New cube distinguishers on NFSR-based stream ciphers

Kesarwani, Abhishek; Roy, Dibyendu; Sarkar, Santanu; Meier, Willi

doi:10.1007/s10623-019-00674-1

Cited by 13 publications

(3 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Various cryptanalytic techniques have been applied to the proposed stream cipher. It is resistant to several attacks such as distinguisher attacks [19], and correlation attacks, and the keystream generated by it has good statistical properties like large period, high entropy, and high linear complexity [20]. It has been shown that retrieving the key or initial vector given the keystream is extremely difficult based on the correlation tests.…”

Section: Security Analysis Of Proposed Designmentioning

confidence: 99%

See 1 more Smart Citation

Design and Analysis of a new Stream Cipher based on Ring FCSR Automaton

Gundaram¹,

Tentu²,

Guntupalli³

et al. 2023

IJCDS

View full text Add to dashboard Cite

Feedback with Carry Shift Registers (FCSRs) are being most commonly used in the design of new stream ciphers. This is because the FCSRs have resistance to correlation and algebraic attacks because of their quadratic feedback [1], [2]. Two representations of FCSRs, namely, Galois and Fibonacci are quite popular. However, stream cipher designed using any of these representations is vulnerable to many attacks as proposed in [3], [4]. A new representation called the ring representation, which generalizes and avoids the weaknesses of both the representations of FCSRs has been proposed in [5]. Similar to other representations, the ring representations produce sequences that have high periods and entropy. The advantage of ring representation is that it results in faster diffusion and reduced implementation costs when compared to Galois and Fibonacci. This paper presents two designs of stream cipher based on ring representations. In both algorithms, the output is produced by linear filters that pass randomness tests. The ciphers proposed have undergone a thorough security analysis.

show abstract

Section: Security Analysis Of Proposed Designmentioning

confidence: 99%

“…The fact of linear combinations between internal automaton states that occur with a biased probability can be used as a basis for distinguishing attacks [19]. The existence of such relations seems implausible given the presence of carry cells.…”

Section: A Distinguisher Attackmentioning

confidence: 99%

Design and Analysis of a new Stream Cipher based on Ring FCSR Automaton

Gundaram¹,

Tentu²,

Guntupalli³

et al. 2023

IJCDS

View full text Add to dashboard Cite

show abstract

“…We apply our degree evaluation algorithm and superpoly recovery algorithm for Trivium. First we apply our algorithm on three cubes proposed in [KRSM20], which was tested to have zero-sum distinguisher till 842 rounds. We found they do not have zero-sum for some rounds, but two of them still have 841-round zero-sum distinguisher, which is the maximum number of rounds found so far for Trivium.…”

Section: Introductionmentioning

confidence: 99%

Improved Degree Evaluation and Superpoly Recovery methods with Application to Trivium

Wang¹,

Wu²,

Liu³

2022

Preprint

View full text Add to dashboard Cite

Cube attack is one powerful method in the cryptanalysis of NFSR-based ciphers. In this paper, we propose an improved degree evaluation method and a superpoly recovery technique, both of which are important in the cube attack. The algebraic degree of the cryptosystem could be not only used to judge whether the superpoly is zero, but also used to search for good cube indices set, and the estimation of which has always been a topic of concern in algebraic attacks. At CRYPTO 2017, Liu proposed a degree evaluation algorithm for NFSR-based ciphers by introducing the numeric mapping, but it only has good performance on sets of non-adjacent index for Trivium-like ciphers. To improve accuracy of degree evaluation, we introduce the concept of vector degree for a Boolean function and propose the vector numeric mapping technique which aims to describe the propagation of the vector degree. It turns out that the numeric mapping proposed by Liu is the degeneration of our vector numeric mapping, but vector numeric mapping leads to more accurate degree evaluation. Recovering superpoly of the cube is the key step in the preprocessing phase of cube attack. Three-subset division property without unknown subset has been an efficient tool in recovering the exact superpoly by studying the division trails. It is convenient to use off-the-shelf MILP solver to search all division trails by transforming the division property into a MILP model. But when there are too many division trails, it is difficult to find all solutions by a MILP solver. We propose a method to simplify this problem through combining the algebraic representations of the middle-round states in the iterative process of a cipher. Thanks to the introduction of some new variables instead of complex expressions of key bits and elimination of some trails in the middle round, the number of solutions for a MILP model will be greatly reduced. To verify the effectiveness of our methods, we apply them to the Trivium stream cipher. We find three cubes both of which have zero-sum distinguisher till 840 rounds. We also put forward 843 and 844-round key-recovery attacks against Trivium with time complexity at most 2 79.2 and 2 79.4 , respectively.

show abstract