c ACM, 2011. This is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in SIN ’11 Proceedings of the 4th international conference on Security of information and networks (2011), http://doi.acm.org/10.1145/2070425.2070432 Cryptanalysis of the Stream Cipher BEAN Martin Ågren Martin Hell Dept. of Electrical and Information Technology, Lund University P.O. Box 118 SE-221 00 Lund, Sweden Tel: +46 46 222 38 69 Fax: +46 46 12 99 48 Dept. of Electrical and Information Technology, Lund University P.O. Box 118 SE-221 00 Lund, Sweden Tel: +46 46 222 43 53 Fax: +46 46 12 99 48 [email protected] ABSTRACT BEAN is a recent stream cipher proposal that uses Feedback with Carry Shift Registers (FCSRs) and an output function. There is a sound motivation behind the use of FCSRs in BEAN as they provide several cryptographically interesting properties. In this paper, we show that the output function is not optimal. We give an efficient distinguisher and a key recovery attack that is slightly better than brute force, requiring no significant memory. We then show how this attack can be made better with access to more keystream. Already with access to 6 KiB, the 80-bit key is recovered in time 273 . Categories and Subject Descriptors E.3 [Data Encryption]: Code Breaking General Terms Algorithms, Security 1. INTRODUCTION The Linear Feedback Shift Register (LFSR) is a common building block in stream ciphers. This is partly due to its simple implementation, in particular in hardware, but also because of the random-like properties of the produced sequences. However, the inherent linearity in the produced sequence requires the stream cipher to also include one or more nonlinear components. The properties of these components, which can be e.g., S-boxes, Boolean functions or Nonlinear Feedback Shift Registers (NFSRs), are crucial to the security of the cipher. A Feedback with Carry Shift Register (FCSR) can be seen as an alternative to an LFSR. While sharing several cryptographically important properties with LFSRs, as well as being easily implementable, these are updated nonlinearly. This nonlinear update somewhat relaxes the requirements on the other building blocks. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIN’11, November 14–19, 2011, Sydney, Australia. Copyright 2011 ACM 978-1-4503-1020-8/11/11 ...$10.00. [email protected] There have been several FCSR-based stream ciphers proposed in the literature. One notable design is F-FCSR-H [1, 2] which was selected for the final portfolio in the eSTREAM project. The hardware performance is good and the design is very simple in that it only uses a linear filter together with one FCSR. The performance of, and interest in, the FFCSR-H stream cipher have made it evident that FCSRs are attractive building blocks for stream ciphers, even though FFCSR-H was later cryptanalyzed in [7]. Another stream cipher selected for the final portfolio in eSTREAM is Grain [9]. Grain is also very simple and is based on one LFSR, one NFSR and a nonlinear Boolean output function. It can be seen as a variant of a nonlinear filter generator in which the taps to the nonlinear Boolean output function are taken from both shift registers. BEAN [11] is a more recent design, which is influenced by Grain but replaces both shift registers by FCSRs. There is a sound motivation behind this idea since the LFSR in Grain is used to provide large period and guaranteed random-like properties while the NFSR is used to provide nonlinearity. An FCSR combines both these properties, while still being very efficient in hardware. Thus, BEAN has two shift register components, both providing nonlinearity, large period and random-looking sequences. The attack on F-FCSR-H in [7] took advantage of the fact that 8 keystream bits were produced in each clocking of the register. As BEAN produces 2 keystream bits in 3 FCSR updates, that attack is not applicable to BEAN. In this paper we give two attacks on the BEAN stream cipher. While the design idea can be well-motivated, as described above, the design of the output function allows for attacks. First, we give a distinguishing attack based on the low correlation immunity order of the output function. This attack is very efficient as it can distinguish the keystream of BEAN from a random sequence using only about 217 keystream bits, or 16 KiB. Second, we give a key recovery attack that is based on information leakage in the output function. By guessing a carefully chosen subset of the state bits, a portion of the keystream can be used to verify the guess, resulting in a divide-and-conquer kind of attack on the state. We give a trade-off between computational complexity and keystream required in the attack. As an example, we can recover the state using 6 KiB of keystream and 273 computations, each computation being as complex as testing one key. With these attacks as background, we discuss the specific design choices made in the BEAN stream cipher and how m div 2 mod 2 yn−1 yn−2 d0 y1 d1 consists of two parts, one main register y0 dn−2 y = (y0 , y1 , . . . , yn−2 , yn−1 ) dn−1 σ and one memory m. The feedback is given