Cryptanalysis of the Stream cipher BEAN

Cryptanalysis of the Stream cipher BEAN
c
ACM,
2011. This is the author’s version of the work. It is posted here by permission of
ACM for your personal use. Not for redistribution. The definitive version was published
in SIN ’11 Proceedings of the 4th international conference on Security of information and
networks (2011), http://doi.acm.org/10.1145/2070425.2070432
Cryptanalysis of the Stream Cipher BEAN
Martin Ågren
Martin Hell
Dept. of Electrical and Information Technology,
Lund University
P.O. Box 118
SE-221 00 Lund, Sweden
Tel: +46 46 222 38 69
Fax: +46 46 12 99 48
Dept. of Electrical and Information Technology,
Lund University
P.O. Box 118
SE-221 00 Lund, Sweden
Tel: +46 46 222 43 53
Fax: +46 46 12 99 48
[email protected]
ABSTRACT
BEAN is a recent stream cipher proposal that uses Feedback
with Carry Shift Registers (FCSRs) and an output function.
There is a sound motivation behind the use of FCSRs in
BEAN as they provide several cryptographically interesting
properties. In this paper, we show that the output function is not optimal. We give an efficient distinguisher and a
key recovery attack that is slightly better than brute force,
requiring no significant memory. We then show how this
attack can be made better with access to more keystream.
Already with access to 6 KiB, the 80-bit key is recovered in
time 273 .
Categories and Subject Descriptors
E.3 [Data Encryption]: Code Breaking
General Terms
Algorithms, Security
1.
INTRODUCTION
The Linear Feedback Shift Register (LFSR) is a common
building block in stream ciphers. This is partly due to its
simple implementation, in particular in hardware, but also
because of the random-like properties of the produced sequences. However, the inherent linearity in the produced
sequence requires the stream cipher to also include one or
more nonlinear components. The properties of these components, which can be e.g., S-boxes, Boolean functions or
Nonlinear Feedback Shift Registers (NFSRs), are crucial to
the security of the cipher. A Feedback with Carry Shift
Register (FCSR) can be seen as an alternative to an LFSR.
While sharing several cryptographically important properties with LFSRs, as well as being easily implementable, these
are updated nonlinearly. This nonlinear update somewhat
relaxes the requirements on the other building blocks.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
SIN’11, November 14–19, 2011, Sydney, Australia.
Copyright 2011 ACM 978-1-4503-1020-8/11/11 ...$10.00.
[email protected]
There have been several FCSR-based stream ciphers proposed in the literature. One notable design is F-FCSR-H [1,
2] which was selected for the final portfolio in the eSTREAM
project. The hardware performance is good and the design
is very simple in that it only uses a linear filter together
with one FCSR. The performance of, and interest in, the FFCSR-H stream cipher have made it evident that FCSRs are
attractive building blocks for stream ciphers, even though FFCSR-H was later cryptanalyzed in [7].
Another stream cipher selected for the final portfolio in
eSTREAM is Grain [9]. Grain is also very simple and is
based on one LFSR, one NFSR and a nonlinear Boolean
output function. It can be seen as a variant of a nonlinear
filter generator in which the taps to the nonlinear Boolean
output function are taken from both shift registers.
BEAN [11] is a more recent design, which is influenced by
Grain but replaces both shift registers by FCSRs. There is a
sound motivation behind this idea since the LFSR in Grain
is used to provide large period and guaranteed random-like
properties while the NFSR is used to provide nonlinearity.
An FCSR combines both these properties, while still being
very efficient in hardware. Thus, BEAN has two shift register components, both providing nonlinearity, large period
and random-looking sequences. The attack on F-FCSR-H
in [7] took advantage of the fact that 8 keystream bits were
produced in each clocking of the register. As BEAN produces 2 keystream bits in 3 FCSR updates, that attack is
not applicable to BEAN.
In this paper we give two attacks on the BEAN stream
cipher. While the design idea can be well-motivated, as described above, the design of the output function allows for
attacks. First, we give a distinguishing attack based on the
low correlation immunity order of the output function. This
attack is very efficient as it can distinguish the keystream
of BEAN from a random sequence using only about 217
keystream bits, or 16 KiB. Second, we give a key recovery
attack that is based on information leakage in the output
function. By guessing a carefully chosen subset of the state
bits, a portion of the keystream can be used to verify the
guess, resulting in a divide-and-conquer kind of attack on the
state. We give a trade-off between computational complexity and keystream required in the attack. As an example,
we can recover the state using 6 KiB of keystream and 273
computations, each computation being as complex as testing
one key.
With these attacks as background, we discuss the specific
design choices made in the BEAN stream cipher and how
m
div 2
mod 2
yn−1
yn−2
d0
y1
d1
consists of two parts, one main register
y0
dn−2
y = (y0 , y1 , . . . , yn−2 , yn−1 )
dn−1
σ
and one memory m. The feedback is given by (d0 , d1 , . . . , dn−1 ).
In each update of the FCSR, the sum
σ =m+
n−1
X
yi dn−i−1
i=0
Figure 1: An FCSR in Fibonacci architecture.
is computed and the state is updated as
the cipher can be improved in the future. Our results can
thus be seen as a foundation for studying the security of
BEAN-like stream ciphers.
