Exploiting Transformations of the Galois Configuration to Improve Guess-and-Determine Attacks on NFSRs

Size: px

Start display at page:

Download "Exploiting Transformations of the Galois Configuration to Improve Guess-and-Determine Attacks on NFSRs"

Anne Rose
5 years ago
Views:

1 Exploiting Tranformation of the Galoi Configuration to Improve Gue-and-Determine Attack on NFSR Gefei Li, Yuval Yarom, and Damith C. Ranainghe Univerity of Adelaide, Adelaide, South Autralia, Autralia Abtract. Gue-and-determine attack are baed on gueing a ubet of internal tate bit and ubequently uing thee guee together with the cipher output function to determine the value of the remaining tate. Thee attack have been uccefully employed to break NFSRbaed tream cipher. The complexity of a gue-and-determine attack i directly related to the number of tate bit ued in the output function. Conequently, an opportunity exit for efficient cryptanalyi of NFSRbaed tream cipher if NFSR ued can be tranformed to derive an equivalent tream cipher with a implified output function. In thi paper, we preent a new technique for tranforming NFSR. We how how we can ue thi technique to tranform NFSR to equivalent NFSR with implified output function. We explain how uch tranformation can ait in cryptanalyi of NFSR-baed cipher and demontrate the application of the technique to uccefully cryptanalye the lightweight cipher Sprout. Our attack on Sprout ha a time complexity of , which i time better than any publihed non-tmd attack, and require only 64 bit of plaintext-ciphertext pair. Keyword: Gue-and-determine, NFSR, Sprout Introduction Stream cipher generate a equence of peudorandom bit called a keytream which i combined with plaintext to produce a tream of ciphertext. Stream cipher are attractive becaue, generally, they can achieve high throughput and their implicity make them uitable for reource contrained device uch a wirele enor and Radio Frequency Identification tag. A typical tream cipher for achievement of fat encryption of meage contain feedback function and an output function [28]. Linear feedback hift regiter (LFSR) are often ued in the deign of tream cipher becaue LFSR are imple and eay to implement in hardware. However, they are inecure againt everal attack uch a fat correlation attack [24], and algebraic attack [, 25]. Nonlinear feedback hift regiter (NFSR) are introduced a a protection againt thee attack.

2 2 There are two way to implement NFSR. An n-bit NFSR in the Fibonacci configuration (Figure ), ha one feedback function which update the mot ignificant bit (bit n ) of the regiter. The value of other bit are determined by hifting. That i, bit i i hifted to the bit i (i = n,..., ). Feedback function n- n-2 n-3... Output Fig. : The Fibonacci configuration of NFSR In the Galoi configuration of NFSR (Figure 2), each bit i updated uing it own feedback function. Therefore, there are up to n feedback function. fn- n- fn-2 n-2... f Output Fig. 2: The Galoi configuration of NFSR Dubrova [] ha formulated a tranformation of the Fibonacci configuration to the Galoi configuration for NFSR with the aim of increaing the computation peed. She later outlined a method for deriving the correponding initial tate to generate identical output keytream [2]. Dubrova [4] further elaborate tranformation for NFSR. In [, 4], Dubrova identifie everal criteria that hould be atified in order to maintain an equivalent output keytream equence before and after the tranformation of the tream cipher. Dubrova [4] note the potential for exploiting NFSR tranformation for cryptanalyi, however no uch ue i propoed and to the bet of our knowledge thi concept ha, o far, not been ued for cryptanalyi. The baic idea of gue-and-determine attack (GD attack) i to gue a part of the internal tate of the cipher, and ue the gueed tate to determine the value of other unknown tate. The attack wa firt introduced by Knuden et al. [2] and by Bleichenbacher and Patel [9] and wa later named gue-

3 3 and-determine [5, 9]. Since then, the gue-and-determine attack ha been ued to target everal tream cipher [, 7, 27, 29, 3]. We propoe an improved gue-and-determine attack againt NFSR-baed tream cipher. The attack require everal round to gue and determine internal tate bit involved in the output function of the tream cipher. At each round, one bit of the keytream equence i ued to determine one bit of the internal tate. Meanwhile, the output function ued in other clock feedback function of the tream cipher are ued to create Boolean function ytem. More information collected from the keytream equence i able to reduce the complexity of the attack and alo increae the number of round we need. Conequently, to reduce the cardinality of the dependence et of the output function of tream cipher, the technique of tranformation on NFSR are adopted in thi attack. However, previou work on tranformation on NFSR contain everal criteria on tranformation. We develop the theorem on tranformation on NFSR a well. In FSE 25, Armknecht and Mikhalev [3] propoed a lightweight tream cipher called Sprout. The main inpiration of the deign i to reit the timememory-data (TMD) tradeoff attack [4, 6 8, 8], and break the rule of thumb that the ize of internal tate hould be at leat twice the ize of key. To achieve thee goal, the key bit are treated a implied internal tate and are included in the feedback function. Thi bring the total number of expreed and implied internal tate bit to twice the ize of key. While only mall part of key bit involved in the feedback function of Sprout. In cryptanalytic perpective, by gueing a mall ize of the key bit, the attacker are able to recover the whole expreed internal tate. Lallemand and Naya-Plaencia [22] apply a rebound attack [26] with a time complexity of , which i 2 time fater than a brute force attack. (The attack require the equivalent of trie of a brute force attack, compared with 2 8 required for the full brute force attack.) Thi attack, a well a other attack on Sprout, are ummaried in Table. Table : Summary of attack on Sprout Type of attack Data Time Memory Rebound attack [22] TMD tradeoff attack[6] terabyte Ditinguihing attack[5] 2 75 O(n) Gue-and-determine attack (thi paper) O(n) The main contribution of thi paper i howing how to exploit NFSR tranformation for cryptanalyi, in particular for reducing the time complexity of gue-and-determine attack. Firtly, we generalie the work of Dubrova [4] by relaxing the limitation on NFSR tranformation. We prove that our tranformation reult in equivalent NFSR, producing the ame output equence. We then how how to ue thee tranformation to reduce the complexity of the

