A known plaintext attack on the ISAAC keystream generator

Marina Pudovkina
maripa@online.ru
Moscow Engineering Physics Institute (Technical University)
Department of Cryptology and Discrete Mathematics

Abstract. Stream ciphers are often used in applications where high speed and low delay are a requirement. The ISAAC keystream generator is a fast software-oriented encryption algorithm. In this paper the security of the ISAAC keystream generator is investigated. A cryptanalytic algorithm is developed for a known plaintext attack in which only a small segment of plaintext is assumed to be known.

Keywords. ISAAC. Keystream generator. Cryptanalysis.

1 Introduction

Stream ciphers are an important class of encryption algorithms. They encrypt the individual characters of a plaintext message one at a time, using an encryption transformation that varies with time. By contrast, block ciphers tend to encrypt groups of characters of a plaintext message simultaneously, using a fixed encryption transformation. Stream ciphers are generally faster than block ciphers in hardware and have less complex hardware circuitry. There is a vast body of theoretical knowledge on stream ciphers, and various design principles for stream ciphers have been proposed and extensively analyzed. Most of the stream ciphers proposed in the open literature are based on LFSRs (linear feedback shift registers). For software implementation, a few keystream generators have been designed that are not based on shift registers. One of these generators is ISAAC. The ISAAC (Indirection, Shift, Accumulate, Add, and Count) keystream generator was introduced in [1] by R. Jenkins as a fast software-oriented encryption algorithm.

The aim of this paper is to derive a cryptanalytic algorithm that finds the correct initial state of the ISAAC stream cipher using only a small segment of the output stream, and to give precise estimates for the complexity of the attack. Our results are intrinsic to the design principles of ISAAC and are independent of the size of the key.

The paper is organized as follows. In section 2 we give a general description of ISAAC. In section 3 we discuss some properties of ISAAC. Section 4 describes an attack on ISAAC. We conclude in section 5.
2 Description of ISAAC

ISAAC is in fact a family of algorithms indexed by a parameter $m$, which is a positive integer. The internal state of ISAAC at time $t$ consists of a table $S_t = \{s_t[0], \dots, s_t[m-1]\}$ of $m = 2^n$ $K$-bit words and of two $K$-bit words $a_t$ and $i_t$. Let $z_t$ denote the output $K$-bit word of ISAAC at time $t$. Initially $i_0 = a_0 = 0$, and $K > 2n$. The key of ISAAC is the initial table $S_0$.

Jenkins takes $m = 256$, $n = 8$, $K = 32$, $p_0 = 13$, $p_1 = 6$, $p_2 = 2$, $p_3 = 16$, $\theta_1 = \theta_2 = 2$. Let $\theta_1, \theta_2 < n$.

$$G(a_{t-1}, t, p(t)) = \begin{cases} (a_{t-1} \ll p_0) \oplus a_{t-1} & \text{if } t \equiv 0 \pmod 4, \\ (a_{t-1} \gg p_1) \oplus a_{t-1} & \text{if } t \equiv 1 \pmod 4, \\ (a_{t-1} \ll p_2) \oplus a_{t-1} & \text{if } t \equiv 2 \pmod 4, \\ (a_{t-1} \gg p_3) \oplus a_{t-1} & \text{if } t \equiv 3 \pmod 4, \end{cases}$$

where $\gg$ and $\ll$ indicate rotation to the right and to the left, and

$$p(t) = \begin{cases} p_0 & \text{if } t \equiv 0 \pmod 4, \\ p_1 & \text{if } t \equiv 1 \pmod 4, \\ p_2 & \text{if } t \equiv 2 \pmod 4, \\ p_3 & \text{if } t \equiv 3 \pmod 4. \end{cases}$$

The next-state function $F$:

a) $i_t = i_{t-1} + 1 \pmod m$.

b) $a_t = \bigl(G(a_{t-1}, t, p(t)) + s_t[(t + m/2) \bmod m]\bigr) \bmod 2^K$.

c) $s_t[i_t] = \bigl(s_{t-1}[(s_{t-1}[i_t] \gg \theta_1) \bmod m] + a_t + z_{t-1}\bigr) \bmod 2^K$.

The output function $f$:

$$z_t = \bigl(s_t[(s_t[i_t] \gg (n + \theta_2)) \bmod m] + s_{t-1}[i_t]\bigr) \bmod 2^K.$$

3 Properties of ISAAC

In this section we describe some properties of ISAAC that are used in the description of our attack. We will assume that the output sequence $z_1, z_2, \dots, z_{m+1}$ is known. Let $a = (a_{K-1}, a_{K-2}, \dots, a_i, \dots, a_1, a_0)$ be the binary representation of $a \in \mathbb{Z}_{2^K}$, $a_j \in \mathbb{Z}_2$.

Proposition 1.

