Specification of SNOW 3G in Cryptol
Pedro Pereira Ulisses Costa
Formal Methods in Software Engineering
March 26, 2009
Index
1 Cryptol
2 Stream Ciphers
3 Conclusion
Overview
High-level language to deal with low-level problems
Everything is a sequence
Sequences can be either finite or infinite
Primitive polymorphic functions
Information Structure can be changed easily
Recursion and sequence comprehensions ⇒ recurrence relations
Types
Cryptol
tail : {a b} [a+1]b -> [a]b;
Types are size- and bit-oriented
Sequences can have infinite size (inf)
[a]b - Polymorphism over b
Haskell
tail :: [b] -> [b]
Lists can have infinite length
[b] - Polymorphism over b
Very similar notation
Polymorphism
Type inference
Types
Types in Cryptol are size-oriented
Cryptol
drop : {a b c} (fin a,a >= 0) => (a,[a+b]c) -> [b]c
take : {a b c} (fin a,b >= 0) => (a,[a+b]c) -> [a]c
join : {a b c} [a][b]c -> [a*b]c
split : {a b c} [a*b]c -> [a][b]c
tail : {a b} [a+1]b -> [a]b
Haskell
drop :: Int -> [a] -> [a]
take :: Int -> [a] -> [a]
concat :: [[a]] -> [a] -- join in cryptol
tail :: [a] -> [a]
Language
Cryptol
fib(n) = fibs @ n
  where {
    fibs = [0 1] # [| x + y || x <- drop (1,fibs) || y <- fibs |];
  };
Haskell
fib n = fibs !! n
  where fibs = [0,1] ++ [ x + y | x <- drop 1 fibs | y <- fibs ]
Footnote: the Haskell version needs ghc -XParallelListComp.
Language
Specification
MULα(c) = (MULxPOW(c, 23, 0xA9) || MULxPOW(c, 245, 0xA9) || MULxPOW(c, 48, 0xA9) || MULxPOW(c, 239, 0xA9))
Cryptol
MULa : [8] -> [32];
MULa(c) = join ( reverse [
    ( MULxPOW(c, 23 :[32] , 0xA9) )
    ( MULxPOW(c, 245:[32] , 0xA9) )
    ( MULxPOW(c, 48 :[32] , 0xA9) )
    ( MULxPOW(c, 239:[32] , 0xA9) ) ] );
C
/* The function MUL alpha.
 * Input c: 8-bit input.
 * Output : 32-bit output.
 * See section 3.4.2 for details.
 */
u32 MULalpha(u8 c) {
    return
        ((((u32)MULxPOW(c, 23, 0xa9)) << 24) |
         (((u32)MULxPOW(c, 245, 0xa9)) << 16) |
         (((u32)MULxPOW(c, 48, 0xa9)) << 8) |
         (((u32)MULxPOW(c, 239, 0xa9))));
}
Footnote: 'reverse' is used because Cryptol stores words in little-endian.
Stream Ciphers
Characteristics
Symmetric key ciphers ⇒ same key for encryption/decryption
Typically very fast (faster than Block ciphers)
Low hardware complexity
Low memory requirements
Encryption: plaintext ⊕ keystream
Decryption: ciphertext ⊕ keystream
Tries to capture the “essence” of the theoretically unbreakable One-Time Pad
Stream Ciphers
One-Time Pad
Uses a truly random keystream
Impossible to determine any kind of relation between ciphertext and plaintext
Best attack: guessing the plaintext ⇒ Impossible to break
Ok but in reality...
The best we can do is generate a pseudo-random keystream ⇒ Statistical randomness (susceptible to attacks)
But it’s possible to make it very HARD to break
We cannot aim for theoretical security but practical security is good enough
Linear Feedback Shift Register (LFSR)
Generates a sequence of bits with near random properties
But its mathematical structure gives too much away ⇒ possible to compute its polynomial representation
S-boxes make it possible to hide its (low) linear complexity ⇒ practical security!
A simple LFSR in Cryptol
lfsr : [inf]Bit;
lfsr = [ False True False False True False True True ] #
       [| (x3 ^ x5 ^ x7)
       || x3 <- drop(3, lfsr)
       || x5 <- drop(5, lfsr)
       || x7 <- drop(7, lfsr) |];
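The Cryptol LFSR above, modelled in C as an added example (not from the original slides) to measure how much structure its output carries. The seed and taps are the ones on the slide; the function names are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define NBITS 264 /* 257 register windows of 8 bits: a state must repeat */

/* Seed from the slide, index 0 first: False True False False True False True True */
static const uint8_t SEED[8] = {0, 1, 0, 0, 1, 0, 1, 1};

/* Slide's recurrence s[k+8] = s[k+3] ^ s[k+5] ^ s[k+7], written for index i = k+8. */
void lfsr_stream(uint8_t *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        s[i] = (i < 8) ? SEED[i] : (uint8_t)(s[i - 5] ^ s[i - 3] ^ s[i - 1]);
}

/* Walk the 8-bit register states until one repeats. *mu receives the index
   where the cycle starts, *period its length. Returns 0 on success. */
int lfsr_cycle(size_t *mu, size_t *period) {
    uint8_t s[NBITS];
    int first_seen[256];
    lfsr_stream(s, NBITS);
    for (int k = 0; k < 256; k++) first_seen[k] = -1;
    for (size_t t = 0; t + 8 <= NBITS; t++) {
        unsigned state = 0;
        for (int j = 0; j < 8; j++) state = (state << 1) | s[t + j];
        if (first_seen[state] >= 0) {
            *mu = (size_t)first_seen[state];
            *period = t - *mu;
            return 0;
        }
        first_seen[state] = (int)t;
    }
    return -1;
}

/* Does the shorter relation s[i] = s[i-3] ^ s[i-4] hold on s[from..n-1]? (from >= 4) */
int short_relation_holds(const uint8_t *s, size_t from, size_t n) {
    for (size_t i = from; i < n; i++)
        if (s[i] != (s[i - 3] ^ s[i - 4])) return 0;
    return 1;
}

int main(void) {
    uint8_t s[NBITS];
    size_t mu = 0, period = 0;
    lfsr_stream(s, NBITS);
    lfsr_cycle(&mu, &period);
    printf("cycle starts at bit %zu, length %zu, short relation from bit 7: %d\n",
           mu, period, short_relation_holds(s, 7, NBITS));
    return 0;
}
```

For this seed the register enters a cycle of 15 states after 3 bits, far short of the 255 states an 8-bit register can reach, and every bit from index 7 onward also satisfies the shorter relation checked by short_relation_holds.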
Substitution boxes (S-boxes)
Lookup table of portions of bits
Reduces relation between plaintext and ciphertext (Shannon’s confusion property)
Increases resistance to different Cryptanalysis techniques
S-boxes in Cryptol
SNOW 3G
Invented at Lund University (Sweden)
Chosen as the cipher of 3GPP encryption algorithms UEA2 and UIA2
Uses a 128/256 bit key
Combination of an LFSR with a Finite State Machine (S-boxes)
Best (known) attack is exhaustive keyspace brute force (2^128) ⇒ Completely safe by today’s standards
SNOW 3G Structure
SNOW 3G Spec I - MULx
SNOW 3G Specification
MULx maps 16 bits to 8 bits. If the leftmost (i.e. the most significant) bit of V equals 1, then MULx(V, c) = (V <<_8 1) ⊕ c, else MULx(V, c) = V <<_8 1
MULx : ([8], [8]) -> [8];
MULx(v, c) = if (v ! 0) == True then (v << 1) ^ c
             else (v << 1);
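MULx from this slide, together with MULxPOW and the MULα construction from the earlier slide, as one C program. This is an added example, not the slides' or the specification's own listing: MULxPOW is written as repeated MULx, and MULx_branchless and mulx_mismatches are hypothetical helpers introduced here.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t  u8;   /* type names as in the C excerpt on the MULalpha slide */
typedef uint32_t u32;

/* MULx as the specification words it: shift left within 8 bits, then XOR
   with c if the most significant bit of V was set. */
u8 MULx(u8 V, u8 c) {
    if (V & 0x80) return (u8)((V << 1) ^ c);
    return (u8)(V << 1);
}

/* Same mapping with no branch on V (hypothetical helper, not in the spec):
   mask is 0xFF when the top bit of V is set and 0x00 otherwise. */
u8 MULx_branchless(u8 V, u8 c) {
    u8 mask = (u8)(0u - (unsigned)(V >> 7));
    return (u8)((V << 1) ^ (c & mask));
}

/* MULxPOW(V, i, c): MULx applied i times; i = 0 returns V unchanged. */
u8 MULxPOW(u8 V, u8 i, u8 c) {
    while (i--)
        V = MULx(V, c);
    return V;
}

/* MULalpha as on the slide: the first term lands in the top byte. */
u32 MULalpha(u8 c) {
    return ((u32)MULxPOW(c, 23, 0xA9) << 24) |
           ((u32)MULxPOW(c, 245, 0xA9) << 16) |
           ((u32)MULxPOW(c, 48, 0xA9) << 8) |
            (u32)MULxPOW(c, 239, 0xA9);
}

/* Count the (V, c) pairs, out of all 65536, where the two MULx forms differ. */
unsigned mulx_mismatches(void) {
    unsigned bad = 0;
    for (unsigned V = 0; V < 256; V++)
        for (unsigned c = 0; c < 256; c++)
            bad += MULx((u8)V, (u8)c) != MULx_branchless((u8)V, (u8)c);
    return bad;
}

int main(void) {
    printf("MULalpha(0x01) = 0x%08X, mismatches = %u\n",
           (unsigned)MULalpha(0x01), mulx_mismatches());
    return 0;
}
```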
SNOW 3G Spec II - Initialization
Conclusion
With Cryptol it is much easier to specify low-level algorithms
The specification is formal and easier to read
Questions
?