Improved distinguishers for HC-128

Authors:
Paul Stankovski;Sushmita Ruj;Martin Hell;Thomas Johansson
Affiliations:
Department of Electrical and Information Technology, Lund University, Lund, Sweden 221 00;School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Canada K1N 6N5;Department of Electrical and Information Technology, Lund University, Lund, Sweden 221 00;Department of Electrical and Information Technology, Lund University, Lund, Sweden 221 00
Venue:
Designs, Codes and Cryptography
Year:
2012

Citing 6
Cited 3

Elements of information theory

Elements of information theory
Cryptographic Significance of the Carry for Ciphers Based on Integer Addition

CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
The Stream Cipher HC-128

New Stream Cipher Designs
The Key and IV Setup of the Stream Ciphers HC-256 and HC-128

NSWCTC '09 Proceedings of the 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing - Volume 02
Some observations on HC-128

Designs, Codes and Cryptography
Differential fault analysis of HC-128

AFRICACRYPT'10 Proceedings of the Third international conference on Cryptology in Africa

Analysis of xorrotation with application to an HC-128 variant

ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Impact of extending side channel attack on cipher variants: a case study with the HC series of stream ciphers

SPACE'12 Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering
Optimized GPU implementation and performance analysis of HC series of stream ciphers

ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology

Quantified Score

Hi-index	0.00

Visualization

Abstract

HC-128 is an eSTREAM final portfolio stream cipher. Several authors have investigated its security and, in particular, distinguishing attacks have been considered. Still, no one has been able to provide a distinguisher stronger than the one presented by Wu in the original HC-128 paper. In this paper we first argue that the keystream requirement in Wu's original attack is underestimated by a factor of almost 28. Our revised analysis shows that the keystream complexity of Wu's original attack is 2160.471 32-bit keystream blocks. We then go on to investigate two new types of distinguishers on HC-128. One of them, a distinguisher counting the number of zeros in created blocks of bits, gives a biased distribution that requires 2143.537 such constructed block samples (2152.537 32-bit keystream blocks). For fairness, the same metric is used to compare our attack to Wu's, and our improvement is significant compared to Wu's original result. Furthermore, the vector-based methodology used is general and can be applied to any cryptographic primitive that reveals a suitable probability distribution.