THE NEW HEURISTIC GUESS AND DETERMINE ATTACK ON SNOW 2.0 STREAM CIPHER

Similar documents
Cryptanalysis of RAKAPOSHI Stream Cipher

Li An-Ping. Beijing , P.R.China

Spring Ammar Abu-Hudrouss Islamic University Gaza

10. State Space Methods

Cryptanalysis of Reduced NORX initially discussed at ASK 2016

Algebraic Attacks on Summation Generators

Robust estimation based on the first- and third-moment restrictions of the power transformation model

Single-Pass-Based Heuristic Algorithms for Group Flexible Flow-shop Scheduling Problems

Modal identification of structures from roving input data by means of maximum likelihood estimation of the state space model

STATE-SPACE MODELLING. A mass balance across the tank gives:

Vehicle Arrival Models : Headway

Computer-Aided Analysis of Electronic Circuits Course Notes 3

Learning Objectives: Practice designing and simulating digital circuits including flip flops Experience state machine design procedure

Improved Approximate Solutions for Nonlinear Evolutions Equations in Mathematical Physics Using the Reduced Differential Transform Method

Technical Report Doc ID: TR March-2013 (Last revision: 23-February-2016) On formulating quadratic functions in optimization models.

Simulation-Solving Dynamic Models ABE 5646 Week 2, Spring 2010

d 1 = c 1 b 2 - b 1 c 2 d 2 = c 1 b 3 - b 1 c 3

Chapter 2. First Order Scalar Equations

More Digital Logic. t p output. Low-to-high and high-to-low transitions could have different t p. V in (t)

Christos Papadimitriou & Luca Trevisan November 22, 2016

Georey E. Hinton. University oftoronto. Technical Report CRG-TR February 22, Abstract

Notes on Kalman Filtering

Article from. Predictive Analytics and Futurism. July 2016 Issue 13

3.1.3 INTRODUCTION TO DYNAMIC OPTIMIZATION: DISCRETE TIME PROBLEMS. A. The Hamiltonian and First-Order Conditions in a Finite Time Horizon

Shiva Akhtarian MSc Student, Department of Computer Engineering and Information Technology, Payame Noor University, Iran

CHAPTER 10 VALIDATION OF TEST WITH ARTIFICAL NEURAL NETWORK

Particle Swarm Optimization

Section 3.5 Nonhomogeneous Equations; Method of Undetermined Coefficients

Pade and Laguerre Approximations Applied. to the Active Queue Management Model. of Internet Protocol

ERROR LOCATING CODES AND EXTENDED HAMMING CODE. Pankaj Kumar Das. 1. Introduction and preliminaries

Math 315: Linear Algebra Solutions to Assignment 6

An recursive analytical technique to estimate time dependent physical parameters in the presence of noise processes

Designing Information Devices and Systems I Spring 2019 Lecture Notes Note 17

Morning Time: 1 hour 30 minutes Additional materials (enclosed):

Applying Genetic Algorithms for Inventory Lot-Sizing Problem with Supplier Selection under Storage Capacity Constraints

The field of mathematics has made tremendous impact on the study of

WEEK-3 Recitation PHYS 131. of the projectile s velocity remains constant throughout the motion, since the acceleration a x

ADDITIONAL PROBLEMS (a) Find the Fourier transform of the half-cosine pulse shown in Fig. 2.40(a). Additional Problems 91

Chapter 7: Solving Trig Equations

Chapter 3 Boundary Value Problem

5.1 - Logarithms and Their Properties

Random Walk with Anti-Correlated Steps

2.160 System Identification, Estimation, and Learning. Lecture Notes No. 8. March 6, 2006

State-Space Models. Initialization, Estimation and Smoothing of the Kalman Filter

A DELAY-DEPENDENT STABILITY CRITERIA FOR T-S FUZZY SYSTEM WITH TIME-DELAYS

Longest Common Prefixes

Finding Near-Optimum Message Scheduling Settings for SHA-256 Variants Using Genetic Algorithms

Mechanical Fatigue and Load-Induced Aging of Loudspeaker Suspension. Wolfgang Klippel,

Some Basic Information about M-S-D Systems

Chapter 4. Truncation Errors

Application of a Stochastic-Fuzzy Approach to Modeling Optimal Discrete Time Dynamical Systems by Using Large Scale Data Processing

This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.

