Presentation is loading. Please wait.

Presentation is loading. Please wait.

©KDDI R&D Laboratories Inc. ALL Rights Reserved. Cryptanalysis on Clock Controlled Stream Ciphers Shinsaku Kiyomoto KDDI R&D Laboratories Inc. 2005.2.22.

Published byDebra McCarthy Modified over 8 years ago

Similar presentations

Presentation on theme: "©KDDI R&D Laboratories Inc. ALL Rights Reserved. Cryptanalysis on Clock Controlled Stream Ciphers Shinsaku Kiyomoto KDDI R&D Laboratories Inc. 2005.2.22."— Presentation transcript:

1 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Cryptanalysis on Clock Controlled Stream Ciphers Shinsaku Kiyomoto KDDI R&D Laboratories Inc. 2005.2.22 This is a joint work with Kyushu University (Prof. Kouichi Sakurai)

2 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Information about Myself Shinsaku Kiyomoto (age 29) –B.E. and M.E. from Tsukuba Univ. (1998 and 2000) –Researcher of Security Lab. in KDDI R&D Labs. Inc. (from April, 2000) –Current Interests: Stream Cipher, Security protocols, and Mobile Security

3 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. KDDI R&D Laboratories Inc. ● Incorporated April 1, 2003 (Merged KDI in April 1, 2001) ● Capital 2.28 billion Yen ● Shareholders KDDI, Kyocera corporation, Toyota motor corporation ● President Tohru ASAMI ● Staff 197 ( April 1, 2004) ● Office Kamifukuoka, Saitama, Japan ● Research Area Photonic NW, Wireless NW, IP, Multimedia, Ubiquitous NW, and Information Security http://www.kddilabs.jp

4 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Security Laboratory Current Research Topics –Secret and Public Key Cryptosystems –Cryptographic Protocols –Mobile Security –PKI (Public Key Infrastructure) –Software Security –Secure Overlay Networks –P.P. (Privacy Protection) –DRM (Digital Rights Management) –Intrusion Detection System –Virus Protection

5 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Cryptanalysis on Clock Controlled Stream Ciphers Shinsaku Kiyomoto KDDI R&D Laboratories Inc. 2005.2.22 This is a joint work with Kyushu University (Prof. Kouichi Sakurai)

6 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Introduction: History of Stream Cipher Hardware based random generator LFSR based Stream Cipher From Bit-Oriented to Word-Oriented Time-Memory Trade off Attack Correlation Attack Berlekamp-Massey Algorithm Distinguishing Attack Re-synchronization Attack Guess-and-Determine Attack A5 RC4 NESSIE Project (SNOW, BGML, SOBER, LILI etc. ) XL, XSL

7 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Clock Controlled Stream Cipher Using irregular clocking as a non-linear function. Example –A5: Stop-and-Go Clocking according to tap bits from 3 LFSRs. –LILI-128: 1-2-3-4 Clocking by a clock controller and special LFSR

8 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Analysis of Irregular Clocking Motivation –Is the irregular clocking more effective than other non-linear functions ? –Drawback of irregular clocking Reduce efficiency of generating keystreams Shorten a period of keystreams – How to construct or choose an algorithm of generating irregular clocking

9 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Theoretical and Experimental Analysis Theoretical Analysis –Analysis on an ideal environment. Experiments (Minutia Model Approach) –Constructing a minutia model of evaluating stream cipher. –How to make a minutia model Shorten the lengths of LFSRs (in case of bit-oriented stream ciphers) Shrink the sizes of registers in LFSRs (in case of word-oriented stream ciphers) Modifying non-linear parts

10 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Guess-and-Determine Attack G: Guess some registers of an internal states D: Determine other internal states A : Check the validity of guessed registers. An assumption is required to remove nonlinearity. ◆ SOBER, SOBER-II -Blackburn, Murphy, Piper, Wild (1998) -Bleichenbacher, Patel (1999) ◆ SOBER-t16/t32 -Hawkes, Rose (2000) ◆ SNOW1.0 -Hawkes, Rose (2002)

11 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Security of GD attacks Initial Key Size Internal State Assumption Guess Determine Weak Attack is Successful Same as a computational costs of a exhaustive key search

12 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Example: Attacks on AA5 000001010011100101110111 LFSR F 21122112 LFSR G 21211212 LFSR H 22111122 F, G, H The Clock controller decides the clocking of three LFSRs according to the least significant bits of No.2 register in LFSR F, No.2 in LFSR G, and No.3 in LFSR H as follows. FGH S M Clock Controller 2 2 3 8bit 48bit40bit56bit 8bit S 6 reg. 5 reg. 7 reg.

13 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. We determine LFSR H (the longest) to guess LFSR F, and G. If we guess LFSR F, G, and internal memory M, then we can ignore influence of S-boxes. How to remove irregularity by the clock controller. →We use assumptions that the target LFSR clocks regularly. Strategy of proposed GD attacks Irregular Clocking Assumption Regular Clocking

14 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Attacks on AA5 543210 M 43210 LFSR-F LFSR-G Key Stream Z 021 LFSR-H 3 Determine 0,1,2 in H and 7bits of 3,4,5,6 in H. 456 Process Complexity = O(2^100) Data Complexity = O(2^6) =100bit Assumption: H operates six times in succession =2^-36 Non-linear function Guess all values of all registers in F, all registers in G, and M, and least significant bits of 6,5,4 and 3 registers in H.

15 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Evaluation Results of GD attacks

16 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Real Probability of Assumption being Valid Ideal model Clocking are determined according to tap bits from LFSRs. Exploitable states are uniformly distributed. Real model Not uniformly distributed. A Gap of experimental results exists. Short period

17 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Experimental Results of Minutia Model

18 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Distinguishing Attack Distinguish keystreams from stream ciphers and truly random strings. –Powerful attack on Stream Ciphers SNOW1.0 (by Coppersmith, 2000) SNOW 2.0 (by Watanabe, 2003) SOBER-Family (by Ekdahl, 2002) SCREAM (by Johansson, 2003)

19 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Distinguishing Attack Cont. Construct a linear equation only consisting of output keystreams by using linear approximation of a non-linear function and other linear equations. LFSR f Key Stream S_x1 + S_x2 + … + S_xi =0 S_(x1 +y1) + S_(x2+y1) + … + S_(xi+y1) =0 S_(x1 +y j ) + S_(x2+y j ) + … + S_(xi+yj) =0 ・・・・・・ LFSR の Feedback Polynomial Linear approximation =Z_t2=Z_t1=Z_t3 Z_t1+Z_t2+Z_t3=0

20 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Complexity of irregular clocking Regular Clocking Irregular Clocking Key Stream Generator S1S2S3S4S5S6S7S8 S1S3S4S6S8 Key Stream Generator Clock Controller Get keystreams deterministically Get keystreams probabilistically Complexity = (1/Probability)^2 = ?

21 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Detail Analysis of the Complexity (1) Required Keystreams are skipped In LILI-128 case, theoretical results fit in experimental results, if X_j > 38

22 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Detail Analysis of the Complexity (2) Fail to guess a cycle of outputting a keystream.

23 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Detail Analysis of the Complexity Example of LILI-128

24 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Detail Analysis of the Complexity

25 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Experimental Results About 2^4 (fit in theoretical results )

26 ©KDDI R&D Laboratories Inc. ALL Rights Reserved. Conclusion Irregular clocking is effective for several attacks. However, the algorithm should be carefully designed. Especially, large clocking is effective for protecting distinguishing attacks, even though a trade-off exists between the effect and efficiency of generating keystreams.

Download ppt "©KDDI R&D Laboratories Inc. ALL Rights Reserved. Cryptanalysis on Clock Controlled Stream Ciphers Shinsaku Kiyomoto KDDI R&D Laboratories Inc. 2005.2.22."

Similar presentations

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.

1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.
AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology.

AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology.
GSM Security Threats and Countermeasures Saravanan Bala Tanvir Ahmed Samuel Solomon Travis Atkison.

GSM Security Threats and Countermeasures Saravanan Bala Tanvir Ahmed Samuel Solomon Travis Atkison.
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.

LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.
Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.

Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Class 25: Security through Complexity? Karsten Nohl cs302: Theory of Computation University of Virginia, Computer Science PS6 is due today. Lorenz cipher.

Class 25: Security through Complexity? Karsten Nohl cs302: Theory of Computation University of Virginia, Computer Science PS6 is due today. Lorenz cipher.
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
Session 2: Secret key cryptography – stream ciphers – part 2.

Session 2: Secret key cryptography – stream ciphers – part 2.
Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.

Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Cryptanalysis on FPGA Based Hardware

Cryptanalysis on FPGA Based Hardware
Session 2 Symmetric ciphers 1. Stream cipher definition Recall the Vernam cipher: Plaintext 000110111101101 Ciphertext 110000101000110 (Running) key 110110010101011.

Session 2 Symmetric ciphers 1. Stream cipher definition Recall the Vernam cipher: Plaintext Ciphertext (Running) key

Similar presentations

Ads by Google