4 4 NFSR output function, and with it the complexity of a gue-and-determine attack againt the NFSR. Finally, we apply the tranformation to the NFSR ued in the Sprout cipher and implement a gue-and-determine attack on the tranformed cipher. Our attack ha a complexity of , which i time better than the bet known non-tmd attack [22]. The paper i organied a follow: Section 2 provide background on NFSR and their tranformation and introduce the notation ued in thi paper. Section 3 preent our new tranformation of NFSR and prove that they preerve the output equence. Section 4 how how to ue the tranformation to improve gue-and-determine attack againt NFSR-baed cipher. In Section 5 we apply the technique to the Sprout cipher. 2 Preliminarie 2. Boolean function We firt introduce ome definition and notation we ue throughout the paper. Thee are, motly, baed on the notation of Dubrova []. Let GF (2) be the binary field with denoting the addition operation and juxtapoition denoting the field multiplication. For an arbitrary n, GF n (2) i the n-dimenional vector pace over GF (2). A Boolean function i a function f : GF n (2) GF (2). We ometime ue f(x) to replace the explicit notation f(x,..., x n ) when the number of variable i clear from the context. A product term of the variable x,..., x n i a term of the form x I = i I x i for ome I {,..., n }. Any Boolean function can be written a the um of product term of it input variable a format called the algebraic normal form (ANF). More formally, f(x,..., x n ) = c I x I I {,...,n } where c I {, } i called the coefficient of the product term x I. The dependence et of a Boolean function f i the et of thoe input variable that affect the function value. That i, i dep(f) iff there exit x,..., x i, x i+,..., x n uch that f(x,..., x i,, x i+,..., x n ) f(x,..., x i,, x i+,..., x n ) We note that for a product term we alway have dep(x I ) = I. Product term for which the cardinality of the dependence et i one, uch a x or x 5, are called linear product term. Product term with a larger cardinality of the dependence et, for example x x 2, are non-linear product term. The affine product term x = i neither linear nor non-linear. We do not ue the affine product term in thi work. For a Boolean function f(x,..., x n ) we define the poitive and negative m-hift of f, denoted by f +m and f m, a the function obtained from f by increaing and decreaing the indice of the input variable by m. That i, f +m (x,..., x n ) = f(x m,..., x n, x,..., x m ) f m (x,..., x n ) = f(x n m,..., x n, x,..., x n m )

5 5 2.2 Feedback Shift Regiter A hift regiter i a torage element coniting of n bit, known a the tate of the regiter. We ue the notation t i for the value of bit i of the tate at time t, and collectively denote the whole tate at time t by t = ( t,..., t n ). At each round, each of the tate bit receive the value of the next bit, i.e. t i = t i+ for i < n. At time t the regiter get an input which i entered into t n. The output of the regiter at time t i the value t. In a imple form of a feedback hift regiter, the input i calculated uing a Boolean feedback function f n of the tate. That i, t n = f n ( t ) = f n ( t,..., t n ). Thi form of feedback hift regiter i uually called the Fibonacci configuration. A more generalied form, known a the Galoi configuration, ha feedback function feeding into each bit. More formally, t i = f i( t ). A feedback function of the type f i ( t ) = t i+ g i( t ) uch that i + dep(g i ) i called ingular. Note that index arithmetic i done modulo-n, i.e. t n i the ame a t and n dep(g i ) iff dep(g i ). Further generaliation of feedback hift regiter include combining external input with the feedback function or uing a Boolean output function z( t ) to generate the output at time t. Two feedback hift regiter are conidered equivalent if they produce the ame output equence when given the ame input equence. In a linear feedback hift regiter (LFSR) the feedback function and the output function are all linear. Otherwie the regiter i a non-linear feedback hift regiter (NFSR). 2.3 Tranformation of NFSR Several work have looked at converion between Galoi and Fibonacci NFSR. Dubrova [] look at converting Fibonacci NFSR to the Galoi configuration with the aim of improving the performance by reducing the depth of the logical circuit ued for implementing the feedback function. Dubrova notice that under certain condition, an NFSR can be converted to an equivalent NFSR by hifting product term between the feedback function of the bit of the NFSR. More pecifically, the hift are poible if the NFSR are uniform. That i, they are plit around a terminal bit τ, uch that all of the non-trivial feedback function update bit above the terminal bit and take their input from tate bit below the terminal bit. Dubrova [2] how how to update the initial tate of the NFSR to enure that the output equence i the ame after the hift of product term when uing a trivial output function z(t) = t. Dubrova [4] pecifie a et of contraint for hifting product term between feedback function. The contraint are the ame a thoe we preent in Section 3.. Thee contraint are more relaxed than the requirement of uing uniform NFSR.

