On the Security of IV Dependent Stream Ciphers - Côme Berbain and Henri Gilbert - PowerPoint PPT Presentation



SLIDE 1

research & development

On the Security of IV Dependent Stream Ciphers

Côme Berbain and Henri Gilbert, France Telecom R&D

{firstname.lastname@orange-ftgroup.com}

SLIDE 2

IV setup – H. Gilbert (2) research & development Orange Group

Stream Ciphers

IV-less: a number generator expands the key K into a keystream; ciphertext = plaintext ⊕ keystream.

  • e.g. RC4, Shrinking Generator
  • well founded theory [S81, Y82, BM84]
  • practical limitations: no reuse of K, synchronisation

IV-dependent: the number generator takes the key K and an IV (initial value) and produces the keystream; ciphertext = plaintext ⊕ keystream.

  • e.g. SNOW, Scream, eSTREAM ciphers
  • less unanimously agreed theory (?); prior work [RC94, HN01, Z06]
  • numerous chosen IV attacks
  • key and IV setup not well understood
SLIDE 3

Outline

  • security requirements on IV-dependent stream ciphers
    • whole cipher
    • key and IV setup
  • key and IV setup constructions satisfying these requirements
    • blockcipher based
    • tree based
  • application example: QUAD
    • incorporate key and IV setup in QUAD's provable security argument

SLIDE 4

Security in IV-less case: PRNG notion

number generator g: K ∈_R {0,1}^m ↦ g(K) ∈ {0,1}^L   VS   truly random generator: Z ∈_R {0,1}^L

A tests number distributions: A receives one input (either g(K) or Z) and outputs 0 or 1.

$$\mathrm{Adv}^{\mathrm{PRNG}}_g(A) = \bigl|\Pr[A(g(K)) = 1] - \Pr[A(Z) = 1]\bigr|$$

$$\mathrm{Adv}^{\mathrm{PRNG}}_g(t) = \max_{A\,:\,T(A) \le t} \mathrm{Adv}^{\mathrm{PRNG}}_g(A)$$

g is a secure cipher ⇔ g is a PRNG ⇔ $\mathrm{Adv}^{\mathrm{PRNG}}_g(t < 2^{80}) \ll 1$

SLIDE 5

Security in IV-dependent case: PRF notion

function generator G = {g_K} (the stream cipher): IV ∈ {0,1}^n ↦ g_K(IV)   VS   perfect random function g*

A tests function distributions: A makes q oracle queries to either g_K or g* and outputs 0 or 1.

$$\mathrm{Adv}^{\mathrm{PRF}}_G(A) = \bigl|\Pr[A^{g_K} = 1] - \Pr[A^{g^*} = 1]\bigr|$$

$$\mathrm{Adv}^{\mathrm{PRF}}_G(t,q) = \max_{A\,:\,T(A) \le t,\ \text{at most } q \text{ queries}} \mathrm{Adv}^{\mathrm{PRF}}_G(A)$$

G is a secure cipher ⇔ G is a PRF ⇔ $\mathrm{Adv}^{\mathrm{PRF}}_G(t < 2^{80},\, q < 2^{40}) \ll 1$

SLIDE 6

Structure of the stream ciphers considered here

key & IV setup: (key K, IV (n bits)) → initial state (m bits)

keystream generation: initial state (m bits) → keystream (L bits)

typical KG structure: λ iterations of a state transition function, each followed by an output function

SLIDE 7

Security: sufficient conditions

key & IV setup: F = {f_K} is a PRF (IV → initial state)

keystream generation: g is a PRNG (initial state → keystream)

⇒ G = {g ∘ f_K} is a PRF (IV → keystream)

[informally]: the key & IV setup is a PRF and the keystream generator is a PRNG ⇒ the whole stream cipher is secure

SLIDE 8

This is due to a simple composition theorem

Composition of the function generator F = {f_K} and the number generator g (computation time T_g): G = {g ∘ f_K}

Composition Theorem:

$$\mathrm{Adv}^{\mathrm{PRF}}_G(t,q) \le \mathrm{Adv}^{\mathrm{PRF}}_F(t',q) + q\,\mathrm{Adv}^{\mathrm{PRNG}}_g(t')$$

where t' = t + qT_g

SLIDE 9

Key & IV setup = PRF is "almost" a necessary condition

F = {f_K}: IV (n bits) → initial state (m bits), time T_{K&IV} (key and IV setup)

g: initial state (m bits) → m first keystream bits, time T_{KG} (keystream generation)

T_{K&IV} + T_{KG} ≥ T_{PRF} (where T_{PRF} is the time needed by the fastest n-bit to m-bit PRF), since the map from the IV to the first m keystream bits is itself an n-bit to m-bit PRF

For a fast cipher, T_{KG} is small, so T_{K&IV} cannot be much lower than T_{PRF}

SLIDE 10

Key & IV setup: candidate PRF constructions

Block cipher based (not detailed here)
  • Examples: LEX (based on AES), Sosemanuk (based on Serpent)
  • Pros: more conservative than many existing constructions
  • Cons: heterogeneous construction ⇒ increased implementation complexity (except for LEX)

Tree based (detailed in the sequel)
  • Example: QUAD
  • Conducting idea: re-use essentially the same PRNG as in the keystream generation
  • Pros: low implementation complexity
  • Cons: relatively slow

SLIDE 11

Tree based construction [GGM86]

f: m-bit to 2m-bit PRNG (m bits in, 2m bits out)

F = {f_y}: n-bit to m-bit PRF, with parameter y (the root of the tree) and input x = x_1 x_2 ... x_n. Starting from y, level i applies f to the current m-bit value and keeps the left m-bit half if x_i = 0 or the right half if x_i = 1; the leaf reached after n steps is f_y(x).

[figure: binary tree of f evaluations; the bits of x select one root-to-leaf path]

Theorem [≈GGM86]:

$$\mathrm{Adv}^{\mathrm{PRF}}_F(t,q) \le nq\,\mathrm{Adv}^{\mathrm{PRNG}}_f(t')$$

where t' = t + q(n+1)T_f

SLIDE 12

Tree based key & IV setup

The root is the m-bit state K derived from the key; the input bits are IV_1, IV_2, ..., IV_n; the leaf f_K(IV) is the initial state. Each node expands its m-bit state into a 2m-bit sequence with f, i.e. f is a truncated IV-less cipher.

[figure: the tree of slide 11 with the IV bits selecting the path from K to f_K(IV)]

Is this practical?
  • Cons: relatively slow. If |IV| = 80 bits and |state| = 160 bits, key & IV setup ≡ generation of 3200 keystream bytes
  • Pros: very low extra implementation complexity in hardware
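The tree walk of slides 11 and 12, as an added example that is not code from the slides or from the authors: an m-bit to 2m-bit PRNG f is instantiated with SHA-256 purely as a stand-in (the slides leave f abstract), the GGM PRF f_y(x) follows the bits of x down the tree, and a helper expresses the setup cost in keystream bytes, reproducing the 3200-byte figure for |IV| = 80 and |state| = 160.

```python
import hashlib

# Added example (not from the slides): the tree-based PRF of [GGM86] built
# from an m-bit to 2m-bit PRNG f, as sketched on slides 11 and 12.
# ASSUMPTION: f is instantiated with SHA-256 as a stand-in length-doubling
# function so that the example runs; any m-bit to 2m-bit PRNG fits here.

M_BITS = 160          # state size m (slide 12 example: |state| = 160 bits)
N_BITS = 80           # input/IV size n (slide 12 example: |IV| = 80 bits)


def prng_f(y: bytes) -> bytes:
    """Stand-in m-bit -> 2m-bit PRNG f: expands the m-bit value y into 2m bits."""
    assert len(y) * 8 == M_BITS
    left = hashlib.sha256(b"L" + y).digest()[: M_BITS // 8]
    right = hashlib.sha256(b"R" + y).digest()[: M_BITS // 8]
    return left + right


def ggm_prf(y: bytes, x_bits: list) -> bytes:
    """f_y(x): walk the binary tree rooted at y; for each input bit apply f
    to the current node and keep the left half for 0, the right half for 1.
    With y = K and x = IV this is the key & IV setup of slide 12."""
    half = M_BITS // 8
    state = y
    for bit in x_bits:
        out = prng_f(state)
        state = out[:half] if bit == 0 else out[half:]
    return state


def bits_of(value: int, width: int) -> list:
    """Most-significant-bit-first list of the `width` low bits of value."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def setup_cost_bytes(n: int, m: int) -> int:
    """The setup performs n evaluations of f, each producing 2m bits, which
    is equivalent to n*2m/8 bytes of keystream (3200 for n=80, m=160)."""
    return n * 2 * m // 8


if __name__ == "__main__":
    key = bytes(range(M_BITS // 8))            # constructed sample key
    initial_state = ggm_prf(key, bits_of(0x1234, N_BITS))
    print(initial_state.hex(), setup_cost_bytes(N_BITS, M_BITS))
```

Two inputs that share a prefix share the tree nodes along that prefix, which is why the proof pays a factor nq: the q queries of a distinguisher touch at most nq distinct applications of f.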

SLIDE 13

The Stream Cipher QUAD [BGP06]

Based on the multivariate quadratic problem (MQ): given a system of m quadratic equations in n variables over GF(q), find a solution (if any)

  • NP hard even over GF(2)
  • best solving algorithms so far are exponential [Faugère, Bardet]

QUAD iterates a fixed quadratic function S: GF(q)^n → GF(q)^m, mapping the state x = (x_1, ..., x_n) ∈ GF(q)^n to (y_1, ..., y_m), where

$$y_k = Q_k(x_1,\ldots,x_n) = \sum_{1 \le i \le j \le n} \alpha_{i,j,k}\, x_i x_j + \sum_{1 \le i \le n} \beta_{i,k}\, x_i + \gamma_k, \qquad k = 1,\ldots,m$$

[figure: S applied to the state, producing the keystream]

SLIDE 14

QUAD: keystream generation

internal state: x = (x_1, ..., x_n) ∈ GF(q)^n (n bits for q = 2)

fixed public quadratic function S: n variables, m = tn equations (typically 2n equations)

recommended parameters: q = 2, n = 160 bits, t = 2

[figure: S applied to the n-bit state]

SLIDE 15

Security argument for the keystream generation

Keystream generation, GF(2) case: the number generator g maps the initial state (n bits) to the keystream (L bits) by λ iterations of S.

Th [BGP06]: in the GF(2) case, if there exists a distinguisher for g allowing to distinguish a sequence of keystream bits associated with a random quadratic system S and a random initial state value x in time T with advantage ε, then there is an MQ solver that solves a random instance of MQ in time T' with probability ε', where

$$T' \cong O\!\left(\frac{n^2 \lambda^2 T}{\varepsilon^2}\right), \qquad \varepsilon' \cong \frac{\varepsilon}{\lambda}, \qquad \lambda = \frac{L}{(t-1)n}$$

Example of application: q = 2, n = 350 bits, t = 2, L = 2^40, T = 2^80, ε = 1%

(no such concrete reduction for the recommended value n = 160)

SLIDE 16

QUAD: Key and IV Setup (tree based construction)

  • uses two public quadratic functions S0 and S1 of n equations in n variables each
  • set x with the key K
  • for each IV bit IV_i:
    • if IV_i = 0 then update x with S0(x)
    • if IV_i = 1 then update x with S1(x)
  • runup: clock the cipher n times without outputting the keystream

typical key and IV lengths: 160 bits each
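A runnable, toy-size QUAD over GF(2) covering the quadratic system of slide 13, the keystream generation of slide 14 and the key and IV setup above, added here as an example and not taken from the QUAD authors' code. The systems S, S0 and S1 are constructed from a seeded PRNG (real QUAD fixes them publicly) and n is reduced from the recommended 160 to 16 so that it runs instantly; the output convention (low n bits of S(x) become the next state, high (t-1)n bits are keystream) is an assumption of this example.

```python
import random

# Added example, not the QUAD authors' code: toy QUAD over GF(2) with the
# tree-based key & IV setup of slide 16.  ASSUMPTIONS: S, S0, S1 are drawn
# from a seeded PRNG (constructed sample systems); n = 16 instead of 160;
# low n output bits of S are the next state, high (t-1)n bits the keystream.

N = 16            # n variables = state bits (recommended: 160)
T = 2             # m = t*n equations for S (recommended: t = 2)
M = T * N
STATE_MASK = (1 << N) - 1


def random_system(rng, n_vars, n_eqs):
    """Sample a quadratic system over GF(2): for each equation k, the pairs
    (i, j), i <= j, with alpha_{i,j,k} = 1, the i with beta_{i,k} = 1, and
    the constant gamma_k.  Absent coefficients are 0."""
    system = []
    for _ in range(n_eqs):
        alpha = [(i, j) for i in range(n_vars) for j in range(i, n_vars)
                 if rng.getrandbits(1)]
        beta = [i for i in range(n_vars) if rng.getrandbits(1)]
        gamma = rng.getrandbits(1)
        system.append((alpha, beta, gamma))
    return system


def evaluate(system, x, n_vars):
    """y_k = sum_{i<=j} alpha_{i,j,k} x_i x_j + sum_i beta_{i,k} x_i + gamma_k
    over GF(2).  Variable x_i is bit i of x; equation k yields bit k of y."""
    xb = [(x >> i) & 1 for i in range(n_vars)]
    y = 0
    for k, (alpha, beta, gamma) in enumerate(system):
        acc = gamma
        for i, j in alpha:
            acc ^= xb[i] & xb[j]
        for i in beta:
            acc ^= xb[i]
        y |= acc << k
    return y


_rng = random.Random(20070101)   # constructed seed for the sample systems
S = random_system(_rng, N, M)    # keystream function: n var., m = 2n eq.
S0 = random_system(_rng, N, N)   # key & IV setup functions: n eq. in n var.
S1 = random_system(_rng, N, N)


def key_iv_setup(key, iv_bits):
    """Tree-based setup: start from K, apply S0 for each 0 bit and S1 for
    each 1 bit of the IV; the result is the initial state."""
    x = key & STATE_MASK
    for bit in iv_bits:
        x = evaluate(S1 if bit else S0, x, N)
    return x


def clock(x):
    """One iteration of S: next state and the (t-1)n keystream bits."""
    y = evaluate(S, x, N)
    return y & STATE_MASK, y >> N


def quad_keystream(key, iv, n_bits):
    """Whole cipher: setup, n-clock runup without output, then keystream."""
    iv_bits = [(iv >> (N - 1 - i)) & 1 for i in range(N)]
    x = key_iv_setup(key, iv_bits)
    for _ in range(N):                     # runup: no keystream output
        x, _ = clock(x)
    out = []
    while len(out) < n_bits:
        x, ks = clock(x)
        out.extend((ks >> i) & 1 for i in range((T - 1) * N))
    return out[:n_bits]


def encrypt(key, iv, plaintext):
    """ciphertext = plaintext XOR keystream (the same call decrypts)."""
    ks = quad_keystream(key, iv, 8 * len(plaintext))
    ks_bytes = bytes(sum(ks[8 * b + i] << i for i in range(8))
                     for b in range(len(plaintext)))
    return bytes(p ^ k for p, k in zip(plaintext, ks_bytes))


if __name__ == "__main__":
    print(encrypt(0xBEEF, 0x0007, b"constructed sample text").hex())
```

Counting iterations of S in quad_keystream shows where the λ of the whole-cipher reduction comes from: n applications of S0/S1 during setup, n runup clocks, and L/((t-1)n) clocks for the keystream itself.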

SLIDE 17

Extending the proof to the whole cipher

Whole cipher, GF(2) case: the function generator G = {g ∘ f_K} maps the IV (n bits) to the keystream (L bits) by λ iterations of S, with t = 2.

Th: in the GF(2) case, if there exists a (T,q) PRF-distinguisher for the family G of IV to keystream functions associated with a random key and a random quadratic system S with PRF-advantage ε, then there is an MQ solver that solves a random instance of MQ in time T' with probability at least ε', where

$$T' \cong O\!\left(\frac{n^2 \lambda^2 q^2 T}{\varepsilon^2}\right), \qquad \varepsilon' \cong \frac{\varepsilon}{q\lambda}, \qquad \lambda = \frac{L + 2n^2}{n}$$

Example of application: q = 2, n = 760 bits, t = 2, L = 2^40, T = 2^80, ε = 1%

SLIDE 18

Conclusions

  • Requirements: a PRF is needed
  • Conservative IV setup
    • seems demanding w.r.t. computational complexity
    • is not demanding w.r.t. implementation complexity
  • "Provable security" can be extended to IV-dependent stream ciphers