
Optimizing the Placement of Tap Positions

Conference paper, published in Cryptography and Information Security in the Balkans (BalkanCryptSec 2014).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9024)

Abstract

Although there are many different approaches used in the cryptanalysis of nonlinear filter generators, the selection of tap positions in connection with guess-and-determine cryptanalysis has not received enough attention yet. In a recent article [18], it was shown that the so-called filter state guessing attack (FSGA) introduced in [15], which applies to LFSR-based schemes that use (vectorial) Boolean filtering functions, performs much better if the placement of tap positions is taken into account. In this article, for a given LFSR of length L, we analyze the problem of selecting n (where \(n \ll L\)) tap positions of the driving LFSR (used as binary inputs to a filtering function) optimally, so that the complexity of FSGA-like attacks is maximized. An algorithm which provides a suboptimal solution to this problem is developed; it can be used in real-life applications when the choice of tap positions is to be made.


References

  1. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)

  2. Braeken, A., Preneel, B.: Probabilistic algebraic attacks. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 290–303. Springer, Heidelberg (2005)

  3. Carlet, C.: A larger class of cryptographic Boolean functions via a study of the Maiorana-McFarland construction. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 549–564. Springer, Heidelberg (2002)

  4. Courtois, N., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) Advances in Cryptology – EUROCRYPT 2003. LNCS, vol. 2656, pp. 346–359. Springer, Heidelberg (2003)

  5. Golić, J.D.: Intrinsic statistical weakness of keystream generators. In: Pieprzyk, J., Safavi-Naini, R. (eds.) Advances in Cryptology – ASIACRYPT 1994. LNCS, vol. 917, pp. 91–103. Springer, Heidelberg (1995)

  6. Golić, J.D.: On the security of nonlinear filter generators. In: Gollmann, D. (ed.) Fast Software Encryption 1996. LNCS, vol. 1039, pp. 173–188. Springer, Heidelberg (1996)

  7. Golić, J.D., Clark, A., Dawson, E.: Generalized inversion attack on nonlinear filter generators. IEEE Trans. Comput. 49(10), 1100–1109 (2000)

  8. Hellman, M.: A cryptanalytic time-memory tradeoff. IEEE Trans. Inform. Theor. 26(4), 401–406 (1980)

  9. Hong, J., Sarkar, P.: New applications of time memory data tradeoffs. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 353–372. Springer, Heidelberg (2005)

  10. Massey, J.L.: Shift-register synthesis and BCH decoding. IEEE Trans. Inform. Theor. 15(1), 122–127 (1969)

  11. Meier, W., Pasalic, E., Carlet, C.: Algebraic attacks and decomposition of Boolean functions. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 474–491. Springer, Heidelberg (2004)

  12. Mihaljević, M.J., Fossorier, M.P.C., Imai, H.: A general formulation of algebraic and fast correlation attacks based on dedicated sample decimation. In: Fossorier, M.P.C., Imai, H., Lin, S., Poli, A. (eds.) AAECC 2006. LNCS, vol. 3857, pp. 203–214. Springer, Heidelberg (2006)

  13. Mihaljević, M.J., Gangopadhyay, S., Paul, G., Imai, H.: Internal state recovery of Grain-v1 employing normality order of the filter function. IET Inform. Secur. 6(2), 55–64 (2006)

  14. Nyberg, K.: On the construction of highly nonlinear permutations. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 92–98. Springer, Heidelberg (1993)

  15. Pasalic, E.: On guess and determine cryptanalysis of LFSR-based stream ciphers. IEEE Trans. Inform. Theor. 55(7), 3398–3406 (2009)

  16. Hawkes, P., Rose, G.: Primitive specification and supporting documentation for SOBER-t16 submission to NESSIE. In: Proceedings of the First Open NESSIE Workshop, KU-Leuven (2000)

  17. Pasalic, E.: Probabilistic versus deterministic algebraic cryptanalysis: a performance comparison. IEEE Trans. Inform. Theor. 55(11), 2182–2191 (2009)

  18. Wei, Y., Pasalic, E., Hu, Y.: Guess and determine attacks on filter generators – revisited. IEEE Trans. Inform. Theor. 58(4), 2530–2539 (2012)

  19. Braeken, A., Lano, J., Mentens, N., Preneel, B., Verbauwhede, I.: SFINKS: A Synchronous Stream Cipher for Restricted Hardware Environments. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/026 (2005)

Acknowledgments

Enes Pasalic was supported in part by the Slovenian Research Agency research program (P3-0384) and research project (J1-6720). Samir Hodžić was supported in part by the Slovenian Research Agency (research program P3-0384 and Young Researchers Grant). Yongzhuang Wei was supported in part by the Natural Science Foundation of China (61100185,61201250), in part by the National Basic Research Program of China (2013CB338002), in part by the project of Outstanding Young Teachers’ Training in Higher Education Institutions of Guangxi.

Corresponding author

Correspondence to Samir Hodžić.

Appendix

In Table 5 we give several instances for determining suboptimal tap positions of LFSRs of different lengths. The following parameters are used:

  • L is the length of the LFSR;

  • n and m are the parameters of the vectorial Boolean function \(F:GF(2)^n\rightarrow GF(2)^m\);

  • D is the set of differences between consecutive tap positions;

  • c is the minimal number of observed outputs needed to obtain an overdefined system;

  • R is the number of repeated equations for the given c outputs;

  • \(\sigma \) is the optimal sampling step of the GFSGA attack;

  • \(T_{Comp.}\) is the time complexity of GFSGA.

Table 5. Specifications of difference sets for LFSRs of different lengths.

Remark 7

From the difference sets D in Table 5 we easily obtain the tap positions.

Table 6. Time complexities for finding tap positions in Table 5.

Remark 8

Note that the time required to create a particular set of differences depends on the cardinality of its parts: smaller cardinalities imply lower time complexity, though such an approach may yield solutions that are “far” from optimal. Table 6 presents the following:

  • Cardinality of parts refers to the modified algorithm on Page 10, bottom. For instance, (6, 6, 4) means that we first take \(\#X=6\) elements; finding their optimal permutation requires 137 s with our permutation algorithm. Then we take another \(\#Y_{p}=6\) elements and determine the order that best fits the set X, which requires 198 s (modified algorithm). Finally, the same procedure is applied to the set \(Y_{p}X\) by adding \(Z_{p}=4\) elements, again using our modified algorithm (8.5 s). The resulting set of differences is \(D=Z_{p}Y_{p}X\).

  • Complexity refers to the complexity of the permutation algorithm (Step B) and of its modification used to construct the set D.

  • The constant K accounts for the bookkeeping in the permutation algorithm (Step B): creating the list, searching, etc.
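The abstract and the appendix both rest on one quantity: for a given tap layout, how many of the filter inputs that a guess-and-determine attacker needs are already known from earlier sampled outputs (the parameter R), and which sampling step \(\sigma\) an attacker would pick to maximise it. The following Python is an added example written for this page, not code from the paper or its authors, and it uses a simplified model that is my assumption: output i is sampled after \(i\sigma\) clocks, so the filter at sample i reads sequence bits \(s_{t_j+i\sigma}\), every sequence bit counts as one unknown to be guessed, and reading a bit a second time yields a repeated equation. The convention that the first tap sits at position 1, the function names, and the toy inputs are likewise constructed here. It also recovers tap positions from a difference set, which is the step Remark 7 refers to.

```python
"""Tap-layout evaluation under a simplified GFSGA-style model.

Added example (not from the paper). Assumed model: c outputs are sampled
sigma clocks apart; sample i reads sequence bits s_{t + i*sigma} for every
tap t; each sequence bit is one unknown the attacker guesses once, and any
later re-read of it is a 'repeated equation' (the parameter R).
"""
from itertools import combinations


def taps_from_differences(D, first=1):
    """Recover tap positions from a difference set D = (d_1, ..., d_{n-1}).
    The first tap is placed at position `first` (assumed convention)."""
    taps = [first]
    for d in D:
        taps.append(taps[-1] + d)
    return taps


def differences_from_taps(taps):
    """Inverse of taps_from_differences: gaps between consecutive taps."""
    return [b - a for a, b in zip(taps, taps[1:])]


def repeated_equations(taps, sigma, c):
    """Count R under the assumed model for c samples spaced sigma apart."""
    seen = set()      # sequence-bit indices already guessed
    repeated = 0
    for i in range(c):
        for t in taps:
            p = t + i * sigma
            if p in seen:
                repeated += 1   # bit already known: free equation
            else:
                seen.add(p)     # fresh unknown: must be guessed
    return repeated


def best_step(taps, c, max_step=None):
    """Attacker's view: the sigma in 1..max_step that maximises R.
    Ties go to the smallest sigma. Returns (sigma, R)."""
    if max_step is None:
        max_step = max(taps)
    best = (1, repeated_equations(taps, 1, c))
    for sigma in range(2, max_step + 1):
        r = repeated_equations(taps, sigma, c)
        if r > best[1]:
            best = (sigma, r)
    return best


def has_distinct_pairwise_differences(taps):
    """Heuristic design check (my reading of the intuition, not a theorem
    of the paper): if all pairwise differences t_k - t_j are distinct, a
    single shift can align at most one pair of taps."""
    diffs = [b - a for a, b in combinations(taps, 2)]
    return len(diffs) == len(set(diffs))


def compare_layouts(layouts, c):
    """Designer's view: for each candidate difference set report the
    attacker-optimal sigma and the resulting R, so the layout with the
    smallest worst-case R can be chosen."""
    report = {}
    for D in layouts:
        taps = taps_from_differences(D)
        sigma, r = best_step(taps, c)
        report[tuple(D)] = {
            "taps": taps,
            "sigma": sigma,
            "R": r,
            "distinct_diffs": has_distinct_pairwise_differences(taps),
        }
    return report


if __name__ == "__main__":
    # Constructed toy inputs: n = 4 taps, c = 4 sampled outputs.
    # (1, 1, 1) packs the taps together; (1, 3, 7) spreads them out.
    for D, info in compare_layouts([(1, 1, 1), (1, 3, 7)], c=4).items():
        print(D, info)
```

Running the script shows the contiguous layout (1, 1, 1) giving an attacker R = 9 at step 1, while (1, 3, 7), whose six pairwise differences are all distinct, gives at most R = 4; in the paper's terms the latter leaves far fewer repeated equations for the same number of observed outputs. The model deliberately ignores the LFSR feedback (positions beyond L are linear combinations of the initial state, not independent unknowns) and the paper's actual \(T_{Comp.}\) formula, so its numbers are for ranking candidate layouts, not for quoting as attack complexities.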

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Pasalic, E., Hodžić, S., Bajrić, S., Wei, Y. (2015). Optimizing the Placement of Tap Positions. In: Ors, B., Preneel, B. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2014. Lecture Notes in Computer Science, vol 9024. Springer, Cham. https://doi.org/10.1007/978-3-319-21356-9_2

  • DOI: https://doi.org/10.1007/978-3-319-21356-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-21355-2

  • Online ISBN: 978-3-319-21356-9