Distinguishing Attacks on T-Functions

Künzli, Simon; Junod, Pascal; Meier, Willi

doi:10.1007/11554868_2

Cited by 9 publications

(8 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A notable example is i = 8 (and with other parameters as in Ex. 6), which results in an average value of χ 2 = 45 for N = 2 10 . This is a consequence of the specific setup in Ex.…”

Section: Resultsmentioning

confidence: 99%

“…In [10,11], predecessors of TSC-4 have been attacked by exploiting a bit-flip bias for multiple applications of the state update function f. This bias still exists for regular updates of TSC-4, but the strong filter function g prevents from an attack. In this section, we disregard the details of the filter function and investigate the statistical properties of multiple warm-up updates of TSC-4: While the regular updates have some guaranteed properties, the warm-up updates use additional ad hoc operations that are designed to accelerate diffusion.…”

Section: Analysis Of Tsc-4mentioning

confidence: 99%

See 1 more Smart Citation

Non-randomness in eSTREAM Candidates Salsa20 and TSC-4

Fischer

Meier

Berbain³

et al. 2006

Progress in Cryptology - INDOCRYPT 2006

Self Cite

View full text Add to dashboard Cite

Abstract. Stream cipher initialisation should ensure that the initial state or keystream is not detectably related to the key and initialisation vector. In this paper we analyse the key/IV setup of the eSTREAM Phase 2 candidates Salsa20 and TSC-4. In the case of Salsa20 we demonstrate a key recovery attack on six rounds and observe non-randomness after seven. For TSC-4, non-randomness over the full eight-round initialisation phase is detected, but would also persist for more rounds.

show abstract

“…A notable example is i = 8 (and with other parameters as in Ex. 6), which results in an average value of χ 2 = 45 for N = 2 10 . This is a consequence of the specific setup in Ex.…”

Section: Resultsmentioning

confidence: 99%

Section: Analysis Of Tsc-4mentioning

confidence: 99%

Non-randomness in eSTREAM Candidates Salsa20 and TSC-4

Fischer

Meier

Berbain³

et al. 2006

Progress in Cryptology - INDOCRYPT 2006

Self Cite

View full text Add to dashboard Cite

show abstract

“…This observation can be extended to a key-recovery attack with time complexity of 2 66 and data complexity of about 2 34 keystream bits. These attacks are the first key recovery attacks against the TSC family (distinguishing attacks have already been pointed out in [18,19]). Table 1 summarizes all these results.…”

Section: Contribution Of the Papermentioning

confidence: 99%

“…At Asiacrypt 2004, Mitra and Sarkar [22] described a time-memory trade-off attack which breaks some of the algorithms proposed by Klimov and Shamir. Kün-zli, Junod and Meier recently found distinguishing attacks applicable to many TFBSC's [19]. Taking into account these results, Hong et al proposed a new algorithm, called TSC-3 at the ECRYPT competition for stream cipher [7].…”

Section: Introductionmentioning

confidence: 99%

Linear Cryptanalysis of the TSC Family of Stream Ciphers

Muller¹,

Peyrin²

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this paper, we introduce a new cryptanalysis method for stream ciphers based on T-functions and apply it to the TSC family which was proposed by Hong et al.. Our attack are based on linear approximations of the algorithms (in particular of the T-function). Hence, it is related to correlation attack, a popular technique to break stream ciphers with a linear update, like those using LFSR's.We show a key-recovery attack for the two algorithms proposed at FSE 2005 : TSC-1 in 2 25.4 computation steps, and TSC-2 in 2 48.1 steps. The first attack has been implemented and takes about 4 minutes to recover the whole key on an average PC. Another algorithm in the family, called TSC-3, was proposed at the ECRYPT call for stream ciphers. Despite some differences with its predecessors, it can be broken by similar techniques. Our attack has complexity of 2 42 known keystream bits to distinguish it from random, and about 2 66 steps of computation to recover the full secret key.An extended version of this paper can be found on the ECRYPT website [23].

show abstract

“…At Asiacrypt 2004, Mitra and Sarkar described a time-memory trade-off attack [8] to break some stream ciphers proposed by Klimov and Shamir. Recently, Kunzli, Junod and Meier proposed the distinguishing attacks [7] applicable to several Tfunction based stream ciphers (TSC). Based on the above researches, Hong et al proposed a new TSC version called TSC-3 [2], as a candidate to eStream project.…”

Section: Introductionmentioning

confidence: 99%

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Zhang

Wang

2007

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. TSC-4 is a T-function based stream cipher with 80-bit key, and proposed as a candidate for ECRYPT eStream project. In this paper, we introduce a differential method to analyze TSC-4. Our attack is based on the vulnerable differential characteristics in the state initialization of TSC-4, and for the chosen IV pairs, the differential probability is up to 2 −15.40 in the case of weak keys. We show that there are about 2 72 weak keys among the total 2 80 keys. To recover 8 bits of a weak key needs about 2 40.53 chosen IV pairs. After that, we can search the other 72 key bits by an exhaustive attack.

show abstract

Distinguishing Attacks on T-Functions

Cited by 9 publications

References 10 publications

Non-randomness in eSTREAM Candidates Salsa20 and TSC-4

Non-randomness in eSTREAM Candidates Salsa20 and TSC-4

Linear Cryptanalysis of the TSC Family of Stream Ciphers

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Contact Info

Product

Resources

About