160 likes | 298 Views
Selective DFT Attacks against E0. Jingjing WANG, Kefei CHEN. Outline. Brief introduction to DFT, DFT Attack, E0 Selective DFT Filter for Nonlinear Filter Generator Our Attack against E0 And combiner with memory in general. What is DFT?. DFT = discrete Fourier transform
E N D
Selective DFT Attacks against E0 Jingjing WANG, Kefei CHEN
Outline • Brief introduction to • DFT, DFT Attack, E0 • Selective DFT Filter for Nonlinear Filter Generator • Our Attack againstE0 • And combiner with memory in general
What is DFT? • DFT = discrete Fourier transform • Used in analysis of signals • Fourier transform has one amazing feature • Sin signal • After Fourier transform • Is much simpler!
What is DFT Attack? • Discrete Fourier transform (DFT) Attack • Do DFT for periodic sequence, resulting in equations in GF(2^n) • For unknowns, solve it in GF(2^n) • Selective DFT Attack proposed for nonlinear filter by G. GONG • Unknowns: DFT coefficients of the LFSR sequence • Solve equations by: selective DFT filter
Selective DFT Filter • Selective DFT filter speeds up the DFT attack by • Filtering out few* components of the DFT result of the keystream • *the optimal number is one and the number of corresponding unknowns is no greater than n
What is E0 Keystream Generator? • E0 is a combiner with memory • 4 LFSRs • 2-bit memory with update function • Combine and output:
Extend DFT Attack to Combiner with Memory • To eliminate most items • Selective DFT filter needs: • Same equation • Filter function corresponds to the linear combination (the eliminates the items) • Challenge: • No same equation guaranteed • Filter function originally defined over consecutive equations
Step 1. • Convert update function into one equation* • *The equation is different from Armknecht’s • =>
The equation has such items that • Are products of zt , zt+1 … and unknowns • => unknowns with unpredictable coefficients because of unpredictable behavior of zt • Goal: make coefficients predictable!
Step 2. • Convert the equation into 16 equations • According to the value of zt , zt+1, zt+2, zt+3 • =>
Step 3. • Select equations where π1(t+1) can be filtered out* • *We do that by gcd the characteristic polynomial of π1(t+1) and that of the other items • *And pick these with gcd = 1
Step 4. • Compute selective discrete Fourier transform filter for the equation E selected Complexity? • Trick: • Use the characteristic polynomial of the other items computed in the last step; denote it by h(x) • Find linear combination of xtthat mod h(x) = 0 • for {t} that gives the equation E
Step 5. • Use the linear combination produced in the last step • To filter out an equation for π1(t+1) • Collect and solve equations
Some Remarks • Step 1, 2, 3 are done offline • Step 1 and 2 are applicable for all instances of E0 • Step 3 are done once for one set of parameters of E0 • Success of attack relies on Step 3 • Complexity of attack is dominated by Step 4
Conclusion • Selective DFT filter for combiner • Can be reduced to selective DFT filter for nonlinear filter • After O(N^3) computation, N ~ (n d) • Selective DFT filter for Estream Candidate? • Possible if its state update can be converted into an algebraic equation like E0.