Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators

Krause, Matthias; Stegemann, Dirk

doi:10.1007/11799313_11

Cited by 12 publications

(12 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Later research [19,33] showed the effectiveness of BDD-based attacks on stream ciphers (albeit, they generally require a large amount of memory). Krause notes that one of the effective ways to disrupt BDD-based attacks is for the Boolean function combiner of the stream cipher is to have a robust BDD.…”

Section: Two Particular Cases Based On the Hwbf And Carlet-feng Funcmentioning

confidence: 99%

A construction of Boolean functions with good cryptographic properties

Chung

Stănică

Tan

et al. 2014

International Journal of Computer Mathematics

View full text Add to dashboard Cite

Abstract.The two important qualities of a cipher is security and speed. Frequently, to satisfy the security of a Boolean function primitive, speed may be traded-off. In this paper we present a general construction that addresses both qualities. The idea of our construction is to manipulate a cryptographically strong base function and one of its affine equivalent functions, using concatenation and negation. We achieve security from the inherent qualities of the base function, which are preserved (or increased) and obtain speed by the simple Boolean operations. We present two applications of the construction to demonstrate the flexibility and efficiency of the construction.

show abstract

Section: Two Particular Cases Based On the Hwbf And Carlet-feng Funcmentioning

confidence: 99%

A construction of Boolean functions with good cryptographic properties

Chung

Stănică

Tan

et al. 2014

International Journal of Computer Mathematics

View full text Add to dashboard Cite

show abstract

“…If 2 37 bits keystream and 2 28 bytes memory are available, our attack on one-level Bluetooth E0 has a time complexity 2 35.1 operations after a pre-computation of 2 49 operations. Compared with the previous attacks in [8,[19][20][21][22][23][24][25][26], this is the best attack against one-level Bluetooth E0 known so far. Our attack on LILI-128 works in 2 70.6 operations after a pre-computation of 2 36.9 operations, given only 2 24 -bit keystream and 2 24.5 -byte memory, which is also among the best known attack against LILI-128 [21,25,[27][28][29][30][31].…”

mentioning

confidence: 91%

Improved multi-pass fast correlation attacks with applications

Zhang

Feng

2011

Sci. China Inf. Sci.

View full text Add to dashboard Cite

In this paper we propose two new algorithms for multi-pass fast correlation attacks on stream ciphers. The first algorithm aims at fast symbol-wise decoding in the circumstances that the noise is not very high and we have little resource for pre-computation. The second algorithm deals with the practical decoding problem in the high noise and limited keystream cases. The new algorithms are applicable to arbitrary form LFSR and compare favorably to the previously known algorithms in the scenarios under consideration. As applications, we demonstrate new key recovery attacks on one-level Bluetooth E0 and LILI-128, respectively. Given 2 37 -bit keystream and 2 28 -byte memory, our attack against one-level E0 needs 2 35.1 operations. Given 2 24 -bit keystream and 2 24.5 -byte memory, our attack on LILI-128 has time complexity 2 70.6 operations.Correlation attacks are a classical class of attacks against the LFSR-based stream ciphers [1][2][3][4][5][6][7][8][9][10][11][12][13][14]. Given a proper correlation, such an attack aims at restoring the initial state of the underlying LFSR with complexity as low as possible. The original idea was proposed by Siegenthaler [13] in 1984. Then Meier and Staffelbach [9] found an interesting way to efficiently explore the correlation, provided that the feedback polynomial of the LFSR has a very low weight. A recent improvement of fast correlation attacks was made in [14] by the authors. The idea is to combine the divide-and-conquer strategy with fast correlation attack, resulting in a multi-pass attack. Though sometimes requiring more keystream bits, such an attack gets a large gain on the efficiency compared with the best previous results [3,12]. However, in real cryptanalysis, the length of the available keystream is often very limited either due to the constraints imposed by the designer of the corresponding cipher or due to the decreasing correlation probability with the keystream length increasing. Neither case can be efficiently decoded by the current fast correlation attacks.In this paper, we propose two new algorithms for fast correlation attacks based on the multi-pass approach and apply the second algorithm to further analyze the security of one-level Bluetooth

show abstract

“…They might be efficient against LFSR-based generators [20,21,34,35]. To resist BDD-based attacks, a Boolean function should have a high BDD size.…”

Section: Introductionmentioning

confidence: 99%

Cryptographic properties of the hidden weighted bit function

Wang

Carlet

Stănică

et al. 2014

Discrete Applied Mathematics

View full text Add to dashboard Cite

The hidden weighted bit function (HWBF), introduced by R. Bryant in IEEE Trans. Comp. 40 and revisited by D. Knuth in Vol. 4 of The Art of Computer Programming, is a function that seems to be the simplest one with exponential Binary Decision Diagram (BDD) size. This property is interesting from a cryptographic viewpoint since BDDbased attacks are receiving more attention in the cryptographic community. But, to be usable in stream ciphers, the functions must also satisfy all the other main criteria. In this paper, we investigate the cryptographic properties of the HWBF and prove that it is balanced, with optimum algebraic degree and satisfies the strict avalanche criterion. We calculate its exact nonlinearity and give a lower bound on its algebraic immunity. Moreover, we investigate its normality and its resistance against fast algebraic attacks. The HWBF is simple, can be implemented efficiently, has a high BDD size and rather good cryptographic properties, if we take into account that its number of variables can be much larger than for other functions with the same implementation efficiency. Therefore, the HWBF is a good candidate for being used in real ciphers. Indeed, contrary to the case of symmetric functions, which allow such fast implementation but also offer to the attacker some specific possibilities due to their symmetry, its structure is not suspected to be related to such dedicated attacks.

show abstract

Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators

Cited by 12 publications

References 16 publications

A construction of Boolean functions with good cryptographic properties

A construction of Boolean functions with good cryptographic properties

Improved multi-pass fast correlation attacks with applications

Cryptographic properties of the hidden weighted bit function

Contact Info

Product

Resources

About