Re: Self-shrinking MT19937 as stream cipher
- From: "Cristiano" <cristiano.pi@xxxxxxxxxx>
- Date: 28 Sep 2006 19:43:20 +0200
Peter Pearson wrote:
On 28 Sep 2006 12:38:48 +0200, Cristiano <cristiano.pi@xxxxxxxxxx>
wrote:
The Berlekamp-Massey algorithm shows that the linear complexity of
any bit of the MT19937 is 19937, this means that taking the LSB of
MT19937 is equivalent to use a 19937-bit LFSR (also see a recent
post on sci.crypt.random-numbers).
In the paper "The Self-Shrinking Generator", Meier and Staffelbach
showed that the complexity of the attack for an N-bit self-shrinking
LFSR is O(2^(0.69*N)).
Using the LSB of MT19937 to get a self-shrinking generator, we get
an attack complexity of O(2^13757) which seems much bigger than the
one of any stream cipher.
Why don't use an MT19937 based self-shrinking generator as a stream
cipher?
Although a low linear complexity is proof of insecurity, a high linear
complexity is *not* proof of security. It's similar to period length.
Agreed, but what that has to do with my message?
Cristiano
.
- References:
- Self-shrinking MT19937 as stream cipher
- From: Cristiano
- Re: Self-shrinking MT19937 as stream cipher
- From: Peter Pearson
- Self-shrinking MT19937 as stream cipher
- Prev by Date: Re: Self-shrinking MT19937 as stream cipher
- Next by Date: Re: Self-shrinking MT19937 as stream cipher
- Previous by thread: Re: Self-shrinking MT19937 as stream cipher
- Next by thread: Re: Self-shrinking MT19937 as stream cipher
- Index(es):
Relevant Pages
|
|
