Attacks on the Filter Generator and the Nonlinear Combiner Generator
Tor Helleseth, Department of Informatics, University of Bergen, Norway
Joint work with Sondre Rønjom, Guang Gong and M. Hojsik

Outline
• Filter generator: m-sequences, nonlinear Boolean functions
• Standard algebraic attack on the filter generator
• New attack on the binary filter generator
• Extending the attack to the filter generator over $GF(2^m)$
• Linear representations of the filter generator
• Generalizations of the attack to the nonlinear combiner
Symmetric Stream Cipher
(Figure: on each side a key drives a pseudorandom generator that produces the keystream; the sender adds the keystream to the plaintext to obtain the ciphertext, and the receiver adds the same keystream to recover the plaintext.)
Requirements for a good keystream
- good randomness distribution
- long period
- high complexity
m-Sequence (Example)
• $s_{t+4} = s_{t+1} + s_t$, $g(x) = x^4 + x + 1$
• $(s_t)$: 000100110101111…
Properties of m-sequences
• Period $\varepsilon = 2^n - 1$
• Balanced
• Run properties
• Shift-and-add property: $s_t + s_{t+\tau} = s_{t+\delta}$
• Two-level autocorrelation
• $s_t = \mathrm{Tr}_n(A\alpha^t) = \sum_{j=0}^{n-1}(A\alpha^t)^{2^j} = A_1\alpha^t + A_2\alpha^{2t} + A_3\alpha^{4t} + A_4\alpha^{8t}$ (for $n = 4$, with $A_{j+1} = A^{2^j}$)
Binary Filter Generator
(Figure: an LFSR whose stages feed the Boolean function $f$, which outputs $z_t$.)
• LFSR of length $n$ generating an m-sequence $(s_t)$ of period $2^n - 1$, determined by the initial state $(s_0, s_1, \ldots, s_{n-1})$
• Nonlinear Boolean function $f(x_0, x_1, \ldots, x_{n-1})$ of degree $d$
• Keystream $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = f_t(s_0, s_1, \ldots, s_{n-1})$
• $f(x_0, x_1, \ldots, x_{n-1}) = \sum c_{a_0 a_1 \ldots a_{r-1}}\, x_{a_0}x_{a_1}\cdots x_{a_{r-1}} = \sum_A c_A x^A$
Example – Filter Generator
• $g(x) = x^4 + x + 1$, $s_{t+4} = s_{t+1} + s_t$
• $f(x_0, x_1, x_2, x_3) = x_0x_1 + x_1x_3 + x_3$, so $z_t = s_ts_{t+1} + s_{t+1}s_{t+3} + s_{t+3}$
• $z_0 = f(s_0, s_1, s_2, s_3) = s_0s_1 + s_1s_3 + s_3$ $(= f_0)$
• $z_1 = f(s_1, s_2, s_3, s_4) = f(s_1, s_2, s_3, s_0 + s_1) = s_0 + s_1 + s_0s_2$ $(= f_1)$
• $z_2 = f(s_2, s_3, s_4, s_5) = f(s_2, s_3, s_0 + s_1, s_1 + s_2) = s_1 + s_2 + s_1s_3$ $(= f_2)$
• …
Multivariate Equations
$z_0 = s_0s_1 + s_1s_3 + s_3$
$z_1 = s_0s_2 + s_0 + s_1$
$z_2 = s_1s_3 + s_1 + s_2$
$z_3 = s_0s_2 + s_1s_2 + s_2 + s_3$
$z_4 = s_1s_3 + s_2s_3 + s_0 + s_1 + s_3$
$z_5 = s_0s_2 + s_0s_3 + s_1s_2 + s_1s_3 + s_0 + s_2$
…
Linearization (one new unknown per monomial: $a_i = s_i$ for $i < 4$, $a_4 = s_0s_1$, $a_5 = s_0s_2$, $a_6 = s_0s_3$, $a_7 = s_1s_2$, $a_8 = s_1s_3$, $a_9 = s_2s_3$) gives a linear system with $\binom{4}{2} + \binom{4}{1} = 10$ unknowns:
$z_0 = a_4 + a_8 + a_3$
$z_1 = a_5 + a_0 + a_1$
$z_2 = a_8 + a_1 + a_2$
$z_3 = a_5 + a_7 + a_2 + a_3$
$z_4 = a_8 + a_9 + a_0 + a_1 + a_3$
$z_5 = a_5 + a_6 + a_7 + a_8 + a_0 + a_2$
…
Solve by Gaussian elimination.
Standard Algebraic Attack
• Shift register m-sequence $(s_t)$ of period $2^n - 1$
• Boolean function $f(x_0, x_1, \ldots, x_{n-1})$ of degree $d$; $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = f_t(s_0, s_1, \ldots, s_{n-1})$
• Nonlinear equation system of degree $d$ in the $n$ unknowns $s_0, \ldots, s_{n-1}$
• Reduce to a linear system in $D$ unknowns (the monomials), $D = \binom{n}{d} + \binom{n}{d-1} + \cdots + \binom{n}{1}$
• Need about $D$ keystream bits
• Complexity $D^\omega$, $\omega = \log_2 7 \approx 2.807$
• Courtois, Canteaut: for the filter generator to be secure one needs
- $n = 128$, $d \ge 16$: complexity $> 2^{128}$ (with $\omega \approx 2$)
- $n = 256$, $d \ge 30$: complexity $> 2^{256}$ (with $\omega \approx 2$)
New Algebraic Attack
• Rønjom–Helleseth 2006
• Recovers the initial state of the binary filter generator with complexity
- pre-computation $O(D(\log_2 D)^3)$
- attack $O(D)$
- needs $D$ keystream bits
• Main idea
- coefficient sequences of $I = \{i_0, i_1, \ldots, i_{r-1}\}$
- consider the (binary) coefficient $K_{I,t}$ in $f_t(s_0, s_1, \ldots, s_{n-1})$ of the monomial $s^I = s_{i_0}s_{i_1}\cdots s_{i_{r-1}}$ at time $t$
- $K_{I,t}$ obeys some nice recursions
Example – Coefficient Sequences
• Let $s_{t+4} = s_{t+1} + s_t$, i.e. $s_4 = s_1 + s_0$
• $z_t = f(s_t, s_{t+1}, s_{t+2}, s_{t+3}) = s_{t+2} + s_ts_{t+1} + s_{t+1}s_{t+2}s_{t+3} + s_ts_{t+1}s_{t+2}s_{t+3}$
• $z_0 = f_0(s_0, s_1, s_2, s_3) = s_2 + s_0s_1 + s_1s_2s_3 + s_0s_1s_2s_3$
• $z_1 = f_1(s_0, s_1, s_2, s_3) = s_3 + s_1s_2 + s_0s_2s_3 + s_0s_1s_2s_3$
• $z_2 = f_2(s_0, s_1, s_2, s_3) = s_0 + s_1 + s_1s_3 + s_2s_3 + s_0s_1s_3 + s_1s_2s_3 + s_0s_1s_2s_3$
• $z_3 = f_3(s_0, s_1, s_2, s_3) = s_1 + s_2 + s_0s_2 + s_0s_3 + s_1s_3 + s_0s_1s_2 + s_0s_2s_3 + s_0s_1s_2s_3$
• $z_4 = f_4(s_0, s_1, s_2, s_3) = s_1 + s_2 + s_3 + s_0s_1 + s_0s_2 + s_1s_2 + s_0s_1s_3 + s_0s_1s_2s_3$
• $z_5 = f_5(s_0, s_1, s_2, s_3) = s_0 + s_1 + s_2 + s_3 + s_1s_3 + s_2s_3 + s_0s_1s_2 + s_0s_1s_3 + s_0s_1s_2s_3$
Some coefficient sequences
• $I = \{0,1,2,3\}$: $K_{I,t} = 1\,1\,1\,1\,1\,1\ldots$
• $I = \{0,2,3\}$: $K_{I,t} = 0\,1\,0\,1\,0\,0\ldots$
• $I = \{1,3\}$: $K_{I,t} = 0\,0\,1\,1\,0\,1\ldots$
Coefficient Sequence
• Let $I = \{i_0, i_1, \ldots, i_{r-1}\}$ and $s^I = s_{i_0}s_{i_1}\cdots s_{i_{r-1}}$
• The coefficient of the monomial $s^I$ at time $t$ is called $K_{I,t}$
• The coefficient sequence $K_{I,t}$ is defined by $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = f_t(s_0, s_1, \ldots, s_{n-1}) = \sum_I s^I K_{I,t}$
• The main idea behind the attack is to determine the characteristic polynomial of $K_{I,t}$
• The main task is to compute a polynomial $p(x) = \sum_j p_j x^j$ that generates $K_{I,t}$ for $|I| \ge 2$ (and hopefully not $K_{I,t}$ for $|I| = 1$)
Coefficient Sequences – Example
$f(s_0, s_1, s_2, s_3) = s_2 + s_0s_1 + s_1s_2s_3 + s_0s_1s_2s_3$; $s_4 = s_0 + s_1$
Coefficient of each monomial in $f_t$ (one row per monomial, one column per $t = 0, 1, \ldots, 14$):

monomial    f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14   sequence
s0           0  0  1  0  0  1  1  1  1  0  1   0   0   0   1    K_{0,t}
s1           0  0  1  1  1  1  0  1  0  0  0   1   0   0   1    K_{1,t}
s2           1  0  0  1  1  1  1  0  1  0  0   0   1   0   0    K_{2,t}
s3           0  1  0  0  1  1  1  1  0  1  0   0   0   1   0    K_{3,t}
s0s1         1  0  0  0  1  0  0  1  0  1  1   0   0   0   0    K_{01,t}
s0s2         0  0  0  1  1  0  1  1  0  1  1   0   0   0   0    K_{02,t}
s1s2         0  1  0  0  1  0  1  1  0  0  0   0   1   0   0    K_{12,t}
s0s3         0  0  0  1  0  0  1  0  1  1  0   0   0   0   1    K_{03,t}
s1s3         0  0  1  1  0  1  1  0  1  1  0   0   1   0   0    K_{13,t}
s2s3         0  0  1  0  0  1  0  1  1  0  0   0   1   0   0    K_{23,t}
s0s1s2       0  0  0  1  0  1  0  0  1  1  0   1   1   1   0    K_{012,t}
s0s1s3       0  0  1  0  1  0  0  1  1  0  1   1   1   0   0    K_{013,t}
s0s2s3       0  1  0  1  0  0  1  1  0  1  1   1   0   0   0    K_{023,t}
s1s2s3       1  0  1  0  0  1  1  0  1  1  1   0   0   0   0    K_{123,t}
s0s1s2s3     1  1  1  1  1  1  1  1  1  1  1   1   1   1   1    K_{0123,t}
Recursion – Coefficient Sequences
(The slide repeats the coefficient table above; each row $K_{I,t}$ is a linear recurring sequence, and the next slides compute its characteristic polynomial.)
Calculating $g_i(x)$ for $n = 4$
• Characteristic polynomial $g(x) = x^4 + x + 1$; $g(\alpha) = \alpha^4 + \alpha + 1 = 0$, $\alpha^{15} = 1$
• $g_4(x) = \prod_{wt(l)=4}(x + \alpha^l) = x + 1$
• $g_3(x) = \prod_{wt(l)=3}(x + \alpha^l) = x^4 + x^3 + 1$
• $g_2(x) = \prod_{wt(l)=2}(x + \alpha^l) = (x^4 + x^3 + x^2 + x + 1)(x^2 + x + 1)$
• $g_1(x) = \prod_{wt(l)=1}(x + \alpha^l) = x^4 + x + 1$
• $p(x) = g_2(x)g_3(x)g_4(x) = x^{11} + x^8 + x^7 + x^5 + x^3 + x^2 + x + 1 = \sum_i p_i x^i$
• $K_{I,t}$, $|I| = 4$: generated by $g_4(x)$ (and by $p(x)$)
• $K_{I,t}$, $|I| = 3$: generated by $g_3(x)g_4(x)$ (and by $p(x)$)
• $K_{I,t}$, $|I| = 2$: generated by $g_2(x)g_3(x)g_4(x)$ (and by $p(x)$)
• $K_{I,t}$, $|I| = 1$: generated by $g_1(x)g_2(x)g_3(x)g_4(x)$
Characteristic Polynomial of $K_{I,t}$
• $(s_t) \in \Omega(g(x))$ (denotes that $(s_t)$ is generated by $g(x)$)
- zeros of $g(x)$: $\alpha^{2^i}$ $(= \alpha^r)$ with $w(r) = 1$
- $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = \sum_I s^I K_{I,t}$, $d = \deg(f)$
• Let $|I| = d$: $K_{I,t} \in \Omega(g_d(x))$, with zeros $\alpha^r$, $w(r) = d$
• Let $|I| = d-1$: $K_{I,t} \in \Omega(g_{d-1}(x)g_d(x))$, with zeros $\alpha^r$, $w(r) \in \{d-1, d\}$
• …
• Let $|I| = 2$: $K_{I,t} \in \Omega(g_2(x)\cdots g_d(x))$, with zeros $\alpha^r$, $w(r) \in \{2, 3, \ldots, d\}$
• Conclusion: $K_{I,t} \in \Omega(p(x))$ with $p(x) = g_2(x)\cdots g_d(x)$ for all coefficient sequences with $|I| \ge 2$ (i.e. for all nonlinear terms)
Key Argument in the Attack
• From the received keystream $z_j$, $j = 0, 1, \ldots, D-1$, compute for $t = 0, 1, \ldots, n-1$
$z_t^* = \sum_j p_j z_{t+j}$ $(= \sum_j p_j f_{t+j}(s_0, s_1, \ldots, s_{n-1}))$ $= \sum_j p_j \sum_I s^I K_{I,t+j} = \sum_I s^I \sum_j p_j K_{I,t+j} = \sum_{|I| \le 1} s^I \sum_j p_j K_{I,t+j}$
which is affine in $s_0, s_1, \ldots, s_{n-1}$, because $\sum_j p_j K_{I,t+j} = 0$ for every $|I| \ge 2$ ($p(x)$ generates those $K_{I,t}$)
• This gives a linear $n \times n$ system of equations for finding the initial state $s_0, s_1, \ldots, s_{n-1}$
The New Attack
• $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = f_t(s_0, s_1, \ldots, s_{n-1}) = \sum_I s^I K_{I,t}$
Precomputation – complexity $O(D(\log_2 D)^3)$
• Compute $p(x) = \prod_{2 \le wt(l) \le d}(x + \alpha^l)$, of degree $D - n$, which generates all coefficient sequences $K_{I,t}$ with $|I| \ge 2$ (and hopefully not $K_{I,t}$ for $|I| = 1$)
• Compute $f_t^*(s_0, s_1, \ldots, s_{n-1}) = \sum_j p_j f_{t+j}(s_0, s_1, \ldots, s_{n-1})$ $(= z_t^* = \sum_j p_j z_{t+j})$ for $t = 0, 1, \ldots, n-1$
• (Only the linear part of $f_{t+j}$ is needed, and only $f_0^*$, since $f_1^*, f_2^*, \ldots, f_{n-1}^*$ are easily found from $f_0^*$. If $f_0^* = 0$ the attack needs to be modified.)
Attack – complexity $O(D)$
• From the received keystream $z_t$, $t = 0, 1, \ldots, D-1$, compute $z_t^* = \sum_j p_j z_{t+j}$ $(= \sum_I s^I \sum_j p_j K_{I,t+j} = f_t^*$, affine in $s_0, s_1, \ldots, s_{n-1})$
• This gives a linear $n \times n$ system of equations for finding the bits of the initial state (secret key) $s_0, s_1, \ldots, s_{n-1}$
The Attack – Example
Precomputation ($f_0^* = f_{11} + f_8 + f_7 + f_5 + f_3 + f_2 + f_1 + f_0$, using only the linear parts of the $f_t$; the first column below is $f_0^*$, the others are the linear parts of $f_1, \ldots, f_{14}$ from the coefficient table):

        f0*  f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14
s0       0    0  1  0  0  1  1  1  1  0  1   0   0   0   1
s1       1    0  1  1  1  1  0  1  0  0  0   1   0   0   1
s2       0    0  0  1  1  1  1  0  1  0  0   0   1   0   0
s3       1    1  0  0  1  1  1  1  0  1  0   0   0   1   0

Attack – keystream 100010010011110
Equation system ($z_t^* = z_{t+11} + z_{t+8} + z_{t+7} + z_{t+5} + z_{t+3} + z_{t+2} + z_{t+1} + z_t$):
$f_0^* = s_1 + s_3 = z_0^* = 1$
$f_1^* = s_0 + s_1 + s_2 = z_1^* = 0$
$f_2^* = s_1 + s_2 + s_3 = z_2^* = 0$
$f_3^* = s_0 + s_1 + s_2 + s_3 = z_3^* = 1$
Solution (secret key): $s_0 = 1$, $s_1 = 0$, $s_2 = 1$, $s_3 = 1$
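The attack of the preceding slides, run end to end on this toy instance as an added example (my code, not the slides' or the authors'): it computes $g_2, g_3, g_4$ from the powers of $\alpha$ in $GF(2^4)$ grouped by the weight of the exponent, multiplies them into $p(x)$, derives the affine forms $f_t^*$ by letting the nonlinear coefficient sequences cancel, and solves the $4 \times 4$ system from the 15 keystream bits above. All function and variable names are my own; the `keystream` generator is there only to check the result.

```python
# Added example (my code, not the slides' or the authors'): the attack of the
# preceding slides run end to end on their toy filter generator, LFSR
# g(x) = x^4 + x + 1 with f = x2 + x0x1 + x1x2x3 + x0x1x2x3, over GF(2).
from functools import reduce
from operator import xor
N = 4                  # LFSR length n
G = 0b10011            # g(x) = x^4 + x + 1, bit i = coefficient of x^i
ALPHA = 0b10           # alpha = x, a root of g(x) in GF(2^n)
F = [(2,), (0, 1), (1, 2, 3), (0, 1, 2, 3)]  # ANF of f: tuples of variable indices

def gf_mul(a, b):  # product in GF(2^n); elements are ints, bit i = coefficient of x^i
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = (a << 1) ^ (G if a >> (N - 1) else 0)   # multiply by x, reduce mod g
    return r

def poly_mul(p, q):  # product of polynomials with GF(2^n) coefficients, index = degree
    r = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            r[i + j] ^= gf_mul(pi, qj)
    return r

def g_i(i):  # g_i(x) = prod over wt(l) = i of (x + alpha^l); l = 2^n - 1 gives alpha^0 = 1
    r, al = [1], 1
    for l in range(1, 1 << N):
        al = gf_mul(al, ALPHA)                  # al = alpha^l
        if bin(l).count("1") == i:
            r = poly_mul(r, [al, 1])
    assert all(c in (0, 1) for c in r)          # conjugate roots pair up: g_i is in GF(2)[x]
    return r

def lfsr_linear_forms(count):  # s_t as a bitmask over s0..s_{n-1}, for t < count
    L = [1 << i for i in range(N)]
    while len(L) < count:
        L.append(reduce(xor, (L[len(L) - N + i] for i in range(N) if (G >> i) & 1)))
    return L

def mul_linear(anf, form):  # ANF (set of frozenset monomials) times a linear form (bitmask)
    out = set()
    for mono in anf:
        for bit in range(N):
            if (form >> bit) & 1:
                out ^= {mono | {bit}}           # x_i^2 = x_i; equal monomials cancel
    return out

def f_t(t, L):  # ANF of f_t(s0..s_{n-1}) = f(s_t, ..., s_{t+n-1})
    anf = set()
    for mono in F:
        term = {frozenset()}
        for i in mono:
            term = mul_linear(term, L[t + i])
        anf ^= term
    return anf

def precompute():  # p(x) = g_2...g_d (lowest degree first) and affine f_t^* = sum_j p_j f_{t+j}
    p = [1]
    for i in range(2, max(map(len, F)) + 1):
        p = poly_mul(p, g_i(i))
    L = lfsr_linear_forms(2 * N + len(p) - 2)
    rows = []
    for t in range(N):
        fstar = set()
        for j, pj in enumerate(p):
            if pj:
                fstar ^= f_t(t + j, L)
        assert all(len(m) <= 1 for m in fstar)  # p(x) kills every K_{I,t} with |I| >= 2
        mask = sum(1 << next(iter(m)) for m in fstar if m)
        rows.append((mask, int(frozenset() in fstar)))
    return p, rows

def solve_gf2(eqs):  # Gauss-Jordan over GF(2); eqs = [[mask of unknowns, right-hand side], ...]
    for col in range(N):
        piv = next((r for r in range(col, len(eqs)) if (eqs[r][0] >> col) & 1), None)
        if piv is None:
            raise ValueError("singular system: the slides' f_0^* = 0 case")
        eqs[col], eqs[piv] = eqs[piv], eqs[col]
        for r in range(len(eqs)):
            if r != col and (eqs[r][0] >> col) & 1:
                eqs[r][0] ^= eqs[col][0]
                eqs[r][1] ^= eqs[col][1]
    return [eqs[col][1] for col in range(N)]

def attack(z, p, rows):  # recover s0..s_{n-1} from D = deg p + n bits via z_t^* = sum_j p_j z_{t+j}
    assert len(z) >= len(p) - 1 + N
    eqs = []
    for t in range(N):
        zstar = reduce(xor, (z[t + j] for j, pj in enumerate(p) if pj))
        eqs.append([rows[t][0], zstar ^ rows[t][1]])
    return solve_gf2(eqs)

def keystream(state, length):  # reference generator z_t = f(s_t..s_{t+n-1}), only to check the attack
    s = list(state)
    while len(s) < length + N:
        s.append(reduce(xor, (s[len(s) - N + i] for i in range(N) if (G >> i) & 1)))
    return [reduce(xor, (int(all(s[t + i] for i in m)) for m in F)) for t in range(length)]
```

`precompute()` returns `p = [1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1]`, which is $x^{11} + x^8 + x^7 + x^5 + x^3 + x^2 + x + 1$ with the constant term first, and the four affine rows $s_1 + s_3$, $s_0 + s_1 + s_2$, $s_1 + s_2 + s_3$, $s_0 + s_1 + s_2 + s_3$ as bitmasks; `attack(keystream((1, 0, 1, 1), 15), p, rows)` returns `[1, 0, 1, 1]`. The assertion inside `precompute` is the real check of the theory: if $p(x)$ did not annihilate every $K_{I,t}$ with $|I| \ge 2$, a nonlinear monomial would survive in some $f_t^*$. A filtering function with $f_0^* = 0$ makes `solve_gf2` raise, which is the case the slides say must be handled separately.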
Filter Generator over $GF(2^m)$
(Figure: an LFSR over $GF(2^m)$ whose current word feeds $f$, which outputs $z_t$.)
• LFSR of length $k$ over $GF(2^m)$ generating an m-sequence $(S_t)$ of period $2^n - 1$, $n = mk$
• Boolean function $f(x_0, x_1, \ldots, x_{m-1})$ of degree $d$; $f$ acts on the single $m$-bit word $S_t = (s_{mt}, s_{mt+1}, \ldots, s_{mt+m-1})$
• Keystream $z_t = f(s_{mt}, s_{mt+1}, \ldots, s_{mt+m-1}) = f_t(s_0, s_1, \ldots, s_{n-1})$
Filter Generator over $GF(2^m)$
• Let $S_t = (s_{mt}, s_{mt+1}, \ldots, s_{mt+m-1})$
• Let $(s_0, s_1, \ldots, s_{n-1})$ be the $n = mk$ bits of the initial state
• Define the coefficient sequences by $z_t = \sum_I s^I K_{I,t}$
Results
• $K_{I,t}$ is generated by the $g_i(x)$ with $|I| \le i \le d$, i.e. by a polynomial with zeros $\alpha^r$, $|I| \le w(r) \le d$
• The linear complexity of $z_t$ is reduced (when $f$ acts on a single word); typically the reduction is by a factor of roughly $e^{-d^2(k-1)/2n}$
WG Cipher
• LFSR of length $k = 11$ over $GF(2^{29})$ ($n = 319$)
• Boolean function of degree 11 acting on a single 29-bit word
• Linear complexity of the keystream $L = 2^{45.014}$
• $L \ll D = \binom{319}{11}$
• Keystream restricted to $2^{45}$ bits
• The attack can reconstruct the initial state with complexity $L$ after a precomputation of complexity $O(L(\log_2 L)^3) \approx 2^{62}$, but needs $L$ bits of keystream
Linear Representation – Filter Generator
• Example: $s_{t+3} = s_{t+1} + s_t$
• State $S_{t+1} = S_t T_1$ with $S_t = (s_t, s_{t+1}, s_{t+2})$, i.e. $(s_1, s_2, s_3) = (s_0, s_1, s_2)T_1$ with

T1 =  0 0 1
      1 0 1
      0 1 0

• Extended state $S_t = (s_t, s_{t+1}, s_{t+2}, s_ts_{t+1}, s_ts_{t+2}, s_{t+1}s_{t+2}, s_ts_{t+1}s_{t+2})$
• Then $S_0 = (s_0, s_1, s_2, s_0s_1, s_0s_2, s_1s_2, s_0s_1s_2)$ maps under $T$ to
$S_1 = (s_1, s_2, s_3, s_1s_2, s_1s_3, s_2s_3, s_1s_2s_3) = (s_1, s_2, s_0 + s_1, s_1s_2, s_1 + s_0s_1, s_0s_2 + s_1s_2, s_0s_1s_2 + s_1s_2)$
Matrix Representation – Filter Generator
$S_0 = (s_0, s_1, s_2, s_0s_1, s_0s_2, s_1s_2, s_0s_1s_2)$ maps under $T$ to
$S_1 = (s_1, s_2, s_0 + s_1, s_1s_2, s_1 + s_0s_1, s_0s_2 + s_1s_2, s_0s_1s_2 + s_1s_2)$
$T$ (rows indexed by the monomials of $S_0$, columns by the monomials of $S_1$):

          s1  s2  s3  s1s2  s1s3  s2s3  s1s2s3
s0         0   0   1    0     0     0      0
s1         1   0   1    0     1     0      0
s2         0   1   0    0     0     0      0
s0s1       0   0   0    0     1     0      0
s0s2       0   0   0    0     0     1      0
s1s2       0   0   0    1     0     1      1
s0s1s2     0   0   0    0     0     0      1

$S_{t+1} = S_t T$
$T$ Transforms the Boolean Function
• Let $I = \{i_0, i_1, \ldots, i_{r-1}\}$ and $s^I = s_{i_0}s_{i_1}\cdots s_{i_{r-1}}$
• $f(s_0, s_1, \ldots, s_{n-1}) = \sum_I c_{I,f}\, s^I$
• Consider $f$ as a vector (in the natural way, indexed by the monomials of the extended state), e.g. $f = (0101101)$ $(= c_{I,f})$ $\leftrightarrow$ $s_1 + s_0s_1 + s_0s_2 + s_0s_1s_2$
• Then $f_{t+1} = T f_t$
• Thus the equations of the filter generator are $z_t = S_0 T^t f$, which represents the relation $z_t = f_t(s_0, s_1, \ldots, s_{n-1}) = f(s_t, s_{t+1}, \ldots, s_{t+n-1})$
$T^t$ – Coefficient Sequences
• Let $I$, $J$ be subsets of $\{0, 1, \ldots, n-1\}$, $J = \{j_0, j_1, \ldots, j_{r-1}\}$
• $g_i(x) = \prod_{wt(l)=i}(x + \alpha^l)$
• $s_{t+J} = s_{t+j_0}s_{t+j_1}\cdots s_{t+j_{r-1}} = \sum_I s^I K_{I,J,t}$
• $K_{I,J,t}$ is generated by $g_{|I|}(x)\,g_{|I|+1}(x)\cdots g_{|J|}(x)$
• Lemma. Let $p(x) = g_2(x)\cdots g_d(x)$. Then
- $(T^t)_{I,J} = K_{I,J,t}$
- $p(T) = 0$ except for the elements in the first $n$ rows
Attack Described Using $T$
• Let $p(x) = g_2(x)\cdots g_d(x)$, $g_i(x) = \prod_{wt(l)=i}(x + \alpha^l)$
• $z_t = S_0 T^t f$
• From the received keystream $z_j$, $j = 0, 1, \ldots, D-1$, compute for $t = 0, 1, \ldots, n-1$
$z_t^* = \sum_j p_j z_{t+j}$ $(= \sum_j p_j f_{t+j}(s_0, s_1, \ldots, s_{n-1}))$ $= S_0 \sum_j p_j T^{t+j} f = S_0 T^t \sum_j p_j T^j f = S_0 T^t p(T) f$
which is affine in $s_0, s_1, \ldots, s_{n-1}$ since all rows of $p(T)$ except the first $n$ are 0
• This gives a linear $n \times n$ system of equations for finding the initial state $s_0, s_1, \ldots, s_{n-1}$
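The matrix form of the last few slides, carried out for the $n = 3$ example above as an added example (my code, not the slides'): it builds $T$ from the LFSR by a Möbius transform of each new-state monomial (my construction, not the slides' derivation), checks $z_t = S_0 T^t f$ against direct evaluation of $f(s_t, s_{t+1}, s_{t+2})$, and verifies the lemma that $p(T)$ is zero outside its first $n$ rows. Names are mine. The polynomial $p(x) = g_2(x)g_3(x) = (x^3 + x^2 + 1)(x + 1) = x^4 + x^2 + x + 1$ is worked out by hand from the cyclotomic cosets $\{3, 6, 5\}$ and $\{0\}$ modulo 7 for $g(x) = x^3 + x + 1$, in the same way as on the $g_i(x)$ slide for $n = 4$, and is hardcoded.

```python
# Added example (my code, not the slides'): the matrix form S_{t+1} = S_t T of
# the slides' n = 3 filter generator, s_{t+3} = s_{t+1} + s_t (g(x) = x^3 + x + 1),
# on the extended state of all 2^n - 1 nonconstant monomials, plus a check of the
# lemma that p(T) vanishes outside its first n rows.
from itertools import combinations, product

N = 3
TAPS = (0, 1)                      # s_{t+3} = s_t + s_{t+1}
MONOS = [m for r in range(1, N + 1) for m in combinations(range(N), r)]
# p(x) = g_2(x) g_3(x) = (x^3 + x^2 + 1)(x + 1) = x^4 + x^2 + x + 1, worked out by hand
# from the cyclotomic cosets {3, 6, 5} and {0} modulo 7, lowest degree first.
P = [1, 1, 1, 0, 1]

def lfsr_bits(state, count):  # s_0, ..., s_{count-1} from the initial state
    s = list(state)
    while len(s) < count:
        s.append(sum(s[len(s) - N + i] for i in TAPS) & 1)
    return s

def monomial(bits, m):  # value of prod_{i in m} bits[i]
    return int(all(bits[i] for i in m))

def extended_state(bits):  # (s0, s1, s2, s0s1, s0s2, s1s2, s0s1s2) for n = 3
    return [monomial(bits, m) for m in MONOS]

def anf(func):
    """Moebius transform: coefficient of each monomial in MONOS for a Boolean
    function func of n bits (func must have no constant term)."""
    assert func((0,) * N) == 0
    coeffs = []
    for m in MONOS:
        c = 0
        for sub in product((0, 1), repeat=len(m)):   # all inputs supported inside m
            x = [0] * N
            for i, b in zip(m, sub):
                x[i] = b
            c ^= func(tuple(x))
        coeffs.append(c)
    return coeffs

def transition_matrix():  # T with S_{t+1} = S_t T: column J is the ANF of s_{1+J} over S_0
    T = [[0] * len(MONOS) for _ in MONOS]
    for col, J in enumerate(MONOS):
        col_anf = anf(lambda bits, J=J: monomial(lfsr_bits(bits, N + 1)[1:], J))
        for row, c in enumerate(col_anf):
            T[row][col] = c
    return T

def mat_mul(A, B):  # matrix product over GF(2)
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]

def poly_of_matrix(p, T):  # p(T) = sum_j p_j T^j over GF(2)
    n = len(T)
    acc = [[0] * n for _ in range(n)]
    power = [[int(i == j) for j in range(n)] for i in range(n)]   # T^0 = I
    for pj in p:
        if pj:
            acc = [[a ^ b for a, b in zip(ra, rb)] for ra, rb in zip(acc, power)]
        power = mat_mul(power, T)
    return acc

def keystream_matrix(state, f, length):  # z_t = S_0 T^t f, the slides' matrix form
    T, S, z = transition_matrix(), [extended_state(state)], []
    for _ in range(length):
        z.append(sum(a & b for a, b in zip(S[0], f)) & 1)
        S = mat_mul(S, T)
    return z

def keystream_direct(state, f, length):  # z_t = f(s_t, s_{t+1}, s_{t+2}) evaluated directly
    s = lfsr_bits(state, length + N)
    return [sum(a & b for a, b in zip(extended_state(s[t:t + N]), f)) & 1
            for t in range(length)]

def check_lemma():  # (rows of p(T) below the first n are all zero, first n rows are not all zero)
    pT = poly_of_matrix(P, transition_matrix())
    return (all(c == 0 for row in pT[N:] for c in row),
            any(c for row in pT[:N] for c in row))
```

`transition_matrix()` reproduces the $7 \times 7$ matrix $T$ of the slide above row for row, and `check_lemma()` returns `(True, True)`: rows $s_0s_1, s_0s_2, s_1s_2, s_0s_1s_2$ of $p(T)$ vanish, while the first three rows do not, which is exactly why $S_0 T^t p(T) f$ is affine in $s_0, s_1, s_2$. With $f = (0101101)$ from the slide, `keystream_matrix` and `keystream_direct` agree for every initial state; for $(1, 0, 0)$ both give $0011100001$.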
Finding the Initial State
• Let $s_t = \mathrm{Tr}(\beta\alpha^t)$, where $\beta$ represents the initial state of the LFSR
• Let $g_i(x)$ have the zeros $\alpha^j$ with $wt(j) = i$
• Write $z_t = \sum_i \mathrm{Tr}(A_i(\beta\alpha^t)^i) \in \Omega(g_1 g_2 \cdots g_d)$
• Let $p(x) = (g_1 g_2 \cdots g_d)/p_k$, where $p_k(x)$ is the minimal polynomial of $\alpha^k$, $wt(k) \le d$, chosen with $A_k \ne 0$ and $\gcd(k, 2^n - 1) = 1$
• Then $u_t = p(E)z_t = \sum_j p_j z_{t+j} = \sum_i \mathrm{Tr}(A_i\beta^i p(\alpha^i)\alpha^{ti}) = \mathrm{Tr}(A_k\beta^k p(\alpha^k)\alpha^{tk})$, since $p$ annihilates every other zero
• Let $r = A_k\beta^k p(\alpha^k)$; $r$ can be found (next slide)
• Gong (1990) gives explicit formulas for $A_k$
• Since $A_k \ne 0$, if $\gcd(k, 2^n - 1) = 1$ we find $\beta$, i.e. the initial state (alternatively, if $\gcd(k, 2^n - 1) > 1$, do it once more with some $k'$ and hope that $\gcd(k - k', 2^n - 1) = 1$)
Finding $r$ from $u_t = \mathrm{Tr}(r\gamma^t)$
• Let $x_i = r^{2^i}$ and $\alpha_i = \gamma^{2^i}$
• $u_t = \mathrm{Tr}(r\gamma^t) = r\gamma^t + (r\gamma^t)^2 + \cdots + (r\gamma^t)^{2^{n-1}} = \alpha_0^t x_0 + \alpha_1^t x_1 + \cdots + \alpha_{n-1}^t x_{n-1}$
• Then
$x_0 + x_1 + \cdots + x_{n-1} = u_0$
$\alpha_0 x_0 + \alpha_1 x_1 + \cdots + \alpha_{n-1} x_{n-1} = u_1$
…
$\alpha_0^{n-1} x_0 + \alpha_1^{n-1} x_1 + \cdots + \alpha_{n-1}^{n-1} x_{n-1} = u_{n-1}$
• Then $r = x_0$ can be determined from $u_0, u_1, \ldots, u_{n-1}$, since the coefficient matrix is a Vandermonde matrix
Simple Underlying Idea
• Let $z_t = A_1\alpha_1^t + A_2\alpha_2^t + \cdots + A_D\alpha_D^t$
• Let $p(x)$ have roots among the $\alpha_i$
• Compute $p(E)z_t = \sum_j p_j z_{t+j}$
• Then $u_t = p(E)z_t = \sum_i A_i p(\alpha_i)\alpha_i^t$
• Select $p(E)$ with "almost" all roots of the keystream
Nonlinear Combining LFSRs
(Figure: LFSR 1, LFSR 2, …, LFSR n with outputs $u_t^1, u_t^2, \ldots, u_t^n$ feeding $f$, which outputs $z_t$.)
• Using several LFSRs: $f(x_1, x_2, \ldots, x_n) = \sum a_{i_1 i_2 \ldots i_n}\, x_{i_1}x_{i_2}\cdots x_{i_n}$
Nonlinear Combining LFSRs
• Using several LFSRs and $f(x_1, x_2, \ldots, x_r)$
• LFSR$_i$ of degree $n_i$ and period $2^{n_i} - 1$, with $\gcd(n_i, n_j) = 1$ for all $i \ne j$
• Linear complexity of the keystream is $f(n_1, n_2, \ldots, n_r)$ (evaluated over the integers)
• Can calculate the zeros of $z_t = A_1\alpha_1^t + A_2\alpha_2^t + \cdots + A_r\alpha_r^t$
Observations
• If $f$ has a linear term $x_i$ we find the initial state of LFSR$_i$
• We can use linear combinations over $GF(2^n)$. For example $f = x_1x_2$ gives an irreducible minimal polynomial of $z_t$; then using a combination for a divisor of degree $n_2$ over the extension field $GF(2^{n_1})$ works.
Conclusions
• New attack on the filter generator of complexity $O(D)$
• If $z_t \in \Omega(h(x))$ for all keystreams, for some $h(x)$ of degree $L$ $(< D)$, then the initial state can be recovered in complexity $O(L)$ with a precomputation of $O(L(\log_2 L)^3)$
• Linear representation related to coefficient sequences
• Generalized to the filter generator over $GF(2^m)$
• Can be generalized to an LSM, not necessarily an LFSR
• Can be generalized to the nonlinear combiner generator
• The number of known bits needed can be reduced by finding a sequence $b_t$ such that $z_tb_t = u_t$ has certain properties