Download presentation

Presentation is loading. Please wait.

Published byTaylor Maden Modified over 2 years ago

1
State space convergence in the A5/1 keystream generator Ali Al Hamdan and Harry Bartlett Information Security Institute / Faculty of Science and Technology, Queensland University of Technology

2
Background A5/1 Keystream generator provides keystream for packet encryption in GSM mobile phone systems uses 3 linear feedback shift registers (LFSRs) with a majority clocking arrangement [the only non-linear element in this generator] after loading key and IV, registers are clocked 100 times before being used to generate keystream non-linear clocking arrangement leads to shrinkage of available internal state space

3
Background (2) Diagram of shift registers and clocking:

4
Previous work Golic (1997, 2000): 3/8 of possible states become unattainable after one clock step [drop from 2 64 to 5*2 61 “working” states] Al Hamdan (2009): exhaustive evaluation of smaller analogue (2 15 initial states): within 10 steps, over 50% of states unreachable. Clock steps: 05102050100150 Reachable states:32768174911560112833888862785204 Proportion:1.00.530.480.390.270.190.16 Proportion not reachable: 00.470.520.610.730.810.84

5
Previous work (2) Others have obtained similar results through random sampling of full generator: −Birukov, Shamir and Wagner (2001): of 10 8 random states − ≈15% attainable after 100 clocks − up to 120 initial states lead to each −others (www.reflextor.com/trac/a51/wiki, 2010) : from 10 6 and 10 8 random starting states − similar results to BSW above − 50% of final states from 18% of initial states; other 50% from remaining 82% of initial states

6
Current work (1) extension to second clock step: another 3/64 of states unattainable (‘blocked’) comparison of patterns involved gives lower bound on proportion blocked: 3/8 + 3/64 + 3/512 +... 3/7 Blocked states at first and second steps: 1 st step: 2 nd step: [Golic]

7
Current work (2) extension to third step: further 9/512 blocked additional pattern appears: gives a new lower bound estimate 3/8 + 3/64 + 9/512 + 27/4096 +... 9/20 Blocked states at third step:

8
Current work (3) further extension to fourth and fifth steps gives still more blocked patterns after 5 steps, total proportion of blocked states is 3/8 + 3/64 + 9/512 + 57/4096 + 423/32768 ≈ 0.466 − almost identical to Al Hamdan’s results. arranging blocked states as branching tree, branch proportions suggest that extra proportion blocked at each step remains above 1% for next 10-20 steps

9
Implications of state convergence * During the 100 clock steps before producing keystream, expect usable state space to drop to about 15−20% of possible states. * This reduces search requirements for brute force search. * Since convergence is not uniform, some key-IV combinations will be more likely than others to generate collisions in keystream output. * Use of majority clocking to provide non-linearity has introduced other security issues.

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google