nach oben

Designs, Codes and Cryptography

Erschienen in:

01.01.2015

A generalized birthday approach for efficiently finding linear relations in \(\ell \)-sequences

verfasst von: Hui Wang, Paul Stankovski, Thomas Johansson

Erschienen in: Designs, Codes and Cryptography | Ausgabe 1/2015

Einloggen, um Zugang zu erhalten

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Feedback with carry shift registers (FCSRs) have previously been available in two configurations, the Fibonacci and Galois architectures. Recently, a generalized and unifying FCSR structure and theory was presented. The new ring FCSR model repairs some weaknesses of the older architectures. Most notably, the carry cell bias property that was exploited for an attack on the eSTREAM final portfolio cipher F-FCSR-H v2 is no longer possible for the updated (and unbroken) F-FCSR-H v3 stream cipher. In this paper we show how to exploit a particular set of linear relations in ring FCSR sequences. We show what biases can be expected, and we also present a generalized birthday algorithm for actually realizing these relations. As all prerequisites of a distinguishing attack are present, we explicitly show a new such attack on F-FCSR-H v3 with an online time complexity of only \(2^{37.2}\). The offline time complexity (for finding a linear relation) is \(2^{56.2}\). This is the first successful attack on F-FCSR-H v3, the first attack to breach the exhaustive search complexity limit. Note that this attack is completely different from that of F-FCSR-H v2. We focus on this particular application in the paper, but the presented algorithm is actually very general. The algorithm can be applied to any FCSR automaton, so linearly filtered FCSRs and FCSR combiners may be particularly interesting targets for cryptanalysis.

Vorheriger Artikel New bounds on -separable codes of length 2

Nächster Artikel On the minimum number of points covered by a set of lines in

From a notational point of view, the reader may think of both \(T_1\) and \(T_2\) as hash tables, where, e.g., \(T_1\left[ k\right] =v\) means insertion of value \(v\) keyed on \(k\). While \(T_1\) can be implemented as linear storage (an array) in practice (this should become clear in Sect. 3.3), \(T_2\) needs to be implemented as a hash table.

Arnault F., Berger T., Lauradoux C.: Update on F-FCSR stream cipher. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/025 (2006). http://www.ecrypt.eu.org/stream/p3ciphers/ffcsr/ffcsr_p3.pdf. Accessed 16 June 2013.

Arnault F., Berger T., Lauradoux C., Minier M., Pousse B.: A new approach for F-FCSRs. In: Jacobson M.J., Jr., Rijmen V., Safavi-Naini R. (eds.) Selected Areas in Cryptography: SAC 2009. Lecture Notes in Computer Science, vol. 5867, pp. 433–448. Springer, Berlin (2009). doi:10.1007/978-3-642-05445-7_27.

Arnault F., Berger T., Pousse B.: A matrix approach for FCSR automata. Cryptogr. Commun. 3, 109–139 (2011). doi:10.1007/s12095-010-0041-z.

Cover T., Thomas J.A.: Elements of Information Theory. Wiley Series in Telecommunication, Wiley (1991). http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471241954.html. Accessed 16 June 2013.

Goresky M., Klapper A.: Arithmetic cross-correlations of FCSR sequences. IEEE Trans. Inf. Theory 43, 1342–1346 (1997).

Goresky M., Klapper A.: Fibonacci and Galois representations of feedback-with-carry shift registers. IEEE Trans. Inf. Theory 48(11), 2826–2836 (2002). doi:10.1109/TIT.2002.804048.

Hell M., Johansson T.: Breaking the stream ciphers F-FCSR-H and F-FCSR-16 in real time. J. Cryptol. 24(3), 427–445 (2009). doi:10.1007/s00145-009-9053-2.

Hell M., Johansson T., Brynielsson L.: An overview of distinguishing attacks on stream ciphers. Cryptogr. Commun. 1(1), 71–94 (2009). doi:10.1007/s12095-008-0006-7.

Hogg R.V., Tanis E.A.: Probability and Statistical Inference. MacMillan, New York (1993).

10.

Klapper A., Goresky M.: 2-adic shift registers. In: Anderson R.J. (ed.) Fast Software Encryption’93. Lecture Notes in Computer Science, vol. 809, pp. 174–178. Springer, Berlin (1994). doi:10.1007/3-540-58108-1_21.

11.

Klapper A., Goresky M.: Feedback shift registers, 2-adic span, and combiners with memory. J. Cryptol. 10(2), 111–147 (1997). doi:10.1007/s001459900024.

12.

Matsui M.: Linear cryptanalysis method for DES cipher. In: Helleseth T. (ed.) Advances in Cryptology–EUROCRYPT’93. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, Berlin (1994). doi:10.1007/3-540-48285-7_33.

13.

Pagh R., Rodler F.F.: Cuckoo hashing. J. Algorithms 51, 122–144 (2004). doi:10.1016/j.jalgor.2003.12.002.

14.

Tian T., Qi W.F.: Linearity properties of binary FCSR sequences. Des. Codes Cryptogr. 52, 249–262 (2009). doi:10.1007/s10623-009-9280-4.

15.

Wagner D.: A generalized birthday problem. In: Yung M. (ed.) Advances in Cryptology–CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp. 288–304. Springer, Berlin (2002). doi:10.1007/3-540-45708-9_19.

16.

Wikipedia: Birthday problem: Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Birthday_problem. Accessed 17 Feb 2012.

Titel: A generalized birthday approach for efficiently finding linear relations in -sequences
verfasst von: Hui Wang
Paul Stankovski
Thomas Johansson
Publikationsdatum: 01.01.2015
Verlag: Springer US
Erschienen in: Designs, Codes and Cryptography / Ausgabe 1/2015
Print ISSN: 0925-1022
Elektronische ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-013-9845-0

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Weitere Artikel der Ausgabe 1/2015

Spectrum of sizes for perfect 2-deletion-correcting codes of length 4

False Negative probabilities in Tardos codes

Binary and -ary Tardos codes, revisited

ETRU: NTRU over the Eisenstein integers

On cyclic codes over the ring

Two series of equitable symbol weight codes meeting the Plotkin bound