A survey on fast correlation attacks

Abstract

Fast correlation attacks, pioneered by Meier and Staffelbach in 1988, constitute an important class of attacks on stream ciphers. They exploit a correlation between the keystream and the output of a linear feedback shift register (LFSR) within the cipher. Several factors affect the feasibility of such an attack, e.g., the amount of available keystream and the number of taps in the LFSR. Notably, for a fixed number of taps, the length of the LFSR does not affect the complexity of the attack. When the register does not have a sufficiently small number of taps, however, the attacker will try to find parity check equations of low weight, at which point the length of the register does matter. In this paper, we go through the significant contributions to this field of cryptanalysis, reiterating the various algorithms that have been developed for finding parity check equations and performing the online stage on received keystream. We also suggest some new generalizations of Meier-Staffelbach’s original formulations.

Appendix: The BCJR algorithm

The BCJR algorithm is a MAP decoding algorithm that was introduced in [1] in 1974. It can be applied to any linear block or convolutional code. The complexity is about three times that of the Viterbi algorithm.

In MAP decoding, the decoder computes a posteriori log-likelihood values. Such a value is basically a measure of the reliability of a binary random variable: Every information bit \(\hat u_l\) has one such log-likelihood value \({\rm LLR}(\hat u_l)\). Consider a mapping of the binary informations symbols \(f:U \rightarrow \hat U\), where \(u \mapsto \hat u\). More specifically, 1 ↦ + 1 and 0 ↦ − 1. The information symbol probability can be written as

$$ \mathbf{Pr}\left[\hat u_l = +1 | \mathbf{r}\right] = \frac{p\left(\hat u_l = +1, {\boldsymbol{r}}\right)}{\mathbf{Pr}\left[\mathbf{r}\right]} = \frac{\sum_{\ensuremath{\boldsymbol{u}}\in \mathbf{U}^+}p\left(\ensuremath{\boldsymbol{r}}| \ensuremath{\boldsymbol{v}}\right)\mathbf{Pr}\left[{\boldsymbol{u}}\right]} {\sum_{\ensuremath{\boldsymbol{u}}}p\left(\ensuremath{\boldsymbol{r}}|\ensuremath{\boldsymbol{v}}\right)\mathbf{Pr}\left[{\boldsymbol{u}}\right]}, $$

where \(\mathbf{U}^+ = \left\{ {{\boldsymbol{u}}} : {\hat u_l = +1} \right\}\) and \(p\left({\boldsymbol{r}}|{\boldsymbol{v}}\right)\) is the probability distribution function of \({\boldsymbol{r}}\) given \({\boldsymbol{v}}\). Similarly, by rewriting \(\mathbf{Pr}\left[\hat u_l = +1 | \mathbf{r}\right]\), the log-likelihood values can be formulated as

$$ {\rm LLR}(\hat u_l) = \ln \left(\frac{\mathbf{Pr}\left[\hat u_l = +1 | \mathbf{r}\right]}{\mathbf{Pr}\left[\hat u_l = -1 | \mathbf{r}\right]}\right) = \ln\left(\frac{\sum_{\ensuremath{\boldsymbol{u}}\in \mathbf{U}^+}p\left(\ensuremath{\boldsymbol{r}}|\ensuremath{\boldsymbol{v}}\right)\mathbf{Pr}\left[{\boldsymbol{u}}\right]}{\sum_{{{\boldsymbol{u}}}\in \mathbf{U}^-}p\left({{\boldsymbol{r}}}|{{\boldsymbol{v}}}\right)\mathbf{Pr}\left[{\boldsymbol{u}}\right]}\right), $$

where \(\mathbf{U}^+ = \left\{ {{\boldsymbol{u}}} : {\hat u_l = -1} \right\}\). Since this implies listing all possible information blocks \({\boldsymbol{u}}\), computation quickly becomes infeasible with increasing block size. However, exploiting the regular structure of the trellis, it is possible to further rewrite \({\rm LLR}(\hat u_l)\). It can be seen that \(p\left(\hat u_l = +1, {\boldsymbol{r}}\right) = \sum_{\left(s,s^{\prime}\right)\in\Sigma^+} p(s_l=s, s_{l+1}=s^{\prime},{\boldsymbol{r}})\), where Σ ⁺ is the set of all state pairs \(\left(s,s^{\prime}\right)\) that correspond to input \(\hat u_l = +1\) at time l, and \(p\left(\hat u_l = +1, {\boldsymbol{r}}\right)\) respectively. Consequently,

$$ {\rm LLR}(\hat u_l) = \ln\left(\frac{\sum_{\left(s,s^{\prime}\right)\in\Sigma^+} p(s_l=s, s_{l+1}=s^{\prime},{\boldsymbol{r}})}{\sum_{\left(s,s^{\prime}\right)\in\Sigma^-} p(s_l=s, s_{l+1}=s^{\prime},{\boldsymbol{r}})}\right). $$

Since the sets Σ ⁺ and Σ − are considerably smaller than U ⁺ and U −, one only needs to consider 2^ν state pairs instead of \(2^{|{\boldsymbol{u}}|-1}\) information blocks at each time instance. Here ν is the length of the memory of the code. Note that Σ ⁺ ∪ Σ − is the set of all possible transitions from s _l to s _l + 1.

