Transcript Realtime A5/1 Attacks with Precomputation Tables

Application of FPGA Design:
Design Challenges for Implementing
Realtime A5/1 Attack with
Precomputation Tables
Martin Novotný, Andy Rupp
Ruhr University Bochum
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
A5/1 Cipher
Encrypts GSM communication
– GSM communication organized in
frames
– 1 frame = 114 bits in each direction
A5/1
Stream cipher
– produces the keystream KS being xored
with the plaintext P to form ciphertext C
C = P  KS
111101101001000000000
C
010010011101010010101
P
101111110100010010101
KS
A5/1
Architecture of A5/1 Cipher
3 linear feedback shift registers (LFSRs)
LFSRs irregularly clocked
– the register is clocked iff its clocking bit (yellow) is equal to the majority of all
3 clocking bits  at least 2 registers are clocked in each cycle
Algorithm of A5/1
1. Reset all 3 registers
2. (Initialization) Load 64 bits of key K
+ 22 bits of frame number FN into 3
registers
–K and FN xored bit-by-bit to the
least significant bits
–registers clocked regularly
3. (Warm-up) Clock for 100 cycles and
discard the output
–registers clocked irregularly
4. (Execution) Clock for 228 cycles,
generate 114+114 bits (for each
direction)
–registers clocked irregularly
5. Repeat for the next frame
Cryptanalysis of stream ciphers
with known plaintext
From the ciphertext C and known plaintext P compute keystream KS:
KS = P  C
Keystream KS is a function of:
• key K:
KS = f(K)
• internal state L:
KS = g(L)
We can skip
Initialization and
Warm-up!!!
(internal state = content of all registers)
1. Reset all 3 registers
2. (Initialization) Load 64 bits of key
K + 22 bits of frame number FN
into 3 registers
3. (Warm-up) Clock for 100 cycles
and discard the output
4. (Execution) Clock for 228 cycles,
generate 114+114 bits (for each
direction)
Cryptanalysis of A5/1
For (known) keystream KS find the internal state L
When L found, track the A5/1 cipher back through Warm-up phase and
Initialization to get the key K.
L
1. Reset all 3 registers
2. (Initialization) Load 64 bits of key K + 22
bits of frame number FN into 3 registers
3. (Warm-up) Clock for 100 cycles and
discard the output
4. (Execution) Clock for 228 cycles,
generate 114+114 bits (for each direction)
Cryptanalysis of A5/1
Internal state L has 64 bits
 we need (at least) 64 bits of keystream KS
One A5/1 frame has 114 bits
 we can make samples KSi
L3
L2
L1
L0
KS3
KS2
KS1
KS0
0100111101101010110100101010010100010010100010011110110001
It is sufficient to find any Li
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
Two extreme approaches
Brute force attack
Check all combinations of a key K online
– time
T = N = 2k
– memory
M=1
Table lookup
(For a given plaintext P)
All pairs key-ciphertext {Ki, Ci} precomputed
and stored (sorted by C)
Online phase: Look-up C in the table (and
find K)
– time
T=1
– memory M = N = 2k
Time-Memory Trade-Off
(Hellman, 1981)
Compromises the above two extreme approaches
Precomputation phase: For a given plaintext P:
– precompute (ideally all) pairs key-ciphertext {Ki, Ci};
– store only some of them in the table.
Online phase:
– Perform some computations;
– lookup the table and find the key K.
• time
T = N2/3
• memory
M = N2/3
Precomputation (offline) phase
Idea: Encryption function E is a pseudo-random function
C = EK(P)
P
E
K
C
Pairs {Ki, Ci} organized in chains
– Ci is used to create a key Ki+1 for the next step
– E is pseudo-random  we perform a pseudo-random walk in the keyspace
plaintext P is the same
End Point
Start Point
P
SP = K1
1234
R
f
–
–
P
f
E
C
K
1
2
R
7A3D
reduction function
step function
P
f
C
E
2
K3
Kt
R
28DF
f
B05B
(DES: C has 64 bits, K has 56 bits)
f(x) = R(Ex(P))
EP
Ct
E
R
8EC0
Precomputation (offline) phase
1234 SP1 = k10
1235 SP2 = k20
1236 SP3 = k30
…
9999 SPm = km0
f k11
f k21
f k31
f km1
P
f k12 f
f k22 f
f k32 f
…
f km2 f
… f k1t-1 f k1t = EP1
… f k2t-1 f k2t = EP2
… f k3t-1 f k3t = EP3
…
… f kmt-1 f kmt = EPm
P
f
SPj = kj0
E
R
8EC0
2A1B
4D3C
02E3
P
f
kj1
E
R
kj2
f
kjt-1
E
kjt = EPj
R
m chains with a fixed length t generated
Only pairs {SPi, EPi} stored (sorted by EP)
 reducing memory requirements
Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
f
SPi
f
f
f
K
E
C
R
Lookup:
y1
= EPi ?

Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
Lookup:
C
R
y1
= EPi ?

Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
C
R
y1
f
y2
Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
Lookup:
C
R
y1
= EPyi2 ?
f

Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
C
R
y1
f
y2
f
y3
Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
Lookup:
C
R
y1
f
y2 = EP
y3i ?
f

Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
C
R
y1
f
y2
f
y3
f
y4
Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
Lookup:
C
R
y1
f
y2
f
y3 = EP
y4i ?
f

Online phase
Given C. (and P)
… try to find K, such that C = EK(P)
f
SPi
f
K
E
C
R
Lookup:
y1
f
y2
f
y3
f
y4 = EPi ?

Birthday paradox problem
m chains of fixed length t generated
R is not bijective ⇒ some kij collide.
Collisions yield in chain merges or in cycles in chains
Matrix stopping rule: Hellman proved that it is not worth to increase
– number of chains m or
– length of chain t
beyond the point at which
m × t2 = N
(the coverage of keyspace does not increase too much then)
Birthday paradox problem
Matrix stopping rule:
m × t2 = N
Recommendation: To use r tables,
each with different reduction (re-randomization) function R
Since also N = m  t  r, then r = t
Hellman recommends m = t = r = N1/3
SP1 … … … … … EP1
SP2 … … … … … EP2
SP1 …
… … … EP1 EP3
SP…
3 … … … … …
SPSP
EP
……
…
EP
1 …
1 2
…
2 … … ……
SPSP
…
…
…
…
…
EP
EP
………
1 SP
1 EP
2 …
SP…
3 …
200 … … …2...3EP200
SPSP
… … … ……
EP
EP
2 …
2…
3 … … … ……
3
…
SP3 …
…
…
…
EP
…
…
…
SP…
…
…
…
...
EP
3
200
200
…
SP200…………
…
...
EP
… … … 200
SP200 … …
…
… … ...
…EP200
………
Hellman TMTO – Complexity
Precomputation phase
– Precomputation time
– Memory
PT = m  t  r = N
M = m  r = N2/3
(e.g. 260)
(e.g. 240 )
Online phase
– Memory
– Online time
– Table accesses
M = N2/3
T = t  r = t2 = N2/3
TA = T = N2/3
(e.g. 240 )
(e.g. 240 )
Hellman TMTO – Complexity
Precomputation phase
– Precomputation time
– Memory
PT = m  t  r = N
M = m  r = N2/3
(e.g. 260)
(e.g. 240 )
Online phase
– Memory
– Online time
– Table accesses
M = N2/3
T = t  r = t2 = N2/3
TA = T = N2/3
(e.g. 240 )
(e.g. 240 )
34 years
(1 disk access
~ 1 ms)
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
Distinguished points (DP)
(Rivest, ????)
Slight modification of original Hellman method
Goal: To reduce the number of table accesses TA (in Hellman TA = N2/3)
Distinguished point is a point of a certain property
(e.g. 20 most significant bits are equal to 0).
000000000000000000000010101001101100101010010111110010110101
Distinguished Points (DP)
Precomputation phase
Chains are generated until the distinguished point (DP) is reached
–
–
if the chain exceeds maximum length tmax, then it is discarded and the next chain is generated
the chain is also discarded if the DP has been reached, but the chain is too short tmin (to have better
coverage)
Triples {SPj, EPj, lj} stored, sorted by EP (lj is a length of the chain)
1234 SP1 = k10 f
1235 SP2 = k20 f
1236 SP3 = k30 f
…
9999 SPm = km0 f
k11 f … … … … … … … f k1u = EP1
k21 f … … f k2v = EP2
k31 f … … … … … f k3w = EP3
…
…
km1 f … … … f kmz = EPm
chains have different
lengths
0EC0
0A1B
043C
02E3
End Points are DP
Distinguished Points (DP)
Online phase
There is 1 distinguished point per chain – the End Point
End Point  Distinguished Point
Algorithm:
– compute yi+1 = f(yi) iteratively until the DP is reached
(or the maximum length tmax is exceeded)
– then lookup (just once per table)
(if tmax is exceeded, do not lookup at all)
f
SPi
f
K
E
C
R
y1
Lookup:
f
y2
f
y3
f
y4 = EPi ?
043C

