Resynchronization Attack on WG and LEX

Resynchronization Attacks on WG and LEX
Hongjun Wu and Bart Preneel
Katholieke Universiteit Leuven
ESAT/COSIC
Overview
1. Introduction to WG
2. Differential Attack on WG
3. Introduction to LEX
4. Slide Attack on LEX
KULeuven, ESAT/COSIC
2
Description of WG (1)
submission to eSTREAM
key up to 128 bits, IV up to 128 bits
hardware efficient stream cipher (profile II)
consists of
a regularly clocked LFSR over GF(2^29)
defined by p(x) = x^11 + x^10 + x^9 + x^6 + x^3 + x + γ
and a WG transform that maps GF(2^29) → GF(2)
Description of WG (2)
Keystream generation of WG
Description of WG (3)
WG Transformation
Description of WG (4)
Key and IV setup of WG (22 Steps)
Differential Attack on WG (1)
Overview of the Attack
the taps of the LFSR are poorly chosen
22 steps fail to randomize the differential propagation
at the end of the 22nd step, the differential in the
LFSR is exploited to recover the secret key
=> 48 key bits recovered with about 2^31 chosen IVs
(80-bit key and 80-bit IV)
Differential Attack on WG (2)
Attack - differential propagation in key/IV setup of WG
Differential Attack on WG (3)
Attack - differential propagation in key/IV setup of WG (Contd.)
Differential Attack on WG (4)
At the end of the 22nd step, the difference at S(10) is
S(10) is related to the first keystream bit.
Observing the values of the first keystream bits generated
from the related IV, we are able to determine whether the
value of
is 0, then we can recover 29 bits of key.
2^31 IVs for the version with 80-bit IV and 80-bit key
(details are omitted here)
Differential Attack on WG (5)
The differential attack on WG differs from the differential
attack on block ciphers:
Difference generation - change the input difference and SOME input value to generate
many different
Filtering - change OTHER input value (without modifying
) to
generate keystream bits to see whether the related keystream
bits are always identical, then to identify whether
is 0
How to Improve WG
WG designers proposed 44-step key/IV setup
=> small change
secure against the differential attack
=> but not that efficient
with properly chosen LFSR taps and output tap,
it is possible to use only 22 steps
Description of LEX (1)
submission to eSTREAM
128-bit key, 128-bit IV
software and hardware efficient (profile I & II)
Design:
based on AES OFB mode
4 bytes extracted from each round to form keystream
Description of LEX (2)
Initialization and keystream generation
Description of LEX (3)
Extracted bytes in the even and odd rounds
Slide Attack on LEX (1)
The security of LEX depends on the fact that only a
small fraction of the information is leaked
from each round
If the input to one round of LEX is known, then
the key can be recovered easily.
Slide Attack on LEX (2)
In LEX, with the same key and two IVs:
if keystream1 is a shifted version of keystream2,
then one input to AES while generating keystream1 is
equal to IV2
=> that input to AES is known
32 bits of the first round output are known
=> 32 bits of the key can be recovered easily
Slide Attack on LEX (3)
If each IV is used to generate about 500 outputs,
then with about 2^61 IVs, 3 pairs of shifted
keystreams could be observed and 96 key bits could
be recovered.
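The observation step on the three slides above is to find, among many IVs under one key, two keystreams where one is a shifted copy of the other. As an added example (not code from the paper), the detector below indexes fixed-size windows of every keystream in a hash table and reports each pair (IV_a, IV_b, shift) for which keystream_b continues keystream_a from block `shift` onward. It assumes the shift is a whole number of AES blocks of 40 bytes (10 rounds, 4 extracted bytes per round); the keystreams are constructed random bytes with one planted pair, standing in for real LEX output.

```python
import random
from collections import defaultdict

# LEX emits 4 keystream bytes per AES round, 10 rounds per block: 40 bytes per
# AES block.  A slid pair is assumed to line up on block boundaries, so the
# detector works in units of BLOCK_BYTES.
BLOCK_BYTES = 40
WINDOW_BLOCKS = 2  # index 80-byte windows; chance collisions are negligible


def find_shifted_pairs(keystreams, block_bytes=BLOCK_BYTES, window_blocks=WINDOW_BLOCKS):
    """keystreams: {iv: bytes}.  Returns a sorted list of (iv_a, iv_b, shift_blocks)
    such that keystream_b equals keystream_a shifted by shift_blocks blocks, i.e.
    keystream_a[shift*block_bytes:] and keystream_b agree on their whole overlap."""
    window = block_bytes * window_blocks
    index = defaultdict(list)  # window bytes -> [(iv, block offset)]
    for iv, ks in keystreams.items():
        for off in range(0, len(ks) - window + 1, block_bytes):
            index[ks[off:off + window]].append((iv, off // block_bytes))
    found = set()
    for iv_b, ks_b in keystreams.items():
        if len(ks_b) < window:
            continue
        # Candidate: the start of keystream_b occurs somewhere inside keystream_a.
        for iv_a, shift in index.get(ks_b[:window], ()):
            if iv_a == iv_b and shift == 0:
                continue  # every keystream trivially matches itself at offset 0
            ks_a = keystreams[iv_a][shift * block_bytes:]
            n = min(len(ks_a), len(ks_b))
            if ks_a[:n] == ks_b[:n]:  # confirm on the full overlap, not just the window
                found.add((iv_a, iv_b, shift))
    return sorted(found)


def make_sample(n_ivs=64, length=500, seed=1):
    """Constructed sample (not LEX output): random 'keystreams' for n_ivs IVs plus one
    planted slid pair, where IV 'iv_b' continues IV 'iv00' from block 3 onward."""
    rng = random.Random(seed)
    ks = {}
    for i in range(n_ivs):
        ks[b"iv%02d" % i] = bytes(rng.getrandbits(8) for _ in range(length))
    ks[b"iv_b"] = ks[b"iv00"][3 * BLOCK_BYTES:]
    return ks


if __name__ == "__main__":
    print(find_shifted_pairs(make_sample()))
```

For a reported pair, `shift` names the block of keystream_a whose AES input, by the argument on the previous slide, equals IV_b; that is the known round input the slide refers to. The same table lookup scales to the large IV counts on this slide because every window is hashed once, so the work is linear in the total keystream length.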
Slide Attack on LEX (4)
Is LEX as strong as AES counter mode?
No.
AES counter mode =>
A particular key can never be recovered faster
than brute force search
LEX =>
A particular key recovered with 2^60.8 random IVs,
20,000 bytes from each IV, faster than brute force search
How to Improve LEX
Our suggestion =>
For each LEX IV, use LEX key and LEX IV to generate
an AES key and AES IV
Conclusion (1)
Lesson from the WG design =>
Ensure that the tap distances are co-prime
in an FSR (including LFSRs over GF(2^m))
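Both the overview of the differential attack ("the taps of the LFSR are poorly chosen") and the lesson above concern tap spacing. As an added example, not code from the paper, the Python model below shows one concrete effect of repeated spacing: two equal word differences Δ placed a fixed distance apart cancel in the feedback each time they sit on a pair of taps with exactly that spacing. It follows only the linear recurrence given by WG's p(x) and ignores whatever nonlinear feedback the key/IV setup adds (the slides do not detail it); it tracks differences symbolically as XOR-sets of γ^k·Δ and treats distinct k as independent (generic γ); and it compares WG's taps with a hypothetical register whose tap spacings are all distinct, which is this example's own choice and not claimed to be primitive.

```python
from itertools import combinations

# WG's register: 11 stages S(0)..S(10) over GF(2^29), p(x) = x^11 + x^10 + x^9
# + x^6 + x^3 + x + gamma, so the word entering S(10) after a shift is
# S(10) + S(9) + S(6) + S(3) + S(1) + gamma*S(0).
WG_LINEAR_TAPS = (10, 9, 6, 3, 1)
WG_GAMMA_TAP = 0
WG_LENGTH = 11

# Hypothetical comparison register with pairwise distinct tap spacings
# (an assumption of this example, not from the paper, not claimed primitive).
ALT_LINEAR_TAPS = (9, 4, 1)
ALT_GAMMA_TAP = 0
ALT_LENGTH = 11


def repeated_distances(linear_taps):
    """{distance: multiplicity} for every spacing between two linear taps that occurs more than once."""
    counts = {}
    for a, b in combinations(sorted(linear_taps), 2):
        counts[b - a] = counts.get(b - a, 0) + 1
    return {d: n for d, n in counts.items() if n > 1}


def feedback_difference(state, linear_taps, gamma_tap):
    """XOR the symbolic differences seen by the taps.  Each stage holds a frozenset
    of integers k meaning gamma^k * Delta; equal symbols cancel (symmetric
    difference), and multiplying by gamma bumps k, so gamma*Delta never cancels Delta."""
    fb = frozenset()
    for t in linear_taps:
        fb ^= state[t]
    fb ^= frozenset(k + 1 for k in state[gamma_tap])
    return fb


def clock(state, linear_taps, gamma_tap):
    """One shift: S(i) <- S(i+1), the feedback word enters the last stage."""
    fb = feedback_difference(state, linear_taps, gamma_tap)
    return state[1:] + [fb]


def silent_clocks(linear_taps, gamma_tap, length, diff_stages, limit=22):
    """Number of clocks before Delta placed in diff_stages first reaches the feedback
    (capped at limit, the 22 setup steps on the slides)."""
    state = [frozenset() for _ in range(length)]
    for s in diff_stages:
        state[s] = frozenset({0})
    for step in range(limit):
        if feedback_difference(state, linear_taps, gamma_tap):
            return step
        state = clock(state, linear_taps, gamma_tap)
    return limit


def worst_case_silence(linear_taps, gamma_tap, length, distance, limit=22):
    """Max silent clocks over every placement of two equal differences 'distance' apart."""
    return max(silent_clocks(linear_taps, gamma_tap, length, (s, s + distance), limit)
               for s in range(length - distance))


if __name__ == "__main__":
    print("WG repeated tap spacings:", repeated_distances(WG_LINEAR_TAPS))
    print("WG, equal differences 3 apart, worst-case silent clocks:",
          worst_case_silence(WG_LINEAR_TAPS, WG_GAMMA_TAP, WG_LENGTH, 3))
    print("hypothetical register, same experiment:",
          worst_case_silence(ALT_LINEAR_TAPS, ALT_GAMMA_TAP, ALT_LENGTH, 3))
```

With WG's taps the spacing 3 occurs twice (9-6 and 6-3), so a pair of equal differences placed in S(6) and S(9) cancels at taps (9,6), travels through untapped stages, cancels again at taps (6,3), and only becomes visible to the feedback at the sixth clock; in the hypothetical register no spacing repeats and the same experiment gives at most three silent clocks. The check `repeated_distances` is the cheap design-time test this suggests: report any tap spacing that occurs more than once.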
Conclusion (2)
Lessons from the LEX design =>
1) It is better to mix the key and IV in a non-linear way, then
use the mixed values to generate the keystream
2) Try to avoid using the stream cipher key directly in the
keystream generation
(more generally, try to avoid using static secret parameters in the
keystream generation) (LEX, Salsa20, ABC, SEAL …)
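The suggestion on the "How to Improve LEX" slide and lesson 2 above say the same thing from two sides: derive a per-IV AES key and AES IV from the LEX key and IV instead of feeding the static LEX key into every keystream. As an added example (not from the paper), the Python below puts the two setups side by side and checks the property that matters for the slide attack: whether two different IVs are processed under one AES key. HMAC-SHA-256 stands in for the non-linear mixing, which the slides leave unspecified; the labels and sample values are constructed for this example.

```python
import hashlib
import hmac


def static_aes_parameters(lex_key, lex_iv):
    """LEX as described on the slides: the stream cipher key is used as the AES key
    directly, so every IV is processed under the same static secret."""
    return lex_key, lex_iv


def derived_aes_parameters(lex_key, lex_iv):
    """The suggested fix: mix LEX key and IV non-linearly into a per-IV AES key and
    AES IV.  HMAC-SHA-256 with two domain labels is this example's stand-in for
    the mixing function (an assumption, not the paper's construction)."""
    if len(lex_key) != 16 or len(lex_iv) != 16:
        raise ValueError("LEX uses a 128-bit key and a 128-bit IV")
    aes_key = hmac.new(lex_key, b"aes-key" + lex_iv, hashlib.sha256).digest()[:16]
    aes_iv = hmac.new(lex_key, b"aes-iv" + lex_iv, hashlib.sha256).digest()[:16]
    return aes_key, aes_iv


def shares_aes_key(setup, lex_key, iv1, iv2):
    """True when two IVs end up under the same AES key, i.e. when a relation between
    their keystreams (such as a slid pair) says something about a single key."""
    key1, _ = setup(lex_key, iv1)
    key2, _ = setup(lex_key, iv2)
    return key1 == key2


# Constructed sample values (not from the paper).
SAMPLE_KEY = bytes(range(16))
SAMPLE_IV1 = b"\x00" * 16
SAMPLE_IV2 = b"\x00" * 15 + b"\x01"

if __name__ == "__main__":
    print("static setup, one AES key for both IVs:",
          shares_aes_key(static_aes_parameters, SAMPLE_KEY, SAMPLE_IV1, SAMPLE_IV2))
    print("derived setup, one AES key for both IVs:",
          shares_aes_key(derived_aes_parameters, SAMPLE_KEY, SAMPLE_IV1, SAMPLE_IV2))
```

With the derived setup a slid pair of keystreams relates two unrelated AES keys, so knowing one round input for IV2 no longer exposes bits of a key that is reused across IVs; the derivation is deterministic, so both sides of a session still compute the same AES parameters from the shared LEX key and the public IV.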
Thank you!
Q&A