Linear Feedback Shift Registers, Galois Fields, and Stream Ciphers

Mike Thomsen, Cryptography II, May 14th, 2012


Outline

Linear Feedback Shift Registers (LFSR)

Interesting properties of LFSR

Stream ciphers with LFSR: correlation attacks

A5/1 and its weaknesses

Looking forward

Linear Feedback Shift Registers (LFSR)

Very basic example: a 3-bit register. (Slide diagram not reproduced in the transcript: cells 1, 2, 3 feeding an XOR, with the output bit sequence 101110.)

Properties of LFSR

Maximal vs. non-maximal length

Cyclic

Non-maximal governed by front two bits.

Properties of LFSR

(State matrix from the slide not reproduced; the transcript retains only its bit columns.)

Columns are exact rotations of each other. If we look at it as a matrix, different initializations or start states yield a rotation of the entire matrix.

LFSR and Galois Fields

(State matrices from the slides not reproduced; the transcript retains only their bit columns.)

Can reverse the tap positions to get another LFSR with an identical set of states.

If the original feedback set is [m, A, B, C], the reversed feedback set is described by [m, m-C, m-B, m-A].
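As an added example, not code from the original presentation: a small Python model of a Fibonacci LFSR in the slides' own [m, A, B, C] notation. It checks maximal vs. non-maximal period, that different seeds give rotations of one sequence, and that the reversed feedback set [m, m-C, m-B, m-A] replays the stream backwards. The feedback sets [3, 2], [4, 2], [4, 1] and the seeds are constructed inputs.

```python
from functools import reduce
from operator import xor


def lfsr_sequence(taps, seed, length):
    """Fibonacci LFSR in the slides' notation: taps is the feedback set
    [m, A, B, ...] with m the register length; the output obeys the linear
    recurrence s[n] = s[n-m] ^ s[n-A] ^ s[n-B] ^ ... over GF(2).
    seed holds the first m output bits (the initial register contents)."""
    m = max(taps)
    assert len(seed) == m, "seed must hold exactly m bits"
    s = list(seed)
    while len(s) < length:
        s.append(reduce(xor, (s[-t] for t in taps)))  # s[-t] is s[n-t]
    return s[:length]

def reverse_taps(taps):
    """[m, A, B, C] -> [m, m-C, m-B, m-A]: the reciprocal feedback polynomial."""
    m = max(taps)
    return sorted({m} | {m - t for t in taps if t != m})

def period(taps, seed):
    """Length of the state cycle entered from this seed (at most 2^m - 1)."""
    m = max(taps)
    s = lfsr_sequence(taps, seed, m + 2 ** m)
    first = tuple(s[:m])
    return next(p for p in range(1, 2 ** m + 1) if tuple(s[p:p + m]) == first)

def is_maximal(taps, seed):
    """Maximal length: the cycle visits every one of the 2^m - 1 nonzero states."""
    return period(taps, seed) == 2 ** max(taps) - 1

def is_rotation(a, b):
    """True when bit lists a and b are cyclic shifts of one another."""
    sa, sb = "".join(map(str, a)), "".join(map(str, b))
    return len(sa) == len(sb) and sb in sa + sa

def reversed_taps_reverse_the_stream(taps, seed, length=32):
    """Reversed taps, seeded from the end of the stream, replay it backwards."""
    m = max(taps)
    rev = lfsr_sequence(taps, seed, length)[::-1]
    return lfsr_sequence(reverse_taps(taps), tuple(rev[:m]), length) == rev

if __name__ == "__main__":
    # 3-bit register as on the slides; feedback set [3, 2] and seed are constructed
    print(lfsr_sequence([3, 2], (1, 0, 1), 14))  # 1011100 repeated twice
    print(period([3, 2], (1, 0, 1)), period([4, 2], (1, 0, 0, 0)))  # 7 and 6
```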

Easy to find another irreducible polynomial.

LFSR and Stream Ciphers

LFSR can be used as a stream cipher.

Remember that stream ciphers are similar to a PRNG in that they output a single bit at a time; data is encrypted bit by bit until the whole plaintext has been encrypted.

A single LFSR used as a cipher is vulnerable because of its linear, cyclic nature, so multiple LFSRs are combined to build the cipher.

LFSR and Stream Ciphers

First, we define a boolean function.

For example, consider the following diagram. (Diagram not reproduced in the transcript.)

LFSR and Stream Ciphers: Correlation Attacks

Since the registers are private, an attacker cannot treat them as independent components, so the whole system must be broken at once.

Idea: try to correlate one register's output with the output of the boolean function, improving on a brute-force attack.

If it is correlated, that register can be broken separately (independently of the rest of the system), vastly reducing the attack complexity.

This is more likely than it seems: with enough registers, the linear nature of LFSRs means that some patterns and correlations will appear as linear recursive equations.

LFSR and Stream Ciphers: A5/1

Use the following LFSRs of length 19, 21, and 22.

R1 has taps 13, 16, 17, 18

R2 has taps 20, 21

R3 has taps 7, 20, 21, 22

Attacks on A5/1: Known Plaintext

Attacks on A5/1: Active Attacks

Barkan, Biham, and Keller developed the most serious weakness: an active attack using A5/2, if the phone supports it. They also published another paper in 2006, furthering their attacks and fully breaking A5/1.

A5/3 or KASUMI

Future

Algorithms like RC4/5/6, which avoid the use of LFSRs, have been developed, but they have their own set of problems.

LFSRs are interesting and are good for random hardware testing, and, if constructed correctly, they can be useful in some cryptographic applications.

Note that A5/1's weaknesses are less about the structure of LFSRs and more about the structure of GSM.

References

Elad Barkan, Eli Biham, Nathan Keller, Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication, 2003/2006

Patrik Ekdahl, On LFSR-based Stream Ciphers (PhD thesis), 2003

Alex Biryukov, Adi Shamir, David Wagner, Real Time Cryptanalysis of A5/1 on a PC, 2000

http://www.newwaveinstruments.com/resources/articles/m_sequence_linear_feedback_shift_register_lfsr.htm

Thomas Johansson, Fredrik Jonsson, Improved Fast Correlation Attacks on Stream Ciphers via Convolutional Codes, 1999