attacks of Sections 7.3.1 and 7.3.2 on both LILI-128 and LILI-II
7.4.3 Fast Algebraic Attacks on LILI-II Both of the attacks outlined in Sections 7.3.1 and 7.3.2 have a common last step, involving solving a system of equations. Fast algebraic attacks [60] aim to reduce the degree of the equations generated in the precomputation phase by linearly combining some specific equations. This has a significant effect
7.5. Initialization and Algebraic Attacks
119
in reducing the overall complexity of the attacks. This section applies fast algebraic attacks described in Section 2.2 to LILI-II. It is noted from the analysis provided in Section 2.2 that fast algebraic attacks can be applied to significantly reduce the complexity of solving equations in the realtime phase of the attacks from Sections 7.3.1 and 7.3.2. Tables 7.3 and 7.4 summarise the data obtained when the fast algebraic attack approach is applied to the attacks of Sections 7.3.1 and 7.3.2, respectively. The output equations that needs to be combined for the precomputaion step can be found using Algorithm 2.6. The keystream, the memory, the precomputation and the substitution requirements recorded in the tables were computed using Equations (2.16),(2.18),(2.17) and ( 2.19), respectively. LILI-family LILI-128 LILI-II
d 4 4
e 2 2
Keystream 221 bits 223.3
Memory 214 bits 226 bits
Precomputation 230 232.4
Substitution 238.6 241.8
Attack ops 239 .238.6 = 277.6 241.8 .2127 = 2168.8
Table 7.3: Attack of Section 7.3.1 using fast algebraic attacks on both LILI-128 and LILI-II
LILI-family LILI-128 LILI-II
d 4 4
e 2 2
Keystream 260 2151.3
Memory 214 bits 226 bits
Precomputation 230 232.4
Substitution 238.6 241.8
Attack ops 230 241.8 + CLF SRc
Table 7.4: Attack of Section 7.3.2 using fast algebraic attacks on both LILI-128 and LILI-II The tables illustrate the tradeoffs between keystream requirements and attack complexity, and also the significant reduction in the complexity of recovering the internal states for both ciphers when using e = 2. However, it can also be seen that with fast algebraic attacks that the complexity of substituting the keystream bits into the system of equations is higher than the complexity of solving the equations, and that the keystream requirement for the attack of Section 7.3.2 cannot be met. Although the attack of Section 7.3.1 requires less keystream bits, its complexity is still more than the exhaustive key search.
7.5 Initialization and Algebraic Attacks Most recently proposed stream ciphers use an internal state that is at least twice as large as the key size to provide resistance to attacks such as time/memory/tradeoff attacks. An initialization process expands the k bit key to fill the internal state, possibly also incorporating initialisation vectors. This is the case for the LILI ciphers. Most algebraic attacks, including those on LILI-128, aim to recover the internal state of the cipher. In this section two aspects of the effect of the initialization process are considered, as outlined in Section 7.2, on algebraic attacks on the LILI ciphers. Firstly, it will be examined whether it is possible to recover key bits directly in an algebraic attack, rather than state bits. Secondly, an investigation on the possibility that an attacker, having recovered internal state bits through a standard algebraic attack, can extend the attack to key recovery.
120
Chapter 7. Algebraic Analysis of the LILI Keystream Generators
7.5.1 Direct Recovery of Key Bits If the variables represent the key bits rather than state bits for ciphers with a relatively large internal state size then there are fewer variables to consider. However, generating equations where the variables are the unknown key bits requires consideration of the initialization process. From Equation (7.6) in Section 7.4.1, it is clear that if the variables are key bit values, rather than the internal state values, the generated system of equations contains k variables with maximum degree of k, and the maximum � Pk number of monomials is given by i=1 ki . In contrast, if the variables are the initial internal state values, rather than the key bit values, then the generated system of equations contains l + m variables with maximum degree of l + d, where d is the degree of fd , and the maximum number of monomials � P l+m formed is equal to M = l+d . i=1 i
This can easily be seen as every time LF SRc is clocked, two variables from LF SRc are multiplied with expression representing the internal state of LF SRd . For example, at time t = 1, the degree of the expression in LF SRd is 3. Using Equation (7.6), one can see that at time t = 2, the degree jumps to 5 as two new variables from LF SRc are multiplied with the degree 3 expressions. The degree of the equations increases as we clock more. The expression in LF SRd reaches degree 64 at t = 32 and the maximum degree is k. So at the end of the initialization process, the contents of each stage of the LFSRs is a function of the key bits of degree d ≥ 64. Since the output is generated in terms of the internal state of LF SRd , and LF SRc is regularly clocked, then one need to look for annihilators or multiples that would reduce the degree of the internal state expressions in LF SRd . It can be seen that by multiplying ct1 or ct2 or combinations of them with Equation (7.6) will reduce the number of terms in the output. For example, multiplying c t1 ct2 with (7.6) gives ct1 ct2 dt+1 = ct1 ct2 dti−4 . This means that we will have to multiply fd with ct1 ct2 which i will have the same effect as the previous relation. The multipliers reduce the number of terms in the system of equations but do not reduce the overall degree of the equations as each stage of LF SR d is a combination of high degree terms. After initialization, the contents of both registers are high degree functions of all key bits. To recover the key bits of LILI ciphers using the approach outlined in Section 7.3.1 requires guessing the initial contents of LF SRc . Now the clocking of LF SRd is known. The attacker then forms equations relating the known keystream values to the filtered outputs of LF SR d . However, each stage of LF SRd contains a high degree function of key bit variables. To use this approach, the attacker needs to know what these high degree functions also to have the ability to solve them. Therefore, the hP are,�iand ω d k k complexity of this approach is 2l · , for i=1 i 2 ≤ d < k. For example, consider applying this to LILI-128 with 128-bit key and initialization vectors. Assume
that the degree of the key bit expressions in each stage of the registers after initialization is 64 ≤ d ≤ 128 and ω = 3. Applying the algebraic attack of Section 7.3.1 requires guessing 39 bits of
LF SRc multiplied with the complexity of solving a system of equations generated using f d . Note that the equations are a function of all the key bits, therefore there are 128 unknowns in the generated hP �i3 64 128 system of equations. The overall attack complexity will be between 2 39 ≈ 2495 and i=1 64 hP i3 128 128� 239 ≈ 2578.5 . This exceeds the complexity of exhaustive key search. Similarly, using i=1 i this approach on LILI-II requires a 128 bit guess of LF SRc , so will also be worse than exhaustive key
7.5. Initialization and Algebraic Attacks
121
hP �i3 64 128 search. The overall attack complexity will be between 2128 ≈ 2584 and 2667.5 . i=1 i Alternatively, consider the approach outlined in Section 7.3.2. This requires decimation of the keystream by ∆d , with a corresponding increase in the degree of the underlying key bit equations. The equations generated from LF SRd will be of a very high degree, probably the maximum degree. It appears infeasible to generate these high degree equations, let alone However, assuming hP solve�ithem. ω d k this is possible, the overall attack complexity of this approach is , for k2 ≤ d < k. i=1 i For example, consider applying this to LILI-128. The complexity of solving these equations is hP hP i3 �i3 64 128 128� 128 between ≈ 2456 and ≈ 2539.5 . The same attack complexity will also be i=1 i=1 i i applicable to LILI-II when using this approach for recovering the internal state of LF SR d, however, the amount of keystream will be much greater in the case of LILI-II. Table 7.5 summarizes the complexity of applying the attacks outlined in Sections 7.3.2 and 7.3.1 to LILI-128 and LILI-II after going through the initialization phase. Note that the degree of the filter function fd used has a minimal effect in increasing the degree of the generated equations, as at the end of initialization, the contents of the stages of each register are high degree equations.
7.5.2 Recovering the Key Bits Given the Internal State Bits Consider the initialization processes used in LILI-128 and LILI-II. Denote the first l + m output bits 00
00
00
generated during initialization by (z1 . . . , zl+m ). Each z is a high degree function of the key bits. 00 00 These (z1 . . . , zl+m ) bits are loaded into the cipher registers and the process is repeated to generate 0
0
another l + m bits denoted as z1 . . . , zl+m . This is reloaded and used to generate the keystream bits denoted z1 , z2 , . . . ,. Assume that we have T known keystream bits z1 , . . . zT and have successfully performed an al0 0 gebraic attack to recover the initial internal state (z1 . . . , zl+m ). In order to recover the key bits 0
0
(k1 , . . . , k128 ), (z1 . . . , zl+m ) are needed to be used as keystream and apply an algebraic attack to 00 00 recover (z1 . . . , zl+m ). Given this internal state, the entire keystream sequence for this (k, v i pair can be produced, but when a new initialization vector is used we will have to repeat the entire attack to � Pl+m generate that keystream. The keystream requirement is approximately i=1 l+m bits using the lind earization approach. But in this case, there are only l + m outputs, which is much less than the needed data. The difficulty of recovering the key bits from the internal state bits is further increased if some output bits are discarded during the initialization. 0
0
For example consider applying this to key recovery on LILI-128. Suppose that (z 1 . . . , z128 ) have been recovered. This attack requires approximately 218 bits. For key recovery, we now need to repeat 0
0
this attack using (z1 . . . , z128 ) as the keystream bits. But there are only 128 outputs, which is much less than the needed data. Obviously, there is no way to proceed to recover the key bits. Similarly, key 0
0
recovery cannot be performed on LILI-II as only 255 bits (z1 . . . , z255 ) of keystream are available to 00 00 recover (z1 . . . , z255 ), which is much less than the required keystream bits. It is evident that the initialization process used in LILI-128 and LILI-II prevents the direct recovery of the key bits using algebraic attacks, and it prevents the recovery of the key bits even if the state bits can be recovered. An interesting exercise is to investigate partial key guessing. That is guessing u-bits of the k-bit secret key. This is reduces the degree of the equations generated during initialization so that algebraic attacks may be successfully applied to the reduced system.
