1
Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks
Dec. 11, 2008
  • Jung-Keun Lee, Dong Hoon Lee, and Sangwoo Park
  • ETRI

2
Outline
  1. Introduction
  2. Linear Approximations
  3. Correlation Attack
  4. Simulations
  5. SNOW 2.0
3
1. Introduction
4
Sosemanuk (1/4)
  • Selected in the eSTREAM Portfolio, Profile 1 (Apr. 2008)
  • Considerable security margin
  • Reasonable security/performance tradeoff
  • Claimed security: 128-bit security level
  • Previous analysis: T. Tsunoo et al. (2006)
    • Guess-and-determine attack: complexity $2^{224}$
    • TMD tradeoff: precomputation $2^{192}$, time $2^{192}$, memory $2^{200}$ bits, data $2^{200}$ bits
5
Sosemanuk (2/4)
  • New attack: a correlation attack recovering the initial internal state
  • Complexity $< 2^{150}$
    • Time $2^{147.12}$
    • Memory $2^{147.00}$ bits
    • Data $2^{145.00}$ bits
  • With a precomputation of complexity a little more than $2^{150}$, the time complexity can be reduced.
6
Sosemanuk (3/4)
  • Input
    • Key: 128–256 bits
    • IV: 128 bits
  • Structure: internal state of 384 bits
    • LFSR: 10 words
    • FSM (finite state machine): 2 words
  • LFSR update
    • $s_{t+10} = s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t$
  • FSM update
    • $R1_t = R2_{t-1} + (s_{t+1} \oplus \mathrm{lsb}(R1_{t-1})\, s_{t+8})$
    • $R2_t = \mathrm{Trans}(R1_{t-1}) = (M \times R1_{t-1}) \lll 7$, $M = \texttt{0x54655307}$
  • FSM output
    • $f_t = (s_{t+9} + R1_t) \oplus R2_t$
  • Keystream output: 128 bits per 4 LFSR clockings
    • $(z_t, z_{t+1}, z_{t+2}, z_{t+3}) = S2(f_t, f_{t+1}, f_{t+2}, f_{t+3}) \oplus (s_t, s_{t+1}, s_{t+2}, s_{t+3})$, $t \equiv 1 \pmod 4$
    • Serpent S-box S2 applied in bitslice mode
7
Sosemanuk (4/4)
8
Outline of the Attack
  • Correlation attack: a divide-and-conquer attack recovering the initial LFSR state using linear approximations relating LFSR states and keystream bits
  • Attack algorithm
    • Step 1
      • Get linear approximation relations between the LFSR state and keystream bits using linear masks [Nyberg–Wallén, FSE 2006]
      • Get linear approximation relations between the initial LFSR state and keystream bits using the linear recurrence relations
    • Step 2
      • Recover the initial LFSR state by solving the approximation relations, using the fast Walsh transform [Berbain et al., FSE 2006]
10
2. Linear Approximations
11
Preliminaries
  • Linear mask
    • An $n$-bit linear mask $\Lambda = (u_{n-1}, \ldots, u_0)$ operates on $n$-bit vectors by the inner product $\Lambda \cdot x$
  • Correlation of a linear approximation
    • For $F : \mathbb{F}_2^{n_1} \times \cdots \times \mathbb{F}_2^{n_k} \to \mathbb{F}_2^{n}$ and linear masks $\Gamma_0, \Gamma_1, \ldots, \Gamma_k$:
      $c_F(\Gamma_0; \Gamma_1, \ldots, \Gamma_k) = 2\,\mathrm{Prob}(\Gamma_0 \cdot y = \Gamma_1 \cdot x_1 \oplus \cdots \oplus \Gamma_k \cdot x_k \mid y = F(x_1, \ldots, x_k)) - 1$, or equivalently $\mathrm{Prob} = (1 + c)/2$
    • e.g. $c_+(\Gamma_0; \Gamma_1, \Gamma_2) = 2\,\mathrm{Prob}(\Gamma_0 \cdot y = \Gamma_1 \cdot x_1 \oplus \Gamma_2 \cdot x_2 \mid y = x_1 + x_2) - 1$
    • bias = correlation/2
  • Piling-up lemma
    • The correlation of the XOR of two independent linear approximations is the product of their correlations.
  • Correlation regarding modular addition [Nyberg–Wallén, FSE 2006]
    • For positive integers $n, k$ and $n$-bit masks $\Gamma, \Lambda_1, \ldots, \Lambda_k$, $c_+(\Gamma; \Lambda_1, \ldots, \Lambda_k)$ can be computed as a product of $n$ matrices of size $(k+1) \times (k+1)$, where $+$ is the addition mod $2^n$ of $k$ $n$-bit integers.
    • In case $k = 2$, it can be computed using a finite automaton.
12
Linear Approximations (1/6)
  • Try to eliminate all terms except those involving LFSR states and keystream bits only
    (notation: $a_t = \mathrm{lsb}(R1_t)$, $M = \texttt{0x54655307}$, $T = \mathrm{Trans}$)
  • Yet to eliminate: $\Gamma \cdot f_t \oplus \Gamma \cdot f_{t+1}$
13
Linear Approximations (2/6)
  • Keystream output function: 128 bits output per 4 LFSR clockings
    • $(z_t, z_{t+1}, z_{t+2}, z_{t+3}) = S2(f_t, f_{t+1}, f_{t+2}, f_{t+3}) \oplus (s_t, s_{t+1}, s_{t+2}, s_{t+3})$, $t \equiv 1 \pmod 4$
  • Approximation of S2 of the form $x^{(i)} \oplus x^{(i+1)} \oplus (\text{terms involving only } y) = 0$
    • $x^{(0)} \oplus x^{(1)} \oplus y^{(0)} \oplus y^{(3)} = 0$ (correlation $1/2$)
  • Linear approximation of the output function
    • $(z_t \oplus s_t \oplus z_{t+3} \oplus s_{t+3} \oplus f_t \oplus f_{t+1})_j = 0$, correlation $1/2$
    • $\Gamma \cdot (z_t \oplus s_t \oplus z_{t+3} \oplus s_{t+3} \oplus f_t \oplus f_{t+1}) = 0$, correlation $(1/2)^{\mathrm{wt}(\Gamma)}$ for any $\Gamma$
  • Linear approximation regarding LFSR state and keystream
    • $\Gamma \cdot s_{t+10} \oplus \Gamma \cdot s_{t+3} \oplus \Gamma \cdot s_{t+2} \oplus \Gamma \cdot s_t \oplus \Gamma \cdot z_t \oplus \Gamma \cdot z_{t+3} = 0$ ($t \equiv 1 \pmod 4$)
    • correlation $(1/2)^{\mathrm{wt}(\Gamma)+1}\, c_+(\Gamma; \Gamma, \Gamma)^3\, c_T(\Gamma; \Gamma)$ assuming independence
    • But the approximations are highly dependent, so this estimate is very different from the actual correlation
    • Need to be much more precise!!!
14
Linear Approximations (3/6)
  • Need to use linear approximations without obvious dependencies
  • Need to check the validity of the estimation
15
Linear Approximations (4/6)
  • Correlation of a composite function [Nyberg, Correlation Theorem]
    • The correlation of $\Gamma_1 \cdot y = \Gamma_2 \cdot x_1 \oplus \Gamma_3 \cdot x_2$ under $y = x_1 + F(x_2)$ is $\sum_{\Phi} c_+(\Gamma_1; \Gamma_2, \Phi)\, c_F(\Phi; \Gamma_3)$
16
Linear Approximations (5/6)
  • Linear approximation involving LFSR states and keystream bits
    • $\Gamma \cdot s_{t+10} \oplus \Gamma \cdot s_{t+3} \oplus \Gamma \cdot s_{t+2} \oplus \Gamma \cdot s_t \oplus \Gamma \cdot z_t \oplus \Gamma \cdot z_{t+3} = 0$ ($t \equiv 1 \pmod 4$)
    • predicted correlation $C(\Gamma) = (1/2)^{\mathrm{wt}(\Gamma)+1}\, c_+(\Gamma; \Gamma, \Gamma, \Gamma)\, \left(\sum_{\Phi} c_+(\Gamma; \Gamma, \Phi)\, c_T(\Gamma; \Phi)\right)$
  • How to compute $C(\Gamma)$ for each fixed $\Gamma$
    • Compute $c_+(\Gamma; \Gamma, \Gamma, \Gamma)$ using [FSE 2006].
    • Compute $c_T(\Gamma; \Phi)$ for all $\Phi$ at once by the fast Walsh transform (FWT), with time complexity $2^{37}$ and 16 GB RAM (a naive approach would take time $2^{64}$)
    • Calculate $c_+(\Gamma; \Gamma, \Phi)$ for each $\Phi$ using a finite automaton description; $c_+(\Gamma; \Gamma, \Phi) = 0$ for most $\Phi$
  • Maximum of $C(\Gamma)$
    • Considering $\Gamma$s of small Hamming weight (most $\Gamma$ of Hamming weight 4), the maximum value of $C(\Gamma)$ found is $2^{-21.41}$, for $\Gamma = \texttt{0x03004001}$:
      $\mathrm{wt}(\Gamma) = 4$, $c_+(\Gamma; \Gamma, \Gamma, \Gamma) = 2^{-3.17}$, $\sum_{\Phi} = 2^{-13.24}$

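As an added example (not from the slides and not the authors' code), the following Python checks the correlation theorem of slide 15 numerically and computes correlations for every mask $\Phi$ with a single Walsh transform, which is how slide 16 obtains $c_T(\Gamma; \Phi)$ for all $\Phi$ at once for the 32-bit Trans. It is scaled down to 8 bits using the reduced cipher's Trans from slide 25 ($M = \texttt{0x59}$, rotation by 3) and its mask $\texttt{0x21}$; the function names are this example's own, and the exhaustive count is only there to confirm the theorem on inputs small enough to enumerate.

```python
# Added example: correlation of modular addition composed with a function,
# checked against the correlation theorem (slide 15), and all-masks-at-once
# correlations via the Walsh transform (slide 16), at 8 bits.
# Trans is the reduced cipher's (slide 25): (M * x mod 2^8) <<< 3, M = 0x59.
from typing import Callable, List

N_BITS = 8
SIZE = 1 << N_BITS
MASK = SIZE - 1
M_REDUCED = 0x59
ROT = 3


def parity(x: int) -> int:
    """Parity of the bits of x; parity(mask & value) is the GF(2) inner product."""
    return bin(x).count("1") & 1


def trans(x: int) -> int:
    """Trans of the reduced cipher: multiply by M mod 2^8, then rotate left by 3."""
    y = (M_REDUCED * x) & MASK
    return ((y << ROT) | (y >> (N_BITS - ROT))) & MASK


def fwt(values: List[int]) -> List[int]:
    """Walsh transform W(f)(u) = sum_x f(x) (-1)^{u.x}; length must be a power of two."""
    f = list(values)
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                a, b = f[j], f[j + h]
                f[j], f[j + h] = a + b, a - b
        h *= 2
    return f


def corr_func_all_output_masks(func: Callable[[int], int], in_mask: int) -> List[float]:
    """c_F(phi; in_mask) for every output mask phi from one Walsh transform:
    g(y) = sum_{x : F(x) = y} (-1)^{in_mask.x}, and W(g)(phi) / 2^n is the correlation."""
    g = [0] * SIZE
    for x in range(SIZE):
        g[func(x)] += -1 if parity(in_mask & x) else 1
    return [w / SIZE for w in fwt(g)]


def corr_func_all_input_masks(func: Callable[[int], int], out_mask: int) -> List[float]:
    """c_F(out_mask; phi) for every input mask phi (slide 16's c_T(Gamma; Phi) for all Phi)."""
    g = [-1 if parity(out_mask & func(x)) else 1 for x in range(SIZE)]
    return [w / SIZE for w in fwt(g)]


def corr_add_all_second_masks(g1: int, g2: int) -> List[float]:
    """c_+(g1; g2, phi) for every phi, for y = x1 + x2 mod 2^n:
    h(x2) = sum_{x1} (-1)^{g1.(x1+x2) ^ g2.x1}, and W(h)(phi) / 2^{2n} is the correlation."""
    h = [0] * SIZE
    for x2 in range(SIZE):
        acc = 0
        for x1 in range(SIZE):
            acc += -1 if parity((g1 & ((x1 + x2) & MASK)) ^ (g2 & x1)) else 1
        h[x2] = acc
    return [w / (SIZE * SIZE) for w in fwt(h)]


def composite_corr_direct(g1: int, g2: int, g3: int, func: Callable[[int], int]) -> float:
    """Correlation of g1.y = g2.x1 ^ g3.x2 under y = x1 + F(x2), by exhaustive count."""
    total = 0
    for x2 in range(SIZE):
        fx = func(x2)
        for x1 in range(SIZE):
            total += -1 if parity((g1 & ((x1 + fx) & MASK)) ^ (g2 & x1) ^ (g3 & x2)) else 1
    return total / (SIZE * SIZE)


def composite_corr_theorem(g1: int, g2: int, g3: int, func: Callable[[int], int]) -> float:
    """The same correlation via slide 15: sum_phi c_+(g1; g2, phi) * c_F(phi; g3)."""
    c_add = corr_add_all_second_masks(g1, g2)
    c_f = corr_func_all_output_masks(func, g3)
    return sum(c_add[phi] * c_f[phi] for phi in range(SIZE))


def nonzero_add_masks(g1: int, g2: int) -> int:
    """How many phi have c_+(g1; g2, phi) != 0 (slide 16: zero for most phi)."""
    return sum(1 for c in corr_add_all_second_masks(g1, g2) if c != 0.0)


if __name__ == "__main__":
    gamma = 0x21  # the reduced cipher's mask from slide 25
    print("direct  :", composite_corr_direct(gamma, gamma, gamma, trans))
    print("theorem :", composite_corr_theorem(gamma, gamma, gamma, trans))
    print("nonzero c_+ terms:", nonzero_add_masks(gamma, gamma), "of", SIZE)
```

The two composite values agree exactly because the theorem is an identity, not an estimate; the saving is that the sum over $\Phi$ needs one transform of size $2^n$ per factor instead of a count over $2^{2n}$ input pairs, which is what makes the 32-bit computation of slide 16 feasible.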
17
Linear Approximations (6/6)
  • Linear approximation regarding the initial LFSR state and keystream bits
    • Define $G(\Lambda_0, \ldots, \Lambda_9) = (\Lambda_9 \alpha, \Lambda_0, \Lambda_1, \Lambda_2 \oplus \Lambda_9 \alpha^{-1}, \Lambda_3, \Lambda_4, \Lambda_5, \Lambda_6, \Lambda_7, \Lambda_8 \oplus \Lambda_9)$ for a 10-tuple of linear masks $(\Lambda_0, \ldots, \Lambda_9)$
    • Given $\Gamma_0 \cdot s_t \oplus \cdots \oplus \Gamma_9 \cdot s_{t+9} = Z_t$, $t \equiv 1 \pmod 4$, where $Z_t$ depends only on a small number of keystream bits:
    • $t = 1$: $\Gamma_0 \cdot s_1 \oplus \cdots \oplus \Gamma_9 \cdot s_{10} = Z_1$, or $(\Gamma_0, \ldots, \Gamma_9) \cdot (s_1, \ldots, s_{10}) = Z_1$
    • $t = 2$: $\Gamma_0 \cdot s_2 \oplus \cdots \oplus \Gamma_9 \cdot s_{11} = (\Gamma_9 \alpha, \Gamma_0, \Gamma_1, \Gamma_2 \oplus \Gamma_9 \alpha^{-1}, \Gamma_3, \ldots, \Gamma_7, \Gamma_8 \oplus \Gamma_9) \cdot (s_1, \ldots, s_{10}) = G(\Gamma_0, \ldots, \Gamma_9) \cdot (s_1, \ldots, s_{10})$
      (since $\Gamma_9 \cdot s_{t+10} = \Gamma_9 \cdot (s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t)$)
    • $t = 3$: $\Gamma_0 \cdot s_3 \oplus \cdots \oplus \Gamma_9 \cdot s_{12} = G^2(\Gamma_0, \ldots, \Gamma_9) \cdot (s_1, \ldots, s_{10})$
    • $t = 4$: $\Gamma_0 \cdot s_4 \oplus \cdots \oplus \Gamma_9 \cdot s_{13} = G^3(\Gamma_0, \ldots, \Gamma_9) \cdot (s_1, \ldots, s_{10})$
    • $t = 5$: $G^4(\Gamma_0, \ldots, \Gamma_9) \cdot (s_1, \ldots, s_{10}) = Z_5$
    • Get linear approximations $G^{4k}(\Gamma_0, \ldots, \Gamma_9) \cdot (s_1, \ldots, s_{10}) = Z_{4k+1}$ ($k = 0, 1, \ldots$)
  • A similar method can be applied to general word-based LFSRs.
  • The XOR of linear maskings of LFSR cells at any time can be computed efficiently in terms of the initial LFSR cells, one by one.

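To make the mask transport of slide 17 concrete, here is an added Python example (not from the slides) on the reduced cipher's 5-byte LFSR of slide 25, $s_{t+5} = s_{t+4} \oplus \beta^{-1} s_{t+3} \oplus \beta s_t$ over $GF(2^8) = GF(2)[x]/\langle x^8 + x^7 + x^5 + x^3 + 1 \rangle$. The slides do not state $\beta$, so $\beta = x$ (0x02) is an assumption of this example; the feedback description, the transpose-based `transport` helper and the function names are mine. `G` is the 5-cell analogue of the slide's $G$, built from the feedback taps so that the same code serves any word-based LFSR of this form, and `check_transport` confirms that $\bigoplus_i \Lambda_i \cdot s_{k+1+i}$ equals $G^k(\Lambda) \cdot (s_1, \ldots, s_5)$ for every clock $k$.

```python
# Added example: transporting linear masks through a word-based LFSR (slide 17),
# on the reduced cipher's 5-byte LFSR of slide 25.  beta = x (0x02) is an assumption.
import random
from typing import List, Tuple

POLY = 0x1A9          # x^8 + x^7 + x^5 + x^3 + 1, the reduced cipher's field polynomial
BETA = 0x02           # assumed value of beta (the slides do not state it)
CELLS = 5


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) = GF(2)[x]/<POLY>."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r


def gf_inv(a: int) -> int:
    """Inverse by search over the 255 nonzero elements (beta = x is invertible
    because POLY has constant term 1, whether or not POLY is irreducible)."""
    for b in range(1, 256):
        if gf_mul(a, b) == 1:
            return b
    raise ValueError("not invertible")


BETA_INV = gf_inv(BETA)

# s_{t+5} = XOR over (cell, coeff) of coeff * s_{t+cell}: cells 4, 3, 0 with 1, beta^-1, beta
FEEDBACK: List[Tuple[int, int]] = [(4, 1), (3, BETA_INV), (0, BETA)]


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def transport(mask: int, coeff: int) -> int:
    """The mask m' with m'.x = mask.(coeff * x) for all x: the transpose of
    multiplication by coeff applied to mask (the slide's 'Lambda alpha' notation).
    Bit i of m' is mask applied to coeff * e_i."""
    out = 0
    for i in range(8):
        if parity(mask & gf_mul(coeff, 1 << i)):
            out |= 1 << i
    return out


def G(masks: List[int]) -> List[int]:
    """One clock of mask transport: masks on (s_{t+1},...,s_{t+5}) -> masks on (s_t,...,s_{t+4})."""
    new = [0] * CELLS
    for i in range(CELLS - 1):
        new[i + 1] ^= masks[i]                 # Lambda_i . s_{t+1+i} stays on cell i+1
    for cell, coeff in FEEDBACK:               # Lambda_4 . s_{t+5} expands along the recurrence
        new[cell] ^= transport(masks[CELLS - 1], coeff)
    return new


def clock(state: List[int]) -> List[int]:
    """Shift the register once: (s_t..s_{t+4}) -> (s_{t+1}..s_{t+5})."""
    fb = 0
    for cell, coeff in FEEDBACK:
        fb ^= gf_mul(coeff, state[cell])
    return state[1:] + [fb]


def masked_xor(masks: List[int], words: List[int]) -> int:
    """XOR over cells of Lambda_i . s_i."""
    bit = 0
    for m, w in zip(masks, words):
        bit ^= parity(m & w)
    return bit


def check_transport(steps: int, seed: int = 7) -> bool:
    """For random initial states and masks, verify that the masked XOR of the cells after
    k clocks equals G^k(masks) applied to the initial cells, for k = 0..steps-1."""
    rng = random.Random(seed)
    for _ in range(20):
        init = [rng.getrandbits(8) for _ in range(CELLS)]
        masks = [rng.getrandbits(8) for _ in range(CELLS)]
        state, gk = list(init), list(masks)
        for _ in range(steps):
            if masked_xor(masks, state) != masked_xor(gk, init):
                return False
            state = clock(state)
            gk = G(gk)
    return True


if __name__ == "__main__":
    print("beta^-1 =", hex(BETA_INV), "; transport holds:", check_transport(64))
```

For Sosemanuk itself the same code applies with 32-bit words, the field of the specification, ten cells and the taps of $s_{t+10} = s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t$; iterating `G` four times per keystream block gives the masks $G^{4k}(\Gamma)$ of the slide directly, with no need to express $s_{t+10}$ itself.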
18
3. Correlation Attack
19
Correlation Attack (1/4)
  • Recover partial $m$ bits among the whole $n$-bit initial LFSR state
    • Adapted from [Cryptanalysis of Grain, FSE 2006]
    • Cipher vs. random distribution
  • What we have: $N 2^{n-m}$ linear approximation relations of bias $\varepsilon$ regarding the initial LFSR internal state $s_1, \ldots, s_{10}$
    • That is, $N 2^{n-m}$ linear approximation relations of bias $\varepsilon$ regarding $n = 320$ unknown binary variables $x_1, \ldots, x_{320}$
  • Select out the linear approximation relations involving $m$ binary variables $x_{i_1}, \ldots, x_{i_m}$ (or fewer)
    • For the right candidate, the number of the relations that hold when substituted follows the normal distribution $\mathcal{N}(N/2 + N\varepsilon,\ N^{1/2}/2)$
    • For a wrong candidate, it follows the normal distribution $\mathcal{N}(N/2,\ N^{1/2}/2)$
  • Letting $N = (2l/3\varepsilon)^2$ and taking the threshold value $3N\varepsilon/2$, we can get the partial $m$ bits with
    • False alarm probability $\mathrm{Prob}(Z > l)$
    • Non-detection probability $\mathrm{Prob}(Z > l/3)$
20
Correlation Attack (2/4)
  • But we have to estimate the number of the relations that hold when substituted, for each of the $2^m$ candidates → use the fast Walsh transform again.
  • Given $N$ relations $a_{1j} x_1 \oplus \cdots \oplus a_{mj} x_m = b_j$ ($j = 1, \ldots, N$), how to compute the number of relations that hold for each $(x_1, \ldots, x_m)$?
    • The naive approach requires computational cost $N 2^m$ (too large)
    • The efficient method using the fast Walsh transform requires
      • computational cost $m 2^m$ (integer additions/subtractions and memory accesses)
      • memory $2^m \log_2 N$ bits
  • Fast Walsh transform
    • $f : \mathbb{Z}_2^m \to \mathbb{Z}$ $\mapsto$ $W(f) : \mathbb{Z}_2^m \to \mathbb{Z}$
    • $W(f)(u) = \sum_x f(x) (-1)^{u \cdot x}$
21
Correlation Attack (3/4)
  • Recover partial $m$ bits of an initial LFSR state given arbitrarily many linear approximation relations regarding the $n$-bit initial LFSR state and keystream bits (with false alarm rate $2^{-m}$)
  • Correlation Attack I
    • Given $N 2^{n-m}$ linear approximation relations
    • $N = (2l/3\varepsilon)^2$ (where $P(l < Z) = 2^{-m}$) = number of relations involving $m$ binary variables $x_{i_1}, \ldots, x_{i_m}$ (or fewer)
    • Recover the partial $m$ bits using the fast Walsh transform
    • Time cost: $128 N 2^{n-m} + m 2^m \log_2 N$
      • for computing the relations: $128 N 2^{n-m}$
      • for the FWT: $m 2^m \log_2 N$
    • Data: $128 N 2^{n-m}$ bits (one relation is obtained per 4 LFSR clockings)
      • Can be reduced if other relations are used; in the Sosemanuk case by a factor of at least 8 (if other approximations of S2 are used)
    • Memory: $2^m \log_2 N$ bits
    • Time cost $> 2^{n/2}$

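As an added example, not from the slides or the authors, this Python code carries out the counting step of Correlation Attack I (slides 19 to 21) on a constructed toy instance: relations $a_j \cdot x = b_j$ over $m = 12$ unknown bits with bias $\varepsilon = 2^{-4}$, $N$ from the slide's formula $N = (2l/3\varepsilon)^2$, and the slide's threshold $3N\varepsilon/2$ applied to the Walsh statistic (number of relations that hold minus number that fail, whose mean for the right candidate is $2N\varepsilon$). With exactly the slide's $N$ the non-detection probability is $\mathrm{Prob}(Z > l/3)$, roughly 12% for $m = 12$, so the example uses nine times that $N$ (turning $l$ into $3l$) so that a single run is reliable; the oversampling factor, the parameters and the function names are choices of this example, and `counts_bruteforce` exists only to cross-check the transform on a small instance.

```python
# Added example: the counting step of Correlation Attack I (slides 19-21) on a
# constructed toy instance, with the Walsh transform doing the 2^m candidate counts.
import math
import random
from statistics import NormalDist
from typing import Dict, List, Tuple

M_BITS = 12            # partial state bits recovered (the slides use m = 139)
EPS = 1.0 / 16         # bias of the constructed relations (the slides use 2^-21.41)
OVERSAMPLE = 9         # 9x the slide's N, i.e. l -> 3l, so one run is reliable


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def fwt(values: List[int]) -> List[int]:
    """Walsh transform W(f)(u) = sum_x f(x) (-1)^{u.x}; length a power of two."""
    f = list(values)
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                a, b = f[j], f[j + h]
                f[j], f[j + h] = a + b, a - b
        h *= 2
    return f


def relations_needed(m: int, eps: float) -> Tuple[float, int]:
    """Slides 19/21: l with P(Z > l) = 2^-m, and N = (2l / 3 eps)^2."""
    l = NormalDist().inv_cdf(1.0 - 2.0 ** -m)
    return l, math.ceil((2 * l / (3 * eps)) ** 2)


def build_relations(secret: int, m: int, count: int, eps: float,
                    rng: random.Random) -> List[Tuple[int, int]]:
    """Constructed relations a_j . x = b_j that hold with probability 1/2 + eps for x = secret."""
    rels = []
    for _ in range(count):
        a = rng.getrandbits(m)
        b = parity(a & secret)
        if rng.random() >= 0.5 + eps:   # the relation is wrong with probability 1/2 - eps
            b ^= 1
        rels.append((a, b))
    return rels


def walsh_scores(rels: List[Tuple[int, int]], m: int) -> List[int]:
    """For every candidate x: (#relations that hold) - (#relations that fail).
    f(a) = sum_j (-1)^{b_j} [a_j = a], so W(f)(x) = sum_j (-1)^{b_j ^ a_j.x}.
    Cost m 2^m after the N-step tally, instead of the naive N 2^m."""
    f = [0] * (1 << m)
    for a, b in rels:
        f[a] += -1 if b else 1
    return fwt(f)


def counts_from_walsh(rels: List[Tuple[int, int]], m: int) -> List[int]:
    """Number of holding relations per candidate, recovered from the Walsh scores."""
    n = len(rels)
    return [(n + w) // 2 for w in walsh_scores(rels, m)]


def counts_bruteforce(rels: List[Tuple[int, int]], m: int) -> List[int]:
    """Naive N 2^m count, used only to cross-check counts_from_walsh."""
    return [sum(1 for a, b in rels if parity(a & x) == b) for x in range(1 << m)]


def crosscheck(m: int = 6, count: int = 200, seed: int = 3) -> bool:
    rng = random.Random(seed)
    rels = build_relations(rng.getrandbits(m), m, count, 0.1, rng)
    return counts_from_walsh(rels, m) == counts_bruteforce(rels, m)


def run_attack(seed: int = 1) -> Dict[str, object]:
    """Recover the m secret bits: keep every candidate above the threshold 3 N eps / 2."""
    rng = random.Random(seed)
    secret = rng.getrandbits(M_BITS)
    l, n_min = relations_needed(M_BITS, EPS)
    n_rel = OVERSAMPLE * n_min
    rels = build_relations(secret, M_BITS, n_rel, EPS, rng)
    scores = walsh_scores(rels, M_BITS)
    threshold = 1.5 * n_rel * EPS
    survivors = [x for x, w in enumerate(scores) if w > threshold]
    best = max(range(1 << M_BITS), key=lambda x: scores[x])
    return {"secret": secret, "best": best, "survivors": survivors, "l": l, "N": n_rel}


if __name__ == "__main__":
    print(run_attack())
```

Only the $2^m$-entry table `f` and the transform touch memory proportional to $2^m$, which is where the slide's $2^m \log_2 N$ bits come from; the $N$ relations are streamed once and never stored per candidate.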
22
Correlation Attack (4/4)
  • Correlation Attack II: consider pairs of linear approximation equations and recover $m$ bits $x_1, \ldots, x_m$
    • Get linear approximation relations with correlation $\varepsilon' = 2\varepsilon^2$
    • $N = (2l/3\varepsilon')^2$ (where $P(l < Z) = 2^{-m}$) = number of approximations regarding only $x_{i_1}, \ldots, x_{i_m}$ or fewer (with correlation $\varepsilon'$)
    • $R = (N 2^{n-m+1})^{1/2}$ = number of approximations with correlation $\varepsilon$
    • Time cost: $128R$ (get the $R$ relations) $+ R \log_2 R\,(n+1)$ (sort out) $+ N(n+1)$ (get the $N$ relations) $+ m 2^m \log_2 N$ (FWT)
    • Memory: $(n+1)R$ (store the $R$ relations) $+ 2^m \log_2 N$ (store the FWT result) bits
    • Data: $128R$ bits (can be reduced if other relations are used)
  • Sosemanuk case: $n = 320$
    • $\varepsilon = 2^{-21.41}$, $m = 139$ → $l = 13.65$, $N = 2^{94.01}$, $R = 2^{138.00}$
  • Recovering the whole initial state
    • Recover $m$ bits twice to recover 278 bits, then recover the remaining 106 (= 42 + 64) bits by exhaustive search
    • Can eliminate false alarms
    • Time cost: $2(128R + R \log_2 R\,(n+1) + N(n+1) + m 2^m \log_2 N) + 384 \cdot 2^2 \cdot 2^{106} = 2^{155.12}$
  • Time complexity $2^{147.12}$, memory $2^{147.00}$ bits, data $2^{145.00}$ bits
23
4. Simulations
24
Overview
  • Simulation for a reduced cipher
    • Validate the correctness of the correlation: observed correlation close to the predicted correlation
    • Validate the correctness of the attack using the observed correlation
  • Simulation for Sosemanuk
    • Validate the correctness of the correlation: observed correlation very close to the predicted correlation
25
Reduced Cipher
  • Reduced cipher consisting of a 5-byte LFSR and a 2-byte FSM
  • LFSR update
    • $s_{t+5} = s_{t+4} \oplus \beta^{-1} s_{t+3} \oplus \beta s_t$ (over $GF(2^8) = GF(2)[x]/\langle x^8 + x^7 + x^5 + x^3 + 1 \rangle$)
  • FSM update
    • $R1_t = R2_{t-1} + (s_{t+1} \oplus \mathrm{lsb}(R1_{t-1})\, s_{t+3})$
    • $R2_t = \mathrm{Trans}(R1_{t-1}) = (M \times R1_{t-1}) \lll 3$, $M = \texttt{0x59}$
    • $f_t = (s_{t+4} + R1_t) \oplus R2_t$
  • Keystream output
    • $(z_t, z_{t+1}, z_{t+2}, z_{t+3}) = S2(f_t, f_{t+1}, f_{t+2}, f_{t+3}) \oplus (s_t, s_{t+1}, s_{t+2}, s_{t+3})$, $t \equiv 1 \pmod 4$
  • Linear approximation
    • $\Gamma \cdot s_{t+5} \oplus \Gamma \cdot s_{t+3} \oplus \Gamma \cdot s_{t+2} \oplus \Gamma \cdot s_t \oplus \Gamma \cdot z_t \oplus \Gamma \cdot z_{t+3} = 0$, $t \equiv 1 \pmod 4$
  • Correlation for the 8-bit mask $\Gamma = \texttt{0x21}$
    • Predicted: $2^{-6.50}$
    • Observed: $2^{-6.12}$
  • Experiment: recover partial 24 bits of the initial LFSR state for 100 initial states
    • Non-detection: 1
    • False alarms: 1.18 on average
    • Time: about 2 minutes on a Pentium IV 3.4 GHz with 1 GB RAM
26
Long Keystream
  • Observe the correlation between LFSR states and keystream bits for 16 initial states (2 LFSR initial states and 8 FSM initial states)
  • In each case, generate $2^{53}$ keystream bits and check how many of the $2^{46}$ equations $\Gamma \cdot s_{t+10} \oplus \Gamma \cdot s_{t+3} \oplus \Gamma \cdot s_{t+2} \oplus \Gamma \cdot s_t \oplus \Gamma \cdot z_t \oplus \Gamma \cdot z_{t+3} = 0$, $t \equiv 1 \pmod 4$, $1 \le t \le 2^{48}$, hold.
  • Distribution as predicted
    • The number of equations that hold is about $2^{45} + 2^{45} C(\Gamma)$ in each case
  • Observed correlation using the $2^{50}$ relations: $2^{-21.45}$ (very close to the predicted correlation $C(\Gamma) = 2^{-21.41}$)
27
5. SNOW 2.0
28
SNOW 2.0
  • State: 576 bits
    • LFSR: 16 words
    • FSM: 2 words
  • LFSR update
    • $s_{t+16} = \alpha^{-1} s_{t+11} \oplus s_{t+2} \oplus \alpha s_t$
  • FSM update
    • $R1_{t+1} = s_{t+5} + R2_t$
    • $R2_{t+1} = S(R1_t)$
  • FSM output
    • $F_t = (s_{t+15} + R1_t) \oplus R2_t$
  • Keystream output
    • $z_t = F_t \oplus s_t$

29
Correlation Attack on SNOW 2.0
  • Linear approximation relation [FSE 2006]
    • $\Lambda \cdot s_t \oplus \Lambda \cdot s_{t+1} \oplus \Lambda \cdot s_{t+5} \oplus \Lambda \cdot s_{t+15} \oplus \Lambda \cdot s_{t+16} \oplus \Lambda \cdot z_t \oplus \Lambda \cdot z_{t+1} = 0$
    • bias $2^{-15.496}$
  • Complexity
    • Parameters: $n = 512$, $\varepsilon = 2^{-15.496}$, $m = 192$, $l = 16.1$, $N = 2^{66.54}$, $R = 2^{193.77}$
    • Time cost: $3(32R + R \log_2 R\,(n+1) + N(n+1) + m 2^m \log_2 N) = 2^{212.38}$
    • Memory: $(n+1)R + 2^m \log_2 N = 2^{202.83}$ bits
    • Data: $32R = 2^{198.77}$ bits
  • Complexity similar to that of the TMD tradeoff.
  • But the attack does not depend on the key/IV size: it is relevant to the state update and keystream output functions.
30
Summary
  • Best attack on Sosemanuk
    • Time $2^{147.12}$
    • Memory $2^{147.00}$ bits
    • Data $2^{145.00}$ bits
  • A correlation attack on SNOW 2.0
    • Time $2^{203.38}$
    • Memory $2^{202.83}$ bits
    • Data $2^{198.77}$ bits