A New 128-bit Key Stream Cipher LEX



Similar documents
F3 Symmetric Encryption

The Stream Cipher HC-128

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

WINTER SCHOOL ON COMPUTER SECURITY. Prof. Eli Biham

1 Data Encryption Algorithm

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

CSCE 465 Computer & Network Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Lecture 4 Data Encryption Standard (DES)

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator

Split Based Encryption in Secure File Transfer

How To Encrypt With A 64 Bit Block Cipher

The Advanced Encryption Standard: Four Years On

Table of Contents. Bibliografische Informationen digitalisiert durch

A Practical Attack on Broadcast RC4

Bounds for Balanced and Generalized Feistel Constructions

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key

Cryptography and Network Security Chapter 3

On the Security of Double and 2-key Triple Modes of Operation

The Misuse of RC4 in Microsoft Word and Excel

Cryptography and Network Security Block Cipher

The Advanced Encryption Standard (AES)

Cryptography and Network Security

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Modes of Operation of Block Ciphers

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Sosemanuk, a fast software-oriented stream cipher

Salsa20/8 and Salsa20/12

Statistical weakness in Spritz against VMPC-R: in search for the RC4 replacement

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Masao KASAHARA. Public Key Cryptosystem, Error-Correcting Code, Reed-Solomon code, CBPKC, McEliece PKC.

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

A VHDL Implemetation of the Advanced Encryption Standard-Rijndael Algorithm. Rajender Manteena

A NEW DNA BASED APPROACH OF GENERATING KEY-DEPENDENT SHIFTROWS TRANSFORMATION

Application of cube attack to block and stream ciphers

MAC. SKE in Practice. Lecture 5

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Serpent: A Proposal for the Advanced Encryption Standard

Helix. Fast Encryption and Authentication in a Single Cryptographic Primitive

Introduction. Where Is The Threat? Encryption Methods for Protecting Data. BOSaNOVA, Inc. Phone: Web:

Secure Large-Scale Bingo

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

QoS Provisioning in Mobile Internet Environment

The Advanced Encryption Standard (AES)

Hardware Implementation of AES Encryption and Decryption System Based on FPGA

IJESRT. [Padama, 2(5): May, 2013] ISSN:

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Password-based encryption in ZIP files

Implementation of Full -Parallelism AES Encryption and Decryption

HASH CODE BASED SECURITY IN CLOUD COMPUTING

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Security Evaluation of the SPECTR-128. Block Cipher

Symmetric Key cryptosystem

Network Security - ISA 656 Introduction to Cryptography

Authentication requirement Authentication function MAC Hash function Security of

Efficient Software Implementation of AES on 32-bit Platforms

AES-COPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Algebraic Attacks on Stream Ciphers with Linear Feedback

The 128-bit Blockcipher CLEFIA Design Rationale

CS 758: Cryptography / Network Security

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay

Message Authentication

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

Vulnerabilities in WEP Christopher Hoffman Cryptography

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.

Overview of Symmetric Encryption

A low-cost Alternative for OAEP

SD12 REPLACES: N19780

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Network Security: Cryptography CS/SS G513 S.K. Sahay

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Multi-Layered Cryptographic Processor for Network Security

AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES

QUADRATIC EQUATIONS EXPECTED BACKGROUND KNOWLEDGE

IronKey Data Encryption Methods

Fault attack on the DVB Common Scrambling Algorithm

AES Cipher Modes with EFM32

SECURE AND EFFICIENT PRIVACY-PRESERVING PUBLIC AUDITING SCHEME FOR CLOUD STORAGE

FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION

Linux Access Point and IPSec Bridge

Transcription:

