Correlation Attacks on Stream Ciphers - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Correlation Attacks on Stream Ciphers
2
  • Linear Feedback Shift Register
  • Feedback polynomial $C(D) = 1 + c_1 D + \dots + c_L D^L$
  • Recurrence $u_n = c_1 u_{n-1} + c_2 u_{n-2} + \dots + c_L u_{n-L}$, $n = L, L+1, \dots$

3
  • A single LFSR is not secure
  • Feedback polynomial known: use the linear relations, $O(L)$
  • Feedback polynomial unknown: use the Berlekamp-Massey algorithm,
    $O(L^2)$

4
  • Filter generator
  • Combination generator
  • The $i$-th LFSR has length $L_i$; the generator's linear complexity is
    $f(L_1, \dots, L_M)$ (with $f$ evaluated over the integers)
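As an added example (Python, not part of the presentation), the following code implements the recurrence of slide 2, the Berlekamp-Massey synthesis that slide 3 refers to, and checks the $f(L_1, \dots, L_M)$ formula of slide 4 on a toy Geffe combination generator. The polynomials, lengths and initial states are constructed for the demonstration; the linear-complexity result assumed is Rueppel's (maximum-length LFSRs of pairwise distinct lengths greater than 2).

```python
# Added example: LFSR recurrence, Berlekamp-Massey synthesis and the
# linear complexity f(L_1, ..., L_M) of a combination generator.
# All polynomials and initial states below are constructed, not from the slides.

def lfsr(coeffs, state, n):
    """n bits of u_n = c_1 u_{n-1} + ... + c_L u_{n-L} over GF(2).
    coeffs = [c_1, ..., c_L] from C(D) = 1 + c_1 D + ... + c_L D^L;
    state = [u_0, ..., u_{L-1}]."""
    u = list(state)
    while len(u) < n:
        u.append(sum(c * u[-1 - i] for i, c in enumerate(coeffs)) % 2)
    return u[:n]

def berlekamp_massey(bits):
    """Massey's LFSR synthesis: returns (L, [1, c_1, ..., c_L]) for the shortest
    LFSR generating `bits`. 2L bits determine it uniquely; cost O(L^2)."""
    n = len(bits)
    C = [1] + [0] * n   # current connection polynomial
    B = [1] + [0] * n   # polynomial saved at the last length change
    L, m = 0, 1         # current length, shift since that change
    for i in range(n):
        d = bits[i]     # discrepancy between the LFSR prediction and bits[i]
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for j in range(n - m + 1):      # C(x) += x^m * B(x)
            C[j + m] ^= B[j]
        if 2 * L <= i:                  # the length has to grow
            L, B, m = i + 1 - L, T, 1
        else:
            m += 1
    return L, C[:L + 1]

def geffe_keystream(polys, states, n):
    """Combination generator with f(x1, x2, x3) = x1 x2 + x2 x3 + x3 (Geffe)."""
    x1, x2, x3 = (lfsr(c, s, n) for c, s in zip(polys, states))
    return [(a & b) ^ (b & c) ^ c for a, b, c in zip(x1, x2, x3)]

# Constructed toy: one LFSR with C(D) = 1 + D + D^4 (primitive), state 1000
P4 = [1, 0, 0, 1]
SEQ = lfsr(P4, [1, 0, 0, 0], 8)

def single_lfsr_demo():
    """2L = 8 output bits suffice to recover L = 4 and C(D) = 1 + D + D^4."""
    return berlekamp_massey(SEQ)

# Constructed toy: lengths 3, 4, 5 (pairwise distinct, > 2) with primitive
# polynomials x^3+x+1, x^4+x+1, x^5+x^2+1, combined by the Geffe function.
POLYS = ([1, 0, 1], [1, 0, 0, 1], [0, 1, 0, 0, 1])
STATES = ([1, 0, 0], [0, 1, 1, 0], [1, 0, 1, 1, 0])

def combination_demo():
    """Linear complexity of the Geffe output equals f(L1, L2, L3) over the
    integers: 3*4 + 4*5 + 5 = 37. 2*37 bits reveal it; 200 are used here."""
    z = geffe_keystream(POLYS, STATES, 200)
    L, _ = berlekamp_massey(z)
    return L, 3 * 4 + 4 * 5 + 5

if __name__ == "__main__":
    print(single_lfsr_demo())   # (4, [1, 1, 0, 0, 1])
    print(combination_demo())   # (37, 37)
```

The second demo is the point of slide 4: the nonlinear combiner raises the linear complexity from 5 to 37, but 74 known bits still pin the whole generator down as a single linear recurrence, which is why the attacks on the following slides matter even when f is nonlinear.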

5
Attacks on Combination Generator
  • Berlekamp-Massey Linearity Synthesis Attack
  • Correlation Attack
  • Best Affine Approximation Attack

6
Correlation Attack by Siegenthaler
  • Known-plaintext attack: the keystream z is known
  • The feedback polynomials of the LFSRs are known
  • The inputs are i.i.d. random variables
  • There is a correlation between the output u of at least one LFSR
    and the keystream z:
  • $P(z_n = u_n) \neq 1/2$

7
Basic idea
  • $a = C(z, u)$
  • $j = 0, 1, \dots, M$
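The attack of slides 6 and 7, as an added Python example that is not part of the presentation: Siegenthaler's divide-and-conquer against a toy Geffe generator (combining function $x_1 x_2 + x_2 x_3 + x_3$) with constructed feedback polynomials and constructed secret initial states. It shows why the combining function must be correlation immune: LFSR1 and LFSR3 each leak through $P(z = x_i) = 3/4$ and are recovered one at a time by the correlation statistic, so 31 + 63 + 127 trials replace the $2^{18}$ of a joint search.

```python
# Added example: Siegenthaler's correlation attack on a toy Geffe generator.
# Polynomials, lengths and secret states are constructed for this demonstration.

def lfsr(coeffs, state, n):
    """n bits of u_n = c_1 u_{n-1} + ... + c_L u_{n-L} over GF(2)."""
    u = list(state)
    while len(u) < n:
        u.append(sum(c * u[-1 - i] for i, c in enumerate(coeffs)) % 2)
    return u[:n]

def geffe(x1, x2, x3):
    """f = x1 x2 + x2 x3 + x3, i.e. z = x1 if x2 else x3.
    P(z = x1) = P(z = x3) = 3/4, while P(z = x2) = 1/2."""
    return (x1 & x2) ^ (x2 & x3) ^ x3

def keystream(polys, states, n):
    seqs = [lfsr(c, s, n) for c, s in zip(polys, states)]
    return [geffe(a, b, c) for a, b, c in zip(*seqs)]

def int_to_state(k, L):
    """Enumerate initial states: bit i of k becomes u_i."""
    return [(k >> i) & 1 for i in range(L)]

def correlation(z, u):
    """Siegenthaler's statistic: number of positions where z and u agree.
    About N/2 for an unrelated phase, about 3N/4 for the right one."""
    return sum(1 for a, b in zip(z, u) if a == b)

def recover_lfsr(z, coeffs):
    """Known plaintext gives z; try all 2^L - 1 nonzero initial states of one
    LFSR and keep the one whose output is most correlated with z."""
    L = len(coeffs)
    best = max(range(1, 2 ** L),
               key=lambda k: correlation(z, lfsr(coeffs, int_to_state(k, L), len(z))))
    return int_to_state(best, L)

def attack(z, polys):
    """Recover all three initial states from z alone: LFSR1 and LFSR3 separately
    by correlation, then LFSR2 by exhausting its 2^L2 - 1 states."""
    s1 = recover_lfsr(z, polys[0])
    s3 = recover_lfsr(z, polys[2])
    L2 = len(polys[1])
    for k in range(1, 2 ** L2):
        s2 = int_to_state(k, L2)
        if keystream(polys, (s1, s2, s3), len(z)) == z:
            return s1, s2, s3
    return None

# Constructed toy: C(D) for x^5 + x^2 + 1, x^7 + x + 1, x^6 + x + 1 (all primitive)
POLYS = ([0, 1, 0, 0, 1], [1, 0, 0, 0, 0, 0, 1], [1, 0, 0, 0, 0, 1])
SECRET = ([1, 0, 1, 1, 0], [0, 1, 1, 0, 1, 0, 1], [1, 1, 0, 0, 1, 0])
N = 300   # known keystream digits

if __name__ == "__main__":
    z = keystream(POLYS, SECRET, N)
    print(attack(z, POLYS) == SECRET)   # True, after 31 + 63 + 127 trials
```

The design lesson is the one slide 13 draws later: a combiner whose output is biased towards any single input hands the attacker each LFSR separately, and the work drops from the product of the state spaces to their sum.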

8
Correlation Attack by Meier and Staffelbach
  • Idea: not all phases of the LFSR are equally likely.
  • Two algorithms, if the number of taps is not too high.
  • Idea: every digit of u satisfies several linear relations, each
    involving t other digits. Substitute z into these relations.

9
First Algorithm
  • Search for the digits which satisfy the most equations.
  • ⇒ estimate of the sequence u at the corresponding positions.
  • ⇒ slight modifications of the estimate.

10
  • The complexity of the algorithm is determined by the number of
    modifications that have to be made
  • Complexity $O(2^{ck})$ ($k$: the LFSR length, written $L$ elsewhere
    on these slides)
  • $c = c(t, q, N/L)$, $0 < c \le 1$
  • $t \le 10$ and $q \ge 0.75$

11
Second Algorithm
  • Idea: take all digits into account, together with their
    probability of being correct
  • To each digit of z we assign a new probability: the probability
    that $z_n = u_n$ conditioned on the number of equations satisfied.
    This procedure can be iterated, with the new probabilities as
    input to every round.
  • After a few rounds, the digits of z whose probability is lower
    than $p_{\text{thr}}$ are complemented.

12
  • Introduction of $F(q, t, N/L)$
  • If $F(q, t, N/L) \ge 0$
  • Limits for the attack: $t \le 10$, $q \ge 0.75$
  • Complexity $O(L)$
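The parity-check machinery of slides 8 to 12, as an added Python example (not from the presentation): linear relations are derived from a constructed low-weight feedback polynomial $1 + D^3 + D^{31}$ ($t = 2$ taps) and its $2^j$-th powers, a noisy keystream with $q = 0.75$ is checked against them, the digits satisfying all of their relations are taken as trusted (the first algorithm), and one round of the probability update with threshold $p_{\text{thr}} = 0.5$ (the second algorithm) is applied. The posterior formula with $s = (1 + (2q-1)^t)/2$ is Meier and Staffelbach's; the polynomial, $q$, $N$ and the random seed are assumptions of this example.

```python
# Added example: parity-check counting and the probability update behind the
# Meier-Staffelbach attack. Polynomial, q, N and seed are constructed here.
import random

def lfsr(coeffs, state, n):
    """n bits of u_n = c_1 u_{n-1} + ... + c_L u_{n-L} over GF(2)."""
    u = list(state)
    while len(u) < n:
        u.append(sum(c * u[-1 - i] for i, c in enumerate(coeffs)) % 2)
    return u[:n]

def base_offsets(coeffs):
    """Positions in the feedback relation u_n + sum_i c_i u_{n-i} = 0, shifted
    so that the smallest index is 0: {L} U {L - i : c_i = 1}."""
    L = len(coeffs)
    return sorted({L} | {L - i for i, c in enumerate(coeffs, 1) if c})

def parity_checks(coeffs, levels):
    """Relations from C(x), C(x)^2, C(x)^4, ...: over GF(2), C(x)^(2^j) = C(x^(2^j)),
    so each offset set scaled by 2^j is again a relation every LFSR sequence obeys.
    A polynomial with t taps gives relations of t + 1 digits (t 'other' digits)."""
    base = base_offsets(coeffs)
    return [[o << j for o in base] for j in range(levels)]

def count_checks(z, checks):
    """For every position: how many relations it lies in (total) and how many
    of those the noisy sequence z satisfies (sat)."""
    n = len(z)
    total, sat = [0] * n, [0] * n
    for offs in checks:
        for p in range(n - offs[-1]):
            pos = [p + o for o in offs]
            holds = sum(z[i] for i in pos) % 2 == 0
            for i in pos:
                total[i] += 1
                sat[i] += holds
    return total, sat

def posterior(q, t, h, m):
    """P(z_n = u_n | h of the m relations hold), with s = P(a relation holds |
    z_n correct) = P(even number of errors among the t other digits)."""
    s = (1 + (2 * q - 1) ** t) / 2
    a = q * s ** h * (1 - s) ** (m - h)
    b = (1 - q) * (1 - s) ** h * s ** (m - h)
    return a / (a + b)

def correct_round(z, checks, q, t, p_thr=0.5):
    """One round of the second algorithm: complement every digit whose
    posterior probability of being correct falls below p_thr."""
    total, sat = count_checks(z, checks)
    return [b ^ (posterior(q, t, h, m) < p_thr) for b, h, m in zip(z, sat, total)]

def agreement(a, b):
    return sum(x == y for x, y in zip(a, b)) / len(a)

# Constructed toy: C(D) = 1 + D^3 + D^31 (t = 2 taps), q = 0.75, N = 5000 digits
COEFFS = [0] * 31
COEFFS[2] = 1     # c_3
COEFFS[30] = 1    # c_31
Q, T, N = 0.75, 2, 5000

def demo(seed=1):
    rng = random.Random(seed)
    state = [1] + [rng.randint(0, 1) for _ in range(30)]   # nonzero initial state
    u = lfsr(COEFFS, state, N)
    z = [b ^ (rng.random() > Q) for b in u]                 # BSC: P(z_n = u_n) = q
    checks = parity_checks(COEFFS, 3)                       # C, C^2, C^4
    total, sat = count_checks(z, checks)
    # first algorithm: trust digits satisfying all (at least four) of their relations
    trusted = [i for i in range(N) if total[i] >= 4 and sat[i] == total[i]]
    z2 = correct_round(z, checks, Q, T)                     # second algorithm, one round
    return {
        "noisy": agreement(z, u),                           # about q = 0.75
        "trusted_count": len(trusted),
        "trusted": sum(z[i] == u[i] for i in trusted) / len(trusted),
        "after_round": agreement(z2, u),                    # clearly above q
    }

if __name__ == "__main__":
    print(demo())
```

With only a trinomial, each interior digit sits in nine relations, and a single round already lifts the agreement with u well above the channel's 0.75; the same code run with a feedback polynomial of many taps produces almost no usable relations, which is the reason behind the "fewer than 10 taps" advice on the next slide.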

13
Suggestions
  • Any correlation to an LFSR with fewer than 10 taps should be
    avoided.
  • There should be no correlation to an LFSR of length shorter
    than 100.

14
Correlation attack as decoding problem
  • Set of LFSR (length L) sequences is ?
  • With N keystream digits, the set of all truncated sequences is a
    linear $[N, L]$ block code
  • ⇒ the LFSR sequence u is regarded as a codeword and the keystream
    sequence z as the output of a BSC (binary symmetric channel).

15
Small improvements
  • Find more parity-check equations, and low-weight parity-check
    equations for feedback polynomials of low weight.
  • Golić and Mihaljević
  • Chepyzhov and Smeets
  • Penzhorn
  • Use more powerful iterative decoding methods.

16
Correlation attack based on convolutional codes
  • Improvement: the same performance and low complexity for feedback
    polynomials of arbitrary weight.
  • Idea: associate a convolutional code with memory B to the code
    stemming from the LFSR, and use the Viterbi algorithm for decoding.
  • Drawback: the memory requirements are high

17
Correlation attack based on turbo codes
  • Basic algorithm
  • Idea: combination of the best parts of the previous algorithms
  • use of a convolutional code
  • use of APP (a posteriori probability) decoding
  • General algorithm
  • Idea: use M convolutional codes in parallel, with a permutation
    between them

18
Algorithm by Canteaut and Trabbia
  • Idea: use parity-check equations of weight 4 and 5 and decode
    with Gallager's iterative decoding algorithm
  • Complexity: slightly worse than the algorithms that use
    convolutional codes

19
Algorithm by Chepyzhov, Johansson and Smeets
  • Idea: associate a binary linear $[n_2, k]$ code with the target
    LFSR of length L ($k < L$) and decode this code.
  • Complexity: better than the earlier proposed algorithms

20
Algorithm based on reconstruction of linear
polynomials
  • Idea: the correlation attack is modelled as the problem of
    learning a binary linear multivariate polynomial
    $U(x_1, \dots, x_L) = u_1 x_1 + \dots + u_L x_L$
  • $(u_1, \dots, u_L)$: the initial state
  • N noisy observations z
  • Complexity: very good in comparison with the previous algorithms

21
Mihaljević, Fossorier and Imai
  • Idea: combine exhaustive search over the first B bits with a list
    decoding algorithm.
  • Complexity: of the same order as the algorithm based on learning
    polynomials

22
Chose, Joux and Mitton
  • Idea: new methods for efficient implementations
  • a method for finding parity-check equations based on a
    match-and-sort problem
  • a new decoding algorithm

23
Decimation Attack
  • Idea: use the d-decimation of the LFSR output sequence in a
    correlation attack. If the length of the LFSR is prime, the length
    of this new sequence is shorter than that of the original LFSR

24
Best Affine Approximation Attack
  • Idea: no recovery of the key, just a new construction of the
    original generator, using an affine approximation of the
    combination generator.

25
General Conclusions
  • LFSRs
  • Boolean function