fast linear subspace attacks on stream cipherscomsec.uwaterloo.ca/download/seletivedft09-v1.pdf ·...

Fast Linear Subspace Attacks on Stream Ciphers

Guang Gong

Department of Electrical and Computer EngineeringUniversity of Waterloo

CANADA<http://comsec.uwaterloo.ca/∼ggong>

Joint work with Sondre Rønjom, Tor Helleseth, and Honggang Hu

G. Gong (University of Waterloo) Fast DFT Attacks 2009 1 / 47

Outline

Basic Concepts and Properties of Sequences(Discrete) Fourier Transform (DFT) of Shifts and Convolution ofDFTFast Selective DFT Attacks on Filtering GeneratorsComparisons with Fast Algebraic AttacksNew Security Criteria: Spectral Immunity


Introduction

A General Model of PSGs


Introduction

Linear Feedback Shift Register (LFSR) Sequences

We associate f (x0, · · · , xn−1) with

f (x0, · · · , xn−1 = c0x0 + · · ·+ cn−1xn−1 ↔ t(x) = xn + cn−1xn−1 + · · ·+ c1x + 1

a polynomial over F2.An output sequence of the LFSR satisfies the following recursive relation

an+k =n−1Xi=0

ciak+i , k = 0, 1, · · · , (1)

(a0, · · · , an−1) is an initial state of a.t(x) is called a characteristic polynomial of a (the reciprocal of t(x) is referredto as a feedback polynomial of a, and we also say that a is generated by t(x).a is an m-sequences is t(x) is primitive (Golomb, 1954).


Introduction

Example

The sequence a = 1001011 is an m-sequence of period 7 generatedby an LFSR with t(x) = x3 + x + 1.


Introduction

Minimal Polynomials and Linear Span

A minimal polynomial of a is a polynomial with smallest degreewhich generates a. Let m(x) be the minimal polynomial of a, thenm(x) | t(x).Linear span of a is the degree of m(x), denoted as LS(a), andm(x) can be found using the Berlekamp-Massey algorithm fromany 2LS(a) consecutive bits of a.Linear span of a is the degree of m(x), denoted as LS(a), andm(x) can be found using the Berlekamp-Massey algorithm fromany 2LS(a) consecutive bits of a.


Introduction

The Shift Operator

The (Left cyclically) shift operator L:

La = a1, a2, · · · ,

Lr a = ar , ar+1, · · · .

If b = Lr a, then we say that they are shift equivalent. Otherwise,they are shift distinct.

Example: leta = 1001011

b = 1011100

c = 1110100

then a and b are shift equivalent, and a and c are shiftdistinct.


Introduction

DFT and Inverse DFT of Binary Sequences

Notation: N|2n − 1, Fq = GF (q), {at}: a binary sequence withperiod N; α: an element in F2n with order N.The (discrete) Fourier Transform (DFT) of {at } is defined by

Ak =N−1∑t=0

atα−tk , k = 0, 1, . . . , N − 1.

The inverse DFT (IDFT) is given by

at =N−1∑k=0

Akαkt , t = 0, 1, . . . , N − 1.

{Ak} is called the DFT spectral sequence of a (with respect to α).


Introduction

Trace Representation

Let A(x) =∑N−1

k=0 Akxk . Then at = A(αt) and A(x) can be writtenas

A(x) =∑

k

Trmk1 (Akxk ) (2)

where the k ’s are (cyclotomic) coset leaders modulo N, mk |n isthe length of the coset which contains k , and Trmk

1 (x) is a tracefunction from F2mk to F2. This is called a trace representation of{at}.Some times, for simplicity, we may use Tr(x) for all terms in A(x)where Tr(x) represents from which field to F2 depends on the sizeof the coset containing k .The linear span of a is equal to the number of nonzero spectra ofa.


Introduction

Example 1α: a primitive element in F24 with α4 + α + 1 = 0:

Sequences in Time Domain DFT Spectral Sequences in Frequency Domain

a =00010 01101 01111 A =011010001000000

b =111011000101001 B =011α 1 0 α2α61α80α3α4α9α12


Introduction

Example 1 (cont.)

Trace Representation Linear Span

A(x) = Tr(x) 4

at = Tr(αt), 0 ≤ t < 15

B(x) = Tr(x + αx3 + α6x7) 12

bt = B(αt), 0 ≤ t < 15


Introduction

DFT of Shifts

A sequence b = {bt} is a shift of a if and only in the DFT of b isgiven by

Bk = βkAk , 0 ≤ k < N, β ∈ F2n .

