Paper 2022/1349
Invertibility of multiple random functions and its application to symmetric ciphers
Abstract
The invertibility of a random function (IRF, in short) is an important problem and has wide applications in cryptography. For ex- ample, searching a preimage of Hash functions, recovering a key of block ciphers under the known-plaintext-attack model, solving discrete loga- rithms over a prime field with large prime, and so on, can be viewed as its instances. In this work we describe the invertibility of multiple random functions (IMRF, in short), which is a generalization of the IRF. In order to solve the IMRF, we generalize the birthday theorem. Based on the generalized birthday theorem and time-memory tradeoff (TMTO, in short) method, we present an efficient TMTO method of solving an IMRF, which can be viewed as a generalization of three main TMTO attacks, that is, Hellman’s attack, Biryukov and Shamir’s attack with BSW sampling, and Biryukov, Mukhopadhyay and Sarkar’s time- memory-key tradeoff attack. Our method is highly parallel and suitable for distributed computing environments. As a generalization of Hellman’s attack, our method overcomes its shortcoming of using only one pair of known plaintext and ciphertext and first admits more than one datum in a TMTO on block ciphers at the single key scenario. As a generaliza- tion of Biryukov and Shamir’s attack with BSW sampling, our method overcomes its shortcoming of using only a few data with specific prefix in stream ciphers and can utilize all data without any waste. As appli- cations, we get two new tradeoff curves: N2 = TM2D3, N = PD and D=τforblockciphers,andN2 =τ3TM2D2,N=τPDandD≥τ for stream ciphers, where τ is the number of random functions, that is, the number of independent computing units available to an attacker, N is the size of key space (for block ciphers) or state (for stream ci- phers) space, D the number of data captured by the attacker, and T, M, P the time/memory/precomputation cost consumed at each computing unit respectively. As examples, assume that 4096 computing units can be available for the attacker. Denote by 5-tuple (τ, T, M, D, P ) the costof our method. Then the cost of breaking DES, AES-128 and A5/1 is (212, 225.3, 225.3, 212, 244), (212, 273.3, 273.3, 212, 2116) and (212, 222.7, 217.3,217.3, 234.7) respectively
Metadata
- Available format(s)
- Category
- Foundations
- Publication info
- Preprint.
- Keywords
- Random functionTMTO block cipher stream cipher guess-and-determine attac
- Contact author(s)
-
fengxt @ amss ac cn
xgao @ mmrc iss ac cn
wzy @ whu edu cn
xzeng @ hubu edu cn - History
- 2022-10-14: approved
- 2022-10-10: received
- See all versions
- Short URL
- https://ia.cr/2022/1349
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/1349, author = {Xiutao Feng and Xiaoshan GAO and Zhangyi WANG and Xiangyong ZENG}, title = {Invertibility of multiple random functions and its application to symmetric ciphers}, howpublished = {Cryptology {ePrint} Archive, Paper 2022/1349}, year = {2022}, url = {https://eprint.iacr.org/2022/1349} }