by (d0 , d1 , . . . , dn−1 ). In each update of the FCSR, the sum σ =m+ n−1 X yi dn−i−1 i=0 Figure 1: An FCSR in Fibonacci architecture. is computed and the state is updated as the cipher can be improved in the future. Our results can thus be seen as a foundation for studying the security of BEAN-like stream ciphers. While the BEAN specification [11] is sometimes ambiguous, for example as to whether the FCSRs are really FCSRs or merely LFSRs, the reference implementation can be used to clarify such uncertainties. We have chosen a very conservative approach and always used the more secure interpretation in these cases. It is known that constructing a decent stream cipher using only LFSRs and an output function (a non-linear combiner) is practically impossible [4]. Indeed, if BEAN is implemented with LFSRs instead of FCSRs, independent work [14] has shown that it is susceptible to algebraic attacks. Similarly, correlation attacks would be a natural approach to such weakened versions. This paper deals exclusively with the stronger version of BEAN that results from always making the sane choice in case of ambiguities. This paper is organized as follows. In Section 2 we describe FCSRs and properties of Boolean functions. Section 3 describes the stream cipher BEAN, before Section 4 gives a distinguishing attack. Section 5 outlines the standard brute force attack so that we have an attack cost to compare our subsequent findings to. Section 6 then describes how to find the key slightly faster than brute force, and Section 7 introduces a time–data trade-off that needs more keystream but is significantly faster. Section 8 outlines what needs to be reconsidered in the BEAN design, before Section 9 concludes the paper. 2. PRELIMINARIES In this section we give some background theory on FCSRs and Boolean functions. This theory will later be used in our attacks. 2.1 Feedback with Carry Shift Registers A Feedback with Carry Shift Register (FCSR) is a device that computes the 2-adic expansion of the rational number p/q, with q odd. FCSRs were proposed by Klapper and Goresky and their cryptographic properties were thoroughly examined and determined in [10]. We refer to that paper for details on p-adic numbers. An FCSR can be realized using either a Galois or a Fibonacci architecture. While most previous stream cipher designs use a Galois architecture, BEAN implements the FCSRs using a Fibonacci architecture. A relation between states in the two architectures can be found in [6]. A general Fibonacci FCSR is given in Figure 1 and we will refer to this implementation type in the sequel. We will implicitly assume that any vector (v0 , v1 , . . . , vk−1 ) ∈ P i {0, 1}k is also identified by the integer k−1 i=0 vi 2 . The state m = σ div 2, y = (y1 , y2 , . . . , yn−1 , σ mod 2). (1) (2) The FCSR automaton is completely determined by the connection integer q = 1 − 2d. The size of the main register is given by n = blog(|q| + 1)c, i.e., the bit length of d. The state of the FCSR is associated with the integer p, which is given by p = m2n − n−1 k XX dj−1 yk−j 2k , k=0 j=0 where we define d−1 = −1. The output of the FCSR is then the 2-adic expansion of p/q and it can be shown, see e.g., [10], that the output is strictly periodic if and only if 0 ≤ p ≤ |q|. Let the initial state be given by p. If the state at time t corresponds to the integer p (≥ 0), then the state p0 at time t + 1 corresponds to the integer p0 = 2−1 p mod q. The output of the FCSR is given by p mod 2, and thus the tth output is given by (2−t p mod q) mod 2 if p corresponds to the initial state. If 0 < p < |q|, q odd, and q and p are coprime, then the period of the output sequence equals ordq (2). Thus, the optimal choice of q is a negative prime with 2 being a primitive root. The FCSR automaton will then produce a maximum length sequence, also known as an l-sequence. The following result [3] will be useful to us: Lemma 1. Using any FCSR of length n and starting in any state, it takes at most n + 4 FCSR updates to reach a strictly periodic state. Let Ty denote the set of register taps used when computing σ, i.e., i ∈ Ty if and only if di = 1, and let |Ty | be the cardinality of the set, i.e., the number of register taps used. It is straightforward to see, and it was formally shown in [10], that m ≤ |Ty | − 1 if the register is in a periodic state. Due to this, the carry can be realized using dlog |Ty |e bits. When we refer to an FCSR of length n, we implicitly consider its state to consist of in total n + dlog |Ty |e bits. 2.2 Boolean Function Properties We briefly review some important properties of Boolean functions. We can represent an n-variable Boolean function f (x1 , . . . , xn ) by its truth table, i.e., a binary string of length 2n , f = [f (0, 0, . . . , 0), f (0, . . . , 0, 1), f (0, . . . , 1, 0), . . . , f (1, 1, . . . , 1)]. A Boolean function f is balanced if the truth table contains an equal number of 1’s and 0’s. The Hamming weight of a binary string S is the number of ones in the string and is denoted wt(S). The Hamming distance between two strings, S1 and S2 , is denoted dH (S1 , S2 ) and is the number of places where S1 and S2 differ. A Boolean function can be represented as a polynomial over F2 , called the algebraic normal form (ANF), f (x1 , . . . , xn ) = M a0 ⊕ ai xi ⊕ 1≤i≤n M aij xi xj ⊕ . . . ⊕ a12...n x1 x2 . . . xn , 1≤i<j≤n where the coefficients a0 , aij , . . . , a12...n ∈ {0, 1}. The algebraic degree, denoted deg(f ), is the number of variables in the highest order term with non-zero coefficient. Affine Boolean functions are those with no terms of degree > 1 in the ANF. The set of all affine n-variable functions is denoted A(n). The nonlinearity of an n-variable Boolean function is the minimum distance from the set of all n-variable affine functions, nl(f ) = min (dH (f, g)). Table 1: Truth table used in BEAN. 0 0 0 1 1 0 0 1 1 0 1 0 1 1 0 0 1 0 0 0 1 1 0 1 3. of the output Boolean function 1 1 1 0 0 1 0 0 0 0 0 1 1 1 0 1 1 1 0 1 1 0 1 0 0 0 0 1 1 0 1 1 0 1 1 0 1 0 1 0 BEAN SPECIFICATION BEAN is very similar to Grain in that it consists of two shift registers and one output function, taking input from both registers. The size of the secret key is 80 bits. While Grain uses one LFSR and one NFSR, BEAN instead has two FCSRs, both implemented in Fibonacci architecture. These are denoted FCSR-I and FCSR-II, see Figure 2. An overview of the design of BEAN is given in the design document [11]. In order to avoid any ambiguity or misinterpretation of the specification, we have also studied the implementation provided by the designers. g∈A(n) The correlation immunity of a Boolean function is a measure of to which degree its output is correlated to a subset of its inputs. For an mth order correlation immune Boolean function, the mutual information between the output and a subset of at most m inputs is zero. If the function is balanced, it is called m-resilient. The Walsh transform can be used to describe many properties of a Boolean function. Let x = (x1 , . . . , xn ) and ω = (ω1 , . . . , ωn ) both belonging to {0, 1}n and x · ω = x1 ω1 ⊕ . . . ⊕ xn ωn . The Walsh transform of f (x) is a real valued function over {0, 1}n which is defined as X Wf (ω) = (−1)f (x)⊕x·ω . (3) 3.1 Keystream Generation Both FCSRs are 80 bits in size, i.e., the same as the key size. We denote the state of FCSR-I at time instance i by Bi and correspondingly the state of FCSR-II at time instance i by Si . Thus we have = (si , mis ) = (si , . . . , si+79 , mis ), σb bi+80 max n |Wf (ω)|. ω∈{0,1} A function is m-resilient if and only if its Walsh transform satisfies Wf (ω) = 0, for 0 ≤ wt(ω) ≤ m. The best linear approximation, `(f ), of f produces a sequence that is correlated to the output of the function as nl(f ) 1 (1 + ε), ε = 1 − n−1 . (4) 2 2 In a distinguishing attack, nonlinear building blocks, e.g., Boolean functions, are approximated by linear blocks and some added noise. The nonlinearity nl(f ) is then a measure of how good the best approximation is. However, linear approximations other than the best ones could be more favorable to consider due to the cipher’s internal structure. Typically, approximations with as few terms as possible might allow an attack that is much more successful than using the best approximation. Generalizing (4), ε for a linear approximation is given by Pr(f (·) = `(f )) = Wf (ω) 2n where ω corresponds to the linear approximation, see (3). The least number of terms in a linear approximation with |ε| > 0 is m + 1 where m is the resiliency of the Boolean function. ε= (bi , mib ) = (bi , . . . , bi+79 , mib ), and FCSR-I is updated according to mi+1 b A function f is balanced if and only if Wf (0) = 0. The nonlinearity of f is given by 1 2 = i S x∈{0,1}n nl(f ) = 2n−1 − Bi = bi+62 + bi+51 + bi+38 + bi+23 + bi+13 + bi + mib , = σb mod 2, jσ k b . = 2 FCSR-II is updated in a similar way, but using other tap positions. The set of tap positions for the feedback for FCSR-I are given by Tb = {17, 28, 41, 56, 66, 79} and for FCSR-II they are given by Ts = {1, 2, 3, 78}. Thus, mb and ms are realized using 3 and 2 bits respectively. A Boolean function f (x1 , . . . , x6 ) is used to produce the keystream. This is given as a 6-to-4-bit S-box in the original description [11] but as only one bit from each word is taken as output, it is easier to analyze it if we see it as a 6-to-1 Boolean function. The truth table of f is given in Table 1. The keystream bits z0 , z1 , . . . are then given by z2i z2i+1 = f (bi+23 , bi+73 , s2i+5 , s2i+9 , s2i+29 , bi+51 ), (5) = f (bi+23 , bi+73 , s2i+6 , s2i+10 , s2i+30 , s2i+68 ). (6) The algebraic normal form of f is f (·) =x1 ⊕ x4 ⊕ x1 x2 ⊕ x1 x3 ⊕ x1 x4 ⊕ x1 x5 ⊕ x2 x5 ⊕ x2 x6 ⊕ x3 x4 ⊕ x3 x5 ⊕ x3 x6 ⊕ x4 x6 ⊕ x5 x6 ⊕ x1 x2 x5 ⊕ x1 x2 x6 ⊕ x1 x3 x4 ⊕ x1 x3 x6 ⊕ x1 x4 x5 ⊕ x1 x5 x6 ⊕ x2 x3 x5 ⊕ x2 x3 x6 ⊕ x2 x4 x5 ⊕ x2 x4 x6 ⊕ x2 x5 x6 ⊕ x3 x4 x5 ⊕ x3 x4 x6 ⊕ x4 x5 x6 ⊕ x1 x2 x3 x5 ⊕ x1 x2 x3 x6 ⊕ x1 x2 x4 x5 ⊕ x1 x2 x4 x6 ⊕ x1 x2 x5 x6 ⊕ x1 x3 x4 x5 ⊕ x1 x3 x4 x6 ⊕ x1 x3 x5 x6 ⊕ x1 x4 x5 x6 ⊕ x1 x2 x3 x4 x6 ⊕ x1 x2 x4 x5 x6 . + d79 + d66 + d56 + d41 + d28 + + + + + mb d17 b mod 2 d78 ms d3 d2 d1 s div 2 FCSR-I mod 2 div 2 FCSR-II f f z2i z2i+1 Figure 2: An overview of