Selective DFT Attacks against E0

Jingjing WANG, Kefei CHEN

Outline

• Brief introduction to– DFT, DFT Attack, E0

• Selective DFT Filter for Nonlinear Filter Generator

• Our Attack against E0– And combiner with memory in general

What is DFT?

• DFT = discrete Fourier transform– Used in analysis of signals

• Fourier transform has one amazing feature– Sin signal

– After Fourier transform

– Is much simpler!

What is DFT Attack?

• Discrete Fourier transform (DFT) Attack– Do DFT for periodic sequence, resulting in

equations in GF(2^n)– For unknowns, solve it in GF(2^n)

• Selective DFT Attack proposed for nonlinear filter by G. GONG– Unknowns: DFT coefficients of the LFSR sequence– Solve equations by: selective DFT filter

Selective DFT Filter

• Selective DFT filter speeds up the DFT attack by– Filtering out few* components of the DFT result of

the keystream– *the optimal number is one and the number of

corresponding unknowns is no greater than n

What is E0 Keystream Generator?

• E0 is a combiner with memory– 4 LFSRs– 2-bit memory with update function

– Combine and output:

Extend DFT Attack to Combiner with Memory

• To eliminate most items– Selective DFT filter needs:– Same equation– Filter function corresponds to the linear combination

(the eliminates the items)

• Challenge:– No same equation guaranteed– Filter function originally defined over consecutive

equations

• Step 1.– Convert update function into one equation*– *The equation is different from Armknecht’s– =>

1 1 2

2 1 1 1 1 2

1 1 2

1

2

1 1

2 3 4

1 1 1

1 1 1

1

1 1 2

0

( ) ( )

( ) ( ) ( ) ( )

( 1) ( 1) ( )(1 ) ( 1) ( )

( 1) ( 1) ( ) (1 ) ( 1) ( )

t t t t

t t t t t t t t t t

t t t t t

t

t t t t

z z z z

t z z z z z z z z z z

t z z z z t z t

t t t z t t

t z t t z z t t z

2 1 22

1

2

1 1 1 2

( 1) ( 1) ( )(1 ) ( 1) ( )

( 2) ( 2) ( )(1 ) ( 2) ( )t

t

t t t z t t

t t t z t t

• The equation has such items that– Are products of zt , zt+1 … and unknowns

• => unknowns with unpredictable coefficients because of unpredictable behavior of zt

• Goal: make coefficients predictable!

• Step 2.– Convert the equation into 16 equations– According to the value of zt , zt+1, zt+2, zt+3

– =>zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt)zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt)+π1(t+2)π2(t+1)+π1(t+2)+ π1(t+2)π1(t+1)zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt)+π3(t+1) … …zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt)+π1(t+1)+π2(t+1)+π3(t+1)zt+zt+1+zt+2+zt+3+1 = g(at, bt, ct, dt) +π1(t+1)+π2(t+1)+π1(t+2)π2(t+1)+π1(t+2)+π3(t+1)

• Step 3.– Select equations where π1(t+1) can be filtered

out*– *We do that by gcd the characteristic polynomial

of π1(t+1) and that of the other items

– *And pick these with gcd = 1

• Step 4.– Compute selective discrete Fourier transform

filter for the equation E selected Complexity?

• Trick:– Use the characteristic polynomial of the other

items computed in the last step; denote it by h(x)– Find linear combination of xt that mod h(x) = 0• for {t} that gives the equation E

• Step 5.– Use the linear combination produced in the last

step– To filter out an equation for π1(t+1)

– Collect and solve equations

• Some Remarks– Step 1, 2, 3 are done offline – Step 1 and 2 are applicable for all instances of E0– Step 3 are done once for one set of parameters of

E0

• Success of attack relies on Step 3• Complexity of attack is dominated by Step 4

Conclusion

• Selective DFT filter for combiner– Can be reduced to selective DFT filter for

nonlinear filter– After O(N^3) computation, N ~ (n d)

• Selective DFT filter for Estream Candidate?– Possible if its state update can be converted into

an algebraic equation like E0.

• Thank you!