PingPong-128, A New Stream Cipher for Ubiquitous Application

Similar documents
Contents TRIGONOMETRIC METHODS PROBABILITY DISTRIBUTIONS

Open Access Regression Analysis-based Chinese Olympic Games Competitive Sports Strength Evaluation Model Research

INVESTIGATION 2. What s the Angle?

Performance Comparison of Dynamic Voltage Scaling Algorithms for Hard Real-Time Systems

The Pythagorean Theorem and Its Converse Is That Right?

CS 188: Artificial Intelligence Spring Announcements

Data Compression. Reduces storage space and hence storage cost. Compression ratio = original data size /

Working Paper: Reversal Patterns

A Measurement Framework for National Key Performance Measures

2014 WHEAT PROTEIN RESPONSE TO NITROGEN

Fino Installation Instructions

Renewable Energy xxx (2011) 1e10. Contents lists available at SciVerse ScienceDirect. Renewable Energy

APPLICATION OF POLISH CALCIUM SORBENTS IN CARBONATE LOOPING

An Indian Journal FULL PAPER ABSTRACT KEYWORDS. Trade Science Inc. The tennis serve technology based on the AHP evaluation of consistency check

AHP-based tennis service technical evaluation consistency test

Announcements. CS 188: Artificial Intelligence Spring Today. P4: Ghostbusters. Exact Inference in DBNs. Dynamic Bayes Nets (DBNs)

Data Compression. Lossless And Lossy Compression. Text Compression. Lossless And Lossy Compression. Lossless compression is essential.

TECHNICAL BULLETINApril 2016

Grade 6. Mathematics. Student Booklet SPRING 2011 RELEASED ASSESSMENT QUESTIONS. Record your answers on the Multiple-Choice Answer Sheet.

Chp. 3_4 Trigonometry.notebook. October 01, Warm Up. Pythagorean Triples. Verifying a Pythagorean Triple... Pythagorean Theorem

PRESSURE LOSSES DUE TO THE LEAKAGE IN THE AIR DUCTS - A SAFETY PROBLEM FOR TUNNEL USERS?

Data Compression. Reduce the size of data. Reduces time to retrieve and transmit data. Compression ratio = original data size/compressed data size

CS 253: Algorithms. LZW Data Compression

CHAPTER 4. Surface Root-zone Water Content and Bentgrass Water Stress. During Drydown for Selected Putting Green Construction.

First Aid in School Policy

The development of a truck concept to allow improved direct vision of vulnerable road users by drivers

IGF Research Project N Safer High Heels

Apply the Law of Sines. You solved right triangles. You will solve triangles that have no right angle.

Flow Divider / Combiner Cartridge Valves

Chapter 5. Triangles and Vectors

Bicycle wheel and swivel chair

Integration of modelling and monitoring to optimize network control: two case studies from Lisbon

ERRATA for Guide for the Development of Bicycle Facilities, 4th Edition (GBF-4)

UNCORRECTED PROOF. Materials and methods

S. FURDEAN, D. LALESCU, Sandra Antonia MIHAILOV, A. GROZEA*

Small Game Hunter Lead Shot Communication Study. Executive Summary. A cooperative study conducted by:

Apply the Pythagorean Theorem

United States Patent (19)

Workrite Sierra HX & HXL Assembly Instructions for 3-leg Electric Workcenters

Exploring Impacts of Countdown Timers on Queue Discharge Characteristics of Through Movement at Signalized Intersections

OFFSHORE USE OF FLOATING SHEERLEGS

Hot-Air Blowers 12 / / Hot-Air Blowers

Department of Animal and Aquacultural Sciences, Norwegian University of life Science, PO-Box N-1432 Ås, Norway.

BASKETBALL SPEED AND AGILITY

In any right-angle triangle the side opposite to the right angle is called the Label the Hypotenuse in each diagram above.

Lesson 12.1 Right Triangle Trigonometry

ABSTRACT EXPERIMENTAL METHOD AND MODEL

Chapter 4 Group of Volunteers

PILOT PROGRAM FOR THE EVALUATION OF NANOFILTRATION MEMBRANES PREPARED BY: WILMINGTON, MA ON UF PERMEATE

1985 BFS CLINICS. BFS Clinic-Assembly in Kamloops, British Columbia. Westsyde High School. Bob Bridges is the Football Coach.

