Optimizing the placement of tap positions. joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei

Similar documents
arxiv: v1 [cs.it] 27 Sep 2016

Algebraic Immunity of S-boxes and Augmented Functions

Lecture 10-11: General attacks on LFSR based stream ciphers

4.3 General attacks on LFSR based stream ciphers

Fast correlation attacks on certain stream ciphers

Pseudo-Random Number Generators

Cryptanalysis of Achterbahn

Analysis of Modern Stream Ciphers

A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS

Combinatorics of p-ary Bent Functions

Sequences, DFT and Resistance against Fast Algebraic Attacks

Generalized Correlation Analysis of Vectorial Boolean Functions

Stream Ciphers: Cryptanalytic Techniques

L9: Galois Fields. Reading material

Open problems related to algebraic attacks on stream ciphers

On Stream Ciphers with Small State

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers

The LILI-128 Keystream Generator

Maiorana-McFarland class: Degree optimization and algebraic properties

Algebraic Attacks and Stream Ciphers

Time-Memory-Data Trade-Off Attack on Stream Ciphers Based on Maiorana-McFarland Functions

On The Nonlinearity of Maximum-length NFSR Feedbacks

Modified Alternating Step Generators

LILI Keystream Generator

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

3.8 MEASURE OF RUNDOMNESS:

4F5: Advanced Communications and Coding

Berlekamp-Massey decoding of RS code

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Algebraic attack on stream ciphers Master s Thesis

Computing the biases of parity-check relations

A new simple technique to attack filter generators and related ciphers

Cryptanalysis of the Stream Cipher DECIM

STREAM CIPHER. Chapter - 3

Cube Attacks on Stream Ciphers Based on Division Property

Some thoughts on Trivium

Fast Near Collision Attack on the Grain v1 Stream Cipher

Block vs. Stream cipher

Public-key Cryptography: Theory and Practice

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

New attacks on Keccak-224 and Keccak-256

Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms

Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek

A survey of algebraic attacks against stream ciphers

Key Recovery with Probabilistic Neutral Bits

Linear Feedback Shift Registers

Heriot-Watt University

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes

On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator

CRC Press has granted the following specific permissions for the electronic version of this book:

Cryptography Lecture 3. Pseudorandom generators LFSRs

Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

Classical Cryptography

Maximum Length Linear Feedback Shift Registers

ACORN: A Lightweight Authenticated Cipher (v3)

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

Cryptanalysis of the Knapsack Generator

Lecture 22: Counting

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

1 Introduction. 2 Calculation of the output signal

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

The Hash Function JH 1

University of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center

Fast Low Order Approximation of Cryptographic Functions

Perfectly Balanced Boolean Functions and Golić Conjecture

Clock-Controlled Shift Registers for Key-Stream Generation

Algebraic Attacks on Stream Ciphers with Linear Feedback

arxiv: v2 [cs.cr] 20 Mar 2015

Fast Discrete Fourier Spectra Attacks on Stream Ciphers

Algebraic Aspects of Symmetric-key Cryptography

Correcting Codes in Cryptography

New Implementations of the WG Stream Cipher

Efficient probabilistic algorithm for estimating the algebraic properties of Boolean functions for large n

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Improved Linear Cryptanalysis of SOSEMANUK

Attacks against Filter Generators Exploiting Monomial Mappings

Chapter 6 Reed-Solomon Codes. 6.1 Finite Field Algebra 6.2 Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding

Chapter 4 Mathematics of Cryptography

Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations

Modified Berlekamp-Massey algorithm for approximating the k-error linear complexity of binary sequences

2 n -Periodic Binary Sequences with Fixed k-error Linear Complexity for k = 2 or 3

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers

A Byte-Based Guess and Determine Attack on SOSEMANUK

F-FCSR: Design of a New Class of Stream Ciphers

Searching for the Optimum Correlation Attack. Ross Anderson. Computer Laboratory, Pembroke Street, Cambridge CB2 3QG rj ac.

Construction of 1-Resilient Boolean Functions with Optimal Algebraic Immunity and Good Nonlinearity

Thesis Research Notes

Lecture Notes on Cryptographic Boolean Functions

On the Security of Nonlinear Filter Generators

Cryptanalysis of Achterbahn-128/80. Maria Naya-Plasencia. INRIA-Projet CODES FRANCE

Improved Cascaded Stream Ciphers Using Feedback

On Welch-Gong Transformation Sequence Generators

Analysis of Message Injection in Stream Cipher-based Hash Functions

(Solution to Odd-Numbered Problems) Number of rounds. rounds

Transcription:

Optimizing the placement of tap positions Samir Hodžić joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei

Filtering generator Linear feedback shift register (LFSR). Nonlinear filtering function F : GF(2) n GF(2) m, whose inputs are taken from Tap positions of register. Outputs of F are keystream blocks y t = (y t 1,...,yt m).

Attacks? Different properties of Boolean function vs different attacks: Algebraic degree and resiliency vs Berlekamp Massey synthesis algorithm and Correlation attacks. Algebraic immunity vs Algebraic attacks (Fast algebraic attacks, Probabilistic algebraic attacks). Filter state guessing attack (FSGA). and others... What about tap positions, can we use these in an attack?

Filter state guessing attack (FSGA) Observe several outputs y t 1,...,y tc so that c n > L, where L is length of LFSR. Look at the preimage space S y = {x GF(2) n : F(x) = y} Given any output y tu there is 2 n m possibilities for input (x tu 1,...,xtu n ), where x tu i = L 1 j=0 atu i,j s j (linear equation) Solve linear system and check whether the solution is correct.

Regarding the preimage spaces, it may happen that and preimage space reduces... x t 1 j x t 2 k Design should prevent from finding many x t 1 j x t 2 k, xt 1 u xt 2 v

Generalized Filter state guessing attack (GFSGA) Unlike FSGA, GFSGA (Y. Wei et al. 11) utilizes the tap positions! The outputs y t 1,...,y tc may give identical equations Distance between the consecutive outputs is σ. If I 0 = {i 1,i 2,...,i n } is the set of tap positions, then r i = #I i, r i number of repeated bits per state, I i = I i 1 {I 0 {i 1 +iσ,i 2 +iσ,...,i n +iσ}}.

Satisfying nc R > L, the total number of repeated equations R: If c k: R = c 1 i=1 r i If c > k: R = k i=1 r i +(c k 1)r k, where k = in i 1 σ. Complexities of the attack in both cases: T c k Comp. = 2 (n m) 2 (n m r 1)... 2 (n m r (c 1)) L 3. T c>k Comp. = 2 (n m)... 2 (n m r k) 2 (n m r k) (c k 1) L 3. Problem: How to maximize T Comp. for any σ?

Designer/attacker rationales In the position of the attacker: Search for optimal σ that gives minimal T Comp.! Q1: What about parameters R and c in the formula T Comp. = 2 (n m)c R L 3? A1: For a given set of taps I 0 = {i 1,i 2,...,i n }, (not optimally taken?) the step σ which results in maximal R does not imply minimal complexity!

Our approach... Can we calculate R in a different way? Can we get some new information? Example: Let I 0 = {i 1,i 2,i 3,i 4,i 5 } = {1,4,8,9,11}, L = 15 and σ = 2. We adopt the notation: For easier tracking of repeated bits in LFSR states, we use the notation s k (k +1). We consider only bits on tap positions on states which differ for σ.

States i 1 i 2 i 3 i 4 i 5 s t1 s 0 1 s 3 4 s 7 8 s 8 9 s 10 11 s t2 s 2 3 s 5 6 s 9 10 s 10 11 s 12 13 s t3 s 4 5 s 7 8 s 11 12 s 12 13 s 14 15 s t4 s 6 7 s 9 10 s 13 14 s 14 15 s 16 17 s t5 s 8 9 s 11 12 s 15 16 s 16 17 s 18 19 s t6 s 10 11 s 13 14 s 17 18 s 18 19 s 20 21 s t7 s 12 13 s 15 16 s 19 20 s 20 21 s 22 23 s t8 s 14 15 s 17 18 s 21 22 s 22 23 s 24 25 s t9 s 16 17 s 19 20 s 23 24 s 24 25 s 26 27 s t10 s 18 19 s 21 22 s 25 26 s 26 27 s 28 29

Questions: When will bit from tap position i 3 repeat on i 1? Will ever repeat? If yes, in how many states? States i 1 i 2 i 3 i 4 i 5 s t 1 1 4 8 9 11 s t 2 3 6 10 11 13 s t 3 5 8 12 13 15 s t 4 7 10 14 15 17 s t 5 9 12 16 17 19 s t 6 11 14 18 19 21 s t 7 13 16 20 21 23 s t 8 15 18 22 23 25 s t 9 17 20 24 25 27 s t 10 19 22 26 27 29

