State space convergence in the A5/1 keystream generator

Ali Al Hamdan and Harry Bartlett, Information Security Institute / Faculty of Science and Technology, Queensland University of Technology.



  1. State space convergence in the A5/1 keystream generator
     Ali Al Hamdan and Harry Bartlett
     Information Security Institute / Faculty of Science and Technology, Queensland University of Technology

  2. Background: A5/1 keystream generator
     • provides keystream for packet encryption in GSM mobile phone systems
     • uses 3 linear feedback shift registers (LFSRs) with a majority clocking arrangement [the only non-linear element in this generator]
     • after loading key and IV, registers are clocked 100 times before being used to generate keystream
     • non-linear clocking arrangement leads to shrinkage of available internal state space

  3. Background (2) • Diagram of shift registers and clocking:

  4. Previous work
     • Golic (1997, 2000): 3/8 of possible states become unattainable after one clock step [drop from 2^64 to 5*2^61 “working” states]
     • Al Hamdan (2009): exhaustive evaluation of smaller analogue (2^15 initial states): within 10 steps, over 50% of states unreachable.

  5. Previous work (2)
     • Others have obtained similar results through random sampling of full generator:
     • Biryukov, Shamir and Wagner (2001): of 10^8 random states
       − ≈15% attainable after 100 clocks
       − up to 120 initial states lead to each
     • others (www.reflextor.com/trac/a51/wiki, 2010): from 10^6 and 10^8 random starting states
       − similar results to BSW above
       − 50% of final states from 18% of initial states; other 50% from remaining 82% of initial states

  6. Current work (1)
     • extension to second clock step: another 3/64 of states unattainable (‘blocked’)
     • comparison of patterns involved gives lower bound on proportion blocked: 3/8 + 3/64 + 3/512 + ... = 3/7
     • Blocked states at first and second steps [figure: 1st step, 2nd step; Golic]

  7. Current work (2)
     • extension to third step: further 9/512 blocked
     • additional pattern appears: gives a new lower bound estimate 3/8 + 3/64 + 9/512 + 27/4096 + ... = 9/20
     • Blocked states at third step:

  8. Current work (3)
     • further extension to fourth and fifth steps gives still more blocked patterns
     • after 5 steps, total proportion of blocked states is 3/8 + 3/64 + 9/512 + 57/4096 + 423/32768 ≈ 0.466
       − almost identical to Al Hamdan’s results.
     • arranging blocked states as branching tree, branch proportions suggest that extra proportion blocked at each step remains above 1% for next 10-20 steps

  9. Implications of state convergence
     • During the 100 clock steps before producing keystream, expect usable state space to drop to about 15−20% of possible states.
     • This reduces search requirements for brute force search.
     • Since convergence is not uniform, some key-IV combinations will be more likely than others to generate collisions in keystream output.
     • Use of majority clocking to provide non-linearity has introduced other security issues.
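
The first two convergence steps can be checked exhaustively on a scaled-down majority-clocked generator, in the spirit of the smaller analogue on slide 4. This is an added example, not code from the presentation; the register lengths, feedback taps and clocking positions are hypothetical, chosen so that the state space has 2^15 states and each register step is invertible.

```python
from fractions import Fraction
from itertools import product

# Hypothetical toy parameters (not from the slides):
# (register length, feedback tap mask, clocking tap position).
# Each mask includes the top bit, so a register step is a bijection,
# and each clocking tap has two positions above it inside the register.
REGS = [(4, 0b1100, 1), (5, 0b10100, 2), (6, 0b110000, 3)]

def lfsr_step(s, length, taps):
    """Shift one register up by one bit, inserting the feedback bit at bit 0."""
    fb = bin(s & taps).count("1") & 1
    return ((s << 1) | fb) & ((1 << length) - 1)

def clock(state):
    """One majority-clocked step: only registers agreeing with the majority move."""
    bits = [(s >> t) & 1 for s, (_, _, t) in zip(state, REGS)]
    maj = 1 if sum(bits) >= 2 else 0
    return tuple(
        lfsr_step(s, n, taps) if b == maj else s
        for s, b, (n, taps, _) in zip(state, bits, REGS)
    )

def reachable_counts(steps):
    """Sizes of the image of the whole state space after 0..steps clocks."""
    current = set(product(*(range(1 << n) for n, _, _ in REGS)))
    counts = [len(current)]
    for _ in range(steps):
        current = {clock(s) for s in current}  # states with an ancestor this deep
        counts.append(len(current))
    return counts

def blocked_fractions(steps):
    """Proportion of all states that becomes unattainable at each step."""
    counts = reachable_counts(steps)
    return [Fraction(counts[k - 1] - counts[k], counts[0])
            for k in range(1, steps + 1)]

if __name__ == "__main__":
    total = Fraction(0)
    for k, f in enumerate(blocked_fractions(5), start=1):
        total += f
        print(f"step {k}: newly blocked {f}, cumulative {float(total):.4f}")
```

Steps one and two reproduce the 3/8 and 3/64 proportions from slides 4 and 6. From the third step on, the toy registers are too short to carry the full-size bit patterns, so its figures need not match slides 7 and 8.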
