Distinguishing Attack on SN3 Stream Cipher

Orumiehchi, M.A.; Mohebbipoor, S. Fahimeh

doi:10.1109/iih-msp.2008.198

Cited by 3 publications

(6 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this appendix we examine the attacks on sn3 and mv3 presented in [14] and [15], respectively, and show that their correct data complexities are 2 …”

Section: A Appendixmentioning

confidence: 99%

“…The security claim made in [9] is that no attack on the cipher should be faster than exhaustive key search for 256-bit keys. As mentioned in the 2 We note that another distinguishing attack on sn3 was presented in [14]. The attack uses part of the observations used in our attack, along with different techniques.…”

mentioning

confidence: 99%

“…The attack uses part of the observations used in our attack, along with different techniques. The authors of [14] claim that the attack requires 2 28.2 words of key-stream. However, a careful examination of the attack, presented in the appendix, shows that it requires about 2 38 words of key-stream, while our attack requires less than 2 30 words.…”

mentioning

confidence: 99%

“…In Section 4 we present the attack on mv3. In the appendix we discuss the flaws in the attacks presented in [14] and [15].…”

mentioning

confidence: 99%

See 3 more Smart Citations

Distinguishing attacks on stream ciphers based on arrays of pseudo-random words

Keller

Miller

2010

Information Processing Letters

View full text Add to dashboard Cite

In numerous modern stream ciphers, the internal state consists of a large array of pseudo-random words, and the output key-stream is a relatively simple function of the state. In [16], it was heuristically shown that in various cases this structure may lead to distinguishing attacks on the cipher. In this paper we further investigate this structural attack. We present a rigorous proof of the main probabilistic claim used in the attack in the basic cases, and demonstrate by examining a concrete example (the cipher sn3 [11]) that the heuristic assumptions of the attack are remarkably precise in more complicated cases. Furthermore, we use the general technique to devise a distinguishing attack on the stream cipher mv3 [9] requiring 2 82 words of key-stream. Unlike the attacks in [16], our attack does not concentrate on the least significant bits of the words, thus allowing to handle the combination of more operations (xors, modular additions and multiplications, and rotations by a fixed number of bits) in the update and output rules of the cipher. * This is the full version of a paper submitted for publication in a journal, which contains only Sections 1, 2, and 3. The material in Section 4 concerns an attack on the mv3 stream cipher. After writing up a description of our results, we learned that essentially identical arguments -but with important miscalculations -had simultaneously been published in [15]. For the sake of completeness we include an appendix reconciling the two attacks. See footnote 2 for similar comments on the sn3 stream cipher.

show abstract

“…In this appendix we examine the attacks on sn3 and mv3 presented in [14] and [15], respectively, and show that their correct data complexities are 2 …”

Section: A Appendixmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

“…In Section 4 we present the attack on mv3. In the appendix we discuss the flaws in the attacks presented in [14] and [15].…”

mentioning

confidence: 99%

See 2 more Smart Citations

Distinguishing attacks on stream ciphers based on arrays of pseudo-random words

Keller

Miller

2010

Information Processing Letters

View full text Add to dashboard Cite

show abstract

“…On the other hand, according to the declaration of the designers, COSvd(2,128) was adopted by at least one commercial standard (the core algorithm in file system encryption software TURENEE). So far, there is only one literature [6] …”

mentioning

confidence: 99%

Security analysis of a new stream cipher

Zhang

Feng

2006

SCI CHINA SER F

View full text Add to dashboard Cite

In this paper, we analyze the security of a new stream cipher-COSvd(2,128). This cipher was proposed by E. Filiol et al. at the ECRYPT SASC'2004 (The State of the Art of Stream Ciphers). It uses clock-controlled non-linear feedback registers together with an S-box controlled by a chaotic sequence and was claimed to prevent any existing attacks. However, our analysis shows that there are some serious security flaws in the design of the S-box, resulting in heavy biased byte distribution in the keystream. In some broadcast applications, this flaw will cause a ciphertext-only attack with high success rate. Besides, there are also many security flaws in other parts of the cipher. We point out these flaws one by one and develop a divide-and-conquer attack to recover the secret keys from O(2 26 )-byte known plaintext with success rate 93.4597% and complexity O(2 113 ), which is much lower than 2 512 , the complexity of exhaustive search.Keywords: stream cipher, divide-and-conquer attack, non-linear feedback shift registers (NLFSR), chaotic sequence.From 1 st February of 2004, Europe launches the ECRYPT project, which collects lots of stream ciphers from all over the world. These new stream ciphers are unlike the traditional stream ciphers that use LFSRs as basic building blocks; instead they use more fashionable building blocks such as T-functions, non-linear feedback shift registers and random arrays. The aim of such a design is to frustrate the fast correlation attacks and algebraic attacks against LFSR-based stream ciphers, COSvd(2,128) [1] is such an example. It uses two NLFSRs and generates the driving sequence by clock-controlled method together with the so-called cross over mechanism, thus frustrating the direct applications of all kinds of general attacks on stream ciphers. Further, the attachment of a highly non-linear S-box conceals the driving sequence and makes the attacks [2][3][4] on lower version [5] invalid. On the other hand, according to the declaration of the designers, COSvd(2,128) was adopted by at least one commercial standard (the core algorithm in file system encryption software TURENEE). So far, there is only one literature [6]

show abstract