Chapter 7. Algebraic Analysis of the LILI Keystream Generators
122
LILI-family LILI-128 LILI-II
Complexity of attack of Section 7.3.1 Keystream Operations 2152 to 2179 2495 to 2578.5 2152 to 2179 2584 to 2667.5
Complexity of attack of Section 7.3.2 Keystream Operations 191 218.8 2 to 2 2456 to 2539.5 280 307 2 to 2 2456 to 2539.5
Table 7.5: Summary of requirements for the algebraic attacks of Sections 7.3.1 and 7.3.2
7.6 Investigating the Resistance of Other Instances of the LILI Family Ciphers to Algebraic Attacks LILI is a parameterizable family of ciphers. In this section, the key size is fixed to 128 bits and the total internal state size of LF SRc and LF SRd to 255 bits and evaluate the resistance to algebraic attacks and fast algebraic attacks. An estimate of the keystream requirements and attack complexity for different sized registers using the reduced degree d = 4 Boolean function f d and e = 2 for g will be given. Tables 7.6 and 7.7 provide the data obtained for the attacks of Sections 7.3.1 and 7.3.2 using Equations (7.1) and (7.3) of the standard algebraic attacks while Tables 7.8 and 7.6 provide the data obtained for the attacks of Sections 7.3.1 and 7.3.2 using fast algebraic attacks using Equations (7.1),(7.3), (2.16), (2.18), (2.17) and (2.19), respectively. d 4 4 4 4 4 4
l 107 108 118 119 127 128
m 148 147 137 136 128 127
Keystream O(224 ) bits O(224 ) bits O(223 ) bits O(223 ) bits O(223 ) bits O(223 ) bits
Attack complexity 2179 2180 2187 2188 2196 2197
Table 7.6: Results of attack of Section 7.3.1 d 4 4 4 4 4 4 4 4 4 4 4
l 107 108 109 110 111 116 117 118 119 127 128
m 148 147 146 145 144 139 138 137 136 128 127
Keystream 2131 bits 2132 bits 2133 bits 2134 bits 2135 bits 2140 bits 2141 bits 2142 bits 2143 bits 2150 bits 2151 bits
Number of Equations 2148 2147 2146 2145 2144 2139 2138 2137 2136 2128 2127
Attack complexity 273 + CLF SRc 272.5 + CLF SRc 272.4 + CLF SRc 272.3 + CLF SRc 272.2 + CLF SRc 271.8 + CLF SRc 271.7 + CLF SRc 271.6 + CLF SRc 271.5 + CLF SRc 270 + CLF SRc 270 + CLF SRc
Table 7.7: Results of attack of Section 7.3.2
e 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
l 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128
m 148 147 146 145 144 143 142 141 140 139 138 137 136 135 134 133 132 131 130 129 128 127
Keystream O(224 ) bits O(224 ) bits O(224 ) bits O(224 ) bits O(224 ) bits O(224 ) bits O(223.9 ) bits O(223.9 ) bits O(223.9 ) bits O(223.8 ) bits O(223.8 ) bits O(223.7 ) bits O(223.7 ) bits O(223.7 ) bits O(223.6 ) bits O(223.6 ) bits O(223.5 ) bits O(223.5 ) bits O(223 ) bits O(223 ) bits O(223 ) bits O(223 ) bits
Memory O(226 ) bits O(226.8 ) bits O(226.7 ) bits O(226.7 ) bits O(226.6 ) bits O(226.6 ) bits O(226.6 ) bits O(226.5 ) bits O(226.5 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(225.9 ) bits
Precomputation O(233.4 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(232.9 ) bits O(232.9 ) bits O(232.8 ) bits O(232.8 ) bits O(232.7 ) bits O(232.7 ) bits O(232.6 ) bits O(232 ) bits O(232.5 ) bits O(232.5 ) bits O(232 ) bits O(232 ) bits
Substitution O(243 ) bits O(243 ) bits O(243 ) bits O(243 ) bits O(243 ) bits O(242.9 ) bits O(242.8 ) bits O(242.8 ) bits O(242.7 ) bits O(242.6 ) bits O(242.6 ) bits O(242.5 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(241.9 ) bits O(241.8 ) bits
Attack O 2107 .243 = 2150 O 2108 .243 = 2151 O 2109 .243 = 2152 O 2110 243 = 2153 O 2111 243 = 2154 O 2112 .242.9 = 2154.9 O 2113 242.8 = 2155.8 O 2114 .242.8 = 2156.8 O 2115 .242.7 = 2157.7 O 2116 .242.6 = 2158.6 O 2117 .242.6 = 2159.6 O 2118 .242.5 = 2160.5 O 2119 .242 = 2161 O 2120 .242 = 2162 O 2121 .242 = 2163 O 2122 .242 = 2164 O 2123 .242 = 2165 O 2124 .242 = 2166 O 2125 .242 = 2167 O 2126 .242 = 2168 O 2127 .241.9 = 2168.9 O 2128 .241.8 = 2169.8
Table 7.8: Results of attack of Section 7.3.1 using fast algebraic attacks
7.6. Investigating the Resistance of Other Instances of the LILI Family Ciphers to Algebraic Attacks 123
d 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
l 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128
m 148 147 146 145 144 143 142 141 140 139 138 137 136 135 134 133 132 131 130 129 128 127
Keystream O2107 .213 = 2120 bits O2108 .213 = 2121 bits O2109 .213 = 2122 bits O2110 .213 = 2123 bits O2111 .213 = 2124 bits O2112 .213 = 2125 bits O2113 .213 = 2126 bits O2114 .213 = 2127 bits O2115 .213 = 2128 bits O2116 .213 = 2129 bits O2117 .213 = 2130 bits O2118 .213 = 2131 bits O2119 .213 = 2132 bits O2120 .213 = 2133 bits O2121 .213 = 2134 bits O2122 .213 = 2135 bits O2123 .213 = 2136 bits O2124 .213 = 2137 bits O2125 .213 = 2138 bits O2126 .213 = 2139 bits O2127 .213 = 2140 bits O2128 .212.9 = 2140.9 bits
Number of Equations 2148 2147 2146 2145 2144 2143 2142 2141 2140 2139 2138 2137 2136 2135 2134 2133 2132 2131 2130 2129 2128 2127
Memory O(226 ) bits O(226.8 ) bits O(226.7 ) bits O(226.7 ) bits O(226.6 ) bits O(226.6 ) bits O(226.6 ) bits O(226.5 ) bits O(226.5 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(226 ) bits O(225.9 ) bits
Precomputation O(233.4 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(233 ) bits O(232.9 ) bits O(232.9 ) bits O(232.8 ) bits O(232.8 ) bits O(232.7 ) bits O(232.7 ) bits O(232.6 ) bits O(232 ) bits O(232.5 ) bits O(232.5 ) bits O(232 ) bits O(232 ) bits
Table 7.9: Results of attack of Section 7.3.2 using fast algebraic attacks
Substitution O(243 ) bits O(243 ) bits O(243 ) bits O(243 ) bits O(243 ) bits O(242.9 ) bits O(242.8 ) bits O(242.8 ) bits O(242.7 ) bits O(242.6 ) bits O(242.6 ) bits O(242.5 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(242 ) bits O(241.9 ) bits O(241.8 ) bits
Attack O (243 ) + CLF SRc O (243 ) + CLF SRc O (243 ) + CLF SRc O (243 ) + CLF SRc O (243 ) + CLF SRc O (242.9 ) + CLF SRc O (244.8 ) + CLF SRc O (242.8 ) + CLF SRc O (242.7 ) + CLF SRc O (242.6 ) + CLF SRc O (242.6 ) + CLF SRc O (242.5 ) + CLF SRc O (242 ) + CLF SRc O (242 ) + CLF SRc O (242 ) + CLF SRc O (242 ) + CLF SRc O (242 ) + CLF SRc O (242 ) + CLF SRc O (242 ) + CLF SRc O (242 ) + CLF SRc O (241.9 ) + CLF SRc O (241.8 ) + CLF SRc
Chapter 7. Algebraic Analysis of the LILI Keystream Generators
e 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
124
d 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
7.7. Summary
125
Let’s assume that CLF SRc = 2l − 1. Then for alll register sizes considered, the LILI family is
resistant to the attack of Section 7.3.1. However, for 107 ≤ l ≤ 115, the LILI family is prone to the
attack of Section 7.3.2. The second algebraic attack is possible on all register lengths if the effect of the filer function is deleted. This can be thought of as an improved algebraic attacks on clock controlled generators that are composed of a single register controlling other registers and the output of the system as a modulo sum of the registers outputs. On the other hand, for all register sizes considered, the LILI family is resistant to the attack of Section 7.3.1 using fast algebraic attacks. However, for 107 ≤ l ≤ 121, the LILI family is prone to the
attack of Section 7.3.2 using fast algebraic attacks. They remain resistant to the attack of Section 7.3.2 for the remaining registers lengths as the amount of keystream needed to run the attack is greater than the number of independent equations that can be generated from the cipher. Generally, the use of low degree multiples of fd , reduces the complexity of solving the system of equations, which is one phase of some of the algebraic attacks. The complexity of the whole attack exceeds that of the exhaustive key search for some register lengths. This indicates that the choice of the register lengths plays an important part in resisting different types of algebraic attacks on the LILI family of stream ciphers. For some register lengths the attack complexity may be lower than exhaustive key search, but the attack could not be performed as the required number of equations cannot be generated.
7.7 Summary This chapter examined the two main perspectives of the thesis on the well known LILI family of stream ciphers. In particular, the security of the LILI family of stream ciphers against both standard and fast algebraic attacks was analysed. Our analysis provides an increased understanding of algebraic attacks on this type of cipher. It was shown that the size of the two registers used, the difference between their lengths, the maximum number of times a register is clocked and the degree of the filter function all contribute in providing resistance to algebraic attacks. For LILI-128, the internal state bits can be recovered with complexity less than exhaustive keysearch. For LILI-II, a low degree multiplier of the filter function is given, implying the algebraic immunity of the filter function is at most four. This dramatically reduces the complexity of algebraic attacks, including fast algebraic attacks. However, even the reduced complexity exceeds exhaustive key search. This chapter also examined the role of initialization in reducing the effectiveness of algebraic attacks for key recovery. This is important for applications where rekeying is performed. It was shown that, even assuming a successful algebraic attack has been performed, revealing the internal state for the LILI ciphers, the complexity of recovering the secret key remains worse than exhaustive key search. It appears that the initialization process provides the LILI ciphers with resistance against key recovery attacks. It was also shown that some instances of the LILI family of stream ciphers fall victim to fast algebraic attacks. Finally, an alternative approach for attacking the LILI family of stream ciphers was discussed. However, it still remains an open problem whether partially guessed key attacks will be effective.
126
Chapter 7. Algebraic Analysis of the LILI Keystream Generators
Chapter 8
Conclusion and Future Research
Stream ciphers are encryption algorithms used for providing privacy for real time applications such as mobile telephony, satellite communications, secure online transactions and sensitive military communications. Various methods have been proposed for analysing and attacking stream ciphers. Algebraic attacks are the most recent types of attacks on stream ciphers. They have been shown to be effective on regularly clocked LFSR based stream ciphers. Algebraic attacks have drawn much attention from the cryptographic community. Clock-controlled stream ciphers were considered resistant to algebraic attacks. In this thesis, algebraic attacks are extended and applied to clock-controlled (irregularly clocked) stream ciphers. It is shown that algebraic attacks provide a significant method for cryptanalysis of many of these algorithms. Four groups of stream ciphers of stream ciphers were investigated: keystream generator using stop-and-go clocking, keystream generators using (p, q) clocking, mutual clock-controlled keystream generators and irregularly clocked nonlinear filter generators. The role of initialization process in providing resistance against algebraic attacks were also examined on Trivium and Grain-128. Both of these are profile 2 submissions to eSTREAM, the ECRYPT Stream Cipher Project [2], and are currenty focus ciphers in phase 3. In Section 8.1, the contributions of this thesis are reviewed and the major contributions for each chapter are noted. In Section 8.2, possible future directions are explored.
8.1 Review of Contributions The first two chapters of the thesis provide an introduction to stream ciphers generally and to existing algebraic attacks on LFSR based stream ciphers. The research performed to extend these attacks for application to other stream ciphers was presented in Chapters 3 to 7.
127
128
Chapter 8. Conclusion and Future Research
8.1.1 Chapter 3: Keystream Generators using Stop-and-Go Clocking In Chapter 3 a theorem for generating equations relating the internal state bits and the keystream output bits for keystream generators using stop-and-go clocking is given. This theorem was applied to four stop-and-go clocked ciphers to produce a system of equations required to enable algebraic attacks. For each cipher, an investigation was performed to determine the effectiveness of an algebraic attack in recovering the internal state. For the strengthened version of the Beth-Piper stop-and-go generator, the initial state was obtained with an algebraic attack significantly better than other known attacks. Fast algebraic attacks were also shown to be very effective on the strengthened version of the Beth-Piper stop-and-go generator. For the alternating and the Gollmann cascade ciphers, divide and conquer algebraic attacks were presented. In these attacks, the internal state of the LFSR’s in the system were recovered independently from one or more other registers in the system. In comparison with previous attacks, the recovery of the internal state of both the alternating step and the Gollmann cascade generators can be performed with the smallest keystream requirements and the second smallest attack complexity. Furthermore, an alternative attack on the alternating step generator was presented with the smallest running time complexity known to date. For the Gollmann cascade the effect of the clock control on algebraic attacks was shown to be an increase with each clock in the degree of the equations generated. Furthermore, it was demonstrated that the initial states of the last two shift registers of the Gollmann cascade generator can be determined by the initial states of the others using a small amount of known keystream. The only previous attack on the Gollmann cascade generator with lower complexity than the algebraic attack applied in this thesis is Park’s attack. However, Park’s attack has a serious limitation due to the constrained keystream requirements. Park’s attack requires consecutive keystream bits with runs of zeros or ones, whereas the algebraic attack does not even require consecutive keystream bits. Any subset of the keystream bits can be used as long as the equations describing them are dependent on the values of the initial state bits. The length of keystream required for the algebraic attack is also much less than for Park’s attack. Hence, the algebraic attack presented in this thesis is currently the only feasible attack for implementations where rekeying occurs frequently such as the frame based communication systems for mobile telephones and wireless networks. An outline for an alternative attack on the cascade generator was presented in the thesis. This approach was developed to eliminate the effect of degree accumulation, which occurs as the keystream generator is clocked. The outcome of this alternative approach is a large sparse low degree polynomial system. Such a system can be generated and solved efficiently using algorithms such as Faugere’s F 5. Algebraic analysis on the eSTREAM candidate Pomaranch showed that a cipher with nonlinear components could be expressed as a system of equations with maximum degree no higher than the maximum degree of the components. In this case, a system of equations of maximum degree four is derived that fully describes the Pomaranch cipher. In the analysis, a method for generating degree four equations in the key bits and other component bits of the system is given. The bottleneck to reducing this degree further is identified as the filter function of degree four. The input and output sizes of the components determine the number of new variables to be introduced and therefore the size of the system of equations needed to describe the cipher. Interestingly, it was observed that increasing the size of the jump registers has no effect on increasing the degree of the equations. Thus increasing the size of the registers does not increase the complexity of the algebraic attacks. Finally, annihilators and low degree
8.1. Review of Contributions
129
multiples of the Pomaranch filter functions used in the keymap and for the keystream contributions in the 80-bit version of Pomaranch have been found, which indicates an apparent weakness in the cipher.
