Preventing weaknesses on F-FCSR in IV mode and tradeoff attack on F-FCSR-8

Abstract

E. Jaulmes and F. Muller have described some attacks on the F-FCSR-8 and F-FCSR-H algorithms [1]. These attacks pointed out three weaknesses in the algorithms. The first one is a bottleneck effect due to a big mistake in our design. It can be repaired by removing a single line of code in the F-FCSR-8 algorithm. The second weakness lies in the diffusion of the IV, which is poor for both algorithms because the Key+IV setup procedure is too simple. The last weakness is that F-FCSR-8 is vulnerable to a TMD tradeoff attack, using the fact that the number of possible values of each subfilter is relatively small. In this paper, we repair all the weaknesses that were pointed out. We propose a better Key+IV setup procedure that suppresses the bottleneck and gives a good diffusion of the IV. To thwart the TMD tradeoff attack on F-FCSR-8, we had to increase the size of the main register to 256 bits. But we can now extract two pseudorandom bytes at each transition of the automaton instead of one, so the performance remains at least as good as before.

1 Repairing F-FCSR-H: a better Key+IV setup procedure

As in the original version, we put the key and IV bits in the main register, but we then collect the first twenty bytes output by the automaton and feed them back into the main register. Then, as in the original version, we wait enough transitions of the automaton before using the pseudorandom stream.

Description of the new procedure "Key+IV Setup 80"

1. The main register M is initialized with the key and the IV: M := K + 2^80 · IV, i.e. M = (IV‖K)
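The setup above, as an added example that is not the paper's code: a toy Galois FCSR with a 160-bit main register and eight subfilters, run through step 1 (M := K + 2^80 · IV), the collection of the first twenty output bytes and their feed-back into the main register, then a warm-up. The feedback integer D, the filter F, the feed-back form (the twenty bytes become the new M with the carries cleared) and the warm-up count of 162 transitions are assumptions of this example, not the F-FCSR-H parameters; the 2-adic check at the end is the standard FCSR property used here to validate the automaton.

```python
N = 160                                   # main register size of F-FCSR-H
D = (1 << 159) | 0x1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D   # constructed feedback integer (d_159 = 1)
F = 0xD6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F809              # constructed filter (not F-FCSR-H's)

class FCSR:
    """Galois FCSR: main register M (N bits) and carry register C (on cells with d_i = 1)."""
    def __init__(self, m, c=0):
        self.m, self.c = m & ((1 << N) - 1), c & ((1 << N) - 1)

    def clock(self):
        m, c, m0 = self.m, self.c, self.m & 1         # m0 is the feedback bit
        new_m, new_c = 0, 0
        for i in range(N - 1):
            mi1 = (m >> (i + 1)) & 1
            if (D >> i) & 1:                           # carry cell: full adder of m_{i+1}, c_i, m0
                s = mi1 + ((c >> i) & 1) + m0
                new_m |= (s & 1) << i                  # sum bit
                new_c |= (s >> 1) << i                 # carry (majority)
            else:
                new_m |= mi1 << i                      # plain shift cell
        self.m, self.c = new_m | (m0 << (N - 1)), new_c   # top cell: d_{N-1} = 1

    def output_byte(self):
        """Eight subfilters: bit j is the XOR of the filtered cells m_i with i = j (mod 8)."""
        out, v = 0, self.m & F
        while v:
            i = (v & -v).bit_length() - 1              # index of the lowest set bit
            out ^= 1 << (i % 8)
            v &= v - 1
        return out

def key_iv_setup(key, iv, warmup=162):
    a = FCSR(key + (iv << 80))                         # step 1: M := K + 2^80 * IV, C := 0
    s = []
    for _ in range(20):                                # step 2: collect the first 20 output bytes
        s.append(a.output_byte())
        a.clock()
    # Feed-back step (assumed form): the 20 bytes become the new 160-bit M, C := 0.
    a = FCSR(int.from_bytes(bytes(s), "little"))
    for _ in range(warmup):                            # discard transitions before use (count assumed)
        a.clock()
    return a                                           # a.output_byte(); a.clock() then gives keystream

def two_adic_check(a, steps):
    """FCSR property: m0(t) is the 2-adic expansion of p/q, p = M + 2C, q = 1 - 2D."""
    p, q, s = a.m + 2 * a.c, 1 - 2 * D, 0
    for t in range(steps):
        s |= (a.m & 1) << t                            # S = sum m0(t) 2^t; check p == q*S mod 2^steps
        a.clock()
    return (p - q * s) % (1 << steps) == 0
```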