6 6 Lin [23] examine the equivalence between the Galoi and the Fibonacci configuration of NFSR demontrating that Galoi NFSR of a pecific contruction can be converted into equivalent Fibonacci NFSR. The contruction require that the feedback function only take input from lower bit than the bit they update. That i, t+ i = t i+ g i( t ), uch that dep(g i ) {,..., i }. For thee NFSR, Lin [23] iteratively replace occurrence of t i in the feedback function with the expanded form t i = t i+ g i( t,..., t i ). Each uch replacement effectively hift the non-trivial part of the feedback function of bit i, creating an equivalent NFSR in which the feedback function of bit i i trivial, i.e. t+ i = t i. The reulting NFSR at the end of the proce ha only one non-trivial feedback function and i, therefore, a Fibonacci NFSR. 3 A Generalied NFSR Tranformation In thi ection we preent a generaliation of the tranformation uggeted in previou work. For implicity, we look at tranformation that hift a ingle product term one bit down the NFSR. Equivalent tranformation that hift the product term up one bit can be contructed in a imilar manner. We note that by repeatedly hifting multiple product term we can achieve the hift uggeted in the prior work. 3. The Baic Shift We have an n-bit NFSR N, with feedback function f i (x) = x i+ g i (x) and an output function z(x). We want to hift a product term p = x I, for ome I {,..., n }, from the feedback function f α to f α. Intuitively, what we want i to create an equivalent NFSR N with feedback function f i (x) = x i+ ḡ i (x) and an output function z(x) uch that the main difference between N and N i that f α (x) = f α (x) p(x) and f α (x) = f α p (x). In the general cae, we expect to need to have more difference between N and N to achieve equivalence. However, a a warmup, we firt look at a retricted cenario, in which N doe not require any further change. The contraint we have are:. α + I. 2. f i (x) = x i for all i I. 3. α dep(g i ) for any i α. 4. α dep(z). A mentioned above, thee contraint are the ame a the contraint of Dubrova [4]. The main difference between the etting we preent here and the etting of Dubrova i that we only hift the product term to a neighbouring bit, hence we require multiple hift to achieve the reult of Dubrova. Lin [23] define Galoi NFSR a thoe having thi pecific contruction. Thi i a ubet of the Galoi configuration a the term i ued in Dubrova [] and in thi paper.

7 7 We now define a hift tate tranform that we will ue for howing that N and N are equivalent. Definition. Let p = x I be a product term, and α < n. The hift tate tranform T p,α : GF n (2) GF n (2) i defined a follow: T p,α (,..., n ) = (,..., α, α p (,..., n ), α+,..., n ) Lemma. Let t and t denote the tate of N and N, repectively, at time t. If t = T p,α ( t ) then t+ = T p,α ( t+ ). Proof. We firt note that due to Contraint 2 if i I, t+ i = t i+. Hence, we have p( t ) = p ( t+ ). We alo note that from Contraint we have α + dep(p), which implie α dep(p ). Becaue the only difference between t and t i in bit α we have p ( t ) = p ( t ) and alo, by Contraint 3, we have g i ( t ) = g i ( t ). We now look at the bit of tate t+. For i α, i α we have ḡ i = g i. Conequently For tate bit α. For bit α we have: Thu t+ i = t i+ ḡ i ( t ) = t i+ g i ( t ) = t+ i t+ α = f α ( t ) = f α ( t ) p ( t ) = t α g α ( t ) p ( t ) = t α p ( t ) g α ( t ) p ( t ) = t α g α ( t ) = t α g α ( t ) = t+ α t+ α = f α ( t ) = f α ( t ) p( t ) = f α ( t ) p( t ) = f α ( t ) p ( t+ ) = f α ( t ) p ( t+ ) t+ = ( t+,..., t+ n ) = ( t+,..., t+ α, t+ α p ( t+ ), t+ α+,..., t+ n ) = T p,α ( t+ ) Theorem. If = T p,α ( ) then for all t, t = T p,α ( t ). Proof. Follow from Lemma by induction on t.

8 8 Theorem 2. N and N are equivalent. Proof. By definition, z, the output function of N i the ame a the output function of N. We need to how that for any initial tate of N we can find an initial tate of N uch that the output equence of the two NFSR are the ame. Let be the initial tate of N. We how that if N i initialied to T p,α ( ) then the output equence are the ame. By Theorem we know that for any t, t = T p,α ( t ). Hence, for any t, and for any i α, t i = t i. From Contraint 4 we know that z(t ) doe not depend on the value of t α. Hence, z( t ) = z( t ) = z( t ). We note that the operation we ue in the tranform are all reverible, hence a imilar contruction can be ued to hift p in the revere direction, i.e. from f α to f α+ 3.2 Relaxing the Contraint In Section 3. we pecified everal contraint on the hifted product term and ued thoe to etablih an invariant, baed on the hift tate tranform of Definition. In thi ection we want to relax ome of the contraint, namely Contraint 3 and 4, while preerving the invariant. The idea i imple: if we aume that the invariant hold we can modify the feedback and output function of N to account for the modified tate value t α. That i, the feedback function we ue i uch that f(x) = f(tp,α(x)), and becaue T p,α = Tp,α, we have f(x) = f(t p,α (x)). The following theorem applie thi idea more formally. Theorem 3. Let N be an n-bit NFSR, with feedback function f i (x) = x i+ g i (x), and an output function z(x). Let p = x I be a product term uch that Contraint and 2 above hold. If N i an n-bit NFSR, with feedback function f i (x) and an output function z(x) defined a follow: x α g α (T p,α (x)) p (x) i = α f i (x) = f α (T p,α (x)) p(x) i = α f i (T p,α (x)) Otherwie z(x) = z(t p,α (x)) then N and N are equivalent. Proof. We firt how that the invariant hold, i.e. that if t t+ = T p,α ( t+ ). For i α, i α we have: = T p,α ( t ) then t+ i = f i ( t ) = f i (T p,α ( t )) = f i ( t ) = t+ i