8.1.2 Chapter 4: Keystream Generators using (p, q) Clocking In Chapter 4, algebraic attacks on keystream generators using (p, q) clocking were presented. The attacks were applied to two well known examples of such structures; the step1/step2 and the selfdecimated generators. Effective algebraic attack on both the self-decimated and the step1/step2 generators has been presented. For the self-decimated generator, the initial state bits are obtained significantly better than any other known attack. For the step1/step2 generator, the presented algebraic attack has the same keystream requirements as most attacks and it is not far from the best known attack. In addition, an alternative algebraic attack on the step1/step2 generator has been presented. The attack requires a large amount of keystream with a complexity of solving a system of linear equations where the number of variables equals the length of register B. This attack has the smallest running time complexity of known attacks.
8.1.3 Chapter 5: Keystream Generators using Mutual Clock Control The first step in performing algebraic attacks is to generate a system of equations relating the internal state with the keystream. Generally, for mutually clock-controlled stream ciphers generating these equations is very challenging. Chapter 5 presented some theoretical results on the complexity of generating the algebraic equations for mutually clock-controlled feedback shift registers. Four mutually clocked controlled stream ciphers were considered: the bilateral-stop-and-go generator, the A5/1 stream ciphers, the Alpha 1 stream ciphers, the eSTREAM candidates the MICKEY family of stream ciphers. It was shown that the degree of the equations generated from these systems in general is equal to the length of the irregularly clocked LFSRs. However, it was observed that for the bilateral-stop-and-go generator, the degree could be significantly reduced, almost to the length of one register. One method that has been used to successfully attack some ciphers is to guess some initial state bits in order to reduce the number of monomials in the generated system of equations. The feasibility of such an approach was investigated for the four mutually clock-controlled ciphers examined in this thesis. This method was successfully applied to Alpha 1, resulting in an attack with complexity less than exhaustive key search due to the use of a regularly clocked register in the system. In Alpha 1, the 128 bits of internal state were recovered by guessing the contents of the irregularly clocked registers, and recovering the remaining 29 bits using only 128 bits of keystream. Low degree multiples of the combining functions were also shown to exist for these ciphers. However, in the equations produced as the cipher is clocked, the degree of these multiples is increasing. In addition, for the MICKEY stream ciphers, annihilators are shown to exist that will reduce the degree of the equations. In fact, these annihilators significantly reduce the number of monomials in the system of equations. Moreover, equations of some pattern are obtained for all versions of the MICKEY cipher, which might lead to a future attack. Furthermore, the same sets of annihilators can be found irrespectively from the position of the clock controlling bits. Finally, it was shown that the problem of recovering the internal state of these ciphers could be transformed into a problem of solving quadratic equations in large unknowns.
130
Chapter 8. Conclusion and Future Research
8.1.4 Chapter 6: Initialization and Algebraic Attacks In Chapter 6, the effect of key initialization process on the performance of algebraic attacks on two candidates of phase three of the eSTREAM ciphers was investigated. The investigations were conducted on both Trivium and Grain-128. In this chapter, relationships between the key bits and the output were considered where multiple keystreams are used in the attack (instead of using one keystream sequence as in the other chapters) to recover the internal state. In multiple keystreams, an attacker is able to generate as many equations as desired using multiple IV 0 s with one single key. Taking this approach, depending on the number of iterations performed during key initialization, an attacker can generate low degree equations in the key unknowns using simple tricks such as combining two equations generated at the same time instance using two different but closely related IV 0 s. A framework for using multiple keystreams for conducting algebraic attacks was first discussed. Then a number of investigations were conducted on both Trivium and Grain-128. In the investigations, both IV numbers and the iterations number were considered as variables. It was shown that the use of large number of IV could actually be used to form enough system of equations to recover the key bits using relatively small number of keystream outputs. It was also shown that this approach might enable us to reduce the decree of the equations, hence making algebraic attacks efficient. From these investigation, it was shown that Trivium is prone to multiple keystream algebraic attacks if it gets iterated less than 355 times during initialization process using only 2 IV’s. It was also shown the approach can significantly reduce the overall degree of the equation for the parameters tested from degree 7 to linear equations, in fact, in many cases lead to an immediate recovery of the key bits. For Grain-128, it was also shown that the cipher is prone to algebraic attacks using multiple keystreams. It was demonstrate how the high degree terms can actually be reduced to at most degree 2 for the parameter of the experiments for the first 98 iterations of the ciphers. In general, it was shown that it is also possible to reduce the degree of every single equation from degree 10, the maximum degree considered in these investigations to degree 2. It is worthwhile to mention that the results obtained are imperial results; hence better results can be obtained given enough computer resources and time to conduct the investigations. From these preliminary investigations, it is clear that the number of iterations performed during the key initialization process and the maximum number of IV 0 s to be used with one key should not be chosen at random. The vulnerability of stream ciphers against multiple keystream algebraic attacks has to be taken into consideration when designing a key initialization process of stream ciphers. In general, there is a need for further research for establishing design criteria for key initialization
8.1.5 Chapter 7: Algebraic Analysis of the LILI Keystream Generators Chapter 7 examined the two main perspectives of the first chapters of the thesis on the well known LILI family of stream ciphers. In particular, the security of the LILI family of stream ciphers against both standard and fast algebraic attacks was analysed. The algebraic analysis of this chapter provides an increased understanding of algebraic attacks on this type of cipher. It was shown that the size of the two registers used, the difference between their lengths, the maximum number of times a register is clocked and the degree of the filter function all contribute in providing resistance to algebraic attacks. For LILI-128, the internal state bits can be recovered with complexity less than exhaustive keysearch. For LILI-II, a low degree multiplier of the filter function is given; implying the algebraic immunity
8.2. Future Directions
131
of the filter function is at most four. This dramatically reduces the complexity of algebraic attacks, including fast algebraic attacks. However, even the reduced complexity exceeds exhaustive key search. This chapter also examined the role of initialization in reducing the effectiveness of algebraic attacks for key recovery. This is important for applications where rekeying is performed. It was shown that, even assuming a successful algebraic attack has been performed, revealing the internal state for the LILI ciphers, the complexity of recovering the secret key remains worse than exhaustive key search. It appears that the initialization process provides the LILI ciphers with resistance against key recovery attacks. It was also shown that some instances of the LILI family of stream ciphers fall victim to fast algebraic attacks. Finally, an alternative approach for attacking the LILI family of stream ciphers was discussed.
8.2 Future Directions It would be interesting to investigate the possibility of extending algebraic attacks to word-based stream ciphers. This would require the design of efficient methods capable of solving system of equations over extension fields. It would also be interesting to examine the feasibility of extending algebraic attacks to other stream ciphers that are not based on feedback shift registers, for example, RC4 like stream ciphers. Another possible area of research is to find methods for generating low degree relations relating the internal state with the keystreams for the shrinking, the self shrinking and the bit search generator. Recall that in the shrinking and the self-shrinking generators, the LFSRs are regularly clocked, so in theory, one can obtain linear equations. However, the output is computed in an irregular manner. Further investigation is needed to investigate the resistance of clock-controlled stream ciphers against fast algebraic attacks. Preliminary investigations in this direction show that these attacks might be possible. A good start would be to investigate the bilateral-stop-and-go generator first. Further investigation is needed to establish design criteria for designing key initialization process of a stream cipher. Currently, there are no design criteria for the key initialization process, and for many ciphers this has been done in an ad-hoc way. Some keystream generators, including eSTREAM ciphers, have been broken due to weaknesses found in the key initialization processes. The investigation should also consider the possibility of attacking stream ciphers using multiple keystreams in algebraic attacks. Finally, it is still an open problem whether partially guessed key attacks will be effective on stream ciphers. Investigation should be conducted to access the feasibility of algebraic attacks when some key bits are guessed prior to performing key initializations in order to reduce the degree of the equations.
132
Chapter 8. Conclusion and Future Research
Appendix A
Algebraic Relations in Pomaranch The algebraic normal form (ANF) of the Pomaranch filter function is as follows. f (x1 , x2 , x3 , x4 , x5 , x6 , x7 ) = x 1 x2 x3 x4 + x 1 x2 x3 x5 + x 1 x2 x3 x6 + x 1 x2 x3 x7 + x 1 x2 x4 x5 + x 1 x2 x4 x7 + x 1 x2 x6 x7 + x 1 x3 x4 x6 + x 1 x3 x4 x7 + x 1 x3 x5 x6 + x 1 x3 x5 x7 + x 1 x3 x6 x7 + x 1 x4 x5 x7 + x 2 x3 x4 x5 + x 2 x3 x4 x6 + x 2 x3 x4 x7 + x 2 x3 x5 x6 + x 2 x3 x5 x7 + x 2 x3 x6 x7 + x 2 x4 x5 x6 + x 2 x4 x6 x7 + x 3 x4 x5 x6 + x 3 x4 x5 x7 + x 3 x4 x6 x7 + x 4 x5 x6 x7 + x 1 x2 x3 + x 1 x2 x4 + x 1 x2 x6 + x 1 x2 x7 + x 1 x3 x5 + x 1 x3 x6 + x 1 x3 x7 + x 1 x4 x6 + x 1 x4 x7 + x 1 x6 x7 + x 2 x3 x5 + x 2 x3 x6 + x 2 x3 x7 + x 2 x4 x7 + x 2 x5 x7 + x 2 x6 x7 + x 3 x4 x6 + x 3 x5 x7 + x 5 x6 x7 + x 1 x2 + x 1 x6 + x 2 x7 + x 3 x7 + x 4 x5 + x 4 x7 + x1 + x2 + x3 + x5 + x6 + x7
133
134
Appendix A. Algebraic Relations in Pomaranch
The relations between the inputs ai and the outputs bi of the Pomaranch s-box is as follows. a 1 b1 + a 2 b9 + a 3 b8 + a 4 b7 + a 5 b6 + a 6 b5 + a 7 b4 + a 8 b3 + a 9 b2
= 1
a 1 b2 + a 2 b1 + a 2 b9 + a 3 b8 + a 3 b9 + a 4 b7 + a 4 b8 + a 5 b6 + a 5 b7 + a 6 b5 + a 6 b6 + a 7 b4 + a 7 b5 + a 8 b3 + a 8 b4 + a 9 b2 + a 9 b3
= 0
a 1 b3 + a 2 b2 + a 3 b1 + a 3 b9 + a 4 b8 + a 4 b9 + a 5 b7 + a 5 b8 + a 6 b6 + a 6 b7 + a 7 b5 + a 7 b6 + a 8 b4 + a 8 b5 + a 9 b3 + a 9 b4
= 0
a 1 b4 + a 2 b3 + a 3 b2 + a 4 b1 + a 4 b9 + a 5 b8 + a 5 b9 + a 6 b7 + a 6 b8 + a 7 b6 + a 7 b7 + a 8 b5 + a 8 b6 + a 9 b4 + a 9 b5
= 0
a 1 b5 + a 2 b4 + a 3 b3 + a 4 b2 + a 5 b1 + a 5 b9 + a 6 b8 + a 6 b9 + a 7 b7 + a 7 b8 + a 8 b6 + a 8 b7 + a 9 b5 + a 9 b6
= 0
a 1 b6 + a 2 b5 + a 3 b4 + a 4 b3 + a 5 b2 + a 6 b1 + a 6 b9 + a 7 b8 + a 7 b9 + a 8 b7 + a 8 b8 + a 9 b6 + a 9 b7
= 0
a 1 b7 + a 2 b6 + a 3 b5 + a 4 b4 + a 5 b3 + a 6 b2 + a 7 b1 + a 7 b9 + a 8 b8 + a 8 b9 + a 9 b7 + a 9 b8
= 0
a 1 b8 + a 2 b7 + a 3 b6 + a 4 b5 + a 5 b4 + a 6 b3 + a 7 b2 + a 8 b1 + a 8 b9 + a 9 b8 + a 9 b9
= 0
a 1 b9 + a 2 b8 + a 3 b7 + a 4 b6 + a 5 b5 + a 6 b4 + a 7 b3 + a 8 b2 + a 9 b1 + a 9 b9
= 0
135
The annihilator yf and low degree multiples ef,i of the filter function f in Pomaranch are as follows. yf (x1 , x2 , x3 , x4 , x5 , x6 , x7 ) = x 1 x3 x5 + x 2 x4 x5 + x 3 x4 x5 + x 2 x3 x6 + x 1 x4 x6 + x 1 x5 x6 + x 3 x5 x6 + x 4 x5 x6 + x 1 x3 x7 + x 1 x4 x7 + x 2 x5 x7 + x 3 x5 x7 + x 1 x6 x7 + x 2 x6 x7 + x 4 x6 x7 + x 5 x6 x7 + x 1 x3 + x 2 x3 + x 1 x4 + x 2 x4 + x 3 x4 + x 1 x5 + x 4 x5 + x 3 x6 + x 4 x6 + x 5 x7 + x 6 x7 + x 4 ef,1 (x1 , x2 , x3 , x4 , x5 , x6 , x7 ) = x 1 x2 x4 + x 1 x3 x5 + x 2 x4 x5 + x 3 x4 x5 + x 2 x3 x6 + x 2 x4 x6 + x 3 x4 x6 + x 4 x5 x6 + x 1 x2 x7 + x 1 x3 x7 + x 3 x4 x7 + x 4 x5 x7 + x 1 x6 x7 + x 1 x3 + x 1 x4 + x 2 x4 + x 3 x4 + x 2 x5 + x 3 x5 + x 5 x6 + x 1 x7 + x 3 x7 + x 4 x7 + x 5 x7 + x2 + x3 + x6 + x7 ef,2 (x1 , x2 , x3 , x4 , x5 , x6 , x7 ) = x 1 x2 x4 + x 1 x4 x6 + x 2 x4 x6 + x 3 x4 x6 + x 1 x5 x6 + x 3 x5 x6 + x 1 x2 x7 + x 1 x4 x7 + x 3 x4 x7 + x 2 x5 x7 + x 3 x5 x7 + x 4 x5 x7 + x 2 x6 x7 + x 4 x6 x7 + x 5 x6 x7 + x 2 x3 + x 1 x5 + x 2 x5 + x 3 x5 + x 4 x5 + x 3 x6 + x 4 x6 + x 5 x6 + x 1 x7 + x 3 x7 + x 4 x7 + x 6 x7 + x 2 + x 3 + x 4 + x 6 + x 7 ef,3 (x1 , x2 , x3 , x4 , x5 , x6 , x7 ) = x 1 x2 x3 + x 1 x4 x5 + x 1 x2 x6 + x 1 x3 x6 + x 2 x3 x6 + x 1 x5 x6 + x 4 x5 x6 + x 2 x3 x7 + x 1 x4 x7 + x 1 x5 x7 + x 4 x5 x7 + x 1 x6 x7 + x 2 x6 x7 + x 3 x6 x7 + x 4 x6 x7 + x 1 x6 + x 2 x6 + x 3 x6 + x 5 x6 + x 1 x7 + x 4 x7 + x 5 x7 + x 6 + x 7
In particular we have yf = g1 + g2 , (f + 1)g1 = 0, (f + 1)g3 = 0. The annihilator yg and low degree multiples eg,i of the filter function f in Pomaranch are as follows. yg (x1 , x2 , x3 , x4 , x5 ) = x1 x2 + x1 x3 + x2 x3 + x3 x4 + x2 x5 + x2 + x3 eg,1 (x1 , x2 , x3 , x4 , x5 ) = x1 x2 + x1 x3 + x3 x4 + x2 x5 eg,2 (x1 , x2 , x3 , x4 , x5 ) = x2 x3 + x2 + x3 In particular we have y = e1 + e2 , (f + 1)g1 = 0
136
Appendix A. Algebraic Relations in Pomaranch
Appendix B
Algebraic Normal Form of LILI-II Boolean function Degree 0 1 Degree 1 x1 + x2 + x3 + x4 + x5 + x6 + x7 + x8 + x9 + x10 + x11 Degree 2 x1 x9 + x2 x4 + x3 x8 + x5 x11 + x6 x7 + x7 x10 + x7 x11 + x7 x12 + x10 x12 Degree 3 x2 x7 x11 + x2 x7 x12 + x4 x7 x11 + x4 x7 x12 + x7 x10 x11 + x7 x11 x12 Degree 4 x1 x2 x7 x11 + x1 x2 x7 x12 + x1 x3 x7 x11 + x2 x7 x9 x11 + x2 x7 x9 x12 + x2 x7 x11 x12 + x3 x4 x7 x11 + x3 x7 x9 x11 + x4 x7 x11 x12 + x7 x9 x11 x12 Degree 5 x1 x2 x3 x7 x9 + x1 x2 x7 x11 x12 + x1 x3 x7 x11 x12 + x1 x7 x9 x11 x12 + x2 x3 x4 x7 x9 + x2 x3 x5 x7 x9 + x2 x3 x6 x7 x11 + x2 x3 x7 x8 x9 + x2 x3 x7 x9 x10 + x2 x3 x7 x9 x11 + x2 x3 x7 x9 x12 + x2 x3 x7 x11 x12 + x2 x3 x9 x11 x12 + x2 x7 x8 x9 x11 + x2 x7 x8 x9 x12 + x2 x7 x9 x10 x11 + x2 x7 x9 x11 x12 + x3 x5 x7 x11 x12 + x3 x7 x8 x9 x11 + x3 x7 x8 x11 x12 + x3 x7 x9 x10 x11 + x4 x7 x9 x11 x12 + x7 x8 x9 x11 x12 + x7 x9 x10 x11 x12 Degree 6 x2 x3 x4 x9 x11 x12 +x2 x3 x6 x7 x9 x11 +x3 x4 x7 x8 x9 x11 +x3 x6 x7 x8 x9 x11 +x2 x3 x7 x10 x11 x12 +x3 x7 x9 x10 x11 x12 + x3 x5 x7 x8 x9 x11 + x1 x2 x3 x7 x10 x11 + x2 x3 x6 x9 x11 x12 + x2 x7 x9 x10 x11 x12 + x1 x3 x4 x7 x11 x12 + x1 x3 x7 x10 x11 x12 + x1 x2 x3 x7 x9 x12 + x2 x3 x6 x7 x11 x12 + x3 x7 x8 x9 x10 x11 + x2 x3 x5 x7 x11 x12 + x3 x5 x6 x7 x9 x11 + x1 x2 x3 x7 x11 x12 + x3 x5 x6 x7 x11 x12 + x1 x3 x7 x8 x11 x12 + x3 x4 x7 x10 x11 x12 + x1 x3 x5 x7 x9 x11 +x2 x3 x5 x7 x10 x11 +x2 x3 x4 x7 x10 x11 +x2 x3 x7 x8 x9 x12 +x2 x3 x4 x7 x9 x12 +x2 x3 x8 x9 x11 x12 + x3 x6 x7 x8 x11 x12 + x4 x5 x6 x7 x8 x11 + x3 x5 x7 x9 x10 x11 + x2 x3 x5 x9 x11 x12 + x2 x3 x9 x10 x11 x12 + x3 x7 x8 x9 x11 x12 +x3 x4 x7 x9 x11 x12 +x1 x2 x3 x5 x7 x11 +x1 x3 x4 x7 x9 x11 +x3 x5 x7 x8 x11 x12 +x2 x3 x4 x5 x7 x11 + x3 x6 x7 x9 x11 x12 +x1 x2 x3 x6 x7 x11 +x2 x3 x5 x7 x8 x11 +x2 x3 x5 x6 x7 x11 +x1 x2 x7 x9 x11 x12 +x2 x3 x7 x8 x9 x11 + 137
138
Appendix B. Algebraic Normal Form of LILI-II Boolean function
x1 x2 x3 x9 x11 x12 + x3 x4 x5 x7 x9 x11 + x3 x4 x6 x7 x11 x12 Degree 7 x3 x5 x6 x7 x10 x11 x12 +x2 x3 x5 x7 x8 x10 x11 +x1 x2 x3 x6 x7 x9 x11 +x1 x3 x5 x7 x8 x9 x11 +x2 x3 x4 x6 x7 x11 x12 + x2 x3 x5 x7 x8 x9 x11 +x2 x3 x4 x5 x6 x7 x11 +x2 x3 x5 x7 x10 x11 x12 +x1 x3 x4 x5 x7 x11 x12 +x1 x3 x6 x7 x9 x10 x11 + x3 x4 x6 x7 x9 x10 x11 +x2 x3 x4 x5 x7 x11 x12 +x3 x5 x6 x7 x9 x11 x12 +x1 x3 x6 x7 x10 x11 x12 +x1 x3 x6 x7 x8 x11 x12 + x4 x5 x6 x7 x8 x11 x12 +x2 x3 x5 x6 x7 x11 x12 +x1 x2 x3 x5 x6 x7 x11 +x2 x3 x4 x7 x10 x11 x12 +x3 x5 x7 x8 x9 x10 x11 + x2 x4 x5 x6 x7 x8 x11 +x1 x3 x4 x7 x9 x11 x12 +x2 x3 x4 x6 x7 x9 x11 +x1 x2 x3 x6 x7 x10 x11 +x2 x3 x4 x7 x9 x10 x11 + x2 x3 x6 x7 x8 x9 x11 +x2 x3 x4 x5 x7 x8 x11 +x3 x5 x6 x7 x9 x10 x11 +x1 x2 x3 x7 x9 x10 x11 +x4 x5 x6 x7 x8 x10 x11 + x1 x2 x3 x7 x8 x11 x12 +x3 x6 x7 x9 x10 x11 x12 +x1 x2 x3 x4 x7 x11 x12 +x2 x3 x6 x7 x8 x11 x12 +x3 x4 x5 x6 x7 x8 x11 + x1 x2 x3 x7 x10 x11 x12 +x1 x3 x5 x7 x8 x11 x12 +x2 x3 x4 x5 x7 x10 x11 +x3 x4 x6 x7 x10 x11 x12 +x3 x4 x6 x7 x9 x11 x12 + x1 x2 x3 x4 x7 x9 x11 +x1 x3 x5 x6 x7 x9 x11 +x3 x4 x7 x9 x10 x11 x12 +x2 x3 x5 x6 x7 x9 x11 +x4 x5 x6 x7 x8 x9 x11 + x3 x5 x7 x8 x9 x11 x12 +x1 x3 x5 x6 x7 x11 x12 +x2 x3 x5 x7 x9 x10 x11 +x1 x3 x4 x7 x8 x11 x12 +x3 x4 x7 x8 x10 x11 x12 + x3 x6 x7 x8 x9 x11 x12 +x1 x3 x4 x5 x7 x9 x11 +x3 x5 x7 x9 x10 x11 x12 +x1 x3 x6 x7 x8 x9 x11 +x1 x3 x5 x7 x10 x11 x12 + x1 x3 x5 x7 x9 x11 x12 +x1 x2 x3 x4 x5 x7 x11 +x1 x3 x4 x6 x7 x9 x11 +x1 x3 x7 x8 x9 x11 x12 +x3 x4 x6 x7 x8 x11 x12 + x2 x3 x5 x7 x9 x11 x12 +x3 x4 x5 x7 x9 x10 x11 +x1 x2 x3 x4 x7 x8 x11 +x1 x2 x3 x4 x6 x7 x11 +x3 x5 x7 x8 x10 x11 x12 + x3 x5 x6 x7 x8 x11 x12 +x3 x6 x7 x8 x10 x11 x12 +x3 x6 x7 x8 x9 x10 x11 +x1 x2 x3 x6 x7 x11 x12 +x3 x4 x5 x7 x8 x11 x12 Degree 8 x1 x2 x3 x4 x6 x7 x9 x11 +x2 x4 x5 x6 x7 x8 x10 x11 +x1 x2 x3 x4 x7 x8 x10 x11 +x1 x2 x3 x4 x7 x8 x9 x11 +x3 x4 x5 x6 x7 x8 x10 x11 + x4 x5 x6 x7 x8 x9 x11 x12 + x3 x4 x7 x8 x9 x10 x11 x12 + x1 x2 x3 x4 x6 x7 x10 x11 + x2 x3 x5 x7 x9 x10 x11 x12 + x2 x3 x5 x7 x8 x10 x11 x12 + x1 x2 x3 x5 x6 x7 x8 x11 + x1 x3 x4 x7 x9 x10 x11 x12 + x1 x3 x6 x7 x9 x10 x11 x12 + x2 x3 x4 x5 x7 x8 x9 x11 + x3 x4 x5 x7 x8 x9 x11 x12 + x3 x4 x5 x6 x7 x9 x10 x11 + x4 x5 x6 x7 x8 x9 x10 x11 + x3 x4 x5 x7 x9 x10 x11 x12 + x2 x3 x4 x5 x7 x10 x11 x12 + x1 x2 x3 x4 x5 x7 x8 x11 + x1 x3 x5 x6 x7 x10 x11 x12 + x2 x4 x5 x6 x7 x8 x9 x11 +x2 x3 x4 x5 x6 x7 x10 x11 +x1 x2 x3 x4 x6 x7 x11 x12 +x2 x3 x4 x5 x6 x7 x8 x11 +x2 x3 x5 x6 x7 x8 x11 x12 + x1 x2 x3 x5 x7 x10 x11 x12 + x1 x2 x3 x6 x7 x8 x11 x12 + x1 x2 x3 x6 x7 x9 x10 x11 + x2 x3 x4 x7 x8 x9 x11 x12 + x2 x3 x4 x6 x7 x9 x10 x11 + x3 x5 x6 x7 x8 x9 x10 x11 + x1 x3 x4 