
4.3 Noisy Ciphertext Analysis

4.3.3 Security Enhancement for Attack 2—EXIT Charts

In the case of Attack 1, the bit realizations of the random vector $\hat K^n$ remain constant throughout the attack. The information about $A^n$ embedded in $\hat K^n$ is extracted and combined with knowledge of the structure of $A^n$ to find the secret key. However, in Attack 2 the values of bits in $\hat K^n$ are modified at the end of each round, thus altering the density on $\hat K^n$ as the attack progresses. Let $(\hat K^n)^{[l]}$ be the $\hat K^n$ sequence after the bit flipping in round $l$ of Attack 2. Say the attack takes $J$ rounds for $(\hat K^n)^{[l]}$ to either stagnate or converge to $A^n$. Then an information-theoretic analysis of Attack 2 requires knowledge of $I(A^n; (\hat K^n)^{[l]})$ for $l = 0, 1, \ldots, J$. Since the sequences are binary, we expect the per-letter mutual information between $A^n$ and $(\hat K^n)^{[l]}$ to go to one as $l$ goes to $J$ in a successful attack, and to converge to a value less than one when an attack fails.

[Figure 18: plot of the number of trials (y-axis, 0 to $3.5 \times 10^4$) against $\bar I_{A\hat K}$ (x-axis, 0 to 0.4); curves labelled $\bar\phi(\nu, \bar r)$ and Simulation Results.]

Figure 18: Number of trials required for a successful attack versus $\bar I_{A\hat K}$, an upper bound on the per-letter mutual information between $A^n$ and $\hat K^n$. The order of $g(x)$ is $\nu = 15$, the number of nonzero coefficients in $g(x)$ is $t = 4$, and the number of known plaintext bits is $n = 1500$.

Actual calculations of $I(A^n; (\hat K^n)^{[l]})$ prove to be difficult; therefore, we will approximate these values by assuming that the bits in $A^n$ are i.i.d. and uniformly distributed over $\{0, 1\}$. We call the mutual information calculated under this assumption $\tilde I(A^n; (\hat K^n)^{[l]})$, and define the per-letter mutual information under this assumption as

$$\tilde I^{[l]}_{A\hat K} = \frac{1}{n}\, \tilde I\big(A^n; (\hat K^n)^{[l]}\big). \qquad (79)$$

We will use EXIT charts to show the expected progression of $\tilde I^{[l]}_{A\hat K}$ as $l$ ranges from zero up to $J$. EXIT analysis provides intuition on the decoding threshold in terms of the BER in the ciphertext: the threshold is the lowest error rate at which the plotted intrinsic and extrinsic information curves first cross. The intrinsic information is the information available at the input of a decoding iteration, and the extrinsic information is the information available at the output of a decoding iteration.

Prior to building EXIT charts, however, we should note that another technique for anticipating success in Attack 2 was given in [48], by determining the expected result of the first iteration of the algorithm. It was observed that if the first iteration obtains additional information about the keystream, then eventually the iterative attack converges on the correct data sequence. In other words, the first step's outcome seems to be sufficient to estimate the algorithm's result.

We now calculate the threshold $p_{thr}$ to maximize the probability that $\hat K_j \neq A_j$ given that $P_j^* < p_{thr}$. Let $N_w$ be the expected number of bits such that both $\hat K_j \neq A_j$ and $P_j^* < p_{thr}$, and let $N_v$ be the expected number of bits such that $\hat K_j = A_j$ and $P_j^* < p_{thr}$, for $j = 1, 2, \ldots, n$. Also, let $N_i = N_w - N_v$. If $N_{c_0}$ represents the total number of bits such that $\hat K_j = A_j$ prior to any iterations, then toggling all bits with $P_j^* < p_{thr}$ will result in an expected $(N_{c_0} + N_i)$ correct bits. Obviously, if $N_i$ is negative, the expected outcome of the first iteration leaves more bits in error than were originally in error and therefore, according to [48], causes the attack to fail. To ensure that the algorithm does not eventually converge on the correct sequence, it must be guaranteed that Attack 2 has no correction capability. Strictly speaking, this is a difficult guarantee; however, we will adopt the nomenclature of [48] and say that Attack 2 has correction capability zero if $N_i \leq 0$. The correction ratio

$$F = \frac{N_i}{N_w + N_v} = \frac{N_w - N_v}{N_w + N_v} \qquad (80)$$

is used to scale the value of $N_i$ to a real number in the range $[-1, 1]$ while maintaining its sign. Figure 19 shows the value of $F$ for several BSC parameters $p_2$, over a range of $p_1$ values. Simulations of Attack 2 give some evidence that $F \leq 0$ is sufficient to predict attack failure; however, the results also show that $F > 0$ is not sufficient to guarantee attack success.

Example 2. Let the primitive connection polynomial for the $i$th LFSR be $g(x) = 1 + x + x^2 + x^3 + x^{12} + x^{21} + x^{31}$, and let $p_1 = \Pr(A_j \neq K_j) = 0.2$. In the first of two cases, $p_2 = 0$, i.e., the error rate in the wiretap channel is zero. Therefore $p_0 = p_1 = 0.2$, and $F$ is calculated using (80) to be 0.826. Case two sets $p_2 = 0.1$, meaning the BER in $\hat K^n$ is 0.1. Using (69) we calculate $p_0 = 0.26$, and using (80) we find that $F = -0.034$. These values of $F$ imply that Attack 2 will succeed in case one and fail in case two. The actual outcomes of these attacks are shown in Table 1. Case one does indeed converge to $A^n$ in 16 rounds, while case two requires 34 rounds before the algorithm stagnates and fails. Note that in the failed case, most rounds result in fewer correct bits than the previous round.

[Figure 19: plot of $F$ (y-axis, $-0.4$ to 1) against $p_1$ (x-axis, 0 to 0.5) for $p_2 = 0$, $p_2 = 0.05$, $p_2 = 0.1$ and $p_2 = 0.15$.]

Figure 19: Correction ratio $F$ of Attack 2 for $\nu = 32$, $N_0 = \nu \times 10^6$, and $t = 6$. $F \leq 0$ indicates that an attack will likely fail.
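As an added example (illustrative code, not from the thesis), the following Python computes the i.i.d.-uniform approximation of (79) for each round of Attack 2, checks it against a plug-in estimate on a constructed sample, and evaluates the correction ratio (80) as used in Example 2. It assumes that (69), which is not reproduced on this page, is the crossover probability of two cascaded BSCs, $p_0 = p_1 + p_2 - 2p_1p_2$ (this reproduces the page's $p_0 = 0.26$ for $p_1 = 0.2$, $p_2 = 0.1$); the $N_w$, $N_v$ counts passed to the ratio are placeholders, since $P_j^*$ is not defined on this page.

```python
# Added example (not the thesis' code): Eq. (79) i.i.d. approximation, Eq. (80).
# Assumption: Eq. (69), not shown on this page, is two cascaded BSCs.
import math
import random

def cascade_bsc(p1, p2):
    """Assumed form of Eq. (69): BSC(p1) followed by BSC(p2) is BSC(p0)."""
    return p1 + p2 - 2 * p1 * p2

def binary_entropy(p):
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def per_letter_mi_iid(p):
    """Eq. (79) in closed form: with A^n i.i.d. uniform and K-hat^n = A^n
    through a BSC(p), (1/n) I~(A^n; K-hat^n) = 1 - h(p)."""
    return 1.0 - binary_entropy(p)

def mi_progression(round_bers):
    """I~^[l]_{AK-hat} for l = 0..J from the BER of K-hat^n after each round;
    a successful attack drives the final value to 1."""
    return [per_letter_mi_iid(p) for p in round_bers]

def empirical_per_letter_mi(a_bits, k_bits):
    """Plug-in estimate of (1/n) I(A^n; K-hat^n) from joint symbol counts;
    it approaches per_letter_mi_iid(p0) as n grows."""
    n = len(a_bits)
    joint = {}
    for a, k in zip(a_bits, k_bits):
        joint[(a, k)] = joint.get((a, k), 0) + 1
    pa = [a_bits.count(0) / n, a_bits.count(1) / n]
    pk = [k_bits.count(0) / n, k_bits.count(1) / n]
    return sum(c / n * math.log2((c / n) / (pa[a] * pk[k]))
               for (a, k), c in joint.items())

def simulate_khat(p0, n, seed=1):
    """Constructed sample: uniform A^n and its copy K-hat^n through BSC(p0)."""
    rng = random.Random(seed)
    a = [rng.randint(0, 1) for _ in range(n)]
    k = [b ^ int(rng.random() < p0) for b in a]
    return a, k

def correction_ratio(n_w, n_v):
    """Eq. (80): F = (N_w - N_v) / (N_w + N_v), in [-1, 1], same sign as N_i."""
    return (n_w - n_v) / (n_w + n_v)

def first_round_predicts_failure(n_w, n_v):
    """Correction capability zero (N_i <= 0, i.e. F <= 0) predicts failure."""
    return correction_ratio(n_w, n_v) <= 0.0
```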
