Distinguishing Attacks on T-functions
Simon Künzli (1,2), Pascal Junod (3), Willi Meier (1)
1 FH Aargau, Switzerland
2 EPFL, Switzerland
3 NagraVision, Switzerland
S. Künzli, P. Junod, W. Meier, Distinguishing Attacks on T-functions, 1 / 20
Outline of this Talk
1. Introduction: T-functions; stream ciphers based on T-functions
2. T-functions based on square mappings: the pure square mapping; attack on TF-0; attack on TF-0m
3. The TSC family of stream ciphers: attack on TSC-1; attack on TSC-2
4. Conclusions
What is a T-function?
- A T-function (TF) is a mapping from n-bit words to n-bit words with a bitwise triangular structure: bit i of the output depends only on bits 0, 1, ..., i of the input.
- The definition extends naturally to multiword mappings (operating on bit-slices).
- Example: any composition of +, ×, ⊕, ∨, ∧, ... (mod 2^n). Such compositions are very fast in software and in dedicated hardware.
- T-functions have many analyzable mathematical properties (invertibility, ...).
Stream Ciphers based on TF
- The automaton of a stream cipher consists of: an internal state (initialised with the secret key); an update function f, which produces a new state; an output (or filter) function g, which produces the keystream.
- A stream cipher should be efficient and secure, so why not use a T-function as the update function?
Security Requirements
- Security of a stream cipher: known-plaintext scenario; the keystream must be indistinguishable from a truly random stream.
- Implications: the update and output functions should produce randomness; the T-function (and output function) should be single-cycle; the output function should hide the (secret) internal state.
Definition of TF-0
- Proposed by Klimov and Shamir at CHES 2002
- State: a single word x of n = 64 bits
- Update function: f(x) = x + (x^2 ∨ 5) mod 2^n
- Output function g: the first m = 32 most significant bits of x
- The update is a very simple single-cycle T-function with period 2^64
- The keystream is assumed to be balanced
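The following Python block is an added example and not part of the talk or of Klimov and Shamir's code: it implements the TF-0 update and output as defined on this slide and checks, by exhaustive enumeration at small word sizes n (an assumption made so that brute force is cheap; TF-0 itself uses n = 64), the triangular property, the single-cycle claim, and the proposition on output differences stated on the next slide. All function names are this example's own.

```python
# Added example (not from the slides): check the triangular (T-function) property,
# the single-cycle claim and the difference proposition for the TF-0 update
# f(x) = x + (x^2 OR 5) mod 2^n, using small word sizes n so that brute force is cheap.


def tf0_update(x: int, n: int) -> int:
    """TF-0 update: f(x) = x + (x^2 OR 5) mod 2^n."""
    mask = (1 << n) - 1
    return (x + ((x * x) | 5)) & mask


def tf0_output(x: int, n: int, m: int) -> int:
    """TF-0 output g: the m most significant bits of the n-bit state."""
    return x >> (n - m)


def is_t_function(f, n: int) -> bool:
    """Triangular check: flipping input bit j may only change output bits j and above,
    which is equivalent to 'output bit i depends only on input bits 0..i'."""
    for x in range(1 << n):
        fx = f(x, n)
        for j in range(n):
            low = (1 << j) - 1          # bits 0..j-1 of the output must be unchanged
            if (fx ^ f(x ^ (1 << j), n)) & low:
                return False
    return True


def cycle_length(f, n: int, start: int = 0) -> int:
    """Length of the cycle of f on n-bit words that contains `start`."""
    x = f(start, n)
    length = 1
    while x != start:
        x = f(x, n)
        length += 1
    return length


def is_single_cycle(f, n: int) -> bool:
    """A single-cycle T-function visits all 2^n states before returning to the start."""
    return cycle_length(f, n) == 1 << n


def difference_is_square_plus_carry(n: int, m: int) -> bool:
    """Proposition from the slides: g(f(x)) - g(x) = g(x^2) + c mod 2^m with c in {0, 1}.
    Checked exhaustively; needs n - m >= 3 so that 'OR 5' only touches bits below g."""
    mask, mod_m = (1 << n) - 1, 1 << m
    for x in range(1 << n):
        lhs = (tf0_output(tf0_update(x, n), n, m) - tf0_output(x, n, m)) % mod_m
        c = (lhs - tf0_output((x * x) & mask, n, m)) % mod_m
        if c not in (0, 1):
            return False
    return True


if __name__ == "__main__":
    print("T-function:", is_t_function(tf0_update, 8))
    print("single cycle for n = 1..10:", all(is_single_cycle(tf0_update, n) for n in range(1, 11)))
    print("difference proposition (n = 16, m = 8):", difference_is_square_plus_carry(16, 8))
```

The same `is_t_function` check rejects a right shift (`lambda x, n: x >> 1`), whose bit 0 depends on input bit 1, and `is_single_cycle` rejects `x + 2 mod 2^n`, which splits the state space into two cycles.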
Relationship to the Square Mapping
- Consider the integer difference of two successive outputs of TF-0.
- Proposition: g(f(x)) − g(x) = g(x^2) + c mod 2^m, with a carry bit c ∈ {0, 1}
- We know that the square mapping x^2 mod 2^n is not a permutation, so we expect g(x^2) + c mod 2^m to be biased.
- Computing the whole distribution over all 2^n words x is very expensive for typical word sizes n!
Biased Square Mapping
- Compute the distribution of y = g(x^2) for small word sizes n (keeping m = n/2 as in TF-0)
- We observed that the following words occur two times more often than under a uniform distribution: y = 2^((n−8)/2) · i^2 for i = 0, 1, 2, 3
- Many more aggregates of words with constant bias exist
- The observation seems to be independent of n
- This lets us approximate the distribution of the pure square mapping in a very compact way
How to Benefit from a Biased Distribution?
- Construct a distinguisher based on a statistical test:
  - Distribution 0: uniform
  - Distribution 1: approximation of the square mapping
  - Sample: integer differences of successive outputs
- Expected data complexity of 2^32, verified in experiments
- Better attacks on TF-0 exist, e.g. Mitra and Sarkar at Asiacrypt 2004
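As an added example (not from the talk), the block below builds the distinguisher of this slide for a reduced TF-0 with n = 16 and m = 8 (an assumption chosen so that Distribution 1 can be obtained exactly by enumerating all 2^16 states; at n = 64 that enumeration is infeasible, which is why the talk approximates the distribution compactly from the biased aggregates of the square mapping). It also measures the "twice as frequent" words y = 2^((n−8)/2)·i^2 from the previous slide. The test statistic is a log-likelihood ratio of Distribution 1 against the uniform distribution over integer differences of successive outputs. Function names are this example's own.

```python
# Added example (not from the slides): bias of the top-m-bit square mapping and a
# log-likelihood-ratio distinguisher on integer differences of TF-0 outputs.
# Word size reduced to n = 16, m = n/2 = 8 so that Distribution 1 is computed exactly.
import math
import random
from collections import Counter


def tf0_update(x: int, n: int) -> int:
    """TF-0 update f(x) = x + (x^2 OR 5) mod 2^n."""
    return (x + ((x * x) | 5)) & ((1 << n) - 1)


def tf0_output(x: int, n: int, m: int) -> int:
    """Output g: the m most significant bits of the state."""
    return x >> (n - m)


def square_map_distribution(n: int, m: int) -> Counter:
    """Exact histogram of y = g(x^2 mod 2^n) over all 2^n words x."""
    mask = (1 << n) - 1
    return Counter(((x * x) & mask) >> (n - m) for x in range(1 << n))


def overrepresented_ratios(n: int, m: int) -> list:
    """Frequency relative to uniform of the words y = 2^((n-8)/2) * i^2, i = 0..3,
    which the slides report as twice as likely as uniform (assumes m = n/2, n >= 8)."""
    hist = square_map_distribution(n, m)
    uniform = 2 ** (n - m)
    return [hist[(1 << ((n - 8) // 2)) * i * i] / uniform for i in range(4)]


def difference_distribution(n: int, m: int) -> Counter:
    """Distribution 1: exact histogram of g(f(x)) - g(x) mod 2^m over all states x."""
    mod_m = 1 << m
    return Counter((tf0_output(tf0_update(x, n), n, m) - tf0_output(x, n, m)) % mod_m
                   for x in range(1 << n))


def keystream_differences(seed: int, n: int, m: int, count: int) -> list:
    """Integer differences of `count` consecutive TF-0 outputs, starting from `seed`."""
    x = seed & ((1 << n) - 1)
    prev, out = tf0_output(x, n, m), []
    for _ in range(count):
        x = tf0_update(x, n)
        cur = tf0_output(x, n, m)
        out.append((cur - prev) % (1 << m))
        prev = cur
    return out


def llr_score(samples: list, dist1: Counter, m: int) -> float:
    """Sum of log(P1(s) / P0(s)) with P0 uniform on 2^m words and P1 from dist1.
    Zero counts are floored at 1/2 to keep the log finite. Positive scores favour
    Distribution 1 (the cipher), negative scores favour the uniform distribution."""
    total = sum(dist1.values())
    log_p0 = -m * math.log(2)
    return sum(math.log(max(dist1[s], 0.5) / total) - log_p0 for s in samples)


def run_distinguisher(n: int, m: int, count: int, seed: int) -> tuple:
    """Score `count` differences of real TF-0 keystream and of uniform random words."""
    dist1 = difference_distribution(n, m)
    rng = random.Random(seed)
    cipher = keystream_differences(rng.getrandbits(n), n, m, count)
    uniform = [rng.getrandbits(m) for _ in range(count)]
    return llr_score(cipher, dist1, m), llr_score(uniform, dist1, m)


if __name__ == "__main__":
    print("ratios of the four over-represented words (n = 16):", overrepresented_ratios(16, 8))
    print("LLR scores (cipher, random):", run_distinguisher(16, 8, 1 << 15, seed=1))
```

At n = 16 the four words come out at exactly twice the uniform frequency, and a window of 2^15 consecutive differences separates keystream from random with a comfortable margin; the same test with an approximated Distribution 1 is what the talk runs at n = 64.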
Definition of TF-0m
- Proposed by Klimov and Shamir at FSE 2004
- State: 4 words x_i of 64 bits each
- Update function f:
    x0 ↦ x0 + (s0^2 ∨ C0)
    x1 ↦ x1 + (s1^2 ∨ C1) + κ0
    x2 ↦ x2 + (s2^2 ∨ C2) + κ1
    x3 ↦ x3 + (s3^2 ∨ C3) + κ2
  where the s_i are simple functions of x, the C_i are constants and the κ_i are carry bits
- Output function: the first 32 most significant bits of x3
- The update is a single-cycle T-function with period 2^(4·64)
- Intended security is 2^128
Distinguishing Attack on TF-0m
- Focus on the last word: x3 ↦ x3 + (s3^2 ∨ C3) + κ2
- Assume that s3 is uniformly distributed
- This is very similar to TF-0, so perform exactly the same test
- Same expected data complexity of 2^32, despite the large state!
- The attack was verified in experiments, confirming our assumptions
Definition of TSC-1
- Proposed by Hong, Lee, Yeom and Han at FSE 2005
- State: 4 words x_i of 32 bits each
- Update function: define a 32-bit function α(x) and a fixed 4 × 4 S-box S. Then . . .
- Output function: g(x) = ((x0 ≪ 9) + x1) ≪ 15 + ((x2 ≪ 7) + x3), where ≪ denotes left rotation
- The update function is a single-cycle T-function with period 2^(4·32)
- Intended security is 2^96
The S-box
- The S-box S is defined by S = [3, 5, 9, 13, 1, 6, 11, 15, 4, 0, 8, 14, 10, 7, 2, 12]
- S is a single-cycle permutation of {0, ..., 15} (all 16 values lie on one cycle, so S^16(a) = a)
- Define the bit-flip probability of S^d as p(d) = Pr([a]_i ≠ [S^d(a)]_i) = 1/2 + ε
- p is balanced for d = 1, 2, but there is a huge bias for d ≡ 0 mod 4
- For example, for d = 4 we find ε = 3/8, i.e. every bit is flipped with probability 7/8
How to Benefit from the Biased S-box?
- In a single update, bit-slice i is mapped randomly by S or by S^2
- In Δ updates, bit-slice i is mapped by S^d, where d has the binomial distribution b_Δ(d) = C(Δ, d − Δ) · 2^(−Δ) for Δ ≤ d ≤ 2Δ
- We know the bit-flip probability p(d) of S^d for each d
- In Δ updates, the bit-flip probability of a single bit in the state is Σ_{d=Δ}^{2Δ} p(d) · b_Δ(d) = 1/2 + ε
- We find the maximum bias for Δ = 3, where ε = 0.1406
- Even a perfect single-cycle S-box would still leave a large bias
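Added example (not from the talk): the block below takes the S-box table from the previous slide, computes the bit-flip probability p(d) of S^d (averaged over the four bit positions, which is how this example reads the slide's definition) and evaluates the Δ-update bias of this slide with exact fractions, under the talk's model that each update applies S or S^2 with probability 1/2. Function names are this example's own.

```python
# Added example (not from the slides): bit-flip probabilities of the TSC-1 S-box powers
# S^d and the resulting bias of a state bit after Δ updates, in exact arithmetic.
from fractions import Fraction
from math import comb

# S-box table as given on the slides
S = [3, 5, 9, 13, 1, 6, 11, 15, 4, 0, 8, 14, 10, 7, 2, 12]


def sbox_power(sbox: list, d: int) -> list:
    """Lookup table of S^d (S applied d times)."""
    table = list(range(len(sbox)))
    for _ in range(d):
        table = [sbox[v] for v in table]
    return table


def is_single_cycle(sbox: list) -> bool:
    """True if iterating S from 0 visits every value before returning to 0."""
    seen, v = set(), 0
    while v not in seen:
        seen.add(v)
        v = sbox[v]
    return len(seen) == len(sbox)


def flip_probability(sbox: list, d: int) -> Fraction:
    """p(d) = Pr[[a]_i != [S^d(a)]_i] over uniform a in 0..15 and bit position i in 0..3."""
    power = sbox_power(sbox, d)
    flips = sum(bin(a ^ power[a]).count("1") for a in range(16))
    return Fraction(flips, 16 * 4)


def binomial_weight(delta: int, d: int) -> Fraction:
    """b_Δ(d) = C(Δ, d-Δ) / 2^Δ: probability that Δ updates apply S a total of d times,
    each update contributing S (d += 1) or S^2 (d += 2) with probability 1/2."""
    return Fraction(comb(delta, d - delta), 2 ** delta)


def state_bit_bias(sbox: list, delta: int) -> Fraction:
    """ε such that the flip probability of one state bit after Δ updates is 1/2 + ε,
    i.e. sum_{d=Δ}^{2Δ} p(d) * b_Δ(d) - 1/2."""
    total = sum(flip_probability(sbox, d) * binomial_weight(delta, d)
                for d in range(delta, 2 * delta + 1))
    return total - Fraction(1, 2)


def best_delta(sbox: list, max_delta: int) -> tuple:
    """(Δ, ε) with the largest |ε| among Δ = 1..max_delta."""
    return max(((delta, state_bit_bias(sbox, delta)) for delta in range(1, max_delta + 1)),
               key=lambda pair: abs(pair[1]))


if __name__ == "__main__":
    print("single-cycle:", is_single_cycle(S))
    for d in range(1, 9):
        print(f"p({d}) = {flip_probability(S, d)}")
    print("best Δ and bias:", best_delta(S, 8))
```

With this table p(1) = p(2) = 1/2, p(4) = 7/8 and p(8) = 1/4, and the Δ = 3 bias evaluates to 9/64 = 0.140625, matching the 0.1406 quoted on the slide.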
Linearization of the Output Function
- We have probabilistic linear relations between state bits at different time instants; we need relations between output bits at different time instants
- So find linear relations between the state bits and the output bits
- Simple linearization of g (bit indices mod 32): [y]_i = [x0]_{i+8} ⊕ [x1]_{i+17} ⊕ [x2]_{i+25} ⊕ [x3]_i ⊕ c, where c is a carry term
- In Δ updates, the bit-flip probability of a single bit in the output is estimated with the Piling-up Lemma
- We find a maximal bias of ε = 0.0003 for Δ = 3 and i = 1
- We verified the data complexity of O(ε^(−2)) ≈ 2^22 to distinguish the output
Key Recovery Attack
- Transform the distinguishing attack into a state-recovery attack
- Guess the least significant bit-slice of the state, iterate Δ times and subtract the corresponding bits from the output
- The bias increases for the right guess; recover the consecutive bit-slices in the same way
- Overall complexity of 2^31, verified experimentally
- T-functions may be vulnerable to divide-and-conquer
Definition of TSC-2
- Multiword single-cycle T-function, similar to TSC-1
- Update function: no modification of bit-slice i if [α]_i = 0
- The output function is more complicated
- Linearization of TSC-2 is more difficult
Detection of Weak States
- The 32 bits of α determine the update of all 128 state bits
- Some states produce α(x) = 1, so the update modifies only the least significant bit-slice
- The event α(x) = 1 can be detected with about 2^33 data
- The detector is transformed into a distinguisher with about 2^34 data
Conclusions
- Three proposals of stream ciphers based on TF have been attacked. Some design components turned out to be critical:
  - the squaring operation in the update
  - the small size of the parameter controlling the update
  - tiny S-boxes in the update with fixed properties
  - integer addition and rotations in the output
- The eSTREAM proposal TSC-3 has been broken by linearization, very similar to our attack on TSC-1 [Muller and Peyrin, Asiacrypt 2005]
- HW-efficient stream ciphers should have a small footprint. It is open whether it is possible to achieve security with lightweight stream ciphers based on T-functions
Thank you!