IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers

Similar documents
Classical Cryptography

Cryptanalysis of Achterbahn

Thesis Research Notes

Fast correlation attacks on certain stream ciphers

STREAM CIPHER. Chapter - 3

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

a fast correlation attack implementation

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Lecture 10-11: General attacks on LFSR based stream ciphers

Linear Approximations for 2-round Trivium

Algebraic Attacks and Stream Ciphers

Algebraic attack on stream ciphers Master s Thesis

Topics. Probability Theory. Perfect Secrecy. Information Theory

Improved Cascaded Stream Ciphers Using Feedback

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5

The LILI-128 Keystream Generator

Appendix A. Pseudo-random Sequence (Number) Generators

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

Searching Cubes for Testing Boolean Functions and Its Application to Trivium

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Private-key Systems. Block ciphers. Stream ciphers

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

Modified Alternating Step Generators

Fast Correlation Attack on Stream Cipher ABC v3

New Implementations of the WG Stream Cipher

Stream Ciphers: Cryptanalytic Techniques

Fast Correlation Attacks: an Algorithmic Point of View

Correcting Codes in Cryptography

Lecture Notes. Advanced Discrete Structures COT S

Fast Correlation Attacks: An Algorithmic Point of View

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

3.8 MEASURE OF RUNDOMNESS:

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

Cryptanalysis of a Multistage Encryption System

LILI Keystream Generator

Cellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi

Pseudo-random Number Generation. Qiuliang Tang

Fast Low Order Approximation of Cryptographic Functions

Public-key Cryptography: Theory and Practice

Computers and Mathematics with Applications

Smart Hill Climbing Finds Better Boolean Functions

Lecture 12: Block ciphers

Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Cryptanalysis of the Stream Cipher ABC v2

CRC Press has granted the following specific permissions for the electronic version of this book:

Pseudo-Random Generators

Pseudo-Random Generators

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

CSc 466/566. Computer Security. 5 : Cryptography Basics

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Pseudo-Random Number Generators

Generalized Correlation Analysis of Vectorial Boolean Functions

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

A new simple technique to attack filter generators and related ciphers

L9: Galois Fields. Reading material

Block vs. Stream cipher

Cryptanalysis of the Knapsack Generator

ACORN: A Lightweight Authenticated Cipher (v3)

Combinatorics of p-ary Bent Functions

Solution to Problem Set 3

Some Comments on the Security of RSA. Debdeep Mukhopadhyay

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Binary Additive Counter Stream Ciphers

Sequences, DFT and Resistance against Fast Algebraic Attacks

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

A Pseudo-Random Encryption Mode

CHAPTER 3 CHAOTIC MAPS BASED PSEUDO RANDOM NUMBER GENERATORS

Mathematics of Cryptography

Linear Cellular Automata as Discrete Models for Generating Cryptographic Sequences

Computing the biases of parity-check relations

Public-Key Cryptosystems CHAPTER 4

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Nonlinear Equivalence of Stream Ciphers

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Cook-Levin Theorem. SAT is NP-complete

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

The WG Stream Cipher

Distinguishing Attacks on T-functions

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function

The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

UNPREDICTABLE BINARY STRINGS

A new security notion for asymmetric encryption Draft #10

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Random number generators

CPSC 467b: Cryptography and Computer Security

A new security notion for asymmetric encryption Draft #12

Cube attack in finite fields of higher order

arxiv:nlin/ v1 [nlin.cd] 10 Aug 2006

Transcription:

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers presented by Goutam Sen Research Scholar IITB Monash Research Academy. 1

Agenda: Introduction to Stream Ciphers Linear Feedback Shift Register(LFSR) Cryptanalysis of LFSR-based Stream Ciphers. Statistical Model Exponential-Time Correlation Attack Polynomial-Time Correlation Attack Computational Complexity and Limits of Attack References 2

A Cryptosystem or Cipher 5-tuple Cryptosystem: (P, C, K, E, D) P is a finite set of possible plaintexts; C is finite set of possible ciphertexts; K is the keyspace, finite set of possible keys; For each K ϵ K, there is an encryption rule e K ϵ E and a corresponding decryption rule d K ϵ D. Each e K : P C and d k : C P are functions such that d K (e K (x)) = x for every plaintext element x ϵ P. 3

Block Ciphers vs. Stream Ciphers Block Ciphers: x = x 1 x 2 x n for some integer n 1 and x i ϵ P K: predetermined key(might be different for E and D). y i =e K (x i ), where e K () is an injective function(one-to-one). y=y 1 y 2 y n Encrypted with the same key K ϵ K Stream Ciphers: Keystream K= k 1 k 2 k 3 Cipher y = e k1 (x 1 )e k2 (x 2 )e k3 (x 3 ) P = C = Z 2 e k (x) = (x+k)%2 d k (y) = (y+k)%2 Hardware implementation: XOR gate 4