A New 128-it Key Stream Cipher LEX Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenerg 10, B 3001 Heverlee, Belgium http://www.esat.kuleuven.ac.e/~airyuko/ Astract. A proposal for a simple AES-ased stream cipher which is at least 2.5 times faster than AES oth in software and in hardware. 1 Introduction In this paper we suggest a simple notion of a leak extraction from a lock cipher. The idea is to extract parts of the internal state at certain rounds and give them as the output key stream (possily after passing an additional filter function). This idea applies to any lock cipher ut a careful study y cryptanalyst is required in each particular case in order to decide which parts of the internal state may e given as output and at what frequency. This mainly depends on the strength of the cipher s round function and on the strength of the cipher s key-schedule. For example, ciphers with good diffusion might allow to output larger parts of the internal state at each round than ciphers with weak diffusion. 2 Description of LEX In this section we descrie a 128-it key stream cipher LEX (which stands for Leak EXtraction, and is pronounced leks ). The design is simple and is using AES in a natural way: at each AES round output certain four ytes from the intermediate variale. The AES with all three different key lengths (128, 192, 256) can e used. The difference with AES is that the attacker never sees the full 128-it ciphertext ut only portions of the intermediate state. Similar principle can e applied to any other lock-cipher. In Fig. 1 we show how the cipher is initialized and chained. First a standard AES key-schedule for some secret 128-it key K is performed. Then a given 128-it IV is encrypted y a single AES invocation: S = AES K (IV ). The 128- it result S together with the secret key K constitute a 256-it secret state of the stream cipher. 1 S is changed y a round function of AES every round and K is kept unchanged (or in a more secure variant is changing every 500 AES encryptions). The most crucial part of this design is the exact locations of the four ytes of the internal state that are given as output as well as the frequency of outputs 1 In fact the K part is expanded y the key-schedule into ten 128-it sukeys.

128 it 128 it 128 it 128 it K K K K IV 128 it AES AES AES AES 320 it 320 it 320 it Output stream Fig. 1. Initialization and stream generation. (every round, every second round, etc.). So far we suggest to use the ytes, 2,0, 0,2, 2,2 at every odd round and the ytes 0,1, 2,1, 0,3, 2,3 at every even round. We note that the order of ytes is not relevant for security ut is relevant for fast software implementation. The order of ytes as given aove allows to extract a 32-it value from two 32-it row variales t 0, t 2 in just four steps (that can e pipelined): out32 = ((t 0 &0xFF00FF) << 8) (t 2 &0xFF00FF), while each round of AES uses aout 40 steps. Here t i is a row of four ytes: t i = ( i,0, i,1, i,2, i,3 ). So far we do not propose to use any filter function and output the ytes as they are. The choice of the output yte locations (see also 1,0 0,1 0,2 0,3 1,1 1,3 2,0 2,1 2,2 2,3 3,0 3,1 3,2 3,3 1,0 2,0 2,2 0,1 0,2 0,3 1,1 1,3 2,1 2,3 3,0 3,1 3,2 3,3 Odd rounds 1,0 0,1 0,2 0,3 1,1 1,3 2,0 2,1 2,2 2,3 3,0 3,1 3,2 3,3 Even rounds Fig.2. The positions of the leak in the even and in the odd rounds. Fig. 2) is motivated y the following: oth sets constitute an invariant suset of

the ShiftRows operation (the first row is not shifted and the third is rotated y two ytes). By alternating the two susets in even and odd rounds we ensure that the attacker does not see input and output ytes that are related y a single SuBytes and a single MixColumn. This choice ensures that the attacker will have to analyze two consecutive rounds. The two rounds of AES have full diffusion thus limiting divide-and-conquer capailities of the attacker. The speed of this cipher is exactly 2.5 times faster than AES up to a cost of extraction of four ytes at each round. 3 Analysis of LEX In this section we analyze resistance of LEX to various attacks. 3.1 Period of the Output Sequence The way we use AES is essentially an Output Feedack Mode (OFB), in which instead of using the ciphertexts as a key-stream we use the leaks from the intermediate rounds as a key-stream. The output stream will eventually cycle when we traverse the full cycle of the AES-generated permutation. If one assumes that AES is indistinguishale from a random permutation for any fixed key, one would expect the cycle size to e of the order O(2 128 ) since the proaility of falling into one of the short cycles is negligile 2. If the output stream is produced y following a cycle of a random permutation it is easily distinguished from random after oserving asence of 128-it collisions in a stream of 2 64 outputs. In our case since we output only part of the state at each round, the mapping from internal state to the output is not 1-1 and thus such collisions would occur. 3.2 Tradeoff Attacks For a stream cipher to e secure against time-memory and time-memory-data tradeoff attacks [1, 5, 2] the following conditions are necessary: K = IV = State /2. This ensures that the est tradeoff attack has complexity roughly the same as the exhaustive key-search. The IV s may e pulic, ut it is very important that full-entropy IV s are used to avoid tradeoff-resynchronization attacks [6]. In the case of LEX K = IV = Block = 128 its, where Block denotes an intermediate state of the plaintext lock during the encryption. Internal state is the pair (IV, K) at the start and (Block, Key) during the stream generation, and thus K + IV = K + S = 256 its which is enough to avoid the tradeoff attacks. Note that if one uses LEX construction with larger key variants of AES this might e a prolem. For example for 192-it key AES the state would consist of 128-it internal variale and the 192-it key. This would 2 A random permutation over n-it integers typically consists of only aout n cycles, the largest of them spanning aout 62% of the space.

