guess then algebraic attack on the self shrinking
play

Guess-then-algebraic attack on the Self-Shrinking Generator - PowerPoint PPT Presentation

Nov 17, 2023 •175 likes •518 views

Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin Lausanne, February 12, 2008 Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information Lausanne,

  1. Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin Lausanne, February 12, 2008

  2. Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information Lausanne, February 12, 2008 2

  3. Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack Lausanne, February 12, 2008 2

  4. Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream Lausanne, February 12, 2008 2

  5. Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 2

  6. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 3

  7. Description of the self-shrinking Generator SSG is : A pseudo random sequence generator Proposed by Meier and Staffelbach in 1994 Derived from the Shrinking Generator Based on the irregular decimation of the output of one LFSR Decimation principle: LFSR sequence 01 ���� 11 10 ���� 01 00 ���� 11 10 00 ���� ���� ���� ���� ���� 1 0 1 0 When the first bit of the pair is 0, no output when the first bit of the pair is 1, the second bit is the output Lausanne, February 12, 2008 4

  8. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 5

  9. Algorithms to solve polynomial systems Two main families 1 Linear algebra based systems: Algorithms: XL, XSL, T’ Gr¨ obner Bases based algorithms (Buchberger, F4, F5). No theory for non random systems. Large matrices need huge memory. 2 SAT solvers, only for GF(2): Recently proposed in algebraic cryptanalysis by Bard, Courtois and Jefferson. Already used in cryptanalysis on Keeloq and Bivium. One algorithm already used in crypto: MiniSAT. No theory either. Lausanne, February 12, 2008 6

  10. SAT solvers Method Method Converting the multivariate system into a CNF-SAT problem: a = xyz ⇐ ⇒ ( x ∨ ¯ a )( y ∨ ¯ a )( z ∨ ¯ a )( a ∨ ¯ x ∨ ¯ y ∨ ¯ z ) Then applying a SAT-solver algorithm on it. Choose a variable, try to assign it one value and then the other. When some information is learned, new clauses are added to the system. Important Parameters Number of clauses Total length of all the clauses Number of variables Lausanne, February 12, 2008 7

  11. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 8

  12. Notations and Definitions The length of the LFSR L is n , at clock t it outputs s t . The internal sequence at clock t is S t = s 0 s 1 ... s t . Definition (Compression function) C such that at clock t KG produces C ( S t ). KG ouput sequence is C ( S 0 ) C ( S 1 ) · · · C ( S t ). The compression ratio η is the average number of keystream bits C outputs per internal bit. Definition (Information Rate) The keystream reveals about the first m bits of internal sequence the information rate per bit: α ( m ) = 1 m ( H ( S m ) − H ( S m | Y )) Lausanne, February 12, 2008 9

  13. First Attack on this type of PRNG Method Guess all the missing information. Complexity For m output bits, the leakage of information given by the keystream is α m /η . Then the entropy to recover m /η key bits is H ( S m | Y ) = (1 − α ) m η . Final complexity O (2 (1 − α ) n ). On the SSG This is the first attack proposed on the SSG by Meier and Staffelbach. Lausanne, February 12, 2008 10

  14. How to improve this attack Method and Complexity Decrease the amount of information we guess. Guess an amount of information h on the internal sequence per keystream bit, then the known information per keystream bit is h + α/η . The ratio “guessed information”/“total information known per keystream” bit is h h + α η h η n ) h + α Final complexity of the guess is O (2 Issue Once the information is obtained, it has to be exploited to recover the key. Lausanne, February 12, 2008 11

  15. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 12

  16. First Improved Attack (Hell-Johansson 06) Guess Method Instead of guessing all the internal bits, guess the even bits. It is equivalent to guessing the positions of the pairs (1 , e ) in the internal sequence Complexity The entropy per keystream bits for this information is H ( L ) = � + ∞ j +1 2 j +1 = 2 j =0 2 3 n ) The complexity of the guess is then O (2 The information is linear in the key bits, then a Gaussian 2 elimination ( O ( n 3 )) is performed. Final complexity: O ( n 3 2 3 n ) Lausanne, February 12, 2008 13

  17. Mihaljevi´ c Attack (96) Method Look for the case when n 2 consecutive even internal bits are 1s. Then we know n internal bits. n 2 ) Time and Data complexity O (2 Familly of attacks Time/Data Tradeoff with n 3 4 n ) 2 ) to O (2 Time complexity varying from O (2 n 2 ) to O ( n ) accordingly Data complexity varying from O (2 Lausanne, February 12, 2008 14

  18. Combining Attack [Hell-Johannson 06] and [Zhang-Feng 06] Another tradeoff: Look for an internal sequence of length l ( γ ) where the rate of 1s among the even bits is at least γ > 1 2 . l is computed such that it provides enough information (at least n bits). For each subsequence of length l guess the even bits compatible with rate of 1s > γ . Perform a Gaussian elimination on the linear equations provided by the known bits. n 1+ γ ). Time complexity O ( n 3 2 Lausanne, February 12, 2008 15

  19. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 16

  20. Quadratic Attack Method Still decrease the amount of information guessed. Instead of guessing the position of the even internal 1s, guess the position of one out of two. Consequence: if keystream sequence is x i , x i +1 , · · · , x i + k , · · · we do not know the position of the internal pair 1 x 2 i +1 but it ranges between pairs 1 x 2 i and 1 x 2 i +2 positions. Complexity of the Guess We guess size of ”blocks” containing 2 even 1s. The entropy of the information guessed by keystream bit is: ( k +1 2 k +2 log(( k +1 k ) k ) � H = − 1 2 k +2 ) ≈ 1 . 356 k ≥ 0 2 1 . 356 n 1 . 356+1 = 2 0 . 575 n The complexity of the guess is then 2 Lausanne, February 12, 2008 17

  21. Quadratic Attack Exploiting the information algebraically Suppose the block contains k pairs beginning by 0. We have to describe the following information: 1 First and second bits of each block are known (linear) Lausanne, February 12, 2008 18

  22. Quadratic Attack Exploiting the information algebraically Suppose the block contains k pairs beginning by 0. We have to describe the following information: 1 First and second bits of each block are known (linear) 2 Only one pair among the remaining ones begins by 1: Lausanne, February 12, 2008 18

  23. Quadratic Attack Exploiting the information algebraically Suppose the block contains k pairs beginning by 0. We have to describe the following information: 1 First and second bits of each block are known (linear) 2 Only one pair among the remaining ones begins by 1: There is at most one “1” among the even bits: ( s 2 i j = 1) ⇒ ( s 2 i l = 0) gives s 2 i j s 2 i l = 0 Lausanne, February 12, 2008 18

  24. Quadratic Attack Exploiting the information algebraically Suppose the block contains k pairs beginning by 0. We have to describe the following information: 1 First and second bits of each block are known (linear) 2 Only one pair among the remaining ones begins by 1: There is at most one “1” among the even bits: ( s 2 i j = 1) ⇒ ( s 2 i l = 0) gives s 2 i j s 2 i l = 0 There is at least one “1” among the even bits of the block: � k +1 j =1 s 2 i j = 1 Lausanne, February 12, 2008 18

Recommend

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1 Guess 0 Guess 1 Guess 0 Guess 1 2 ATM Alternating Turing Machine Guess 0 Guess 1 Guess 0 Guess 1

1.35k views • 120 slides
CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get!

CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get!

CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get! Guess a 1/2! The expected value. Win X, 100 times. How much will you win the 101st. Guess average! Lets Guess! How much does random person

410 views • 27 slides
Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 Washington D.C. Itai Dinur 1 , Tim Gneysu 2 , Christof Paar 2 , Adi Shamir 1 , and Ralf Zimmermann 2 1

754 views • 58 slides
INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE

INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE

MATHEMATICAL PERSEVERANCE: INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE RULE? 4, 6, 8 10, 12, 14 Guess the rule that applies to both sequences OR You can guess a set of three numbers you

544 views • 25 slides
Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320

Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320

Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320 Million Guess ss their net worth: $440 Million Guess ss their net worth: $3.2 Billion https://www.youtube.com/watch?v=ib-0_N9G0Lo Guess ss their

1.71k views • 145 slides
Clock Control Sequence Reconstruction in the Generalized Shrinking Generator Jan Inge Trontveit

Clock Control Sequence Reconstruction in the Generalized Shrinking Generator Jan Inge Trontveit

Outline Introduction The Attack Experiment Conclusions Future Work Clock Control Sequence Reconstruction in the Generalized Shrinking Generator Jan Inge Trontveit June 7, 2006 Jan Inge Trontveit Clock Control Sequence Reconstruction in

235 views • 19 slides
Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner? HOSPITALITY Jesus the Lover and Host Passover The Lords Supper (Eucharist) The Marriage Feast of the Lamb Jesus the Stranger and Guest

274 views • 10 slides
2 To produce strong economic growth in a country with a shrinking population is close to

2 To produce strong economic growth in a country with a shrinking population is close to

S UPERWOMAN IS AN I MMIGRANT KAJAL SANGHRAJKA Churchill Fellow 2017-18 @kajalnyclon 2 To produce strong economic growth in a country with a shrinking population is close to impossiblein only 3 of 698 cases did a country with a shrinking

1.1k views • 22 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) = ln( x ) by comparing derivatives. We can in turn use these algebraic rules to simplify the natural logarithm of products and quotients. If a and b are

182 views • 5 slides
U G L I C H T O W N R E V I T A L I Z A T I O N

U G L I C H T O W N R E V I T A L I Z A T I O N

U G L I C H T O W N R E V I T A L I Z A T I O N PROBLEM SHRINKING CITIES increasing global problem Shrinking cities means the cities which have a signifjcant

439 views • 15 slides
Guess Whos Coming to Dinner? Psalm 23 Luke 7:36 50 In 1967, Spencer Tracy and Katherine

Guess Whos Coming to Dinner? Psalm 23 Luke 7:36 50 In 1967, Spencer Tracy and Katherine

Belmont UMC / Missions Month April 22, 2018 Guess Whos Coming to Dinner? Psalm 23 Luke 7:36 50 In 1967, Spencer Tracy and Katherine Hepburn made their ninth and final film together. In Guess Whos Coming to Dinner? , the famous pair

328 views • 5 slides
Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with

Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with

Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with Andrei Yafaev. Cetraro, July 14, 2017. Hermitian Locally Symmetric Spaces-bi-Algebraic point of view. The following transcendental maps relates

368 views • 21 slides
States Growing Interest in Sins Despite Shrinking Sin Tax Revenues National Tax

States Growing Interest in Sins Despite Shrinking Sin Tax Revenues National Tax

States Growing Interest in Sins Despite Shrinking Sin Tax Revenues National Tax Association 49th Annual Spring Symposium May 17, 2019 Lucy Dadayan and Richard Auxier Cigarette / tobacco taxation 1864 Federal government enacted

346 views • 20 slides
Some Algebraic Structures Here are some algebraic structures we will study this year : Rings

Some Algebraic Structures Here are some algebraic structures we will study this year : Rings

Some Algebraic Structures Here are some algebraic structures we will study this year : Rings Fields Groups Vector Spaces (in more details) Modules Rings Perhaps the most familiar algebraic structure is rings . Rings have two

243 views • 8 slides
What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking

What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking

What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking In Elementary Math: The Power of a Routine Melissa Canham @Melissa_Canham Glenda Martinez @GCMartinez23 Common Components of CGI / CCS-M

962 views • 47 slides
Doesnt, Whats Next? QUOTES GUESS WHO SAID WHAT? Thats been one of my mantras

Doesnt, Whats Next? QUOTES GUESS WHO SAID WHAT? Thats been one of my mantras

Key Thoughts Events, What Works, What Doesnt, Whats Next? QUOTES GUESS WHO SAID WHAT? Thats been one of my mantras focus and simplicity. Simple can be harder than complex: you have to work hard to get your thinking clean to

237 views • 7 slides
GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

create your own exercise Berkay Kozan, Jan Krol Group 202 GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA + Black Tulip How Certificate Transparency Works SCT delivering methods Merkle

729 views • 55 slides
MHD FLOW AND HEAT TRANSFER THROUGH A POROUS MEDIUM OVER A STRETCHING / SHRINKING SURFACE WITH

MHD FLOW AND HEAT TRANSFER THROUGH A POROUS MEDIUM OVER A STRETCHING / SHRINKING SURFACE WITH

MHD FLOW AND HEAT TRANSFER THROUGH A POROUS MEDIUM OVER A STRETCHING / SHRINKING SURFACE WITH SUCTION By Ali Mansoor Alanbri & Rakan Saud Alharbi Mathematics Department, College of Science, Majmaah University, Alzul, KSA Rajab 14, 1436

1.34k views • 82 slides
Performance Prediction and Shrinking Language Models . Chen Stanley F IBM T.J. Watson

Performance Prediction and Shrinking Language Models . Chen Stanley F IBM T.J. Watson

Performance Prediction and Shrinking Language Models . Chen Stanley F IBM T.J. Watson Research Center Yorktown Heights, New York, USA 27 June 2011 Joint work with Stephen Chu, Ahmad Emami, Lidia Mangu, Bhuvana Ramabhadran,

886 views • 41 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
-1- INTRODUCTION When I was first approached to make this presentation, I was surprised. I guess

-1- INTRODUCTION When I was first approached to make this presentation, I was surprised. I guess

-1- INTRODUCTION When I was first approached to make this presentation, I was surprised. I guess I assumed that one would start a session on the results of the Programme for International Assessment of Adult Competencies or PIAAC with someone

609 views • 29 slides

More recommend