1 / 16

Selective DFT Attacks against E0

Selective DFT Attacks against E0. Jingjing WANG, Kefei CHEN. Outline. Brief introduction to DFT, DFT Attack, E0 Selective DFT Filter for Nonlinear Filter Generator Our Attack against E0 And combiner with memory in general. What is DFT?. DFT = discrete Fourier transform

Download Presentation

Selective DFT Attacks against E0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Selective DFT Attacks against E0 Jingjing WANG, Kefei CHEN

  2. Outline • Brief introduction to • DFT, DFT Attack, E0 • Selective DFT Filter for Nonlinear Filter Generator • Our Attack againstE0 • And combiner with memory in general

  3. What is DFT? • DFT = discrete Fourier transform • Used in analysis of signals • Fourier transform has one amazing feature • Sin signal • After Fourier transform • Is much simpler!

  4. What is DFT Attack? • Discrete Fourier transform (DFT) Attack • Do DFT for periodic sequence, resulting in equations in GF(2^n) • For unknowns, solve it in GF(2^n) • Selective DFT Attack proposed for nonlinear filter by G. GONG • Unknowns: DFT coefficients of the LFSR sequence • Solve equations by: selective DFT filter

  5. Selective DFT Filter • Selective DFT filter speeds up the DFT attack by • Filtering out few* components of the DFT result of the keystream • *the optimal number is one and the number of corresponding unknowns is no greater than n

  6. What is E0 Keystream Generator? • E0 is a combiner with memory • 4 LFSRs • 2-bit memory with update function • Combine and output:

  7. Extend DFT Attack to Combiner with Memory • To eliminate most items • Selective DFT filter needs: • Same equation • Filter function corresponds to the linear combination (the eliminates the items) • Challenge: • No same equation guaranteed • Filter function originally defined over consecutive equations

  8. Step 1. • Convert update function into one equation* • *The equation is different from Armknecht’s • =>

  9. The equation has such items that • Are products of zt , zt+1 … and unknowns • => unknowns with unpredictable coefficients because of unpredictable behavior of zt • Goal: make coefficients predictable!

  10. Step 2. • Convert the equation into 16 equations • According to the value of zt , zt+1, zt+2, zt+3 • =>

  11. Step 3. • Select equations where π1(t+1) can be filtered out* • *We do that by gcd the characteristic polynomial of π1(t+1) and that of the other items • *And pick these with gcd = 1

  12. Step 4. • Compute selective discrete Fourier transform filter for the equation E selected Complexity? • Trick: • Use the characteristic polynomial of the other items computed in the last step; denote it by h(x) • Find linear combination of xtthat mod h(x) = 0 • for {t} that gives the equation E

  13. Step 5. • Use the linear combination produced in the last step • To filter out an equation for π1(t+1) • Collect and solve equations

  14. Some Remarks • Step 1, 2, 3 are done offline • Step 1 and 2 are applicable for all instances of E0 • Step 3 are done once for one set of parameters of E0 • Success of attack relies on Step 3 • Complexity of attack is dominated by Step 4

  15. Conclusion • Selective DFT filter for combiner • Can be reduced to selective DFT filter for nonlinear filter • After O(N^3) computation, N ~ (n d) • Selective DFT filter for Estream Candidate? • Possible if its state update can be converted into an algebraic equation like E0.

  16. Thank you!

More Related