
Cryptanalysis of Achterbahn-128/80, Maria Naya-Plasencia (PowerPoint presentation)



  1. Cryptanalysis of Achterbahn-128/80. Maria Naya-Plasencia, INRIA, projet CODES, France.

  2. Outline
  1 Achterbahn
  2 Tools used in our cryptanalysis
  3 Cryptanalysis of Achterbahn-128/80

  3. Achterbahn [Gammel-Göttfert-Kniffler05]
  [Figure: NLFSR 1, NLFSR 2, ..., NLFSR N feed the Boolean combining function f, whose output is the keystream.]
  Achterbahn: version 1, version 2, 128/80.
  ◮ version 1 cryptanalysed by Johansson, Meier, Muller.
  ◮ version 2 cryptanalysed by Hell, Johansson.
  1/23

  4. Achterbahn-128/80 (July 2006)
  Achterbahn-128: key size = 128 bits.
  ◮ 13 primitive NLFSRs of length $L_i = 21 + i$, $0 \le i \le 12$.
  ◮ Least significant bit of each NLFSR forced to 1 at the initialization process.
  ◮ Boolean combining function $F$:
    • balanced
    • correlation immunity order = 8
  ◮ Inputs of $F$ ← shifted outputs of the NLFSRs.
  ◮ Keystream length limited to $2^{63}$.

  5. Achterbahn-128/80 (July 2006)
  Achterbahn-80: key size = 80 bits.
  ◮ 11 primitive NLFSRs of length $L_i = 21 + i$, $1 \le i \le 11$.
  ◮ Least significant bit of each NLFSR forced to 1 at the initialization process.
  ◮ Boolean function $G(x_1, \dots, x_{11}) = F(0, x_1, \dots, x_{11}, 0)$:
    • balanced
    • correlation immunity order = 6
  ◮ Inputs of $G$ ← shifted outputs of the NLFSRs.
  ◮ Keystream length limited to $2^{63}$.

  6. Tools used in our cryptanalysis
  ◮ Parity checks
  ◮ Exhaustive search for the internal states of some registers
  ◮ Decimation by the period of a register
  ◮ Linear approximations
  ◮ Speeding up the exhaustive search

  7. Parity checks
  Let $(s_1(t))_{t \ge 0}, \dots, (s_n(t))_{t \ge 0}$ be $n$ sequences of periods $T_1, \dots, T_n$, and for all $t \ge 0$ let $S(t) = \sum_{i=1}^{n} s_i(t)$.
  ◮ Then, for all $t \ge 0$,
  $\sum_{\tau \in \langle T_1, \dots, T_n \rangle} S(t + \tau) = 0$,
  where $\langle T_1, \dots, T_n \rangle$ is the set of all $2^n$ possible sums of $T_1, \dots, T_n$ (each period taken or not).
  ◮ Example: $(s_1(t))$, $(s_2(t))$ with periods $T_1$ and $T_2$:
  $S(t) + S(t + T_1) + S(t + T_2) + S(t + T_1 + T_2) = 0$.
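The identity on this slide, checked in code. This is an added example, not part of the original slides or of the paper: the register outputs are stand-in periodic sequences of small constructed periods (3, 5, 7), not NLFSRs, and `subset_sums` builds the set $\langle T_1, \dots, T_n \rangle$ of all $2^n$ shifts. The last function shows the flip side a practitioner relies on: a term whose period is not in the family is not cancelled, which is what makes the check useful as a distinguisher.

```python
import itertools
import random

def periodic_sequence(period, seed):
    """Constructed binary sequence of exactly this period; stands in for one register output."""
    rng = random.Random(seed)
    base = [rng.randrange(2) for _ in range(period)]
    return lambda t: base[t % period]

def subset_sums(periods):
    """<T_1, ..., T_n>: the 2^n sums of a sub-family of the periods (0 for the empty one)."""
    return [sum(T for T, chosen in zip(periods, mask) if chosen)
            for mask in itertools.product((0, 1), repeat=len(periods))]

def parity_check(S, periods, t):
    """sum_{tau in <T_1, ..., T_n>} S(t + tau) over GF(2)."""
    acc = 0
    for tau in subset_sums(periods):
        acc ^= S(t + tau)
    return acc

def parity_check_zero_everywhere(periods, seeds, n_positions=300):
    """S = s_1 + ... + s_n with s_i of period T_i: the check vanishes for every t."""
    seqs = [periodic_sequence(T, s) for T, s in zip(periods, seeds)]
    S = lambda t: sum(seq(t) for seq in seqs) % 2
    return all(parity_check(S, periods, t) == 0 for t in range(n_positions))

def parity_check_detects_extra_term(periods, seeds, extra_period, n_positions=300):
    """Add one more term, an impulse of a period outside the family (1 at t = 0 mod extra_period,
    0 elsewhere): the check only cancels the periods it was built from, so it is no longer
    identically zero."""
    seqs = [periodic_sequence(T, s) for T, s in zip(periods, seeds)]
    seqs.append(lambda t: 1 if t % extra_period == 0 else 0)
    S = lambda t: sum(seq(t) for seq in seqs) % 2
    return any(parity_check(S, periods, t) == 1 for t in range(n_positions))
```

With periods (3, 5, 7) the shift set is {0, 3, 5, 7, 8, 10, 12, 15}, the $2^3 = 8$ terms the slide's formula predicts; the two-sequence example on the slide is the same construction with $n = 2$.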

  8. Cryptanalysis with parity checks
  ◮ Linear approximation $\ell(t) = \sum_{j=1}^{m} x_{i_j}(t)$ where $\Pr[S(t) = \ell(t)] = \frac{1}{2}(1 + \varepsilon)$.
  ◮ Parity check: $\sum_{\tau \in \langle T_{i_1}, \dots, T_{i_m} \rangle} \ell(t + \tau) = 0$, hence (piling-up over the $2^m$ terms)
  $\Pr\Big[\sum_{\tau \in \langle T_{i_1}, \dots, T_{i_m} \rangle} S(t + \tau) = 0\Big] \ge \frac{1}{2}\big(1 + \varepsilon^{2^m}\big)$.

  9. Exhaustive search over some registers
  ◮ Exhaustive search for the initial states of $m'$ registers:
  $\Pr\Big[S(t) = \sum_{j=1}^{m'} x_{i_j}(t) + \sum_{j=m'+1}^{m} x_{i_j}(t)\Big] = \frac{1}{2}(1 + \varepsilon)$.
  ◮ The parity check has $2^{m-m'}$ terms and satisfies:
  $\Pr\Big[\sum_{\tau \in \langle T_{i_{m'+1}}, \dots, T_{i_m} \rangle} \Big(S(t + \tau) + \sum_{j=1}^{m'} x_{i_j}(t + \tau)\Big) = 0\Big] = \frac{1}{2}\big(1 + \varepsilon^{2^{m-m'}}\big)$.

  10. Required keystream length
  Decoding problem: $2^{\sum_{j=1}^{m'}(L_{i_j} - 1)}$ candidate sequences of length $N$ (one per guess of the $m'$ initial states) transmitted through a binary symmetric channel of capacity
  $C(p) = C\Big(\tfrac{1}{2}\big(1 + \varepsilon^{2^{m-m'}}\big)\Big) \approx \frac{\big(\varepsilon^{2^{m-m'}}\big)^2}{2 \ln 2}$,
  so
  $N \approx \frac{\sum_{j=1}^{m'}(L_{i_j} - 1)}{C(p)} \approx \frac{2 \ln 2 \, \sum_{j=1}^{m'}(L_{i_j} - 1)}{\big(\varepsilon^{2^{m-m'}}\big)^2}$.
  • Keystream bits needed: $\big(\varepsilon^{2^{m-m'}}\big)^{-2} \times 2 \ln 2 \times \sum_{j=1}^{m'}(L_{i_j} - 1) + \sum_{j=m'+1}^{m} T_{i_j}$.

  11. Decimation [Hell-Johansson06]
  ◮ Parity check:
  $pc(t) = \sum_{\tau \in \langle T_{i_{m'+1}}, \dots, T_{i_m} \rangle} \Big(S(t + \tau) + \sum_{j=1}^{m'} x_{i_j}(t + \tau)\Big)$.
  ◮ Decimate by the periods of $p$ linear terms $i_1, \dots, i_p$: $pc_p(t) = pc(t \, T_{i_1} \cdots T_{i_p})$, so those $p$ terms become constants.
  ◮ Exhaustive search for the remaining $(m' - p)$ terms.

  12. Complexity
  • Keystream bits needed:
  $\big(\varepsilon^{2^{m-m'}}\big)^{-2} \times 2 \ln 2 \times \sum_{j=p+1}^{m'}(L_{i_j} - 1) \times 2^{\sum_{j=1}^{p} L_{i_j}} + \sum_{j=m'+1}^{m} 2^{L_{i_j}}$.
  • Time complexity:
  $\big(\varepsilon^{2^{m-m'}}\big)^{-2} \times 2 \ln 2 \times \sum_{j=p+1}^{m'}(L_{i_j} - 1) \times 2^{\sum_{j=p+1}^{m'}(L_{i_j} - 1)}$.

  13. Cryptanalysis of Achterbahn-80
  ◮ We use a linear approximation: as $G$ has correlation immunity order 6, the best approximation by a 7-variable function is affine [Canteaut-Trabbia00].
  ◮ We use the following one: $g_2(x_1, \dots, x_{10}) = x_1 + x_3 + x_4 + x_5 + x_6 + x_7 + x_{10}$, with $\varepsilon = 2^{-3}$.

  14. Cryptanalysis of Achterbahn-80
  ◮ Linear approximation: $g_2(x_1, \dots, x_{10}) = (x_4 + x_7) + (x_5 + x_6) + x_1 + x_3 + x_{10}$, with $\varepsilon = 2^{-3}$.
  ◮ Parity check: $\ell\ell(t) = \ell(t) + \ell(t + T_4 T_7) + \ell(t + T_5 T_6) + \ell(t + T_4 T_7 + T_5 T_6)$.
  ◮ Decimate by the period of register 10.
  ◮ Exhaustive search over registers 1 and 3.

  15. Cryptanalysis of Achterbahn-80
  • Keystream bits needed: $(\varepsilon^4)^{-2} \times 2 \ln 2 \times (L_1 + L_3 - 2) \times 2^{L_{10}} + 2^{L_4 + L_7} + 2^{L_5 + L_6} = 2^{61}$ bits.
  • Time complexity: $(\varepsilon^4)^{-2} \times 2 \ln 2 \times (L_1 + L_3 - 2) \times 2^{L_1 - 1} \, 2^{L_3 - 1} = 2^{74}$ operations.
  • Time complexity can be reduced: final complexity $2^{61}$.
  • We recover the initial states of registers 1 and 3.
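The procedure of slides 8 to 12 (parity check over the unguessed terms, decimation by the period of a guessed-but-not-searched register, exhaustive search over the rest, detection of the bias) run end to end on a toy instance, together with the two complexity formulas of slide 12 evaluated on the Achterbahn-80 parameters of slide 15. This is an added example, not code from the slides or the paper, and everything about the instance is constructed: three registers with periods $2^L - 1$ for $L = 6, 7, 8$ instead of $21 + i$, each modelled as a fixed pseudo-random sequence of that period (the register run from a reference state, which the attacker knows) with a secret phase standing in for the unknown initial state, and the combining function replaced by the decoding model of slide 10, i.e. $S = x_1 + x_2 + x_3 + \text{noise}$ with the noise from a BSC so that the linear approximation holds with bias $\varepsilon$. Only register 1 is searched; register 2 is removed by decimation, register 3 by the parity check.

```python
import math
import random

# Toy parameters (constructed, not Achterbahn's): lengths 6, 7, 8 -> periods 63, 127, 255.
LENGTHS = (6, 7, 8)
PERIODS = tuple(2 ** L - 1 for L in LENGTHS)
EPS = 0.5   # Pr[S = x_1 + x_2 + x_3] = (1 + EPS) / 2

def register_sequences(seed=1):
    """One pseudo-random sequence per register, of period T_i (the public part of the model)."""
    rng = random.Random(seed)
    return [[rng.randrange(2) for _ in range(T)] for T in PERIODS]

def make_keystream(secret_phases, seed=2):
    """Keystream oracle S(t); the attacker queries S but never sees the phases."""
    regs = register_sequences()
    rng = random.Random(seed)
    cache = {}
    def S(t):
        if t not in cache:
            lin = 0
            for r, T, phase in zip(regs, PERIODS, secret_phases):
                lin ^= r[(t + phase) % T]
            noise = 0 if rng.random() < (1 + EPS) / 2 else 1   # BSC noise, bias EPS
            cache[t] = lin ^ noise
        return cache[t]
    return S

def recover_register1(S, n_samples=2048):
    """Parity check over <T_3> cancels x_3 exactly, decimating by T_2 freezes both x_2 terms to
    a constant, and the 2^6 - 1 phases of register 1 are searched for the one whose corrected
    checks are biased (Pr[check = constant] = (1 + EPS^2) / 2).  Returns (phase, deviation)."""
    r1 = register_sequences()[0]
    T1, T2, T3 = PERIODS
    # pc_p(tau) = S(tau T_2) + S(tau T_2 + T_3); keystream used: (n_samples - 1) T_2 + T_3 + 1 bits
    pc = [S(tau * T2) ^ S(tau * T2 + T3) for tau in range(n_samples)]
    best = (None, -1.0)
    for phase in range(T1):
        ones = 0
        for tau, p in enumerate(pc):
            t = tau * T2
            ones += p ^ r1[(t + phase) % T1] ^ r1[(t + T3 + phase) % T1]
        deviation = abs(ones - n_samples / 2)   # right phase: about n_samples * EPS^2 / 2
        if deviation > best[1]:
            best = (phase, deviation)
    return best

def log2_keystream_bits(eps, n_unguessed, searched, decimated, check_lengths):
    """Slide 12, first formula, as log2.  n_unguessed = m - m' grouped terms kept in the parity
    check (2^(m-m') shifts); searched / decimated = lengths of the guessed registers that are
    searched / removed by decimation; check_lengths = summed lengths of each grouped term,
    using T_i T_j ~ 2^(L_i + L_j)."""
    bias = eps ** (2 ** n_unguessed)
    samples = bias ** -2 * 2 * math.log(2) * sum(L - 1 for L in searched)
    return math.log2(samples * 2 ** sum(decimated) + sum(2 ** L for L in check_lengths))

def log2_time(eps, n_unguessed, searched):
    """Slide 12, second formula, as log2: samples x 2^(number of searched state bits)."""
    bias = eps ** (2 ** n_unguessed)
    bits = sum(L - 1 for L in searched)
    return math.log2(bias ** -2 * 2 * math.log(2) * bits * 2 ** bits)
```

For Achterbahn-80 the arguments are $\varepsilon = 2^{-3}$, two grouped terms $(x_4 + x_7)$ and $(x_5 + x_6)$ left in the check, registers 1 and 3 searched, register 10 decimated, and check terms of summed length $L_4 + L_7$ and $L_5 + L_6$; the formulas then give $2^{61}$ keystream bits and $2^{74}$ operations, the numbers on slide 15. On the toy, slide 10's estimate says about $2 \ln 2 \cdot L_1 / \varepsilon^4 \approx 110$ decimated samples would do; the example uses 2048 so that the right phase stands out by a wide margin over the 62 wrong ones.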

  16. Cryptanalysis of Achterbahn-128
  ◮ Linear approximation: $\ell(x_0, \dots, x_{12}) = (x_0 + x_3 + x_7) + (x_4 + x_{10}) + (x_8 + x_9) + x_1 + x_2$, with $\varepsilon = 2^{-3}$.
  ◮ Parity check: $\ell\ell\ell(t) = \sum_{\tau \in \langle T_{0,3,7}, \, T_{4,10}, \, T_{8,9} \rangle} \ell(t + \tau)$, where $T_{0,3,7} = \mathrm{lcm}(T_0, T_3, T_7)$ (and likewise $T_{4,10}$, $T_{8,9}$).
  ◮ Exhaustive search over registers 1 and 2 → we can reduce this complexity by making profit of the independence of the registers.

  17. Improving the exhaustive search
  $\varphi = \sum_{t' = 0}^{2^{54} - 2^8 - 1} \; \sum_{\tau \in \langle T_{0,3,7}, T_{4,10}, T_{8,9} \rangle} \big(S(t' + \tau) \oplus x_1(t' + \tau) \oplus x_2(t' + \tau)\big)$
  $= \sum_{t = 0}^{2^{31} + 2^8 - 1} \; \sum_{k = 0}^{T_2 - 1} \sigma(tT_2 + k) \oplus \sigma_1(tT_2 + k) \oplus \sigma_2(tT_2 + k)$
  $= \sum_{k = 0}^{T_2 - 1} \Big[ (\sigma_2(k) \oplus 1) \sum_{t = 0}^{2^{31} + 2^8 - 1} \big(\sigma(tT_2 + k) \oplus \sigma_1(tT_2 + k)\big) + \sigma_2(k) \Big( (2^{31} + 2^8) - \sum_{t = 0}^{2^{31} + 2^8 - 1} \big(\sigma(tT_2 + k) \oplus \sigma_1(tT_2 + k)\big) \Big) \Big]$,
  where $\sigma$, $\sigma_1$, $\sigma_2$ are the parity-check sums over $\tau$ of $S$, $x_1$, $x_2$, and $\sigma_2(tT_2 + k) = \sigma_2(k)$ because register 2 has period $T_2$.

  18. Improving the exhaustive search
  for k = 0 to T_2 - 1 do
      V_2[k] = σ_2(k) for the all-one initial state.
  end for
  for each possible initial state of R_1 do
      for k = 0 to T_2 - 1 do
          V_1[k] = Σ_{t=0}^{2^31 + 2^8 - 1} σ(T_2 t + k) ⊕ σ_1(T_2 t + k)
      end for
      for each possible initial state i of R_2 do
          compute Σ_{k=0}^{T_2 - 1} [ (V_2[k + i mod T_2] ⊕ 1) V_1[k] + V_2[k + i mod T_2] (2^31 + 2^8 - V_1[k]) ]
          if we find the bias then
              return the initial states of R_1 and R_2
          end if
      end for
  end for

  19. Reducing complexity with an FFT
  • $\sum_{k = 0}^{T_2 - 1} \Big[ (V_2[k + i] \oplus 1) \, V_1[k] + V_2[k + i] \, \big(2^{31} + 2^8 - V_1[k]\big) \Big]$, evaluated directly for every $i$: $2^{L_2 - 1} \times T_2 \times 2 \times 2^5$.
  • $= \sum_{k = 0}^{T_2 - 1} (-1)^{V_2[k + i]} \Big( V_1[k] - \frac{2^{31} + 2^8}{2} \Big) + T_2 \, \frac{2^{31} + 2^8}{2}$: a cyclic correlation of $(V_1)$ with $((-1)^{V_2})$, computed for all $i$ at once in $T_2 \log_2 T_2$ with an FFT.
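The rewrite on this slide, implemented and checked against the direct sum of slide 18 for every shift $i$. This is an added example, not code from the slides or the paper; the inputs are constructed: $T_2 = 31$ instead of $2^{23} - 1$, $N = 200$ instead of $2^{31} + 2^8$, `V2` a random bit sequence standing in for $\sigma_2$ of the reference state, and `V1[k]` drawn so that at the true shift the complete parity check is 0 with probability $(1 + \varepsilon)/2$. The FFT is a plain radix-2 routine; the cyclic correlation is turned into a linear one by laying out two periods of the sign sequence and zero-padding to a power of two.

```python
import cmath
import random

def fft(a):
    """Radix-2 recursive FFT; len(a) must be a power of two."""
    n = len(a)
    if n == 1:
        return [complex(a[0])]
    even, odd = fft(a[0::2]), fft(a[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out

def ifft(a):
    n = len(a)
    return [x.conjugate() / n for x in fft([x.conjugate() for x in a])]

def direct_scores(V1, V2, N):
    """Slide 18 inner sum for every shift i: sum_k (V2[k+i]^1) V1[k] + V2[k+i] (N - V1[k]).  O(T^2)."""
    T = len(V1)
    return [sum(N - V1[k] if V2[(k + i) % T] else V1[k] for k in range(T)) for i in range(T)]

def fft_scores(V1, V2, N):
    """Slide 19: the same T values as T*N/2 + sum_k (-1)^V2[k+i] (V1[k] - N/2), i.e. a cyclic
    correlation of the centred counts with the sign sequence, for all i in O(T log T)."""
    T = len(V1)
    centred = [v - N / 2 for v in V1]
    signs = [1 - 2 * v for v in V2]           # (-1)^V2
    size = 1
    while size < 2 * T:
        size *= 2
    A = fft(centred + [0] * (size - T))
    B = fft(signs + signs + [0] * (size - 2 * T))   # two periods, so index k + i never wraps
    corr = ifft([x.conjugate() * y for x, y in zip(A, B)])   # corr[i] = sum_k centred[k] signs[k+i]
    return [round(T * N / 2 + corr[i].real) for i in range(T)]

def recover_shift(V1, V2, N):
    """The shift whose score deviates most from T*N/2 is the biased, i.e. correct, alignment."""
    T = len(V1)
    scores = fft_scores(V1, V2, N)
    return max(range(T), key=lambda i: abs(scores[i] - T * N / 2))

def simulated_counts(T, N, true_shift, eps, seed=3):
    """Constructed V_1, V_2: V_2 is the parity-check sequence of register 2 for the reference state;
    V_1[k] counts the ones of sigma ^ sigma_1 over the N positions congruent to k mod T_2.  At the
    true shift the full check (sigma ^ sigma_1 ^ sigma_2) is 1 with probability (1 - eps)/2."""
    rng = random.Random(seed)
    V2 = [rng.randrange(2) for _ in range(T)]
    V1 = []
    for k in range(T):
        p_one = (1 - eps) / 2 if V2[(k + true_shift) % T] == 0 else (1 + eps) / 2
        V1.append(sum(1 for _ in range(N) if rng.random() < p_one))
    return V1, V2
```

The two score lists agree exactly after rounding, and the argmax of the deviation recovers the shift; on the real parameters the same correlation replaces $2^{L_2 - 1}$ passes of length $T_2$ by one transform of size $T_2 \log_2 T_2$ per candidate state of $R_1$.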

  20. Cryptanalysis of Achterbahn-128
  • Keystream bits needed: $(\varepsilon^8)^{-2} \times 2 \ln 2 \times (L_1 + L_2 - 2) + T_{0,3,7} + T_{4,10} + T_{8,9} < 2^{61}$ bits.
  • Time complexity: $2^{L_1 - 1} \times \big( 2^{31} \times T_2 \times 2^4 + 2^{31} \times T_2 \times 2^3 + T_2 \log T_2 \big) = 2^{80.58}$.

  21. Achterbahn-128 limited to $2^{56}$ bits
  ◮ The same attack as before using the linear approximation: $\ell(x_0, \dots, x_{12}) = (x_3 + x_8) + (x_1 + x_{10}) + (x_2 + x_9) + x_0 + x_4 + x_7$.
  ◮ Improved exhaustive search over registers 0, 4 and 7, considering $R_0$ and $R_4$ together.
  • keystream bits needed $< 2^{56}$
  • time complexity: $2^{104}$ operations.

  22. Achterbahn-80 limited to $2^{52}$ bits
  ◮ Linear approximation: $\ell(x_1, \dots, x_{11}) = (x_3 + x_7) + (x_4 + x_5) + x_1 + x_6 + x_{10}$.
  ◮ With the same attack as before, we need more than $2^{52}$ keystream bits.
  ◮ We can adapt the algorithm in order to reduce the data complexity.

  23. Achterbahn-80 limited to $2^{52}$ bits
  ◮ Instead of one decimated sequence of parity checks of length $L$, 4 decimated sequences of length $L/4$:
  $S(tT_1 + i) + S(tT_1 + i + T_7 T_3) + S(tT_1 + i + T_4 T_5) + S(tT_1 + i + T_7 T_3 + T_4 T_5)$, for $i \in \{0, \dots, 3\}$.
  ◮ Keystream bits needed $< 2^{52}$.
  ◮ Time complexity: $2^{67}$ operations.

  24. Recovering the key
  From the previously recovered initial states of some registers:
  ◮ Meet-in-the-middle attack on the key-loading.
  ◮ No need to invert all the clocking steps.
  Additional complexity:
  • Achterbahn-80: $2^{40}$ in time and $2^{41}$ in memory.
  • Achterbahn-128: $2^{73}$ in time and $2^{48}$ in memory.

  25. Conclusions
  Attack complexities against all versions of Achterbahn:
  version         | data complexity | time complexity | references
  v1 (80-bit)     | 2^32            | 2^55            | [JMM06]
  v2 (80-bit)     | 2^64            | 2^67            | [HJ06]
  v2 (80-bit)     | 2^52            | 2^53            |
  v80 (80-bit)    | 2^61            | 2^55            |
  v128 (128-bit)  | 2^60            | 2^80.58         |
