# Specification of SNOW 3G in Cryptol


1. Specification of SNOW 3G in Cryptol. Pedro Pereira, Ulisses Costa. Formal Methods in Software Engineering, March 26, 2009.
2. Index: 1 Cryptol; 2 Stream Ciphers; 3 Conclusion
3. Overview
   - High-level language to deal with low-level problems
   - Everything is a sequence
   - Sequences can be either finite or infinite
   - Primitive polymorphic functions
   - Information structure can be changed easily
   - Recursion and sequence comprehensions ⇒ recurrence relations
4. Types
   - Cryptol: `tail : {a b} [a+1]b -> [a]b;`
     - Types are size and bit oriented
     - Sequences have infinite size (inf)
     - `[a]b` - polymorphism over b
   - Haskell: `tail :: [b] -> [b]`
     - Lists have infinite length
     - `[b]` - polymorphism over b
   - Very similar notation
   - Polymorphism
   - Type inference
5. Types: types in Cryptol are size oriented

   Cryptol:

   ```cryptol
   drop  : {a b c} (fin a, a >= 0) => (a, [a+b]c) -> [b]c
   take  : {a b c} (fin a, b >= 0) => (a, [a+b]c) -> [a]c
   join  : {a b c} [a][b]c -> [a*b]c
   split : {a b c} [a*b]c -> [a][b]c
   tail  : {a b} [a+1]b -> [a]b
   ```

   Haskell:

   ```haskell
   drop   :: Int -> [a] -> [a]
   take   :: Int -> [a] -> [a]
   concat :: [[a]] -> [a] -- join in cryptol
   tail   :: [a] -> [a]
   ```
6. Language

   Cryptol:

   ```cryptol
   fib (n) = fibs @ n
     where {
       fibs = [0 1] # [| x + y || x <- drop (1, fibs) || y <- fibs |];
     };
   ```

   Haskell:

   ```haskell
   fib n = fibs !! n
     where fibs = [0, 1] ++ [x + y | x <- drop 1 fibs | y <- fibs]
   ```

   Footnote: the Haskell version needs `ghc -XParallelListComp`.
7. Language

   Specification:

   MULα(c) = (MULxPOW(c, 23, 0xA9) || MULxPOW(c, 245, 0xA9) || MULxPOW(c, 48, 0xA9) || MULxPOW(c, 239, 0xA9))

   C:

   ```c
   /* The function MUL alpha.
    * Input c: 8-bit input.
    * Output: 32-bit output.
    * See section 3.4.2 for details.
    */
   u32 MULalpha(u8 c)
   {
       return ((((u32)MULxPOW(c, 23, 0xa9)) << 24) |
               (((u32)MULxPOW(c, 245, 0xa9)) << 16) |
               (((u32)MULxPOW(c, 48, 0xa9)) << 8) |
               (((u32)MULxPOW(c, 239, 0xa9))));
   }
   ```

   Cryptol:

   ```cryptol
   MULa : [8] -> [32];
   MULa (c) = join (reverse [
       (MULxPOW (c, 23:[32], 0xA9))
       (MULxPOW (c, 245:[32], 0xA9))
       (MULxPOW (c, 48:[32], 0xA9))
       (MULxPOW (c, 239:[32], 0xA9))
     ]);
   ```

   Footnote: 'reverse' is used because Cryptol stores words in little-endian.
8. Index: 1 Cryptol; 2 Stream Ciphers; 3 Conclusion
9. Stream Ciphers: Characteristics
   - Symmetric key ciphers ⇒ same key for encryption/decryption
   - Typically very fast (faster than block ciphers)
   - Low hardware complexity
   - Low memory requirements
   - Encryption: plaintext ⊕ keystream
   - Decryption: ciphertext ⊕ keystream
   - Tries to capture the "essence" of the theoretically unbreakable One-Time Pad
10. Stream Ciphers: One-Time Pad
    - Uses a truly random keystream
    - Impossible to determine any kind of relation between ciphertext and plaintext
    - Best attack: guessing the plaintext ⇒ impossible to break
    - OK, but in reality...
    - The best we can do is generate a pseudo-random keystream ⇒ statistical randomness (susceptible to attacks)
    - But it's possible to make it very HARD to break
    - We cannot aim for theoretical security, but practical security is good enough
11. Linear Feedback Shift Register (LFSR)
    - Generates a sequence of bits with near-random properties
    - But its mathematical structure gives too much away ⇒ possible to compute its polynomial representation
    - S-boxes make it possible to hide its (low) linear complexity ⇒ practical security!
12. A simple LFSR in Cryptol

    ```cryptol
    lfsr : [inf]Bit;
    lfsr = [False True False False True False True True]
         # [| (x3 ^ x5 ^ x7)
           || x3 <- drop (3, lfsr)
           || x5 <- drop (5, lfsr)
           || x7 <- drop (7, lfsr) |];
    ```
13. Substitution boxes (S-boxes)
    - Lookup table of portions of bits
    - Reduces relation between plaintext and ciphertext (Shannon's confusion property)
    - Increases resistance to different cryptanalysis techniques
14. S-boxes in Cryptol
15. SNOW 3G
    - Invented at Lund University (Sweden)
    - Chosen as the cipher of 3GPP encryption algorithms UEA2 and UIA2
    - Uses a 128/256 bit key
    - Combination of an LFSR with a Finite State Machine (S-boxes)
    - Best (known) attack is exhaustive keyspace brute force ($2^{128}$) ⇒ completely safe by today's standards
16. SNOW 3G Structure
17. SNOW 3G Spec I - MULx

    SNOW 3G Specification: MULx maps 16 bits to 8 bits. If the leftmost (i.e. the most significant) bit of V equals 1, then $\mathrm{MULx}(V, c) = (V \ll_8 1) \oplus c$, else $\mathrm{MULx}(V, c) = V \ll_8 1$.

    ```cryptol
    MULx : ([8], [8]) -> [8];
    MULx (v, c) = if (v ! 0) == True
                  then (v << 1) ^ c
                  else (v << 1);
    ```
18. SNOW 3G Spec II - Initialization
19. Index: 1 Cryptol; 2 Stream Ciphers; 3 Conclusion
20. Conclusion
    - With Cryptol it is much easier to specify low-level algorithms
    - The specification is formal and easier to read
21. Questions?
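
Slide 11's point that an LFSR's structure "gives too much away", worked through on the LFSR from slide 12 as an added example in C (not from the slides): Berlekamp-Massey fits a feedback polynomial to 16 observed keystream bits and then predicts every later bit. The function names and the 64-bit sample length are choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NBITS 64   /* keystream bits generated for the demonstration */
#define MAXL NBITS /* L can never exceed the number of observed bits */

/* Slide 12's LFSR: 8 initial bits, then s[i] = s[i-5] ^ s[i-3] ^ s[i-1]. */
void lfsr_bits(uint8_t *s, int n) {
    static const uint8_t init[8] = {0, 1, 0, 0, 1, 0, 1, 1};
    for (int i = 0; i < n; i++)
        s[i] = (i < 8) ? init[i] : (uint8_t)(s[i - 5] ^ s[i - 3] ^ s[i - 1]);
}

/* Berlekamp-Massey over GF(2). Returns the linear complexity L and fills
 * c[0..MAXL] so that s[i] = XOR of c[j] & s[i-j], j = 1..L, for all i >= L. */
int berlekamp_massey(const uint8_t *s, int n, uint8_t *c) {
    uint8_t b[MAXL + 1] = {0}, t[MAXL + 1];
    int L = 0, m = -1;
    memset(c, 0, MAXL + 1);
    c[0] = b[0] = 1;
    for (int i = 0; i < n; i++) {
        uint8_t d = s[i]; /* discrepancy: observed bit vs. current prediction */
        for (int j = 1; j <= L; j++) d ^= c[j] & s[i - j];
        if (!d) continue;
        memcpy(t, c, sizeof t);
        for (int j = 0; j + i - m <= MAXL; j++) c[j + i - m] ^= b[j];
        if (2 * L <= i) { L = i + 1 - L; m = i; memcpy(b, t, sizeof b); }
    }
    return L;
}

/* Fit an LFSR to the first `known` bits; count wrong predictions up to n <= NBITS. */
int prediction_errors(const uint8_t *s, int n, int known) {
    uint8_t c[MAXL + 1], p[NBITS];
    int L = berlekamp_massey(s, known, c), errs = 0;
    memcpy(p, s, (size_t)known);
    for (int i = known; i < n; i++) {
        p[i] = 0;
        for (int j = 1; j <= L; j++) p[i] ^= c[j] & p[i - j];
        errs += p[i] != s[i];
    }
    return errs;
}

int main(void) {
    uint8_t s[NBITS], c[MAXL + 1];
    lfsr_bits(s, NBITS);
    printf("L=%d errors=%d\n", berlekamp_massey(s, 16, c), prediction_errors(s, NBITS, 16));
}
```

For the slide's register the recovered recurrence is s[i] = s[i-3] ⊕ s[i-4] with linear complexity 7, one less than the 8-bit register, which is the weakness the S-box stage in SNOW 3G is there to hide.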
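
Slide 7's C `MULalpha` calls `MULxPOW`, which the slides do not define. The following added example (not from the slides or the 3GPP reference code) assumes the SNOW 3G specification's definition, MULx applied i times, and uses the GF(2)-linearity of slide 17's MULx to build the 256-entry lookup table an implementation can precompute, checking it against the direct definition. `build_table` and `table_mismatches` are names invented here.

```c
#include <stdint.h>
#include <stdio.h>

/* Slide 17: shift V left within 8 bits; XOR in c when the top bit was set. */
uint8_t MULx(uint8_t v, uint8_t c) {
    return (uint8_t)((v << 1) ^ ((v & 0x80) ? c : 0));
}

/* Assumed from the SNOW 3G specification (not on the slides):
 * MULxPOW(V, i, c) is MULx applied i times. */
uint8_t MULxPOW(uint8_t v, unsigned i, uint8_t c) {
    while (i--) v = MULx(v, c);
    return v;
}

/* Slide 7: four MULxPOW bytes, most significant byte first. */
uint32_t MULalpha(uint8_t c) {
    return ((uint32_t)MULxPOW(c, 23, 0xA9) << 24) |
           ((uint32_t)MULxPOW(c, 245, 0xA9) << 16) |
           ((uint32_t)MULxPOW(c, 48, 0xA9) << 8) |
           (uint32_t)MULxPOW(c, 239, 0xA9);
}

/* MULx is linear over GF(2), so MULalpha(c) is the XOR of MULalpha(1 << k)
 * over the set bits k of c. Build the full table from those 8 values. */
void build_table(uint32_t tab[256]) {
    uint32_t basis[8];
    for (int k = 0; k < 8; k++) basis[k] = MULalpha((uint8_t)(1u << k));
    for (int c = 0; c < 256; c++) {
        tab[c] = 0;
        for (int k = 0; k < 8; k++)
            if (c & (1 << k)) tab[c] ^= basis[k];
    }
}

/* Number of inputs where the table disagrees with the direct definition. */
int table_mismatches(void) {
    uint32_t tab[256];
    int bad = 0;
    build_table(tab);
    for (int c = 0; c < 256; c++) bad += tab[c] != MULalpha((uint8_t)c);
    return bad;
}

int main(void) {
    printf("mismatches=%d MULalpha(0x01)=0x%08x\n", table_mismatches(), (unsigned)MULalpha(1));
    return 0;
}
```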