AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1
H. Nikoonia, F. Amin, A. H. Jahangir
Computer Engineering Department, Sharif University of Technology
Outline
Introduction
Attacks
  Time-memory trade-off
  Guess-and-determine
  Correlation Attacks
A brief description of A5/1
Correlation Attack on A5/1
The New Method
Conclusions
References
Introduction
Over a billion customers world-wide own a GSM cell-phone.
The privacy of conversations in the GSM standard is protected by A5/1 or A5/2.
A5/2 has been proved insecure [4].
The design of A5/1 and A5/2 was kept secret until 1999, when the exact design of both was reverse engineered by Briceno [7].
Attacks
Guess-and-determine
Time-memory trade-off
Correlation Attacks
The first attack on A5/1 was proposed by Golic [5].
Biryukov, Shamir and Wagner proposed attacks that in some scenarios find the key in less than a second [6].
Correlation Attacks
Ekdahl and Johansson proposed the first correlation attack on A5/1 [1].
Requires 10,000 to 70,000 known frames.
Success rate of 2 to 76%.
Maximov, Johansson and Babbage improved the previous attack [2].
Requires 2,000 to 10,000 known frames.
Success rate of 5 to 99%.
In [3], Barkan and Biham proposed “Conditional Estimators”.
They discovered some weaknesses of R2.
Requires 1,500 to 2,000 known frames.
Success rate of 91%.
They also present a new source of known keystream.
Advantages of Correlation Attacks
Require no long-term storage.
No preprocessing.
They are immune to transmission errors [3].
A Brief Description of A5/1
228-bit frames.
64-bit key.
22-bit frame number.
LFSRs of size 19, 22, 23 bits.
Irregular clocking.
Each LFSR is clocked with probability 3/4.
Initialization Process
Step 1: The LFSRs are initialized to zero. They are clocked regularly 64 times, and the key bits are XOR-ed into the feedback of each LFSR in parallel.
Then the registers are clocked another 22 times, again regularly, and each bit of the frame number is XOR-ed into the feedback of each register.
Let us call the value of the LFSRs at this moment the “initial state”.
Step 2: The LFSRs are clocked 100 times with irregular clocking, but this step does not produce any output.
Step 3: The LFSRs are clocked 228 times with irregular clocking. The output of this step is used as the keystream.
Correlation attack on A5/1
The output of R1 after $i$ regular clockings:
$U_i^1$: key $K$, frame number $j$
$S_i^1$: key $K$, frame number 0
$F_i^1$: key 0, frame number $j$
$F_i^2$, $S_i^2$, $U_i^2$, $F_i^3$, $S_i^3$ and $U_i^3$ are defined in a similar way for R2 and R3.
$(U_0^1, U_1^1, \ldots, U_{18}^1)$ describes the initial state of R1.
The “bad property”: key and frame number are combined linearly to form the initial state.
We can write:
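The linear combination of key and frame number can be checked numerically. The following is an added example, not code from the original slides or their authors: it implements only the regular-clocking load of Step 1 and confirms that the state for (key K, frame j) equals the XOR of the states for (K, 0) and (0, j). Register sizes come from the slides; the tap positions, the LSB-first bit order, the top-bit output and all function names are assumptions taken from the publicly known A5/1 description.

```python
# Added example: linearity of the A5/1 key/frame loading (Step 1 only).
# Register sizes come from the slides; tap positions and bit ordering are
# assumed from the publicly known A5/1 reference description.
import random

# (length in bits, feedback tap positions) for R1, R2, R3
REGS = [(19, (13, 16, 17, 18)), (22, (20, 21)), (23, (7, 20, 21, 22))]

def clock(state, length, taps, inbit=0):
    """One regular clocking: shift left, insert feedback XOR inbit at bit 0."""
    fb = inbit
    for t in taps:
        fb ^= (state >> t) & 1
    return ((state << 1) | fb) & ((1 << length) - 1)

def initial_state(key, frame):
    """Step 1: 64 regular clocks mixing key bits, then 22 mixing frame bits."""
    states = [0, 0, 0]
    bits = [(key >> i) & 1 for i in range(64)] + [(frame >> i) & 1 for i in range(22)]
    for b in bits:
        states = [clock(s, n, taps, b) for s, (n, taps) in zip(states, REGS)]
    return states

def regular_output(state, reg, i):
    """Output bit (top bit) of register `reg` after i regular clockings."""
    n, taps = REGS[reg]
    for _ in range(i):
        state = clock(state, n, taps)
    return (state >> (n - 1)) & 1

def check_linearity(key, frame, max_i=60):
    """Return True if U = S xor F holds for the states and output bits."""
    U = initial_state(key, frame)   # key K, frame number j
    S = initial_state(key, 0)       # key K, frame number 0
    F = initial_state(0, frame)     # key 0, frame number j
    if any(u != s ^ f for u, s, f in zip(U, S, F)):
        return False
    return all(
        regular_output(U[r], r, i) == regular_output(S[r], r, i) ^ regular_output(F[r], r, i)
        for r in range(3) for i in range(max_i)
    )

if __name__ == "__main__":
    rng = random.Random(1)  # constructed sample keys and frame numbers
    for _ in range(5):
        k, j = rng.getrandbits(64), rng.getrandbits(22)
        print(f"key={k:016x} frame={j:06x} linear={check_linearity(k, j)}")
```

Because the frame number is known, the F terms can be computed directly, which is why a relation on U translates into a relation on the key-only S bits across many frames.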
Let us call the output $Z_1$ to $Z_{228}$.
It holds with probability $P(cl_1, cl_2, cl_3, i+100)$.
What we want is the formula below for different values of $cl_1$, $cl_2$, $cl_3$.
We will recover the initial state of R1, R2 and R3 with them.
It is nonzero for an interval of size 18 to 47.
A “received word”.
A guess.
A configuration defines intervals for the $cl_i$s.
Decoding this word is done by exhaustive search.
For each interval, the 1000 results with the closest Hamming distance to the received word are stored.
Results from different intervals are joined to make the final candidates.
These candidates are checked for validity.
Overlapping intervals are used to reduce the number of final candidates.
The New Method
The attack proposed by Ekdahl and Johansson in [1], with 65536 frames and the 8/3 configuration, has a success rate of 32%.
This means that 32% of final candidates describe the initial state completely.
But we observe that there are cases in which two LFSRs have been guessed correctly but not the third.
Doing an exhaustive search over $2^{19}$ to $2^{23}$ states is practical.
Observation
Success Rate with Our Method
If we do an exhaustive search on R2 for each final candidate, we add a search space of $2^{22}$ states to the original attack.
Searching this space for each candidate and validating the result takes about 12.5 seconds on our simulation machine.
But we don’t have to examine all candidates.
There are some candidates that have the same R1 and R3 but different R2 (51% to 81%).
Additional Time
Conclusion
Our method increases the success rate of the attack by an additional 16% in some cases.
It adds some hours to the original attack time.
This time could be reduced by reducing the number of final candidates.
References