Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[Crypto in CTF] LFSR
Search
oalieno
October 31, 2020
Technology
540
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
[Crypto in CTF] LFSR
https://github.com/oalieno/Crypto-Course/tree/master/LFSR
oalieno
October 31, 2020
More Decks by oalieno
See All by oalieno
[Crypto in CTF] Classical Cipher
oalieno
0
490
[Crypto in CTF] Block Cipher Mode
oalieno
0
1.1k
[Crypto in CTF] HASH
oalieno
0
300
[Crypto in CTF] RSA
oalieno
0
770
[Crypto in CTF] Bleichenbacher RSA Signature Forgery
oalieno
0
640
[Crypto in CTF] Blockchain Security
oalieno
0
440
滲透測試基本技巧與經驗分享
oalieno
2
1.2k
Other Decks in Technology
See All in Technology
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
11k
『AIに負けない』より『AIと遊ぶ』」〜ワクワクが最強のテスト・QA学習戦略_公開用
odan611
1
370
AIペネトレーションテスト・ セキュリティ検証「AgenticSec」紹介資料
laysakura
2
8k
RAGの精度向上とエージェント活用
kintotechdev
2
130
テスト設計の本質を改めて考えてみる~生成AIを活用する時代だからこそ、作ったテストの説明性を高めよう~
yamasaki696
1
290
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
2
160
最近評価が難しくなった
maroon8021
0
210
10x Speed With QA Agent Platform - How we scaled adoption from individual effort to organizational capability
lycorptech_jp
PRO
0
130
プロンプト_きのこカンファレンス2026_LT
yurufuwahealer
0
130
#エンジニアBooks 30分でわかる 「技術記事を書く技術」 / engineer-books 2026-06-30
jnchito
1
180
SRE Lounge Hiroshimaへの招待
grimoh
0
150
5分でわかる Amazon Connect_20260608
hwangbyeonghun
0
180
Featured
See All Featured
Testing 201, or: Great Expectations
jmmastey
46
8.2k
Designing for Performance
lara
611
70k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
23k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
tammyeverts
2
340
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
230
Building the Perfect Custom Keyboard
takai
2
810
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
chikuwait
0
640
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.8k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
240
AI Search: Where Are We & What Can We Do About It?
aleyda
0
7.7k
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
200
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.3k
Transcript
LFSR oalieno
⼩例⼦ ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1
0 0 1
⼩例⼦ ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1
1 0 0 0
⼩例⼦ ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1
1 0 0 0 1
⼩例⼦ ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1
1 0 0 0 1 1
⼩例⼦ clk FF2 FF1 FF0 0 1 0 0 1
