selective dft attacks against e0
Post on 30-Dec-2015
22 Views
Preview:
DESCRIPTION
TRANSCRIPT
Selective DFT Attacks against E0
Jingjing WANG, Kefei CHEN
Outline
• Brief introduction to– DFT, DFT Attack, E0
• Selective DFT Filter for Nonlinear Filter Generator
• Our Attack against E0– And combiner with memory in general
What is DFT?
• DFT = discrete Fourier transform– Used in analysis of signals
• Fourier transform has one amazing feature– Sin signal
– After Fourier transform
– Is much simpler!
What is DFT Attack?
• Discrete Fourier transform (DFT) Attack– Do DFT for periodic sequence, resulting in
equations in GF(2^n)– For unknowns, solve it in GF(2^n)
• Selective DFT Attack proposed for nonlinear filter by G. GONG– Unknowns: DFT coefficients of the LFSR sequence– Solve equations by: selective DFT filter
Selective DFT Filter
• Selective DFT filter speeds up the DFT attack by– Filtering out few* components of the DFT result of
the keystream– *the optimal number is one and the number of
corresponding unknowns is no greater than n
What is E0 Keystream Generator?
• E0 is a combiner with memory– 4 LFSRs– 2-bit memory with update function
– Combine and output:
Extend DFT Attack to Combiner with Memory
• To eliminate most items– Selective DFT filter needs:– Same equation– Filter function corresponds to the linear combination
(the eliminates the items)
• Challenge:– No same equation guaranteed– Filter function originally defined over consecutive
equations
• Step 1.– Convert update function into one equation*– *The equation is different from Armknecht’s– =>
1 1 2
2 1 1 1 1 2
1 1 2
1
2
1 1
2 3 4
1 1 1
1 1 1
1
1 1 2
0
( ) ( )
( ) ( ) ( ) ( )
( 1) ( 1) ( )(1 ) ( 1) ( )
( 1) ( 1) ( ) (1 ) ( 1) ( )
t t t t
t t t t t t t t t t
t t t t t
t
t t t t
z z z z
t z z z z z z z z z z
t z z z z t z t
t t t z t t
t z t t z z t t z
2 1 22
1
2
1 1 1 2
( 1) ( 1) ( )(1 ) ( 1) ( )
( 2) ( 2) ( )(1 ) ( 2) ( )t
t
t t t z t t
t t t z t t
• The equation has such items that– Are products of zt , zt+1 … and unknowns
• => unknowns with unpredictable coefficients because of unpredictable behavior of zt
• Goal: make coefficients predictable!
• Step 2.– Convert the equation into 16 equations– According to the value of zt , zt+1, zt+2, zt+3
– =>zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt)zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt)+π1(t+2)π2(t+1)+π1(t+2)+ π1(t+2)π1(t+1)zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt)+π3(t+1) … …zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt)+π1(t+1)+π2(t+1)+π3(t+1)zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt) +π1(t+1)+π2(t+1)+π1(t+2)π2(t+1)+π1(t+2)+π3(t+1)
• Step 3.– Select equations where π1(t+1) can be filtered
out*– *We do that by gcd the characteristic polynomial
of π1(t+1) and that of the other items
– *And pick these with gcd = 1
• Step 4.– Compute selective discrete Fourier transform
filter for the equation E selected Complexity?
• Trick:– Use the characteristic polynomial of the other
items computed in the last step; denote it by h(x)– Find linear combination of xt that mod h(x) = 0• for {t} that gives the equation E
• Step 5.– Use the linear combination produced in the last
step– To filter out an equation for π1(t+1)
– Collect and solve equations
• Some Remarks– Step 1, 2, 3 are done offline – Step 1 and 2 are applicable for all instances of E0– Step 3 are done once for one set of parameters of
E0
• Success of attack relies on Step 3• Complexity of attack is dominated by Step 4
Conclusion
• Selective DFT filter for combiner– Can be reduced to selective DFT filter for
nonlinear filter– After O(N^3) computation, N ~ (n d)
• Selective DFT filter for Estream Candidate?– Possible if its state update can be converted into
an algebraic equation like E0.
• Thank you!
top related