Small-state stream ciphers(SSCs),which violate the principle that the state size should exceed the key size by a factor of two,still demonstrate robust security properties while maintaining a lightweight design.These ...Small-state stream ciphers(SSCs),which violate the principle that the state size should exceed the key size by a factor of two,still demonstrate robust security properties while maintaining a lightweight design.These ciphers can be clas-sifed into several constructions and their basic security requirement is to resist generic attacks,ie.,the time-mem-ory-data tradeoff(TMDTO)attack.In this paper,we investigate the security of small-state constructions in the multi-user setting.Based on it,the TMDTO distinguishing attack and the TMDTO key recovery attack are developed for such a setting.It is shown that SSCs which continuously use the key can not resist the TMDTO distinguishing attack.Moreover,SSCs based on the continuous-IV-key-use construction cannot withstand the TMDTO key recovery attack when the key length is shorter than the IV length,no matter whether the keystream length is limited or not.Finally,We apply these two generic attacks to TinyJAMBU and DRACO in the multi-user setting.The TMDTO distinguish-ing attack on TinyJAMBU with a 128-bit key can be mounted with time,memory,and data complexities of 264,248,and 232,respectively.This attack is comparable with a recent work on ToSC 2022,where partial key bits of TinyJAMBU are recovered with more than 250 users(or keys).As DRACO's IV length is smaller than its key length,itis vulnerable to the TMDTO key recovery attack.The resulting attack has a time and memory complexity of both 2112,which means DRACO does not provide 128-bit security in the multi-user setting.展开更多
基金This work was supported by the National Natural Science Foundation of China[grant number 62022036,62132008,62372213].
文摘Small-state stream ciphers(SSCs),which violate the principle that the state size should exceed the key size by a factor of two,still demonstrate robust security properties while maintaining a lightweight design.These ciphers can be clas-sifed into several constructions and their basic security requirement is to resist generic attacks,ie.,the time-mem-ory-data tradeoff(TMDTO)attack.In this paper,we investigate the security of small-state constructions in the multi-user setting.Based on it,the TMDTO distinguishing attack and the TMDTO key recovery attack are developed for such a setting.It is shown that SSCs which continuously use the key can not resist the TMDTO distinguishing attack.Moreover,SSCs based on the continuous-IV-key-use construction cannot withstand the TMDTO key recovery attack when the key length is shorter than the IV length,no matter whether the keystream length is limited or not.Finally,We apply these two generic attacks to TinyJAMBU and DRACO in the multi-user setting.The TMDTO distinguish-ing attack on TinyJAMBU with a 128-bit key can be mounted with time,memory,and data complexities of 264,248,and 232,respectively.This attack is comparable with a recent work on ToSC 2022,where partial key bits of TinyJAMBU are recovered with more than 250 users(or keys).As DRACO's IV length is smaller than its key length,itis vulnerable to the TMDTO key recovery attack.The resulting attack has a time and memory complexity of both 2112,which means DRACO does not provide 128-bit security in the multi-user setting.