References are appeared in the last slide. Last update: (1393/08/19)

Lecture 3: Exponential Smoothing

The Rosenblatt s LMS algorithm for Perceptron (1958) is built around a linear neuron (a neuron with a linear

Sliding Mode Controller for Unstable Systems

KINEMATICS IN ONE DIMENSION

Physics 235 Chapter 2. Chapter 2 Newtonian Mechanics Single Particle

Presentation Overview

A Hop Constrained Min-Sum Arborescence with Outage Costs

Timed Circuits. Asynchronous Circuit Design. Timing Relationships. A Simple Example. Timed States. Timing Sequences. ({r 6 },t6 = 1.

CSE Computer Architecture I

20. Applications of the Genetic-Drift Model

Ensamble methods: Boosting

Probabilistic Models for Reliability Analysis of a System with Three Consecutive Stages of Deterioration

WATER LEVEL TRACKING WITH CONDENSATION ALGORITHM

Sliding Mode Extremum Seeking Control for Linear Quadratic Dynamic Game

EXPLICIT TIME INTEGRATORS FOR NONLINEAR DYNAMICS DERIVED FROM THE MIDPOINT RULE

6.01: Introduction to EECS I Lecture 8 March 29, 2011

Lecture Notes 2. The Hilbert Space Approach to Time Series

MATHEMATICAL DESCRIPTION OF THEORETICAL METHODS OF RESERVE ECONOMY OF CONSIGNMENT STORES

Analyze patterns and relationships. 3. Generate two numerical patterns using AC

Topic Astable Circuits. Recall that an astable circuit has two unstable states;

Solutionbank Edexcel AS and A Level Modular Mathematics

Lie Group Analysis of Second-Order Non-Linear Neutral Delay Differential Equations ABSTRACT

Sequential Importance Resampling (SIR) Particle Filter

FITTING EQUATIONS TO DATA

The Optimal Stopping Time for Selling an Asset When It Is Uncertain Whether the Price Process Is Increasing or Decreasing When the Horizon Is Infinite

PROC NLP Approach for Optimal Exponential Smoothing Srihari Jaganathan, Cognizant Technology Solutions, Newbury Park, CA.

PENALIZED LEAST SQUARES AND PENALIZED LIKELIHOOD

Speech and Language Processing

EECE251. Circuit Analysis I. Set 4: Capacitors, Inductors, and First-Order Linear Circuits

EE202 Circuit Theory II , Spring. Dr. Yılmaz KALKAN & Dr. Atilla DÖNÜK

Sub Module 2.6. Measurement of transient temperature

Guest Lectures for Dr. MacFarlane s EE3350 Part Deux

Echocardiography Project and Finite Fourier Series

Navneet Saini, Mayank Goyal, Vishal Bansal (2013); Term Project AML310; Indian Institute of Technology Delhi

A Specification Test for Linear Dynamic Stochastic General Equilibrium Models

An introduction to the theory of SDDP algorithm

Section 4.4 Logarithmic Properties

dt = C exp (3 ln t 4 ). t 4 W = C exp ( ln(4 t) 3) = C(4 t) 3.

A Forward-Backward Splitting Method with Component-wise Lazy Evaluation for Online Structured Convex Optimization

EE363 homework 1 solutions

EE 301 Lab 2 Convolution

Decentralized Stochastic Control with Partial History Sharing: A Common Information Approach

Section 4.4 Logarithmic Properties

Let us start with a two dimensional case. We consider a vector ( x,

An Invariance for (2+1)-Extension of Burgers Equation and Formulae to Obtain Solutions of KP Equation

Mean-square Stability Control for Networked Systems with Stochastic Time Delay

Methodology. -ratios are biased and that the appropriate critical values have to be increased by an amount. that depends on the sample size.

Transcription:

