Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC.



2 Overview (slide footer: KULeuven, ESAT/COSIC)
1. Introduction to DECIM
2. Key Recovery Attack (on Initialization)
3. Distinguishing Attack
4. Conclusion

3 Description of DECIM (1)
Submission to eSTREAM: 80-bit key, 64- or 80-bit IV, hardware-efficient stream cipher (profile II).
Main features:
1. ABSG decimation algorithm (similar to the self-shrinking generator, 25% more efficient)
2. Buffer for a constant output rate

4 Description of DECIM (2)
Keystream generation (figure on the slide)

5 Description of DECIM (3)
DECIM consists of:
- a 192-bit regularly clocked LFSR (14 taps)
- two filtering functions (different tap positions)
- ABSG decimation: split the sequence into the form ...; if i = 0, output the bit b; otherwise, output the inverse of b
- a 32-bit buffer: for every 4/3 input bits, only one output bit
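The ABSG decimation rule stated on this slide, as an added example (not the authors' code): the input is split into patterns consisting of a bit b, a run of i inverted bits and a closing b, and the output is b when i = 0 and the inverse of b otherwise, which is simply the second bit of each pattern. The random input and the helper `absg_rate` are constructed here to show the one-in-three decimation rate.

```python
import random

def absg(bits):
    """ABSG decimation as on slide 5.

    The input is split into patterns (b, ~b^i, b), i >= 0: a bit b, a run
    of i inverted bits, and a closing b.  The pattern's output is b when
    i == 0 and the inverse of b otherwise, i.e. always the pattern's
    second bit.  A trailing, unclosed pattern produces no output.
    """
    out = []
    i, n = 0, len(bits)
    while i + 1 < n:
        b = bits[i]
        z = bits[i + 1]                  # output = second bit of the pattern
        i += 1
        while i < n and bits[i] != b:    # skip the run of inverted bits
            i += 1
        if i >= n:                       # pattern not closed before the end
            break
        i += 1                           # consume the closing b
        out.append(z)
    return out

def absg_rate(n_bits, seed=0):
    """Output bits per input bit on a constructed random input.

    A pattern has length i + 2 with probability 2^-(i+1), so the mean
    pattern length is 3 and ABSG keeps about one input bit in three.
    """
    rng = random.Random(seed)            # constructed sample input
    src = [rng.getrandbits(1) for _ in range(n_bits)]
    return len(absg(src)) / n_bits

if __name__ == "__main__":
    # patterns 0110 (i = 2, output ~b = 1) and 10001 (i = 3, output ~b = 0)
    print(absg([0, 1, 1, 0, 1, 0, 0, 0, 1, 1]))
    print(round(absg_rate(30000), 3))
```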

6 Description of DECIM (4)
Key/IV setup: 192 steps; each step applies the non-linear feedback and a permutation on 7 LFSR bits.

7 Key Recovery Attack (1)
Overview of the attack:
The permutations are used to update the LFSR
=> 54.5 bits in the LFSR are not updated during the key/IV setup
=> key recovered with 2^20 random IVs, the first 2 keystream bytes, and negligible computation

8 Key Recovery Attack (2)
Two permutations operate on 7 elements (s_{t+5}, s_{t+31}, s_{t+59}, s_{t+100}, s_{t+144}, s_{t+177}, s_{t+186}).
If the output of ABSG is 1, the first permutation is used; otherwise, the second is used.

9 Key Recovery Attack (3)
Using a permutation to update the FSR is bad:
If there were no permutation, every bit in the FSR would be updated once every 192 steps.
But with the permutation on the FSR, the bit positions are changed, so some bits are updated more than once while some bits are not updated at all!
=> no matter how the permutation is designed, the updating will not be uniform over all the bits

10 Key Recovery Attack (4)
The key-dependent selection of permutations does not hide the intrinsic weakness of the permutation
=> on average 54.5 bits in the LFSR are not updated

11 Key Recovery Attack (5)
To recover the key, we need to trace each key bit to see how that key bit is updated during the 192 steps of the initialization
=> very tedious by hand; use a computer program to trace those key bits

12 Key Recovery Attack (6)
One example: recovering K_21
s_21 = K_21 ∨ IV_21
s_21 is not updated, and it becomes s_{192+6} with probability 1/27
s_{192+6} is used in the generation of the first keystream bit z_0:
  if s_{192+6} = 0, then z_0 = 0 with prob. 56/128
  if s_{192+6} = 1, then z_0 = 0 with prob. 72/128
If K_21 = 1, the distribution of z_0 is independent of IV_21; if K_21 = 0, the distribution of z_0 is affected by IV_21
=> this is used to identify K_21 with about 2^18.5 random IVs
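As an added worked calculation (not part of the slides), the numbers on this slide combine as follows; it assumes that in the remaining 26/27 cases, where s_21 does not reach s_{192+6}, z_0 is independent of IV_21. When K_21 = 0 we have s_21 = IV_21, so

\[
\varepsilon \;=\; \Pr[z_0 = 0 \mid IV_{21} = 1] - \Pr[z_0 = 0 \mid IV_{21} = 0]
\;=\; \frac{1}{27}\left(\frac{72}{128} - \frac{56}{128}\right) \;=\; \frac{1}{216} \;\approx\; 2^{-7.75},
\]

whereas for K_21 = 1 the two conditional probabilities coincide and the difference is 0. Detecting a bias of size ε from random IVs needs on the order of ε^{-2} samples:

\[
\varepsilon^{-2} = 216^2 = 46656 \approx 2^{15.5}, \qquad 2^{18.5} \approx 8 \cdot 216^2,
\]

so the 2^18.5 IVs quoted on the slide amount to about 8 ε^{-2}, a margin that makes the decision between the two hypotheses reliable rather than borderline.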

13 Distinguishing Attack (1)
Overview of the attack:
The filtering functions are not 1-resilient, and ABSG cannot hide the resulting non-randomness
=> any two adjacent keystream bits are equal with probability 0.5 + 2^-9
=> a message can be recovered if it is encrypted 2^18 times

14 Distinguishing Attack (2)
Bias from the filtering function: if two inputs share one common bit, the two output bits are equal with prob. 65/128.

15 Distinguishing Attack (3)
Bias passing through the ABSG decimation and buffer:
Deal with the bits whose relations are not affected significantly by the ABSG decimation algorithm, i.e., the bits at small distance from each other.
For these three pairs of bits (shown on the slide), passing through the ABSG decimation and buffer does not reduce the bias too much (by about 8 to 32 times).
But the analysis is too complicated (details omitted here).

16 Distinguishing Attack (4)
Any two adjacent keystream bits are equal with probability 0.5 + 2^-9.
The bias is large enough for the broadcast attack: if a message is encrypted by DECIM 2^18 times, then the message can be recovered.
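The broadcast attack on this slide, as an added example (not the authors' code): the keystream is not DECIM but a constructed sequence in which each bit equals its predecessor with probability 0.5 + eps, and a majority vote over many encryptions of the same message recovers every m_i xor m_{i+1}. With the slide's eps = 2^-9 about eps^-2 = 2^18 encryptions are needed; the demo uses a larger constructed eps = 2^-5 and 16 * eps^-2 encryptions so that every vote is decided with a wide margin.

```python
import random

def biased_keystream(n_bits, eps, rng):
    """Constructed keystream: each bit equals the previous one with
    probability 0.5 + eps, mimicking the adjacent-bit bias on slide 16."""
    ks = [rng.getrandbits(1)]
    for _ in range(n_bits - 1):
        same = rng.random() < 0.5 + eps
        ks.append(ks[-1] if same else ks[-1] ^ 1)
    return ks

def encrypt(message, keystream):
    return [m ^ k for m, k in zip(message, keystream)]

def recover_adjacent_xors(ciphertexts):
    """Majority vote over all encryptions of the same message.

    c_i ^ c_{i+1} = (m_i ^ m_{i+1}) ^ (k_i ^ k_{i+1}), and k_i ^ k_{i+1}
    is 0 with probability 0.5 + eps, so the most frequent value of
    c_i ^ c_{i+1} is m_i ^ m_{i+1}.  This fixes the message up to a
    global complement.
    """
    n = len(ciphertexts[0])
    ones = [0] * (n - 1)          # ciphertexts with c_i ^ c_{i+1} == 1
    for c in ciphertexts:
        for i in range(n - 1):
            ones[i] += c[i] ^ c[i + 1]
    half = len(ciphertexts) / 2
    return [1 if cnt > half else 0 for cnt in ones]

def broadcast_attack_demo(eps=2 ** -5, n_msg_bits=32, seed=0):
    """Returns (true adjacent xors of the message, recovered adjacent xors).

    Votes succeed with margin ~ 2 * sqrt(N) * eps standard deviations;
    N = 16 * eps^-2 gives a margin of 8, so no pair should be wrong.
    """
    rng = random.Random(seed)
    message = [rng.getrandbits(1) for _ in range(n_msg_bits)]  # constructed
    n_enc = 16 * round(eps ** -2)
    cts = [encrypt(message, biased_keystream(n_msg_bits, eps, rng))
           for _ in range(n_enc)]
    truth = [message[i] ^ message[i + 1] for i in range(n_msg_bits - 1)]
    return truth, recover_adjacent_xors(cts)

if __name__ == "__main__":
    truth, guess = broadcast_attack_demo()
    print(sum(t != g for t, g in zip(truth, guess)), "of", len(truth), "wrong")
```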

17 DECIM v2
Initialization: permutation removed; 768 steps
Keystream generation: one LFSR + one filtering function + ABSG + buffer; 1-resilient filtering function
Greatly simplified compared to the original version

18 Conclusion
Using a permutation to update the FSR is undesirable
Try to design Boolean functions conservatively (high resilience, ...)

19 Thank you! Q & A

