Download presentation

Presentation is loading. Please wait.

Published byTyshawn Dillon Modified over 2 years ago

1
Application of FPGA Design: Design Challenges for Implementing Realtime A5/1 Attack with Precomputation Tables Martin Novotný, Andy Rupp Ruhr University Bochum

2
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

3
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

4
A5/1 Cipher Encrypts GSM communication –GSM communication organized in frames –1 frame = 114 bits in each direction Stream cipher –produces the keystream KS being xored with the plaintext P to form ciphertext C C = P KS A5/ A5/1 C P KS

5
Architecture of A5/1 Cipher 3 linear feedback shift registers (LFSRs) LFSRs irregularly clocked yellow –the register is clocked iff its clocking bit (yellow) is equal to the majority of all 3 clocking bits at least 2 registers are clocked in each cycle

6
Algorithm of A5/1 1. Reset all 3 registers 2.(Initialization) Load 64 bits of key K + 22 bits of frame number FN into 3 registers –K and FN xored bit-by-bit to the least significant bits –registers clocked regularly 3.(Warm-up) Clock for 100 cycles and discard the output –registers clocked irregularly 4.(Execution) Clock for 228 cycles, generate bits (for each direction) –registers clocked irregularly 5.Repeat for the next frame

7
We can skip Initialization and Warm-up!!! Cryptanalysis of stream ciphers with known plaintext From the ciphertext C and known plaintext P compute keystream KS: KS = P C Keystream KS is a function of: key K:KS = f(K) internal state L: KS = g(L) (internal state = content of all registers) 1. Reset all 3 registers 2.(Initialization) Load 64 bits of key K + 22 bits of frame number FN into 3 registers 3.(Warm-up) Clock for 100 cycles and discard the output 4.(Execution) Clock for 228 cycles, generate bits (for each direction)

8
Cryptanalysis of A5/1 For (known) keystream KS find the internal state L When L found, track the A5/1 cipher back through Warm-up phase and Initialization to get the key K. 1. Reset all 3 registers 2.(Initialization) Load 64 bits of key K + 22 bits of frame number FN into 3 registers 3.(Warm-up) Clock for 100 cycles and discard the output 4.(Execution) Clock for 228 cycles, generate bits (for each direction) L

9
Cryptanalysis of A5/1 Internal state L has 64 bits we need (at least) 64 bits of keystream KS One A5/1 frame has 114 bits we can make samples KS i It is sufficient to find any L i KS 0 L0L0 KS 1 L1L1 KS 2 L2L2 KS 3 L3L3

10
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

11
Two extreme approaches Brute force attack Check all combinations of a key K online –timeT = N = 2 k –memoryM = 1 Table lookup (For a given plaintext P) All pairs key-ciphertext {K i, C i } precomputed and stored (sorted by C) Online phase: Look-up C in the table (and find K) –timeT = 1 –memoryM = N = 2 k

12
Time-Memory Trade-Off (Hellman, 1981) Compromises the above two extreme approaches Precomputation phase: For a given plaintext P: –precompute (ideally all) pairs key-ciphertext {K i, C i }; –store only some of them in the table. Online phase: –Perform some computations; –lookup the table and find the key K. timeT = N 2/3 memoryM = N 2/3

13
Precomputation (offline) phase Idea: Encryption function E is a pseudo-random function C = E K (P) Pairs {K i, C i } organized in chains – C i is used to create a key K i+1 for the next step – E is pseudo-random we perform a pseudo-random walk in the keyspace R –reduction function (DES: C has 64 bits, K has 56 bits) f –step function f(x) = R(E x (P)) E KC P plaintext P is the same C2C2 P E R K3K3 28DF P E K1K1 C1C1 SP = 1234 Start Point fff P E R EP KtKt CtCt B05B 8EC0 End Point 7A3D R K2K2

14
Precomputation (offline) phase Idea: Encryption function E is a pseudo-random function C = E K (P) Pairs {K i, C i } organized in chains – C i is used to create a key K i+1 for the next step – E is pseudo-random we perform a pseudo-random walk in the keyspace R –reduction function (DES: C has 64 bits, K has 56 bits) f –step function f(x) = R(E x (P)) E KC P plaintext P is the same P E R f P E R f P E R f K1K1 EP K2K2 K3K3 KtKt C1C1 C2C2 CtCt SP = A3D 28DFB05B 8EC0 Start Point End Point