9 9 For tate bit α we have: t+ α = f α ( t ) = t α g α (T p,α ( t )) p ( t ) = t α p ( t ) g α (T p,α ( t )) p ( t ) = t α g α (T p,α ( t )) = t α g α ( t ) = t+ α Finally, for tate bit α: t+ α = f α ( t ) = f α (T p,α ( t )) p( t ) = f α ( t ) p( t ) = f α ( t ) p ( t+ ) = f α ( t ) p ( t+ ) Thu, t+ = ( t+,..., t+ n ) = ( t+,..., t+ α, t+ α p ( t+ ), t+ α+,..., t+ n ) = T p,α ( t+ ) By induction on t we how that if = T p,α ( ) than for all t t = T p,α ( t ) hence we have z( t ) = z(t p,α ( t )) = z( t ) and the output equence of N and N are identical. 3.3 Generalied Tranformation We now want to remove Contraint 2. When we remove the contraint, we can no longer claim that hifting the product term only introduce a one round delay. That i, we no longer have p( t ) = p ( t+ ). Conequently, to preerve the invariant we need to update f α. The fix, baically, revere the feedback function of the input of p. Thi fix i formalied in Theorem 4. Theorem 4. Let N be an n-bit NFSR, with feedback function f i (x) = x i+ g i (x), and an output function z(x). Let p = x I be a product term uch that α + I. If N i an n-bit NFSR, with feedback function fi (x) and an output function z(x) defined a follow: x α g α (T p,α (x)) p (x) i = α f i (x) = f α (T p,α (x)) p ( f (x),..., f α (x),, f α+ (x),..., f n (x)) i = α f i (T p,α (x)) Otherwie z(x) = z(t p,α (x)) then N and N are equivalent. Proof. We note that the only difference from Theorem 3 i the definition of f α, which only affect tate bit α. For thi bit we now have: t+ α = f α ( t ) = f α (T p,α ( t )) p ( f ( t ),..., f α ( t ),, f α+ ( t ),..., f n ( t )) = f α ( t ) p ( t+,..., t+ α,, t+ α+,..., t+ n )

10 Output and becaue α dep(p ), we have t+ α = f α ( t ) p ( t+ ) = t+ α p ( t+ ). The ret of the proof i the ame a the proof of Theorem Dicuion We can compare our work to previouly uggeted tranformation baed on two different criteria: the allowed combination of input and output of the product term that can be hifted and the other contraint on the hift. On the firt criterion, we ee that the work of Dubrova [] and it extenion [2] are limited to only move product term that have input below τ and output above τ. The pace of poible hift i depicted in Figure 3. The diagram diplay the poible input in the X axi and poible output in the Y axi, with a rectangular area correponding to thee hift. Input... τ... n- fn-... Dubrova [2] fτ fτ-... Lin [24] Our work and Dubrova [5] f Fig. 3: The condition to apply different method of tranformation on NFSR In Lin [23] the feedback function of bit i depend only on tate bit below i. Thi et of combination i a uperet of the poible combination in Dubrova []. Thi et cover all the area above the main diagonal in Figure 3. Dubrova [4] and our work increae the poible combination. Both work can hift product term from bit α a long a the product term do not depend on bit α +. The reaon we cannot hift product term from bit α if they depend on bit α + i that uch hift are not generally invertible. A Dubrova [4] note, uch product term are not common in cryptography becaue the ue of non-invertible function may reult in a lo of entropy [2].

11 On the econd criterion, we have already mentioned that Dubrova [4] impoe the ame contraint a our Theorem 2. Thee contraint alo apply implicitly to uniform NFSR [, 2]. A dicued above, when all of the contraint are impoed, the only change required for equivalence are in the feedback function of the bit the product term i hifted from and the bit the product term i hifted to. By adjuting the initial tate, we can guarantee equivalence of the output equence. The tranformation of Lin [23] doe not impoe our Contraint 3. Conequently, it reult in change in feedback function that depend on the original output of the hifted product term. The order of applying the tranformation implie our Contraint 2 and the implied ue of the output function z(x) = x implie our Contraint 4. Thu, our work i the firt to apply NFSR tranformation without Contraint 2 and 4. Another contraint implicit in all prior work i that they all hift product term that exit in the ANF of the feedback function. Our tranformation doe not impoe thi contraint. Naturally, hifting a product term from a feedback function it doe not exit in will add the product term to that feedback function, increaing it complexity. However, a we how below the complexity of the feedback function ha little implication on the gue-and-determine attack we ue. 4 Tranforming NFSR to Improve Gue-and-Determine Attack Dubrova [4] peculate that NFSR tranformation may be ueful for cryptanalyi, however, thi peculation i not ubtantiated and exploring thi i left for future work. In thi ection we how an example of how tranforming an NFSR can facilitate gue-and-determine attack. We firt introduce gue-anddetermine attack, with focu on attack in the context of NFSR-baed tream cipher and how how to apply the attack to a toy NFSR. We then explain how reducing the complexity of the output function facilitate gue-and-determine attack, and how how tranforming the toy NFSR can be reduce the complexity of the output function and with it the complexity of the attack. 4. The Gue-and-Determine Attack A gue-and-determine attack i a type of known plaintext attack that ha been uccefully employed againt tream cipher [9, 5, 7, 9, 2, 29, 3]. In a known plaintext attack model the adverary ha acce to both the plaintext and it encrypted ciphertext and, conequently, the adverary can recover the ecret keytream ued for encrypting the known plaintext to the known ciphertext. The central idea of a gue-and-determine attack i to part of the internal tate of a cipher and ubequently ue the known keytream bit to determine the remaining tate.

