KCipher-2

KDDI R&D Laboratories Inc.

Introduction
  • LFSR-based stream ciphers
    • Linear recurrence between internal states as a feedback polynomial.
    • LFSR-based stream ciphers have been attacked using the linear recurrence.

In KCipher-2, a Dynamic Feedback Control mechanism is used to hide the linear recurrence.

Design policy
  • Security
    • Produce sequences with a sufficiently long period
    • Use two different functions (NLF and Dynamic Feedback Control)
    • Satisfy 128-bit key level security
  • Performance
    • Good performance for software implementation
    • Consists of basic operations
Advantages of KCipher-2
  • Fast Encryption/Decryption
    • KCipher-2 suits fast software implementations
  • 128-bit keys are available
  • Size of Internal State is Small
    • The size is 640 bits
  • Security Margin
    • KCipher-2 is secure without the need for a DFC mechanism. The DFC mechanism is an extra security margin.
  • Resistance against Existing Attacks
    • NLF is designed in consideration of attacks on SNOW 2.0 such as an algebraic attack and a distinguishing attack.
Profile of K2
  • 128-bit key
  • 128-bit IV
  • 640-bit state
    • 32-bit X 16 Registers (FSR-A, FSR-B)
    • 32-bit X 4 Internal Memories for NLF
  • 64-bit keystream per cycle
  • Maximum number of cycles without re-initialization is 2^58 cycles (2^64 keystream bits)
  • The algorithm was presented at the SASC 2007 workshop (Jan. 2007) -> satisfies the maturity criteria
Use Two Functions
  • Non-Linear Function (NLF) and Dynamic Feedback Control (DFC)
    • NLF
      • Provide nonlinearity of output keystream
    • Dynamic Feedback Control
      • Hide Linear Recurrence of FSR-B
Dynamic Feedback Control
  • Control coefficients for FSR-B

[Figure: 2 bits of FSR-A feed the Feedback (Clock) Controller; labels a1, a2, a3 and selector values 0, 1.]

Dynamic Feedback Control (cont.)
  • Performance
    • Do not increase the cost significantly
      • Only change a table of multiplying coefficients α_i.
  • Security
    • The attacker may need to guess control bits in some attacks such as
      • Guess-and-Determine Attacks
      • Algebraic Attacks
    • Hide linear recurrence between internal states of FSR-B
      • Effective for protecting against several attacks
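
The effect described on these two slides can be seen on a toy model. The following is an added example, not code from the presentation or from KDDI: it uses bit-level registers with constructed lengths, taps and seeds (all names are hypothetical) and measures, with Berlekamp-Massey, the shortest linear recurrence that reproduces register B's output with fixed feedback and with feedback controlled by two bits of register A.

```python
# Toy model only: bit-level registers with constructed lengths, taps and seeds.
# It is NOT the KCipher-2 specification (which works on 32-bit registers).
NB = 16  # length of toy register B in bits (assumption)

def step_a(a):
    # Register A has a fixed feedback: a[t+7] = a[t] ^ a[t+1]
    return a[1:] + [a[0] ^ a[1]]

def step_b(b, c1, c2):
    # Register B: control bit c1 selects one of two taps,
    # control bit c2 switches a third tap on or off.
    fb = b[0] ^ (b[5] if c1 else b[3]) ^ (b[11] & c2)
    return b[1:] + [fb]

def output_b(nbits, dynamic):
    a = [1, 0, 0, 1, 0, 1, 1]                      # constructed seed
    b = [(0xACE1 >> i) & 1 for i in range(NB)]     # constructed seed
    out = []
    for _ in range(nbits):
        # With DFC, two bits of A drive B's feedback; without, it is fixed.
        c1, c2 = (a[2], a[5]) if dynamic else (0, 0)
        out.append(b[0])
        a, b = step_a(a), step_b(b, c1, c2)
    return out

def linear_complexity(s):
    # Berlekamp-Massey over GF(2): length of the shortest linear recurrence
    # that reproduces the bit sequence s.
    n = len(s)
    c, b = [1] + [0] * (n - 1), [1] + [0] * (n - 1)
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            for j in range(n - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def compare(nbits=512):
    fixed = linear_complexity(output_b(nbits, dynamic=False))
    dfc = linear_complexity(output_b(nbits, dynamic=True))
    return fixed, dfc

if __name__ == "__main__":
    print("fixed feedback: %d, dynamic feedback: %d" % compare())
```

With fixed feedback the recurrence found is no longer than register B itself; with the control bits switched on, no recurrence of that length fits the output.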
Non-Linear Function
  • Four 32-bit Substitution functions are used
  • Connect Four internal Memories via the Substitution Functions
  • Takes six registers as input
  • Outputs 64-bit keystream per cycle
  • Well-evaluated structure (like SNOW)
  • The number of S-boxes is twice that of SNOW
Non-Linear Function (2)
  • The left and right parts of the NLF are connected
    • Produce double-length keystream
    • Improve the security
      • Left or right keystream is computed from previous memories of both sides.
  • Substitution consists of well-evaluated S-boxes and a linear permutation (same as SNOW).
  • Internal memories hide relation between registers and keystream.

[Figure: NLF structure. Inputs from LFSR-A and LFSR-B; internal memories L1, L2, R1, R2 connected through four Sub blocks.]

Analysis of KCipher-2 Stream Cipher
  • Periods
    • The period is expected to be longer than the period of the output of FSR-A
  • Statistical Tests
    • Evaluated output of FSR-A, FSR-B, and keystream
    • These properties were good
Security against Existing Attacks

  • Time-Memory trade off: Secure
    • Lengths of IV and the secret keys are sufficiently large.
    • Internal state is sufficiently larger than the secret key
  • Correlation Attack: Secure
    • No correlation that has large probability was found.
  • Chosen/Related IV Attack: Secure
    • The internal state is well mixed by the initialization process.

Security against Existing Attacks (2)

  • Guess-and-Determine Attack: Secure
    • In case of attacking FSR-B without multiplying α_i (i=1,2,3)
      • Assume that the attacker obtains values
        • The attacker has to guess two registers and four memories to recover all registers of FSR-B. The complexity is O(2^196)
        • However, the attacker has to guess at least two registers of FSR-A without the assumption.
        • The attack complexity is more than O(2^256)
        • Dynamic feedback makes the attack more complicated.
Security against Existing Attacks (3)

  • Distinguishing Attack: Secure
    • The attacker has to use four mask values (two masks for attacking SNOW 2.0).
    • Sub consists of AES S-boxes; thus, it has a good linear property.
    • We could not find a linear distinguisher with a feasible linear probability.
    • Dynamic feedback prevents the attack
Security against Existing Attacks (4)

  • Algebraic Attacks: Secure
    • General evaluation results were good.
    • An algebraic attack such as an attack on SNOW 2.0 is impossible, because:
      • The attacker cannot obtain a linear equation of fixed values of keystream and registers.
      • The attacker has to guess control bits of FSR-B.
Performance
  • Performance on Pentium4 3.2 GHz
  • The algorithm consists of XOR, ADD, and table lookups. The performance of these computations is expected to be independent of CPU type.