Cryptanalysis of GSM stream cipher A5/1
CONTENTS OVERVIEW Keystream Generation Instant Ciphertext only Attack on A5/1-Barkan ,Biham Instant Ciphertext only Attack on A5/1-Barkan ,Biham Instant Ciphertext only Attack on A5/1-Barkan ,Biham Instant Ciphertext only Attack on A5/1-Barkan ,Biham Golic -Cryptanalysis of alleged A5 Stream cipher Basic Correlation Attack : Patrik Ekdahl and Thomas Johansson ’2001 Basic Correlation Attack : Patrik Ekdahl and Thomas Johansson ’2001 Basic Correlation Attack : Patrik Ekdahl and Thomas Johansson ’2001 Comparison References
CRYPTANALYSIS OF A5/1
Submitted by:
Meenakshi Tripathi(113350005)
Guide: Prof. Saravanan Vijayakumaran
Electrical Engineering, Indian Institute of Technology Bombay
Mumbai-400076
Meenakshi Tripathi IIT Bombay
CONTENTS
Overview Of A5/1 GSM Cipher
1 LFSR (Linear Feedback Shift Register)
2 A5/1 Description
Man in the middle Attack: Barkan,Biham
Time Memory Tradeoff: Golic
Real Time cryptanalysis on PC: Biryukov, Shamir, Wagner
Correlation Attack: Ekdahl and Johansson
Comparison
References
LFSR of A5/1
The LFSR Structure used in GSM is as shown.
Figure: LFSR of A5/1
A5/1 Description
| LFSR number | Length in bits | Feedback polynomial | Clocking bit | Tapped bits |
|---|---|---|---|---|
| 1 | 19 | x^19 + x^18 + x^17 + x^14 + 1 | 8 | 13, 16, 17, 18 |
| 2 | 22 | x^22 + x^21 + 1 | 10 | 20, 21 |
| 3 | 23 | x^23 + x^22 + x^21 + x^8 + 1 | 10 | 7, 20, 21, 22 |
Steps for Key Generation
All 3 registers are zeroed.
64 cycles (regular clocking): R[0] = R[0] ⊕ Kc[i]
22 cycles (regular clocking): R[0] = R[0] ⊕ Fc[i].
100 cycles (majority rule clocking), output discarded.
228 cycles (majority rule clocking) to produce the output bit sequence.
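Added example (not part of the original slides): a Python model of the register table and the five key-generation steps above. It assumes key bytes are fed least-significant bit first and that each output bit is read after the clocking step; the sample key and frame number are constructed.

```python
# Added example: A5/1 frame keystream generation, following the register
# table and key-generation steps on the slides. Bit ordering of the key and
# "clock, then read the output bit" are assumptions of this example.

# (length, tapped bits, clocking bit) for R1, R2, R3, taken from the table
REGS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)

def step(reg, length, taps):
    """Shift one register left by one; the XOR of the tapped bits enters bit 0."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << length) - 1)) | fb

def clock_all(state):
    """Regular clocking: every register steps."""
    return [step(r, n, taps) for r, (n, taps, _) in zip(state, REGS)]

def clock_majority(state):
    """Majority rule: only registers whose clocking bit equals the majority step."""
    bits = [(r >> c) & 1 for r, (_, _, c) in zip(state, REGS)]
    maj = 1 if sum(bits) >= 2 else 0
    return [step(r, n, taps) if b == maj else r
            for r, b, (n, taps, _) in zip(state, bits, REGS)]

def load_state(kc, frame):
    """Steps 1-3: zero the registers, then mix in 64 key bits and 22 frame bits."""
    state = [0, 0, 0]
    key_bits = [(kc[i // 8] >> (i % 8)) & 1 for i in range(64)]
    frame_bits = [(frame >> i) & 1 for i in range(22)]
    for bit in key_bits + frame_bits:
        # R[0] = R[0] XOR bit, applied to all three registers after a regular clock
        state = [r ^ bit for r in clock_all(state)]
    return state

def keystream(kc, frame):
    """Steps 4-5: discard 100 majority-clocked cycles, then emit 228 bits."""
    state = load_state(kc, frame)
    for _ in range(100):
        state = clock_majority(state)
    out = []
    for _ in range(228):
        state = clock_majority(state)
        bit = 0
        for r, (n, _, _) in zip(state, REGS):
            bit ^= (r >> (n - 1)) & 1  # output = XOR of the three MSBs
        out.append(bit)
    return out

if __name__ == "__main__":
    kc = bytes.fromhex("0123456789abcdef")  # constructed sample key
    ks = keystream(kc, 0x134)               # constructed frame number
    print("first 114 bits :", "".join(map(str, ks[:114])))
    print("second 114 bits:", "".join(map(str, ks[114:])))
```

Because steps 1 to 3 use only shifts and XOR, load_state is linear over GF(2): the state loaded from Kc1 XOR Kc2 with frame f1 XOR f2 equals the XOR of the two individual states.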
Keystream Generation
Figure: LFSR of A5/1
Instant Ciphertext only Attack on A5/1
Based on a flaw in the GSM protocol: the same key is used for A5/1, A5/2 and GPRS.
A5/1 is attacked in three ways:
Man-in-the-middle attack: the attacker impersonates the network to the user and the user to the network.
Classmark attack: the classmark bit information sent by the mobile is changed by the man in the middle.
Impersonating the network for a short radio session with the mobile.
The attack has 3 main steps:
1 Known-plaintext attack on A5/2 to recover the initial key. It is algebraic in nature and works by solving an overdefined system of quadratic equations.
2 Improving the known-plaintext attack to a ciphertext-only attack, based on the fact that GSM employs ECC before encryption.
3 Active attack on A5/1: leveraging the attack on A5/2 into an active attack on A5/1.
Structure of A5/2
A5/2 is a much weaker cipher, used as the base for the man-in-the-middle attack on A5/1.
A5/2 has 4 LFSRs, R1, R2, R3 and R4, of length 19, 22, 23 and 17.
R4 controls the clocking of the other three registers with bits R4[3], R4[7] and R4[10].
Output is the XOR of the majority output of the 3 registers and the MSB of each register.
One bit of each register is forced to be 1 after initialisation.
LFSR of A5/2
The LFSR structure of A5/2 is as shown.
maj(a, b, c) = a.b + b.c + c.a
Known plaintext attack on A5/2
Total number of equations required: R1 has 18 variables and (17 ∗ 18)/2 = 153 quadratic terms, R2 has 21 + (21 ∗ 20)/2 = 231 and R3 has 22 + (22 ∗ 21)/2 = 253, in all 655 variables.
61 variables form the initial state of R1, R2 and R3.
Each frame gives 114 equations, and a few such frames can give 655 equations.
Frame numbers differ in just one bit, so the required number of equations can be formulated in terms of the initial state of one frame, say Vf.
Steps to Determine Initial State
All the 2^16 possible values of R4 are tried, and for each the system of equations is solved to get the internal state of R1, R2 and R3.
With R4 known, the number of times a register needs to be clocked to produce the output bit is known.
The 2^16 − 1 wrong states are identified by inconsistencies in Gauss elimination.
The result is verified by trial encryptions.
Optimise
Optimise by using a pre-computed system of equations for each value of R4.
For a given R4 value, store the linearly dependent (LD) rows found by Gauss elimination.
Check the data for the same dependencies and discard R4 values which don't have the same LD rows.
Cryptanalysis of alleged A5 Stream cipher-Golic
Based on solving a system of linear equations.
Guess n clock-controlling bits from each of the LFSRs (3n equations).
On average 4n/3 steps of the clocking sequence are known, hence 4n/3 equations in the register contents.
First output bit = parity of the MSBs of the 3 LFSRs, therefore 1 more equation is obtained.
Max possible n = 10, hence 30 + 40/3 + 1 = 44.33 equations are known.
Build a tree with valid options corresponding to the 3 inputs to the majority clock-control function.
5 branches per node, so on average 2.5 valid options for each path.
By exhaustive search, on average 1/2 of the values are considered to get the remaining bits.
Initial state s[0] is obtained from s[101] by guessing the number of 1's in the clocking sequence.
Check the state by generating s[101] again.
Time-memory Tradeoff -Golic
Known-plaintext case: each sequence (228 bits) gives 102 64-bit blocks.
K frames give 102·K keystream blocks.
M 64-bit initial states are stored in a table, sorted w.r.t. the output bits produced.
Precomputation time is O(M); sorting requires M log M, approx. M.
By the birthday paradox, at least one of the 102·K keystream blocks in the sample is expected to coincide with one of the output blocks in the table when 102·K·M > 2^63.32.
With the time T to find the keystream block being 102·K, TMTO is possible if T·M > 2^63.32 and T < 102·2^22.
Real Time cryptanalysis of A5/1 on PC - Biryukov, Shamir, Wagner
Disk access is time consuming, so store on disk only special states which produce output bits with a particular pattern alpha of length k = 16.
States which produce an output sequence starting with the given alpha are easily generated.
During precomputation, store (prefix, state) pairs in sorted order for a subset of chosen states.
Total number of states which generate this alpha as output prefix is 2^64 ∗ 2^−16 = 2^48.
Search the output for occurrences of output prefixes in all partially overlapping prefixes.
In a frame, bit positions 1 to 177 are taken to get a sufficiently long prefix of, say, 35 bits after alpha.
Red state: a state which produces output bits starting with alpha. R is approx. 2^48.
Green state: a state which produces output bits with alpha anywhere between bits 101 and 277. G is 177 ∗ 2^48.
Weight W(s) of a tree with a red state as root is defined as the number of green states in its belt.
Trees of Red and Green states
Figure: LFSR of A5/1
Red states are kept on the disk and collisions with their prefixes are checked for.
Green states contain alpha and can act as the initial state in that frame.
Store only heavy trees and discard the parasitic red states by comparing the sequence produced with the output beyond the occurrence of alpha, which reduces the candidate states.
Further reduction by using the exact depth of occurrence of alpha.
Basic Correlation Attack
Known Plaintext Attack- N bits known from m frames.
Independent of length of LFSRs
Depends on number of clockings before O/P generated.
Exploits bad key initialisation: key and frame counter are initialised in a linear fashion.
Breaks A5/1 in 5 few minutes with 2-5 min of plaintext.
Notation
$u^i_t = s^i_t + \bar{f}^i_t, \quad t \ge 0.$
$P\left(s^1_{76} + s^2_{76} + s^3_{76} = O^j_{(76,76,76,1)}\right) = P(\text{assumption correct}) \cdot 1 + P(\text{assumption not correct}) \cdot 1/2.$
Generalising over m frames gives one bit of information.
Steps of Attack
Calculate the probability of clocking (cl1, cl2, cl3) in the v:th position.
Consider an interval I for v, where the probability of occurrence of v is non-zero.
Enhance the estimate by generalising the value of the linear combination using m frames.
Finally estimate the linear combination of key bits with a simple hard decision.
One interval of 8 bits, e.g. (79, 80, 81, .., 86), gives 8 + 8 + 8 = 24 bits of information on key K. Consider 3 such sub-intervals to get 72 bits, more than the 64 needed.
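Added example (not from the slides or from the Ekdahl-Johansson paper): the clocking probability of the first step and the agreement probability from the Notation slide, computed in Python. It assumes the three clocking bits are independent and uniform, so each cycle either steps all three registers or leaves exactly one standing still, each case with probability 1/4; it also assumes the first keystream bit appears after v = 101 majority-rule clockings (100 discarded plus one) and uses a normal approximation for the hard decision over m frames.

```python
# Added example: probability that the registers have stepped (cl1, cl2, cl3)
# times after v majority-rule clockings, and what that means for the
# agreement probability P(s1 + s2 + s3 = O). Model assumptions are listed
# in the lead-in; none of this code is from the cited paper.
from fractions import Fraction
from math import erfc, factorial, sqrt

def clocking_prob(v, cl):
    """Closed form: multinomial count of cycle outcomes divided by 4^v."""
    still = [v - c for c in cl]   # cycles in which each register stood still
    all_move = v - sum(still)     # cycles in which all three registers stepped
    if min(still) < 0 or all_move < 0:
        return Fraction(0)
    ways = factorial(v) // (factorial(all_move) * factorial(still[0])
                            * factorial(still[1]) * factorial(still[2]))
    return Fraction(ways, 4 ** v)

def clocking_prob_enum(v, cl):
    """Same probability by stepping the distribution cycle by cycle (small v)."""
    dist = {(0, 0, 0): Fraction(1)}
    moves = ((1, 1, 1), (0, 1, 1), (1, 0, 1), (1, 1, 0))
    for _ in range(v):
        nxt = {}
        for state, p in dist.items():
            for mv in moves:
                new = tuple(a + b for a, b in zip(state, mv))
                nxt[new] = nxt.get(new, Fraction(0)) + p / 4
        dist = nxt
    return dist.get(tuple(cl), Fraction(0))

def agreement_prob(p_correct):
    """Slide formula: P(correct) * 1 + P(not correct) * 1/2."""
    return p_correct * 1 + (1 - p_correct) * Fraction(1, 2)

def hard_decision_error(p_agree, m):
    """Error rate of a majority vote over m frames (normal approximation)."""
    eps = float(p_agree) - 0.5
    return 0.5 * erfc(eps * sqrt(2 * m))

if __name__ == "__main__":
    p = clocking_prob(101, (76, 76, 76))
    q = agreement_prob(p)
    print(f"P(clocking = (76,76,76) after 101 cycles) = {float(p):.3e}")
    print(f"P(s1_76 + s2_76 + s3_76 = O)              = {float(q):.6f}")
    for m in (10**4, 10**6, 10**8):
        print(f"m = {m:>9}: hard-decision error ~ {hard_decision_error(q, m):.3f}")
```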
Comparison of Various Attacks
| Attack | Type | Precomputation | Analysis Complexity | Data Complexity | Memory Complexity |
|---|---|---|---|---|---|
| Golic [1] | TMTO | 2^35.65 | 2^27.67 | 2^28.8 | 862 GB |
| Barkan, Biham [4] | Man in the middle | Nil | 2^47 | Ciphertext only | M = 2^28.8 |
| Biryukov, Shamir [3] | TMTO | 2^48 | 2 minutes | 2^14.7 | 146 GB |
| Biham, Dunkelman [2] | TMTO | 2^38 | 2^39.91 | 2^20.8 | 32 GB |
References
[1] J. Golic. Cryptanalysis of Alleged A5 Stream Cipher.
[2] Biham and Dunkelman. Cryptanalysis of the A5/1 GSM Stream Cipher.
[3] Biryukov, Shamir, and Wagner. Real Time Cryptanalysis of A5/1 on a PC.
[4] Barkan, Biham, and Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communications.
[5] Ekdahl and Johansson. Another Attack on A5/1.
[6] Maximov, Johansson, and Babbage. An Improved Correlation Attack on A5/1.
[7] Barkan and Biham. Conditional Estimators: An Effective Attack on A5/1.
[8] Wikipedia - http://www.wikipedia.org.
Thank You