While the BEAN specification [11] is sometimes ambiguous, for example as to whether the FCSRs are really FCSRs or merely LFSRs, the reference implementation can be
used to clarify such uncertainties. We have chosen a very
conservative approach and always used the more secure interpretation in these cases. It is known that constructing a
decent stream cipher using only LFSRs and an output function (a non-linear combiner) is practically impossible [4].
Indeed, if BEAN is implemented with LFSRs instead of FCSRs, independent work [14] has shown that it is susceptible
to algebraic attacks. Similarly, correlation attacks would be
a natural approach to such weakened versions. This paper
deals exclusively with the stronger version of BEAN that
results from always making the sane choice in case of ambiguities.
This paper is organized as follows. In Section 2 we describe FCSRs and properties of Boolean functions. Section 3
describes the stream cipher BEAN, before Section 4 gives a
distinguishing attack. Section 5 outlines the standard brute
force attack so that we have an attack cost to compare our
subsequent findings to. Section 6 then describes how to find
the key slightly faster than brute force, and Section 7 introduces a time–data trade-off that needs more keystream but
is significantly faster. Section 8 outlines what needs to be
reconsidered in the BEAN design, before Section 9 concludes
the paper.
2.
PRELIMINARIES
In this section we give some background theory on FCSRs
and Boolean functions. This theory will later be used in our
attacks.
2.1
Feedback with Carry Shift Registers
A Feedback with Carry Shift Register (FCSR) is a device
that computes the 2-adic expansion of the rational number
p/q, with q odd. FCSRs were proposed by Klapper and
Goresky and their cryptographic properties were thoroughly
examined and determined in [10]. We refer to that paper for
details on p-adic numbers.
An FCSR can be realized using either a Galois or a Fibonacci architecture. While most previous stream cipher
designs use a Galois architecture, BEAN implements the
FCSRs using a Fibonacci architecture. A relation between
states in the two architectures can be found in [6]. A general
Fibonacci FCSR is given in Figure 1 and we will refer to this
implementation type in the sequel.
We will implicitly assume that any vector (v0 , v1 , . . . , vk−1 ) ∈
P
i
{0, 1}k is also identified by the integer k−1
i=0 vi 2 . The state
m = σ div 2,
y = (y1 , y2 , . . . , yn−1 , σ mod 2).
(1)
(2)
The FCSR automaton is completely determined by the connection integer q = 1 − 2d. The size of the main register
is given by n = blog(|q| + 1)c, i.e., the bit length of d. The
state of the FCSR is associated with the integer p, which is
given by
p = m2n −
n−1
k
XX
dj−1 yk−j 2k ,
k=0 j=0
where we define d−1 = −1. The output of the FCSR is
then the 2-adic expansion of p/q and it can be shown, see
e.g., [10], that the output is strictly periodic if and only if
0 ≤ p ≤ |q|. Let the initial state be given by p. If the state
at time t corresponds to the integer p (≥ 0), then the state
p0 at time t + 1 corresponds to the integer
p0 = 2−1 p mod q.
The output of the FCSR is given by p mod 2, and thus the
tth output is given by (2−t p mod q) mod 2 if p corresponds
to the initial state. If 0 < p < |q|, q odd, and q and p
are coprime, then the period of the output sequence equals
ordq (2). Thus, the optimal choice of q is a negative prime
with 2 being a primitive root. The FCSR automaton will
then produce a maximum length sequence, also known as an
l-sequence. The following result [3] will be useful to us:
Lemma 1. Using any FCSR of length n and starting in
any state, it takes at most n + 4 FCSR updates to reach a
strictly periodic state.
Let Ty denote the set of register taps used when computing
σ, i.e., i ∈ Ty if and only if di = 1, and let |Ty | be the
cardinality of the set, i.e., the number of register taps used.
It is straightforward to see, and it was formally shown in [10],
that
m ≤ |Ty | − 1
if the register is in a periodic state. Due to this, the carry
can be realized using dlog |Ty |e bits. When we refer to an
FCSR of length n, we implicitly consider its state to consist
of in total n + dlog |Ty |e bits.
2.2
Boolean Function Properties
We briefly review some important properties of Boolean
functions. We can represent an n-variable Boolean function f (x1 , . . . , xn ) by its truth table, i.e., a binary string of
length 2n , f = [f (0, 0, . . . , 0), f (0, . . . , 0, 1), f (0, . . . , 1, 0),
. . . , f (1, 1, . . . , 1)]. A Boolean function f is balanced if the
truth table contains an equal number of 1’s and 0’s.
The Hamming weight of a binary string S is the number of
ones in the string and is denoted wt(S). The Hamming distance between two strings, S1 and S2 , is denoted dH (S1 , S2 )
and is the number of places where S1 and S2 differ.
A Boolean function can be represented as a polynomial
over F2 , called the algebraic normal form (ANF),
f (x1 , . . . , xn ) =
M
a0 ⊕
ai xi ⊕
1≤i≤n
M
aij xi xj ⊕ . . . ⊕ a12...n x1 x2 . . . xn ,
1≤i<j≤n
where the coefficients a0 , aij , . . . , a12...n ∈ {0, 1}. The algebraic degree, denoted deg(f ), is the number of variables
in the highest order term with non-zero coefficient. Affine
Boolean functions are those with no terms of degree > 1 in
the ANF. The set of all affine n-variable functions is denoted
A(n). The nonlinearity of an n-variable Boolean function is
the minimum distance from the set of all n-variable affine
functions,
nl(f ) = min (dH (f, g)).