1. The transformation $F_{\ll}(a, p) = (a \ll p) \oplus a = (a_{K-1} \oplus a_{K-p-1},\ a_{K-2} \oplus a_{K-p-2},\ \dots,\ a_{p+i} \oplus a_i,\ \dots,\ a_p \oplus a_0,\ a_{p-1},\ a_{p-2},\ \dots,\ a_1,\ a_0)$.

2. The transformation $F_{\gg}(a, p) = (a \gg p) \oplus a = (a_{K-1},\ a_{K-2},\ \dots,\ a_{K-p},\ a_{K-1} \oplus a_{K-p-1},\ a_{K-2} \oplus a_{K-p-2},\ \dots,\ a_{p+i} \oplus a_i,\ \dots,\ a_p \oplus a_0)$.

Proof. Note that $a \ll p = (a_{K-p-1}, a_{K-p-2}, \dots, a_i, \dots, a_1, a_0, 0, \dots, 0)$. Thus $F_{\ll}(a, p) = (a \ll p) \oplus a = (a_{K-1} \oplus a_{K-p-1},\ a_{K-2} \oplus a_{K-p-2},\ \dots,\ a_{p+i} \oplus a_i,\ \dots,\ a_p \oplus a_0,\ a_{p-1},\ a_{p-2},\ \dots,\ a_1,\ a_0)$. Note that $a \gg p = (0, \dots, 0, a_{K-1}, a_{K-2}, \dots, a_{p+1}, a_p)$. Therefore $F_{\gg}(a, p) = (a \gg p) \oplus a = (a_{K-1},\ a_{K-2},\ \dots,\ a_{K-p},\ a_{K-1} \oplus a_{K-p-1},\ a_{K-2} \oplus a_{K-p-2},\ \dots,\ a_{p+i} \oplus a_i,\ \dots,\ a_p \oplus a_0)$. The proposition is proved.

Denote by $j_t = (s_t[i_t] \gg (n + \theta_2)) \bmod m$ and $\alpha_t = (s_{t-1}[i_t] \gg \theta_1) \bmod m$, $t = 1, 2, \dots$.
In the propositions given below we will assume that $j_t$, $\alpha_t$ are known and that $\tau \ge 1$ is fixed.

Proposition 2. If we know $s_m[0] \bmod 2^\tau$, $s_1[1] \bmod 2^\tau$, $\dots$, $s_{m-1}[m-1] \bmod 2^\tau$ and $z_1, z_2, \dots, z_{m+1}$, then $s_0[0] \bmod 2^\tau$, $s_0[1] \bmod 2^\tau$, $\dots$, $s_0[m-1] \bmod 2^\tau$ can be found for $t = m, m-1, m-2, \dots, 2, 1$ as follows.

If $j_t \in \{0, m-1, \dots, t+1\}$, then $s_0[t] \bmod 2^\tau = (z_t \bmod 2^\tau - s_0[j_t] \bmod 2^\tau) \bmod 2^\tau$.

If $0 < j_t < t+1$, then $s_0[t] \bmod 2^\tau = (z_t \bmod 2^\tau - s_{j_t}[j_t] \bmod 2^\tau) \bmod 2^\tau$.

Proof. Note that $z_t \bmod 2^\tau = (s_t[j_t] \bmod 2^\tau + s_{t-1}[i_t] \bmod 2^\tau) \bmod 2^\tau$ and $(s_m[j_m] \bmod 2^\tau + s_0[0] \bmod 2^\tau) \bmod 2^\tau = z_m \bmod 2^\tau$, $s_m[j_m] = s_{j_m}[j_m]$. Then $s_0[0] \bmod 2^\tau = (z_m \bmod 2^\tau - s_{j_m}[j_m] \bmod 2^\tau) \bmod 2^\tau$.

Let us consider $t = m-1$. If $j_{m-1} \equiv 0 \pmod m$, then we get $s_0[m-1] \bmod 2^\tau = (z_{m-1} \bmod 2^\tau - s_0[0] \bmod 2^\tau) \bmod 2^\tau$. If $0 < j_{m-1} < m$, then $s_0[m-1] \bmod 2^\tau = (z_{m-1} \bmod 2^\tau - s_{j_{m-1}}[j_{m-1}] \bmod 2^\tau) \bmod 2^\tau$.

Now we consider $t = m-2, \dots, 1$. Assume that $s_0[0] \bmod 2^\tau$, $s_0[m-1] \bmod 2^\tau$, $\dots$, $s_0[t+1] \bmod 2^\tau$ have been determined. Then for $j_t \in \{0, m-1, \dots, t+1\}$ we have $s_0[t] \bmod 2^\tau = (z_t \bmod 2^\tau - s_0[j_t] \bmod 2^\tau) \bmod 2^\tau$. If $0 < j_t < t+1$, then we obtain $s_0[t] \bmod 2^\tau = (z_t \bmod 2^\tau - s_{j_t}[j_t] \bmod 2^\tau) \bmod 2^\tau$. The proposition is proved.