Advantages
– Table accesses TA = r = N1/3 (c.f. TA = t  r = N2/3 in original Hellman)
– Chain loops are not possible
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
TMTO with multiple data
(Biryukov & Shamir, 2000)
Important for stream ciphers: To reveal an internal state Li having k bits we
need only k bits of a keystream KSi
L3
L2
L1
L0
KS3
KS2
KS1
KS0
0100111101101010110100101010010100010010100010011110110001
Having D data samples of the ciphertext C (or the keystream KS)
we have D times more chances to find the key K (or the internal state L)
 We calculate r/D tables only
 we reduce the precomputation time PT and the memory M
× online time T and #table access TA remain unchanged
TMTO with multiple data
A5/1
1 frame:
114 bits
Internal state: 64 bits
 114 – 64 +1 = 51 data samples from 1 frame (each sample has 64 bits)
D = 51
 We calculate D times less tables ( save memory, save time)
L3
L2
L1
L0
KS3
KS2
KS1
KS0
0100111101101010110100101010010100010010100010011110110001
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
Rainbow tables
(Oechslin, 2003)
Idea: to use different reduction/re-randomization function Ri in each
step of chain generation, hence the step functions are:
f1 f2 f3 … ft-1 ft
P
P
f1
SPj = kj0
E
R1
P
f2
kj1
E
R2
kj2
ft
xjt-1
E
Rt
Online phase:
– Compute y1 = Rt(C), compare with EPs, if no match, then
– Compute y2 = ft(Rt-1(C)), compare with EPs, if no match, then
– Compute y3 = ft(ft-1(Rt-2(C))), compare with EPs, if no match, then
– …
kjt = EPj
Rainbow tables
Just one table (or only several tables) generated,
– m = N2/3 (t reduction functions used ⇒ the table can be t times longer),
– t = N1/3
Advantages
– chain loops impossible
– point collisions lead to chain merges only if the equal points appear in the
same position of the chain
– online time T about ½ of the online time of original Hellman (for single data)
– number of table accesses the same like for the Hellman+DP method (for
single data)
Disadvantages
– Inferior to the Hellman+DP method in the case of multiple data (D > 1)
(online time T and the number of table accesses TA are D-times greater)
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
Thin-rainbow tables
The way to cope with the rainbow tables when having multiple data
The sequence of S different reduction functions fi is applied k-times
periodically in order to create a chain:
1st
2nd
kth
f1 f2 f3 … fS-1 fS f1 f2 f3 … fS-1 fS … … … f1 f2 f3 … fS-1 fS
Chain length
t=S×k
Thin-rainbow tables + DP
(to reduce # table accesses TA)
DP criterion is checked after each fS
2nd
1st
kth
f1 f2 f3 … fS-1 fS f1 f2 f3 … fS-1 fS … … … f1 f2 f3 … fS-1 fS
DP ?
DP ?
We store only chains for which kmin < k < kmax
DP ?
DP ?
Candidates for implementation
(in case of multiple data, D>1)
Hellman + DP
Thin-rainbow + DP
DP-criterion checked
after each step-function f
DP-criterion checked
after fS only

