Abstract
Time-Memory Tradeoff (TMTO) attacks on stream ciphers
are a serious security threat and the resistance to this class of attacks is
an important criterion in the design of a modern stream cipher. TMTO
attacks are especially effective against stream ciphers where a variant of
the TMTO attack can make use of multiple data to reduce the off-line
and the on-line time complexities of the attack (given a fixed amount of
memory).
In this paper we present a new approach to TMTO attacks against stream
ciphers using a publicly known initial value (IV): We suggest not to treat
the IV as part of the secret key material (as done in current attacks),
but rather to choose in advance some IVs and apply a TMTO attack
to streams produced using these IVs. We show that while the obtained
tradeoff curve is identical to the curve obtained by the current approach,
the new technique allows the TMTO attack to be mounted in a larger variety
of settings. For example, if both the secret key and the IV are of length n,
it is possible to mount an attack with data, time, and memory complexities
of 2^(4n/5), while in the current approach, either the time complexity
or the memory complexity is not less than 2^n.
Original language | English |
---|---|
Number of pages | 10 |
State | Published - 2008 |
Externally published | Yes |