Distinguishing attacks on ISAAC
نویسنده
چکیده
This paper presents two strong distinguishers for the deterministic random bit generator ISAAC, requiring 2 and 2 samples of respectively 64 and 32 bits, based on the observation that more than 2 167 initial states among the 2 192 ones induce a strongly non-uniform distribution of the bits produced at the first round of the algorithm. A previous attack on ISAAC presented at Asiacrypt’06 by Paul and Preneel is demonstrated to be non relevant, since relies on an erroneous algorithm. The results of this paper stress the unsecurity of ISAAC, both as a pseudo-random generator and as a stream cipher. A modification of the algorithm is proposed to fix the weaknesses discovered. ISAAC [3] is a deterministic random bits generator presented at FSE’96 by Jenkins, who claims that it has “no bad initial states, not even the state of all zeros”. We contradict this affirmation, presenting more than 28 167 weak states, in Section 2, after a short description of ISAAC and the observation of some minor weaknesses, in Section 1. Recall that, as a source of non-uniform randomness, weak states might distort simulations, and harm cryptographic applications, and so generators with many such states should not be used. In Section 3, we exploit some weak states to construct two strong distinguishers, requiring respectively 248 64-bit samples and 264 32-bit samples. Sections 4 and 5 respectively propose a modification of ISAAC’s algorithm to avoid the design flaws presented, and point out an error in a previous analysis of ISAAC. Section 6 is our conclusion.
منابع مشابه
Cryptanalysis of some first round CAESAR candidates
ΑΕS _ CMCCv₁, ΑVΑLΑNCHEv₁, CLΟCv₁, and SILCv₁ are four candidates of the first round of CAESAR. CLΟCv₁ is presented in FSE 2014 and SILCv₁ is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against ΑES _ CMCCv₁ with the complexity of two queries and the success ...
متن کاملOn the (In)security of Stream Ciphers Based on Arrays and Modular Addition
Stream ciphers play an important role in symmetric cryptology because of their suitability in high speed applications where block ciphers fall short. A large number of fast stream ciphers or pseudorandom bit generators (PRBGs) can be found in the literature that are based on arrays and simple operations such as modular additions, rotations and memory accesses (e.g. RC4, RC4A, Py, Py6, ISAAC etc...
متن کاملOn the multi _ chi-square tests and their data complexity
Chi-square tests are generally used for distinguishing purposes; however when they are combined to simultaneously test several independent variables, extra notation is required. In this study, the chi-square statistics in some previous works is revealed to be computed half of its real value. Therefore, the notion of Multi _ Chi-square tests is formulated to avoid possible future confusions. In ...
متن کاملDistinguishing Attacks on SOBER-t16 and t32
Two ways of mounting distinguishing attacks on two similar stream ciphers, SOBER-t16 and SOBER-t32, are proposed. It results in distinguishing attacks faster than exhaustive key search on full SOBERt16 and on SOBER-t32 without stuttering.
متن کاملSuccess probability in chi - square attacks
Knudsen and Meier applied the χ-attack to RC6. This attack is one of the most effective attacks for RC6. The χ-attack can be used for both distinguishing attacks and for key recovery attacks. Up to the present, theoretical analysis of χ-attacks, especially the relation between a distinguishing attack and a key recovery attack, has not been discussed. In this paper, we investigate the theoretica...
متن کامل