15
1234SP 1 = k 10 f k 11 f k 12 f … f k 1t-1 f k 1t =EP 1 8EC0 1235SP 2 = k 20 f k 21 f k 22 f … f k 2t-1 f k 2t =EP 2 2A1B 1236SP 3 = k 30 f k 31 f k 32 f … f k 3t-1 f k 3t =EP 3 4D3C ……………… 9999SP m = k m0 f k m1 f k m2 f … f k mt-1 f k mt =EP m 02E3 m chains with a fixed length t generated Only pairs {SP i, EP i } stored (sorted by EP) reducing memory requirements Precomputation (offline) phase P E R f P E R f P E R f SP j = k j0 k jt = EP j kj1kj1 kj2kj2 k jt-1

16
Online phase Given C. (and P) … try to find K, such that C = E K (P) R C y1y1 f SP i ff f E K = EP i ? Lookup:

17
Online phase Given C. (and P) … try to find K, such that C = E K (P) R C y1y1 = EP i ? Lookup:

18
Online phase Given C. (and P) … try to find K, such that C = E K (P) R C y1y1 f y2y2

19
Online phase Given C. (and P) … try to find K, such that C = E K (P) R C y1y1 f y2y2 = EP i ? Lookup:

20
Online phase Given C. (and P) … try to find K, such that C = E K (P) R C y1y1 f y2y2 f y3y3

21
R C y1y1 f y2y2 f y3y3 Online phase Given C. (and P) … try to find K, such that C = E K (P) = EP i ? Lookup:

22
R C y1y1 f y2y2 f y3y3 Online phase Given C. (and P) … try to find K, such that C = E K (P) f y4y4

23
Online phase Given C. (and P) … try to find K, such that C = E K (P) R C y1y1 f y2y2 f y3y3 f y4y4 = EP i ? Lookup:

24
Online phase Given C. (and P) … try to find K, such that C = E K (P) R C y1y1 f y2y2 f y3y3 f y4y4 = EP i ? Lookup: SP i f K E f

25
Birthday paradox problem m chains of fixed length t generated R is not bijective some k ij collide. Collisions yield in chain merges or in cycles in chains Matrix stopping rule: Hellman proved that it is not worth to increase –number of chains m or –length of chain t beyond the point at which m × t 2 = N (the coverage of keyspace does not increase too much then)

26
Birthday paradox problem Matrix stopping rule: m × t 2 = N Recommendation: To use r tables, each with different reduction (re-randomization) function R Since also N = m t r, then r = t Hellman recommends m = t = r = N 1/3 SP 1 … … … … … EP 1 SP 2 … … … … … EP 2 SP 3 … … … … … EP 3 … … … SP 200 … … …... EP 200 … … … SP 1 … … … … … EP 1 SP 2 … … … … … EP 2 SP 3 … … … … … EP 3 … … … SP 200 … … …... EP 200 … … … SP 1 … … … … … EP 1 SP 2 … … … … … EP 2 SP 3 … … … … … EP 3 … … … SP 200 … … …... EP 200 … … … SP 1 … … … … … EP 1 SP 2 … … … … … EP 2 SP 3 … … … … … EP 3 … … … SP 200 … … …... EP 200 … … …

27
Hellman TMTO – Complexity Precomputation phase –Precomputation time PT = m t r = N(e.g ) –Memory M = m r = N 2/3 (e.g ) Online phase –Memory M = N 2/3 –Online time T = t r = t 2 = N 2/3 (e.g ) –Table accesses TA = T = N 2/3 (e.g )

28
Hellman TMTO – Complexity Precomputation phase –Precomputation time PT = m t r = N(e.g ) –Memory M = m r = N 2/3 (e.g ) Online phase –Memory M = N 2/3 –Online time T = t r = t 2 = N 2/3 (e.g ) –Table accesses TA = T = N 2/3 (e.g ) 34 years (1 disk access ~ 1 ms)

29
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

30
Distinguished points (DP) (Rivest, ????) Slight modification of original Hellman method Goal: To reduce the number of table accesses TA (in Hellman TA = N 2/3 ) Distinguished point is a point of a certain property (e.g. 20 most significant bits are equal to 0)

31
Distinguished Points (DP) Precomputation phase Chains are generated until the distinguished point (DP) is reached –if the chain exceeds maximum length t max, then it is discarded and the next chain is generated –the chain is also discarded if the DP has been reached, but the chain is too short t min (to have better coverage) Triples {SP j, EP j, l j } stored, sorted by EP (l j is a length of the chain) 1234SP 1 = k 10 f k 11 f … … … … … … … f k 1u = EP 1 0EC0 1235SP 2 = k 20 f k 21 f … … f k 2v = EP 2 0A1B 1236SP 3 = k 30 f k 31 f … … … … … f k 3w = EP 3 043C … … … 9999SP m = k m0 f k m1 f … … … f k mz = EP m 02E3 End Points are DP chains have different lengths