SUMMER ASSIGNMENT FOR FUNCTIONS/TRIGONOMETRY Bring to school the 1 st day of class!

Rules of Hockey including explanations. Effective from 1 January 2017

2014 Victorian Shooting Championship

SUMMER ASSIGNMENT FOR FUNCTIONS/TRIGONOMETRY Due September 7 th

Trial Rules for Schutzhund (RSVSchH) and Tracking Trials (RSVFH)

bark bark bat bat Multiple Meaning Words: Kindergarten to Grade 2 More Teaching Tools at harsh sound made by a dog

REQUEST FOR COMMENTS

A Step, Stride and Heading Determination for the Pedestrian Navigation System

Response by anglers to a differential harvest regulation on three black bass species at Skiatook Lake, Oklahoma

Rules of Hockey including explanations. Effective from 1 January 2015

Lesson 2 PRACTICE PROBLEMS Using Trigonometry in Any Triangle

Coroutines in Propeller Assembly Language

1 Measurement. What you will learn. World s largest cylindrical aquarium. Australian Curriculum Measurement and Geometry Using units of measurement

Name Class Date SAMPLE. Complete the missing numbers in the sequences below. 753, ,982. The area of the shape is approximately cm 2

PROTECTION FROM HAND-ARM TRANSMITTED VIBRATION USING ANTIVIBRATON GLOVES

Announcements. CS 188: Artificial Intelligence Spring Announcements II. P4: Ghostbusters 2.0. Today. Dynamic Bayes Nets (DBNs)

CS 188: Artificial Intelligence Spring Announcements

A control strategy for steering an autonomous surface sailing vehicle in a tacking maneuver

Inertial Sensor-Based Methods in Walking Speed Estimation: A Systematic Review

Numerical simulations of rip currents off arc-shaped coastlines

COMPARISON OF CORIOLIS AND TURBINE TYPE FLOW METERS FOR FUEL MEASUREMENT IN GAS TURBINE TESTING

The infection of tench (Tinca tinca) with Ligula intestinalis plerocercoids in Lake Beysehir (Turkey)

Turbulence characteristics in offshore wind farms from LES simulations of Lillgrund wind farm Fruh, Wolf-Gerrit; Creech, Angus C.W.; Maguire, A Eoghan

The Discussion of this exercise covers the following points: The open-loop Ziegler-Nichols method. The open-loop Ziegler-Nichols method

Ruth Foster, M.Ed. Author

MTH 112: Elementary Functions

Small-scale observations of atypical fire spread caused by the interaction of wind, terrain and fire

Availability of Binaural Cues for Bilateral Implant Recipients and Bimodal Listeners with and without Preserved Hearing in the Implanted Ear

Why? DF = 1_ EF = _ AC

Hook-up Checklist for the Ranger PM7000 (EU)

Available online at ScienceDirect. Procedia Materials Science 8 (2015 )

Lateral Earth Pressure on Lagging in Soldier Pile Wall Systems

PCT MINIMUM DOCUMENTATION

Report. Social Facilitation of Long-Lasting Memory Retrieval in Drosophila

PRACTICAL EXPERIENCE WITH THE INTRODUCTION OF HONEYCOMB SHROUD SEALS ON MW SUPERCRITICAL PRESSURE UNITS

EVOLVING GOALKEEPER BEHAVIOURS FOR SIMULATED SOCCER COMPETITION

USA Field Hockey s Modifications to the 2017 FIH Rules of Hockey

Available online at ScienceDirect. Energy Procedia 59 (2014 )

Unit 6 - Quiz 1. Look at the pictures and write the missing letters. (5x2=10)

Quantifying Efficacy and Avoidance Behavior by Tawny Mole Crickets (Orthoptera: Gryllotalpidae: Scapteriscus vicinus) to Three Synthetic Insecticides

Acoustic measurements of bubbles in the wake of ship model in tank

Chance. PARAMOUNT LDS 1st & 3rd Ward

Characteristics, Expenditures, and Economic Impact of Resident and Nonresident Hunters and Anglers in North Dakota, , Season and Trends

Dorridge & District Residents Association A Walk From Dorridge to Blythe Valley Nature Reserve

ANATOMY OF A TRIPOD: Friction Lock (column) 8 Boots / Footwear. Friction Lock (Leg)

Design and Calibration of Submerged Open Channel Flow Measurement Structures: Part 3 - Cutthroat Flumes

STATISTICAL ANALYSIS OF VISUAL WAVE OBSERVATIONS AND GAGE/RADAR MEASUREMENTS. w : :. 4 Ill. Marc Perlin

Skills Practice Skills Practice for Lesson 4.1

Recall that the area of a triangle can be found using the sine of one of the angles.