Random Number Generators: True Random Number Generator (TRNG) Pseudo-Random Number Generator (PRNG) Example: Linear Congruential Generator(LCG) s 0 = seed; s i+1 = as i + b mod m; for i = 0,1,2 chi-square test for statistical randomness not truly random, having periodicity. Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) statistical properties of truly random sequence Given n output bits s i, s i+1,,s i+n-1 No polynomial time algorithm that can predict the next bit s n+1 with better than 50% chance of success. Computationally infeasible to predict s i+n, s i+n+1, and also s i-1, s i-2, 5

Linear Feedback Shift Register(LFSR) 6

Properties of LFSR Periodicity: 2 l -1 for maximum-length LFSR. Tap polynomial: Primitive polynomial(maximum-length LFSR) t(x) has no proper non-trivial factors does not divide x d +1 for d<2 l -1 Linear complexity of a binary sequence k = {k j } is the length of the shortest LFSR that generates k. Berlekamp Massey Algorithm suggests that for a binary sequence k = {k j } having linear complexity L, there exists a unique LFSR of length L iff L n/2 7

Cryptology, Cryptography and Cryptanalysis 8

Cryptanalysis Mathematical analysis to defeat cryptographic methods. Kerckhoff s Principle: To obtain security while assuming that Oscar knows the cryptosystem (i.e. encryption and decryption algorithms). Types of Attack: Ciphertext only attack (knowledge of y ) Known plaintext attack (knowledge of x and y) Chosen plaintext attack (temporary access to cryptosystem x y) Chosen ciphertext attack (temporary access to decryption machinery y x) Objective: To determine the key so that target ciphertext can be decrypted. 9

Cryptanalysis of LFSR-based stream ciphers y i = (x i +k i )%2 (k 1,k 2,,k m ) initial tuple. Linear recurrence: Known-plaintext attack: x=x 1 x 2 x n y=y 1 y 2 y n k i =(x i + y i )%2 To reproduce the entire keystream, we require n 2m, assuming m, the length of the LFSR, is known. What remains to compute is the tap sequence c 0,c 1,c 2,,c m-1 10

Matrix Form 11

Siegenthaler shows that if the keystream is correlated to (at least) one of the LFSR sequences, the correlation attack against this individual LFSR significantly reduces a bruteforce attack. Divide and Conquer: Attempt first to determine initial states of subset of LFSRs, in order to reduce complexity of search for right key. 12

Algebraic and Statistical Foundation Assume that N digits of the output sequence z are given. Correlation probability p>0.5 to an LFSR sequence a. The LFSR in question has few feedback tabs, say t. (This is desired for the ease of hardware). Further assume that feedback connection is known(although not an essential restriction). LFSR sequence a is given by linear relation(for LFSR-length k) Feedback polynomial: 13

Algebraic and Statistical foundations Every polynomial multiple of c(x) defines a linear relation for a. In particular, c(x) j = c(x j ) for exponents j=2 i All having same number t number of feedback taps. Suppose a n is fixed. Linear relations obtained by shifting and iterated squaring: where a=a n and each b i, i=1,,m is a sum of exactly t different terms of the LFSR sequence a. We substitute the digits of z at same index positions: 14

Statistical Model Introducing a set of binary random variables A = {a, b 11, b 12,, b 1t, b 21, b 22,, b 2t,, b m1, b m2,, b mt } Similarly introducing a set of binary random variables Z = {z, y 11, y 12,, y 1t, y 21, y 22,, y 2t,, y m1, y m2,, y mt } 15

Statistical Model(contd.) Consider random variables L 1, L 2,, L m. The probability that the outcome of these random variable vanishes for a given set of exactly h indices is given by For simplicity, assume that L 1 =0, L 2 =0,, L h =0 and L h+1 =1, L h+2 =1,, L m =1. z corresponds to the fixed digit z n, and a to the fixed digit a n we wish to determine. 16

p* as a function of h 17

An Efficient Exponential-Time Attack To select k digits of z with the highest probability p* LFSR sequence a can be constructed out of its any k digits solving linear equations for the initial state. The probability Q(p,m,h) that a fixed digit z satisfies at least h of m relations: The probability R(p,m,h) that z=a and at least h of m relations hold: So, the prob. for z=a, given that at least h of m relations hold is the quotient: Q(p,m,h).N are expected to satisfy at least h relations and these digits have probability T(p,m,h) of being correct. T(p,m,h) increases with h. So maximize h with Q(p.m.h) k 18

Algorithm A Step1. Determine m. Step2. Find the maximum value of h such that Q(p.m.h) k. Step3. Search for digits of z satisfying at least h relations and use these digits as a reference guess I 0 of a at the corresponding index positions. Step4. Find the correct guess by testing modifications of I 0 with Hamming distance 0,1,2, by correlation of the corresponding LFSR sequence with the sequence z. Observation: digits in the middle part of z satisfy more relations that the digits near the boundaries. This leads to slight modification of step3 as Step3 : Compute new probability p* for the given digits of z and choose k digits having highest probability p*. Average number of erroneous digits is computed as (1-T(p,m,h)).k. Under favorable conditions(e.g., <<1), step4 is not necessary. 19

Computational Complexity of Algorithm A Computation time for Step 1-3 is negligible. Only estimate average number of trials in step4. Suppose exactly r among the digits found in step3 are incorrect. Max number of trials in step4 is A well-known estimate using binary entropy function Then with θ=r/k. Algorithm A has computational complexity O(2 ck ), where c=h(r/k), 0 c 1 20

A Polynomial-Time Attack We do not search for correct digits here. Instead, we assign new probability p* to each digit of z iteratively and under some favorable conditions, complement all digits to get maximum correction effect. The probability U(p,m,h) that at most h of m relations are satisfied: The probability V(p,m,h) that z=a and at most h of m relations are satisfied: The probability W(p,m,h) that z a and at most h of m relations are satisfied: U(p,m,h).N is the expected number of digits of z which satisfy at most h relations. Relative increase in correct digits after complementation: For given p and m, choose h=h max so as to maximize I(p,m,h). 21

Taking p* into account, we replace h max by a corresponding probability threshold on p* Expected number of digits with p* below p thr is: Generalized formula to compute s(p,t): 22

Algorithm B Step1: Determine m. Step2: Find the value of h=h max such that I(p,m,h) is maximized. Compute p thr and N thr. Step3. Initialize the iteration counter i=0. Step4. For every digit of z compute the new probability p* with respect to the individual number of relations satisfied. Determine the number N w of digits with p*<p thr. Step5. if N w <N thr or i<α increment i and go to step4. Step6. Complement those digits of z with p*<p thr and reset the probability of each digit to the original value of p. Step7. If there are digits not satisfying linear recurrence, go to step3. Step8. Terminate with a=z. 23

Computational Complexity and Limits of Attack: m=m(t,d), d=n/k. h max =h max (p,m) I max =I max (p,t,d) The expected number of digits corrected in one iteration N c =I max (p,t,d).n N c = F(p,t,d).k where F(p,t,d)=I max (p,t,d).d If F(p,t,d) 0, no correction effect. Attack will fail. For F(p,t,d) 0.5, successful attack. p with F(p,t,d)=0.5 24

An Example Consider the following situation p=0.75 t=4 d=100 N=10,000 k=100 F(p,t,d)=0.392 Parameters of Algorithm B: p thr =0.524 N thr =448 25

Complexity and Limits of Attack: Algorithm B grows linearly with LFSR length k i.e., is of order O(k). F(p,t,d)<0.5 has led to successful attack. Same is reported even for F(p,t,d)=0.1 Definite barrier with F(p,t,d) 0 p with F(p,t,d)=0 26

Suggestion: Any correlation to an LFSR with less than 10 taps should be avoided. 27

References: Christof Paar and Jan Pelzl, Understanding Cryptography, Springer, 2010 Douglas R. Stinson, Cryptography Theory and Practice, 3 rd ed., Chapman and Hall/CRC, Taylor & Francis group, 2006 Mark Stamp and Richard M. Low, Applied Cryptanalysis: Breaking Ciphers in the Real World, John Wiley and Sons, Inc., publication, Wiley-Interscience, 2007 Nigel Smart, Cryptography: An Introduction, 3 rd Ed., University of Bristol. Richard A. Mollin, An Introduction to Cryptography, 2 nd ed.,chapman and Hall/CRC, Taylor & Francis group, 2007. Willi Meier and Othmar Staffelbach, Fast Correlation Attacks on Certain Stream Ciphers, Journal of Cryptology(1989) 1:159-176. T. Siegenthaler, Decrypting a class of stream ciphers using ciphertext only, IEEE Trans. Comput.,34, 81-85, 1985. S. Palit, B. Roy and A. De, "A Fast Correlation Attack for LFSR-Based Stream Ciphers," ACNS 2003, Lecture Notes in Computer Science, vol. 2843, pp. 331-342, 2003 28

Acknowledgements: Dr. Sarbani Palit, Professor, Computer Vision and Pattern Recognition Unit, Indian Statistical Institute, Calcutta. 29

Thank You 30

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback