SLIDE 1

Outline ABC v.2 Security Scalability Performance Summary

Security and Implementation Properties of ABC v.2

Vladimir Anashin†, Andrey Bogdanov‡ (1), Ilya Kizhvatov† (2)

† Russian State University for the Humanities, Moscow, Russia
‡ escrypt GmbH – Embedded Security, Bochum, Germany

SASC 2006, Leuven, Belgium

(1) Partially supported by Ruhr-Universität Bochum
(2) Partially supported by the ECRYPT stipend

  • V. Anashin, A. Bogdanov, I. Kizhvatov

http://crypto.rsuh.ru ABC v.2 Security and Implementation 1/15

SLIDE 2

Outline

ABC v.2
  Status
  Tweaks
Security
  Keystream Properties
  Attacks and Remedies
Scalability
Performance

SLIDE 3

ABC v.2

The status of the cipher

◮ Originally submitted to eSTREAM → ABC v.1
◮ Attacked (Berbain, Gilbert, Khazaei; July 2005)
◮ Tweaks → ABC v.2

SLIDE 6

ABC v.2

Tweaks

◮ 128-bit LFSR A
◮ Faster transform B
◮ Adjusted setup procedures

Effects

◮ Longer keystream period
◮ Larger secret state
◮ Negligible performance overhead

[Figure: ABC v.2 block diagram. LFSR A: $z \to A(z)$, $z = (\bar z_3, \bar z_2, \bar z_1, \bar z_0)$. Transform B: $x \to B(x) + \bar z_3$. C: $y = C(x) + \bar z_0$. Plain text stream → cipher text stream. Labels: 64, 128, Key, IV.]

Result: Elimination of the known attacks

SLIDE 14

ABC v.2 Proven Keystream Properties

◮ The length P of the shortest period of 32-bit words

$$P = 2^{32} \cdot (2^{127} - 1)$$

◮ Uniform distribution of 32-bit words

$$\left| \frac{\{\text{number of word occurrences}\}}{P} - \frac{1}{2^{32}} \right| < \frac{1}{\sqrt{P}}$$

◮ High linear complexity λ

$$2^{31} \cdot (2^{127} - 1) + 1 \ge \lambda \ge 2^{31} + 1$$

SLIDE 17

Attacks and Remedies

Attack on ABC v.1

◮ Divide and conquer (Berbain, Gilbert, Khazaei)
  Non-bijective C → biased output → guessing the LFSR state

Remedies

◮ Bijective C → attack possibility
  Distinguishing the right guess becomes impossible
◮ 128-bit LFSR
  Attack complexity exceeds $2^{128}$
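
The effect named on this slide (a non-bijective C gives a biased output, so the right LFSR guess stands out, while a bijective C removes that signal) on a toy 8-bit model. This is an added example, not the authors' code and not ABC itself: `c_nonbijective`, `c_bijective` and the seeded generator standing in for the LFSR word $\bar z_0$ are assumptions chosen for illustration.

```python
import random
from collections import Counter

M_BITS = 8                  # toy word size (the slides use 32-bit words)
MOD = 1 << M_BITS


def c_nonbijective(x):
    """Toy C that is NOT a bijection: squaring mod 2^m (assumed, not ABC's C)."""
    return (x * x) % MOD


def c_bijective(x):
    """Toy C that IS a bijection: odd multiplier, then an invertible xor-shift."""
    x = (x * 0x9D + 0x3B) % MOD
    return x ^ (x >> 4)


def is_bijective(c):
    """A map on m-bit words is a bijection iff its image has 2^m elements."""
    return len({c(x) for x in range(MOD)}) == MOD


def distance_from_uniform(samples):
    """Total variation distance between the sample histogram and uniform."""
    counts = Counter(samples)
    n = len(samples)
    return 0.5 * sum(abs(counts.get(v, 0) / n - 1 / MOD) for v in range(MOD))


def mask_words(seed, n):
    """Stand-in for the LFSR output word z0 (assumption: any keyed word source)."""
    rng = random.Random(seed)
    return [rng.randrange(MOD) for _ in range(n)]


def unmasked_bias(c, true_seed, guess_seed, n=1 << 14):
    """Form y = C(x) + z0 mod 2^m, subtract the guessed z0, measure the bias."""
    rng = random.Random(0xABC)          # hidden, uniformly distributed x
    xs = [rng.randrange(MOD) for _ in range(n)]
    z_true = mask_words(true_seed, n)
    z_guess = mask_words(guess_seed, n)
    ys = [(c(x) + z) % MOD for x, z in zip(xs, z_true)]
    return distance_from_uniform([(y - g) % MOD for y, g in zip(ys, z_guess)])


def report():
    """Bias seen under the right and a wrong guess, for both toy choices of C."""
    rows = {}
    for name, c in (("non-bijective", c_nonbijective), ("bijective", c_bijective)):
        rows[name] = {
            "bijective": is_bijective(c),
            "right_guess": unmasked_bias(c, true_seed=1, guess_seed=1),
            "wrong_guess": unmasked_bias(c, true_seed=1, guess_seed=2),
        }
    return rows


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

With the non-bijective toy C the right guess leaves a sequence far from uniform and a wrong guess does not; with the bijective toy C both look uniform, so the statistic no longer separates them.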

SLIDE 21

Scalability of the ABC Architecture

Main property: exchange of A, B and C transforms without worsening the cryptographic properties of the entire scheme

Capabilities

◮ Scaling to 64-bit platforms, e.g. Intel Itanium, PowerPC G5
◮ Extending the digit capacity of A, B or C

ABC-256

◮ 256-bit LFSR
◮ 256-bit security
◮ 4% slower than ABC-128

[Figure: LFSR A, $z \to A(z)$. Labels: 128, 256.]

SLIDE 25

ABC v.2 Performance

Features

◮ Leading position on half of the architectures
◮ Extremely fast packet encryption
◮ ANSI C implementation

[Figures: bar charts of throughput in Gbps, Profile SW. Ciphers shown per platform, in chart order:]

Encryption

◮ Pentium 4: Py6, ABC, Py, NLS, Rabbit, AES
◮ Pentium M: Py6, ABC, Py, NLS, Rabbit, AES
◮ AMD 64: Py6, ABC, Py, NLS, Rabbit, AES
◮ PowerPC G4: Py6, ABC, Py, NLS, Salsa20, AES
◮ UltraSPARC-III: Py6, ABC, Py, NLS, Dragon, AES
◮ HP 9000/785: Py6, ABC, Py, LEX, Dragon, AES

Encryption of 40-byte packets

◮ Pentium 4: Phelix, ABC, LEX, NLS, Rabbit, AES
◮ Pentium M: Phelix, ABC, LEX, Salsa20, Rabbit, AES
◮ AMD 64: SOSEMANUK, ABC, LEX, NLS, Rabbit, AES
◮ PowerPC G4: SOSEMANUK, ABC, LEX, NLS, Salsa20, AES
◮ UltraSPARC-III: LEX, ABC, Rabbit, SOSEMANUK, Salsa20, AES
◮ HP 9000/785: LEX, ABC, Rabbit, SOSEMANUK, Salsa20, AES

SLIDE 38

Generic performance

Features

◮ low cost of implementation as an industrial process
◮ no dedicated optimizations
◮ code includes different implementation variants

Tradeoffs

Speeding up ABC v.2 keystream generation at the cost of initial precomputation

◮ initialization ←→ bulk encryption throughput
◮ memory ←→ bulk encryption throughput

Optimization: choice of the appropriate tradeoff point

SLIDE 44

Initialization/Speed Tradeoff

Packet Encryption with Key and IV Setup

[Figure: performance (clock per byte, log scale) versus packet size (bytes, 4 to 16M); curves labelled 12, 8, 4, 2, 1.]

SLIDE 45

Summary

ABC v.2

◮ Elimination of the attacks
◮ Easy scaling to 256-bit security
◮ High generic performance

ABC homepage: http://crypto.rsuh.ru

SLIDE 48

Architecture Supposed Distinguisher Performance

ABC v.2 Architecture

[Figure: ABC v.2 block diagram. LFSR A: $z \to A(z)$, $z = (\bar z_3, \bar z_2, \bar z_1, \bar z_0)$. Transform B: $x \to B(x) + \bar z_3$. C: $y = C(x) + \bar z_0$. Plain text stream → cipher text stream.]

SLIDE 49

Attacks and Remedies

Supposed distinguisher

Keystream → LFSR annihilator → biased sequence

Computer experiment

◮ $P_e$ estimated for m-bit ABC versions
◮ $P_e$ still rather high for $2^{4m}$ keystream words
◮ $2^{4m}$ = {key space}

[Figure: distinguishing error probability versus keystream length in words (log scale, 3m to 4m); curves for m = 8, m = 10, m = 12.]

Conjecture: the supposed distinguisher is impractical

SLIDE 54

Packet Encryption Including IV Setup

For various optimization window sizes

[Figure: performance (clock per byte) versus packet size (bytes, 4 to 8192); curves labelled 12, 8, 4, 2, 1.]