Embed Size (px)
DESCRIPTION
This dissertation is about a key recovery attack called Random Subgraph Attackon A5/1 Stream Cipher. A5/1 is the strong version of the encryption algorithm toprotect overtheairprivacy of the cellular voice and data communication.
Citation preview
RANDOM SUBGRAPH ATTACK ON A5/1
A Dissertation submitted to the University of Hyderabad in partial fulfillment of
the degree of
MASTER OF TECHNOLOGY
in
Computer Science
by
N SHIVA KRISHNA
Department of Computers and Information Sciences
School of Mathematics and Computers & Information Sciences
University of Hyderabad
(P.O.) Central University, Gachibowli,
Hyderabad – 500 046
Andhra Pradesh
CERTIFICATE
This is to certify that the dissertation entitled “ RANDOM SUBGRAPH ATTACK
ON A5/1 ” submitted by N.SHIVA KRISHNA bearing Reg. No 09MCMT65 in partial
fulfillment of the requirements for the award of Master of Technology in Computer
Sciences is a bonafide work carried out by him under my supervision and guidance.
The dissertation has not been submitted previously in part or in full to this or
any other University or Institution for the award of any degree or diploma.
Ms Rukma Rekha
(Project Supervisor)
Department of Computer and Information Sciences
University of Hyderabad, Hyderabad500046
Head of the Department Dean
Department of Computer & Information Sciences School of Mathematics
University of Hyderabad Computer & Information Sciences
University of Hyderabad
DECLARATION
I, N.SHIVA KRISHNA, hereby declare that this Dissertation entitled
“RANDOM SUBGRAPH ATTACK ON A5/1”, submitted by me under the guidance and
supervision of Ms Rukma Rekha is a bonafide work. I also declare that it has not been
submitted previously in part or in full to this University or other University or
Institution for the award of any degree or diploma.
Name : N.SHIVA KRISHNA
Signature of the Student
R No. 09MCMT65
Acknowledgments
It is a great pleasure to acknowledge the support and encouragement received in the
successful completion of this project. It is a privilege to express my profound gratitude
and indebtedness to my supervisor Ms N. Rukma Rekha for her valuable, inspiring and
constant support throughout the progress of this project.
I am very much thankful to Mr. Y.V.Subba Rao for the continuous guidance provided
throughout the project.
I am grateful to the Head of Department (DCIS), Prof P N Girija for providing us
both the freedom and an excellent lab facility where we could test our work effectively.
I am extremely thankful to A.I Lab staff for their kind cooperation. A special thanks
to all my friends, especially my lab mates for their valuable suggestions and
encouragement.
I express my gratitude to all friends for their immense support, without which this
work would not have been possible.
N. SHIVA KRISHNA
ABSTRACT
This dissertation is about a key recovery attack called Random Subgraph Attack
on A5/1 Stream Cipher. A5/1 is the strong version of the encryption algorithm to
protect overtheair privacy of the cellular voice and data communication. A5/1 is
based on irregular clocking of three linear feedback shift registers. The key size is 64
bits. Random subgraph attack is a Timememory Tradeoff attack. We use Hellman's
Timememory Tradeoff on subgraph of special states. After a 248 parallelizable data
preparation stage the actual attacks can be carried out in real time on a single PC.
The implementation of random function, generating special states is done.
CONTENTS
1. Introduction
1.1 Cryptography
1.2 Cryptographic Techniques
1.3 Cryptanalysis
1.4 Attacks
1.5 Building Blocks
2. STREAM CIPHERS
2.1 Types of stream ciphers
2.2 Attacks on stream ciphers
3. GSM ARCHITECTURE
3.1 GSM Architecture and A5/1
3.2 Previous attacks on A5/1
4. RANDOM SUBGRAPH ATTACK
4.1 Overview of the attack
4.2 Detailed description of the attack
5. Results and Discussion
5.1 Implementation details
5.2 Analysis and Improvisation
6. Conclusion and Future Work
6.1 Conclusion
6.2 Future Work
BIBILOGRAPHY
1. INTRODUCTION
Cryptology is the science of information protection against unauthorized parties.
It can be split up into cryptography (design of cryptographic systems) and cryptanalysis
(security analysis of cryptographic systems)[14].
1.1 Cryptography:
It is the study of mathematical techniques related to aspects of information
security such as confidentiality, data integrity, entity authentication, and data origin
authentication. Cryptography is not the only means of providing information security,
but rather one set of techniques and its aim is to detect and prevent the attacks.
1.2 cryptographic techniques:
Cryptographic techniques are divided into 2 types. They are
I. Symmetrickey encryption
II. Asymmetric key encryption.
Symmetrickey encryption
The encryption scheme in which sender and receiver use the same key for
encryption and decryption. It is also called as private key, single key, conventional or
one key encryption. The 2 types of symmetrickey ciphers are block ciphers and stream
ciphers.
1) Block ciphers
A block cipher is an encryption scheme in which the plaintext bits are
transmitted into blocks of a fixed length t over an alphabet A, and encrypts one block
at a time . Examples of block cipher are IDEA,SAFER,AES,FEAL,RC5 and DES etc.
2) Stream ciphers
Stream cipher is an encryption scheme in which 1 bit is encrypted at a time. Examples
of stream ciphers are HC128, GRAIN, SALSA 20, TRIVIUM, WG, A5/1 and SCREAM
etc..
Asymmetric key encryption
The encryption scheme in which 2 keys are used , one for encryption which is
publicly known and the another for decryption which is private and secure. Examples
of public key cipher are RSA and ElGamal.
1.3 Cryptanalysis:
Cryptanalysis attempts to defeat cryptographic techniques (in general
information security services) by using the mathematical techniques. The goal of
cryptanalysis is to find some weakness or insecurity in a cryptographic scheme, thus
permitting its subversion or evasion. Cryptanalyst does the job of cryptanalysis.
Resistance against all known cryptanalytic attacks is the most important property of a
new cipher. There should be no attack faster than exhaustive key search.
1.4 Attacks
The following are the attack models in cryptography[17].
A ciphertextonly attack is one where the cryptanalyst tries to deduce the
decryption key or plaintext by only observing ciphertext. Adversary knows only
cipher text.
A knownplaintext attack is one where the adversary has a quantity of plaintext
and corresponding ciphertext.
A chosenplain text attack is one where the adversary chooses plaintext and is
then given corresponding ciphertext.
An adaptive chosenplaintext attack is a chosenplaintext attack wherein the
choice of plaintext may depend on the ciphertext received from previous
requests.
A chosenciphertext attack is one where the adversary selects the ciphertext and
is then given the corresponding plaintext . Adversary has the access to the
equipment used for decryption for some restricted amount of time.
An adaptive chosenciphertext attack is a chosenciphertext attack where the
choice of ciphertext may depend on the plaintext received from previous
requests.
1.5 Building blocks:
a) LFSR
This is the main building block of stream ciphers because of its simplicity , the
keystream it produces and speed of their hardware implementations. The only linear
function of single bit is XOR, thus it is a shift register whose input bit is driven by the
XOR of some bits of the overall shift register value. It is well known that an LFSR with
primitive feedback polynomial of degree d produces an output with period 2d− 1.
A linear feedback shift register (LFSR) of length L consists of L stages
numbered 0, 1, . . . , L − 1, each capable of storing one bit and having one input and
one output; and a clock which controls the movement of data. During each unit of
time the following operations are performed:
(i) the content of stage 0 is output and forms part of the output sequence;
(ii) the content of stage i is moved to stage i − 1 for each i, 1 ≤ i ≤ L − 1;
(iii) the new content of stage L−1 is the feedback bit sj which is calculated
by adding together modulo2 the previous contents of a fixed subset of stages 0.. L−1.
The following are advantages of LFSRs[17].
• LFSRs are wellsuited to hardware implementation;
• They can produce sequences of large period
• They can produce sequences with good statistical properties and
• Because of their structure, they can be readily analyzed using algebraic
techniques.
The main disadvantage of LFSR is its linearity which leads easy cryptanalysis. In
order to destroy linearity of LFSRs we can use combination generators , filter
generators and clockcontrolled generators.
b) NLFSR
In Non linear Feedback Shift Register the current state is a non linear
function of its previous state. The state of an (n, k)NLFSR is defined by the ordered set
of values of its state variables (X0 , X1 , . . . , Xn1 ). Since an (n, k)NLFSR is
deterministic and finite, any sequence of consecutive states eventually converges to
either a single state, or a cycle of states. The period of an (n, k)NLFSR is the length of
the longest cyclic output sequence it produces. The period of an (n, k)NLFSR can be
less than or equal to 2n .
A number of different implementations of NLFSR based stream ciphers for
RFID and smartcards applications have been proposed, including Achterbahn , Grain,
KeeLoq, Trivium and VEST . NLFSRs have been shown to be more resistant to
cryptanalytic attacks than LFSRs. However, construction of large NLFSRs with
guaranteed long periods remains an open problem. A systematic algorithm for NLFSR
synthesis has not been discovered so far.
c) Non linear filter generator
Although LFSR sequences have many desirable properties, using the LFSR
output sequence directly as keystream is not advisable due to the linearity of LFSR
sequences. To make use of the desirable properties of the LFSR in a keystream
generator for a stream cipher, it is necessary to introduce nonlinearity. A simple
method is to use the contents of several stages of the LFSR as inputs to a nonlinear
Boolean function, and use the output of the function as the keystream. The nonlinear
Boolean function is referred to as a filter function, and keystream generators based on
a single LFSR and a nonlinear combining functions are known as nonlinear filter
generators
d) S Boxes
An SBox (Substitutionbox) is a basic component of symmetrickey
encryption which performs substitution. In block ciphers they are typically used to
obscure the relationship between the key and the cipher text.
e) Finite State machine
In a digital circuit , an FSM may be built using a programmable logic device,
programmable logic controller, logic gates , and flip flops or relays. More specifically, a
hardware implementation requires a register to store state variables, a block of
combinational logic which determines the state transition, and a second block of
combinational logic that determines the output of an FSM. One of the classic hardware
implementations is the Richards controller.
2. STREAM CIPHERS
In Cryptography , a stream cipher is a symmetric key cipher where plaintext bits
are combined with a pseudorandom bit stream (i.e. keystream), typically by an
exclusiveor (XOR) operation. Stream ciphers are based on OneTimePad. Stream
ciphers are an important class of symmetric key encryption algorithms.
Stream ciphers can be designed to be exceptionally fast, much faster than any block
cipher. While block ciphers operate on large blocks of data, stream ciphers typically
operate on smaller units of plaintext, usually bits. The encryption of any particular
plaintext with a block cipher will result in the same ciphertext when the same key is
used. With a stream cipher, the transformation of these smaller plaintext units will vary,
depending on when they are encountered during the encryption process. A stream
cipher generates a sequence of bits used as a key, which is called as keystream.
Encryption is accomplished by combining the keystream with the plaintext, usually
with the bitwise XOR operation.
Onetime pads
A onetime pad, sometimes called Vernam cipher uses a string of bits which are
generated completely at random. The keystream is the same length as the plaintext
message and the random string is combined using bitwise XOR with the plaintext to
produce the ciphertext. Since the entire keystream is random, even an opponent with
infinite computational resources can only guess the plaintext if he or she sees the
ciphertext. Such a cipher is said to offer perfect secrecy, and the analysis of the one
time pad is seen as one of the cornerstones of modern cryptography. While the onetime
pad saw use during wartime over diplomatic channels requiring exceptionally high
security, the fact that the secret key (which can be used only once) is as long as the
message introduces severe key management problems. While perfectly secure, the one
time pad is in general impractical. Stream ciphers were developed as an approximation
to the action of the onetime pad. While contemporary stream ciphers are unable to
provide the satisfying theoretical security of the onetime pad, they are at least
practical.
2.1 Types of stream ciphers
A stream cipher generates successive elements of the keystream based on an
internal state. This state is updated in essentially two ways: if the state changes
independently of the plaintext or ciphertext messages, the cipher is classified as a
synchronous stream cipher. By contrast, selfsynchronising stream ciphers update their
state based on previous ciphertext bits.
Synchronous stream ciphers
In a synchronous stream cipher a stream of pseudorandom digits is generated
independently of the plaintext and ciphertext messages, and then combined with the
plaintext (to encrypt) or the ciphertext (to decrypt). In the most common form, binary
digits are used , and the keystream is combined with the plaintext using the Exclusive
OR operation (XOR). This is termed a binary additive stream cipher.
In a synchronous stream cipher, the sender and receiver must be exactly in step
for decryption to be successful. If digits are added or removed from the message during
transmission, synchronisation is lost. To restore synchronisation, various offsets can be
tried systematically to obtain the correct decryption. Another approach is to tag the
ciphertext with markers at regular points in the output.
If, however, a digit is corrupted in transmission, rather than added or lost, only a
single digit in the plaintext is affected and the error does not propagate to other parts
of the message. This property is useful when the transmission error rate is high;
however, it makes it less likely the error would be detected without further
mechanisms. Moreover, because of this property, synchronous stream ciphers are very
susceptible to active attacks— if an attacker can change a digit in the ciphertext, he
might be able to make predictable changes to the corresponding plaintext bit; for
example, flipping a bit in the ciphertext causes the same bit to be flipped in the
plaintext.
Selfsynchronizing stream ciphers
Another approach uses several of the previous N ciphertext digits to compute the
keystream. Such schemes are known as selfsynchronizing stream ciphers,
asynchronous stream ciphers or ciphertext autokey (CTAK). The advantage that the
receiver will automatically synchronise with the keystream generator after receiving N
ciphertext digits, making it easier to recover if digits are dropped or added to the
message stream. Singledigit errors are limited in their effect, affecting only up to N
plaintext digits. An example of a selfsynchronising stream cipher is a block cipher in
CFB mode.
2.2 Attacks on Stream Ciphers
LFSRsynthesis
The linear complexity C of any binary sequence is defined by the length of the
shortest LFSR that generates the sequence. Given at least 2C bits of a binary sequence
with linear complexity C, the BerlekampMassey algorithm [10] determines an LFSR of
length C in O(C2 ) time.
Algebraic Attacks
Any stream cipher can be expressed as a system of multivariate algebraic
equations, depending on the secret key and on the known keystream. The observed
keystream can be substituted in this system, and the system can be solved to recover
the secret key. These two steps (find equations and solve the system) are the principle
of algebraic attacks[12] . If the system corresponds to simultaneous equations in a
large number of unknowns and of a complex (nonlinear) type, then solving the system
is difficult. An overdefined nonlinear system could be linearized (where each monomial
is replaced by a new variable) and solved by Gaussian elimination. The efficiency of the
method depends on the algebraic degree of the equations.
Correlation and Linear Attacks
In correlation and linear attacks one considers an overdefined system of linear
inputoutput relations of some correlation (i.e. some noisy equations). In contrast,
algebraic attacks deal with exact equations.
Correlation Attacks: The main scenario of correlation attacks are combination
generators, assuming that the keystream bit Zt is correlated to one individual LFSR
output sequence Xt due to the combining function, hence Pr( Xt=Zt)=p=0.5.
Linear Attacks: The bitcorrelations of correlation attacks can be viewed as a special
case of linear cryptanalysis[16], which tries to take advantage of high probability
occurrences of linear relations involving keystream bits and initial state bits. In general,
the starting point is a system of linear relations in some of the initial state bits x which
hold with probabilities different from 1/2 for the observed keystream.
Differential Attacks
Differential cryptanalysis [13] is a general method of cryptanalysis that is
applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash
functions. One investigates how a difference in the input of the cipher affects the
difference in the output (requiring chosen plaintext). The difference is traced through
the network of transformations F , discovering where the cipher exhibits nonrandom
behavior. The goal is to find a suitable differential, i.e. a fixed inputdifference ∆x and a
fixed output difference ∆z such that ∆z=F(x) ⊕ F(x⊕∆x ) with high probability for a
random input x. The differential can be exploited to distinguish the output with
statistical methods (or to recover the key using more sophisticated variants). The
statistical properties of the differential mainly depend on the nonlinear part of the
cipher.
Tradeoff Attacks:
Tradeoff attacks are generic attacks, where a tradeoff in time, memory and data
can be achieved to attack the stream cipher. During the precomputation phase, which
requires P steps, the adversary explores the general structure of the stream cipher and
summarizes his findings in large tables, requiring memory of size M. During the
realtime phase, which requires T steps, the adversary is given D frames (i.e. data which
corresponds to D different keystreams produced by unknown keys and IV’s), and his
goal is to use the tables to find the key of one frame as fast as possible. In [6], Babbage
concludes that the internal state of the stream cipher should be at least twice as large
as the key. Biryukov and Shamir presented some improved TMD tradeoffs in [1].
3. GSM Architecture
3.1 GSM Architecture and A5/1
Global system for mobile communication (GSM) is a globally accepted
standard for digital cellular communication. GSM is the name of a standardization
group established in 1982 to create a common European mobile telephone standard
that would formulate specifications for a panEuropean mobile cellular radio system
operating at 900 MHz. The below figure[19] depicts the parameters of GSM security.
