Time and Space Complexity Reduction of a Cryptanalysis Algorithm

Mohammad Ghasemzadeh
Electrical and Computer Engineering Department, Yazd University, Yazd, Iran. ghasezadeh@yazdun.ac.r

Received: /4/6; Accepted: /5/4 Pages: 9-46

Abstract

Binary Decision Diagram (in short BDD) is an efficient data structure which has been used widely in computer science and engineering. BDD-based attack in key stream cryptanalysis is one of the best forms of attack in its category. In this paper, we propose a new key stream attack which is based on ZDD (Zero-suppressed BDD). We show how a ZDD-based key stream attack is more efficient in time and space complexity over its BDD-based variant against the E0 type of the Bluetooth security mechanism. We implemented it by using the CUDD - Colorado University Decision Diagram package. Experimental results show great improvements. We have also derived a mathematical proof, which shows that it is better than the BDD-based attack method even for the worst case analysis.

Keywords: Binary Decision Diagram, Cryptanalysis, Algorithm complexity.

1. Introduction

In cryptography, pseudo random sequences are frequently used. A pseudo random sequence generator requires to be uniformly distributed, independent, and noncorrelated [8]. In implementation of key stream generators, the LFSR (Linear Feedback Shift Register) is being used because all above conditions are met and the corresponding algebraic analysis is quite simple. The LFSR-based key stream generators consist of two components: a linear bit stream generator and a nonlinear compression function C, i.e. K=(,C. First they generate the key stream Y=C((k, for the cipher key k, then Y and the plain text P are bitwise XORed to produce the cipher text E. In cryptanalysis of these generators, the encryption system is supposed to be known and we are interested in finding k.

BDD and its variants are data structures that are used effectively in computer science and engineering. These data structures give compact and canonical representations for Boolean functions.
Recently, a new attack against LFSR-based key stream generators is introduced by Krause [] which is based on a variant of BDD known as FBDD. Later Shaked and Wool [9] introduced their OBDD-based attack to E0 key stream generator. In this paper, we introduce a new attack to key stream generators which uses ZDD. Experimental results show that it makes a remarkable reduction in time and space complexity regarding OBDD and FBDD based attacks. We have also derived a proof which confirms the experimental results.

This paper is organized as follows. Section 2 provides the basic definitions and the main concepts: E0 encryption system and a brief introduction to BDD and ZDD. In section 3 the proposed attack is introduced. First the FBDD attack is discussed, then the
attack to E0 with OBDD is reviewed. Finally our ZDD-based attack is introduced. Section 4 is dedicated to the theoretical complexity analysis of our method. Section 5 concludes.

2. Preliminaries

2.1. E0 Key Stream Generator

E0 is an LFSR-based key stream generator which is used in Bluetooth security mechanism. LFSR-based key stream generators consist of two components, a linear bit stream generator and a nonlinear compression function. After initialization, the linear bit stream generator generates the bit stream Z. It employs four Linear Feedback Shift Registers (LFSR), whose output is the input to the compression function C. The output of the compression function would be the key stream Y = C( ( k. The lengths of the four LFSR are = 5, =, = and = 9, and their feedback polynomials are: 5 8 p ( x = x + x + x + x + 4 6 p ( x = x + x + x + x + 8 4 4 p ( x = x + x + x + x + 9 6 8 4 p ( x = x + x + x + x +

At the beginning, the linear generator needs to be loaded with an initial value for the four LFSRs (8 bits in total). Summation of the four output bits of the LFSRs make the input of the compression function. The compression function is usually organized with a finite state machine c :(,,,,, E ΣΓ I F δ, States of the FSM are ={ q : 5}, its input alphabet Σ ={,,,,4}, output alphabet Γ ={,} and I, F stand for the set of initial and final states. The set of FSM transition rules δ Σ Γ have elements in the form of ( qn, a q n + [, 9, 4].

2.2. BDD versus ZDD

There are several known methods for representing Boolean formulas. The most important of them are: Truth table, Karnaugh map and Boolean expressions. BDD or more precisely ROBDD is also a data structure invented for this purpose. This data structure is a graph which can be obtained from the binary decision tree of the Boolean formula by applying merging and removing rules [, 6]. Altogether this method is better than other methods. The benefits of ROBDD are: 1. Provides a canonical representation, 2. represents Boolean functions more compactly and 3. offers faster Boolean operations.

A set can be represented by its characteristic function.
In this regard, according to each element/subset we consider a minterm in the corresponding characteristic function. Theoretical analysis and practical experiments have shown that a variant of BDD called ZDD (Zero suppressed Binary Decision Diagrams) [7] is more suitable for representing such a characteristic function. A ZDD can also be obtained from binary decision tree of a Boolean formula. In a BDD whenever 0-edge and 1-edge of a node point to the same node that node must be
removed, but in a ZDD whenever the 1-edge of a node points to 0-terminal, that node must be removed. The merging rule is the same for both of them. In a ZDD each path from the root to the 1-terminal stands for an element of the set [, 5].

Journal of Advances in Computer Research (Vol., No., August 9-46

3. ZDD Based Cryptanalysis of E0

In this section we first introduce the FBDD based attacker of Krause [], then we reveal the motivation that led us to use ZDD instead of FBDD or OBDD. Finally we introduce and discuss our ZDD-based attacker.

3.1. FBDD Based Cryptanalysis of Key Stream Generator

Krause in his work [] assumes that except for key k, all other parameters are known, also he assumes that the attacker is able to obtain the first bits of the key stream Y. The goal of the attacker is computing k {{,} n }. Since in an LFSR, the first output bits are the same as its initial values, Z = ( k would contain k in the first bits. Therefore the problem reduces to finding a bit stream Z satisfying the following conditions:. Z can be produced by the linear bit stream generator.. C (Z is prefix of the observed key stream Y.

For, and the bit stream z {,} the following items are defined: C G is an oracle graph representing the order in which the bits of Z are being read by the compression function C. R is a minimal G C FBDD graph which decides whether Z can be produced by or not. is a minimal G C FBDD graph which decides whether C (Z is a prefix of Y or not. P is a minimal G C FBDD graph which decides whether Z can be produced by where C (Z is a prefix of Y or not.

In this method, the key is considered to be n bits and it computes, where denotes the length of the consecutive bits required for finding the key k. Considering above formulations, the following algorithm can compute k :. P n.. for n + to do: P ( P R. return Z where P ( Z =. In other words, the above loop iterates until P has only one assignment z {,} where P ( Z =.

3.2. Reduction of FBDD-based Cryptanalysis using OBDDs

The algorithm described by Krause is generic and needs to be adapted. Shaked and Wool [9] made reductions and adopted it for E0, by using OBDD instead of FBDD.
Krause in [4] generalized OBDD attack to oblivious key stream generator. In the OBDD attack the output bits of (k are considered as: Z =(..., z4j, z4j +, z4j+, z4j +,..., where z4 j+ ( k. This ordering leads to the following equations for the linear key stream generator : =4 j : z = z z z z ( 48 8 = 4 j + : z = z 48 64 96 4 = 4 j + : z = z 6 96 = 4 j + : z = z 6 44 56

Afterwards, according to the obtained equations, R graph is produced by building OBDDs for each z. In building OBDDs which check bits for each, the algorithm calls the first bits in its bit stream. The goal of the algorithm is to compute these leading bits of. According to above equations, an algorithm must build OBDDs for : j 4. A BDD structure called basic chain is used to compute graph which represents sums of 4 bits. For each state and each of the 5 possible sums, if the output bit matches the bit given in the key stream Y, it can proceed to next chain; otherwise this path would lead to a Terminal.

3.3. ZDD-Based Cryptanalysis of E0

Combinations of n items can be represented by an n-bit vector, x,... x, where ( n x {,} determines whether x is included in the combination or not. In this way, a set of combinations can be represented with a Boolean function. Such a Boolean function is called characteristic function of the set. In general, OBDDs are more efficient in compact representation of characteristic functions than other methods, but Minato [7] has shown that if we change the elimination rule, we can represent characteristic functions much more efficiently.

The goal of key stream cryptanalysis is to analyse all possible keys and find the right one. FBDD attack can be reduced by using OBDD, because these generators have the same ordering, in building R and graphs as well as in building P. The compression function of these generators can be shown with a finite state machine. We may use ZDD to construct a more efficient attack on this kind of key stream generators (to attack E0 key stream generator).
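Added example (not part of the original paper, and not CUDD code): the two elimination rules from the BDD versus ZDD discussion and the characteristic-function argument above, applied to the same family of combinations in a minimal pure-Python construction. The function names and the sample family are constructed for illustration.

```python
def build(family, n, rule):
    """Return (root, table) for a family of subsets of {0..n-1}.
    rule='bdd': drop a node whose 0-edge and 1-edge reach the same node.
    rule='zdd': drop a node whose 1-edge reaches the 0-terminal.
    Node ids 0 and 1 are the terminals; table maps (var, lo, hi) -> id."""
    table = {}

    def mk(var, lo, hi):
        if rule == "bdd" and lo == hi:
            return lo
        if rule == "zdd" and hi == 0:
            return lo
        # Merging rule (same for both): share identical (var, lo, hi) nodes.
        return table.setdefault((var, lo, hi), len(table) + 2)

    def rec(var, fam):
        if not fam:
            return 0                      # no combination left
        if var == n:
            return 1                      # only the empty remainder is left
        lo = rec(var + 1, frozenset(s for s in fam if var not in s))
        hi = rec(var + 1, frozenset(s - {var} for s in fam if var in s))
        return mk(var, lo, hi)

    return rec(0, frozenset(map(frozenset, family))), table


def zdd_members(root, table):
    """Enumerate the combinations stored in a ZDD: one per root-to-1 path."""
    nodes = {nid: key for key, nid in table.items()}

    def walk(nid):
        if nid == 0:
            return set()
        if nid == 1:
            return {frozenset()}
        var, lo, hi = nodes[nid]
        return walk(lo) | {s | {var} for s in walk(hi)}

    return walk(root)


def compare(family, n):
    """Non-terminal node counts (BDD, ZDD) for the same family."""
    return len(build(family, n, "bdd")[1]), len(build(family, n, "zdd")[1])


# Constructed sample: 8 items, each combination contains exactly one item.
ONE_HOT = [{i} for i in range(8)]
if __name__ == "__main__":
    print("BDD nodes, ZDD nodes:", compare(ONE_HOT, 8))
```

For sparse families such as this one, the ZDD needs one node per item that actually occurs, while the BDD must also test every absent item along each accepting path.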
In our ZDD attack against E0 generator, we implemented the R graph in a similar way as in OBDD attack, the only difference is using ZDD instead of OBDD. Each synthetic ZDD consists of 5 variables and 9 vertices, therefore, it requires 456 vertices. We computed the graph by the following method; Since finite state machine of E0 generator has 6 states, we used 4 variables, to mark the states. Thus in q the following function can be computed:
Clearly, + + + + = F ( q, q, q, q, z z,, z,.., 4 +, 4+ 4+ z consists of 4 + 4variables. It stands for all the possible paths in the finite state machine after reading + input symbols. We implemented using the following algorithm:. If C includes transition rule ( q, a q + AND correspondent output rule E ( q, a b AND b = b ( b is th bit in known key stream Y: (a Compute q and q + based on q : q = ( q ( q ( q ( q where ( q is q or ( q is ( q according to labels of the states of the machine. For example in step, the 5 th state is : ( q ( q ( q ( q. (b For all. Compute z = 4 + X a, compute: j = ( q+ z4+ z4+ z4+ z4 function based on:. Compute by removing = ( X... X j q = (( X... ( X j ( q from.

We need to mention that finally we are interested in computing 8. The constructed correctly decides whether C(Z is prefix of Y or not. By scanning all the paths from root to T, we compute all Z s which produce the same prefix as Y. A pseudo random sequence must be distributed uniformly, i.e., the probability of 0 occurrence must be equal to the probability of 1 occurrence. This property along with other required properties, enforce the constructed to be a sparse graph.

In implementing our proposed attack, we mapped the problem to a combinatorial set problem. In fact, in each iteration of computing, we checked all possible combinations of input bits and final states. Most operation on sets such as union, intersect, difference are already defined and implemented for ZDD. In addition some other useful functions like:
  Z.onset(N) selects the subset of the combinations including N, and then deletes N from each combination.
  Z.offset(N) returns the subset of the combinations excluding N.
  Z.Count(N) returns number of combinations in the ZDD Z.
are available in most BDD packages. We ran our algorithm in C along with the CUDD package[]; Our algorithm can be displayed with the following pseudo code:
δ For element { If q, a q ( q, a b ( b = b } (( + { q } = ZDDIntersect( q,( q,( q,( q q = ZDDIntersect(( q,( q, ( q,( q + + + Z4 j +, For { } if For every Z 4 j + = a + + X ZDDIntersect( q, z, z, z, q j = + 4+ ZDDUnion( j, ZDDIntersect ( X j,. Oneset( q, if (( q == ( q q. Oneset( q X j z 4+, 4+ 4

4. Theoretical Complexity Analysis

The time complexity of the algorithm is determined by the space complexity of the constructed ZDD during the entire process of construction. First, let's take a look at the complexity of functions which are used in the algorithm: The time complexity of producing the ZDD representing F ( x,..., x n is O ( GF, where G F denotes the number of vertexes in constructed graph. Time complexity of each set operation such as union and intersect of two graph F,G is O ( G F. GG

In the algorithm, during the steps, it introduces 4 new variables, and one constraint z = 4 a j +, then the number of assignments is multiplied by. After steps it has two constraints, z4 j is determined, then the number of assignments is multiplied by. After steps it has three constraints, z4 j and z4 j + are determined, then the number of assignments is multiplied by. After step it has four constraints and there are no more choices, then the number of assignments will be constant. In the next steps, the number of assignments start to decrease to half. On the other hand, due to ZDD properties, the average number of vertices in each path would be
C(4,.. = 4 therefore, based on above arguments, we can compute the higher bound as ( : 8 : : P = ( : P = ( : P = ( ( : P = ( : P =

On the other hand, P is obtained by intersection of and R, then we can compute the other higher bound: : Time( P = R = 4 : Time( P = ( : Time( P = ( : Time( P = ( : Time( P = ( = ( 8

In practice, has approximately 4 nodes. The overall upper bound of complexity can be obtained from intersection of the above two bounds, which will give a space complexity of, and time complexity of 8. We need to mention that this is a nonrefined approximation bound, accurate analysis would give even better values. Here we can see that using ZDD gives a graph with 8 nodes less than its predecessor which used OBDD.

5. Conclusion

Zero-suppressed Binary Decision Diagram (in short ZBDD or ZDD) is a variant of BDD. While BDD gives more compact representation and more efficient operations on Boolean formulas, ZDD gives more compact representation and more efficient operations on characteristic functions representing sets of subsets. This research shows, by utilizing this property, how ZDD can be used to construct an attacker more efficient than the outstanding OBDD-based attacker.

6. References

[1] Randal E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, 5(8:677-69, 986.
[2] Fluhrer, Scott R. and Lucks, Stefan. Analysis of the E0 Encryption System. 8th Annual International Workshop on Selected Areas in Cryptography, pages 8-48, London, UK,. Springer-Verlag.
[3] Matthias Krause. BDD-Based Cryptanalysis of Keystream Generators. EUROCRYPT, pages - 7,.
[4] Matthias Krause. OBDD-Based Cryptanalysis of Oblivious Keystream Generators. Theor. Comp. Sys., 4(:-, 7.
[5] Matthias Krause and Dirk Stegemann. Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators. th annual Fast Software Encryption Workshop, pages 6-78, 6.
[6] Christoph Meinel and Thorsten Theobald. Algorithms and data structures in VLSI design: OBDD - foundations and applications. Berlin, Heidelberg, New York: Springer-Verlag, 998.
[7] Shin-ichi Minato. Zero-suppressed BDDs and their applications. In: Proceedings of International Journal on Software Tools for Technology Transfer, Springer,, pp. 56-7.
[8] Matt Robshaw. Stream Ciphers. Technical report, RSA Laboratories, 995.
[9] Yaniv Shaked and Avishai Wool. Cryptanalysis of the Bluetooth E0 cipher using OBDDs. Proceedings of 9th Information Security Conference, LNCS 476, pages 87-, 6.
[10] Fabio Somenzi. CUDD: Colorado University Decision Diagram Package. http://vlsi.colorado.edu/~fabio/cudd/, 9.