linear relations in irregularly clocked linear finite state machines cees jansen deltacrypto b.v....
TRANSCRIPT
Linear Relations in Irregularly Clocked Linear Finite State Machines
Cees JansenDeltaCrypto B.V.
NATO-ARW
Veliko Tarnovo, October 8, 2008
20081008 CJ 2
Outline Linear Finite State Machines Linear Relations in LFSMs The Basic Algorithm A More Efficient Way… An Example Conclusions
20081008 CJ 3
L-1
ML
c0
L-2
ML-1
c1
0
M1
cL-1
o
0,:
0,:Transition State
),,,(:State LFSM
0
1
021
t
ttt
tt
ttL
tL
t
T
T
1
2
1
0
100
010001000
:(LFSR)Matrix Transition
Lc
ccc
T
)( ofroot a of role theplays i.e. ,0)(
)det()(
:Then
of Polynomial sticCharacteri thebe )(Let
xCC
xxC
xC
TT
TI
T
A Linear Finite State Machine
Matrix approach: “Error-Correcting Codes”, W.W. Peterson, 1961
20081008 CJ 4
Another LFSM
L-1 L-2 0o
c0cL-2cL-1
0100
00100001
:Matrix Transition
0121
cccc LL
T
Similarity Transform:
GCLFSR TMMT 1
1000
10010
1
1
21
121
1
L
L
LL
c
ccccc
MM
M
MTMTMTMT
iGC
iLFSR
iGC
iLFSR
GCLFSRGCLFSR
1
1
20081008 CJ 5
And Another LFSM
11
22
11
100
0
010
1
00
dt
td
td
td
Tnn
nn
jLFSR
Jumping LFSR Transition Matrix
dn
Mn
tn
dn-1
Mn-1
tn-1
d1
M1
t1
s
10000
1
000
100
10
1
,1
,21,2
,21,223
,11,11312
nn
nnnn
nn
nn
m
mm
mmm
mmmm
M
1;
1;
;0
;1
21,
1,121,,
idm
ijnmdm
ij
ji
m
jnji
jijnjiji
Jumping LFSR – LFSR Similarity Transform Matrix:
20081008 CJ 6
And Another LFSMJumping LFSR – jumping GC Similarity Transform Matrix:
n
n
nn
jGC
d
d
d
tttdt
T
100
0
10
001
1
2
1211
Jumping GC Transition Matrix
d1 d2 dns
tnt2t1
10000
1
000
100
10
1
12
1323
1,11,223
,11,11312
m
mm
mmm
mmmm
M
nn
nn
njitddm
ijnmddm
ij
ji
m
jinjji
jiinjjiji
or1;)(
1;)(
;0
;1
1111,
1,1111,,
20081008 CJ 7
Other LFSMs Include:
Subfield implementations Optimized transition matrices
Implementation complexity (#gates) Side channel characteristics
Are just simple linear transforms away from each other… Similarity Transform Matrices
20081008 CJ 8
Pomaranch V3 Family
S-box: x-1 mod I(x)
Subfield implementation
M-1
10000
1
000
100
10
1
,1
,21,2
,21,223
,11,11312
nn
nnnn
nn
nn
m
mm
mmm
mmmm
M
M
10000
1
000
100
10
1
,1
,21,2
,21,223
,11,11312
nn
nnnn
nn
nn
m
mm
mmm
mmmm
M
Different irreducible polynomial
Different (sub)field implementation
Different F/S sequence (subfield elts)
Different feedback tapsDifferent Register
M
10000
1
000
100
10
1
,1
,21,2
,21,223
,11,11312
nn
nnnn
nn
nn
m
mm
mmm
mmmm
M
F F S SS F
6 1
20081008 CJ 9
0,:
0,:Transition State
),,,(:State LFSM
0
1
021
t
ttt
tt
ttL
tL
t
T
T
)( ofroot a of role theplays i.e. ,0)(
)det()(
:Then
of Polynomial sticCharacteri thebe )(Let
xCC
xxC
xC
TT
TI
T
A Linear Finite State Machine
0
:RelationLinear
:bitsOutput
01111
0
STT
ST
Coococo
o
tttLtLLt
tt
L-1
ML
c0
L-2
ML-1
c1
0
M1
cL-1
o
1
2
1
0
100
010001000
:(LFSR)Matrix Transition
Lc
ccc
T
20081008 CJ 10
Irregularly Clocked LFSMs Two or more Transition Matrices
Selected by some external control signal May change per output bit produced
Classic clock control: Jump control:
0
:RelationLinear
:bitsOutput
011011010
001111
100
11
SITTTTTT
STT
aaaoaoaoaoa
o
LL LL
tttLtLLtL
tt
eTTTT 10 ,ITTTT 10 ,
20081008 CJ 11
Linear Relations Linear relations in L+1 output bits of
irregularly stepped LFSM always occur Objective is to determine all linear relations
(aL,…,a0) and their occurrences (all combinations of external control signal bits resulting in Lin.Rel.)
Here output bits of Binary Jump Registers are considered
Bias in occurrence of Linear Relations leads to cryptanalysis
20081008 CJ 12
Power Polynomial & Notation Power Polynomial dependent on jump control bits ji
Linear Relation Coefficients for LFSM output bits ot
LFSM Characteristic Polynomial
Linear Relation
011
1)( cxcxcxcxC LL
LL
0,,,, 01111011 ttLtLLtLLL oaoaoaoaaaaa
0,
0,1)(
1
011
1
iijxpxpxpxpxP
jumping of casein )()(mod0)(0
xCxCxPaL
20081008 CJ 13
Solving for Linear Relations
Always solution: determinant = 1 Upper triangular matrix: use back substitution
)()(0
xCxPaL
011
10
10
12
021
011 ,,,,
1000
10010
1
,,,, ccccp
ppppp
aaaa LL
LLL
LLL
LL
LL
Lipaca
capapa
capapacapaca
L
ij
jijii
LL
LL
LLLLL
LLL
LLLLL
LL
0,
1
001
010
221212
111
Matrix PL
20081008 CJ 14
Basic AlgorithmTo determine the linear relation coefficients, given the L jump control bits and the LFSM’s Characteristic Polynomial C(x) of degree L
0,,Return .4
0 else 2.3
)()()(;1 then if 3.1
do 0 downto for .3
)()( polynomialauxiliary Set .2
,,1),( theCalculate .1
aa
a
xPxHxHaph
Li
xCxH
LxP
L
i
iiiii
Clearly the coefficients aL,…,a0 are functions of cL,…,c0 and the jump control bits jL,…,j1
Linear in L as polynomial arithmetic is used (in 32-/64-bit words)!But exponentially many combinations of jump control bits needed to determine LES /LEB!
20081008 CJ 15
Solving for Linear Relations Rev.
Matrix PL expanded into ji :
Note the relation from the definition of Pl :
111
,1
iii pjppp
10001000
10000100
101
,,,,
1
1212
123121323123
11
11211
011
jjjjjjjjjjjjjjjjj
jjjjjjjjjj
aaaa
L
LLLL
LL
20081008 CJ 16
Solving for Linear Relations (2)
The inverse matrix obtained through back substitution1
10
10
12
021
10
10
12
021
1000
10010
1
1000
10010
1
p
ppppp
e
eeeee
LLL
LLL
LL
LLL
LLL
LL
1;1
ii
ijj
jii epee
0,10 je 11
11
iiii ejee
20081008 CJ 17
Solving for Linear Relations (3)So far we have:
• Shown on next slide in hexadecimal truth table form• Contains Linear Relations for all 2l combinations of Jump Control bits in one vector
10001000
10000100
101
,,,,
1
112
11212123
12123121323
11
11111
011
jjjjjjjjjjjj
jjjjjjjjjjjjj
jjjjjj
cccc
L
LLL
LL
20081008 CJ 18
Linear Relation Coefficient Vectorsa0 a1 a2 a3 a4 a5 a6
c0 3 0 00 0000 00000000 0000000000000000 0000000000000000 0000000000000000c1 1 F 00 0000 00000000 0000000000000000 0000000000000000 0000000000000000c2 1 6 FF 0000 00000000 0000000000000000 0000000000000000 0000000000000000c3 1 7 69 FFFF 00000000 0000000000000000 0000000000000000 0000000000000000c4 1 6 7E 6996 FFFFFFFF 0000000000000000 0000000000000000 0000000000000000c5 1 7 68 7EE8 69969669 FFFFFFFFFFFFFFFF 0000000000000000 0000000000000000c6 1 6 7F 6880 7EE8E881 6996966996696996 FFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFc7 1 7 69 7FFF 68808001 7EE8E881E8818117 6996966996696996 9669699669969669c8 1 6 7E 6996 7FFFFFFE 6880800180010116 7EE8E881E8818117 E88181178117177Ec9 1 7 68 7EE8 69969668 7FFFFFFEFFFEFEE8 6880800180010116 8001011601161668c10 1 6 7F 6880 7EE8E880 6996966896686880 7FFFFFFEFFFEFEE8 FFFEFEE8FEE8E880c11 1 7 69 7FFF 68808000 7EE8E880E8808000 6996966896686880 9668688068808000c12 1 6 7E 6996 7FFFFFFF 6880800080000000 7EE8E880E8808000 E880800080000000c13 1 7 68 7EE8 69969669 7FFFFFFFFFFFFFFF 6880800080000000 8000000000000000c14 1 6 7F 6880 7EE8E881 6996966996696996 7FFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFc15 1 7 69 7FFF 68808001 7EE8E881E8818117 6996966996696996 9669699669969669c16 1 6 7E 6996 7FFFFFFE 6880800180010116 7EE8E881E8818117 E88181178117177Ec17 1 7 68 7EE8 69969668 7FFFFFFEFFFEFEE8 6880800180010116 8001011601161668c18 1 6 7F 6880 7EE8E880 6996966896686880 7FFFFFFEFFFEFEE8 FFFEFEE8FEE8E880c19 1 7 69 7FFF 68808000 7EE8E880E8808000 6996966896686880 9668688068808000c20 6880800080000000 7EE8E880E8808000 E880800080000000c21 7FFFFFFFFFFFFFFF 6880800080000000 8000000000000000c22 7FFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF
20081008 CJ 20
Symmetric Boolean Functions
nnnnxxnn xxSxxSxxSn
,,,,:,, 11,,1 1
n
mn
mnmnnn
mn xxSxxSxxS
0111 ,,,,:,,
Symmetric Boolean Functions of order m, nm0
Function values: nH
n
mmnn xxwwm
wxxS ,,;2mod,, 10
1
Property: 111111
11 ,,,,,, n
mnn
mnnn
mn xxSxxSxxxS
20081008 CJ 21
Symmetric Boolean Functions
General SBFs:
1112
2121
11101
12
211
10
11
00
1
)()()(
)()()(
: with,
nnnnnnn
nnnnnnn
nnnnnn
nnnn
SSSS
SSSS
SSSS
SSSx
Proposition:
11
10
11
11
111
1 21,
nnnn
nn
nn
nn
nnn
nn
nnn
mn
mn
mn
mn
mnn
SSSx
SSSSx
SSx
nmSSSSSx
20081008 CJ 22
Applying SBFsThe inverse matrix:
10000010000
1000
10010
1
1000
10010
1
11
11
12
12
22
13
12
13
23
11
11
11
21
1
10
10
12
021
SSS
SSSSSS
SSSSS
e
eeeee L
LLL
LLL
LLL
LL
11
11
iiii ejee
nmSnmSS
S nn
mn
mnm
n ;;1From Proposition
20081008 CJ 23
Applying SBFs Same columnwise recursion for all
matrix elements above diagonal Linear SBF allways included
Very compact representation SBF vector of length n versus truth
table of length 2n Easy to evaluate SBFs
n+1 weight values
20081008 CJ 24
Calculating Linear Relations
126A1E2266AA1FE202206A1E22266E220120262
011FE26201AA1FE262
0166AAFE262012266AA7E22
011E22662A3E2201A1E22662A1E2
016A1E2226AE20126A1E226A2
0126A1E2620126A1E262
0126AE220126A62
01262201262
0122012
0000000000000000001
18
17
16
15
11314
13
12
11
10
9
8
7
6
5
4
3
2
1
0
1817161514131211109876543210
cccc
fccccccccccccccc
aaaaaaaaaaaaaaaaaaa
L
ik
iikki fca
1;2mod2 12
1
kfff ik
iik
ik
20081008 CJ 25
Pomaranch V3 Even sections: 1410761
Odd sections: 1501203
134C14C345CE1523F6B1D27719B2C14411410761 1817161514131211109876543210 aaaaaaaaaaaaaaaaaaa
145678121718 xxxxxxxx
179151718 xxxxxx
J = 84074, LEB = 660, |LES| = 7172
134D16A3E4D217639B2AC1F5E12262AE311501203 1817161514131211109876543210 aaaaaaaaaaaaaaaaaaa
J =27044, LEB = 720, |LES| = 4962
20081008 CJ 26
All Linear Relations
111810017110016101001511110014100010113110011101210101001011111111011010100000110109110000101111810100011100007111100100100006100010110110001511001110110100114101010011011101013111111010110011111210000011110101000011110000100011111000101817161514131211109876543210 aaaaaaaaaaaaaaaaaaawH C(x): 1410761
C(x+1): 1410237
20081008 CJ 27
Conclusions
Similarity Transforms: Jumping LFSMs optimized for implementation
Linear Relations in output of jump controlled LFSMs: Coefficients are symmetric Boolean
functions of jump control bits Speed-up of LES/LEB calculations
enormously Generalizations