Presentation is loading. Please wait.

Presentation is loading. Please wait.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Published byNya Pear Modified over 9 years ago

Similar presentations

Presentation on theme: "Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK."— Presentation transcript:

1 Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK

2 2 Outline 1 Introduction 2 Description of SOSEMANUK 3 Basic properties of SOSEMANUK 4 Our attack 5 Further discussion on our attack 6 Conclusion

3 3 1 Introduction 1.1 On SOSEMANUK SOSEMANUK is a software-oriented stream cipher proposed by C. Berbain et al for the eSTREAM project and has been selected into the final portfolio with other six algorithms together. Its design adopted the ideas of both the stream cipher SNOW 2.0 and the block cipher SERPENT, and aimed at improving SNOW 2.0 from two aspects of both security and efficiency.

4 4 1.2 Known cryptanalytic results on SOSEMANUK The designers of SOSEMANUK presented a guess and determine attack, whose time complexity is 2 256 operations; In 2006 H. Ahmadi et al revised the above attack and reduced the time complexity to 2 226 operations; In 2006 Y. Tsunoo et al improved Ahmadi et al's result and further reduced it to 2 224 operations; In 2008 Jung-Keun Lee et al proposed a correlation attack, which needs about 2 147.88 time, 2 145.50 key bits, and 2 147.10 bit memories;

5 5 In 2009 Lin and Jie gave a new guess and determine attack, and claimed that their attack only needs 2 192 operations.

6 6 1.3 Our work

7 7 2 Description of SOSEMANUK Figure 1 The structure of SOSEMANUK LFSR FSM Serpent1

8 8 2.1 The LFSR

9 9 2.2 The FSM

10 10 2.3 The Serpent1 Figure 2 The round function Serpent1 in the bit-slice mode

11 11 2.4 Generation of Keystream

12 3 Basic properties on SOSEMANUK 12

13 13 Let x be a 32-bit word. Denote by x (i) the i-th byte of x, where i=0,1,2,3. For example, s 1 (3), s 4 (0), s 4 (1) and s 10 (0) are known, then we can calculate s 11 (0). Figure 3 The feedback of the LFSR in the byte form

14 14 4 Our attack 4.1 Basic idea of the guess and determine attack The guess and determine attack is a common cryptographic attack method. Its basic idea is that Guess: first guess the values of a portion of the internal state of the target algorithm; Deduce: then deduce the values of all the rest of the internal state of the algorithm by making use of the values of the guessed portion of the internal state and a few known keystream; Test: finally generate a phase of keystream by using the above recovered values, and test their correctness by comparing the generated keystream with the known keystream. If NOT, then return Step 1.

15 15 4.2 The execution of our attack Our attack is based on the following assumption: The guessing and deducing procedure of the attack can be subdivided into five phases: 1. Guess the values of s 1, s 2, s 3, R2 1 (0), R2 1 (1), R2 1 (2) and the rest 31-bit values of R1 1, and deduce the value of s 10 (0), R1 2 (0), R2 2, s 11 (0), s 4 (1), s 10 (1), R1 2 (1), s 11 (1), s 4 (2), s 10 (2), R1 2 (2), S 11 (2) and s 4 (3).

16 16 The deduced byte The guessed byte Figure 4 The illustration of the deduction in Phase 1

17 17 2.By the assumption lsb(R1 1 )=1, which implies R1 2 =R2 1 ⊞ (s 3 ⊕ s 10 ), we get the equation on the variable s 10 (3) : where a, b, c, and d are known. Since s 10 (3) occurs three times in the above equation, it is easy to check equation (12) has exactly one solution on s 10 (3). So we can solve it and get s 10 (3). Further we deduce s 11 (3), R2 1 (3) and R2 2 (3). Up to now we have obtained s 1, s 2, s 3, s 4, s 10, s 11, R1 1, R2 1, R1 2 and R2 2. 3.Further deduce R1 3, R2 3, R1 4, R2 4, R1 5, R2 5, R2 6, s 5, s 6, s 12 and s 13.

18 18 The deduced byte in phase 2 The known byte Figure 5 The illustration of the deduction in Phase 2 and 3 The deduced byte in phase 3

19 19 4.Further guess s 7 (0) and s 8 (0), and deduce the rest bytes of s 7 and s 8. 5.Final deduce s 9.

20 20 The deduced byte The known byte Figure 6 The illustration of the deduction in Phase 4 and 5 The guessed byte

21 21 4.3 Time and data complexity Time complexity: 2 176 operations In Phase 1 and Phase 4, we guess a total of 175 bits of the internal state, including s 1, s 2, s 3, R2 1 (0), R2 1 (1), R2 1 (2), s 7 (0), s 8 (0) and the rest 31-bit values of R1 1. Consider the assumption which holds true with probability 2 -1. Data complexity: about 20 words used In the guessing phase: 8 words used; In the testing phase: about 8 words used (When 16 words are given, which has totally 512 bits and is larger than the 384 bits of the internal state, the internal state is determined by them. So we can use them to test the correctness of the recovered internal state.); Consider the assumption: another 4 words used (By shifting the keystream by 4 words we can test two cases).

22 22 5 Further discussion on our attack Here it should be pointed out that the assumption lsb(R1 1 )=1 is NOT necessary for our attack to work. In fact when lsb(R1 1 )=0, which implies that R1 2 =R2 1 ⊞ s 3, similarly we get the equation on s 10 (3) : The above equation has no solution or 2 k solutions for some integer k. However when a’, b’, c’ and d’ go through all possible values, the sum of the number of all solutions is just equal to 2 32. We directly guess total 160-bit values of the internal state in phase 1, and after phase 2 we get total 2 160 possible values. For each of them, we go on phases 3, 4 and 5. So the time complexity is still 2 176 operations, but the data complexity reduces to about 16 key words.

23 23 6 Conclusion In this work we presented a byte-based guess and determine attack on SOSEMANUK, which only needs a few words of known keystream to recover the whole internal state of SOSEMANUK with time complexity 2 176 operations. Since SOSEMANUK has a key with the length varying from 128 and 256 bits, it shows that when the length of a chosen encryption key is larger than 176 bits, our attack is more efficient than an exhaustive key search.

24 24 Thank you !

Download ppt "Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK."

Similar presentations

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.
Cryptography, Attacks and Countermeasures Lecture 3 - Stream Ciphers

Cryptography, Attacks and Countermeasures Lecture 3 - Stream Ciphers
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.

1 Introduction to Practical Cryptography Lectures 3/4 Stream Ciphers.
AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology.

AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.

LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
Fast Algorithms For Hierarchical Range Histogram Constructions

Fast Algorithms For Hierarchical Range Histogram Constructions
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.

Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.
Optimal redundancy allocation for information technology disaster recovery in the network economy Benjamin B.M. Shao IEEE Transaction on Dependable and.

Optimal redundancy allocation for information technology disaster recovery in the network economy Benjamin B.M. Shao IEEE Transaction on Dependable and.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Cryptography and Network Security

Cryptography and Network Security
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.
An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.

An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea

Similar presentations

Ads by Google