Stream Ciphers: WG and LEX - PowerPoint PPT Presentation

1
Stream Ciphers: WG and LEX
  • Eduard Dvorný, Emil Halko
  • Pavol Jozef Šafárik University

2
WG abstract
  • Stream cipher WG
  • The cipher is based on Welch-Gong transformations.
  • The WG cipher has been designed to produce keystream
    with guaranteed randomness properties.
  • Its designers state that it is resistant to
    time/memory/data tradeoff attacks, algebraic attacks
    and correlation attacks.
  • The cipher can be implemented with a small amount
    of hardware.

3
LEX abstract
  • Stream cipher LEX
  • A proposal for a simple AES-based stream cipher
    which is at least 2.5 times faster than AES, both
    in software and in hardware.
  • LEX stands for Leak EXtraction.

4
WG CIPHER
  • The WG cipher can be used with keys of length 80,
    96, 112 and 128 bits.
  • An initial vector (IV) of 32 or 64 bits can be
    used with any of the above key lengths.
  • To increase security, IVs of the same length as
    the secret key can also be used.
  • WG is a synchronous stream cipher built around
    the WG keystream generator.

5
WG keystream generation
6
WG Transformation
7
Resynchronization (Key/IV setup)
8
Differential Attack on WG
  • Overview of the attack:
  • the taps of the LFSR are poorly chosen;
  • the 22 setup steps fail to randomize the
    differential propagation;
  • at the end of the 22nd step, the differential in
    the LFSR is exploited to recover the secret key;
  • more than 48 key bits are recovered with about 2^31
    chosen IVs (80-bit key and 80-bit IV).

9
Differential Attack on WG
10
Differential Attack on WG
11
Differential Attack on WG
  • At the end of the 22nd step, the difference at
    S(10) is
  • S(10) is related to the first keystream bit.
  • Observing the values of the first keystream bits
    generated from the related IVs, we can determine
    whether the value of
    is 0; if it is, we can recover 29 bits of the key.

12
Security Against Attacks
  • A time/memory/data tradeoff attack has two phases.
  • During the precomputation phase the attacker
    exploits the structure of the stream cipher and
    summarizes his findings in large tables.
  • During the attack phase, the attacker uses these
    tables and the observed data to determine the
    secret key or the internal state of the stream
    cipher.

13
  • The tradeoff is T·M²·D² = N², for D² ≤ T ≤ N,
  • where
  • T is the time required for the attack,
  • M is the memory required to store the tables,
  • D represents the real-time data, i.e. the keystream
    required,
  • N is the size of the search space.
  • A simple way to provide security against this
    attack in stream ciphers is to increase the
    search space.
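The two phases on slides 12 and 13 can be run end to end against a toy target. The code below is an added example written for this transcript, not code from the slides or from the WG designers: the target is a constructed 20-bit LFSR with a small nonlinear filter standing in for the Welch-Gong transformation (so N = 2^20 internal states), and it implements the simplest tradeoff point (one table, T = D, success when M·D is on the order of N) rather than the general curve quoted on the slide. Taps, filter and the demo state are all assumptions made for the example.

```python
"""Babbage-Golic time/memory/data tradeoff against a toy filter generator.

Added example for slides 12 and 13, not code from the slides or from the WG
designers. The target is a constructed 20-bit LFSR (x^20 + x^3 + 1) with a
small nonlinear filter standing in for the Welch-Gong transformation, so the
search space is N = 2^20 internal states. Precomputation: sample M states and
store their first W keystream bits. Attack: slide a W-bit window over D
observed keystream bits; a table hit gives the internal state at that
position, and every later keystream bit follows from it.
"""
import random

STATE_BITS = 20
N = 1 << STATE_BITS        # size of the search space (number of internal states)
W = 32                     # window length; wider than the state, so a hit pins the state down


def clock(state):
    """One step of the toy generator: returns (keystream_bit, next_state).
    Bits 19..0 hold s[n-20]..s[n-1]; feedback s[n] = s[n-20] ^ s[n-17]."""
    b = lambda i: (state >> i) & 1
    out = b(0) ^ (b(5) & b(11)) ^ (b(3) & b(7) & b(14)) ^ b(17)   # constructed nonlinear filter
    feedback = b(19) ^ b(16)
    return out, ((state << 1) & (N - 1)) | feedback


def keystream(state, nbits):
    bits = []
    for _ in range(nbits):
        bit, state = clock(state)
        bits.append(bit)
    return bits


def bits_to_int(bits):
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def precompute(m, rng):
    """Precomputation phase: M random states -> their W-bit keystream prefix."""
    table = {}
    for state in rng.sample(range(1, N), m):
        table.setdefault(bits_to_int(keystream(state, W)), []).append(state)
    return table


def attack(table, observed):
    """Attack phase: return (position, internal state at that position) or None."""
    for i in range(len(observed) - W + 1):
        window = bits_to_int(observed[i:i + W])
        for candidate in table.get(window, ()):
            # a real hit reproduces everything observed from position i onward
            if keystream(candidate, len(observed) - i) == observed[i:]:
                return i, candidate
    return None


def expected_hits(state_bits, m, d):
    """Expected number of observed positions whose state is in the table: M*D/N."""
    return m * d / 2 ** state_bits


def demo(m=1 << 12, d=1 << 12, seed=1):
    rng = random.Random(seed)
    secret = rng.randrange(1, N)            # constructed secret state
    observed = keystream(secret, d + W)     # D + W known keystream bits
    table = precompute(m, rng)              # M * D = 16 N here, so about 16 hits are expected
    hit = attack(table, observed)
    if hit is None:
        return None
    i, state = hit
    predicted = keystream(state, d + W - i + 64)         # 64 bits beyond what was observed
    actual = keystream(secret, d + W + 64)[i:]
    return i, predicted == actual


if __name__ == "__main__":
    print(demo())
```

With a 20-bit state, a table of 2^12 entries and 2^12 bits of keystream recover the internal state almost surely. The defence the slide names is visible in `expected_hits`: keeping M and D fixed and moving to a 40-bit state drops the expected number of hits from 16 to 2^-16, so M·D has to grow with N.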

14
Algebraic attacks
  • Algebraic attacks have recently been used to break
    many well-known stream ciphers.
  • The complexity of these attacks depends on the
    nonlinear filter and on the number of outputs
    generated by the cipher.
  • If the nonlinear filter can be approximated by a
    multivariate equation of low degree, this
    complexity can be reduced significantly.

15
Correlation attacks
  • These attacks exploit any correlation that may
    exist between the keystream and the output of the
    LFSR in the cipher.
  • In these attacks the keystream is regarded as a
    distorted or noisy version of the LFSR output.

16
Conclusion
  • The WG cipher is suitable for hardware implementations.
  • WG is vulnerable to a differential attack.

17
LEX Cipher
  • LEX is based on the block cipher AES. The
    keystream bits are generated by extracting 32
    bits from each round of AES run in 128-bit Output
    Feedback mode.
  • First a standard AES key schedule is performed for
    a secret 128-bit key K.
  • Then a given 128-bit IV is encrypted by a single
    AES invocation, S = AES_K(IV). S and the subkeys
    are the output of the initialization process.

18
Initialization and keystream generation
19
Extracted bytes in the even and odd rounds
The bytes b0,0, b0,2, b2,0, b2,2 at every odd round and
the bytes b0,1, b0,3, b2,1, b2,3 at every even round are
selected (bi,j is the byte in row i, column j of the AES state).
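Slides 17 and 19 together specify the generator completely, so it can be written out. The code below is an added example for this transcript, not the LEX reference implementation: it contains a textbook AES-128 (the test checks it against the FIPS-197 C.1 vector), runs it in OFB mode from S = AES_K(IV), and leaks the four bytes named on slide 19 after each round. Two details the slides do not state are assumptions here: rounds are numbered 1..10, and the leak is read from the state right after each round's AddRoundKey. The demo key and IV are constructed values.

```python
"""Toy LEX keystream generator: AES-128 in OFB mode with 32 bits leaked per round.

Added example written for this transcript, not the LEX reference code. The
AES-128 below is a textbook implementation (the test checks it against the
FIPS-197 C.1 vector). Leak positions follow slide 19: b0,0 b0,2 b2,0 b2,2 in
odd rounds, b0,1 b0,3 b2,1 b2,3 in even rounds. Assumptions: rounds are
numbered 1..10 and the leak is read from the state right after each round's
AddRoundKey; the demo key and IV are constructed values.
"""

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    # Walk GF(2^8)* with generator 3 keeping p * q == 1, then apply the AES
    # affine map to the inverse q; the loop returns to p == 1 after 255 steps.
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63   # 0 has no inverse: affine constant only
    return sbox

SBOX = _build_sbox()

def _xtime(b):
    return ((b << 1) ^ (0x1B if b & 0x80 else 0)) & 0xFF

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# State layout: flat 16-byte list in column-major order, b[r][c] == s[r + 4*c].
def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out

def aes_rounds(block, round_keys):
    """Yield (round_number, state after AddRoundKey) for rounds 1..10."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = _shift_rows(_sub_bytes(s))
        if rnd < 10:
            s = _mix_columns(s)            # the final round has no MixColumns
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]
        yield rnd, s

def aes_encrypt(block, round_keys):
    for _, s in aes_rounds(block, round_keys):
        final = s
    return bytes(final)

ODD_LEAK = [(0, 0), (0, 2), (2, 0), (2, 2)]    # (row, col) leaked in odd rounds
EVEN_LEAK = [(0, 1), (0, 3), (2, 1), (2, 3)]   # (row, col) leaked in even rounds

def lex_keystream(key, iv, n_encryptions):
    """Return 40 * n_encryptions keystream bytes: 4 bytes per round, 10 rounds per block."""
    rks = expand_key(key)
    s = aes_encrypt(iv, rks)                   # initialization: S = AES_K(IV)
    out = bytearray()
    for _ in range(n_encryptions):
        for rnd, state in aes_rounds(s, rks):
            leak = ODD_LEAK if rnd % 2 else EVEN_LEAK
            out += bytes(state[r + 4 * c] for r, c in leak)
        s = bytes(state)                       # OFB: the block output is the next input
    return bytes(out)

if __name__ == "__main__":
    demo_key = bytes(range(16))                # constructed, not a real key
    demo_iv = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(lex_keystream(demo_key, demo_iv, 2).hex())
```

Each AES encryption yields 320 keystream bits out of the 1280 bits of intermediate state it passes through, which is where the speedup over plain AES comes from. Note what the attacker sees: the round-10 state is the block's ciphertext and also the next block's OFB input, so the last four bytes of every 40-byte chunk are ciphertext bytes of the OFB chain, and every tenth leak is taken under the same subkey, which is exactly the observation behind the dedicated attacks on the next slides. The re-keying every 500 encryptions mentioned on slide 20 is not modelled here.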
20
Algebraic Attacks
  • Algebraic attacks on stream ciphers are a recent
    and very powerful type of attack.
  • If one could write a non-linear equation in terms
    of the outputs and the key, that could lead to
    an attack on LEX.
  • Re-keying every 500 AES encryptions may help to
    avoid such attacks by limiting the number of
    samples the attacker can obtain while targeting
    a specific subkey.

21
Dedicated Attacks
  • An obvious line of attack would be to concentrate
    on every 10th round, since it reuses the same
    subkey: if the attacker guesses parts of this
    subkey, he can reuse this information 10t rounds
    later, t = 1, 2, ...

22
Conclusion
  • Since LEX could reuse existing AES
    implementations, it might provide a simple and
    cheap speedup option in addition to the already
    existing base AES encryption.
  • It is better to mix the key and IV in a
    non-linear way, then use the mixed values to
    generate the keystream.