simpler HW,
better time/area product
Both have the same precomputation complexity
Both have comparable online time T and # table accesses TA
Thin-rainbow tables + DP
(to reduce # table accesses TA)
DP criterion is checked after each fS
2nd
1st
kth
f1 f2 f3 … fS-1 fS f1 f2 f3 … fS-1 fS … … … f1 f2 f3 … fS-1 fS
DP ?
DP ?
We store only chains for which kmin < k < kmax
DP ?
DP ?
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
Implementation choices
Pipeline?
Array of small computing elements?
Slice – FPGAs Basic Building Block
Look-up
Table
Look-up
Table
Flipflop
Flipflop
Implements combinational logic
(any logic function of 4 variables)
It is RAM 16x1 (holds the truth-table)
LUT – configuration choices
Look-up
Table
Look-up
Table
Flipflop
Flipflop
Can be configured as:
•LUT (function generator)
•RAM 16x1
•SRL16 (upto 16-bit shift register)
Implementation choices
Pipeline?
Array of small computing elements?
All A5/1 bits should
have been accessible in parallel
LFSRs can be implemented using SRL16
(1 LUT config. as up to 16-bit shift register)
max. 240 A5/1 units
(64x FF/unit)
(and no control unit, …)
max. 480 A5/1 units
(8x SRL16 + 5x FF/unit)
(enough FFs for control unit, …)
A5/1 TMTO basic element
Calculates one chain
Two-stroke mode:
1. core #1 generates keystream,
core #2 is loaded
2. core #2 generates keystream,
core #1 is loaded
A 5 /1 c o re # 1
lo a d /ru n _ 1
XOR
A 5 /1 c o re # 2
lo a d
XOR
lo a d /ru n _ 2
re -ra n d o m iz a tio n fu n c tio n
A5/1 TMTO basic element
First, the start point SPj
is loaded to core #1
A 5 /1 co re # 1
lo a d /ru n _ 1
XOR
A 5 /1 co re # 2
lo a d
XOR
lo a d /ru n _ 2
re -ra n d o m iza tio n fu n ctio n
A5/1 TMTO basic element
… then one rainbow period f1f2f3 … fS-1fS is performed …
In odd steps:
Core #1 generates keystream …
A 5 /1 co re # 1
lo a d /ru n _ 1
... that is rerandomized …
XOR
A 5 /1 co re # 2
lo a d
XOR
lo a d /ru n _ 2
re -ra n d o m iza tio n fu n ctio n
… and loaded to core # 2
as a new internal state
A5/1 TMTO basic element
… then one rainbow period f1f2f3 … fS-1fS is performed …
… and loaded to core # 1
as a new internal state
A 5 /1 co re # 1
lo a d /ru n _ 1
XOR
A 5 /1 co re # 2
lo a d
XOR
lo a d /ru n _ 2
re -ra n d o m iza tio n fu n ctio n
In even steps:
Core #2 generates keystream …
... that is rerandomized …
A5/1 TMTO basic element
After application of fS:
the result is shifted out to check the DP-criterion
A 5 /1 co re # 1
lo a d /ru n _ 1
XOR
A 5 /1 co re # 2
lo a d
XOR
lo a d /ru n _ 2
re -ra n d o m iza tio n fu n ctio n
A5/1 TMTO engine – table generation
(in 1 FPGA)
234 TMTO elements
 234 chains computed in
parallel in Spartan 3-1000 FPGA
A5/1 core #1
load/run_1
XOR
A5/1 core #2
load
XOR
load/run_2
TMTO
element
DP
checker
CONTROLLER
TMTO elements
share
the DP-checker
TMTO
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Loading
Startpoints
load
XOR
load/run_2
TMTO
element
DP
checker
CONTROLLER
TMTO
element
re-randomization
function
generator
timer
1234
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Loading
Startpoints
load
XOR
load/run_2
TMTO
element
DP
checker
CONTROLLER
TMTO
element
1234
re-randomization
function
generator
timer
1235
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Loading
Startpoints
load
XOR
load/run_2
TMTO
1234
element
DP
checker
CONTROLLER
TMTO
element
1235
re-randomization
function
generator
timer
1236
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Loading
Startpoints
load
XOR
load/run_2
TMTO
1235
element
DP
checker
CONTROLLER
TMTO
1236
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
1234
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
1235
element
DP
checker
CONTROLLER
TMTO
1236
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
1234
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
802B
element
DP
checker
CONTROLLER
TMTO
41C3
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
7A3D
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
4C81
element
DP
checker
CONTROLLER
TMTO
05A1
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
27B3
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
44DC
element
DP
checker
CONTROLLER
TMTO
820F
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
5AB7
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
05B5
element
DP
checker
CONTROLLER
TMTO
82A1
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
654C
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
91D6
element
DP
checker
CONTROLLER
TMTO
120B
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
57A2
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
AB45
element
DP
checker
CONTROLLER
TMTO
5A1B
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
1283
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
651E
element
DP
checker
CONTROLLER
TMTO
420B
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
987B
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
02BA
element
DP
checker
CONTROLLER
TMTO
8ACD
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
1A56
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
1st Rainbow
Sequence
load
XOR
load/run_2
TMTO
02BA
element
DP
checker
CONTROLLER
TMTO
8ACD
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
1A56
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Evaluation
(DP checking)
load
XOR
load/run_2
TMTO
02BA
element
DP
checker
CONTROLLER
TMTO
8ACD
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
1A56
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Evaluation
(DP checking)
load
XOR
load/run_2

