Conference Paper

State convergence and the effectiveness of time-memory-data tradeoffs.

DOI: 10.1109/ISIAS.2011.6122801 Conference: 7th International Conference on Information Assurance and Security, IAS 2011, Melacca, Malaysia, December 5-8, 2011
Source: DBLP

ABSTRACT Various time-memory tradeoffs attacks for stream ciphers have been proposed over the years. However, the claimed success of these attacks assumes the initialisation process of the stream cipher is one-to-one. Some stream cipher proposals do not have a one-to-one initialisation process. In this paper, we examine the impact of this on the success of time-memory-data tradeoff attacks. Under the circumstances, some attacks are more successful than previously claimed while others are less. The conditions for both cases are established.

  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Time-Memory Tradeoff (TMTO) attacks on stream ciphers are a serious security threat and the resistance to this class of attacks is an important criterion in the design of a modern stream cipher. TMTO attacks are especially effective against stream ciphers where a variant of the TMTO attack can make use of multiple data to reduce the off-line and the on-line time complexities of the attack (given a fixed amount of memory). In this paper we present a new approach to TMTO attacks against stream ciphers using a publicly known initial value (IV): We suggest not to treat the IV as part of the secret key material (as done in current attacks), but rather to choose in advance some IVs and apply a TMTO attack to streams produced using these IVs. We show that while the obtained tradeoff curve is identical to the curve obtained by the current approach, the new technique allows to mount the TMTO attack in a larger variety of settings. For example, if both the secret key and the IV are of length n, it is possible to mount an attack with data, time, and memory complex- ities of 24n/5, while in the current approach, either the time complexity or the memory complexity is not less than 2n. We conclude that if the IV length of a stream cipher is less than 1.5 times the key length, there exists an attack on the cipher with data, time, and memory complexities less than the complexity of exhaustive key search.
    Information Processing Letters 08/2008; 107(5):133-137. DOI:10.1016/j.ipl.2008.01.011 · 0.48 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: An initialisation process is a key component in modern stream cipher design. A well-designed initialisation process should ensure that each key-IV pair generates a different keystream. In this paper, we analyse two ciphers, A5/1 and Mixer, for which this does not happen due to state convergence. We show how the state convergence problem occurs and estimate the effective key-space in each case.
    Information Security and Privacy - 16th Australasian Conference, ACISP 2011, Melbourne, Australia, July 11-13, 2011. Proceedings; 01/2011
  • [Show abstract] [Hide abstract]
    ABSTRACT: Given a certain amount of known keystream from a keystream generator (KG), the most obvious way to determine the state of the generator is to search through all possible states, checking for a match between the resulting and observed keystream. In this paper, we draw attention to two attacks on stream cipher systems which, although their complexity grows exponentially with the size of the KG state, are more efficient than a simple-minded search through all possible KG states. Indeed, given sufficient storage and sufficient known keystream, each attack can almost halve the effective entropy of the state to be searched
    Security and Detection, 1995., European Convention on; 06/1995

Full-text (2 Sources)

Available from
May 19, 2014