Py SPP attack Improving on the attack

Improved Cryptanalysis of Py

Paul Crowley

LShift Ltd

State of the Art in Stream Ciphers 2006

Py SPP attack Improving on the attack

Py

� eSTREAM entrant by Eli Biham and Jennifer Seberry� Fast in software (2.6 cycles/byte on some platforms)� SPP attack: 288 bytes of output� Our attack: 272 bytes

Py SPP attack Improving on the attack

Output

P

O1

O2

Py SPP attack Improving on the attack

Update

P

P

Py SPP attack Improving on the attack

SPP attack

� Gautham Sekar, Souradyuti Paul, Bart Preneel� Defines event L with Pr[L] � 2�41:91� When L occurs, two output bits are the same

Py SPP attack Improving on the attack

Event L (1)

S

S

P

Py SPP attack Improving on the attack

Event L (2)

S

A

A

A

B

B

B

O1;1

O2;3

Py SPP attack Improving on the attack

Result of event L

SA B

O1;1 O2;3

Py SPP attack Improving on the attack

Improving on the attack

� Use all bits of O1;1;O2;3� Group output by column bitwise� Find exact probability Pr[O1;1;O2;3 = o1;1;o2;3jL]� Apply optimal distinguisher

Py SPP attack Improving on the attack

Addition

[c]0[c]1[c]2[c]3

[X ]0 [Y ]0

[X + Y ]0

[X ]1 [Y ]1

[X + Y ]1

[X ]2 [Y ]2

[X + Y ]2

[X ]3 [Y ]3

[X + Y ]3

Py SPP attack Improving on the attack

Carry propagation

[S]i[A]i [B]i

[O1;1]i [O2;3]i

[c1]i[c3]i

[c1]i+1[c3]i+1

Py SPP attack Improving on the attack

Carry propagation

[S]i[A]i [B]i

[O1;1]i [O2;3]i

[c1]i[c3]i

[c1]i+1[c3]i+1

Py SPP attack Improving on the attack

Hidden Markov model

0;00;01;01;0

11

00

10

12

18

18

Py SPP attack Improving on the attack

Hidden Markov model

0;00;01;01;0

11

00

10

12

18

18

Py SPP attack Improving on the attack

The forward algorithm

Pr�

1 0 10 0 1

� = 11�4M1;0M0;0M1;1�0

where 11�4 = � 1 1 1 1 � and �0 =0BB@

1000

1CCA

Py SPP attack Improving on the attack

Optimal distinguisher

� Thomas Baignères, Pascal Junod, Serge Vaudenay� Optimal distinguisher chooses the distribution which hasthe highest probability of producing the observed output

Py SPP attack Improving on the attack

Optimal distinguisher

s0 s1 s2

Py SPP attack Improving on the attack

Optimal distinguisher

s0 s1 s2

jZj�1 jZj�1 jZj�1

Py SPP attack Improving on the attack

Optimal distinguisher

s0 s1 s2

jZj�1 jZj�1 jZj�1jZj�3

Py SPP attack Improving on the attack

Optimal distinguisher

s0 s1 s2

jZj�1 jZj�1 jZj�1jZj�3

Pr[s0jL] Pr[s1jL] Pr[s2jL]

Py SPP attack Improving on the attack

Optimal distinguisher

s0 s1 s2

jZj�1 jZj�1 jZj�1jZj�3

Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1

Py SPP attack Improving on the attack

Optimal distinguisher

s0 s1 s2

jZj�1 jZj�1 jZj�1jZj�3

Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1

Pr[s0] Pr[s1] Pr[s2]

Py SPP attack Improving on the attack

Optimal distinguisher

s0 s1 s2

jZj�1 jZj�1 jZj�1jZj�3

Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1

Pr[s0] Pr[s1] Pr[s2]Pr[s0 ^ s1 ^ s2]

Py SPP attack Improving on the attack

Efficacy of optimal distinguisher

� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2

� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples

Py SPP attack Improving on the attack

Efficacy of optimal distinguisher

� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples

� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples

Py SPP attack Improving on the attack

Efficacy of optimal distinguisher

� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�

� SPP attack: � = Pr[L]2 so around 285 samples

Py SPP attack Improving on the attack

Efficacy of optimal distinguisher

� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Xz2Z Pr[zjL]

2

= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4

Mi 2 fM0;0;M0;1;M1;0;M1;1g

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Xz2Z Pr[zjL]

2

= X (11�4M31M30 : : :M0�0)2

= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4

Mi 2 fM0;0;M0;1;M1;0;M1;1g

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Xz2Z Pr[zjL]

2

= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T

= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4

Mi 2 fM0;0;M0;1;M1;0;M1;1g

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Xz2Z Pr[zjL]

2

= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�

= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4

Mi 2 fM0;0;M0;1;M1;0;M1;1g

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Xz2Z Pr[zjL]

2

= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4

Mi 2 fM0;0;M0;1;M1;0;M1;1g

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1

H0 = �0�T0Hi+1 = X

M2fM0;0;M0;1;M1;0;M1;1gMHiMT

� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0

Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM

T

� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0

Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM

T

� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0

Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM

T

� = Pr[L]2 �264 �11�4H321T1�4�� 1�

� 60552 Pr[L]2

Py SPP attack Improving on the attack

Efficacy of our distinguisher

Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0

Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM

T

� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2

Py SPP attack Improving on the attack

Conclusions

� We can efficiently calculate the efficacy of HMM-baseddistinguishers� Distinguisher advantage is 0.53 given 264 bytes from 28key/IV pairs� Advantage is 0.03 given a single 264-byte stream� Can this be improved still further?

http://www.ciphergoth.org/crypto/py

PySPP attackImproving on the attack