The Optimal Key Estimation of Stream Ciphers and Its Approximation Algorithm Based on a Probabilistic Inference
Yuji Iikubo, Shunsuke Horii, Toshiyasu Matsushima
Waseda University
ISITA 2012, October 30
Background
• Stream Cipher
    – A class of symmetric-key algorithms.
    – The ciphertext is produced by adding the plaintext bits and the
      keystream bits bitwise (XOR).

  [Figure: encryption and decryption. On each side the secret key seeds a
  Pseudo-Random Number Generator that outputs the keystream; plaintext …110…
  XOR keystream …010… gives ciphertext …100…, and ciphertext XOR the same
  keystream gives back the plaintext …110….]

The security of a stream cipher depends on the structure of its
Pseudo-Random Number Generator (PRNG).
Previous Study
 There are various types of PRNGs, and attack algorithms have been studied
 for each of them individually.

• Example)
   – Mihaljević et al. proposed a fast correlation attack against the
     nonlinear combiner generator (NCG).
   – Forré proposed a fast correlation attack against the nonlinear filter
     generator (NFG).

  • These attack algorithms can NOT be applied to other stream ciphers.
  • The optimal attack is NOT clear.
Aim of Our Study
      We propose a unified framework of an attack algorithm that
      can be applied to a wide variety of stream ciphers.

Outline
  General PRNG
    I.   Express the problem of attacks on a general PRNG as a
         probabilistic inference problem.
    II.  Formulate the optimal key estimation.
  Specific PRNG
    III. Describe some specific PRNGs as probabilistic models.
    IV.  Propose the approximation algorithm to calculate the
         optimal key estimation.
Problem Description
  We express the problem of attacks on a general stream cipher
  as a probabilistic inference problem.
     $s \in \{0,1\}^L$ : secret key
     $z \in \{0,1\}^N$ : keystream

  The model is $P(s)$ → $s$ → Pseudo-Random Number Generator → $z$, where
  $P(z \mid s)$ describes the PRNG. Since $z$ is determined deterministically
  from $s$, $P(z \mid s) \in \{0, 1\}$: it is 1 if the PRNG seeded with $s$
  outputs $z$ and 0 otherwise.

Assumption (known-plaintext attack)
  • An attacker knows the keystream $z$ (known plaintext XOR ciphertext)
    and the structure of the PRNG, i.e. $P(z \mid s)$.
  • $P(s)$ is the uniform distribution.

  The aim of the attacker is to find the secret key $s$ under these assumptions.
The Optimal Estimation
 We formulate the optimal key estimation based on statistical
 decision theory.

     $\hat{s} \in \{0,1\}^L$ : the estimated value of $s$.
     $\hat{s} = \psi(z)$ : decision function

The optimal decision function $\psi^*(z)$ minimizes the mean error rate;
for the 0/1 loss this is the decision that maximizes the posterior
$P(s \mid z)$, i.e. the joint probability:

     $\psi^*(z) = \arg\max_{s} P(s, z)$

Since $P(s)$ is uniform, this is also the $s$ maximizing $P(z \mid s)$; with
a deterministic PRNG every key whose keystream equals $z$ attains the maximum.
Pseudo-Random Number Generator (PRNG)
 Some PRNGs consist of a linear feedback shift register (LFSR).

  The secret key $\boldsymbol{s}$ is loaded as the initial state of the LFSR,
  and the LFSR outputs the sequence
     $\boldsymbol{x} = x_1 x_2 \cdots x_N \in \{0,1\}^N$.

 $\boldsymbol{s}$ and $\boldsymbol{x}$ are in one-to-one correspondence through a linear map.
     There exists a parity check matrix $H$ which satisfies $H \boldsymbol{x}^T = 0$
     for every LFSR output (each row of $H$ is one step of the linear recurrence).

      $\boldsymbol{s}$ can be easily obtained from $\boldsymbol{x}$ (any $L$ consecutive
      output bits determine the state through the recurrence).

      We therefore consider the estimation of $\boldsymbol{x}$ instead of $\boldsymbol{s}$.
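The linear structure this slide relies on, as an added example that is not part of the presentation: a toy LFSR in Python, the parity check matrix H built from its recurrence, the check H x^T = 0, and the recovery of the initial state from any L consecutive output bits. The register (taps, initial state, output length) is constructed for illustration and is not one of the paper's parameters.

```python
"""LFSR as a linear map: the output x = x_1 ... x_N is fixed by the initial state s, every
valid output satisfies H x^T = 0 for the parity check matrix H built from the recurrence,
and s is recovered from x by running the (invertible) linear recurrence backwards."""
from itertools import product


def lfsr_sequence(state, taps, n):
    """x[i] = XOR_{j in taps} x[i-j] for i >= L; taps are offsets with max(taps) = L.
    The first L output bits are the initial state s itself."""
    x = list(state)
    while len(x) < n:
        x.append(sum(x[-j] for j in taps) & 1)
    return x


def parity_check_matrix(L, taps, N):
    """One row per recurrence step i = L..N-1 with ones at i and i-j (j in taps):
    H x^T = 0 holds exactly when x obeys the recurrence, i.e. when x is an LFSR output."""
    H = []
    for i in range(L, N):
        row = [0] * N
        row[i] = 1
        for j in taps:
            row[i - j] ^= 1
        H.append(row)
    return H


def syndrome(H, x):
    """H x^T over GF(2): N-L parity bits, all zero for a genuine output."""
    return [sum(h & b for h, b in zip(row, x)) & 1 for row in H]


def state_from_window(window, k, taps):
    """Invert the linear map: given x[k:k+L], step the recurrence backwards k times with
    x[i-L] = x[i] XOR (XOR of x[i-j] for taps j < L), which yields s = x[0:L]."""
    L = len(window)
    x = list(window)                     # x[t] here stands for sequence bit x[k + t]
    for _ in range(k):
        prev = x[L - 1] ^ (sum(x[L - 1 - j] for j in taps if j < L) & 1)
        x = [prev] + x[:-1]
    return x


def is_one_to_one(L, taps, N):
    """All 2^L initial states give distinct outputs, so s -> x is injective."""
    outputs = {tuple(lfsr_sequence(s, taps, N)) for s in product((0, 1), repeat=L)}
    return len(outputs) == 2 ** L


if __name__ == "__main__":
    TAPS, S, N = (1, 4), (1, 0, 0, 1), 20   # constructed toy register: x[i] = x[i-1] ^ x[i-4]
    X = lfsr_sequence(S, TAPS, N)
    H = parity_check_matrix(len(S), TAPS, N)
    print("output            :", "".join(map(str, X)))
    print("syndrome          :", syndrome(H, X))        # all zero for a genuine output
    Y = list(X)
    Y[7] ^= 1                                             # one flipped bit violates every check touching it
    print("syndrome, bit 7 flipped:", syndrome(H, Y))
    print("state from x[5:9] :", state_from_window(X[5:9], 5, TAPS))
    print("injective         :", is_one_to_one(len(S), TAPS, N))
```

A corrupted bit shows up only in the rows of H that contain it (three rows for a two-tap register), which is exactly the local structure the factor graph of the LFSR part exploits later in the talk.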
 Pseudo-Random Number Generator
 As an example, we describe the nonlinear combiner generator (NCG).

  [Figure: LFSR(1), …, LFSR(K) output the sequences $\boldsymbol{x}^{(1)}, \ldots, \boldsymbol{x}^{(K)}$,
  which a nonlinear function combines bitwise into the keystream $\boldsymbol{z}$.]

• The joint probability mass function $P(\boldsymbol{x}, \boldsymbol{z})$ of the NCG is the
  uniform prior $1/(\text{the number of secret keys})$, with $\boldsymbol{x}$ ranging over
  valid LFSR outputs ($H \boldsymbol{x}^T = 0$), multiplied by an indicator that is 1 when the
  nonlinear function relation $z_n = f(x_n^{(1)}, \ldots, x_n^{(K)})$ is true for every $n$
  and 0 when it is false.

   The computational complexity of calculating $\psi^*(\boldsymbol{z}) = \arg\max_{\boldsymbol{x}} P(\boldsymbol{x}, \boldsymbol{z})$
   by enumeration is exponential in the secret key length.
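The optimal decision of the previous section carried out literally, as an added example that is not from the paper: a toy NCG (three short LFSRs combined by the nonlinear function of the paper's first experiment) and a brute-force $\psi^*(z) = \arg\max_s P(s, z)$ over all $2^L$ keys. Register lengths, taps and the secret key are constructed for the example. With a deterministic PRNG and a uniform prior, the argmax set is exactly the set of keys consistent with $z$, and the cost is one PRNG run per key, which is the exponential complexity the slide refers to.

```python
"""Brute-force optimal key estimation psi*(z) = argmax_s P(s, z) for a toy NCG.
With uniform P(s) and a deterministic PRNG, P(s, z) is 2^-L when PRNG(s) = z and 0
otherwise, so the optimal decision is the set of keys consistent with z at a cost of
2^L PRNG runs."""
from itertools import product


def lfsr_sequence(state, taps, n):
    """x[i] = XOR_{j in taps} x[i-j]; the first L outputs are the initial state itself."""
    x = list(state)
    while len(x) < n:
        x.append(sum(x[-j] for j in taps) & 1)
    return x


def ncg_keystream(key, lengths, taps, f, n):
    """Nonlinear combiner generator: K LFSRs seeded from consecutive slices of the key,
    their outputs combined bitwise by f."""
    seqs, pos = [], 0
    for L, t in zip(lengths, taps):
        seqs.append(lfsr_sequence(key[pos:pos + L], t, n))
        pos += L
    return [f(*bits) for bits in zip(*seqs)]


def p_z_given_s(z, s, lengths, taps, f):
    """The PRNG is deterministic, so P(z | s) is an indicator: 1 if it produces z, else 0."""
    return 1.0 if ncg_keystream(s, lengths, taps, f, len(z)) == z else 0.0


def optimal_estimates(z, lengths, taps, f):
    """psi*(z): every key maximising P(s, z) = P(s) P(z | s).
    Returns (the argmax set, the number of keys that had to be tried)."""
    L = sum(lengths)
    prior = 2.0 ** -L                        # uniform P(s)
    best, argmax = 0.0, []
    for s in product((0, 1), repeat=L):      # 2^L candidates: exponential in the key length
        p = prior * p_z_given_s(z, s, lengths, taps, f)
        if p > best:
            best, argmax = p, [s]
        elif p == best and p > 0:
            argmax.append(s)
    return argmax, 2 ** L


# Constructed toy instance (not the paper's parameters): the combiner of the paper's NCG
# experiment, three registers of lengths 3, 4, 5 (L = 12) and N = 40 known keystream bits.
F = lambda a, b, c: (a & b) ^ (b & c) ^ c
LENGTHS, TAPS = (3, 4, 5), ((1, 3), (1, 4), (2, 5))
KEY = (1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 1)
Z = ncg_keystream(KEY, LENGTHS, TAPS, F, 40)

if __name__ == "__main__":
    keys, tried = optimal_estimates(Z, LENGTHS, TAPS, F)
    print(f"{tried} keys tried, {len(keys)} maximise P(s, z); true key found: {KEY in keys}")
```

Doubling the key length of this toy squares the number of candidates, which is why the paper replaces the exact argmax by the sum-product approximation on a factor graph.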
Approximation Algorithm
We adopt the sum-product algorithm (SPA) as the approximation algorithm,
since it is known to be effective in several fields: coding theory,
signal processing, artificial intelligence, etc.

 The SPA is an iterative message-passing algorithm operating on a factor
 graph (FG) that efficiently computes approximate marginal probabilities.
Factor Graph (FG)
 —a bipartite graph that represents the structure of the factorization
  of a function.

Example)
     $g(x_1, x_2, x_3, x_4) = f_A(x_1, x_2, x_3)\, f_B(x_2, x_3, x_4)$

  [Figure: factor graph of $g(x_1, x_2, x_3, x_4)$. Factor nodes (■) $f_A$ and $f_B$;
  variable nodes (○) $x_1, x_2, x_3, x_4$; $f_A$ is joined to $x_1, x_2, x_3$ and
  $f_B$ to $x_2, x_3, x_4$.]

  Note that this graph contains a cycle ($x_2$ – $f_A$ – $x_3$ – $f_B$ – $x_2$), so on it
  the SPA described next gives only approximate marginals.
Sum-Product Algorithm (SPA)
  In the SPA, messages on the FG are updated iteratively. Write $n(x)$ for the
  factor nodes adjacent to the variable node $x$, $n(f)$ for the variable nodes
  adjacent to the factor node $f$, and $\sim\{x\}$ for the summation over all
  arguments of $f$ except $x$.
• Update rule
  variable node → factor node:
     $\mu_{x \to f}(x) = \prod_{h \in n(x) \setminus \{f\}} \mu_{h \to x}(x)$
  factor node → variable node:
     $\mu_{f \to x}(x) = \sum_{\sim\{x\}} f(\boldsymbol{x}_{n(f)}) \prod_{y \in n(f) \setminus \{x\}} \mu_{y \to f}(y)$

• Termination
     $P(x) \propto \prod_{h \in n(x)} \mu_{h \to x}(x)$
            exact marginal probability if the FG has no cycles.
            approximate marginal probability if the FG has any cycles.
Preprocessing
  The FG of the LFSR part
  [Figure: variable nodes $x_1, x_2, \ldots, x_L, \ldots, x_N$ joined to the
  parity check factor nodes of $H$, which are densely connected.]
  many edges → the complexity of the SPA is quite large.

  The preprocessing proposed by Mihaljević et al. is applied to reduce the
  complexity of the SPA:
  [Figure: the same variable nodes joined to a very sparse set of check nodes.]
  very sparse FG
     However, the first B bits must be searched exhaustively.
Key Estimation Algorithm
 • The FG of the nonlinear combiner generator (NCG)

  [Figure: for every time $n$ the keystream variable node $z_n$ is joined through
  one factor node to the register variable nodes $x_n^{(1)}, \ldots, x_n^{(K)}$, and
  each register sequence $\boldsymbol{x}^{(k)}$ is joined to its (sparse) parity check
  factor nodes.]

  The factor node between $z_n$ and $x_n^{(1)}, \ldots, x_n^{(K)}$ is the indicator
     $[z_n = f(x_n^{(1)}, \cdots, x_n^{(K)})]$,
  which is 1 when the nonlinear function relation holds and 0 otherwise.

      To estimate the key bits, the SPA is operated on this factor graph.
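The SPA update rules of the earlier slide and the NCG factor graph of this slide in one added Python example; this is not the authors' code. It implements the flooding sum-product algorithm with tabular factors over binary variables, checks it against brute force on a cycle-free chain (where the marginals must be exact), then builds the NCG factor graph: parity check factors taken directly from each LFSR recurrence, the indicator $[z_n = f(\cdot)]$ for every keystream bit, and optional evidence factors that clamp register bits, standing in for the B bits that the preprocessing leaves to exhaustive search. The toy register sizes, taps, key and the message clipping floor are this example's assumptions; the Mihaljević et al. preprocessing itself is not implemented.

```python
"""Sum-product algorithm (SPA) on a binary factor graph: checked against brute force on a
cycle-free graph, then run on the factor graph of a toy nonlinear combiner generator (NCG)."""
from itertools import product

EPS = 1e-12  # message clipping as in practical BP decoders: a nonzero entry never underflows to 0

def normed(m):
    s = sum(m) or 1.0
    return [max(e / s, EPS) if e > 0 else 0.0 for e in m]

def sum_product(n_vars, factors, iters):
    """Flooding SPA; factors = [(vars, table)], table(assignment) >= 0. Exact iff cycle-free."""
    nbrs = [[] for _ in range(n_vars)]
    for fi, (vs, _) in enumerate(factors):
        for v in vs:
            nbrs[v].append(fi)
    f2v = {(fi, v): [1.0, 1.0] for fi, (vs, _) in enumerate(factors) for v in vs}
    v2f = {edge: [1.0, 1.0] for edge in f2v}
    for _ in range(iters):
        for fi, v in v2f:  # variable -> factor: product of the messages from the other factors
            m = [1.0, 1.0]
            for h in nbrs[v]:
                if h != fi:
                    m = [m[0] * f2v[h, v][0], m[1] * f2v[h, v][1]]
            v2f[fi, v] = normed(m)
        for fi, (vs, table) in enumerate(factors):  # factor -> variable: sum out the others
            for i, v in enumerate(vs):
                m = [0.0, 0.0]
                for a in product((0, 1), repeat=len(vs)):
                    w = table(a)
                    for j, u in enumerate(vs):
                        if j != i:
                            w *= v2f[fi, u][a[j]]
                    m[a[i]] += w
                f2v[fi, v] = normed(m)
    beliefs = []
    for v in range(n_vars):  # termination: product of every message into the variable node
        b = [1.0, 1.0]
        for h in nbrs[v]:
            b = [b[0] * f2v[h, v][0], b[1] * f2v[h, v][1]]
        beliefs.append(normed(b)[1])
    return beliefs

def brute_marginals(n_vars, factors):
    """Exact P(x_v = 1) by summing the factorised function over all 2^n assignments."""
    weight = {x: 1.0 for x in product((0, 1), repeat=n_vars)}
    for x in weight:
        for vs, table in factors:
            weight[x] *= table(tuple(x[v] for v in vs))
    tot = sum(weight.values())
    return [sum(w for x, w in weight.items() if x[v]) / tot for v in range(n_vars)]

# Cycle-free check: a chain of three factors on x0..x3, so the SPA must equal brute_marginals.
CHAIN = [((0, 1), lambda a: 1.0 + 2 * a[0] + a[1]),
         ((1, 2), lambda a: 1.0 + 3 * a[0] * a[1] + a[1]),
         ((2, 3), lambda a: 2.0 - a[0] * a[1])]

def lfsr_sequence(state, taps, n):
    """x[i] = XOR_{j in taps} x[i-j]; the first L outputs are the initial state itself."""
    x = list(state)
    while len(x) < n:
        x.append(sum(x[-j] for j in taps) & 1)
    return x

def ncg_registers(key, lengths, taps, n):
    """Seed one LFSR per register from consecutive slices of the key; returns the K sequences."""
    offs = [sum(lengths[:k]) for k in range(len(lengths))]
    return [lfsr_sequence(key[o:o + L], t, n) for o, L, t in zip(offs, lengths, taps)]

def ncg_factor_graph(z, lengths, taps, f, guess=None):
    """Variable x^(k)_n is index k*N + n. Factors: LFSR parity checks, the combiner indicators
    [z_n = f(x^(1)_n, ..., x^(K)_n)], and optional evidence clamping bits (guess: {index: bit})."""
    N, K = len(z), len(lengths)
    parity_ok = lambda a: 1.0 if sum(a) % 2 == 0 else 0.0
    factors = []
    for k, (L, t) in enumerate(zip(lengths, taps)):
        for n in range(L, N):
            factors.append(([k * N + n] + [k * N + n - j for j in t], parity_ok))
    for n in range(N):
        factors.append(([k * N + n for k in range(K)], lambda a, zn=z[n]: 1.0 if f(*a) == zn else 0.0))
    for v, bit in (guess or {}).items():
        factors.append(([v], lambda a, b=bit: 1.0 if a[0] == b else 0.0))
    return K * N, factors

def attack_ncg(z, lengths, taps, f, guess=None, iters=None):
    """SPA on the NCG graph, then bitwise MAP: (key estimate = first L_k bits per register, x_hat)."""
    N = len(z)
    n_vars, factors = ncg_factor_graph(z, lengths, taps, f, guess)
    x_hat = [1 if p > 0.5 else 0 for p in sum_product(n_vars, factors, iters or N + 2)]
    return tuple(b for k, L in enumerate(lengths) for b in x_hat[k * N:k * N + L]), x_hat

# Constructed toy instance: the combiner of the paper's NCG experiment on three short LFSRs.
F = lambda a, b, c: (a & b) ^ (b & c) ^ c
LENGTHS, TAPS, N = (3, 4, 5), ((1, 3), (1, 4), (2, 5)), 24
KEY = (1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 1)
REGS = ncg_registers(KEY, LENGTHS, TAPS, N)
TRUE_X, Z = sum(REGS, []), [F(*bits) for bits in zip(*REGS)]

if __name__ == "__main__":
    key_hat, x_hat = attack_ncg(Z, LENGTHS, TAPS, F)
    print(f"key estimate {key_hat}; {sum(a != b for a, b in zip(x_hat, TRUE_X))} of {3 * N} bits wrong")
```

Without clamped bits the graph is loopy, so the estimate is approximate and the printed error count depends on the instance. When every initial-state bit is supplied as evidence (the branch of the exhaustive search that guessed the B bits correctly), the parity check factors propagate deterministically and the SPA reproduces the whole register sequences; the clipping floor only keeps non-zero entries from underflowing and never changes an exact zero, so it does not affect the cycle-free result.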
Key Estimation Algorithm
• Nonlinear filter generator (NFG)
  [Figure: a single LFSR outputs $\boldsymbol{x}$; a nonlinear function of several
  taps of $\boldsymbol{x}$ produces the keystream $\boldsymbol{z}$.]

• The FG of the NFG
  [Figure: each keystream node $z_n$ is joined through one factor node to the LFSR
  variable nodes that the nonlinear function takes as input, and the LFSR nodes
  are joined to the parity check factor nodes.]
Key Estimation Algorithm
• E0
  [Figure: LFSR(1), …, LFSR(4) output $\boldsymbol{x}^{(1)}, \ldots, \boldsymbol{x}^{(4)}$; their
  sum gives $y_n$, which drives a finite state machine $\sigma_{n+1} = T(\sigma_n, y_n)$
  whose state $\sigma_n$ feeds the keystream $\boldsymbol{z}$.]

• The FG of the part of E0
  [Figure: the sum part joins $x_n^{(1)}, \ldots, x_n^{(4)}$ to $y_n$; the finite state
  machine part joins $\sigma_n$, $y_n$, $\sigma_{n+1}$ and $z_n$.]
Experimental Results
• We simulated our proposed attack on the NCG, the NFG and E0.

• We varied the preprocessing parameter B and examined the
  success rate.
                       These B bits must be searched exhaustively.

• We compared the proposed algorithm with a random attack, in which
                the remaining (N – B) bits are randomly selected.
Experimental Results
• Experiment 1 (Attack on NCG)
   The number of LFSRs : 3
   The length of each LFSR : 40
   The length of the given keystream (N) : 1024
   The nonlinear function: $f(x^{(1)}, x^{(2)}, x^{(3)}) = x^{(1)} x^{(2)} \oplus x^{(2)} x^{(3)} \oplus x^{(3)}$

  [Plot: success rate (log scale, 1.E-19 to 1.E-01) versus B = 57, 60, …, 72
  for the proposed attack and the random attack.]
Experimental Results
• Experiment 2 (Attack on NFG)
   The length of the LFSR : 40
   The length of the given keystream (N) : 1024
   The nonlinear function: $f(x_1, x_5, x_{16}, x_{23}) = x_1 \oplus x_1 x_5 \oplus x_5 x_{16} \oplus x_5 x_{16} x_{23}$

  [Plot: success rate (log scale, 1.E-07 to 1.E+00) versus B = 19, 20, …, 24
  for the proposed attack and the random attack.]
Experimental Results
• Experiment 3 (Attack on E0)
   The length of each LFSR : 25, 31, 33, 39
   The length of the given keystream (N) : 128

  [Plot: success rate (log scale, 1.E-08 to 1.E+00) versus B = 104, 108, …, 124
  for the proposed attack and the random attack.]
Discussion
• The experimental results show that the success rate of the
  proposed attack is higher than that of a random attack.

      It is effective to adopt both the SPA as the approximation
      algorithm and the preprocessing proposed by Mihaljević et al.

• As the number B of exhaustively searched bits decreases, the success
  rate also decreases, so B trades the exhaustive-search cost of $2^B$
  candidates against the success rate.
Conclusion
• Summary
  – We proposed a unified framework of an attack algorithm
    that can be applied to various PRNGs.
  – The experimental results show that the proposed
    algorithm is effective.

• Future work
  – We will organize previous research on attacks against
    stream ciphers within our framework.
  – We will examine other approximation algorithms for computing
    the optimal key estimation, and other preprocessing methods.