Title: Stream Ciphers: WG and LEX
1 Stream Ciphers: WG and LEX
- Eduard Dvorný, Emil Halko
- University of Pavol Jozef Šafárik
2 WG abstract
- Stream cipher WG
- The cipher is based on Welch-Gong transformations.
- The WG cipher has been designed to produce keystream with guaranteed randomness properties.
- It is claimed to be resistant to time/memory/data tradeoff attacks, algebraic attacks and correlation attacks.
- The cipher can be implemented with a small amount of hardware.
3 LEX abstract
- Stream cipher LEX
- A proposal for a simple AES-based stream cipher which is at least 2.5 times faster than AES, both in software and in hardware.
- LEX stands for Leak EXtraction.
4 WG CIPHER
- The WG cipher can be used with keys of length 80, 96, 112 and 128 bits.
- An initial vector (IV) of size 32 or 64 bits can be used with any of the above key lengths.
- To increase security, IVs of the same length as the secret key can also be used.
- WG is a synchronous stream cipher which consists of a WG keystream generator.
5 WG keystream generation
6 WG Transformation
7 Resynchronization (Key/IV setup)
8 Differential Attack on WG
- Overview of the attack
- The taps of the LFSR are poorly chosen.
- 22 steps fail to randomize the differential propagation.
- At the end of the 22nd step, the difference in the LFSR state is exploited to recover the secret key.
- More than 48 key bits are recovered with about 2^31 chosen IVs (80-bit key and 80-bit IV).
9 Differential Attack on WG
10 Differential Attack on WG
11 Differential Attack on WG
- At the end of the 22nd step, the difference at S(10) is [expression missing from the extracted slide].
- S(10) is related to the first keystream bit.
- Observing the values of the first keystream bits generated from the related IVs, we are able to determine whether the value of [expression missing from the extracted slide] is 0, and then we can recover 29 bits of the key.
12 Security Against Attacks
- A time/memory/data tradeoff attack has two phases.
- During the precomputation phase the attacker exploits the structure of the stream cipher and summarizes his findings in large tables.
- During the attack phase, the attacker uses these tables and the observed data to determine the secret key or the internal state of the stream cipher.
13
- A tradeoff $TM^2D^2 = N^2$ for $D^2 \le T \le N$, where
  - T is the time required for the attack,
  - M is the memory required to store the tables,
  - D represents the real-time data (the keystream) required,
  - N is the size of the search space.
- A simple way to provide security against this attack in stream ciphers is to increase the search space N, i.e. the number of keys or internal states the attacker has to cover.
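The two phases described above, worked through on a toy cipher as an added example (this code is not from the slides and does not model WG itself): a 20-bit filtered LFSR is attacked with the Babbage-Golic tradeoff, which is the simple point T = D, TM = N of the tradeoff family rather than the Hellman-table variant $TM^2D^2 = N^2$ quoted on the slide. The feedback polynomial, the filter function, the table size, the RNG seed and the secret state are all constructed choices for the demonstration.

```python
"""Time/memory/data tradeoff against a toy 20-bit filtered-LFSR stream cipher.

Added example, not from the slides. N = 2**20 internal states, the table holds
M = 2**13 of them (precomputation), and the attack phase slides over D = 2**12
keystream windows, so about D*M/N = 32 table hits are expected.
"""
import random

WIDTH = 20                       # LFSR length in bits; N = 2**WIDTH states
MASK = (1 << WIDTH) - 1
PREFIX = 32                      # keystream bits used as table index (> WIDTH, near-injective)
VERIFY = 64                      # extra bits regenerated to reject false matches
LOG_M = 13                       # table holds 2**LOG_M states
D = 1 << 12                      # number of keystream windows examined


def step(state):
    """Clock the Fibonacci LFSR with feedback polynomial x^20 + x^3 + 1 (constructed choice)."""
    fb = (state ^ (state >> 3)) & 1
    return (state >> 1) | (fb << (WIDTH - 1))


def unstep(state):
    """Inverse clock; the LFSR update is a bijection, so the attacker can walk backwards."""
    s0 = ((state >> (WIDTH - 1)) ^ (state >> 2)) & 1
    return ((state << 1) & MASK) | s0


def output_bit(state):
    """Nonlinear filter on the state (toy choice, not a real design)."""
    def b(i):
        return (state >> i) & 1
    return b(0) ^ b(5) ^ (b(9) & b(14)) ^ (b(2) & b(11) & b(17))


def keystream_bits(state, n):
    """n keystream bits produced from the given internal state."""
    bits = []
    for _ in range(n):
        bits.append(output_bit(state))
        state = step(state)
    return bits


def bits_to_int(bits):
    v = 0
    for bit in bits:
        v = (v << 1) | bit
    return v


def precompute(log_m, seed):
    """Precomputation phase: table mapping PREFIX-bit keystream prefix -> state.
    Key-independent work; only the structure of the cipher is used."""
    rng = random.Random(seed)
    table = {}
    while len(table) < (1 << log_m):
        s = rng.randrange(1, 1 << WIDTH)             # skip the all-zero fixed point
        table[bits_to_int(keystream_bits(s, PREFIX))] = s
    return table


def attack(table, keystream):
    """Attack phase: each PREFIX-bit window of observed keystream is one table lookup.
    On a verified hit, clock the LFSR back to the state that produced keystream[0],
    i.e. the secret initial state. Returns None if no window hits the table."""
    for i in range(len(keystream) - PREFIX - VERIFY + 1):
        cand = table.get(bits_to_int(keystream[i:i + PREFIX]))
        if cand is None:
            continue
        if keystream_bits(cand, PREFIX + VERIFY) != keystream[i:i + PREFIX + VERIFY]:
            continue                                  # false match on the prefix only
        for _ in range(i):
            cand = unstep(cand)
        return cand
    return None


if __name__ == "__main__":
    secret = 0x5A3C1                                   # constructed secret state
    observed = keystream_bits(secret, D + PREFIX + VERIFY)
    recovered = attack(precompute(LOG_M, seed=1), observed)
    print(hex(secret), None if recovered is None else hex(recovered))
```

The precomputation never touches the secret, which is why it can be amortised over many targets; the attacker only needs M and D large enough that M*D approaches N. Raising WIDTH by one bit doubles N and therefore doubles the M*D budget the attacker has to afford, which is the slide's point about increasing the search space.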
14 Algebraic attacks
- Algebraic attacks have recently been used to break many well-known stream ciphers.
- The complexity of these attacks depends on the nonlinear filter and on the number of outputs generated by the cipher.
- If the nonlinear filter can be approximated by a multivariate equation of low degree, this complexity can be reduced significantly.
15 Correlation attacks
- These attacks exploit any correlation that may exist between the keystream and the output of the LFSR in the cipher.
- In these attacks the keystream is regarded as a distorted or noisy version of the LFSR output.
16 Conclusion
- WG is a cipher suitable for hardware implementations.
- WG is vulnerable to a chosen-IV differential attack on its key/IV setup.
17 LEX Cipher
- LEX is based on the block cipher AES. The keystream bits are generated by extracting 32 bits from each round of AES running in 128-bit Output Feedback (OFB) mode.
- First a standard AES key schedule for a secret 128-bit key K is performed.
- Then a given 128-bit IV is encrypted by a single AES invocation, S = AES_K(IV). S and the subkeys are the output of the initialization process.
18 Initialization and keystream generation
19 Extracted bytes in the even and odd rounds
The bytes $b_{0,0}, b_{0,2}, b_{2,0}, b_{2,2}$ at every odd round and the bytes $b_{0,1}, b_{0,3}, b_{2,1}, b_{2,3}$ at every even round are selected, where $b_{r,c}$ denotes the byte in row r and column c of the AES state matrix.
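The initialization and keystream generation described on the preceding slides, implemented in Python as an added example (this is neither the slides' nor Biryukov's code). AES-128 is written out in full because LEX needs every intermediate round state, which library APIs do not expose. Assumptions, also marked in the code: four bytes are leaked from the state after each complete round (after AddRoundKey), all ten rounds of every AES call leak, and the state byte $b_{r,c}$ is stored at index r + 4c of the 16-byte block as in FIPS-197. The key and IV in the demo are the FIPS-197 Appendix C.1 test values, so the AES core can be checked against its published ciphertext.

```python
"""LEX keystream generation on top of a from-scratch AES-128.

Added example, not from the slides. Assumed extraction convention: the four
bytes are taken from the state after each full round including AddRoundKey,
and all ten rounds leak (40 keystream bytes per AES invocation).
"""


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    """General multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _build_sbox():
    """S-box = affine transform of the multiplicative inverse (0 maps to 0x63)."""
    sbox = [0x63]
    for x in range(1, 256):
        inv = next(y for y in range(1, 256) if _gmul(x, y) == 1)
        sbox.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                                 # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _mix_column(a):
    return [_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
            _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]


def aes_round_states(block, round_keys):
    """Encrypt one 16-byte block; return the state after each of the 10 rounds
    (index r + 4*c holds byte b_{r,c}). The last entry is the ciphertext."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]                 # initial whitening
    states = []
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                                          # SubBytes
        s = [s[(i % 4) + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]  # ShiftRows
        if r != 10:                                                       # round 10 has no MixColumns
            s = sum((_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = [b ^ k for b, k in zip(s, round_keys[r])]                     # AddRoundKey
        states.append(s)
    return states


def aes_encrypt(key, block):
    return bytes(aes_round_states(block, expand_key(key))[-1])


# Leaked positions (index r + 4*c): odd rounds b00 b02 b20 b22, even rounds b01 b03 b21 b23.
LEX_ODD = [0, 8, 2, 10]
LEX_EVEN = [4, 12, 6, 14]


def lex_keystream(key, iv, nbytes):
    """Initialization S = AES_K(IV); then AES in OFB mode on S, leaking four
    bytes from every round of every invocation (assumed convention, see above)."""
    rk = expand_key(key)
    s = aes_round_states(iv, rk)[-1]
    out = bytearray()
    while len(out) < nbytes:
        states = aes_round_states(s, rk)             # rk[r] is reused by every block
        for r, st in enumerate(states, start=1):
            out += bytes(st[i] for i in (LEX_ODD if r % 2 else LEX_EVEN))
        s = states[-1]                               # OFB feedback
    return bytes(out[:nbytes])


if __name__ == "__main__":
    KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # FIPS-197 C.1 key
    IV = bytes.fromhex("00112233445566778899aabbccddeeff")    # FIPS-197 C.1 plaintext, used as IV
    print(aes_encrypt(KEY, IV).hex())                         # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(lex_keystream(KEY, IV, 40).hex())
```

Each AES invocation yields 40 keystream bytes for the cost of one block encryption, which is where the speedup over AES-OFB's 16 bytes per call comes from. The same round key rk[r] is applied at rounds r, r + 10, r + 20, ..., which is exactly the subkey reuse across every 10th round that the dedicated-attack slide points at; re-keying after a bounded number of encryptions simply means calling expand_key again with a fresh key.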
20 Algebraic Attacks
- Algebraic attacks on stream ciphers are a recent and very powerful type of attack.
- If one could write a non-linear equation in terms of the outputs and the key, that could lead to an attack on LEX.
- Re-keying every 500 AES encryptions may help to avoid such attacks by limiting the number of samples the attacker can obtain while targeting a specific subkey.
21 Dedicated Attacks
- An obvious line of attack would be to concentrate on every 10th round, since it reuses the same subkey: if the attacker guesses parts of this subkey, he can reuse this information 10t rounds later, t = 1, 2, ...
22 Conclusion
- Since LEX can reuse existing AES implementations, it might provide a simple and cheap speedup option in addition to the already existing base AES encryption.
- It is better to mix the key and IV in a non-linear way, and then use the mixed values to generate the keystream.