Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity

Size: px

Start display at page:

Download "Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity"

Joshua Brooks
5 years ago
Views:

1 Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity Frederik Armknecht 1 Gwénolé Ars 2 1 Theoretische Informatik, University of Mannheim, Germany 2 IRMAR, University of Rennes, France MyCrypt, September 28th, 2005, Kuala Lumpur, Malaysia Frederik Armknecht New variant and redcuing succ. data compl. 1/22

2 Outline 1 Introduction 2 3 Frederik Armknecht New variant and redcuing succ. data compl. 2/22

3 Outline 1 Introduction 2 3 Frederik Armknecht New variant and redcuing succ. data compl. 3/22

4 c t δ Cz 1 t C 1 f 1 (z t ) Introduction General Situation F 1 z t F 1 K Alice m t Y 1 Y 2 Y 13 Message bits Insecure Channel Eve m t Bob Frederik Armknecht New variant and redcuing succ. data compl. 4/22

5 L K P C f Introduction Keystream generators K δ 1 z t 1 keystream generator 1 (z t ) keystream 1 bits z t z t 1 Alice m t c t Y 1 secret key K keystream generator z t c t m t Bob Y 2 Y 13 plaintext bits ciphertext bits Eve Frederik Armknecht New variant and redcuing succ. data compl. 5/22

6 c t Introduction Combiners with Memory C 1 z t C 1 f 1 (z t ) Fz 1 t F 1 Y 1 Y 2 Y 13 K Initialization LFSRs Memory L t K f z t δ Example (E 0 ) Bluetooth standard K : 128 bit, Memory: 4 bit Frederik Armknecht New variant and redcuing succ. data compl. 6/22

7 Algebraic Attack (Courtois, Meier, Krause, Armknecht) 1 Set up system of equations (depends on cipher) F(L K, z 1,..., z r ) = 0 F(L 2 K, z 2,..., z r+1 ) = Solve it (Linearization) Successive data complexity (SDC): r (= # succ. z i in eq.) Frederik Armknecht New variant and redcuing succ. data compl. 7/22

8 Attack effort Table: Algebraic attacks Deg(F) SDC Data Space Time general d r r + O( K d ) O(r K d ) O( K 2d ) O( K 3d ) E Frederik Armknecht New variant and redcuing succ. data compl. 8/22

9 Fast Algebraic Attack (Courtois) Reduce the degree in precomputation step: 9 8 L F(L K, z 1,..., z r ) = 0 Ri=1 λ i F(L i K, z i,..., z i+r ) = 0 >= >< F(L 2 L K, z 2,..., z r+1 ) = 0 Ri=1 λ i F(L 1+i K, z 1+i,..., z 1+i+r ) = 0 >;. >:. Degree: Successive data complexity: e < d R + r r Frederik Armknecht New variant and redcuing succ. data compl. 9/22

10 Attack effort Table: Algebraic Attacks Deg(F) SDC Data Space Time general d r O(r + K d )... O(r K d ) O( K 2d ) O( K 3d ) E Table: Fast Algebraic Attacks Deg(F) SDC Data Space Time general e R + r O(R + r + K d )... O((R + r) K d ) O( K 2e ) O( K 3e ) E Frederik Armknecht New variant and redcuing succ. data compl. 10/22

11 Our contributions Reduce successive data complexity R to the minimum Introduce divide-and-conquer Efficient algorithms Uses special representation of Boolean functions: F 2 [x 1,..., x n ] F[y 1,..., y n ], F 2 F Frederik Armknecht New variant and redcuing succ. data compl. 11/22

12 Outline 1 Introduction 2 3 Frederik Armknecht New variant and redcuing succ. data compl. 12/22

13 Idea behind Fast Algebraic Attacks Condition: F(L t K, z t,...) }{{} deg=d = G(L t K ) }{{} deg=d Task: Find λ 1,..., λ R {0, 1} s. t. H(L t K, z t,...) }{{} deg=e<d R λ i G(L t+i K ) = 0 i=1 t Then: R λ i F(L t+i K, z t+i,...) = 0 has degree e i=1 t Frederik Armknecht New variant and redcuing succ. data compl. 13/22

14 δ C 1 Computing λ 1,.. C. 1, λ R Reducing degree z t f 1 (z t ) F 1 z t F 1 K Y 1 F, L Y 2 Berlekamp Y 13 Massey with R min. New representation of λ 1,..., λ R Frederik Armknecht New variant and redcuing succ. data compl. 14/22

15 Minimizing R Condition: F(L t K, z t,...) }{{} deg=d = G(L t K ) }{{} deg=d Task: Find λ 1,..., λ R {0, 1} s. t. H(L t K, z t,...) }{{} deg=e<d R λ i G(L t+i K ) = 0 i=1 t Then: R λ i F(L t+i K, z t+i,...) = 0 has degree e i=1 t Frederik Armknecht New variant and redcuing succ. data compl. 15/22

16 Minimizing R Condition: F(L t K, z t,...) }{{} deg=d = G(L t K ) }{{} deg=d Task: Find λ 1,..., λ R {0, 1} s. t. H(L t K, z t,...) }{{} deg=e<d R λ i G(L t+i K ) has degree e i=1 t Then: R λ i F(L t+i K, z t+i,...) = 0 has degree e i=1 t Frederik Armknecht New variant and redcuing succ. data compl. 15/22

17 δ C 1 Computing λ 1,... z, t λ R with R min. Reducing degree C 1 f 1 (z t ) F 1 z t F 1 K Y 1 Y 2 Y 13 Berlekamp Massey F, L New representation of λ 1,..., λ R with R min. Frederik Armknecht New variant and redcuing succ. data compl. 16/22

18 Introduction δ Cz 1 t C 1 Computing λ 1,..., λ R with R min. f 1 (z t ) Fz 1 t Reducing degree F 1 K Y 1 Y 2 Y 13 Berlekamp Massey F, L New representation of F, L λ 1,..., λ R with R min. Frederik Armknecht New variant and redcuing succ. data compl. 16/22

19 Introduction δ Cz 1 t C 1 Computing λ 1,..., λ R with R min. f 1 (z t ) Fz 1 t Reducing degree F 1 K F, L Y 1 Y 2 easy& Y efficient 13 method New representation of F, L λ 1,..., λ R with R min. Frederik Armknecht New variant and redcuing succ. data compl. 16/22

20 Attack effort Table: Algebraic Attacks Deg(F) SDC Data Space Time general d r O(r + K d )... O(r K d ) O( K 2d ) O( K 3d ) E Table: Fast Algebraic Attacks Deg(F) SDC Data Space Time general e R + r O(R + r + K d )... O((R + r) K d ) O( K 2e ) O( K 3e ) E 0 3 8,822, E 0 3 8,496, Frederik Armknecht New variant and redcuing succ. data compl. 17/22

21 Divide-and-conquer Condition: F(L t K, z t,...) = G(L t K ) }{{}}{{} LFSRs 1,...,m LFSRs 1,...,m Task: Find λ 1,..., λ R {0, 1} s. t. H(L t K, z t,...) }{{} LFSRs 2,...,m R λ i G(L t+i K ) = 0 i=1 t Then: R λ i F(L t+i K, z t+i,...) = 0 indep. of LFSR 1 i=1 t Frederik Armknecht New variant and redcuing succ. data compl. 18/22

22 Introduction δ Cz 1 t C 1 Computing λ 1,..., λ R with R min. f 1 (z t ) Fz 1 t Divide-and-conquer F 1 K F, L Y 1 Y 2 easy& Y efficient 13 method New representation of F, L λ 1,..., λ R with R min. Frederik Armknecht New variant and redcuing succ. data compl. 19/22

23 Outline 1 Introduction 2 3 Frederik Armknecht New variant and redcuing succ. data compl. 20/22

24 Summary New methods to compute λ 1,..., λ R Adapted to minimize R Allow divide-and-conquer attacks Methods easy and efficient Frederik Armknecht New variant and redcuing succ. data compl. 21/22

25 Final remarks Complicated mathematics only needed for proof of correctness No further improvements possible New directions? Frederik Armknecht New variant and redcuing succ. data compl. 22/22

A survey of algebraic attacks against stream ciphers

A survey of algebraic attacks against stream ciphers Frederik Armknecht NEC Europe Ltd. Network Laboratories frederik.armknecht@netlab.nec.de Special semester on Gröbner bases and related methods, May