Cryptography Reference
In-Depth Information
Simple Improvements:
The key generator can be shared among several DSC
units, as it generates one key per cycle whereas the compare units need multiple
clock cycles for verifying one key. Unnecessary control signals may be removed
and logic delays shall be kept short by inserting registers on critical paths.
DSC Speedup:
The fundamental DSC implementation as described in [4] re-
quires three clock cycles per bit of keystream output. This can be reduced to
one clock cycle by multiplexing and re-arranging the feedback taps. The corre-
sponding feedback taps can be determined from the feedback matrices
R
j
and
R
j
.[1]
Key Loading:
[4] suggests to load the session key in 128 clock cycles by clocking
in one bit per cycle. This can be represented as iterating 128 times over the
linear transformation
d
i,j
=
R
j
d
i−
1
,j
+
sk
i,j
for all four registers
j
,where
d
0
=(0
, ...,
0) and
sk
i,j
is a vector with the size of register
j
in which the most
significant position is set to bit
i
of the session key and all other positions are
zero.
The key can be loaded in one cycle by summarizing the four matrices
R
1
,
2
,
3
,
4
into one load matrix
L
such that
·
d
128
=
L
·
sk
(2)
holds. A similar optimization is described in [1], but they only propose to load
16 bits per clock cycle.
As a second step of improvement, the calculation of the full cipher key can
be skipped: As described before, the “dependent” part of the cipher key is a
combinational function of the “independent” cipher key bits. A matrix
A
and
a vector
b
transforming an independent value
x
into the cipher key
ck
can be
derived from
A
and
b
, such that the equation
ck
=
A
x
+
b
·
(3)
generates one key candidate compliant to equation (1) for each value of
x
.As
the session key is the sum of cipher key and initialization vector,
sk
=
ck
+
iv
(4)
the whole initial state can be expressed as a function of the independent cipher
key bits by inserting equation (4) into equation (2) and then equation (2) into
equation (3):
d
128
=
LA
x
+
L
(
b
+
iv
)
(5)
dynamic
static
Hard-Coding:
Where the plain NTW attack proposed
one
equation system
A
k
=
b
, our key ranking allows us to reuse the matrix
A
and just invert one
or more equations, i.e. modify
b
, if no key has been found for a particular sub
key space. Hence, only the
b
vector needs to be loaded into the FPGA at run
·
Search WWH ::
Custom Search