Top

Designs, Codes and Cryptography

Published in:

01-01-2015

A generalized birthday approach for efficiently finding linear relations in \(\ell \)-sequences

Authors: Hui Wang, Paul Stankovski, Thomas Johansson

Published in: Designs, Codes and Cryptography | Issue 1/2015

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Feedback with carry shift registers (FCSRs) have previously been available in two configurations, the Fibonacci and Galois architectures. Recently, a generalized and unifying FCSR structure and theory was presented. The new ring FCSR model repairs some weaknesses of the older architectures. Most notably, the carry cell bias property that was exploited for an attack on the eSTREAM final portfolio cipher F-FCSR-H v2 is no longer possible for the updated (and unbroken) F-FCSR-H v3 stream cipher. In this paper we show how to exploit a particular set of linear relations in ring FCSR sequences. We show what biases can be expected, and we also present a generalized birthday algorithm for actually realizing these relations. As all prerequisites of a distinguishing attack are present, we explicitly show a new such attack on F-FCSR-H v3 with an online time complexity of only \(2^{37.2}\). The offline time complexity (for finding a linear relation) is \(2^{56.2}\). This is the first successful attack on F-FCSR-H v3, the first attack to breach the exhaustive search complexity limit. Note that this attack is completely different from that of F-FCSR-H v2. We focus on this particular application in the paper, but the presented algorithm is actually very general. The algorithm can be applied to any FCSR automaton, so linearly filtered FCSRs and FCSR combiners may be particularly interesting targets for cryptanalysis.

previous article New bounds on -separable codes of length 2

next article On the minimum number of points covered by a set of lines in

From a notational point of view, the reader may think of both \(T_1\) and \(T_2\) as hash tables, where, e.g., \(T_1\left[ k\right] =v\) means insertion of value \(v\) keyed on \(k\). While \(T_1\) can be implemented as linear storage (an array) in practice (this should become clear in Sect. 3.3), \(T_2\) needs to be implemented as a hash table.

Arnault F., Berger T., Lauradoux C.: Update on F-FCSR stream cipher. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/025 (2006). http://www.ecrypt.eu.org/stream/p3ciphers/ffcsr/ffcsr_p3.pdf. Accessed 16 June 2013.

Arnault F., Berger T., Lauradoux C., Minier M., Pousse B.: A new approach for F-FCSRs. In: Jacobson M.J., Jr., Rijmen V., Safavi-Naini R. (eds.) Selected Areas in Cryptography: SAC 2009. Lecture Notes in Computer Science, vol. 5867, pp. 433–448. Springer, Berlin (2009). doi:10.1007/978-3-642-05445-7_27.

Arnault F., Berger T., Pousse B.: A matrix approach for FCSR automata. Cryptogr. Commun. 3, 109–139 (2011). doi:10.1007/s12095-010-0041-z.

Cover T., Thomas J.A.: Elements of Information Theory. Wiley Series in Telecommunication, Wiley (1991). http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471241954.html. Accessed 16 June 2013.

Goresky M., Klapper A.: Arithmetic cross-correlations of FCSR sequences. IEEE Trans. Inf. Theory 43, 1342–1346 (1997).

Goresky M., Klapper A.: Fibonacci and Galois representations of feedback-with-carry shift registers. IEEE Trans. Inf. Theory 48(11), 2826–2836 (2002). doi:10.1109/TIT.2002.804048.

Hell M., Johansson T.: Breaking the stream ciphers F-FCSR-H and F-FCSR-16 in real time. J. Cryptol. 24(3), 427–445 (2009). doi:10.1007/s00145-009-9053-2.

Hell M., Johansson T., Brynielsson L.: An overview of distinguishing attacks on stream ciphers. Cryptogr. Commun. 1(1), 71–94 (2009). doi:10.1007/s12095-008-0006-7.

Hogg R.V., Tanis E.A.: Probability and Statistical Inference. MacMillan, New York (1993).

10.

Klapper A., Goresky M.: 2-adic shift registers. In: Anderson R.J. (ed.) Fast Software Encryption’93. Lecture Notes in Computer Science, vol. 809, pp. 174–178. Springer, Berlin (1994). doi:10.1007/3-540-58108-1_21.

11.

Klapper A., Goresky M.: Feedback shift registers, 2-adic span, and combiners with memory. J. Cryptol. 10(2), 111–147 (1997). doi:10.1007/s001459900024.

12.

Matsui M.: Linear cryptanalysis method for DES cipher. In: Helleseth T. (ed.) Advances in Cryptology–EUROCRYPT’93. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, Berlin (1994). doi:10.1007/3-540-48285-7_33.

13.

Pagh R., Rodler F.F.: Cuckoo hashing. J. Algorithms 51, 122–144 (2004). doi:10.1016/j.jalgor.2003.12.002.

14.

Tian T., Qi W.F.: Linearity properties of binary FCSR sequences. Des. Codes Cryptogr. 52, 249–262 (2009). doi:10.1007/s10623-009-9280-4.

15.

Wagner D.: A generalized birthday problem. In: Yung M. (ed.) Advances in Cryptology–CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp. 288–304. Springer, Berlin (2002). doi:10.1007/3-540-45708-9_19.

16.

Wikipedia: Birthday problem: Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Birthday_problem. Accessed 17 Feb 2012.

Title: A generalized birthday approach for efficiently finding linear relations in -sequences
Authors: Hui Wang
Paul Stankovski
Thomas Johansson
Publication date: 01-01-2015
Publisher: Springer US
Published in: Designs, Codes and Cryptography / Issue 1/2015
Print ISSN: 0925-1022
Electronic ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-013-9845-0

Springer Professional

A generalized birthday approach for efficiently finding linear relations in \(\ell \)-sequences

Abstract

Premium Partner

Springer Professional

Abstract

Please log in to get access to your license.

Other articles of this Issue 1/2015

On the minimum number of points covered by a set of lines in

Erratum to: Intersection of Hamming codes avoiding Hamming subcodes

On cyclic codes over the ring

Group divisible designs with block size four and group type

ETRU: NTRU over the Eisenstein integers

Spectrum of sizes for perfect 2-deletion-correcting codes of length 4

Premium Partner