Resynchronization Attacks on WG and LEX - PowerPoint PPT Presentation

Provided by: hj84
Learn more at: https://www.iacr.org

1
Resynchronization Attacks on WG and LEX
  • Hongjun Wu and Bart Preneel
  • Katholieke Universiteit Leuven ESAT/COSIC

2
Overview
  • 1. Introduction to WG
  • 2. Differential Attack on WG
  • 3. Introduction to LEX
  • 4. Slide Attack on LEX

3
Description of WG (1)
  • submission to eSTREAM
  • key up to 128 bits, IV up to 128 bits
  • hardware efficient stream cipher (profile II)
  • consists of
  • a regularly clocked LFSR over GF(2^29)
  • defined by p(x) = x^11 + x^10 + x^9 + x^6 + x^3 + x + γ
  • and a WG transform that maps GF(2^29) → GF(2)

4
Description of WG (2)
Keystream generation of WG
5
Description of WG (3)
  • WG Transformation

6
Description of WG (4)
Key and IV setup of WG (22 Steps)
7
Differential Attack on WG (1)
  • Overview of the Attack
  • the taps of the LFSR are poorly chosen
  • 22 steps fail to randomize the differential propagation
  • at the end of the 22nd step, the differential in the LFSR is exploited to recover the secret key
  • => 48 key bits recovered with about 2^31 chosen IVs (80-bit key and 80-bit IV)

8
Differential Attack on WG (2)
  • Attack - differential propagation in key/IV setup
    of WG

9
Differential Attack on WG (3)
  • Attack - differential propagation in key/IV setup
    of WG (Contd.)

10
Differential Attack on WG (4)
  • At the end of the 22nd step, the difference at S(10) is
  • S(10) is related to the first keystream bit.
  • Observing the values of the first keystream bits generated from the related IVs, we are able to determine whether the value of is 0, then we can recover 29 bits of the key.
  • 2^31 IVs for the version with 80-bit IV, 80-bit key
  • (details are omitted here)

11
Differential Attack on WG (5)
  • The differential attack on WG is different from the differential attack on block ciphers
  • Difference generation -- change the input difference and SOME input value to generate many different
  • Filtering -- change OTHER input value (without modifying ) to generate keystream bits, to see whether the related keystream bits are always identical, and then to identify whether is 0

12
How to Improve WG
  • WG designers proposed a 44-step key/IV setup
  • => small change
  • secure against the differential attack
  • => but not that efficient
  • with properly chosen LFSR taps and output tap, it is possible to use only 22 steps

13
Description of LEX (1)
  • submission to eSTREAM
  • 128-bit key, 128-bit IV
  • software and hardware efficient (profile I & II)
  • Design
  • based on AES OFB mode
  • 4 bytes extracted from each round to form the keystream

14
Description of LEX (2)
  • Initialization and keystream generation

15
Description of LEX (3)
  • Extracted bytes in the even and odd rounds

16
Slide Attack on LEX (1)
  • Security of LEX depends on the fact that only a small fraction of the information is leaked from each round
  • If one round input in LEX is known, then the key could be recovered easily.

17
Slide Attack on LEX (2)
  • In LEX, with the same key and two IVs, if keystream1 is a shifted version of keystream2, then one input to AES for generating keystream1 is equivalent to IV2
  • => The input to AES is known
  • 32 bits of the first round output are known
  • => 32 bits of the key could be recovered easily

18
Slide Attack on LEX (3)
  • If each IV is used to generate about 500 outputs, then with about 2^61 IVs, 3 pairs of shifted keystreams could be observed and 96 key bits could be recovered.

19
Slide Attack on LEX (4)
  • Is LEX as strong as AES counter mode?
  • No.
  • AES counter mode => a particular key can never be recovered faster than brute force search
  • LEX => a particular key recovered with 2^60.8 random IVs, 20,000 bytes from each IV, faster than brute force search

20
How to Improve LEX
  • Our suggestion =>
  • For each LEX IV, use the LEX key and LEX IV to generate an AES key and AES IV
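
Added example (not from the slides or from the LEX designers): a toy Python model of the LEX structure behind slides 17 and 18, with the IV used directly as the first state, the key used directly in every round and part of each state leaked, the shifted-keystream search a designer would run as a self-check, and the slide-20 style fix beside it. The 24-bit state, the hash-based round function and the one-byte leak are constructed stand-ins for AES, and the birthday estimate is a first-order count, not the paper's figure.

```python
import hashlib
from collections import defaultdict

# Toy model of the LEX structure (constructed for this example, not LEX itself): state_0 = IV,
# state_{i+1} = F_K(state_i), part of each state leaks. 24-bit state vs LEX's 128-bit AES state.
STATE_BYTES, ROUNDS, WINDOW = 3, 64, 6

def f_k(key: bytes, state: int) -> int:
    """Keyed round function on 24-bit states (a hash-based stand-in for AES)."""
    h = hashlib.sha256(key + state.to_bytes(STATE_BYTES, "big")).digest()
    return int.from_bytes(h[:STATE_BYTES], "big")

def _leak(key: bytes, s: int) -> bytes:
    """Run F_key from state s for ROUNDS steps, leaking the low byte of each state."""
    out = bytearray()
    for _ in range(ROUNDS):
        out.append(s & 0xFF)
        s = f_k(key, s)
    return bytes(out)

def keystream(key: bytes, iv: int) -> bytes:
    """LEX-style: the IV is the first state and the key is used directly in every round."""
    return _leak(key, iv)

def keystream_mixed(key: bytes, iv: int) -> bytes:
    """Slide-20 style fix: derive a fresh round key and first state from (key, IV)
    non-linearly, so neither the key nor the IV is used directly."""
    d = hashlib.sha256(b"setup" + key + iv.to_bytes(STATE_BYTES, "big")).digest()
    return _leak(d[:16], int.from_bytes(d[16:16 + STATE_BYTES], "big"))

def find_slid_pairs(key: bytes, ivs, gen=keystream):
    """Return [(iv_a, iv_b, shift)] where gen(key, iv_b) equals gen(key, iv_a) shifted
    by `shift` rounds: index every WINDOW-byte window of every stream, look up each
    stream's leading window, then confirm that the whole remainder lines up."""
    streams = {iv: gen(key, iv) for iv in ivs}
    index = defaultdict(list)                    # window bytes -> [(iv, offset)]
    for iv, ks in streams.items():
        for off in range(ROUNDS - WINDOW + 1):
            index[ks[off:off + WINDOW]].append((iv, off))
    found = []
    for iv_b, ks_b in streams.items():
        for iv_a, shift in index[ks_b[:WINDOW]]:
            # shift 0 is the stream itself; a true slid pair means iv_b == state_shift(iv_a)
            if shift and ks_b[:ROUNDS - shift] == streams[iv_a][shift:]:
                found.append((iv_a, iv_b, shift))
    return found

def expected_slid_pairs(n_ivs: int, states_per_iv: int, state_bits: int) -> float:
    """First-order birthday estimate of how many IVs land on another IV's state."""
    return n_ivs * n_ivs * states_per_iv / 2 ** state_bits
```

A found pair (iv_a, iv_b, shift) means iv_b is exactly the internal state of the iv_a stream after `shift` rounds, which is the "input to AES is known" condition of slide 17; with the mixed setup the same planted state collision no longer yields a shifted keystream.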

21
Conclusion (1)
  • Lesson from the WG design =>
  • Ensure that the tap distances are co-prime in an FSR (including an LFSR over GF(2^m))

22
Conclusion (2)
  • Lessons from the LEX design =>
  • 1) It is better to mix the key and IV in a non-linear way, then use the mixed values to generate the keystream
  • 2) Try to avoid using the stream cipher key directly in the keystream generation
  • (more generally, try to avoid using static secret parameters in the keystream generation) (LEX, Salsa20, ABC, SEAL)

23
  • Thank you!
  • Q & A