©KDDI R&D Laboratories Inc. ALL Rights Reserved. Cryptanalysis on Clock Controlled Stream Ciphers Shinsaku Kiyomoto KDDI R&D Laboratories Inc This is a joint work with Kyushu University (Prof. Kouichi Sakurai)
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Information about Myself Shinsaku Kiyomoto (age 29) –B.E. and M.E. from Tsukuba Univ. (1998 and 2000) –Researcher of Security Lab. in KDDI R&D Labs. Inc. (from April, 2000) –Current Interests: Stream Cipher, Security protocols, and Mobile Security
©KDDI R&D Laboratories Inc. ALL Rights Reserved. KDDI R&D Laboratories Inc. ● Incorporated April 1, 2003 (Merged KDI in April 1, 2001) ● Capital 2.28 billion Yen ● Shareholders KDDI, Kyocera corporation, Toyota motor corporation ● President Tohru ASAMI ● Staff 197 ( April 1, 2004) ● Office Kamifukuoka, Saitama, Japan ● Research Area Photonic NW, Wireless NW, IP, Multimedia, Ubiquitous NW, and Information Security
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Security Laboratory Current Research Topics –Secret and Public Key Cryptosystems –Cryptographic Protocols –Mobile Security –PKI (Public Key Infrastructure) –Software Security –Secure Overlay Networks –P.P. (Privacy Protection) –DRM (Digital Rights Management) –Intrusion Detection System –Virus Protection
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Cryptanalysis on Clock Controlled Stream Ciphers Shinsaku Kiyomoto KDDI R&D Laboratories Inc This is a joint work with Kyushu University (Prof. Kouichi Sakurai)
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Introduction: History of Stream Cipher Hardware based random generator LFSR based Stream Cipher From Bit-Oriented to Word-Oriented Time-Memory Trade off Attack Correlation Attack Berlekamp-Massey Algorithm Distinguishing Attack Re-synchronization Attack Guess-and-Determine Attack A5 RC4 NESSIE Project (SNOW, BGML, SOBER, LILI etc. ) XL, XSL
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Clock Controlled Stream Cipher Using irregular clocking as a non-linear function. Example –A5: Stop-and-Go Clocking according to tap bits from 3 LFSRs. –LILI-128: Clocking by a clock controller and special LFSR
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Analysis of Irregular Clocking Motivation –Is the irregular clocking more effective than other non-linear functions ? –Drawback of irregular clocking Reduce efficiency of generating keystreams Shorten a period of keystreams – How to construct or choose an algorithm of generating irregular clocking
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Theoretical and Experimental Analysis Theoretical Analysis –Analysis on an ideal environment. Experiments (Minutia Model Approach) –Constructing a minutia model of evaluating stream cipher. –How to make a minutia model Shorten the lengths of LFSRs (in case of bit-oriented stream ciphers) Shrink the sizes of registers in LFSRs (in case of word-oriented stream ciphers) Modifying non-linear parts
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Guess-and-Determine Attack G: Guess some registers of an internal states D: Determine other internal states A : Check the validity of guessed registers. An assumption is required to remove nonlinearity. ◆ SOBER, SOBER-II -Blackburn, Murphy, Piper, Wild (1998) -Bleichenbacher, Patel (1999) ◆ SOBER-t16/t32 -Hawkes, Rose (2000) ◆ SNOW1.0 -Hawkes, Rose (2002)
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Security of GD attacks Initial Key Size Internal State Assumption Guess Determine Weak Attack is Successful Same as a computational costs of a exhaustive key search
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Example: Attacks on AA LFSR F LFSR G LFSR H F, G, H The Clock controller decides the clocking of three LFSRs according to the least significant bits of No.2 register in LFSR F, No.2 in LFSR G, and No.3 in LFSR H as follows. FGH S M Clock Controller bit 48bit40bit56bit 8bit S 6 reg. 5 reg. 7 reg.
©KDDI R&D Laboratories Inc. ALL Rights Reserved. We determine LFSR H (the longest) to guess LFSR F, and G. If we guess LFSR F, G, and internal memory M, then we can ignore influence of S-boxes. How to remove irregularity by the clock controller. →We use assumptions that the target LFSR clocks regularly. Strategy of proposed GD attacks Irregular Clocking Assumption Regular Clocking
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Attacks on AA M LFSR-F LFSR-G Key Stream Z 021 LFSR-H 3 Determine 0,1,2 in H and 7bits of 3,4,5,6 in H. 456 Process Complexity = O(2^100) Data Complexity = O(2^6) =100bit Assumption: H operates six times in succession =2^-36 Non-linear function Guess all values of all registers in F, all registers in G, and M, and least significant bits of 6,5,4 and 3 registers in H.
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Evaluation Results of GD attacks
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Real Probability of Assumption being Valid Ideal model Clocking are determined according to tap bits from LFSRs. Exploitable states are uniformly distributed. Real model Not uniformly distributed. A Gap of experimental results exists. Short period
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Experimental Results of Minutia Model
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Distinguishing Attack Distinguish keystreams from stream ciphers and truly random strings. –Powerful attack on Stream Ciphers SNOW1.0 (by Coppersmith, 2000) SNOW 2.0 (by Watanabe, 2003) SOBER-Family (by Ekdahl, 2002) SCREAM (by Johansson, 2003)
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Distinguishing Attack Cont. Construct a linear equation only consisting of output keystreams by using linear approximation of a non-linear function and other linear equations. LFSR f Key Stream S_x1 + S_x2 + … + S_xi =0 S_(x1 +y1) + S_(x2+y1) + … + S_(xi+y1) =0 S_(x1 +y j ) + S_(x2+y j ) + … + S_(xi+yj) =0 ・・・・・・ LFSR の Feedback Polynomial Linear approximation =Z_t2=Z_t1=Z_t3 Z_t1+Z_t2+Z_t3=0
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Complexity of irregular clocking Regular Clocking Irregular Clocking Key Stream Generator S1S2S3S4S5S6S7S8 S1S3S4S6S8 Key Stream Generator Clock Controller Get keystreams deterministically Get keystreams probabilistically Complexity = (1/Probability)^2 = ?
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Detail Analysis of the Complexity (1) Required Keystreams are skipped In LILI-128 case, theoretical results fit in experimental results, if X_j > 38
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Detail Analysis of the Complexity (2) Fail to guess a cycle of outputting a keystream.
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Detail Analysis of the Complexity Example of LILI-128
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Detail Analysis of the Complexity
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Experimental Results About 2^4 (fit in theoretical results )
©KDDI R&D Laboratories Inc. ALL Rights Reserved. Conclusion Irregular clocking is effective for several attacks. However, the algorithm should be carefully designed. Especially, large clocking is effective for protecting distinguishing attacks, even though a trade-off exists between the effect and efficiency of generating keystreams.