12 2 When applied to NFSR-baed tream cipher, the attack firt guee the value of tate bit in the dependence et of the output function. It then eliminate guee that are inconitent with the (known) output bit. Thi gue and elimination tep can be viewed a gueing ome tate bit and uing the output function to determine the value of other. If there are remaining guee, the attack ue the NFSR feedback function to propagate the previouly gueed bit and repeat with a gue of the next round. If there are no remaining guee at a round, the attack backtrack to the previou round and trie another gue. If, at ome tage, all of the tate bit are gueed, the attack run the NFSR for everal round to enure it i conitent with the known output tream. Thi general attack methodology i illutrated in algorithm. Input : An n-bit keytream equence, the output function and feedback function of the cipher Output: Internal tate Initialie the ytem of Boolean function baed on the output function and feedback function; i ; while Sytem of boolean function i not recovered do Gue value of unknown variable in the dependent et of the output function in the i-th round; Ue the i-th bit of the keytream to determine variable() in the dependence et of the output function; if the ytem of Boolean function i olved then return the information from the i-th round to determine the value of key bit end ele if the Boolean function ytem i conitent then i i + ; Move to the next round; end ele Reject the wrong gue, and move to the next gue; if all guee are exhauted and there i no correct gue then i i Move to the previou round; end end end Algorithm : Gue-and-Determine Attack Generally, a the attack progree, information from ome of the previouly gueed bit will propagate to tate bit in the dependence et of the output function, reducing the number of bit to be gueed in future round. For example, if the output function depend on x i and x i+2, and auming trivial feedback

13 function for tate bit i and i+, a gue of t i+2 would propagate in two round to t+2 i, hence there would be no need to gue the latter. When the output function i non-linear, the amount of reduction in the number of bit to gue may depend on the value of previouly gueed bit. For example, if the ANF of the output function contain the product term x i x j, and at round t the adverary ha a gue for t i, the gueed value will determine whether t j need to be gueed. If t i =, the product term evaluate to irrepective of the value of t j. There i, therefore, no need to gue the latter. If, however, t i =, the value of the product term depend on t j, which need to be gueed. Similarly, when the a feedback function i not linear, it may ometime be poible to ue it to propagate guee even if not all of it input are known Attack Example A an illutrative example we now conider a toy 6-bit NFSR N with the following feedback function: f 5 (x) = x x x 2 x x 2 f 4 (x) = x 5 f 3 (x) = x 4 f 2 (x) = x 3 f (x) = x 2 f (x) = x which ha a period of 63 [3]. The output function we ue i z(x) = x x x 2 x 3 x 4 x 5 A brute force attack on the cipher ha to gue each poible combination of the initial tate of the cipher, reulting in a earch pace of ize 2 6. To perform a gue-and-determine attack on N, we gue the initial tate of bit to 4, i.e.,..., 4. Uing the output function and the firt output bit, we can now determine the value of 5 and recover the initial tate with an attack complexity of 2 5. Figure 4 illutrate thi attack. 4.3 Improving the Gue-and-Determine Attack When we examine the gue-and-determine attack above, we can ee that we ue one bit of information from the output equence. By uing thi bit we can reduce the attack complexity by one bit. To do better we will need to ue more bit from the output equence, and for that we need to be able to gue le than five bit in the firt round and till be able to ue the firt output bit to determine part of the tate.

14 4 bit round t d g g g g g 2 nd d Gueed in thi round Unknown Determined by output function Determined by feedback function From previou round Fig. 4: The gue-and-determine attack on NFSR N One way to achieve thi i to rely on the non-linearity of the output function. For the pecific example of N, we note that if we gue 2 =, there i no need to gue 3. We can ue,, 2, 4 and the output bit to determine 5. Not gueing 3 mean that we cannot propagate it value the econd round, hence we will not have the value 2, but we will have the value of all of the other tate bit. If 3 =, we can ue the next output bit to determine the value of 2 and complete the attack. Otherwie, we note that =, hence 2 5 doe not depend on 2 and we can move to the next round. In the next round we till mi the value of the lat bit 2, which we can determine from the output bit. Thee cenario are illutrated in Figure 5. In ummary, in half of the cae, when we gue 2 =, we need to gue 5 bit and in the other half, when 2 = we only need to gue 4 bit. Thi give a total of 24 cae to earch and the attack complexity i Reducing the Complexity of the Output Function Another way of reducing the number of tate bit we need to gue in each round i to reduce the cardinality of the dependence et of the output function. To be able to ue the output function to determine tate bit value, we need to gue the value of all but one of the input of the output function. Reducing the cardinality of the output function reduce the number of bit we need to gue each round and ha the potential of increaing the number of output bit we can ue. The main contribution of thi paper i howing how tranforming the NFSR can reduce the attack complexity by reducing the cardinality of the dependence et of the output function. Suppoe that the output function can be expreed a z(x) = x a x a+i z (x), uch that a dep(z ), a + i dep(z ) and i >. We want to eliminate x a from the output function. We note that if we hift the product term p = x a+ from f a+i to f a+i, we get a new output function z(x) = z(t xa+,a+i(x)) = x a (x a+i x a ) z (x) = x a+i z (x). Note that becaue a + i dep(z ), the tranform doe not modify z. While thi approach reduce the cardinality of the output function, it may complicate the feedback function. In particular, for the cae of Fibonacci NF-