Right Triangle Trigonometry

Transcription:

2007 Interntionl Conference on Convergence Informtion Technology PingPong-128, A New Strem Cipher for Uiquitous Appliction HoonJe Lee, Kevin Chen Dept. Informtion Network Eng., Dongseo University, Busn, Kore ISI, Queensln Univ. of Technology, Brisne, Austrli E-mil: hlee@ongseo.c.kr, chenk@isrc.qut.eu.u Astrct The PingPong fmily of keystrem genertor is se on the LM-type summtion genertor. A mutulclock-control mechnism is e to the LM-type summtion genertor to provie security enhncement. PingPong-128, specific cipher from the PingPong fmily, is propose. It tkes 128-it key n 128-it initilistion vector, hs 257 its of internl stte, n chieves security level of 128 its. In this pper, we present the security nlysis of PingPong-128, incluing the resistnce to known ttcks ginst the summtion genertor n other clock-controlle genertors. 1. Introuction The two sic methos for encrypting text into ciphertext re strem n lock ciphers. Strem ciphers (s the nme suggests) encrypt text it-y-it n re firly rre with only few exmples in commercil pplictions such s RC4 [1]. The vntge of strem cipher is tht it is fster n much more efficient thn lock ciphers. For exmple, RC4 is close to twice s fst s the nerest lock cipher n cn e written in 30 lines of coe wheres the typicl lock cipher lgorithm tkes severl hunre lines of coe, mking them iel for Internet pplictions like SSL were spee n efficiency is more vlule [2]. The summtion genertor [3] ws propose in 1985, n correltion ttcks on it were pulishe in [4, 5]. In [6], fst correltion ttck on the summtion genertor is escrie. The LM genertor [7] ws propose in 2000 s n improvement to the summtion genertor. The propose improvement is the ition of n extr memory it to the comining function. The summtion genertor succums to rnge of ivie n conquer ttcks, from the strightforwr ivie n conquer ttck escrie in [5, 8], to correltion n fst correltion ttck in [4, 5] n [6], respectively. In this pper, we propose new genertor, PingPong, se on the summtion genertor, with the ition of mutul clock control structure. The purpose of the mutul clock control structure is to introuce irregulr clocking of the unerlying LFSRs thus implicitly incresing the nonlinerity of the output keystrem. In other wors, The PingPong genertor is clock controlle genertor. It is se on the LM genertor [7], which is moifiction of summtion genertor [3] se on two liner feeck shift registers (LFSRs). We emonstrte tht the moifiction efets the known ttcks ginst the summtion genertor, n other ttcks such s ttcks on irregulrly clocke keystrem genertors. An initilistion n rekeying process for the PingPong genertor is lso efine. The PingPong genertor extens the LM genertor through the use of irregulrly clocke unerlying shift registers. 2. Summtion-like Genertor 2.1. Description of the Summtion Genertor Fig. 1. Summtion Genertor(r 2) The summtion genertor uses r regulrly clocke inry LFSRs n Log 2 n its of crry. The LM genertor is se on summtion genertor with r 2. Denote the two LFSRs L 1 n L 2, respectively, n the crry it is enote y c. At time, enote the output of L 1 s, the output of L 2 s, n the output of f c s c, s shown in fig. 1. The initil stte of the crry it, 0-7695-3038-9/07 $25.00 2007 IEEE DOI 10.1109/ICCIT.2007.375 1893