It is possible to compute the value \(p\left(s^{\prime},s,{\boldsymbol{r}}\right)\) recursively. By rewriting \(p\left(s^{\prime},s,{\boldsymbol{r}}\right)\) as \(p\left(s^{\prime},s,{\boldsymbol{r}}_{t<l}{\boldsymbol{r}}_l,{\boldsymbol{r}}_{t>l}\right)\), where \({\boldsymbol{r}}_{t<l}\) is a subsequence of the received sequence at all time indices before l and \({\boldsymbol{r}}_{t>l}\) at all time indices after l, and by using Bayes’ rule, one finds that

$$ \begin{array}{rll} p\left(s^{\prime},s,{\boldsymbol{r}}\right) &=& p\left({\boldsymbol{r}}_{t>l}|s^{\prime},s,{\boldsymbol{r}}_{t<l}{\boldsymbol{r}}_l\right)p\left(s^{\prime},s,{\boldsymbol{r}}_{t<l}{\boldsymbol{r}}_l\right)\\ &=& p\left({\boldsymbol{r}}_{t>l}|s^{\prime},s,{\boldsymbol{r}}_{t<l}{\boldsymbol{r}}_l\right)p\left(s,{\boldsymbol{r}}_l | s^{\prime},{\boldsymbol{r}}_{t<l}\right)p\left(s^{\prime},{\boldsymbol{r}}_{t<l}\right) \end{array} $$

Now, it is known that the probability of a received branch at time instance l is statistically independent of previous and future received branches. Thus,

$$ p\left(s^{\prime},s,{\boldsymbol{r}}\right) = p\left({\boldsymbol{r}}_{t>l}|s\right)p\left(s,{\boldsymbol{r}}_l|s\right)p\left(s^{\prime},{\boldsymbol{r}}_{t<l}\right). $$

In the BCJR algorithm, the three functions in the product are calculated separately. Define

$$ \begin{array}{rll} \alpha_l(s^{\prime}) &\stackrel{\mbox{\textnormal{\tiny def}}}{=}& p\left(s^{\prime},{\boldsymbol{r}}_{t<l}\right), \\ \gamma_l(s^{\prime},s) &\stackrel{\mbox{\textnormal{\tiny def}}}{=}& p\left(s,{\boldsymbol{r}}_l|s^{\prime}\right), \\ \beta_{l+1}(s) &\stackrel{\mbox{\textnormal{\tiny def}}}{=}& p\left({\boldsymbol{r}}_{t>l}|s\right). \end{array} $$

(24)

Then, (24) can be recursively defined. Let σ _l be set of all possible states at time instance l. Finally, rewrite \(\alpha_{l+1}(s^{\prime})\) from previous values using Bayes’ rule and statistical independence:

$$ \alpha_{l+1}(s^{\prime}) = \sum\limits_{s^{\prime} \in \sigma_l}p\left(s^{\prime},s,{\boldsymbol{r}}_{t<l+1}\right) = \sum\limits_{s^{\prime} \in \sigma_l}\underbrace{p\left(s,{\boldsymbol{r}}_{l}|s^{\prime}\right)}_{\gamma_l(s^{\prime},s)}\underbrace{p\left(s^{\prime},{\boldsymbol{r}}_{t<l}\right)}_{\alpha_l(s^{\prime})}. $$

Likewise, \(\beta_{l}(s^{\prime})\) can be written as

$$ \beta_l(s) = \sum\limits_{s \in \sigma_l}p\left(s,{\boldsymbol{r}}_{t>l-1}|s^{\prime}\right) = \sum\limits_{s \in \sigma_l}\underbrace{p\left(s,{\boldsymbol{r}}_{l}|s^{\prime}\right)}_{\gamma_l(s^{\prime},s)}\underbrace{p\left({\boldsymbol{r}}_{t>l-1}|s\right)}_{\beta_l(s)}. $$

It remains to find an expression for \(\gamma_l(s^{\prime},s)\). Bayes’ rule and independence directly gives that

$$ \gamma_l(s^{\prime},s) = p\left(s,{\boldsymbol{r}}_l|s^{\prime}\right) = p\left(s,{\boldsymbol{r}}_l|s^{\prime}\right) = \mathbf{Pr}\left[s|s^{\prime}\right]p\left({\boldsymbol{r}}_l|s^{\prime},s\right) = \mathbf{Pr}\left[\hat u_l\right]p\left({\boldsymbol{r}}_l|{\boldsymbol{v}}_l\right). $$

So if the state transition from s ^prime to s is not valid, \(\mathbf{Pr}\left[s|s^{\prime}\right]\), and thus \(\gamma_l(s^{\prime},s)\), is zero. In the model considered, a binary symmetric channel with crossover probability p is used. Let the code \(\mathcal{C}\) be a mapping from g:{0,1} →{0,1}ⁿ. Then,

$$ p\left({\boldsymbol{r}}_l|{\boldsymbol{v}}_l\right) = \prod\limits_{0 \leq j < n} \mathbf{Pr}\left[r_{l,j}=v_{l,j}\right] = p_{l,j}^{|{\boldsymbol{r}}_l-{\boldsymbol{v}}_l|}(1-p_{l,j})^{n-|{\boldsymbol{r}}_l-{\boldsymbol{v}}_l|}, $$

where p _l,j is the crossover probability of the jth codeword symbol corresponding to the lth information symbol.