Decimv2 ∗
C. Berbain1 , O. Billet1 , A. Canteaut2 , N. Courtois3 , B. Debraize3,4 , H. Gilbert1 ,
L. Goubin4 , A. Gouget5 , L. Granboulan6 , C. Lauradoux2 , M. Minier2 ,
T. Pornin7 and H. Sibert5
Abstract
Decim is a hardware oriented stream cipher with an 80-bit key and a 64-bit IV which was
submitted to the ECRYPT stream cipher project. The design of Decim is based on
both a nonlinear filter LFSR and an irregular decimation mechanism called the ABSG.
As a consequence, Decim is of low hardware complexity. Recently, Hongjun Wu and
Bart Preneel pointed out two flaws in the stream cipher Decim. The first flaw concerns
the initialization stage and the second one, which is the more serious flaw, concerns the
filter used in the keystream generation algorithm; the ABSG mechanism is not affected
by these two flaws. In this paper, we propose a new version of Decim, called Decimv2,
which not only appears to be more secure but also has a lower hardware complexity
than Decim.
1 Introduction
Decim [3] is a hardware oriented stream cipher submitted to the ECRYPT Stream Cipher
Project [1]; we now call it Decimv1 . It has been developed around the ABSG mechanism
which provides a method for irregular decimation of pseudorandom sequences. The general
operation of Decimv1 (and also Decimv2) consists of generating a binary sequence y in a
regular way from a Linear Feedback Shift Register (LFSR) which is filtered by a Boolean
function. The sequence y is next filtered by the ABSG mechanism.
Recently, Hongjun Wu and Bart Preneel [6] found two flaws in the stream cipher Decimv1 .
The first flaw concerns the initialization stage, i.e. the computation of the initial inner state
for starting the keystream generation. In a nutshell, the initialization mechanism of Decimv1
works as follows.
1 France Télécom Recherche et Développement, 38/40 rue du Général Leclerc, F-92794 Issy les Moulineaux cedex 9, {come.berbain,olivier.billet,henri.gilbert}@francetelecom.com
2 INRIA-Rocquencourt, projet CODES, domaine de Voluceau, B.P. 105, F-78153 Le Chesnay cedex, {anne.canteaut,marine.minier,cedric.lauradoux}@inria.fr
3 Axalto Smart Cards, 36-38, rue de la Princesse - B.P. 45, F-78431 Louveciennes cedex, {ncourtois,bdebraize}@axalto.com
4 Laboratoire PRiSM, Université de Versailles, 45 avenue des Etats-Unis, F-78035 Versailles cedex, louis.goubin@prism.uvsq.fr
5 France Télécom Recherche et Développement, 42 rue des Coutures, BP 6243, F-14066 Caen cedex, {aline.gouget,herve.sibert}@francetelecom.com
6 Département d’Informatique, École Normale Supérieure, 45 rue d’Ulm, F-75230 Paris cedex 05, louis.granboulan@ens.fr
7 Cryptolog International, 16-18 rue Vulpian, F-75013 Paris, thomas.pornin@cryptolog.com
∗ Work partially supported by the French Ministry of Research RNRT Project “X-CRYPT” and by the European Commission via ECRYPT network of excellence IST-2002-507932.
1. Filling of the LFSR from an 80-bit secret key and a 64-bit public IV.
2. 192 updates of the LFSR. One update consists of the three following steps:
(a) Computation of the feedback value (in a nonlinear way);
(b) Application of one among two permutations over 7 elements of the current LFSR
state; the choice of the permutation is controlled by the output of the ABSG;
(c) Shifting by one position of the LFSR.
The aim of the permutations is to provide high nonlinearity during the initialization stage.
However, a side effect of the permutations is that, with high probability, a large number of
elements of the LFSR (after the initial filling) are never updated during the initialization
process. This flaw allowed Hongjun Wu and Bart Preneel to mount an efficient key recovery
attack on Decimv1. For Decimv2, we propose a simpler and more secure initialization procedure
than the one of Decimv1 (in particular, the permutations involved in the initialization
procedure of Decimv1, which imply a significant increase of the hardware cost, are removed
in Decimv2).
The main flaw pointed out by Hongjun Wu and Bart Preneel [6] is in the keystream generation
algorithm, which is described in Figure 1. More precisely, the flaw is in the generation
of the sequence y which is the output of the filter (the sequence y is next decimated by the
ABSG mechanism). In a few words, this flaw is due to the fact that the sequence y is directly
the output of a symmetric Boolean function which is not correlation-immune of order 1.
There exists a correlation between the outputs of the function associated to two input
vectors which have one element in common. By using this weakness, Hongjun Wu and Bart
Preneel show a correlation between some bits of the keystream sequence and then they show
that the keystream of Decimv1 is heavily biased. For Decimv2, we propose a simpler and
more secure filter than the one of Decimv1 by choosing a filter which is correlation immune
of order 1.
Figure 1: Decim keystream generation (LFSR → Filter → y → ABSG → z)
The outline of the paper is as follows. In Section 2, we give an overview of Decimv2 and
we describe the slight modifications between Decimv1 and Decimv2 . In Section 3, we provide
a full description of Decimv2 . In Section 4, we explain the design modifications. In Section 5,
we discuss the hardware implementation of Decimv2 . In Section 6, we discuss the security
properties of Decimv2 . Finally, we conclude in Section 7.
2 Overview of Decimv2
In accordance with the specification given by the ECRYPT stream cipher project, Decimv2
takes as input an 80-bit secret key and a 64-bit public initialization vector.
2.1 Keystream generation
The size of the inner state of Decimv2 is unchanged, i.e. 192 bits. The keystream generation
mechanism is described in Figure 2. The bits of the internal state of the LFSR are numbered
from 0 to 191, and they are denoted by (x0 , . . . , x191 ). The sequence of the linear feedback
values of the LFSR is denoted by s = (st )t≥0 .
Figure 2: Decimv2 keystream generation (LFSR (x191, ..., x1, x0) → f → y → ABSG → z → Buffer → z'; the buffer output z' is XORed with the message to give the ciphertext c)
The Boolean function f is a 13-variable quadratic symmetric function which is balanced.
Let $x_{i_1}, \dots, x_{i_{14}}$ denote the 14 initial internal state bits of the LFSR that are the inputs of
the filter. The sequence y output by the filter is defined by:
$y_t = f(s_{i_1+t}, \dots, s_{i_{13}+t}) \oplus s_{i_{14}+t}$
The ABSG takes as an input the sequence y = (yt )t≥0 . The sequence output by the ABSG
is denoted by z = (zt )t≥0 . The buffer mechanism guarantees a constant throughput for the
keystream; we choose a 32 bit-length buffer and the buffer outputs 1 bit for every 4 shifts by
one position of the LFSR (see [3] for details).
Remark 1 For the keystream generation, the gap between Decimv1 and Decimv2 is the
choice of the filter. In Decimv1, the filter is a vectorial function defined by:
$F : \mathbb{F}_2^{14} \to \mathbb{F}_2^2;\quad (x_{i_1}, \dots, x_{i_{14}}) \mapsto \big(f(x_{i_1}, \dots, x_{i_7}),\ f(x_{i_8}, \dots, x_{i_{14}})\big)$
where f is a 7-variable symmetric Boolean function which is balanced but which is not correlation immune of order 1.
2.2 Key/IV setup
The initial filling of the LFSR from the key and the initialization vector is modified in Decimv2
compared to Decimv1 (see Section 3). The Key/IV setup mechanism consists in clocking
4 × 192 = 768 times the LFSR using the nonlinear feedback which is described in Figure 3.
Figure 3: Key/IV setup mechanism (LFSR (x191, ..., x1, x0) with the output of f fed back into x191)
Remark 2 For the initialization stage, the main differences between Decimv1 and Decimv2
are the filling of the LFSR which is changed, the deletion of the permutations and the choice
of the filter. As a consequence, the number of clocks in the initialization stage increases from
192 up to 768.
3 Specification
In this section, we describe each component of Decimv2 and we describe the changes between
Decimv1 and Decimv2 ; we refer to [3] when no modification has been done.
3.1 The filtered LFSR
This section describes the filtered LFSR that generates the sequence y (the sequence y is the
input of the ABSG mechanism).
The LFSR (unchanged). The underlying LFSR is a maximum-length LFSR of length 192
over F2 . It is defined by the following primitive feedback polynomial:
$P(X) = X^{192} + X^{189} + X^{188} + X^{169} + X^{156} + X^{155} + X^{132} + X^{131} + X^{94} + X^{77} + X^{46} + X^{17} + X^{16} + X^{5} + 1$.
The filter (changed). The filter function is the 14-variable Boolean function defined by:
$F : \mathbb{F}_2^{14} \to \mathbb{F}_2;\quad (a_1, \dots, a_{14}) \mapsto f(a_1, \dots, a_{13}) \oplus a_{14}$
where f is the symmetric quadratic Boolean function defined by:
$f(a_1, \dots, a_{13}) = \bigoplus_{1 \le i < j \le 13} a_i a_j \;\oplus\; \bigoplus_{1 \le i \le 13} a_i$
The tap positions of the filter are:
191 − 186 − 178 − 172 − 162 − 144 − 111 − 104 − 65 − 54 − 45 − 28 − 13 − 1
and the input of the ABSG at stage t is:
$y_t = f(s_{t+191}, s_{t+186}, s_{t+178}, s_{t+172}, s_{t+162}, s_{t+144}, s_{t+111}, s_{t+104}, s_{t+65}, s_{t+54}, s_{t+45}, s_{t+28}, s_{t+13}) \oplus s_{t+1}$
3.2 Decimation (unchanged)
This part describes how the keystream sequence z is obtained from the sequence y. The
ABSG algorithm is given in Figure 4.
Input: (y0 , y1 , . . . )
Set: i ← 0; j ← 0;
Repeat the following steps:
1. e ← yi , zj ← yi+1 ;
2. i ← i + 1;
3. while (yi = e) i ← i + 1;
4. i ← i + 1;
5. output zj
6. j ← j + 1
Figure 4: ABSG Algorithm
3.3 Buffer mechanism (unchanged)
The rate of the ABSG mechanism is irregular and therefore we use a buffer in order to
guarantee a constant throughput. We choose a buffer of length 32 and for every 4 bits that
are input into the ABSG, the buffer is supposed to output one bit exactly. With these
parameters, the probability that the buffer is empty while it has to output one bit is less than
$2^{-89}$.
If the ABSG outputs one bit when the buffer is full, then the newly computed bit is not
added into the queue, i.e. it is dropped. Assuming that the initial inner state is computed
(it is denoted by z0 , . . . , z191 ), the ABSG mechanism starts at the beginning loop and the
buffer is empty. The keystream generation process starts when the buffer is full.
3.4 Key/IV Setup
This subsection describes the computation of the initial inner state for starting the keystream
generation. Notice that the ABSG mechanism is not used anymore during the initialization
stage.
3.4.1 Initial filling of the LFSR (changed)
The secret key K is an 80-bit key denoted by $K = K_0, \dots, K_{79}$ and the initialization vector
IV is a 64-bit IV denoted by $IV_0, \dots, IV_{63}$.
The initial filling of the LFSR is done as follows.
$x_i = \begin{cases} K_i & 0 \le i \le 79 \\ K_{i-80} \oplus IV_{i-80} & 80 \le i \le 143 \\ K_{i-80} \oplus IV_{i-144} \oplus IV_{i-128} \oplus IV_{i-112} \oplus IV_{i-96} & 144 \le i \le 159 \\ IV_{i-160} \oplus IV_{i-128} \oplus 1 & 160 \le i \le 191 \end{cases}$
The number of possible initial values of the LFSR state is $2^{80+64} = 2^{144}$.
3.4.2 Update of the LFSR state
The LFSR is clocked 4 × 192 = 768 times using a nonlinear feedback relation. Let $y_t$ denote
the output of f at time t and let $lv_t$ denote the linear feedback value at time t > 0. Then,
the value of $x_{191}$ at time t is computed using the equation:
$x_{191} = lv_t \oplus y_t$.
Notice that there is no bit of the LFSR state output during this step.
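The following is an added example, not code from the paper's authors: a bit-level Python model of the Decimv2 keystream generator assembled from Sections 3.1 to 3.4 (feedback polynomial, filter f and its taps, the ABSG of Figure 4, the 32-bit buffer, the initial filling and the 768 nonlinear setup clocks). Three points that the paper delegates to [3] are assumptions and are marked as such in the code: the direction of the linear recurrence read off P(X), that the setup feedback uses the full filter output F = f ⊕ x1 as y_t, and the exact cycle on which the buffer releases a bit. The sample key and IV are constructed values.

```python
# Added example, not the authors' code: a bit-level software model of the Decim v2 keystream
# generator built from Sections 3.1 to 3.4. Points the paper leaves to [3] are marked ASSUMPTION.

LFSR_LEN, BUFFER_LEN, SETUP_CLOCKS = 192, 32, 4 * 192
# ASSUMPTION: from P(X) in Section 3.1 the new bit s_{t+192} is taken as the XOR of s_{t+k}
# over the remaining exponents k of P(X) (the reciprocal convention would also be maximal length).
FEEDBACK_TAPS = (189, 188, 169, 156, 155, 132, 131, 94, 77, 46, 17, 16, 5, 0)
F_TAPS = (191, 186, 178, 172, 162, 144, 111, 104, 65, 54, 45, 28, 13)   # inputs of f
LINEAR_TAP = 1                                                           # the XORed x_1

def f13(bits):
    """f(a_1..a_13) = XOR_{i<j} a_i a_j XOR XOR_i a_i; the pair sum equals C(w, 2) for weight w."""
    w = sum(bits)
    return (w * (w - 1) // 2 + w) & 1

def filter_output(state):
    """y_t = f(x_191, x_186, ..., x_13) XOR x_1, where state[i] holds x_i."""
    return f13([state[i] for i in F_TAPS]) ^ state[LINEAR_TAP]

def linear_feedback(state):
    """lv_t: the linear feedback value of the LFSR."""
    return sum(state[k] for k in FEEDBACK_TAPS) & 1

def clock(state, feedback):
    """Shift one position towards x_0 (x_0 leaves) and load the feedback bit into x_191."""
    del state[0]
    state.append(feedback)

def initial_state(key, iv):
    """Initial filling of Section 3.4.1; key and iv are bit lists (80 and 64 bits), K_0 first."""
    assert len(key) == 80 and len(iv) == 64
    x = []
    for i in range(LFSR_LEN):
        if i <= 79:
            x.append(key[i])
        elif i <= 143:
            x.append(key[i - 80] ^ iv[i - 80])
        elif i <= 159:
            x.append(key[i - 80] ^ iv[i - 144] ^ iv[i - 128] ^ iv[i - 112] ^ iv[i - 96])
        else:
            x.append(iv[i - 160] ^ iv[i - 128] ^ 1)
    return x

def key_iv_setup(key, iv):
    """768 clocks with the nonlinear feedback x_191 = lv_t XOR y_t (Section 3.4.2); no output."""
    state = initial_state(key, iv)
    for _ in range(SETUP_CLOCKS):
        # ASSUMPTION: y_t during setup is the full filter output F = f XOR x_1 of Section 3.1.
        clock(state, linear_feedback(state) ^ filter_output(state))
    return state

class ABSG:
    """Streaming form of Figure 4: feed one y bit at a time; z_j comes back when a pattern ends."""
    def __init__(self):
        self.phase = 0   # 0: next bit is e; 1: next bit is candidate z_j; 2: skipping repeats of e
        self.e = self.z = None

    def feed(self, bit):
        if self.phase == 0:
            self.e, self.phase = bit, 1
            return None
        if self.phase == 1:
            self.z, self.phase = bit, 2
            if bit != self.e:              # pattern (e, not e): z_j is output right away
                self.phase = 0
                return bit
            return None
        if bit == self.e:                  # still inside the run of e's
            return None
        self.phase = 0                     # first bit differing from e closes the pattern
        return self.z

def absg(y):
    """Whole ABSG output for a finite y, for checking the state machine against Figure 4 by hand."""
    a, out = ABSG(), []
    for bit in y:
        z = a.feed(bit)
        if z is not None:
            out.append(z)
    return out

def keystream(key, iv, nbits):
    """Filter, decimate through the ABSG and smooth through the 32-bit buffer (Section 3.3)."""
    state, a, buf, out = key_iv_setup(key, iv), ABSG(), [], []
    started, shifts = False, 0
    while len(out) < nbits:
        y = filter_output(state)
        clock(state, linear_feedback(state))
        z = a.feed(y)
        if z is not None and len(buf) < BUFFER_LEN:
            buf.append(z)                  # a bit produced while the buffer is full is dropped
        if not started:
            started = len(buf) == BUFFER_LEN   # keystream generation starts once the buffer is full
            continue
        shifts += 1
        # ASSUMPTION on scheduling: the buffer releases one bit after every fourth shift.
        if shifts % 4 == 0:
            if not buf:
                raise RuntimeError("buffer underrun (paper: probability below 2^-89)")
            out.append(buf.pop(0))
    return out
```

The ABSG is written as a three-phase state machine so that it can be driven one y bit per LFSR shift, which is how the buffer interacts with it in hardware; `absg()` wraps it for batch checks against the indexed description in Figure 4. Note that the `⊕ 1` term in the initial filling guarantees that x160..x191 are never all zero, so the register never starts from the all-zero state even for an all-zero key and IV.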
4 Design rationale
The rationale behind the design of Decimv2 relies on the fact that the main ideas behind
Decimv1, namely to filter and then decimate the output of an LFSR using the ABSG mechanism,
were in no way questioned. Thus, the core of Decimv2 is a single Boolean function-based
filtering, followed by an ABSG-based decimation.
4.1 The filter
In Decimv2 (and also in Decimv1) a Boolean function is used to filter the LFSR, whereas the
Shrinking Generator and the Self-Shrinking Generator are both directly applied to LFSRs. The
linear complexity of the sequence output by an LFSR with a primitive feedback polynomial
is the length of the LFSR. The purpose of the filter is to significantly increase the linear
complexity of the sequence which is the input sequence of the ABSG mechanism, that is,
to significantly increase the minimal length of the equivalent LFSR which generates the same
sequence as the one output by the filtered LFSR.
The choice of the filter is very important since the filter must not introduce weaknesses
into the stream cipher (as is the case for Decimv1). An important property for the
filter is that its output must be uniformly distributed. In Decimv1, the 7-variable
Boolean function f used in the filter is balanced, i.e., the value of f is uniformly distributed
in {0, 1} when f is evaluated uniformly over $\{0, 1\}^7$.
Decimv1 is a hardware-oriented stream cipher and the filter must have a low-cost hardware
implementation. In Decimv1 , the filter is a symmetric Boolean function f (i.e. the value of
f only depends on the Hamming weight of the input) in order to reduce the hardware cost
and the function f is balanced.
The attack given by Hongjun Wu and Bart Preneel [6] has shown that it is important to
choose a Boolean function f which is correlation-immune of order 1, i.e. a function such that
there is no correlation between the outputs of the function associated to two input vectors
which have one element in common. Since the Boolean function f must also be balanced,
that means that f must be 1-resilient. In Decimv1 , the Boolean function is balanced but it
is not 1-resilient.
The filter of Decimv2 is constructed from a balanced 13-variable symmetric function
(which is not correlation immune of order 1) and the whole filter F is a 1-resilient Boolean
function.
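The properties argued in this subsection can be checked mechanically for the functions specified in Section 3.1. The following is an added example, not the authors' code: it enumerates all inputs and computes the first-order Walsh coefficients of the 13-variable f and of the 14-variable filter F, which is the standard test for balancedness (coefficient of the zero mask) and for first-order correlation immunity (coefficients of the unit masks). The helper names `walsh_coefficient`, `leaking_inputs` and `is_1_resilient` are this example's own.

```python
# Added example, not the authors' code: exhaustive check of the filter properties Section 4.1
# relies on (balancedness, first-order correlation immunity) for the Section 3.1 functions.
from itertools import product

def f13(a):
    """f(a_1..a_13) = XOR_{i<j} a_i a_j XOR XOR_i a_i; symmetric, so only the weight w matters."""
    w = sum(a)
    return (w * (w - 1) // 2 + w) & 1

def F14(a):
    """The 14-variable Decim v2 filter: F(a_1..a_14) = f(a_1..a_13) XOR a_14."""
    return f13(a[:13]) ^ a[13]

def walsh_coefficient(func, n, mask):
    """W(mask) = #{x : func(x) == <mask,x>} - #{x : func(x) != <mask,x>} over x in {0,1}^n.
    W(0) == 0 means balanced; W(e_i) == 0 means the output is uncorrelated with input i."""
    total = 0
    for x in product((0, 1), repeat=n):
        lin = sum(m & b for m, b in zip(mask, x)) & 1
        total += 1 if func(x) == lin else -1
    return total

def unit_mask(n, i):
    return tuple(1 if j == i else 0 for j in range(n))

def is_balanced(func, n):
    return walsh_coefficient(func, n, (0,) * n) == 0

def leaking_inputs(func, n):
    """Indices of inputs whose bit is correlated with the output (nonzero W(e_i))."""
    return [i for i in range(n) if walsh_coefficient(func, n, unit_mask(n, i)) != 0]

def is_1_resilient(func, n):
    """Balanced and correlation-immune of order 1: the property Section 4.1 asks of the filter."""
    return is_balanced(func, n) and not leaking_inputs(func, n)

if __name__ == "__main__":
    print("f  (13 vars): balanced =", is_balanced(f13, 13), "leaking inputs =", leaking_inputs(f13, 13))
    print("F  (14 vars): 1-resilient =", is_1_resilient(F14, 14))
```

Running it confirms the text: f is balanced but every one of its 13 inputs is correlated with its output (W(e_i) = -128 for each), whereas F, obtained by XORing the extra tap a14, is balanced with all first-order coefficients zero. The reason is visible in the construction: F ⊕ a_i contains the free variable a14 for i ≤ 13, and F ⊕ a14 = f is balanced.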
4.2 Tap positions: filter and feedback polynomial
Assuming knowledge of the keystream z, an attacker will have to guess some bits of the
sequence y in order to attack the function f . The knowledge of the bits of y directly yields
equations in the bits of the initial state of the LFSR. Thus, the number of monomials in the
bits of the initial state of the LFSR that are involved in these equations has to be maximized.
Moreover, this number has to grow quickly during the first clocks of the LFSR. This implies
the following two conditions:
1. each difference between two positions of bits that are input to f should appear only
once;
2. some inputs of f should be taken at positions near the one of the feedback bit (which
means that some inputs should be leftmost on Figure 2).
Finally, the tap positions of the inputs of the Boolean function f and the inputs of the
feedback relation should be independent.
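As an added example (not the authors' code), the two conditions above can be verified on the tap positions given in Section 3.1. Condition 1, every pairwise difference between filter tap positions appearing only once, is the Golomb-ruler property; condition 2 is read here as "the largest filter tap is x191, the position loaded by the feedback", and "independent" is read as the filter and feedback tap sets being disjoint. Both readings are this example's interpretation, not the paper's wording.

```python
# Added example, not the authors' code: checks the Section 4.2 conditions on the Decim v2 taps.
from itertools import combinations

# Filter taps of Section 3.1 (13 inputs of f plus the linearly XORed tap x_1).
FILTER_TAPS = (191, 186, 178, 172, 162, 144, 111, 104, 65, 54, 45, 28, 13, 1)
# Feedback taps read off the exponents of P(X) (X^192 is the register length itself).
FEEDBACK_TAPS = (189, 188, 169, 156, 155, 132, 131, 94, 77, 46, 17, 16, 5, 0)
LFSR_LEN = 192

def pairwise_differences(taps):
    return [abs(a - b) for a, b in combinations(taps, 2)]

def repeated_differences(taps):
    """Differences occurring more than once; an empty list means condition 1 holds."""
    seen, dup = set(), set()
    for d in pairwise_differences(taps):
        (dup if d in seen else seen).add(d)
    return sorted(dup)

def reaches_feedback_end(taps, lfsr_len=LFSR_LEN):
    """Interpretation of condition 2: one input sits at x_{191}, the position the feedback loads."""
    return max(taps) == lfsr_len - 1

def shared_taps(a, b):
    """Positions used both as filter input and in the feedback relation (one reading of 'independent')."""
    return sorted(set(a) & set(b))

def check_taps(filter_taps=FILTER_TAPS, feedback_taps=FEEDBACK_TAPS):
    return {
        "distinct_differences": repeated_differences(filter_taps) == [],
        "reaches_feedback_end": reaches_feedback_end(filter_taps),
        "shared_with_feedback": shared_taps(filter_taps, feedback_taps),
    }

if __name__ == "__main__":
    print(check_taps())
```

For the 14 filter taps the 91 pairwise differences are all distinct, the highest tap is 191, and no position is shared with the feedback relation; a deliberately bad tap set such as (0, 1, 2, 3) is reported with its repeated differences.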
4.3 Key/IV Setup
The components of the keystream generation are re-used for the key/IV setup; we do not
introduce new components.
By using an 80-bit key and a 64-bit IV, the number of possible initial states is at most $2^{144}$,
which is the case in Decimv2, whereas the number of possible initial states is $2^{136}$ in Decimv1.
The first attack given in [6] exploits the effects of the permutations π1 and π2 used in
the initialization process. Indeed, some bits of the LFSR are improperly updated. Then,
the attack consists in tracing some bits during the initialization process. In Decimv2 , the
permutations are removed and the number of clocks of the register is increased in order to
ensure that the nonlinearity of the initialization stage is sufficient.
5 Hardware implementation
The number of gates involved in a hardware implementation can be estimated as follows,
based on the estimates for elementary components given in [2], i.e., 12 gates for a flip-flop,
2.5 gates for an XOR, 1.5 gates for an AND and 5 gates for a MUX.
Here, we have the following values for each component in the circuit:
• LFSR: 2339 gates corresponding to 192 flip-flops and 14 XORs (instead of 3334 gates
for Decimv1 ).
• Filtering function: 86.5 gates corresponding to 6 Full Adders and 7 XORs (instead of
74 gates for Decimv1 ; details on the hardware implementation of quadratic symmetric
functions are given in [3]).
• 1-input ABSG, as described in Figure 5: 67 gates corresponding to 2 MUX, 3 XORs, 1
AND, and 4 flip-flops.
Figure 5: Hardware implementation of the ABSG (a pattern seeker with pattern and data inputs, two multiplexers, and the next and command_pattern control signals)
Remark 3 For the proposed hardware implementation, the main difference between Decimv1
and Decimv2 is that the LFSR now has to be clocked 4 times instead of 2 before outputting a
bit, i.e. Decimv2 is twice as slow as Decimv1.
Moreover, the throughput of the generator can be doubled at a low implementation cost
by using a simple speed-up mechanism. This can be done with a circuit which computes two
feedback bits for the LFSR, simultaneously, as described in [3, Section 6.1]. This LFSR with
doubled clock rate can be implemented within 192 flip-flops and 28 XORs. One additional
copy of the filtering function is also required, and a 2-input ABSG mechanism must be used
(see [3] for further details).
6 Security properties
The discussion given in [3] on guess-and-determine attacks, distinguishing attacks and
side channel attacks holds for Decimv2. Clock-controlled linear feedback shift registers, i.e.
LFSRs that are irregularly clocked according to a decimation sequence which defines the
number of symbols to be deleted before the next output symbol is produced, are immune
to fast correlation attacks [5]. In [4], Golić developed a theory of fast correlation attacks on
irregularly clocked LFSRs based on a linear statistical weakness. This attack may be realistic
in special cases but Decimv2 may be immune to this type of attack. Indeed, in order to
increase the linear complexity of the sequence (i.e. the minimal length of the equivalent
LFSR that generates the same sequence) that is shrunk by the ABSG mechanism, we use
an LFSR which is filtered by a Boolean function. In this way, the expected linear complexity
of the sequence output by the Boolean function is 18528, i.e. the expected minimal length
of the LFSR that generates the same sequence as the one generated by the filtered LFSR of
Decim is 18528.
7 Conclusion
We have proposed a new stream cipher Decimv2 . The design is based on the eStream proposal Decimv1 and addresses all weaknesses found in the original construction. A complete
description of Decimv2 was given and the differences from Decimv1 were discussed.
The stream cipher Decimv2 is especially suitable for hardware applications with restricted
resources such as limited storage or gate count. For applications requiring higher throughputs,
speed-up mechanisms can be used to accelerate Decimv2 at the expense of a higher hardware
complexity.
Acknowledgements. The authors wish to thank Frédéric Muller and Matt Robshaw for
helpful comments.
References
[1] eStream, Stream cipher project of the European Network of Excellence in Cryptology
ECRYPT. http://www.ecrypt.eu.org/stream/.
[2] L. Batina, J. Lano, S.B. Örs, B. Preneel, and I. Verbauwhede. Energy, performance, area
versus security trade-offs for stream ciphers. In The State of the Art of Stream Ciphers:
Workshop Record, pages 302–310, Brugge, Belgium, October 2004.
[3] C. Berbain, O. Billet, A. Canteaut, N. Courtois, B. Debraize, H. Gilbert, L. Goubin,
A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert. Decim
– A new Stream Cipher for Hardware applications. In ECRYPT Stream Cipher Project
Report 2005/004. Available at http://www.ecrypt.eu.org/stream/.
[4] J. Golić. Towards fast correlation attacks on irregularly clocked shift registers. In Proceedings of Eurocrypt’95, Lecture Notes in Computer Science, 1995.
[5] Willi Meier and Othmar Staffelbach. Fast correlation attacks on certain stream ciphers.
J. Cryptol., 1(3):159–176, 1989.
[6] Hongjun Wu and Bart Preneel. Cryptanalysis of Stream Cipher Decim. Available at
http://www.ecrypt.eu.org/stream/.