Another question is whether it is possible to convert an illegal state that produces the correct keystream to a legal state that produces the same keystream. When i generated some chains with a simple increment function generating the start values i got 92% chain merges in a 10M chains table which suggests that those states that produce the same keystream are only a few bit flips apart.
On Sat, Jan 09, 2010 at 11:16:49PM +0100, Frank A. Stevenson wrote: > On Sat, 2010-01-09 at 19:30 +0100, sascha wrote: > > > Also note that the great majority of values in a table are never looked up > > but exist only as a link between the state we are interested in and the > > end value that is looked up in the data base. A false positive that does > > not pass the backclocking test is a rare case and does not influence the > > attack time very much. (is this true? how long does it take to to the > > backclocking?). Still we would need 2 times the storage if we use the old > > method. > > I have gotten false positives, that can't bee clocked back during > testing of my table lookup code. Because of the very low current success > rate, it is hard to give empirical evidence of the probability of such > false misses, but I think we should be prepared for 50% false hit rate > of this nature. Meaning ~50% of all key states recovered from the tables > have no valid predecessor states at generation 100+. > > This would be in line with overall frequency of valid states in the > table, and should not come as no surprise. > > f > _______________________________________________ A51 mailing list A51@lists.reflextor.com http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51