FPGA Implementation of an Improved Attack against the DECT Standard Cipher - Information Security and Cryptology-ICISC 2010 - page 184

Cryptography Reference

In-Depth Information

algorithm, and they can be implemented much more eciently on an FPGA

than on a CPU or GPU platform.

5.1

Basic Implementation Idea

Our improved DSC attack requires the knowledge of a valid reference

(IV,

Keystream) pair and an underdetermined equation system

A

·

k = b

(1)

that constrains the key space. A and b are determined by the first part of the

attack (see section 3), k denotes the cipher key.

The FPGA design must iterate over all potentially valid cipher keys accord-

ing to equation (1), compute the keystream and compare it to the reference

keystream. Therefore, a cipher key generator, a DSC keystream generator and

a compare unit comparing the keystream output to the reference keystream is

necessary for the FPGA implementation. The design shall report cipher keys

that produce an identical keystream as the reference.

The most convincing way to implement the key generator is using a counter or

full-cycle LFSR that generates “independent” bits and a combinatorial function

generating “dependent” bits that use the “independent” bits as an input. The

equation systems must be transformed beforehand for this purpose, such that

the dependent bits are described as a function of the independent bits. The DSC

keystream generator can be implemented straight-forward as described in [4].

5.2

Optimizations

Optimizations are possible on several levels compared to a straight-forward im-

plementation. A list of all matrices used for describing the optimizations is given

in Table for clarity reasons.

Table 1. Matrices describing the Key Loading and the Equation System

Matrix

Dimension

Description

k

64

×

1

Cipher Key

sk

128

×

1

Session Key

sk i,j

len

(

R j )

×

1

Vector that loads the

i

-th Bit of

sk

into Register

j

ck

128

×

1

Zero-extended Cipher Key

k

iv

128

×

1

Zero-extended Initialization Vector

d i

80

×

1

DSC State after

i

clocked in bits, without Output Combiner

d i,j

len

(

R j )

×

1

State of

R j

after

i

clocked in bits

R j len

(

R j )

× len

(

R j ) Clock Matrix of Register

j

L

80

×

128

Load Matrix (Session Key to Initial State)

A

128

× len

(

x

)

Equation System Matrix

b

128

×

1

Equation System Offset Vector

x

len

(

x

)

×

1

Key Generator Counter Value

Next Page

Information Security and Cryptology-ICISC 2010

Search WWH ::

Custom Search

Home