Linear Cryptanalysis of the TSC Family of Stream Ciphers

Abstract. TSC-4 is a T-function based stream cipher with 80-bit key, and proposed as a candidate for ECRYPT eStream project. In this paper, we introduce a differential method to analyze TSC-4. Our attack is based on the vulnerable differential characteristics in the state initialization of TSC-4, and for the chosen IV pairs, the differential probability is up to 2 −15.40 in the case of weak keys. We show that there are about 2 72 weak keys among the total 2 80 keys. To recover 8 bits of a weak key needs about 2 40.53 chosen IV pairs. After that, we can search the other 72 key bits by an exhaustive attack.

show abstract

“…Because Pr(K ∈ A , IV ∈ B) = 2 −14 , by the conditional probability formula with (10) and (11), we get…”

Section: Weak Keys Resulting In the High Occurrence Probability Of DImentioning

confidence: 99%

“…In 2005 and 2006, Muller and Peyrin [10,11] introduced a linear cryptanalysis attack on the TSC family TSC-1, TSC-2, TSC-3 together with Klimov and Shamir's ciphers. This linear correlation attack can recover the full secret keys of these stream ciphers.…”

Section: Introductionmentioning

confidence: 99%

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Zhang

Wang

2007

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The new structure has become little complex but it can produce key-streams faster than original ZUC. Attacks related to LFSR are reported in [6][7][8] which implies that it can lead to breakdown of algorithm. Reports and theoretical work discuss the strength of LFSR and suggest that LFSR is susceptible to attacks due to its linearity.…”

Section: Proposed Workmentioning

confidence: 99%

Modifying LFSR of ZUC to Reduce Time for Key-Stream Generation

Muthalagu

Jain

2017

JCSM

View full text Add to dashboard Cite

ZUC is stream-cipher which generates 32-bit key-stream by using 128-bit initial key and 123-bit initial vector. It encrypts the plaintext data to produce cipher-text data. The 128-EEA3 encryption and 128-EIA3 authentication algorithms are based on ZUC which are specified for use in 3GPP cellular communications systems. The algorithm is divided in three stages: LFSR (Linear Feedback Shift Register), Bit Reorganization (BR) and, Non-Linear Function. In this paper, we are going to discuss about our modifications proposed for LFSR along with small change in operation of Non-linear Function which can reduce time for generating key-stream. Many attacks based on weakness of LFSR due to its linearity are proposed which in turn makes ZUC susceptible to various attacks based on LFSR. As we know in the structure of LFSR, non-linearity is provided in last block of LFSR by feedback operation while all other being clocked with previous value of LFSR, so we have introduced bit-shifting and circular shift operations on few blocks of LFSR output of which will be taken as input to other blocks of LFSR.

show abstract

“…In [10,11], predecessors of TSC-4 have been attacked by exploiting a bit-flip bias for multiple applications of the state update function f. This bias still exists for regular updates of TSC-4, but the strong filter function g prevents from an attack. In this section, we disregard the details of the filter function and investigate the statistical properties of multiple warm-up updates of TSC-4: While the regular updates have some guaranteed properties, the warm-up updates use additional ad hoc operations that are designed to accelerate diffusion.…”

Section: Analysis Of Tsc-4mentioning

confidence: 99%

Non-randomness in eSTREAM Candidates Salsa20 and TSC-4

Fischer

Meier

Berbain³

et al. 2006

Progress in Cryptology - INDOCRYPT 2006

View full text Add to dashboard Cite

Abstract. Stream cipher initialisation should ensure that the initial state or keystream is not detectably related to the key and initialisation vector. In this paper we analyse the key/IV setup of the eSTREAM Phase 2 candidates Salsa20 and TSC-4. In the case of Salsa20 we demonstrate a key recovery attack on six rounds and observe non-randomness after seven. For TSC-4, non-randomness over the full eight-round initialisation phase is detected, but would also persist for more rounds.

show abstract

Linear Cryptanalysis of the TSC Family of Stream Ciphers

Cited by 10 publications

References 18 publications

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4

Modifying LFSR of ZUC to Reduce Time for Key-Stream Generation

Non-randomness in eSTREAM Candidates Salsa20 and TSC-4

Contact Info

Product

Resources

About