论文信息 - A Chosen IV Attack Against Turing

A Chosen IV Attack Against Turing

In this paper, we show that the key scheduling algorithm of the recently proposed stream cipher Turing suffers from important flaws. These weaknesses allow an attacker that chooses the initialization vector (IV) to recover some partial information about the secret key. In particular, when using Turing with a 256-bit secret key and a 128-bit IV, we present an attack that requires the ability to choose 237 IV and then recovers the key with complexity 272, requiring 236 bytes of memory.

Antoine Joux | Frédéric Muller

[1] Philip Hawkes,et al. Turing: A Fast Stream Cipher , 2002, FSE.

[2] Willi Meier,et al. Fast correlation attacks on certain stream ciphers , 1989, Journal of Cryptology.

[3] Adi Shamir,et al. Weaknesses in the Key Scheduling Algorithm of RC4 , 2001, Selected Areas in Cryptography.

[4] Thomas Johansson,et al. A New Version of the Stream Cipher SNOW , 2002, Selected Areas in Cryptography.

[5] Philip Hawkes,et al. Guess-and-Determine Attacks on SNOW , 2002, Selected Areas in Cryptography.

[6] Thomas Siegenthaler,et al. Correlation-immunity of nonlinear combining functions for cryptographic applications , 1984, IEEE Trans. Inf. Theory.

[7] John Ioannidis,et al. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP , 2002, NDSS.

[8] Shai Halevi,et al. Scream: A Software-Efficient Stream Cipher , 2002, FSE.

[9] Shai Halevi,et al. Cryptanalysis of Stream Ciphers with Linear Masking , 2002, CRYPTO.

[10] Philip Hawkes,et al. On the Applicability of Distinguishing Attacks Against Stream Ciphers , 2002, IACR Cryptol. ePrint Arch..

[11] Jovan Dj. Golic,et al. Linear Cryptanalysis of Bluetooth Stream Cipher , 2002, EUROCRYPT.

[12] Thomas Johansson,et al. SNOW - A new stream cipher , 2000 .

[13] Thomas Johansson,et al. Distinguishing Attacks on SOBER-t16 and t32 , 2002, FSE.