guess then algebraic attack on the self shrinking
play

Guess-then-algebraic attack on the Self-Shrinking Generator - PowerPoint PPT Presentation

Nov 17, 2023 •175 likes •518 views

Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin Lausanne, February 12, 2008 Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information Lausanne,

  1. Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin Lausanne, February 12, 2008

  2. Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information Lausanne, February 12, 2008 2

  3. Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack Lausanne, February 12, 2008 2

  4. Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream Lausanne, February 12, 2008 2

  5. Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 2

  6. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 3

  7. Description of the self-shrinking Generator SSG is : A pseudo random sequence generator Proposed by Meier and Staffelbach in 1994 Derived from the Shrinking Generator Based on the irregular decimation of the output of one LFSR Decimation principle: LFSR sequence 01 ���� 11 10 ���� 01 00 ���� 11 10 00 ���� ���� ���� ���� ���� 1 0 1 0 When the first bit of the pair is 0, no output when the first bit of the pair is 1, the second bit is the output Lausanne, February 12, 2008 4

  8. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 5

  9. Algorithms to solve polynomial systems Two main families 1 Linear algebra based systems: Algorithms: XL, XSL, T’ Gr¨ obner Bases based algorithms (Buchberger, F4, F5). No theory for non random systems. Large matrices need huge memory. 2 SAT solvers, only for GF(2): Recently proposed in algebraic cryptanalysis by Bard, Courtois and Jefferson. Already used in cryptanalysis on Keeloq and Bivium. One algorithm already used in crypto: MiniSAT. No theory either. Lausanne, February 12, 2008 6

  10. SAT solvers Method Method Converting the multivariate system into a CNF-SAT problem: a = xyz ⇐ ⇒ ( x ∨ ¯ a )( y ∨ ¯ a )( z ∨ ¯ a )( a ∨ ¯ x ∨ ¯ y ∨ ¯ z ) Then applying a SAT-solver algorithm on it. Choose a variable, try to assign it one value and then the other. When some information is learned, new clauses are added to the system. Important Parameters Number of clauses Total length of all the clauses Number of variables Lausanne, February 12, 2008 7

  11. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 8

  12. Notations and Definitions The length of the LFSR L is n , at clock t it outputs s t . The internal sequence at clock t is S t = s 0 s 1 ... s t . Definition (Compression function) C such that at clock t KG produces C ( S t ). KG ouput sequence is C ( S 0 ) C ( S 1 ) · · · C ( S t ). The compression ratio η is the average number of keystream bits C outputs per internal bit. Definition (Information Rate) The keystream reveals about the first m bits of internal sequence the information rate per bit: α ( m ) = 1 m ( H ( S m ) − H ( S m | Y )) Lausanne, February 12, 2008 9

  13. First Attack on this type of PRNG Method Guess all the missing information. Complexity For m output bits, the leakage of information given by the keystream is α m /η . Then the entropy to recover m /η key bits is H ( S m | Y ) = (1 − α ) m η . Final complexity O (2 (1 − α ) n ). On the SSG This is the first attack proposed on the SSG by Meier and Staffelbach. Lausanne, February 12, 2008 10

  14. How to improve this attack Method and Complexity Decrease the amount of information we guess. Guess an amount of information h on the internal sequence per keystream bit, then the known information per keystream bit is h + α/η . The ratio “guessed information”/“total information known per keystream” bit is h h + α η h η n ) h + α Final complexity of the guess is O (2 Issue Once the information is obtained, it has to be exploited to recover the key. Lausanne, February 12, 2008 11

  15. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 12

  16. First Improved Attack (Hell-Johansson 06) Guess Method Instead of guessing all the internal bits, guess the even bits. It is equivalent to guessing the positions of the pairs (1 , e ) in the internal sequence Complexity The entropy per keystream bits for this information is H ( L ) = � + ∞ j +1 2 j +1 = 2 j =0 2 3 n ) The complexity of the guess is then O (2 The information is linear in the key bits, then a Gaussian 2 elimination ( O ( n 3 )) is performed. Final complexity: O ( n 3 2 3 n ) Lausanne, February 12, 2008 13

  17. Mihaljevi´ c Attack (96) Method Look for the case when n 2 consecutive even internal bits are 1s. Then we know n internal bits. n 2 ) Time and Data complexity O (2 Familly of attacks Time/Data Tradeoff with n 3 4 n ) 2 ) to O (2 Time complexity varying from O (2 n 2 ) to O ( n ) accordingly Data complexity varying from O (2 Lausanne, February 12, 2008 14

  18. Combining Attack [Hell-Johannson 06] and [Zhang-Feng 06] Another tradeoff: Look for an internal sequence of length l ( γ ) where the rate of 1s among the even bits is at least γ > 1 2 . l is computed such that it provides enough information (at least n bits). For each subsequence of length l guess the even bits compatible with rate of 1s > γ . Perform a Gaussian elimination on the linear equations provided by the known bits. n 1+ γ ). Time complexity O ( n 3 2 Lausanne, February 12, 2008 15

  19. 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information 2 Previous Work and Known Attacks First Improved Attack Mihaljevi´ c Attack Hell-Johansson and Zhang-Feng Attack 3 Our Attack First Method Using More Keystream 4 Conclusion Lausanne, February 12, 2008 16

  20. Quadratic Attack Method Still decrease the amount of information guessed. Instead of guessing the position of the even internal 1s, guess the position of one out of two. Consequence: if keystream sequence is x i , x i +1 , · · · , x i + k , · · · we do not know the position of the internal pair 1 x 2 i +1 but it ranges between pairs 1 x 2 i and 1 x 2 i +2 positions. Complexity of the Guess We guess size of ”blocks” containing 2 even 1s. The entropy of the information guessed by keystream bit is: ( k +1 2 k +2 log(( k +1 k ) k ) � H = − 1 2 k +2 ) ≈ 1 . 356 k ≥ 0 2 1 . 356 n 1 . 356+1 = 2 0 . 575 n The complexity of the guess is then 2 Lausanne, February 12, 2008 17

  21. Quadratic Attack Exploiting the information algebraically Suppose the block contains k pairs beginning by 0. We have to describe the following information: 1 First and second bits of each block are known (linear) Lausanne, February 12, 2008 18

  22. Quadratic Attack Exploiting the information algebraically Suppose the block contains k pairs beginning by 0. We have to describe the following information: 1 First and second bits of each block are known (linear) 2 Only one pair among the remaining ones begins by 1: Lausanne, February 12, 2008 18

  23. Quadratic Attack Exploiting the information algebraically Suppose the block contains k pairs beginning by 0. We have to describe the following information: 1 First and second bits of each block are known (linear) 2 Only one pair among the remaining ones begins by 1: There is at most one “1” among the even bits: ( s 2 i j = 1) ⇒ ( s 2 i l = 0) gives s 2 i j s 2 i l = 0 Lausanne, February 12, 2008 18

  24. Quadratic Attack Exploiting the information algebraically Suppose the block contains k pairs beginning by 0. We have to describe the following information: 1 First and second bits of each block are known (linear) 2 Only one pair among the remaining ones begins by 1: There is at most one “1” among the even bits: ( s 2 i j = 1) ⇒ ( s 2 i l = 0) gives s 2 i j s 2 i l = 0 There is at least one “1” among the even bits of the block: � k +1 j =1 s 2 i j = 1 Lausanne, February 12, 2008 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1 Guess 0 Guess 1 Guess 0 Guess 1 2 ATM Alternating Turing Machine Guess 0 Guess 1 Guess 0 Guess 1

1.35k views • 120 slides
CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get!

CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get!

CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get! Guess a 1/2! The expected value. Win X, 100 times. How much will you win the 101st. Guess average! Lets Guess! How much does random person

410 views • 27 slides
Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 Washington D.C. Itai Dinur 1 , Tim Gneysu 2 , Christof Paar 2 , Adi Shamir 1 , and Ralf Zimmermann 2 1

754 views • 58 slides
INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE

INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE

MATHEMATICAL PERSEVERANCE: INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE RULE? 4, 6, 8 10, 12, 14 Guess the rule that applies to both sequences OR You can guess a set of three numbers you

544 views • 25 slides
Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320

Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320

Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320 Million Guess ss their net worth: $440 Million Guess ss their net worth: $3.2 Billion https://www.youtube.com/watch?v=ib-0_N9G0Lo Guess ss their

1.71k views • 145 slides
Clock Control Sequence Reconstruction in the Generalized Shrinking Generator Jan Inge Trontveit

Clock Control Sequence Reconstruction in the Generalized Shrinking Generator Jan Inge Trontveit

Outline Introduction The Attack Experiment Conclusions Future Work Clock Control Sequence Reconstruction in the Generalized Shrinking Generator Jan Inge Trontveit June 7, 2006 Jan Inge Trontveit Clock Control Sequence Reconstruction in

235 views • 19 slides
Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner? HOSPITALITY Jesus the Lover and Host Passover The Lords Supper (Eucharist) The Marriage Feast of the Lamb Jesus the Stranger and Guest

274 views • 10 slides
2 To produce strong economic growth in a country with a shrinking population is close to

2 To produce strong economic growth in a country with a shrinking population is close to

S UPERWOMAN IS AN I MMIGRANT KAJAL SANGHRAJKA Churchill Fellow 2017-18 @kajalnyclon 2 To produce strong economic growth in a country with a shrinking population is close to impossiblein only 3 of 698 cases did a country with a shrinking

1.1k views • 22 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) = ln( x ) by comparing derivatives. We can in turn use these algebraic rules to simplify the natural logarithm of products and quotients. If a and b are

182 views • 5 slides
U G L I C H T O W N R E V I T A L I Z A T I O N

U G L I C H T O W N R E V I T A L I Z A T I O N

U G L I C H T O W N R E V I T A L I Z A T I O N PROBLEM SHRINKING CITIES increasing global problem Shrinking cities means the cities which have a signifjcant

439 views • 15 slides
Guess Whos Coming to Dinner? Psalm 23 Luke 7:36 50 In 1967, Spencer Tracy and Katherine

Guess Whos Coming to Dinner? Psalm 23 Luke 7:36 50 In 1967, Spencer Tracy and Katherine

Belmont UMC / Missions Month April 22, 2018 Guess Whos Coming to Dinner? Psalm 23 Luke 7:36 50 In 1967, Spencer Tracy and Katherine Hepburn made their ninth and final film together. In Guess Whos Coming to Dinner? , the famous pair

328 views • 5 slides
Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with

Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with

Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with Andrei Yafaev. Cetraro, July 14, 2017. Hermitian Locally Symmetric Spaces-bi-Algebraic point of view. The following transcendental maps relates

368 views • 21 slides
States Growing Interest in Sins Despite Shrinking Sin Tax Revenues National Tax

States Growing Interest in Sins Despite Shrinking Sin Tax Revenues National Tax

States Growing Interest in Sins Despite Shrinking Sin Tax Revenues National Tax Association 49th Annual Spring Symposium May 17, 2019 Lucy Dadayan and Richard Auxier Cigarette / tobacco taxation 1864 Federal government enacted

346 views • 20 slides
Some Algebraic Structures Here are some algebraic structures we will study this year : Rings

Some Algebraic Structures Here are some algebraic structures we will study this year : Rings

Some Algebraic Structures Here are some algebraic structures we will study this year : Rings Fields Groups Vector Spaces (in more details) Modules Rings Perhaps the most familiar algebraic structure is rings . Rings have two

243 views • 8 slides
What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking

What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking

What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking In Elementary Math: The Power of a Routine Melissa Canham @Melissa_Canham Glenda Martinez @GCMartinez23 Common Components of CGI / CCS-M

962 views • 47 slides
Introduction to ODE systems and linear algebra notation Nathan Albin November 5, 2017 1 The

Introduction to ODE systems and linear algebra notation Nathan Albin November 5, 2017 1 The

Introduction to ODE systems and linear algebra notation Nathan Albin November 5, 2017 1 The mass-spring equation as a system Starting from the mass-spring equation mx + cx + kx = 0 , we can generate an equivalent first-order system

451 views • 5 slides
Chapte Chapter 1: Nuts and ts and Bolts CS105: Great Insights in Com ights in Computer Science

Chapte Chapter 1: Nuts and ts and Bolts CS105: Great Insights in Com ights in Computer Science

Chapte Chapter 1: Nuts and ts and Bolts CS105: Great Insights in Com ights in Computer Science Comput omputers Design: a hierarchy of par hy of parts Interactions between par een parts are simple and well-defined They are

1.53k views • 139 slides
Theano primer What is Theano? From Theanos online documentation: Theano is a Python library

Theano primer What is Theano? From Theanos online documentation: Theano is a Python library

Theano primer What is Theano? From Theanos online documentation: Theano is a Python library that allows you to define, optimize, and evaluate mathematical expressions involving multi-dimensional arrays e ffi ciently. Does symbolic computation

120 views • 8 slides
Chapter 2 Early History: low level languages The 1950s: first programming languages History of

Chapter 2 Early History: low level languages The 1950s: first programming languages History of

Topics Chapter 2 Early History: low level languages The 1950s: first programming languages History of Programming The 1960s: an explosion in programming languages Languages The 1970s: back to simplicity Functional and logic programming

582 views • 8 slides
Analyzing Student Equation Entries in a Computer Tutorial System Joel A. Shapiro Dept. of

Analyzing Student Equation Entries in a Computer Tutorial System Joel A. Shapiro Dept. of

AAPT meeting, Jan. 23, 2002, EH05 Analyzing Student Equation Entries in a Computer Tutorial System Joel A. Shapiro Dept. of Physics and Astronomy Rutgers University shapiro@physics.rutgers.edu Intelligent Tutoring Systems Interactively

537 views • 15 slides
Real Solving on Algebraic Systems of Small Dimension Masters Thesis Presentation Dimitrios I.

Real Solving on Algebraic Systems of Small Dimension Masters Thesis Presentation Dimitrios I.

Real Solving on Algebraic Systems of Small Dimension Masters Thesis Presentation Dimitrios I. Diochnos University of Athens March 8, 2007 D. I. Diochnos (Univ. of Athens, Q ) Real Solving on Bivariate Algebraic Systems Mar 07

1.22k views • 93 slides
Laplace Transforms e st f ( t ) dt . Definition 1 (Laplace Transform) . L [ f ( t )] =

Laplace Transforms e st f ( t ) dt . Definition 1 (Laplace Transform) . L [ f ( t )] =

Laplace Transforms e st f ( t ) dt . Definition 1 (Laplace Transform) . L [ f ( t )] = 0 Well often write Y ( s ) = L [ y ( t )]. Because e st = 1 e st is very small is s > 0 and t is large, the Laplace Transform will be

630 views • 3 slides
Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

T-79.514 Special Course on Cryptology November 25 th , 2004 Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology mkivihar@cc.hut.fi T-79.514 Special Course on Cryptology Mikko Kiviharju 1 Overview

493 views • 28 slides

More recommend