Abstract
Feedback with carry shift registers (FCSRs) have previously been available in two configurations, the Fibonacci and Galois architectures. Recently, a generalized and unifying FCSR structure and theory was presented. The new ring FCSR model repairs some weaknesses of the older architectures. Most notably, the carry cell bias property that was exploited for an attack on the eSTREAM final portfolio cipher F-FCSR-H v2 is no longer possible for the updated (and unbroken) F-FCSR-H v3 stream cipher. In this paper we show how to exploit a particular set of linear relations in ring FCSR sequences. We show what biases can be expected, and we also present a generalized birthday algorithm for actually realizing these relations. As all prerequisites of a distinguishing attack are present, we explicitly show a new such attack on F-FCSR-H v3 with an online time complexity of only \(2^{37.2}\). The offline time complexity (for finding a linear relation) is \(2^{56.2}\). This is the first successful attack on F-FCSR-H v3, the first attack to breach the exhaustive search complexity limit. Note that this attack is completely different from that of F-FCSR-H v2. We focus on this particular application in the paper, but the presented algorithm is actually very general. The algorithm can be applied to any FCSR automaton, so linearly filtered FCSRs and FCSR combiners may be particularly interesting targets for cryptanalysis.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
From a notational point of view, the reader may think of both \(T_1\) and \(T_2\) as hash tables, where, e.g., \(T_1\left[ k\right] =v\) means insertion of value \(v\) keyed on \(k\). While \(T_1\) can be implemented as linear storage (an array) in practice (this should become clear in Sect. 3.3), \(T_2\) needs to be implemented as a hash table.
References
Arnault F., Berger T., Lauradoux C.: Update on F-FCSR stream cipher. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/025 (2006). http://www.ecrypt.eu.org/stream/p3ciphers/ffcsr/ffcsr_p3.pdf. Accessed 16 June 2013.
Arnault F., Berger T., Lauradoux C., Minier M., Pousse B.: A new approach for F-FCSRs. In: Jacobson M.J., Jr., Rijmen V., Safavi-Naini R. (eds.) Selected Areas in Cryptography: SAC 2009. Lecture Notes in Computer Science, vol. 5867, pp. 433–448. Springer, Berlin (2009). doi:10.1007/978-3-642-05445-7_27.
Arnault F., Berger T., Pousse B.: A matrix approach for FCSR automata. Cryptogr. Commun. 3, 109–139 (2011). doi:10.1007/s12095-010-0041-z.
Cover T., Thomas J.A.: Elements of Information Theory. Wiley Series in Telecommunication, Wiley (1991). http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471241954.html. Accessed 16 June 2013.
Goresky M., Klapper A.: Arithmetic cross-correlations of FCSR sequences. IEEE Trans. Inf. Theory 43, 1342–1346 (1997).
Goresky M., Klapper A.: Fibonacci and Galois representations of feedback-with-carry shift registers. IEEE Trans. Inf. Theory 48(11), 2826–2836 (2002). doi:10.1109/TIT.2002.804048.
Hell M., Johansson T.: Breaking the stream ciphers F-FCSR-H and F-FCSR-16 in real time. J. Cryptol. 24(3), 427–445 (2009). doi:10.1007/s00145-009-9053-2.
Hell M., Johansson T., Brynielsson L.: An overview of distinguishing attacks on stream ciphers. Cryptogr. Commun. 1(1), 71–94 (2009). doi:10.1007/s12095-008-0006-7.
Hogg R.V., Tanis E.A.: Probability and Statistical Inference. MacMillan, New York (1993).
Klapper A., Goresky M.: 2-adic shift registers. In: Anderson R.J. (ed.) Fast Software Encryption’93. Lecture Notes in Computer Science, vol. 809, pp. 174–178. Springer, Berlin (1994). doi:10.1007/3-540-58108-1_21.
Klapper A., Goresky M.: Feedback shift registers, 2-adic span, and combiners with memory. J. Cryptol. 10(2), 111–147 (1997). doi:10.1007/s001459900024.
Matsui M.: Linear cryptanalysis method for DES cipher. In: Helleseth T. (ed.) Advances in Cryptology–EUROCRYPT’93. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, Berlin (1994). doi:10.1007/3-540-48285-7_33.
Pagh R., Rodler F.F.: Cuckoo hashing. J. Algorithms 51, 122–144 (2004). doi:10.1016/j.jalgor.2003.12.002.
Tian T., Qi W.F.: Linearity properties of binary FCSR sequences. Des. Codes Cryptogr. 52, 249–262 (2009). doi:10.1007/s10623-009-9280-4.
Wagner D.: A generalized birthday problem. In: Yung M. (ed.) Advances in Cryptology–CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp. 288–304. Springer, Berlin (2002). doi:10.1007/3-540-45708-9_19.
Wikipedia: Birthday problem: Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Birthday_problem. Accessed 17 Feb 2012.
Acknowledgments
This work was supported in part by the Swedish Research Council (Vetenskapsrådet) under Grant 621-2006-5249, the National Natural Science Foundations of China under Grant 61170208, the Shanghai Key Program of Basic Research under Grant 12JC1401400, the Shanghai Shuguang Project under Grant 10SG01, the National Defense Pre-Research Project under Grant 2012004.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by V. Rijmen.
Rights and permissions
About this article
Cite this article
Wang, H., Stankovski, P. & Johansson, T. A generalized birthday approach for efficiently finding linear relations in \(\ell \)-sequences. Des. Codes Cryptogr. 74, 41–57 (2015). https://doi.org/10.1007/s10623-013-9845-0
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-013-9845-0