Revisit two memoryless state-recovery cryptanalysis methods on A5/1

IF 1.3, Zone 4, Computer Science, Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Yanbin Xu, Yonglin Hao, Mingxing Wang
IET Information Security, vol. 17, no. 4, pp. 626-638. Published 2023-06-18 (Journal Article). DOI: 10.1049/ise2.12120, https://onlinelibrary.wiley.com/doi/10.1049/ise2.12120. Publisher PDF: https://onlinelibrary.wiley.com/doi/epdf/10.1049/ise2.12120
Citation count: 2

Abstract

At ASIACRYPT 2019, Zhang proposed a near collision attack on A5/1 claiming to recover the 64-bit A5/1 state with a time complexity around $2^{32}$ cipher ticks with negligible memory requirements. Soon after its proposal, Zhang's near collision attack was severely challenged by Derbez et al., who claimed that Zhang's attack cannot have a time complexity lower than Golic's memoryless guess-and-determine attack dating back to EUROCRYPT 1997. In this article, both the guess-and-determine and the near collision attacks for recovering A5/1 states with negligible memory complexities are studied. Firstly, a new guessing technique called the move guessing technique, which constructs linear equation filters in a more efficient manner, is proposed. Such a technique can be applied to both guess-and-determine and collision attacks for efficiency improvements. Secondly, the filtering strength of the linear equation systems is taken into account for complexity analysis. Such filtering strengths are evaluated with practical experiments, making the complexities more convincing. Based on such new techniques, the authors are able to give 2 new guess-and-determine attacks on A5/1: the 1st attack recovers the internal state ${\boldsymbol{s}}^{0}$ with time complexity $2^{43.92}$; the 2nd one recovers a different state ${\boldsymbol{s}}^{1}$ with complexity $2^{43.25}$. Golic's guess-and-determine attack and Zhang's near collision attacks are revisited. According to our detailed analysis, the complexity of Golic's ${\boldsymbol{s}}^{1}$ recovery attack is no lower than $2^{46.04}$, higher than the previously believed $2^{43}$. On the other hand, Zhang's near collision attack recovers ${\boldsymbol{s}}^{0}$ with the time complexity $2^{53.19}$: such a complexity can be further lowered to $2^{50.78}$ with our move guessing technique.


Source journal: IET Information Security (Engineering and Technology - Computer Science: Theory and Methods)
CiteScore: 3.80
Self-citation rate: 7.10%
Articles published: 47
Review time: 8.6 months
Journal description: IET Information Security publishes original research papers in the following areas of information security and cryptography. Submitting authors should specify clearly in their covering statement the area into which their paper falls. Scope: Access Control and Database Security; Ad-Hoc Network Aspects; Anonymity and E-Voting; Authentication; Block Ciphers and Hash Functions; Blockchain, Bitcoin (Technical aspects only); Broadcast Encryption and Traitor Tracing; Combinatorial Aspects; Covert Channels and Information Flow; Critical Infrastructures; Cryptanalysis; Dependability; Digital Rights Management; Digital Signature Schemes; Digital Steganography; Economic Aspects of Information Security; Elliptic Curve Cryptography and Number Theory; Embedded Systems Aspects; Embedded Systems Security and Forensics; Financial Cryptography; Firewall Security; Formal Methods and Security Verification; Human Aspects; Information Warfare and Survivability; Intrusion Detection; Java and XML Security; Key Distribution; Key Management; Malware; Multi-Party Computation and Threshold Cryptography; Peer-to-peer Security; PKIs; Public-Key and Hybrid Encryption; Quantum Cryptography; Risks of using Computers; Robust Networks; Secret Sharing; Secure Electronic Commerce; Software Obfuscation; Stream Ciphers; Trust Models; Watermarking and Fingerprinting; Special Issues. Current Call for Papers: Security on Mobile and IoT devices - https://digital-library.theiet.org/files/IET_IFS_SMID_CFP.pdf