Table 1: Truth table
used in BEAN.
0 0 0 1 1 0
0 1 1 0 1 0
1 1 0 0 1 0
0 0 1 1 0 1
3.
of the output Boolean function
1
1
1
0
0
1
0
0
0
0
0
1
1
1
0
1
1
1
0
1
1
0
1
0
0
0
0
1
1
0
1
1
0
1
1
0
1
0
1
0
BEAN SPECIFICATION
BEAN is very similar to Grain in that it consists of two
shift registers and one output function, taking input from
both registers. The size of the secret key is 80 bits. While
Grain uses one LFSR and one NFSR, BEAN instead has
two FCSRs, both implemented in Fibonacci architecture.
These are denoted FCSR-I and FCSR-II, see Figure 2. An
overview of the design of BEAN is given in the design document [11]. In order to avoid any ambiguity or misinterpretation of the specification, we have also studied the implementation provided by the designers.
g∈A(n)
The correlation immunity of a Boolean function is a measure of to which degree its output is correlated to a subset
of its inputs. For an mth order correlation immune Boolean
function, the mutual information between the output and a
subset of at most m inputs is zero. If the function is balanced, it is called m-resilient.
The Walsh transform can be used to describe many properties of a Boolean function. Let x = (x1 , . . . , xn ) and
ω = (ω1 , . . . , ωn ) both belonging to {0, 1}n and x · ω =
x1 ω1 ⊕ . . . ⊕ xn ωn . The Walsh transform of f (x) is a real
valued function over {0, 1}n which is defined as
X
Wf (ω) =
(−1)f (x)⊕x·ω .
(3)
3.1
Keystream Generation
Both FCSRs are 80 bits in size, i.e., the same as the key
size. We denote the state of FCSR-I at time instance i by Bi
and correspondingly the state of FCSR-II at time instance
i by Si . Thus we have
=
(si , mis ) = (si , . . . , si+79 , mis ),
σb
bi+80
max n |Wf (ω)|.
ω∈{0,1}
A function is m-resilient if and only if its Walsh transform
satisfies Wf (ω) = 0, for 0 ≤ wt(ω) ≤ m.
The best linear approximation, `(f ), of f produces a sequence that is correlated to the output of the function as
nl(f )
1
(1 + ε),
ε = 1 − n−1 .
(4)
2
2
In a distinguishing attack, nonlinear building blocks, e.g.,
Boolean functions, are approximated by linear blocks and
some added noise. The nonlinearity nl(f ) is then a measure
of how good the best approximation is. However, linear approximations other than the best ones could be more favorable to consider due to the cipher’s internal structure. Typically, approximations with as few terms as possible might
allow an attack that is much more successful than using the
best approximation. Generalizing (4), ε for a linear approximation is given by
Pr(f (·) = `(f )) =
Wf (ω)
2n
where ω corresponds to the linear approximation, see (3).
The least number of terms in a linear approximation with
|ε| > 0 is m + 1 where m is the resiliency of the Boolean
function.
ε=
(bi , mib ) = (bi , . . . , bi+79 , mib ),
and FCSR-I is updated according to
mi+1
b
A function f is balanced if and only if Wf (0) = 0. The
nonlinearity of f is given by
1
2
=
i
S
x∈{0,1}n
nl(f ) = 2n−1 −
Bi
= bi+62 + bi+51 + bi+38 +
bi+23 + bi+13 + bi + mib ,
= σb mod 2,
jσ k
b
.
=
2
FCSR-II is updated in a similar way, but using other tap positions. The set of tap positions for the feedback for FCSR-I
are given by Tb = {17, 28, 41, 56, 66, 79} and for FCSR-II
they are given by Ts = {1, 2, 3, 78}. Thus, mb and ms are
realized using 3 and 2 bits respectively.
A Boolean function f (x1 , . . . , x6 ) is used to produce the
keystream. This is given as a 6-to-4-bit S-box in the original
description [11] but as only one bit from each word is taken
as output, it is easier to analyze it if we see it as a 6-to-1
Boolean function. The truth table of f is given in Table 1.
The keystream bits z0 , z1 , . . . are then given by
z2i
z2i+1
= f (bi+23 , bi+73 , s2i+5 , s2i+9 , s2i+29 , bi+51 ), (5)
= f (bi+23 , bi+73 , s2i+6 , s2i+10 , s2i+30 , s2i+68 ). (6)
The algebraic normal form of f is
f (·) =x1 ⊕ x4 ⊕ x1 x2 ⊕ x1 x3 ⊕ x1 x4 ⊕ x1 x5 ⊕ x2 x5 ⊕ x2 x6 ⊕
x3 x4 ⊕ x3 x5 ⊕ x3 x6 ⊕ x4 x6 ⊕ x5 x6 ⊕ x1 x2 x5 ⊕
x1 x2 x6 ⊕ x1 x3 x4 ⊕ x1 x3 x6 ⊕ x1 x4 x5 ⊕ x1 x5 x6 ⊕
x2 x3 x5 ⊕ x2 x3 x6 ⊕ x2 x4 x5 ⊕ x2 x4 x6 ⊕ x2 x5 x6 ⊕
x3 x4 x5 ⊕ x3 x4 x6 ⊕ x4 x5 x6 ⊕ x1 x2 x3 x5 ⊕ x1 x2 x3 x6 ⊕
x1 x2 x4 x5 ⊕ x1 x2 x4 x6 ⊕ x1 x2 x5 x6 ⊕ x1 x3 x4 x5 ⊕
x1 x3 x4 x6 ⊕ x1 x3 x5 x6 ⊕ x1 x4 x5 x6 ⊕
x1 x2 x3 x4 x6 ⊕ x1 x2 x4 x5 x6 .
+
d79
+
d66
+
d56
+
d41
+
d28
+
+ + + +
mb
d17
b
mod 2
d78
ms
d3 d2 d1
s
div 2
FCSR-I
mod 2 div 2
FCSR-II
f
f
z2i
z2i+1
Figure 2: An overview of BEAN. Non-zero di ’s are named next to the corresponding taps.
Algorithm 1 — BEAN Keystream Generation
Input: initialized FCSR-I and FCSR-II
Output: 2-bit keystream word
Repeat until enough keystream bits are generated {
Output an even numbered keystream bit
Update FCSR-II
Output an odd numbered keystream bit
Update FCSR-I and FCSR-II
}
Figure 3: BEAN keystream generation.
Referring to Table 1, the first two bits determine the row,
while the last four bits determine the column from which
the keystream bit is taken (the top left bit corresponds to
the all-zero input). The keystream generation algorithm is
given in Figure 3. We will sometimes refer to the function f
in the representation in Table 1 by referring to “rows” and
“columns”. This approach arises naturally as the row is always selected by B, while the column is (almost) exclusively
selected by S.
3.2
BEAN Initialization
BEAN is initialized by loading the key k = (k0 , k1 , . . . , k79 )
into the registers as
bi = ki+81 ,
i = −81, . . . , −2
si = ki+81 ,
i = −81, . . . , −2
The carries are set to mi−81
= mi−81
= 0. Then, both FCs
b
SRs are initialized by updating them 81 times. After initialization, the registers contain b0 , b1 , . . . , b79 and s0 , s1 , . . . , s79
respectively and keystream is ready to be produced according to Algorithm 1.
4.
A DISTINGUISHING ATTACK ON BEAN
In this section we give a very efficient distinguishing attack on BEAN. A distinguisher takes a stream of bits as
input and decides whether it is most likely to have been
generated by the cipher or if it looks random. Thus, it will
output either BEAN or RANDOM. In [11], the designers
performed several statistical tests, provided by NIST [13],
on the keystream. The keystream showed no deviation from
random behaviour when the tests were applied to sequences
of about 223 bits. However, these tests are generic and do
not take the internal structure of the stream cipher into account. Taking the structure into account, we show that with
as few as 217 keystream bits, a deviation from random can
be observed.
Recall the truth table of the Boolean output function
given in Table 1. We write it as f (x1 , x2 , x3 , x4 , x5 , x6 ) where
the input variables can be immediately translated to register
bits for z2i and z2i+1 in (5) and (6), respectively. Analysing
the Boolean function and its Walsh transform, the following
properties can be found.
Balanced
Algebraic Degree
Resiliency
Nonlinearity
Best Linear
Approximations
Yes
5
0
22
`1 (f ): 1 + x1 + x4 + x5 ,
`2 (f ): x2 + x3 + x5 + x6
Using `1 (f ) we can e.g., write
Pr(z2i = bi+23 ⊕ s2i+9 ⊕ s2i+29 ) =
1
10
(1 −
).
2
32
(7)
The common approach in a linear distinguishing attack
is then to find a relation in bi and si variables that sum to
zero, leaving only an expression involving keystream bits,
see e.g., [5, 8]. However, the FCSRs are nonlinearly updated and it is very difficult to find such a relation unless
the full period is considered. As the period is large, this attack is not applicable to BEAN. However, noticing that the
resiliency of the Boolean function is 0, we know that there
are biased linear approximations of weight 1. Studying the
Walsh transform of the Boolean function we find that
Pr(f (·) = x3 ⊕ 1) = Pr(z2i = s2i+5 ⊕ 1) =
1
(1 + 2−4 ) (8)
2
and, similarly,
Pr(f (·) = x5 ⊕ 1) = Pr(z2i = s2i+29 ⊕ 1) =
1
(1 + 2−4 ). (9)
2
do not claim that these are flaws in and of themselves, and
we suspect that any attacker attempting a standard brute
force would use this property: to test two keys that only
differ in k0 , we need to initialize B twice, but S only once.
Thus, during a standard brute force attack on BEAN,
one expects to perform 279 × 80 + 278 × 80 = 280 × 60 FCSR
updates. This will be the reference point in this paper: when
we claim that an attack requires e.g., time 279 , we mean that
it requires 279 ×60 FCSR updates (and some additional work
that is negligible in comparison).
