An improvement to a correlation attack on A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology
Outline • Introduction • Attacks • Time-memory trade off • Guess-and-determine • Correlation Attacks • A brief description of A5/1 • Correlation Attack on A5/1 • The New Method • Conclusions • References
Introduction • Over a billion customers world-wide own a GSM cell-phone. • The privacy of conversations in the GSM standard is protected by A5/1 or A5/2. • A5/2 proved to be insecure [4]. • The design of A5/1 and A5/2 was kept secret until 1999, when the exact design of A5/1 and A5/2 was reverse engineered by Briceno [7].
Attacks • Guess-and-determine • Time-memory trade-off • Correlation Attacks
Attacks • The first attack on A5/1 was proposed by Golic [5]. • Biryukov, Shamir and Wagner proposed attacks that in some scenarios find the key in less than a second [6].
Correlation Attacks • Ekdahl and Johansson proposed the first correlation attack on A5/1 [1]. • Requires 10,000 to 70,000 known frames. • Success rate of 2 to 76%.
Correlation Attacks • Maximov, Johansson and Babbage improved the previous attack [2]. • Requires 2,000 to 10,000 known frames. • Success rate of 5 to 99%.
Correlation Attacks • In [3], Barkan and Biham proposed “Conditional Estimators”. • They discovered some weaknesses of R2. • Requires 1,500 to 2,000 known frames. • Success rate of 91%. • They also present a new source of known keystream.
Advantages of Correlation Attacks • Require no long-term storage. • No preprocessing. • They are immune to transmission errors [3].
A Brief Description of A5/1 • 228-bit frames. • 64-bit key. 22-bit frame number. • LFSRs of size 19, 22, 23 bits.
A Brief Description of A5/1 • Irregular clocking. • Each LFSR is clocked with probability of 3/4.
Initialization Process • Step 1: • LFSRs are initialized to zero. • They are clocked regularly 64 times, and the key bits are XOR-ed into the feedback of each LFSR in parallel. • Then the registers are clocked another 22 times, again regularly, and each bit of the frame number is XOR-ed into the feedback of each register. • Let us call the value of the LFSRs at this moment the “initial state”.
Initialization Process • Step 2: • LFSRs are clocked 100 times with irregular clocking. • But this step does not produce any output.
Initialization Process • Step 3: • LFSRs are clocked 228 times with irregular clocking. • The output of this step is used as keystream.
Correlation attack on A5/1 • The output of R1 after i regular clockings: • $U_i^1$: key K, frame number j • $S_i^1$: key K, frame number 0 • $F_i^1$: key 0, frame number j • $F_i^2$, $S_i^2$, $U_i^2$, $F_i^3$, $S_i^3$ and $U_i^3$ are defined in the same way for R2 and R3. • $(U_0^1, U_1^1, \ldots, U_{18}^1)$ describes the initial state of R1.
Correlation attack on A5/1 • The “bad property” : key and frame number are combined linearly to form the initial state. • We can write:
Correlation attack on A5/1 • Let us call the output $Z_1$ to $Z_{228}$. • It holds with probability $P(cl_1, cl_2, cl_3, i+100)$.
Correlation attack on A5/1 • What we want is the formula below for different values of $cl_1, cl_2, cl_3$. • With them we will recover the initial state of R1, R2 and R3.
Correlation attack on A5/1 • It is non-zero for an interval of size 18 to 47.
Correlation attack on A5/1 • A “received word” • A guess.
Correlation attack on A5/1 • A configuration defines intervals for the $cl_i$ values.
Correlation attack on A5/1 • Decoding this word is done by exhaustive search. • For each interval, the 1000 results closest in Hamming distance to the received word are stored. • Results from different intervals are joined to make final candidates. • These candidates are then checked for validity. • Overlapping intervals are used to reduce the number of final candidates.
The New Method • The attack proposed by Ekdahl and Johansson in [1], with 65536 frames and the 8/3 configuration, has a success rate of 32%. • This means that 32% of final candidates describe the initial state completely. • But we observe that there are cases in which 2 LFSRs have been guessed correctly but not the other one. • Doing exhaustive search over $2^{19}$ to $2^{23}$ states is practical.
The New Method • If we do exhaustive search on R2 for each final candidate, we are adding a search space of $2^{22}$ states to the original attack. • Searching this search space for each candidate and validating the result takes about 12.5 seconds on our simulation machine. • But we don’t have to examine all candidates. • There are some candidates that have the same R1 and R3 but different R2 (51% to 81%).
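The following Python sketch is an added example, not the authors' code. It models the three initialization steps, checks the linear "bad property" at the level of the initial state, and runs the R2 search once per distinct (R1, R3) pair. The tap masks, clocking bits and LSB-first bit order come from the public A5/1 reference description rather than from the slides; the function names, the `unknown_bits` parameter (22 gives the full search described above, smaller values scale it down) and the choice to treat candidates as frame-0 states checked against one frame's keystream are assumptions.

```python
# Register parameters from the public A5/1 reference description (not on the page).
MASK = (0x7FFFF, 0x3FFFFF, 0x7FFFFF)        # R1, R2, R3: 19, 22, 23 bits
TAPS = (0x072000, 0x300000, 0x700080)       # feedback tap masks
CLK_BIT, OUT_BIT = (8, 10, 10), (18, 21, 22)

def clock(r, i, inbit=0):
    """Clock register i once, XOR-ing inbit into its feedback."""
    fb = bin(r & TAPS[i]).count("1") & 1
    return ((r << 1) & MASK[i]) | (fb ^ inbit)

def initial_state(key, frame):
    """Step 1: regular clocking, 64 key bits then 22 frame bits (LSB first, assumed)."""
    regs = [0, 0, 0]
    for value, nbits in ((key, 64), (frame, 22)):
        for b in range(nbits):
            regs = [clock(r, i, (value >> b) & 1) for i, r in enumerate(regs)]
    return regs

def keystream(regs, n=228):
    """Steps 2 and 3: 100 majority-clocked steps without output, then n output bits."""
    regs, out = list(regs), []
    for t in range(100 + n):
        c = [(r >> CLK_BIT[i]) & 1 for i, r in enumerate(regs)]
        maj = int(sum(c) >= 2)
        regs = [clock(r, i) if c[i] == maj else r for i, r in enumerate(regs)]
        if t >= 100:
            out.append(sum((r >> OUT_BIT[i]) & 1 for i, r in enumerate(regs)) & 1)
    return out

def xor_state(a, b):
    return [x ^ y for x, y in zip(a, b)]

def is_linear(key, frame):
    """The 'bad property': state(K, j) == state(K, 0) XOR state(0, j)."""
    s, f = initial_state(key, 0), initial_state(0, frame)
    return initial_state(key, frame) == xor_state(s, f)

def repair_r2(candidates, frame, known_ks, unknown_bits=22):
    """Search R2 once per distinct (R1, R3) pair; candidates are frame-0 states."""
    f, tried = initial_state(0, frame), set()
    for r1, r2, r3 in candidates:
        if (r1, r3) in tried:               # same R1 and R3, different R2: already searched
            continue
        tried.add((r1, r3))
        high = r2 & ~((1 << unknown_bits) - 1)
        for low in range(1 << unknown_bits):
            state = [r1, high | low, r3]
            if keystream(xor_state(state, f), len(known_ks)) == known_ks:
                return state
    return None
```

In pure Python the full `unknown_bits=22` search is slow; a small value with a constructed key and frame is enough to see a candidate with a wrong R2 being repaired.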
Conclusion • Our method increases the success rate of the attack by an additional 16% in some cases. • It adds some hours to the original attack time. • This time could be reduced by reducing the number of final candidates.