A Chosen-IV Key Recovery Attack on Py and Pypy
Abstract
In this paper, we propose an effective key recovery attack on the stream ciphers Py and Pypy with chosen IVs. Our method uses an internal-state correlation that arises because the randomization of the internal state in the KSA is inadequate, and it improves two previous attacks proposed by Wu and Preneel (the WP-1 attack and the WP-2 attack). For a 128-bit key and a 128-bit IV, the WP-1 attack recovers the key with 2^23 chosen IVs and time complexity 2^72. First, we improve the WP-1 attack by using the internal-state correlation (the P-1 attack). For a 128-bit key and a 128-bit IV, the P-1 attack recovers the key with 2^23 chosen IVs and time complexity 2^48, which is 1/2^24 of that of the WP-1 attack. The WP-2 attack is another improvement on the WP-1 attack and has been the best previously known attack against Py and Pypy. For a 128-bit key and a 128-bit IV, the WP-2 attack recovers the key with 2^23 chosen IVs and time complexity 2^24. Second, we improve the WP-2 attack by using the internal-state correlation in the same way as the P-1 attack (the P-2 attack). For a 128-bit key and a 128-bit IV, the P-2 attack recovers the key with 2^23 chosen IVs and time complexity 2^24, the same as the WP-2 attack. However, when the IV size is between 64 bits and 120 bits, the P-2 attack is more effective than the WP-2 attack. Thus, the P-2 attack is the best known attack against Py and Pypy.
Authors
- ISOBE Takanori, Graduate School of Science and Technology, Kobe University
- OHIGASHI Toshihiro, Graduate School of Science and Technology, Kobe University
- KUWAKADO Hidenori, Graduate School of Engineering, Kobe University
- MORII Masakatu, Graduate School of Engineering, Kobe University
Related papers
- Differentiability of four prefix-free PGV hash functions
- A Chosen-IV Key Recovery Attack on Py and Pypy
- Efficient Pseudorandom-Function Modes of a Block-Cipher-Based Hash Function
- A-6-8 Improved Bitslice Network for Computing the TIB3 S-Box
- Fast WEP-Key Recovery Attack Using Only Encrypted IP Packets
- Reversible Watermark with Large Capacity Based on the Prediction Error Expansion
- Fingerprinting Protocol Based on Distributed Providers Using Oblivious Transfer(Cryptography,Information Theory and Its Applications)
- Reversible Watermark with Large Capacity Based on the Prediction Error
- S-Box Bitslice Networks as Network Computing
- New Weakness in the Key-Scheduling Algorithm of RC4
- Internal-State Reconstruction of a Stream Cipher RC4(Information Security)(Information Theory and Its Applications)
- Compression Functions Suitable for the Multi-Property-Preserving Transform
- Systematic Generation of Tardos's Fingerprint Codes
- On the Condition for Detecting (t+μ)-error by Reed-Solomon Decoder Based on the Welch-Berlekamp Algorithm
- Generalized Classes of Weak Keys on RC4 Using Predictive State
- Comprehensive Analysis of Initial Keystream Biases of RC4