[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
MIT talk on Cipher breaking
[As usual I have no more information than presented here. Contact
[email protected] for more information. --AW]
> MIT TOC SEMINAR
>
> Thursday, May 12, 1994
>
> Refreshments at 4:00pm, Talk at 4:15pm in NE43-518
>
> ``How to Break Gifford's Cipher''
>
> by Alan T. Sherman*
> University of Maryland Baltimore County
>
>(* Joint work with Thomas R. Cain. Part of this work was carried out
>while Sherman was a member of the Institute for Advanced Computer
>Studies, University of Maryland College Park.)
>
> ABSTRACT
>
>We present and implement a ciphertext-only algorithm to break
>Gifford's cipher, a stream cipher designed in 1984 by David Gifford of
>MIT and used to encrypt New York Times and Associated Press wire
>reports. Applying linear algebra over finite fields, we exploit a
>time-space tradeoff to separately determine key segments derived from
>the primary rational canonical decomposition of the feedback function
>This work, the first proposed attack on Gifford's cipher, illustrates
>a powerful attack on stream ciphers and shows that Gifford's cipher is
>ill-suited for encrypting broadcast data in the MIT-based {\it Boston
>Community Information System (BCIS)}.
>
>Gifford's cipher is a {\it filter generator}---a linear feedback shift
>register with nonlinear output. Our cryptanalytic problem is to
>determine the secret 64-bit initial fill, which is changed for each
>news article. Our attack runs in $2^{27}$ steps and $2^{18}$ bytes of
>memory, which is a significant shortcut over the $2^{64}$ steps
>required for a straightforward exhaustive search of all initial fills.
>Given ciphertext only from one encrypted article, our prototype
>implementation running on a loosely-coupled network of eight
>Sparcstations finds the article key within approximately four hours on
>average. Exploiting a key-management flaw of the BCIS, we also
>compute at no additional cost the corresponding master key, used for
>one month to encrypt all article keys in the same news section. In
>addition, from the decomposition of $f$, we compute the exact
>probability distribution of the leader and cycle lengths of all state
>sequences generated by Gifford's cipher.
>
>Host: Shang Hua-Teng