KCipher-2
KDDI R&D Laboratories Inc.
©KDDI R&D Laboratories Inc. All rights Reserved.
Introduction
- LFSR-based stream ciphers
  - Linear recurrence between internal states as a feedback polynomial.
  - LFSR-based stream ciphers have been attacked using the linear recurrence.
- In KCipher-2, a Dynamic Feedback Control mechanism is used to hide the linear recurrence.
Design policy
- Security
  - Produce sequences with a sufficient period
  - Use two different functions (NLF and Dynamic Feedback Control)
  - Satisfy 128-bit key level security
- Performance
  - Good performance for software implementation
  - Consist of basic operations
Advantages of KCipher-2
- Fast Encryption/Decryption
  - KCipher-2 suits fast software implementations
  - 128-bit keys are available
- Size of Internal State is Small
  - The size is 640 bits
- Security Margin
  - KCipher-2 is secure without the need for a DFC mechanism. The DFC mechanism is an extra security margin.
- Resistance against Existing Attacks
  - NLF is designed in consideration of attacks on SNOW 2.0 such as an algebraic attack and a distinguishing attack.
Profile of K2
- 128-bit Key
- 128-bit IV
- 640-bit state
  - 32-bit x 16 Registers (FSR-A, FSR-B)
  - 32-bit x 4 Internal Memories for NLF
- 64-bit keystream per cycle
- Max cycle without re-initialization is 2^58 cycles (2^64 keystream bits)
- The algorithm was presented in SASC 2007 workshop (Jan. 2007) -> satisfy the maturity criteria
KCipher-2
[Figure: block diagram. Labels: Registers (A), Registers (B), Feedback Controller, Feedback Function, Controlled Feedback Function, Non-Linear Function with Internal Memories, Keystream]
Use Two Functions
- Non-Linear Function (NLF) and Dynamic Feedback Control (DFC)
- NLF
  - Provide nonlinearity of output keystream
- Dynamic Feedback Control
  - Hide Linear Recurrence of FSR-B
Dynamic Feedback Control
- Control coefficients for FSR-B
[Figure: Feedback (Clock) Controller. Labels: 2 bits of FSR-A; 0, 1; 0, 1]
Dynamic Feedback Control (cont.)
- Performance
  - Do not increase the cost significantly
  - Only change a table of multiplying coefficients α_i.
- Security
  - The attacker may need to guess control bits in some attacks such as
    - Guess-and-Determine Attacks
    - Algebraic Attacks
  - Hide linear recurrence between internal states of FSR-B
  - Effective for protecting against several attacks
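
The effect of the mechanism on these two slides can be seen on a toy register pair: the example measures how often FSR-B's output satisfies one fixed linear recurrence with the controller off and on. This is an added example, not KDDI's code and not the KCipher-2 specification. The 8-bit word size, tap positions, ALPHA constants, control-bit positions and seeds are assumptions chosen for illustration.

```python
# Toy model of Dynamic Feedback Control (DFC). Assumed for illustration, not
# KCipher-2 values: 8-bit words over GF(2^8), tap positions, ALPHA constants.
ALPHA0, ALPHA1, ALPHA2, ALPHA3 = 0x09, 0x02, 0x03, 0x05

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def run_fsr_b(seed_a, seed_b, steps, dynamic):
    """Clock both registers; return every word FSR-B held, oldest first."""
    a, b = list(seed_a), list(seed_b)  # 5 + 11 = 16 registers
    out = list(b)
    for _ in range(steps):
        # Two bits of one FSR-A register act as the feedback controller.
        cl1 = (a[2] >> 6) & 1 if dynamic else 1
        cl2 = (a[2] >> 7) & 1 if dynamic else 1
        c_old = ALPHA1 if cl1 else ALPHA2  # coefficient on the oldest word
        c_mid = ALPHA3 if cl2 else 1
        new_b = gmul(c_old, b[0]) ^ b[1] ^ b[6] ^ gmul(c_mid, b[8])
        new_a = gmul(ALPHA0, a[0]) ^ a[3]
        a, b = a[1:] + [new_a], b[1:] + [new_b]
        out.append(new_b)
    return out

def fixed_recurrence_hit_rate(seq):
    """Fraction of positions that satisfy the single fixed recurrence."""
    hits = 0
    for t in range(len(seq) - 11):
        predicted = (gmul(ALPHA1, seq[t]) ^ seq[t + 1] ^ seq[t + 6]
                     ^ gmul(ALPHA3, seq[t + 8]))
        hits += predicted == seq[t + 11]
    return hits / (len(seq) - 11)

SEED_A = [0x01, 0x02, 0x80, 0x04, 0x05]  # constructed; 0x80 gives cl1=0, cl2=1
SEED_B = list(range(1, 12))              # constructed non-zero words

if __name__ == "__main__":
    for dynamic in (False, True):
        seq = run_fsr_b(SEED_A, SEED_B, 2000, dynamic)
        print("DFC on " if dynamic else "DFC off", fixed_recurrence_hit_rate(seq))
```

With the controller off every position satisfies the recurrence; with it on, the recurrence fails wherever the control bits select other coefficients, so an analysis built on that recurrence also has to account for the control bits.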
Non-Linear Function
- Four 32-bit Substitution functions are used
- Connect four internal memories via the Substitution functions
- Input six registers
- Output 64-bit keystream per cycle
- Well-evaluated structure (like SNOW)
- The number of S-boxes is twice that of SNOW
[Figure: NLF structure. Labels: LFSR-A, LFSR-B, Clock Controller, internal memories L1, L2, R1, R2, four Sub blocks, Keystream (64 bits)]
Non-Linear Function (2)
- The left part and the right part of the NLF are connected
  - Produce double-length keystream
  - Improve the security
- Left or right keystream is computed from previous memories of both sides.
- Substitution consists of well-evaluated S-boxes and a linear permutation (same as SNOW).
- Internal memories hide the relation between registers and keystream.
[Figure: NLF left and right parts. Labels: L1, L2, R1, R2, four Sub blocks, LFSR-A, LFSR-B]
Analysis of KCipher-2 Stream Cipher
- Periods
  - The period is expected to be more than the periods of output of FSR-A
- Statistical Tests
  - Evaluated output of FSR-A, FSR-B, and keystream
  - These properties were good
Security against Existing Attacks
- Time-Memory trade off: Secure
  - Lengths of IV and the secret keys are sufficiently large.
  - Internal state is sufficiently larger than the secret key
- Correlation Attack: Secure
  - No correlation that has large probability was found.
- Chosen/Related IV Attack: Secure
  - The internal state is well mixed by the initialization process.
Security against Existing Attacks (2)
- Guess-and-Determine Attack: Secure
  - In case of attacking FSR-B without multiplying α_i (i=1,2,3)
    - Assume that the attacker obtains values
    - The attacker has to guess two registers and four memories to recover all registers of FSR-B. The complexity is O(2^196)
  - However, the attacker has to guess at least two registers of FSR-A without the assumption.
    - The attack complexity is more than O(2^256)
  - Dynamic feedback makes the attack more complicated.
Security against Existing Attacks (3)
- Distinguishing Attack: Secure
[Figure: NLF diagram for the distinguishing attack. Labels: B_t, B_{t+1}, B_{t+5}, B_{t+9}, B_{t+10}, B_{t+11}; L2_t, L1_t, R1_t, R2_t; four Sub blocks; ZL_t+A_t, ZL_{t+1}+A_{t+1}, ZR_t+A_{t+4}, ZR_{t+1}+A_{t+5}; masks Γ, Λ, Φ, Ψ]
- The attacker has to use four mask values. (two masks for attacking SNOW 2.0)
- Sub consists of AES S-boxes; thus, it has a good linear property.
- We could not find a linear distinguisher with a feasible linear probability.
- Dynamic feedback prevents the attack
Security against Existing Attacks (4)
- Algebraic Attacks: Secure
  - General evaluation results were good.
  - An algebraic attack such as an attack on SNOW 2.0 is impossible, because:
    - The attacker cannot obtain a linear equation of fixed values of keystream and registers.
    - The attacker has to guess control bits of FSR-B.
Performance
- Performance on Pentium4 3.2 GHz
  - The algorithm consists of XOR, ADD, and table lookups. The performance of these computations is expected to be independent of CPU type.
- KCipher-2 (Optimal): Key. Gen. 5.45 C/Byte, Init. 1162 C/Init.
Recommended