The cipher used for voice communication confidentiality is commonly
known as A5/1, which is used in Europe. A weaker version called the A5/2 also exists,
but it provides security against attackers capable of significantly less than 216
operations. The algorithms were intended to be kept secret, but have been reverse
engineered [3] based on information released in [9]. This paper considers attacks only
against the cipher A5/1. A5/1 is a synchronous symmetrickey stream cipher, which
relies on a 64bit secret key.
GSM uses A3 Authentication Algorithm, A8 Key Generating Algorithm for authentication and key generation respectively.
A3 Algorithm: The A3 algorithm computes a 32bit Signed Response (SRES). The Ki
and RAND are given as input into the A3 algorithm and the result is the 32bit SRES.
The A3 algorithm resides on the SIM card and at the AuC(Authentication Center).
A8 Algorithm The A8 algorithm computes a 64bit ciphering key (Kc). The Ki and the
RAND are inputted into the A8 algorithm and the result is the 64bit Kc. The A8
algorithm resides on the ISM card and at the AuC.
There are three versions of the A5 algorithm:
1) A5/1 The current standard for U.S. and European networks. A5/1 is a stream
cipher.
2) A5/2 The deliberately weakened version of A5/1 that is intended for export to non
western countries. A5/2 is also a stream cipher.
3) A5/3 A newly developed algorithm used for 3G communication. A5/3 is a block
cipher.
A5/1
A5/1 is an encryption algorithm used in the GSM cellular telephone standard for
privacy which is used by 100 million customers in Europe.It is a hardware efficient
stream cipher used for GSM conversation. A GSM conversation is sent as a sequence of
frames, each frame containing 114 bits representing the digitized A to B
communication, and 114 bits representing the digitized B to A communication, every
4.6 millisecond. A new session key is used for every conversation and a publicly known
frame counter Fn is mixed with session key Kc. Handset(Mobile Station) and Base
Station use the first and last halves alternatively to encrypt and decrypt.
Pictorial representation of encryption and decryption using A5/1 is given
below[8].
Fig 2 A5/1 encryption and decryption using A5/1 for GSM
It uses 64bit secret key and 22bit publicly known frame counter which are
loaded in parallel into 3 LFSRs of lengths 19 ,22 and 23 bits. All the 3 registers are
clocked based on a majority function which is based on clocking taps of the 3 registers
and registers whose clocking tap agrees with majority bit are clocked. The msbs of 3
LFSRs are XORed to produce 1bit key stream after every single clock. Random
subgraph attack and Birth day bias attack are the two important attacks against A5/1.
These two attacks are based on Time Memory TradeOff[1].
The pictorial representation of A5/1 keystream generator is given below[18].
Fig 3 A5/1 Key Stream Generator
But there are subtle flaws in tap structure of registers,their non invertible
clocking and frequent resets. In 2000, Alex Biryukov, Adi Shamir and David Wagner
showed that A5/1 can be cryptanalysed in real time using a timememory tradeoff
attack, based on earlier work by Javan Golic[4]. There are 2 attacks on alleged A5/1
in which small amount of data is needed to extract the key in real time. First attack is
Biased Birthday attack which require 2 minutes of data and 1 second processing time.
Second attack is Random subgraph attack which needs 2 seconds of data and several
minutes of processing time. Both require extensive preprocessing of 248 steps. These 2
attacks are based on special states which generate output bits starting with a particular
pattern of length k=16 . Use of special states reduces number of disk accesses.
Known plaintext attack can be carried out in following 3 steps[8], for the
random subgraph and biased birthday attacks the initial step is performed using a
time/memory tradeoff algorithm.
1. Determine from the set of output bit streams the internal state of A5/1 for some
cycle t > 100.
2. Reverse A5/1 to determine a set of possible initial states.
3. Reverse the mixing of the frame counter to determine a state of A5/1 with only the
session key mixed in.
The state obtained in the last step can be used to generate a bit stream for any
desired frame counter and therefore is sufficient to perform decryption and encryption
for the session key.
3.2 Previous attacks on A5/1
Anderson and Roe[2] proposed an attack based on guessing the 41 bits in the
shorter R1 and R2 registers, and deriving the 23 bits of the longer R3 register from the
output. However, they occasionally have to guess additional bits to determine the
majoritybased clocking sequence, and thus the total complexity of the attack is about
O(245). Assuming that a standard PC can test ten million guesses per second, this attack
needs more than a month to find one key.