c -1, is efine to e 0. At time, the output of the function f is the keystrem it, n is enote y. The outputs of functions f c n f t time re efine s: c f ) c (1) c ( 1 (2) f c 1 2.2. Cryptnlysis of the Summtion Genertor There re severl wys to recover the initil stte of the summtion genertor. A simple pproch is the ivie n conquer ttck [5]. Alterntively, fst correltion ttck [6] coul e performe. 2.3. Description of the LM Genertor recover the initil stte of the LM genertor. The ttcking lgorithm is given elow[14]: 1. Guess the initil stte of L n crry its c 1 n 1 2. Set 0 3. Clculte, it of R, using eqution 2 n the known keystrem it 4. Clculte c using eqution 1 n the clculte 5. Clculte using eqution 3 n the clculte 6. Increment, if < k then goto step 3 7. Initilise the LM genertor with the guesse initil stte of L n the clculte initil sttes L, c n 1, n n 1 8. Prouce cnite keystrem sequence { } k n { } k n n compre with oserve keystrem sequence 9. If { } k n { } k n n re ienticl, then the correct initil sttes of L n L re successfully recovere, else go to step 1 Fig. 2. LM Genertor(r 2) The LM genertor, shown in fig. 2 is very similr to the summtion genertor, in tht L, L n c re efine in exctly the sme wy. Another it of memory,, is e to the comining function, in n ttempt to overcome some of the pulishe ttcks on the summtion genertor. The crry it, c, is efine y eqution 1, ienticl to the summtion genertor. The itionl memory it is clculte y the function f n the output function f is chnge to inclue. The vlue of -1 is efine to e 0. f ) (3) ( 1 (4) f c 1 1 2.4. Cryptnlysis of the LM Genertor Due to the similrity in construction etween the summtion genertor n the LM genertor, similr lgorithms cn e use to ttck oth genertors. These re outline elow[14]. Divie n Conquer Attck The ttck on the summtion genertor given in [5] cn e pte to Fig.3. Fst Correltion Attck Moel for the LM Genertor This ttck requires exhustive serch of m+2 its, tht is, the sie of L n the crry it c n the memory it, to recover the initil sttes of oth registers, tht is, the m+n its of initil stte. Uner this ttck, the ition of offers only one extr it of security over the summtion genertor. Fst Correltion Attck The LM genertor cn e moelle s the moulo-two sum of two LFSRs, plus some inry noise, s shown in fig. 3, where e is the noise n is the output keystrem it. For the LM genertor, the noise is provie y the moulo-two sum of the crry it c n the memory it. The two memory its re highly correlte, with P(c ) 0.75. Therefore, moelling the LM genertor this wy, the noise level is 0.25. This is significnt evition 1894

from 0.5, n mkes the LM genertor vulnerle to fst correltion ttck, similr to the fst correltion ttck on the summtion genertor. Tle 1. Distriution of c n c 1 1 c 0 1 1 0 0 1 0 1 0 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 1 1 0 in the LM Genertor 0 1 1 0 0 1 1 0 The crry it, c, n the memory it,, re ienticl with proility of 0.75, s shown in Tle 1. Recll tht the output of the LM genertor is efine s c 1 1 ( ) ( c 1 1 1 1 Since c 0 is true with proility 0.75, is lso true with proility 0.75. This cn e exploite in fst correltion ttck to recover the initil sttes of the LM genertor [7]. 3. PingPong Genertor 3.1. Description of the PingPong Genertor ) Propose PingPong fmily genertors re simple, esy to implement in hrwre n in softwre, n high secure. PingPong fmily in fig.4 is hyri genertor, comining the LM genertor (improve summtion genertor) with high secure clockcontrolle genertor. LFSR A is clock-controlle y function f, it hs rnom integer output. An LFSR B is clock-controlle y function f, it lso hs rnom output. Two clock-controlle functions give multiple clock to the other LFSR. It mkes tht the output shoul e more unpreictle. Pingpong Fmily genertor outputs, c n c from ech LFSR outputs n, previous crry c -1 n previous memory -1 s in fig.4. f y (5) 1 f f (,, 1 ) ( ) 1 Fig.4. PingPong Fmily Genertor (6) where (y) is the output sequence of summtion genertor, () the output sequence of LFSR 1, () the output sequence of LFSR 2, (c) crry sequence, c -1 0 crry initilition vlue, () memory sequences, -1 0 memory initilition vlue. 3.2. PingPong-128 In this Section, we escrie in etil PingPong-128, n instnce from the PingPong fmily of strem ciphers. It hs two mutully clocking LFSRs n single memory it. The LFSRs re of lengths 127 its n 129 its. Together with the memory it they give PingPong-128 n internl stte of 257 its. PingPong- 128 tkes 128-it key n 128-it initilistion vector to fill the internl stte. Keystrem Genertion The PingPong genertor prouces the output keystrem y comining the LFSR sequences n the memory sequence. PingPong-128 hs two mutully clocking LFSRs L n L, n 1895

