% cs0507063/cs0507063
\documentclass[12pt]{amsart}
%\usepackage{amssymb}

\newcommand{\ed}{

\begin{thebibliography}{10}

\bibitem{BeRe}
V.\ Benony, F.\ Recher, E.\ Wegrzynoski, and C.\ Fontaine,
\emph{Cryptanalysis of a particular case of Klimov-Shamir
pseudo-random generator}, in: SETA 2004, LNCS \textbf{3486}
(2005), 313--322.

\bibitem{KS04}
A.\ Klimov and A.\ Shamir,
\emph{New cryptographic primitives based on multiword T-functions},
in: Fast Software Encryption -- FSE 2004, LNCS \textbf{3017} (2004),
1--15.

\bibitem{KSHand}
A.\ Klimov and A.\ Shamir,
\emph{The TF-i family of stream ciphers},
handout distributed at: The State of the Art of Stream Ciphers -- SASC 2004.

\bibitem{MiSa}
J.\ Mitra and P.\ Sarkar,
\emph{Time-memory trade-off attacks on multiplication and T-functions},
in: ASIACRYPT 2004, LNCS \textbf{3329} (2004), 468--482.

\end{thebibliography}

\end{document}
}

\newcommand{\x}{\times}
\newcommand{\xor}{\oplus}
%\newcommand{\land}{\wedge}
%\newcommand{\lor}{\vee}
\newcommand{\mx}[1]{\left(\begin{matrix}#1\end{matrix}\right)}

\newtheorem{thm}{Theorem}
\newtheorem{lem}[thm]{Lemma}
\theoremstyle{definition}
\newtheorem{defn}[thm]{Definition}
\theoremstyle{remark}
\newtheorem{rem}[thm]{Remark}
\newtheorem{exam}[thm]{Example}

\author{Boaz Tsaban}
\thanks{Supported by the Koshland Center for Basic Research.}
\email{boaz.tsaban@weizmann.ac.il}
\address{Department of Mathematics,
Weizmann Institute of Science, Rehovot 76100, Israel}

\title[Cryptanalysis of TF-1]{\textsf{NOTE}\\[0.5cm]Theoretical cryptanalysis of the Klimov-Shamir number generator TF-1}

\begin{document}
\begin{abstract}
The internal state of the Klimov-Shamir number generator TF-1 consists of
four words of size $w$ bits each,
whereas its intended strength is $2^{2w}$.
We exploit an asymmetry in its output function to show that
the internal state can be recovered after having $2^w$ outputs,
using $2^{1.5w}$ operations. For $w=32$ the attack is practical,
but for their recommended $w=64$ it is only of theoretical interest.
\end{abstract}

\maketitle

\section{Generalized TF-1 generators}

The \emph{Klimov-Shamir number generator TF-1} was introduced in \cite{KSHand}
and is based on the methods developed in \cite{KS04} and references therein.
This is an iterative pseudorandom number generator.
Its internal state consists of four words $a,b,c,d$, of size $w$ bits each.
$C_1,C_2,C_3,C$ are fixed constants chosen to optimize several properties (which
are not relevant for our analysis).
The update function of the generator is defined as follows.\footnote{In the following description,
$\land,\lor,\xor$ denote bitwise logical \emph{and}, \emph{or}, and \emph{xor}, respectively, and
addition and multiplication are always carried out modulo $2^w$.}
$$\mx{a\\ b\\ c\\ d}\mapsto
\mx{
a & \xor & s & \xor & 2c\cdot (b\lor C_1)\\
b & \xor & s\land a & \xor & 2c\cdot (d\lor C_3)\\
c & \xor & s\land a\land b & \xor & 2a\cdot (d\lor C_3)\\
d & \xor & s\land a\land b\land c & \xor & 2a\cdot (b\lor C_1)
}$$
where
$$s = (C+(a\land b\land c\land d))\xor (a\land b\land c\land d).$$
After each update, an output value
$$S(a+c)\cdot (S(b+d)\lor 1)$$
is extracted, where $S$ is the function swapping the upper and lower halves of its input,
i.e., $S(x)=x/2^{w/2} + x\cdot 2^{w/2}$ for each $x=0,\dots,2^w-1$
where ``$/$'' denotes integer division.
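The following Python code is an added illustration and is not part of the paper.
It implements the update and output functions above for a general word size $w$
and checks empirically two facts that the analysis relies on: that the update map
is a T-function in the sense of the definition given below (its first $k$ columns
depend only on the first $k$ columns of the state), and that, because $S$ is a
bijection with $S(0)=0$ and $S(b+d)\lor 1$ is odd, an output word $0$ occurs
exactly when $a+c=0$ modulo $2^w$. The paper does not specify $C_1,C_2,C_3,C$;
the constants in the code are placeholders chosen here only so that the code runs,
and $C_2$ does not appear because the update function as displayed does not use it.

```python
# Added example, not part of the paper: reference implementation of the TF-1
# update and output functions of Section 1 for an arbitrary word size w.
# The values of C1, C3 and C used by the callers below are placeholders (the
# paper does not give them); C2 is omitted since the displayed update never
# references it.
import random


def mask(w):
    """Bit mask for reduction modulo 2^w."""
    return (1 << w) - 1


def tf1_update(state, w, C1, C3, C):
    """One application of the TF-1 update map; + and * are taken modulo 2^w.
    Every component is built from +, *, &, |, ^ only, hence it is a T-function."""
    a, b, c, d = state
    m = mask(w)
    abcd = a & b & c & d
    s = ((C + abcd) & m) ^ abcd
    a2 = a ^ s ^ ((2 * c * (b | C1)) & m)
    b2 = b ^ (s & a) ^ ((2 * c * (d | C3)) & m)
    c2 = c ^ (s & a & b) ^ ((2 * a * (d | C3)) & m)
    d2 = d ^ (s & a & b & c) ^ ((2 * a * (b | C1)) & m)
    return (a2, b2, c2, d2)


def swap_halves(x, w):
    """S(x): exchange the upper and lower w/2-bit halves of x."""
    h = w // 2
    return ((x >> h) | (x << h)) & mask(w)


def tf1_output(state, w):
    """The word extracted after each update: S(a+c) * (S(b+d) | 1) mod 2^w."""
    a, b, c, d = state
    m = mask(w)
    return (swap_halves((a + c) & m, w) * (swap_halves((b + d) & m, w) | 1)) & m


def tf1_run(state, w, n, C1, C3, C):
    """Return the first n output words produced from `state`."""
    outs = []
    for _ in range(n):
        state = tf1_update(state, w, C1, C3, C)
        outs.append(tf1_output(state, w))
    return outs


def low_bits_only_depend_on_low_bits(w, k, C1, C3, C, trials=500, seed=1):
    """T-function property of tf1_update, checked on random states: changing
    state bits at positions >= k must never change bits 0..k-1 of any word
    of the updated state."""
    rng = random.Random(seed)
    low = (1 << k) - 1
    for _ in range(trials):
        x = tuple(rng.getrandbits(w) for _ in range(4))
        y = tuple(xi ^ (rng.getrandbits(w) & ~low) for xi in x)  # same low k bits
        ux = tf1_update(x, w, C1, C3, C)
        uy = tf1_update(y, w, C1, C3, C)
        if any((p & low) != (q & low) for p, q in zip(ux, uy)):
            return False
    return True


def zero_output_iff_a_plus_c_zero(w, trials=4000, seed=2):
    """The observation behind the state recovery: S is a bijection with
    S(0) = 0 and S(b+d) | 1 is odd (invertible modulo 2^w), so the output is 0
    exactly when a + c = 0 mod 2^w.  Half of the sampled states are placed on
    a + c = 0 so that both directions of the equivalence are exercised."""
    rng = random.Random(seed)
    m = mask(w)
    for _ in range(trials):
        a, b, d = (rng.getrandbits(w) for _ in range(3))
        c = (-a) & m if rng.random() < 0.5 else rng.getrandbits(w)
        out = tf1_output((a, b, c, d), w)
        if (out == 0) != (((a + c) & m) == 0):
            return False
    return True


if __name__ == "__main__":
    # Placeholder constants and a constructed seed state, not the paper's.
    W, C1, C3, C = 32, 0x12345679, 0x3C6EF373, 0x9E3779B9
    seed = (0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x0BADF00D)
    print([hex(v) for v in tf1_run(seed, W, 4, C1, C3, C)])
    print(low_bits_only_depend_on_low_bits(W, 7, C1, C3, C))
    print(zero_output_iff_a_plus_c_zero(W))
```

The two checks are the two halves of the ``asymmetry'' exploited later: the update
is triangular in the bit columns, while the output function, through $S$, moves
bit $w/2$ of $a+c$ into the least significant position of the output word.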

Earlier variants of this generator were cryptanalyzed in several works,
see for example \cite{MiSa, BeRe}.
None of the earlier attacks applies to the present generator, though,
since the present output function is more complicated.
We will present an attack on a generalized family of TF-1
generators, containing the Klimov-Shamir generator as a particular
case.

\begin{defn}[Klimov-Shamir \cite{KS04}]
$T:\{0,1\}^{m\x w}\to\{0,1\}^{n\x w}$ is a
\emph{T-function} if,
for each $k=1,\dots,w$,
the first $k$ columns of $T(X)$ depend only on the first $k$ columns of $X$.
\end{defn}

Note that, using the convention that words from $\{0,1\}^w$ are
written such that the leftmost bit is the least significant one,
the update function of a TF-1 generator is a T-function.

The following is a generalization of the family of TF-1 generators.
The fact that we pose no restriction on its function $F$ (and still
are able to cryptanalyze it as shown below) seems to be of special interest.

\begin{defn}
A \emph{generalized TF-1} generator
consists of an update function $T_1:\{0,1\}^{4\x w}\to \{0,1\}^{4\x w}$
and output auxiliary functions $T_2,F: \{0,1\}^{4\x w}\to \{0,1\}^w$.
$T_1$ and $T_2$ are T-functions,
but $F$ can be any efficiently computable function.
Its internal state is a matrix $A\in\{0,1\}^{4\x w}$.
The update function is
$$A\mapsto T_1(A).$$
After each update, an output value
$$S(T_2(A))\cdot (F(A)\lor 1)$$
is extracted.
\end{defn}

\section{Cryptanalysis}

Generators with poor statistical properties are
not suitable for cryptographic usage. We therefore restrict
attention to the nondegenerate cases.

\begin{lem}\label{enumerate}
Assume that $T: \{0,1\}^{4\x w}\to \{0,1\}^w$ is a (mildly) random-looking T-function,
$k,l\in\{1,\dots,w\}$, and $l\le k$.
If the first $l-1$ columns of $X$ are known and $T(X)=0$,
then the list of all possibilities for columns $l,\dots,k$ of $X$
can be enumerated in (roughly) $2^{3(k-l)}$ operations.
\end{lem}
\begin{proof}
First check all $2^4$ possibilities for the $l$th column of $X$.
Only about $2^3$ of these should give $0$ at the $l$th bit of $T(X)$.
For each of them, check all $2^4$ possibilities for the $(l+1)$th column.
Again, about $2^3$ of these will survive. Continue in this manner.
The total number of operations is roughly
$$2^4+2^3\cdot 2^4+(2^3)^2\cdot 2^4 + \dots + (2^3)^{k-l-1}\cdot 2^4 \approx 2\cdot 2^{3(k-l)}.$$
Note that there is no need to store the resulting tree in memory, since
the search in the tree could be of ``depth first'' type, i.e., follow each
branch up to its end before moving to the next branch.
\end{proof}

\begin{rem}
For the function $T((a,b,c,d)^t)=a+c$ used in TF-1,
the enumeration as in Lemma \ref{enumerate} is trivial:
Just enumerate $(a,b,-a,d)^t$ where $a,b,d\in\{0,1\}^k$.
Note further that $0$ plays no special role in the proof of Lemma \ref{enumerate}
and it can be replaced by any constant.
\end{rem}

\begin{thm}\label{attack}
Assume that $G$ is a generalized TF-1 generator which is (mildly) random-looking.
Then the internal state of $G$ can be recovered from roughly $2^w$ output words,
using roughly $2^{1.5w}$ operations.
\end{thm}
\begin{proof}
Scan the output sequence until an output word $0$ is found (this requires
roughly $2^w$ output words). Denote the internal state at this point by $A$.
Then
$$S(T_2(A))\cdot (F(A)\lor 1) = 0.$$
As $F(A)\lor 1$ is relatively prime to $2^w$,
we have that $S(T_2(A))=0$, and therefore $T_2(A)=0$.

Use Lemma \ref{enumerate} with $l=1$ and $k=w/2+1$ to enumerate
the $2^{3k}$ possibilities for the first $k$ columns of $A$.
During the enumeration, compute for each possibility
the first $k$ columns of $A'=T_1(A)$ and of $T_2(A')$.
The $k$th bit of $T_2(A')$ should be equal to
the least significant bit of the next output word
(since $S$ moves this bit to the least significant position and the factor $F(A')\lor 1$ is odd).
This rules out about half of the suggested solutions.
Checking about one more step will rule out about half of the remaining solutions, etc.
Algorithmically, continue updating and checking until a contradiction
is found (or until a solution survives more than $3k$ steps)
and then move to the next suggested solution. On average
this requires two steps per suggested solution.

Having completed the above $2^{3k+1}$ operations, the first $k$ columns of $A$ are known.
Use Lemma \ref{enumerate} again to go over all possibilities for columns $k+1,\dots,w$ of $A$.
Now there are only $2^{3k-6}$ possibilities, and each of them gives a complete
knowledge of the internal state and can thus be checked by computation of
one or two output words. The total amount of operations is roughly
$$2^{3k+1}+2^{3k-6}\approx 2^{3k+1}=2^{1.5w+4}=16\cdot 2^{1.5w}.\qedhere$$
\end{proof}
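The following Python script is an added example and is not part of the paper.
It instantiates the definition of a generalized TF-1 generator with toy functions
constructed here for illustration (\texttt{toy\_T1}, \texttt{toy\_T2} and
\texttt{toy\_F}, together with their constants, for $w=8$), implements the
column-by-column, depth-first enumeration of Lemma~\ref{enumerate}, and carries out
the two stages of the proof of Theorem~\ref{attack} against it, so that the
counting in the proof ($2^{3k}$ prefixes of $k=w/2+1$ columns, pruning by the
least significant bits of the following output words, $2^{3(w-k)}$ completions)
can be observed at a width where everything runs in about a second. Only the shape
of the generator ($T_1,T_2$ T-functions, $F$ arbitrary) comes from the paper; the
functions themselves are assumptions, and $F$ is deliberately not a T-function.

```python
# Added example, not part of the paper: a toy generalized TF-1 generator for
# w = 8 and the state-recovery procedure of the theorem run against it.
# toy_T1, toy_T2, toy_F and all constants are constructed here for
# illustration; only their shape comes from the definition in the paper.
W = 8             # word size
K = W // 2 + 1    # the k of the theorem (5 for w = 8)
M = (1 << W) - 1  # reduction modulo 2^w


def toy_T1(X):
    """Update map built only from +, *, &, |, ^ and constants: a T-function."""
    a, b, c, d = X
    a2 = (a + (b | 1) * c + 0x35) & M
    b2 = (b ^ (2 * a2 * (d | 0x13))) & M
    c2 = (c + (a ^ b) + (d | 1) * 0x2D) & M
    d2 = (d + (a & b) + 2 * c2 * (a2 | 0x0B)) & M
    return (a2, b2, c2, d2)


def toy_T2(X):
    """Auxiliary T-function (the role played by a + c in TF-1)."""
    a, b, c, d = X
    return ((a + c) ^ ((b & d) << 1)) & M


def toy_F(X):
    """Arbitrary mixer; right shifts make it a non-T-function, as allowed."""
    a, b, c, d = X
    return ((a >> 3) ^ (b * 0x9E) ^ (c >> 1) ^ (d >> 5) ^ (d << 3)) & M


def swap_halves(x):
    """S(x): exchange the two w/2-bit halves."""
    return ((x >> (W // 2)) | (x << (W // 2))) & M


def output(X):
    """Word extracted from state X: S(T_2(X)) * (F(X) | 1) mod 2^w."""
    return (swap_halves(toy_T2(X)) * (toy_F(X) | 1)) & M


def run(X, n):
    """n output words, each extracted after one update of X."""
    outs = []
    for _ in range(n):
        X = toy_T1(X)
        outs.append(output(X))
    return outs


def enumerate_columns(T, known, l, k, target=0):
    """Lemma: depth-first enumeration of columns l..k (1-indexed) of a state
    whose columns 1..l-1 are in `known` (all other bits zero), keeping only
    the choices for which bits l..k of T agree with `target`.  Only the
    current path is held in memory."""
    def rec(X, col):                       # col is 0-indexed
        if col == k:
            yield X
            return
        for bits in range(16):             # 2^4 fillings of one column
            Y = tuple(x | (((bits >> i) & 1) << col) for i, x in enumerate(X))
            if ((T(Y) >> col) & 1) == ((target >> col) & 1):
                yield from rec(Y, col + 1)
    yield from rec(known, l - 1)


def recover_states(outputs):
    """Theorem: outputs[i] is the word extracted from the state reached after
    the (i+1)-th update.  Returns every state A at the first zero output that
    is consistent with the following 4k words (the true A is always included)."""
    if 0 not in outputs:
        return []
    z = outputs.index(0)
    following = outputs[z + 1:z + 1 + 4 * K]
    lsb_source = W // 2                    # lsb of S(x) is bit w/2 of x
    # Stage 1: output 0 forces T_2(A) = 0; enumerate the first k columns and
    # prune each prefix by the least significant bits of the next outputs,
    # which depend on those k columns only (T_1 and T_2 are T-functions).
    survivors = []
    for X in enumerate_columns(toy_T2, (0, 0, 0, 0), 1, K):
        Y, ok = X, True
        for word in following[:3 * K]:
            Y = toy_T1(Y)
            if ((toy_T2(Y) >> lsb_source) & 1) != (word & 1):
                ok = False
                break
        if ok:
            survivors.append(X)
    # Stage 2: T_2(A) = 0 also constrains columns k+1..w; enumerate them and
    # keep the full states that reproduce the observed words.
    found = []
    for X in survivors:
        for A in enumerate_columns(toy_T2, X, K + 1, W):
            if run(A, len(following)) == following:
                found.append(A)
    return found


def demo_recovery(A, n=16):
    """Stream starting at a state A with T_2(A) = 0 (so its own output is 0);
    returns (A recovered?, every candidate consistent?, number of candidates)."""
    stream = [output(A)] + run(A, n)
    cands = recover_states(stream)
    return (A in cands, all(run(X, n) == stream[1:] for X in cands), len(cands))


if __name__ == "__main__":
    X, stream, states = (0x5A, 0x1F, 0xC3, 0x77), [], []   # constructed seed
    for _ in range(4096):                  # scan for an output word 0
        X = toy_T1(X)
        states.append(X)
        stream.append(output(X))
    if 0 in stream:
        print("true", states[stream.index(0)], "recovered", recover_states(stream))
    else:
        print("no zero output among", len(stream), "words")
```

In stage 1 the enumeration yields exactly $8^5=2^{3k}$ prefixes for this
\texttt{toy\_T2}, since bit $i$ of $T_2$ is the xor of $a_i$, $c_i$ and terms from
lower columns, so exactly half of the $2^4$ fillings of each column survive; the
true prefix can never be pruned because every check is a necessary condition.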

\section{Examples}

%\begin{exam}
Any generalized TF-1 generator for words of $32$ bits has an internal state
of size $128$ bits and intended strength $2^{64}$. By Theorem \ref{attack},
the whole internal state can be recovered
from $2^{32}$ output words (i.e., $16$ gigabytes) using
$16\cdot 2^{1.5\cdot 32}=2^{52}$ operations.
These parameters are practical.
%\end{exam}

%\begin{exam}
Any generalized TF-1 generator for words of $64$ bits has an internal state
of size $256$ bits and intended strength $2^{128}$. By Theorem \ref{attack},
the internal state can be recovered
from $2^{64}$ output words using $16\cdot 2^{1.5\cdot 64}=2^{100}$ operations.
In this setting, our attack is only of theoretical interest.
%\end{exam}

\subsection*{Acknowledgments}
We thank Alexander Klimov and the referees for their comments.

\ed