32
Distinguished Points (DP) Online phase There is 1 distinguished point per chain – the End Point End Point Distinguished Point Algorithm: –compute y i+1 = f(y i ) iteratively until the DP is reached (or the maximum length t max is exceeded) –then lookup (just once per table) (if t max is exceeded, do not lookup at all) Advantages –Table accesses TA = r = N 1/3 (c.f. TA = t r = N 2/3 in original Hellman) –Chain loops are not possible = EP i ? Lookup: SP i f K E f R C y1y1 f y2y2 f y3y3 f y4y4 043C

33
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

34
TMTO with multiple data (Biryukov & Shamir, 2000) Important for stream ciphers: To reveal an internal state L i having k bits we need only k bits of a keystream KS i Having D data samples of the ciphertext C (or the keystream KS) we have D times more chances to find the key K (or the internal state L) We calculate r/D tables only we reduce the precomputation time PT and the memory M × online time T and #table access TA remain unchanged KS 0 L0L0 KS 1 L1L1 KS 2 L2L2 KS 3 L3L3

35
TMTO with multiple data A5/1 1 frame:114 bits Internal state: 64 bits 114 – = 51 data samples from 1 frame (each sample has 64 bits) D = 51 We calculate D times less tables ( save memory, save time) KS 0 L0L0 KS 1 L1L1 KS 2 L2L2 KS 3 L3L3

36
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

37
Rainbow tables (Oechslin, 2003) Idea: to use different reduction/re-randomization function R i in each step of chain generation, hence the step functions are: f 1 f 2 f 3 … f t-1 f t Online phase: –Compute y 1 = R t (C), compare with EPs, if no match, then –Compute y 2 = f t (R t-1 (C)), compare with EPs, if no match, then –Compute y 3 = f t (f t-1 (R t-2 (C))), compare with EPs, if no match, then –… P E R1R1 f1f1 P E R2R2 f2f2 P E RtRt ftft SP j = k j0 k jt = EP j kj1kj1 kj2kj2 x jt-1

38
Rainbow tables Just one table (or only several tables) generated, – m = N 2/3 (t reduction functions used the table can be t times longer), – t = N 1/3 Advantages –chain loops impossible –point collisions lead to chain merges only if the equal points appear in the same position of the chain –online time T about ½ of the online time of original Hellman (for single data) –number of table accesses the same like for the Hellman+DP method (for single data) Disadvantages –Inferior to the Hellman+DP method in the case of multiple data (D > 1) (online time T and the number of table accesses TA are D-times greater)

39
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

40
Thin-rainbow tables The way to cope with the rainbow tables when having multiple data The sequence of S different reduction functions f i is applied k-times periodically in order to create a chain: f 1 f 2 f 3 … f S-1 f S f 1 f 2 f 3 … f S-1 f S … … … f 1 f 2 f 3 … f S-1 f S Chain length t = S × k 1 st 2 nd k th

41
Thin-rainbow tables + DP (to reduce # table accesses TA) DP criterion is checked after each f S f 1 f 2 f 3 … f S-1 f S f 1 f 2 f 3 … f S-1 f S … … … f 1 f 2 f 3 … f S-1 f S We store only chains for which k min < k < k max 1 st 2 nd k th DP ?

42
Candidates for implementation (in case of multiple data, D>1) Hellman + DP DP-criterion checked after each step-function f Thin-rainbow + DP DP-criterion checked after f S only simpler HW, better time/area product Both have the same precomputation complexity Both have comparable online time T and # table accesses TA

43
Thin-rainbow tables + DP (to reduce # table accesses TA) DP criterion is checked after each f S f 1 f 2 f 3 … f S-1 f S f 1 f 2 f 3 … f S-1 f S … … … f 1 f 2 f 3 … f S-1 f S We store only chains for which k min < k < k max 1 st 2 nd k th DP ?

44
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

45
Implementation choices Pipeline?Array of small computing elements?

46
Slice – FPGAs Basic Building Block Look-up Table Flip- flop Look-up Table Flip- flop Implements combinational logic (any logic function of 4 variables) It is RAM 16x1 (holds the truth-table)

47
LUT – configuration choices Look-up Table Flip- flop Look-up Table Flip- flop Can be configured as: LUT (function generator) RAM 16x1 SRL16 (upto 16-bit shift register)

48
Implementation choices Pipeline? All A5/1 bits should have been accessible in parallel max. 240 A5/1 units (64x FF/unit) (and no control unit, …) Array of small computing elements? LFSRs can be implemented using SRL16 (1 LUT config. as up to 16-bit shift register) max. 480 A5/1 units (8x SRL16 + 5x FF/unit) (enough FFs for control unit, …)

