Resynchronization Attacks on WG and LEX Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC.

1 Resynchronization Attacks on WG and LEX
Hongjun Wu and Bart Preneel, Katholieke Universiteit Leuven, ESAT/COSIC

2 Overview
1. Introduction to WG
2. Differential Attack on WG
3. Introduction to LEX
4. Slide Attack on LEX

3 Description of WG (1)
- submission to eSTREAM; key up to 128 bits, IV up to 128 bits
- hardware-efficient stream cipher (profile II)
- consists of a regularly clocked LFSR over GF(2^29), defined by p(x) = x^11 + x^10 + x^9 + x^6 + x^3 + x + γ, and a WG transform that maps GF(2^29) → GF(2)

4 Description of WG (2): Keystream generation of WG [diagram only]

5 Description of WG (3): WG Transformation [diagram only]

6 Description of WG (4): Key and IV setup of WG (22 steps) [diagram only]

7 Differential Attack on WG (1): Overview of the Attack
- the taps of the LFSR are poorly chosen
- the 22 setup steps fail to randomize the differential propagation
- at the end of the 22nd step, the differential in the LFSR is exploited to recover the secret key
=> 48 key bits recovered with about 2^31 chosen IVs (80-bit key and 80-bit IV)

8 Differential Attack on WG (2): Attack - differential propagation in the key/IV setup of WG [diagram only]

9 Differential Attack on WG (3): Attack - differential propagation in the key/IV setup of WG (contd.) [diagram only]

10 Differential Attack on WG (4)
- At the end of the 22nd step, the difference at S(10) takes a particular value; S(10) is related to the first keystream bit.
- Observing the first keystream bits generated from the related IVs, we can determine whether that difference is 0, and then recover 29 bits of the key.
- 2^31 IVs for the version with 80-bit IV and 80-bit key (details omitted here)

11 Differential Attack on WG (5)
The differential attack on WG differs from the differential attack on block ciphers:
- Difference generation: change the input difference and SOME input values to generate many different values of the difference at S(10)
- Filtering: change OTHER input values (without modifying that difference) to generate keystream bits, and check whether the related keystream bits are always identical; this identifies whether the difference is 0

12 How to Improve WG
- WG designers proposed a 44-step key/IV setup
  => a small change, secure against the differential attack, but not that efficient
- with properly chosen LFSR taps and output tap, it is possible to use only 22 steps

13 Description of LEX (1)
- submission to eSTREAM; 128-bit key, 128-bit IV
- software- and hardware-efficient (profiles I & II)
- Design: based on AES in OFB mode; 4 bytes extracted from each round to form the keystream

14 Description of LEX (2): Initialization and keystream generation [diagram only]

15 Description of LEX (3): Extracted bytes in the even and odd rounds [diagram only]

16 Slide Attack on LEX (1)
- The security of LEX depends on only a small fraction of the state information leaking from each round.
- If one round input in LEX is known, then the key could be recovered easily.

17 Slide Attack on LEX (2)
- In LEX, with the same key and two IVs: if keystream 1 is a shifted version of keystream 2, then one of the inputs to AES during the generation of keystream 1 equals IV 2
=> that input to AES is known, and 32 bits of the first round output are known
=> 32 bits of the key could be recovered easily

18 Slide Attack on LEX (3)
If each IV is used to generate about 500 outputs, then with about 2^61 IVs, 3 pairs of shifted keystreams could be observed and 96 key bits could be recovered.

19 Slide Attack on LEX (4)
Is LEX as strong as AES counter mode? No.
- AES counter mode => a particular key can never be recovered faster than brute-force search
- LEX => a particular key can be recovered with 2^60.8 random IVs and 20,000 bytes from each IV, faster than brute-force search

20 How to Improve LEX
Our suggestion => for each LEX IV, use the LEX key and the LEX IV to generate an AES key and an AES IV

21 Conclusion (1)
Lesson from the WG design => ensure that the tap distances are co-prime in an FSR (including an LFSR over GF(2^m))

22 Conclusion (2)
Lessons from the LEX design =>
1) It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream
2) Try to avoid using the stream cipher key directly in the keystream generation (more generally, try to avoid using static secret parameters in the keystream generation) (LEX, Salsa20, ABC, SEAL …)
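The slid-pair relation of slide 17 and the remedy of slides 20 and 22, as an added example that is not part of the original presentation and not LEX or AES: a toy OFB-style generator built on a constructed 64-bit Feistel permutation that leaks 16 bits of every intermediate state, a `find_shift` check that a designer can run over keystreams from many IVs, and the per-IV key/IV derivation of slide 20. The mixing function `mix_key_iv` is an assumption (the slides only say to derive an AES key and IV; SHA-256 stands in here), and the key and IV values are constructed. The second IV is chosen on purpose to equal an intermediate state of the first run, which is the coincidence the slide attack otherwise waits for across about 2^61 random IVs.

```python
import hashlib

# Added example (not from the slides): a toy OFB-style generator with the
# structural property the slide attack on LEX relies on, plus the suggested fix.
# The block cipher below is a constructed toy Feistel permutation, NOT AES/LEX.

MASK32 = 0xFFFFFFFF
ROUNDS = 8


def _round_keys(key: bytes) -> list:
    """Derive 8 toy round keys from `key` (constructed schedule, illustration only)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:4], "big")
            for r in range(ROUNDS)]


def _f(x: int, rk: int) -> int:
    """Toy, non-cryptographic round function."""
    x = (x + rk) & MASK32
    x ^= ((x << 7) | (x >> 25)) & MASK32
    return (x * 0x9E3779B1) & MASK32


def toy_encrypt(round_keys: list, block: int) -> int:
    """64-bit Feistel permutation; a bijection for any round function."""
    left, right = block >> 32, block & MASK32
    for rk in round_keys:
        left, right = right, left ^ _f(right, rk)
    return (left << 32) | right


def ofb_keystream(key: bytes, iv: int, n: int):
    """OFB-like generator: iterate the cipher on its own output, starting at the IV,
    and leak the low 16 bits of each intermediate state (cf. LEX leaking 4 bytes per round).
    Returns (keystream words, list of intermediate states)."""
    rks = _round_keys(key)
    state, words, states = iv, [], []
    for _ in range(n):
        state = toy_encrypt(rks, state)
        states.append(state)
        words.append(state & 0xFFFF)
    return words, states


def find_shift(ks1: list, ks2: list, min_overlap: int = 8):
    """Return s if ks2 equals ks1 shifted left by s over at least min_overlap words, else None."""
    for s in range(len(ks1)):
        overlap = min(len(ks2), len(ks1) - s)
        if overlap < min_overlap:
            break
        if all(ks2[i] == ks1[i + s] for i in range(overlap)):
            return s
    return None


def mix_key_iv(key: bytes, iv: bytes):
    """Non-linear key/IV mixing (assumed construction; the slides only name the idea):
    derive a fresh inner cipher key and IV for every (key, IV) pair."""
    d = hashlib.sha256(b"toy-mix|" + key + b"|" + iv).digest()
    return d[:16], int.from_bytes(d[16:24], "big")


KEY = bytes(range(16))            # constructed key
IV1 = 0x0123456789ABCDEF          # constructed IV


def demo_static_key():
    """Static key, IV used directly as the first state: when a second IV equals an
    intermediate state of the first run (chosen on purpose here), the second keystream
    is the first one shifted, which is the slid pair of slide 17."""
    ks1, states = ofb_keystream(KEY, IV1, 40)
    iv2 = states[2]                                  # the 3rd internal state of run 1
    ks2, _ = ofb_keystream(KEY, iv2, 30)
    return find_shift(ks1, ks2)                      # -> 3


def demo_mixed_key():
    """Slide 20's suggestion: derive the inner key and IV from (key, IV) first.
    The same coincidence on the outer IV no longer yields a shifted keystream,
    because the inner key differs between the two runs."""
    k1, v1 = mix_key_iv(KEY, IV1.to_bytes(8, "big"))
    ks1, states = ofb_keystream(k1, v1, 40)
    k2, v2 = mix_key_iv(KEY, states[2].to_bytes(8, "big"))
    ks2, _ = ofb_keystream(k2, v2, 30)
    return find_shift(ks1, ks2)                      # -> None


if __name__ == "__main__":
    print("static key, slid pair shift:", demo_static_key())
    print("mixed key/IV, shift found:", demo_mixed_key())
```

With the static key the check reports a shift of 3 words; with the derived key and IV it reports none, because the attacker's knowledge of the outer IV no longer tells them the inner state or key. The 16-bit leak per step is deliberately larger than LEX's so that a match over 8 words is already unambiguous.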

23 Thank you! Q & A