BEAN. Non-zero di ’s are named next to the corresponding taps. Algorithm 1 — BEAN Keystream Generation Input: initialized FCSR-I and FCSR-II Output: 2-bit keystream word Repeat until enough keystream bits are generated { Output an even numbered keystream bit Update FCSR-II Output an odd numbered keystream bit Update FCSR-I and FCSR-II } Figure 3: BEAN keystream generation. Referring to Table 1, the first two bits determine the row, while the last four bits determine the column from which the keystream bit is taken (the top left bit corresponds to the all-zero input). The keystream generation algorithm is given in Figure 3. We will sometimes refer to the function f in the representation in Table 1 by referring to “rows” and “columns”. This approach arises naturally as the row is always selected by B, while the column is (almost) exclusively selected by S. 3.2 BEAN Initialization BEAN is initialized by loading the key k = (k0 , k1 , . . . , k79 ) into the registers as bi = ki+81 , i = −81, . . . , −2 si = ki+81 , i = −81, . . . , −2 The carries are set to mi−81 = mi−81 = 0. Then, both FCs b SRs are initialized by updating them 81 times. After initialization, the registers contain b0 , b1 , . . . , b79 and s0 , s1 , . . . , s79 respectively and keystream is ready to be produced according to Algorithm 1. 4. A DISTINGUISHING ATTACK ON BEAN In this section we give a very efficient distinguishing attack on BEAN. A distinguisher takes a stream of bits as input and decides whether it is most likely to have been generated by the cipher or if it looks random. Thus, it will output either BEAN or RANDOM. In [11], the designers performed several statistical tests, provided by NIST [13], on the keystream. The keystream showed no deviation from random behaviour when the tests were applied to sequences of about 223 bits. However, these tests are generic and do not take the internal structure of the stream cipher into account. Taking the structure into account, we show that with as few as 217 keystream bits, a deviation from random can be observed. Recall the truth table of the Boolean output function given in Table 1. We write it as f (x1 , x2 , x3 , x4 , x5 , x6 ) where the input variables can be immediately translated to register bits for z2i and z2i+1 in (5) and (6), respectively. Analysing the Boolean function and its Walsh transform, the following properties can be found. Balanced Algebraic Degree Resiliency Nonlinearity Best Linear Approximations Yes 5 0 22 `1 (f ): 1 + x1 + x4 + x5 , `2 (f ): x2 + x3 + x5 + x6 Using `1 (f ) we can e.g., write Pr(z2i = bi+23 ⊕ s2i+9 ⊕ s2i+29 ) = 1 10 (1 − ). 2 32 (7) The common approach in a linear distinguishing attack is then to find a relation in bi and si variables that sum to zero, leaving only an expression involving keystream bits, see e.g., [5, 8]. However, the FCSRs are nonlinearly updated and it is very difficult to find such a relation unless the full period is considered. As the period is large, this attack is not applicable to BEAN. However, noticing that the resiliency of the Boolean function is 0, we know that there are biased linear approximations of weight 1. Studying the Walsh transform of the Boolean function we find that Pr(f (·) = x3 ⊕ 1) = Pr(z2i = s2i+5 ⊕ 1) = 1 (1 + 2−4 ) (8) 2 and, similarly, Pr(f (·) = x5 ⊕ 1) = Pr(z2i = s2i+29 ⊕ 1) = 1 (1 + 2−4 ). (9) 2 do not claim that these are flaws in and of themselves, and we suspect that any attacker attempting a standard brute force would use this property: to test two keys that only differ in k0 , we need to initialize B twice, but S only once. Thus, during a standard brute force attack on BEAN, one expects to perform 279 × 80 + 278 × 80 = 280 × 60 FCSR updates. This will be the reference point in this paper: when we claim that an attack requires e.g., time 279 , we mean that it requires 279 ×60 FCSR updates (and some additional work that is negligible in comparison). False positive probability 0.4 0.3 0.2 5.1 0.1 0 214 215 216 217 218 219 220 Keystream length (bits) Figure 4: Using the distinguisher on more amounts of keystream material results in smaller probabilities of false positives. The decision thresholds were chosen such that false positives and false negatives were equally likely. Each trial was conducted over 215 different keys. We can rewrite (8) as Pr(z2i+24 = s2i+29 ⊕ 1) = 1 (1 + 2−4 ) 2 (10) and combine this with (9) to get Pr(z2i = z2i+24 ) = 1 (1 + 2−8 ), 2 using the piling-up lemma [12]. A common rule of thumb, see e.g., [8], is that approximately ε−2 samples are needed in order to detect this nonrandomness and to correctly decide whether a given sequence is drawn from the cipher distribution or a uniform distribution. Thus, our distinguishing attack requires only about 216 samples, or 217 bits, to succeed. The attack has been simulated and the results have been verified, see Fig. 4. 