Correlation attacks on stream ciphers: Computing low-weight parity checks based on error-correcting codes

Penzhorn, W.T.

doi:10.1007/3-540-60865-6_51

Cited by 21 publications

(11 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that the technique of FWT was used in another context [7] to speed up other kinds of fast correlation attacks. In the next section we will see how it helps to speed up the attack [10] by a factor of 2 24 . We estimate similar correlation attacks like [6] can be speeded up by a factor of 10; undoubtedly, some other attacks can be significantly improved by our algorithm as well.…”

Section: Where W Is Defined By Eq(8)mentioning

confidence: 99%

Faster Correlation Attack on Bluetooth Keystream Generator E0

Vaudenay

2004

Advances in Cryptology – CRYPTO 2004

View full text Add to dashboard Cite

Abstract. We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be the largest for the first time. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher due to the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on fast Walsh transform to recover the closest codeword for any linear code of dimension L and length n. It requires time O(n + L · 2 L ) and memory min(n, 2 L ). This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in 2 39 time given 2 39 consecutive bits after O(2 37 ) precomputation. This is the best known attack against E0 so far. BackgroundCorrelation properties play an important role in the security of nonlinear LFSRbased combination generators in stream ciphers. As name implies, the word correlation in stream ciphers is frequently referred to as the intrinsic relation between the keystream and a subset of the LFSR subsequences. The earliest studies dated back to [21,25,27] in the 80's and the concept of correlation immunity was proposed as a security criterion. In the 90's Meier-Staffelbach [22] analyzed correlation properties of combiners with one memory bit, followed by Golić [12] focusing on correlation properties of a general combiner with m-bit memory. Recently, a series of fast correlation attacks sprang up, to name but a few [5-7, 16, 24]. Thereupon we dedicate this paper to the generalized correlation attacks against E0, a combiner with 4-bit memory used in the short-range wireless technology Bluetooth. Prior to our work, existed various attacks [1, 8, 10, 11, 13-15, 17, 26] against E0. The best key-recovery attacks are algebraic attacks [1,8], whose basic approach is to use the polynomial canceling all memory bits and involving only key bits, instead of considering the multiple polynomial to cancel the key bits in the distinguishing attack; besides, [9,13,14] discussed correlations of E0. In [14], Hermelin-Nyberg for the first time presented a rough computation method to compute the correlation (called bias for our purpose), but neither did they formalize the computation systematically, nor did they attempt to find a larger correlation. In [9,13], two larger correlations for a short sequence of up to 6 bits were exposed. However, due to the limit of the computation method, no one was certain about the existence of a larger correlation for a longer sequence, which is critical to the security of E0.

show abstract

Section: Where W Is Defined By Eq(8)mentioning

confidence: 99%

Faster Correlation Attack on Bluetooth Keystream Generator E0

Vaudenay

2004

Advances in Cryptology – CRYPTO 2004

View full text Add to dashboard Cite

show abstract

“…For d > 4 the choice of the algorithm used in the preprocessing step then highly depends on the available memory amount. Similar techniques for finding low-weight parity-check equations are presented in [14].…”

Section: The Number Of Operations Required By This Algorithm Is Then mentioning

confidence: 99%

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5

Canteaut

Trabbia

2000

Advances in Cryptology — EUROCRYPT 2000

168

160

View full text Add to dashboard Cite

Abstract. This paper describes new techniques for fast correlation attacks, based on Gallager iterative decoding algorithm using parity-check equations of weight greater than 3. These attacks can be applied to any key-stream generator based on LFSRs and it does not require that the involved feedback polynomial have a low weight. We give a theoretical analysis of all fast correlation attacks, which shows that our algorithm with parity-check equations of weight 4 or 5 is usually much more efficient than correlation attacks based on convolutional codes or on turbo codes. Simulation results confirm the validity of this comparison. In this context, we also point out the major role played by the nonlinearity of the Boolean function used in a combination generator.

show abstract

“…A necessary condition is that the feedback polynomial of the LFSR has a very low weight. This work was followed by several papers, providing improvements to the initial results of Meier and Staffelbach, see [16,4,5,17]. However, the algorithms are efficient (good performance and low complexity) only if the feedback polynomial is of low weight.…”

Section: Fig 1 a Binary Additive Stream Ciphersmentioning

confidence: 99%

Fast Correlation Attacks through Reconstruction of Linear Polynomials

Johansson

Jönsson

2000

Advances in Cryptology — CRYPTO 2000

View full text Add to dashboard Cite

Abstract. The task of a fast correlation attack is to efficiently restore the initial content of a linear feedback shift register in a stream cipher using a detected correlation with the output sequence. We show that by modeling this problem as the problem of learning a binary linear multivariate polynomial, algorithms for polynomial reconstruction with queries can be modified through some general techniques used in fast correlation attacks. The result is a new and efficient way of performing fast correlation attacks.

show abstract

Correlation attacks on stream ciphers: Computing low-weight parity checks based on error-correcting codes

Cited by 21 publications

References 8 publications

Faster Correlation Attack on Bluetooth Keystream Generator E0

Faster Correlation Attack on Bluetooth Keystream Generator E0

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5

Fast Correlation Attacks through Reconstruction of Linear Polynomials

Contact Info

Product

Resources

About