Specification of SNOW 3G in Cryptol


  1. Specification of SNOW 3G in Cryptol
     Pedro Pereira, Ulisses Costa
     Formal Methods in Software Engineering
     March 26, 2009
  2. Index: 1 Cryptol, 2 Stream Ciphers, 3 Conclusion
  3. Overview
     • High-level language to deal with low-level problems
     • Everything is a sequence
     • Sequences can be either finite or infinite
     • Primitive polymorphic functions
     • Information Structure can be changed easily
     • Recursion and sequence comprehensions ⇒ recurrence relations
  4. Types
     Cryptol:
         tail : {a b} [a+1]b -> [a]b;
     • Types are size and bit oriented
     • Sequences have infinite size (inf)
     • [a]b - Polymorphism over b
     Haskell:
         tail :: [b] -> [b]
     • Lists have infinite length
     • [b] - Polymorphism over b
     Cryptol and Haskell:
     • Very similar notation
     • Polymorphism
     • Type inference
  5. Types
     Types in Cryptol are size oriented.
     Cryptol:
         drop  : {a b c} (fin a, a >= 0) => (a, [a+b]c) -> [b]c
         take  : {a b c} (fin a, b >= 0) => (a, [a+b]c) -> [a]c
         join  : {a b c} [a][b]c -> [a*b]c
         split : {a b c} [a*b]c -> [a][b]c
         tail  : {a b} [a+1]b -> [a]b
     Haskell:
         drop   :: Int -> [a] -> [a]
         take   :: Int -> [a] -> [a]
         concat :: [[a]] -> [a]   -- join in cryptol
         tail   :: [a] -> [a]
  6. Language
     Cryptol:
         fib (n) = fibs @ n where {
             fibs = [0 1] # [| x + y || x <- drop (1, fibs)
                                     || y <- fibs |];
         };
     Haskell (footnote: ghc -XParallelListComp):
         fib n = fibs !! n
           where fibs = [0,1] ++ [x + y | x <- drop 1 fibs
                                        | y <- fibs]
  7. Language
     Specification:
         MULα(c) = (MULxPOW(c, 23, 0xA9) || MULxPOW(c, 245, 0xA9) ||
                    MULxPOW(c, 48, 0xA9) || MULxPOW(c, 239, 0xA9))
     C:
         /* The function MUL alpha.
          * Input c: 8-bit input.
          * Output: 32-bit output.
          * See section 3.4.2 for details.
          */
         u32 MULalpha(u8 c)
         {
             return ((((u32)MULxPOW(c, 23, 0xa9)) << 24) |
                     (((u32)MULxPOW(c, 245, 0xa9)) << 16) |
                     (((u32)MULxPOW(c, 48, 0xa9)) << 8) |
                     (((u32)MULxPOW(c, 239, 0xa9))));
         }
     Cryptol:
         MULa : [8] -> [32];
         MULa (c) = join (reverse [
             (MULxPOW (c, 23 : [32], 0xA9))
             (MULxPOW (c, 245 : [32], 0xA9))
             (MULxPOW (c, 48 : [32], 0xA9))
             (MULxPOW (c, 239 : [32], 0xA9)) ]);
     Footnote: 'reverse' is used because Cryptol stores words in little-endian.
  8. Index: 1 Cryptol, 2 Stream Ciphers, 3 Conclusion
  9. Stream Ciphers: Characteristics
     • Symmetric key ciphers ⇒ same key for encryption/decryption
     • Typically very fast (faster than Block ciphers)
     • Low hardware complexity
     • Low memory requirements
     • Encryption: plaintext ⊕ keystream
     • Decryption: ciphertext ⊕ keystream
     • Tries to capture the “essence” of the theoretically unbreakable One-Time Pad
  10. Stream Ciphers
      One-Time Pad:
      • Uses a truly random keystream
      • Impossible to determine any kind of relation between ciphertext and plaintext
      • Best attack: guessing the plaintext ⇒ Impossible to break
      Ok but in reality...
      • The best we can do is generate a pseudo-random keystream ⇒ Statistical randomness (susceptible to attacks)
      • But it’s possible to make it very HARD to break
      • We cannot aim for theoretical security but practical security is good enough
  11. Linear Feedback Shift Register (LFSR)
      • Generates a sequence of bits with near random properties
      • But its mathematical structure gives too much away ⇒ possible to compute its polynomial representation
      • S-boxes make it possible to hide its (low) linear complexity ⇒ practical security!
  12. A simple LFSR in Cryptol
          lfsr : [inf]Bit;
          lfsr = [False True False False True False True True]
               # [| (x3 ^ x5 ^ x7) || x3 <- drop (3, lfsr)
                                   || x5 <- drop (5, lfsr)
                                   || x7 <- drop (7, lfsr) |];
  13. Substitution boxes (S-boxes)
      • Lookup table of portions of bits
      • Reduces relation between plaintext and ciphertext (Shannon’s confusion property)
      • Increases resistance to different Cryptanalysis techniques
  14. S-boxes in Cryptol
  15. SNOW 3G
      • Invented at Lund University (Sweden)
      • Chosen as the cipher of 3GPP encryption algorithms UEA2 and UIA2
      • Uses a 128/256 bit key
      • Combination of an LFSR with a Finite State Machine (S-boxes)
      • Best (known) attack is exhaustive keyspace brute force (2^128) ⇒ Completely safe by today’s standards
  16. SNOW 3G Structure
  17. SNOW 3G Spec I - MULx
      SNOW 3G Specification:
      MULx maps 16 bits to 8 bits. If the leftmost (i.e. the most significant) bit of V equals 1, then
          MULx(V, c) = (V <<₈ 1) ⊕ c
      else
          MULx(V, c) = V <<₈ 1
      Cryptol:
          MULx : ([8], [8]) -> [8];
          MULx (v, c) = if (v ! 0) == True
                        then (v << 1) ^ c
                        else (v << 1);
  18. SNOW 3G Spec II - Initialization
  19. Index: 1 Cryptol, 2 Stream Ciphers, 3 Conclusion
  20. Conclusion
      • With Cryptol it is much easier to specify low-level algorithms
      • The specification is formal and easier to read
  21. Questions?
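
Added example, not part of the slides: the LFSR from slide 12 written in C, with the Berlekamp-Massey algorithm run over its output to show what slide 11 means by the mathematical structure giving too much away. The function names and the 32-bit input limit are choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Slide's LFSR: after the 8-bit initial fill, s[n] = s[n-5] ^ s[n-3] ^ s[n-1]. */
void slide_lfsr(uint8_t *s, int n) {
    static const uint8_t fill[8] = {0, 1, 0, 0, 1, 0, 1, 1};
    for (int i = 0; i < n; i++)
        s[i] = i < 8 ? fill[i] : (uint8_t)(s[i - 5] ^ s[i - 3] ^ s[i - 1]);
}

/* Berlekamp-Massey over GF(2), n <= 32. Returns the linear complexity L; *poly
 * is the connection polynomial: s[i] = XOR of s[i-j] over set bits j >= 1, i >= L. */
int berlekamp_massey(const uint8_t *s, int n, uint64_t *poly) {
    uint64_t c = 1, b = 1, t;
    int L = 0, m = 1;
    for (int i = 0; i < n; i++) {
        int d = s[i];                         /* discrepancy at position i */
        for (int j = 1; j <= L; j++)
            d ^= (int)((c >> j) & 1) & s[i - j];
        if (d && 2 * L <= i) {                /* register has to grow */
            t = c; c ^= b << m; b = t; L = i + 1 - L; m = 1;
        } else {
            if (d) c ^= b << m;
            m++;
        }
    }
    *poly = c;
    return L;
}

/* Recover the recurrence from `known` bits, count wrong predictions up to `total` (<= 256). */
int prediction_errors(int known, int total) {
    uint8_t real[256], g[256];
    uint64_t c;
    slide_lfsr(real, total);
    int errors = 0, L = berlekamp_massey(real, known, &c);
    for (int i = 0; i < total; i++) {
        g[i] = i < known ? real[i] : 0;
        for (int j = 1; i >= known && j <= L; j++)
            g[i] ^= (uint8_t)((c >> j) & 1) & g[i - j];
        errors += g[i] != real[i];
    }
    return errors;
}

int main(void) {
    printf("wrong predictions after 14 observed bits: %d\n", prediction_errors(14, 256));
    return 0;
}
```

On the slide's stream, 14 observed bits are enough to recover s[n] = s[n-3] ^ s[n-4] (register length 7) and predict every later bit, while 12 bits still give a wrong recurrence. The recovered recurrence is shorter than the slide's three taps because x^5 + x^4 + x^2 + 1 = (x + 1)(x^4 + x + 1) over GF(2).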

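
Added example, not from the slides or the 3GPP reference code: MULx (slide 17) and MULα (slide 7) as one compilable C unit, with an exhaustive check that the shift-and-OR form of the C panel and the join/reverse form of the Cryptol panel build the same word. MULxPOW is not defined on the slides; its definition here (MULx applied i times) follows the 3GPP specification, and `MULalpha_join_reverse` and `count_violations` are hypothetical helpers.

```c
#include <stdint.h>
#include <stdio.h>

/* MULx slide: 8-bit left shift, XOR c in when the MSB of v was 1. */
uint8_t MULx(uint8_t v, uint8_t c) {
    return (v & 0x80) ? (uint8_t)((v << 1) ^ c) : (uint8_t)(v << 1);
}

/* Not on the slides: per the 3GPP specification MULxPOW(v, i, c) applies
 * MULx i times (a loop here, where the specification uses recursion). */
uint8_t MULxPOW(uint8_t v, unsigned i, uint8_t c) {
    while (i--) v = MULx(v, c);
    return v;
}

/* C panel of the slide: the first byte ends up most significant. */
uint32_t MULalpha(uint8_t c) {
    return ((uint32_t)MULxPOW(c, 23, 0xA9) << 24) |
           ((uint32_t)MULxPOW(c, 245, 0xA9) << 16) |
           ((uint32_t)MULxPOW(c, 48, 0xA9) << 8) |
           (uint32_t)MULxPOW(c, 239, 0xA9);
}

/* Cryptol panel modelled in C (hypothetical helper): after reverse, element k
 * of the list is exponent e[3 - k]; join puts element 0 in the low byte. */
uint32_t MULalpha_join_reverse(uint8_t c) {
    static const unsigned e[4] = {23, 245, 48, 239};
    uint32_t w = 0;
    for (int k = 0; k < 4; k++)
        w |= (uint32_t)MULxPOW(c, e[3 - k], 0xA9) << (8 * k);
    return w;
}

/* Exhaustive checks (hypothetical helper); returns the number of failures. */
int count_violations(void) {
    int bad = 0;
    for (unsigned a = 0; a < 256; a++) {
        uint32_t ma = MULalpha((uint8_t)a);
        bad += ma != MULalpha_join_reverse((uint8_t)a);   /* both panels agree */
        for (unsigned b = 0; b < 256; b++)                /* XOR-linearity */
            bad += MULalpha((uint8_t)(a ^ b)) != (ma ^ MULalpha((uint8_t)b));
    }
    return bad;
}

int main(void) {
    printf("MULalpha(0x01) = 0x%08X, failures = %d\n", (unsigned)MULalpha(0x01), count_violations());
    return 0;
}
```

The second check confirms that MULα is linear over XOR, which is what lets it sit in the LFSR feedback path without adding any non-linearity of its own.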