Proposition 3. If we know $s_m[0] \bmod 2^\tau$, $s_1[1] \bmod 2^\tau$, $\dots$, $s_{m-1}[m-1] \bmod 2^\tau$ and $z_1, z_2, \dots, z_{m+1}$, then $a_1 \bmod 2^\tau$, $a_2 \bmod 2^\tau$, $\dots$, $a_{m+1} \bmod 2^\tau$ can be found as follows.

If $\alpha_t > t$, then $a_t \bmod 2^\tau = (s_t[t] \bmod 2^\tau - s_0[\alpha_t] \bmod 2^\tau - z_{t-1} \bmod 2^\tau) \bmod 2^\tau$.

If $\alpha_t \le t$, then $a_t \bmod 2^\tau = (s_t[t] \bmod 2^\tau - s_{\alpha_t}[\alpha_t] \bmod 2^\tau - z_{t-1} \bmod 2^\tau) \bmod 2^\tau$,

where $t = 1, \dots, m+1$.

Proof. Note that for $t = 1, 2, \dots$ we have $s_t[i_t] = (s_{t-1}[\alpha_t] + a_t + z_{t-1}) \bmod 2^K$. Whence

$$a_t \bmod 2^\tau = (s_t[i_t] \bmod 2^\tau - s_{t-1}[\alpha_t] \bmod 2^\tau - z_{t-1} \bmod 2^\tau) \bmod 2^\tau.$$

Using proposition 2 we can find $s_0[0] \bmod 2^\tau$, $s_0[1] \bmod 2^\tau$, $\dots$, $s_0[m-1] \bmod 2^\tau$. Let us remark that for any $t, d$: if $d > t$, then $s_t[d] = s_0[d]$, and if $d \le t$, then $s_t[d] = s_d[d]$. This implies that if $\alpha_t > t$, then we get $a_t \bmod 2^\tau = (s_t[t] \bmod 2^\tau - s_0[\alpha_t] \bmod 2^\tau - z_{t-1} \bmod 2^\tau) \bmod 2^\tau$, and if $\alpha_t \le t$, then $a_t \bmod 2^\tau = (s_t[t] \bmod 2^\tau - s_{\alpha_t}[\alpha_t] \bmod 2^\tau - z_{t-1} \bmod 2^\tau) \bmod 2^\tau$. The proposition is proved.

Let $q$ be the smaller of $p_1$, $p_3$, i.e. $q = \min(p_1, p_3)$.

Proposition 4. Let $\tau \ge 2n + \theta_2$. If we know $a_1 \bmod 2^\tau$, $a_2 \bmod 2^\tau$, $\dots$, $a_i \bmod 2^\tau$, $\dots$, $a_m \bmod 2^\tau$ and $s_2[2 + m/2] \bmod 2^\tau$, $s_4[4 + m/2] \bmod 2^\tau$, $\dots$, $s_{2i}[(m/2 + 2i) \bmod m] \bmod 2^\tau$, $\dots$, $s_m[m/2] \bmod 2^\tau$, then $a_1 \bmod 2^{\tau+q}$, $a_3 \bmod 2^{\tau+q}$, $\dots$, $a_{2i+1} \bmod 2^{\tau+q}$, $\dots$, $a_{m-1} \bmod 2^{\tau+q}$ can be determined as follows:

$$a_{t,\,q-1+\tau} = b_{t+1,\,\tau-1} \oplus a_{t,\,\tau-1},\ \dots,\ a_{t,\,q+\tau-j} = b_{t+1,\,\tau-j} \oplus a_{t,\,\tau-j},\ \dots,\ a_{t,\,\tau} = b_{t+1,\,\tau-q} \oplus a_{t,\,\tau-q},$$

where $t \equiv 1 \pmod 2$ and $b_{t+1} = (a_{t+1} \bmod 2^\tau - s_{t+1}[t+1+m/2] \bmod 2^\tau) \bmod 2^\tau$.

Proof. By proposition 1, $F_{\gg}(a, p) = (a \gg p) \oplus a = (a_{K-1}, a_{K-2}, \dots, a_{K-p}, a_{K-1} \oplus a_{K-p-1}, a_{K-2} \oplus a_{K-p-2}, \dots, a_{p+i} \oplus a_i, \dots, a_p \oplus a_0)$. From

$$a_t \bmod 2^\tau = \bigl(F_{\gg}(a_{t-1}, p(t)) \bmod 2^\tau + s_t[t + m/2] \bmod 2^\tau\bigr) \bmod 2^\tau, \quad t \equiv 0 \pmod 2,$$

it follows that $F_{\gg}(a_{t-1}, p(t)) \bmod 2^\tau = b_t = (a_t \bmod 2^\tau - s_t[t + m/2] \bmod 2^\tau) \bmod 2^\tau$. Hence $b_{t,\tau-1} = a_{t-1,\,p(t)-1+\tau} \oplus a_{t-1,\,\tau-1}$, $\dots$, $b_{t,\tau-p(t)} = a_{t-1,\,\tau} \oplus a_{t-1,\,\tau-p(t)}$. Thus we have found the $p(t)$ unknown bits

$$a_{t-1,\,p(t)-1+\tau} = b_{t,\,\tau-1} \oplus a_{t-1,\,\tau-1},\ \dots,\ a_{t-1,\,\tau} = b_{t,\,\tau-p(t)} \oplus a_{t-1,\,\tau-p(t)}.$$

Therefore we have computed $a_1 \bmod 2^{\tau+p_1}$, $a_3 \bmod 2^{\tau+p_3}$, $\dots$, $a_{4i+1} \bmod 2^{\tau+p_1}$, $a_{4i+3} \bmod 2^{\tau+p_3}$, $\dots$, $a_{m-1} \bmod 2^{\tau+p_3}$. This shows that $a_1 \bmod 2^{\tau+q}$, $\dots$, $a_{2i+1} \bmod 2^{\tau+q}$, $\dots$, $a_{m-1} \bmod 2^{\tau+q}$ are found. The proposition is proved.

Let $\sigma^a_t(j)$ be the carry bit into the $j$-th bit of the sum $(G(a_{t-1}, t, p(t)) + s_t[(t + m/2) \bmod m]) \bmod 2^K$, let $\sigma^z_t(j)$ be the carry bit into the $j$-th bit of the sum $(s_t[(s_t[t] \gg (n + \theta_2)) \bmod m] + s_{t-1}[t]) \bmod 2^K$, and let $\sigma^s_t(j)$ be the carry bit into the $j$-th bit of the sum $(s_{t-1}[(s_{t-1}[t] \gg \theta_1) \bmod m] + a_t + z_{t-1}) \bmod 2^K$. Let

$$\delta(t, k) = \begin{cases} 0 & \text{if } k > t, \\ k & \text{if } k \le t, \end{cases} \qquad \rho(t, k) = \begin{cases} 0 & \text{if } k > t, \\ 1 & \text{if } k \le t. \end{cases}$$

Proposition 5. Let $t = 2i + 1$. If $j < p(t)$, then

$$a_{2i+1,j} = a_{2i,j} \oplus s_{\delta(2i+1,\,2i+1+m/2),\,j}[2i+1+m/2] \oplus \sigma^a_{2i+1}(j).$$

If $j \ge p(t)$, then

$$a_{2i+1,j} = a_{2i,j} \oplus a_{2i,\,j-p(2i+1)} \oplus s_{\delta(2i+1,\,2i+1+m/2),\,j}[2i+1+m/2] \oplus \sigma^a_{2i+1}(j).$$

This proposition is easily proved by noting that $a_t \bmod 2^j = (G(a_{t-1}, t, p(t)) \bmod 2^j + s_t[(t + m/2) \bmod m] \bmod 2^j) \bmod 2^j$ and that the $j$-th bit of $G(a_{2i}, t, p(2i+1))$ is

$$G(a_{2i}, t, p(2i+1))_j = \begin{cases} a_{2i,j} & \text{if } j < p(t), \\ a_{2i,j} \oplus a_{2i,\,j-p(2i+1)} & \text{if } j \ge p(t). \end{cases}$$

Proposition 6. If we know $s_t[t] \bmod 2^{j-1}$, $s_0[t] \bmod 2^{j-1}$, $\alpha_t$, $j_t$, $a_t \bmod 2^{j-1}$, $z_{t-1} \bmod 2^{j-1}$, $a_{t-1} \bmod 2^{j-1}$, then $\sigma^s_t(j)$, $\sigma^z_t(j)$ and $\sigma^a_{2i+1}(j)$ can be computed as follows.

$$\sigma^s_t(j) = \begin{cases} 1 & \text{if } \bigl(s_{\delta(t,\alpha_t)}[\alpha_t] \bmod 2^{j-1} + z_{t-1} \bmod 2^{j-1} + a_t \bmod 2^{j-1}\bigr) \bmod 2^{j+1} \ge 2^j, \\ 0 & \text{otherwise.} \end{cases}$$

$$\sigma^z_t(j) = \begin{cases} 1 & \text{if } \bigl(s_{\delta(t,j_t)}[j_t] \bmod 2^{j-1} + s_0[t] \bmod 2^{j-1}\bigr) \bmod 2^{j+1} \ge 2^j, \\ 0 & \text{otherwise.} \end{cases}$$

If $j < p(t)$ and $t \equiv 1 \pmod 2$, then

$$\sigma^a_{2i+1}(j) = \begin{cases} 1 & \text{if } \bigl(a_{2i} \bmod 2^{j-1} + s_{2i+1}[2i+1+m/2] \bmod 2^{j-1}\bigr) \bmod 2^{j+1} \ge 2^j, \\ 0 & \text{otherwise.} \end{cases}$$

