Fast Linear Subspace Attacks on Stream Ciphers

Guang Gong
Department of Electrical and Computer Engineering
University of Waterloo, CANADA
<http://comsec.uwaterloo.ca/~ggong>

Joint work with Sondre Rønjom, Tor Helleseth, and Honggang Hu

G. Gong (University of Waterloo), Fast DFT Attacks, 2009
Outline
- Basic Concepts and Properties of Sequences
- (Discrete) Fourier Transform (DFT) of Shifts and Convolution of DFT
- Fast Selective DFT Attacks on Filtering Generators
- Comparisons with Fast Algebraic Attacks
- New Security Criteria: Spectral Immunity
Introduction
A General Model of PSGs
a polynomial over $\mathbb{F}_2$.
An output sequence of the LFSR satisfies the following recursive relation

$$a_{n+k} = \sum_{i=0}^{n-1} c_i a_{k+i}, \quad k = 0, 1, \ldots, \qquad (1)$$

- $(a_0, \ldots, a_{n-1})$ is an initial state of $a$.
- $t(x)$ is called a characteristic polynomial of $a$ (the reciprocal of $t(x)$ is referred to as a feedback polynomial of $a$), and we also say that $a$ is generated by $t(x)$.
- $a$ is an m-sequence if $t(x)$ is primitive (Golomb, 1954).
Example
The sequence $a = 1001011$ is an m-sequence of period 7 generated by an LFSR with $t(x) = x^3 + x + 1$.
Minimal Polynomials and Linear Span
- A minimal polynomial of $a$ is a polynomial with smallest degree which generates $a$. Let $m(x)$ be the minimal polynomial of $a$, then $m(x) \mid t(x)$.
- Linear span of $a$ is the degree of $m(x)$, denoted as $LS(a)$, and $m(x)$ can be found using the Berlekamp-Massey algorithm from any $2\,LS(a)$ consecutive bits of $a$.
The Shift Operator
The (left cyclic) shift operator $L$:

$$La = a_1, a_2, \ldots, \qquad L^r a = a_r, a_{r+1}, \ldots$$

If $b = L^r a$, then we say that they are shift equivalent. Otherwise, they are shift distinct.

Example: let

- $a = 1001011$
- $b = 1011100$
- $c = 1110100$

then $a$ and $b$ are shift equivalent, and $a$ and $c$ are shift distinct.
DFT and Inverse DFT of Binary Sequences
Notation: $N \mid 2^n - 1$; $\mathbb{F}_q = GF(q)$; $\{a_t\}$: a binary sequence with period $N$; $\alpha$: an element in $\mathbb{F}_{2^n}$ with order $N$.

The (discrete) Fourier Transform (DFT) of $\{a_t\}$ is defined by

$$A_k = \sum_{t=0}^{N-1} a_t \alpha^{-tk}, \quad k = 0, 1, \ldots, N-1.$$

The inverse DFT (IDFT) is given by

$$a_t = \sum_{k=0}^{N-1} A_k \alpha^{kt}, \quad t = 0, 1, \ldots, N-1.$$

$\{A_k\}$ is called the DFT spectral sequence of $a$ (with respect to $\alpha$).
Trace Representation
Let $A(x) = \sum_{k=0}^{N-1} A_k x^k$. Then $a_t = A(\alpha^t)$ and $A(x)$ can be written as

$$A(x) = \sum_{k} Tr_1^{m_k}(A_k x^k) \qquad (2)$$

where the $k$'s are (cyclotomic) coset leaders modulo $N$, $m_k \mid n$ is the length of the coset which contains $k$, and $Tr_1^{m_k}(x)$ is a trace function from $\mathbb{F}_{2^{m_k}}$ to $\mathbb{F}_2$. This is called a trace representation of $\{a_t\}$.

- Sometimes, for simplicity, we may use $Tr(x)$ for all terms in $A(x)$, where the field from which $Tr(x)$ maps to $\mathbb{F}_2$ depends on the size of the coset containing $k$.
- The linear span of $a$ is equal to the number of nonzero spectra of $a$.
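Example 1
$\alpha$: a primitive element in $\mathbb{F}_{2^4}$ with $\alpha^4 + \alpha + 1 = 0$:

| Sequences in Time Domain | DFT Spectral Sequences in Frequency Domain |
|---|---|
| $a = 00010\ 01101\ 01111$ | $A = 011010001000000$ |
| $b = 111011000101001$ | $B = 0, 1, 1, \alpha, 1, 0, \alpha^2, \alpha^6, 1, \alpha^8, 0, \alpha^3, \alpha^4, \alpha^9, \alpha^{12}$ |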
Example 1 (cont.)
| Trace Representation | Linear Span |
|---|---|
| $A(x) = Tr(x)$; $a_t = Tr(\alpha^t)$, $0 \le t < 15$ | 4 |
| $B(x) = Tr(x + \alpha x^3 + \alpha^6 x^7)$; $b_t = B(\alpha^t)$, $0 \le t < 15$ | 12 |
DFT of Shifts
A sequence $b = \{b_t\}$ is a shift of $a$ if and only if the DFT of $b$ is given by

$$B_k = \beta^k A_k, \quad 0 \le k < N, \quad \beta \in \mathbb{F}_{2^n}.$$

In this case, $b_t = A(\beta\alpha^t)$, $t = 0, 1, \ldots$, i.e., $B(x) = A(\beta x)$.

The shift operator does not change the minimal polynomial of $a$, nor the linear span.
Example 2
For $\alpha$, a primitive root of $x^4 + x + 1$ which defines $\mathbb{F}_{2^4}$, let

- $a = 00010\ 01101\ 01111$, $A(x) = Tr(x)$, and
- $b = 01101\ 01111\ 00010$, $B(x) = Tr(\alpha^5 x)$.

In this case $b = L^5 a$, a shift of $a$.
DFT Convolution and Product Sequences
- Let $a$ and $b$ be two sequences of period $N$ with their respective DFTs $A = \{A_k\}$ and $B = \{B_k\}$.
- For the term-by-term product $c = a \cdot b$ where $c_t = a_t b_t$, $0 \le t < N$, let the DFT of $\{c_t\}$ be $C = \{C_k\}$. Then $C$ is a convolution of $A$ and $B$, denoted as $C = A * B$, where

$$C_k = \sum_{i+j \equiv k \pmod{N}} A_i B_j, \quad 0 \le k < N.$$
Example 3
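Let $b$ be the sequence in Example 1, i.e.,

- $b = 111011000101001 \leftrightarrow B(x) = Tr(x + \alpha x^3 + \alpha^6 x^7)$
- $a = 000110001100011 \leftrightarrow A(x) = Tr(\alpha^2 x^3)$

$\Longrightarrow c = a \cdot b = 000010000100001 \leftrightarrow C = B * A$

$\Longrightarrow C(x) = B(x)A(x) = Tr(\alpha^3 x^3) + 1$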
Selective or Fast Selective DFT Attacks
Selective Filters in DFT Domain
Let

$$\mathcal{N}_a = \{k \mid A_k \neq 0,\ k \text{ is a coset leader mod } N\},$$

$p_k(x)$ be the minimal polynomial (MP) of $\alpha^k$ over $\mathbb{F}_2$, and let $q(x) = \sum_{i=0}^{r} c_i x^i$ be a polynomial over $\mathbb{F}_2$ of degree $r$.

- The MP $p(x)$ of $a$ is equal to the product of $p_k$ for all $k \in \mathcal{N}_a$.
- Applying $q(L)$ to $a$, we have

$$v_t = \sum_{i=0}^{r} c_i a_{i+t}, \quad t = 0, 1, \ldots,$$

which is a linear filtered sequence from $a$.
DFT of {vt}
Proposition 1. The DFT of $\{v_t\}$ is given by

$$V_k = A_k q(\alpha^k), \quad 0 \le k < N.$$
Case 2. $\gcd(p(x), q(x)) = 1$. Then $q(\alpha^k) \neq 0,\ \forall k \in \mathcal{N}_a$.

$$(V_k = 0 \iff A_k = 0)$$

$\{v\}$ has the same minimal polynomial as $s$, so does $a$, and $v$ is a shift of $a$ when $\alpha$ is a primitive element in $\mathbb{F}_{2^n}$ (in this case $a$ has period $2^n - 1$).
Selective Case
Let $c(x) = \gcd(p(x), q(x))$, $c(x) \neq 1$ and $c(x) \neq p(x)$. Then

$$c(x) = \prod_{k \in T} p_k(x)$$

where $T \subset \mathcal{N}_a$, and

$$V_k = q(\alpha^k) A_k \neq 0 \iff q(\alpha^k) \neq 0 \iff k \in \mathcal{N}_a \setminus T.$$
Figure: Selective DFT Spectra
Selective DFT (Cont.)
- For the selective case, when $q(x)$ is applied to $a$, the set of nonzero DFT spectra of the resulting sequence is a subset of the nonzero DFT spectra of $a$. Thus the linear span of $v$ is less than the linear span of $a$.
- The functionality of $q(x)$ here is analogous to filters used in communication systems for selecting a frequency band to increase or reduce the bandwidth of transmitted signals.

Thus $q(x)$ is referred to as a selective DFT filter of $a$.
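
The DFT, the shift rule and the selective filter described above can be checked numerically on the sequences of Example 1. The following Python is an added example, not part of the original slides; the table-based $\mathbb{F}_{2^4}$ arithmetic and all function names are choices made for this example, and the filter $q(x) = p_3(x)p_7(x)$ is picked here to keep only the coset of 1.

```python
# GF(2^4) built from alpha^4 = alpha + 1; elements are 4-bit ints, alpha = 0b0010.
N = 15
EXP = [1]
for _ in range(N - 1):
    x = EXP[-1] << 1
    EXP.append(x ^ 0b10011 if x & 0b10000 else x)
LOG = {v: i for i, v in enumerate(EXP)}

def mul(x, y):
    """Multiply two field elements via discrete-log tables."""
    return 0 if x == 0 or y == 0 else EXP[(LOG[x] + LOG[y]) % N]

def dft(seq):
    """A_k = sum_t a_t * alpha^(-t*k), k = 0..N-1 (field addition is XOR)."""
    spectrum = []
    for k in range(N):
        acc = 0
        for t, bit in enumerate(seq):
            if bit:
                acc ^= EXP[(-t * k) % N]
        spectrum.append(acc)
    return spectrum

def linear_span(seq):
    """Linear span, computed as the number of nonzero DFT spectra."""
    return sum(1 for x in dft(seq) if x)

def shift(seq, r):
    """L^r applied to one period of the sequence."""
    return seq[r:] + seq[:r]

def poly_eval(coeffs, x):
    """Evaluate q(x) = sum c_i x^i with c_i in F_2 (coeffs[0] = c_0)."""
    acc, power = 0, 1
    for c in coeffs:
        if c:
            acc ^= power
        power = mul(power, x)
    return acc

def apply_filter(coeffs, seq):
    """v_t = sum_i c_i * s_{i+t} over one period."""
    return [sum(c & seq[(i + t) % N] for i, c in enumerate(coeffs)) & 1
            for t in range(N)]

def bits(s):
    return [int(ch) for ch in s]

a = bits("000100110101111")   # Example 1: a_t = Tr(alpha^t)
b = bits("111011000101001")   # Example 1: linear span 12
# q(x) = p_3(x) p_7(x) = (x^4+x^3+x^2+x+1)(x^4+x^3+1) = x^8+x^4+x^2+x+1
Q = [1, 1, 1, 0, 1, 0, 0, 0, 1]

if __name__ == "__main__":
    A, B = dft(a), dft(b)
    print("LS(a), LS(b):", linear_span(a), linear_span(b))
    # DFT of shifts: the spectrum of L^5 a is alpha^(5k) * A_k
    S = dft(shift(a, 5))
    print("shift rule holds:",
          all(S[k] == mul(EXP[5 * k % N], A[k]) for k in range(N)))
    # Proposition 1 and the selective case: q(L) zeroes the cosets of 3 and 7
    V = dft(apply_filter(Q, b))
    print("Prop. 1 holds:",
          all(V[k] == mul(B[k], poly_eval(Q, EXP[k])) for k in range(N)))
    print("surviving spectra:", [k for k in range(N) if V[k]])
```

Filtering $b$ with this $q$ reduces its linear span from 12 to 4; because $B_1 = 1$ and $q(\alpha) = 1$, the filtered sequence is exactly $a$.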
Computing DFT of Shifted Sequences
Question. Given $\{A_k\}$ and $j$ (consecutive) bits of $s$, a shift of $a$ (without loss of generality, we may assume that $(s_0, s_1, \ldots, s_{j-1})$ is known), find the DFT of $s$.

Since $S_k = \beta^k A_k$, $\beta \in \mathbb{F}_{2^n}$, it is enough to find $\beta$.

- A Very Old Naive Method: directly solving a system of linear equations in variables $\{\beta^k\}$ where $j = LS(a)$.
- Selective DFT when $j = LS(a)$.
- Fast Selective DFT when $j < LS(a)$.
A Very Old Naive Method
- If a set $P$ is a subset consisting of coset leaders modulo $N$, then we use $\overline{P}$ to represent the set $\cup_{k \in P} C_k$ where $C_k$ is the coset modulo $N$ containing $k$ as the coset leader.
- We write $\overline{\mathcal{N}}_a = \{k_0, k_1, \ldots, k_{LS(a)-1}\}$ (note that $LS(a)$ is equal to the cardinality of $\overline{\mathcal{N}}_a$). Then

$$b_t = \sum_{k \in \mathcal{N}_a} Tr(A_k \beta^k \alpha^{tk}) = \sum_{i=0}^{j-1} A_{k_i} \beta^{k_i} \alpha^{t k_i}, \quad t = 0, 1, \ldots, j-1.$$

- Let $x_i = \beta^{k_i}$, $i = 0, 1, \ldots, LS(a)-1$. Then the above is a system of $m$ linear equations in $LS(a)$ unknowns $\{x_i\}$.
Naive Method (Cont.)
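Put $m = LS(a)$. The matrix form is given by

$$b = Mx$$

where $s = (s_0, s_1, \ldots, s_{j-1})^T$, $v^T$ means the transpose of the vector $v$, $x = (x_0, x_1, \ldots, x_{m-1})^T$, and

$$M = \prod_{i=0}^{l-1} A_{k_i}
\begin{pmatrix}
1 & 1 & 1 & \cdots & 1 \\
\alpha^{k_0} & \alpha^{k_1} & \alpha^{k_2} & \cdots & \alpha^{k_{m-1}} \\
\alpha^{2k_0} & \alpha^{2k_1} & \alpha^{2k_2} & \cdots & \alpha^{2k_{m-1}} \\
\vdots & & & & \vdots \\
\alpha^{(j-1)k_0} & \alpha^{(j-1)k_1} & \alpha^{(j-1)k_2} & \cdots & \alpha^{(j-1)k_{m-1}}
\end{pmatrix}$$

$M$ is a $j \times m$ Vandermonde matrix over $\mathbb{F}_{2^n}$.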
Naive Method (Cont.)
- Thus it has the unique solution if and only if $m = j = LS(a)$.
- Hence from known $m$ bits of $s$ (not necessarily consecutive), the DFT of $s$ can be uniquely determined by solving a system of $m$ linear equations over $\mathbb{F}_{2^n}$ with computational complexity $O(m^{2.37}\eta(n))$ where $\eta(n) = n \log n \log\log n$.
Selective DFT Attack
Input: Given $(a_0, \ldots, a_{j-1})$ and $\{A_k\}$ where $j = LS(a)$ with spectral sequence $\beta^k A_k$, $k = 0, \ldots, N-1$.
Output: $\beta$.
Procedure

1. Randomly select $k \in \mathcal{N}_a$ with coset size $n$ (not necessarily $\gcd(k, N) = 1$), and set $q(x) = p(x)/p_k(x)$ with $r = \deg(q) = m - n$.
2. Applying $q(L)$ to $(s_0, s_1, \ldots)$, compute

$$v_t = \sum_{i=0}^{r} c_i s_{i+t}, \quad t = 0, 1, \ldots, n-1.$$

3. From

$$v_t = Tr(\gamma \alpha^{tk}), \quad t = 0, 1, \ldots, n-1$$

solve for $\gamma$ in a system of $n$ linear equations over $\mathbb{F}_{2^n}$ with the complexity $O(n^{2.37}\eta(n))$. (Compared with the naive method $O(m^{2.37}\eta(n))$ where $m \gg n$.)
Selective DFT Attack (Cont.)
Note that $\gamma = A_k q(\alpha^k)\beta^k$. If $\gcd(k, N) = 1$, we obtain

$$\beta = \gamma^{k'} [A_k q(\alpha^k)]^{-k'}, \quad k' = k^{-1}.$$

If $\gcd(k, N) \neq 1$, the multiplexing method is used to reconstruct $\beta$ (the multiplexing method is omitted here).
Fast Selective DFT Attack
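Input: Given $(a_0, \ldots, a_{j-1})$ and $\{A_k\}$ where $j < LS(a)$ with spectral sequence $\beta^k A_k$, $k = 0, \ldots, N-1$.
Output: $\beta$.
Procedure

1. Select $b = \{b_t\}$ to compute the term-by-term product $u = \{u_t\}$ (i.e., $u_t = s_t b_t$) where $b_t = B(\beta\alpha^t)$, $t \ge 0$ and $u_t = U(\beta\alpha^t)$ with $|\overline{\mathcal{N}}_b \cup \overline{\mathcal{N}}_u| < LS(s)$.
2. Compute $m_u(x)$, the minimal polynomial of $u$, and $q(x) = \prod_{k \in T} p_k(x)$ where

$$T \begin{cases} = \mathcal{N}_u \setminus \mathcal{N}_b, & \emptyset \subset \mathcal{N}_u \cap \mathcal{N}_b \subset \mathcal{N}_u \quad \text{(Type 1)} \\ \subset \mathcal{N}_u^*, & \mathcal{N}_b^* = \mathcal{N}_u^* \quad \text{(Type 2)} \end{cases}$$

where $T$ contains at least one $k$ with coset size $n$ for the type 2 and $\mathcal{N}_x^*$ denotes the set of nonzero coset leaders in $\mathcal{N}_x$.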
Fast Selective DFT Attack (Cont.)
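$\Longrightarrow$ degree of $q(x)$ is $r = |T|$, and $n \le r < LS(u)$.

3. For $q(L) = \sum_{i=0}^{r} c_i L^i$, compute

$$\gamma_{k,t} = U_k q(\alpha^k)\alpha^{tk}, \quad k \in J, \quad t = 0, 1, \ldots, LS(b)-1,$$

$$J = \begin{cases} \mathcal{N}_b \cap \mathcal{N}_u & \text{for } q(x) \text{ of type 1} \\ \mathcal{N}_b \setminus T & \text{for } q(x) \text{ of type 2} \end{cases}$$

where $J \subset \mathcal{N}_b$.

4. Compute

$$\eta_{k,t} = B_k f_t(\alpha^k)\alpha^{tk}, \quad t = 0, 1, \ldots, LS(b)-1, \quad k \in \overline{\mathcal{N}}_b, \qquad f_t(x) = \sum_{i=0}^{r} c_i s_{i+t} x^i.$$

5. Form a system of $LS(b)$ equations:

$$\sum_{k \in J} \gamma_{k,t}\beta^k = \sum_{k \in \mathcal{N}_b} \eta_{k,t}\beta^k, \quad t = 0, 1, \ldots, LS(b)-1,$$

which are in $LS(b)$ unknowns $\beta^k$ ($|\overline{\mathcal{N}}_b| = LS(b)$), and solve for $\beta^k \Longrightarrow \beta$.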
Applications to Attacks on Stream Ciphers
Figure: A General Model of Stream Cipher
Example: Filtering Sequence Generators
Let $w = \{w_t\}$ be an m-sequence of period $2^n - 1$, and $0 \le d_0 < d_1 < \cdots < d_{m-1} < n$. A sequence $s = \{s_t\}$ is referred to as a filtering sequence if

$$s_t = f(w_{d_0+t}, w_{d_1+t}, \ldots, w_{d_{m-1}+t}), \quad t = 0, 1, \ldots \qquad (3)$$

where $f(x_0, x_1, \ldots, x_{m-1})$ is a boolean function in $m$ variables. The boolean function $f$ is referred to as a filtering function.

Figure: A Diagram of Filtering Sequence Generator
Known Plaintext Attack
- An initial state of the LFSR is a key when $\{s_t\}$ serves as a key stream, denoted by $K = (k_0, \ldots, k_{n-1})$, $k_i \in \mathbb{F}_2$. Then

$$s_t = f(L^t(k_0, k_1, \ldots, k_{n-1})) = f_t(k_0, \ldots, k_{n-1}), \quad t = 0, 1, \ldots$$

- Known plaintext attack: if a certain plaintext is known, then some bits of $\{s_t\}$ can be recovered. If the key can be recovered from those known bits of $\{s_t\}$, then the rest of the bits of the key stream can be reconstructed.
Properties of Filtering Sequence Generators
- We denote the degree of $f(x_0, \ldots, x_{m-1})$ by $\deg(f)$. The DFT of $\{s_t\}$ has the following structure:

$$S_k = 0, \text{ for } H(k) \ge \deg(f)$$

where $H(k)$ is the Hamming weight of $k$.

- $w$ has the trace representation $Tr(\beta x)$ for some $\beta \in \mathbb{F}_{2^n}$. Thus those $\beta$'s and initial states of the LFSR are in one-to-one correspondence.
- Let $\{a_t\}$ be a filtering sequence corresponding to an initial state with $\beta = 1$. Then any filtering sequence $s$ is a shift of $a$.
Shifts and Keys
- Recovering a key in the filtering sequence means recovering an initial state in the LFSR, which is equivalent to recovering $\beta$.
- The initial state of the LFSR can be recovered
  - by either the selective DFT if the number of known consecutive bits of $\{s_t\}$ is equal to the linear span of $\{s_t\}$,
  - or by the fast selective DFT if it is less than its linear span, as presented before.
Figure: (Fast) Select DFT Attacks on a Filtering Generator
How Good Is the Selective DFT Attack?
Case 1: # required consecutive bits $= LS(s)$

- Rønjom-Helleseth (06): $q(x)$ is the quotient of the minimal polynomial of $s$ and the minimal polynomial of $\alpha$. So, $q(L)$ removes all DFT spectra except for $A_1$. It works if $A_1 \neq 0$.
- Rønjom-Gong-Helleseth (07): $q(x)$ is the quotient of the minimal polynomial of $s$ and the minimal polynomial of $\alpha^k$. So, $q(L)$ removes all DFT spectra except for $A_k$ for some $k$ with $A_k \neq 0$ and $\gcd(k, N) = 1$.
- Selective DFT (new case): In Rønjom-Gong-Helleseth (07)'s work, $k$ does not need to be coprime with $N$; it is enough that the coset size of $k$ is equal to $n$.
Selective DFT and Rønjom et al. Attacks
Rønjom-Helleseth (06)

| # required consecutive bits | # unknowns in equations | deg(q) | solvable |
|---|---|---|---|
| $LS(s)$; not applicable if $A_1 = 0$ | $n$ | $LS(s) - n$ | solving a system of homogeneous equations over $\mathbb{F}_2$ in $n$ unknowns; solve for all $n$ unknowns |
Selective DFT and Rønjom et al. Attacks (Cont.)
Rønjom-Gong-Helleseth (07)

| # required consecutive bits | # unknowns in equations | deg(q) | solvable |
|---|---|---|---|
| $LS(s)$; not applicable if $\gcd(k, N) \neq 1$ | $n$ | $LS(s) - n$ | solving a system of homogeneous equations over $\mathbb{F}_{2^n}$ in $n$ unknowns; obtaining one unknown is enough |

New Case of Selective DFT

Replace the condition $\gcd(k, N) = 1$ by $|C_k| = n$.
Compared with Fast Algebraic Attack
Case 2: # required consecutive bits < LS(s)
Summary of the time complexity and required known bits of the linearization, algebraic attack, and fast algebraic attacks.

| Methods and Equations | The Number of Unknowns | Minimum Required Known Bits |
|---|---|---|
| Linearization (folk sense): $f_t(K) = s_t$ | $T_\mu$, $\mu = \deg(f)$ | $T_\mu$ |
| Algebraic Attack (Patarin'96, Courtois et al.'03): find $g$ such that $fg = 0$; $s_t g_t(K) = 0$ | $T_\tau$, $\tau = \deg(g)$. The best case: $\tau$ = algebraic immunity of $f$ $< \mu$ | $T_\tau$ |
| Fast Algebraic Attacks (Courtois'03 [a], Armknecht-Ars'05 [b]): a) find $g$ such that $fg = h \neq 0$; b) applying $q(x)$ to $s_t g_t(K) = h_t(K)$: $\sum_{i=0}^{r} c_i s_{i+t} g_{i+t}(K) = \sum_{i=0}^{r} c_i h_{i+t}(K)$ | $T_d$; $d = \deg(g)$, $e = \deg(h)$; $d < e$ | $\gamma = T_d + (T_e - \delta T_d)$ consecutive bits; $\delta = 0$ [a], $\delta = 1$ [b]; $r = \deg(q)$ |
Fast Algebraic Attack
- The case of Courtois'03: $q(x)$ is the product of the minimal polynomials of $\alpha^k$ for all $k$ with $H(k) \le d$ ($= \deg(g)$), so $\{v_t\}$ is a zero sequence.
- The case of Armknecht-Ars'05: $q(x)$ is equal to $p_e(x)/p_d(x)$ where $p_k(x)$ is the product of the minimal polynomials of $\alpha^i$ for all $i$ with $H(i) \le k$. So the set of nonzero spectra of the DFT of $\{v_t\}$ is a subset of that of $b$.
- In order to get $T_d$ equations from applying $q(L)$ to $\{s_t g_t(k_0, k_1, \ldots, k_{n-1})\}$, one needs to know $(s_0, s_1, \ldots, s_{T_d + \deg(q) - 1})$ to create a system of homogeneous equations in linearized variables of the boolean function $g_t(k_0, k_1, \ldots, k_{n-1})$.
Compared with Fast Algebraic Attack
| | # required consecutive bits | # unknowns in equations | deg(q) | solvable |
|---|---|---|---|---|
| Fast Algebraic Attack | $T_d + (T_e - \delta T_d)$ | $T_d$ | $T_e - \delta T_d$ | solving a system of homogeneous equations over $\mathbb{F}_2$ in $T_d$ unknowns |
| Fast Selective DFT Attack | $LS(b) + \deg(q)$ | $LS(b) < T_d$ | $< LS(u) < T_e - T_d$ | solving a system of homogeneous equations over $\mathbb{F}_{2^n}$ in $LS(b)$ unknowns |
Difference between the Fast Algebraic Attacks and Selective DFT Attacks

- Coefficients of monomial terms in $b_t = g_t(x_0, x_1, \ldots, x_{n-1})$ in variables $x_0, x_1, \ldots, x_{n-1}$ change for each $t$, but the DFT of $\{b_t\}$ changes only by a scalar multiple $\beta^k$, where $\beta$ corresponds to the desired initial state.
- The number of nonzero coefficients of variables (linearized case) in $g_t(x_0, x_1, \ldots, x_{n-1})$ changes dynamically and is bounded by $T_d$, but the number of nonzero DFT spectra of $\{b_t\}$ remains a constant, $LS(b)$, the linear span of $b$.
- This phenomenon is not surprising, since it is analogous to a cosine function $\cos x$, whose values are hard to predict in the reals, while the Fourier transform of $\cos x$ has only two pulses (i.e., two values), which is the simplest case in spectral analysis.
Spectral Immunity
Resistant to Fast Selective DFT Attack
The sequence $s$ is said to be resistant to the fast selective DFT attack if $|\mathcal{N}_s| = 1$ (i.e., the minimal polynomial of $s$ is irreducible) or $LS(u + b) \ge LS(s)$ for any sequence $b \in \mathbb{Z}_2^N$ with $LS(b) < LS(s)$ and $u \neq 0$, where $u$ is the term-by-term product sequence of $s$ and $b$.

Spectral Immunity
Let

$$P_s = \min_{b \in \mathbb{Z}_0^N} \{LS(b) \mid s \cdot b = 0 \text{ or } (s + 1)b = 0\}.$$

Then $P_s$ is referred to as the spectral immunity of $s$.
Example: Filtering Generator
Let $w$ be a sequence generated by the primitive polynomial $x^4 + x + 1$, and $s$ be a filtering sequence generated by $s_t = f(w_t, w_{t+1}, w_{t+2}, w_{t+3})$, where $f(x_0, x_1, x_2, x_3) = x_1 + x_0x_2 + x_0x_3 + x_0x_1x_2$.

- $LS(s) = \sum_{i=1}^{3} \binom{4}{i} = 14$, which is the maximal achievable linear complexity for a filtering function of degree 3.
- The algebraic immunity of $f$, $AI(f)$, is equal to 2.
- Then $P_s$ is not bigger than the linear complexity of a sequence $b_t = g(w_t, w_{t+1}, w_{t+2}, w_{t+3})$, where $g$ is a function in the set consisting of the annihilators of $f$, i.e., $g \in ANN(f) = \{g \mid fg = 0 \text{ or } (f + 1)g = 0\}$.
- It is easily verified that $P_s \le \sum_{i=1}^{AI(f)} \binom{4}{i} = 10$.
- Let $b_t = w_t + w_{t+2} + w_tw_{t+1} + w_{t+1}w_{t+2} + w_tw_{t+3}$, then $LS(b) = 4$ with the minimal polynomial $x^4 + x^3 + x^2 + x + 1$. Thus $P_s = 4$.
Example: Filtering Generator (Cont.)
This means that there exists an annihilator which yields a system containing linear equations in at most 4 unknowns, while applying a fast algebraic attack one ends up with a quadratic equation system with 10 unknowns.
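
The figures quoted in this example can be reproduced by brute force, which is also a practical way to evaluate a small filtering function against the spectral-immunity criterion. The following Python is an added example, not from the original slides; it assumes the LFSR initial state (0, 0, 0, 1) (any nonzero state gives shifts of the same sequences), restricts the search to nonzero $b$, and uses its own function names.

```python
N = 15  # period 2^4 - 1

def lfsr_sequence(state, length):
    """w_{t+4} = w_{t+1} + w_t, i.e. characteristic polynomial x^4 + x + 1."""
    w = list(state)
    while len(w) < length:
        w.append(w[-3] ^ w[-4])
    return w[:length]

def f(x0, x1, x2, x3):
    """Filtering function from the example (degree 3)."""
    return x1 ^ (x0 & x2) ^ (x0 & x3) ^ (x0 & x1 & x2)

def g(x0, x1, x2, x3):
    """Function generating the low-span sequence b from the example."""
    return x0 ^ x2 ^ (x0 & x1) ^ (x1 & x2) ^ (x0 & x3)

def filtered(func, w):
    """One period of func(w_t, w_{t+1}, w_{t+2}, w_{t+3})."""
    return [func(*w[t:t + 4]) for t in range(N)]

def berlekamp_massey(bits):
    """Length of the shortest LFSR over F_2 that generates bits."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            prev = c[:]
            for j in range(n + 1 - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L

def linear_span(period):
    """Two periods are enough input for Berlekamp-Massey, since LS <= N."""
    return berlekamp_massey(period + period)

def spectral_immunity(s):
    """Exhaustive min LS(b) over nonzero b with s*b = 0 or (s+1)*b = 0."""
    best = N
    for target in (s, [bit ^ 1 for bit in s]):
        # b annihilates target iff b is 1 only where target is 0
        free = [t for t in range(N) if target[t] == 0]
        for mask in range(1, 1 << len(free)):
            b = [0] * N
            for i, t in enumerate(free):
                b[t] = (mask >> i) & 1
            best = min(best, linear_span(b))
    return best

W = lfsr_sequence([0, 0, 0, 1], N + 3)   # constructed nonzero initial state
S = filtered(f, W)
B = filtered(g, W)

if __name__ == "__main__":
    print("LS(s) =", linear_span(S))
    print("LS(b) =", linear_span(B))
    print("s*b = 0:", all((x & y) == 0 for x, y in zip(S, B)))
    print("P_s   =", spectral_immunity(S))
```

The exhaustive search is feasible only because $N = 15$; it enumerates every nonzero sequence supported on the zeros of $s$ or of $s + 1$.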
Open Questions
- How to construct functions which are resistant to the fast selective DFT attack? (Note that stop-and-go generated sequences resist this attack; why?)
- What are the bounds of spectral immunity?
- The method introduced here is of only theoretical interest if the DFT spectra are unknown. In general, the degrees of the filtering function or combiner functions are relatively easier to obtain than the DFT of the key stream sequences, which leads to the following problem.
- How to estimate the DFT spectrum of the product sequence?
Reference
Guang Gong, Sondre Rønjom, Tor Helleseth, and Honggang Hu, Fast Linear Subspace Attacks on Stream Ciphers, Technical Report, CACR 2009-04, 2009, University of Waterloo, Canada. Submitted to IEEE Transactions on Information Theory.