Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[Crypto in CTF] LFSR
Search
oalieno
October 31, 2020
Technology
0
440
[Crypto in CTF] LFSR
https://github.com/oalieno/Crypto-Course/tree/master/LFSR
oalieno
October 31, 2020
Tweet
Share
More Decks by oalieno
See All by oalieno
[Crypto in CTF] Classical Cipher
oalieno
0
360
[Crypto in CTF] Block Cipher Mode
oalieno
0
910
[Crypto in CTF] HASH
oalieno
0
220
[Crypto in CTF] RSA
oalieno
0
630
[Crypto in CTF] Bleichenbacher RSA Signature Forgery
oalieno
0
520
[Crypto in CTF] Blockchain Security
oalieno
0
370
滲透測試基本技巧與經驗分享
oalieno
2
1k
Other Decks in Technology
See All in Technology
AWSアカウントのセキュリティ自動化、どこまで進める? 最適な設計と実践ポイント
yuobayashi
7
850
Snowflakeの開発・運用コストをApache Icebergで効率化しよう!~機能と活用例のご紹介~
sagara
1
490
入門 PEAK Threat Hunting @SECCON
odorusatoshi
0
170
アジャイルな開発チームでテスト戦略の話は誰がする? / Who Talks About Test Strategy?
ak1210
1
650
ウォンテッドリーのデータパイプラインを支える ETL のための analytics, rds-exporter / analytics, rds-exporter for ETL to support Wantedly's data pipeline
unblee
0
130
ABWG2024採択者が語るエンジニアとしての自分自身の見つけ方〜発信して、つながって、世界を広げていく〜
maimyyym
1
190
EMConf JP 2025 懇親会LT / EMConf JP 2025 social gathering
sugamasao
2
200
LINEギフトにおけるバックエンド開発
lycorptech_jp
PRO
0
350
Охота на косуль у древних
ashapiro
0
110
フォーイット_エンジニア向け会社紹介資料_Forit_Company_Profile.pdf
forit_tech
1
1.7k
システム・ML活用を広げるdbtのデータモデリング / Expanding System & ML Use with dbt Modeling
i125
1
340
【内製開発Summit 2025】イオンスマートテクノロジーの内製化組織の作り方/In-house-development-summit-AST
aeonpeople
2
960
Featured
See All Featured
Writing Fast Ruby
sferik
628
61k
Building Your Own Lightsaber
phodgson
104
6.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
Into the Great Unknown - MozCon
thekraken
35
1.6k
How to train your dragon (web standard)
notwaldorf
91
5.9k
Practical Orchestrator
shlominoach
186
10k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Code Review Best Practice
trishagee
67
18k
Designing Experiences People Love
moore
140
23k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
4
380
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.5k
Transcript
LFSR oalieno
⼩例⼦ ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1
0 0 1
⼩例⼦ ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1
1 0 0 0
⼩例⼦ ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1
1 0 0 0 1
⼩例⼦ ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1
1 0 0 0 1 1
⼩例⼦ clk FF2 FF1 FF0 0 1 0 0 1