x5 x6 x7 x11 x12 + x2 x3 x4 x5 x7 x8 x10 x11 + x3 x4 x5 x6 x7 x8 x9 x11 + x2 x3 x4 x6 x7 x8 x11 x12 + x1 x3 x4 x7 x8 x9 x11 x12 + x2 x3 x6 x7 x8 x10 x11 x12 + x1 x3 x5 x7 x8 x9 x10 x11 + x1 x2 x3 x6 x7 x10 x11 x12 + x1 x2 x3 x4 x7 x10 x11 x12 + x2 x3 x6 x7 x8 x9 x10 x11 + x2 x3 x4 x5 x6 x7 x11 x12 + x1 x3 x4 x6 x7 x10 x11 x12 + x2 x3 x5 x7 x8 x9 x11 x12 + x2 x3 x4 x7 x8 x10 x11 x12 + x2 x3 x6 x7 x8 x9 x11 x12 + x2 x3 x5 x6 x7 x10 x11 x12 + x1 x2 x3 x5 x7 x9 x10 x11 + x2 x3 x6 x7 x9 x10 x11 x12 + x1 x2 x3 x5 x7 x8 x11 x12 + x1 x2 x3 x4 x7 x9 x11 x12 + x1 x3 x7 x8 x9 x10 x11 x12 + x2 x3 x5 x6 x7 x9 x10 x11 + x2 x3 x7 x8 x9 x10 x11 x12 +x2 x3 x4 x5 x6 x7 x9 x11 +x1 x2 x3 x6 x7 x8 x9 x11 +x2 x3 x5 x6 x7 x8 x9 x11 +x1 x2 x3 x5 x6 x7 x9 x11 + x3 x4 x6 x7 x8 x9 x11 x12 + x1 x2 x3 x4 x7 x9 x10 x11 + x1 x3 x4 x5 x7 x9 x10 x11 + x1 x3 x5 x6 x7 x9 x11 x12 + x4 x5 x6 x7 x8 x10 x11 x12 + x2 x3 x5 x6 x7 x9 x11 x12 + x3 x4 x5 x6 x7 x9 x11 x12 + x1 x3 x6 x7 x8 x9 x11 x12 + x2 x3 x5 x7 x8 x9 x10 x11 + x2 x3 x4 x6 x7 x10 x11 x12 + x2 x4 x5 x6 x7 x8 x11 x12 Degree 9 x1 x3 x4 x5 x6 x7 x9 x11 x12 +x2 x3 x4 x5 x6 x7 x9 x11 x12 +x2 x3 x4 x7 x8 x9 x10 x11 x12 +x1 x2 x3 x4 x6 x7 x9 x10 x11 + x1 x2 x3 x4 x5 x7 x8 x9 x11 +x2 x3 x4 x5 x7 x8 x9 x10 x11 +x2 x3 x5 x7 x8 x9 x10 x11 x12 +x1 x2 x3 x4 x7 x9 x10 x11 x12 + x1 x2 x3 x6 x7 x9 x10 x11 x12 +x4 x5 x6 x7 x8 x9 x10 x11 x12 +x1 x2 x3 x5 x7 x8 x9 x11 x12 +x1 x2 x3 x5 x6 x7 x10 x11 x12 + x1 x2 x3 x4 x5 x7 x9 x11 x12 +x2 x3 x4 x5 x6 x7 x8 x9 x11 +x3 x4 x5 x6 x7 x8 x9 x10 x11 +x2 x4 x5 x6 x7 x8 x9 x10 x11 + x1 x2 x3 x4 x5 x6 x7 x11 x12 +x2 x3 x4 x5 x6 x7 x9 x10 x11 +x1 x2 x3 x5 x6 x7 x8 x9 x11 +x1 x3 x5 x6 x7 x9 x10 x11 x12 + x2 x3 x4 x5 x6 x7 x8 x10 x11 +x2 x3 x4 x6 x7 x9 x10 x11 x12 +x1 x2 x3 x7 x8 x9 x10 x11 x12 +x1 x3 x4 x6 x7 x9 x10 x11 x12 + x2 x4 x5 x6 x7 x8 x10 x11 x12 +x1 x2 x3 x4 x6 x7 x10 x11 x12 +x2 x3 x4 x6 x7 x8 x9 x10 x11 +x2 x4 x5 x6 x7 x8 x9 x11 x12 Degree 10
139
x1 x2 x3 x4 x5 x6 x7 x9 x11 x12 +x1 x2 x3 x4 x6 x7 x9 x10 x11 x12 +x1 x2 x3 x5 x6 x7 x9 x10 x11 x12 +x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 + x2 x4 x5 x6 x7 x8 x9 x10 x11 x12
140
Appendix B. Algebraic Normal Form of LILI-II Boolean function
Bibliography [1] http://www.cryptonessie.org. [2] http://www.ecrypt.eu.org/stream. [3] http://magma.maths.usyd.edu.au/. [4] Minisat 2.0.
http://www.cs.chalmers.se/Cs/Research/FormalMethods/
MiniSat/MiniSat.html/. [5] Bluetooth s.i.g. specification of the bluetooth system, version 1.2, 2003. [6] W. Adams and P. Loustaunau. An Introduction to Gro¨ bner Bases. Amer Mathematical Society, 7 1994. [7] R. Anderson. On Fibonacci keystream generators. In B. Preneel, editor, Fast Software Encryption FSE 1994, volume 1008 of Lecture Notes in Computer Science, pages 346–352. SpringerVerlag, 1994. [8] F. Armknecht. Private communications. [9] F. Armknecht. Improving fast algebraic attacks. In B. Roy and W. Meier, editors, Fast Software Encryption - FSE 2004, volume 3017 of Lecture Notes in Computer Science, pages 65–82. Springer-Verlag, 2004. [10] F. Armknecht and G. Ars. Introducing a new variant of fast algebraic attacks and minimizing their successive data complexity. In E. Dawson and S. Vaudenay, editors, Progress in cryptology - MYCRYPT 2005, volume 3715 of Lecture Notes in Computer Science, pages 16–32. SpringerVerlag, 2005. [11] F. Armknecht, C. Carlet, P. Gaborit, S. Kunzli, W. Meier, and O. Ruatta. Efficient computation of algebraic immunity for algebraic and fast algebraic attacks. In S. Vaudenay, editor, Advances in Cryptology— Eurocrypt 2006, volume 4004 of Lecture Notes in Computer Science, pages 147–164. Springer-Verlag, 2006. [12] F. Armknecht and M. Krause. Algebraic attacks on combiners with memory. In D. Boneh, editor, Advances in Cryptology— CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 162–175. Springer-Verlag, 2003.
141
BIBLIOGRAPHY
142
[13] F. Armknecht and M. Krause. Constructing single- and multi-output boolean functions with maximal algebraic immunity. In M. Bugliesi et al., editor, ICALP 2006, Part II, volume 4052 of Lecture Notes in Computer Science, pages 180–191. Springer-Verlag, 2006. [14] G. Ars, J. Faug´ere, H. Imai, M. Kawazoe, and M. Sugita. Comparison between XL and Gr¨obner basis algorithms. In P. Lee, editor, Advances in Cryptology—ASIACRYPT 2004, volume 3329 of Lecture Notes in Computer Science, pages 338–353. Springer-Verlag, 2004. [15] Telecommunications International Association. B dual-mode cellular system: Authentication, message encryption, voice privacy mask generation, shared secret data generation, a-key verification and test data. Cryptology ePrint Archive, Feburary 1992. [16] S. Babbage. A space/time tradeoff in exhaustive search attacks on stream ciphers. In In European Convention on Security and Detection, volume 408 of Lecture Notes in Computer Science. IEE Conference Publication, 1995. [17] S. Babbage and M. Dodd. The stream cipher mickey-128 (version 1). eSTREAM, ECRYPT Stream Cipher Project, Report 2005/016, 2005. http://www.ecrypt.eu.org/stream. [18] S. Babbage and M. Dodd. The stream cipher MICKEY(version 1). eSTREAM, ECRYPT Stream Cipher Project, Report 2005/015, 2005. http://www.ecrypt.eu.org/stream. [19] S. Babbage and M. Dodd. The stream cipher mickey (version 2). eSTREAM, ECRYPT Stream Cipher Project, Report 2006, 2006. http://www.ecrypt.eu.org/stream. [20] G. Bard, N. Courtois, and C. Jefferson. Efficient methods for conversion and solution of sparse systems of low-degree multivariate polynomials over GF (2) via SAT-solvers. Cryptology ePrint Archive, Report 2007/024, 2007. http://eprint.iacr.org/. [21] E. Barkan, E. Biham, and N. Keller. Instant ciphertext-only cryptanalysis of gsm encrypted communication. In D. Boneh, editor, Advances in Cryptology— CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 600–616. Springer-Verlag, 2003. [22] L. Batten. Algebriac attacks over GF (q). In A. Canteaut and K. Viswanathan, editors, Proceedings of the 5th International Conference on Cryptology in India, INDOCRYPT 2004, volume 3348 of Lecture Notes in Computer Science, pages 84–91. Springer-Verlag, 2004. [23] C. Berbain, O. Billet, A. Canteaut, N. Courtois, B. Debraize, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert. ”Decim - a new stream cipher for hardware applications”. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/004, 2005. http://www.ecrypt.eu.org/stream. [24] T. Berger and M. Minier. Two algebraic attacks against the f-fcsrs using the iv mode. In S. Maitra, C. Madhavan, and R. Venkatesan, editors, Proceedings of the 6th International Conference on Cryptology in India, INDOCRYPT 2005, volume 3797 of Lecture Notes in Computer Science, pages 143–154. Springer-Verlag, 2006. [25] E. Berlekamp, editor. Algebric Coding Theory. McGrew Hill, New York, 1986.
BIBLIOGRAPHY
143
[26] T. Beth and F. C. Piper. The stop-and-go generator. In T. Beth, N. Cot, and I. Ingemarsson, editors, Advances in Cryptology— CRYPTO 95, volume 209 of Lecture Notes in Computer Science, pages 88–92. Springer-Verlag, 1985, 1985. [27] O. Billet and H. Gilbert. Resistance of SNOW 2.0 against algebraic attacks. In A. Menezes, editor, CT-RSA 2005, volume 3376 of Lecture Notes in Computer Science, pages 19–28. SpringerVerlag, 2005. [28] A. Biryukov, A.Shamir, and D. Wagner. Real time cryptanalysis of A5/1 on a pc. In B. Schneier, editor, Fast Software Encryption FSE 2000, volume 1978 of Lecture Notes in Computer Science, pages 1–18. Springer-Verlag, 2000. [29] A. Biryukov and A. Shamir. Cryptanalytic time/memory/data tradeoffs for stream ciphers. In T. Okamoto, editor, Advances in Cryptology—ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 1–13. Springer-Verlag, 2000. [30] S. Blackburn, S. Murphy, F. Piper, and P. Wild. A SOBERing remark. Technical report, Egham,Surrey TW20 0EX, U.K, 1998. [31] Bleichenbacher and Patel. SOBER cryptanalysis. In L. Knudsen, editor, Fast Software Encryption FSE 1999, volume 1636 of Lecture Notes in Computer Science, pages 305–316. SpringerVerlag, 1999. [32] U. Bl¨ocher and M. Dichtl. Fish: A fast software stream cipher. In R. Anderson, editor, Fast Software Encryption FSE 1994, volume 809 of Lecture Notes in Computer Science, pages 41– 44. Springer-Verlag, 1994. [33] M. Boesgaard, M. Vesterage, T. Pedersen, j. Christiansen, and O. Scavenius. Rabbit : a new high performance stream cipher. In T. Johansson, editor, Fast Software Encryption FSE 2003, volume 2887 of Lecture Notes in Computer Science, pages 307–329. Springer-Verlag, 2003. [34] A. Braeken, J. Lano, N. Mentens, B. Preneel, and I. Verbauwhede. ” ”sfinks” : A synchronous stream cipher for restricted hardware environments ”. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/026, 2005. http://www.ecrypt.eu.org/stream. [35] A. Braeken, J. Lano, and B. Preneel. Evaluating the resistance of stream ciphers with linear feedback against fast algebraic attacks. In L. M. Batten and R. Safavi-Naini, editors, Proceedings of Information Security and Privacy - 11th Australasian Conference, ACISP 2006, volume 4058 of Lecture Notes in Computer Science, pages 40–51. Springer-Verlag, 2006. [36] A. Braeken and B. Preneel. On the algebraic immunity of symmetric boolean functions. In S. Maitra, C. Madhavan, and R. Venkatesan, editors, Proceedings of the 6th International Conference on Cryptology in India, INDOCRYPT 2005, volume 3797 of Lecture Notes in Computer Science, pages 35–48. Springer-Verlag, 2006. [37] M. Briceno, I. Goldberg, and D. Wagner. http://www.scard.org., May 1999.
A pedagogical implementation of A5/1.
BIBLIOGRAPHY
144
[38] B. Buchberger. An Algorithm for Finding the Bases Elements of the Residue Class Ring Modulo a Zero Dimensional Polynomial Ideal (German). PhD thesis, University. of Innsbruck, Austria, 1965. [39] B. Buchberger. An algorithmical criterion for the solvability of algebraic systems of equations (german). Aequationes Mathematicae, 4(3):374–384, 1970. [40] B. Buchberger. Some properties of Gr¨obner bases for polynomial ideals. ACM SIGSAM Bulletin, 10(4):19–24, 1976. [41] C. De Canni´ere and B. Preneel. ”Trivium - a stream cipher construction inspired by block cipher design principle”. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/021, 2006. http://www.ecrypt.eu.org/stream. [42] C. Carlet. A method of construction of balanced functions with optimum algebraic immunity. Cryptology ePrint Archive,Available at http://eprint.iacr.org/2006/149, 2006. [43] C. Carlet. On the higher order nonlinearities of algebraic immune functions. In C. Dwork, editor, Advances in Cryptology—CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pages 584–601. Springer-Verlag, 2006. [44] W. Chambers. Two stream ciphers. In R. Anderson, editor, Fast Software Encryption - FSE 1993, volume 809 of Lecture Notes in Computer Science, pages 51–55. Springer-Verlag, 1994. [45] W. Chambers and D. Gollmann. Lock-in effect in cascades of clock-controlled shift-registers. In Christoph G. G¨unther, editor, Advances in Cryptology—EUROCRYPT 88, volume 330 of Lecture Notes in Computer Science, pages 331–344. Springer-Verlag, 1988. [46] W. Chambers and D. Gollmann. Embedding attacks on step[l ..d] clock controlled generators. Electronics Letters, 36(1):1771–1773, 2000. [47] K. Chen, W. Millan, and L. R. Simpson. Perspectives on word based stream ciphers. In proceedings of Cryptographic Algorithms and Their uses, pages 14–28,QUT, July 2004. [48] K. Chen, L. Simpson, M. Henricksen, W. Millan, and E. Dawson. A complete divide and conquer attack on the Alpha 1 stream cipher. In I. Lim and D.H. Lee, editors, Information Security and Cryptology - ICISC 2003, volume 2971 of Lecture Notes in Computer Science, pages 418–431. Springer-Verlag, 2003. [49] Chepyzhov, Johansson, and Smeets. A simple algorithm for fast correlation attacks on stream ciphers. In B. Schneier, editor, Fast Software Encryption FSE 2000, volume 1978 of Lecture Notes in Computer Science, pages 181–195. Springer-Verlag, 2000. [50] J. Cho and J. Pieprzyk. Algebraic attacks on sober-t32 and sober-t16 without stuttering. In B. Roy and W. Meier, editors, Fast Software Encryption - FSE 2004, volume 3017 of Lecture Notes in Computer Science, pages 49–64. Springer-Verlag, 2004. [51] C. Cid, H. Gilbert, and T. Johansson. ”Cryptanalysis of Pomaranch”. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/060, 2005. http://www.ecrypt.eu.org/stream.
BIBLIOGRAPHY
145
[52] C. Cid and G. Leurent. An analysis of the XSL algorithm. In B. Roy, editor, Advances in Cryptology—ASIACRYPT 2005, volume 3788 of Lecture Notes in Computer Science, pages 333– 352. Springer-Verlag, 2005. [53] A. Clark, J. Golic, and E. Dawson. A comparison of fast correlation attakcs. In D. Gollmann, editor, Fast Software Encryption, FSE 1996, volume 1039 of Lecture Notes in Computer Science, pages 145–157. Springer-Verlag, 1996. [54] D. Coppersmith. Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory, 30(4):587–593, 1984. [55] D. Coppersmith, S. Halevi, and C. Jutla. Cryptanalysis of stream ciphers with linear masking. In M. Yung, editor, Advances in Cryptology— CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 515–532. Springer-Verlag, 2002. [56] D. Coppersmith, H. Krawczyk, and Y. Mansour. The shrinking generator. In D. Stinson, editor, Advances in Cryptology—CRYPTO 93, volume 773 of Lecture Notes in Computer Science, pages 22–39. Springer-Verlag, 1993. [57] N. Courois, A. Klimov, J. Patarin, and A. Shamir. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In B. Preneel, editor, Advances in Cryptology— EUROCRYPT 2003, volume 1807 of Lecture Notes in Computer Science, pages 392–407. Springer-Verlag, 2000. [58] N. Courtois. The security of hidden field equations (HFE). In D. Naccache, editor, Progress in Cryptology - CT-RSA 2001, volume 2020 of Lecture Notes in Computer Science, pages 266–281. Springer-Verlag, 2001. [59] N. Courtois. Higher order correlation attacks, XL algorithm and cryptanalysis of toyocrypt. In P-J. Lee and C-H. Lim, editors, Information Security and Cryptology - ICISC 2002, volume 2587 of Lecture Notes in Computer Science, pages 182–199. Springer-Verlag, 2002. [60] N. Courtois. Fast algebraic attacks on stream ciphers with linear feedback. In D. Boneh, editor, Advances in Cryptology—CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 176–194. Springer-Verlag, 2003. [61] N. Courtois. Algebraic attacks on combiners with memory and several outputs. In C. Park and S. Chee, editors, Information Security and Cryptology ICISC 2004, volume 3506 of Lecture Notes in Computer Science, pages 3–20. Springer-Verlag, 2005. [62] N. Courtois. Cryptanalysis of Sfinks. In D. Won and S. Kim, editors, Information Security and Cryptology ICISC 2005, volume 3935 of Lecture Notes in Computer Science, pages 261–269. Springer-Verlag, 2006. [63] N. Courtois and G. Bard. Algebraic cryptanalysis of the data encryption standard. Cryptology ePrint Archive, Report 2006/402, 2006. http://eprint.iacr.org/.
BIBLIOGRAPHY
146
[64] N. Courtois, B. Debraize, and E. Garrido. On exact algebraic [non-]immunity of s-boxes based on power functions. In L. M. Batten and R. Safavi-Naini, editors, Proceedings of Information Security and Privacy - 11th Australasian Conference, ACISP 2006, volume 4058 of Lecture Notes in Computer Science, pages 76–86. Springer-Verlag, 2006. [65] N. Courtois and W. Meier. Algebraic attacks on stream ciphers with linear feedback. In E. Biham, editor, Advances in Cryptology—EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 346–359. Springer-Verlag, 2003. [66] N. Courtois and J. Patarin. About the XL algorithm over GF (2). In M. Joye, editor, Topics in Cryptology - CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 141–157. Springer-Verlag, 2003. [67] N. Courtois and J. Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. In Y. Zheng, editor, Advances in Cryptology—ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science, pages 267–287. Springer-Verlag, 2002. [68] Dalai, Deepak, Maitra, Subhamoy, Sarkar, and Sumanta. Basic theory in construction of boolean functions with maximum possible annihilator immunity. Designs, Codes and Cryptography, 40(1):41–58, July 2006. [69] D. Dalai, K. Gupta, and S. Maitra. Results on algebraic immunity for cryptographically significant boolean functions. In A. Canteaut and K. Viswanathan, editors, 5th International Conference on Cryptology in India - INDOCRYPT 2005, volume 3348 of Lecture Notes in Computer Science, pages 92–106. Springer-Verlag, 2006. [70] D. Dalai, K. Gupta, and Subhamoy Maitra. Cryptographically significant boolean functions: Construction and analysis in terms of algebraic immunity. In H. Gilbert and H. Handschuh, editors, Fast Software Encryption - FSE 2005, volume 3557 of Lecture Notes in Computer Science, page 98111. Springer-Verlag, 2005. [71] E. Dawson. Cryptanalysis of summation generator. In J. Seberry and Y. Zheng, editors, Advances in Cryptology —ASIACRYPT 1992, volume 718 of Lecture Notes in Computer Science, pages 209–215. Springer-Verlag, 1993. [72] E. Dawson. Design and analysis of symmetric ciphers. PhD thesis, Information security reserach center,Faculty of information technology, Queensland University of Technology, Feb 1991. [73] E. Dawson, A. Clark, J. Goli´c, W. Millan, L. Penna, , and L. Simpson. The LILI-128 keystream generator. NESSIE submission, in the proceedings of the First Open NESSIE Workshop (Leuven, November 2000) and available at http://www.cryptonessie.org. [74] E. Dawson, J. Goli´c, W. Millan, , and L. Simpson. Response to initial report on LILI-128. NESSIE submission, available at http://www.cryptonessie.org. [75] E. Dawson and L. Nielsen. Automated cryptanalysis of xor plaintext string. Cryptologia, 10(2):25–40, April 1996.
BIBLIOGRAPHY
147
[76] F. Didier. Using wiedemanna algorithm to compute the immunity against algebraic and fast algebraic attacks. In T. Lange R. Barua, editor, Proceedings of the 7th International Conference on Cryptology in India, INDOCRYPT 2006, volume 4329 of Lecture Notes in Computer Science, pages 236–250. Springer-Verlag, 2006. [77] F. Didier and J-P. Tillich. Computing the algebraic immunity efficiently. In M. Robshaw, editor, Fast Software Encryption - FSE 2006, volume 4047 of Lecture Notes in Computer Science, pages 359–374. Springer-Verlag, 2006. [78] C. Diem. The XL-algorithm and a conjecture from commutative algebra. In P. Lee, editor, Advances in Cryptology—ASIACRYPT 2004, volume 3329 of Lecture Notes in Computer Science, pages 323–337. Springer-Verlag, 2004. [79] C. Diem. The XL algorithm and a conjecture from commutative algebra. In P. Lee, editor, Advances in Cryptology—ASIACRYPT 2004, volume 3329 of Lecture Notes in Computer Science, pages 323–337. Springer-Verlag, 2004. [80] M. Krause E. Zenner and S. Lucks. Improved cryptanalysis of the self-shrinking generator. In V. Varadharajan and Y. Mu, editors, Proceedings of Information Security and Privacy - 6th Australasian Conference, ACISP 2001, volume 2119 of Lecture Notes in Computer Science, pages 21–35. Springer-Verlag, 2001. [81] P. Ekdahl and T. Johansson. Distinguishing attacks on SOBER-t16 and t32. In V. Rijmen J. Daemen, editor, Fast Software Encryption FSE 2002, volume 2365 of Lecture Notes in Computer Science, pages 210–224. Springer-Verlag, 2002. [82] P. Ekdahl and T. Johansson. Another attack on A5/1. IEEE Transactions on Information Theory, 49(1):284–289, 2003. [83] P. Ekdahl, W. Meier, and T. Johansson. Predicting the shrinking generator with fixed connections. In E. Biham, editor, Advances in Cryptology—EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 330–344. Springer-Verlag, 2003. [84] P. Ekhdal and T. Johansson. A new version of the stream cipher SNOW. In H. Heys K. Nyberg, editor, Selected Areas in Cryptography: 5th Annual International Workshop - SAC 2002, volume 2595 of Lecture Notes in Computer Science, pages 47–61. Springer-Verlag, 2002. [85] H. Englund, M. Hell, and T. Johansson. Two general attacks on pomaranch-like keystream generators. eSTREAM, ECRYPT Stream Cipher Project, Report 2007/001, 2006. [86] H. Englund and T. Johansson. A new distinguisher for clock controlled stream ciphers. In H. Gilbert and H. Handschuh, editors, Fast Software Encryption - FSE 2005, volume 3557 of Lecture Notes in Computer Science, pages 181–195. Springer-Verlag, 2005. [87] H˚akan Englund and T. Johansson. A new distinguisher for clock controlled stream ciphers. In H. Gilbert and H.Handschuh, editors, Fast Software Encryption - FSE 2005, volume 3557 of Lecture Notes in Computer Science, pages 181–195. Springer-Verlag, 2005.
BIBLIOGRAPHY
148
[88] J-C. Faug´ere. A new efficient algorithm for computing Gr¨obner bases (f 4). Journal of Pure and Applied Algebra, 139:61–88, 1999. [89] J-C. Faug´ere. A new eficient algorithm for computing Gr¨obner bases without reduction to zero f 5. In T. Mora, editor, Proceedings of ISSAC 2002, pages 75–83. ACM Press, 2002. [90] J-C. Faug´ere and G. Ars. An algebraic cryptanalysis of nonlinear filter generator using Gr¨obner bases. Technical report, 2003. [91] N. Ferguson, D. Whiting, B. Schneier, J. Kelsey, S. Lucks, and T. Kohno. Helix fast encryption and authentication in a single cryptographic primitive. In T. Johansson, editor, Fast Software Encryption FSE 2003, volume 2887 of Lecture Notes in Computer Science, pages 330–346. Springer-Verlag, 2003. [92] S. Fluhrer, I. Mantin, and A. Shamir. Weaknesses in the key scheduling algorithm of RC4. In S. Vaudenay and A. Youssef, editors, Selected Areas in Cryptography: 8th Annual International Workshop - SAC 2001, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer-Verlag, 2001. [93] B. Gammel, Rainer Gttfert, and O. Kniffler. ”the Achterbahn stream cipher”. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/002, 2005. http://www.ecrypt.eu.org/ stream. [94] B. Gammel, Rainer Gttfert, and O. Kniffler. ”status of Achterbahn and tweaks”. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/027, 2006. http://www.ecrypt.eu.org/ stream. [95] P. Geffe. How to protect data with with ciphers that are really hard to break. Electronics, 46(1):99–101, January 1973. [96] W. Geiselmann and D. Gollmann. Correlation attacks on cascades of clock controlled shift registers. In T. Matsumoto K. Kim, editor, ASIACRYPT, volume 1163 of Lecture Notes in Computer Science, pages 346–359. Springer-Verlag, 1996. [97] I. Goldberg, D. Wagner, and L. Green. The (real-time) cryptanalysis of A5/2. Presented at the Rump Session of Crypto’99, 1999. [98] J. Goli´c. Linear cryptanalysis of stream ciphers. In Fast Software Encryption FSE 1994, volume 1008 of Lecture Notes in Computer Science, pages 66–77. Springer-Verlag, 1994. [99] J. Goli´c. Towards fast correlation attacks on irregularly clocked shift registers. In L. Guillou and J Quisquater, editors, Advances in Cryptology—EUROCRYPT 95, volume 921 of Lecture Notes in Computer Science, pages 248–262. Springer-Verlag, 1995. [100] J. Goli´c. Correlation properties of a general binary combiner with memory. Journal of Cryptology, 9(2):111–126, 1996. [101] J. Goli´c. On the security of nonlinear filter generators. In D. Gollmann, editor, Fast Software Encryption FSE 1996, volume 1039 of Lecture Notes in Computer Science, pages 173–188. Springer-Verlag, 1996.
BIBLIOGRAPHY
[102] J. Goli´c.
Cryptanalysis of alleged A5 stream cipher.
149
In W. Fumy, editor, Advances in
Cryptology— EUROCRYPT 97, volume 1233 of Lecture Notes in Computer Science, pages 239– 255. Springer-Verlag, 1997. [103] J. Goli´c. Linear statistical weakness of alleged RC4 keystream generator. In W. Fumy, editor, Advances in Cryptology— Eurocrypt 97, volume 1233 of Lecture Notes in Computer Science, pages 226–238. Springer-Verlag, 1997. [104] J. Goli´c. Correlation analysis of the shrinking generator. In K. Joe, editor, Advances in Cryptology—CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 440– 457. Springer-Verlag, 2001. [105] J. Goli´c and R. Menicocci. Edit distance correlation attack on the alternating step generator. In B. Kaliski, editor, Advances in Cryptology— CRYPTO 97, volume 1294 of Lecture Notes in Computer Science, pages 499–512. Springer-Verlag, 1997. [106] J. Goli´c and R. Menicocci. Correlation analysis of the alternating step generator. In B. Kaliski, editor, Designs, Codes and Cryptography, volume 31 of Lecture Notes in Computer Science, pages 51–74. Springer-Verlag, 2004. [107] J. Goli´c and L. O’Connor. Embedding and probabilistic correlation attacks on clock-controlled shift registers. In Alfredo De Santis, editor, Advances in Cryptology—EUROCRYPT 94, volume 950 of Lecture Notes in Computer Science, pages 230–243. Springer-Verlag, 1995, 1994. [108] J. Goli´c and S. V. Petrovic. Correlation attacks on clock-controlled shift registers in keystream generators. IEEE Trans. Computers, 45(4):482–486, 1996. [109] J. Goli´c, M. Salmasizadeh, E. Dawson, and A. Khodkar. Cryptanalysis of the summation generator with three input lfsrs. International Symposium on Information Theory and its Applications 1996, 1:343–346, Oct 1949. [110] D. Gollmann. Pseudo random properties of cascade connections of clock controlled shift registers. In T. Beth, N. Cot, and I. Ingemarsson, editors, Advances in Cryptology—EUROCRYPT 84, volume 209 of Lecture Notes in Computer Science, pages 93–98. Springer-Verlag, 1985. [111] D. Gollmann and W. Chambers. Clock-controlled shift registers: a review. IEEE Journal on Selected Areas in Communications, 7:525–533, 1989. [112] S. Golomb. Shift register sequences. Holden Day, 1967. [113] G. Gong and Y. Nawaz. The WG stream cipher”. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/033, 2005. http://www.ecrypt.eu.org/stream. [114] A. Gouget and H. Sibert. The bit-search generator. The State of the Art of Stream Ciphers: Workshop Record, Brugge, Belgium, October 2004. [115] C. G¨unther. Alternating step generators controlled by deBruijn sequences. In D. Chaum and W. Price, editors, Advances in Cryptology—EUROCRYPT 87, volume 304 of Lecture Notes in Computer Science, pages 5–14. Springer-Verlag, 1987.
BIBLIOGRAPHY
150
[116] S. Halevi, D. Coppersmith, and C. Jutla. Scream: a software-efficient stream cipher. In J. Daemen and V. Rijmen, editors, Fast Software Encryption FSE 2002, volume 2365 of Lecture Notes in Computer Science, pages 195–209. Springer-Verlag, 2002. [117] M. Hasanzadeh, S. Khazaei, and A. Kholosha. On IV setup of pomaranch. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/082, 2005. [118] P. Hawekes and G. Rose. Primitive specification and supporting documentation for the sober-t-32 submission to NESSIE. 2000. [119] P. Hawkes and G. Rose. Exploiting multiples of the connection polynomial in word-oriented stream ciphers. In T. Okamoto, editor, Advances in Cryptology— ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 303–316. Springer-Verlag, 2000. [120] P. Hawkes and G. Rose. Guess-and-determine attacks on SNOW. In H. Heys K. Nyberg, editor, Selected Areas in Cryptography: 5th Annual International Workshop - SAC 2002, volume 2595 of Lecture Notes in Computer Science, pages 37–46. Springer-Verlag, 2002. [121] P. Hawkes and G. Rose. Rewriting variables: The complexity of fast algebraic attacks on stream ciphers. In M. Franklin, editor, Advances in Cryptology—CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 390–406. Springer-Verlag, 2004. [122] M. Hell and T. Johansson. Some attacks on the bit-search generator. In H. Gilbert and H.Handschuh, editors, Fast Software Encryption - FSE 2005, volume 3557 of Lecture Notes in Computer Science, pages 215–227. Springer-Verlag, 2005. [123] M. Hell, T. Johansson, A. Maximov, and W. Meier. A stream cipher proposal: Grain-128. To appear at the IEEE International Symposium on Information Theory 2006, Seattle, USA, 2006. [124] M. Hell, T. Johansson, and W. Meier. ”Grain - a stream cipher for constrained environments”. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/010, 2005. http://www.ecrypt. eu.org/stream. [125] T. Helleseth, C. Jansen, S. Khazaei, and A. Kholosha. Security of jump controlled sequence generators for stream ciphers. In G. Gong, Tor Helleseth, H-Y. Song, and Kyeongcheol Yang, editors, SETA 2006, volume 4086 of Lecture Notes in Computer Science, pages 141–152. SpringerVerlag, 2006. [126] T. Helleseth, C. Jansen, and A. Kholosha. Pomaranch - design and analysis of a family of stream ciphers. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/008, 2006. [127] J. Hong and Woo-Hwan Kim. ”Tmd-Tradeoff and State Entropy Loss Considerations of Streamcipher MICKEY”. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/055, 2005. http://www.ecrypt.eu.org/stream. [128] C. Jansen, T. Helleseth, and A. Kholosha. Cascade jump controlled sequence generator and pomaranch stream cipher (version 3). eSTREAM, ECRYPT Stream Cipher Project, Report 2006/06, 2006.
BIBLIOGRAPHY
151
[129] C. Jansen and A. Kolosha. Cascade jump controlled sequence generator (cjcsg) pomaranch. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/022, 2005. [130] T. Johansson. Reduced complexity correlation attacks on two clock-controlled generators. In K. Otha and D. Pei, editors, Advances in Cryptology—ASIACRYPT 98, volume 1541 of Lecture Notes in Computer Science, pages 342–356. Springer-Verlag, 1998. [131] T. Johansson and F. J¨onsson. Fast correlation attacks based on turbo code techniques. In J. Stern, editor, Advances in Cryptology— CRYPTO 1999, volume 1666 of Lecture Notes in Computer Science, pages 181–197. Springer-Verlag, 1999. [132] T. Johansson and F. Jonsson. Improved fast correlation attacks on stream ciphers via convolutional codes. In J. Stern, editor, Advances in Cryptology— EUROCRYPT 1999, volume 1592 of Lecture Notes in Computer Science, pages 347–362. Springer-Verlag, 1999. [133] D. Kahn, editor. The CodeBreakers: The Story of Secret Writing. Macmillan Publishing, New York, 1967. [134] A. Kanso. Clock-Controlled Generators. PhD thesis, Royal Holloway University of London, Egham, London, 1999. [135] A. Kerckhoffs. La cryptographie militaire. Journal des Sciences Militaires, pages 161–191, 1883. [136] E. Key. An analysis of the structure and complexity of nonlinear binary sequence generators. IEEE Trans. Information Theory, IT-22(6):732–736, 1976. [137] S. Khazaei. ”Cryptanalysis of Pomaranch (CJCSG)”). eSTREAM, ECRYPT Stream Cipher Project, Report 2005/065, 2005. http://www.ecrypt.eu.org/stream. [138] A. Kipnis and A. Shamir. Cryptanalysis of the hfe public key cryptosystem by relinearization. In M. Wiener, editor, Advances in Cryptology—CRYPTO 1999, volume 1666 of Lecture Notes in Computer Science, pages 19–30. Springer-Verlag, 1999. [139] K. Komninos, B. Honary, and M. Darnell. An efficient stream cipher for mobile and wireless devices. In B. Honary, editor, Cryptography and Coding - 8th IMA International Conference 2001, volume 2260 of Lecture Notes in Computer Science, pages 294–300. Springer-Verlag, 2001. [140] D. H. Lee, J. Kim, J. Hong, J. W. Han, and D. Moon. Algebraic attacks on summation generators. In B. Roy and W. Meier, editors, Fast Software Encryption - FSE 2004, volume 3017 of Lecture Notes in Computer Science, pages 34–48. Springer-Verlag, 2004. [141] N. Li and W-F. Qi. Construction and analysis of boolean functions of 2t + 1 variables with maximum algebraic immunity. In X. Lai and K. Chen, editors, Advances in Cryptology—ASIACRYPT 2006, volume 4284 of Lecture Notes in Computer Science, pages 84–98. Springer-Verlag, 2006. [142] Y. Lu, W. Meier, and S. Vaudenay. The conditional correlation attack: A practical attack on bluetooth encryption. In V. Shoup, editor, Advances in Cryptology—CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 97–117,. Springer-Verlag, 2005.