single it of memory c. Two primitive polynomils, P (x) n P (x) re following: p p 127 ( x) x 55 x 23 x 1 x 1 ( x) x x x x 129 93 53 13 9 109 52 21 125 89 49 91 48 20 1 Fig. 5. PingPong-128 Genertor Two clock-control functions, f (L ) n f (L ), n the output keystrem it n memory it c t time re efine to e ienticl to the summtion genertor: f ( L ) 2L 42 ( t) + L85( t) (7) f ( L ) 2L 43 ( t) + L86( t) (8) (9) y 1 5 85 45 121 84 45 19 81 41 117 (10) f (,, 1 ) ( ) 1 16 77 37 Clock Control For PingPong-128, oth LFSRs re irregulrly clocke, with ech register controlling the clocking of the other. Two tps re tken from L to clculte vlue in the rnge 1... 4, n L is clocke 1 to 4 times ccoring to this vlue. Similrly, vlue is clculte from two tps tken from L to clock L. The clock control is clculte y ove two functions, f A n f B. This clocking scheme cn e pplie to the PingPong fmily of keystrem genertors with n unerlying LFSRs, where L is use to clock L +1 n L 1 is clocke y L n. Key Loing n Rekeying In some communiction systems, errors occur which require tht the entire messge e resent. When synchronous strem cipher is use, then security requires tht ifferent keystrem sequence e use. To chieve this, the rekeying of strem cipher shoul inclue metho 73 42 113 41 13 73 33 67 109 37 12 69 29 66 105 7 63 34 65 25 6 101 56 30 61 21 2 97 27 57 17 for reinitilistion using oth the secret key n n itionl initilistion vector which is sent in the cler, or otherwise pulicly known. We now escrie propose metho for the initil key loing n for the rekeying of PingPong-128. For PingPong-128, oth k n iv hve length of 128 its, n together they fill 257 its of internl stte. The initilistion process cn lso e use for rekeying. The process to generte the initil stte for the keystrem genertor uses the genertor itself twice. The strting stte of L is otine simply y XORing the two 128-it inry strings of the key, k, n iv, tht is, L (k iv)mo 2 127. The strting stte of 129 its for L is otine y consiering the 128-it key, emee in 129-it wor n shifte 1 it to the left, n XORing tht with the initilistion vector emee in 129-it wor with leing ero, tht is, L (k<<1) (0 iv). Now the cipher is run to prouce n output string of length 257 its. For the secon itertion of the cipher, the first 128 its of this output string re use to form the initil stte of L, n the remining 129 its re use to form the initil stte of L. The cipher is run secon time to prouce n output string of length 257 its. The output from this secon ppliction is use to form the initil stte of the keystrem genertor when we egin keystrem prouction. As previously, the first 128 its form the initil stte of L, n the remining 129 its form the initil stte of L. It is very unlikely tht either LFSR will e initilise with the ll ero stte. By employing the PingPong lgorithm itself, we tke vntge of oth the known security properties of the lgorithm n lso its fst implementtion. Due to the high security of PingPong we conclue tht the est ttck in the rekeying scenrio is exhustive key serch. Implementtion Issue Both LFSRs in PingPong-128 use the Glois implementtion rther thn the Fioncci implementtion. This is esign ecision se on the softwre performnce of the implementtion. It is oserve tht the Glois implementtion is much more efficient in softwre thn the Fioncci, lthough oth implementtions re eqully efficient in hrwre. It is worth noting tht these two implementtions give ifferent output sequences with the sme initil LFSR sttes, therefore it is essentil to specify the style of implementtion. 4. Anlysis of the PingPong Genertor In this Section, we present the keystrem properties of the PingPong genertor se on empiricl results.we lso show the resistnce of the PingPong genertor to known ttcks. 1896

