# State convergence and the effectiveness of time-memory-data tradeoffs.

**ABSTRACT** Various time-memory tradeoffs attacks for stream ciphers have been proposed over the years. However, the claimed success of these attacks assumes the initialisation process of the stream cipher is one-to-one. Some stream cipher proposals do not have a one-to-one initialisation process. In this paper, we examine the impact of this on the success of time-memory-data tradeoff attacks. Under the circumstances, some attacks are more successful than previously claimed while others are less. The conditions for both cases are established.


This is the author's version of a work that was submitted/accepted for publication in the following source:

Teo, Sui-Guan, Simpson, Leonie R., Wong, Kenneth Koon-Ho, & Dawson, Edward (2011) State convergence and the effectiveness of time-memory-data tradeoffs. In Abraham, Ajith, Zheng, Daniel, Agrawal, Dharma, Abdollah, Mohd Faizal, Corchado, Emilio, Casola, Valentina, et al. (Eds.) Proceedings of the 7th International Conference on Information Assurance and Security, IEEE, Universiti Teknikal Malaysia Melaka, Malacca, Malaysia, pp. 92-97.

This file was downloaded from: http://eprints.qut.edu.au/47843/

© Copyright 2011 IEEE

Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

Notice: Changes introduced as a result of publishing processes such as copy-editing and formatting may not be reflected in this document. For a definitive version of this work, please refer to the published source:

State Convergence and the Effectiveness of Time-Memory-Data Tradeoffs

Sui-Guan Teo, Kenneth Koon-Ho Wong, Ed Dawson
Information Security Institute, Queensland University of Technology, Brisbane Qld 4001, Australia
{sg.teo, kk.wong, e.dawson}@qut.edu.au

Leonie Simpson
Faculty of Science and Technology, Queensland University of Technology, GPO Box 2434, Brisbane Qld 4001, Australia
lr.simpson@qut.edu.au

Index Terms—Stream cipher, Time-Memory-Data Tradeoffs, state convergence, A5/1, Mixer, ZUC

I. INTRODUCTION

Modern stream cipher applications use a secret key and a publicly known initialisation vector (IV) to form an initial internal state before keystream generation begins. This is commonly used in secure communications, where a single communication in frame-based applications can consist of multiple frames. A communication will use a single master key and each frame in the communication will be encrypted using that key and a distinct IV. For example, a mobile phone conversation is divided into many frames. Each frame in the communication is encrypted separately using the same master key and using the frame number as the IV. The initial state for each frame formed from the master key and IV is referred to as a session key. Given a suitable state size (at least equal to the sum of the key and IV lengths), a good initialisation process should ensure that each key-IV pair generates a distinct session key and hence a distinct keystream.

State convergence in a keystream generator occurs when two distinct internal states generate the same next state. State convergence can occur either during initialisation, during keystream generation, or both. For the stream ciphers A5/1 [8], Mixer [9] and ZUC [10], analysis reveals that the keystream generators of each of these stream ciphers experience state convergence [11]–[14]. This occurs only during initialisation for Mixer but during both initialisation and keystream generation for A5/1 [13]. Where state convergence occurs during initialisation, the same keystream will be produced from different key-IV pairs.

A generic technique in stream cipher cryptanalysis is the time-memory-data tradeoff (TMDT) attack. TMDT attacks were first used to attack block ciphers by Hellman [1] and later adapted for stream cipher cryptanalysis by Babbage [2] and Golić [3]. Additional TMDT attacks on stream ciphers are proposed by Biryukov and Shamir [4], Hong and Sarkar [5], [6], and Dunkelman and Keller [7]. In this paper, we discuss the effectiveness of TMDT attacks when applied to keystream generators for which state convergence occurs, particularly with respect to the type of state convergence that occurs.

This paper is organised as follows. Section II gives a brief introduction to the initialisation and keystream generation process of keystream generators and reviews common TMDT attacks on stream ciphers. Section III discusses the effect state convergence has on TMDT master and session key recovery attacks. Section IV concludes this paper and proposes possible areas for future research.

II. BACKGROUND

A. Initialisation and keystream generation process

Keystream generators for stream ciphers operate by maintaining an internal state and applying update and output functions to the state. The state of a keystream generator is of size $s$ bits. Modern keystream generators take two inputs: a master key and an IV, of size $k$ and $v$ bits, respectively. Thus, a key-IV pair has a total length of $k+v$ bits. Before keystream generation commences, a key-IV pair is used to form an initial internal state value. This process is referred to as initialisation and can be considered as a mapping from binary vectors of length $k+v$ to those of length $s$.

The initialisation process is often performed in three phases: key-loading, IV-loading and the diffusion phase. In the key-loading and IV-loading phases, the master key and IV are transferred to the keystream generator's state. When both the master key and IV have been transferred, the stream cipher is in its "loaded state". If $s < k+v$, key and IV loading results in state compression and consequently, the total number of distinct keystreams is less than the total number of key-IV pairs. If $s \geq k+v$, the loading process potentially provides $2^{k+v}$ distinct loaded states.

Following this, the diffusion phase begins. This is generally the most complex phase of the initialisation process and it is important, as using the loaded state directly to begin keystream generation could make the stream cipher vulnerable to correlation or algebraic attacks. The diffusion phase consists of a number of iterations of the initialisation state-update function. Each iteration of the initialisation state-update function can be considered as a function which maps the state space to itself. This mapping should be one-to-one and nonlinear in nature.

After the initialisation process is complete, the keystream generator is said to be in an initial state. Let $I$ be the total number of distinct initial states. If $s \geq k+v$ and the initialisation process is well-designed, $I = 2^{k+v}$. If $I < 2^{k+v}$, state convergence has occurred during initialisation.

Once the keystream generator is in its initial state, the keystream generation phase begins. To generate keystream, a state-update function is applied to the internal state of the stream cipher and an output function is applied to this internal state. This state-update function can be either the same function used in the initialisation phase or a different function. An example of a stream cipher which uses the same state-update function for both initialisation and keystream generation is A5/1 [8], while Mixer [9] is an example of a stream cipher which uses a different state-update function for initialisation and keystream generation.

To prevent TMDT attacks, it is recommended that modern stream ciphers have an internal state size which is greater than or equal to $k+v$, where $v \geq 1.5k$ [7]. Since the state space is at least the size of the space spanned by a key-IV pair, it is reasonable to expect that the initialisation process will be one-to-one, that is, each distinct key-IV pair should map to a distinct state at the end of initialisation.

B. Review of some time-memory-data tradeoff attacks

The goal of TMDT attacks is to recover either the session key, the internal state at a known point in time or the master key. If the attacker manages to recover the session key of a keystream generator, they can use it to generate keystream to decrypt the entire frame. However, the attacker will not be able to use this session key to decrypt other frames in the conversation, since these will have been encrypted using the same master key but a different IV. Master key recovery is stronger as this allows an attacker to decrypt all other frames in a conversation.

TMDT attacks are performed in two phases: the pre-computation phase and the online phase. In the pre-computation phase, a lookup table is constructed. This table has two columns. For state recovery, the first column consists of selected session keys (initial internal states) of the stream cipher. For master key recovery, the first column consists of selected master keys (and might also include the IV). In both scenarios, the second column consists of a segment of keystream generated using either the corresponding key-IV pair, session key or internal state. In the online phase of the attack, the attacker compares the captured keystream to the second column of the lookup table. If a match is detected, the attacker assumes that the obtained session key, internal state or key-IV pair is correct.

The complexity of a TMDT attack can be described using a series of variables. $D$ is the amount of data the attacker needs in the online phase of the attack to recover the master key. $P$ is the pre-computation time needed to construct the lookup table. $M$ is the memory needed to construct and store the table. During the online phase, the attacker attempts to recover the session or master key by searching through the lookup table. The time taken to do the search is denoted by $T$. The success of the attack depends on $T$ or $M$ or the sum $T+M$ being less than $2^k$ or $2^s$, depending on the particular TMDT attack being used. Since $P$ is a one-off operation, it is assumed that the attacker has already pre-computed the lookup table beforehand and the time taken for this operation is not considered when measuring the complexity of the TMDT attack. In this section, we review the major TMDT attacks on stream ciphers.

1) Babbage and Golić: Babbage [2] and Golić [3] independently applied the TMDT attacks to stream ciphers. Their session key recovery attack is referred to as the BG attack in the remainder of this paper.

In the pre-computation phase, an attacker selects either $M$ different session keys or internal states. For each of these, the attacker produces some keystream of length $s$. The attacker then stores the session key-keystream pair in a lookup table, sorted according to the keystream.

In the real-time phase of the attack, the attacker takes a segment of keystream of length $D + \log s - 1$ they have captured and uses a sliding window to produce all $D$ possible keystream sub-strings of length $s$. The attacker then searches the lookup table to see if any of these substrings match. If there is a match, the session key corresponding to the keystream sub-string is considered to be the session key which generated the captured keystream. If the TMDT satisfies the following equation

$$T \cdot M = 2^{s} \quad \text{with } P = M \qquad (1)$$

the attack complexity is less than that of exhaustive keysearch. To provide resistance to this attack, both Babbage and Golić recommend that the size of the internal state of the stream cipher should be at least twice the key size.

2) Biryukov and Shamir: Biryukov and Shamir [4] combine the concepts of Hellman's TMDT attack on block ciphers [1] and the BG attack to provide a more efficient TMDT attack on stream ciphers. Their session key recovery attack is referred to as the BS attack for the remainder of this paper.

The pre-computation phase of the BS attack is similar to Hellman's pre-computation phase. The attacker defines a function $f$, which generates the keystream in the stream cipher. The attacker also chooses random permutations to take the place of the function $h$, a function which maps the $s$-bit state to another $s$-bit state. The attacker defines $g = h \circ f$ and creates lookup tables using Hellman's lookup table construction method. In the online phase, the attacker uses any instance $c$ in the $D$ keystreams obtained and iteratively applies $g$ to $h(c)$ until the $s$-bit value $h(c)$ matches an entry in the second column of the lookup table. Once a match is found, the session key which generated the keystream is recovered using the method used in Hellman's online phase attack. The tradeoff curve of the BS attack is given by:

$$T \cdot M^{2} \cdot D^{2} = 2^{2s} \quad \text{with } P = \frac{2^{2s}}{D} \text{ and } 1 \leq D^{2} \leq T \qquad (2)$$

The BS attack reiterates the importance that the size of the internal state of a keystream generator needs to be at least twice the master key size so that TMD tradeoffs are worse than exhaustive keysearch.

3) Hong and Sarkar: Hong and Sarkar's TMDT attack [5], [6] aims to recover the master key, as opposed to recovering the internal state or session key in the earlier attacks. Their master key recovery attack will be referred to as the HS attack for the remainder of this paper.

In the pre-computation phase of the HS attack, the attacker first chooses random key-IV pairs, storing the master key and the IV in the first column of the lookup table. For each key-IV pair, the attacker generates a keystream of length $k+v$ bits. The tradeoff curve from the HS attack is the same as the BS curve, but instead of it being an internal-state to keystream mapping, the HS attack uses a key-IV to keystream mapping:

$$T = M = 2^{\frac{1}{2}(k+v)} \quad \text{with } D = 2^{\frac{1}{4}(k+v)} \qquad (3)$$

Thus, if the attacker has access to $D = 2^{\frac{1}{4}(k+v)}$ bits of keystream, the attacker can recover the master key with a time and memory complexity of $T = M = 2^{\frac{1}{2}(k+v)}$. If $v < k$, the complexity of the attack is less than exhaustive key search. In order to resist the HS attack, Hong and Sarkar recommend that the IV size is at least as long as that of the master key.

4) Dunkelman and Keller: The TMDT attack by Dunkelman and Keller [7], referred to hereafter as the DK attack, is a master key recovery attack. In the DK attack, an attacker constructs lookup tables for chosen IVs. This approach is different from the HS attack, where each lookup table would consist of arbitrary IVs. Constructing lookup tables for each IV allows the attacker to take advantage of the fact that the IV is a publicly known value.

By constructing tables for specific IVs, the following tradeoff curve is obtained.

$$T \cdot M^{2} \cdot D^{2} = 2^{2(k+v)} \qquad (4)$$

Note that this is the same tradeoff curve as the HS and BS attacks. However, because of the IV table-based approach, this approach does not use multiple keystreams and hence imposes no restrictions on the parameters. Therefore, even for $T = M = D$, the complexity of the attack is less than exhaustive key search as long as $2^{2v} < 2^{3k}$. That is, a stream cipher would be resistant to the DK attack if $v \geq 1.5k$.

III. STATE CONVERGENCE AND THE EFFECTIVENESS ON TMD TRADEOFF ATTACKS

Recent analysis of several stream ciphers, namely A5/1 [8], Mixer [9] and ZUC [10], revealed that the initialisation processes are not one-to-one. For A5/1 and Mixer, the choice of state-update functions means that the number of distinct initial states decreases as the number of iterations of the state-update function increases [3], [11], [13]. There are three possible scenarios for state convergence in keystream generators. They are:

Scenario 1. The same master key used with different IVs generates the same initial state.

Scenario 2. The same IV used with different master keys generates the same initial state.

Scenario 3. Distinct key-IV pairs generate the same initial state.

We now analyse the effect state convergence has on the success of session key recovery and master key recovery TMDT attacks. A summary of our findings can be found in Table I. Table entries are either a tick (✓) or a cross (✗), where a tick means an attacker can be confident that the session key or master key they recovered is correct, while a cross means there is the possibility that the attacker has not recovered the correct master key.
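The following script is an added example and not code from the paper. It builds a small hypothetical keystream generator (three 4-bit registers with A5/1-style majority clocking, $k = 8$, $v = 4$, $s = 12$) so that every key-IV pair can be enumerated, measures the number of distinct initial states $I$ after each diffusion iteration, and classifies every colliding pair of key-IV pairs into Scenario 1, 2 or 3 as defined above. The register sizes, feedback taps and loading rule are constructed for illustration only and belong to no real cipher; the function names are this example's own.

```python
"""Measuring state convergence in a toy keystream generator (constructed
example; the generator is hypothetical and is not A5/1, Mixer or ZUC)."""
from collections import defaultdict
from itertools import combinations

K_BITS, V_BITS, S_BITS = 8, 4, 12   # k, v, s as in the paper, with s >= k + v
REG_MASK = 0xF                      # the 12-bit state is three 4-bit registers


def clock(r):
    """Shift a 4-bit register left with linear feedback (bit 3 XOR bit 0)."""
    fb = ((r >> 3) ^ r) & 1
    return ((r << 1) | fb) & REG_MASK


def step(state):
    """Initialisation state-update function: majority clocking over three
    registers. A register is clocked only if its clock bit (bit 1) agrees
    with the majority of the three clock bits, so two different states can
    reach the same next state, i.e. the mapping is not one-to-one."""
    r1 = state & REG_MASK
    r2 = (state >> 4) & REG_MASK
    r3 = (state >> 8) & REG_MASK
    c1, c2, c3 = (r1 >> 1) & 1, (r2 >> 1) & 1, (r3 >> 1) & 1
    majority = 1 if c1 + c2 + c3 >= 2 else 0
    if c1 == majority:
        r1 = clock(r1)
    if c2 == majority:
        r2 = clock(r2)
    if c3 == majority:
        r3 = clock(r3)
    return r1 | (r2 << 4) | (r3 << 8)


def load(key, iv):
    """Key-loading and IV-loading: the key fills the low k bits, the IV the
    next v bits. With s = k + v every key-IV pair gives a distinct loaded state."""
    return key | (iv << K_BITS)


def initialise(key, iv, rounds):
    """Loaded state followed by `rounds` iterations of the diffusion update."""
    state = load(key, iv)
    for _ in range(rounds):
        state = step(state)
    return state


def initial_state_groups(rounds):
    """Map each initial state to the list of key-IV pairs that produce it."""
    groups = defaultdict(list)
    for key in range(1 << K_BITS):
        for iv in range(1 << V_BITS):
            groups[initialise(key, iv, rounds)].append((key, iv))
    return groups


def distinct_initial_states(max_rounds):
    """I (number of distinct initial states) after 0..max_rounds iterations.
    I < 2^(k+v) means state convergence occurred during initialisation, and
    the sequence can only decrease because each round is the same function."""
    return [len(initial_state_groups(r)) for r in range(max_rounds + 1)]


def classify_convergence(rounds):
    """Count colliding key-IV pairs by the paper's three scenarios:
    1: same master key with different IVs, 2: same IV with different master
    keys, 3: both the key and the IV differ."""
    counts = {1: 0, 2: 0, 3: 0}
    for pairs in initial_state_groups(rounds).values():
        for (ka, va), (kb, vb) in combinations(pairs, 2):
            if ka == kb:
                counts[1] += 1
            elif va == vb:
                counts[2] += 1
            else:
                counts[3] += 1
    return counts


if __name__ == "__main__":
    total = 1 << (K_BITS + V_BITS)
    for r, n in enumerate(distinct_initial_states(6)):
        print(f"rounds={r}: I={n} of {total} loaded states")
    print("collisions by scenario after 1 round:", classify_convergence(1))
```

Running the script prints $I$ shrinking with each diffusion round, which is the behaviour the paper reports for A5/1 and Mixer; the per-scenario counts are what a designer would want to see before claiming the one-to-one initialisation that the tradeoff curves assume. A concrete collision in this toy generator is `step(1058) == step(546)`: both states have the two low registers equal to 2 and differ only in the third register (4 versus 2), and majority clocking sends both to 1092.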

A. Effect on TMDT attacks on stream ciphers

1) Session key recovery: The lookup tables for session key TMDT attacks are constructed so that an attacker can recover the session key for a particular keystream. If the captured keystream can be found in the lookup table, the attacker can use the corresponding session key to generate sufficient keystream to decrypt the entire encrypted frame.

An alternative to session key recovery is the internal state recovery TMDT attack. An internal state TMDT attack recovers the internal state of a keystream generator at a known point in time during keystream generation. The process used in internal state recovery TMDT attacks is similar to session key recovery. Note that although the process is the same, there is the possibility that internal state recovery attacks can only recover a portion of the frame, compared to session key recovery's ability to decrypt the entire frame. We only consider session key recovery in this section, although in some cases it might actually be the internal state that the attacker is recovering.

State convergence has a positive impact on the success of attacks aimed at session key recovery. If an attacker recovers the session key, they will be able to correctly decrypt the entire frame. It does not matter which key-IV pair generated the session key, since, by the definition of state convergence, multiple key-IV pairs can generate the same session key. Hence, the three different scenarios described have the same outcome with respect to the success or failure of TMDT attacks which recover session keys. However, since the attacker does not know the master key that was used, they will not be able to decrypt other frames in the communication and will need to perform the online phase of the TMDT attack again in order to decrypt these. If the number of distinct session keys $I$ is such that $I < 2^{k+v}$, the tradeoff equation in Equation 2 will result in reduced time, memory and data requirements if the attacker is aware of this and constructs the lookup table accordingly.

We now present an example of how this reduced session key size may have a positive effect on session key recovery on an actual cipher which has the state convergence problem. Mixer is an example of a stream cipher which uses different state-update functions for initialisation and keystream generation.

| Key recovery | Scenario 1 | Scenario 2 | Scenario 3 |
|---|---|---|---|
| Session key recovery | ✓ | ✓ | ✓ |
| Master key recovery (HS) | ✓ | ✗ | ✓ |
| Master key recovery (DK) | ✓ | ✗ | ✓ |

TABLE I
SUMMARY TABLE ON THE EFFECTIVENESS OF TMDT ATTACKS.

| | Original tradeoffs (192 bits) | New tradeoffs (191 bits) | New tradeoffs (109 bits) |
|---|---|---|---|
| T | $2^{96}$ | $2^{95.50}$ | $2^{54.50}$ |
| M | $2^{96}$ | $2^{95.50}$ | $2^{54.50}$ |
| D | $2^{48}$ | $2^{47.75}$ | $2^{27.25}$ |

TABLE II
ORIGINAL AND NEW TRADEOFFS FOR MIXER USING BIRYUKOV AND SHAMIR'S TRADEOFF EQUATION

Mixer uses a 128-bit master key and a 64-bit IV to initialise a 217-bit internal state. Teo et al. [13] estimate the total number of distinct session keys after all possible key-IV pairs undergo the initialisation phase to be bounded by $2^{191}$ and $2^{108.99}$.

Applying Equation 2 without taking into account state convergence gives the following tradeoff: $T = M = 2^{96}$, and $D = 2^{48}$. This constitutes an attack on Mixer. The bounds when the total number of distinct session keys is $2^{191}$–$2^{109}$ can be seen in Table II. In both cases, the time, memory, and data complexities may see significant reductions.

2) Master Key Recovery and Scenario 1: When a single master key and different IVs generate the same keystream, the HS attack can recover the correct master key if that key-IV pair was one of those selected for the construction of the lookup table. This is the case regardless of whether the state-update function used during initialisation and keystream generation is the same function or a different one. After the online phase of the TMDT attack, an attacker can check that the recovered IV is the same as that captured along with the keystream. If it is the same IV, the attacker can be confident that they have recovered the correct master key and can use that master key with other IVs to decrypt other frames in the communication. If the IV does not match the one recorded in the table, the attacker knows that they have recovered the wrong master key and would need to perform the online phase of the attack again.

A similar process happens in the DK attack. In the online phase, the attacker uses the appropriate IV-based lookup table and checks if there is a match on the captured keystream. If there is a match, the corresponding master key is the correct master key which generated the captured keystream. The attacker can then use that same master key with other IVs to decrypt other encrypted frames in the communication.

We now present an example of how this reduced master key size may have a positive effect on master key TMDT attacks on an actual cipher which has the state convergence problem. The ZUC stream cipher uses a 128-bit master key and a 128-bit IV. The keystream generator has a total state space of $s = 560$ bits. Since $k = v = 128$ bits and $k+v < s$, ZUC is resistant to most forms of TMDT attack except the DK attack, if state convergence is not taken into account. The tradeoffs for the HS and DK attacks without taking into account the state convergence issue are $T = M = 2^{128}$ and $D = 2^{64}$; and $T = M = D = 2^{102.4}$ respectively. Wu et al. [14] note that ZUC had Scenario 1 state convergence. Consequently, the effective master key size is potentially reduced to 66 or 100 bits, depending on which differential attack was used. As Wu et al. made no mention of the effective IV size as a result of the state convergence, we assume that the effective IV size is still 128 bits. The new tradeoffs can be seen in Table III.

As can be seen from the new tradeoff equations, considering the state convergence, the ZUC stream cipher is now vulnerable to the HS attack. Furthermore, both the HS and DK attacks now have significant reductions in time, memory and data requirements.
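To check the figures in Tables II and III, the following is an added example (not the paper's code) that evaluates the tradeoff curves of Equations (2)–(4) as base-2 exponents: the BS point $T = M$, $D^2 = T$ from which Table II is filled, the HS point of Equation (3), and the DK point with $T = M = D$. The Mixer session-key bounds and ZUC effective key sizes are the ones the paper quotes from Teo et al. [13] and Wu et al. [14]; the function names are this example's own, and the comparison with exhaustive search uses the nominal 128-bit key as the paper does.

```python
"""Tradeoff curves from Section II evaluated at the paper's parameters.
Added example, not the paper's code. All quantities are base-2 exponents:
a value of 95.5 stands for 2^95.5. Function names are this example's own."""


def bs_point(state_bits):
    """Biryukov-Shamir curve T*M^2*D^2 = 2^(2s), Equation (2), at the point
    T = M and D^2 = T that Table II uses: T = M = 2^(s/2), D = 2^(s/4).
    Passing the effective number of session-key bits instead of s models
    state convergence (I < 2^(k+v))."""
    return {"T": state_bits / 2, "M": state_bits / 2, "D": state_bits / 4}


def hs_point(key_bits, iv_bits):
    """Hong-Sarkar, Equation (3): the same curve taken over the key-IV space."""
    return bs_point(key_bits + iv_bits)


def dk_point(key_bits, iv_bits):
    """Dunkelman-Keller, Equation (4), with T = M = D: T^5 = 2^(2(k+v))."""
    t = 2 * (key_bits + iv_bits) / 5
    return {"T": t, "M": t, "D": t}


def beats_exhaustive_search(point, key_bits):
    """The tradeoff is an attack when online time and memory are below 2^k."""
    return point["T"] < key_bits and point["M"] < key_bits


def dk_resistant(key_bits, iv_bits):
    """Section II.B.4: the DK attack costs at least exhaustive search iff
    2^(2v) >= 2^(3k), i.e. v >= 1.5k."""
    return iv_bits >= 1.5 * key_bits


def mixer_table():
    """Table II: the nominal k+v = 192 bits for Mixer, then the 2^191 and
    2^109 session-key bounds of Teo et al. [13]."""
    return {bits: bs_point(bits) for bits in (192, 191, 109)}


def zuc_table():
    """Table III: ZUC with k = 128 and the 100-bit and 66-bit effective key
    sizes of Wu et al. [14]; the IV is assumed to stay at 128 bits."""
    return {attack: {k: fn(k, 128) for k in (128, 100, 66)}
            for attack, fn in (("HS", hs_point), ("DK", dk_point))}


if __name__ == "__main__":
    for bits, pt in mixer_table().items():
        print(f"Mixer/BS {bits:3d} bits: T=2^{pt['T']} M=2^{pt['M']} D=2^{pt['D']}")
    for attack, rows in zuc_table().items():
        for k, pt in rows.items():
            flag = "attack" if beats_exhaustive_search(pt, 128) else "no attack"
            print(f"ZUC/{attack} k={k:3d}: T=2^{pt['T']} D=2^{pt['D']} ({flag})")
    print("ZUC resistant to DK by the v >= 1.5k rule:", dk_resistant(128, 128))
```

The output reproduces both tables: for Mixer the 191-bit and 109-bit bounds give $T = M = 2^{95.5}, D = 2^{47.75}$ and $T = M = 2^{54.5}, D = 2^{27.25}$, and for ZUC the HS point moves from $2^{128}$ (no better than exhaustive search) to $2^{114}$ and $2^{97}$ once the effective key is 100 or 66 bits, while the DK point moves from $2^{102.4}$ to $2^{91.2}$ and $2^{77.6}$.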

3) Master Key Recovery and Scenario 2: Where the same keystream is generated by different master keys for any given IV, the attacker does not have the confidence that the master key they recovered is the correct one.

Let us assume that three master keys, $K_1$, $K_2$ and $K_3$, with the same IV, $V_1$, produce the same keystream and two master keys, $K_2$ and $K_3$, were used for the construction of the lookup table. The original frame was encrypted with the $K_1$-$V_1$ key-IV pair. During the online phase of the attack, the attacker recovers the two keys $K_2$ and $K_3$, which with IV $V_1$ will produce the same keystream. If an attacker, incorrectly assuming that $K_2$ was the actual master key, tries to use $K_2$ to decrypt other frames, it should not be successful, since $K_2$ with a different IV $V_2$ will most likely not generate the same keystream as would have been generated by the $K_1$-$V_2$ pair.

Since $K_1$ was not selected during the construction of the lookup table, the master key recovery TMDT attack in this scenario is equivalent to session key recovery. For the attack to succeed, the attacker has to hope that the correct master key was selected during the construction of the lookup table. If the correct master key was not used, the attacker will not be able to decrypt other encrypted frames in a single conversation.

| | HS (128 bits) | New HS (100 bits) | New HS (66 bits) | DK (128 bits) | New DK (100 bits) | New DK (66 bits) |
|---|---|---|---|---|---|---|
| T | $2^{128}$ | $2^{114}$ | $2^{97}$ | $2^{102.4}$ | $2^{91.2}$ | $2^{77.6}$ |
| M | $2^{128}$ | $2^{114}$ | $2^{97}$ | $2^{102.4}$ | $2^{91.2}$ | $2^{77.6}$ |
| D | $2^{64}$ | $2^{57}$ | $2^{48.5}$ | $2^{102.4}$ | $2^{91.2}$ | $2^{77.6}$ |

TABLE III
ORIGINAL AND NEW TRADEOFFS FOR ZUC V1.4

If $\gamma$ is the number of master keys an attacker obtains at the end of the online phase of the attack and $\nu$, with $\nu < v$, is the effective IV size of the stream cipher (the symbol for the effective IV size did not survive extraction; $\nu$ is used for it here and in Equation 6), the HS and DK tradeoff curve would be

$$(T + \gamma) \cdot M^{2} \cdot D^{2} = 2^{2(k+\nu)} \qquad (5)$$

The memory and data requirements, however, remain the same as would have been obtained in Equation 2. However, since $\gamma$ possible master keys can now appear in the lookup table, an attacker needs to try, on average, $\gamma/2$ keys with other IVs before they can be certain whether the master key they are currently trying is correct.

If a keystream generator uses the same state-update function for initialisation and keystream generation, it can be viewed as a keystream generator which performs an extended version of the initialisation process to generate keystream. Hence, if the segment of keystream used during the construction of the lookup table matched a segment of keystream which was captured not from the beginning of keystream generation, the number of possible master keys which could have generated the keystream with the particular IV can increase. Therefore, a successful TMDT master key recovery attack on a keystream generator which uses the same state-update function for both initialisation and keystream generation can be less likely than an attack on a keystream generator which uses a different state-update function for initialisation and keystream generation.

4) Master Key Recovery and Scenario 3: Where the keystream is generated by different key-IV pairs, during the online phase an attacker will know if they have recovered the correct master key based on the publicly known IV. If $\tau$ and $\nu$, with $\tau < 2^{k}$ and $\nu < 2^{v}$, are the effective master key and IV size respectively, the tradeoff curve would be

$$T \cdot M^{2} \cdot D^{2} = 2^{2(\tau+\nu)} \qquad (6)$$

Similar to Scenario 1, since the attacker knows the IV used to generate the captured keystream and assuming the master key used to generate the captured keystream was used during the construction of the lookup table, the attacker can be confident that the master key they recover during the online phase of the TMDT attack is the correct one. Furthermore, since $\tau < 2^{k}$ and $\nu < 2^{v}$, the HS and DK attacks will be less than exhaustive master key search.

Biryukov et al.'s [12] TMDT attack on A5/1 describes an attack which is able to recover the master key in a few minutes at most. The most expensive cost of this attack is the pre-computation complexity, which they calculated to be

$$P = M \cdot \sqrt{T} = 2^{48}$$

where $M = 2^{36}$, $T = 2^{24}$, and $2^{48}$ is the total number of initial states which will produce a certain 16-bit output prefix ($2^{64} \times 2^{-16}$). The estimates provided by Teo et al. [13] indicate the possibility that the number of distinct initial states at the end of A5/1's diffusion phase is $19.2/100 \times 2^{64} \approx 2^{61.62}$ due to state convergence. Using this new estimate, the pre-computation complexity of Biryukov et al.'s attack is reduced to $2^{61.62} \times 2^{-16} = 2^{45.62}$. This in turn potentially reduces the time and memory requirements to $M = 2^{35}$ and $T = 2^{21.24}$.

IV. DISCUSSION AND CONCLUSION.

This paper has analysed how state convergence could affect the effectiveness of TMDT attacks. In the case of session key TMDT attacks, an attacker potentially needs to guess a smaller set of session keys than what was originally intended by the designers of the stream cipher, since not all distinct key-IV pairs generate a distinct initial state. This could result in lower time, data and memory requirements for the session key TMDT attacks to succeed than previously estimated by the designers of the stream cipher. The disadvantage of session key recovery TMDT attacks is that if the attacker wants to decrypt other encrypted frames in the communication, they need to re-run the TMDT attack for each frame. Repeatedly using session key recovery TMDT attacks to decrypt multiple frames can therefore be less efficient than a master key recovery TMDT attack.

For master key recovery TMDT attacks, the success of the attacks depends on the type of scenario, as outlined in Section III. Unless the convergence is such that different master keys with the same IV produce the same session key, an attacker who recovers a master key can check whether the associated IV value matches the one observed along with the keystream. If the IV value is the same, the attacker can be confident that they have recovered the correct key. However, if state convergence is such that multiple distinct master keys with the same IV can generate the same keystream, the master key recovered by the attacker during the online phase of the TMDT attack may not be the correct master key. In this case, it is likely that the attacker can only decrypt a single frame, and master key TMDT attacks may be less effective than claimed. The attacker can only be confident that they have actually recovered the correct master key if they can use it to decrypt the contents of all the frames in the communication.

In this paper, we included examples of ciphers which experience state convergence. The implementation of TMDT attacks on these ciphers to verify the expected reductions in time, memory and data requirements remains future work. Additionally, we plan to investigate other stream ciphers with potential state convergence problems.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their helpful comments.

REFERENCES

[1] M. E. Hellman, "A Cryptanalytic Time-Memory Trade-Off," IEEE Transactions on Information Theory, vol. 26, no. 4, pp. 401–406, July 1980.

[2] S. Babbage, "Improved 'Exhaustive Search' Attacks on Stream Ciphers," in European Convention on Security and Detection, 1995, pp. 161–166.

[3] J. D. Golić, "Cryptanalysis of Alleged A5 Stream Cipher," in Advances in Cryptology — EUROCRYPT '97, ser. Lecture Notes in Computer Science, W. Fumy, Ed., vol. 1233. Springer, 1997, pp. 239–255.

[4] A. Biryukov and A. Shamir, "Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers," in Advances in Cryptology — ASIACRYPT 2000, ser. Lecture Notes in Computer Science, T. Okamoto, Ed., vol. 1976. Springer, 2000, pp. 1–13.

[5] J. Hong and P. Sarkar, "Rediscovery of Time Memory Tradeoffs," Cryptology ePrint Archive, Report 2005/090, July 2008, available from http://eprint.iacr.org/2005/090.pdf.

[6] J. Hong and P. Sarkar, "New Applications of Time Memory Data Tradeoffs," in Advances in Cryptology — ASIACRYPT 2005, ser. Lecture Notes in Computer Science, B. K. Roy, Ed., vol. 3788. Springer, 2005, pp. 353–372.

[7] O. Dunkelman and N. Keller, "Treatment of the Initial Value in Time-Memory-Data Tradeoff Attacks on Stream Ciphers," Information Processing Letters, vol. 107, no. 5, pp. 133–137, 2008.

[8] M. Briceno, I. Goldberg, and D. Wagner, "A pedagogical implementation of A5/1," 1999, available from http://cryptome.org/jya/a51-pi.htm.

[9] A. A. Kanso, "Mixer — A new stream cipher," Journal of Discrete Mathematical Sciences and Cryptography, vol. 11, no. 2, pp. 159–179, 2008.

[10] Data Assurance and Communication Security Research Center, "ZUC Specification," available from http://www.gsmworld.com/documents/EEA3_EIA3_ZUC_v1_4.pdf, 2010.

[11] J. Golić, "Cryptanalysis of Three Mutually Clock-Controlled Stop/Go Shift Registers," IEEE Transactions on Information Theory, vol. 46, no. 3, pp. 1081–1090, 2002.

[12] A. Biryukov, A. Shamir, and D. Wagner, "Real Time Cryptanalysis of A5/1 on a PC," in Fast Software Encryption (FSE 2000), ser. Lecture Notes in Computer Science, B. Schneier, Ed., vol. 1978. Springer, Heidelberg, 2001, pp. 1–18.

[13] S.-G. Teo, A. Al-Hamdan, H. Bartlett, L. Simpson, K. K.-H. Wong, and E. Dawson, "State Convergence in the Initialisation of Stream Ciphers," in Information Security and Privacy (ACISP 2011), ser. Lecture Notes in Computer Science, U. Parampalli and P. Hawkes, Eds., vol. 6812. Springer, 2011, pp. 75–88.

[14] H. Wu, P.-H. Nguyen, H. Wang, and S. Ling, "Cryptanalysis of Stream Cipher ZUC in the 3GPP Confidentiality & Integrity Algorithms 128-EEA3 & 128-EIA3," presented at the Rump Session of Asiacrypt 2010, 2010.

- Available from Ed Dawson · May 19, 2014
- Available from qut.edu.au