0 1 0 2 1 0 1 3 1 1 0 4 1 1 1 5 0 1 1 6 0 0 1 7 1 0 0 7 個 clock ⼀個循環
從數學的觀點 s2 ⊕ s1 s0 ⊗ ⊕ ⊗ ⊕ ⊗
p2 p1 p0 • 初始值 • 回饋係數 • 轉移⽅程 s0 , s1 , s2 p0 , p1 , p2 si ≡ pi−1 si−1 + pi−2 si−2 + pi−3 si−3 mod 2
從數學的觀點 • 初始值 • 回饋係數 • 轉移⽅程 s0 , s1
, ⋯, sm−1 p0 , p1 , ⋯, pm−1 si ≡ pi−1 si−1 + pi−2 si−2 + ⋯ + pi−m si−m mod 2 sm ≡ pm−1 sm−1 + pm−2 sm−2 + ⋯ + p0 s0 mod 2 sm+1 ≡ pm−1 sm + pm−2 sm−1 + ⋯ + p0 s1 mod 2 ⋮
使⽤ LFSR 作為 Stream Cipher • 把 LFSR 產⽣的輸出當作 key,拿去做
xor cipher ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1 1 0 0 0 1 1 0 0 1 ⊕ 0 0 1 密鑰 明⽂ 密⽂
Known Plaintext Attack • 攻擊者不知道黃⾊的部分 • 攻擊者知道了⼀⼩部分明⽂以及對應的密⽂,可推出⼀些 LFSR 的輸出 ⊕
⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1 1 0 0 0 1 1 0 0 1 ⊕ 0 0 1 密鑰 明⽂ 密⽂
解聯立⽅程式 • 只要知道 2n 個 bits 的輸出,攻擊者就可以算出回饋係數 • 比如知道 ,那下⾯式⼦只會有
三個未知數 • 簡單的⾼斯消去法即可求解 ( 不⼀定有唯⼀解,也不⼀定最短 ) s0 , s1 , ⋯, s5 p0 , p1 , p2 s3 ≡ p2 s2 + p1 s1 + p0 s0 mod 2 s4 ≡ p2 s3 + p1 s2 + p0 s1 mod 2 s5 ≡ p2 s4 + p1 s3 + p0 s2 mod 2
Berlekamp Massey Algorithm • 先介紹 Linear Recurrence • 在 mod
13 下,[ 1, 2, 3, 2, 12 ] 符合 linear recurrence relation [ 7, 3, 1 ] • • 1 ⋅ 1 + 2 ⋅ 3 + 3 ⋅ 7 ≡ 2 mod 13 2 ⋅ 1 + 3 ⋅ 3 + 2 ⋅ 7 ≡ 12 mod 13 Sequence satisfy a linear recurrence relation iff a0 , a1 , ⋯ p1 , p2 , ⋯, pm ∀i ≥ m, ai = m ∑ j=1 ai−j pj
Berlekamp Massey Algorithm • 這個演算法可以找到最短的 Linear Recurrence Relation • 也可以⽤
Polynomial 來表⽰這個 Relation • Relation [ 7, 3, 1 ] 就會是 x3 − 7x2 − 3x − 1
Berlekamp Massey Algorithm from sage.matrix.berlekamp_massey import berlekamp_massey berlekamp_massey([GF(7)(1), 5, 1,
5]) x^2 + 6 sagemath output
Mixed LFSR https://en.wikipedia.org/wiki/Trivium_(cipher) • 既然⼀個 LFSR 很容易被預測,那就兩個 LFSR • 兩個不⾏,就三個,於是就有了
Trivium
Correlation Attack • 那⾃⼰來簡單的組合⼀組 LFSR 來試試 class MYLFSR: def getbit(self):
x1 = LFSR1.getbit() x2 = LFSR2.getbit() x3 = LFSR3.getbit() return (x1 & x2) ^ ((not x1) & x3)
Correlation Attack x1 x2 x3 輸出 0 0 0 0
0 0 1 1 0 1 0 0 0 1 1 1 1 0 0 0 1 0 1 0 1 1 0 1 1 1 1 1 75% of x3 = 輸出
Correlation Attack x1 x2 x3 輸出 0 0 0 0
0 0 1 1 0 1 0 0 0 1 1 1 1 0 0 0 1 0 1 0 1 1 0 1 1 1 1 1 75% of x2 = 輸出
Correlation Attack • 假設回饋係數是已知的 • 要找回三個 LFSR 的初始值最簡單的做法就是暴搜全部可能 • 假設⼀個
LFSR 有的初始值有 32 bits 那就要爆搜 96 bits • 其實可以單獨暴搜 LFSR3,根據暴搜的初始值產出的 x3 去跟輸出比對, 相同的比例有⼤約 75% 的話,就很有可能是真正的初始值 • 同理 LFSR2 也可以這樣做,最後只剩下 LFSR3 就直接暴 • 從要暴搜 296 變成暴搜 3 232 ×
Fast Correlation Attack • 有沒有比暴搜更好的做法,有 • Fast Correlation Attacks: Methods
and Countermeasures • A Fast Correlation Attack Implementation