4.1. Keystrem Properties There re three sic requirements for the pseuornom inry sequences: long perio, high liner complexity, n goo sttisticl properties. Long perio vois the keystrem to e reuse when encrypting long messges. High liner complexity prevents ttcks using the Berlekmp-Mssey lgorithm [12]. Goo sttisticl properties gur ginst ttcks exploiting the ises in the keystrem. Experiments hve een one on severl instnces from the PingPong fmily of keystrem genertors to oserve the keystrem properties of PingPong. Ech instnce of PingPong hs pir of LFSRs of ifferent lengths. For ech pir, we use numer of ifferent feeck polynomils n took clocking tps from vrious stges of the registers. It ws oserve tht the choice of feeck polynomils n clocking tp position i not influence the keystrem properties. For ech pir of LFSR lengths, 50 rnom initil sttes were use to run the experiment. The results of the experiments vrie wiely, for exmple, for register lengths 9 n 10, the liner complexity vrie etween 400 n 822. The lowest resulting liner complexity n shortest perio of the experiments re tulte in Tle 2. Tle 2. PingPong Keystrem Properties Register Lengths Liner Complexity Perio 5, 6 5, 7 6, 7 7, 8 8, 9 9, 10 10, 11 11, 13 13, 15 23 50 43 93 200 400 815 3276 13100 25 50 51 101 200 401 815 3276 13105 From the empiricl results, we erive the following equtions for clculting the minimum liner complexity n perio. Denote the sum of register lengths n, the lower oun of the liner complexity LC cn e expresse s ( n 11) / 2 4.6 ( n 11) / 2 LC 25 2 2 2 Similrly, the perio P cn e expresse s ( n 11) / 2 4.6 ( n 11) / 2 25 2 2 2 P For PingPong-128, n 256, the lower oun of the liner complexity is therefore 4.6 (256 / 2 LC 2 2 11) 4.6 123 2 2 128 2 n the Perio P is 4.6 (256 / 2 4.6 123 P 2 2 2 2 128 2 The esign strength of PingPong-128 is 2 128. It is therefore resistnt ginst ttcks se on sic keystrem properties such s liner complexity n perio. 4.2. Time Memory Treoff Attck The oective of time-memory treoff ttcks is to recover the internl stte t known time. The ttcks re conucte in two stges. During preprocessing phse, the cryptnlyst constructs lookup tle, mpping possile internl sttes to prefixes of the corresponing output keystrems. In the rel time phse of the ttck, the cryptnlyst tkes segment of known keystrem n tries to fin the corresponing internl stte, y serching through the lookup tle. Let S, M, T, P n D enote the crinlity of the internl stte spce, the memory(in inry wors of sie equl to log 2 S), the computtionl time (in tle lookups), the pre-computtion time (in tle lookups), n the mount of t (without re-keying, this is the length of known keystrem), respectively. For the time-memory ttcks escrie in [15] T M S, P M n D T. For exmple, 2 128 2 128 2 256 treoff coul e use. Therefore PingPong-256 with 256-it of internl stte cn only hve 128 its of security. The more generl time-memory-t treoff[16] sserts tht T M2 D2 S2, P S/D, D2 T. This ecreses D t the cost of incresing P. For exmple, one my choose M D S 1/3 n T P S 2/3, ut for PingPong-256, with S 256, this gives M D 2 85.3 n T P 2 170.7, clerly etter thn exhustive key serch. 4.3. Mutul Irregulr Clocking of LFSRs In this section we consier two LFSRs tht clock ech other in n irregulr fshion. Let L n L e the two LFSRs with primitive polynomils n length len n len respectively. When clocke utonomously they prouce m-sequences with perio 2 len 1 n len 2 1 for ny non-ero initil stte. Now consier the cycle structure for the sitution where they clock ech other using two its from ech register to select from 1, 2, 3 or 4 clock cycles for the other register to otin the next stte. This is the generl moel for the PingPong structure. 1897