False positive probability
0.4
0.3
0.2
5.1
0.1
0
214
215
216
217
218
219
220
Keystream length (bits)
Figure 4: Using the distinguisher on more amounts
of keystream material results in smaller probabilities of false positives. The decision thresholds were
chosen such that false positives and false negatives
were equally likely. Each trial was conducted over
215 different keys.
We can rewrite (8) as
Pr(z2i+24 = s2i+29 ⊕ 1) =
1
(1 + 2−4 )
2
(10)
and combine this with (9) to get
Pr(z2i = z2i+24 ) =
1
(1 + 2−8 ),
2
using the piling-up lemma [12].
A common rule of thumb, see e.g., [8], is that approximately ε−2 samples are needed in order to detect this nonrandomness and to correctly decide whether a given sequence
is drawn from the cipher distribution or a uniform distribution. Thus, our distinguishing attack requires only about
216 samples, or 217 bits, to succeed. The attack has been
simulated and the results have been verified, see Fig. 4.
5.
A STANDARD BRUTE FORCE KEY RECOVERY
In the remainder of the paper, we will derive several knownplaintext key-recovery attacks.
Before giving the details of the attacks, we need to know
the cost of the generic attack, which does not exploit the
internals of BEAN: the exhaustive search. For this reason,
we will first give a reasonable measure on the time (computations) spent in a brute force approach to find the secret
key behind a given keystream.
For this, we will consider the initialization to consist of 80
clockings. This is simply because 80 is a slightly easier number to work with than 81. This simplification has virtually
no effect on any of the measurements in this paper.
From the specification in Section 3, it can be seen that one
bit of key never affects the contents of S as d79 = 0: k0 is
thrown out of the state in the very first update without affecting the feedback. Furthermore, S never affects B. These
properties will we used in our “trivial” brute force attack. We
On Data Requirements
We assume that the key is drawn from a uniformly random
distribution. Looking at only the first bit of the keystream,
half the keys will be valid candidates. Only after looking at
80 bits of keystream can the attacker expect to find a unique
key. This, therefore, is the fundamental data requirement of
any brute force attack.
We will give several attacks which require more data. The
reasons why a cryptanalytic attack can sometimes require a
considerable amount of data are many, but one common
example is that the attacker has to wait for some special
condition to arise in the internals of the cipher. It could be,
as in the F-FCSR-H analysis [7], that the FCSR has to be in
a special state, so that it behaves very nicely to the attacker.
If such an event happens with probability 2−γ , the attacker
can expect to look at 2γ different “windows” of keystream
before the event occurs. Note that, asymptotically, the size
of the window has no effect on the data requirements. However, the attack cost has to incorporate actually looking at
all parts of the keystream, checking if we are in such a special state. For this reason it is important to find an efficient
abort rule that allows the attacker to discard a non-special
state.
In this paper, we will exploit that the keystream leaks
information about the state of the FCSRs (specifically, S).
The attacker’s strategy will be to look at a small portion
of keystream and make an informed guess on the state of
BEAN. This can be done using some very small lookup tables. The guess will be correct with some probability 2−γ
so, similar to above, we will require data 2γ , so that we can
expect the attack to succeed.
6.
A KEY RECOVERY ATTACK
In this section, we describe how structural flaws allow for
a key recovery faster than brute force, i.e., cheaper than
280 × 60 FCSR updates. The fundamental observation is
that we can brute force the 79-bit key for S before taking
care of B. To see this, let us assume that we have a guess for
Sj , meaning that we can track this FCSR for all future time.
We can then observe (z2i , z2i+1 ) and find contradictions.
Example 1. Without loss of generality, we consider 2i =
0. Let (s5 , s6 , s9 , s10 , s29 , s30 , s68 ) = (1, 0, 0, 0, 0, 0, 0). This
means that the column for z0 is picked as (1, 0, 0, ·) where
the last bit is unknown, while z1 is picked from column
(0, 0, 0, 0). If we observe z1 = 1, we can conclude that the
row is (1, 0). If we also see z0 = 1, the row cannot be (1, 0)
meaning we have a contradiction.
To summarize this example, by looking at nine bits, we can
conclude whether or not they pose a contradiction. We have
implemented a simple scheme such as this. It uses a small
lookup table of 29 bits and at average only needs to perform
Table 2: Integer representations of nine-bit vectors
of state and output that cannot appear in BEAN.
9
13
24
34
41
45
55
56
66
87
94 136 156 157
163 168 170 178 188 189 192
195 207 210 256 259 263 267
271 274 277 282 329 333 344
380 385 386 394 400 406 407
414 415 456 476 477 480 493
15 FCSR updates before rejecting a bad guess. Table 2 lists
the impossible state–output combinations that can be used
to reject guesses of S. Using the notation of Example 1,
we have vectors (s5 , s6 , s9 , s10 , s29 , s30 , s68 , z0 , z1 ). E.g., the
number 385 = (1, 0, 0, 0, 0, 0, 0, 1, 1) corresponds to the specific numerical values studied in Example 1.
We summarize the above as it is a central discovery relating to BEAN and will be used later in the paper.
Claim 1. Given keystream and a guess for Sj , the expected number of FCSR updates needed before rejecting this
guess is 20. The additional work is negligible, as it only
amounts to a small number of table lookups.
In Claim 1 we have exaggerated the expected cost of the
verification. This is for the benefit of even numbers, but can
also be seen as a buffer for implementation overhead.