BIBLIOGRAPHY
152
[143] J. Massey. Shift-register synthesis and BCH decoding. IEEE Trans. Information Theory, IT15:122–127, 1969. [144] A. Maximov, T. Johansson, and S. Babbage. An improved correlation attack on A5/1. In M. Hasan H. Handschuh, editor, Selected Areas in Cryptography: 11th Annual International Workshop - SAC 2004, volume 3357 of Lecture Notes in Computer Science, pages 1–18. Springer-Verlag, 2004. [145] C. McDonald, C. Charnes, and J. Pieprzyk. ”attacking bivium with minisat”. eSTREAM, ECRYPT Stream Cipher Project, Report 2007/040, 2007. http://www.ecrypt.eu.org/ stream. [146] W. Meier, E. Pasalic, and C. Carlet. Algebraic attacks and decomposition of boolean functions. In C. Cachin and J. Camenisch, editors, Advances in Cryptology— Eurocrypt 2004, volume 3027 of Lecture Notes in Computer Science, pages 474–491. Springer-Verlag, 2004. [147] W. Meier and O. Staffelbach. Fast correlation attacks on stream ciphers (extended abstract). In C. G¨unther, editor, Advances in Cryptology—EUROCRYPT 88, volume 330 of Lecture Notes in Computer Science, pages 301–314. Springer-Verlag, 1988. [148] W. Meier and O. Staffelbach. Fast corelation attacks on certain stream ciphers. Journal of Cryptology, 1:159–176, 1989. [149] W. Meier and O. Staffelbach. The self-shrinking generator. In A. De Santis, editor, Advances in Cryptology—EUROCRYPT 94, volume 950 of Lecture Notes in Computer Science, pages 205–214. Springer-Verlag, 1995, 1999. [150] A. Menezes, P. Oorschot, and S. Vanstone, editors. Handbook of Applied cryptography. Discrete Mathimatics and its Applications. CRC Press, 1996. [151] A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997. [152] R. Menicocci. Cryptanalysis of a two stage gollmann cascade generator. In Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, volume 4, page 6269. Springer-Verlag, 1993. [153] R. Menicocci and J. Goli´c. Edit probability correlation attack on bilateral stop/go generator. In M. Walker, editor, Cryptography and Coding - 6th IMA International Conference 1999, volume 1746 of Lecture Notes in Computer Science, pages 202–212. Springer-Verlag, 1999. [154] M. Mihaljevic. An approach to the initial state reconstruction of a clock-controlled shift register based on a novel distance measure. In J. Seberry and Y. Zheng, editors, Advances in Cryptology—AUSCRYPT 92, volume 718 of Lecture Notes in Computer Science, pages 349– 356. Springer-Verlag, 1992. [155] W. Millan. Low order approximation of cipher functions. In Cryptography: Policy and Algorithms (CPAC’95), volume 1029 of Lecture Notes in Computer Science, pages 144–155. Springer-Verlag, 1995.
BIBLIOGRAPHY
153
[156] W. Millan. A report on word based stream ciphers. Internal Report, ISRC, QUT, 2003. [157] W. Millan. New results on binary bent functions. International Symposium on Information Theory and its Applications, pages 1013–1016, November 1994. [158] C. Mitchell. Remarks on the security of the Alpha 1 stream cipher. Egham,Surrey TW20 0EX, U.K, 2001.
Technical report,
[159] H. Molland. Improved linear consistency attack on irregular clocked keystream generators. In B. Roy and W. Meier, editors, Fast Software Encryption FSE 2004, volume 3017 of Lecture Notes in Computer Science, pages 109–126. Springer-Verlag, 2004. [160] H. Molland and Tor Helleseth. An improved correlation attack against irregular clocked and filtered keystream generators. In M. Franklin, editor, Advances in Cryptology—CRYPTO 2004, volume 3152, pages 373–389. Springer-Verlag, 2004. [161] S. Rønjom and T. Helleseth. Breaking of the filter generator. accepted by IEEE Transactions on Information Theory. [162] S. Rønjom and T. Helleseth. Attacking the filter generator over GF (2 m ). SASC, the State of the Art of Stream Ciphers, 2007. [163] National Bureau of Standards. Data encryption standard. Federal Information Processing Standard (FIPS, 1977. [164] S-J. Park, S-J. Lee, , and S-C. Goh. On the security of the gollmann cascades. In D. Coppersmith, editor, Advances in Cryptology—CRYPTO 95, volume 963 of Lecture Notes in Computer Science, pages 148–156. Springer-Verlag, 1995. [165] S. Petrovic and A. F.-Sabater. Cryptanalysis of the A5/2 algorithm. Cryptography ePrint Archive, Report 2000/052, 2000. [166] V.S. Pless. Encryption schemes for computer confidentiality. IEEE Trnas.Comput, C-26:1133– 1136, November 1977. [167] H. Raddum. ”Cryptanalytic results on Trivium”. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/039, 2006. http://www.ecrypt.eu.org/stream. [168] G. Rose and P. Hawkes. Turing : a fast stream cipher. In T. Johansson, editor, Fast Software Encryption FSE 2003, volume 2887 of Lecture Notes in Computer Science, pages 290–306. Springer-Verlag, 2003. [169] R. Rueppel. New Approaches to Stream Ciphers. PhD thesis, Swiss Federal Institute of Technology Zurich, Zurich,Switzerland, 1984. [170] R. Rueppel, editor. Analysis and Design of Stream Ciphers. Springer-Verlag, Berlin, 1986. [171] R. Rueppel. When shift registers clock themselves. In D. Chaum and W. Price, editors, Advances in Cryptology—EUROCRYPT 87, volume 304 of Lecture Notes in Computer Science, pages 53– 64. Springer-Verlag, 1988, 13–15 1987.
BIBLIOGRAPHY
154
[172] R. A. Rueppel. Stream ciphers. In Gustavus J. Simmons (Ed.), Contemporary Cryptology :The Science of Information Integrity, IEEE Press. 1992. [173] M. Saarinen. A time-memory tradeoff attack against LILI-128. In J. Daemen and V. Rijmen, editors, Fast Software Encryption - FSE 2002, volume 2365 of Lecture Notes in Computer Science, pages 231–236. Springer-Verlag, 2002. [174] M. Salmasizadeh. statistical and corelation analysis of certain shift register based stream ciphers. PhD thesis, Information security reserach center,Faculty of information technology,School of data comminications, Queensland university of technology, June 1997. [175] M. Salmasizadeh, J. Goli´c, E. Dawson, and L. Simpson. A systematic procedure for applying fast correlation attacks to combiners with memory. In Selected Areas in Cryptography: 4th Annual International Workshop - SAC 1997, Lecture Notes in Computer Science, pages 102– 116. Springer-Verlag, 1997. [176] P. Sarkar. Hiji-bij-bij: A new stream cipher with self-synchronizing and mac modes of operation. In Proceedings of the 3th International Conference on Cryptology in India, INDOCRYPT 2003, volume 2904 of Lecture Notes in Computer Science, pages 36–51. Springer-Verlag, 2003. [177] F. Sato and K. Kurosawa. On the randomness of a [d, k] self-decimation stream key generator. [178] C. Shannon.
Communication theory of secrecy systems.
Bell System Technical Journal,
28(1):656–715, Oct 1949. [179] T. Siegenthaler. Decrypting a class of stream ciphers using ciphertext only. IEEE Transactions on Computers, C-34(1):81–85, January -1985. [180] T. Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory, 30(5):776–780, September-1984. [181] L. Simpson, E. Dawson, J. Fuller, J. Goli´c, H. J. Lee, W. Millan, S. J. Moon, and A. Clark. The LILI-II keystream generator. In L. Batten and J. Seberry, editors, Proceedings of Information Security and Privacy - 7th Australasian Conference, ACISP 2002, volume 2384 of Lecture Notes in Computer Science, pages 25–39. Springer-Verlag, 2002. [182] L. Simpson, E. Dawson, J. Goli´c, and W. Millan. LILI keystream generator. In D. Stinson and S. Tavares, editors, Selected Areas in Cryptography: 7th Annual International Workshop - SAC 2000, volume 2012 of Lecture Notes in Computer Science, pages 248–261. Springer-Verlag, 2001. [183] L. Simpson, J. Goli´c, and E. Dawson. A probabilisitic attack on the shrinking generator. In C. Boyd and E. Dawson, editors, Proceedings of Information Security and Privacy, ACISP 1998, volume 1438 of Lecture Notes in Computer Science, pages 147–158. Springer-Verlag, 1998. [184] L. Simpson, J. Goli´c, M. Salmasizadeh, and E. Dawson. Fast correlation attacks on the multiplexer generator. In ISIT98, pages 270–270, August 1998. [185] S. Singh, editor. The Code Book.
BIBLIOGRAPHY
155
[186] V. Strassen. Gaussian elimination is not optimal. Numerische Mathematik, 13:354–356, 1969. [187] K. Sugimoto, T. Chikaraishi, and T. Morizumi. Design criteria and security evaluations on certain stream ciphers. Technical report, University of Mannheim, Germany, 2000. [188] Emmanuel. Thom´e. Computation of discrete logarithms in F 2607 . In C. Boyd, editor, Advances in Cryptology—ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 107–124. Springer-Verlag, 2001. [189] G. Vernam. Cipher printing telegraph system for secret wire and radio telegraphic communications. Journal of American Institute of Electrical Engineers, 45:109–115, 1926. [190] D. Wagner. Analysis of CAVE: A first look. David Wagner described inversion and custom attacks on CAVE, 20 April 1998. [191] D. Wagner, B. Schneier, and J. Kelsey. Cryptanalysis of the cellular message encryption algorithm. In Advances in Cryptology— CRYPTO 1997, volume 1294 of Lecture Notes in Computer Science, pages 526–537. Springer-Verlag, 1997. [192] D. Wagner, L. Simpson, E. Dawson, J. Kelsey, W. Millan, and B. Schneier. Cryptanalysis of ORYX. In H. Meijer S. Tavares, editor, Selected Areas in Cryptography: 5th Annual International Workshop - SAC 1998, volume 1556 of Lecture Notes in Computer Science, pages 296–305. Springer-Verlag, 1998. [193] D. Watanabe, A. Biryukov, , and C. De Canni´ere. A distinguishing attack of SNOW 2.0 with linear masking method. In M. Matsui and R. Zuccherato, editors, SAC 2003: Annual International Workshop on Selected Areas in Cryptography, volume 3006 of Lecture Notes in Computer Science, pages 222–233. Springer-Verlag, 2003. [194] D. Watanable, S. Furuya, H. Yoshida, and K. Takaragi. A new stream generator MUGI. In J. Daemen and V. Rijmen, editors, Fast Software Encryption FSE 2002, volume 2365 of Lecture Notes in Computer Science, pages 179–194. Springer-Verlag, 2002. [195] D. H. Wiedemann. Solving sparse linear equations over finite fields. IEEE Transactions on Information Theory, 32(1):54–62, 1986. [196] H. Wu. Cryptanalysis of stream cipher Alpha 1. In L. Batten and J. Seberry, editors, Proceedings of Information Security and Privacy - 7th Australasian Conference ACISP 2002, volume 2384 of Lecture Notes in Computer Science, pages 169–175. Springer-Verlag, 2002. [197] B. Yang and J. Chen. All in the XL family: Theory and practice. In S. Chee C. Park, editor, Information Security and Cryptology ICISC 2004, volume 3506 of Lecture Notes in Computer Science, pages 67–86. Springer-Verlag, 2005. [198] B-Y. Yang, J-M. Chen, and Nicolas T. Courtois. On asymptotic security estimates in XL and Gr¨obner bases-related algebraic cryptanalysis. In J. L´opez, S. Qing, and E. Okamoto, editors, Information Security and Cryptology ICISC 2004, volume 3269 of Lecture Notes in Computer Science, pages 401–413. Springer-Verlag, 2004.
BIBLIOGRAPHY
156
[199] K. Zeng, C. Yang, and T. Rao. An improved linear syndrome algorithm in cryptanalysis with applications. In A. Vanstone and A. Menezes, editors, Advances in Cryptology—CRYPTO 90, volume 537, pages 34–48. Springer-Verlag, 1990. [200] K. Zeng, C-H. Yang, and T. R. N. Rao. Large primes in stream cipher cryptography. In J. Seberry and J. Pieprzyk, editors, AUSCRYPT 90: Proceedings of the International Conference on Cryptology, volume 453 of Lecture Notes in Computer Science, pages 194–205. Springer-Verlag, 1990. [201] E. Zenner. On the efficiency of the clock control guessing attack. In C-H. Lim P-J. Lee, editor, Information Security and Cryptology - ICISC 2002, volume 2587 of Lecture Notes in Computer Science, pages 200–212. Springer-Verlag, 2002. [202] E. Zenner. Cryptanalysis of LFSR-based pseudorandom generators - a survey. Technical report, University of Mannheim, Germany, 2004. [203] H. Zhang, L. Li, and X. Wang. Fast correlation attack on stream cipher abc v3. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/049, 2006. http://www.ecrypt.eu.org/ stream. [204] X. Zhang, J. Pieprzyk, and Y. Zheng. On algebraic immunity and annihilators. In M. Rhee and B. Lee, editors, Information Security and Cryptology ICISC 2006, volume 4296 of Lecture Notes in Computer Science, pages 65–80. Springer-Verlag, 2006. [205] M. V. Zivkovic. An algorithm for the initial state reconstruction of the clock-controlled shift register. IEEE Transactions on Information Theory, 37(5):1488, 1991.
