Reducing the collision probability of Alleged. Abstract. Wagner, Goldberg and Briceno have recently published an

Transcription

1 Reducing the collision probability of Alleged Comp128 Helena Handschuh Pascal Paillier ENST GEMPLUS Computer Science Department Cryptography Department 46, rue Barrault 34, rue Guynemer F Paris Cedex 13 F Issy-les-Moulineaux Both authors jointly work with Gemplus and ENST Abstract. Wagner, Goldberg and Briceno have recently published an attack [2] on what they believe to be Comp128, the GSM A3A8 authentication hash function [1]. Provided that the attacker has physical access to the card and to its secret PIN code (the card has to be activated), this chosen plaintext attack recovers the secret key of the personalized SIM (Secure Identication Module) card by inducing collisions on the second (out of 40) round of the hash function. In this paper we suggest two dierent approaches to strengthen the alleged Comp128 algorithm with respect to this attack. An evaluation of the number of chosen plaintexts and the new complexity of the attack are given. Keywords. Alleged Comp128, chosen plaintext attack, authentication, hash function, cryptanalysis, smart cards, GSM. 1 Introduction GSM networks use an authentication and session key generation algorithm called A3A8. An example of A3A8 is the Comp128 algorithm. An alleged version of Comp128 (we shall call it AComp128 hereafter) was recently published on the Web [1]. AComp128 is a hash function that takes the card's secret key Ki and a challenge sent over the air by the base station as an input to compute a MAC and a session key. The SIM card sends the MAC back to the base station for authentication and uses the session key for voice encryption with A5. Briceno, Goldberg and Wagner's attack [2] is a chosen plaintext attack which induces collisions on the second round of the hash function and performs a 2R-attack to recover the secret key Ki. Details of AComp128 and of the attack are given in the next two sections. In this paper we suggest two ways to prevent this attack; the rst is by slightly modifying the protocol in order to disable any collisions after the second or third round, and

2 the second is by changing the structure of the inner permutations of indices referred to as a buttery structure. Both methods oer protection against this attack but may also be of independent interest. 2 The AComp128 algorithm The hash function takes 256 bits as an input and computes a hash value of 128 bits. The 32 leftmost bits are used as a MAC and sent back to the basestation, and the 64 rightmost bits are used as a session key for voice encryption with the A5 algorithm. Let Ki be the secret key of the target SIM card, and R the challenge sent to the card by the base station. Ki and R are each 16 bytes long. Let X[0..15] = Ki and X[16..31] = R be the 32 byte input to the hash function. Let T0[0..511], T1[0..255], T2[0..127], T3[0..63] and T4[0..31] be the four secret tables. Then there are 8 loops of the following compression function : apply 5 rounds of table lookups and substitutions using tables T0 to T4, and except in the last loop, perform a permutation on the 128 output bits before entering the next loop. In order to achieve a better comprehension of the attack, we will describe the 5 rounds inside one loop in pseudocode : For i = 0 to 4 do : For j = 0 to 2 i? 1 do : For k = 0 to 2 4?i? 1 do : f s = k + j*2 5?i t = s + 2 4?i x = (X[s] + 2X[t]) mod 2 9?i y = (2X[s] + X[t]) mod 2 9?i X[s] = Ti[x] X[t] = Ti[y] g The way the substitutions are performed in each round is referred to by Wagner et al. as a buttery structure. The size of the elements in the tables decreases from one table to the next. Starting from 8 bit outputs for table T0, and 7 bit outputs for table T1, we get down to 4 bit outputs in table T4. Actually, the 32 output bytes only have 4 signicant bits each. Therefore these 32 bytes are reorganised into 16 bytes. After the permutation, the 16 byte output updates X[16..31], and X[0..15] is updated with the key Ki. 3 BGW's attack After the second round of the rst loop, the bytes X[i],X[i+8],X[i+16],X[i+24] depend only on the input bytes having the same indexes. Two of these bytes are key bytes, namely X[i] = Ki[i] and X[i+8] = Ki[i+8] (for every i from 0 to 7). Thus, performing

3 a chosen challenge attack, we can hope to nd a collision on the four bytes after the second round. The birthday paradox guarantees that with 2 14 random challenges, a collision most probably occurs on the corresponding 28 bit output (table T1 has 7 bit outputs). Once a collision occurs on the second round, it propagates right through the hash function until the end of the last round. Comparing the MACs that are sent back by the card, this collision can be recognized. Next, perform a 2R-attack to recover the two secret key bytes involved in the collision. This attack can be iterated for each pair of key bytes (i.e. for i from 0 to 7), and the whole secret key Ki can be recovered. The attack requires approximately 8*2 14 = 2 17 chosen plaintexts and can be performed on a card within 8 hours. 4 Modifying the authentication protocol The rst suggestion we make in order to x the aw in AComp128, is to reduce the size of the input challenge in a specic way. The rst thing to mention here is that collisions cannot occur after the rst round. Actually, T0 has the following property : Consider the function t(x,y) = T0[(x + 2y) mod 512]. When either x or y are xed, the partial functions t(x,.) and t(.,y) of one variable are both permutations. Thus no collision can occur after the rst round. Let us now consider the second and the following rounds. The birthday paradox guarantees that with enough random challenges a collision can be found on each combination of four output bytes as mentioned in the last section. The idea is to x some parts of the challenge to a constant value in order to reduce the probability that there exists a collision. Say we x for example the 8 rst bytes of the challenge to a given value. Then 2 8 random challenges will almost certainly not produce a collision on 28 output bits. Let N be the maximum number of challenges that can be issued to the card. Actually the probability to have no collision on these 28 bits can be approximated to : N2 P i = e? = e?2?13 This probability is very close to 1. The probability to have no collision on either of the 8 combinations of four input bytes (two key bytes, one constant challenge byte, and one variable challenge byte) is approximately : P = (e? (28 ) ) 8 = e?2?10 There are many dierent ways to x parts of the challenge, each one with a corresponding probability to get no collision at all. We suggest xing half of the challenge,