There is obviously one guess which will never be rejected,
no matter how many times we update the FCSR: the correct
guess. The strategy of the attack is now clear: first guess 79
bits of S. Each individual guess is cheap to verify and once
the correct 79 bits are found, the remaining key bit is trivial
to brute force through B with additive, i.e., negligible cost.
The cost is 278 × (80 + 20) = 280 × 25 ≈ 278.7 × 60 FCSR
updates. This attack takes less than half the time of a brute
force and requires no significant amount of memory.
Since d79 = 0 in S, the remainder of this paper will use a
slightly modified definition of si :
si = (si+1 , . . . , si+79 ).
We redefine Si correspondingly. The FCSR is still the same
in a mathematical sense, only the state is one bit smaller.
7.
A TIME–DATA TRADE-OFF
The major cost of the above key recovery lies in the guess
of key for S: this requires us to perform 279 initializations of
S and some clockings in order to determine whether the state
is correct or not. We would like to be able to make better
guesswork. That is, rather than each guess succeeding with
probability 2−79 , we would like to do significantly better.
This requires us to look at keystream and make informed
guesses from it. Note that we want to guess S in the middle
of operations and cannot assume ms = 0 but have to find
these two bits as well. Thus, it appears as if we need to guess
81 bits. All in all, we aim to recover a 164-bit state faster
than 279 . To succeed with this, we need several observations
which we describe below.
7.1
Guessing S
In Section 7.3, we will show that it is straightforward to
recover B once S is known. Thus, we first investigate how
to recover S.
First, we study how to verify a guess of s and recover
ms . We simply try all four possibilities for the two bits of
carry, which allows us to track S for all future time. We can
then use Claim 1 to reject three or four guesses. Note in
particular how rejecting all four guesses costs 4 × 20 = 80
FCSR updates. The rest of this section will investigate how
we can come up with a good guess for s.
Assume we have a guess on the left-most bit of s and the
carry ms . There are in total eight such guesses. However, as
we calculate the new state using σs = si+1 + si+76 + si+77 +
si+78 + mis , knowing (si+76 , si+77 , si+78 ), we can only produce |Ts | + 1 = 5 distinct S in the next time step. Thus,
rather than guessing 79 bits and guessing the carry 4 times,
we can guess 78 bits and then the carry (rather, the rest
of the information) 5 times. As an example of this, note
that (si+1 , mis ) = (1, 1) produces the same new state as
(si+1 , mis ) = (0, 2), where we have moved the 1 from si+1
into the carry.
We can generalize the above as the following lemma. Its
precise formulation is specific to the special nature of S,
where si+0 is included neither in the update rule nor the
redefined state, but it can be easily stated for the more common type of FCSR.
Lemma 2. Let S be an FCSR of length n using taps Ts
and with state Si = (si+1 , . . . , si+n−1 , mis ). Let l = max Ts =
n − 2 and k = max Ts \{l}. For each j, 0 < j ≤ l − k
and each state (si+1 , . . . , si+j , si+j+1 , . . . , si+n−1 , mis ), there
is an equivalent state (0, . . . , 0, si+j+1 , . . . , si+n−1 , mis +
P
k
k=0,...,j−1 2 si+1+k ). The states are equivalent in the sense
that they produce the same future state
(si+j+1 , . . . , si+j+n−1 , mi+j
s ).
Thus, having guessed (si+j+1 , . . . , si+n−1 ), we can assume
si+1 = . . . = si+j = 0 and only need to find the carry
mis ∈ {0, . . . , 2 + 2j } where we have extended the set of
possible mis .
This lemma is highly applicable to S in BEAN as the first
two taps are l − k = 78 − 3 = 75 bits apart. This means
we can guess (si+76 , . . . , si+79 ), assume (si+1 , . . . , si+75 ) = 0
and then recover the equivalent carry at cost 3 + 275 ≈ 275 .
In total, this attack would require work 24 (3 + 275 ) ≈ 279 .
Obviously, the gain of applying this trick to yet another bit
quickly becomes unimpressive. Certainly, one can also claim
that 254 (3+225 ) ≈ 279 , so the marginal gain of applying this
trick to 75 rather than 25 bits is negligible.
In the following attack, we will guess 19 bits from A =
{s2i+30 , . . . , s2i+104 } with probability > 2−14.5 , brute force
the rest of that set, assume all bits in C = {s2i+26 , . . . , s2i+29 }
are zero, and recover m2i+25
at cost 3 + 24 where each cost
s
unit is 20 FCSR updates. Thus, we recover the entire S2i+25
≈ 273 and data ≈ 214.5 × 2
using time 214.5 256 (3 + 24 ) × 20
60
which is approximately 6 KiB. (The factor 2 shows up because we apply our strategy to windows of s beginning with
even numbered bits.)
7.2
Guessing 19 Bits of s
In the above, we have given all the characteristics of the
recovery of S, except a very crucial part: how to guess 19
bits of s with probability at least 2−14.5 . For this, we will
use that
Pr(f (·) = x5 ⊕ x6 ) =
1
6
38
= (1 +
),
64
2
32
(11)
as this linear approximation allows us to only involve bits of
s (cf. (7)).
