An Improved Correlation Attack on A51

1
An Improved Correlation Attack on A5/1
Alexander Maximov Thomas Johansson Lund
University, SWEDEN
Steve Babbage Vodafone Group RD, UK

• Outline
• A5/1 cipher overview
• Previous attack
• Our Improvements
• Results

2
The Structure of A5/1
 
Majority rule
3
One Frame Generation
4
One Frame Generation
5
One Frame Generation
6
One Frame Generation
7
One Frame Generation
8
A Simple Correlation Attack
9
A Simple Correlation Attack
10
One Information Bit Extraction
 
 
1. LFSRs are clocked
at time t101 with probability
2. Random source
 
 
Examples ?
11
Ekdahl-Johansson Attack (2002)
1. Not only t101 is used to estimate
but t101164
Information from one frame Fnj
Information from all frames j1,2,
Note as
as
12
Ekdahl-Johansson Attack (2002)
2. To recover the Key uniquely, 64 bits must be
estimated

• 19 bits from LFSR1
• 22 bits from LFSR2
• 23 bits from LFSR3

Example ?
13
Ekdahl-Johansson Attack (2002)
Note some details are omitted
Performance
14
Our Approach. First Idea.
For each frame Fn
Consider time t. Assume at time t1 LFSR3 is not
clocked
Recall
15
Our Approach. First Idea.
For each frame Fn
Consider time t. Assume at time t1 LFSR3 is not
clocked
 
1. LFSR1 and LFSR2 are clocked
at time t
AND at time t1 LFSR3 is NOT clocked. The
probability is
2. Random source
Examples ?
16
Our Approach. First Idea.
For each frame Fnj
Consider time t. Assume at time t1 LFSR3 is not
clocked
 
Introduce new random variables for 3 cases
17
Our Approach. Second Idea.
For each frame Fnj
Consider d consecutive estimators

jointly
Introduce new d-dimension random variable, and
its estimator
known vector, when
d-dimension random variable,
unknown for the attacker
is given (or guessed)
18
Information Extraction
1. From each frame extract the following
probability table
? Example
2. Combine the probability tables from all m
frames
? Example
3. When enough tables are collected (for
different pairs ), perform the
decoding.
19
Information Extraction
1. Extracting Information from one frame Fnj
For all possible guesses
calculate
20
Information Extraction
2. Combining Information from all frames
21
Information Extraction
3. Decoding
h Distribution tables are derived (input)
Decoding purpose (output)
22
Up to now
For any pair
we can derive the distribution of d-dimension
random variable of the form
I.e., we know
Note as
as for the real vector of
its probability
23
Our Simulation Results
24
Our Simulation Results
25
Our Simulation Results
26
Results in Comparison
 
 
 
 
27
Part III--------------
To be removed before the presentation

• Time planned 5 min
• Actual time
• Try1
• Try2

• Contents
• Problems with Decoding
• Intervals Good and Bad
• Tables Many of them

28
Information Extraction
Error pattern
Example, d4 ?
where
29
Our Target
Recall To recover the Key uniquely, 64 bits must
be estimated 19 bits from LFSR1, 22
from LFSR2, and 23 from LFSR3.
A Simple Decoding Idea
Collect distributions of
for all
Good 22 bits of LFSR1 and LFSR2 will be decoded
two sequences
and
Bad Decoding is an exhaustive search of size
30
Ekdahl-Johansson Attack (2002)

• 3. Use short intervals and decode short
  sequences
• For decoding, use several intersecting intervals,
  of smaller size.
• When decoding, find the best r solutions (short
  sequences) for each interval independently.
• The real sequence is a join of two or more short
  sequences. Short sequences intercect each other,
  due to interval design.

Questions
Which intervals are good?
How intervals must be designed?
31
One Interval 87..97 at Different t
32
Different Intervals at Different t
33
Our Design of Intervals
34
Exhaustive Search of Short Sequences on One
Interval Ia
35
Many Tables of Short Sequences
r the number of the most likelihood candidates
for short-sequences
36
Part IV--------------
To be removed before the presentation

• Time planned 5 min
• Actual time
• Try1
• Try2

• Contents
• Strategies I, II, and III
• Simulation Results
• Results in Comparison

37
Strategy I 9 tables
 
 
 
 
38
Strategy II 6 tables
 
 
 
 
39
Strategy III 4 tables
 
 
 
40
Our Simulation Results