0 1 0 2 1 0 1 3 1 1 0 4 1 1 1 5 0 1 1 6 0 0 1 7 1 0 0 7 個 clock ⼀個循環
從數學的觀點 s2 ⊕ s1 s0 ⊗ ⊕ ⊗ ⊕ ⊗
p2 p1 p0 • 初始值 • 回饋係數 • 轉移⽅程 s0 , s1 , s2 p0 , p1 , p2 si ≡ pi−1 si−1 + pi−2 si−2 + pi−3 si−3 mod 2
從數學的觀點 • 初始值 • 回饋係數 • 轉移⽅程 s0 , s1
, ⋯, sm−1 p0 , p1 , ⋯, pm−1 si ≡ pi−1 si−1 + pi−2 si−2 + ⋯ + pi−m si−m mod 2 sm ≡ pm−1 sm−1 + pm−2 sm−2 + ⋯ + p0 s0 mod 2 sm+1 ≡ pm−1 sm + pm−2 sm−1 + ⋯ + p0 s1 mod 2 ⋮
使⽤ LFSR 作為 Stream Cipher • 把 LFSR 產⽣的輸出當作 key,拿去做
xor cipher ⊕ ⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1 1 0 0 0 1 1 0 0 1 ⊕ 0 0 1 密鑰 明⽂ 密⽂
Known Plaintext Attack • 攻擊者不知道黃⾊的部分 • 攻擊者知道了⼀⼩部分明⽂以及對應的密⽂,可推出⼀些 LFSR 的輸出 ⊕
⊗ ⊕ ⊗ ⊕ ⊗ 0 1 1 1 0 0 0 1 1 0 0 1 ⊕ 0 0 1 密鑰 明⽂ 密⽂
解聯立⽅程式 • 只要知道 2n 個 bits 的輸出,攻擊者就可以算出回饋係數 • 比如知道 ,那下⾯式⼦只會有
三個未知數 • 簡單的⾼斯消去法即可求解 ( 不⼀定有唯⼀解,也不⼀定最短 ) s0 , s1 , ⋯, s5 p0 , p1 , p2 s3 ≡ p2 s2 + p1 s1 + p0 s0 mod 2 s4 ≡ p2 s3 + p1 s2 + p0 s1 mod 2 s5 ≡ p2 s4 + p1 s3 + p0 s2 mod 2
Berlekamp Massey Algorithm • 先介紹 Linear Recurrence • 在 mod
13 下,[ 1, 2, 3, 2, 12 ] 符合 linear recurrence relation [ 7, 3, 1 ] • • 1 ⋅ 1 + 2 ⋅ 3 + 3 ⋅ 7 ≡ 2 mod 13 2 ⋅ 1 + 3 ⋅ 3 + 2 ⋅ 7 ≡ 12 mod 13 Sequence satisfy a linear recurrence relation iff a0 , a1 , ⋯ p1 , p2 , ⋯, pm ∀i ≥ m, ai = m ∑ j=1 ai−j pj
Berlekamp Massey Algorithm • 這個演算法可以找到最短的 Linear Recurrence Relation • 也可以⽤
Polynomial 來表⽰這個 Relation • Relation [ 7, 3, 1 ] 就會是 x3 − 7x2 − 3x − 1
Berlekamp Massey Algorithm from sage.matrix.berlekamp_massey import berlekamp_massey berlekamp_massey([GF(7)(1), 5, 1,
5]) x^2 + 6 sagemath output
Mixed LFSR https://en.wikipedia.org/wiki/Trivium_(cipher) • 既然⼀個 LFSR 很容易被預測,那就兩個 LFSR • 兩個不⾏,就三個,於是就有了
Trivium
Correlation Attack • 那⾃⼰來簡單的組合⼀組 LFSR 來試試 class MYLFSR: def getbit(self):
x1 = LFSR1.getbit() x2 = LFSR2.getbit() x3 = LFSR3.getbit() return (x1 & x2) ^ ((not x1) & x3)
Correlation Attack x1 x2 x3 輸出 0 0 0 0
0 0 1 1 0 1 0 0 0 1 1 1 1 0 0 0 1 0 1 0 1 1 0 1 1 1 1 1 75% of x3 = 輸出
Correlation Attack x1 x2 x3 輸出 0 0 0 0
0 0 1 1 0 1 0 0 0 1 1 1 1 0 0 0 1 0 1 0 1 1 0 1 1 1 1 1 75% of x2 = 輸出
Correlation Attack • 假設回饋係數是已知的 • 要找回三個 LFSR 的初始值最簡單的做法就是暴搜全部可能 • 假設⼀個
LFSR 有的初始值有 32 bits 那就要爆搜 96 bits • 其實可以單獨暴搜 LFSR3,根據暴搜的初始值產出的 x3 去跟輸出比對, 相同的比例有⼤約 75% 的話,就很有可能是真正的初始值 • 同理 LFSR2 也可以這樣做,最後只剩下 LFSR3 就直接暴 • 從要暴搜 296 變成暴搜 3 232 ×
Fast Correlation Attack • 有沒有比暴搜更好的做法,有 • Fast Correlation Attacks: Methods
and Countermeasures • A Fast Correlation Attack Implementation