Paper 2022/1349

Invertibility of multiple random functions and its application to symmetric ciphers

Xiutao Feng, Key Laboratory of Mathematics Mechanization, Academy of Mathematics and System Science, Chinese Academy of Sciences
Xiaoshan GAO, Key Laboratory of Mathematics Mechanization, Academy of Mathematics and System Science, Chinese Academy of Sciences
Zhangyi WANG, School of Cyber Science and Engineering, Wuhan University
Xiangyong ZENG, Faculty of Mathematics and Statistics, Hubei Key Laboratory of Applied Mathematics, Hubei University
Abstract

The invertibility of a random function (IRF, in short) is an important problem and has wide applications in cryptography. For ex- ample, searching a preimage of Hash functions, recovering a key of block ciphers under the known-plaintext-attack model, solving discrete loga- rithms over a prime field with large prime, and so on, can be viewed as its instances. In this work we describe the invertibility of multiple random functions (IMRF, in short), which is a generalization of the IRF. In order to solve the IMRF, we generalize the birthday theorem. Based on the generalized birthday theorem and time-memory tradeoff (TMTO, in short) method, we present an efficient TMTO method of solving an IMRF, which can be viewed as a generalization of three main TMTO attacks, that is, Hellman’s attack, Biryukov and Shamir’s attack with BSW sampling, and Biryukov, Mukhopadhyay and Sarkar’s time- memory-key tradeoff attack. Our method is highly parallel and suitable for distributed computing environments. As a generalization of Hellman’s attack, our method overcomes its shortcoming of using only one pair of known plaintext and ciphertext and first admits more than one datum in a TMTO on block ciphers at the single key scenario. As a generaliza- tion of Biryukov and Shamir’s attack with BSW sampling, our method overcomes its shortcoming of using only a few data with specific prefix in stream ciphers and can utilize all data without any waste. As appli- cations, we get two new tradeoff curves: N2 = TM2D3, N = PD and D=τforblockciphers,andN2 =τ3TM2D2,N=τPDandD≥τ for stream ciphers, where τ is the number of random functions, that is, the number of independent computing units available to an attacker, N is the size of key space (for block ciphers) or state (for stream ci- phers) space, D the number of data captured by the attacker, and T, M, P the time/memory/precomputation cost consumed at each computing unit respectively. As examples, assume that 4096 computing units can be available for the attacker. Denote by 5-tuple (τ, T, M, D, P ) the costof our method. Then the cost of breaking DES, AES-128 and A5/1 is (212, 225.3, 225.3, 212, 244), (212, 273.3, 273.3, 212, 2116) and (212, 222.7, 217.3,217.3, 234.7) respectively

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint.
Keywords
Random functionTMTO block cipher stream cipher guess-and-determine attac
Contact author(s)
fengxt @ amss ac cn
xgao @ mmrc iss ac cn
wzy @ whu edu cn
xzeng @ hubu edu cn
History
2022-10-14: approved
2022-10-10: received
See all versions
Short URL
https://ia.cr/2022/1349
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1349,
      author = {Xiutao Feng and Xiaoshan GAO and Zhangyi WANG and Xiangyong ZENG},
      title = {Invertibility of multiple random functions and its application to symmetric ciphers},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1349},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1349}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.