In this case,bt = A(βαt), t = 0, 1, · · · ,

i.e., B(x) = A(βx).The shift operator does not change the minimal polynomial ofa, nor the linear span.


Introduction

Example 2

For α, a primitive root of x4 + x + 1 which defines F24 , let

a =00010 01101 01111 A(x) = Tr(x), and

b = 01101 01111 00010 B(x) = Tr(α5x)

In this case b = L5a, a shift of a.


Introduction

DFT Convolution and Product Sequences

Let a and b be two sequences of period N with their respectiveDFTs A = {Ak} and B = {Bk}.For the term-by-term product c = a · b where ct = atbt ,0 ≤ t < N, let the DFT of {ct} be C = {Ck}. Then C is aconvolution of A and B, denoted as C = A ∗ B where

Ck =∑

i+j=k( mod N)

AiBj , 0 ≤ k < N.


Introduction

Example 3

Let b be the sequence in Example 1, i.e.,

b = 111011000101001 ↔ B(x) = Tr(x + αx3 + α6x7)

a = 000110001100011 ↔ A(x) = Tr(α2x3)

=⇒c = a · b = 000010000100001 ↔ C = B ∗ A

=⇒ C(x) = B(x)A(x) = Tr(α3x3) + 1


Introduction

Selective or Fast Selective DFT Attacks

Selective Filters in DFT Domain

LetNa = {k |Ak 6= 0, k is a coset leader mod N},

pk (x) be the minimal polynomial (MP) of αk over F2, and letq(x) =

∑ri=0 cix i be a polynomial over F2 of degree r .

The MP p(x) of a is equal to the product of pk for all k ∈ Na.Applying q(L) to a, we have

vt =r∑

i=0

ciai+t , t = 0, 1, · · · ,

which is a linear filtered sequence from a.


Introduction

DFT of {vt}

Proposition 1. The DFT of {vt} is given by

Vk = Akq(αk ), 0 ≤ k < N.


Introduction

Interesting Cases of DFT of {vt}

Two Extreme Cases:Case 1. p(x) |q(x) . Thus q(αk ) = 0,∀k ∈ Na. Hence

Vk = 0, 0 ≤ k < N =⇒ v is a zero sequence.

Case 2. gcd(p(x), q(x)) = 1 . Then q(αk ) 6= 0,∀k ∈ Na.

(Vk = 0 ⇐⇒ Ak = 0)

{v} has the same minimal polynomial as s, so does a, and v is ashift of a when α is a primitive element in F2n (in this case a hasperiod 2n − 1).


Introduction

Selective Case

Let c(x) = gcd(p(x), q(x)), c(x) 6= 1 and c(x) 6= p(x). Then

c(x) =∏k∈T

pk (x)

where T ⊂ Na, and

Vk = q(αk )Ak 6= 0 ⇐⇒ q(αk ) 6= 0 ⇐⇒ k ∈ Na \ T .


Introduction

Figure: Selective DFT Spectra


Introduction

Selective DFT (Cont.)

For the selective case, when q(x) is applied to a, the nonzeroDFT spectra of the resulting sequence is equal to a subset of thenonzero DFT spectra of a. Thus the linear span of v is less thanthe linear span of a.The functionality of q(x) here is analog to filters used incommunication systems for selecting frequency band forincreasing or reducing bandwidth of transmitted signals.

Thus q(x) is referred to as a selective DFT filter of a.


Introduction

Computing DFT of Shifted Sequences

Question. Given {Ak} and j (consecutive) bits of s, a shift of a,without loss in generality, we could assume that (s0, s1, · · · , sj−1)is known, find the DFT of s.Since Sk = βkAk , β ∈ F2n , it is enough to find β.A Very Old Naive Method: Directly solving a system of the linearequations in variables {βk} where j = LS(a).Selective DFT when j = LS(a).Fast Selective DFT when j < LS(a).


Introduction

A Very Old Naive Method

If a set P is a subset consisting of coset leaders modulo N, thenwe use P to represent the set ∪k∈PCk where Ck is the cosetmodulo N containing k as the coset leader.We write N a = {k0, k1, · · · , kLS(a)−1} (note that LS(a) is equal tothe cardinality of N a. ) Then

bt =∑

k∈Na

Tr(Akβkαtk ) =

j−1∑i=0

Aki βki αtki , t = 0, 1, · · · , j − 1.

Let xi = βki , i = 0, 1, · · · , LS(a)− 1. Then the above is a systemof m linear equations in LS(a) unknowns {xi}.


Introduction

Naive Method (Cont.)

Put m = LS(a). The matrix form is given by

b = Mx

where s = (s0, s1, · · · , sj−1)T where vT means the transpose of

the vector v , x = (x0, x1, · · · , xm−1)T , and

M =l−1∏i=0

Aki

1 1 1 · · · 1

αk0 αk1 αk2 · · · αkm−1

α2k0 α2k1 α2k2 · · · α2km−1

...

α(j−1)k0 α(j−1)k1 α(j−1)k2 · · · α(j−1)km−1

M is a j ×m Vandermonde matrix over F2n .


Introduction

Naive Method (Cont.)

Thus it has the unique solution if and only if m = j = LS(a).Hence from known m bits of s (not necessarily consecutive),the DFT of s can be uniquely determined by solving a system of mlinear equations over F2n with computational complexityO(m2.37η(n)) where η(n) = n log n log log n.


Introduction

Selective DFT Attack

Input: Given (a0, · · · , aj−1) and {Ak} where j = LS(a) with spectral sequenceβk Ak , k = 0, · · · , N − 1.Output: β.Procedure

Randomly select k ∈ Na with coset size n (not necessary gcd(k , N) = 1), andset q(x) = p(x)/pk (x) with r = deg(q) = m − n.

Applying q(L) to (s0, s1, · · · ), compute

vt =rX

i=0

cisi+t , t = 0, 1, · · · , n − 1.

Fromvt = Tr(γαtk ), t = 0, 1, · · · , n − 1

solve for γ in a system of n linear equations over F2n with the complexityO(n2.37η(n)). (Compared with the naive method O(m2.37η(n)) where m >> n.)


Introduction

Selective DFT Attack (Cont.)

Note that γ = Akq(αk )βk . If gcd(k , N) = 1, we obtain

β = γk ′ [Akq(αk )]−k ′ , k ′ = k−1.

If gcd(k , N) 6= 1, using the multiplexing method to reconstruct β(omitted there for the multiplexing method).


Introduction

Fast Selective DFT Attack

Input: Given (a0, · · · , aj−1) and {Ak} where j < LS(a) with spectral sequenceβk Ak , k = 0, · · · , N − 1.Output: β.Procedure

Select b = {bt} to compute the term-by-term product u = {ut} (i.e., ut = stbt )where bt = B(βαt), t ≥ 0 and ut = U(βαt) with |N b ∪N u| < LS(s).

Compute mu(x), the minimal polynomial of u, and q(x) =Q

k∈T pk (x) where

T =

(Nu \ Nb ∅⊂Nu ∩Nb ⊂ Nu Type 1

⊂ N ∗u N ∗

b = N ∗u Type 2

where T contains at least one k with coset size n for the type 2 and N ∗x denotes

the set of nonzero coset leaders in Nx.


Introduction

Fast Selective DFT Attack (Cont.)

=⇒ degree of q(x) is r = |T |, and n ≤ r < LS(u).

For q(L) =Pr

i=0 ciLi , compute

γk,t = Uk q(αk )αtk , k ∈ J ,

(J = Nb ∩Nu for q(x) of type 1

J = Nb \ T for q(x) of type 2

t = 0, 1, · · · , LS(b)− 1.

where J⊂Nb.

Computeηk,t = Bk ft(αk )αtk , t = 0, 1, · · · , LS(b)− 1, k ∈ N b

ft(x) =Pr

i=0 cisi+tx i

Form a system of LS(b) equations:Xk∈J

γk,tβk =

Xk∈Nb

ηk,tβk , t = 0, 1, · · · , LS(b)− 1.

which are in LS(b) unknowns βk ( N b = LS(b)), and solve for βk =⇒ β.


Introduction

Applications to Attacks on Stream Ciphers

Figure: A General Model of Stream Cipher


Introduction

Example: Filtering Sequence Generators

Let w = {wt} be an m-sequence of period 2n − 1, and0 ≤ d0 < d1 < · · · < dm−1 < n. A sequence s = {st} is referred to as a filteringsequence if

st = f (wd0+t , wd1+t , · · · , wdm−1+t) =, t = 0, 1, · · · (3)where f (x0, x1, · · · , xm−1) is a boolean function in m variables. The booleanfunction f is referred to as a filtering function.

Figure: A Diagram of Filtering Sequence GeneratorG. Gong (University of Waterloo) Fast DFT Attacks 2009 31 / 47

Introduction

Known Plaintext Attack

An initial state of the LFSR is a key when {st} is served as a keystream generator, denoted by K = (k0, · · · , kn−1), ki ∈ F2.Then

st = f (Lt(k0, k1, · · · , kn−1)) = ft(k0, · · · , kn−1), t = 0, 1, · · ·

whereft(x0, · · · , xn−1) = f (Lt(x0, · · · , xn−1)).

Known plaintext attack: if a certain plaintext is known, thensome bits of {st} can be recovered. If the key can be recoveredfrom those known bits of {st}, then the rest of bits of the keystream can be reconstructed.


Introduction

Properties of Filtering Sequence Generators

We denote the degree of f (x0, · · · , xm−1) by deg(f ). The DFT of{st} has the following structure:

Sk = 0, for H(k) ≥ deg(f )

where H(k) is the Hamming weight of k .w has the trace representation Tr(βx) for some β ∈ F2n . Thusthose β’s and initial states of the LFSR are in one-to-onecorrespondence.Let {at} be a filtering sequence corresponds to an initial state withβ = 1. Then any filtering sequence s is a shift of a.


Introduction

Shifts and Keys

Recovering a key in the filtering sequence is to recover an initialstate in the LFSR, which is equal to recover β.The initial state of the LFSR can be recovered

by either the selective DFT if the number of known consecutive bitsof {st} is equal to the linear span of {st},or by the fast selective DFT if it is less than its linear span, aspresented before.


Introduction

Figure: (Fast) Select DFT Attacks on a Filtering Generator


Introduction

How Good the Selective DFT Attack?

Case 1: # required consecutive bits = LS(s)

Rønjom-Helleseth (06): q(x) is the quotient of the minimalpolynomial of s and the minimal polynomial of α. So, q(L)removes all DFT spectra except for A1. It works if A1 6= 0.Rønjom-Gong-Helleseth (07): q(x) is the quotient of the minimalpolynomial of s and the minimal polynomial of αk . So, q(L)removes all DFT spectra except for Ak for some k with Ak 6= 0and gcd(k , N) = 1.Selective DFT (new case): In Rønjom-Gong-Helleseth (07)’swork, k does not need to be relatively coprime with N, it is enoughthat the coset size of k is equal to n.


Introduction

Selective DFT and Rønjom et al. Attacks

Rønjom-Helleseth (06)

# required # unknowns deg(q) solvable

consecutive bits in equations

solving a system of

LS(s) n LS(s)− n homogeneous

not applicable equations over F2

if A1 = 0 in n unknowns

solve for all

n unknowns


Introduction

Selective DFT and Rønjom et al. Attacks (Cont.)

Rønjom-Gong-Helleseth (07)


consecutive in equations

bits

solving a system of

LS(s) n LS(s)− n homogeneous

not applicable equations over F2n

if gcd(k , N) 6= 1 in n unknowns

obtaining one

unknown is enough

New Case of Selective DFT

Replace the condition gcd(k , N) = 1 by |Ck | = n


Introduction

Compared with Fast Algebraic Attack

Case 2: # required consecutive bits < LS(s)

Summary of the time complexity and required known bits of the linearization, algebraicattack, and fast algebraic attacks.

Methods and The Number of MinimumEquations Unknowns Required Known Bits

Linearization (folk sense): ft (K ) = st Tµ Tµ

µ = deg(f )

Algebraic Attack : Tτ Tτ

(Paratin’96, Courtois et al.’03) τ = deg(g)

Find g such that fg = 0st gt (K ) = 0 The best case:

τ=algebraic immunity of f<µ

Fast Algebraic Attacks: Td γ = Td + (Te − δTd )

(Courtois’03 [a], Armknecht-Ars’05 [b]):a) find g such that fg = h 6= 0; d = deg(g), e = deg(h) δ = 0 [a], δ = 1 [b]; d < eb) applying q(x) to st gt (K ) = ht (K ) r = deg(q)Pr

i=0 ci si+t gi+t (K ) =Pr

i=0 ci hi+t (K ) consecutive bits


Introduction

Fast Algebraic Attack

The case of Courtois’03: q(x) is the product of the minimalpolynomials of αk for all k with H(k) ≤ d (= deg(g)), so {vt} is azero sequence.The case of Armknecht-Ars’05: q(x) is equal to pe(x)/pd(x)where pk (x) is the product of the minimal polynomials of αi for all iwith H(i) ≤ k . So nonzero spectra of the DFT of {vt} is a subsetof that of b.In order to get Td equations from applying q(L) to{stgt(k0, k1, · · · , kn−1)}, it needs to know (s0, s1, · · · , sTd+deg(q)−1)for creating a system of homogeneous equations in linearizedvariables of boolean function gt(k0, k1, · · · , kn−1).


Introduction

Compared with Fast Algebraic Attack


consecutive bits in equations

FastAlgebraicAttack

Td + (Te − δTd) Td Te − δTd solving a system ofhomogeneous equa-tions over F2 in Td un-knowns

FastSelectiveDFTAttack

LS(b) + deg(q) LS(b) < Td < LS(u)< Te − Td

solving a systemof homogeneousequations over F2n inLS(b) unknowns,


Introduction

Difference between the Fast Algebraic Attacks andSelective DFT Attacks

Coefficients of monomial terms in bt = gt(x0, x1, · · · , xn−1) invariables x0, x1, · · · , xn−1 are changed for each t , but the DFT of{bt} are only changed by a scalar multiple of βk where βcorresponds to the desired initial state.The number of nonzero coefficients of variables (linearized case)in gt(x0, x1, · · · , xn−1) are dynamically changed which isbounded by Td , but the number of nonzero DFT spectral of {bt}remains as a constant which is LS(b), the linear span of b.This phenomenon is not astonished, since it is an analogue to acosine function cos x which is hard to predict the values in reals.But the Fourier transform of cos x has only two pulses (i.e., twovalues), which is a simplest case in spectral analysis.


Introduction

Spectral Immunity

Resistant to Fast Selective DFT AttackThe sequence s is said to be resistant to the fast selective DFT attackif |Ns| = 1 (i.e., the minimal polynomial of s is irreducible) orLS(u + b) ≥ LS(s) for any sequence b ∈ ZN

2 with LS(b) < LS(s) andu 6= 0, where u is the term-by-term product sequence of s and b.

Spectral ImmunityLet

Ps = minb∈ZN

0

{LS(b) |s · b = 0 or (s + 1)b = 0}.

Then Ps is referred to as the spectral immunity of s.


Introduction

Example: Filtering Generator

Let w be a sequence generated by the primitive polynomial x4 + x + 1, and s bea filtering sequence generated by st = f (wt , wt+1, wt+2, wt+3), wheref (x0, x1, x2, x3) = x1 + x0x2 + x0x3 + x0x1x2.

LS(s) =P3

i=1

`4i

´= 14 which is the maximal achievable linear complexity for a

filtering function of degree 3.

The algebraic immunity of f , AI(f ), is equal to 2.

Then Ps is not bigger than the linear complexity of a sequencebt = g(wt , wt+1, wt+2, wt+3), where g is in a function in the set consisting of theannihilators of f , i.e., g ∈ ANN(f ) = {g | fg = 0 or (f + 1)g = 0}.

It is easily verified that Ps ≤PAI(f )

i=1

`4i

´= 10.

Let bt = wt + wt+2 + wtwt+1 + wt+1wt+2 + wtwt+3, then LS(b) = 4 with theminimal polynomial x4 + x3 + x2 + x + 1. Thus Ps = 4.


Introduction

Example: Filtering Generator (Cont.)

This means that there exist an annihilator which yields a systemcontaining linear equations in at most 4 unknowns, whileapplying a fast algebraic attack one ends up with a quadraticequation system with 10 unknowns.


Introduction

Open Questions

How to construction functions which are resistant to the fastselective DFT attack ?(Note that stop-and-go generatedsequences resist this attack, why?)What is the bounds of spectral immunity?The method introduced here is of only theoretical interests, if theDFT spectra is unknown. In general, the degree of the filteringfunction or combiner functions are relatively easier to obtain thanthe DFT of the key stream sequences, which leads to the followingproblem.How to estimate the DFT spectrum of the product sequence?


Introduction

Reference

Guang Gong, Sondre Rønjom, Tor Helleseth, and Honggang Hu,Fast Linear Subspace Attacks on Stream Ciphers, TechnicalReport, CACR 2009-04, 2009, University of Waterloo, Canada.Submitted to IEEE Transactions on Information Theory.


fast linear subspace attacks on stream cipherscomsec.uwaterloo.ca/download/seletivedft09-v1.pdf ·...

Documents