# DST40 Brute Force version CPU

Auteur: [Kaci Amaouche](mailto:amaouchekaci28@gmail.com)

Dans ce [Jupyter](https://jupyter.org/) notebook,nous présentons une implémentation d'une attaque type bruteforce de DST40 sur CPU en utilisant Python. Si vous n'êtes pas familier avec Jupyter, vous pouvez jeter un coup d'œil rapide à la documentation ou aux tutoriels disponibles[Notebook Basics](https://jupyter-notebook.readthedocs.io/en/stable/examples/Notebook/Notebook%20Basics.html) guide (~5min).

Ce notebook comporte:

* [Configuration de l'environnement]
* [Implémentation]

## 1 - Configuration de l'environnement

Pour pouvoir exécuter ces scripts, il va falloir:
1. Ce notebook (the `.ipynb` file)
1. Python >= 3.8


## 2 - Implémentation

In [2]:
import math


On définit le système DST40

In [95]:
def bit(x: int, n: int) -> int:
    """
    Get bit n of value x
    :param x: an integer
    :param n: position of the bit to retrieve
    :return: 0 or 1
    """
    x = ((x >> n) & 1)
    return x

def dst40_round(hash: int, key: int) -> int:
	"""
	Compute 2 bits of dst-40 keystream
	:param hash: 1rst LFSR state (the one initialized with the challenge)
	:param key: 2nd LFSR state (the one initialized with the secret key)
	"""
	fa = [0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1] 
	fb = [0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0]
	fc = [0, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1]
	fd = [0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0]
	fe = [0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0]
	fg = [0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0]
	fh = [0, 0, 2, 3, 3, 1, 2, 1, 1, 2, 1, 3, 3, 2, 0, 0]

	fa1 = fa[(bit(key, 39) << 4) | (bit(key, 31) << 3) | (bit(hash,39) << 2 ) | (bit(hash, 31) << 1) | bit(hash, 23)]
	fb2 = fb[(bit(key, 38) << 4) | (bit(key, 30) << 3) | (bit(hash,38) << 2 ) | (bit(hash, 30) << 1) | bit(hash, 22)]
	fc3 = fc[(bit(key, 23) << 4) | (bit(key, 15) << 3) | (bit(key,7) << 2 ) | (bit(hash, 15) << 1) | bit(hash, 7)]
	fd4 = fd[(bit(key, 22) << 4) | (bit(key, 14) << 3) | (bit(key,6) << 2 ) | (bit(hash, 14) << 1) | bit(hash, 6)]


	fa5 = fa[(bit(key, 37) << 4) | (bit(key,29) << 3) | (bit(hash,37) << 2 ) | (bit(hash, 29) << 1) | bit(hash, 21)]
	fb6 = fb[(bit(key, 36) << 4) | (bit(key, 28) << 3) | (bit(hash,36) << 2 ) | (bit(hash, 28) << 1) | bit(hash, 20)]
	fc7 = fc[(bit(key, 21) << 4) | (bit(key, 13) << 3) | (bit(key,5) << 2 ) | (bit(hash, 13) << 1) | bit(hash, 5)]
	fd8 = fd[(bit(key, 20) << 4) | (bit(key, 12) << 3) | (bit(key,4) << 2 ) | (bit(hash, 12) << 1) | bit(hash, 4)]

	fa9 = fa[(bit(key, 35) << 4) | (bit(key,27) << 3) | (bit(hash,35) << 2 ) | (bit(hash, 27) << 1) | bit(hash, 19)]
	fb10 = fb[(bit(key, 34) << 4) | (bit(key, 26) << 3) | (bit(hash,34) << 2 ) | (bit(hash, 26) << 1) | bit(hash, 18)]
	fc11 = fc[(bit(key, 19) << 4) | (bit(key, 11) << 3) | (bit(key,3) << 2 ) | (bit(hash, 11) << 1) | bit(hash, 3)]
	fd12 = fd[(bit(key, 18) << 4) | (bit(key, 10) << 3) | (bit(key,2) << 2 ) | (bit(hash, 10) << 1) | bit(hash, 2)]

	fa13 = fa[(bit(key, 33) << 4) | (bit(key,25) << 3) | (bit(hash,33) << 2 ) | (bit(hash, 25) << 1) | bit(hash, 17)]
	fb14 = fb[(bit(key, 32) << 4) | (bit(key, 24) << 3) | (bit(hash,32) << 2 ) | (bit(hash, 24) << 1) | bit(hash, 16)]
	fe15 = fe[(bit(key, 17) << 3) | (bit(key, 9) << 2) | (bit(key,1) << 1 ) | bit(hash, 9)]
	fe16 = fe[(bit(key, 16) << 3) | (bit(key, 8) << 2) | (bit(key,0) << 1 ) | bit(hash, 8)]

	fg1 = fg[ (fa1 << 3) | (fb2 << 2) | (fc3 << 1) | fd4]
	fg2 = fg[ (fa5 << 3) | (fb6 << 2) | (fc7 << 1) | fd8]
	fg3 = fg[ (fa9 << 3) | (fb10 << 2) | (fc11 << 1) | fd12]
	fg4 = fg[ (fa13 << 3) | (fb14 << 2) | (fe15 << 1) | fe16]


	fh1 = fh[(fg1 <<3) | (fg2 << 2) | (fg3 << 1) | fg4]

	res = fh1 ^((bit(hash, 1) << 1) | bit(hash, 0))

	return res



def dst40_encode(challenge: int, key: int) -> int:
	"""
	DST-40 encryption
	:param challenge: 40-bits challenge
	:param key: 40-bits key
	:return: keystream in int
	"""
	if type(challenge) != int or type(key) != int:
		logger.error("Challenge and key must be int values")
		return 0

	hash40 = challenge
	key40 = key

	cnt = 0
	for _ in range(192):
		tmp = 0
		hash40 = (dst40_round(hash40, key40) << 38) | (hash40 >> 2)

		if cnt == 1: # every three cycles (counter begin at 2) we shift the register (the one initialized with the secret key)
			tmp = key40
			key40  = ((bit(tmp, 0) ^bit(tmp, 2) ^bit(tmp, 19) ^ bit(tmp, 21)) << 39) | (key40 >> 1)

		cnt += 1
		if cnt == 3 :
			cnt = 0

	return hash40 >> 16


Voici un exemple d'exécution

In [141]:
P1,P2=2**37-1235478,2**38-14257531
key=2**15
C1,C2=dst40_encode(P1,key),dst40_encode(P2,key)
print(C1,C2)

5187416 6679828


Pour la brute force, il n'y a pas de plus simple, il suffit de faire une recherche exaustive sur toutes les valeurs possibles (de 0 à 2^40)

In [139]:
def BruteForce(P1,P2,C1,C2):
    for key_found in range(2**40):
        if dst40_encode(P1,key_found)==C1:
            if dst40_encode(P2,key_found)==C2:
                return key_found

On peut tester la validité de l'algorithme ainsi 

In [140]:
P1,P2=2**12-15,2**13-5
key=2**10
C1,C2=dst40_encode(P1,key),dst40_encode(P2,key)
BruteForce(P1,P2,C1,C2)

1024

Cet algo est très lent mais une il s'exécute beaucoup plus rapidement sur GPU