15 5 bit bit round t d u g g t d u g g 2 nd d g 2 nd u d u (A) Gueed in thi round Unknown 3 rd 2 d g (B) Determined by output function Determined by feedback function From previou round Fig. 5: Improved attack on NFSR N. (A) when 2 = and 3 =. (B) when 2 = and 3 =

16 6 SR, uch a tranformation introduce two non-trivial feedback function at f a+i and f a+i that reduce the amount of tate propagation we can ue. Hence, tranforming the NFSR preent a balancing act between the complexity of the feedback function and the cardinality of the dependence et of the output function. Depending on the tructure of the original NFSR, we can ue two heuritic to reduce the effect of the tranformation on the tructure of the feedback function. Auming a Fibonacci NFSR, when a + i i cloe to n, we ue multiple hift to hift x n i from f n to f a+i. uch a hift will only reult in one non-trivial feedback function at f a+i. Furthermore, if we have a < b < a + i, uch that z(x) = x a x b x a+i x b+i z (x) () and a, b, a + i, b + i dep(z ), hifting x n i from f n to f a+i would eliminate both x a and x b from the output function, while only introducing one non-trivial feedback function at f a+i. 4.5 Attacking a Tranformed NFSR Oberving N we note that there i a combination of four product term in the output function which atifie the criteria outlined in Equation. Therefore, we hift the product term x 2 from the bit 5 to the bit 4, and then to the bit 3 to produce the following equivalent Galoi NFSR N 2 : f 5 (x) = x x x x 2 f 4 (x) = x 5 f 3 (x) = x 4 x f 2 (x) = x 3 f (x) = x 2 f (x) = x with a tranformed output function we ue i z(x) = x 2 x 3 x 4 x 5 Now we perform the gue-and-determine attack on N 2. In the firt round we gue bit 2, 3 and 4 and ue the output function to determine 5. We now propagate the known tate we know the value of, 2 and 4. However, becaue the feedback function f 3 i not trivial we do not know 3, o we gue it, and can ue the econd output bit to determine 5. We now have guee for 3 and 4 combining thee with 3 = f 3 ( ) = 4 allow u to determine. If 2 =, we can ue with 5 = f 5 ( ) = 2 = = to determine. Thi recover the complete initial tate. Thi cae i diplayed in Figure 6 (A).

17 7 If 2 = (Figure 6 (B)), we can reduce f 5 ( ) = 2 = =. Becaue i determined via f 3, it i independent of 5. Hence there i a 5% chance that the ytem i inconitent, with 5. When the ytem i conitent, we propagate the data we have to 2, gue 2 3 and determine 2 5 and we have the complete tate. bit bit round t d g g u u t d g g u u 2 nd d g d d 2 nd u d d g u 3 rd 2 d d g (A) (B) Gueed in thi round Unknown Determined by output function Determined by feedback function From previou round Fig. 6: Gue-and-determine attack on NFSR N 2. (A) 2 =, (B) 2 = To um up, we gue four bit for the firt two round. In 3/4 of the cae we can completely determine the internal tate. For the other /4 we need an additional gue. Hence, the attack complexity i = 2 = Admittedly, thi i a very mall improvement over the attack on the original NFSR. However, thi i a toy example. A we hall now ee, for larger NFSR the improvement can be much more ignificant.

18 8 5 A Gue-and-Determine Attack on the Sprout Stream Cipher So far we have demontrated that NFSR tranformation can improve gueand-determine attack only in a very limited cenario. We now how that the technique alo work for real cipher. In thi ection we decribe an attack on the Sprout cipher [3]. We tart with a decription of the cipher, proceed with a decription of a tranformation that reduce the cardinality of the output function and implement a gue-anddetermine attack on the cipher. 5. Decription of Sprout Stream Cipher k k... k79 Round key function * kt g Counter f NFSR LFSR Output Zt Fig. 7: Sprout cipher Sprout [3] i a Grain-family tream cipher, which i inpired by Grain-28a [2]. It internal tate conit of a 4-bit LFSR l, a 4-bit Fibonacci NFSR n and a 7-bit counter c. The counter elect key bit that are fed together with counter bit c t 4 to the feedback function of the NFSR. Sprout ue an 8 bit key and a 7 bit initialiation vector (IV). To decribe the cipher We adopt a notation imilar to that of Lallemand and Naya-Plaencia [22]: t: clock-cycle number.

