In this paper, we propose an effective key recovery attack on the stream ciphers Py and Pypy with chosen IVs. Our method uses an internal-state correlation based on the vulnerability that the randomization of the internal state in the KSA is inadequate, and it improves two previous attacks proposed by Wu and Preneel (a WP-1 attack and a WP-2 attack). For a 128-bit key and a 128-bit IV, the WP-1 attack can recover a key with 2^{23} chosen IVs and time complexity 2^{72}. First, we improve the WP-1 attack by using the internal-state correlation (called a P-1 attack). For a 128-bit key and a 128-bit IV, the P-1 attack can recover a key with 2^{23} chosen IVs and time complexity 2^{48}, which is 1/2^{24} of that of the WP-1 attack. The WP-2 attack is another improvement on the WP-1 attack, and it has been known as the best previous attack against Py and Pypy. For a 128-bit key and a 128-bit IV, the WP-2 attack can recover a key with 2^{23} chosen IVs and time complexity 2^{24}. Second, we improve the WP-2 attack by using the internal-state correlation as well as the P-1 attack (called a P-2 attack). For a 128-bit key and a 128-bit IV, the P-2 attack can recover a key with 2^{23} chosen IVs and time complexity 2^{24}, which is the same capability as that of the WP-2 attack. However, when the IV size is from 64 bits to 120 bits, the P-2 attack is more effective than the WP-2 attack. Thus, the P-2 attack is the best known attack against Py and Pypy.

- Publication: IEICE TRANSACTIONS on Information Vol.E92-D No.1 pp.32-40
- Publication Date: 2009/01/01
- Online ISSN: 1745-1361
- DOI: 10.1587/transinf.E92.D.32
- Type of Manuscript: PAPER
- Category: Application Information Security

The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.

Takanori ISOBE, Toshihiro OHIGASHI, Hidenori KUWAKADO, Masakatu MORII, "A Chosen-IV Key Recovery Attack on Py and Pypy" in IEICE TRANSACTIONS on Information, vol. E92-D, no. 1, pp. 32-40, January 2009, doi: 10.1587/transinf.E92.D.32.

URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.E92.D.32/_p

@ARTICLE{e92-d_1_32,

author={Takanori ISOBE and Toshihiro OHIGASHI and Hidenori KUWAKADO and Masakatu MORII},

journal={IEICE TRANSACTIONS on Information},

title={A Chosen-IV Key Recovery Attack on Py and Pypy},

year={2009},

volume={E92-D},

number={1},

pages={32-40},

keywords={},

doi={10.1587/transinf.E92.D.32},

ISSN={1745-1361},

month={January},}

TY - JOUR

TI - A Chosen-IV Key Recovery Attack on Py and Pypy

T2 - IEICE TRANSACTIONS on Information

SP - 32

EP - 40

AU - Takanori ISOBE

AU - Toshihiro OHIGASHI

AU - Hidenori KUWAKADO

AU - Masakatu MORII

PY - 2009

DO - 10.1587/transinf.E92.D.32

JO - IEICE TRANSACTIONS on Information

SN - 1745-1361

VL - E92-D

IS - 1

JA - IEICE TRANSACTIONS on Information

Y1 - January 2009

ER -