Cryptanalysis of the Stream Cipher DECIM - PowerPoint PPT Presentation

Learn more at: https://www.iacr.org

Transcript and Presenter's Notes

1
Cryptanalysis of the Stream Cipher DECIM
  • Hongjun Wu and Bart Preneel
  • Katholieke Universiteit Leuven ESAT/COSIC

2
Overview
  • 1. Introduction to DECIM
  • 2. Key Recovery Attack (on Initialization)
  • 3. Distinguishing Attack
  • 4. Conclusion

3
Description of DECIM (1)
  • submission to eSTREAM
  • 80-bit key, 64- or 80-bit IV
  • hardware-efficient stream cipher (Profile II)
  • Main features
  • 1. ABSG decimation algorithm (similar to the self-shrinking generator, 25% more efficient)
  • 2. Buffer for constant output rate

4
Description of DECIM (2)
  • Keystream generation

5
Description of DECIM (3)
  • DECIM consists of
  • 192-bit regularly clocked LFSR (14 taps)
  • two filtering functions (different tap positions)
  • ABSG decimation
  • split the sequence into patterns of the form
  • if i = 0, output the bit b; otherwise, output the inverse of b
  • 32-bit buffer
  • for every 4/3 input bits, only one output bit
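
The decimation step, written out as an added example (my code, not code from the slides or from the DECIM specification). It uses the bit-search rule of the ABSG family: a pattern begins with a bit e, the bit immediately after e is the output, and the pattern runs up to and including the next occurrence of e. Each pattern therefore reads (b, b̄^i, b) with i ≥ 0, and the output is b when i = 0 and b̄ otherwise, which is the rule stated on the slide. The input bits below are constructed for the demonstration.

```python
import random


def absg(bits):
    """ABSG decimation (bit-search rule, see lead-in).

    Returns (outputs, patterns): patterns[k] is the chunk of the input
    that produced outputs[k].  A trailing chunk that is not closed by a
    second occurrence of its first bit produces no output.
    """
    outputs, patterns = [], []
    i, n = 0, len(bits)
    while i + 1 < n:
        start = i
        e = bits[i]              # first bit of the pattern
        z = bits[i + 1]          # the bit following e is the candidate output
        i += 1
        while i < n and bits[i] != e:   # skip the run of complemented bits
            i += 1
        if i >= n:               # input exhausted before the pattern closed
            break
        i += 1                   # consume the closing occurrence of e
        outputs.append(z)
        patterns.append(bits[start:i])
    return outputs, patterns


def absg_rate(n_bits, seed=1):
    """Empirical output/input ratio on a pseudo-random input (constructed here)."""
    rng = random.Random(seed)
    bits = [rng.getrandbits(1) for _ in range(n_bits)]
    outputs, _ = absg(bits)
    return len(outputs) / n_bits


if __name__ == "__main__":
    sample = [1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0]   # constructed input
    out, pats = absg(sample)
    for z, p in zip(out, pats):
        print(f"pattern {p} -> output {z}")
    print(f"empirical rate on 2^17 random bits: {absg_rate(1 << 17):.4f}")
```

On a uniformly random input a pattern of length i + 2 occurs with probability 2^-(i+1), so the mean pattern length is 3 and the ABSG emits about one bit per three input bits, against one per four for the self-shrinking generator; that is the 25% on the slide. The empirical rate printed above sits at about 0.333.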

6
Description of DECIM (4)
  • Key/IV setup
  • 192 steps
  • each step: the non-linear feedback
  • a permutation on 7 LFSR bits

7
Key Recovery Attack (1)
  • Overview of the Attack
  • The permutations are used to update the LFSR
  • => 54.5 bits in the LFSR are not updated during the key/IV setup
  • => key recovered with 2^20 random IVs, the first 2 keystream bytes, negligible computations

8
Key Recovery Attack (2)
  • Two permutations operate on 7 elements
  • (s_{t+5}, s_{t+31}, s_{t+59}, s_{t+100}, s_{t+144}, s_{t+177}, s_{t+186})
  • If the output of ABSG is 1, the first permutation is used; otherwise, the second is used

9
Key Recovery Attack (3)
  • Using permutation to update FSR is bad
  • If no permutation, then every bit in the FSR is updated once every 192 steps
  • But with the permutation on the FSR, the bit positions are changed, so some bits would be updated more than once while some bits are not updated!
  • => no matter how the permutation is designed, the updating would not be uniform for all the bits

10
Key Recovery Attack (4)
  • The key-dependent selection of permutations does not hide the intrinsic weakness of the permutation
  • => on average 54.5 bits in the LFSR are not updated

11
Key Recovery Attack (5)
  • To recover the key, we need to trace each key bit to see how that key bit is updated during those 192 steps in the initialization
  • => very tedious
  • use a computer program to trace those key bits
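
The trace the slides describe, as an added example (my code, not the authors' program and not DECIM's initialization). Each register cell holds a label saying which bit sits there (an initial key/IV-loaded bit, or the feedback bit written at step t) instead of a value, so the trace does not depend on the key, the IV or the feedback function. The register length and step count (192) follow the slides; the two permutations PERM_A and PERM_B are hypothetical stand-ins acting on three of the seven tap positions listed on slide 8, not DECIM's permutations, and the per-step coin flip stands in for the ABSG output bit that selects the permutation.

```python
import random

N_STATE = 192
N_STEPS = 192
TAPS = (5, 31, 59, 100, 144, 177, 186)   # cells permuted in DECIM's setup (slide 8)

# Hypothetical permutations (not DECIM's), as dicts old_position -> new_position.
PERM_A = {5: 186, 186: 5}            # swap two of the permuted cells
PERM_B = {5: 31, 31: 186, 186: 5}    # 3-cycle on three of them


def step(state, fresh, perm):
    """One setup step: shift out the cell at position 0, append the label of
    the new feedback bit at position 191, then move the labels at perm's
    positions simultaneously."""
    state = state[1:] + [fresh]
    moved = {dst: state[src] for src, dst in perm.items()}
    for dst, label in moved.items():
        state[dst] = label
    return state


def trace_setup(choose_perm):
    """Run N_STEPS steps; choose_perm(t) returns the permutation used at step t.
    Labels are ('init', i) for initial bit i and ('fb', t) for the feedback
    bit produced at step t."""
    state = [('init', i) for i in range(N_STATE)]
    for t in range(N_STEPS):
        state = step(state, ('fb', t), choose_perm(t))
    return state


def never_updated(state):
    """Positions that still hold an initial (key/IV-loaded) bit after setup."""
    return [i for i, label in enumerate(state) if label[0] == 'init']


def survivors_no_perm():
    return len(never_updated(trace_setup(lambda t: {})))


def survivors_fixed_perm():
    return len(never_updated(trace_setup(lambda t: PERM_A)))


def survivors_data_dependent(seed):
    """PERM_A or PERM_B per step, chosen by a seeded coin flip that stands in
    for the ABSG bit selecting the permutation in DECIM."""
    rng = random.Random(seed)
    pick = lambda t: PERM_A if rng.random() < 0.5 else PERM_B
    return len(never_updated(trace_setup(pick)))


if __name__ == "__main__":
    print("no permutation:     ", survivors_no_perm(), "initial bits never updated")
    print("fixed permutation:  ", survivors_fixed_perm())
    print("data-dependent pick:", survivors_data_dependent(seed=1))
```

Without a permutation every initial label is shifted out exactly once, so none survive. With the toy permutations, any label that reaches cell 5 is lifted back up and never leaves, while the feedback bits written at cell 191 are pushed out through 186 within a dozen steps: 181 of the 192 initial bits are never updated and a handful of cells are rewritten over and over, and the coin flip that picks the permutation does not change that count. The toy exaggerates the effect (the slides report 54.5 untouched bits on average for DECIM), but the mechanism is the one the slides describe.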

12
Key Recovery Attack (6)
  • One example: recovering K_21
  • s_21 = K_21 ∨ IV_21 (bitwise OR)
  • s_21 is not updated and it becomes s_{192+6} with prob. 1/2^7
  • s_{192+6} is used in the generation of the first keystream bit z_0
  • if s_{192+6} is 0, then z_0 = 0 with prob. 56/128
  • if s_{192+6} is 1, then z_0 = 0 with prob. 72/128
  • if K_21 = 1, the distribution of z_0 is independent of IV_21
  • if K_21 = 0, the distribution of z_0 is affected by IV_21
  • => used to identify K_21 with about 2^18.5 random IVs

13
Distinguishing Attack (1)
  • Overview of the Attack
  • The filtering functions are not 1-resilient
  • ABSG could not hide the non-randomness
  • => any two adjacent keystream bits are equal with prob. 0.5 + 2^-9
  • message recovered if encrypted 2^18 times

14
Distinguishing Attack (2)
  • Bias from the filtering function
  • If two inputs share one common bit, the two output bits are equal with prob. 65/128
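
What 1-resilience buys, as an added example (my code, not the authors'). DECIM's filtering function is not on the slide, so the two 4-variable functions here are constructed stand-ins: f_res is balanced and 1-resilient, f_nonres is balanced but correlated with its input x2. The block computes the resilience order from the Walsh spectrum and the exact probability that two evaluations sharing one input bit (all other inputs independent and uniform) agree, which is the quantity the slide gives as 65/128.

```python
from fractions import Fraction


def truth_table(f, n):
    """Evaluate f on all 2^n inputs; input index x has bit j = (x >> j) & 1."""
    return [f([(x >> j) & 1 for j in range(n)]) & 1 for x in range(1 << n)]


def walsh(tt, a):
    """Walsh coefficient W_f(a) = sum over x of (-1)^(f(x) xor a.x)."""
    total = 0
    for x, fx in enumerate(tt):
        total += -1 if (fx ^ bin(a & x).count('1')) & 1 else 1
    return total


def resilience_order(f, n):
    """Largest m such that f is balanced and W_f(a) = 0 for all a with
    1 <= wt(a) <= m (f is m-resilient); -1 if f is unbalanced."""
    tt = truth_table(f, n)
    if 2 * sum(tt) != len(tt):
        return -1
    order = 0
    for m in range(1, n + 1):
        if any(walsh(tt, a) != 0 for a in range(1 << n) if bin(a).count('1') == m):
            return order
        order = m
    return order


def shared_bit_equal_prob(f, n, j):
    """Exact P[f(X) = f(Y)] for X, Y uniform and independent except X_j = Y_j."""
    tt = truth_table(f, n)
    total = Fraction(0)
    for c in (0, 1):
        vals = [fx for x, fx in enumerate(tt) if (x >> j) & 1 == c]
        p1 = Fraction(sum(vals), len(vals))        # P[f = 1 | X_j = c]
        total += Fraction(1, 2) * (p1 ** 2 + (1 - p1) ** 2)
    return total


def worst_shared_bit_prob(f, n):
    """Worst case over which input bit is shared."""
    return max(shared_bit_equal_prob(f, n, j) for j in range(n))


# Constructed stand-in filters (not DECIM's).
def f_res(x):      # x0 + x1 + x2*x3: balanced, 1-resilient
    return x[0] ^ x[1] ^ (x[2] & x[3])


def f_nonres(x):   # x0*x1 + x2 + x0*x3: balanced, but correlated with x2
    return (x[0] & x[1]) ^ x[2] ^ (x[0] & x[3])


if __name__ == "__main__":
    for name, f in (("f_res", f_res), ("f_nonres", f_nonres)):
        print(name, "resilience order:", resilience_order(f, 4),
              "worst shared-bit agreement:", worst_shared_bit_prob(f, 4))
```

For a 1-resilient function the agreement probability is exactly 1/2 whichever input bit is shared. For a balanced function whose output has correlation ε with the shared input (P[f = 1 | x_j = c] = 1/2 ± ε), the same enumeration gives 1/2 + 2ε²; f_nonres has ε = 1/4 on x2 and lands at 5/8, and under this model the slide's 65/128 is what ε = 1/16 on one tap produces.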

15
Distinguishing Attack (3)
  • Bias passing through the ABSG decimation and buffer
  • Deal with the bits whose relations are not affected significantly by the ABSG decimation algorithm, i.e., the bits with small distance
  • For these three pairs of bits, passing through the ABSG decimation and buffer does not reduce the bias too much (about 8 to 32 times)
  • But the analysis is too complicated (details omitted here)

16
Distinguishing Attack (4)
  • Any two adjacent keystream bits are equal with probability 0.5 + 2^-9
  • The bias is large enough for the broadcast attack
  • If a message is encrypted by DECIM 2^18 times, then the message could be recovered

17
DECIM v2
  • Initialization
  • Permutation removed
  • 768 steps
  • Keystream generation
  • one LFSR, one filtering function, ABSG, buffer
  • 1-resilient filtering function
  • Greatly simplified compared with the original version

18
Conclusion
  • Using permutation to update FSR is undesirable
  • Try to design Boolean functions conservatively (high resilience, ...)

19
  • Thank you!
  • Q & A