Briceno[3] found out that in all the deployed versions of the A5/1 algorithm, the
10 least significant of the 64 key bits were always set to zero. The complexity of
exhaustive search is thus reduced to O(254 )
Golic[4] described an improved attack which requires O(240) steps. However,
each operation in this attack is much more complicated, since it is based on the solution
of a system of linear equations. In practice, this algorithm is not likely to be faster than
the previous attack on a PC.
Golic[4] describes a general timememory tradeoff attack on stream ciphers
(which was independently discovered by Babbage two years earlier), and concludes
that it is possible to find the A5/1 key in 224 probes into random locations in a
precomputed table with 248 128 bit entries. Since such a table requires a 64 terabyte
hard disk, the space requirement is unrealistic. Alternatively, it is possible to reduce the
space requirement to 862GB, but then the number of probes increases to O (228). Since
random access to the fastest commercially available PC disks requires about 6
milliseconds, the total probing time is almost three weeks. In addition, this tradeoff
point can only be used to attack GSM phone conversations that lasts more than 3
hours, which again makes it unrealistic.
4. RANDOM SUBGRAPH ATTACK
4.1 Overview of the attack
This attack can be carried out in the following steps.
1. Generation of random special states
2. Generation of Start points.
3. Iterate Random Function on each of the start points(SP). Store (Start Point,End Point) pairs
4. Define different variants of Random Function.
5. Actual attack. Gives 64bit internal stateof A5/1 for some t>100.(t= no of clockings
6. Reverse engineer on internal state to determine a set of possible initial states.
7. Reverse the mixing of the frame counter to determine a state of A5/1 with only the session key mixed in.
4.1.1Generating Random special states
In this step we have to generate 64bit special states from 41bit partial states.
We need to generate 224
random special states in this step.
4.1.2 Generation of Start points
In this step we have to generate 224
48bit random start points from the 41bit partial states.
4.1.3 Store (Start Point End Point) pairs
Iterate random function on 224
48bit random start points. After 212 iterations
store the 48bit output as Endpoint. Store all the (Start Point,Endpoint) pairs on Hard
Disk, sorted into increasing endpoint order.
4.1.4 Variants of Random Function
We have to find 212
different variants of random function by permuting the order
of output bits of random function.
4.1.5Actual Attack
If we are given f(K) (48bit keystream)for some unknown key K which is located
somewhere along one of the covered paths, we can recover K by repeatedly applying f
in the easy forward direction until we hit a stored end point, jump to its corresponding
start point and continue to apply f from there. The last point before we hit f(K) again is
likely to be the key K which corresponds to the given ciphertext f(K)[1].
4.1.6 Reverse engineer on Internal state
After a set of initial states S(t) for 101≤t≤327 has been obtained the attack
proceeds to determining the actual premixing phase state S(0). Each register R1, R2
and R3 has been clocked between 0 and t−1 times during the mixing. Iterate through
the 106 < 220 possible combinations and see which ones create initial states S(0) that
generate the known bit stream[8].
4.1.7 Reverse mixing of Frame counter
The final step of the attack is to compute the session key. It is sufficient to reverse
the mixing of the frame counter and compute S(22). This state of A5/1 with only kc
mixed in is sufficient to encrypt and decrypt for kc [8].
4.2 Detailed description of the attack
Random subgraph attack is a TimeMemory Tradeoff attack. This attack requires
2 seconds of GSM conversation and we can carry out the attack in 4 minutes of
execution time on a PC, after a 248
preprocessing ( stores special states on HD) stage
which explores the structure of random function f, which maps one special into
another special state. A state is called as special state it produces output sequence that
start with a particular kbit pattern alpha with k = 16. The probability of a frame
containing such a sequence is (228−64) × 216
= 164 ×2 16
. This means in practice
4.6 ms ×2 16
/164 < 2 s of GSM voice traffic. The main idea of the attack is to make
most of the special states accessible by simple computations from the subset of special
states which are actually stored on the hard disk .
