Correlation Attacks on Stream Ciphers - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

Correlation Attacks on Stream Ciphers

Description:

Best Affine Approximation Attack. Correlation Attack by Siegenthaler ... Best Affine Appoximation Attack ... by using an affine approximation of the combination ... – PowerPoint PPT presentation

Number of Views:436
Avg rating:3.0/5.0
Slides: 26
Provided by: AB278
Category:

less

Transcript and Presenter's Notes

Title: Correlation Attacks on Stream Ciphers


1
Correlation Attacks on Stream Ciphers
2
  • Linear Feedback Shift Register
  • C(D)1c1D...c LDL
  • un c1un-1 c2un-2 ... cLun-L , nL,L1

3
  • 1 LFSR not secure
  • Feedback polynomial known use linear relations
    O(L)
  • Feedback polynomial is unknown use
    Berlekamp-Massey algorithm O(L2)

4
  • Filter generator
  • Combination generator
  • ? LFSR has length L? f(L1,...,LM)

5
Attacks on Combination Generator
  • Berlekamp-Massey Linearity Synthesis Attack
  • Correlation Attack
  • Best Affine Approximation Attack

6
Correlation Attack by Siegenthaler
  • Known plaintext attack keystream z is known
  • Feedback polynomials of LFSRs are known
  • Input are i.i.d. random variables
  • Correlation between at least one of the LFSRs
    output u and the keystream z,
  • P(zu) ? 1/2

7
Basic idea
  • a C(z,u)
  • j 0,1...,M

8
Correlation Attack by Meier and Staffelbach
  • Idea not all phases of the LFSR are equally
    likely.
  • 2 Algorithms if the number of taps is not too
    high
  • Idea Every digit of u satisfies several linear
    relations consisting of t other digits.
    Substitute z in these relations.

9
First Algorithm
  • Search digits which satisfy the most equations.
  • ? estimate of the sequence u at corresponding
    positions.
  • ? Slight modifications of estimation

10
  • Complexity of the algorithm is based on the
    number of modifications that have to me made
  • Complexity O(2ck)
  • c(t,q,N/L), 0 lt c ? 1
  • t ? 10 and q ? 0.75

11
Second Algorithm
  • Idea Take all digits together with their prob.
    of being correct into account
  • To each digit of z, we assign a new prob. prob.
    that znun conditioned on the number of equations
    satisfied. This procedure can be iterated with
    the varied new prob. as input to every round.
  • After few rounds, digits of z whose prob. is
    lower than probT are complemented.

12
  • Introduction of F(q,t,N/L)
  • If F(q,t,N/L) ? 0
  • Limite for the attack t ? 10, q ? 0.75
  • Complexity O(L)

13
Suggestions
  • Any correlation to a LFSR with less than 10 taps
    chould be avoided.
  • There should be no correlation to a LFSR of
    length shorter than 100.

14
Correlation attack as decoding problem
  • Set of LFSR (length L) sequences is ?
  • N keystream digits, set of all truncated
    sequences is linear N,L block code
  • ? LFSR sequence u is regarded as codeword and
    keystream sequence z is regarded as output from
    BSC.

15
Small improvements
  • Find more parity check equations and low weight
    parity check equations for feedback polynomials
    with low weight.
  • Golic and Mihaljevic
  • Chepyshov and Smeets
  • Penzhorn
  • Use more powerful iterative decoding methods.

16
Correlation attack based on convolutional codes
  • Improvement same performance and low weight
    complexity for feedback polynomials of arbitrary
    weight.
  • Idea associate convolutional code with memory B
    to code stemming from the LFSR, use Viterbi
    algorithm for decoding.
  • Drawback memory requirements are high

17
Correlation attack based on turbo codes
  • Basic Algorithm
  • Idea Combination of best parts of previous
    algorithms
  • use of convolutional code
  • Use of APP
  • General Algorithm
  • Idea use M convolutional codes in parallel with
    permutation between

18
Algorithm by Canteaut and Trabbia
  • Idea Use parity check equations of weight 4 and
    5, decode with Gallaghers iterative decoding
    algorithm
  • Complexity slightly badder then algorithms that
    use convolutional codes

19
Algorithm by Chepyzhov, Johansson and Smeets
  • Idea Associate binary linear n2,k code with
    targer LFSR of length L (kltL) and decode this
    code.
  • Complexity better than earlier proposed
    algorithms

20
Algorithm based on reconstruction of linear
polynomials
  • Idea Correlation attack is modelled as the
    problem of learning a binary linear multi-variate
    polynomial U(x1,...,xn)u1x1...uLxL
  • (u1,...,uL) initial state
  • N noisy observations z
  • Complexity very good in comparison with previous
    algorithms

21
Milhaljevic, Fossorier and Imai
  • Idea combine exhaustive search over the first B
    bits with list decoding algorithm.
  • Complexity same order as algorithm based on
    learning polynomials

22
Chose, Joux and Mitton
  • Idea new methods for efficient implementations
  • method for finding parity check equations based
    on a match-and-sort problem
  • New decoding algorithm

23
Decimation Attack
  • Idea Use d-decimation of the LFSR output
    sequence in a correlation attack. If length of
    LFSR is prime, the length of this new sequence is
    shorter than original LFSR

24
Best Affine Appoximation Attack
  • Idea no recovering of the key, just a new
    construction of the original generator, by using
    an affine approximation of the combination
    generator.

25
General Conclusions
  • LFSRs
  • Boolean function
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Correlation Attacks on Stream Ciphers" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!