We define the set of differences (from I 0 = {1,4,8,9,11}) between the consecutive tap positions as D = { d j d j = i j+1 i j, j = 1,2,3,4} = {3,4,1,2}. Regarding the non-consecutive differences, we construct the scheme of differences: Row\Columns Col. 1 Col. 2 Col. 3 Col. 4 Row 1 d 1 d 2 d 3 d 4 Row 2 d 1 +d 2 d 2 +d 3 d 3 +d 4 Row 3 d 1 +d 2 +d 3 d 2 +d 3 +d 4 Row 4 d 1 +d 2 +d 3 +d 4

In our example, the scheme of differences is given as Row\Columns Col. 1 Col. 2 Col. 3 Col. 4 Row 1 3 4 1 2 Row 2 7 5 3 Row 3 8 7 Row 4 10 Total sum of all repeated bits on all tap positions is given as n 1 R = (c 1 σ i=1 m d k ), k=i where σ m k=i d k for some m N, i m n 1.

Further analysing From the previous formula, the complexity will increase if 1. We maximize m k=i d k, and 2. Avoid the divisibility by σ in the table of differences. It turns out that: Maximizing m k=i d k means to distribute the taps over entire LFSR. Regarding the divisibility, what about prime numbers?

Which differences to choose: Suboptimal algorithms Prime numbers are still favourable (for many reasons). In many cases, we will have to choose the same differences. In general choose co-prime numbers. HOW? Permutation algorithm: Input: The set D and the numbers L, n and m. Output: The best ordering of the chosen differences, that is, an ordered set D that maximizes the complexity of the attack. Complexity of algorithm is O(K n!), where K is a constant (large)

Open problem: Find an efficient algorithm, which returns the best ordering of the set D without searching all permutations. When #D is large, we give a modified algorithm - construct D by parts: Choose a starting set (6-7 elements) in its best ordering (use previous algorithm). Chose another few elements and find a permutation which fits best to the starting set - maximized complexity. Measuring the quality: Lower value of optimal σ is a greater indicator than the complexity. By putting the parts from right to left, continue the previous steps until you obtain the set D.

Example: Let L = 160, n = 17 and m = 6. Starting set in its best ordering X = {5,13,7,26,11,17} The second set (part) is Y p = {9,1,2,23,15} in its best ordering which fits to the set X, i.e. we have Y p X = {9,1,2,23,15,5,13,7,26,11,17} The last part in its best ordering is Z p = {5,11,4,3,7} which fits to the set Y p X. Finally we get D = Z p Y p X, i.e. D = {5,11,4,3,7,9,1,2,23,15,5,13,7,26,11,17}.

Since d i = 159, we need to take the first tap to be 1, which implies the last one to be L. The set of tap positions is given by I 0 = {1,6,17,21,24,31,40,41,43,66,81,86,99,106,132,143,160}. Optimal step of the attack is σ = 1 with complexity T Comp. 2 86.97. Exhaustive search requires 2 80. In some cases we have a space to increase the number of output bits m, and still preserve the security margins.

SOBER-t32: The tap positions are given by I 0 = {1,4,11,16,17}, and we have D = {3,7,5,1}. In GFSGA article, the complexity of the attack is T D = (17 32) 3 2 266. According to the rules for choosing elements and permutation algorithm, we take D = {5,2,7,2} and we have T D = (17 32) 3 2 291.

SFINX: The set of differences is given as D = {1,5,3,10,2,23,14,16,24,7,29,27,32,34,17,11}. Estimated complexity is T Comp. = 2 256 with R = 200 and σ = 2 as an optimal step of the attack. Modified algorithm may be used to improve the existing set D. In its best orderings, we take the following parts: X = {29,32,17,34,27,11}, Y p = {2,23,14,16,24,7} and Z p = {1,5,3,10}.

Estimated complexity is T Comp. = 2 257 with R = 167, thus only a minor improvement has been achieved. We get the set D = Z p Y p X given as D = {1,5,3,10,2,23,14,7,16,24,29,32,17,34,27,11}, with the optimal steps σ {1,2} for the attack.

Thanks for your attention!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback