KCipher-2

KCipher-2. KDDI R&D Laboratories Inc. Introduction. LFSR-based stream ciphers: linear recurrence between internal states as a feedback polynomial. LFSR-based stream ciphers have been attacked using the linear recurrence.

chipo
Presentation Transcript


  1. KCipher-2 KDDI R&D Laboratories Inc.

  2. Introduction
     • LFSR-based stream ciphers
       • Linear recurrence between internal states as a feedback polynomial.
       • LFSR-based stream ciphers have been attacked using the linear recurrence.
     In KCipher-2, a Dynamic Feedback Control mechanism is used to hide the linear recurrence.

  3. Design policy
     • Security
       • Produce sequences with a sufficient period
       • Use two different functions (NLF and Dynamic Feedback Control)
       • Satisfy 128-bit key level security
     • Performance
       • Good performance for software implementation
       • Consist of basic operations

  4. Advantages of KCipher-2
     • Fast Encryption/Decryption
       • KCipher-2 suits fast software implementations
       • 128-bit keys are available
     • Size of Internal State is Small
       • The size is 640 bits
     • Security Margin
       • KCipher-2 is secure without the need for a DFC mechanism. The DFC mechanism is an extra security margin.
     • Resistance against Existing Attacks
       • NLF is designed in consideration of attacks on SNOW 2.0 such as an algebraic attack and a distinguishing attack.

  5. Profile of K2
     • 128-bit key
     • 128-bit IV
     • 640-bit state
       • 32-bit × 16 registers (FSR-A, FSR-B)
       • 32-bit × 4 internal memories for NLF
     • 64-bit keystream per cycle
     • Max cycle without re-initialization is 2^58 cycles (2^64 keystream bits)
     • The algorithm was presented at the SASC 2007 workshop (Jan. 2007) -> satisfies the maturity criteria

  6. KCipher-2

  7. Use Two Functions
     • Non-Linear Function (NLF) and Dynamic Feedback Control (DFC)
     • NLF
       • Provides nonlinearity of the output keystream
     • Dynamic Feedback Control
       • Hides the linear recurrence of FSR-B

  8. Dynamic Feedback Control
     • Control coefficients for FSR-B
     [Figure: Feedback (Clock) Controller; labels: 2 bits of FSR-A, a1, a2, a3, 0/1]

  9. Dynamic Feedback Control (cont.)
     • Performance
       • Does not increase the cost significantly
       • Only changes a table of multiplying coefficients α_i.
     • Security
       • The attacker may need to guess control bits in some attacks such as
         • Guess-and-Determine Attacks
         • Algebraic Attacks
       • Hides the linear recurrence between internal states of FSR-B
       • Effective for protecting against several attacks

  10. Non-Linear Function
      • Four 32-bit substitution functions are used
      • Connects four internal memories via the substitution functions
      • Input: six registers
      • Output: 64-bit keystream per cycle
      • Well-evaluated structure (like SNOW)
      • The number of S-boxes is twice that of SNOW

  11. Non-Linear Function (2)
      • The left part and right part of the NLF are connected
        • Produces double-length keystream
        • Improves the security
      • Left or right keystream is computed from previous memories of both sides.
      • Substitution consists of well-evaluated S-boxes and a linear permutation (same as SNOW).
      • Internal memories hide the relation between registers and keystream.
      [Figure: NLF structure; labels: LFSR-A, LFSR-B, Sub, L1, L2, R1, R2]

  12. Analysis of KCipher-2 Stream Cipher
      • Periods
        • The period is expected to be longer than the period of the output of FSR-A
      • Statistical Tests
        • Evaluated the output of FSR-A, FSR-B, and the keystream
        • These properties were good

  13. Security against Existing Attacks
      • Time-Memory Trade-off: Secure
        • Lengths of the IV and the secret key are sufficiently large.
        • The internal state is sufficiently larger than the secret key.
      • Correlation Attack: Secure
        • No correlation that has large probability was found.
      • Chosen/Related IV Attack: Secure
        • The internal state is well mixed by the initialization process.

  14. Security against Existing Attacks (2)
      • Guess-and-Determine Attack: Secure
        • In the case of attacking FSR-B without multiplying α_i (i=1,2,3)
          • Assume that the attacker obtains values
          • The attacker has to guess two registers and four memories to recover all registers of FSR-B. The complexity is O(2^196)
        • However, the attacker has to guess at least two registers of FSR-A without the assumption.
          • The attack complexity is more than O(2^256)
        • Dynamic feedback makes the attack more complicated.

  15. Security against Existing Attacks (3)
      • Distinguishing Attack: Secure
        • The attacker has to use four mask values (two masks for attacking SNOW 2.0).
        • Sub consists of AES S-boxes; thus, it has a good linear property.
        • We could not find a linear distinguisher with a feasible linear probability.
        • Dynamic feedback prevents the attack

  16. Security against Existing Attacks (4)
      • Algebraic Attacks: Secure
        • General evaluation results were good.
        • An algebraic attack such as an attack on SNOW 2.0 is impossible, because:
          • The attacker cannot obtain a linear equation of fixed values of keystream and registers.
          • The attacker has to guess control bits of FSR-B.

  17. Performance
      • Performance on Pentium 4 3.2 GHz
      • The algorithm consists of XOR, ADD, and table lookups. The performance of these computations is expected to be independent of CPU type.
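
Slides 7 to 9 say that Dynamic Feedback Control hides the linear recurrence of FSR-B. The following added example (not from the presentation and not KCipher-2 itself) measures that effect on a toy model with Berlekamp-Massey linear complexity. Assumptions: 1-bit registers instead of 32-bit words, a single control bit instead of two, and register lengths, taps and seeds chosen for this illustration only.

```python
# Toy model constructed for illustration, NOT KCipher-2: 1-bit stages,
# FSR-A with 5 stages, FSR-B with 11 stages, taps chosen by this example.

def fsr_b_output(n, dynamic, a=(0, 0, 0, 0, 1), b=(1,) + (0,) * 10):
    """Return n output bits of FSR-B; FSR-A supplies the control bit."""
    a, b, out = list(a), list(b), []
    for _ in range(n):
        out.append(b[0])
        ctl = a[0] if dynamic else 0        # control bit taken from FSR-A
        fb_b = b[0] ^ b[2] ^ (ctl & b[6])   # extra tap only when ctl == 1
        a = a[1:] + [a[0] ^ a[2]]           # FSR-A: x^5 + x^2 + 1
        b = b[1:] + [fb_b]                  # FSR-B base: x^11 + x^2 + 1
    return out


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR that
    reproduces `bits`."""
    n = len(bits)
    c = [1] + [0] * n      # current connection polynomial
    prev = [1] + [0] * n   # polynomial before the last length change
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                         # discrepancy for bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                               # prediction failed: correct c
            saved, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= prev[j]
            if 2 * L <= i:                  # the LFSR has to grow
                L, m, prev = i + 1 - L, i, saved
    return L


def compare(n=256):
    """Linear complexity of FSR-B output with fixed vs. dynamic feedback."""
    fixed = linear_complexity(fsr_b_output(n, dynamic=False))
    dyn = linear_complexity(fsr_b_output(n, dynamic=True))
    return fixed, dyn


if __name__ == "__main__":
    print("linear complexity: fixed=%d dynamic=%d" % compare())
```

With fixed feedback the output is reproduced by an 11-stage LFSR, so 22 output bits determine the recurrence; with the control bit active no 11-stage recurrence fits the sequence.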