If $j \ge p(t)$ and $t \equiv 1 \pmod 2$, then

$$\sigma^a_t(j) = \begin{cases} 1 & \text{if } \Bigl(\sum_{k=p(t)}^{j-1} 2^k \bigl(a_{t-1,k} \oplus a_{t-1,\,k-p(t)}\bigr) + a_{t-1} \bmod 2^{p(t)-1} + s_{\delta(t,\,t+m/2)}[t+m/2] \bmod 2^{j-1}\Bigr) \bmod 2^{j+1} \ge 2^j, \\ 0 & \text{otherwise.} \end{cases}$$

Proof. Note that $\sigma^a_t(j)$, $\sigma^z_t(j)$ and $\sigma^s_t(j)$ are equal to 1 if and only if, respectively,

$$\bigl(G(a_{t-1}, t, p(t)) + s_t[(t + m/2) \bmod m]\bigr) \bmod 2^{j+1} \ge 2^j,$$
$$\bigl(s_t[(s_t[t] \gg (n + \theta_2)) \bmod m] + s_{t-1}[t]\bigr) \bmod 2^{j+1} \ge 2^j,$$
$$\bigl(s_{t-1}[(s_{t-1}[t] \gg \theta_1) \bmod m] + a_t + z_{t-1}\bigr) \bmod 2^{j+1} \ge 2^j.$$

Thus

$$\sigma^a_t(j) = \begin{cases} 1 & \text{if } \bigl(G(a_{t-1}, t, p(t)) \bmod 2^{j-1} + s_t[t + m/2] \bmod 2^{j-1}\bigr) \bmod 2^{j+1} \ge 2^j, \\ 0 & \text{otherwise,} \end{cases}$$
and

$$G(a_{t-1}, t, p(t)) \bmod 2^{j-1} = \begin{cases} a_{2i} \bmod 2^{j-1} & \text{if } j < p(t), \\ \sum_{k=p(t)}^{j-1} 2^k \bigl(a_{t-1,k} \oplus a_{t-1,\,k-p(t)}\bigr) + a_{t-1} \bmod 2^{p(t)-1} & \text{otherwise.} \end{cases}$$

By the above notes we obtain the proof of the proposition.

Theorem 1. If we know $\alpha_t$, $j_t$, $a_{2i+1} \bmod 2^j$, $a_{2i} \bmod 2^{j-1}$, $\sigma^s_t(j)$, $\sigma^a_t(j)$, $\sigma^z_t(j)$, $z_{t,j}$ for $t = 1, \dots, m$, $i = 0, \dots, m/2 - 1$, and $j \ge \max(p(1), p(3))$, then $s_{t,j}[t]$, $s_{0,j}[t]$, $t = 1, \dots, m$, can be found by solving the following system of equations:

$$\begin{aligned}
& s_{0,j}[0] \oplus s_{\delta(m,j_m),j}[j_m] = z_{m,j} \oplus \sigma^z_m(j), \\
& s_{0,j}[1] \oplus s_{\delta(1,j_1),j}[j_1] = z_{1,j} \oplus \sigma^z_1(j), \\
& \dots \\
& s_{0,j}[t] \oplus s_{\delta(t,j_t),j}[j_t] = z_{t,j} \oplus \sigma^z_t(j), \\
& \dots \\
& s_{0,j}[1 + m/2] = a_{1,j} \oplus \sigma^a_1(j), \\
& \dots \\
& s_{0,j}[m-1] \oplus s_{\delta(m-1,j_{m-1}),j}[j_{m-1}] = z_{m-1,j} \oplus \sigma^z_{m-1}(j), \\
& s_{1,j}[1] \oplus s_{\delta(1,\alpha_1),j}[\alpha_1] = a_{1,j} \oplus \sigma^s_1(j), \\
& s_{2,j}[2] \oplus s_{\delta(2,\alpha_2),j}[\alpha_2] \oplus s_{0,j}[3 + m/2] = z_{1,j} \oplus a_{3,j} \oplus a_{2,j-p(3)} \oplus \sigma^a_3(j) \oplus \sigma^s_2(j), \\
& s_{3,j}[3] \oplus s_{\delta(3,\alpha_3),j}[\alpha_3] = z_{2,j} \oplus a_{3,j} \oplus \sigma^s_3(j), \\
& \dots \\
& s_{2i,j}[2i] \oplus s_{\delta(2i+1,2i+1+m/2),j}[2i+1+m/2] \oplus s_{\delta(2i,\alpha_{2i}),j}[\alpha_{2i}] = z_{2i-1,j} \oplus a_{2i+1,j} \oplus a_{2i,j-p(2i+1)} \oplus \sigma^a_{2i+1}(j) \oplus \sigma^s_{2i}(j), \\
& s_{2i+1,j}[2i+1] \oplus s_{\delta(2i+1,\alpha_{2i+1}),j}[\alpha_{2i+1}] = z_{2i,j} \oplus a_{2i+1,j} \oplus \sigma^s_{2i+1}(j), \\
& \dots \\
& s_{m-2,j}[m-2] \oplus s_{\delta(m-2,\alpha_{m-2}),j}[\alpha_{m-2}] = z_{m-3,j} \oplus a_{m-2,j} \oplus \sigma^s_{m-2}(j), \\
& s_{m-1,j}[m-1] \oplus s_{\delta(m-1,m/2-1),j}[m/2-1] \oplus s_{\delta(m-1,\alpha_{m-1}),j}[\alpha_{m-1}] = z_{m,j} \oplus a_{m-1,j} \oplus a_{m-2,j-p(3)} \oplus \sigma^a_{m-1}(j) \oplus \sigma^s_{m-1}(j), \\
& s_{m,j}[m] \oplus s_{\delta(m,\alpha_m),j}[\alpha_m] = z_{m-1,j} \oplus a_{m,j} \oplus \sigma^s_m(j).
\end{aligned} \qquad (1)$$