Let L e clocke step cycles y the its L [c1] n L [c2] n similrly L is clocke step cycles y L [c3] n L [c4]. The clocking positions c i re fixe y the lgorithm specifiction, n lso step 2 L[ c1] + L [ c2] step 2 L[ c3] + L[ c4] Clerly step n step re in the set {1,2,3,4}. Now efine the cumultive clocking vlues An similrly Then the stte of the system t time t is given y Now consier how Evolves into Any stte coul hve up to four precursor sttes, corresponing to step in {1,2,3,4}. Consier the precursor stte ssocite with setp i, then we hve SUM [ t 1] + i SUM [ t] Clerly there must lso e some vlue for step. Noting tht the vlues for i n re specifie y the its in the registers t time t 1. Clerly, in orer to otin stte from the previous stte with clocking of (i,), we must hve oth i step 2 L[ SUM [ t 1]][ c1] + L[ SUM [ t 1]][ c2] An Where oth An SUM [ t] SUM [ t] t i 0 t i 0 step [ i] Given ny stte, there re 16 its (4 its fter ech of the 4 clocking tps) tht coul hve influence the progression to tht stte. Four checks of the ove expressions gives the mens to etermine how mny precursor sttes exist. Note tht there will e sttes tht step [ i] [ L [ SUM [ t]], L [ SUM [ t]]] [ L [ SUM [ t 1]], L [ SUM [ t 1]]] [ L [ SUM [ t]], L [ SUM [ t]]] [ L [ SUM [ t]], L [ SUM [ t]]] setp 2 L [ SUM L [ SUM [ t 1]][ c3] + [ t 1]][ c4] SUM [ t 1] + i SUM [ t] SUM [ t 1] + SUM [ t] re unrechle (the hve no precursor sttes), n these re the sttes tht exist s the strts of trils leing to cycles. The next-stte igrm is more comprle to tht of rnom functions, rther thn rnom iections. Although more precise work nees to e one in the nlysis n security comprison of the PingPong style structure, it seems cler tht it oes not prouce the sme qulity stte sequences s n LFSR of the sme sie. 5. Conclusion In this pper, we hve propose PingPong, genertor se on the summtion genertor with mutul clock control structure. It efets known ttcks ginst the summtion genertor n other clock controlle keystrem genertors. 6. Acknowlegement This reserch ws supporte y University IT Reserch Center Proect, n y the Progrm for Trining of Grute Stuents in Regionl Innovtion. 7. References [1] A.J. Menees, P.C. Oorschot n S.A. Vnstone, Hnook of Applie Cryptogrphy, CRC Press, 1997. [2] Weush Morgn Securities - Inustril Report, Access Mngement/Internet Security Inustry, on http://www.viksqupt.com, Fe. 28, 2002. [3] R. A. Rueppel, Correltion Immunity n the Summtion Genertor, Avnces in Cryptology, Proceeings of CRYPTO 85, pp. 260-272, 1985. [4] W. Meier n O. Stffelch, Correltion Properties of Cominers with Memory in Strem Ciphers, Avnces in Cryptology, Proceeings of EUROCRYPT90, pp. 204-213, 1991. [5] E. Dwson, Cryptnlysis of Summtion Genertor, Avnces in Cryptology - AUSCRYPT 92, Lecture Notes in Computer Science, Springer-Verlg, pp. 209-215, 1993. [6] J. Golic, n M. Slmsieh n E. Dwson, Fst Correltion Attcks on the Summtion Genertor, Journl of Cryptology, Vol. 13, No. 2, pp.245-262, 2000. [7] Hoone Lee, Snge Moon, On An Improve Summtion Genertor with 2-Bit Memory, Signl Processing, 80(1), pp. 211217, Jn. 2000. [8] T. Siegenthler, Design of Cominers to Prevent Divie n Conquer Attcks, Avnces in Cryptology, Proceeings of CRYPTO 85, pp. 273-279, 1985. [9] R. A. Rueppel, Anlysis n Design of Strem Ciphers, Springer-Verlg, 1986. 1898

[10] W. Meier n O. Stffelch, Correltion Properties of Cominers with Memory in Strem Ciphers, Journl of Cryptology, Vol. 5, pp. 67-86, 1992. [11] A. Clrk, E. Dwson, J. Fuller, J. Golic, Hoon-Je Lee, W. Milln, Sng-Je Moon, L. Simpson, The LILI-II Keystrem Genertor, LNCS 2384, pp.25-39, Jul. 2002 (ACISP 2002). [12] J. L. Mssey, Shift-Register Synthesis n BCH Decoing, IEEE Trns. on Infor. Theo., Vol. IT-15, No. 1, pp. 122-127, Jn. 1969. [13] R. A. Rueppel n O. J. Stfflech, Proucts of Liner Recurring Sequences with Mximum Complexity, IEEE Trns. on Infor. Theo., Vol. IT-33, No. 1, pp. 124-131, Jn. 1987. [14] Kevin Chen, E.Dwson, etc. Security Anlysis of the LM Genertor, Report, Aug. 2004. [15] S. Bge, Improve exhustive serch ttcks on strem ciphers, Europen Convention on Security n Detection, Vol. 408, pp. 161-166, My 1995. [16] A. Biryikov n A. Shmir, Cryptnlytic Time/Memory/Dt Treoffs for Strem Ciphers, Avnces in Cryptology, Proceeings of ASIACRYPT00, LNCS 1976, pp.1-13, 2000. 1899

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback