Theoretical cryptanalysis of the Klimov-Shamir number generator TF-1
Boaz Tsaban

TL;DR
This paper presents a cryptanalysis of the Klimov-Shamir number generator TF-1, demonstrating that its internal state can be recovered from 2^w outputs using 2^{1.5w} operations, which is below its intended strength of 2^{2w}. The attack is practical for the smaller word size w=32.
Contribution
The paper introduces a novel cryptanalytic attack that exploits an asymmetry in the output function of TF-1 to recover its internal state with less work than its intended strength of 2^{2w}.
Findings
For w=32, the attack is practical.
For w=64, the attack remains theoretical.
The attack recovers the internal state using 2^{1.5w} operations, given 2^w outputs, compared with the intended strength of 2^{2w}.
Abstract
The internal state of the Klimov-Shamir number generator TF-1 consists of four words of size w bits each, whereas its intended strength is 2^{2w}. We exploit an asymmetry in its output function to show that the internal state can be recovered after having 2^w outputs, using 2^{1.5w} operations. For w=32 the attack is practical, but for their recommended w=64 it is only of theoretical interest.
Taxonomy
Topics: Chaos-based Image/Signal Encryption · Coding theory and cryptography · Cryptography and Residue Arithmetic
