CLOCK CONTROL SEQUENCE RECONSTRUCTION IN NOISY GENERATORS WITH IRREGULAR CLOCKING


Slobodan V Petrović
Institute of Applied Physics
Serrano Madrid, Spain
slobodan@ieccsices

Amparo Fúster-Sabater
Institute of Applied Physics
Serrano Madrid, Spain
amparo@ieccsices

ABSTRACT

Clock control sequence reconstruction is a key phase in the cryptanalysis of irregularly clocked Linear Feedback Shift Registers (LFSRs), which are widely used in spread-spectrum systems. The previously published reconstruction methods have been designed to work in the known plaintext attack scenario, i.e. without noise. However, the influence of noise on the effectiveness of the clock control sequence reconstruction is decisive. We present a clock control reconstruction procedure for the ciphertext only attack scenario. The reconstruction is performed by a directed depth-first like search through the edit distance matrix. The attack is effective even if the noise level is relatively high.

KEY WORDS

Telecommunications technology, Spread-spectrum, Cryptanalysis, Irregular clocking, Edit distance

1 Introduction

The pseudo-random sequence generator, which contains a Linear Feedback Shift Register (LFSR) whose clock control sequence is produced by a subgenerator of general type, is often used in spread-spectrum systems. Its output sequence has good cryptographic characteristics (long period, high linear complexity, good statistical properties, etc.). The general scheme of this type of generator is presented in the Fig. 1.

Figure 1. The general scheme of the generator

However, if a sufficiently long prefix of the output sequence of such a generator is known, it is possible to reconstruct the initial state of the LFSR by means of a generalized correlation attack. In [1] it was shown that, by making use of a special statistical model, it is possible to determine a set of candidate initial states of the LFSR, which could generate the intercepted output sequence. This model employs the edit distance with the constraint on the maximum length of the runs of deletions.

Once the set of candidate initial states is known, the attack continues by determining the clock control sequence that, together with one of the candidate initial states of the LFSR, could generate the intercepted sequence. Several approaches to the problem of clock control sequences reconstruction can be found in the literature. First, for every candidate, all the possible initial states of the subgenerator can be enumerated. In [2], the inefficiency of such a method is overcome by using a probabilistic coding theory approach for the reconstruction of the clock control sequence in the shrinking generator. In [3], the possibility of clock control sequence reconstruction by backtracking through the edit distance matrix was mentioned in the context of cryptanalysis of the alternating step generator. In [4], a MAP decoding technique is used for reconstructing both candidate initial states of the clocked LFSR(s) and the clock control sequence.

All the previous methods have been developed for the known plaintext attack scenario, i.e. without noise. However, in the process of clock control sequence reconstruction, the influence of noise on the effectiveness of the procedure is decisive. In this paper, we develop a deterministic method of reconstruction of clock control sequences, in which the influence of noise is included by relating the noise level with the permitted weight deviation used in the search process. A depth-first-like search through the constrained edit distance matrix associated with every candidate initial state is used. The paths in this matrix that correspond to candidate clock control sequences are reconstructed. By starting with the reconstruction of paths whose weight deviation from the optimum is 0 (the optimal paths - without noise) and by increasing this weight deviation according to the noise level (the suboptimal paths), we make our search a directed one.

2 Reconstruction of candidate initial states

The statistical model of the generator from the Fig. 1 is presented in the Fig. 2.

Figure 2. The statistical model of the generator

Let be the binary sequence produced by the shift register. Let be a sequence of integers, named decimation sequence,, where is given in advance. In the decimation process, the sequence is obtained in the following way:

"! $# ')( *,+-/0,1,1,1 (1)

In the statistical model, it 2 0 is supposed that is the realization of the sequence of independent and identically distributed (i.i.d.) random variables, with the probability $87! :9 "< 9, = >,? A@B. The binary noise sequence,, is CD the realization of the sequence of random i.i.d. variables with the probability 354 CE +! GIH 1 J,?, where is the correlation parameter. The cryptanalyst L- possesses K consecutive bits of the sequence, A which is the sum modulo 2 A@B of the decimated sequence and the noise sequence. His/her task is to determine the initial state of the generator that produced the K L intercepted bits of the sequence.

The correlation attack described in [1] is based on the edit distance measure with the constraint on the maximum length of the runs of deletions. This distance measure is defined as follows: Let M and N be two binary sequences of lengths O and K, respectively. Let us consider the transformation of M into N using the elementary edit operations substitutions and deletions. The constrained edit distance between M and N is defined as the minimum number of elementary edit operations needed to transform M into N, where the number of consecutive deletions is P. Besides, the elementary edit operations are ordered in the sense that first the deletions are performed and the substitutions.

The edit distance defined above can be determined in an iterative way, by filling the matrix of partial constrained edit distances. In the edit transformation, if represents the number of deletions and represents the number of substitutions, the edit distance between the prefix MTS <"U of the sequence M and the prefix N U of the sequence N is given by the following expression:

VX BY Z6[ \] VX_^* 9 _^ + Y # 9 S # S <"U L U!_` ZaAb c^ Z6[ \ Od^eK ^ +! - 9 Z6[ \] - +-,1,1,1, K +-,1,1,1B Z6[ \) Of^gK (2)

where S represents the elementary edit distance associated with a deletion (we assume that this value is constant), L! represents the elementary edit distance associated L with the substitution of the symbol by the symbol and is the maximum number of consecutive L! deletions. From now on, we shall assume that T8L iff

Any permitted sequence of elementary edit operations can be represented jikmln! by means of a two dimensional edit sequence over the alphabet,+-o h, where the empty symbol o is introduced in order to represent the deletions, i M and N is obtained by removing the empty symbols from l. The length of the sequences i and l is O. The edit sequence is constructed according to the following rules:

ip 7! lk 7!
1. If both and are non-empty symbols, the substitution + ip 7! lk 7! of the symbol by takes place, O lk 7!
2. If is ip the 7! empty symbol, + the deletion of the symbol takes place, >O

The first phase of the attack consists of the following steps [1]:

1) The length O of the output sequence of the LFSR without decimation is estimated. O depends on the maximum number of consecutive deletions. The mathematical expectation of O is used. For example, if + O sr Kst. Next, the threshold u necessary for the classification of the initial states of should be determined. For this to be carried out, the probability of false alarm 3 as well as the probability of missing the event 3cv are selected in advance. The threshold is computed by checking + ta3v initial states, selected at random. For each of them, the edit distance defined above between the output sequence generated by the actual initial state without decimation and the intercepted output sequence is calculated. The threshold is selected to be greater than the maximum edit distance value obtained in this process.

2) For every possible initial state of, not used in the step 1), the constrained edit distance between its corresponding output sequence of length O and the intercepted sequence of length K is computed. All the initial states that produce the output sequences from, whose edit distance is less than the threshold u, are included in the set of candidate initial states.

3 Clock control sequence reconstruction

The reconstruction of clock control sequences can be carried out by determining suboptimal paths over the edit distance matrix. We call the optimal paths the paths through the edit VX distance matrix that at Ow^xK KxY y. Let K be the length of the clock control sequence needed to reconstruct the initial state of the subgenerator mentioned above. The optimal paths pass through the cells VX y Y,1,1,1B VX y Y y in the column of the matrix V, where depends on the particular sequences. If the noise level is, it is sufficient VX to reconstruct all the optimal paths that start at y Y,1,1,1B VX y Y. But in the presence of noise, the clock control sequences corresponding to the optimal paths do not necessarily generate the captured output sequence. Thus, apart from the optimal paths, we also need to reconstruct the suboptimal paths, whose weight-difference from the optimal ones does not overcome a discrepancy given in advance. The value of depends on the noise level in the statistical model.

y We first need to determine the points in the column, through which the optimal paths that VX VX start at O^ K KxY pass. To carry out this, every cell BY has, besides the value of the edit distance, four associated vectors:

1) The vector of primary pointers VX + to the cells Y ^ + Y,1,1,1B VX Y *^ + Y VX from which it is possible to arrive to the cell BY with the minimum weight increment, #

2) The vector of updated pointers VX + to the cells Y y Y,1,1,1 VX y Y y Y, through which it is possible to arrive to the y VX cell BY with the minimum weight increment, Z6[ \) Of^gK #8+- +p# y!

3) The vector of pointers VX to the cells + Y + =^ Y,1,1,1B VX Y VX ^ + Y from which it is possible to arrive to the cell BY regardless of the weight increment,

4) The vector of values of the edit distances corresponding to the elements of the vector. The cardinality of this vector is also

The actual values of y,, and depend on the concrete sequences. V The matrix is filled by means of the algorithm, in which the equation (2) is implemented, together with the updating of the four vectors mentioned above. The complete algorithm is given in the Appendix (Algorithm 1).

The next step is reconstructing the candidate clock control sequences. There are three sets of paths to be reconstructed. The first one consists of optimal paths that start at the points VXOw^IK KxY 1 7 Y 7e +-,1,1,1B VX BY 1 y. The second one consists of suboptimal paths, whose weight-difference from the optimal ones is, that start at VX O ^K KxY 1 7 Y 7 +-,1,1,1B VX BY 1 y. The third set consists of suboptimal paths, whose weight-difference from the optimal ones is, that start at other points in the column y.

In order to determine the optimal and suboptimal paths that start at every initial point of any set, a special depth-first like search algorithm is devised. In this algorithm, every branching point is processed by enumerating systematically all the paths that start in it. In this search, a special kind of stack is used. A reconstructed path is rejected if at some point its weight becomes greater than the optimal weight plus. The complete algorithm is given in the Appendix (Algorithm 2).

4 The analysis of complexity

The number V of optimal and permitted suboptimal paths in the matrix depends on the sequences M and N. Nevertheless, it is possible to estimate the total number of paths (optimal and suboptimal) that pass through the VX y column y. Every path between the elements Y and VX AY can be represented by a string of symbols from the alphabet V 9,1,1,1 VX, where represents the step in the matrix from the cell BY VX to the cell ^ + Y, 9 VX represents the step from the cell BY to the cell VXD^ +- 5^ + Y,, represents the step from the cell VX BY VX to the cell 6^x =^ + Y. Let be the total number & of runs of deletions in the y edit transformation. The length of every string is equal to, the sum of indexes of, y +-,1,1,1B, 7_ +-,1,1,1B in each string is equal to and the number of symbols in each string is equal to ^. It is obvious that, given, the number of strings is equal to

The indexes of the symbols represent a partition of the integer, with constraints on the size of the parts ( ). In order to determine the number of paths, the value of is needed. So the number of partitions of the integer should be determined with the additional constraint +-,1,1,1, that the number of parts must be equal to,

Let m"! be the number of partitions of with the number of parts, where every part is. The generating function associated with this problem is called the Gauss polynomial of degree k :!! % #" %$ m"! (3) ( [5]:

Theorem 1 Let '&s. Then the following holds!! + ^ #"!! + -" (see [5]) "<!B + ^ "<)( 9B!)* * * + + ^ ^!B + ^ +( 9!)* * * + ^ < 9,!!

We should also have in mind that. Obviously the number of partitions of the integer into exactly parts less than or equal to is: m"! * m"! ^ It can be proved [5] that: (4),!! #" *^ +-m"! (5)

1) m"! g ^ +- m! ^/

2) Let 0!! #"! #" ^! T^ +! " Then 0!! #" ^ +-! #"

The previous expressions give rise to the following result:

Theorem 2 The total number of paths between VX y Y VX and AY, for the given, takes the following form: O ' 9!

The equation (6) is the direct consequence of the application of the Theorem 1 and the posterior considerations. It gives the number of paths corresponding to one starting point in the column y of the matrix V. The behaviour of the value O y (6) is presented in the Table g y y 1 for different values of, assuming that t

Table 1 - O for different values of
^ + O O t ^ +! ,

The total number of paths that pass through the column y depends on the sequences M and N, as well as on. The maximum number of points in the column y through which the paths can pass is given by the following expression: 8Z6[ \) Of^gK #8+- +p# y! Then the total number of paths that pass through the column y can be estimated to be (7) O O (8) where the maximum value of is equal to

5 Experimental results

The number of paths necessary to find the clock control sequence should be as small as possible. This number depends on. Given a certain level of noise in the statistical model, the behaviour of the maximum value of, denoted by v, has been analysed experimentally. The experiment has been carried out in the following way: 1000 initial states of a structure with two LFSRs are chosen at random. In this structure one LFSR, 9, generates the clock control sequence for the other, . For each of them, the output sequence corrupted by the noise sequence generated at random is produced. The noise level is the control variable of the experiment. The set of candidates for the initial state of is determined. Once the candidates have been obtained, for a fixed value of, the optimal and suboptimal paths are determined. This process is repeated starting from and incrementing the value of until the clock control sequence generated by 9 is found. The maximum value v obtained in this process is stored. At the end of the experiment, the mean value v is calculated. The dependence of v on for different values of y is depicted in the Fig. 3.

Fig. 3 - Dependence of v on

From the Fig. 3 it can be concluded that:

1. For e, only the optimal paths that start in the column y of the edit distance matrix need to be reconstructed. For relatively low levels of noise, the value of v is small.
2. v depends approximately linearly on y.
3. The dependence of v on is also approximately linear.

6 Conclusion

In this paper, a deterministic method of clock control sequence reconstruction in the presence of noise is described. The method is applied in the cryptanalysis of a family of schemes containing irregularly clocked LFSRs, which are widely used in spread-spectrum systems. The influence of noise on the clock control sequence reconstruction process is decisive because the level of noise affects significantly the effectiveness of the method. Therefore, in our algorithm the influence of noise is taken into account by relating the noise level with the permitted deviation from the noiseless-case path weight. The clock control reconstruction is performed by a directed depth-first like search through the edit distance matrix. The search procedure maintains a special kind of stack, which is updated during the execution of the algorithm. The maximum value of weight deviation necessary for the reconstruction of the actual clock control sequence depends on the noise level. Experimental results show that the average number of paths that have to be reconstructed in order to find the true clock control sequence increases moderately with the noise level.

Acknowledgement

This work was supported by Ministerio de Ciencia y Tecnología (Spain) under grant TIC

References

[1] J Golić and M Mihaljević, A Generalized Correlation Attack on a Class of Stream Ciphers Based on the Levenshtein Distance, Journal of Cryptology, Vol 3, No 3 (1991)
[2] W Chambers and J Golić, Fast Reconstruction of Clock-Control Sequence, Electronics Letters, Vol 38, No 20 (2002)
[3] J Golić and R Menicocci, Edit Distance Correlation Attack on the Alternating Step Generator, Proceedings of CRYPTO 97, LNCS 1294, Springer-Verlag, New York, 1997, pp
[4] T Johansson, Reduced Complexity Correlation Attacks on Two Clock-Controlled Generators, Proceedings of ASIACRYPT 98, LNCS 1514, Springer-Verlag, New York, 1998, pp
[5] G Andrews, The Theory of Partitions, Addison-Wesley, Reading, 1976

Appendix

Algorithm 1

Input:
The sequences M and N of lengths O and K, respectively
The length y of the clock control sequence necessary to reconstruct the initial state of the subgenerator that generates it
The maximum length of runs of deletions
The elementary distance S associated with the deletion of a symbol
L The elementary edit distance Y associated with the L L substitution of the symbol by the symbol,

Output:
V The matrix of edit distances with the vectors,, and associated with every cell

comment Initialization
VX BY 1 ^,,1,1,1B Of^gK,1,1,1B K The vectors,,, and associated with every cell VX BY are empty VX AY 1 ^

comment The row V of the matrix :
for ^ + until K do VX BY 1 ^ + VX BY 1 ^ VX _^ + Y 1 # M BY N BY Y VX BY 1 + Y ^>, end

comment Main loop
for ^ + until K do for ^ + Z6[ \) until Of^gK p +! do Let be the minimum value of the expression VX ^* 9 ^ + Y 1 # 9 # M # BY N BY Y, (1) 9 ZaAb 7 X^ O ^ K -,1,1,1 Z6[ \] P^ Let be the number of values of 9 for which the expression (1) takes the value Then VX BY 1 ^ VX BY 1 ^ VX The vector BY 1 is filled with values of the expression =^8 + corresponding to the values 9 for which the expression (1) VX takes the value The vector BY 1 is filled with all the values (not necessarily the minimum ones) of the expression (1) end

comment Determining updated pointers
For y #8+, these pointers are not needed
if g y #8+ for ^ Z6[ \) until Of^gK p VX BY 1 ^ VX BY 1 y #8+ else if VX For every element of BY 1,,1,1,1B Z6[ \) O ^ K VX the corresponding vector BY 1 of updated pointers is determined in the following way: the elements of VX VX VX BY 1 7 Y ]^ + Y ,1,1,1B VX, BY 1 are placed into BY 1, deleting the repeated ones end end,

Algorithm 2

Input:
The matrix V of edit distances, obtained by means of the Algorithm 1
The values of y, and

Output:
VX y All the paths that start at the point Y that belong to the corresponding set(s) mentioned above

comment Initialization
^ ^ ^

comment Main loop
y ^ do H H ^ false

comment This is the path overweight indicator
while (! or >! ) and

comment Detect a branching point
VX if BY 1 +! and ( Y 1! ) ^ #8+ do

comment Put, VX and BY on the
Y 1 V ^ VX BY Y 1 ^> Y 1 ^8 end

comment Process a branching point
if Y 1! ^ false repeat Y 1 Y 1! or! Consider the possibility of branching from the current branching point to one of the possible successors, ie the point If this possibility is chosen, and after that only the branchings to the points that lead to the optimal subpaths are followed, the total weight of the chosen subpath is ^8 Y 1 V 1 and the total weight of the corresponding path is 7 ^ 7 jikml!"# Y 1 V 1 Y where is the function that jikmln! returns the weight of the path before the branching and is the prefix of the edit sequence of length

comment 4A is the value of that corresponds to the previous path element
if HE VX y Y 1 # 4A ^8 Y 1 V 1 Y 1 V 1 Y Y 1 V 1 ^8 Y 1 V 1 ^ + if Y 1 V 1 ^ ^ + 4A has been initialized from the 4A has not been initialized from ^ true until ( (all the successors have been examined) if end

comment Process a non-branching point
if ( and (not badpath) 4A has not been initialized from the ^ VX BY 1 VX BY 1 Y 7 ^ jikml!]# ) or ) if HE VX y Y 1 # 4A ^ VX BY 1 VX BY 1 Y ^ true end

comment Reconstruct the current path
if not if > ^ #8+ i Y ^>M # l,y Y ^N BY end 7 7 for ^ + until ^* 4A do ^ #8+ i Y ^>M # _^ 7 7 l Y Y ^ o end ^ if 4A ^8_^ + end end Store the obtained clock control sequence

comment Back to the current branching point
if > ^ ^g Y 1 _^g ^8 Y 1 ^8 Y 1 end until Y 1,
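The matrix filling of Section 2 and the weight-bounded depth-first search of Section 3, as an added Python example; it is not the authors' code and not a transcription of Algorithms 1 and 2. The names (x, z, E, D, del_cost, W) are chosen here, x and z standing for the page's sequences M and N, and the 5-bit input is constructed. It assumes the register output length is known exactly, a substitution cost of 1 per differing bit, and a search from the last cell of the matrix back to the origin rather than through an intermediate column.

```python
"""Constrained edit distance matrix and directed path search (added example).

x: undecimated register output, z: intercepted bits. Before each kept bit,
between 0 and E register bits are deleted; a kept bit may be flipped by noise.
"""

INF = float("inf")


def decimate(x, a):
    """Apply decimation sequence a to x: skip a[n] bits, then emit one bit."""
    out, pos = [], 0
    for skip in a:
        pos += skip
        out.append(x[pos])
        pos += 1
    return out


def fill_matrix(x, z, E, del_cost=1):
    """W[e][s] = least weight turning x[:e+s] into z[:s] with e deletions.

    Every run of deletions is at most E long and is followed by one kept bit,
    which costs 1 if it has to be substituted and 0 otherwise.
    """
    e_end, M = len(x) - len(z), len(z)
    if e_end < 0:
        raise ValueError("intercepted sequence is longer than register output")
    W = [[INF] * (M + 1) for _ in range(e_end + 1)]
    W[0][0] = 0
    for s in range(1, M + 1):
        for e in range(min(e_end, s * E) + 1):
            sub = int(x[e + s - 1] != z[s - 1])
            W[e][s] = min(W[e - e1][s - 1] + e1 * del_cost + sub
                          for e1 in range(min(e, E) + 1))
    return W


def candidate_clockings(x, z, E, D, del_cost=1):
    """Return (optimal weight, sorted [(weight, decimation sequence), ...]).

    Depth-first search backwards from cell (len(x) - len(z), len(z)) using an
    explicit stack. A step is taken only if the cheapest completion through
    it stays within optimum + D, so overweight paths are cut immediately.
    """
    W = fill_matrix(x, z, E, del_cost)
    e_end, M = len(x) - len(z), len(z)
    optimum = W[e_end][M]
    if optimum == INF:          # no decimation sequence fits the lengths
        return optimum, []
    limit = optimum + D
    found = []
    stack = [(e_end, M, 0, ())]  # cell, weight of the suffix, suffix itself
    while stack:
        e, s, weight, suffix = stack.pop()
        if s == 0:               # reached the origin: one complete path
            found.append((weight, suffix))
            continue
        sub = int(x[e + s - 1] != z[s - 1])
        for e1 in range(min(e, E) + 1):
            step = e1 * del_cost + sub
            if W[e - e1][s - 1] + weight + step <= limit:
                stack.append((e - e1, s - 1, weight + step, (e1,) + suffix))
    return optimum, sorted(found)


if __name__ == "__main__":
    # Constructed toy data: 5 register bits, true decimation (0, 1, 1), E = 1.
    x = [0, 1, 1, 0, 1]
    true_a = (0, 1, 1)
    clean = decimate(x, true_a)
    noisy = [clean[0] ^ 1] + clean[1:]   # first intercepted bit flipped
    for label, z in (("clean", clean), ("noisy", noisy)):
        for D in (0, 1):
            opt, paths = candidate_clockings(x, z, E=1, D=D)
            print(label, "D =", D, "optimum =", opt, "candidates =", paths)
```

With the flipped bit, the optimal path no longer corresponds to the true decimation sequence; it reappears among the candidates once the permitted deviation D is raised to the number of noisy bits.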


More information

REDUCING GRAPH COLORING TO CLIQUE SEARCH

REDUCING GRAPH COLORING TO CLIQUE SEARCH Asia Pacific Journal of Mathematics, Vol. 3, No. 1 (2016), 64-85 ISSN 2357-2205 REDUCING GRAPH COLORING TO CLIQUE SEARCH SÁNDOR SZABÓ AND BOGDÁN ZAVÁLNIJ Institute of Mathematics and Informatics, University

More information

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The

More information

Linear Cryptanalysis of Reduced Round Serpent

Linear Cryptanalysis of Reduced Round Serpent Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,

More information

AN ALGORITHM USING WALSH TRANSFORMATION FOR COMPRESSING TYPESET DOCUMENTS Attila Fazekas and András Hajdu

AN ALGORITHM USING WALSH TRANSFORMATION FOR COMPRESSING TYPESET DOCUMENTS Attila Fazekas and András Hajdu AN ALGORITHM USING WALSH TRANSFORMATION FOR COMPRESSING TYPESET DOCUMENTS Attila Fazekas and András Hajdu fattila@math.klte.hu hajdua@math.klte.hu Lajos Kossuth University 4010, Debrecen PO Box 12, Hungary

More information

An algorithm for Performance Analysis of Single-Source Acyclic graphs

An algorithm for Performance Analysis of Single-Source Acyclic graphs An algorithm for Performance Analysis of Single-Source Acyclic graphs Gabriele Mencagli September 26, 2011 In this document we face with the problem of exploiting the performance analysis of acyclic graphs

More information

Recurrent Neural Network Models for improved (Pseudo) Random Number Generation in computer security applications

Recurrent Neural Network Models for improved (Pseudo) Random Number Generation in computer security applications Recurrent Neural Network Models for improved (Pseudo) Random Number Generation in computer security applications D.A. Karras 1 and V. Zorkadis 2 1 University of Piraeus, Dept. of Business Administration,

More information

A Modified Playfair Encryption Using Fibonacci Numbers

A Modified Playfair Encryption Using Fibonacci Numbers A Modified Playfair Encryption Using Fibonacci Numbers Mohd Vasim Ahamad 1, Maria Masroor 2, Urooj Fatima 3 Aligarh Muslim University (India) ABSTRACT With the technology advancements and easy availability

More information

Secret Key Algorithms (DES)

Secret Key Algorithms (DES) Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used

More information

A Meet in the Middle Attack on Reduced Round Kuznyechik

A Meet in the Middle Attack on Reduced Round Kuznyechik IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and

More information

DDS Dynamic Search Trees

DDS Dynamic Search Trees DDS Dynamic Search Trees 1 Data structures l A data structure models some abstract object. It implements a number of operations on this object, which usually can be classified into l creation and deletion

More information

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 11 Coding Strategies and Introduction to Huffman Coding The Fundamental

More information

Integral Cryptanalysis of the BSPN Block Cipher

Integral Cryptanalysis of the BSPN Block Cipher Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of

More information

MOST attention in the literature of network codes has

MOST attention in the literature of network codes has 3862 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 56, NO. 8, AUGUST 2010 Efficient Network Code Design for Cyclic Networks Elona Erez, Member, IEEE, and Meir Feder, Fellow, IEEE Abstract This paper introduces

More information

On Universal Cycles of Labeled Graphs

On Universal Cycles of Labeled Graphs On Universal Cycles of Labeled Graphs Greg Brockman Harvard University Cambridge, MA 02138 United States brockman@hcs.harvard.edu Bill Kay University of South Carolina Columbia, SC 29208 United States

More information

FUTURE communication networks are expected to support

FUTURE communication networks are expected to support 1146 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL 13, NO 5, OCTOBER 2005 A Scalable Approach to the Partition of QoS Requirements in Unicast and Multicast Ariel Orda, Senior Member, IEEE, and Alexander Sprintson,

More information

/ Approximation Algorithms Lecturer: Michael Dinitz Topic: Linear Programming Date: 2/24/15 Scribe: Runze Tang

/ Approximation Algorithms Lecturer: Michael Dinitz Topic: Linear Programming Date: 2/24/15 Scribe: Runze Tang 600.469 / 600.669 Approximation Algorithms Lecturer: Michael Dinitz Topic: Linear Programming Date: 2/24/15 Scribe: Runze Tang 9.1 Linear Programming Suppose we are trying to approximate a minimization

More information

On the Design of Secure Block Ciphers

On the Design of Secure Block Ciphers On the Design of Secure Block Ciphers Howard M. Heys and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University Kingston, Ontario K7L 3N6 email: tavares@ee.queensu.ca

More information

2.2 Set Operations. Introduction DEFINITION 1. EXAMPLE 1 The union of the sets {1, 3, 5} and {1, 2, 3} is the set {1, 2, 3, 5}; that is, EXAMPLE 2

2.2 Set Operations. Introduction DEFINITION 1. EXAMPLE 1 The union of the sets {1, 3, 5} and {1, 2, 3} is the set {1, 2, 3, 5}; that is, EXAMPLE 2 2.2 Set Operations 127 2.2 Set Operations Introduction Two, or more, sets can be combined in many different ways. For instance, starting with the set of mathematics majors at your school and the set of

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 3 January 13, 2012 CPSC 467b, Lecture 3 1/36 Perfect secrecy Caesar cipher Loss of perfection Classical ciphers One-time pad Affine

More information

A Block Cipher using Feistal s Approach Involving Permutation and Mixing of the Plaintext and the Additive Inverse of Key Matrix

A Block Cipher using Feistal s Approach Involving Permutation and Mixing of the Plaintext and the Additive Inverse of Key Matrix Journal of omputer Science 4 (): 7-4, 8 ISSN 549-3636 8 Science Publications A Block ipher using Feistal s Approach Involving Permutation and Mixing of the Plaintext and the Additive Inverse of Key Matrix

More information

Trees. 3. (Minimally Connected) G is connected and deleting any of its edges gives rise to a disconnected graph.

Trees. 3. (Minimally Connected) G is connected and deleting any of its edges gives rise to a disconnected graph. Trees 1 Introduction Trees are very special kind of (undirected) graphs. Formally speaking, a tree is a connected graph that is acyclic. 1 This definition has some drawbacks: given a graph it is not trivial

More information

The problem of string or sequence classification addressed in this paper is the following.

The problem of string or sequence classification addressed in this paper is the following. BACKGROUND The problem of string or sequence classification addressed in this paper is the following. The input consists of an alphabet A, along with an input string or sequence X = x 1x 2.. x m and a

More information

Efficient subset and superset queries

Efficient subset and superset queries Efficient subset and superset queries Iztok SAVNIK Faculty of Mathematics, Natural Sciences and Information Technologies, University of Primorska, Glagoljaška 8, 5000 Koper, Slovenia Abstract. The paper

More information

Cryptography. Summer Term 2010

Cryptography. Summer Term 2010 Cryptography Summer Term 2010 Harald Baier Chapter 3: Pseudo Random Bit Generators and Stream Ciphers Contents Random bits and pseudo random bits Stream ciphers Harald Baier Cryptography h_da, Summer Term

More information

Chapter 5 VARIABLE-LENGTH CODING Information Theory Results (II)

Chapter 5 VARIABLE-LENGTH CODING Information Theory Results (II) Chapter 5 VARIABLE-LENGTH CODING ---- Information Theory Results (II) 1 Some Fundamental Results Coding an Information Source Consider an information source, represented by a source alphabet S. S = { s,

More information

Generating (n,2) De Bruijn Sequences with Some Balance and Uniformity Properties. Abstract

Generating (n,2) De Bruijn Sequences with Some Balance and Uniformity Properties. Abstract Generating (n,) De Bruijn Sequences with Some Balance and Uniformity Properties Yi-Chih Hsieh, Han-Suk Sohn, and Dennis L. Bricker Department of Industrial Management, National Huwei Institute of Technology,

More information

1. Draw the state graphs for the finite automata which accept sets of strings composed of zeros and ones which:

1. Draw the state graphs for the finite automata which accept sets of strings composed of zeros and ones which: P R O B L E M S Finite Autom ata. Draw the state graphs for the finite automata which accept sets of strings composed of zeros and ones which: a) Are a multiple of three in length. b) End with the string

More information

The Encoding Complexity of Network Coding

The Encoding Complexity of Network Coding The Encoding Complexity of Network Coding Michael Langberg Alexander Sprintson Jehoshua Bruck California Institute of Technology Email: mikel,spalex,bruck @caltech.edu Abstract In the multicast network

More information

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel (a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two

More information

Discrete models of the NLFSR generators

Discrete models of the NLFSR generators Computer Applications in Electrical Engineering Discrete models of the NLFSR generators Janusz Walczak, Rafał Stępień Silesian Uniyersity of Technology 44-100 Gliwice, ul. Akademicka 10, e-mail: janusz.walczak@polsl.pl,

More information

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building Cryptographic Techniques Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building Outline Data security Cryptography basics Cryptographic systems DES RSA C. H. HUANG IN CML 2 Cryptography

More information

Output: For each size provided as input, a figure of that size is to appear, followed by a blank line.

Output: For each size provided as input, a figure of that size is to appear, followed by a blank line. Problem 1: Divisor Differences Develop a program that, given integers m and k satisfying m > k > 0, lists every pair of positive integers (i,j) such that j i = k and both i and j are divisors of m. Input:

More information

Method for security monitoring and special filtering traffic mode in info communication systems

Method for security monitoring and special filtering traffic mode in info communication systems Method for security monitoring and special filtering traffic mode in info communication systems Sherzod Rajaboyevich Gulomov Provide Information Security department Tashkent University of Information Technologies

More information

Application of the Computer Capacity to the Analysis of Processors Evolution. BORIS RYABKO 1 and ANTON RAKITSKIY 2 April 17, 2018

Application of the Computer Capacity to the Analysis of Processors Evolution. BORIS RYABKO 1 and ANTON RAKITSKIY 2 April 17, 2018 Application of the Computer Capacity to the Analysis of Processors Evolution BORIS RYABKO 1 and ANTON RAKITSKIY 2 April 17, 2018 arxiv:1705.07730v1 [cs.pf] 14 May 2017 Abstract The notion of computer capacity

More information

Biclique Attack of the Full ARIA-256

Biclique Attack of the Full ARIA-256 Biclique Attack of the Full ARIA-256 Shao-zhen Chen Tian-min Xu Zhengzhou Information Science and Technology Institute Zhengzhou 450002, China January 8, 202 Abstract In this paper, combining the biclique

More information

Unlabeled equivalence for matroids representable over finite fields

Unlabeled equivalence for matroids representable over finite fields Unlabeled equivalence for matroids representable over finite fields November 16, 2012 S. R. Kingan Department of Mathematics Brooklyn College, City University of New York 2900 Bedford Avenue Brooklyn,

More information

A Note on Scheduling Parallel Unit Jobs on Hypercubes

A Note on Scheduling Parallel Unit Jobs on Hypercubes A Note on Scheduling Parallel Unit Jobs on Hypercubes Ondřej Zajíček Abstract We study the problem of scheduling independent unit-time parallel jobs on hypercubes. A parallel job has to be scheduled between

More information

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.

More information

COMPUTER SCIENCE Paper 1

COMPUTER SCIENCE Paper 1 COMPUTER SCIENCE Paper 1 (THEORY) (Three hours) Maximum Marks: 70 (Candidates are allowed additional 15 minutes for only reading the paper. They must NOT start writing during this time) -----------------------------------------------------------------------------------------------------------------------

More information

arxiv:cs/ v2 [cs.cr] 27 Aug 2006

arxiv:cs/ v2 [cs.cr] 27 Aug 2006 On the security of the Yen-Guo s domino signal encryption algorithm (DSEA) arxiv:cs/0501013v2 [cs.cr] 27 Aug 2006 Chengqing Li a, Shujun Li b, Der-Chyuan Lou c and Dan Zhang d a Department of Mathematics,

More information

Abstract Combinatorial Games

Abstract Combinatorial Games Abstract Combinatorial Games Arthur Holshouser 3600 Bullard St. Charlotte, NC, USA Harold Reiter Department of Mathematics, University of North Carolina Charlotte, Charlotte, NC 28223, USA hbreiter@email.uncc.edu

More information

Multi-Stage Fault Attacks

Multi-Stage Fault Attacks Multi-Stage Fault Attacks Applications to the Block Cipher PRINCE Philipp Jovanovic Department of Informatics and Mathematics University of Passau March 27, 2013 Outline 1. Motivation 2. The PRINCE Block

More information

S. Erfani, ECE Dept., University of Windsor Network Security. 2.3-Cipher Block Modes of operation

S. Erfani, ECE Dept., University of Windsor Network Security. 2.3-Cipher Block Modes of operation 2.3-Cipher Block Modes of operation 2.3-1 Model of Conventional Cryptosystems The following figure, which is on the next page, illustrates the conventional encryption process. The original plaintext is

More information

Introduction and Simulation of Modified Left Algorithms to Attribute Orthogonal Codes in 3 rd Generation Systems

Introduction and Simulation of Modified Left Algorithms to Attribute Orthogonal Codes in 3 rd Generation Systems J. Basic. Appl. Sci. Res., 1(12)2950-2959, 2011 2011, TextRoad Publication ISSN 2090-4304 Journal of Basic and Applied Scientific Research www.textroad.com Introduction and Simulation of Modified Left

More information

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4 IJSRD - International Journal for Scientific Research & Development Vol. 2, Issue 08, 2014 ISSN (online): 2321-0613 A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam

More information

LOW-DENSITY PARITY-CHECK (LDPC) codes [1] can

LOW-DENSITY PARITY-CHECK (LDPC) codes [1] can 208 IEEE TRANSACTIONS ON MAGNETICS, VOL 42, NO 2, FEBRUARY 2006 Structured LDPC Codes for High-Density Recording: Large Girth and Low Error Floor J Lu and J M F Moura Department of Electrical and Computer

More information

S. Dasgupta, C.H. Papadimitriou, and U.V. Vazirani 165

S. Dasgupta, C.H. Papadimitriou, and U.V. Vazirani 165 S. Dasgupta, C.H. Papadimitriou, and U.V. Vazirani 165 5.22. You are given a graph G = (V, E) with positive edge weights, and a minimum spanning tree T = (V, E ) with respect to these weights; you may

More information

EFFICIENT ATTRIBUTE REDUCTION ALGORITHM

EFFICIENT ATTRIBUTE REDUCTION ALGORITHM EFFICIENT ATTRIBUTE REDUCTION ALGORITHM Zhongzhi Shi, Shaohui Liu, Zheng Zheng Institute Of Computing Technology,Chinese Academy of Sciences, Beijing, China Abstract: Key words: Efficiency of algorithms

More information

CSCI 5454 Ramdomized Min Cut

CSCI 5454 Ramdomized Min Cut CSCI 5454 Ramdomized Min Cut Sean Wiese, Ramya Nair April 8, 013 1 Randomized Minimum Cut A classic problem in computer science is finding the minimum cut of an undirected graph. If we are presented with

More information

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

An Efficient Stream Cipher Using Variable Sizes of Key-Streams An Efficient Stream Cipher Using Variable Sizes of Key-Streams Hui-Mei Chao, Chin-Ming Hsu Department of Electronic Engineering, Kao Yuan University, #1821 Jhongshan Rd., Lujhu Township, Kao-Hsiung County,

More information

From Static to Dynamic Routing: Efficient Transformations of Store-and-Forward Protocols

From Static to Dynamic Routing: Efficient Transformations of Store-and-Forward Protocols SIAM Journal on Computing to appear From Static to Dynamic Routing: Efficient Transformations of StoreandForward Protocols Christian Scheideler Berthold Vöcking Abstract We investigate how static storeandforward

More information

Worst-case Ethernet Network Latency for Shaped Sources

Worst-case Ethernet Network Latency for Shaped Sources Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, SMSC 7th October 2005 Contents For 802.3 ResE study group 1 Worst-case latency theorem 1 1.1 Assumptions.............................

More information

A Related Key Attack on the Feistel Type Block Ciphers

A Related Key Attack on the Feistel Type Block Ciphers International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2

More information

A SIMPLIFIED IDEA ALGORITHM

A SIMPLIFIED IDEA ALGORITHM A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions

More information

Improved Attack on Full-round Grain-128

Improved Attack on Full-round Grain-128 Improved Attack on Full-round Grain-128 Ximing Fu 1, and Xiaoyun Wang 1,2,3,4, and Jiazhe Chen 5, and Marc Stevens 6, and Xiaoyang Dong 2 1 Department of Computer Science and Technology, Tsinghua University,

More information

Fast Efficient Clustering Algorithm for Balanced Data

Fast Efficient Clustering Algorithm for Balanced Data Vol. 5, No. 6, 214 Fast Efficient Clustering Algorithm for Balanced Data Adel A. Sewisy Faculty of Computer and Information, Assiut University M. H. Marghny Faculty of Computer and Information, Assiut

More information

Let denote the number of partitions of with at most parts each less than or equal to. By comparing the definitions of and it is clear that ( ) ( )

Let denote the number of partitions of with at most parts each less than or equal to. By comparing the definitions of and it is clear that ( ) ( ) Calculating exact values of without using recurrence relations This note describes an algorithm for calculating exact values of, the number of partitions of into distinct positive integers each less than

More information

Fuzzy C-means Clustering with Temporal-based Membership Function

Fuzzy C-means Clustering with Temporal-based Membership Function Indian Journal of Science and Technology, Vol (S()), DOI:./ijst//viS/, December ISSN (Print) : - ISSN (Online) : - Fuzzy C-means Clustering with Temporal-based Membership Function Aseel Mousa * and Yuhanis

More information

Optimally-balanced Hash Tree Generation in Ad Hoc Networks

Optimally-balanced Hash Tree Generation in Ad Hoc Networks African Journal of Information and Communication Technology, Vol. 6, No., September Optimally-balanced Hash Tree Generation in Ad Hoc Networks V. R. Ghorpade, Y. V. Joshi and R. R. Manthalkar. Kolhapur

More information

Framework for Design of Dynamic Programming Algorithms

Framework for Design of Dynamic Programming Algorithms CSE 441T/541T Advanced Algorithms September 22, 2010 Framework for Design of Dynamic Programming Algorithms Dynamic programming algorithms for combinatorial optimization generalize the strategy we studied

More information

Encryption à la Mod Name

Encryption à la Mod Name Rock Around the Clock Part Encryption à la Mod Let s call the integers,, 3,, 5, and the mod 7 encryption numbers and define a new mod 7 multiplication operation, denoted by, in the following manner: a

More information

Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude

Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude Paul C. van Oorschot and Michael J. Wiener Bell-Northern Research, P.O. Box 3511 Station C, Ottawa, Ontario, K1Y 4H7, Canada {paulv,wiener}@bnr.ca

More information

EE 595 (PMP) Introduction to Security and Privacy Homework 1 Solutions

EE 595 (PMP) Introduction to Security and Privacy Homework 1 Solutions EE 595 (PMP) Introduction to Security and Privacy Homework 1 Solutions Assigned: Tuesday, January 17, 2017, Due: Sunday, January 28, 2017 Instructor: Tamara Bonaci Department of Electrical Engineering

More information

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015 L2. An Introduction to Classical Cryptosystems Rocky K. C. Chang, 23 January 2015 This and the next set of slides 2 Outline Components of a cryptosystem Some modular arithmetic Some classical ciphers Shift

More information