4.2.1 Time Memory Tradeoff
Timememory tradeoff (TMTO) is a situation where the computation time can
be reduced at the cost of increased memory use, conversely the memory use can be
reduced at the cost of slower program execution. As the relative costs of CPU cycles,
RAM space, and hard drive space change — hard drive space has for some time been
getting cheaper at a much faster rate than other components of computers the
appropriate choices for timememory tradeoffs have changed radically. Often, by
exploiting a timememory tradeoff, a program can be made to run much faster. Usually,
a TMTO is developed to improve the speed of an algorithm by utilizing onetime work,
which results in increased storage (memory) requirements when the resulting
algorithm is executed. In TMTO the attack requires some onetime work, producing a
table of results. This table is then used in order to reduce the amount of work required
in any particular attack.
4.2.2 Precomputation phase: In Precomputation phase all the special states must
be produced. Approximately 248
(264
*2k) special states are possible for k=16. We can
generate only special states as there is possibility that clocking taps are and output taps
are unrelated for 16 clock cycles. But we have to make sure that alpha is not coincided
with shifted versions itself. Special states can be produced as follows[1].
1. Chose 19 arbitrary bits for register R1, 11 arbitrary bits each for registers R2 and
R3 for rightmost bits . Now we can make sure that clocking taps are known to us
for 16 clock cycles as each register moves with a probability of 0.75. This 41bit
state is called as partial state.
2. For each partial state, and for each transition we can easily chose unknown bits
of R2 and R3 as we have knowledge of clocking taps ,output bit of R1 and output
bit.
3. For every transition either R2 or R3 or both will be moved. When only one
register is moved ( either R1 or R2 ) one new bit is shifted and its choice is
forced. When 2 registers are moved 2 bits are shifted and there will be two
valuations for each bit. These bits are called choice bits. If the state is not yet
fully defined after 16 clock cycles then the undefined bits may be treated as
choice bits and any assignment to them is valid.
4. 41 arbitrary bits and its corresponding first 7 choice bits give us a special state.
5. Above process is repeated for every partial state.
Define a random function f : {0, 1}48 → {0, 1}48 . Let a be the special state
identified by the 48bit input(i.e. 48 bit sequence following ).α Initialize the internal
state of A5/1 to this and clock A5/1 for 64 cycles. Now y(1)...y(16) = .α Let bits
y(17)...y(64) be the result of f(a).
The recommended preprocessing stage stores 212
tables on the hard disk. Each
table is defined by iterating one of the variants fi 212
times on 224
randomly chosen 48
bit strings. Each table contains 224
(start point, end point) pairs, but implicitly covers
about 236
intermediate states. The collection of all the 212
tables requires 236
disk space,
but implicitly covers about 248
red states.
At 6 ms per probe, this requires more than a day. However, we can again use
Rivest's idea of special points: We say that a red state is bright if the first 28 bits of its
output sequence contain the 16bit alpha extended by 12 additional zero bits. During
preprocessing, we pick a random red start point, and use fi to quickly jump from one
red state to another. After approximately 212
jumps, we expect to encounter another
bright red state, at which we stop and store the pair of (start point, endpoint) in the
hard disk. During the actual attack, we find the first red state in the data, iterate each
one of the 212
variants of f over it until we encounter a bright red state, and only then
search this state among the pairs stored in the disk. We thus have to probe the disk only
once in each one of the t= 212
tables, and the total probing time is reduced to 24
seconds. The time complexity of the attack is 224
assuming table lookups are performed
in constant time. The attack can be performed on a PC in 4 minutes[1].
5. RESULTS AND DISCUSSION
5.1 Implementation Details
In this section we will discuss about the implementation details of random
function and generation of special states .
Generation of Special States:
Input to this module is 41bit partial state. Then it gives 64bit special state as
output, which guarantees to produce output bits starting with 16bit length alpha.
Output:
Initial values of 3 registers
R1=0444aa
R2=000000
R3=0007ff
No. of times R2 & R3 clocked is R2 counter= 9 R3 counter= 7.
Partial state is successful.
Special state is
R11=0444aa
R22=394000
R33=6687FF.
Below is the screen shot of the above output.
We have verified the special state whether it generates keystream that starts with
16bit alpha or not.
Output:
The 64bit special state taken is
R1=0444aa
R2=394000
R3=6687FF
First 16 bits of key stream is
1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.
Below is the screen shot of the above output.
Random Function:
Random function takes 48bit output prefix as input, expands it to 64bit internal
state and runs A5/1 Algorithm for 64 clock cycles .Then deletes first 16 bits(i.e., alpha)
from the 64bit output sequence and gives remaining 48 bits as output. The 48bit
output is used as input to the random function.
