Time and Space Complexity Reduction of a Cryptanalysis Algorithm


Mohammad Ghasemzadeh
Electrical and Computer Engineering Department, Yazd University, Yazd, Iran. m.ghasemzadeh@yazduni.ac.ir
Received: /4/6; Accepted: /5/4. Pages: 39-46

Abstract

Binary Decision Diagram (in short BDD) is an efficient data structure which has been used widely in computer science and engineering. The BDD-based attack in key stream cryptanalysis is one of the best forms of attack in its category. In this paper, we propose a new key stream attack which is based on ZDD (Zero-suppressed BDD). We show how a ZDD-based key stream attack is more efficient in time and space complexity than its BDD-based variant against the E0 type of the Bluetooth security mechanism. We implemented it by using CUDD, the Colorado University Decision Diagram package. Experimental results show great improvements. We have also derived a mathematical proof which shows that it is better than the BDD-based attack method even in the worst-case analysis.

Keywords: Binary Decision Diagram, Cryptanalysis, Algorithm complexity.

1. Introduction

In cryptography, pseudo random sequences are frequently used. A pseudo random sequence generator is required to be uniformly distributed, independent and uncorrelated [8]. In the implementation of key stream generators, the LFSR (Linear Feedback Shift Register) is used because all the above conditions are met and the corresponding algebraic analysis is quite simple. LFSR-based key stream generators consist of two components: a linear bit stream generator L and a nonlinear compression function C, i.e. K = (L, C). First they generate the key stream Y = C(L(k)) for the cipher key k, then Y and the plain text P are bitwise XORed to produce the cipher text E. In the cryptanalysis of these generators, the encryption system is supposed to be known and we are interested in finding k. BDD and its variants are data structures that are used effectively in computer science and engineering. These data structures give compact and canonical representations for Boolean functions.
Recently, a new attack against LFSR-based key stream generators was introduced by Krause [3], based on a variant of BDD known as FBDD. Later, Shaked and Wool [9] introduced their OBDD-based attack on the E0 key stream generator. In this paper, we introduce a new attack on key stream generators which uses ZDD. Experimental results show that it gives a remarkable reduction in time and space complexity compared with the OBDD- and FBDD-based attacks. We have also derived a proof which confirms the experimental results.

This paper is organized as follows. Section 2 provides the basic definitions and the main concepts: the E0 encryption system and a brief introduction to BDD and ZDD. In Section 3 the proposed attack is introduced. First the FBDD attack is discussed, then the

attack on E0 with OBDD is reviewed. Finally our ZDD-based attack is introduced. Section 4 is dedicated to the theoretical complexity analysis of our method. Section 5 provides the conclusions.

2. Preliminaries

2.1 E0 Key Stream Generator

E0 is an LFSR-based key stream generator which is used in the Bluetooth security mechanism. LFSR-based key stream generators consist of two components, a linear bit stream generator L and a nonlinear compression function C. After initialization, the linear bit stream generator L generates the bit stream Z. It employs four Linear Feedback Shift Registers (LFSR), whose output is the input to the compression function C. The output of the compression function is the key stream Y = C(L(k)). The lengths of the four LFSRs are L1 = 25, L2 = 31, L3 = 33 and L4 = 39, and their feedback polynomials are:

p1(x) = x^25 + x^20 + x^12 + x^8 + 1
p2(x) = x^31 + x^24 + x^16 + x^12 + 1
p3(x) = x^33 + x^28 + x^24 + x^4 + 1
p4(x) = x^39 + x^36 + x^28 + x^4 + 1

At the beginning, the linear generator needs to be loaded with an initial value for the four LFSRs (128 bits in total). The summation of the four output bits of the LFSRs makes the input of the compression function. The compression function is usually organized as a finite state machine C_E0 = (Q, Σ, Γ, I, F, δ). The states of the FSM are Q = {q_i : 0 ≤ i ≤ 15}, its input alphabet is Σ = {0, 1, 2, 3, 4}, its output alphabet is Γ = {0, 1}, and I, F stand for the sets of initial and final states. The set of FSM transition rules δ ⊆ Q × Σ × Γ × Q has elements of the form (q_n, a) → q_{n+1} [, 9, 4].

2.2 BDD versus ZDD

There are several known methods for representing Boolean formulas. The most important of them are the truth table, the Karnaugh map and Boolean expressions. BDD, or more precisely ROBDD, is also a data structure invented for this purpose. This data structure is a graph which can be obtained from the binary decision tree of the Boolean formula by applying merging and removing rules [1, 6]. Altogether this method is better than the other methods. The benefits of ROBDD are: 1. it provides a canonical representation, 2. it represents Boolean functions more compactly and 3. it offers faster Boolean operations. A set can be represented by its characteristic function.
Journal of Advances in Computer Research (Vol., No., August, pages 39-46)

In this regard, for each element/subset we consider a minterm in the corresponding characteristic function. Theoretical analysis and practical experiments have shown that a variant of BDD called ZDD (Zero-suppressed Binary Decision Diagram) [7] is more suitable for representing such a characteristic function. A ZDD can also be obtained from the binary decision tree of a Boolean formula. In a BDD, whenever the 1-edge and the 0-edge of a node point to the same node, that node must be removed, but in a ZDD, whenever the 1-edge of a node points to the 0-terminal, that node must be removed. The merging rule is the same for both of them. In a ZDD each path from the root to the 1-terminal stands for an element of the set [, 5].

3. ZDD Based Cryptanalysis of E0

In this section we first introduce the FBDD-based attacker of Krause [3], then we reveal the motivation that led us to use ZDD instead of FBDD or OBDD. Finally we introduce and discuss our ZDD-based attacker.

3.1 FBDD Based Cryptanalysis of Key Stream Generators

Krause in his work [3] assumes that, except for the key k, all other parameters are known; he also assumes that the attacker is able to obtain the first m bits of the key stream Y. The goal of the attacker is computing k ∈ {0,1}^n. Since in an LFSR the first output bits are the same as its initial values, Z = L(k) contains k in its first bits. Therefore the problem reduces to finding a bit stream Z satisfying the following conditions:
1. Z can be produced by the linear bit stream generator L.
2. C(Z) is a prefix of the observed key stream Y.
For m, and the bit stream z ∈ {0,1}^m, the following items are defined:
G_C is an oracle graph representing the order in which the bits of Z are read by the compression function C.
R_m is a minimal G_C-FBDD graph which decides whether Z can be produced by L or not.
Q_m is a minimal G_C-FBDD graph which decides whether C(Z) is a prefix of Y or not.
P_m is a minimal G_C-FBDD graph which decides whether Z can be produced by L and C(Z) is a prefix of Y, or not.
In this method the key is considered to be n bits and the method computes P_m, where m denotes the length of the consecutive bits required for finding the key k. Considering the above formulation, the following algorithm can compute k:
1. P_n = Q_n.
2. for m = n + 1, n + 2, ... do: P_m = (P_{m-1} ∧ Q_m) ∧ R_m.
3. return Z where P_m(Z) = 1.
In other words, the above loop iterates until P_m has only one assignment z ∈ {0,1}^m with P_m(Z) = 1.

3.2 Reduction of FBDD-based Cryptanalysis using OBDDs

The algorithm described by Krause is generic and needs to be adapted. Shaked and Wool [9] made reductions and adapted it for E0 by using OBDD instead of FBDD.
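The elimination rules of section 2.2 and the ZDD set operations (onset, offset, count) that the implementation in section 3.3 relies on can be seen in a few dozen lines. The following is an added example, not code from the paper or from CUDD: a minimal hash-consed diagram manager in which one flag switches between the BDD rule (drop a node whose two edges agree) and the ZDD rule (drop a node whose 1-edge reaches the 0-terminal). The class and function names (DDManager, from_family, compare_sizes, zdd_demo) and the sample family of combinations are constructed for this example; variables are ordered by index and terminals are the ids 0 and 1.

```python
"""Minimal BDD/ZDD manager: two elimination rules, one merging rule,
plus the ZDD set operations onset / offset / count.
Added example; not the paper's code and not CUDD."""

ZERO, ONE = 0, 1   # terminal node ids


class DDManager:
    """Hash-consed decision diagrams; zero_suppressed selects the ZDD rule."""

    def __init__(self, zero_suppressed):
        self.zs = zero_suppressed
        self.unique = {}      # (var, lo, hi) -> node id   (merging rule)
        self.nodes = {}       # node id -> (var, lo, hi)

    def mk(self, var, lo, hi):
        # Elimination rule: a BDD drops a node whose edges agree,
        # a ZDD drops a node whose 1-edge leads to the 0-terminal.
        if self.zs and hi == ZERO:
            return lo
        if not self.zs and lo == hi:
            return lo
        key = (var, lo, hi)
        if key not in self.unique:           # merging rule
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def from_family(self, family, nvars):
        """Diagram of the characteristic function of a family of
        combinations, each given as a frozenset of item indices."""
        def build(var, combos):
            if not combos:
                return ZERO
            if var == nvars:
                return ONE                   # only the empty remainder is left
            hi = build(var + 1, frozenset(c - {var} for c in combos if var in c))
            lo = build(var + 1, frozenset(c for c in combos if var not in c))
            return self.mk(var, lo, hi)
        return build(0, frozenset(family))

    def size(self):
        return len(self.nodes)

    # ---- ZDD set operations (semantics as described in section 3.3) ----
    def count(self, node):
        """Number of combinations = number of root-to-1 paths of a ZDD."""
        if node == ZERO:
            return 0
        if node == ONE:
            return 1
        _, lo, hi = self.nodes[node]
        return self.count(lo) + self.count(hi)

    def onset(self, node, n):
        """Combinations that contain item n, with n deleted from each."""
        if node in (ZERO, ONE):
            return ZERO                      # the empty combination lacks n
        var, lo, hi = self.nodes[node]
        if var > n:
            return ZERO                      # n was skipped: absent below here
        if var == n:
            return hi
        return self.mk(var, self.onset(lo, n), self.onset(hi, n))

    def offset(self, node, n):
        """Combinations that do not contain item n."""
        if node in (ZERO, ONE):
            return node
        var, lo, hi = self.nodes[node]
        if var > n:
            return node
        if var == n:
            return lo
        return self.mk(var, self.offset(lo, n), self.offset(hi, n))

    def combinations(self, node, prefix=frozenset()):
        """Enumerate the family a ZDD node represents (one per 1-path)."""
        if node == ZERO:
            return set()
        if node == ONE:
            return {prefix}
        var, lo, hi = self.nodes[node]
        return self.combinations(lo, prefix) | self.combinations(hi, prefix | {var})


# Constructed sample: a sparse family of 3 combinations over 6 items.
FAMILY = [frozenset({0, 1}), frozenset({2}), frozenset({4, 5})]
NVARS = 6


def compare_sizes(family=FAMILY, nvars=NVARS):
    """Node counts of the BDD and the ZDD of the same characteristic function."""
    bdd, zdd = DDManager(False), DDManager(True)
    bdd.from_family(family, nvars)
    zdd.from_family(family, nvars)
    return bdd.size(), zdd.size()


def zdd_demo(family=FAMILY, nvars=NVARS):
    """count / onset / offset on the ZDD of the sample family."""
    zdd = DDManager(True)
    root = zdd.from_family(family, nvars)
    return {"count": zdd.count(root),
            "onset_2": zdd.combinations(zdd.onset(root, 2)),
            "offset_0": zdd.combinations(zdd.offset(root, 0))}


if __name__ == "__main__":
    print("BDD vs ZDD nodes:", compare_sizes())
    print(zdd_demo())
```

For the sample family the BDD needs 11 nodes and the ZDD 5: every variable that is absent from all three combinations (item 3, and the trailing items of each combination) costs a chain of "must be 0" nodes in the BDD but is simply skipped in the ZDD, which is exactly the sparsity argument made for the Q graph in section 3.3. count() is only valid for ZDDs, because in a BDD a skipped variable stands for two assignments, not one.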

Krause in [4] generalized the OBDD attack to oblivious key stream generators. In the OBDD attack the output bits of L(k) are considered as Z = (..., z_{4j}, z_{4j+1}, z_{4j+2}, z_{4j+3}, ...), where z_{4j+l} ∈ L_l(k), i.e. the l-th bit of every group of four comes from LFSR l. This ordering leads to the following equations for the linear key stream generator L:

i = 4j:     z_{i+100} = z_{i+80} ⊕ z_{i+48} ⊕ z_{i+32} ⊕ z_i
i = 4j + 1: z_{i+124} = z_{i+96} ⊕ z_{i+64} ⊕ z_{i+48} ⊕ z_i
i = 4j + 2: z_{i+132} = z_{i+112} ⊕ z_{i+96} ⊕ z_{i+16} ⊕ z_i
i = 4j + 3: z_{i+156} = z_{i+144} ⊕ z_{i+112} ⊕ z_{i+16} ⊕ z_i

(each equation is the feedback recurrence of the corresponding LFSR with every index multiplied by 4 because of the interleaving). Afterwards, according to the obtained equations, the R graph is produced by building OBDDs for each z_i. In building the OBDDs which check m bits for each L_l, the algorithm calls the first m bits in its bit stream. The goal of the algorithm is to compute these leading bits of L. According to the above equations, an algorithm must build OBDDs for the indices i above. A BDD structure called a basic chain is used to compute the Q graph, which represents sums of 4 bits. For each state and each of the 5 possible sums, if the output bit matches the bit given in the key stream y, it can proceed to the next chain; otherwise this path leads to the 0-terminal.

3.3 ZDD-Based Cryptanalysis of E0

Combinations of n items can be represented by an n-bit vector (x_1, ..., x_n), where x_i ∈ {0,1} determines whether item i is included in the combination or not. In this way, a set of combinations can be represented by a Boolean function. Such a Boolean function is called the characteristic function of the set. In general, OBDDs are more efficient in the compact representation of characteristic functions than other methods, but Minato [7] has shown that if we change the elimination rule, we can represent characteristic functions much more efficiently. The goal of key stream cryptanalysis is to analyse all possible keys and find the right one. The FBDD attack can be reduced by using OBDD, because these generators have the same ordering in building the R and Q graphs as well as in building P. The compression function of these generators can be shown as a finite state machine. We may use ZDD to construct a more efficient attack on this kind of key stream generator (to attack the E0 key stream generator).
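The four equations of the OBDD attack (section 3.2) are nothing more than the E0 feedback polynomials of section 2.1 read as recurrences over the interleaved stream, and checking that a candidate stream satisfies them is what the R graph encodes. The following added example (not the paper's code and not CUDD) generates the interleaved stream Z from constructed register contents and verifies the four equations, which is the sanity check a practitioner would run before turning them into decision-diagram constraints. It assumes the usual reading of a feedback polynomial x^L + x^t1 + x^t2 + x^t3 + 1 as the recurrence s[i+L] = s[i+t1] ⊕ s[i+t2] ⊕ s[i+t3] ⊕ s[i]; the 128 initial bits come from a fixed-seed PRNG and are not a real Bluetooth key, and the names E0_LFSRS, interleave, violations, make_key and demo are made up for this example.

```python
"""Interleaved E0 LFSR stream and the linear constraints of section 3.2.
Added example; not the paper's code and not CUDD."""
import random

# (length, taps): s[i+L] = XOR of s[i+t] for t in taps, the recurrence of
# x^L + x^t1 + x^t2 + x^t3 + 1 (tap 0 is the constant term).
E0_LFSRS = [
    (25, (20, 12, 8, 0)),
    (31, (24, 16, 12, 0)),
    (33, (28, 24, 4, 0)),
    (39, (36, 28, 4, 0)),
]


def lfsr_sequence(length, taps, init, nbits):
    """First nbits of the sequence whose first `length` bits are init."""
    assert len(init) == length
    s = list(init)
    for i in range(nbits - length):
        s.append(sum(s[i + t] for t in taps) & 1)
    return s[:nbits]


def interleave(key_bits, steps):
    """Z = (z0, z1, z2, z3, z4, ...) with z[4j+l] = bit j of LFSR l.
    key_bits holds the 128 initial bits, LFSR 1 first."""
    streams, pos = [], 0
    for length, taps in E0_LFSRS:
        streams.append(lfsr_sequence(length, taps, key_bits[pos:pos + length], steps))
        pos += length
    return [streams[l][j] for j in range(steps) for l in range(4)]


# Offsets of the four equations: every LFSR index times 4 (interleaving).
# LFSR 1 gives (100, (80, 48, 32, 0)), LFSR 2 gives (124, (96, 64, 48, 0)), ...
CONSTRAINTS = [(4 * L, tuple(4 * t for t in taps)) for L, taps in E0_LFSRS]


def violations(z):
    """Indices i whose equation (chosen by i mod 4) fails on z."""
    bad = []
    for i in range(len(z)):
        lead, offs = CONSTRAINTS[i % 4]
        if i + lead >= len(z):
            continue                         # equation reaches past the stream
        expected = 0
        for o in offs:
            expected ^= z[i + o]
        if z[i + lead] != expected:
            bad.append(i)
    return bad


def make_key(seed=1234):
    """Constructed 128-bit register contents (not a real key)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(128)]


def demo(steps=200):
    """Clean stream satisfies all equations; one flipped bit breaks exactly
    the equations that read it (as lead bit, as each tap, and as z_i)."""
    z = interleave(make_key(), steps)
    ok_before = violations(z) == []
    z[120] ^= 1                              # z[120] belongs to LFSR 1, j = 30
    return len(z), ok_before, violations(z)


if __name__ == "__main__":
    print(demo())
```

With 200 steps the stream has 800 bits, the unmodified stream violates nothing, and flipping z[120] is caught by the five class-0 equations that read index 120 (i = 20, 40, 72, 88 and 120). The point for the attack analysis is the other direction: every surviving assignment of R_m must satisfy one such equation per bit beyond the register lengths, which is why the number of assignments stops growing in the later stages of section 4.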
In our ZDD attack against the E0 generator, we implemented the R graph in a similar way as in the OBDD attack; the only difference is using ZDD instead of OBDD. Each synthetic ZDD consists of 5 variables and 9 vertices; therefore it requires 456 vertices. We computed the Q graph by the following method. Since the finite state machine of the E0 generator has 16 states, we used 4 variables, q_1, q_2, q_3, q_4, to mark the states. Thus in step n the following function can be computed:

Clearly, F(q_1, q_2, q_3, q_4, z_0, z_1, ..., z_{4n+1}, z_{4n+2}, z_{4n+3}) consists of 4n + 4 variables. It stands for all the possible paths in the finite state machine after reading n + 1 input symbols. We implemented Q using the following algorithm:
1. If C includes the transition rule (q_i, a) → q_{i+1} AND the corresponding output rule E(q_i, a) → b AND b = b_i (b_i is the i-th bit in the known key stream Y):
   (a) Compute q_i and q_{i+1} based on q: q_i = (q_1)(q_2)(q_3)(q_4), where (q_k) is q_k or ¬q_k according to the labels of the states of the machine. For example, the 5th state is the product (q_1)(q_2)(q_3)(q_4) of the four literals chosen by its label.
   (b) For all a, take the combinations of z_{4i}, z_{4i+1}, z_{4i+2}, z_{4i+3} with z_{4i} + z_{4i+1} + z_{4i+2} + z_{4i+3} = a and compute X_j = (q_{i+1} ∧ z_{4i} z_{4i+1} z_{4i+2} z_{4i+3}).
2. Compute the function (X_1 ∨ ... ∨ X_j) ∧ q_i.
3. Compute Q_{i+1} by removing q_i from ((X_1 ∨ ... ∨ X_j) ∧ q_i).
We need to mention that finally we are interested in computing Q_128. The constructed Q correctly decides whether C(Z) is a prefix of Y or not. By scanning all the paths from the root to the 1-terminal, we compute all Z's which produce the same prefix as Y. A pseudo random sequence must be distributed uniformly, i.e., the probability of occurrence of 0 must be equal to the probability of occurrence of 1. This property, along with the other required properties, forces the constructed Q to be a sparse graph. In implementing our proposed attack, we mapped the problem to a combinatorial set problem. In fact, in each iteration of computing Q, we checked all possible combinations of input bits and final states. Most operations on sets, such as union, intersection and difference, are already defined and implemented for ZDD. In addition, some other useful functions are available in most BDD packages, like:
Z.onset(N) selects the subset of the combinations including N, and then deletes N from each combination.
Z.offset(N) returns the subset of the combinations excluding N.
Z.Count() returns the number of combinations in the ZDD Z.
We ran our algorithm in C along with the CUDD package [10]. Our algorithm can be displayed with the following pseudo code:

    For each element (q_i, a) → q_{i+1} of δ {
        If E(q_i, a) → b and b = b_i {
            q_i     = ZDDIntersect((q_1), (q_2), (q_3), (q_4))
            q_{i+1} = ZDDIntersect((q_1), (q_2), (q_3), (q_4))
            For every z_{4j}, z_{4j+1}, z_{4j+2}, z_{4j+3} with z_{4j} + z_{4j+1} + z_{4j+2} + z_{4j+3} = a {
                X_j = ZDDIntersect(q_{i+1}, z_{4j}, z_{4j+1}, z_{4j+2}, z_{4j+3})
                Q_{i+1} = ZDDUnion(Q_{i+1}, ZDDIntersect(X_j, q_i))
            }
            Q_{i+1} = Q_{i+1}.Onset(q_i)
        }
    }

4. Theoretical Complexity Analysis

The time complexity of the algorithm is determined by the space complexity of the ZDD constructed during the entire process of construction. First, let us take a look at the complexity of the functions which are used in the algorithm. The time complexity of producing the ZDD representing F(x_1, ..., x_n) is O(|G_F|), where |G_F| denotes the number of vertices in the constructed graph. The time complexity of each set operation, such as the union and intersection of two graphs F and G, is O(|G_F| · |G_G|). In the algorithm, during the first steps, each step introduces 4 new variables and one constraint, z_{4j} + z_{4j+1} + z_{4j+2} + z_{4j+3} = a, so the number of assignments is multiplied by a fixed factor at each step. After a further number of steps it has two constraints, since z_{4j} is determined, and the number of assignments is multiplied by a fixed factor at each step. After more steps it has three constraints, z_{4j} and z_{4j+1} are determined, and the number of assignments is again multiplied by a fixed factor at each step. After the step at which it has four constraints there are no more choices, so the number of assignments stays constant. In the next steps, the number of assignments starts to decrease by half. On the other hand, due to the ZDD properties, the average number of vertices in each path would be

C(4, ·) = 4; therefore, based on the above arguments, we can compute the higher bound on |P_m| stage by stage. On the other hand, P_m is obtained by the intersection of Q_m and R_m, so we can compute the other higher bound, Time(P_m) = |Q_m| · |R_m|, stage by stage as well. In practice, Q has many fewer nodes than this bound. The overall upper bound of the complexity is obtained from the intersection of the above two bounds, which gives the space and time complexity of the attack. We need to mention that this is a non-refined approximation bound; an accurate analysis would give even better values. Here we can see that using ZDD gives a graph with fewer nodes than its predecessor which used OBDD.

5. Conclusion

Zero-suppressed Binary Decision Diagram (in short ZBDD or ZDD) is a variant of BDD. While BDD gives a more compact representation and more efficient operations on Boolean formulas, ZDD gives a more compact representation and more efficient operations on characteristic functions representing sets of subsets. This research shows, by utilizing this property, how ZDD can be used to construct an attacker more efficient than the outstanding OBDD-based attacker.

6. References

[1] Randal E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, C-35(8):677-691, 1986.
[2] Scott R. Fluhrer and Stefan Lucks. Analysis of the E0 Encryption System. 8th Annual International Workshop on Selected Areas in Cryptography, pages 38-48, London, UK, 2001. Springer-Verlag.
[3] Matthias Krause. BDD-Based Cryptanalysis of Keystream Generators. EUROCRYPT 2002, pages 222-237, 2002.

[4] Matthias Krause. OBDD-Based Cryptanalysis of Oblivious Keystream Generators. Theory of Computing Systems, 40(1):101-121, 2007.
[5] Matthias Krause and Dirk Stegemann. Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators. 13th Annual Fast Software Encryption Workshop, pages 163-178, 2006.
[6] Christoph Meinel and Thorsten Theobald. Algorithms and Data Structures in VLSI Design: OBDD - Foundations and Applications. Berlin, Heidelberg, New York: Springer-Verlag, 1998.
[7] Shin-ichi Minato. Zero-suppressed BDDs and their applications. International Journal on Software Tools for Technology Transfer, Springer, 2001, pp. 156-170.
[8] Matt Robshaw. Stream Ciphers. Technical report, RSA Laboratories, 1995.
[9] Yaniv Shaked and Avishai Wool. Cryptanalysis of the Bluetooth E0 cipher using OBDDs. Proceedings of the 9th Information Security Conference, LNCS 4176, pages 187-202, 2006.
[10] Fabio Somenzi. CUDD: Colorado University Decision Diagram Package. http://vlsi.colorado.edu/~fabio/cudd/, 2009.