Attacks on the Filter Generator and the Nonlinear Combiner Generator

Tor Helleseth

Department of Informatics

University of Bergen

NORWAY

Joint work: Sondre Rønjom, Guang Gong and M. Hojsik

Outline • Filter generator

- m-sequences

- Nonlinear Boolean functions

• Standard algebraic attack on the filter generator

• New attack on the binary filter generator

• Extending attack to filter generator over GF(2m)

• Linear representations of filter generator

• Generalizations of attack to nonlinear combiner

Symmetric Stream Cipher

Plaintext

Key

Pseudorandom-generator

Key

Pseudorandom-generator

Plaintext Ciphertext

Keystream Keystream

Requirements for a good keystream - Good randomness distribution - Long period - High complexity

m-Sequence (Example)

(st) : 000100110101111…

st+4 = st+1+ st

g(x)=x4+x+1

Properties of m-sequences• Period ε = 2n - 1• Balanced• Run properties• st+st+=st+ • Two-level autocorrelation

• st = Trn(Aαt) = Σj(Aαt)2j = A1αt + A2α2t + A3α4t + A4α8t

Binary Filter Generator

. . .

f

...LFSRS

zt

• LFSR of length n generating an m-sequence

(st) of period 2n-1 determined by initial state (s0,s1,...,sn-1)

• Nonlinear Boolean function f(x0,x1,...,xn-1) of degree d

f(x0,x1,...,xn-1) = Σ ca0a1..ar-1 xa0

xa1

...xar-1 = ΣA cAxA

Keystream

zt = f(st,st+1,...,st+n-1)

= ft(s0,s1,...,sn-1)

Example – Filter Generator

zt = stst+1 + st+1st+3 + st+3

st st+1 st+2 st+3

·

f(x0,x1,x2,x3) = x0x1+x1x3+x3

·

z0 = f(s0,s1,s2,s3) = s0s1+s1s3+s3 (= f0 )

z1 = f(s1,s2,s3,s4) = f(s1,s2,s3,s0+s1) = s0+s1+s0s2 (= f1)z2 = f(s2,s3,s4,s5) = f(s2,s3,s0+s1,s1+s2) = s1+s2+s1s3 (= f2) .........................

g(x)=x4+x+1 st+4=st+1+st

Multivariate Equations

z0 = s0s1+s1s3+s3

z1 = s0s2+s0+s1

z2 = s1s3+s1+s2

z3 = s0s2+s1s2+s2+s3

z4 = s1s3+s2s3+s0+s1+s3

z5 = s0s2+s0s3+s1s2+s1s3+s0+s1+s2 ...Linearization gives a linear system with ( )+( ) = 10 unknowns z0 = a4 + a8 + a3

z1 = a5 + a0 + a1

z2 = a8 + a1+ a2

z3 = a5 + a7 + a2 + a3

z4 = a8 + a9 + a0 + a1 + a3

z5 = a5 + a6 + a7 + a8 + a0 + a1 + a2 ...Solve by using Gaussian elimination

4 4 2 1

Standard Algebraic Attack• Shift register m-sequence (st) of period 2n - 1• Boolean function f(x0,x1,...,xn-1) of degree d zt = f(st,st+1,...,st+n-1) = ft(s0,s1,...,sn-1)• Nonlinear equation system of degree d in n unknowns

s0,...,sn-1

• Reduce to linear system in D unknowns monomials• D = ( ) + ( ) + ... + ( )• Need about D keystream bits• Complexity Dω , ω =log2 7 ≈ 2.807 • Courtois, Canteaut: filter generator to be secure needs - n=128, d ≥ 16 complexity > 2128 (ω≈2) - n=256, d ≥ 30 complexity > 2256 (ω≈2)

n n n d d-1 1

New Algebraic Attack • Rønjom-Helleseth 2006 • Recovering initial state of the binary filter generator

in complexity

- Pre-computation O(D (log2D)3)

- Attack O(D)

- Need D keystream bits

• Main idea - Coefficient sequences of I={i0,i1,...,ir-1}

- Consider (binary) coefficient KI,t in ft(s0,s1,...,sn-1)

of the monomial sI=si0si1...sir-1

at time t

- KI,t obeys some nice recursions

Example - Coefficient Sequences• Let st+4=st+1+st i.e., s4=s1+s0

• zt=f(st,st+1,st+2,st+3) = st+2+stst+1+st+1st+2st+3+stst+1st+2st+3

• z0 = f0(s0,s1,s2,s3) = s2+s0s1+s1s2s3+ s0s1s2s3

• z1 = f1(s0,s1,s2,s3) = s3+s1s2+ s0s2s3 +s0s1s2s3

• z2 = f2(s0,s1,s2,s3) = s0+s1+s1s3+s2s3 +s0s1s3+s1s2s3+ s0s1s2s3

• z3 = f3(s0,s1,s2,s3) = s1+s2+s0s2 +s0s3+s1s3+s0s1s2+ s0s2s3 +s0s1s2s3 • z4 = f4(s0,s1,s2,s3) = s1+s2+s3+s0s1+s0s2+s1s2+s0s1s3+ s0s1s2s3

• z5 = f5(s0,s1,s2,s3) = s0+s1+s2+s3+s1s3+s2s3+ s0s1s2+ s0s1s3+s0s1s2s3

Some coefficient sequences I={0,1,2,3} KI,t= 1 1 1 1 1 1... I={0,2,3} KI,t= 0 1 0 1 0 0... I={1,3} KI,t= 0 0 1 1 0 1...

Coefficient Sequence

• Let I = {i0,i1,...,ir-1} and sI = si0 si1

... sir-1

• The coefficients of the monomial sI at time t is called KI,t

• The coefficient sequence KI,t is defined by

zt = f(st,st+1,...,st+n-1)

= ft(s0,s1,...,sn-1)

= ΣI sI KI,t

• The main idea behind the attack is to determine the characteristic polynomial of KI,t

• The main task is to compute a polynomial p(x)=Σpjxj that generates KI,t for |I|≥2 (and hopefully not KI,t for |I|=1).

Coefficient Sequences – Examplef(s0,s1,s2,s3) = s2+s0s1+s1s2s3+s0s1s2s3 ; s4=s0+s1

f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14

s0 0 0 1 0 0 1 1 1 1 0 1 0 0 0 1 K0,t

s1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 1 K1,t

s2 1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 K2,t

s3 0 1 0 0 1 1 1 1 0 1 0 0 0 1 0 K3,t

s0s1 1 0 0 0 1 0 0 1 0 1 1 0 0 0 0 K01,t

s0s2 0 0 0 1 1 0 1 1 0 1 1 0 0 0 0 K02,t

s1s2 0 1 0 0 1 0 1 1 0 0 0 0 1 0 0 K12,t

s0s3 0 0 0 1 0 0 1 0 1 1 0 0 0 0 1 K03,t

s1s3 0 0 1 1 0 1 1 0 1 1 0 0 1 0 0 K13,t

s2s3 0 0 1 0 0 1 0 1 1 0 0 0 1 0 0 K23,t

s0s1s2 0 0 0 1 0 1 0 0 1 1 0 1 1 1 0 K012,t

s0s1s3 0 0 1 0 1 0 0 1 1 0 1 1 1 0 0 K013,t

s0s2s3 0 1 0 1 0 0 1 1 0 1 1 1 0 0 0 K023,t

s1s2s3 1 0 1 0 0 1 1 0 1 1 1 0 0 0 0 K123,t

s0s1s2s3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 K0123,t

Recursion - Coefficient Sequences f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14

