vulcan-cryptanalysis
process the ciphertext, creating a single linear equation relating SRAM contents
to keystream bits for each bit of ciphertext. For each such equation, we update
our partially completed solution matrix until one of the following occurs: we
find an inconsistent solution, we run out of ciphertext bits, or we completely
fill the solution matrix, which is then in row echelon form.

When we guess the CV shift register bits incorrectly, we will eventually
encounter an inconsistent equation (i.e. 0=1) and thus know that our guess
was incorrect. Should this happen, we simply move on to the next value in the
second lookup table, load that entry as the eight CV shift register bits, and
start processing ciphertext bits from the beginning once again.

When we guess the CV shift register bits correctly, our solution matrix
will eventually be completely filled and will also be in row echelon form. At
this point all we have to do is put the solution matrix in reduced row echelon
form and read the solved cryptovariable bits from the rightmost column. Our
final solution consists of our correct guess of the CV shift register bits and the
rightmost column of the consistently completed solution matrix.

The precise details of our procedure are evident in our commented source
code listing of Appendix D, but here we offer a few additional remarks to aid
understanding. From (1) of Section 3 we can compute a keystream bit from
delayed ciphertext bits and cryptovariable bits. This equation is central to our
cryptanalysis routine.

For each bit of ciphertext, our cryptanalysis routine forms a linear equation
based on (1) such that we have a linear (over GF(2)) combination of 64 unknown
variables (cryptovariable bits) equal to a single known value (the keystream bit).
We place this linear equation in our solution matrix and perform elementary
row operations on it to ensure that our solution matrix is in row echelon form
at all times.

As we continue to process ciphertext bits (assuming we have an adequate
supply), we will eventually reach one of two possible outcomes: a correct solution
or an inconsistent solution. An inconsistent solution occurs when, after
performing elementary row operations on a candidate equation, we obtain the
impossible result that 0=1. A correct solution occurs when we have completely
filled our solution matrix with 64 linearly independent equations, none of which
resulted in an inconsistency.

Once we have 64 linearly independent consistent equations in our solution
matrix, we again use elementary row operations to fully reduce the matrix into
reduced row echelon form. This simply places the 64 solved cryptovariable bits
in the rightmost column of the matrix, thus completing our solution.
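
The incremental elimination described above, as an added example that is not the authors' Appendix D code: each equation is a 64-bit mask of unknowns plus one known bit, reduced against the stored rows as it arrives. The equations are constructed random stand-ins because equation (1) is not reproduced here, a wrong guess is modelled by randomly flipped known bits, and, going beyond the text, equations left over after the matrix fills are still reduced as consistency checks.

```python
import random

N = 64  # unknown cryptovariable bits, as in the text

def parity(v):
    return bin(v).count("1") & 1

def recover(equations, n=N):
    """Reduce (mask, bit) equations over GF(2) one at a time.

    Bit j of mask is set when unknown j appears in the equation; bit is the
    known keystream bit. Returns (status, solution-or-None).
    """
    rows = [None] * n                  # rows[p]: stored row whose leading bit is p
    filled = 0
    for mask, bit in equations:
        while mask:                    # eliminate against rows already stored
            p = mask.bit_length() - 1
            if rows[p] is None:        # linearly independent: keep it as pivot p
                rows[p] = (mask, bit)
                filled += 1
                break
            mask, bit = mask ^ rows[p][0], bit ^ rows[p][1]
        else:                          # left side reduced to zero
            if bit:                    # 0 = 1, so this guess is wrong
                return "inconsistent", None
    if filled < n:
        return "out of ciphertext", None
    x = 0                              # back-substitute from the lowest pivot up
    for p in range(n):
        mask, bit = rows[p]
        if bit ^ parity(mask & x):     # mask & x only covers solved bits below p
            x |= 1 << p
    return "solved", x

def constructed_equations(secret, count, rng, wrong_guess=False):
    """Constructed stand-in for equation (1): random masks, not Vulcan's."""
    for _ in range(count):
        mask = rng.getrandbits(N)
        bit = parity(mask & secret)
        if wrong_guess:                # assumption: a bad guess corrupts known bits
            bit ^= rng.getrandbits(1)
        yield mask, bit

rng = random.Random(2024)              # fixed seed so the run is repeatable
SECRET = rng.getrandbits(N)
GOOD = recover(constructed_equations(SECRET, 100, rng))
BAD = recover(constructed_equations(SECRET, 100, rng, wrong_guess=True))
SHORT = recover(constructed_equations(SECRET, 40, rng))
```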

Experimentally, we have found that approximately 100 ciphertext bits are
necessary to generate a complete solution for the Vulcan cryptovariable. If our
technique is expanded to allow all 138 bits of the Vulcan cryptovariable to be
independently specified — a situation not permitted by the DVP key loader
— then we can still solve for the 138 bits, but we require about an order of
magnitude (i.e. 1000 bits) more ciphertext to obtain a full solution. Either way,
our cryptanalysis routine runs in real time and does not require any significant
computational resources. We are fully confident in our ability to recover a DVP