On the frame length of Achterbahn-128/80

R. Göttfert, B. Gammel
2007 IEEE Information Theory Workshop on Information Theory for Wireless Networks. Published 2007-07-01.
DOI: 10.1109/ITWITWN.2007.4318039 (https://doi.org/10.1109/ITWITWN.2007.4318039)
Citations: 6

Abstract

In this paper we examine a correlation attack against combination generators introduced by Meier et al. in 2006 and extended to a more powerful tool by Naya-Plasencia. The method has been used in the cryptanalysis of the stream ciphers Achterbahn and Achterbahn-128/80. No mathematical proofs for the method were given. We show that rigorous proofs can be given in an appropriate model, and that the implications derived from that model are in accordance with experimental results obtained from a true combination generator. We generalize the new correlation attack and, using that generalization, show that the internal state of Achterbahn-128 can be recovered with complexity 2^119 using 2^48.54 consecutive keystream bits. In order to investigate a lower bound for the frame length of Achterbahn-128 we consider another application of the generalized correlation attack. This attack has complexity 2^136 (higher than brute force) and requires 2^44.99 keystream bits. Similar results hold for Achterbahn-128. Due to these findings our new recommendation for the frame length of Achterbahn-128 and Achterbahn-80 is 2^44 bits.