Conference Paper

State convergence and the effectiveness of time-memory-data tradeoffs.

DOI: 10.1109/ISIAS.2011.6122801 Conference: 7th International Conference on Information Assurance and Security, IAS 2011, Melacca, Malaysia, December 5-8, 2011
Source: DBLP


Various time-memory tradeoff attacks on stream ciphers have been proposed over the years. However, the claimed success of these attacks assumes that the initialisation process of the stream cipher is one-to-one. Some stream cipher proposals do not have a one-to-one initialisation process. In this paper, we examine the impact of this on the success of time-memory-data tradeoff attacks. Under these circumstances, some attacks are more successful than previously claimed while others are less so. The conditions for both cases are established.

Available from: Ed Dawson, Oct 03, 2015
  • ABSTRACT: Time-Memory Tradeoff (TMTO) attacks on stream ciphers are a serious security threat and the resistance to this class of attacks is an important criterion in the design of a modern stream cipher. TMTO attacks are especially effective against stream ciphers where a variant of the TMTO attack can make use of multiple data to reduce the off-line and the on-line time complexities of the attack (given a fixed amount of memory). In this paper we present a new approach to TMTO attacks against stream ciphers using a publicly known initial value (IV): We suggest not to treat the IV as part of the secret key material (as done in current attacks), but rather to choose in advance some IVs and apply a TMTO attack to streams produced using these IVs. We show that while the obtained tradeoff curve is identical to the curve obtained by the current approach, the new technique makes it possible to mount the TMTO attack in a larger variety of settings. For example, if both the secret key and the IV are of length n, it is possible to mount an attack with data, time, and memory complexities of 2^(4n/5), while in the current approach, either the time complexity or the memory complexity is not less than 2^n. We conclude that if the IV length of a stream cipher is less than 1.5 times the key length, there exists an attack on the cipher with data, time, and memory complexities less than the complexity of exhaustive key search.
    Information Processing Letters 08/2008; 107(5):133-137. DOI:10.1016/j.ipl.2008.01.011
  • ABSTRACT: A binary stream cipher consisting of three short linear-feedback shift registers (LFSRs) of total length 64 that are mutually clocked in the stop/go manner is cryptanalyzed in the known keystream sequence scenario. To reconstruct the internal state candidates at a known time from about 64 known keystream bits, two algorithms are developed. One is based on guessing a number of elements of the clock-control sequence and has a computational complexity of about 2^40 steps, where the average step complexity is comparable to the step complexity of the exhaustive search method. The other exploits a time-memory tradeoff based on the well-known birthday paradox and is successful if approximately T·M ≥ 2^64, where T is the required computational time in table lookups and M is the memory in 64-bit words. As the state-transition function is not one-to-one, to recover the initial state from the internal state candidates, two algorithms are introduced. One consists in guessing the number of clocks for each of the LFSRs. The other consists in the reversion of the internal states and is based on the theory of critical and subcritical branching processes.
    IEEE Transactions on Information Theory 06/2000; DOI:10.1109/18.841189
  • ABSTRACT: An initialisation process is a key component in modern stream cipher design. A well-designed initialisation process should ensure that each key-IV pair generates a different keystream. In this paper, we analyse two ciphers, A5/1 and Mixer, for which this does not happen due to state convergence. We show how the state convergence problem occurs and estimate the effective key-space in each case.
    Information Security and Privacy - 16th Australasian Conference, ACISP 2011, Melbourne, Australia, July 11-13, 2011. Proceedings; 01/2011
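The state convergence discussed in the paper's abstract and in the ACISP 2011 abstract above can be measured directly on a small scale. The following Python example is added here and is not code from any of these papers: it exhausts a toy key-IV space under two hypothetical initialisation functions, one bijective and one deliberately non-injective (a truncated hash standing in for a real cipher's convergent load step), and reports how many internal states are actually reachable and how many bits of effective key-space are lost.

```python
import hashlib
import math
from collections import Counter

def init_one_to_one(key_iv: int, nbits: int) -> int:
    """Hypothetical bijective initialisation: rotate the nbits-wide key-IV
    word left by 5 and XOR a constant. Every key-IV pair reaches a distinct state."""
    mask = (1 << nbits) - 1
    rotated = ((key_iv << 5) | (key_iv >> (nbits - 5))) & mask
    return rotated ^ (0xA5A5A5A5 & mask)

def init_convergent(key_iv: int, nbits: int) -> int:
    """Hypothetical non-injective initialisation: behaves like a random function
    from key-IV pairs to states, so many pairs converge on the same state."""
    mask = (1 << nbits) - 1
    digest = hashlib.sha256(key_iv.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") & mask

def convergence_report(init, nbits: int) -> dict:
    """Exhaust all 2^nbits key-IV pairs and measure state convergence.

    distinct_states  : number of internal states actually reachable
    effective_bits   : log2 of that count, i.e. the effective key-space
    lost_bits        : nbits minus effective_bits (zero for a one-to-one init)
    largest_class    : most key-IV pairs that collapse onto a single state
    """
    n = 1 << nbits
    classes = Counter(init(x, nbits) for x in range(n))
    distinct = len(classes)
    eff_bits = math.log2(distinct)
    return {
        "key_iv_pairs": n,
        "distinct_states": distinct,
        "effective_bits": eff_bits,
        "lost_bits": nbits - eff_bits,
        "largest_class": max(classes.values()),
    }

if __name__ == "__main__":
    # 12-bit toy space: 4096 key-IV pairs, exhaustible in well under a second.
    for name, init in (("one-to-one", init_one_to_one), ("convergent", init_convergent)):
        r = convergence_report(init, 12)
        print(f"{name:>10}: {r['distinct_states']} of {r['key_iv_pairs']} states reachable, "
              f"effective {r['effective_bits']:.2f} bits, lost {r['lost_bits']:.2f} bits, "
              f"largest collision class {r['largest_class']}")
```

For a random function the reachable fraction settles near 1 - 1/e, so the convergent toy loses roughly 0.66 bits of key-space even before any further convergence in the keystream generation is counted.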