The update functions $g_1$ and $g_2$ also need to be modified, with the twin
motivation of preserving the internal state and ensuring the randomness of the
keystream. The following modifications are proposed in [137].
$$g^N_1(x,y,z) = \big((x \ggg 10) \oplus (z \ggg 23)\big) + Q[(y \gg 7) \wedge \mathtt{1FF}], \qquad (10.20)$$
$$g^N_2(x,y,z) = \big((x \lll 10) \oplus (z \lll 23)\big) + P[(y \gg 7) \wedge \mathtt{1FF}].$$
$f_1$ and $f_2$ are kept the same as in the original HC-128.
A word of the Q array, selected by bits of the operand y, is included in the
update of each P array element, and likewise a word of the P array in the
update of each Q array element. This ensures that each new block of the P (or
Q) array depends on the previous block of the Q (or P) array. Thus the analysis
of Section 10.5 would not apply, and the internal state would remain protected
even if half of the internal state elements are known.
Likewise, in the equation of the distinguisher proposed by the designer
[187, Section 4], the term P[i ⊟ 10] would be replaced by some random term of
the Q array. With this replacement, it is not obvious how a similar
distinguishing attack could be mounted. The same situation arises for the
distinguishers proposed in [105].
Now consider the fault attack of [84]. It assumes that if a fault occurs
at Q[f] in the block in which P is updated, then Q[f] is not referenced until
step f−1 of the next block (in which Q is updated). This assumption does not
hold for the new design, because P and Q are used in each other's updates
(equation (10.20)). Thus, on the modified design, the fault position recovery
algorithm of [84, Section 4.2] would not work immediately. In particular,
Lemma 1 and Lemma 2 of [84] would not hold for the modified cipher. However,
the security claim for the modified HC-128, as for any stream cipher, remains
a conjecture.
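The following is an added C example (not code from the book, from [137] or from the eSTREAM suite) of the original $g_1$, $g_2$ and the modified $g^N_1$, $g^N_2$ of equation (10.20), together with one step of the P-update block run on a constructed toy state. It makes the coupling used by the two preceding paragraphs visible: with $g^N_1$ a change in the Q word indexed by y changes the new P[i] at once, whereas the original $g_1$ never reads Q. The state words and the flipped bit are constructed for illustration, not a real HC-128 key/IV state.

```c
#include <stdint.h>
#include <string.h>
/* 32-bit word operations: rotations (HC-128's >>> / <<<) and the shift >>. */
uint32_t rotr(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
uint32_t rotl(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }
#define SUB512(a, b) (((a) - (b)) & 0x1FF)   /* i ⊟ n: subtraction mod 512 */
/* Original HC-128 update functions: y only enters through a rotation. */
uint32_t g1(uint32_t x, uint32_t y, uint32_t z) {
    return (rotr(x, 10) ^ rotr(z, 23)) + rotr(y, 8);
}
uint32_t g2(uint32_t x, uint32_t y, uint32_t z) {
    return (rotl(x, 10) ^ rotl(z, 23)) + rotl(y, 8);
}
/* Modified functions of equation (10.20): bits 7..15 of y select a word of
 * the other table, so every P update reads Q and every Q update reads P. */
uint32_t g1N(uint32_t x, uint32_t y, uint32_t z, const uint32_t *Q) {
    return (rotr(x, 10) ^ rotr(z, 23)) + Q[(y >> 7) & 0x1FF];
}
uint32_t g2N(uint32_t x, uint32_t y, uint32_t z, const uint32_t *P) {
    return (rotl(x, 10) ^ rotl(z, 23)) + P[(y >> 7) & 0x1FF];
}

/* One step i of the P-update block, P[i] += g1(P[i ⊟ 3], P[i ⊟ 10], P[i ⊟ 511]),
 * with either the original g1 or the modified g1N; returns the new P[i]. */
uint32_t step_P(uint32_t *P, const uint32_t *Q, unsigned i, int modified) {
    uint32_t x = P[SUB512(i, 3)], y = P[SUB512(i, 10)], z = P[SUB512(i, 511)];
    P[i] += modified ? g1N(x, y, z, Q) : g1(x, y, z);
    return P[i];
}

/* Constructed toy state, not a real HC-128 state (which comes from key/IV
 * expansion); it only exists to make the P/Q coupling observable. */
void fill_state(uint32_t *P, uint32_t *Q) {
    for (unsigned k = 0; k < 512; k++) {
        P[k] = 0x9E3779B9u * (k + 1);
        Q[k] = 0x7F4A7C15u ^ (k * 0x01000193u);
    }
}

/* Returns 1 if flipping a bit of the Q word that g1N would read changes the
 * new P[i], 0 otherwise. With modified = 0 the original g1 never reads Q. */
int q_influences_p(unsigned i, int modified) {
    uint32_t P1[512], Q1[512], P2[512], Q2[512];
    fill_state(P1, Q1);
    memcpy(P2, P1, sizeof P1);
    memcpy(Q2, Q1, sizeof Q1);
    Q2[(P1[SUB512(i, 10)] >> 7) & 0x1FF] ^= 0x80000000u;  /* fault in Q */
    return step_P(P1, Q1, i, modified) != step_P(P2, Q2, i, modified);
}
```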
10.6.1 Performance Evaluation
The performance of the new design has been evaluated using the eSTREAM
testing framework [26]. The C implementation of the testing framework was
installed on a machine with an Intel(R) Pentium(R) D CPU, 2.8 GHz processor
clock, 2048 KB cache size and 1 GB DDR RAM, running Ubuntu 7.04
(Linux 2.6.20-17-generic). A benchmark implementation of HC-128 and
HC-256 [188] is available within the test suite. The modified version of
HC-128 was implemented, maintaining API compliance with the suite. Test
vectors were generated in the NESSIE [127] format. The results presented
below correspond to tests with a null IV using the gcc-3.4 prescott O3-ofp
compiler.
                                   HC-128   New Proposal   HC-256
Stream Encryption (cycles/byte)      4.13           4.29     4.88