THE NEW HEURISTIC GUESS AND DETERMINE ATTACK ON SNOW 0 STREAM CIPHER Mohammad Sadegh Nemai Nia 1, Ali Payandeh 1, Faculy of Informaion, Telecommunicaion and Securiy Technologies, Malek-e- Ashar Universiy of Technology, Tehran, Iran (m_s_nemai; payandeh)@muacir ABSTRACT SNOW 0 is a word oriened sream cipher ha has been seleced as a sandard sream cipher on ISO/IEC 18033-4 One of he general aacks on he sream ciphers is Guess and Deermine aack Heurisic GD aack is GD aack ha represens an algorihmic mehod o analysis he sream cipher wih he variables of he same size The resuls of HGD aack on TIPSY, SNOW 10 and SNOW 0 sream ciphers led o less compleiy raher han previously known GD aacks In his paper, he auhors use of wo auiliary polynomials o improve HGD aack on SNOW 0 This aack reduces he compleiy and he size of he guessed basis from O ( 6 ) o O ( 19 ) and 8 o 6, respecively, compared wih previous ad-hoc and heurisic GD aacks KEYWORDS Crypanalysis, Sream cipher, Guess and Deermine aack, SNOW 0 1 INTRODUCTION Crypology is he science ha provides securiy for he sorage and communicaion daa The crypography is a branch of crypology ha sudies design of crypographic algorihms and proocols [1] The sream ciphers are he classes of symmeric crypographic algorihms ha ofen use in he wireless and elecommunicaion securiy applicaions [] A family sream cipher use in he GSM mobile elephone and RC4 uses in he wireless LAN [3] Unlike block ciphers ha have a sandard block cipher, i is AES, here is no one sream cipher as a sandard sream cipher Alhough, some compeiions are hold around he sream cipher such as NESSIE projec in 000 and estream projec in 004, bu no one sream cipher was sandard One of he reasons, here is no mehod o design of he sream cipher algorihms [4] However, in he final porfolio of estream, afer hree sages in wo profiles suiable for Sofware and Hardware applicaions, seven sream ciphers were proposed [] SNOW family are sream ciphers consis of four algorihms ha evolved a si year Firs, he SNOW 10 [6] was submied o NESSIE projec [7] by Ekdahel and Ericsson in 000 Hawkes and Rose launched GD aack [8] on SNOW 10 ha eploied he second power of LFSR polynomial of he algorihm This aack show a weakness in apping of LFSR equaions Anoher weakness of he cipher, he FSM akes one inpu from he Linear Feedback Shif Regiser ha is led o linear crypanalysis of SNOW 10 [9] These weaknesses improved in new version of he algorihm ha reinroduced o NESSIE projec A he end of he projec, he new algorihm, was called SNOW 0, was suggesed by evaluaors [10] Many general aacks are applied on sream ciphers for he securiy evaluaion of hem The guess and deermine aack is one of hese general aacks In his aack, he aacker,

firs guesses some regisers of he cipher and hen deermine remaining regisers Ne, he running he keysream If he resuled keysream is equal wih he observed keysream, he guessed values is rue and he cipher is broken Oherwise he aacker guessed anoher values for regisers and repea he above sages The elemens of he cipher ha is guessed by aacker is named as guessed basis [11] Ahmadi and Eghlidos inroduced a sysemaic algorihm for GD aack as Heurisic Guess and Deermine (HGD) aack This mehod improved he compleiy of GD aacks on SNOW family [11] In his paper, auhors improve he compleiy of HGD aack on SNOW 0 by he auiliary equaions from O( 6 ) o O( 19 ) For his sake, he paper organized as follows In secion, he srucure of SNOW 0 is described In secion 3, he new HGD aack launched on SNOW 0 and discussed on he resul of he aack The las secion is allocaed o he conclusion of he paper A SHORT DESCRIPTION OF SNOW 0 SNOW 0 is a word oriened sream cipher, wih 18-regisers inernal sae The oupu words are holding 3 bis The srucure of he cipher like SNOW family, consiss wo pars: Linear feedback shif regiser (LFSR) and Finie sae machine (FSM) The srucure of he cipher is depiced in Figure 1 Figure 1 The srucure of SNOW 0 [10] The lengh of LFSR is sages The feedback polynomial of LFSR is as follows p( ) F 3 [ ] (1) 4 3 3 4 48 39 Where α is a roo of F [ ], and β is a roo of 8 8 S 7 3 F[ ] The recursive equaion of LFSR is given by S1 S S () The FSM consiss of wo 3-bi regisers, called R1 and R and is feed by wo words inpu, aken from LFSR The oupu of FSM is 3-bi word F The recursive equaions of FSM which updae he regisers R1 and R and generae he oupu F are given by

R1 R S 4 (3) R S _ Bo( R1 1) (4) F ( R1 S 1) R () By subsiuing (4) in R of (3) he following equaion is yielded: R 1 S 4 S _ Bo( R1 ) (6) The cipher has wo modes of operaion: key iniializaion mode and normal mode In he key iniializaion mode, he cipher is iniialized by wo parameers as inpu values; a 18- bi or 6-bi word as a secre key and 18-bi word as iniializaion vecor (IV) Afer he iniializaion he inpu values, he cipher is clocked 3 imes In his mode, he oupu of FSM is incorporaed o feedback loop (see figure 3), and in he normal mode i XORed wih he righmos regiser of LFSR o produce keysream, see figure The equaion of oupus of algorihm as follows: Z S F (7) By subsiuing () in F and (4) in R he following equaion is concluded: Z S S R1 ) S _ Bo( R1 ) (8) ( 3 HGD ATTACK ON SNOW 0 Heurisic guess and deermine aack is a sysemaic GD aack ha inroduces an algorihm for GD aack on he sream ciphers The main idea of he procedure is eploiaion of inde ables The inde ables are made corresponding o he equaions induced by he updae and oupu funcion of he sream cipher, according o [11] The searching operaion o selecs he bes inde as a guessed candidae is performed according o he prioriy crieria [11] Ahmadi and Eghlidos launched HGD aack on SNOW 0 sream cipher wih compleiy of O( 6 ) wih he size of guessed basis of 8 This aack eploi equaions (), (6), (8) and he square of recursive equaion of LFSR equaion The inde ables corresponding o hese equaions are shown on Table 1, respecively 31 Improved HGD aack The auhors define wo ypes of equaions as following: - Main equaion: The equaion is eraced from he cipher, direcly - Auiliary equaion: The equaion is he muliple of recursive equaion of LFSR (as a main equaion) - Table 1 Main Inde ables corresponding o equaions (), (6) and (8) M1 M M3 0 11 4 48 0 0 1 49 0 1 3 1 17 49 1 1 0 1 17 19 8 34 6 67 17 3 66 67 18 0 9 3 3 66 68 18 33 67 68

The algorihm eploi auiliary inde able corresponding o auiliary equaion o improve HGD aack Bu he number of facor is infiniive and he compleiy of selecing he bes facor for recursive equaion of LFSR is high Therefore, we presen a general form for facors ha i gives a finie number of he facors The auiliary equaion is convenien when is weigh and maimum degree of he equaion should be low Therefore, he weigh of he facor polynomial is chosen lowes weigh, equals o On he oher hand o increase he efficiency of auiliary inde able, he indices of main inde able should be repeaed on i Then one of he erms of binomial is consan Then he form of he facor is a n +b In he field of GF() or eension of i, "a" and "b" is 1 The our eperiences show when he amoun of n is chosen from se of differen degrees of main polynomial, hen he algorihm of HGD aack gives lowes guessed basis raher han n is chosen oherwise The auhors eploi from his mehod o improve he HGD aack on SNOW 0 sream cipher The aack eplain in he ne 3 Improved HGD aack on SNOW 0 To launch HGD aack on SNOW 0 is used inde ables M1, M and M3 corresponding o main equaions (), () and (8) The auhors use of auiliary inde ables corresponding o auiliary equaions o improve HGD aack To make he auiliary equaions is used from facors +1 and +1 as following: q ( ) ( )( 18 ( ) 3 q ( ) ( )( 1 19 ) F 7 ) F 10 3 3 ( [ ) [ ) ) Where he recursive equaions corresponding o polynomials as following: (9) (10) S S 8 S6 S3 S1 S 4 ) S 1 ) S6 S1 S 7 S S ( S (11) ( S (1) and he auiliary inde ables corresponding auiliary equaions (11), (1) are demonsraed in Table The sages of Improved HGD aack on SNOW 0 sream cipher shows in Table 3 Table Auiliary Inde ables corresponding o equaions (11) and (1) M4 M 0 4 11 13 18 0 7 11 1 1 3 1 17 19 1 3 6 8 1 17 18 0 9 31 34 36 18 0 3 9 34 39 19 1 3 30 3 3 37 19 1 4 6 30 3 40

Sep Known indices Table 3 Consecuive sages of improved HGD aack on SNOW 0 Used equaion(s) (inde ables) Deermined indices Sep Known indices Used equaion(s) (inde ables) Deermined indices 1 guessed basis - 18,6,,,6 3,0 7 13,7 M 9 18,6 M 64 8,0, M3 4 3, 6 M 60 9,9,60 M3 10 4,60 M 8 30 10,1,1 M1 6,63,64 M3 9 31 4,3,4 M3 19 6 18,0,9 M1 34 3,,19 M1 3 7 30,63 M 66 33 19,1,30 M1 3 8,18,9,34 M1,M4 7,3 34 19,63 M 6 9,,7,3 M1,M4,30 3 1,6 M 67 10 13,0,,,7 M1,M4 9,11 36 3,67 M 69 11 9,11,18,0,3 M1,M4 7,3 37 3,18,3 M3 1 18,0,3,,9,34 M 39 38,4 M 8 13 7,9,18,3 M1,M4,1 39 8,10,19 M1 4,18,1,3,7,3 M 37 40 13,4,9 M1 1 1,7,11,,1 M1,M 0, 41 4,1,0 M1 6 0,,11,,18 M1,M4 4,13 4 6,8, M1 17 17 11,13,17 M1 43 3,1,17 M1 1 18,66 M 68 44 1,17,6 M 31 19 13,6,63 M3 8 4 17,19,8 M1 33 0,3,8 M1 1 46 0,1,49 M3 0 1 1,8 M 6 47 4,0 M 48 7,,6 M3 7 48 1,9 M 61 3 11,7 M 49 18,0,,9,31,34 M4 36 4 9, M 3 0 17,19,,4,8,33 M 38 7,3 M 1 1 19,1,4,6,30,3 M 40 6,1 M 49 - - - The rows of 1 and 1 are shown he effec of auiliary inde ables in Table 3 While each of auiliary inde ables isn used in HGD aack, hen he algorihm of HGD aack should guess number of indices {,0,37,1,,39} Then he size of guessed basis and he compuaional compleiy of he aack increases 33 The compleiy During aack, he algorihm found si linear sysem of wo equaions and wo unknowns Though, he sysems are linear and hen he compleiy of aack is resuled of he compleiy of guessed basis The guessed basis is {18, 6,,, 63, 0} and hen he aack reduces he compleiy of he pervious HGD aack from O( 6 ) o O( 19 ) Table 4, show he comparison of he GD aacks are applied on SNOW 0 Table 4 compare Guess and Deermine aack on SNOW 0 Sream cipher Type of aack Add hoc GD aack HGD aack Improved HGD aack Guessed Basis - 8 6 6 Compleiy - O( ) O( 19 )

4 CONCLUSIONS In his paper, he auhors presened new mehod for improve HGD aack by using addiional equaions are named auiliary equaions on SNOW 0 sream cipher The auiliary equaions can improve he deermine sage of HGD aack on sream cipher The aack on SNOW 0 used wo inde ables corresponding wo muliples of LFSR connecion polynomial The resul shows decreasing he compleiy and he size of guessed basis from O( 6 ) o O( 19 ) and 8 o 6, respecively, and implies using of auiliary equaions idea leads o significan reducion in compleiy of GD aack REFERENCES [1] J LANO, hesis: CRYPTANALYSIS AND DESIGN OF SYNCHRONOUS STREAM CIPHERS, B Preneel, Ed, KATHOLIEKE UNIVERSITEIT LEUVEN, 006 [] A Menezes, P v Oorscho and S Vansone, Handbook of Applied Crypography, CRC Press, 1997 ISBN 0-8493-83-7 [3] A Klein, Sream Ciphers, Ghen, Belgium: Springer-Verlag London, 013 [4] A w Den and C J Michell, User s Guide o Crypography and Sandards, Norwood, US: Arech House, 00 [] S Babbage, J Borghoff and V Velichkov, The estream Porfolio in 01, Babbage, Seve ; Borghoff, Julia; Velichkov,Vesselin, Carlos Cid and Ma Robshaw ed, 01 [6] P EKDAHL and T JOHANSSON, SNOW a new sream cipher, Firs NESSIE Workshop, Heverlee, Belgium, 000 [7] P B, New European Schemes for Signaure, Inegriy and Encrypion (NESSIE): A Saus Repor, in h Inernaional Workshop PKC 00, 00 [8] P Hawkes and G Rose, Guess and deermine aaks on SNOW, in In Seleced Area of Crypography-SAC00, 00 [9] D Coppersmih, S Halevi and C Jula, Crypanalysis of sream ciphers wih linear masking, in Advances in Crypology CRYPTO 00, 00 [10] P EKDAHL and T JOHANSSON, A New Version of he Sream Cipher SNOW, in SAC 00, Berlin Heidelberg 003, Springer_Verlag, LNCS 9, PP 47-61, 00 [11] H Ahmadi and T Eghlidos, Heurisic guess-and-deermine aacks on sream ciphers, in Informaion Securiy IET, Vol3, No, PP66-73, 0h January 009

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback