cryptoppt


Upload: meenakshi-tripathi

Post on 29-Jun-2015


DESCRIPTION

Cryptanalysis of GSM stream cipher A5/1

TRANSCRIPT


CONTENTS; OVERVIEW; Keystream Generation; Instant Ciphertext only Attack on A5/1 - Barkan, Biham; Golic - Cryptanalysis of alleged A5 Stream cipher; Basic Correlation Attack: Patrik Ekdahl and Thomas Johansson 2001; Comparison; References

CRYPTANALYSIS OF A5/1

Submitted by:

Meenakshi Tripathi (113350005)

Guide: Prof. Saravanan Vijayakumaran

Electrical Engineering, Indian Institute of Technology Bombay

Mumbai-400076

Meenakshi Tripathi IIT Bombay


CONTENTS

Overview Of A5/1 GSM Cipher

1 LFSR (Linear Feedback Shift Register)

2 A5/1 Description

Man in the middle Attack: Barkan, Biham

Time Memory Tradeoff: Golic

Real Time cryptanalysis on PC: Biryukov, Shamir, Wagner

Correlation Attack: Ekdahl and Johansson

Comparison

References


LFSR of A5/1

The LFSR Structure used in GSM is as shown.

Figure: LFSR of A5/1


A5/1 Description

LFSR number   Length in bits   Feedback polynomial             Clocking bit   Tapped bits
1             19               x^19 + x^18 + x^17 + x^14 + 1   8              13, 16, 17, 18
2             22               x^22 + x^21 + 1                 10             20, 21
3             23               x^23 + x^22 + x^21 + x^8 + 1    10             7, 20, 21, 22


Steps for Key Generation

All 3 registers are zeroed.

64 cycles (regular clocking): R[0] = R[0] ⊕ Kc[i]

22 cycles (regular clocking): R[0] = R[0] ⊕ Fc[i]

100 cycles (majority rule clocking), output discarded.

228 cycles (majority rule clocking) to produce the output bit sequence.
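The register table and the five steps above, written out as a keystream generator (an added example, not code from the presentation). Loading Kc and the frame number least-significant bit first is an assumption, since the slides give no bit order; the function names are illustrative.

```python
# (length, feedback taps, clocking bit) for R1, R2, R3; bit 0 is R[0].
REGS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)

def _shift(state, length, taps):
    """Clock one LFSR: XOR of the tapped bits is shifted into R[0]."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return ((state << 1) & ((1 << length) - 1)) | fb

def clock_all(regs):
    """Regular clocking: every register steps."""
    return [_shift(r, n, taps) for r, (n, taps, _) in zip(regs, REGS)]

def clock_majority(regs):
    """Majority rule: a register steps only if its clocking bit agrees
    with the majority of the three clocking bits."""
    bits = [(r >> c) & 1 for r, (_, _, c) in zip(regs, REGS)]
    maj = 1 if sum(bits) >= 2 else 0
    return [_shift(r, n, taps) if b == maj else r
            for r, b, (n, taps, _) in zip(regs, bits, REGS)]

def load(kc, frame):
    """Steps 1-3: zero the registers, then mix in 64 key bits and 22
    frame-number bits with regular clocking (assumed LSB first)."""
    regs = [0, 0, 0]
    for value, nbits in ((kc, 64), (frame, 22)):
        for i in range(nbits):
            regs = clock_all(regs)
            bit = (value >> i) & 1
            regs = [r ^ bit for r in regs]   # R[0] = R[0] XOR bit
    return regs

def keystream(kc, frame, nbits=228):
    """Steps 4-5: 100 discarded majority-clocked cycles, then nbits output
    bits, each the XOR of the three registers' most significant bits."""
    regs = load(kc, frame)
    for _ in range(100):
        regs = clock_majority(regs)
    out = []
    for _ in range(nbits):
        regs = clock_majority(regs)
        out.append(sum((r >> (n - 1)) & 1
                       for r, (n, _, _) in zip(regs, REGS)) & 1)
    return out

def load_is_linear(k1, f1, k2, f2):
    """The loading phase uses only shifts and XORs, so the loaded state of
    (k1^k2, f1^f2) is the XOR of the two individual loaded states."""
    mixed = load(k1 ^ k2, f1 ^ f2)
    return mixed == [a ^ b for a, b in zip(load(k1, f1), load(k2, f2))]

if __name__ == "__main__":
    KC = 0x0123456789ABCDEF          # constructed sample key
    print("".join(map(str, keystream(KC, 0x134)[:32])))
    print("linear load:", load_is_linear(KC, 0x134, 0xFEDCBA9876543210, 0x021))
```

Only the majority-clocked phases are non-linear in the key; the all-zero key with frame number 0 leaves every register at zero and yields an all-zero keystream.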


Keystream Generation

Figure: LFSR of A5/1


Instant Ciphertext only Attack on A5/1

Based on a flaw in the GSM protocol: the same key is used for A5/1, A5/2 and GPRS.

Attack on A5/1 by three attacks:

Man-in-the-middle attack: the attacker impersonates the network to the user and the user to the network.

Classmark attack: changing the classmark bit information sent by the mobile, by a man-in-the-middle attack.

Impersonating the network for a short radio session with the mobile.


Instant Ciphertext only Attack on A5/1

The attack has 3 main steps:

1 Known plaintext attack on A5/2, to recover the initial key. Algebraic in nature: solves an overdefined system of quadratic equations.

2 Improving the known plaintext attack to a ciphertext-only attack, based on the fact that GSM employs ECC before encryption.

3 Active attack on A5/1: leveraging the attack on A5/2 to an active attack on A5/1.


Structure of A5/2

A5/2 is a much weaker cipher, used as the base for the man-in-the-middle attack on A5/1.

A5/2 has 4 LFSRs, R1, R2, R3 and R4, of length 19, 22, 23 and 17.

R4 controls the clocking of the other three registers with bits R4[3], R4[7] and R4[10].

Output is the XOR of the majority output of the 3 registers and the MSB of each register.

One bit of each register is forced to be 1 after initialisation.


LFSR of A5/2

The LFSR structure of A5/2 is as shown.

maj(a, b, c) = a·b + b·c + c·a


Known plaintext attack on A5/2

Total number of equations required: R1 gives 18 variables and (17 ∗ 18)/2 = 153 quadratic terms; R2 gives 21 + (21 ∗ 20)/2 = 220 and R3 gives 22 + (22 ∗ 21)/2 = 253; in all 655 variables.

61 variables form the initial state of R1, R2 and R3.

Each frame gives 114 equations, and a few such frames can give 655 equations.

Frame numbers differ in just one bit, so the required number of equations can be formulated in terms of the initial state of one frame, say V_f.


Steps to Determine Initial State

All the 2^16 possible values of R4 are tried, and for each the system of equations is solved to get the internal state of R1, R2 and R3.

R4 is known, so the number of times a register needs to be clocked to produce the output bit is known.

2^16 − 1 wrong states are identified by inconsistencies in Gauss elimination.

The result is verified by trial encryptions.
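The linearise, guess and eliminate procedure of the last two slides, as an added toy example (not code from the presentation or the cited paper). The function toy_rows is a hypothetical stand-in for the real A5/2 output equations, and the 6-bit state, 8-bit guess and sample values are scaled-down assumptions.

```python
import random
from itertools import combinations

def linearised_size(n):
    """Unknowns after linearisation: n state bits plus n(n-1)/2 products."""
    return n + n * (n - 1) // 2

def monomial_mask(bits):
    """Pack a state's linearised vector (bits, then all pairwise products)."""
    vec = list(bits) + [a & b for a, b in combinations(bits, 2)]
    return sum(v << i for i, v in enumerate(vec))

def toy_rows(guess, n_eq, n_vars):
    """HYPOTHETICAL: coefficient rows of the output equations that one
    guessed clock-control value fixes (pseudo-random here, not A5/2)."""
    rng = random.Random(guess)
    return [rng.getrandbits(n_vars) for _ in range(n_eq)]

def outputs_for(rows, bits):
    """Evaluate every equation on a concrete state (the trial encryption)."""
    m = monomial_mask(bits)
    return [bin(r & m).count("1") & 1 for r in rows]

def solve_gf2(rows, rhs, n_vars):
    """Gauss elimination over GF(2). Returns one solution packed in an int,
    or None when a row reduces to 0 = 1 (inconsistent system)."""
    basis = {}                                # pivot column -> augmented row
    for r, b in zip(rows, rhs):
        row = r | (b << n_vars)               # bit n_vars carries the RHS
        for col in range(n_vars):
            if not (row >> col) & 1:
                continue
            if col not in basis:
                basis[col] = row
                break
            row ^= basis[col]
        else:
            if row >> n_vars:
                return None
    x = 0
    for col in sorted(basis, reverse=True):   # back-substitution
        row = basis[col]
        x |= (((row >> n_vars) ^ bin(row & x).count("1")) & 1) << col
    return x

def recover(observed, n_bits, guess_bits):
    """Try every guess; keep those whose system is consistent and whose
    solved state regenerates the observed output."""
    n_vars = linearised_size(n_bits)
    survivors = []
    for g in range(1 << guess_bits):
        rows = toy_rows(g, len(observed), n_vars)
        sol = solve_gf2(rows, observed, n_vars)
        if sol is None:
            continue                          # wrong guess: inconsistent
        state = [(sol >> i) & 1 for i in range(n_bits)]
        if outputs_for(rows, state) == observed:
            survivors.append((g, state))
    return survivors

# Constructed sample: a 6-bit secret state observed under guess 0x2A.
SECRET, TRUE_GUESS = [1, 0, 1, 1, 0, 1], 0x2A
OBSERVED = outputs_for(toy_rows(TRUE_GUESS, 64, linearised_size(6)), SECRET)

if __name__ == "__main__":
    print(sum(linearised_size(n) for n in (18, 21, 22)), "unknowns for A5/2")
    print(recover(OBSERVED, 6, 8))
```

With 64 equations over 21 linearised unknowns the system is heavily overdefined, which is why wrong guesses fail during elimination rather than needing a trial encryption.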


Optimise

Optimise using a pre-computed system of equations for each value of R4.

For a given R4 value, store the LD rows found by Gauss elimination.

Check in the data for the same and discard R4 values which don't have the same LD rows.


Cryptanalysis of alleged A5 Stream cipher-Golic

Based on solving a system of linear equations.

Guess n clock-controlling bits from each of the LFSRs (3n equations).

On average 4n/3 elements of the clocking sequence are then known, hence 4n/3 equations on the register contents.

First output bit = parity of the MSBs of the 3 LFSRs, therefore 1 more equation is obtained.

Max possible n = 10, hence 30 + 40/3 + 1 = 44.33 equations known.


Cryptanalysis of alleged A5 Stream cipher-Golic

Build a tree with valid options corresponding to the 3 inputs to the majority clock-control function.

5 branches per node, so on average 2.5 valid options for each path.

By exhaustive search, on average consider 1/2 of the values to get the remaining bits.

Initial state s[0] is obtained from s[101] by guessing the number of 1's in the clocking sequence.

Check the state by generating s[101] again.


Time-memory Tradeoff - Golic

Known plaintext case: each sequence gives 102 64-bit blocks (228 bits).

K frames give 102 K keystream blocks.

M 64-bit initial states are stored in a table, sorted w.r.t. the output bits produced.

Precomputation time is O(M); the time required for sorting is M log M, approx. M.


Time-memory Tradeoff - Golic

By the birthday paradox, the condition for at least one of the 102·K keystream blocks in the sample to coincide with one of the output blocks in the table is 102·K·M > 2^63.32.

Let the time T to find the keystream block be 102·K; then a TMTO is possible if T·M > 2^63.32 and T < 102·2^22.


Real Time cryptanalysis of A5/1 on PC - Biryukov, Shamir, Wagner

Disk access is time consuming, so store on disk only special states which produce output bits with a particular pattern alpha of length k = 16.

States which produce an output sequence starting with a given alpha are easily generated.


Real Time cryptanalysis of A5/1 on PC - Biryukov, Shamir, Wagner

During precomputation, store (prefix, state) pairs in sorted order for a subset of chosen states.

Total number of states which generate this alpha as output prefix is 2^64 ∗ 2^−16 = 2^48.

Search the output for the occurrence of output prefixes in all partially overlapping prefixes.

In a frame, bit positions 1 to 177 are taken to get a sufficiently long prefix of, say, 35 bits after alpha.


Real Time cryptanalysis of A5/1 on PC - Biryukov, Shamir, Wagner

Red state: a state which produces output bits starting with alpha. R is approx. 2^48.

Green state: a state which produces output bits with alpha anywhere between bits 101 and 277. G is 177 ∗ 2^48.

Weight W(s) of a tree with a red state as root is defined as the number of green states in its belt.


Real Time cryptanalysis of A5/1 on PC - Biryukov, Shamir, Wagner

Trees of Red and Green states

Figure: LFSR of A5/1


Real Time cryptanalysis of A5/1 on PC - Biryukov, Shamir, Wagner

Red states are kept on the disk and collisions with their prefixes are checked for.

Green states contain alpha and can act as the initial state in that frame.

Store only heavy trees and discard the parasitic red states by comparing the sequence produced with the output beyond the occurrence of alpha, which reduces the candidate states.

Further reduction by using the exact depth of occurrence of alpha.


Basic Correlation Attack

Known plaintext attack: N bits known from m frames.

Independent of the length of the LFSRs.

Depends on the number of clockings before output is generated.

Exploits bad key initialisation: key and frame counter are initialised in a linear fashion.

Breaks A5/1 in a few minutes with 2-5 min of plaintext.


Notation

$u^i_t = s^i_t + \bar{f}^i_t, \quad t \ge 0.$

$P\left(s^1_{76} + s^2_{76} + s^3_{76} = O^j_{(76,76,76,1)}\right) = P(\text{assumption correct}) \cdot 1 + P(\text{assumption not correct}) \cdot 1/2.$

Generalising over m frames gives one bit of information.


Steps of Attack

Calculate the probability of clocking (cl1, cl2, cl3) in the v-th position.

Consider an interval I for v, where the probability of occurrence of v is non-zero.

Enhance the estimate by generalising the value of the linear combination using m frames.

Finally estimate the linear combination of key bits with a simple hard decision.

One interval of 8 bits, e.g. (79, 80, 81, ..., 86), gives 8 + 8 + 8 = 24 bits of information on the key K. Consider 3 such sub-intervals to get 72 bits, more than the 64 needed.


Comparison of Various Attacks

Attack                 Type                Precomputation   Analysis complexity   Data complexity   Memory complexity
Golic [1]              TMTO                2^35.65          2^27.67               2^28.8            862 GB
Barkan, Biham [4]      Man in the middle   Nil              2^47                  Ciphertext only   M = 2^28.8
Biryukov, Shamir [3]   TMTO                2^48             2 minutes             2^14.7            146 GB
Biham, Dunkelman [2]   TMTO                2^38             2^39.91               2^20.8            32 GB


References

[1] J. Golic. Cryptanalysis of Alleged A5 Stream Cipher.

[2] Biham and Dunkelman. Cryptanalysis of the A5/1 GSM Stream Cipher.

[3] Biryukov, Shamir, and Wagner. Real Time Cryptanalysis of A5/1 on a PC.

[4] Barkan, Biham, and Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communications.

[5] Ekdahl and Johansson. Another Attack on A5/1.

[6] Maximov, Johansson, and Babbage. An Improved Correlation Attack on A5/1.

[7] Barkan and Biham. Conditional Estimators: An effective Attack on A5/1.

[8] Wikipedia - http://www.wikipedia.org.


Thank You
