HC-128 is an eSTREAM final portfolio stream cipher. Several authors have investigated its security and, in particular, distinguishing attacks have been considered. Still, no one has been able to provide a distinguisher stronger than the one presented by Wu in the original HC-128 paper. In this paper we first argue that the keystream requirement in Wu's original attack is underestimated by a factor of almost $2^{8}$. Our revised analysis shows that the keystream complexity of Wu's original attack is $2^{160.471}$ 32-bit keystream blocks. We then go on to investigate two new types of distinguishers on HC-128. One of them, a distinguisher counting the number of zeros in created blocks of bits, gives a biased distribution that requires $2^{143.537}$ such constructed block samples ($2^{152.537}$ 32-bit keystream blocks). For fairness, the same metric is used to compare our attack to Wu's, and our improvement is significant compared to Wu's original result. Furthermore, the vector-based methodology used is general and can be applied to any cryptographic primitive that reveals a suitable probability distribution.