Distinguishing Attacks on the Stream Cipher Py (Roo)

Speaker: Souradyuti Paul (work jointly with B. Preneel and G. Sekar)
Computer Security and Industrial Cryptography (COSIC)
Department of Electrical Engineering-ESAT
Katholieke Universiteit Leuven, Belgium
Email: Souradyuti.Paul@esat.kuleuven.be
FSE 2006, 17th March 2006

Outline

- Py and a Short History
- Description of Py
- Basic Idea of Attack and Assumptions
- Observation: Input-Output Correlation
- The Bias and the Distinguisher
- Complexities of the Attack
- Biases in other Pairs of Bits
- Conclusions and Remarks

Py and the evolution of RC4

- RC4 (1987) by Rivest
- IA, IB, ISAAC (1996) by Jenkins Jr.
- RC4A (2004) by Paul and Preneel
- VMPC (2004) by Zoltak
- HC-256 (2004) by Wu
- GGHN (2005) by Gong et al.
- Py, Py6 (2005) by Biham and Seberry
- PyPy (2006) by Biham and Seberry

Stage I: Key/IV set-up of Py

[Figure: the Key (256 bits) and the IV (128 bits) pass through the Key/IV set-up algorithm (Step 1) and the initialization, producing the internal state: P (256x8 bits), Y (260x32 bits) and s (32 bits).]

Stage II: Keystream bytes generation of Py

[Figure: the state (s, Y, P) is mixed in Round 1 to give (s', Y', P'), in Round 2 to give (s'', Y'', P''), and so on through Round 3. Each round produces an output (Output 1, Output 2, Output 3, ...), which is XORed with the plaintext (Plaintext 1, Plaintext 2, ...) to give the ciphertext (Ciphertext 1, Ciphertext 2, ...).]

Single round of Py: ith round

[Figure: the arrays P (indices 000 to 255) and Y (indices -3 to 256) before and after the ith round, together with the two outputs of the round, O(1,i) and O(2,i).]

The basic idea of our attacks and assumptions

- Assumption: Key/IV set-up is perfect
- Focus: mixing of bits in a round
- Identify: a class of internal states introducing bias in the outputs
- Observe: rest of the states do not cancel bias (reason: rigorous mixing)
- Conclude: output is biased on a randomly chosen internal state

Main observation: A lucky case in the array P

[Figure: the array P in Round 1, Round 2 and Round 3, marking the entries at indices 26, 72, 116, 208 and 239 that define the lucky case; the marked values include 1, 254, X, X+1, Y, Y+1, -18 mod 32 and 7 mod 32.]

Outputs at 1st and 3rd rounds

[Figure: the array Y (indices -3 to 256) in Round 1, Round 2 and Round 3, marking the elements G and H.]

O(1,1) = (S XOR G) + H
O(2,3) = (S XOR H) + G

Bias in the lsb's:
z = O(1,1)[0] XOR O(2,3)[0]
P(z=0) = 1

Quantifying the bias

- The lucky case L occurs with prob. 2^-41.9
- For the lucky case, P(z=0|L) = 1
- For the rest of the cases, we observe that P(z=0|L') = 1/2 (see the paper)
- The overall prob. P(z=0) = ½·(1 + 2^-41.9)

The distinguisher (I)

[Figure: Key/IV pairs are fed to Py, which produces n samples of the biased output z.]

- Optimal Distinguisher: if # of 0's ≥ # of 1's then Py, else Random
- The advantage is close to 0% for n = 1
- If n = 2^84.7 then the advantage is more than 50%

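Added example (not from the slides or the paper): a Python check of how the sample count n relates to the bias P(z=0) = ½·(1 + 2^-41.9). It assumes a normal approximation and a decision threshold midway between the expected zero counts of the two sources, both assumptions of this example; the simulation uses a constructed, much larger bias so that it finishes quickly.

```python
import math
import random
from statistics import NormalDist

PHI = NormalDist()  # standard normal distribution

def advantage(log2_n, log2_eps):
    """Advantage of the midpoint-threshold test on n = 2^log2_n samples of a
    bit z with P(z=0) = 1/2 * (1 + eps); normal approximation (assumption)."""
    delta = 2.0 ** (log2_eps - 1)         # P(z=0) = 1/2 + delta
    x = delta * math.sqrt(2.0 ** log2_n)  # gap to threshold in std deviations
    return 2 * PHI.cdf(x) - 1

def log2_samples(target_adv, log2_eps):
    """log2 of the sample count at which the advantage reaches target_adv."""
    x = PHI.inv_cdf((1 + target_adv) / 2)
    return 2 * (math.log2(x) - (log2_eps - 1))

def simulate(log2_eps, n, trials=2000, seed=1):
    """Empirical advantage: P(say Py | biased) - P(say Py | uniform)."""
    rng = random.Random(seed)
    delta = 2.0 ** (log2_eps - 1)
    threshold = n * (0.5 + delta / 2)     # midway between expected zero counts

    def says_py(p_zero):
        zeros = sum(rng.random() < p_zero for _ in range(n))
        return zeros > threshold

    hits = sum(says_py(0.5 + delta) for _ in range(trials))
    false_alarms = sum(says_py(0.5) for _ in range(trials))
    return (hits - false_alarms) / trials

if __name__ == "__main__":
    # Values from the slides: bias 2^-41.9, n = 2^84.7 samples.
    print("advantage at n = 2^84.7:", advantage(84.7, -41.9))
    print("advantage at n = 1     :", advantage(0, -41.9))
    print("log2 n for 50% advantage:", log2_samples(0.5, -41.9))
    # Constructed bias 2^-4, small enough to simulate directly.
    n_small = round(2 ** log2_samples(0.5, -4))
    print("simulated, eps = 2^-4, n =", n_small, ":", simulate(-4, n_small))
```

The required n grows as the inverse square of the bias, which is why a bias of 2^-41.9 translates into roughly 2^84.7 samples.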
The distinguisher (II)

Requirements:
- # of Key/IV's = 2^84.7
- keystream per Key/IV = 24 bytes
- time = 2^84.7 · T_ini

The distinguisher works within Py specifications with less than exhaustive search

The distinguisher (III)

- A variant of the distinguisher works in a single keystream but takes longer outputs than specified 2^64
- To reduce work load, a hybrid distinguisher with many key/IV's and less than 2^64 output bytes per Key/IV is also possible within the scope of the Py specification

Bias in other pairs of bits

O(1,1) = (S XOR G) + H
O(2,3) = (S XOR H) + G

Bias in the ith bits:
z = O(1,1)[i] XOR O(2,3)[i]
P(z=0) = 1/2 + µ

Conclusion and remarks

- Latest News: Paul Crowley reduced the workload of the distinguisher to 2^72 by combining all the individual biased bits
- The modified version PyPy certainly does not contain this weakness
- A completely unsubstantiated personal opinion: PyPy may come under distinguishing attack with workload less than exhaustive search

Thanks.