The bits $a_{2i,j}$, $i = 0, \dots, m/2$, can then be found as follows:

$$a_{2i,j} = a_{2i+1,j} \oplus a_{2i,j-p(2i+1)} \oplus s_{\delta(2i+1,2i+1+m/2),j}[2i+1+m/2] \oplus \sigma^a_{2i+1}(j).$$

Proof. Consider the $j$-th bit of

$$a_t = \bigl(G(a_{t-1}, t, p(t)) + s_t[(t + m/2) \bmod m]\bigr) \bmod 2^K, \quad t \equiv 1 \pmod 2,$$
$$s_t[t] = \bigl(s_{t-1}[\alpha_t] + a_t + z_{t-1}\bigr) \bmod 2^K, \quad t = 1, \dots, m,$$
$$z_t = \bigl(s_t[j_t] + s_0[t]\bigr) \bmod 2^K, \quad t = 1, \dots, m.$$

Thus we obtain the following system of equations:

$$\begin{aligned}
& a_{1,j} = s_{0,j}[1 + m/2] \oplus \sigma^a_1(j), \\
& s_{1,j}[1] = s_{\delta(1,\alpha_1),j}[\alpha_1] \oplus a_{1,j} \oplus \sigma^s_1(j), \\
& z_{1,j} = s_{\delta(1,j_1),j}[j_1] \oplus s_{0,j}[1] \oplus \sigma^z_1(j), \\
& s_{2,j}[2] = s_{\delta(2,\alpha_2),j}[\alpha_2] \oplus z_{1,j} \oplus a_{2,j} \oplus \sigma^s_2(j), \\
& z_{2,j} = s_{\delta(2,j_2),j}[j_2] \oplus s_{0,j}[2] \oplus \sigma^z_2(j), \\
& a_{3,j} = a_{2,j} \oplus a_{2,j-p(3)} \oplus s_{0,j}[3 + m/2] \oplus \sigma^a_3(j), \\
& s_{3,j}[3] = s_{\delta(3,\alpha_3),j}[\alpha_3] \oplus z_{2,j} \oplus a_{3,j} \oplus \sigma^s_3(j), \\
& z_{3,j} = s_{\delta(3,j_3),j}[j_3] \oplus s_{0,j}[3] \oplus \sigma^z_3(j), \\
& \dots \\
& s_{2i,j}[2i] = s_{\delta(2i,\alpha_{2i}),j}[\alpha_{2i}] \oplus z_{2i-1,j} \oplus a_{2i,j} \oplus \sigma^s_{2i}(j), \\
& z_{2i,j} = s_{\delta(2i,j_{2i}),j}[j_{2i}] \oplus s_{0,j}[2i] \oplus \sigma^z_{2i}(j), \\
& a_{2i+1,j} = a_{2i,j} \oplus a_{2i,j-p(2i+1)} \oplus s_{\delta(2i+1,2i+1+m/2),j}[2i+1+m/2] \oplus \sigma^a_{2i+1}(j), \\
& s_{2i+1,j}[2i+1] = s_{\delta(2i+1,\alpha_{2i+1}),j}[\alpha_{2i+1}] \oplus z_{2i,j} \oplus a_{2i+1,j} \oplus \sigma^s_{2i+1}(j), \\
& z_{2i+1,j} = s_{\delta(2i+1,j_{2i+1}),j}[j_{2i+1}] \oplus s_{0,j}[2i+1] \oplus \sigma^z_{2i+1}(j), \\
& \dots \\
& s_{m-2,j}[m-2] = s_{\delta(m-2,\alpha_{m-2}),j}[\alpha_{m-2}] \oplus z_{m-3,j} \oplus a_{m-2,j} \oplus \sigma^s_{m-2}(j), \\
& z_{m-2,j} = s_{\delta(m-2,j_{m-2}),j}[j_{m-2}] \oplus s_{0,j}[m-2] \oplus \sigma^z_{m-2}(j), \\
& a_{m-1,j} = a_{m-2,j} \oplus a_{m-2,j-p(m-1)} \oplus s_{\delta(m-1,m/2-1),j}[m/2-1] \oplus \sigma^a_{m-1}(j), \\
& s_{m-1,j}[m-1] = s_{\delta(m-1,\alpha_{m-1}),j}[\alpha_{m-1}] \oplus z_{m,j} \oplus a_{m-1,j} \oplus \sigma^s_{m-1}(j), \\
& z_{m-1,j} = s_{\delta(m-1,j_{m-1}),j}[j_{m-1}] \oplus s_{0,j}[m-1] \oplus \sigma^z_{m-1}(j), \\
& s_{m,j}[m] = s_{\delta(m,\alpha_m),j}[\alpha_m] \oplus z_{m-1,j} \oplus a_{m,j} \oplus \sigma^s_m(j), \\
& z_{m,j} = s_{\delta(m,j_m),j}[j_m] \oplus s_{0,j}[0] \oplus \sigma^z_m(j).
\end{aligned} \qquad (2)$$

