Recent Attacks on the Filter Generator Tor Helleseth Department of Informatics University of Bergen NORWAY Joint work: Sondre Rønjom and Guang Gong

Upload: myles-mcgee

Post on 02-Jan-2016



Recent Attacks on the Filter Generator

Tor Helleseth

Department of Informatics

University of Bergen

NORWAY

Joint work: Sondre Rønjom and Guang Gong


Outline

• Filter generator

- m-sequences

- Nonlinear Boolean functions

• Standard algebraic attack on the filter generator

• New attack on the binary filter generator

• Extending attack to filter generator over $GF(2^m)$

• Linear representations of filter generator

• Generalizations of attack


m-Sequence (Example)

$(s_t)$: 000100110101111…

$s_{t+4} = s_{t+1} + s_t$

$g(x) = x^4 + x + 1$

Properties of m-sequences

• Period $\varepsilon = 2^n - 1$

• Balanced

• Run properties

• st+st+=st+

• Two-level autocorrelation

• $s_t = \mathrm{Tr}_n(A\alpha^t) = \sum_j (A\alpha^t)^{2^j} = A_1\alpha^{t} + A_2\alpha^{2t} + A_3\alpha^{4t} + A_4\alpha^{8t}$


Binary Filter Generator

[Figure: filter generator; labels: LFSR, $f$, $z_t$]

• LFSR of length $n$ generating an m-sequence $(s_t)$ of period $2^n - 1$ determined by initial state $(s_0, s_1, \dots, s_{n-1})$

• Nonlinear Boolean function $f(x_0, x_1, \dots, x_{n-1})$ of degree $d$

$f(x_0, x_1, \dots, x_{n-1}) = \sum c_{a_0 a_1 \dots a_{r-1}}\, x_{a_0} x_{a_1} \cdots x_{a_{r-1}} = \sum_A c_A x_A$

Keystream

$z_t = f(s_t, s_{t+1}, \dots, s_{t+n-1}) = f_t(s_0, s_1, \dots, s_{n-1})$


Standard Algebraic Attack

• Shift register m-sequence $(s_t)$ of period $2^n - 1$

• Boolean function $f(x_0, x_1, \dots, x_{n-1})$ of degree $d$: $z_t = f(s_t, s_{t+1}, \dots, s_{t+n-1}) = f_t(s_0, s_1, \dots, s_{n-1})$

• Nonlinear equation system of degree $d$ in $n$ unknowns $s_0, \dots, s_{n-1}$

• Reduce to linear system in $D$ unknown monomials

• $D = \binom{n}{d} + \binom{n}{d-1} + \cdots + \binom{n}{1}$

• Need about $D$ keystream bits

• Complexity $D^{\omega}$, $\omega = \log_2 7 \approx 2.807$

• Courtois, Canteaut: filter generator to be secure needs

- $n = 128$, $d \ge 16$, complexity $> 2^{128}$ ($\omega \approx 2$)

- $n = 256$, $d \ge 30$, complexity $> 2^{256}$ ($\omega \approx 2$)


New Algebraic Attack

• Rønjom-Helleseth 2006

• Recovering initial state of the binary filter generator in complexity

- Pre-computation $O(D (\log_2 D)^3)$

- Attack $O(D)$

- Need $D$ keystream bits

• Main idea - Coefficient sequences of $I = \{i_0, i_1, \dots, i_{r-1}\}$

- Consider (binary) coefficient $K_{I,t}$ in $f_t(s_0, s_1, \dots, s_{n-1})$ of the monomial $s_I = s_{i_0} s_{i_1} \cdots s_{i_{r-1}}$ at time $t$

- $K_{I,t}$ obeys some nice recursions


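Example - Coefficient Sequences

• Let $s_{t+4} = s_{t+1} + s_t$, i.e., $s_4 = s_1 + s_0$

• $z_t = f(s_t, s_{t+1}, s_{t+2}, s_{t+3}) = s_{t+2} + s_t s_{t+1} + s_{t+1} s_{t+2} s_{t+3} + s_t s_{t+1} s_{t+2} s_{t+3}$

• $z_0 = f_0(s_0, s_1, s_2, s_3) = s_2 + s_0 s_1 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3$

• $z_1 = f_1(s_0, s_1, s_2, s_3) = s_3 + s_1 s_2 + s_0 s_2 s_3 + s_0 s_1 s_2 s_3$

• $z_2 = f_2(s_0, s_1, s_2, s_3) = s_0 + s_1 + s_1 s_3 + s_2 s_3 + s_0 s_1 s_3 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3$

• $z_3 = f_3(s_0, s_1, s_2, s_3) = s_1 + s_2 + s_0 s_2 + s_0 s_3 + s_1 s_3 + s_0 s_1 s_2 + s_0 s_2 s_3 + s_0 s_1 s_2 s_3$

• $z_4 = f_4(s_0, s_1, s_2, s_3) = s_1 + s_2 + s_3 + s_0 s_1 + s_0 s_2 + s_1 s_2 + s_0 s_1 s_3 + s_0 s_1 s_2 s_3$

• $z_5 = f_5(s_0, s_1, s_2, s_3) = s_0 + s_1 + s_2 + s_3 + s_1 s_3 + s_2 s_3 + s_0 s_1 s_2 + s_0 s_1 s_3 + s_0 s_1 s_2 s_3$

Some coefficient sequences

$I = \{0,1,2,3\}$: $K_{I,t}$ = 1 1 1 1 1 1...

$I = \{0,2,3\}$: $K_{I,t}$ = 0 1 0 1 0 0...

$I = \{1,3\}$: $K_{I,t}$ = 0 0 1 1 0 1...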


Coefficient Sequence

• Let $I = \{i_0, i_1, \dots, i_{r-1}\}$ and $s_I = s_{i_0} s_{i_1} \cdots s_{i_{r-1}}$

• The coefficient of the monomial $s_I$ at time $t$ is called $K_{I,t}$

• The coefficient sequence $K_{I,t}$ is defined by

$z_t = f(s_t, s_{t+1}, \dots, s_{t+n-1}) = f_t(s_0, s_1, \dots, s_{n-1}) = \sum_I s_I K_{I,t}$

• The main idea behind the attack is to determine the characteristic polynomial of $K_{I,t}$

• The main task is to compute a polynomial $p(x) = \sum_j p_j x^j$ that generates $K_{I,t}$ for $|I| \ge 2$ (and hopefully not $K_{I,t}$ for $|I| = 1$).


Coefficient Sequences – Example

$f(s_0, s_1, s_2, s_3) = s_2 + s_0 s_1 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3$; $s_4 = s_0 + s_1$

f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14

s0 0 0 1 0 0 1 1 1 1 0 1 0 0 0 1 K0,t

s1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 1 K1,t

s2 1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 K2,t

s3 0 1 0 0 1 1 1 1 0 1 0 0 0 1 0 K3,t

s0s1 1 0 0 0 1 0 0 1 0 1 1 0 0 0 0 K01,t

s0s2 0 0 0 1 1 0 1 1 0 1 1 0 0 0 0 K02,t

s1s2 0 1 0 0 1 0 1 1 0 0 0 0 1 0 0 K12,t

s0s3 0 0 0 1 0 0 1 0 1 1 0 0 0 0 1 K03,t

s1s3 0 0 1 1 0 1 1 0 1 1 0 0 1 0 0 K13,t

s2s3 0 0 1 0 0 1 0 1 1 0 0 0 1 0 0 K23,t

s0s1s2 0 0 0 1 0 1 0 0 1 1 0 1 1 1 0 K012,t

s0s1s3 0 0 1 0 1 0 0 1 1 0 1 1 1 0 0 K013,t

s0s2s3 0 1 0 1 0 0 1 1 0 1 1 1 0 0 0 K023,t

s1s2s3 1 0 1 0 0 1 1 0 1 1 1 0 0 0 0 K123,t

s0s1s2s3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 K0123,t


Recursion - Coefficient Sequences

f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14

s0 0 0 1 0 0 1 1 1 1 0 1 0 0 0 1 K0,t

s1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 1 K1,t

s2 1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 K2,t

s3 0 1 0 0 1 1 1 1 0 1 0 0 0 1 0 K3,t

s0s1 1 0 0 0 1 0 0 1 0 1 1 0 0 0 0 K01,t

s0s2 0 0 0 1 1 0 1 1 0 1 1 0 0 0 0 K02,t

s1s2 0 1 0 0 1 0 1 1 0 0 0 0 1 0 0 K12,t

s0s3 0 0 0 1 0 0 1 0 1 1 0 0 0 0 1 K03,t

s1s3 0 0 1 1 0 1 1 0 1 1 0 0 1 0 0 K13,t

s2s3 0 0 1 0 0 1 0 1 1 0 0 0 1 0 0 K23,t

s0s1s2 0 0 0 1 0 1 0 0 1 1 0 1 1 1 0 K012,t

s0s1s3 0 0 1 0 1 0 0 1 1 0 1 1 1 0 0 K013,t

s0s2s3 0 1 0 1 0 0 1 1 0 1 1 1 0 0 0 K023,t

s1s2s3 1 0 1 0 0 1 1 0 1 1 1 0 0 0 0 K123,t

s0s1s2s3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 K0123,t


Calculating $g_i(x)$ - $m = 4$

Characteristic polynomial $g(x) = x^4 + x + 1$

• $g(\alpha) = \alpha^4 + \alpha + 1 = 0$, $\alpha^{15} = 1$

• $g_4(x) = \prod_{wt(l)=4}(x + \alpha^l) = x + 1$

• $g_3(x) = \prod_{wt(l)=3}(x + \alpha^l) = x^4 + x^3 + 1$

• $g_2(x) = \prod_{wt(l)=2}(x + \alpha^l) = (x^4 + x^3 + x^2 + x + 1)(x^2 + x + 1)$

• $g_1(x) = \prod_{wt(l)=1}(x + \alpha^l) = x^4 + x + 1$

• $p(x) = g_2(x) g_3(x) g_4(x) = x^{11} + x^8 + x^7 + x^5 + x^3 + x^2 + x + 1 = \sum_i p_i x^i$

• $K_{I,t}$, $|I| = 4$ generated by $g_4(x)$ (and by $p(x)$)

• $K_{I,t}$, $|I| = 3$ generated by $g_3(x) g_4(x)$ (and by $p(x)$)

• $K_{I,t}$, $|I| = 2$ generated by $g_2(x) g_3(x) g_4(x)$ (and by $p(x)$)

• $K_{I,t}$, $|I| = 1$ generated by $g_1(x) g_2(x) g_3(x) g_4(x)$


Characteristic polynomial of $K_{I,t}$

• $(s_t) \in \Omega(g(x))$ (denotes $(s_t)$ is generated by $g(x)$)

- Zeros of $g(x)$: $\alpha^{2^i}$ ($= \alpha^r$), $w(r) = 1$

- $z_t = f(s_t, s_{t+1}, \dots, s_{t+n-1}) = \sum_I s_I K_{I,t}$, $d = \deg(f)$

- $s_t = \sum_i s_i l_{it}$ ($l_{it} \in \Omega(g(x))$, $l_{it} = \sum_j A_{ij} \alpha^{2^j t}$)

Let $|I| = d$: $K_{I,t} \in \Omega(g_d(x))$ with zeros $\alpha^r$, $w(r) = d$

Let $|I| = d-1$: $K_{I,t} \in \Omega(g_{d-1}(x) g_d(x))$ with zeros $\alpha^r$, $w(r) \in \{d-1, d\}$

...........................

Let $|I| = 2$: $K_{I,t} \in \Omega(g_2(x) \cdots g_d(x))$ with zeros $\alpha^r$, $w(r) \in \{2, 3, \dots, d\}$

Conclusion

$K_{I,t} \in \Omega(p(x))$, $p(x) = g_2(x) \cdots g_d(x)$, for all coefficient sequences with $|I| \ge 2$ (i.e., for all nonlinear terms)


Key Argument in Attack

• From the received keystream $z_j$ for $j = 0, 1, \dots, D-1$ compute for $t = 0, 1, \dots, n-1$

$z_t^* = \sum_j p_j z_{t+j}$ ($= \sum_j p_j f_{t+j}(s_0, s_1, \dots, s_{n-1})$)

$= \sum_j p_j \sum_I s_I K_{I,t+j}$

$= \sum_I s_I \sum_j p_j K_{I,t+j}$

$= \sum_{|I| \le 1} s_I \sum_j p_j K_{I,t+j}$

= Affine in $s_0, s_1, \dots, s_{n-1}$

gives a linear $n \times n$ system of equations for finding the (initial state) $s_0, s_1, \dots, s_{n-1}$


The New Attack

• $z_t = f(s_t, s_{t+1}, \dots, s_{t+n-1}) = f_t(s_0, s_1, \dots, s_{n-1}) = \sum_I s_I K_{I,t}$

Precomputation - Complexity $O(D(\log_2 D)^3)$

• Compute $p(x) = \prod_{d \ge wt(l) \ge 2}(x + \alpha^l)$ of degree $D - n$ that generates all coefficient sequences $K_{I,t}$ for $|I| \ge 2$ (and hopefully not $K_{I,t}$ for $|I| = 1$)

• Compute $f_t^*(s_0, s_1, \dots, s_{n-1}) = \sum_j p_j f_{t+j}(s_0, s_1, \dots, s_{n-1})$ ($= z_t^* = \sum_j p_j z_{t+j}$) for $t = 0, 1, \dots, n-1$

• (Need only linear part of $f_{t+j}$ and only $f_0^*$ since $f_1^*, f_2^*, \dots, f_{n-1}^*$ easily found from $f_0^*$. If $f_0^* = 0$ need to modify attack)

Attack – Complexity $O(D)$

• From the received keystream $z_i$ for $i = 0, 1, \dots, D-1$ compute $z_t^* = \sum_j p_j z_{t+j}$ ($= \sum_I s_I \sum_j p_j K_{I,t+j} = f_t^*$ = Affine in $s_0, s_1, \dots, s_{n-1}$)

gives a linear $n \times n$ system of equations for finding the bits in initial state (secret key) $s_0, s_1, \dots, s_{n-1}$


The Attack - Example

Precomputation ($f_0^* = f_{11} + f_8 + f_7 + f_5 + f_3 + f_2 + f_1 + f_0$)

     f0*  f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14
s0   0    0  1  0  0  1  1  1  1  0  1   0   0   0   1
s1   1    0  1  1  1  1  0  1  0  0  0   1   0   0   1
s2   0    0  0  1  1  1  1  0  1  0  0   0   1   0   0
s3   1    1  0  0  1  1  1  1  0  1  0   0   0   1   0

Attack – Keystream 100010010011110

Equation system ($z_t^* = z_{t+11} + z_{t+8} + z_{t+7} + z_{t+5} + z_{t+3} + z_{t+2} + z_{t+1} + z_t$)

$f_0^* = s_1 + s_3 = z_0^* = 1$

$f_1^* = s_0 + s_1 + s_2 = z_1^* = 0$

$f_2^* = s_1 + s_2 + s_3 = z_2^* = 0$

$f_3^* = s_0 + s_1 + s_2 + s_3 = z_3^* = 1$

Solution (secret key) $s_0 = 1$, $s_1 = 0$, $s_2 = 1$, $s_3 = 1$
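
The worked example above, carried through in code. This is an added illustration, not code from the authors: it builds $p(x)$ from its roots in GF(16), filters the keystream with it, and solves the resulting 4 x 4 system. All function names are assumptions, and the affine forms $f_t^*$ are obtained by evaluating the generator on the zero state and the unit states (valid because $z_t^*$ is affine in the state) rather than by the $O(D(\log_2 D)^3)$ precomputation.

```python
N = 4  # LFSR length; recurrence s_{t+4} = s_{t+1} + s_t, g(x) = x^4 + x + 1

def keystream(state, length):
    """z_t = f(s_t..s_{t+3}) with the example filter function f from the slides."""
    s = list(state)
    while len(s) < length + N:
        s.append(s[-4] ^ s[-3])
    return [s[t + 2] ^ (s[t] & s[t + 1]) ^ (s[t + 1] & s[t + 2] & s[t + 3])
            ^ (s[t] & s[t + 1] & s[t + 2] & s[t + 3]) for t in range(length)]

def annihilator(d=4):
    """p(x) = prod (x + alpha^l), 1 <= l <= 15, 2 <= wt(l) <= d; low degree first."""
    exp = [1]
    for _ in range(14):  # alpha^i in GF(16), reduced modulo x^4 + x + 1
        v = exp[-1] << 1
        exp.append(v ^ 0b10011 if v & 16 else v)
    log = {v: i for i, v in enumerate(exp)}
    p = [1]
    for l in range(1, 16):
        if 2 <= bin(l).count("1") <= d:
            times_x = [0] + p
            times_root = [exp[(log[c] + l) % 15] if c else 0 for c in p] + [0]
            p = [a ^ b for a, b in zip(times_x, times_root)]
    return p

def filtered(z, p, t):
    """z*_t = sum_j p_j z_{t+j} over GF(2)."""
    return sum(pj & z[t + j] for j, pj in enumerate(p)) & 1

def recover_state(z, p):
    """Build and solve the n x n system z*_t = f*_t(s_0..s_{n-1}) over GF(2)."""
    D = len(p) - 1 + N
    zero = keystream([0] * N, D)  # gives the constant term of each f*_t
    unit = [keystream([int(i == k) for i in range(N)], D) for k in range(N)]
    rows = []
    for t in range(N):
        c = filtered(zero, p, t)
        rows.append([filtered(u, p, t) ^ c for u in unit] + [filtered(z, p, t) ^ c])
    for col in range(N):  # Gauss-Jordan elimination
        piv = next((r for r in range(col, N) if rows[r][col]), None)
        if piv is None:
            raise ValueError("singular system: the attack must be modified")
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(N):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [row[N] for row in rows]

Z = [int(b) for b in "100010010011110"]  # keystream given in the slides' example
P = annihilator()                         # x^11 + x^8 + x^7 + x^5 + x^3 + x^2 + x + 1
```

`recover_state(Z, P)` returns the initial state in the order $(s_0, s_1, s_2, s_3)$.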


Filter Generator over $GF(2^m)$

• LFSR of length $k$ generating an m-sequence $(S_t)$ of period $2^n - 1$ over $GF(2^m)$, $n = mk$

• Boolean function $f(x_0, x_1, \dots, x_{m-1})$ of degree $d$ ($f$ acts on single $m$-bit word $S_t = (s_{mt}, s_{mt+1}, \dots, s_{mt+m-1})$)

Keystream

$z_t = f(s_{mt}, s_{mt+1}, \dots, s_{mt+m-1}) = f_t(s_0, s_1, \dots, s_{n-1})$

[Figure: filter generator; labels: LFSR, $f$, $z_t$]


Filter Generator over $GF(2^m)$

• Let $S_t = (s_{mt}, s_{mt+1}, \dots, s_{mt+m-1})$

• Let $(s_0, s_1, \dots, s_{n-1})$ be the $n = mk$ bits in initial state

• Define coefficient sequences $z_t = \sum_I s_I K_{I,t}$

Results

1. $K_{I,t}$ generated by $g_{|I|}(x)$ with zeros $\alpha^r$, $|I| \le w(r) \le d$

2. Linear complexity of $z_t$ is reduced (when $f$ acts on single word). Typically reduction in linear complexity is by a factor of roughly $e^{-d^2(k-1)/2n}$


WG Cipher

• LFSR of length $k = 11$ over $GF(2^{29})$ ($n = 319$)

• Boolean function of degree 11 acts on a single 29-bit word

• Linear complexity of keystream $L = 2^{45.014}$

• $L \ll D = \binom{319}{11}$

• Restrict keystream to $2^{45}$ bits

• Attack can reconstruct initial state with complexity $L$ with precomputation of complexity $O(L(\log_2 L)^3) \approx 2^{62}$ but needs $L$ bits of keystream


Linear Representation - Filter Generator

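• Example $s_{t+3} = s_{t+1} + s_t$

• State $S_{t+1} = S_t T_1$, $S_t = (s_t, s_{t+1}, s_{t+2})$

$(s_1, s_2, s_3) = (s_0, s_1, s_2) T_1$, $T_1 = \begin{bmatrix} 0 & 0 & 1 \\ 1 & 0 & 1 \\ 0 & 1 & 0 \end{bmatrix}$

• Extended state

$S_t = (s_t, s_{t+1}, s_{t+2}, s_t s_{t+1}, s_t s_{t+2}, s_{t+1} s_{t+2}, s_t s_{t+1} s_{t+2})$

• Then

$S_0 = (s_0, s_1, s_2, s_0 s_1, s_0 s_2, s_1 s_2, s_0 s_1 s_2)$

↓ $T$

$S_1 = (s_1, s_2, s_3, s_1 s_2, s_1 s_3, s_2 s_3, s_1 s_2 s_3)$

$= (s_1, s_2, s_0 + s_1, s_1 s_2, s_1 + s_0 s_1, s_0 s_2 + s_1 s_2, s_0 s_1 s_2 + s_1 s_2)$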


Matrix Representation – Filter Generator

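$S_0 = (s_0, s_1, s_2, s_0 s_1, s_0 s_2, s_1 s_2, s_0 s_1 s_2)$

↓ $T$

$S_1 = (s_1, s_2, s_0 + s_1, s_1 s_2, s_1 + s_0 s_1, s_0 s_2 + s_1 s_2, s_0 s_1 s_2 + s_1 s_2)$

$T$ = (rows indexed by the entries of $S_0$, columns by the entries of $S_1$)

          s1  s2  s3  s1s2  s1s3  s2s3  s1s2s3
s0        0   0   1   0     0     0     0
s1        1   0   1   0     1     0     0
s2        0   1   0   0     0     0     0
s0s1      0   0   0   0     1     0     0
s0s2      0   0   0   0     0     1     0
s1s2      0   0   0   1     0     1     1
s0s1s2    0   0   0   0     0     0     1

• $S_{t+1} = S_t T$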


T - Transforms Boolean Function

• Let $I = \{i_0, i_1, \dots, i_{r-1}\}$ and $s_I = s_{i_0} s_{i_1} \cdots s_{i_{r-1}}$

• $f(s_0, s_1, \dots, s_{n-1}) = \sum_I c_{I,f}\, s_I$

• Consider $f$ as a vector (in a natural way) such that

$f = (0101101)$ ($= c_{I,f}$) ↔ $s_1 + s_0 s_1 + s_0 s_2 + s_0 s_1 s_2$

• Then

$f_{t+1} = T f_t$

• Thus the equations in filter generator are

$z_t = S_0 T^t f$

represents the relation

$z_t = f_t(s_0, s_1, \dots, s_{n-1}) = f(s_t, s_{t+1}, \dots, s_{t+n-1})$


$T^t$ - Coefficient Sequences

• Let $I$, $J$ be subsets of $\{0, 1, \dots, n-1\}$

• Let $J = \{j_0, j_1, \dots, j_{r-1}\}$

• $g_i(x) = \prod_{wt(l)=i}(x + \alpha^l)$

• $s_{t+J} = s_{t+j_0} s_{t+j_1} \cdots s_{t+j_{r-1}} = \sum_I s_I K_{I,J,t}$

• $K_{I,J,t}$ generated by $g_{|I|}(x)\, g_{|I|+1}(x) \cdots g_{|J|}(x)$

• Lemma: Let $p(x) = g_2(x) \cdots g_d(x)$

- $(T^t)_{I,J} = K_{I,J,t}$

- $p(T) = 0$ except for the elements in the first $n$ rows


Attack Described Using T

• Let $p(x) = g_2(x) \cdots g_d(x)$, $g_i(x) = \prod_{wt(l)=i}(x + \alpha^l)$

• $z_t = S_0 T^t f$

• From the received keystream $z_j$ for $j = 0, 1, \dots, D-1$ compute for $t = 0, 1, \dots, n-1$

$z_t^* = \sum_j p_j z_{t+j}$ ($= \sum_j p_j f_{t+j}(s_0, s_1, \dots, s_{n-1})$)

$= S_0 \sum_j p_j T^{t+j} f$

$= S_0 T^t \sum_j p_j T^j f$

$= S_0 T^t p(T) f$

= Affine in $s_0, s_1, \dots, s_{n-1}$

gives a linear $n \times n$ system of equations for finding the (initial state) $s_0, s_1, \dots, s_{n-1}$ since all rows except the first $n$ rows in $p(T)$ are 0


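Finding Initial State

• Let $s_t = \mathrm{Tr}(\beta\alpha^t)$ represent initial state of LFSR

• Let $g_i(x)$ have zeros $\alpha^j$ where $wt(j) = i$

• Let $z_t = \sum_j \mathrm{Tr}(A_j (\beta\alpha^t)^j) \in \Omega(g_1 g_2 \cdots g_d)$

• Let $p(x) = (g_1 g_2 \cdots g_d)/p_k$, $p_k(x)$ min. pol. of $\alpha^k$, $wt(j) \le d$, where $A_k \ne 0$ and $\gcd(k, 2^n - 1) = 1$

• Then $u_t = p(E) z_t = \sum_j p_j z_{t+j} = \sum_j \mathrm{Tr}(A_j \beta^j p(\alpha^j) \alpha^{tj}) = \mathrm{Tr}(A_k \beta^k p(\alpha^k) \alpha^{tk})$

• Let $r = A_k \beta^k p(\alpha^k)$ and we can find $r$

• Gong (1990) gives explicit formulas for $A_k$

• Since $A_k \ne 0$ if $\gcd(k, 2^n - 1) = 1$ we find $\beta$, i.e. the initial state (alternatively, if $\gcd(k, 2^n - 1) > 1$ we do it once more to find $k'$ and hopefully $\gcd(k - k', 2^n - 1) > 1$)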


Conclusions

• New attack on the filter generator of complexity O(D)

• If $z_t \in \Omega(h(x))$ for all keystreams for some $h(x)$ of degree $L$ ($< D$) then initial state can be recovered in complexity $O(L)$ with a precomputation $O(L(\log_2 L)^3)$

• Linear representation related to coefficient sequences

• Generalized to filter generator over $GF(2^m)$

• Can be generalized to LSM, not necessarily LFSR

• Can be generalized to nonlinear combiner generator

• Can reduce number of known bits needed by finding a sequence $b_t$ such that $z_t b_t = a_t$ has certain properties


Simple underlying idea

• Let

$z_t = A_1 \alpha_1^t + A_2 \alpha_2^t + \dots + A_D \alpha_D^t$

• Let $p(x)$ have roots $\alpha_i$

• Compute $p(E) z_t = \sum_j p_j z_{t+j}$

• Then

$u_t = p(E) z_t = \sum_i A_i\, p(\alpha_i)\, \alpha_i^t$