AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology.


1 AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology

2 Outline
- Introduction
- Attacks
- Time-memory trade-off
- Guess-and-determine
- Correlation Attacks
- A brief description of A5/1
- Correlation Attack on A5/1
- The New Method
- Conclusions
- References

3 Introduction

4
- Over a billion customers world-wide own a GSM cell-phone.
- The privacy of conversation in the GSM standard is protected by A5/1 or A5/2.
- A5/2 proved to be insecure [4].
- The design of A5/1 and A5/2 was kept secret until 1999, when the exact design of A5/1 and A5/2 was reverse engineered by Briceno [7].

5 Attacks
- Guess-and-determine
- Time-memory trade-off
- Correlation Attacks

6
- The first attack on A5/1 was proposed by Golic [5].
- Biryukov, Shamir and Wagner proposed attacks that in some scenarios find the key in less than a second [6].

7 Correlation Attacks
- Ekdahl and Johansson proposed the first correlation attack on A5/1 [1].
- Requires 10,000 to 70,000 known frames.
- Success rate of 2 to 76%.

8 Correlation Attacks
- Maximov, Johansson and Babbage improved the previous attack [2].
- Requires 2,000 to 10,000 known frames.
- Success rate of 5 to 99%.

9 Correlation Attacks
- In [3], Barkan and Biham proposed “Conditional Estimators”.
- They discovered some weaknesses of R2.
- Requires 1,500 to 2,000 known frames.
- Success rate of 91%.
- They also present a new source of known keystream.

10 Advantages of Correlation Attacks
- Require no long-term storage.
- No preprocessing.
- They are immune to transmission errors [3].

11 A Brief Description of A5/1

12
- 228-bit frames.
- 64-bit key.
- 22-bit frame number.
- LFSRs of size 19, 22 and 23 bits.

13 A Brief Description of A5/1
- Irregular clocking.
- Each LFSR is clocked with a probability of 3/4.

14 Initialization Process
- Step 1:
- The LFSRs are initialized to zero.
- They are clocked regularly 64 times, and the key bits are XOR-ed into the feedback of each LFSR in parallel.
- Then the registers are clocked another 22 times, again regularly, and each bit of the frame number is XOR-ed into the feedback of each register.
- Let us call the value of the LFSRs at this moment the “initial state”.

15 Initialization Process
- Step 2:
- The LFSRs are clocked 100 times with irregular clocking.
- But this step does not produce any output.

16 Initialization Process
- Step 3:
- The LFSRs are clocked 228 times with irregular clocking.
- The output of this step is used as keystream.

17 Correlation attack on A5/1

18
- The output of R1 after $i$ regular clockings:
- $U_i^1$: key $K$, frame number $j$
- $S_i^1$: key $K$, frame number 0
- $F_i^1$: key 0, frame number $j$
- $F_i^2$, $S_i^2$, $U_i^2$, $F_i^3$, $S_i^3$ and $U_i^3$ are defined in a similar way for R2 and R3.
- $(U_0^1, U_1^1, \dots, U_{18}^1)$ describes the initial state of R1.

19 Correlation attack on A5/1
- The “bad property”: key and frame number are combined linearly to form the initial state.
- We can write:
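
The linearity behind this “bad property” can be checked directly. The following is an added example, not taken from the slides: it runs step 1 of the initialization and confirms that the state for (K, j) is the XOR of the states for (K, 0) and (0, j), and it counts the clocking patterns behind the 3/4 figure. The feedback taps, the majority clocking rule and the least-significant-bit-first loading order follow the public A5/1 description and are assumptions here, since the slides do not list them.

```python
# Register lengths are from the slides. The feedback taps, the majority
# clocking rule and LSB-first loading follow the public A5/1 description
# and are assumptions here (the slides do not list them).
SIZES = (19, 22, 23)
TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))
MASKS = tuple((1 << n) - 1 for n in SIZES)


def clock_regular(regs, in_bit=0):
    """Clock all three LFSRs once, XOR-ing in_bit into each feedback bit."""
    out = []
    for r, taps, mask in zip(regs, TAPS, MASKS):
        fb = in_bit
        for t in taps:
            fb ^= (r >> t) & 1
        out.append(((r << 1) & mask) | fb)
    return out


def initial_state(key, frame):
    """Step 1 of initialization: 64 key bits, then 22 frame-number bits."""
    regs = [0, 0, 0]
    for i in range(64):
        regs = clock_regular(regs, (key >> i) & 1)
    for i in range(22):
        regs = clock_regular(regs, (frame >> i) & 1)
    return regs


def linearity_holds(key, frame):
    """Check U = S xor F for R1, R2 and R3 (U, S, F as on slide 18)."""
    u = initial_state(key, frame)  # key K, frame number j
    s = initial_state(key, 0)      # key K, frame number 0
    f = initial_state(0, frame)    # key 0, frame number j
    return all(ui == si ^ fi for ui, si, fi in zip(u, s, f))


def clock_probability():
    """Fraction of the 8 clocking-bit patterns in which R1 is clocked."""
    clocked = 0
    for bits in range(8):
        c = [(bits >> k) & 1 for k in range(3)]
        majority = int(sum(c) >= 2)
        clocked += c[0] == majority  # R1 moves when it agrees with the majority
    return clocked / 8
```

Because F depends only on the public frame number, it can be computed for every frame, which is why the unknown in every frame reduces to the same key-dependent S.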

20 Correlation attack on A5/1
- Let us call the output $Z_1$ to $Z_{228}$.
- It holds with probability $P(cl_1, cl_2, cl_3, i+100)$.

21 Correlation attack on A5/1
- What we want is the formula below for different values of $cl_1$, $cl_2$, $cl_3$.
- With them we will recover the initial state of R1, R2 and R3.

22 Correlation attack on A5/1
- It is nonzero for an interval of size 18 to 47.

23 Correlation attack on A5/1

24

25
- A “received word”
- A guess.

26 Correlation attack on A5/1
- A configuration defines intervals for the $cl_i$s.

27 Correlation attack on A5/1
- Decoding this word is done by exhaustive search.
- For each interval, the 1000 results with the closest Hamming distance to the received word are stored.
- Results from different intervals are joined to make the final candidates.
- These candidates are then checked for validity.
- Overlapping intervals are used to reduce the number of final candidates.

28 Correlation attack on A5/1

29 The New Method

30
- The attack proposed by Ekdahl and Johansson in [1], with 65536 frames and the 8/3 configuration, has a success rate of 32%.
- This means that 32% of final candidates describe the initial state completely.
- But we observe that there are some cases in which 2 LFSRs have been guessed correctly but not the other one.
- Doing an exhaustive search over $2^{19}$ to $2^{23}$ states is practical.

31 Observation

32 Success Rate with Our Method

33 The New Method
- If we do an exhaustive search on R2 for each final candidate, we are adding a search space of $2^{22}$ states to the original attack.
- Searching this space for each candidate and validating the result takes about 12.5 seconds on our simulation machine.
- But we don’t have to examine all candidates.
- There are some candidates that have the same R1 and R3 but a different R2 (51% to 81%).

34 Additional Time

35 Conclusion

36
- Our method increases the success rate of the attack by an additional 16% in some cases.
- It adds some hours to the original attack time.
- This time could be reduced by reducing the number of final candidates.

37 References