allow to apply a time-memory-data tradeoff attack with roughly 2 160 stream, memory and time. Such attack is asolutely impractical ut may e viewed as a certificational weakness. 3.3 Algeraic Attacks Algeraic attacks on stream ciphers [4] are a recent and a very powerful type of attack. Applicaility of these to LEX is to e carefully investigated. If one could write a non-linear equation in terms of the outputs and the key that could lead to an attack. Re-keying every 500 AES encryptions may help to avoid such attacks y limiting the numer of samples the attacker might otain while targeting a specific sukey. We expect that after the re-keying the system of nonlinear equations collected y the attacker would ecome osolete. Shifting from AES key-schedule to a more roust one might e another precaution against these attacks. Note also that unlike in LFSR-ased stream ciphers we expect that there do not exist simple relations that connect internal variales at distances of 10 or more steps. Such relations if they would exist would e useful in cryptanalysis of AES itself. 3.4 Differential, Linear or Multiset Resynchronization Attacks If mixing of IV and the key is weak the cipher might e prone to chosen or known IV attacks similar to the chosen plaintext attacks on the lock-ciphers. However in our case this mixing is performed via a single AES encryption. Since AES is designed to withstand such differential, linear or multiset attacks we elieve that such attacks pose no prolem for our scheme either. Slide-resynchronization attacks [3] should also not e a prolem due to different round constants in the key-schedule which reak the self-similarity of the AES. 3.5 Potential Weakness AES Key-schedule There is a simple way to overcome weaknesses in AES key-schedule (which is almost linear) and which might e crucial for our construction. The idea might e to use ten consecutive encryptions of the IV as sukeys, prior to starting the encryption. This method will however loose in key agility, since key-schedule time will e 11 AES encryptions instead of one. If etter key-agility is required a faster dedicated key-schedule may e designed. If ulk encryption is required then it might e advisale to replace static key y slowly time-varying key. One possiility would e to perform additional 10 AES encryptions every 500 AES encryptions and to use the 10 results as sukeys. This method quite efficient in software might not e suitale for small hardware (Profile 2) due to the requirement to store 1280 its (160 ytes) of the sukeys. The overhead of such key-change is only 2% slowdown, while it might stop potential attacks which require more than 500 samples gathered for a specific sukey. This method quite efficient in software might not e suitale for

small hardware (Profile 2) due to the requirement to store 1280 its (160 ytes) of the sukeys. An alternative more gate-efficient solution would e to perform single AES encryption every 100 steps without revealing the intermediate values and use the result as a new 128-it key. Then use the keyschedule of AES to generate the sukeys. Note, that previously y iterating AES with the same key we explored a single cycle of AES, which was likely to e of length O(2 128 ) due to the cipher eing a permutation of 2 128 values. However y doing intermediate key-changes we are now in a random mapping scenario. Since state size of our random mapping is 256 its (key + internal state), one would expect to get into a short cycle in aout O(2 128 ) steps, which is the same as in the previous case and poses no security prolem. 3.6 No Weak Keys Since there are no weak keys known for the underlying AES cipher we elieve that weak keys pose no prolem for this design either. This is especially important since we suggest frequent rekeying to make the design more roust against other cryptanalytic attacks. 3.7 Dedicated Attacks An ovious line of attack would e to concentrate on every 10th round, since it reuses the same sukey, and thus if the attacker guesses parts of this sukey he still can reuse this information 10t, t = 1, 2,... rounds later. Note however that unlike in LFSR or LFSM ased stream ciphers the other parts of the intermediate state have hopelessly changed in a complex non-linear manner and any guesses spent for those are wasted (unless there is some weakness in a full 10-round AES). 4 Implementation We elieve that LEX would e ale to run aout 2.5 times faster than AES in oth hardware and software. Since LEX could reuse existing AES implementations it might provide a simple and cheap speedup option in addition to the already existing ase AES encryption. For example, if one uses a fast software AES implementation which runs at 14-15 clocks per yte we may expect LEX to e running at aout 5-6 clocks per yte. The same leak extraction principle naturally applies to 192 and 256-it AES resulting in LEX-192 and LEX-256. LEX-192 should e 3 times faster than AES-192, and LEX-256 is 3.5 times faster than AES-256. Note that unlike in AES the speed penalty for using larger key versions is much smaller in LEX (a slight slowdown for a longer keyschedule, i.e. resynchronization ut not for the stream generation).