4 but considering each pair of bytes R[i],R[i+8] involved in a birthday attack, one might want to x only l i bits out of the 16. The location of those bits is not relevant. The l i parameter may even vary for each index i. Dierent combinations can be found giving a satisfactory probability to be protected from the BGW attack. We can even allow some of the key bytes to be found, leaving the rest to be found by exhaustive search, but this game seems rather dangerous to us. Note that collisions on the third or even fourth round seem easier to achieve as the size of the outputs of tables T2 and T3 decreases, but if we x some parts of the challenge this will not be the case any more. At round 3 for example, 8 bytes (4 key bytes and 4 challenge bytes) are involved in a collision search. In the BGW case, 2 32 random challenges eventually lead to a collision on 48 bits (8 times 6 output bits). Nevertheless, with only half of the bits available for collision search, the probabilities are even worse than in the 2 round case. 5 Generalized Attack on AComp128 The birthday attack works out ne because there is a \narrow pipe" in this hash function that causes bad diusion of small changes in the input. We suggest to change the indexes to the table lookups in a way such that no narrow pipe subsists. In other words, if you choose one byte of the challenge and follow the bytes that are modied at the second round, going upwards in that network, far more than four bytes should be involved in the structure. In this section we give an evaluation of the complexity of a generalized BGW-style attack. We suppose that a given network structure is given instead of the buttery structure and analyse the probability of having an exploitable collision after the second round, as well as the number of chosen challenges an attacker has to perfom in order to extract some information on the key. Details will be given in the full version of the paper. 6 Using Mix-Optimal Permutations This is the second modication we suggest in order to repaire AComp128. Following the analysis of the previous section, we suggest a new structure for the diusion network instead of the buttery structure used in the actual version of AComp128. We still use one key byte and one random byte for the index of every table lookup at the rst and the following rounds, but we change the byte permutations in the rst and second rounds, such that the collision-free property is still valid on the rst round, and such that the probability of having a collision on the second or the next rounds is optimally low. We analyse the new probability of success for a "narrow pipe" attack, and deduce the number of cards needed in order for one of them to reveal it's secret key.

5 6.1 Round1 Let f be the permutation on byte indexes at the rst round; the buttery structure mixes X[i] and X[i+16], which means that indexes i and i+16 are used to update indexes i and i+16. We adopt the following notation : f = (0; 16)(1; 17)(2; 18)(3; 19):::(14; 30)(15; 31) This means that index 0 updates itself and index 16, index 16 updates itself and index 0, index 1 updates itself and index 17, etc. f is to be read as a permutation on indexes : the current buttery structure is therefore represented with 16 transpositions. It is easy to see that f is an involution. For a new rst round function we suggest a cyclic f' function which destroys part of the symmetry. Nevertheless, keep in mind that one key byte and one challenge byte are requested to update each byte of X at the rst round. f 0 = (0; 16; 1; 17; 2; 18; :::; 14; 30; 15; 31) Index 0 updates itself and index f'( 0 ) = 16, index 16 updates itself and index f'(16) = 1, etc. f' is no more involutive and its cyclic structure guarantees a minimal cycle length of 32, whereas the minimal cycle length of f is only Round2 The cyclic structure is not enough in the rst round. The new permutation on the second round, noted g' hereafter, is mix-optimal in the sense that for a realistic collision search (no more than 8 challenge bytes involved), the bytes involved after round 2 are suciently numerous to achieve optimally low collision probabilities. An exhaustive search of the best g' led us to the following results : we can achieve at least a factor 3 between the number of involved challenge bytes, and the number of bytes involved in a collision after round 2. In the buttery structure, this factor is only 2, which makes BGW's birthday attack feasible. In order to dene g', let us introduce the following notation. If f' is read from left to right, we call f'(k)(0), the k-th element in the list, i.e. if f' is applied k times the index of the involved byte is f'(k)(0). There are 2 mix-optimal g' functions dened as follows : and g 0 (k)(0) = f 0 (9k + 3mod32)(0) (1) g 0 (k)(0) = f 0 (9k + 2mod32)(0) (2) For example (1) has a maximal cycle length of 16 and two cylces of length 8.

6 6.3 New probabilities With a factor of at least 3 between the number of bytes involved at the second round and the number i of challenge bytes on which an attacker chooses to perform a collision search, the probabilities of such a collision drop to a reasonable value. For small i values (such as i = 1), the factor is at least 4 or 5. More details will be given in the full paper. For large i (at least 3), we achieve the following lower bound on the probability of having no collision : P = e? (28i ) i = e?2?5i?1 These mix-optimal permutations at rounds 1 and 2 suggest that the attacker has to have a fair amount of dierent activated cards in order to recover at least one secret key, which achieves some improvement over the actual performance of AComp128 with respect to BGW's attack. Attacks on subsequent rounds are even harder. 7 Conclusion We have shown two ways to x the aw in AComp128, an example of the GSM A3A8 authentication algorithm. We analysed the probability of success of a narrow pipe attack in a general case with dierent permutation structures. These results may lead to the implementation of algorithms with higher collision-resistance derived from AComp128- like algorithms with buttery structures, by introducing only minor changes. References This article was processed using the LATEX macro package with LLNCS style