Improved distinguishers for HC-128

Paul Stankovski,Thomas Johansson,Sushmita Ruj,Martin Hell

doi:10.1007/s10623-011-9550-9

Paul Stankovski, Thomas Johansson + Show 2 more

Open Access

https://doi.org/10.1007/s10623-011-9550-9

Copy DOI

Abstract

HC-128 is an eSTREAM final portfolio stream cipher. Several authors have investigated its security and, in particular, distinguishing attacks have been considered. Still, no one has been able to provide a distinguisher stronger than the one presented by Wu in the original HC-128 paper. In this paper we first argue that the keystream requirement in Wu's original attack is underestimated by a factor of almost 28. Our revised analysis shows that the keystream complexity of Wu's original attack is 2160.471 32-bit keystream blocks. We then go on to investigate two new types of distinguishers on HC-128. One of them, a distinguisher counting the number of zeros in created blocks of bits, gives a biased distribution that requires 2143.537 such constructed block samples (2152.537 32-bit keystream blocks). For fairness, the same metric is used to compare our attack to Wu's, and our improvement is significant compared to Wu's original result. Furthermore, the vector-based methodology used is general and can be applied to any cryptographic primitive that reveals a suitable probability distribution.

Full Text