5 Strong Points of the Design Here we list some enefits of using this design: AES hardware/software implementations can e reused with few simple modifications. The implementors may use all their favorite AES implementation tricks. The cipher is at least 2.5 times faster than AES. In order to get an idea of the speed of LEX divide performance figures of AES y a factor 2.5. The speed of key and IV setup is equal to the speed of AES keyschedule followed y a single AES encryption. In hardware the area and gate count figures are essentially those of the AES. Unlike in the AES the key-setup for encryption and decryption in LEX are the same. The cipher may e used as a speedup alternative to the existing AES implementation and with only minor changes to the existing software or hardware. Security analysis enefits from existing literature on AES. The speed/cost ratio of the design is even etter than for the AES and thus it makes this design attractive for oth fast software and fast hardware implementations (Profile 1). The design will also perform reasonaly well in restricted resource environments (Profile 2). Since this design comes with explicit specification of IV size and resynchronization mechanism it is secure against time-memory-data tradeoff attacks. This is not the case for the AES in ECB mode or for the AES with IV s shorter than 128-its. Side-channel attack countermeasures developed for the AES will e useful for this design as well. 6 Summary In this paper we have descried efficient extensions of AES into the world of stream ciphers. We expect that (if no serious weaknesses of this approach would e found) it may provide a very useful speed up option to the existing ase implementations of AES. We hope that there are no attacks on this design faster than O(2 128 ) steps. The design is rather old and of course requires further study. However so far there are no weaknesses known to the designers as well as there are no hidden weaknesses inserted y the designers. 7 Acknowledgement This paper is a result of several inspiring discussions with Adi Shamir. We would also like to thank Christophe De Cannière, Joseph Lano, Ingrid Verauwhede and other cosix for the exchange of views on the stream cipher design.

References [1] S. Baage, Improved exhaustive search attacks on stream ciphers, in ECOS 95 (European Convention on Security and Detection), no. 408 in IEE Conference Pulication, May 1995. [2] A. Biryukov and A. Shamir, Cryptanalytic time/memory/data tradeoffs for stream ciphers, in Proceedings of Asiacrypt 00 (T. Okamoto, ed.), no. 1976 in Lecture Notes in Computer Science, pp. 1 13, Springer-Verlag, 2000. [3] A. Biryukov and D. Wagner, Slide attacks, in Proceedings of Fast Software Encryption FSE 99 (L. R. Knudsen, ed.), no. 1636 in Lecture Notes in Computer Science, pp. 245 259, Springer-Verlag, 1999. [4] N. T. Courtois and W. Meier, Algeraic attacks on stream ciphers with linear feedack, in Advances in Cryptology EUROCRYPT 2003 (E. Biham, ed.), Lecture Notes in Computer Science, pp. 345 359, Springer-Verlag, 2003. [5] J. D. Golic, Cryptanalysis of alleged A5 stream cipher, in Advances in Cryptology EUROCRYPT 97 (W. Fumy, ed.), vol. 1233 of Lecture Notes in Computer Science, pp. 239 255, Springer-Verlag, 1997. [6] J. Hong and P. Sarkar, Rediscovery of time memory tradeoffs, 2005. http: //eprint.iacr.org/2005/090.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information