Now, each time we observe a bit z2(i+n)+1 , we can make
an educated guess as to the value of s2(i+n)+30 ⊕ s2(i+n)+68 ,
thanks to (11). Due to this, we can make a correct guess on
B = {s2i+30+2n |n = 0, 1, . . . , 18} with probability
19
38
≈ 2−14.3 .
64
Indeed, the probability of making a correct guess has been
found experimentally as approximately 2−14.4 . Observe that
we brute force 56 bits from A while the other 19 bits follow
directly from these together with the keystream z.
7.3
Find B Given S
Assume that we have the correct S, so that we can track
this FCSR for all future time. Our aim is to recover B. The
strategy is to first derive about 20 bits in a window of eighty
bits of b. A concluding brute force will require guessing 63
bits, so that the total cost is negligible to the previous parts
of the attack.
Note that for z2i+1 , we know precisely which column is
used in f . There are 10 unbalanced columns in Table 1 and
with probability 41 , one of these columns uniquely identifies
a row, i.e., two bits of b. Thus we recover two bits of b with
probability
5
10 1
· =
.
16 4
32
6
More likely, with probability 16
, we can learn one bit of b,
either as a “real” bit bj , or as a parity bit bj ⊕ bk . While we
can also get non-linear equations, we ignore this here.
We have implemented this part, and have found that with
probability .5, at least 20 bits can be recovered. Similarly,
with probability .022, we recover at least 30 bits. If we are
unlucky and only recover some small number of bits from
b, we can fast-forward in S and z and make another try.
Within just a few trials, we can find enough bits to make
the total recovery cost of B negligible.
7.4
A General Conclusion
Let us use Lemma 2 on j bits. One can see that (3 +
20
2j ) 60
< 2j−1 for j > 2. If we are able to guess k of the
remaining bits with probability 2−p , we can construct an
attack that requires 2p × 2 data and time
2p 279−j−k (3 + 2j )
20
< 278+p−k .
60
As an example, above we found 19 bits with probability
2−14.5 . If we could similarly guess 30 bits with probability
2−23 , there would be an attack requiring 2 MiB of data and
time 271 . In the same fashion, there would be an attack
requiring 2 GiB and time 267 .
7.5
the state that the FCSR was put into at key loading. We
are on the cycle, while the state we are looking for is at some
tail leading into it. Nonetheless, we can expect the absolute
majority of bits to be correct. A first approach is to use
Lemma 2 to try to get the carry to be 0, but this only gives
the correct key with a low probability. We will refer to the
state of b that we reach in this way, as the key stub.
We can use this key stub as the basis for a brute force
through the register, creating key candidates: by changing more and more bits, from left to right, we eventually
reach the true key and will find that both registers, when
loaded with this key candidate, reach B3 and S3 , respectively. While the worst case scenario is that we must brute
force the entire key, simulations have shown that we can expect to find the correct key after trying ≈ 24 key candidates.
Lemma 1 really describes the worst case behaviour [3]: despite performing 235 tests, we never found a situation where
we needed to try more than 225 key candidates, which suggests that there is only some very small probability that this
part of the attack becomes non-marginal.
There are several ways of improving this step, but the cost
is already negligible compared to the state recovery.
Summarizing, we outline the complete attack in Figure 5.
We use three sets of bits,
A = {s2i+30 , . . . , s2i+104 },
B = {s2i+30+2n |n = 0, 1, . . . , 18},
C = {s2i+26 , . . . , s2i+29 }.
In order to completely formalize the attack, we would need
to introduce several indices and variables, so instead we only
give the broad picture.
Algorithm 2 — Time–Data Trade-Off Attack
Input: keystream
Output: corresponding key
Until satisfied {
Look at a window of keystream z2i , . . .
For each guess of bits in A\B
Guess bits in B using (11)
Assume all bits in C are zero
For each ms ∈ {0, . . . , 2 + 24 }
Clock S, comparing to z,
until contradiction or satisfied
}
Until satisfied {
Derive bits from B, using S and z
If at least 20 bits found: satisfied
Else: fast-forward a few clocks
}
Brute force the rest of B
Recover key as in Section 7.5
Recovering the Key
The obvious approach is to reverse the cipher from the
recovered state. By reversing both FCSRs to their respective states n + 4 = 84 states after key loading, we know
from Lemma 1 that these particular states, B3 and S3 , were
visited by the BEAN FCSRs shortly after initialization finished.
We can then revert B all the way back to B−81 . The
state we then reach was not necessarily (in fact, not likely)
Figure 5: The complete attack.
8.
PROTECTING AGAINST THE ATTACKS
We believe that a crucial part in strengthening BEAN is
selecting a better output function f . If the resiliency had
been at least one, we could not have found the very straightforward distinguisher in Section 4. Furthermore, with resiliency at least two, it would not have been possible to
involve only two bits of s in each guess as we did in (11).
It might also be necessary to let f depend on more than six
variables. A third factor to consider might be suitability for
hardware implementation.
One notable difference between BEAN and the various
incarnations of Grain is that the latter use a feed-forward
from the NFSR to the LFSR. One idea might thus be to
strengthen BEAN by adding feed-forward from S to B. However, this does not protect from any of our attacks as they
first derive S completely before turning to B. Also, doing
this would alter the behaviour of B from well-known to unknown.
