Attacks on the Filter Generator and the Nonlinear Combiner Generator
Tor Helleseth
Department of Informatics
University of Bergen
NORWAY
Joint work: Sondre Rønjom, Guang Gong and M. Hojsik
Outline
• Filter generator
  - m-sequences
  - Nonlinear Boolean functions
• Standard algebraic attack on the filter generator
• New attack on the binary filter generator
• Extending the attack to the filter generator over GF(2^m)
• Linear representations of the filter generator
• Generalizations of the attack to the nonlinear combiner
Symmetric Stream Cipher
[Figure: on both sides a Key seeds a Pseudorandom generator that outputs the Keystream; the sender combines Plaintext with the Keystream to get the Ciphertext, and the receiver combines the Ciphertext with the same Keystream to recover the Plaintext]
Requirements for a good keystream
- Good randomness distribution
- Long period
- High complexity
m-Sequence (Example)
(s_t): 000100110101111…
s_{t+4} = s_{t+1} + s_t
g(x) = x^4 + x + 1
Properties of m-sequences
• Period ε = 2^n - 1
• Balanced
• Run properties
• Shift-and-add property: adding a shifted copy of (s_t) to itself gives another shift of (s_t)
• Two-level autocorrelation
• s_t = Tr_n(Aα^t) = Σ_j (Aα^t)^{2^j} = A_1 α^t + A_2 α^{2t} + A_3 α^{4t} + A_4 α^{8t} (for n = 4)
Binary Filter Generator
[Figure: the LFSR stages s_t, s_{t+1}, ..., s_{t+n-1} feed the Boolean function f, whose output is the keystream bit z_t]
• LFSR of length n generating an m-sequence (s_t) of period 2^n - 1, determined by the initial state (s_0, s_1, ..., s_{n-1})
• Nonlinear Boolean function f(x_0, x_1, ..., x_{n-1}) of degree d
  f(x_0, x_1, ..., x_{n-1}) = Σ c_{a_0 a_1 ... a_{r-1}} x_{a_0} x_{a_1} ... x_{a_{r-1}} = Σ_A c_A x_A
Keystream
  z_t = f(s_t, s_{t+1}, ..., s_{t+n-1})
     = f_t(s_0, s_1, ..., s_{n-1})
Example – Filter Generator
[Figure: four-stage LFSR with cells s_t, s_{t+1}, s_{t+2}, s_{t+3} feeding f]
g(x) = x^4 + x + 1,  s_{t+4} = s_{t+1} + s_t
f(x_0, x_1, x_2, x_3) = x_0 x_1 + x_1 x_3 + x_3
z_t = s_t s_{t+1} + s_{t+1} s_{t+3} + s_{t+3}
z_0 = f(s_0, s_1, s_2, s_3) = s_0 s_1 + s_1 s_3 + s_3 (= f_0)
z_1 = f(s_1, s_2, s_3, s_4) = f(s_1, s_2, s_3, s_0 + s_1) = s_0 + s_1 + s_0 s_2 (= f_1)
z_2 = f(s_2, s_3, s_4, s_5) = f(s_2, s_3, s_0 + s_1, s_1 + s_2) = s_1 + s_2 + s_1 s_3 (= f_2)
.........................
Multivariate Equations
z_0 = s_0 s_1 + s_1 s_3 + s_3
z_1 = s_0 s_2 + s_0 + s_1
z_2 = s_1 s_3 + s_1 + s_2
z_3 = s_0 s_2 + s_1 s_2 + s_2 + s_3
z_4 = s_1 s_3 + s_2 s_3 + s_0 + s_1 + s_3
z_5 = s_0 s_2 + s_0 s_3 + s_1 s_2 + s_1 s_3 + s_0 + s_1 + s_2
...
Linearization (one new unknown per monomial: a_0 = s_0, a_1 = s_1, a_2 = s_2, a_3 = s_3, a_4 = s_0 s_1, a_5 = s_0 s_2, a_6 = s_0 s_3, a_7 = s_1 s_2, a_8 = s_1 s_3, a_9 = s_2 s_3) gives a linear system with C(4,2) + C(4,1) = 10 unknowns:
z_0 = a_4 + a_8 + a_3
z_1 = a_5 + a_0 + a_1
z_2 = a_8 + a_1 + a_2
z_3 = a_5 + a_7 + a_2 + a_3
z_4 = a_8 + a_9 + a_0 + a_1 + a_3
z_5 = a_5 + a_6 + a_7 + a_8 + a_0 + a_1 + a_2
...
Solve by Gaussian elimination
Standard Algebraic Attack
• Shift register m-sequence (s_t) of period 2^n - 1
• Boolean function f(x_0, x_1, ..., x_{n-1}) of degree d
  z_t = f(s_t, s_{t+1}, ..., s_{t+n-1}) = f_t(s_0, s_1, ..., s_{n-1})
• Nonlinear equation system of degree d in the n unknowns s_0, ..., s_{n-1}
• Reduce to a linear system in D unknowns (the monomials)
• D = C(n,d) + C(n,d-1) + ... + C(n,1)
• Need about D keystream bits
• Complexity D^ω, ω = log_2 7 ≈ 2.807
• Courtois, Canteaut: for the filter generator to be secure one needs
  - n = 128, d ≥ 16: complexity > 2^128 (ω ≈ 2)
  - n = 256, d ≥ 30: complexity > 2^256 (ω ≈ 2)
New Algebraic Attack
• Rønjom-Helleseth 2006
• Recovers the initial state of the binary filter generator in complexity
  - Pre-computation O(D (log_2 D)^3)
  - Attack O(D)
  - Needs D keystream bits
• Main idea - coefficient sequences of I = {i_0, i_1, ..., i_{r-1}}
  - Consider the (binary) coefficient K_{I,t} in f_t(s_0, s_1, ..., s_{n-1}) of the monomial s_I = s_{i_0} s_{i_1} ... s_{i_{r-1}} at time t
  - K_{I,t} obeys some nice recursions
Example - Coefficient Sequences
• Let s_{t+4} = s_{t+1} + s_t, i.e., s_4 = s_1 + s_0
• z_t = f(s_t, s_{t+1}, s_{t+2}, s_{t+3}) = s_{t+2} + s_t s_{t+1} + s_{t+1} s_{t+2} s_{t+3} + s_t s_{t+1} s_{t+2} s_{t+3}
• z_0 = f_0(s_0, s_1, s_2, s_3) = s_2 + s_0 s_1 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3
• z_1 = f_1(s_0, s_1, s_2, s_3) = s_3 + s_1 s_2 + s_0 s_2 s_3 + s_0 s_1 s_2 s_3
• z_2 = f_2(s_0, s_1, s_2, s_3) = s_0 + s_1 + s_1 s_3 + s_2 s_3 + s_0 s_1 s_3 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3
• z_3 = f_3(s_0, s_1, s_2, s_3) = s_1 + s_2 + s_0 s_2 + s_0 s_3 + s_1 s_3 + s_0 s_1 s_2 + s_0 s_2 s_3 + s_0 s_1 s_2 s_3
• z_4 = f_4(s_0, s_1, s_2, s_3) = s_1 + s_2 + s_3 + s_0 s_1 + s_0 s_2 + s_1 s_2 + s_0 s_1 s_3 + s_0 s_1 s_2 s_3
• z_5 = f_5(s_0, s_1, s_2, s_3) = s_0 + s_1 + s_2 + s_3 + s_1 s_3 + s_2 s_3 + s_0 s_1 s_2 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3
Some coefficient sequences:
  I = {0,1,2,3}: K_{I,t} = 1 1 1 1 1 1 ...
  I = {0,2,3}:   K_{I,t} = 0 1 0 1 0 0 ...
  I = {1,3}:     K_{I,t} = 0 0 1 1 0 1 ...
Coefficient Sequence
• Let I = {i_0, i_1, ..., i_{r-1}} and s_I = s_{i_0} s_{i_1} ... s_{i_{r-1}}
• The coefficient of the monomial s_I at time t is called K_{I,t}
• The coefficient sequence K_{I,t} is defined by
  z_t = f(s_t, s_{t+1}, ..., s_{t+n-1})
     = f_t(s_0, s_1, ..., s_{n-1})
     = Σ_I s_I K_{I,t}
• The main idea behind the attack is to determine the characteristic polynomial of K_{I,t}
• The main task is to compute a polynomial p(x) = Σ p_j x^j that generates K_{I,t} for |I| ≥ 2 (and hopefully not K_{I,t} for |I| = 1).
Coefficient Sequences – Example
f(s_0, s_1, s_2, s_3) = s_2 + s_0 s_1 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3 ;  s_4 = s_0 + s_1
(each row: the monomial s_I, its coefficient K_{I,t} in f_t for t = 0, ..., 14, and the name of the sequence)
monomial  f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14  sequence
s0 0 0 1 0 0 1 1 1 1 0 1 0 0 0 1 K0,t
s1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 1 K1,t
s2 1 0 0 1 1 1 1 0 1 0 0 0 1 0 0 K2,t
s3 0 1 0 0 1 1 1 1 0 1 0 0 0 1 0 K3,t
s0s1 1 0 0 0 1 0 0 1 0 1 1 0 0 0 0 K01,t
s0s2 0 0 0 1 1 0 1 1 0 1 1 0 0 0 0 K02,t
s1s2 0 1 0 0 1 0 1 1 0 0 0 0 1 0 0 K12,t
s0s3 0 0 0 1 0 0 1 0 1 1 0 0 0 0 1 K03,t
s1s3 0 0 1 1 0 1 1 0 1 1 0 0 1 0 0 K13,t
s2s3 0 0 1 0 0 1 0 1 1 0 0 0 1 0 0 K23,t
s0s1s2 0 0 0 1 0 1 0 0 1 1 0 1 1 1 0 K012,t
s0s1s3 0 0 1 0 1 0 0 1 1 0 1 1 1 0 0 K013,t
s0s2s3 0 1 0 1 0 0 1 1 0 1 1 1 0 0 0 K023,t
s1s2s3 1 0 1 0 0 1 1 0 1 1 1 0 0 0 0 K123,t
s0s1s2s3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 K0123,t
Recursion - Coefficient Sequences
(same coefficient-sequence table as on the previous slide)
Calculating g_i(x) - m = 4
Characteristic polynomial g(x) = x^4 + x + 1
• g(α) = α^4 + α + 1 = 0, α^15 = 1
• g_4(x) = Π_{wt(l)=4} (x + α^l) = x + 1
• g_3(x) = Π_{wt(l)=3} (x + α^l) = x^4 + x^3 + 1
• g_2(x) = Π_{wt(l)=2} (x + α^l) = (x^4 + x^3 + x^2 + x + 1)(x^2 + x + 1)
• g_1(x) = Π_{wt(l)=1} (x + α^l) = x^4 + x + 1
• p(x) = g_2(x) g_3(x) g_4(x) = x^11 + x^8 + x^7 + x^5 + x^3 + x^2 + x + 1 = Σ_i p_i x^i
• K_{I,t}, |I| = 4: generated by g_4(x) (and by p(x))
• K_{I,t}, |I| = 3: generated by g_3(x) g_4(x) (and by p(x))
• K_{I,t}, |I| = 2: generated by g_2(x) g_3(x) g_4(x) (and by p(x))
• K_{I,t}, |I| = 1: generated by g_1(x) g_2(x) g_3(x) g_4(x)
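The g_i(x) computation of this slide carried out in code, as an added example (not code from the slides or their authors): it builds GF(2^4) with α a root of x^4 + x + 1, multiplies out Π_{wt(l)=i}(x + α^l) for each Hamming weight i, checks that every product has coefficients in GF(2), and forms p(x) = g_2 g_3 g_4. The function names (gf_mul, alpha_pow, g_i, p_poly) are this example's own.

```python
# Added example, not from the slides: g_i(x) = prod_{wt(l)=i} (x + alpha^l) over
# GF(2^4), alpha a root of g(x) = x^4 + x + 1, and p(x) = g_2(x) g_3(x) g_4(x).
# Field elements are ints 0..15 (bit j = coefficient of alpha^j); polynomials
# with field coefficients are lists indexed by degree.
N = 4
MODULUS = 0b10011            # x^4 + x + 1
ORDER = 2 ** N - 1           # alpha^15 = 1


def gf_mul(a, b):
    """Multiply two GF(2^4) elements: carry-less product reduced mod x^4 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= MODULUS
    return r


def alpha_pow(l):
    """alpha^l as a field element (the int 2 encodes alpha itself)."""
    r = 1
    for _ in range(l % ORDER):
        r = gf_mul(r, 2)
    return r


def poly_mul(p, q):
    """Product of two polynomials with GF(2^4) coefficients."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out


def g_i(i):
    """g_i(x): product of (x + alpha^l) over all exponents l of Hamming weight i.
    The exponents of one weight are closed under doubling mod 15, so the result
    has coefficients in GF(2) although it is computed over GF(2^4)."""
    poly = [1]
    for l in range(1, 2 ** N):
        if bin(l).count("1") == i:
            poly = poly_mul(poly, [alpha_pow(l), 1])      # factor x + alpha^l
    assert all(c in (0, 1) for c in poly), "coefficients left GF(2)"
    return poly


def p_poly():
    """p(x) = g_2(x) g_3(x) g_4(x): generates every K_{I,t} with |I| >= 2."""
    p = [1]
    for i in range(2, N + 1):
        p = poly_mul(p, g_i(i))
    return p


def poly_str(poly):
    """Human-readable form, highest degree first."""
    terms = []
    for d in range(len(poly) - 1, -1, -1):
        if poly[d]:
            terms.append({0: "1", 1: "x"}.get(d, "x^%d" % d))
    return " + ".join(terms)


if __name__ == "__main__":
    for i in range(1, N + 1):
        print("g_%d(x) = %s" % (i, poly_str(g_i(i))))
    print("p(x) = %s  (degree %d = D - n)" % (poly_str(p_poly()), len(p_poly()) - 1))
```

Running it prints the four g_i(x) of the slide and p(x) = x^11 + x^8 + x^7 + x^5 + x^3 + x^2 + x + 1 of degree 11 = D - n with D = 15.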
Characteristic polynomial of K_{I,t}
• (s_t) ∈ Ω(g(x)) (denotes that (s_t) is generated by g(x))
  - Zeros of g(x): α^{2^i} (= α^r), w(r) = 1
  - z_t = f(s_t, s_{t+1}, ..., s_{t+n-1}) = Σ_I s_I K_{I,t}, d = deg(f)
  Let |I| = d:   K_{I,t} ∈ Ω(g_d(x)) with zeros α^r, w(r) = d
  Let |I| = d-1: K_{I,t} ∈ Ω(g_{d-1}(x) g_d(x)) with zeros α^r, w(r) ∈ {d-1, d}
  ...........................
  Let |I| = 2:   K_{I,t} ∈ Ω(g_2(x) ... g_d(x)) with zeros α^r, w(r) ∈ {2, 3, ..., d}
Conclusion
K_{I,t} ∈ Ω(p(x)), p(x) = g_2(x) ... g_d(x), for all coefficient sequences with |I| ≥ 2 (i.e., for all nonlinear terms)
Key Argument in Attack
• From the received keystream z_j, j = 0, 1, ..., D-1, compute for t = 0, 1, ..., n-1
  z_t* = Σ_j p_j z_{t+j} (= Σ_j p_j f_{t+j}(s_0, s_1, ..., s_{n-1}))
      = Σ_j p_j Σ_I s_I K_{I,t+j}
      = Σ_I s_I Σ_j p_j K_{I,t+j}
      = Σ_{|I|≤1} s_I Σ_j p_j K_{I,t+j}    (the inner sum vanishes for |I| ≥ 2 since p(x) generates K_{I,t})
      = affine in s_0, s_1, ..., s_{n-1}
  This gives a linear n x n system of equations for finding the initial state s_0, s_1, ..., s_{n-1}
The New Attack
• z_t = f(s_t, s_{t+1}, ..., s_{t+n-1}) = f_t(s_0, s_1, ..., s_{n-1}) = Σ_I s_I K_{I,t}
Precomputation - Complexity O(D (log_2 D)^3)
• Compute p(x) = Π_{d ≥ wt(l) ≥ 2} (x + α^l), of degree D - n, which generates all coefficient sequences K_{I,t} with |I| ≥ 2 (and hopefully not K_{I,t} for |I| = 1)
• Compute f_t*(s_0, s_1, ..., s_{n-1}) = Σ_j p_j f_{t+j}(s_0, s_1, ..., s_{n-1}) (= z_t* = Σ_j p_j z_{t+j}) for t = 0, 1, ..., n-1
• (Only the linear part of f_{t+j} is needed, and only f_0*, since f_1*, f_2*, ..., f_{n-1}* are easily found from f_0*. If f_0* = 0 the attack needs to be modified)
Attack – Complexity O(D)
• From the received keystream z_j, j = 0, 1, ..., D-1, compute z_t* = Σ_j p_j z_{t+j} (= Σ_I s_I Σ_j p_j K_{I,t+j} = f_t* = affine in s_0, s_1, ..., s_{n-1})
• This gives a linear n x n system of equations for finding the bits of the initial state (secret key) s_0, s_1, ..., s_{n-1}
The Attack - Example
Precomputation (f_0* = f_11 + f_8 + f_7 + f_5 + f_3 + f_2 + f_1 + f_0; the table lists the linear parts only)
        f0* f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14
s0      0   0  1  0  0  1  1  1  1  0  1   0   0   0   1
s1      1   0  1  1  1  1  0  1  0  0  0   1   0   0   1
s2      0   0  0  1  1  1  1  0  1  0  0   0   1   0   0
s3      1   1  0  0  1  1  1  1  0  1  0   0   0   1   0
Attack – Keystream 100010010011110
Equation system (z_t* = z_{t+11} + z_{t+8} + z_{t+7} + z_{t+5} + z_{t+3} + z_{t+2} + z_{t+1} + z_t):
f_0* = s_1 + s_3             = z_0* = 1
f_1* = s_0 + s_1 + s_2       = z_1* = 0
f_2* = s_1 + s_2 + s_3       = z_2* = 0
f_3* = s_0 + s_1 + s_2 + s_3 = z_3* = 1
Solution (secret key): s_0 = 1, s_1 = 0, s_2 = 1, s_3 = 1
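Both attacks on this toy generator, the linearization of the "Multivariate Equations" slide and the coefficient-sequence attack of this slide, as one added example (not code from the slides or their authors). It recovers the ANF of every f_t by evaluating z_t over all 16 initial states and applying a Möbius transform, reads the coefficient sequences K_{I,t} off those ANFs, checks that the slide's p(x) cancels every nonlinear term of f_t*, and solves the resulting systems over GF(2). The keystream 100010010011110 and p(x) are the slide's; function names such as ft_anf, f_star and coefficient_attack are this example's own.

```python
# Added example, not from the slides: the toy generator of the slides,
# s_{t+4} = s_{t+1} + s_t (g(x) = x^4 + x + 1) filtered by
# f(x0,x1,x2,x3) = x2 + x0 x1 + x1 x2 x3 + x0 x1 x2 x3, attacked two ways:
# (1) linearization over all D = 15 monomials, (2) the coefficient-sequence attack
# with the slides' p(x) = x^11 + x^8 + x^7 + x^5 + x^3 + x^2 + x + 1.
# Monomials are bitmasks (bit i set <=> s_i is a factor); states are 4-tuples.
N = 4
P = [1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1]                    # p_j, index = degree j
KEYSTREAM = [1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0]   # the slide's 15 keystream bits


def f(x):
    x0, x1, x2, x3 = x
    return x2 ^ (x0 & x1) ^ (x1 & x2 & x3) ^ (x0 & x1 & x2 & x3)


def keystream(state, length):
    """Run the filter generator from the initial state (s_0, s_1, s_2, s_3)."""
    s = list(state)
    while len(s) < length + N:
        s.append(s[-4] ^ s[-3])                       # s_{t+4} = s_t + s_{t+1}
    return [f(s[t:t + N]) for t in range(length)]


def anf(truth):
    """Moebius transform: truth table indexed by the state as an int (bit i = s_i)
    -> set of monomial masks with coefficient 1 (mask 0 = constant term)."""
    a = list(truth)
    for i in range(N):
        for m in range(1 << N):
            if m & (1 << i):
                a[m] ^= a[m ^ (1 << i)]
    return {m for m in range(1 << N) if a[m]}


def ft_anf(t_max):
    """ANF of f_t (z_t as a function of the initial state) for t = 0..t_max-1;
    K_{I,t} = 1 exactly when mask I is in the t-th set."""
    tables = [[0] * (1 << N) for _ in range(t_max)]
    for st in range(1 << N):
        z = keystream([(st >> i) & 1 for i in range(N)], t_max)
        for t in range(t_max):
            tables[t][st] = z[t]
    return [anf(tab) for tab in tables]


def solve_gf2(rows, nvars):
    """Gaussian elimination over GF(2) on augmented rows [a_0..a_{nvars-1} | b].
    Returns the unique solution; raises if the system is not of full rank."""
    rows = [r[:] for r in rows]
    for c in range(nvars):
        piv = next((i for i in range(c, len(rows)) if rows[i][c]), None)
        if piv is None:
            raise ValueError("system is not of full rank")
        rows[c], rows[piv] = rows[piv], rows[c]
        for i in range(len(rows)):
            if i != c and rows[i][c]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[c])]
    return [rows[c][nvars] for c in range(nvars)]


def linearization_attack(z):
    """Standard algebraic attack: one linear equation per keystream bit in the
    D = 15 monomial unknowns, solved by Gaussian elimination (cost about D^omega)."""
    fts = ft_anf(len(z))
    monos = list(range(1, 1 << N))                    # all nonconstant monomials
    rows = [[1 if m in fts[t] else 0 for m in monos] + [z[t] ^ (0 in fts[t])]
            for t in range(len(z))]
    sol = solve_gf2(rows, len(monos))
    return tuple(sol[monos.index(1 << i)] for i in range(N))


def f_star(fts, t):
    """ANF of f_t* = sum_j p_j f_{t+j}: XOR of the monomial sets (symmetric difference)."""
    out = set()
    for j, pj in enumerate(P):
        if pj:
            out ^= fts[t + j]
    return out


def coefficient_attack(z):
    """Roenjom-Helleseth attack: p(x) annihilates every K_{I,t} with |I| >= 2, so
    f_t* is affine and z_t* = sum_j p_j z_{t+j} gives an n x n linear system."""
    fts = ft_anf(len(z))                              # needs t + deg p < len(z)
    rows = []
    for t in range(N):
        fs = f_star(fts, t)
        assert all(bin(m).count("1") <= 1 for m in fs), "a nonlinear term survived p(x)"
        zstar = 0
        for j, pj in enumerate(P):
            if pj:
                zstar ^= z[t + j]
        rows.append([1 if (1 << i) in fs else 0 for i in range(N)] + [zstar ^ (0 in fs)])
    return tuple(solve_gf2(rows, N))


if __name__ == "__main__":
    print("linearization   :", linearization_attack(KEYSTREAM))
    print("coefficient seq.:", coefficient_attack(KEYSTREAM))
```

Both calls return the slide's initial state (1, 0, 1, 1). The linearization needs all 15 keystream bits to pin down D = 15 monomial unknowns, whereas the coefficient-sequence attack only solves the n = 4 equations z_0*, ..., z_3*; the assertion inside coefficient_attack is the check that p(x) really cancels every nonlinear monomial of f_t*.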
Filter Generator over GF(2^m)
• LFSR of length k generating an m-sequence (S_t) of period 2^n - 1 over GF(2^m), n = mk
• Boolean function f(x_0, x_1, ..., x_{m-1}) of degree d (f acts on a single m-bit word S_t = (s_{mt}, s_{mt+1}, ..., s_{mt+m-1}))
Keystream
  z_t = f(s_{mt}, s_{mt+1}, ..., s_{mt+m-1})
     = f_t(s_0, s_1, ..., s_{n-1})
[Figure: LFSR over GF(2^m) whose current word feeds f, which outputs z_t]
Filter Generator over GF(2^m)
• Let S_t = (s_{mt}, s_{mt+1}, ..., s_{mt+m-1})
• Let (s_0, s_1, ..., s_{n-1}) be the n = mk bits of the initial state
• Define coefficient sequences by z_t = Σ_I s_I K_{I,t}
Results
1. K_{I,t} is generated by g_{|I|}(x) with zeros α^r, |I| ≤ w(r) ≤ d
2. The linear complexity of z_t is reduced (when f acts on a single word). Typically the reduction in linear complexity is by a factor of roughly e^{-d^2 (k-1)/2n}
WG Cipher
• LFSR of length k = 11 over GF(2^29) (n = 319)
• Boolean function of degree 11 acting on a single 29-bit word
• Linear complexity of the keystream L = 2^45.014
• L << D = C(319, 11)
• Restrict the keystream to 2^45 bits
• The attack can reconstruct the initial state with complexity L, with a precomputation of complexity O(L (log_2 L)^3) ≈ 2^62, but needs L bits of keystream
Linear Representation - Filter Generator
• Example s_{t+3} = s_{t+1} + s_t
• State S_{t+1} = S_t T_1, S_t = (s_t, s_{t+1}, s_{t+2})
  (s_1, s_2, s_3) = (s_0, s_1, s_2) T_1,  T_1 =
    [ 0 0 1 ]
    [ 1 0 1 ]
    [ 0 1 0 ]
• Extended state
  S_t = (s_t, s_{t+1}, s_{t+2}, s_t s_{t+1}, s_t s_{t+2}, s_{t+1} s_{t+2}, s_t s_{t+1} s_{t+2})
• Then
  S_0 = (s_0, s_1, s_2, s_0 s_1, s_0 s_2, s_1 s_2, s_0 s_1 s_2)
    ↓ T
  S_1 = (s_1, s_2, s_3, s_1 s_2, s_1 s_3, s_2 s_3, s_1 s_2 s_3)
     = (s_1, s_2, s_0 + s_1, s_1 s_2, s_1 + s_0 s_1, s_0 s_2 + s_1 s_2, s_0 s_1 s_2 + s_1 s_2)
Matrix Representation – Filter Generator
S_0 = (s_0, s_1, s_2, s_0 s_1, s_0 s_2, s_1 s_2, s_0 s_1 s_2)
  ↓ T
S_1 = (s_1, s_2, s_0 + s_1, s_1 s_2, s_1 + s_0 s_1, s_0 s_2 + s_1 s_2, s_0 s_1 s_2 + s_1 s_2)
T (rows indexed by the monomials of S_0, columns by those of S_1):
            s1 s2 s3 s1s2 s1s3 s2s3 s1s2s3
  s0        0  0  1  0    0    0    0
  s1        1  0  1  0    1    0    0
  s2        0  1  0  0    0    0    0
  s0s1      0  0  0  0    1    0    0
  s0s2      0  0  0  0    0    1    0
  s1s2      0  0  0  1    0    1    1
  s0s1s2    0  0  0  0    0    0    1
• S_{t+1} = S_t T
T - Transforms Boolean Function
• Let I = {i_0, i_1, ..., i_{r-1}} and s_I = s_{i_0} s_{i_1} ... s_{i_{r-1}}
• f(s_0, s_1, ..., s_{n-1}) = Σ_I c_{I,f} s_I
• Consider f as a vector (in the natural way) such that
  f = (0101101) (= c_{I,f}) ↔ s_1 + s_0 s_1 + s_0 s_2 + s_0 s_1 s_2
• Then
  f_{t+1} = T f_t
• Thus the equation of the filter generator
  z_t = S_0 T^t f
  represents the relation
  z_t = f_t(s_0, s_1, ..., s_{n-1}) = f(s_t, s_{t+1}, ..., s_{t+n-1})
T^t - Coefficient Sequences
• Let I, J be subsets of {0, 1, ..., n-1}
• Let J = {j_0, j_1, ..., j_{r-1}}
• g_i(x) = Π (x + α^l), wt(l) = i
• s_{t+J} = s_{t+j_0} s_{t+j_1} ... s_{t+j_{r-1}} = Σ_I s_I K_{I,J,t}
• K_{I,J,t} is generated by g_{|I|}(x) g_{|I|+1}(x) ... g_{|J|}(x)
• Lemma: Let p(x) = g_2(x) ... g_d(x)
  - (T^t)_{I,J} = K_{I,J,t}
  - p(T) = 0 except for the elements in the first n rows
Attack Described Using T
• Let p(x) = g_2(x) ... g_d(x), g_i(x) = Π (x + α^l), wt(l) = i
• z_t = S_0 T^t f
• From the received keystream z_j, j = 0, 1, ..., D-1, compute for t = 0, 1, ..., n-1
  z_t* = Σ_j p_j z_{t+j} (= Σ_j p_j f_{t+j}(s_0, s_1, ..., s_{n-1}))
      = S_0 Σ_j p_j T^{t+j} f
      = S_0 T^t Σ_j p_j T^j f
      = S_0 T^t p(T) f
      = affine in s_0, s_1, ..., s_{n-1}
  This gives a linear n x n system of equations for finding the initial state s_0, s_1, ..., s_{n-1}, since all rows except the first n rows of p(T) are 0
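The matrix form of the filter generator and the lemma p(T) = 0 outside the first n rows, as an added example on the 3-stage case of the slides (not code from the slides or their authors). T and f = (0101101) are the slides' values; p(x) = x^4 + x^2 + x + 1 is g_2(x) g_3(x) worked out for x^3 + x + 1 in this example (weight-3 exponent 7 gives g_3 = x + 1, weight-2 exponents {3, 5, 6} give g_2 = x^3 + x^2 + 1). Function names (extended_state, poly_of_matrix, zero_rows_of_p_T) are this example's own.

```python
# Added example, not from the slides: the 3-stage example of the slides,
# s_{t+3} = s_{t+1} + s_t, with extended state
# S_t = (s_t, s_{t+1}, s_{t+2}, s_t s_{t+1}, s_t s_{t+2}, s_{t+1} s_{t+2}, s_t s_{t+1} s_{t+2}),
# the slides' 7x7 matrix T (S_{t+1} = S_t T), the filter f = (0101101), and the
# lemma that p(T) vanishes outside its first n rows. For x^3 + x + 1:
# g_3(x) = x + 1, g_2(x) = x^3 + x^2 + 1, p(x) = g_2 g_3 = x^4 + x^2 + x + 1
# (worked out for this example; the slides state p(x) only in general).
N = 3
MONOMIALS = [(0,), (1,), (2,), (0, 1), (0, 2), (1, 2), (0, 1, 2)]
T = [[0, 0, 1, 0, 0, 0, 0],   # row s0
     [1, 0, 1, 0, 1, 0, 0],   # row s1
     [0, 1, 0, 0, 0, 0, 0],   # row s2
     [0, 0, 0, 0, 1, 0, 0],   # row s0s1
     [0, 0, 0, 0, 0, 1, 0],   # row s0s2
     [0, 0, 0, 1, 0, 1, 1],   # row s1s2
     [0, 0, 0, 0, 0, 0, 1]]   # row s0s1s2
F = [0, 1, 0, 1, 1, 0, 1]     # f = s1 + s0 s1 + s0 s2 + s0 s1 s2
P = [1, 1, 1, 0, 1]           # p(x) = x^4 + x^2 + x + 1, index = degree


def step(s):
    """One LFSR clock: (s_t, s_{t+1}, s_{t+2}) -> (s_{t+1}, s_{t+2}, s_t + s_{t+1})."""
    return s[1:] + [s[0] ^ s[1]]


def extended_state(s):
    """All 7 monomials of the current register contents, in MONOMIALS order."""
    out = []
    for mono in MONOMIALS:
        v = 1
        for i in mono:
            v &= s[i]
        out.append(v)
    return out


def dot(u, v):
    return sum(a & b for a, b in zip(u, v)) & 1


def vec_mat(v, M):
    return [dot(v, [row[j] for row in M]) for j in range(len(M[0]))]


def mat_mul(A, B):
    return [vec_mat(row, B) for row in A]


def mat_add(A, B):
    return [[a ^ b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def poly_of_matrix(p, A):
    """p(A) = sum_j p_j A^j over GF(2)."""
    result = [[0] * len(A) for _ in A]
    power = identity(len(A))
    for pj in p:
        if pj:
            result = mat_add(result, power)
        power = mat_mul(power, A)
    return result


def all_states():
    return [[(st >> i) & 1 for i in range(N)] for st in range(1 << N)]


def transition_holds():
    """S_{t+1} == S_t T for every initial state."""
    return all(vec_mat(extended_state(s), T) == extended_state(step(s)) for s in all_states())


def keystream_direct(s0, length):
    """z_t = f(s_t, s_{t+1}, s_{t+2}) obtained by clocking the register."""
    s, out = list(s0), []
    for _ in range(length):
        out.append(dot(extended_state(s), F))
        s = step(s)
    return out


def keystream_matrix(s0, length):
    """z_t = S_0 T^t f, the linear representation of the same keystream."""
    out, S = [], extended_state(list(s0))
    for _ in range(length):
        out.append(dot(S, F))
        S = vec_mat(S, T)
    return out


def zero_rows_of_p_T():
    """Indices of the all-zero rows of p(T); the lemma predicts exactly rows n..6."""
    return [i for i, row in enumerate(poly_of_matrix(P, T)) if not any(row)]


if __name__ == "__main__":
    print("S_{t+1} = S_t T holds:", transition_holds())
    print("direct :", keystream_direct([1, 0, 0], 7))
    print("matrix :", keystream_matrix([1, 0, 0], 7))
    print("zero rows of p(T):", zero_rows_of_p_T())
```

zero_rows_of_p_T() returns [3, 4, 5, 6], the rows indexed by the degree-2 and degree-3 monomials, which is why S_0 T^t p(T) f depends only on s_0, s_1, s_2.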
Finding Initial State
• Let s_t = Tr(βα^t) represent the initial state of the LFSR
• Let g_i(x) have zeros α^j where wt(j) = i
• Let z_t = Σ_i Tr(A_i (βα^t)^i) ∈ Ω(g_1 g_2 ... g_d)
• Let p(x) = (g_1 g_2 ... g_d) / p_k, where p_k(x) is the minimal polynomial of α^k, wt(k) ≤ d, A_k ≠ 0 and gcd(k, 2^n - 1) = 1
• Then u_t = p(E) z_t = Σ_j p_j z_{t+j} = Σ_i Tr(A_i β^i p(α^i) α^{ti}) = Tr(A_k β^k p(α^k) α^{tk})
• Let r = A_k β^k p(α^k); we can find r
• Gong (1990) gives explicit formulae for A_k
• Since A_k ≠ 0, if gcd(k, 2^n - 1) = 1 we find β, i.e. the initial state (alternatively, if gcd(k, 2^n - 1) > 1 we do it once more to find k' and hopefully gcd(k - k', 2^n - 1) > 1)
Finding r from u_t = Tr(rγ^t)
• Let x_i = r^{2^i} and α_i = γ^{2^i}
• u_t = Tr(rγ^t) = rγ^t + (rγ^t)^2 + ··· + (rγ^t)^{2^{n-1}}
      = α_0^t x_0 + α_1^t x_1 + ··· + α_{n-1}^t x_{n-1}
• Then
  x_0 + x_1 + ··· + x_{n-1} = u_0
  α_0 x_0 + α_1 x_1 + ··· + α_{n-1} x_{n-1} = u_1
  ···············
  α_0^{n-1} x_0 + α_1^{n-1} x_1 + ··· + α_{n-1}^{n-1} x_{n-1} = u_{n-1}
• Then r = x_0 can be determined from u_0, u_1, ..., u_{n-1}, since the coefficient matrix is a Vandermonde matrix
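Recovering r from u_t = Tr(rγ^t) through the Vandermonde system above, as an added example over GF(2^4) (not code from the slides or their authors). It takes γ = α with α a root of x^4 + x + 1, constructs r = α^5 as the unknown, solves for x_0, ..., x_3 by Gaussian elimination over the field and returns r = x_0. The same trace map is used to check the representation s_t = Tr(Aα^t) of the m-sequence slide against the recursion s_{t+4} = s_{t+1} + s_t. Names such as gf_inv, solve_gf16 and recover_r are this example's own.

```python
# Added example, not from the slides: recover r from u_t = Tr(r gamma^t), t = 0..n-1,
# by solving the Vandermonde system of the slides over GF(2^4), alpha a root of
# x^4 + x + 1 and gamma = alpha. Field elements are ints 0..15 (bit j = alpha^j).
N = 4
MODULUS = 0b10011
ORDER = 2 ** N - 1

# exp/log tables for alpha = 2: EXP[i] = alpha^i, LOG[alpha^i] = i
EXP, LOG = [0] * (2 * ORDER), [0] * (1 << N)
_a = 1
for _i in range(ORDER):
    EXP[_i], LOG[_a] = _a, _i
    _a <<= 1
    if _a & (1 << N):
        _a ^= MODULUS
for _i in range(ORDER, 2 * ORDER):
    EXP[_i] = EXP[_i - ORDER]


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_inv(a):
    return EXP[(ORDER - LOG[a]) % ORDER]          # a != 0


def gf_pow(a, k):
    if k == 0:
        return 1
    return 0 if a == 0 else EXP[(LOG[a] * k) % ORDER]


def trace(a):
    """Tr(a) = a + a^2 + a^4 + a^8, always 0 or 1."""
    t, c = 0, a
    for _ in range(N):
        t ^= c
        c = gf_mul(c, c)
    return t


def trace_sequence(r, gamma, length):
    """u_t = Tr(r gamma^t) for t = 0..length-1."""
    return [trace(gf_mul(r, gf_pow(gamma, t))) for t in range(length)]


def satisfies_recursion(seq):
    """Check s_{t+4} = s_{t+1} + s_t, the recursion of the slides' m-sequence."""
    return all(seq[t + 4] == seq[t + 1] ^ seq[t] for t in range(len(seq) - 4))


def solve_gf16(M, u):
    """Gauss-Jordan elimination over GF(2^4) on the augmented system [M | u]."""
    n = len(u)
    A = [row[:] + [u[i]] for i, row in enumerate(M)]
    for c in range(n):
        piv = next(i for i in range(c, n) if A[i][c])
        A[c], A[piv] = A[piv], A[c]
        inv = gf_inv(A[c][c])
        A[c] = [gf_mul(inv, v) for v in A[c]]
        for i in range(n):
            if i != c and A[i][c]:
                factor = A[i][c]
                A[i] = [vi ^ gf_mul(factor, vc) for vi, vc in zip(A[i], A[c])]
    return [A[i][n] for i in range(n)]


def recover_r(u, gamma):
    """Unknowns x_i = r^{2^i}, nodes alpha_i = gamma^{2^i}; row t of the Vandermonde
    matrix is (alpha_0^t, ..., alpha_{n-1}^t). The solution's x_0 is r."""
    nodes = [gf_pow(gamma, 1 << i) for i in range(N)]
    M = [[gf_pow(a, t) for a in nodes] for t in range(N)]
    x = solve_gf16(M, u)
    # consistency check: the remaining unknowns must be the conjugates of x_0
    assert all(x[i] == gf_pow(x[0], 1 << i) for i in range(1, N))
    return x[0]


if __name__ == "__main__":
    r, gamma = EXP[5], 2                        # constructed unknown r = alpha^5
    u = trace_sequence(r, gamma, N)
    print("u =", u, "recovered r = alpha^%d" % LOG[recover_r(u, gamma)])
```

The nodes α_i = γ^{2^i} are distinct because γ is primitive, so the Vandermonde matrix is invertible and the pivot search in solve_gf16 never fails; the conjugate check in recover_r confirms that the n solved unknowns really are r, r^2, r^4, r^8.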
Simple underlying idea
• Let z_t = A_1 α_1^t + A_2 α_2^t + ... + A_D α_D^t
• Let p(x) have roots α_i
• Compute p(E) z_t = Σ_j p_j z_{t+j}
• Then u_t = p(E) z_t = Σ_i A_i p(α_i) α_i^t
• Select p(E) with "almost" all roots of the keystream
Nonlinear Combining LFSRs
• Using several LFSRs
[Figure: LFSR 1, LFSR 2, ..., LFSR n with outputs u_t^1, u_t^2, ..., u_t^n combined by f into z_t]
  f(x_1, x_2, ..., x_n) = Σ a_{i_1 i_2 ... i_n} x_{i_1} x_{i_2} ... x_{i_n}
Nonlinear Combining LFSRs
• Using several LFSRs and f(x_1, x_2, …, x_r)
• LFSR_i of degree n_i and period 2^{n_i} - 1, (n_i, n_j) = 1 for all i ≠ j
• Linear complexity of the keystream is f(n_1, n_2, …, n_r)
• Can calculate the zeros of z_t = A_1 α_1^t + A_2 α_2^t + ... + A_r α_r^t
Observations
• If f has a linear term x_i we find the initial state of LFSR_i
• We can use linear combinations over GF(2^n)
  For example f = x_1 x_2 gives an irreducible minimal polynomial of z_t. Then using a combination for a divisor of degree n_2 over the extension field GF(2^{n_1}) works.
Conclusions
• New attack on the filter generator of complexity O(D)
• If z_t ∈ Ω(h(x)) for all keystreams, for some h(x) of degree L (< D), then the initial state can be recovered in complexity O(L) with a precomputation of O(L (log_2 L)^3)
• Linear representation related to coefficient sequences
• Generalized to the filter generator over GF(2^m)
• Can be generalized to an LSM, not necessarily an LFSR
• Can be generalized to the nonlinear combiner generator
• Can reduce the number of known bits needed by finding a sequence b_t such that z_t b_t = u_t has certain properties