Revisiting two memoryless state-recovery cryptanalysis methods on A5/1

IF 1.3 | Zone 4, Computer Science | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS | IET Information Security | Pub Date: 2023-06-18 | DOI: 10.1049/ise2.12120
Yanbin Xu, Yonglin Hao, Mingxing Wang
Journal: IET Information Security, vol. 17, no. 4, pp. 626-638. Journal article, published 2023-06-18. Publisher page: https://onlinelibrary.wiley.com/doi/10.1049/ise2.12120 (PDF: https://onlinelibrary.wiley.com/doi/epdf/10.1049/ise2.12120)
Citations: 2

Abstract


At ASIACRYPT 2019, Zhang proposed a near collision attack on A5/1 claiming to recover the 64-bit A5/1 state with a time complexity around $2^{32}$ cipher ticks with negligible memory requirements. Soon after its proposal, Zhang's near collision attack was severely challenged by Derbez et al., who claimed that Zhang's attack cannot have a time complexity lower than Golic's memoryless guess-and-determine attack dating back to EUROCRYPT 1997. In this article, both the guess-and-determine and the near collision attacks for recovering A5/1 states with negligible memory complexities are studied. Firstly, a new guessing technique called the move guessing technique, which constructs linear equation filters in a more efficient manner, is proposed. Such a technique can be applied to both guess-and-determine and collision attacks for efficiency improvements. Secondly, the filtering strength of the linear equation systems is taken into account for complexity analysis. Such filtering strengths are evaluated with practical experiments, making the complexities more convincing. Based on such new techniques, the authors are able to give two new guess-and-determine attacks on A5/1: the first attack recovers the internal state $\boldsymbol{s}^{0}$ with time complexity $2^{43.92}$; the second one recovers a different state $\boldsymbol{s}^{1}$ with complexity $2^{43.25}$. Golic's guess-and-determine attack and Zhang's near collision attack are revisited. According to our detailed analysis, the complexity of Golic's $\boldsymbol{s}^{1}$ recovery attack is no lower than $2^{46.04}$, higher than the previously believed $2^{43}$. On the other hand, Zhang's near collision attack recovers $\boldsymbol{s}^{0}$ with time complexity $2^{53.19}$; such a complexity can be further lowered to $2^{50.78}$ with our move guessing technique.

Source journal: IET Information Security (Engineering & Technology - Computer Science: Theory & Methods)
CiteScore: 3.80
Self-citation rate: 7.10%
Articles published: 47
Review time: 8.6 months
Journal description: IET Information Security publishes original research papers in the following areas of information security and cryptography. Submitting authors should specify clearly in their covering statement the area into which their paper falls. Scope: Access Control and Database Security; Ad-Hoc Network Aspects; Anonymity and E-Voting; Authentication; Block Ciphers and Hash Functions; Blockchain, Bitcoin (Technical aspects only); Broadcast Encryption and Traitor Tracing; Combinatorial Aspects; Covert Channels and Information Flow; Critical Infrastructures; Cryptanalysis; Dependability; Digital Rights Management; Digital Signature Schemes; Digital Steganography; Economic Aspects of Information Security; Elliptic Curve Cryptography and Number Theory; Embedded Systems Aspects; Embedded Systems Security and Forensics; Financial Cryptography; Firewall Security; Formal Methods and Security Verification; Human Aspects; Information Warfare and Survivability; Intrusion Detection; Java and XML Security; Key Distribution; Key Management; Malware; Multi-Party Computation and Threshold Cryptography; Peer-to-peer Security; PKIs; Public-Key and Hybrid Encryption; Quantum Cryptography; Risks of using Computers; Robust Networks; Secret Sharing; Secure Electronic Commerce; Software Obfuscation; Stream Ciphers; Trust Models; Watermarking and Fingerprinting; Special Issues. Current Call for Papers: Security on Mobile and IoT devices - https://digital-library.theiet.org/files/IET_IFS_SMID_CFP.pdf