A Chosen-IV Key Recovery Attack on Py and Pypy
Summary :
In this paper, we propose an effective key recovery attack on stream ciphers Py and Pypy with chosen IVs. Our method uses an internal-state correlation based on the vulnerability that the randomization of the internal state in the KSA is inadequate, and it improves two previous attacks proposed by Wu and Preneel (a WP-1 attack and a WP-2 attack). For a 128-bit key and a 128-bit IV, the WP-1 attack can recover a key with 223 chosen IVs and time complexity 272. First, we improve the WP-1 attack by using the internal-state correlation (called a P-1 attack). For a 128-bit key and a 128-bit IV, the P-1 attack can recover a key with 223 chosen IVs and time complexity 248, which is 1/224 of that of the WP-1 attack. The WP-2 attack is another improvement on the WP-1 attack, and it has been known as the best previous attack against Py and Pypy. For a 128-bit key and a 128-bit IV, the WP-2 attack can recover a key with 223 chosen IVs and time complexity 224. Second, we improve the WP-2 attack by using the internal-state correlation as well as the P-1 attack (called a P-2 attack). For a 128-bit key and a 128-bit IV, the P-2 attack can recover a key with 223 chosen IVs and time complexity 224, which is the same capability as that of the WP-2 attack. However, when the IV size is from 64 bits to 120 bits, the P-2 attack is more effective than the WP-2 attack. Thus, the P-2 attack is the known best attack against Py and Pypy.
- Publication
- IEICE TRANSACTIONS on Information Vol.E92-D No.1 pp.32-40
- Publication Date
- 2009/01/01
- Publicized
- Online ISSN
- 1745-1361
- DOI
- 10.1587/transinf.E92.D.32
- Type of Manuscript
- PAPER
- Category
- Application Information Security
Authors
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Takanori ISOBE, Toshihiro OHIGASHI, Hidenori KUWAKADO, Masakatu MORII, "A Chosen-IV Key Recovery Attack on Py and Pypy" in IEICE TRANSACTIONS on Information,
vol. E92-D, no. 1, pp. 32-40, January 2009, doi: 10.1587/transinf.E92.D.32.
Abstract: In this paper, we propose an effective key recovery attack on stream ciphers Py and Pypy with chosen IVs. Our method uses an internal-state correlation based on the vulnerability that the randomization of the internal state in the KSA is inadequate, and it improves two previous attacks proposed by Wu and Preneel (a WP-1 attack and a WP-2 attack). For a 128-bit key and a 128-bit IV, the WP-1 attack can recover a key with 223 chosen IVs and time complexity 272. First, we improve the WP-1 attack by using the internal-state correlation (called a P-1 attack). For a 128-bit key and a 128-bit IV, the P-1 attack can recover a key with 223 chosen IVs and time complexity 248, which is 1/224 of that of the WP-1 attack. The WP-2 attack is another improvement on the WP-1 attack, and it has been known as the best previous attack against Py and Pypy. For a 128-bit key and a 128-bit IV, the WP-2 attack can recover a key with 223 chosen IVs and time complexity 224. Second, we improve the WP-2 attack by using the internal-state correlation as well as the P-1 attack (called a P-2 attack). For a 128-bit key and a 128-bit IV, the P-2 attack can recover a key with 223 chosen IVs and time complexity 224, which is the same capability as that of the WP-2 attack. However, when the IV size is from 64 bits to 120 bits, the P-2 attack is more effective than the WP-2 attack. Thus, the P-2 attack is the known best attack against Py and Pypy.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.E92.D.32/_p
Copy
@ARTICLE{e92-d_1_32,
author={Takanori ISOBE, Toshihiro OHIGASHI, Hidenori KUWAKADO, Masakatu MORII, },
journal={IEICE TRANSACTIONS on Information},
title={A Chosen-IV Key Recovery Attack on Py and Pypy},
year={2009},
volume={E92-D},
number={1},
pages={32-40},
abstract={In this paper, we propose an effective key recovery attack on stream ciphers Py and Pypy with chosen IVs. Our method uses an internal-state correlation based on the vulnerability that the randomization of the internal state in the KSA is inadequate, and it improves two previous attacks proposed by Wu and Preneel (a WP-1 attack and a WP-2 attack). For a 128-bit key and a 128-bit IV, the WP-1 attack can recover a key with 223 chosen IVs and time complexity 272. First, we improve the WP-1 attack by using the internal-state correlation (called a P-1 attack). For a 128-bit key and a 128-bit IV, the P-1 attack can recover a key with 223 chosen IVs and time complexity 248, which is 1/224 of that of the WP-1 attack. The WP-2 attack is another improvement on the WP-1 attack, and it has been known as the best previous attack against Py and Pypy. For a 128-bit key and a 128-bit IV, the WP-2 attack can recover a key with 223 chosen IVs and time complexity 224. Second, we improve the WP-2 attack by using the internal-state correlation as well as the P-1 attack (called a P-2 attack). For a 128-bit key and a 128-bit IV, the P-2 attack can recover a key with 223 chosen IVs and time complexity 224, which is the same capability as that of the WP-2 attack. However, when the IV size is from 64 bits to 120 bits, the P-2 attack is more effective than the WP-2 attack. Thus, the P-2 attack is the known best attack against Py and Pypy.},
keywords={},
doi={10.1587/transinf.E92.D.32},
ISSN={1745-1361},
month={January},}
Copy
TY - JOUR
TI - A Chosen-IV Key Recovery Attack on Py and Pypy
T2 - IEICE TRANSACTIONS on Information
SP - 32
EP - 40
AU - Takanori ISOBE
AU - Toshihiro OHIGASHI
AU - Hidenori KUWAKADO
AU - Masakatu MORII
PY - 2009
DO - 10.1587/transinf.E92.D.32
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E92-D
IS - 1
JA - IEICE TRANSACTIONS on Information
Y1 - January 2009
AB - In this paper, we propose an effective key recovery attack on stream ciphers Py and Pypy with chosen IVs. Our method uses an internal-state correlation based on the vulnerability that the randomization of the internal state in the KSA is inadequate, and it improves two previous attacks proposed by Wu and Preneel (a WP-1 attack and a WP-2 attack). For a 128-bit key and a 128-bit IV, the WP-1 attack can recover a key with 223 chosen IVs and time complexity 272. First, we improve the WP-1 attack by using the internal-state correlation (called a P-1 attack). For a 128-bit key and a 128-bit IV, the P-1 attack can recover a key with 223 chosen IVs and time complexity 248, which is 1/224 of that of the WP-1 attack. The WP-2 attack is another improvement on the WP-1 attack, and it has been known as the best previous attack against Py and Pypy. For a 128-bit key and a 128-bit IV, the WP-2 attack can recover a key with 223 chosen IVs and time complexity 224. Second, we improve the WP-2 attack by using the internal-state correlation as well as the P-1 attack (called a P-2 attack). For a 128-bit key and a 128-bit IV, the P-2 attack can recover a key with 223 chosen IVs and time complexity 224, which is the same capability as that of the WP-2 attack. However, when the IV size is from 64 bits to 120 bits, the P-2 attack is more effective than the WP-2 attack. Thus, the P-2 attack is the known best attack against Py and Pypy.
ER -
English
