Lecture 10-11: General attacks on LFSR based stream ciphers

Similar documents
4.3 General attacks on LFSR based stream ciphers

Stream Ciphers: Cryptanalytic Techniques

Analysis of Modern Stream Ciphers

Cryptanalysis of Achterbahn

Fast correlation attacks on certain stream ciphers

Block vs. Stream cipher

On Stream Ciphers with Small State

Optimizing the placement of tap positions. joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei

Lecture 12: Block ciphers

CRC Press has granted the following specific permissions for the electronic version of this book:

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

On The Nonlinearity of Maximum-length NFSR Feedbacks

Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek

Combinatorics of p-ary Bent Functions

Berlekamp-Massey decoding of RS code

3.8 MEASURE OF RUNDOMNESS:

2 n -Periodic Binary Sequences with Fixed k-error Linear Complexity for k = 2 or 3

A new simple technique to attack filter generators and related ciphers

Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Sequences, DFT and Resistance against Fast Algebraic Attacks

Algebraic attack on stream ciphers Master s Thesis

Improved Linear Cryptanalysis of SOSEMANUK

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

The LILI-128 Keystream Generator

Characterization of 2 n -Periodic Binary Sequences with Fixed 2-error or 3-error Linear Complexity

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Cryptanalysis of the Bluetooth Stream Cipher

Cryptanalysis of the Stream Cipher ABC v2

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Numerical Solvers in Cryptanalysis

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers

Fast Correlation Attacks: an Algorithmic Point of View

Computing the biases of parity-check relations

Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences

L9: Galois Fields. Reading material

Key Recovery with Probabilistic Neutral Bits

Pseudo-Random Number Generators

STREAM CIPHER. Chapter - 3

Improvements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College

Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms

Correcting Codes in Cryptography

Fast Correlation Attacks: An Algorithmic Point of View

On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator

Pseudorandom Sequences I: Linear Complexity and Related Measures

A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS

Algebraic Immunity of S-boxes and Augmented Functions

Functions on Finite Fields, Boolean Functions, and S-Boxes

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

LILI Keystream Generator

4F5: Advanced Communications and Coding

Breaking the F-FCSR-H Stream Cipher in Real Time

Correlation Analysis of the Shrinking Generator

Modified Berlekamp-Massey algorithm for approximating the k-error linear complexity of binary sequences

Modified Alternating Step Generators

A Fast Correlation Attack on the Shrinking Generator

Open problems related to algebraic attacks on stream ciphers

Security Evaluation of Stream Cipher Enocoro-128v2

An Improved Estimate of the Correlation of Distinguisher for Dragon

Algebraic Attacks and Stream Ciphers

The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers

Generalized Correlation Analysis of Vectorial Boolean Functions

arxiv: v2 [cs.cr] 20 Mar 2015

Cryptanalysis of the Stream Cipher DECIM

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

An algorithm for computing minimal bidirectional linear recurrence relations

Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations

Algebraic Aspects of Symmetric-key Cryptography

Distinguishing Stream Ciphers with Convolutional Filters

Cryptanalysis of Grain

A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs

Public-key Cryptography: Theory and Practice

Cryptanalysis of Lightweight Cryptographic Algorithms

Linear Feedback Shift Registers

arxiv: v1 [cs.it] 27 Sep 2016

Nonlinear Equivalence of Stream Ciphers

New Implementations of the WG Stream Cipher

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

Binary Additive Counter Stream Ciphers

Fast Low Order Approximation of Cryptographic Functions

Topic 3. Design of Sequences with Low Correlation

Searching Cubes for Testing Boolean Functions and Its Application to Trivium

A survey of algebraic attacks against stream ciphers

Deterministic Cube Attacks:

Analysis of Message Injection in Stream Cipher-based Hash Functions

Design of Pseudo-Random Spreading Sequences for CDMA Systems

A Byte-Based Guess and Determine Attack on SOSEMANUK

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Thesis Research Notes

Cryptography Lecture 3. Pseudorandom generators LFSRs

On Welch-Gong Transformation Sequence Generators

Nonlinear feedback shift registers and generating of binary de Bruijn sequences

Algebraic Attack Against Trivium

Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Correlated Keystreams in Moustique

Time-Memory-Data Trade-Off Attack on Stream Ciphers Based on Maiorana-McFarland Functions

IEOR 265 Lecture 14 (Robust) Linear Tube MPC

Transcription:

Lecture 10-11: General attacks on LFSR based stream ciphers Thomas Johansson T. Johansson (Lund University) 1 / 23

