KCipher-2

KDDI R&D Laboratories Inc.

©KDDI R&D Laboratories Inc. All rights Reserved.

Introduction

- LFSR-based stream ciphers
  - The feedback polynomial defines a linear recurrence between internal states.
  - LFSR-based stream ciphers have been attacked using this linear recurrence.
- In KCipher-2, a Dynamic Feedback Control mechanism is used to hide the linear recurrence.

Design policy

- Security
  - Produce sequences with a sufficient period
  - Use two different functions (NLF and Dynamic Feedback Control)
  - Satisfy 128-bit key level security
- Performance
  - Good performance for software implementation
  - Consists of basic operations

Advantages of KCipher-2

- Fast encryption/decryption
  - KCipher-2 suits fast software implementations
- 128-bit keys are available
- Size of internal state is small
  - The size is 640 bits
- Security margin
  - KCipher-2 is secure without the need for a DFC mechanism.
  - The DFC mechanism is an extra security margin.
- Resistance against existing attacks
  - NLF is designed in consideration of attacks on SNOW 2.0 such as an algebraic attack and a distinguishing attack.

Profile of K2

- 128-bit key
- 128-bit IV
- 640-bit state
  - 32-bit x 16 registers (FSR-A, FSR-B)
  - 32-bit x 4 internal memories for NLF
- 64-bit keystream per cycle
- Max number of cycles without re-initialization is 2^58 cycles (2^64 keystream bits)
- The algorithm was presented at the SASC 2007 workshop (Jan. 2007) -> satisfies the maturity criteria

KCipher-2

[Figure: block diagram of KCipher-2. Labels: Registers (A), Registers (B), Feedback Controller, Feedback Function, Controlled Feedback Function, Non-Linear Function with Internal Memories, Keystream]

Use Two Functions

- Non-Linear Function (NLF) and Dynamic Feedback Control (DFC)
- NLF
  - Provides nonlinearity of the output keystream
- Dynamic Feedback Control
  - Hides the linear recurrence of FSR-B

Dynamic Feedback Control

- Control coefficients for FSR-B

[Figure labels: Feedback (Clock) Controller; 0, 1; 0, 1; 2 bits of FSR-A]

Dynamic Feedback Control (cont.)

- Performance
  - Does not increase the cost significantly
  - Only changes a table of multiplying coefficients α_i
- Security
  - The attacker may need to guess control bits in some attacks, such as
    - Guess-and-Determine Attacks
    - Algebraic Attacks
  - Hides the linear recurrence between internal states of FSR-B
  - Effective for protecting against several attacks
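
The effect of dynamic feedback on the linear recurrence can be seen on a toy model. The following is an added example, not code from the slides or from KDDI: it uses bit-level registers of 5 and 7 bits instead of KCipher-2's 32-bit words and α_i multiplications, and the register lengths, tap positions, initial states and function names are all assumptions made for illustration. Two bits of the toy FSR-A decide which taps enter the feedback of the toy FSR-B, and the raw FSR-B output is measured with the Berlekamp-Massey algorithm.

```python
# Toy model (added example): bit-level registers, not KCipher-2's 32-bit words.

def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating bits."""
    n = len(bits)
    c, b = [1] + [0] * (n - 1), [1] + [0] * (n - 1)
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                                  # current LFSR mispredicts bit i
            prev, shift = c[:], i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L

def clock_a(a):
    """Toy FSR-A (5 bits), fixed feedback: a[t+5] = a[t] ^ a[t+2]."""
    return a[1:] + [a[0] ^ a[2]]

def clock_b(b, c1, c2):
    """Toy FSR-B (7 bits): b[t+7] = b[t] ^ b[t+1] ^ c1*b[t+3] ^ c2*b[t+5]."""
    return b[1:] + [b[0] ^ b[1] ^ (c1 & b[3]) ^ (c2 & b[5])]

def fsr_b_output(nbits, dynamic):
    """Raw FSR-B output; with dynamic=True two bits of FSR-A pick the taps."""
    a, b = [0, 0, 0, 0, 1], [0, 0, 0, 0, 0, 0, 1]   # constructed initial states
    out = []
    for _ in range(nbits):
        out.append(b[0])
        c1, c2 = (a[0], a[1]) if dynamic else (0, 0)
        b, a = clock_b(b, c1, c2), clock_a(a)
    return out

def recurrence_violations(bits):
    """Positions where the fixed relation b[t+7] = b[t] ^ b[t+1] fails."""
    return sum(bits[t + 7] != bits[t] ^ bits[t + 1] for t in range(len(bits) - 7))

if __name__ == "__main__":
    for name, dyn in (("fixed feedback", False), ("dynamic feedback", True)):
        s = fsr_b_output(256, dyn)
        print(name, "linear complexity:", linear_complexity(s),
              "violations:", recurrence_violations(s))
```

With fixed feedback every output bit satisfies the single 7-term relation, so a short observed prefix determines the register. With the control bits active that relation no longer holds at every position, and no 7-stage LFSR reproduces the output.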

Non-Linear Function

- Four 32-bit substitution functions are used
- Connects four internal memories via the substitution functions
- Input: six registers
- Output: 64-bit keystream per cycle
- Well-evaluated structure (like SNOW)
- The number of S-boxes is twice that of SNOW

[Figure: structure of the NLF. Labels: LFSR-A, LFSR-B, Clock Controller, internal memories L1, L2, R1, R2, four Sub blocks, Keystream (64 bits)]

Non-Linear Function (2)

- The left part and the right part of the NLF are connected
  - Produces double-length keystream
  - Improves the security
- Left or right keystream is computed from previous memories of both sides.
- Substitution consists of well-evaluated S-boxes and a linear permutation (same as SNOW).
- Internal memories hide the relation between registers and keystream.

[Figure: left and right parts of the NLF. Labels: LFSR-A, LFSR-B, internal memories L1, L2, R1, R2, four Sub blocks]

Analysis of KCipher-2 Stream Cipher

- Periods
  - The period is expected to be more than the period of the output of FSR-A
- Statistical tests
  - Evaluated the output of FSR-A, FSR-B, and the keystream
  - These properties were good

Security against Existing Attacks

- Time-Memory trade-off: Secure
  - Lengths of the IV and the secret keys are sufficiently large.
  - Internal state is sufficiently larger than the secret key.
- Correlation Attack: Secure
  - No correlation that has large probability was found.
- Chosen/Related IV Attack: Secure
  - The internal state is well mixed by the initialization process.

Security against Existing Attacks (2)

- Guess-and-Determine Attack: Secure
  - In the case of attacking FSR-B without multiplying α_i (i=1,2,3)
    - Assume that the attacker obtains values
    - The attacker has to guess two registers and four memories to recover all registers of FSR-B. The complexity is O(2^196).
  - However, the attacker has to guess at least two registers of FSR-A without the assumption.
    - The attack is more than O(2^256)
  - Dynamic feedback makes the attack more complicated.

Security against Existing Attacks (3)

- Distinguishing Attack: Secure
  - The attacker has to use four mask values (two masks for attacking SNOW 2.0).
  - Sub consists of AES S-boxes; thus, it has a good linear property.
  - We could not find a linear distinguisher with a feasible linear probability.
  - Dynamic feedback prevents the attack.

[Figure: NLF with labels B_t, B_{t+1}, B_{t+5}, B_{t+9}, B_{t+10}, B_{t+11}; L2_t, L1_t, R1_t, R2_t; four Sub blocks; ZL_t + A_t, ZL_{t+1} + A_{t+1}, ZR_t + A_{t+4}, ZR_{t+1} + A_{t+5}; G, L, F, Y]

Security against Existing Attacks (4)

- Algebraic Attacks: Secure
  - General evaluation results were good.
  - An algebraic attack such as an attack on SNOW 2.0 is impossible, because:
    - The attacker cannot obtain a linear equation of fixed values of keystream and registers.
    - The attacker has to guess control bits of FSR-B.

Performance

- Performance on Pentium 4 3.2 GHz
- The algorithm consists of XOR, ADD, and table lookups. The performance of these computations is expected to be independent of CPU type.

                       Key. Gen.      Init.
KCipher-2 (Optimal)    5.45 C/Byte    1162 C/Init.