KCipher-2
KDDI R&D Laboratories Inc.
Introduction
- LFSR-based stream ciphers
  - The linear recurrence between internal states is expressed as a feedback polynomial.
  - LFSR-based stream ciphers have been attacked using the linear recurrence.
- In KCipher-2, a Dynamic Feedback Control mechanism is used to hide the linear recurrence.
©KDDI R&D Laboratories Inc. All rights Reserved.
Design policy
- Security
  - Produce sequences with a sufficient period
  - Use two different functions (NLF and Dynamic Feedback Control)
  - Satisfy 128-bit key level security
- Performance
  - Good performance for software implementation
  - Consist of basic operations
Advantages of KCipher-2
- Fast Encryption/Decryption
  - KCipher-2 suits fast software implementations
  - 128-bit keys are available
- Size of Internal State is Small
  - The size is 640 bits
- Security Margin
  - KCipher-2 is secure without the need for a DFC mechanism. The DFC mechanism is an extra security margin.
- Resistance against Existing Attacks
  - NLF is designed in consideration of attacks on SNOW 2.0 such as an algebraic attack and a distinguishing attack.
Profile of K2
- 128-bit key
- 128-bit IV
- 640-bit state
  - 32-bit x 16 registers (FSR-A, FSR-B)
  - 32-bit x 4 internal memories for NLF
- 64-bit keystream per cycle
- Max cycle without re-initialization is 2^58 cycles (2^64 keystream bits)
- The algorithm was presented at the SASC 2007 workshop (Jan. 2007) -> satisfies the maturity criteria
KCipher-2
[Figure: block diagram. Feedback Function with Registers (A); Feedback Controller; Controlled Feedback Function with Registers (B); Non-Linear Function with Internal Memories; Keystream.]
Use Two Functions
- Non-Linear Function (NLF) and Dynamic Feedback Control (DFC)
- NLF
  - Provides nonlinearity of the output keystream
- Dynamic Feedback Control
  - Hides the linear recurrence of FSR-B
Dynamic Feedback Control
- Control coefficients for FSR-B
[Figure: Feedback (Clock) Controller driven by 2 bits of FSR-A; coefficient labels α1, α2, α3 with selector values 0, 1.]
Dynamic Feedback Control (cont.)
- Performance
  - Does not increase the cost significantly
  - Only changes a table of multiplying coefficients α_i.
- Security
  - The attacker may need to guess control bits in some attacks such as
    - Guess-and-Determine Attacks
    - Algebraic Attacks
  - Hides the linear recurrence between internal states of FSR-B
  - Effective for protecting against several attacks
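A toy bit-level model of the dynamic feedback idea on the two slides above, added here as an illustration; it is not KCipher-2 and not KDDI's code. Two bits of a 5-bit register A switch taps of an 11-bit register B, and Berlekamp-Massey measures the shortest linear recurrence that reproduces B's output. Register sizes, tap positions, seeds and function names are assumptions chosen for the demonstration.

```python
# Toy model (constructed for illustration; NOT the KCipher-2 algorithm).
def fsr_b_output(n, dynamic):
    """Return n output bits of toy register B, with or without dynamic feedback."""
    a = [1, 0, 0, 1, 1]                      # toy FSR-A seed (constructed)
    b = [1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1]    # toy FSR-B seed (constructed)
    out = []
    for _ in range(n):
        out.append(b[0])
        # Two bits of A act as control bits; in static mode they are forced to 0.
        cl1, cl2 = (a[2], a[4]) if dynamic else (0, 0)
        fb_b = b[0] ^ b[1] ^ b[6] ^ (cl1 & b[4]) ^ (cl2 & b[8])
        fb_a = a[0] ^ a[3]                   # A itself is a plain LFSR
        a = a[1:] + [fb_a]
        b = b[1:] + [fb_b]
    return out


def linear_complexity(s):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating s."""
    n = len(s)
    c, prev = [0] * n, [0] * n               # current and previous connection polys
    c[0] = prev[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = s[i]                             # discrepancy against current recurrence
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            saved = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= prev[j]
            if 2 * L <= i:
                L, m, prev = i + 1 - L, i, saved
    return L


if __name__ == "__main__":
    print("static feedback :", linear_complexity(fsr_b_output(1000, False)))
    print("dynamic feedback:", linear_complexity(fsr_b_output(1000, True)))
```

With static feedback the output obeys a recurrence no longer than register B itself; with the control bits active, no recurrence of that length fits. The toy exposes B's raw output, whereas the slides describe a cipher that additionally passes register values through the NLF.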
Non-Linear Function
- Four 32-bit substitution functions are used
- Connects four internal memories via the substitution functions
- Inputs six registers
- Outputs 64-bit keystream per cycle
- Well-evaluated structure (like SNOW)
- The number of S-boxes is twice that of SNOW
[Figure: NLF structure showing LFSR-A, Clock Controller, LFSR-B, internal memories L1, L2, R1, R2, four Sub blocks, and Keystream (64 bits).]
Non-Linear Function (2)
- The left part and right part of the NLF are connected
  - Produce double-length keystream
  - Improve the security
- Left or right keystream is computed from previous memories of both sides.
- Substitution consists of well-evaluated S-boxes and a linear permutation (same as SNOW).
- Internal memories hide the relation between registers and keystream.
[Figure: left and right halves of the NLF with LFSR-A and LFSR-B inputs, internal memories L1, L2, R1, R2, and four Sub blocks.]
Analysis of KCipher-2 Stream Cipher
- Periods
  - The period is expected to be more than the period of the output of FSR-A
- Statistical Tests
  - Evaluated output of FSR-A, FSR-B, and keystream
  - These properties were good
Security against Existing Attacks
- Time-Memory Trade-off: Secure
  - Lengths of the IV and the secret key are sufficiently large.
  - Internal state is sufficiently larger than the secret key
- Correlation Attack: Secure
  - No correlation that has large probability was found.
- Chosen/Related IV Attack: Secure
  - The internal state is well mixed by the initialization process.
Security against Existing Attacks (2)
- Guess-and-Determine Attack: Secure
  - In case of attacking FSR-B without multiplying α_i (i=1,2,3)
    - Assume that the attacker obtains values
    - The attacker has to guess two registers and four memories to recover all registers of FSR-B. The complexity is O(2^196)
  - However, the attacker has to guess at least two registers of FSR-A without the assumption.
    - The attack is more than O(2^256)
  - Dynamic feedback makes the attack more complicated.
Security against Existing Attacks (3)
- Distinguishing Attack: Secure
  - The attacker has to use four mask values (two masks for attacking SNOW 2.0).
  - Sub consists of AES S-boxes; thus, it has a good linear property.
  - We could not find a linear distinguisher with a feasible linear probability.
  - Dynamic feedback prevents the attack
[Figure: NLF diagram for the distinguishing-attack analysis, with registers B_t, B_{t+1}, B_{t+5}, B_{t+9}, B_{t+10}, B_{t+11}, memories L1_t, L2_t, R1_t, R2_t, four Sub blocks, and outputs ZL_t + A_t and ZL_{t+1} + A_{t+1}.]
Security against Existing Attacks (4)
- Algebraic Attacks: Secure
  - General evaluation results were good.
  - An algebraic attack such as an attack on SNOW 2.0 is impossible, because:
    - The attacker cannot obtain a linear equation of fixed values of keystream and registers.
    - The attacker has to guess control bits of FSR-B.
Performance
- Performance on Pentium 4 3.2 GHz

                        Key. Gen.      Init.
  KCipher-2 (Optimal)   5.45 C/Byte    1162 C/Init.

- The algorithm consists of XOR, ADD, and table lookups. The performance of these computations is expected to be independent of CPU type.