We suggest that any future design includes an IV, that
can be transmitted in the clear and significantly simplifies
key management. This approach is taken in most modern
stream ciphers.
Also, one should reselect the feedback taps as there are
some unfortunate properties of the current choices:
• One initial state bit of S is completely disregarded as
79 ∈
/ Ts .
• The taps in S are clustered, as opposed to spread out
somewhat evenly (cf. B).
• The numbers q are not optimal; as indicated in Section 2.1, q should ideally have certain number theoretic
properties.
While we only exploited the first of these observations, a
serious redesign should address these potential weaknesses.
8.1
Improving the Attack
We do not claim that our approach for deriving e.g., s is
optimal. One can easily make assumptions on some bits of s,
increasing the probability of guessing correctly. By assuming
some specific configuration of d bits, which should occur with
probability 2−d , one can make more advanced guesswork
recovering the remaining bits with probability 2−e , where e
should be “small”. The data complexity would then be 2d+e ,
and we suspect that the time complexity can be lower than
what we have found in this paper. However, to find the
“optimal” attack, one needs to consider several properties
of f , bits that reoccur in the equations, and build decision
trees that allow the implementation to adapt its behaviour
to the guesses already made.
9.
CONCLUSION
We have seen that the non-linear function in BEAN, combined with other properties of the construction, allows for an
efficient distinguisher and a key-recovery faster than brute
force. We also show how access to more keystream allows
for a faster key recovery. Already at a very modest 6 KiB,
the 80-bit key is recovered in time 273 . While the distinguisher requires slightly more data, and thus is information
theoretically inferior to the distinguisher inherent in the keyrecovery attack, it is of practical time complexity, making it
interesting in its own right.
10.
ACKNOWLEDGMENT
This work was supported by the Swedish Foundation for
Strategic Research (SSF) through its Strategic Center for
High Speed Wireless Communication at Lund. The authors
are grateful for the insightful comments received from the
anonymous reviewers.
11.
REFERENCES
[1] F. Arnault and T. Berger. Design of new pseudo
random generators based on filtered FCSR automaton.
The State of the Art of Stream Ciphers, Workshop
Record, SASC 2004, Brugge, Belgium, October 2004.
[2] F. Arnault, T. Berger, and C. Lauradoux. Update on
F-FCSR stream cipher. eSTREAM, ECRYPT Stream
Cipher Project, Report 2006/025, 2006.
http://www.ecrypt.eu.org/stream.
[3] F. Arnault, T. Berger, and M. Minier. Some results on
FCSR automata with applications to the security of
FCSR-based pseudorandom generators. IEEE
Transactions on Information Theory, 54(2):836–840,
February 2008.
[4] A. Braeken and J. Lano. On the (im)possibility of
practical and secure nonlinear filters and combiners.
In B. Preneel and S. Tavares, editors, Selected Areas
in Cryptography—SAC 2005, volume 3897 of Lecture
Notes in Computer Science, pages 159–174.
Springer-Verlag, 2005.
[5] D. Coppersmith, S. Halevi, and C.S. Jutla.
Cryptanalysis of stream ciphers with linear masking.
In M. Yung, editor, Advances in
Cryptology—CRYPTO 2002, volume 2442 of Lecture
Notes in Computer Science, pages 515–532.
Springer-Verlag, 2002.
[6] S. Fischer, W. Meier, and D. Stegemann. Equivalent
representations of the F-FCSR keystream generator.
The State of the Art of Stream Ciphers, Workshop
Record, SASC 2008, Lausanne, Switzerland, February
2008.
[7] M. Hell and T. Johansson. Breaking the F-FCSR-H
stream cipher in real time. In Advances in
Cryptology—ASIACRYPT 2008, volume 5350/2008 of
Lecture Notes in Computer Science, pages 557–569.
Springer-Verlag, 2008.
[8] M. Hell, T. Johansson, and L. Brynielsson. An
overview of distinguishing attacks on stream ciphers.
Cryptography and Communications, 1(1):71–94, 2008.
[9] M. Hell, T. Johansson, and W. Meier. Grain - a
stream cipher for constrained environments.
International Journal of Wireless and Mobile
Computing, Special Issue on Security of Computer
Network and Mobile Systems., 2(1):86–93, 2006.
[10] A. Klapper and M. Goresky. Feedback shift registers,
2-adic span, and combiners with memory. Journal of
Cryptology, 10(2):111–147, 1997.
[11] N. Kumar, S. Ojha, K. Jain, and S. Lal. BEAN: a
lightweight stream cipher. In Proceedings of the 2nd
international conference on Security of information
and networks, SIN ’09, pages 168–171, New York, NY,
USA, 2009. ACM.
[12] M. Matsui. Linear cryptanalysis method for DES
cipher. In T. Helleseth, editor, Advances in
Cryptology—EUROCRYPT’93, volume 765 of Lecture
Notes in Computer Science, pages 386–397.
Springer-Verlag, 1994.
[13] NIST. A statistical test suite for random and
pseudorandom number generators for cryptographic
applications. NIST Special Publication 800-22b, 2010.
[14] N. R. Pillai and Y. K. Lather. Algebraic attack on
BEAN a lightweight stream cipher. To appear.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement