1 / 37

An improvement to a correlation attack on A5/1

An improvement to a correlation attack on A5/1. H. Nikoonia , F. Amin , A. H. Jahangir Computer Engineering Department, Sharif University of Technology. Outline. Introduction Attacks Time-memory trade off Guess-and-determine Correlation Attacks A brief description of A5/1

dylan-franks
Download Presentation

An improvement to a correlation attack on A5/1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An improvement to a correlation attack on A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology

  2. Outline • Introduction • Attacks • Time-memory trade off • Guess-and-determine • Correlation Attacks • A brief description of A5/1 • Correlation Attack on A5/1 • The New Method • Conclusions • References

  3. Introduction

  4. Introduction • Over a billion customers world-wide own a GSM cell-phone. • The privacy of conversation in GSM standard is protected by A5/1 or A5/2. • A5/2 proved to be insecure [4]. • The design of A5/1 and A5/2 was kept secret until 1999 that the exact design of A5/1 and A5/2 was reversed engineered by Briceno [7].

  5. Attacks Guess-and-determine Time-memory trade-off Correlation Attacks

  6. Attacks • The first attack on A5/1 was proposed by Golic [5]. • Biryukov, Shamir and Wagner proposed attacks that in some scenarios find the key in less than a second [6].

  7. Correlation Attacks • Ekdahl and Johansson proposed the first correlation attack on A5/1 [1]. • Requires 10,000 to 70,000 of known frames. • Success rate of 2 to 76%.

  8. Correlation Attacks • Maximov, Johansson and Babbage improved the previous attack [2]. • Requires 2,000 to 10,000 of known-frames. • Success rate of 5 to 99%

  9. Correlation Attacks • In [3], Barkan and Biham proposed “Conditional Estimators”. • They discovered some weaknesses of R2. • Requires 1,500 to 2,000 of known-frames. • Success rate of 91%. • They also present a new source of known-keystream.

  10. Advantages of Correlation Attacks • Require no long-term storage. • No preprocessing. • they are immune to transmission errors [3].

  11. A Brief Description of A5/1

  12. A Brief Description of A5/1 • 228 bit frames. • 64 bit key. 22 bit frame number. • LFSRs of size 19, 22, 23 bits.

  13. A Brief Description of A5/1 • Irregular clocking. • Each LFSR is clocked with probability of 3/4.

  14. Initialization Process • Step 1: • LFSRs are initiated with zero. • they are clocked regularly 64 times and key bits are XOR-ed to the feedback of each LFSR in parallel. • Then registers are clocked another 22 times, again regularly, and each bit of frame number is XOR-ed to the feedback of each register. • Let us call the value of LFSRs at this moment the “initial state”.

  15. Initialization Process • Step 2: • LFSRs are clocked 100 times with irregular clocking. • But this step does not produce any output.

  16. Initialization Process • Step 3: • LFSRs are clocked 228 times with irregular clocking. • The output of this step is used as keystream.

  17. Correlation attack on A5/1

  18. Correlation attack on A5/1 • the output of R1 after i-times of regular clocking • Ui1 : Key K, frame number j • Si1 : Key K, frame number 0 • Fi1 : Key 0, frame number j • Fi2, Si2, Ui2, Fi3, Si3 and Ui3 are defined in the similar way for R2 and R3. • (U01, U11... U181) describes the initial state of R1.

  19. Correlation attack on A5/1 • The “bad property” : key and frame number are combined linearly to form the initial state. • We can write:

  20. Correlation attack on A5/1 • Let us call the output Z1 to Z228. • It holds with P(cl1,cl2,cl3,i+100) probability.

  21. Correlation attack on A5/1 • What we want is the bellow formula for different value of cl1,cl2,cl3. • We will recover initial state of R1, R2 and R3 with them.

  22. Correlation attack on A5/1 • It is non zero for interval of size of 18 to 47.

  23. Correlation attack on A5/1

  24. Correlation attack on A5/1

  25. Correlation attack on A5/1 • A “received word” • A guess.

  26. Correlation attack on A5/1 • A configuration defines intervals for clis.

  27. Correlation attack on A5/1 • Decoding this word is done by exhaustive search. • For each interval 1000 results with closer hamming distance to received word is stored. • Results from different intervals are joined to make final candidates. • These candidates checked for validation. • Overlapped intervals are used to reduce the number of final candidates.

  28. Correlation attack on A5/1

  29. The New Method

  30. The New Method • The proposed attack by Ekdahl and Johansson in [1] with 65536 frames and 8/3 configuration has a success rate of 32%. • This means that 32% of final candidates describe the initial state completely. • But we observe that there are some conditions that 2 LFSRs have been guessed correctly but not the other one. • Doing exhaustive search over 219 to 223 states is practical.

  31. Observation

  32. Success Rate with Our Method

  33. The New Method • If we do exhaustive search on R2 for each final candidate, we are adding a search space of 222 states to the original attack. • Searching this search space for each candidate and validating the result takes about 12.5 seconds on our simulation machine. • But we don’t have to examine all candidates. • there are some candidates that have the same R1 and R3 but different R2 (51% to 81%).

  34. Additional Time

  35. Conclusion

  36. Conclusion • Our method increases the success rate of the attack by additional 16% in some cases. • It adds some hours to the original attack time. • This time could be reduced by reducing the number of final candidates.

  37. References

More Related