s0 0 0 1 0 0 1 1 1 1 0 1 0 0 0 1 K0,t

s1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 1 K1,t

s2 1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 K2,t

s3 0 1 0 0 1 1 1 1 0 1 0 0 0 1 0 K3,t

s0s1 1 0 0 0 1 0 0 1 0 1 1 0 0 0 0 K01,t

s0s2 0 0 0 1 1 0 1 1 0 1 1 0 0 0 0 K02,t

s1s2 0 1 0 0 1 0 1 1 0 0 0 0 1 0 0 K12,t

s0s3 0 0 0 1 0 0 1 0 1 1 0 0 0 0 1 K03,t

s1s3 0 0 1 1 0 1 1 0 1 1 0 0 1 0 0 K13,t

s2s3 0 0 1 0 0 1 0 1 1 0 0 0 1 0 0 K23,t

s0s1s2 0 0 0 1 0 1 0 0 1 1 0 1 1 1 0 K012,t

s0s1s3 0 0 1 0 1 0 0 1 1 0 1 1 1 0 0 K013,t

s0s2s3 0 1 0 1 0 0 1 1 0 1 1 1 0 0 0 K023,t

s1s2s3 1 0 1 0 0 1 1 0 1 1 1 0 0 0 0 K123,t

s0s1s2s3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 K0123,t

Calculating gi(x) - m=4Characteristic polynomial g(x)=x4+x+1• g(α) = α4+ α+1 = 0, α15=1

• g4(x) = Πwt(l)=4(x+αl) = x + 1 • g3(x) = Πwt(l)=3(x+αl) = x4+x3+1• g2(x) = Πwt(l)=2(x+αl) = (x4+x3+x2+x+1)(x2+x+1) • g1(x) = Πwt(l)=1(x+αl) = x4+x+1

• p(x) = g2(x)g3(x)g4(x) = x11+x8+x7+x5+x3+x2+x+1 = Σi pixi

• KI,t , |I|=4 generated by g4(x) (and by p(x) )• KI,t , |I|=3 generated by g3(x) g4(x) (and by p(x) )• KI,t , |I|=2 generated by g2(x) g3(x) g4(x) (and by p(x) )• KI,t , |I|=1 generated by g1(x) g2(x) g3(x) g4(x)

Characteristic polynomial of KI,t

• (st) є Ω(g(x)) (denotes (st) is generated by g(x))

- Zeros of g(x) : α2i (= αr ) , w(r)=1

- zt=f(st,st+1,...,st+n-1) = ΣI sI KI,t , d=deg(f) Let |I|=d KI,t є Ω(gd(x)) with zeros αr , w(r)=d

Let |I|=d-1 KI,t є Ω(gd-1(x)gd(x)) with zeros αr , w(r) є {d-1,d}

...........................

Let |I|=2 KI,t є Ω(g2(x)... gd(x)) with zeros αr , w(r) є {2,3,...,d}

Conclusion

KI,t є Ω(p(x)), p(x)=g2(x)... gd(x) for all coefficient sequences with |I|≥2 (i.e., for all nonlinear terms)

Key Argument in Attack

• From the received keystream zj for j=0,1,..,D-1 compute for t=0,1,..,n-1

zt* = Σj pjzt+j (= Σj pjft+j(s0,s1,...,sn-1))

= Σj pj ΣI sIKI,t+j

= ΣI sI Σj pjKI,t+j

= Σ|I|≤1 sI Σ pjKI,t+j

= Affine in s0,s1,...,sn-1

gives a linear n x n system of equations for

finding the (initial state) s0,s1,...,sn-1

The New Attack• zt = f(st,st+1,...,st+n-1) = ft(s0,s1,...,sn-1) = ΣI sI KI,t

Precomputation - Complexity O(D(log2 D)3)• Compute p(x)=Πd≥wt(l)≥2(x+αl) of degree D–n that generates all coefficient sequences KI,t for |I|≥2 (and hopefully not KI,t for |I|=1)• Compute ft

*(s0,s1,...,sn-1) = Σj pj ft+j(s0,s1,...,sn-1) (= zt* = Σj pjzt+j )

for t=0,1,...,n-1• (Need only linear part of ft+j and only f0* since f1*,f2*,..,fn-1* easily

found from f0*. If f0*=0 need to modify attack)

Attack – Complexity O(D)• From the received keystream zt for i=0,1,..,D-1 compute zt

* = Σj pjzt+j ( = ΣI sI Σ pjKI,t+j = ft*= Affine in s0,s1,...,sn-1)

gives a linear n x n system of equations for finding the bits in initial state (secret key) s0,s1,...,sn-1

The Attack - ExamplePrecomputation ( f0*=f11+f8+f7+f5+f3+f2+f1+f0 )

f0*

f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14

s0 0 0 1 0 0 1 1 1 1 0 1 0 0 0 1 s1 1 0 1 1 1 1 0 1 0 0 0 1 0 0 1 s2 0 0 0 1 1 1 1 0 1 0 0 0 1 0 0 s3 1 1 0 0 1 1 1 1 0 1 0 0 0 1 0

Attack – Keystream 100010010011110Equation system (zt*=zt+11+zt+8+zt+7+zt+5+zt+3+zt+2+zt+1+zt )

f0* = s1 + s3 = z0* = 1 f1* = s0 + s1 + s2 = z1* = 0 f2* = s1 + s2 + s3 = z2* = 0 f3* = s0 + s1 + s2 + s3 = z3* = 1

Solution (secret key) s0=1, s1=0, s2=1, s3=1

Filter Generator over GF(2m)

• LFSR of length k generating an m-sequence

(St) of period 2n – 1 over GF(2m) , n=mk

• Boolean function f(x0,x1,...,xm-1) of degree d

(f acts on single m-bits word St=(smt,smt+1,...,smt+m-1))

Keystream

zt = f(smt,smt+1,...,smt+m-1)

= ft(s0,s1,...,sn-1)

. . .

f

LFSRS

zt

Filter Generator over GF(2m)

• Let St=(smt,smt+1,..,smt+m-1)• Let (s0,s1,..,sn-1) be the n=mk bits in initial state• Define coefficient sequences zt= ΣIsIKI,t

Results

1. KI,t generated by g|I|(x) with zeros αr, |I|≤w(r)≤d

2. Linear complexity of zt is reduced (when f acts on single word). Typically reduction in linear complexity is by a factor of roughly e-d2(k-1)/2n

WG Cipher

• LFSR of length k=11 over GF(229) (n=319)• Boolean function of degree 11 acts on a single

29-bits word• Linear complexity of keystream L=245.014

• L < < D = ( )• Restrict keystream to 245 bits• Attack can reconstruct initial state with

complexity L with precomputation of complexity O(L(log2L)3) ≈ 262 but needs L bits of keystream

319 11

Linear Representation - Filter Generator

• Example st+3 =st+1 + st

• State St+1=StT1 , St = (st,st+1,st+2)

(s1,s2,s3) = (s0,s1,s2)T1 , T1= [ ]• Extended state

St = (st,st+1,st+2,stst+1,stst+2,st+1st+2,stst+1st+2)

• Then

S0 = (s0,s1,s2,s0s1,s0s2,s1s2,s0s1s2) ↓ T

S1= (s1,s2,s3,s1s2,s1s3,s2s3,s1s2s3)

= (s1,s2,s0+s1,s1s2,s1+s0s1,s0s2+s1s2,s0s1s2+s1s2)

001101010

Matrix Representation – Filter Generator

S0 = (s0,s1,s2,s0s1,s0s2,s1s2,s0s1s2)

↓ T

S1 = (s1,s2,s0+s1,s1s2,s1+s0s1,s0s2+s1s2,s0s1s2+s1s2)

T =

0 0 1 0 0 0 0 1 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 0 0 0 0 0 1

s1 s2 s3 s1s2 s1s3 s2s3 s1s2s3

s0 s1

s2 s0s1

s0s2

s1s2

s0s1s2

• St+1 = St T

T - Transforms Boolean Function

• Let I = {i0,i1,...,ir-1} and sI = si0 si1

... sir-1

• f(s0,s1,...,sn-1) = ΣI cI,fsI

• Consider f as a vector (in a natural way) such that

f = (0101101) (=cI,f ) ↔ s1+s0s1+s0s2+s0s1s2

• Then

ft+1 = T ft

• Thus the equations in filter generator are

zt = S0Ttf

represents the relation

zt= ft(s0,s1,..,sn-1)=f(st,st+1,...,st+n-1)

Tt - Coefficient Sequences• Let I, J be subsets of {0,1,...,n-1}• Let J={j0,j1,...,jr-1}• gi(x)=Π(x+αl), wt(l)=i

• st+J = st+j0st+j1

...st+jr-1= ΣI sI KI,J,t

• KI,J,t generated by g|I|(x) g|I|+1(x) ... g|J|(x)

• Lemma Let p(x)=g2(x)...gd(x)

- (Tt)I,J = KI,J,t

- p(T) = 0 except for the elements in the first n rows

Attack Described Using T

• Let p(x)=g2(x)...gd(x), gi(x)=Π(x+αl), wt(l)=i• zt = S0 Tt f• From the received keystream zj for j=0,1,..,D-1 compute

for t=0,1,..,n-1 zt

* = Σj pjzt+j (= Σj pjft+j(s0,s1,...,sn-1)) = S0 Σj pj Tt+j f = S0 Tt Σj pj Tj f = S0 Tt p(T) f = Affine in s0,s1,...,sn-1

gives a linear n x n system of equations for finding the (initial state) s0,s1,...,sn-1 since all rows except the first n rows in p(T) are 0

Finding Initial State• Let st= Tr(βαt) represent initial state of LFSR• Let gi(x) have zeros αj where wt(j)=i• Let zt = ΣiTr(Ai(βαt)i) ε Ω(g1 g2 ... gd)• Let p(x)= (g1g2...gd)/pk , pk(x) min. pol. αk , wt(j)≤d where Ak≠0 and gcd(k,2n-1)=1• Then ut = p(E)zt = Σjpjzt+j = ΣjTr(Ajβi p(αj) αti) = Tr(Akβk p(αk) αtk)• Let r =Akβkp(αk) and we can find r• Gong (1990) give explicite formulaes for Ak

• Since Ak≠0 if gcd(k,2n-1)=1 we find β i.e initial state (alternatively if gcd(k,2n-1)>1 we do it once more to find

k’ and hopefully gcd(k-k’,2n-1)>1’

Finding r from ut=Tr(rγt)

• Let xi=r2i and αi=γ2i

• ut = Tr(rγt ) = rγt + (rγt)2 + ··· + (rγt )2n-1

= α0t x0 + α1

t x1 + ··· + αn-1t xn-1

• Then x0 + x1 + ··· + xn-1 = u0

α0 x0 + α1x1 + ··· + αn-1xn-1 = u1

···············

α0n-1x0 + α1

n-1x1 + ··· + αn-1n-1xn-1 = un-1

• Then r =x0 can be determined from u0,u1,..,un-1 since coefficient matrix is a Van der Monde matrix

Simple underlying idea

• Let

zt= A1α1t + A2α2

t +...+ ADαDt

• Let p(x) have roots αi • Compute p(E)zt = Σ pjzt+j

• Then

ut = p(E)zt = ΣAip(αi) αit

• Select p(E) with ”almost” all roots of the keystream

Nonlinear Combining LFSRs

• Using several LFSRs

. . .

f

...

LFSR 1

ztLFSR 2

LFSR n

ut1

ut2

utn

f(x1,x2,...,xn) = Σ ai1i2..in xi1

xi2...xin

Nonlinear Combining LFSRs • Using several LFSR’s and f(x1,x2,…,xr)

• LFSRi degree ni and period 2ni-1, (ni,nj)=1 for all i≠j

• Linear complexity of keystream is f(n1,n2,…,nr)

• Can calculate zeros of zt= A1α1t + A2α2

t +...+ Arαrt

Observations

• If f has linear term xi we find intial state of LFSRi

• We can use linear combinations over GF(2n)

For example f=x1x2 gives an irreducible min. pol. of zt. Then using a combination for a divisor of degree n2 over the extension field GF(2n1) works.

Conclusions

• New attack on the filter generator of complexity O(D)

• If zt є Ω(h(x)) for all keystreams for some h(x) of degree L (< D) then initial state can be recovered in complexity O(L) with a precomputation O(L(log2L)3)

• Linear representation related to coefficient sequences• Generalized to filter generator over GF(2m)• Can be generalized LSM not neccesarily LFSR• Can be generalized to nonlinear combiner generator• Can reduce number of known bits needed by finding

a sequence bt such that ztbt=ut has certain properties