Time-memory trade-off attacks on multiplications and T-functions


Abstract

T-functions are a new class of primitives which have recently been introduced by Klimov and Shamir. The several concrete proposals by the authors have multiplication and squaring as core nonlinear operations. Firstly, we present time-memory trade-off algorithms to solve the problems related to multiplication and squaring. Secondly, we apply these algorithms to two of the proposals of multi-word T-functions. For the proposal based on multiplication we can recover the 128 unknown bits of the state vector in 2^40 time whereas for the proposal based on squaring the 128 unknown bits can be recovered in 2^21 time. The required amount of key stream is a few (less than five) 128-bit blocks. Experimental data from implementation suggests that our attacks work well in practice and hence such proposals are not secure enough for stand-alone usage. Finally, we suggest the use of conjugate permutations to possibly improve the security of T-functions while retaining some attractive theoretical properties. © International Association for Cryptologic Research 2004.

Mitra, J., & Sarkar, P. (2004). Time-memory trade-off attacks on multiplications and T-functions. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3329, 468–482. https://doi.org/10.1007/978-3-540-30539-2_33