TMTO
02BA
element
DP
checker
CONTROLLER
TMTO
8ACD
element
re-randomization
function
generator
timer
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
CONTROL & EVALUATION
TMTO
1A56
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Evaluation
(DP checking)
load
XOR
load/run_2

TMTO
8ACD
element
DP
checker
CONTROLLER
TMTO
1A56
element
re-randomization
function
generator
timer
1237
start point generator
point register
FIFO
chain memory
(start point,
birthdate)
1235
CONTROL & EVALUATION
TMTO
02BA
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Evaluation
(DP checking)
load
XOR
load/run_2

TMTO
1A56
element
DP
checker
CONTROLLER
TMTO
1237
element
re-randomization
function
generator
timer
start point generator
chain memory
(start point,
birthdate)
point register
02BA
FIFO
1235
CONTROL & EVALUATION
TMTO
8ACD
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
Evaluation
(DP checking)
load
XOR
load/run_2
TMTO
1237
element
DP
checker
CONTROLLER
TMTO
8ACD
element
re-randomization
function
generator
timer
start point generator
chain memory
(start point,
birthdate)
point register
02BA
FIFO
1235
CONTROL & EVALUATION
TMTO
1A56
element
EXECUTION
re-randomization function
A5/1 TMTO engine – table generation
(in 1 FPGA)
A5/1 core #1
load/run_1
XOR
A5/1 core #2
2nd Rainbow
Sequence …
load
XOR
load/run_2
TMTO
1237
element
DP
checker
CONTROLLER
TMTO
8ACD
element
re-randomization
function
generator
timer
start point generator
chain memory
(start point,
birthdate)
point register
02BA
FIFO
1235
CONTROL & EVALUATION
TMTO
1A56
element
EXECUTION
re-randomization function
Data error detection
Data MUST be correct
A5/1 core #1
load/run_1
XOR
Hamming code (72, 64)
– TED (triple error detection)
– detects 99.19% quadruple errors
– (detects also all errors of 5, 6, 7, 9,
10, 11, … bits)
XOR
load/run_2
TMTO
element
TMTO
element
DP
checker
CONTROLLER
TMTO
element
re-randomization
function
generator
timer
start point generator
chain memory
(start point,
birthdate)
point register
If an error appears, the data are discarded
FIFO
Hamming encoding
COPA bus
EXECUTION
re-randomization function
CONTROL & EVALUATION
Errors may appear during the data transfer
via COPA bus (120 FPGAs sharing the same
bus)
A5/1 core #2
load
Outline
A5/1 cipher
Time-Memory Trade-off Tables
– Original Hellman Approach
– Distinguished points
– TMTO with multiple data
– Rainbow tables
– Thin-rainbow tables
Architecture of the A5/1 TMTO engine – table generation
Implementation results
Implementation results
COPACOBANA is able to perform up to 236 (~69 billion) step-functions fi
per second
– 234 TMTO elements/FPGA
– 120 FPGAs
– maximum frequency fmax = 156 MHz
– one step-function takes 64 clock cycles
234 × 120 × 156106 / 64  236
Parameter choices
# data samples: D = 64
chains
computed
rainbow
sequence
DP
criterion
#seq. in
chain
precomp.
time
m
S
d [bits]
k
241
215
5
[23 , 26]
337.5
7.49
239
215
5
[23 , 27]
95.4
240
214
5
[24 , 27]
240
214
5
239
215
240
237
PT [days]
disk
usage
DU [TB]
table
accesses
online
time
OT [s]
success
ratio
TA
SR
27.8
221
0.86
3.25
36.3
221
0.67
95.4
4.85
10.9
220
0.63
[23 , 26]
84.4
7.04
7.0
220
0.60
5
[23 , 26]
84.4
3.48
27.8
221
0.60
214
5
[24 , 26]
84.4
5.06
8.5
220
0.55
215
6
[24 , 28]
47.7
0.79
73.5
221
0.42