Results 1-10 of 29
A Generalized Birthday Problem
In CRYPTO, 2002
Cited by 127 (0 self)

Abstract: We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography.
Cube Attacks on Tweakable Black Box Polynomials
In Proceedings of the 28th Annual International Conference on Advances in Cryptology: The Theory and Applications of Cryptographic Techniques, LNCS 5479, 2009
Cited by 91 (8 self)

Abstract: Almost any cryptographic scheme can be described by tweakable polynomials over GF(2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2^55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2^19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2^30 bit operations. Trivium with 767 initialization rounds can now be broken with 2^45 bit operations, and the complexity of the attack can almost certainly be further reduced to about 2^36 bit operations. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds, and were not expected to succeed on random looking polynomials, cube attacks are provably successful when applied to random polynomials of degree d over n secret variables whenever the number m of public variables exceeds d + log_d n. Their complexity is 2^(d-1)·n + n^2 bit operations, which is polynomial in n and amazingly low when d is small.
Cube attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box (even when nothing is known about its internal structure) as long as at least one output bit can be represented by (an unknown) polynomial of relatively low degree in the secret and public variables.
Carlet. Algebraic attacks and decomposition of Boolean functions
In Advances in Cryptology – EUROCRYPT 2004, LNCS 3027, 2004
Cited by 70 (6 self)
Fast Correlation Attacks: an Algorithmic Point of View
In EUROCRYPT 2002, LNCS 2332, 2002
Cited by 34 (2 self)

Abstract: In this paper, we present some major algorithmic improvements to fast correlation attacks. In previous articles about fast correlations, algorithmics never was the main topic. Instead, the authors of these articles were usually addressing theoretical issues in order to get better attacks. This viewpoint has produced a long sequence of increasingly successful attacks against stream ciphers, which share a main common point: the need to find and evaluate parity-checks for the underlying linear feedback shift register. In the present work, we deliberately take a different point of view and we focus on the search for efficient algorithms for finding and evaluating parity-checks. We show that the simple algorithmic techniques that are usually used to perform these steps can be replaced by algorithms with better asymptotic complexity using more advanced algorithmic techniques. In practice, these new algorithms yield large improvements on the efficiency of fast correlation attacks.
New Constructions of Resilient and Correlation Immune Boolean Functions Achieving Upper Bound on Nonlinearity
2001
Cited by 19 (4 self)

Abstract: Recently, weight divisibility results on resilient and correlation immune Boolean functions have received a lot of attention. These results have direct consequences towards the upper bound on nonlinearity of resilient and correlation immune Boolean functions of certain order. Now the clear requirement in the design of resilient Boolean functions (which optimizes Siegenthaler's inequality) is to provide results which attain the upper bound on nonlinearity. Here we construct a 7-variable, 2-resilient Boolean function with nonlinearity 56. This solves the maximum nonlinearity issue for 7-variable functions with any order of resiliency. Using this 7-variable function, we also construct a 10-variable, 4-resilient Boolean function with nonlinearity 480. Construction of these two functions was posed as important open questions in Crypto 2000. Also, we provide methods to generate an infinite sequence of Boolean functions on n = 7 + 3i variables (i ≥ 0) with order of resiliency m = 2 + 2i, algebraic degree 4 + i and nonlinearity 2^(n-1) - 2^(m+1), which were not known earlier. We conclude with constructions of some unbalanced correlation immune functions of 5 and 6 variables which attain the upper bound on nonlinearity.
New covering radius of Reed-Muller codes for t-resilient functions
2002
Cited by 11 (0 self)

Abstract: From a viewpoint of cryptography, we define a new covering radius of Reed-Muller codes as the maximum distance between t-resilient functions and the r-th order Reed-Muller code RM(r, n). We next derive its lower and upper bounds. We also present a table of numerical data of our bounds. Keywords: Nonlinearity, t-resilient function, Reed-Muller code, covering radius, stream cipher.
A Generalized Birthday Problem (extended abstract)
In Advances in Cryptology – CRYPTO 2002, 2002
Cited by 10 (0 self)

Abstract: We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography. In this paper, we show new algorithms for the case k > 2: we show a cube-root time algorithm for the case of k = 4 lists, and we give an algorithm with subexponential running time when k is unrestricted.
Predicting the Shrinking Generator with Fixed Connections
In Advances in Cryptology – EUROCRYPT 2003, 2003
Cited by 8 (1 self)

Abstract: We propose a novel distinguishing attack on the shrinking generator with known feedback polynomial for the generating LFSR. The attack can e.g. reliably distinguish a shrinking generator with a weight 4 polynomial of degree as large as 10000, using 2^32 output bits. As the feedback polynomial of an arbitrary LFSR is known to have a polynomial multiple of low weight, our distinguisher applies to arbitrary shrunken LFSRs of moderate length. The analysis can also be used to predict the distribution of blocks in the generated keystream.
The Stream Cipher HC-128
Cited by 8 (0 self)

Abstract:
Statement 1. HC-128 supports 128-bit key and 128-bit initialization vector.
Statement 2. 2^64 keystream bits can be generated from each key/IV pair.
Statement 3. There is no hidden flaw in HC-128.
Statement 4. The smallest period is expected to be much larger than 2^128.
Statement 5. Recovering the secret key is as difficult as exhaustive key search.
Statement 6. Distinguishing attack requires more than 2^64 keystream bits.
Statement 7. There is no weak key in HC-128.
Statement 8. Encryption speed is 3.05 cycles/byte on Pentium M processor.
Statement 9. The key and IV setup takes about 27,300 clock cycles.
Statement 10. HC-128 is not covered by any patent and it is freely available.
Remarks. When more than 2^64 keystream bits are generated from each key/IV pair, the effect on the security of the message/key is negligible. Thus there is no need to implement any mechanism to restrict the keystream length in practice.