Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by...
![Page 1: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/1.jpg)
17th March 2006, FSE 2006

Distinguishing Attacks on the Stream Cipher Py (Roo)

Speaker: Souradyuti Paul (work jointly with B. Preneel and G. Sekar)

Computer Security and Industrial Cryptography (COSIC)

Department of Electrical Engineering-ESAT

Katholieke Universiteit Leuven, Belgium

Email: Souradyuti.Paul@esat.kuleuven.be
![Page 2: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/2.jpg)
Outline

- Py and a Short History
- Description of Py
- Basic Idea of Attack and Assumptions
- Observation: Input-Output Correlation
- The Bias and the Distinguisher
- Complexities of the Attack
- Biases in other Pairs of Bits
- Conclusions and Remarks
![Page 3: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/3.jpg)
Py and the evolution of RC4

- RC4 (1987) by Rivest
- IA, IB, ISAAC (1996) by Jenkins Jr.
- RC4A (2004) by Paul and Preneel
- VMPC (2004) by Zoltak
- HC-256 (2004) by Wu
- GGHN (2005) by Gong et al.
- Py, Py6 (2005) by Biham and Seberry
- PyPy (2006) by Biham and Seberry
![Page 4: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/4.jpg)
Stage I: Key/IV set-up of Py

[Diagram: the Key (256 bits) and the IV (128 bits) pass through the Key/IV set-up algorithm (Step 1: Initialization) to produce the internal state s (32 bits), Y (260x32 bits) and P (256x8 bits).]
![Page 5: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/5.jpg)
Stage II: Keystream bytes generation of Py

[Diagram: in Rounds 1, 2, 3, ... a mixing step takes the state (s, Y, P) to (s', Y', P'), then to (s'', Y'', P''), and so on. Each round emits an output (Output 1, Output 2, Output 3, ...), which is XORed with Plaintext 1, Plaintext 2, ... to give Ciphertext 1, Ciphertext 2, ...]
![Page 6: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/6.jpg)
Single round of Py: i-th round

[Diagram: the arrays P (indices 000 to 255) and Y (indices -3 to 256) before and after the round, together with the round's two outputs O(1,i) and O(2,i).]
![Page 7: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/7.jpg)
The basic idea of our attacks and assumptions

- Assumption: Key/IV set-up is perfect
- Focus: mixing of bits in a round
- Identify: a class of internal states introducing bias in the outputs
- Observe: rest of the states do not cancel bias (reason: rigorous mixing)
- Conclude: output is biased on a randomly chosen internal state
![Page 8: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/8.jpg)
Main observation: A lucky case in the array P

[Diagram: the array P in Rounds 1, 2 and 3 for the lucky case. The marked positions are 26, 72, 116, 208 and 239; the marked entries are 1 (Round 1); X, Y and a value ≡ -18 mod 32 (Round 2); X+1, Y+1, 254 and a value ≡ 7 mod 32 (Round 3).]
![Page 9: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/9.jpg)
Outputs at 1st and 3rd rounds

[Diagram: the array Y (indices -3 to 256) at Rounds 1, 2 and 3, with the words G and H marked.]

- O(1,1) = (S XOR G) + H
- O(2,3) = (S XOR H) + G
- Bias in the lsb's: z = O(1,1)[0] XOR O(2,3)[0]
- P(z=0) = 1
![Page 10: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/10.jpg)
Quantifying the bias

- The lucky case L occurs with prob. 2^-41.9
- For the lucky case, P(z=0|L) = 1
- For the rest of the cases, we observe that P(z=0|L') = 1/2 (see the paper)
- The overall prob. P(z=0) = ½·(1 + 2^-41.9)
![Page 11: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/11.jpg)
The distinguisher (I)

[Diagram: Key/IVs are fed to Py, yielding n biased output bits z.]

- Optimal Distinguisher: if # of 0's ≥ # of 1's then Py, else Random
- The advantage is close to 0% for n = 1
- If n = 2^84.7 then the advantage is more than 50%
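The majority rule above can be evaluated exactly for small parameters. The following is an added example, not code from the talk or the paper: it computes the rule's advantage from the binomial distribution, with the advantage defined here as |P(say Py | Py) - P(say Py | random)| and with scaled-up biases (2^-4 to 2^-6, an assumption of this example) so the sums stay small. The function names are hypothetical.

```python
from math import exp, lgamma, log

def p_says_py(n, p0):
    """P(# of 0's >= # of 1's) over n independent bits z with P(z = 0) = p0."""
    total = 0.0
    for k in range((n + 1) // 2, n + 1):        # k zeros, and k >= n - k
        # log of C(n, k) * p0^k * (1 - p0)^(n - k); log space avoids underflow
        log_term = (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
                    + k * log(p0) + (n - k) * log(1.0 - p0))
        total += exp(log_term)
    return total

def advantage(n, eps):
    """Advantage of the majority rule when P(z = 0) = 1/2 + eps for the cipher."""
    return abs(p_says_py(n, 0.5 + eps) - p_says_py(n, 0.5))

if __name__ == "__main__":
    eps = 2 ** -5                               # scaled-up bias (assumption)
    for n in (1, 64, 256, 1024, 4096):
        print(f"eps=2^-5  n={n:5d}  advantage={advantage(n, eps):.4f}")
    # Holding n * eps^2 fixed keeps the advantage roughly constant, which is
    # why the number of samples needed grows like 1 / eps^2.
    for e, n in ((2 ** -4, 256), (2 ** -5, 1024), (2 ** -6, 4096)):
        print(f"n*eps^2=1  n={n:5d}  advantage={advantage(n, e):.4f}")
```

With one sample the advantage equals the bias itself; it only becomes large once n is on the order of 1/eps^2, which is what drives the sample count to the 2^84.7 range for a bias near 2^-42.9.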
![Page 12: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/12.jpg)
The distinguisher (II)

- Requirements:
  - # of Key/IV's = 2^84.7
  - key stream per Key/IV = 24 bytes
  - time = 2^84.7 · T_ini
- The distinguisher works within Py specifications with less than exhaustive search
![Page 13: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/13.jpg)
The distinguisher (III)

- A variant of the distinguisher works in a single key stream but takes longer outputs than the specified 2^64
- To reduce work load, a hybrid distinguisher with many key/IV's and less than 2^64 output bytes per Key/IV is also possible within the scope of the Py specification
![Page 14: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/14.jpg)
Bias in other pairs of bits

- O(1,1) = (S XOR G) + H
- O(2,3) = (S XOR H) + G
- Bias in the i-th bits: z = O(1,1)[i] XOR O(2,3)[i]
- P(z=0) = 1/2 + µ
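The lsb relation from the "Outputs at 1st and 3rd rounds" slide and the i-th bit relation above can be checked by exhaustive enumeration. This is an added example, not code from the talk or the paper; it assumes S, G and H are independent uniform words in the lucky case L and, for bits other than the lsb, that the non-lucky cases contribute exactly 1/2. The function names are hypothetical.

```python
from itertools import product

P_LUCKY = 2 ** -41.9    # probability of the lucky case L, as stated in the talk

def p_z0_given_lucky(i):
    """Exact P(z = 0 | L) for z = O(1,1)[i] XOR O(2,3)[i].

    Bit i of a sum depends only on bits 0..i of its operands, so enumerating
    the low i+1 bits of S, G and H covers every case (assumed uniform).
    """
    width = i + 1
    mask = (1 << width) - 1
    zeros = 0
    for s, g, h in product(range(1 << width), repeat=3):
        o11 = ((s ^ g) + h) & mask          # O(1,1) = (S XOR G) + H
        o23 = ((s ^ h) + g) & mask          # O(2,3) = (S XOR H) + G
        if (((o11 ^ o23) >> i) & 1) == 0:
            zeros += 1
    return zeros / (1 << (3 * width))

def mu(i, p_lucky=P_LUCKY):
    """Bias in P(z = 0) = 1/2 + mu, assuming P(z = 0 | not L) = 1/2 at bit i."""
    return p_lucky * (p_z0_given_lucky(i) - 0.5)

if __name__ == "__main__":
    for i in range(5):
        print(f"bit {i}: P(z=0|L) = {p_z0_given_lucky(i)}, mu = {mu(i):.3e}")
```

At the lsb no carry enters either sum, so the XOR terms cancel and P(z=0|L) = 1; at higher bits the two carry chains can disagree, and under these assumptions the conditional bias halves with each bit position.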
![Page 15: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/15.jpg)
Conclusion and remarks

- Latest News: Paul Crowley reduced the workload of the distinguisher to 2^72 by combining all the individual biased bits
- The modified version PyPy certainly does not contain this weakness
- A completely unsubstantiated personal opinion: PyPy may come under distinguishing attack with workload less than exhaustive search
![Page 16: Distinguishing Attacks on the Stream Cipher Py (Roo ......Py and the evolution of RC4 RC4 (1987) by 17th March 2006 FSE 2006 3 Rivest IA, IB, ISAAC (1996) by Jenkins Jr. RC4A (2004)](https://reader034.fdocuments.net/reader034/viewer/2022050502/5f9471a4f35e5d03ec639fa6/html5/thumbnails/16.jpg)
Thanks.