Stream Ciphers Using a Random Update Function: Study of the Entropy of the Inner State
Andrea Röck, INRIA Paris-Rocquencourt, Team SECRET, France
Africacrypt, June 12, 2008
Outline
• Stream Cipher Model
• Entropy Estimation
    • Previous Results
    • New Entropy Estimator
• Collision Attacks
• Conclusion
Part 1 Stream Cipher Model
Stream Cipher Model
(figure: initialisation K, IV ⇒ S_0, Φ; the random number generator holds the state S_k and updates it with Φ; the filter function g maps S_k to the keystream Y_k, which is XORed with the plaintext X_k to give the ciphertext Z_k)
• Initial state: $S_0$
• Update function: $S_{k+1} = \Phi(S_k)$ for $k \ge 0$
• Keystream: $Y_k = g(S_k)$
• Ciphertext: $Z_k = X_k \oplus Y_k$
1/24
Probabilistic Model (Information of an adversary)
(figure: the same stream cipher diagram, with K, IV ⇒ S_0, Φ at initialisation, state S_k updated by Φ, filter g, keystream Y_k, plaintext X_k and ciphertext Z_k)
• State space: $\Omega_n = \{\omega_1, \omega_2, \ldots, \omega_n\}$
• Initial distribution: $\{p_i\}_{i=1}^{n}$ with $p_i = \Pr[S_0 = \omega_i]$
• Random update function: $\Pr[\Phi = \varphi] = 1/n^n$ for all $\varphi \in \mathcal{F}_n = \{\varphi : \Omega_n \to \Omega_n\}$
State Entropy
• Probability that the state has the value $\omega_i$ after k iterations of Φ: $p_i^\Phi(k) = \Pr[S_k = \omega_i] = \Pr[\Phi^k(S_0) = \omega_i]$
• Shannon's entropy H is a measure of the information contained in a random variable. For a variable with at most n values it must hold that $H \le \log_2(n)$.
• State entropy after k iterations of Φ: $H_k^\Phi = \sum_{i=1}^{n} p_i^\Phi(k) \log_2 \frac{1}{p_i^\Phi(k)}$
• Average state entropy after k iterations, taken over all functions $\varphi \in \mathcal{F}_n$: $H_k = E(H_k^\Phi)$
Motivation
• A random function allows us to study some interesting properties of our stream cipher model, on average over all functions $\varphi \in \mathcal{F}_n$.
• Some new stream ciphers use an update function which behaves almost like a random function (e.g. the eSTREAM candidate MICKEY (version 1) [Babbage and Dodd 05]).
• The image size of $\Phi^k$ is smaller than n, thus we lose entropy.
Questions:
• How much entropy do we lose in the internal state?
• Can this loss be efficiently exploited in a collision attack?
Part 2 Entropy Estimation
Previous Results
Example of a Functional Graph
(figure: the functional graph of $\varphi : x \mapsto x^2 + 2 \pmod{20}$ on the nodes 0, ..., 19; every node has one outgoing edge, so the graph consists of cycles with trees hanging off the cycle points)
Properties of Random Functions [Flajolet Odlyzko 90]
(figure: the functional graph of $\varphi : x \mapsto x^2 + 2 \pmod{20}$ from the previous slide, shown several times with, in turn, the cycle points, the maximal tail length mt = 2, the r-nodes for r = 2 and the image points after k = 0, 1, 2 iterations highlighted)
Asymptotic values for $n \to \infty$:
• Expected number of cycle points: $cp(n) \sim \sqrt{\pi n/2}$
• Expected maximal tail length: $mt(n) \sim \sqrt{\pi n/8}$
• Expected number of r-nodes (points with exactly r preimages): $rn(n, r) \sim \frac{n}{r!\,e}$
• Expected number of image points after k iterations: $ip(n, k) \sim n(1 - \tau_k)$ where $\tau_0 = 0$ and $\tau_{k+1} = e^{-1+\tau_k}$
Bounding Entropy with Image Points
• Upper bound given by the number of image points [Hong Kim 05]: $H_k \le \log_2(n) + \log_2(1 - \tau_k)$, since the entropy of $S_k$ is at most the logarithm of the size of its support, the image of $\Phi^k$.
• Example for $n = 2^{16}$:
(plot: bits of entropy, from 0 to 16, against $\log_2(k+1)$, from 0 to 12, with curves for the image size ($\log_2$), the number of cycle points ($\log_2$), the maximal tail length and the empirical entropy)
New Entropy Estimator
New Entropy Estimator (1)
Motivation:
• Find an entropy estimator which is more precise than the upper bound given by the number of image points.
Ideas:
• We assume a uniform initial distribution.
• If a state can be produced by exactly r other states after one iteration, it has probability r/n.
New Entropy Estimator (2)
• Definition: number of points which are reached by r points after k iterations. For $\varphi \in \mathcal{F}_n$: $rn_k^\varphi(r) = \#\{i \mid |\varphi^{-k}(i)| = r\}$. Average over all functions: $rn_k(n, r) = \frac{1}{n^n} \sum_{\varphi \in \mathcal{F}_n} rn_k^\varphi(r)$
• Example for k = 2 and r = 3:
(figure: two nodes A and B, each reached by exactly 3 nodes in 2 steps)
New Entropy Estimator (3)
• Theorem: For a uniform initial distribution the expected entropy of the inner state after k iterations is
  $H_k = \log_2(n) - \sum_{r=1}^{n} rn_k(n, r)\,\frac{r}{n}\,\log_2(r)$
• Theorem: For an arbitrary initial distribution $P = \{p_1, p_2, \ldots, p_n\}$ the expected entropy of the inner state after k iterations is
  $H_k^P = \sum_{r=1}^{n} \frac{rn_k(n, r)}{\binom{n}{r}} \sum_{1 \le j_1 < \cdots < j_r \le n} (p_{j_1} + \cdots + p_{j_r}) \log_2 \frac{1}{p_{j_1} + \cdots + p_{j_r}}$
Computation of $rn_k(n, r)$ (1)
• k > 1: use the fact that such a tree node consists of:
  1. A node.
  2. A SET of trees with depth < k − 1.
  3. A CONCATENATION of j trees of depth ≥ k − 1, with 1 ≤ j ≤ r, whose roots are reached by respectively $i_1, \ldots, i_j$ nodes after k − 1 iterations, such that $i_1 + \cdots + i_j = r$.
(figure: a node A with its parts labelled 1., 2. and 3.)
Computation of $rn_k(n, r)$ (2)
• By analyzing the generating function of our property we find a $c_k(r)$ such that for $n \to \infty$: $rn_k(n, r) \sim n\, c_k(r)$
• We can compute $c_k(r)$ in $O(k\, r \log(r))$.
• For a uniform initial distribution we can write:
  $H_k \sim \log_2(n) - \sum_{r=1}^{R} c_k(r)\, r \log_2(r) - \sum_{r=R+1}^{n} c_k(r)\, r \log_2(r)$
Remarks
• $c_k(r)\, r \log_2(r)$ decreases very fast in r.
(plot: $c_k(r)\, r \log_2(r)$ on a logarithmic scale from $10^0$ down to $10^{-10}$ against r from 0 to 100, one curve for each k = 1, 2, ..., 10)
• Approximation: $H_k(R) = \log_2(n) - \sum_{r=1}^{R} c_k(r)\, r \log_2(r)$
• We ignore the incoming cycle nodes.
Estimation of Entropy Loss with different Methods
(entropy loss in bits, $\log_2(n) - H_k$)

   k   empirical data   image points   H_k(R)
       n = 2^16                        R = 50    R = 200   R = 1000
   1   0.8273           0.6617         0.8272    0.8272    0.8272
   2   1.3458           1.0938         1.3457    1.3457    1.3457
   3   1.7254           1.4186         1.7254    1.7254    1.7254
  10   3.1130           2.6599         3.1084    3.1129    3.1129
  50   5.2937           4.7312         2.6894    5.2661    5.2918
 100   6.2529           5.6913         1.2524    5.5172    6.2729

• For small k our new estimator is more precise than the upper bound given by the number of image points.
• For larger k we need a bigger R to have a small error.
Part 4 Collision Attacks
Collision Attacks (1)
• Collision:
    • Different initial states $S_0, S_0'$ and $k, k' \ge 0$ such that $S_k = S'_{k'}$.
    • A given $S_0$ and $k, k' \ge 0$ with $k \ne k'$ such that $S_k = S_{k'}$.
• We compare each attack with a direct search for a collision in the initial state.
• Three criteria:
    • Number of initial states.
    • Space complexity.
    • Query complexity.
Collision Attacks (2)
Ideas:
• Using a random function leads to a loss of entropy.
• A reduced entropy leads to a higher probability of a collision.
• If two states are the same, then the subsequent output sequences are identical.
• Two proposals for an attack on MICKEY in [Hong Kim 05] (no real attacks).
Attack 1 (Proposition [Hong Kim 05])
• Search for a collision after k iterations.
(figure: m initial states in rows, each iterated through the columns 0, 1, ..., k; the collision is searched among the m states of the last column)
Attack 1 (Analysis)
• Upper bound: $H_k \le \log_2(n) - \log_2(k) + 1$
• Birthday paradox: we need $\sim \sqrt{2n/k}$ values in the last column.

            # initial states       space complexity [Hong Kim 05]   query complexity (new)
Attack 1    $\sim \sqrt{2n/k}$     $\sim \sqrt{2n/k}$               $\sim \sqrt{2kn}$
Attack 1 (Remark)
Under which circumstances is the attack effective?
• If we have functions which lose on average more than $2\log_2(k)$ bits after k iterations. This means that we are not using a random function, but the principle of the attack stays the same.
Attack 2 (Proposition [Hong Kim 05])
• Iterate 2k times and search for a collision in the second half of the intermediate states.
(figure: m initial states in rows, each iterated through the columns 0, 1, ..., k, ..., 2k − 1; the collision is searched among the km states of the columns k to 2k − 1)
• [Hong Kim 05]: magnitude of m such that $mk \sim \sqrt{n/k}$.
Attack 2 (Analysis (new))
• Let $\Pr[A]$ be the probability of no collision among the 2km points.
• The probability of a collision among the km points of the second half is smaller than $1 - \Pr[A]$.
• By counting arguments: $\Pr[A] = \frac{n(n-1)\cdots(n-2km+1)}{n^{2km}}$
• Birthday paradox: we need $2mk \approx \sqrt{n}$.

            # initial states          space complexity      query complexity
Attack 1    $\sim \sqrt{2n/k}$        $\sim \sqrt{2n/k}$    $\sim \sqrt{2kn}$
Attack 2    $\sim \sqrt{n}/(2k)$      $\sim \sqrt{n}/2$     $\sim \sqrt{n}$
Attack 3 (new) (Distinguished Points)
• Iterate until we reach a distinguished point.
(figure: m initial states in rows, each iterated from column 0 onwards until its row ends at a distinguished point; the collision is detected when two rows end at the same distinguished point)
Attack 3 (new) (Analysis)
• We assume that in total we need again about $\sqrt{n}$ data points.
• Let $c = d/n$ be the ratio of distinguished points, $0 < c < 1$.
• We assume that, as for random points, the average length of a row is about $1/c$.
• E.g. $n = 2^{20}$, $k_{max} = \sqrt{n}$, and $0.7 \le \log_2(d)/\log_2(n) \le 1$ (i.e. $2^{-6} \le c \le 1$).

            # initial states          space complexity      query complexity
Attack 1    $\sim \sqrt{2n/k}$        $\sim \sqrt{2n/k}$    $\sim \sqrt{2kn}$
Attack 2    $\sim \sqrt{n}/(2k)$      $\sim \sqrt{n}/2$     $\sim \sqrt{n}$
Attack 3    $\sim c\sqrt{n}$          $\sim c\sqrt{n}$      $\sim \sqrt{n}$
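The distinguished-point search of Attack 3 and the $\Pr[A]$ count of the Attack 2 analysis, as an added Python example (not code from the slides): the update function Φ of the model is a uniformly random lookup table on n states, trails are run from random initial states until a point whose low `dp_bits` bits are zero (so the ratio of distinguished points is $c = 2^{-dp\_bits}$), only one entry per trail is stored, and when two trails end at the same distinguished point the two trails are re-walked to recover the actual pair of distinct states with the same successor. The choice of distinguished points, the trail-length cap, the parameter values and all names are my assumptions.

```python
"""Attack 3 (distinguished points) on a random update function, plus Pr[A] from the
Attack 2 analysis.  Added example; not code from the slides."""
import math
import random


def random_function(n, seed):
    """A uniformly random phi : {0..n-1} -> {0..n-1} as a table; it plays the role of Phi."""
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(n)]


def prob_no_collision(n, t):
    """Pr[A]: t iterated points on n states are all distinct, n(n-1)...(n-t+1)/n^t,
    computed as a product of (1 - i/n) to avoid huge integers."""
    p = 1.0
    for i in range(t):
        p *= 1.0 - i / n
    return p


def walk_to_dp(phi, start, is_dp, max_len):
    """Iterate phi from start until a distinguished point.  Returns (dp, steps), or None
    when max_len steps pass without one (the trail sits on a cycle without a DP)."""
    x, steps = start, 0
    while not is_dp(x):
        if steps >= max_len:
            return None
        x, steps = phi[x], steps + 1
    return x, steps


def locate_merge(phi, s1, l1, s2, l2):
    """Two trails ending at the same DP after l1 and l2 steps: advance the longer one until
    both have the same distance left, then step together until the successors coincide.
    Returns (a, b) with a != b and phi[a] == phi[b], or None if one start lies on the
    other trail (no genuine collision)."""
    if l1 < l2:
        s1, l1, s2, l2 = s2, l2, s1, l1
    for _ in range(l1 - l2):
        s1 = phi[s1]
    if s1 == s2:
        return None
    while phi[s1] != phi[s2]:
        s1, s2 = phi[s1], phi[s2]
    return s1, s2


def dp_collision(phi, dp_bits, seed, max_starts=None):
    """Run trails from random initial states, storing only dp -> (start, length).
    Returns ((a, b), points evaluated, trails stored) for the first genuine collision."""
    n = len(phi)
    mask = (1 << dp_bits) - 1
    is_dp = lambda x: (x & mask) == 0          # ratio of distinguished points c = 2^-dp_bits
    max_len = 20 << dp_bits                    # about 20 times the expected row length 1/c
    rng = random.Random(seed)
    table, points = {}, 0
    for _ in range(max_starts or n):
        start = rng.randrange(n)
        hit = walk_to_dp(phi, start, is_dp, max_len)
        if hit is None:
            points += max_len                  # wasted queries, trail discarded
            continue
        dp, length = hit
        points += length
        if dp in table:
            pair = locate_merge(phi, start, length, *table[dp])
            if pair is not None:
                return pair, points, len(table)
        else:
            table[dp] = (start, length)
    raise RuntimeError("no collision found within the start budget")


if __name__ == "__main__":
    n, dp_bits = 1 << 16, 4
    phi = random_function(n, seed=2008)
    (a, b), points, rows = dp_collision(phi, dp_bits, seed=1)
    print(f"states {a} != {b} with phi[a] == phi[b] == {phi[a]}")
    print(f"{points} queries (sqrt(n) = {math.isqrt(n)}), {rows} rows stored "
          f"(c*sqrt(n) = {math.isqrt(n) >> dp_bits}), mean row length {points / rows:.1f} "
          f"(1/c = {1 << dp_bits})")
    print("Pr[A] for sqrt(n) points:", round(prob_no_collision(n, math.isqrt(n)), 3))
```

The memory is one table entry per row rather than one per point, which is where the $c\sqrt{n}$ space figure in the table comes from; the query count stays at about $\sqrt{n}$ because the trails together cover that many points before two of them merge.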
Part 5 Conclusion
Conclusion
Entropy Estimator:
• We studied a stream cipher model with a random update function.
• We introduced a new estimator which can be computed iteratively.
• For small k it is more precise than the previous upper bound.
Collision Attacks:
• Using a random update function introduces an entropy loss.
• Until now it had not been well studied whether this loss is a real threat to our stream cipher model.
• We showed that the proposed attacks are less effective than expected.