LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14th, 2012
Outline: Linear Feedback Shift Registers (LFSR); interesting properties of LFSR; stream ciphers with LFSR and correlation attacks; A5/1 and its weaknesses; looking forward.
Linear Feedback Shift Registers (LFSR) Very basic example: a 3-bit register. [Figure: cells 1, 2, 3 with an XOR feedback tap and an output bit.]
Linear Feedback Shift Registers (LFSR)
Properties of LFSR Maximal vs. non-maximal length. Cyclic. Non-maximal governed by front two bits.
Properties of LFSR Columns are exact rotations of each other. If we look at it as a matrix, different “initializations” or start states yield a rotation of the entire matrix.
LFSR and Galois Fields
The tap positions can be reversed to get another LFSR with an identical set of states. If the original feedback set is [m, A, B, C], the reversed feedback set is [m, m-C, m-B, m-A]. This is an easy way to find another irreducible polynomial.
LFSR and Galois Fields
LFSR and Stream Ciphers An LFSR can be used as a stream cipher. Remember that stream ciphers are similar to PRNGs in that they output a single bit at a time, and data is encrypted bit by bit until the whole plaintext has been encrypted. A single LFSR used as a cipher is vulnerable due to its cyclic nature, so multiple LFSRs are combined to build the keystream generator.
LFSR and Stream Ciphers First, we define a boolean function. For example, consider the following diagram.
LFSR and Stream Ciphers
LFSR and Stream Ciphers – Correlation Attacks Since the registers are internal, an attacker cannot observe them as independent components, so the whole system must be broken at once. Idea: try to correlate one register's output to the output of the boolean function, improving on a brute-force attack. If a register is correlated, it can be broken separately (independently of the rest of the system), vastly improving the attack complexity. This is more likely than it seems: with enough registers, the linear nature of LFSRs means patterns and correlations appear (linear recurrence equations).
LFSR and Stream Ciphers – Correlation Attacks
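As an added example (not from the slides), the following Python code implements a Fibonacci LFSR in the [m, A, B, C] tap notation used above, checks the maximal-length and tap-reversal properties, and measures how strongly a nonlinear combiner's output agrees with each of its input registers, which is what a correlation attack exploits. The combiner (the Geffe function) and the tap sets [5, 3], [6, 5], [7, 6] are assumptions for illustration; the slides do not name the boolean function in their diagram.

```python
from typing import List, Tuple

def lfsr_step(taps: List[int], state: List[int]) -> Tuple[int, List[int]]:
    """One clock of a Fibonacci LFSR.

    taps are 1-based cell positions with taps[0] == m == register length;
    the feedback bit is the XOR of the tapped cells.  Returns (output, new_state).
    """
    out = state[-1]
    fb = 0
    for t in taps:
        fb ^= state[t - 1]
    return out, [fb] + state[:-1]

def keystream(taps: List[int], state: List[int], n: int) -> List[int]:
    bits = []
    for _ in range(n):
        b, state = lfsr_step(taps, state)
        bits.append(b)
    return bits

def period(taps: List[int], state: List[int]) -> int:
    """Clock until the start state recurs; maximal length means 2**m - 1."""
    s = list(state)
    count = 0
    while True:
        _, s = lfsr_step(taps, s)
        count += 1
        if s == list(state):
            return count

def reversed_taps(taps: List[int]) -> List[int]:
    """[m, A, B, C] -> [m, m-C, m-B, m-A], the reversal rule from the slides."""
    m = taps[0]
    return [m] + [m - t for t in reversed(taps[1:])]

def geffe(x1: int, x2: int, x3: int) -> int:
    # Assumed combiner: z = (x1 AND x2) XOR (NOT x1 AND x3).
    return (x1 & x2) ^ ((x1 ^ 1) & x3)

def agreement(z: List[int], x: List[int]) -> float:
    """Fraction of positions where the combiner output equals a register's output."""
    return sum(a == b for a, b in zip(z, x)) / len(z)

def correlation_profile(n: int = 20000) -> Tuple[float, float, float]:
    # Constructed registers with pairwise coprime periods 31, 63 and 127.
    r1 = keystream([5, 3], [1, 0, 0, 0, 0], n)
    r2 = keystream([6, 5], [1, 0, 0, 0, 0, 0], n)
    r3 = keystream([7, 6], [1, 0, 0, 0, 0, 0, 0], n)
    z = [geffe(a, b, c) for a, b, c in zip(r1, r2, r3)]
    return tuple(agreement(z, r) for r in (r1, r2, r3))
```

The profile comes out near (0.5, 0.75, 0.75): registers 2 and 3 each agree with the keystream three quarters of the time, so a designer evaluating a combiner should check such correlations before trusting it.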
LFSR and Stream Ciphers – A5/1
Use the following LFSRs of length 19, 21, and 22. R1 has taps 13, 16, 17, 18; R2 has taps 20, 21; R3 has taps 7, 20, 21, 22.
LFSR and Stream Ciphers – A5/1
Attacks on A5/1 – Known Plaintext
Attacks on A5/1 – Active Attacks Barkan, Biham, and Keller developed the most serious weakness: an active attack using A5/2, if the phone supports it. They also published another paper in 2006, furthering their attacks and fully breaking A5/1. A5/3, or KASUMI.
Future Algorithms like RC4/5/6 have been developed that avoid the use of LFSRs, though they have their own set of problems. LFSRs are interesting and are good for ‘random’ hardware testing, and if constructed correctly, they can be useful in some cryptographic applications. Note that A5/1’s weaknesses are less about the structure of LFSRs and more about the structure of GSM.
References
Elad Barkan, Eli Biham, Nathan Keller, Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication, 2003/2006
Patrik Ekdahl, On LFSR-based Stream Ciphers (PhD), 2003
Alex Biryukov, Adi Shamir, David Wagner, Real Time Cryptanalysis of A5/1 on a PC
_sequence_linear_feedback_shift_register_lfsr.htm
Thomas Johansson, Fredrik Jonsson, Improved Fast Correlation Attacks on Stream Ciphers via Convolutional Codes, 1999