19 9 l t i the ith tate of the LFSR at clock t. n t i the ith tate of the NFSR at clock t. k = (k, k,..., k 79 ) the key bit. IV = (IV, IV,..., IV 69 ) initialiation vector. k t t round key bit generated at clock t. z t keytream bit generated at clock t. c t the value of the counter at clock t. The LFSR ue the following feedback function: l t+ 39 = l t l t 5 l t 5 l t 2 l t 25 l t 34 The NFSR ue the following feedback function: n t+ 39 =k t l t c t n t n t 3 n t 9 n t 35 n t 39 n t 2n t 25 n t 3n t 5 n t 7n t 8 n t 4n t 2 n t 6n t 8 n t 22n t 24 n t 26n t 32 n t 33n t 36n t 37n t 38 n t n t n t 2 n t 27n t 3n t 3 where k t i defined a: { kt k = t t 79 (k t mod 8 )(l4 t l2 t l37 t n t 9 n t 2 n t 29) t 8 The output function i: z t = n t 4l t 6 l t 8l t l t 32l t 7 l t 9l t 23 n t 4n t 38l t 32 l t 3 n t n t 6 n t 5 n t 7 n t 23 n t 28 n t 34 When the cipher tart, the NFSR and the LFSR are initialied from the IV uing the following formula: n i = IV i, i 39, li = IV i+4, i 29, and li =, 3 i 38, l39 =. The cipher then execute 32 initialiation round, in which rather than producing output, z t i fed back into the feedback function of the LFSR and the NFSR to update internal tate. 5.2 Tranformation of Sprout Cipher We oberve that the four linear product term n 7, n 23, n 28, n 34 of the output function meet the requirement of Equation, with a = 7, b = 23 and i =. We, therefore apply the tranformation uggeted above by hifting p = x n i = x 29 from f 39 to f 27. We note that x 29 i not in the ANF of the feedback function. Conequently, moving it from the feedback function will add the product term, making the function lightly more complex. Furthermore, for each hift we execute, we might have to update the feedback function a decribed in Theorem 4. The reulting

20 2 feedback function i: n t+ 39 =k t l t c t n t n t 3 n t 7 n t 8 n t 9 n t 24 n t 28 n t 29 n t 35 n t 39 n t 2n t 25 n t 3n t 5 n t 7n t 8 n t 4n t 2 n t 6n t 8 n t 22n t 24 n t 26(n t 32 n t 2) (n t 33 n t 22)(n t 36 n t 25)(n t 37 n t 26)(n t 38 n t 27) n t n t n t 2 n t 27(n t 3 n t 9)(n t 3 n t 2) n t+ 27 =n t 28 n t 7 We alo note that kt depend on ome internal tate that i modified by the tranform hence we need to update it to: { kt k = t t 79 (k t mod 8 )(l4 t l2 t l37 t n t 9 n t 8 n t 2 n t 29) t 8 Finally, the output function depend on n 38. Conequently, while the tranformation remove n 7 and n 23 from the output function, it alo add a dependency on n 27. Thu the cardinality of the output function i only reduced by. The new output function i: z t = n t 4l t 6 l t 8l t l t 32l t 7 l t 9l t 23 n t 4l t 32(n t 38 n t 27) l t 3 n t n t 6 n t 5 n t 28 n t 34 For initialiation, we apply the hift tate tranformation of Definition to initialie the 4-bit NFSR of the tranformed Sprout by: (IV, IV,..., IV 27, IV 28 IV 6, IV 29 IV 7,..., IV 39 IV 28 ) 5.3 Implementation of Gue-and-Determine Attack on the Sprout In each of the firt 8 round, we ue one keytream bit to determine one bit in the internal tate. In the firt round, we gue 5 bit (8 from the LFSR and 7 from the NFSR), and determine one bit by the output function (ee Figure 8. For implicity, we do not preent the tatu of the LFSR in the diagram. In the econd round, we again gue 5 bit and determine one (Figure 9). Additionally, becaue we know both n 27 and n 28 we can ue the feedback function of n 27 to determine n 7 = n 6. From the third round forward, the tate propagation provide u with ome guee to the dependence et of the output function. Conequently, we only need to gue 9 bit (4 LFSR and 5 NFSR) in the third round. (Figure.) The number of bit we gue keep decreaing we only need to gue 8, 6, 6, 5 and 3 bit for the fourth, fifth, ixth, eventh and eighth round, repectively. Thee are hown in Figure 5. During thee round, we continue to ue the feedback function of n 27 to determine n 7. For the ninth round we know all but four of the input of the output function, o we need to gue three to determine the fourth. We gue two additional tate bit in the NFSR (ee Figure 6) to increae the number of NFSR bit we know.

21 2 473 g g 478 d g g g g g 484 Determined by output function Unknown Gueed in thi round Fig. 8: The t round of gue-and-determine attack on Sprout d g g g 479 d g g g g Determined by output function Determined by feedback function Unknown Gueed in thi round From previou round Fig. 9: The 2nd round of gue-and-determine attack on Sprout d g g g d g g Determined by output function Determined by feedback function Unknown Gueed in thi round From previou round Fig. : The 3rd round of gue-and-determine attack on Sprout d g g d g g Determined by output function Determined by feedback function Unknown Gueed in thi round From previou round Fig. : The 4th round of gue-and-determine attack on Sprout d g g d g Determined by output function Determined by feedback function Unknown Gueed in thi round From previou round Fig. 2: The 5th round of gue-and-determine attack on Sprout d g g d g Determined by output function Determined by feedback function Unknown Gueed in thi round From previou round Fig. 3: The 6th round of gue-and-determine attack on Sprout

22 d g g d Determined by output function Determined by feedback function Unknown Gueed in thi round From previou round Fig. 4: The 7th round of gue-and-determine attack on Sprout d g g d Determined by output function Determined by feedback function Unknown Gueed in thi round From previou round Fig. 5: The 8th round of gue-and-determine attack on Sprout At thi tage mot of the tate ha been gueed and we can tart exploiting the non-linear term of the output function to determine ome more bit and to reject inconitent tate. (See Section 4.3.) If we are able to determine all of the tate bit, we are done. Otherwie we need to gue an additional bit and repeat the attempt to complete the tate d g g d g g Determined by output function Determined by feedback function Unknown Gueed in thi round From previou round Additional guee Fig. 6: The 9th round of gue-and-determine attack on Sprout Once the internal tate i recovered we follow the technique of Lallemand and Naya-Plaencia [22] to recover the key. Each round there i a 5% probability of having a key bit in the feedback function. Hence, by running the cipher for 6 round we expect to have 6 of the key bit affecting at leat one of thee

23 23 6 round. We need to run the cipher for four more round for the key bit to affect the output function. Hence after 64 round we can expect to recover 6 key bit. We can then brute force the remaining 2 bit. To etimate the complexity of the attack, we ran,, intance of the lat 3 round and counted the number of guee in each. More pecifically, for each of the,, intance we choe a random key, a random IV and a random gue of 59 bit gueed in for firt ix round of the attack. We then count the number of guee we make for round 7 to 9. The average number of guee we make i = For the firt ix round we need to gue a total of 59 bit. Hence, the attack complexity i = Thi compare favourably with the attack of Lallemand and Naya-Plaencia [22] and Banik [5] which require and 2 75 guee, repectively. The attack i ignificantly lower than the TMD attack of Egin and Kara [6], however, our attack ha modet memory requirement wherea their attack require over 77 terabyte of memory. 6 Concluion In thi paper we how that tranformation of NFSR from the Fibonacci configuration to the Galoi configuration can ait cryptanalyi. To demontrate thi, we generalie and extend pat work on NFSR tranformation. We dicu the condition under which uch tranformation can facilitate cryptanalytic attack and demontrate the ue of the technique to cryptanalye the Sprout cipher. Our gue-and-determine attack i fater than all previouly publihed non-tmd attack on Sprout. Our technique eentially hift complexity from the output function to the feedback function of the NFSR. While we are able to demontrate improvement in cryptanalyi, further work i required for better undertanding the trade-off in NFSR tranformation. Such undertanding i alo likely to help in deigning more ecure NFSR.

24 Bibliography [] Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner, and Mathieu David. Cryptanalyi of the light-weight cipher A2U2. In Proceeding of the 3th IMA International Conference on Cryptography and Coding (IMACC), page , Oxford, UK, December 2. [2] Martin Ågren, Martin Hell, Thoma Johanon, and Willi Meier. Grain- 28a: a new verion of Grain-28 with optional authentication. International Journal of Wirele and Mobile Computing, 5():48 59, December 2. [3] Frederik Armknecht and Vaily Mikhalev. On lightweight tream cipher with horter internal tate. In Proceeding of the 22nd International Workhop on Fat Software Encryption (FSE), page 45 47, Itanbul, Turkey, mar 25. [4] S. H. Babbage. Improved exhautive earch attack on tream cipher. In European Convention on Security and Detection, page 6 66, Brighton, UK, May 995. [5] Subhadeep Banik. Some reult on Sprout. Cryptology eprint Archive Report 25/327, April 25. [6] Elad Barkan, Eli Biham, and Adi Shamir. Rigorou bound on cryptanalytic time/memory tradeoff. In Advance in Cryptology Crypto 26, page 2, Santa Barbara, CA, US, aug 26. [7] Alex Biryukov and Adi Shamir. Cryptanalytic time/memory/data tradeoff for tream cipher. In Advance in Cryptology ASIACRYPT 2, page 3, Kyoto, Japan, December 2. [8] Alex Biryukov, Adi Shamir, and David Wagner. Real time cryptanalyi of A5/ on a PC. In Fat Software Encryption, page 8, New York, NY, US, April 2. [9] Daniel Bleichenbacher and Sarvar Patel. SOBER cryptanalyi. In Fat Software Encryption, page 35 36, Rome, Italy, March 999. [] Nicola T. Courtoi and Willi Meier. Algebraic attack on tream cipher with linear feedback. In Advance in Cryptology EUROCRYPT 23, page , Waraw, Poland, May 23. [] Elena Dubrova. A tranformation from the Fibonacci to the Galoi NLFSR. IEEE Tranaction on Information Theory, 55(): , November 29. [2] Elena Dubrova. Finding matching initial tate for equivalent NLFSR in the Fibonacci and the Galoi configuration. IEEE Tranaction on Information Theory, 56(6): , June 2. [3] Elena Dubrova. A lit of maximum period NLFSR. Cryptology eprint Archive Report 22/66, March 22. [4] Elena Dubrova. An equivalence-preerving tranformation of hift regiter. In Sequence and Their Application, page 87 99, Melbourne, VIC, Autralia, November 24.

Codes Correcting Two Deletions

Codes Correcting Two Deletions 1 Code Correcting Two Deletion Ryan Gabry and Frederic Sala Spawar Sytem Center Univerity of California, Lo Angele ryan.gabry@navy.mil fredala@ucla.edu Abtract In thi work, we invetigate the problem of