Cryptanalysis of the Stream Cipher DECIM - PowerPoint PPT Presentation

About This Presentation
Title:

Cryptanalysis of the Stream Cipher DECIM

Description:

Cryptanalysis of the Stream Cipher DECIM. Hongjun Wu and Bart Preneel ... (similar to the self-shrinking generator, 25% more efficient) 2. Buffer for constant ... – PowerPoint PPT presentation

Number of Views:143
Avg rating:3.0/5.0
Slides: 20
Provided by: hj84
Learn more at: https://www.iacr.org
Category:

less

Transcript and Presenter's Notes

Title: Cryptanalysis of the Stream Cipher DECIM


1
Cryptanalysis of the Stream Cipher DECIM
  • Hongjun Wu and Bart Preneel
  • Katholieke Universiteit Leuven ESAT/COSIC

2
Overview
  • 1. Introduction to DECIM
  • 2. Key Recovery Attack (on Initialization)
  • 3. Distinguishing Attack
  • 4. Conclusion

3
Description of DECIM (1)
  • submission to the eStream
  • 80-bit key, 64 or 80-bit IV
  • hardware efficient stream cipher (profile II)
  • Main features
  • 1. ABSG decimation algorithm
  • (similar to the self-shrinking generator,
    25 more efficient)
  • 2. Buffer for constant output rate

4
Description of DECIM (2)
  • Keystream generation

5
Description of DECIM (3)
  • DECIM consists of
  • 192-bit regularly clocked LFSR (14 taps)
  • two filtering functions (different tap
    positions)
  • ABSG decimation
  • split the sequence into the form
  • if i 0,output the bit b
    otherwise, output the inverse of b
  • 32-bit Buffer
  • for every 4/3 input bits, only one
    output bit

6
Description of DECIM (4)
  • Key/IV setup
  • 192 steps
  • each step -- the non-linear feedback
  • a permutation on 7
    LFSR bits

7
Key Recovery Attack (1)
  • Overview of the Attack
  • The permutations are used to update the
    LFSR
  • gt 54.5 bits in the LFSR are not updated
    during
  • the key/IV setup
  • gt key recovered with 220 random IVs,
  • the first 2 keystream bytes,
  • negligible computations

8
Key Recovery Attack (2)
  • Two permutations operate on 7 elements
  • (st5, st31,st59,st100,st144,st177,s
    t186)
  • If the output of ABSG is 1, the first permutation
  • is used otherwise, the second is used

9
Key Recovery Attack (3)
  • Using permutation to update FSR is bad
  • If no permutation, then every bit in the
    FSR
  • is updated once every 192 steps
  • But with the permutation on the FSR, the
    bit
  • positions are changed, some bits would be
    updated
  • more than once while some bits not
    updated!
  • gt no matter how to design the permutation
  • the updating would not be uniform for
    all the bits

10
Key Recovery Attack (4)
  • The key-dependent selection of permutations does
    not
  • hide the intrinsic weakness of the permutation
  • gtin average 54.5 bits in the LFSR are not
    updated

11
Key Recovery Attack (5)
  • To recover the key, we need to trace each key bit
    to see
  • how that key bit is updated during those 192
    steps
  • in the initialization
  • gt very tedious
  • use computer program to trace those key
    bits

12
Key Recovery Attack (6)
  • One example recovering K21
  • s21 K21 \/ IV21
  • s21 is not updated and it becomes s1926 with
    prob 1/27
  • s1926 used in the generation of the first
    keystream bit z0
  • if s1926 is 0, then z00 with prob. 56/128
  • if s1926 is 1, then z00 with prob. 72/128
  • if K21 1, the distribution of z0 independent of
    IV21
  • if K21 0, the distribution of z0 affected by
    IV21
  • gt Being used to identify K21 with about 218.5
    random IVs

13
Distinguishing Attack (1)
  • Overview of the Attack
  • The filtering functions are not 1-resilient
  • ABSG could not hide the non-randomness
  • gt any two adjacent bits are equal with
    0.52-9
  • message being recovered if encrypted
    218 times

14
Distinguishing Attack (2)
  • Bias from the filtering function
  • If two inputs share one common bit, the two
    outputs bits
  • are equal with prob. 65/128

15
Distinguishing Attack (3)
  • Bias passing through the ABSG decimation and
    buffer
  • Deal with the bits with relations not affected
    significantly by
  • the ABSG decimation algorithm
  • i.e., the bits with small distance
  • For these three pairs of bits, passing through
    the ABSG
  • decimation and buffer does not reduce the bias
    too much
  • (about 8 to 32 times)
  • But the analysis is too complicated (details
    ignored here)

16
Distinguishing Attack (4)
  • Any two adjacent keystream bits are equal with
  • probability 0.52-9
  • The bias is large enough for the broadcast attack
  • If a message if encrypted by DECIM for 218 times,
    then
  • the message could be recovered

17
DECIM v2
  • Initialization
  • Permutation removed
  • 768 steps
  • Keystream generation
  • one LFSR one filtering function ABSG
    buffer
  • 1-resillient filtering function
  • Greatly simplified comparing to the original
    version

18
Conclusion
  • Using permutation to update FSR is undesirable
  • Try to design Boolean function conservatively
  • (high resilience, .)

19
  • Thank you!
  • Q A
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Cryptanalysis of the Stream Cipher DECIM" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!