Stream ciphers are widely used for online encryption of arbitrarily long data. An important class of stream ciphers are combiners with memory, with the E0 generator from the Bluetooth standard for wireless communication [2] being their most prominent example. E0 consists of 4 driving devices, a finite state machine (FSM) C with a 4-bit state, an output function f and a memory update function δ. At each clock, one keystream bit z_t is produced from the output X_t ∈ {0, 1}^4 of the driving devices and the current state C_t ∈ {0, 1}^4 of the FSM according to z_t = f(C_t, X_t), and the state of the FSM is updated to C_{t+1} := δ(C_t, X_t). So far, the best publicly known attacks against combiners with memory are correlation attacks [4] and algebraic attacks [1]. Correlation attacks exploit linear equations L(X_t, ..., X_{t+r−1}, z_t, ..., z_{t+r−1}) = 0 that are true with some probability 1/2 + λ with λ ≠ 0. Algebraic attacks use valid nonlinear equations of preferably low degree to describe the secret key by a system of equations. We show how to avert a special class of correlation attacks [3] that is currently the most effective against E0 and introduce a general design principle which guarantees that all valid equations have a degree not smaller than a certain lower bound. Combining these results, we construct a slightly modified version of E0 with significantly improved resistance against correlation attacks and algebraic attacks.
We propose a new attack on the self-shrinking generator [8]. The attack is based on a backtracking algorithm and will reconstruct the key from a short sequence of known keystream bits. We give both mathematical and empirical evidence for the effectiveness of this attack. The algorithm takes at most O(2^{0.694L}) steps, where L is the key length. Thus, our attack
We present a new lower bound argument for oblivious parity-branching programs which allows one to prove exponential lower bounds on the width if the length is restricted to be linear or at most o(n · log(n)). This solves an open problem because "Cut & Paste" arguments, which provided bounds of the same quality in the case of determinism, nondeterminism, and co-nondeterminism [AM86] [KMW89], do not work in the case of parity-acceptance. Our technique is applicable to some well-known decision problems such as the graph-accessibility problem of directed graphs, and the word problems of free groups of finite rank. Using well-known results on the simulation of logspace-bounded Turing machines by sequences of branching programs, we give at least the complete separation of the complexity classes L, NL, co-NL, L, and AL=P for oblivious Turing machines of linear access time.
Combinational circuits, or circuits for short, are a model of the lowest level of computer hardware which is of interest from the point of view of computer science. Circuit complexity has a longer history than complexity theory. Complexity measures like circuit size and depth model sequential time, hardware cost, parallel time, and even storage space. This chapter contains an overview of the research area called complexity of boolean functions. The complexity measures of circuits are discussed and compared with other complexity measures. As an example, the design of efficient circuits is discussed for arithmetic functions. The limits of known lower-bound techniques are discussed. Exponential lower bounds can be proved for monotone circuits and some constant-depth unbounded-fan-in circuits, but even the case of threshold circuits of depth 3 is open. The frontier between solved and open problems is marked out.
An exponential lower bound for depth-two circuits with arbitrary nearly symmetric gates in the bottom level and with a MOD(m)-gate in the top level is proved. This solves a problem posed by Smolensky in 1990 [17]. The method uses what we call the variation rank of communication matrices. A variant of this method is used for deriving lower bounds for the size of depth-two circuits having a threshold gate at the top. This generalizes a result due to Hajnal et al. [7].
... For proving Theorem 1 let us fix a boolean function f : {0,1}^n → {0,1} and a polynomial p of length d which realizes f with advantage ε over {0, 1}, where d, ε^{-1} ∈ ... We construct a polynomial p' of length d' realizing f with advantage δ over {1, −1}, where d' ∈ (nε^{-1})^{O(1)}. This, obviously ...
The limited computational resources available on RFID tags imply a need for specially designed authentication protocols. The lightweight authentication protocol $\textsf{HB}^+$ proposed by Juels and Weis seems currently secure for several RFID applications, but is too slow for many practical settings. As a possible alternative, authentication protocols based on choosing random elements from $L$ secret linear $n$-dimensional subspaces of $GF(2)^{n+k}$ (so-called linear $(n,k,L)$-protocols) have been considered. We show that to a certain extent, these protocols are vulnerable to algebraic attacks. In particular, our approach allows us to break Cichoń, Klonowski and Kutyłowski's $\textsf{CKK}^2$-protocol, a special linear $(n,k,2)$-protocol, for practically recommended parameters in less than a second on a standard PC. Moreover, we show that even unrestricted $(n,k,L)$-protocols can be efficiently broken if $L$ is too small.
Papers by Matthias Krause