state of the art in stream ciphers 2006state of the art in stream ciphers 2006 py spp attack...
TRANSCRIPT
-
Py SPP attack Improving on the attack
Improved Cryptanalysis of Py
Paul Crowley
LShift Ltd
State of the Art in Stream Ciphers 2006
-
Py SPP attack Improving on the attack
Py
� eSTREAM entrant by Eli Biham and Jennifer Seberry� Fast in software (2.6 cycles/byte on some platforms)� SPP attack: 288 bytes of output� Our attack: 272 bytes
-
Py SPP attack Improving on the attack
Output
P
O1
O2
-
Py SPP attack Improving on the attack
Update
P
P
-
Py SPP attack Improving on the attack
SPP attack
� Gautham Sekar, Souradyuti Paul, Bart Preneel� Defines event L with Pr[L] � 2�41:91� When L occurs, two output bits are the same
-
Py SPP attack Improving on the attack
Event L (1)
S
S
P
-
Py SPP attack Improving on the attack
Event L (2)
S
A
A
A
B
B
B
O1;1
O2;3
-
Py SPP attack Improving on the attack
Result of event L
SA B
O1;1 O2;3
-
Py SPP attack Improving on the attack
Improving on the attack
� Use all bits of O1;1;O2;3� Group output by column bitwise� Find exact probability Pr[O1;1;O2;3 = o1;1;o2;3jL]� Apply optimal distinguisher
-
Py SPP attack Improving on the attack
Addition
[c]0[c]1[c]2[c]3
[X ]0 [Y ]0
[X + Y ]0
[X ]1 [Y ]1
[X + Y ]1
[X ]2 [Y ]2
[X + Y ]2
[X ]3 [Y ]3
[X + Y ]3
-
Py SPP attack Improving on the attack
Carry propagation
[S]i[A]i [B]i
[O1;1]i [O2;3]i
[c1]i[c3]i
[c1]i+1[c3]i+1
-
Py SPP attack Improving on the attack
Carry propagation
[S]i[A]i [B]i
[O1;1]i [O2;3]i
[c1]i[c3]i
[c1]i+1[c3]i+1
-
Py SPP attack Improving on the attack
Hidden Markov model
0;00;01;01;0
11
00
10
12
18
18
-
Py SPP attack Improving on the attack
Hidden Markov model
0;00;01;01;0
11
00
10
12
18
18
-
Py SPP attack Improving on the attack
The forward algorithm
Pr�
1 0 10 0 1
� = 11�4M1;0M0;0M1;1�0
where 11�4 = � 1 1 1 1 � and �0 =0BB@
1000
1CCA
-
Py SPP attack Improving on the attack
Optimal distinguisher
� Thomas Baignères, Pascal Junod, Serge Vaudenay� Optimal distinguisher chooses the distribution which hasthe highest probability of producing the observed output
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
Pr[s0jL] Pr[s1jL] Pr[s2jL]
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1
Pr[s0] Pr[s1] Pr[s2]
-
Py SPP attack Improving on the attack
Optimal distinguisher
s0 s1 s2
jZj�1 jZj�1 jZj�1jZj�3
Pr[s0jL] Pr[s1jL] Pr[s2jL]jZj�1 jZj�1 jZj�1
Pr[s0] Pr[s1] Pr[s2]Pr[s0 ^ s1 ^ s2]
-
Py SPP attack Improving on the attack
Efficacy of optimal distinguisher
� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2
� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples
-
Py SPP attack Improving on the attack
Efficacy of optimal distinguisher
� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples
� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples
-
Py SPP attack Improving on the attack
Efficacy of optimal distinguisher
� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�
� SPP attack: � = Pr[L]2 so around 285 samples
-
Py SPP attack Improving on the attack
Efficacy of optimal distinguisher
� Where distribution is “close” to uniform random, efficacy� = jZjPz2Z �Pr[z]� 1jZj�2� Need around 2� samples� Both distinguishers: � = Pr[L]2 �jZj �Pz2Z Pr[zjL]2�� 1�� SPP attack: � = Pr[L]2 so around 285 samples
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2
= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T
= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�
= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Xz2Z Pr[zjL]
2
= X (11�4M31M30 : : :M0�0)2= X (11�4M31M30 : : :M0�0) (11�4M31M30 : : :M0�0)T= X�11�4M31M30 : : :M0�0�T0 MT0 : : :MT30MT311T1�4�= 11�4X�M31M30 : : :M0�0�T0 MT0 : : :MT30MT31�1T1�4
Mi 2 fM0;0;M0;1;M1;0;M1;1g
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1
H0 = �0�T0Hi+1 = X
M2fM0;0;M0;1;M1;0;M1;1gMHiMT
� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0
Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM
T
� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0
Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM
T
� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0
Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM
T
� = Pr[L]2 �264 �11�4H321T1�4�� 1�
� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Efficacy of our distinguisher
Hi = XMi�1Mi�2 : : :M1M0�0�T0 MT0 MT1 : : :MTi�2MTi�1H0 = �0�T0
Hi+1 = XM2fM0;0;M0;1;M1;0;M1;1gMHiM
T
� = Pr[L]2 �264 �11�4H321T1�4�� 1�� 60552 Pr[L]2
-
Py SPP attack Improving on the attack
Conclusions
� We can efficiently calculate the efficacy of HMM-baseddistinguishers� Distinguisher advantage is 0.53 given 264 bytes from 28key/IV pairs� Advantage is 0.03 given a single 264-byte stream� Can this be improved still further?
http://www.ciphergoth.org/crypto/py
PySPP attackImproving on the attack