Introduction z = z 1, z 2,..., z N is a known keystream sequence find a distinguishing attack, or find a key recovery attack with complexity lower than exhaustive key search. T. Johansson (Lund University) 2 / 23

Linear complexity and Berlekamp-Massey algorithm the keystream sequence z = z 1, z 2,... will be periodic (after possibly removing some of the first symbols). Any such sequence can be generated by an LFSR. One possible approach would then be to replace the entire generator with an (in general very long) LFSR. T. Johansson (Lund University) 3 / 23

I Definition The linear complexity of a sequence s (finite or semi-infinite), denoted L(s), is the length of the shortest LFSR that can produce the sequence. To find the shortest LFSR producing a certain sequence we use the Berlekamp-Massey algorithm. T. Johansson (Lund University) 4 / 23

Berlekamp-Massey algorithm IN: A sequence s = (s 0, s 1,..., s N 1 ) of length N. OUT: The shortest LFSR < C(D), L > generating s. 1. Initilization C(D) = 1, L = 0, C (D) = 1, d = 1, m = 1, n = 0. 2. While (n < N) do the following: 2.1 Compute the discrepancy L d = s n c i s n i. 2.2 If d 0 do the following: T (D) = C(D), C(D) = C(D) d (d ) 1 C (D)D n m. If L n/2 then L = n + 1 L, C (D) = T (D), d = d, m = n. 2.3 n = n + 1. 3. Return < C(D), L > i=1 T. Johansson (Lund University) 5 / 23

Massey's algorithm C(z) 1 L 0 C0(z) 1 d0 1 e 1 N 0 N N +1 d s N, LX (,c i)s N,i i=1 e e +1 Ja d =0? Nej C(z) C(z), dd,1 0 z,e C0(z) Ja N < 2L? Nej C1(z) C(z) C(z) C(z), dd,1 0 z,e C0(z) L N +1, L C0(z) C1(z) d0 d c 1 T. Johansson (Lund University) 6 / 23

Properties of Berlekamp-Massey algorithm The running time of the Berlekamp-Massey algorithm for determining the linear complexity of a length n sequence is O(n 2 ) operations. Delivers one connection polynomial and the length L of the LFSR. If (and only if) L N/2 there is a unique connection polynomial. The proof is left out... T. Johansson (Lund University) 7 / 23

Properties of Berlekamp-Massey algorithm We want to find the shortest LFSR generating s, a periodic sequence with period T. Berlekamp-Massey algorithm can provide the solution if the input is the length 2T sequence (s 0, s 1,..., s T 1, s 0, s 1,..., s T 1 ). You only need to process the first T + k symbols of the sequence, where k is the first positive integer such that (s 0, s 1,..., s T 1, s 0, s 1,..., s k 1 ) has linear complexity k. T. Johansson (Lund University) 8 / 23

Linear complexity Let s 1 = s 1 0, s1 1, s1 2,... and s2 = s 2 0, s2 1, s2 2,... f(x 1, x 2 ) be a function in two variables, x 1, x 2 F q. By s = f(s 1, s 2 ) we mean the sequence s = f(s 1 0, s2 0 ), f(s1 1, s2 1 ), f(s1 2, s2 2 ),.... T. Johansson (Lund University) 9 / 23

Linear complexity Theorem Let s 1 and s 2 be two sequences with linear complexity L(s 1 ) and L(s 2 ) respectively. Then If f(x 1, x 2 ) = x 1 + x 2 then L(f(s 1, s 2 )) L(s 1 ) + L(s 2 ). If f(x 1, x 2 ) = x 1 x 2 then L(f(s 1, s 2 )) L(s 1 )L(s 2 ). T. Johansson (Lund University) 10 / 23

Example z = f(s 1, s 2, s 3, s 4 ), where s i, i = 1,..., 4 are LFSR sequences with period 2 L i 1 (m-sequences). Let f(x 1, x 2, x 3, x 4 ) = x 1 + x 2 x 3 + x 3 x 4 + x 2 x 4. Find a bound on the linear complexity of the keystream sequence L(z). Solution: Using Theorem 2 we get L(z) = L(f(s 1, s 2, s 3, s 4 )) L(s 1 )+L(s 2 )L(s 3 )+L(s 3 )L(s 4 )+L(s 2 )L(s 4 ) T. Johansson (Lund University) 11 / 23

Correlation attacks - idea A common method to build a keystream generator is to combine several linear feedback shift registers to get a keystream with desired statistical properties. Correlation attack: If one can detect a correlation between z and the output of one individual LFSR, this can be used in a divide-and-conquer attack on the individual LFSR. T. Johansson (Lund University) 12 / 23

Project 3 T. Johansson (Lund University) 13 / 23

Project 3 The values of L i and C i (D) for the different LFSRs are, L 1 = 13, C 1 (D) = 1 + D 1 + D 2 + D 4 + D 6 + D 7 + D 10 + D 11 + D 13, L 2 = 15, C 2 (D) = 1 + D 2 + D 4 + D 6 + D 7 + D 10 + D 11 + D 13 + D 15, L 3 = 17, C 3 (D) = 1 + D 2 + D 4 + D 5 + D 8 + D 10 + D 13 + D 16 + D 17. The secret key K is the initial state of the three LFSRs. K = (K 1, K 2, K 3 ), where K i is the initial state of the ith LFSR. T. Johansson (Lund University) 14 / 23

Project 3 Exercise 1: Each group is given a keystream z 1, z 2,..., z N of some length N. Find the key K that was used to produce this keystream. Exercise 2: Assume that the attack takes T seconds. How long would it take to attack by an exhaustive search over the entire keyspace? T. Johansson (Lund University) 15 / 23

Project 3 - the correlation attack a correlation between the output of one of the shift registers and the keystream, i.e., P u i = z i 0.5, T. Johansson (Lund University) 16 / 23

Project 3 - the correlation attack Let u (j) i be the output of the jth LFSR and assume that P u (j) i = z i = p, where p 0.5. What is the exact value of p? Guess that the initial state of the jth LFSR is û 0 = (û (j) 1, û(j) 2,..., û(j) L j ). We can calculate an LFSR output sequence û = (û 1, û 2,..., û N ), where û i =û (j) i, 0 < i L j, L j û i = c l û i l, L j < i N. l=1 T. Johansson (Lund University) 17 / 23

Project 3 - the correlation attack The Hamming distance between x and y, d H (x, y), is defined to be the number of coordinates in which x and y differ. Estimate the correlation p with p, where p = 1 d H(û, z) N. If the guessed initial state, û 0, is correct, we get p p, otherwise p 0.5. T. Johansson (Lund University) 18 / 23

Algorithm 1. For each possible initial state, calculate p ; 2. Output the initial state for which p is maximal. T. Johansson (Lund University) 19 / 23

Linear distinguishing attacks Introduce linear approximations of all nonlinear operations in a specific path of the cipher. The path should connect some know values, i.e., key stream symbols. If the linear approximation is true, this leads to a linear relationship among the known key stream symbols. If it is not true, we can think of the error introduced by the linear approximation as truly random noise. A linear combination of key stream symbols above can be viewed as a sample from a very noisy (but not uniform) distribution. By collecting many such samples, we can eventually distinguish the distribution they are drawn from, from the uniform distribution. T. Johansson (Lund University) 20 / 23

Example A long LFSR with connection polynomial C(D) = 1 + D 34 + D 69 is generating a sequence s = (s 0, s 1, s 2,...) in F 2. The output of the generator is generated as z i = f(s i, s i+1, s i+2, s i+3 ), i = 0, 1,..., where f is the Boolean function f(x 1, x 2, x 3, x 4 ) = x 1 + x 2 + x 3 + x 1 x 2 x 3 x 4. filter generator Describe a linear distinguishing attack on the generator. T. Johansson (Lund University) 21 / 23

Example The LFSR sequence obeys the recursion s i + s i+35 + s i+69 = 0, i = 0, 1,.... Replace f with the linear function g(x 1, x 2, x 3, x 4 ) = x 1 + x 2 + x 3. After replacement, we have z i = g(s i, s i+1, s i+2, s i+3 ) = s i + s i+1 + s i+2, i = 0, 1,.... Now we try to find a set of dependent linear equations. As s i + s i+35 + s i+69 = 0 we also have s i +s i+1 +s i+2 +s i+35 +s i+36 +s i+37 +s i+69 +s i+70 +s i+71 = 0, i = 0, 1,... T. Johansson (Lund University) 22 / 23

Example cont But z i = s i + s i+1 + s i+2, so we must have z i + z i+35 + z i+69 = 0 (assuming that g always gives the result of f). So in our attack we create a sequence of sample values Q i = z i + z i+35 + z i+69, i = 0, 1,.... Calculating P (Q i ) gives P (Q i = 0) = 0.835. The number of zeros in Q has a binomial distribution with probability 0.835, whereas a random Q probability 0.5. Apply hypothesis testing! T. Johansson (Lund University) 23 / 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback