Cryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE
Outline 1 Achterbahn 2 Tools used in our cryptanalysis 3 Cryptanalysis of Achterbahn-128/80
Achterbahn [Gammel-Göttfert-Kniffler05]... f keystream NLFSR 1 NLFSR 2 NLFSR N Achterbahn version 1, version 2, 128-80. version 1 cryptanalysed by Johansson, Meier, Muller. version 2 cryptanalysed by Hell, Johansson. 1/23
Achterbahn-128/80 (July 2006) Achterbahn-128: key size = 128 bits 13 primitive NLFSRs of length L i = 21 + i, 0 i 12 Least significant bit of each NLFSR forced to 1 at the initialization process. Boolean combining function F : balanced correlation immunity order = 8 Inputs of F shifted outputs of NLFSRs. Keystream length limited to 2 63. 2/23
Achterbahn-128/80 (July 2006) Achterbahn-80: key size = 80 bits 11 primitive NLFSRs of length L i = 21 + i, 1 i 11 Least significant bit of each NLFSR forced to 1 at the initialization process. Boolean function G(x 1,..., x 11 ) = F (0, x 1,..., x 11, 0): balanced correlation immunity order = 6 Inputs of G shifted outputs of NLFSRs. Keystream length limited to 2 63. 3/23
Tools used in our cryptanalysis Parity checks Exhaustive search for the internal states of some registers Decimation by the period of a register Linear approximations Speeding up the exhaustive search 4/23
Parity checks Let (s 1 (t)) t 0,..., (s n (t)) t 0 be n sequences of periods T 1,..., T n, and t 0, S(t) = n i=1 s i(t). Then, for all t 0, τ T 1,...,T n S(t + τ) = 0, T 1,..., T n : set of all 2 n possible sums of T 1,..., T n. Example: (s 1 (t)), (s 2 (t)) with periods T 1 and T 2 S(t) + S(t + T 1 ) + S(t + T 2 ) + S(t + T 1 + T 2 ) = 0 5/23
Cryptanalysis with parity checks Linear approximation l(t) = m j=1 x i j (t) where: Pr[S(t) = l(t)] = 1 (1 + ε) 2 Parity check: τ T i1,...,t i m l(t + τ) = 0 Pr S(t + τ) = 0 1 ( 1 + ε 2 m ) 2 τ T i1,...,t i m 6/23
Exhaustive search over some registers Exhaustive search for the initial states of m registers Pr S(t) = m j=1 x ij (t) + m j=m +1 x ij (t) = 1 (1 + ε). 2 Pr The parity check has 2 m m terms and satisfies: τ T im +1,...,T i m S(t + τ) + m j=1 x ij (t + τ) = 0 = 1 2 (1 + ε 2m m ) 7/23
Required keystream length m j=1 Decoding problem = 2 (L i j 1) sequences of length N transmitted through a binary symmetric channel of capacity C(p) = C ( ) 1 m m (1 + ε2 ) (ε2m m ) 2 2 2 ln 2 N m j=1 (L i j 1) C(p) 2 ln 2 m j=1 (L i j 1) (ε 2m m ) 2 Keystream bits needed: (ε 2m m ) 2 2 ln 2 (L ij 1) + m m T ij j=1 i=m +1 8/23
Decimation [Hell-Johansson06] Parity check: pc(t) = S(t + τ) + m x ij (t + τ) τ T im +1,...,T i m j=1 Decimate by the periods of p linear terms i 1,..., i p : pc p (t) = pc(tt i1... T ip ) Exhaustive search for the remaining (m p) terms 9/23
Complexity Keystream bits needed: (ε 2m m ) 2 2 ln 2 m j=p+1 (L ij 1) 2 p j=1 L i j + m j=m +1 2 L i j Time complexity: (ε 2m m ) 2 2 ln 2 m j=p+1 m j=p+1 (L ij 1) 2 (L i j 1) 10/23
Cryptanalysis of Achterbahn-80 We use a linear approximation: as G has correlation immunity order 6, the best approximation by a 7-variable function is affine [Canteaut-Trabia00] We use the following one: g 2 (x 1,..., x 10 ) = x 1 +x 3 +x 4 +x 5 +x 6 +x 7 +x 10 with ε = 2 3. 11/23
Cryptanalysis of Achterbahn-80 Linear approximation: g 2 (x 1,..., x 10 ) = (x 4 +x 7 )+(x 5 +x 6 )+x 1 +x 3 +x 10 with ε = 2 3. Parity check: ll(t) = l(t) + l(t + T 4 T 7 ) + l(t + T 6 T 5 ) + l(t + T 4 T 7 + T 6 T 5 ) Decimate by the period of the register 10. Exhaustive search over registers 1 and 3. 12/23
Cryptanalysis of Achterbahn-80 Keystream bits needed: (ε 4 ) 2 2 ln 2 (L 1 +L 3 2) 2 L 10 +2 L 4+L 7 +2 L 5+L 6 = 2 61 bits. Time complexity: (ε 4 ) 2 2 ln 2 (L 1 +L 3 2) 2 L1 1 2 L3 1 = 2 74 operations. Time complexity can be reduced: final complexity 2 61. We recover the initial states of registers 1 and 3. 13/23
Cryptanalysis of Achterbahn-128 Linear approximation: l(x 0,..., x 12 ) = (x 0 +x 3 +x 7 )+(x 4 +x 10 )+(x 8 +x 9 )+x 1 +x 2 with ε = 2 3. Parity check: lll(t) = τ T 0,3,7,T 4,10,T 8,9 l(t + τ), where T 0,3,7 = lcm(t 0, T 3, T 7 ) Exhaustive search over registers 1 and 2 we can reduce this complexity making profit of the independence of the registers 14/23
Improving the exhaustive search ϕ = 2 54 2 8 1 t =0 τ T 0,3,7,T 4,10,T 8,9 (S(t ) x 1 (t ) x 2 (t )) = = T 2 1 k=0 T 2 1 k=0 2 31 +2 8 1 t=0 (σ 2 (k) 1) σ(tt 2 + k) σ 1 (tt 2 + k) σ 2 (tt 2 + k) σ 2 (k) (2 31 + 2 8 ) 2 31 +2 8 1 t=0 2 31 +2 8 1 t=0 σ(tt 2 + k) σ 1 (tt 2 + k) + σ(tt 2 + k) σ 1 (tt 2 + k) 15/23
Improving the exhaustive search for k = 0 to T 2 1 do V 2 [k] = σ 2 (k) for the all-one initial state. end for for each possible initial state of R1 do for k = 0 to T 2 1 do V 1 [k] = 2 31 +2 8 1 t=0 σ(t 2 t + k) σ 1 (T 2 t + k) end for for each [ possible initial state i of R2 do (V2 [k+imodt 2 ] 1) V 1 [k] + V 2 [k+imodt 2 ] ( 2 31 +2 8 V 1 [k] )] T2 1 k=0 if we find the bias then return the initial states of R1 and R2 end if end for end for 16/23
Reducing complexity with an FFT T 2 1 k=0 [ (V2 [k + i] 1) V 1 [k] + V 2 [k + i] ( 2 31 + 2 8 V 1 [k] )] 2 L 2 1 T 2 2 2 5 T 2 1 k=0 ( 1)V 2[k+i] ( V 1 [k] 231 +2 8 2 ) + T 2 2 31 +2 8 2 T 2 log 2 T 2 with an FFT. 17/23
Cryptanalysis of Achterbahn-128 Keystream bits needed: (ε 8 ) 2 2 ln 2 (L 1 +L 2 2)+T 0,3,7 +T 4,10 +T 8,9 < 2 61 bits. Time complexity: 2 L 1 1 [ 2 31 T 2 ( 2 4 + 31 ) + T 2 log T 2 ] +T2 2 3 = 2 80.58. 18/23
Achterbahn-128 limited to 2 56 bits The same attack as before using the linear approximation: l(x 0,..., x 12 ) = (x 3 +x 8 )+(x 1 +x 10 )+(x 2 +x 9 )+x 0 +x 4 +x 7 Improved exhaustive search over registers 0,4 and 7, considering R 0 and R 4 together. keystream bits needed< 2 56 time complexity:2 104 operations. 19/23
Achterbahn-80 limited to 2 52 bits Linear approximation: l(x 1,..., x 11 ) = (x 3 + x 7 ) + (x 4 + x 5 ) + x 1 + x 6 + x 10 With the same attack as before, we need more than 2 52 keystream bits. We can adapt the algorithm in order to reduce the data complexity. 20/23
Achterbahn-80 limited to 2 52 bits Instead of one decimated sequence of parity checks of length L, 4 decimated sequences of length L/4: S(t(T 1 ) + i) + S(t(T 1 ) + i + T 7 T 3 ) + S(t(T 1 ) + i + T 4 T 5 ) +S(t(T 1 ) + i + T 7 T 3 + T 4 T 5 ), for i {0,..., 3}. Keystream bits needed < 2 52 Time complexity: 2 67 operations. 21/23
Recovering the key From the previously recovered initial states of some registers: Meet-in-the-middle attack on the key-loading. No need to invert all the clocking steps. Additional complexity: Achterbahn-80: 2 40 in time and 2 41 in memory. Achterbahn-128: 2 73 in time and 2 48 in memory. 22/23
Conclusions Attacks complexities against all versions of Achterbahn version data complexity time complexity references v1 (80-bit) 2 32 2 55 [JMM06] v2 (80-bit) 2 64 2 67 [HJ06] v2 (80-bit) 2 52 2 53 v80 (80-bit) 2 61 2 55 v128 (128-bit) 2 60 2 80.58 23/23