Principles and practice of information theory
Principles and practice of information theory
The art of computer programming, volume 3: (2nd ed.) sorting and searching
The art of computer programming, volume 3: (2nd ed.) sorting and searching
Probable Plaintext Cryptanalysis of the IP Security Protocols
SNDSS '97 Proceedings of the 1997 Symposium on Network and Distributed System Security
Hi-index | 0.01 |
We present and analyze attacks on additive stream ciphers that rely on linear equations that hold with non-trivial probability in plaintexts that are encrypted using distinct keys. These attacks extend Biham's key collision attack and Hellman's time memory tradeoff attack, and can be applied to any additive stream cipher. We define linear redundancy to characterize the vulnerability of a plaintext source to these attacks. We show that an additive stream cipher with an n-bit key has an effective key size of n-min(l, lgM) against the key collision attack, and of 2n/3+ lg(n/3) + max(n - l, 0) against the time memory tradeoff attack, when the the attacker knows l linear equations over the plaintext and has M ciphertexts encrypted with M distinct unknown secret keys. Lastly, we analyze the IP, TCP, and UDP protocols and some typical protocol constructs, and show that they contain significant linear redundancy. We conclude with observations on the use of stream ciphers for Internet security.