5. A STANDARD BRUTE FORCE KEY RECOVERY In the remainder of the paper, we will derive several knownplaintext key-recovery attacks. Before giving the details of the attacks, we need to know the cost of the generic attack, which does not exploit the internals of BEAN: the exhaustive search. For this reason, we will first give a reasonable measure on the time (computations) spent in a brute force approach to find the secret key behind a given keystream. For this, we will consider the initialization to consist of 80 clockings. This is simply because 80 is a slightly easier number to work with than 81. This simplification has virtually no effect on any of the measurements in this paper. From the specification in Section 3, it can be seen that one bit of key never affects the contents of S as d79 = 0: k0 is thrown out of the state in the very first update without affecting the feedback. Furthermore, S never affects B. These properties will we used in our “trivial” brute force attack. We On Data Requirements We assume that the key is drawn from a uniformly random distribution. Looking at only the first bit of the keystream, half the keys will be valid candidates. Only after looking at 80 bits of keystream can the attacker expect to find a unique key. This, therefore, is the fundamental data requirement of any brute force attack. We will give several attacks which require more data. The reasons why a cryptanalytic attack can sometimes require a considerable amount of data are many, but one common example is that the attacker has to wait for some special condition to arise in the internals of the cipher. It could be, as in the F-FCSR-H analysis [7], that the FCSR has to be in a special state, so that it behaves very nicely to the attacker. If such an event happens with probability 2−γ , the attacker can expect to look at 2γ different “windows” of keystream before the event occurs. Note that, asymptotically, the size of the window has no effect on the data requirements. However, the attack cost has to incorporate actually looking at all parts of the keystream, checking if we are in such a special state. For this reason it is important to find an efficient abort rule that allows the attacker to discard a non-special state. In this paper, we will exploit that the keystream leaks information about the state of the FCSRs (specifically, S). The attacker’s strategy will be to look at a small portion of keystream and make an informed guess on the state of BEAN. This can be done using some very small lookup tables. The guess will be correct with some probability 2−γ so, similar to above, we will require data 2γ , so that we can expect the attack to succeed. 6. A KEY RECOVERY ATTACK In this section, we describe how structural flaws allow for a key recovery faster than brute force, i.e., cheaper than 280 × 60 FCSR updates. The fundamental observation is that we can brute force the 79-bit key for S before taking care of B. To see this, let us assume that we have a guess for Sj , meaning that we can track this FCSR for all future time. We can then observe (z2i , z2i+1 ) and find contradictions. Example 1. Without loss of generality, we consider 2i = 0. Let (s5 , s6 , s9 , s10 , s29 , s30 , s68 ) = (1, 0, 0, 0, 0, 0, 0). This means that the column for z0 is picked as (1, 0, 0, ·) where the last bit is unknown, while z1 is picked from column (0, 0, 0, 0). If we observe z1 = 1, we can conclude that the row is (1, 0). If we also see z0 = 1, the row cannot be (1, 0) meaning we have a contradiction. To summarize this example, by looking at nine bits, we can conclude whether or not they pose a contradiction. We have implemented a simple scheme such as this. It uses a small lookup table of 29 bits and at average only needs to perform Table 2: Integer representations of nine-bit vectors of state and output that cannot appear in BEAN. 9 13 24 34 41 45 55 56 66 87 94 136 156 157 163 168 170 178 188 189 192 195 207 210 256 259 263 267 271 274 277 282 329 333 344 380 385 386 394 400 406 407 414 415 456 476 477 480 493 15 FCSR updates before rejecting a bad guess. Table 2 lists the impossible state–output combinations that can be used to reject guesses of S. Using the notation of Example 1, we have vectors (s5 , s6 , s9 , s10 , s29 , s30 , s68 , z0 , z1 ). E.g., the number 385 = (1, 0, 0, 0, 0, 0, 0, 1, 1) corresponds to the specific numerical values studied in Example 1. We summarize the above as it is a central discovery relating to BEAN and will be used later in the paper. Claim 1. Given keystream and a guess for Sj , the expected number of FCSR updates needed before rejecting this guess is 20. The additional work is negligible, as it only amounts to a small number of table lookups. In Claim 1 we have exaggerated the expected cost of the verification. This is for the benefit of even numbers, but can also be seen as a buffer for implementation overhead. There is obviously one guess which will never be rejected, no matter how many times we update the FCSR: the correct guess. The strategy of the attack is now clear: first guess 79 bits of S. Each individual guess is cheap to verify and once the correct 79 bits are found, the remaining key bit is trivial to brute force through B with additive, i.e., negligible cost. The cost is 278 × (80 + 20) = 280 × 25 ≈ 278.7 × 60 FCSR updates. This attack takes less than half the time of a brute force and requires no significant amount of memory. Since d79 = 0 in S, the remainder of this paper will use a slightly modified definition of si : si = (si+1 , . . . , si+79 ). We redefine Si correspondingly. The FCSR is still the same in a mathematical sense, only the state is one bit smaller. 7. A TIME–DATA TRADE-OFF The major cost of the above key recovery lies in the guess of key for S: this requires us to perform 279 initializations of S and some clockings in order to determine whether the state is correct or not. We would like to be able to make better guesswork. That is, rather than each guess succeeding with probability 2−79 , we would like to do significantly better. This requires us to look at keystream and make informed guesses from it. Note that we want to guess S in the middle of operations and cannot assume ms = 0 but have to find these two bits as well. Thus, it appears as if we need to guess 81 bits. All in all, we aim to recover a 164-bit state faster than 279 . To succeed with this, we need several observations which we describe below. 7.1 Guessing S In Section 7.3, we will show that it is straightforward to recover B once S is known. Thus, we first investigate how to recover S. First, we study how to verify a guess of s and recover ms . We simply try all four possibilities for the two bits of carry, which allows us to track S for all future time. We can then use Claim 1 to reject three or four guesses. Note in particular how rejecting all four guesses costs 4 × 20 = 80 FCSR updates. The rest of this section will investigate how we can come up with a good guess for s. Assume we have a guess on the left-most bit of s and the carry ms . There are in total eight such guesses. However, as we calculate the new state using σs = si+1 + si+76 + si+77 + si+78 + mis , knowing (si+76 , si+77 , si+78 ), we can only produce |Ts | + 1 = 5 distinct S in the next time step. Thus, rather than guessing 79 bits and guessing the carry 4 times, we can guess 78 bits and then the carry (rather, the rest of the information) 5 times. As an example of this, note that (si+1 , mis ) = (1, 1) produces the same new state as (si+1 , mis ) = (0, 2), where we have moved the 1 from si+1 into the carry. We can generalize the above as the following lemma. Its precise formulation is specific to the special nature of S, where si+0 is included neither in the update rule nor the redefined state, but it can be easily stated for the more common type of FCSR. Lemma 2. Let S be an FCSR of length n using taps Ts and with state Si = (si+1 , . . . , si+n−1 , mis ). Let l = max Ts = n − 2 and k = max Ts \{l}. For each j, 0 < j ≤ l − k and each state (si+1 , . . . , si+j , si+j+1 , . . . , si+n−1 , mis ), there is an equivalent state (0, . . . , 0, si+j+1 , . . . , si+n−1 , mis + P k k=0,...,j−1 2 si+1+k ). The states are equivalent in the sense that they produce the same future state (si+j+1 , . . . , si+j+n−1 , mi+j s ). Thus, having guessed (si+j+1 , . . . , si+n−1 ), we can assume si+1 = . . . = si+j = 0 and only need to find the carry mis ∈ {0, . . . , 2 + 2j } where we have extended the set of possible mis . This lemma is highly applicable to S in BEAN as the first two taps are l − k = 78 − 3 = 75 bits apart. This means we can guess (si+76 , . . . , si+79 ), assume (si+1 , . . . , si+75 ) = 0 and then recover the equivalent carry at cost 3 + 275 ≈ 275 . In total, this attack would require work 24 (3 + 275 ) ≈ 279 . Obviously, the gain of applying this trick to yet another bit quickly becomes unimpressive. Certainly, one can also claim that 254 (3+225 ) ≈ 279 , so the marginal gain of applying this trick to 75 rather than 25 bits is negligible. In the following attack, we will guess 19 bits from A = {s2i+30 , . . . , s2i+104 } with probability > 2−14.5 , brute force the rest of that set, assume all bits in C = {s2i+26 , . . . , s2i+29 } are zero, and recover m2i+25 at cost 3 + 24 where each cost s unit is 20 FCSR updates. Thus, we recover the entire S2i+25 ≈ 273 and data ≈ 214.5 × 2 using time 214.5 256 (3 + 24 ) × 20 60 which is approximately 6 KiB. (The factor 2 shows up because we apply our strategy to windows of s beginning with even numbered bits.) 7.2 Guessing 19 Bits of s In the above, we have given all the characteristics of the recovery of S, except a very crucial part: how to guess 19 bits of s with probability at least 2−14.5 . For this, we will use that Pr(f (·) = x5 ⊕ x6 ) = 1 6 38 = (1 + ), 64 2 32 (11) as this linear approximation allows us to only involve bits of s (cf. (7)). Now, each time we observe a bit z2(i+n)+1 , we can make an educated guess as to the value of s2(i+n)+30 ⊕ s2(i+n)+68 , thanks to (11). Due to this, we can make a correct guess on B = {s2i+30+2n |n = 0, 1, . . . , 18} with probability 19 38 ≈ 2−14.3 . 64 Indeed, the probability of making a correct guess has been found experimentally as approximately 2−14.4 . Observe that we brute force 56 bits from A while the other 19 bits follow directly from these together with the keystream z. 7.3 Find B Given S Assume that we have the correct S, so that we can track this FCSR for all future time. Our aim is to recover B. The strategy is to first derive about 20 bits in a window of eighty bits of b. A concluding brute force will require guessing 63 bits, so that the total cost is negligible to the previous parts of the attack. Note that for z2i+1 , we know precisely which column is used in f . There are 10 unbalanced columns in Table 1 and with probability 41 , one of these columns uniquely identifies a row, i.e., two bits of b. Thus we recover two bits of b with probability 5 10 1 · = . 16 4 32 6 More likely, with probability 16 , we can learn one bit of b, either as a “real” bit bj , or as a parity bit bj ⊕ bk . While we can also get non-linear equations, we ignore this here. We have implemented this part, and have found that with probability .5, at least 20 bits can be recovered. Similarly, with probability .022, we recover at least 30 bits. If we are unlucky and only recover some small number of bits from b, we can fast-forward in S and z and make another try. Within just a few trials, we can find enough bits to make the total recovery cost of B negligible. 7.4 A General Conclusion Let us use Lemma 2 on j bits. One can see that (3 + 20 2j ) 60 < 2j−1 for j > 2. If we are able to guess k of the remaining bits with probability 2−p , we can construct an attack that requires 2p × 2 data and time 2p 279−j−k (3 + 2j ) 20 < 278+p−k . 60 As an example, above we found 19 bits with probability 2−14.5 . If we could similarly guess 30 bits with probability 2−23 , there would be an attack requiring 2 MiB of data and time 271 . In the same fashion, there would be an attack requiring 2 GiB and time 267 . 7.5 the state that the FCSR was put into at key loading. We are on the cycle, while the state we are looking for is at some tail leading into it. Nonetheless, we can expect the absolute majority of bits to be correct. A first approach is to use Lemma 2 to try to get the carry to be 0, but this only gives the correct key with a low probability. We will refer to the state of b that we reach in this way, as the key stub. We can use this key stub as the basis for a brute force through the register, creating key candidates: by changing more and more bits, from left to right, we eventually reach the true key and will find that both registers, when loaded with this key candidate, reach B3 and S3 , respectively. While the worst case scenario is that we must brute force the entire key, simulations have shown that we can expect to find the correct key after trying ≈ 24 key candidates. Lemma 1 really describes the worst case behaviour [3]: despite performing 235 tests, we never found a situation where we needed to try more than 225 key candidates, which suggests that there is only some very small probability that this part of the attack becomes non-marginal. There are several ways of improving this step, but the cost is already negligible compared to the state recovery. Summarizing, we outline the complete attack in Figure 5. We use three sets of bits, A = {s2i+30 , . . . , s2i+104 }, B = {s2i+30+2n |n = 0, 1, . . . , 18}, C = {s2i+26 , . . . , s2i+29 }. In order to completely formalize the attack, we would need to introduce several indices and variables, so instead we only give the broad picture. Algorithm 2 — Time–Data Trade-Off Attack Input: keystream Output: corresponding key Until satisfied { Look at a window of keystream z2i , . . . For each guess of bits in A\B Guess bits in B using (11) Assume all bits in C are zero For each ms ∈ {0, . . . , 2 + 24 } Clock S, comparing to z, until contradiction or satisfied } Until satisfied { Derive bits from B, using S and z If at least 20 bits found: satisfied Else: fast-forward a few clocks } Brute force the rest of B Recover key as in Section 7.5 Recovering the Key The obvious approach is to reverse the cipher from the recovered state. By reversing both FCSRs to their respective states n + 4 = 84 states after key loading, we know from Lemma 1 that these particular states, B3 and S3 , were visited by the BEAN FCSRs shortly after initialization finished. We can then revert B all the way back to B−81 . The state we then reach was not necessarily (in fact, not likely) Figure 5: The complete attack. 8. PROTECTING AGAINST THE ATTACKS We believe that a crucial part in strengthening BEAN is selecting a better output function f . If the resiliency had been at least one, we could not have found the very straightforward distinguisher in Section 4. Furthermore, with resiliency at least two, it would not have been possible to involve only two bits of s in each guess as we did in (11). It might also be necessary to let f depend on more than six variables. A third factor to consider might be suitability for hardware implementation. One notable difference between BEAN and the various incarnations of Grain is that the latter use a feed-forward from the NFSR to the LFSR. One idea might thus be to strengthen BEAN by adding feed-forward from S to B. However, this does not protect from any of our attacks as they first derive S completely before turning to B. Also, doing this would alter the behaviour of B from well-known to unknown. We suggest that any future design includes an IV, that can be transmitted in the clear and significantly simplifies key management. This approach is taken in most modern stream ciphers. Also, one should reselect the feedback taps as there are some unfortunate properties of the current choices: • One initial state bit of S is completely disregarded as 79 ∈ / Ts . • The taps in S are clustered, as opposed to spread out somewhat evenly (cf. B). • The numbers q are not optimal; as indicated in Section 2.1, q should ideally have certain number theoretic properties. While we only exploited the first of these observations, a serious redesign should address these potential weaknesses. 8.1 Improving the Attack We do not claim that our approach for deriving e.g., s is optimal. One can easily make assumptions on some bits of s, increasing the probability of guessing correctly. By assuming some specific configuration of d bits, which should occur with probability 2−d , one can make more advanced guesswork recovering the remaining bits with probability 2−e , where e should be “small”. The data complexity would then be 2d+e , and we suspect that the time complexity can be lower than what we have found in this paper. However, to find the “optimal” attack, one needs to consider several properties of f , bits that reoccur in the equations, and build decision trees that allow the implementation to adapt its behaviour to the guesses already made. 9. CONCLUSION We have seen that the non-linear function in BEAN, combined with other properties of the construction, allows for an efficient distinguisher and a key-recovery faster than brute force. We also show how access to more keystream allows for a faster key recovery. Already at a very modest 6 KiB, the 80-bit key is recovered in time 273 . While the distinguisher requires slightly more data, and thus is information theoretically inferior to the distinguisher inherent in the keyrecovery attack, it is of practical time complexity, making it interesting in its own right. 10. ACKNOWLEDGMENT This work was supported by the Swedish Foundation for Strategic Research (SSF) through its Strategic Center for High Speed Wireless Communication at Lund. The authors are grateful for the insightful comments received from the anonymous reviewers. 11. REFERENCES [1] F. Arnault and T. Berger. Design of new pseudo random generators based on filtered FCSR automaton. The State of the Art of Stream Ciphers, Workshop Record, SASC 2004, Brugge, Belgium, October 2004. [2] F. Arnault, T. Berger, and C. Lauradoux. Update on F-FCSR stream cipher. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/025, 2006. http://www.ecrypt.eu.org/stream. [3] F. Arnault, T. Berger, and M. Minier. Some results on FCSR automata with applications to the security of FCSR-based pseudorandom generators. IEEE Transactions on Information Theory, 54(2):836–840, February 2008. [4] A. Braeken and J. Lano. On the (im)possibility of practical and secure nonlinear filters and combiners. In B. Preneel and S. Tavares, editors, Selected Areas in Cryptography—SAC 2005, volume 3897 of Lecture Notes in Computer Science, pages 159–174. Springer-Verlag, 2005. [5] D. Coppersmith, S. Halevi, and C.S. Jutla. Cryptanalysis of stream ciphers with linear masking. In M. Yung, editor, Advances in Cryptology—CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 515–532. Springer-Verlag, 2002. [6] S. Fischer, W. Meier, and D. Stegemann. Equivalent representations of the F-FCSR keystream generator. The State of the Art of Stream Ciphers, Workshop Record, SASC 2008, Lausanne, Switzerland, February 2008. [7] M. Hell and T. Johansson. Breaking the F-FCSR-H stream cipher in real time. In Advances in Cryptology—ASIACRYPT 2008, volume 5350/2008 of Lecture Notes in Computer Science, pages 557–569. Springer-Verlag, 2008. [8] M. Hell, T. Johansson, and L. Brynielsson. An overview of distinguishing attacks on stream ciphers. Cryptography and Communications, 1(1):71–94, 2008. [9] M. Hell, T. Johansson, and W. Meier. Grain - a stream cipher for constrained environments. International Journal of Wireless and Mobile Computing, Special Issue on Security of Computer Network and Mobile Systems., 2(1):86–93, 2006. [10] A. Klapper and M. Goresky. Feedback shift registers, 2-adic span, and combiners with memory. Journal of Cryptology, 10(2):111–147, 1997. [11] N. Kumar, S. Ojha, K. Jain, and S. Lal. BEAN: a lightweight stream cipher. In Proceedings of the 2nd international conference on Security of information and networks, SIN ’09, pages 168–171, New York, NY, USA, 2009. ACM. [12] M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, Advances in Cryptology—EUROCRYPT’93, volume 765 of Lecture Notes in Computer Science, pages 386–397. Springer-Verlag, 1994. [13] NIST. A statistical test suite for random and pseudorandom number generators for cryptographic applications. NIST Special Publication 800-22b, 2010. [14] N. R. Pillai and Y. K. Lather. Algebraic attack on BEAN a lightweight stream cipher. To appear.

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement