2007 International Conference on Convergence Information Technology

PingPong-128, A New Stream Cipher for Ubiquitous Application

HoonJae Lee, Kevin Chen
Dept. Information Network Eng., Dongseo University, Busan, Korea
ISI, Queensland Univ. of Technology, Brisbane, Australia
E-mail: hjlee@dongseo.ac.kr, chenk@isrc.qut.edu.au

Abstract

The PingPong family of keystream generators is based on the LM-type summation generator. A mutual clock-control mechanism is added to the LM-type summation generator to provide security enhancement. PingPong-128, a specific cipher from the PingPong family, is proposed. It takes a 128-bit key and a 128-bit initialisation vector, has 257 bits of internal state, and achieves a security level of 128 bits. In this paper, we present the security analysis of PingPong-128, including the resistance to known attacks against the summation generator and other clock-controlled generators.

1. Introduction

The two basic methods for encrypting text into ciphertext are stream and block ciphers. Stream ciphers (as the name suggests) encrypt text bit-by-bit and are fairly rare, with only a few examples in commercial applications such as RC4 [1]. The advantage of a stream cipher is that it is faster and much more efficient than block ciphers. For example, RC4 is close to twice as fast as the nearest block cipher and can be written in 30 lines of code, whereas the typical block cipher algorithm takes several hundred lines of code. This makes stream ciphers ideal for Internet applications like SSL, where speed and efficiency are more valuable [2].

The summation generator [3] was proposed in 1985, and correlation attacks on it were published in [4, 5]. In [6], a fast correlation attack on the summation generator is described. The LM generator [7] was proposed in 2000 as an improvement to the summation generator. The proposed improvement is the addition of an extra memory bit to the combining function. The summation generator succumbs to a range of divide and conquer attacks, from the straightforward divide and conquer attack described in [5, 8], to correlation and fast correlation attacks in [4, 5] and [6], respectively.
In this paper, we propose a new generator, PingPong, based on the summation generator, with the addition of a mutual clock control structure. The purpose of the mutual clock control structure is to introduce irregular clocking of the underlying LFSRs, thus implicitly increasing the nonlinearity of the output keystream. In other words, the PingPong generator is a clock-controlled generator. It is based on the LM generator [7], which is a modification of the summation generator [3] based on two linear feedback shift registers (LFSRs). We demonstrate that the modification defeats the known attacks against the summation generator, and other attacks such as attacks on irregularly clocked keystream generators. An initialisation and rekeying process for the PingPong generator is also defined. The PingPong generator extends the LM generator through the use of irregularly clocked underlying shift registers.

0-7695-3038-9/07 $25.00 2007 IEEE DOI 10.1109/ICCIT.2007.375

2. Summation-like Generator

2.1. Description of the Summation Generator

Fig. 1. Summation Generator (r = 2)

The summation generator uses r regularly clocked binary LFSRs and log2 n bits of carry. The LM generator is based on a summation generator with r = 2. Denote the two LFSRs L1 and L2, respectively, and the carry bit is denoted by c. At time, denote the output of L1 as, the output of L2 as, and the output of f c as c, as shown in fig. 1. The initial state of the carry bit, c -1, is defined to be 0. At time, the output of the function f is the keystream bit, and is denoted by. The outputs of functions f c and f at time are defined as:

c f ) c (1) c ( 1 (2) f c 1

2.2. Cryptanalysis of the Summation Generator

There are several ways to recover the initial state of the summation generator. A simple approach is the divide and conquer attack [5]. Alternatively, a fast correlation attack [6] could be performed.

2.3. Description of the LM Generator

Fig. 2. LM Generator (r = 2)

The LM generator, shown in fig. 2, is very similar to the summation generator, in that L, L and c are defined in exactly the same way. Another bit of memory,, is added to the combining function, in an attempt to overcome some of the published attacks on the summation generator. The carry bit, c, is defined by equation 1, identical to the summation generator. The additional memory bit is calculated by the function f and the output function f is changed to include. The value of -1 is defined to be 0.

f ) (3) ( 1 (4) f c 1 1

2.4. Cryptanalysis of the LM Generator

Due to the similarity in construction between the summation generator and the LM generator, similar algorithms can be used to attack both generators. These are outlined below [14].

Divide and Conquer Attack

The attack on the summation generator given in [5] can be adapted to recover the initial state of the LM generator. The attacking algorithm is given below [14]:

1. Guess the initial state of L and carry bits c 1 and 1
2. Set 0
3. Calculate, bit of R, using equation 2 and the known keystream bit
4. Calculate c using equation 1 and the calculated
5. Calculate using equation 3 and the calculated
6. Increment, if < k then go to step 3
7. Initialise the LM generator with the guessed initial state of L and the calculated initial states L, c n 1, n n 1
8. Produce a candidate keystream sequence { } k n { } k n and compare with the observed keystream sequence
9. If { } k n { } k n n are identical, then the correct initial states of L and L are successfully recovered, else go to step 1

This attack requires an exhaustive search of m+2 bits, that is, the size of L and the carry bit c and the memory bit, to recover the initial states of both registers, that is, the m+n bits of initial state. Under this attack, the addition of offers only one extra bit of security over the summation generator.

Fast Correlation Attack

Fig. 3. Fast Correlation Attack Model for the LM Generator

The LM generator can be modelled as the modulo-two sum of two LFSRs, plus some binary noise, as shown in fig. 3, where e is the noise and is the output keystream bit. For the LM generator, the noise is provided by the modulo-two sum of the carry bit c and the memory bit. The two memory bits are highly correlated, with P(c ) 0.75. Therefore, modelling the LM generator this way, the noise level is 0.25. This is a significant deviation
from 0.5, and makes the LM generator vulnerable to a fast correlation attack, similar to the fast correlation attack on the summation generator.

Table 1. Distribution of c and in the LM Generator

c 1 1 c 0 1 1 0 0 1 0 1 0 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 1 1 0
0 1 1 0 0 1 1 0

The carry bit, c, and the memory bit,, are identical with probability of 0.75, as shown in Table 1. Recall that the output of the LM generator is defined as

c 1 1 ( ) ( c 1 1 1 1 )

Since c 0 is true with probability 0.75, is also true with probability 0.75. This can be exploited in a fast correlation attack to recover the initial states of the LM generator [7].

3. PingPong Generator

3.1. Description of the PingPong Generator

The proposed PingPong family generators are simple, easy to implement in hardware and in software, and highly secure. The PingPong family in fig. 4 is a hybrid generator, combining the LM generator (improved summation generator) with a highly secure clock-controlled generator. LFSR A is clock-controlled by function f, which has a random integer output. LFSR B is clock-controlled by function f, which also has a random output. The two clock-control functions each give multiple clocks to the other LFSR, which should make the output more unpredictable. The PingPong family generator outputs, c and c from each LFSR outputs and, previous carry c -1 and previous memory -1, as in fig. 4.

Fig. 4. PingPong Family Generator

f y (5) 1 f f (,, 1 ) ( ) 1 (6)

where (y) is the output sequence of the summation generator, () the output sequence of LFSR 1, () the output sequence of LFSR 2, (c) the carry sequence, c -1 = 0 the carry initialisation value, () the memory sequence, and -1 = 0 the memory initialisation value.

3.2. PingPong-128

In this section, we describe in detail PingPong-128, an instance from the PingPong family of stream ciphers. It has two mutually clocking LFSRs and a single memory bit. The LFSRs are of lengths 127 bits and 129 bits. Together with the memory bit they give PingPong-128 an internal state of 257 bits. PingPong-128 takes a 128-bit key and a 128-bit initialisation vector to fill the internal state.
Keystream Generation

The PingPong generator produces the output keystream by combining the LFSR sequences and the memory sequence. PingPong-128 has two mutually clocking LFSRs L and L, and a single bit of memory c. Two primitive polynomials, P (x) and P (x), are the following:

p p 127 ( x) x 55 x 23 x 1 x 1 ( x) x x x x 129 93 53 13 9 109 52 21 125 89 49 91 48 20 1

Fig. 5. PingPong-128 Generator

The two clock-control functions, f (L ) and f (L ), and the output keystream bit and memory bit c at time are defined to be identical to the summation generator:

f (L ) = 2L42(t) + L85(t)   (7)
f (L ) = 2L43(t) + L86(t)   (8)
(9) y 1 5 85 45 121 84 45 19 81 41 117 (10) f (,, 1 ) ( ) 1 16 77 37
73 42 113 41 13 73 33 67 109 37 12 69 29 66 105 7 63 34 65 25 6 101 56 30 61 21 2 97 27 57 17

Clock Control

For PingPong-128, both LFSRs are irregularly clocked, with each register controlling the clocking of the other. Two taps are taken from L to calculate a value in the range 1...4, and L is clocked 1 to 4 times according to this value. Similarly, a value is calculated from two taps taken from L to clock L. The clock control is calculated by the above two functions, f A and f B. This clocking scheme can be applied to the PingPong family of keystream generators with n underlying LFSRs, where L is used to clock L +1 and L 1 is clocked by L n.

Key Loading and Rekeying

In some communication systems, errors occur which require that the entire message be resent. When a synchronous stream cipher is used, security then requires that a different keystream sequence be used. To achieve this, the rekeying of a stream cipher should include a method for reinitialisation using both the secret key and an additional initialisation vector which is sent in the clear, or otherwise publicly known.

We now describe a proposed method for the initial key loading and for the rekeying of PingPong-128. For PingPong-128, both k and iv have a length of 128 bits, and together they fill 257 bits of internal state. The initialisation process can also be used for rekeying. The process to generate the initial state for the keystream generator uses the generator itself twice. The starting state of L is obtained simply by XORing the two 128-bit binary strings of the key, k, and iv, that is, L = (k ⊕ iv) mod 2^127.
The starting state of 129 bits for L is obtained by considering the 128-bit key, embedded in a 129-bit word and shifted 1 bit to the left, and XORing that with the initialisation vector embedded in a 129-bit word with a leading zero, that is, L = (k<<1) ⊕ (0 iv). Now the cipher is run to produce an output string of length 257 bits. For the second iteration of the cipher, the first 128 bits of this output string are used to form the initial state of L, and the remaining 129 bits are used to form the initial state of L. The cipher is run a second time to produce an output string of length 257 bits. The output from this second application is used to form the initial state of the keystream generator when we begin keystream production. As previously, the first 128 bits form the initial state of L, and the remaining 129 bits form the initial state of L. It is very unlikely that either LFSR will be initialised with the all-zero state.

By employing the PingPong algorithm itself, we take advantage of both the known security properties of the algorithm and also its fast implementation. Due to the high security of PingPong we conclude that the best attack in the rekeying scenario is exhaustive key search.

Implementation Issue

Both LFSRs in PingPong-128 use the Galois implementation rather than the Fibonacci implementation. This is a design decision based on the software performance of the implementation. It is observed that the Galois implementation is much more efficient in software than the Fibonacci, although both implementations are equally efficient in hardware. It is worth noting that these two implementations give different output sequences with the same initial LFSR states, therefore it is essential to specify the style of implementation.

4. Analysis of the PingPong Generator

In this section, we present the keystream properties of the PingPong generator based on empirical results. We also show the resistance of the PingPong generator to known attacks.
4.1. Keystream Properties

There are three basic requirements for the pseudorandom binary sequences: long period, high linear complexity, and good statistical properties. A long period avoids the keystream being reused when encrypting long messages. High linear complexity prevents attacks using the Berlekamp-Massey algorithm [12]. Good statistical properties guard against attacks exploiting the biases in the keystream.

Experiments have been done on several instances from the PingPong family of keystream generators to observe the keystream properties of PingPong. Each instance of PingPong has a pair of LFSRs of different lengths. For each pair, we used a number of different feedback polynomials and took clocking taps from various stages of the registers. It was observed that the choice of feedback polynomials and clocking tap position did not influence the keystream properties. For each pair of LFSR lengths, 50 random initial states were used to run the experiment. The results of the experiments varied widely; for example, for register lengths 9 and 10, the linear complexity varied between 400 and 822. The lowest resulting linear complexity and shortest period of the experiments are tabulated in Table 2.

Table 2. PingPong Keystream Properties

Register Lengths    Linear Complexity    Period
5, 6                23                   25
5, 7                50                   50
6, 7                43                   51
7, 8                93                   101
8, 9                200                  200
9, 10               400                  401
10, 11              815                  815
11, 13              3276                 3276
13, 15              13100                13105

From the empirical results, we derive the following equations for calculating the minimum linear complexity and period. Denote the sum of register lengths n; the lower bound of the linear complexity LC can be expressed as

25 · 2^((n - 11)/2) ≈ 2^4.6 · 2^((n - 11)/2)

Similarly, the period P can be expressed as

25 · 2^((n - 11)/2) ≈ 2^4.6 · 2^((n - 11)/2)

For PingPong-128, n = 256, the lower bound of the linear complexity is therefore

2^4.6 · 2^((256 - 11)/2) ≈ 2^4.6 · 2^123 ≈ 2^128

and the period P is

2^4.6 · 2^((256 - 11)/2) ≈ 2^4.6 · 2^123 ≈ 2^128

The design strength of PingPong-128 is 2^128. It is therefore resistant against attacks based on basic keystream properties such as linear complexity and period.

4.2. Time Memory Tradeoff Attack

The objective of time-memory tradeoff attacks is to recover the internal state at a known time. The attacks are conducted in two stages. During a preprocessing phase, the cryptanalyst constructs a lookup table, mapping possible internal states to prefixes of the corresponding output keystreams. In the real-time phase of the attack, the cryptanalyst takes a segment of known keystream and tries to find the corresponding internal state by searching through the lookup table.

Let S, M, T, P and D denote the cardinality of the internal state space, the memory (in binary words of size equal to log2 S), the computational time (in table lookups), the pre-computation time (in table lookups), and the amount of data (without re-keying, this is the length of known keystream), respectively. For the time-memory attacks described in [15], T·M = S, P = M and D = T. For example, a 2^128 · 2^128 = 2^256 tradeoff could be used. Therefore PingPong-256 with 256 bits of internal state can only have 128 bits of security. The more general time-memory-data tradeoff [16] asserts that T·M^2·D^2 = S^2, P = S/D, D^2 ≤ T. This decreases D at the cost of increasing P. For example, one may choose M = D = S^(1/3) and T = P = S^(2/3), but for PingPong-256, with S = 2^256, this gives M = D = 2^85.3 and T = P = 2^170.7, clearly better than exhaustive key search.

4.3. Mutual Irregular Clocking of LFSRs

In this section we consider two LFSRs that clock each other in an irregular fashion. Let L and L be the two LFSRs with primitive polynomials and length len and len respectively. When clocked autonomously they produce m-sequences with period 2^len - 1 and 2^len - 1 for any non-zero initial state. Now consider the cycle structure for the situation where they clock each other using two bits from each register to select from 1, 2, 3 or 4 clock cycles for the other register to obtain the next state. This is the general model for the PingPong structure.
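The mutual clocking model just described is small enough to enumerate completely at toy scale. The following added example (not code from the paper) does so for two Fibonacci LFSRs of lengths 5 and 6; the feedback polynomials, the tap positions and the +1 that places the step value in {1, 2, 3, 4} are assumptions of the example. It counts how many precursor states each state has, how many states are unreachable, and how many lie on cycles.

```python
from collections import Counter

# Toy parameters, all assumptions of this example (not PingPong-128 values):
# Fibonacci LFSRs of lengths 5 and 6 with primitive feedback polynomials.
LEN_A, MASK_A = 5, 0b00101    # s[t+5] = s[t] ^ s[t+2]   (x^5 + x^2 + 1)
LEN_B, MASK_B = 6, 0b000011   # s[t+6] = s[t] ^ s[t+1]   (x^6 + x + 1)
TAPS = (0, 2)                 # hypothetical clock-control tap positions

def clock(state, length, mask, times=1):
    """Advance a Fibonacci LFSR by `times` steps (bit 0 is the oldest bit)."""
    for _ in range(times):
        feedback = bin(state & mask).count("1") & 1
        state = (state >> 1) | (feedback << (length - 1))
    return state

def step(state):
    """Map two tap bits to a clock count in {1, 2, 3, 4} (the +1 is assumed)."""
    return 2 * ((state >> TAPS[0]) & 1) + ((state >> TAPS[1]) & 1) + 1

def next_state(a, b):
    """Mutual clocking: taps of B decide A's steps and taps of A decide B's."""
    return (clock(a, LEN_A, MASK_A, step(b)), clock(b, LEN_B, MASK_B, step(a)))

def lfsr_period(length, mask):
    """Period of one register when it is clocked autonomously."""
    state, count = clock(1, length, mask), 1
    while state != 1:
        state, count = clock(state, length, mask), count + 1
    return count

def analyse():
    """Build the full next-state graph and summarise its structure."""
    states = [(a, b) for a in range(1, 2 ** LEN_A) for b in range(1, 2 ** LEN_B)]
    succ = {s: next_state(*s) for s in states}
    indeg = Counter(succ.values())            # number of precursors per state
    unreachable = [s for s in states if indeg[s] == 0]
    # Peel off states with no remaining precursor; what is left lies on cycles.
    remaining, stack, peeled = dict(indeg), list(unreachable), 0
    while stack:
        target = succ[stack.pop()]
        peeled += 1
        remaining[target] -= 1
        if remaining[target] == 0:
            stack.append(target)
    return {
        "states": len(states),
        "unreachable": len(unreachable),
        "max_precursors": max(indeg.values()),
        "on_cycles": len(states) - peeled,
        "precursor_histogram": [sum(1 for s in states if indeg[s] == k)
                                for k in range(5)],
    }

if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```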
Let L be clocked step cycles by the bits L [c1] and L [c2], and similarly L is clocked step cycles by L [c3] and L [c4]. The clocking positions c i are fixed by the algorithm specification, and also

step = 2 L[c1] + L[c2]
step = 2 L[c3] + L[c4]

Clearly step and step are in the set {1,2,3,4}. Now define the cumulative clocking values

SUM [t] = Σ (i = 0 to t) step [i]

and similarly

SUM [t] = Σ (i = 0 to t) step [i]

Then the state of the system at time t is given by

[ L [SUM [t]], L [SUM [t]] ]

Now consider how

[ L [SUM [t - 1]], L [SUM [t - 1]] ]

evolves into

[ L [SUM [t]], L [SUM [t]] ]

Any state [ L [SUM [t]], L [SUM [t]] ] could have up to four precursor states, corresponding to step in {1,2,3,4}. Consider the precursor state associated with step = i, then we have SUM [t - 1] + i = SUM [t]. Clearly there must also be some value for step. Note that the values for i and are specified by the bits in the registers at time t - 1. Clearly, in order to obtain a state from the previous state with clocking of (i,), we must have both

i = step = 2 L[SUM [t - 1]][c1] + L[SUM [t - 1]][c2]

and

step = 2 L[SUM [t - 1]][c3] + L[SUM [t - 1]][c4]

where both

SUM [t - 1] + i = SUM [t]

and

SUM [t - 1] + = SUM [t]

Given any state, there are 16 bits (4 bits after each of the 4 clocking taps) that could have influenced the progression to that state. Four checks of the above expressions give the means to determine how many precursor states exist. Note that there will be states that are unreachable (they have no precursor states), and these are the states that exist as the starts of trails leading to cycles. The next-state diagram is more comparable to that of random functions, rather than random bijections. Although more precise work needs to be done in the analysis and security comparison of the PingPong style structure, it seems clear that it does not produce the same quality state sequences as an LFSR of the same size.

5. Conclusion

In this paper, we have proposed PingPong, a generator based on the summation generator with a mutual clock control structure. It defeats known attacks against the summation generator and other clock-controlled keystream generators.

6. Acknowledgement

This research was supported by University IT Research Center Project, and by the Program for Training of Graduate Students in Regional Innovation.

7. References

[1] A.J. Menezes, P.C. Oorschot and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[2] Wedbush Morgan Securities - Industrial Report, Access Management/Internet Security Industry, on http://www.viksqupt.com, Feb. 28, 2002.
[3] R. A. Rueppel, Correlation Immunity and the Summation Generator, Advances in Cryptology, Proceedings of CRYPTO 85, pp. 260-272, 1985.
[4] W. Meier and O. Staffelbach, Correlation Properties of Combiners with Memory in Stream Ciphers, Advances in Cryptology, Proceedings of EUROCRYPT90, pp. 204-213, 1991.
[5] E. Dawson, Cryptanalysis of Summation Generator, Advances in Cryptology - AUSCRYPT 92, Lecture Notes in Computer Science, Springer-Verlag, pp. 209-215, 1993.
[6] J. Golic, M. Salmasizadeh and E. Dawson, Fast Correlation Attacks on the Summation Generator, Journal of Cryptology, Vol. 13, No. 2, pp. 245-262, 2000.
[7] Hoonjae Lee, Sangjae Moon, On An Improved Summation Generator with 2-Bit Memory, Signal Processing, 80(1), pp. 211-217, Jan. 2000.
[8] T. Siegenthaler, Design of Combiners to Prevent Divide and Conquer Attacks, Advances in Cryptology, Proceedings of CRYPTO 85, pp. 273-279, 1985.
[9] R. A. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag, 1986.
[10] W. Meier and O. Staffelbach, Correlation Properties of Combiners with Memory in Stream Ciphers, Journal of Cryptology, Vol. 5, pp. 67-86, 1992.
[11] A. Clark, E. Dawson, J. Fuller, J. Golic, Hoon-Jae Lee, W. Millan, Sang-Jae Moon, L. Simpson, The LILI-II Keystream Generator, LNCS 2384, pp. 25-39, Jul. 2002 (ACISP 2002).
[12] J. L. Massey, Shift-Register Synthesis and BCH Decoding, IEEE Trans. on Infor. Theo., Vol. IT-15, No. 1, pp. 122-127, Jan. 1969.
[13] R. A. Rueppel and O. J. Staffelbach, Products of Linear Recurring Sequences with Maximum Complexity, IEEE Trans. on Infor. Theo., Vol. IT-33, No. 1, pp. 124-131, Jan. 1987.
[14] Kevin Chen, E. Dawson, etc., Security Analysis of the LM Generator, Report, Aug. 2004.
[15] S. Babbage, Improved exhaustive search attacks on stream ciphers, European Convention on Security and Detection, Vol. 408, pp. 161-166, May 1995.
[16] A. Biryukov and A. Shamir, Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers, Advances in Cryptology, Proceedings of ASIACRYPT00, LNCS 1976, pp. 1-13, 2000.