Output:
48bit input to the Random function is AA AA AA AA AA AA
The partial state is 02AAAA,000555,0002AA
Special state is 02AAAA 000555 4002AA
48bit output is: 04 04 04 04 04 04
Below is the screen shot of the output of Random function.
5.2 Analysis and Improvisation
This attack requires a significant effort during the setup, but can later be used to
perform real time attacks using a single PC . So much effort is needed in generating
special states and we need 224 probes( 212 per each of the table) to random disk
locations. At 6 ms per probe, this requires more than a day . A solution to this problem
is call a special state a bright a red state if the first 12 bits following α are all 0 s. We
can generate the table now by iterating the functions fi from the start point onwards
until a bright red state is encountered (on an average every 212 special state is also a
bright red state). A bright red state can be generated by sampling special states and
filtering out non bright red states. Now during the actual attack disk access is needed
on an average only for every 212 special states. It takes 24 seconds of time (i.e.,6ms X
212 disk probes) which makes the attack feasible. But sampling of table for bright red
states is a huge and complex process as we don't know how to sample the table of
bright red states[1]. The attack requires approximately 160 GB of disk space, and 4
minutes of execution time on a PC[8]]
6. CONCLUSION AND FUTURE WORK
6.1 Conclusion:
We have generated few special states from 41bit arbitrary partial states.
We have implemented Random function. The Random function, which maps one
special state into another special state.
6.2 Future Work:
As a future work Random Subgraph Attack can be fully implemented. By using
Random Function we can store (Start point,End point) pairs. Develop 212 different
variants of Random Function so that we can cover all the Special States. We have to
sample special states by generating bright red states which makes the attack feasible.
BIBILOGRAPHY
1 )Alex Biryukov Adi Shamir David Wagner "Real Time Cryptanalysis of A5/1 on a
PC"
2) R. Anderson, M. Roe, A5, http://jya.com/cracka5.htm, 1994.
3)M. Briceno, I. Goldberg, D. Wagner, “A pedagogical implementation of A5/1”,
3)An implementation of the GSM A/3 and A/8 algorithms:
http://www.scard.org/gsm/a3a8.txt
4)J. Golic, “Cryptanalysis of Alleged A5 Stream Cipher”, proceedings of
EUROCRYPT'97, LNCS 1233,pp.239{255, SpringerVerlag 1997.
5)M. E. Hellman, “A Cryptanalytic TimeMemory TradeOff”, IEEE Transactions on
Information Theory, Vol. IT26, N 4, pp.401{406, July 1980.
6)S. Babbage, “A Space/Time Tradeoff in Exhaustive Search Attacks on Stream
Ciphers”, European Convention on Security and Detection, IEEE Conference
publication, No. 408, May 1995.
7)Tim Guneysu, Timo Kasper, Martin Novotny, Christof Paar, Member, IEEE, and Andy
Rupp "Cryptanalysis with COPACOBANA"
8)Lauri Tarkkala "Tik110.551: Attacks against A5".
[9] Racal Research Ltd. Extracts from Technical Information GSM System Security
Study. 10.6.1988 [ referred 28.10.2000 ].
< http://jya.com/gsm061088.htm, Racal Research Ltd, 19880610 >
10) James Massey. ShiftRegister Synthesis and BCH Decoding. IEEE Transactions on
Information Theory, 15(1):122–127, 1969.
11) web sources http://en.wikipedia.org/wiki/Cryptography
12) Nicolas Courtois and Willi Meier. Algebraic Attacks on Stream Ciphers with Linear
Feedback. In Eli Biham, editor, EUROCRYPT, volume 2656 of Lecture Notes in
Computer Science, pages 345–359. Springer, 2003.
13)Eli Biham and Adi Shamir. Differential Cryptanalysis of DESlike Cryptosystems.
J. Cryptology, 4(1):3–72, 1991.
14)Analysis of Light Weight Stream Ciphers by Simon FISCHER
15)GSM http://www.gsmfordummies.com
16) Mitsuru Matsui. Linear Cryptoanalysis Method for DES Cipher.
17) Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S.
Vanstone, CRC Press, 1996.
18)Wikipedia http://en.wikipedia.org/wiki/A5/1
19)Other Web Sources