49
A5/1 TMTO basic element Calculates one chain Two-stroke mode: 1.core #1 generates keystream, core #2 is loaded 2.core #2 generates keystream, core #1 is loaded

50
A5/1 TMTO basic element First, the start point SP j is loaded to core #1

51
A5/1 TMTO basic element In odd steps: Core #1 generates keystream …... that is re- randomized … … and loaded to core # 2 as a new internal state … then one rainbow period f 1 f 2 f 3 … f S-1 f S is performed …

52
A5/1 TMTO basic element In even steps: Core #2 generates keystream …... that is re- randomized … … and loaded to core # 1 as a new internal state … then one rainbow period f 1 f 2 f 3 … f S-1 f S is performed …

53
A5/1 TMTO basic element After application of f S : the result is shifted out to check the DP-criterion

54
234 TMTO elements 234 chains computed in parallel in Spartan FPGA A5/1 TMTO engine – table generation (in 1 FPGA) TMTO elements share the DP-checker

55
A5/1 TMTO engine – table generation (in 1 FPGA) 1234 Loading Startpoints

56
A5/1 TMTO engine – table generation (in 1 FPGA) Loading Startpoints

57
A5/1 TMTO engine – table generation (in 1 FPGA) Loading Startpoints

58
A5/1 TMTO engine – table generation (in 1 FPGA) Loading Startpoints

59
A5/1 TMTO engine – table generation (in 1 FPGA) st Rainbow Sequence

60
A5/1 TMTO engine – table generation (in 1 FPGA) 7A3D41C3802B 1 st Rainbow Sequence

61
A5/1 TMTO engine – table generation (in 1 FPGA) 27B305A14C81 1 st Rainbow Sequence

62
A5/1 TMTO engine – table generation (in 1 FPGA) 5AB7820F44DC 1 st Rainbow Sequence

63
A5/1 TMTO engine – table generation (in 1 FPGA) 654C82A105B5 1 st Rainbow Sequence

64
A5/1 TMTO engine – table generation (in 1 FPGA) 57A2120B91D6 1 st Rainbow Sequence

65
A5/1 TMTO engine – table generation (in 1 FPGA) 12835A1BAB45 1 st Rainbow Sequence

66
A5/1 TMTO engine – table generation (in 1 FPGA) 987B420B651E 1 st Rainbow Sequence

67
A5/1 TMTO engine – table generation (in 1 FPGA) 1A568ACD02BA 1 st Rainbow Sequence

68
A5/1 TMTO engine – table generation (in 1 FPGA) 1A568ACD02BA 1 st Rainbow Sequence

69
A5/1 TMTO engine – table generation (in 1 FPGA) 1A568ACD02BA Evaluation (DP checking)

70
A5/1 TMTO engine – table generation (in 1 FPGA) 1A568ACD02BA Evaluation (DP checking)

71
A5/1 TMTO engine – table generation (in 1 FPGA) 02BA1A568ACD Evaluation (DP checking)

72
A5/1 TMTO engine – table generation (in 1 FPGA) 8ACD12371A56 Evaluation (DP checking) 02BA 1235

73
A5/1 TMTO engine – table generation (in 1 FPGA) 1A568ACD1237 Evaluation (DP checking) 02BA 1235

74
A5/1 TMTO engine – table generation (in 1 FPGA) 1A568ACD nd Rainbow Sequence … 02BA 1235

75
Data error detection Data MUST be correct Errors may appear during the data transfer via COPA bus (120 FPGAs sharing the same bus) Hamming code (72, 64) –TED (triple error detection) –detects 99.19% quadruple errors –(detects also all errors of 5, 6, 7, 9, 10, 11, … bits) If an error appears, the data are discarded Hamming encoding COPA bus

76
Outline A5/1 cipher Time-Memory Trade-off Tables –Original Hellman Approach –Distinguished points –TMTO with multiple data –Rainbow tables –Thin-rainbow tables Architecture of the A5/1 TMTO engine – table generation Implementation results

77
COPACOBANA is able to perform up to 2 36 (~69 billion) step-functions f i per second – 234 TMTO elements/FPGA – 120 FPGAs – maximum frequency f max = 156 MHz – one step-function takes 64 clock cycles 234 × 120 × /

78
Parameter choices chains computed m rainbow sequence S DP criterion d [bits] #seq. in chain k precomp. time PT [days] disk usage DU [TB] # data samples: D = 64 online time OT [s] table accesses TA success ratio SR [2 3, 2 6 ] [2 3, 2 7 ] [2 4, 2 7 ] [2 3, 2 6 ] [2 3, 2 6 ] [2 4, 2 6 ] [2 4, 2 8 ]

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google