THEORETICAL CRYPTANALYSIS OF THE KLIMOV-SHAMIR NUMBER GENERATOR TF-1

Abstract. The internal state of the Klimov-Shamir number generator TF-1 consists of four words of size w bits each, whereas its intended strength is 2 2w. We exploit an asymmetry in its output function to show that the internal state can be recovered after having 2 w outputs, using 2 1.5w operations. For w = 32 the attack is practical, but for their recommended w = 64 it is only of theoretical interest. The Klimov-Shamir number generator TF-1 was introduced in [2] and is based on the methods developed in [1] and references therein. This is an iterative pseudorandom number generator. Its internal state consists of 4 words a, b, c, d, of size w bits each. Fix constants C1, C2, C. The update function is defined as follows