Note that $s_{t,j}[t]$, $s_{0,j}[t]$, $a_{2i,j}$, $t = 1, \dots, m$, $i = 0, \dots, m/2$, are unknown, and the number of unknown values in (2) is $5m/2$. By proposition 6 we have

$$a_{2i,j} = a_{2i+1,j} \oplus a_{2i,j-p(2i+1)} \oplus s_{\delta(2i+1,2i+1+m/2),j}[2i+1+m/2] \oplus \sigma^a_{2i+1}(j), \quad i = 1, \dots, m/2 - 1.$$

If we replace $a_{2i,j}$ by $a_{2i+1,j} \oplus a_{2i,j-p(2i+1)} \oplus s_{\delta(2i+1,2i+1+m/2),j}[2i+1+m/2] \oplus \sigma^a_{2i+1}(j)$ in (2), we get

$$\begin{aligned}
& a_{1,j} = s_{0,j}[1 + m/2] \oplus \sigma^a_1(j), \\
& s_{1,j}[1] = s_{\delta(1,\alpha_1),j}[\alpha_1] \oplus a_{1,j} \oplus \sigma^s_1(j), \\
& z_{1,j} = s_{\delta(1,j_1),j}[j_1] \oplus s_{0,j}[1] \oplus \sigma^z_1(j), \\
& s_{2,j}[2] = s_{\delta(2,\alpha_2),j}[\alpha_2] \oplus z_{1,j} \oplus a_{3,j} \oplus a_{2,j-p(3)} \oplus s_{0,j}[3 + m/2] \oplus \sigma^a_3(j) \oplus \sigma^s_2(j), \\
& z_{2,j} = s_{\delta(2,j_2),j}[j_2] \oplus s_{0,j}[2] \oplus \sigma^z_2(j), \\
& s_{3,j}[3] = s_{\delta(3,\alpha_3),j}[\alpha_3] \oplus z_{2,j} \oplus a_{3,j} \oplus \sigma^s_3(j), \\
& z_{3,j} = s_{\delta(3,j_3),j}[j_3] \oplus s_{0,j}[3] \oplus \sigma^z_3(j), \\
& \dots \\
& s_{2i,j}[2i] = s_{\delta(2i,\alpha_{2i}),j}[\alpha_{2i}] \oplus z_{2i-1,j} \oplus a_{2i+1,j} \oplus a_{2i,j-p(2i+1)} \oplus s_{\delta(2i+1,2i+1+m/2),j}[2i+1+m/2] \oplus \sigma^a_{2i+1}(j) \oplus \sigma^s_{2i}(j), \\
& z_{2i,j} = s_{\delta(2i,j_{2i}),j}[j_{2i}] \oplus s_{0,j}[2i] \oplus \sigma^z_{2i}(j), \\
& s_{2i+1,j}[2i+1] = s_{\delta(2i+1,\alpha_{2i+1}),j}[\alpha_{2i+1}] \oplus z_{2i,j} \oplus a_{2i+1,j} \oplus \sigma^s_{2i+1}(j), \\
& z_{2i+1,j} = s_{\delta(2i+1,j_{2i+1}),j}[j_{2i+1}] \oplus s_{0,j}[2i+1] \oplus \sigma^z_{2i+1}(j), \\
& \dots \\
& s_{m-2,j}[m-2] = s_{\delta(m-2,\alpha_{m-2}),j}[\alpha_{m-2}] \oplus z_{m-3,j} \oplus a_{m-2,j} \oplus \sigma^s_{m-2}(j), \\
& z_{m-2,j} = s_{\delta(m-2,j_{m-2}),j}[j_{m-2}] \oplus s_{0,j}[m-2] \oplus \sigma^z_{m-2}(j), \\
& s_{m-1,j}[m-1] = s_{\delta(m-1,\alpha_{m-1}),j}[\alpha_{m-1}] \oplus z_{m,j} \oplus a_{m-1,j} \oplus a_{m-2,j-p(3)} \oplus s_{\delta(m-1,m/2-1),j}[m/2-1] \oplus \sigma^a_{m-1}(j) \oplus \sigma^s_{m-1}(j), \\
& z_{m-1,j} = s_{\delta(m-1,j_{m-1}),j}[j_{m-1}] \oplus s_{0,j}[m-1] \oplus \sigma^z_{m-1}(j), \\
& s_{m,j}[m] = s_{\delta(m,\alpha_m),j}[\alpha_m] \oplus z_{m-1,j} \oplus a_{m,j} \oplus \sigma^s_m(j), \\
& z_{m,j} = s_{\delta(m,j_m),j}[j_m] \oplus s_{0,j}[0] \oplus \sigma^z_m(j).
\end{aligned} \qquad (3)$$

We stress that the number of equations and the number of unknown values in (3) are both $2m$. If we rewrite (3) so that the unknown elements are on the left and the known values on the right, we obtain exactly system (1). The theorem is proved.

4 Attack on ISAAC

In this section we describe a known plaintext attack on the ISAAC keystream generator. First let us estimate the unicity distance $D_{ISAAC}$ of ISAAC. Recall that the unicity distance is the number of keystream symbols that need to be observed in a known plaintext attack before the key can be uniquely determined.
Note that the number of possible states of ISAAC is equal to $m \cdot 2^K \cdot 2^{Km}$. Then we get $(2^K)^{D_{ISAAC}} = m \cdot 2^{K + Km}$. Therefore $D_{ISAAC} \approx m + 2$.

Let us mark with $*$ the guessed elements of $S^*_t$ and the elements of the output sequence $\{z^*_i\}$ produced from the guessed initial state. The method consists of four steps.

Step 1. Guess $s_m[0] \bmod 2^{2n+\theta_2}$, $\dots$, $s_t[t] \bmod 2^{2n+\theta_2}$, $\dots$, $s_{m-1}[m-1] \bmod 2^{2n+\theta_2}$.

Step 2. Let $\tau = 2n + \theta_2$.
1. Use proposition 2 to compute $s_0[t] \bmod 2^\tau$, $t = 0, 1, \dots, m-1$.
2. Use proposition 3 to compute $a_t \bmod 2^{2n+\theta_2}$, $t = 1, \dots, m+1$.
3. Use proposition 4 to compute $a_{2j+1} \bmod 2^{\tau+q}$, $j = 0, \dots, m/2 - 1$.
4. To find $s_m[0] \bmod 2^{\tau+q}$, $s_1[1] \bmod 2^{\tau+q}$, $\dots$, $s_{m-1}[m-1] \bmod 2^{\tau+q}$, $s_0[0] \bmod 2^{\tau+q}$, $s_0[1] \bmod 2^{\tau+q}$, $\dots$, $s_0[m-1] \bmod 2^{\tau+q}$, $a_{2i} \bmod 2^{\tau+q}$, $i = 0, \dots, m/2$, we do the following.
 a) Let $j = \tau + 1$.
 b) While $j \le \tau + q$: use theorem 1 to compute $s_m[0] \bmod 2^j$, $\dots$, $s_{m-1}[m-1] \bmod 2^j$, $s_0[0] \bmod 2^j$, $\dots$, $s_0[m-1] \bmod 2^j$, $a_{2i} \bmod 2^j$, $i = 0, \dots, m/2$; take $j = j + 1$.

Step 3. Let $\tau = 2n + \theta_2 + q$. While $\tau < K$:
1. Use proposition 4 to compute $a_{2j+1} \bmod 2^{\tau+q}$, $j = 0, \dots, m/2 - 1$.
2. To find $s_m[0] \bmod 2^{\tau+q}$, $s_1[1] \bmod 2^{\tau+q}$, $\dots$, $s_{m-1}[m-1] \bmod 2^{\tau+q}$, $s_0[0] \bmod 2^{\tau+q}$, $s_0[1] \bmod 2^{\tau+q}$, $\dots$, $s_0[m-1] \bmod 2^{\tau+q}$, $a_{2i} \bmod 2^{\tau+q}$, $i = 0, \dots, m/2$, we do the following.
 a) Let $j = \tau + 1$.
 b) While $j \le \tau + q$: use theorem 1 to compute $s_m[0] \bmod 2^j$, $\dots$, $s_{m-1}[m-1] \bmod 2^j$, $s_0[0] \bmod 2^j$, $\dots$, $s_0[m-1] \bmod 2^j$, $a_{2i} \bmod 2^j$, $i = 0, \dots, m/2$; take $j = j + 1$.

Step 4. Compute the first $L = D_{ISAAC}$ elements of the output sequence $z^*_1, z^*_2, \dots, z^*_L$. If $z^*_1 = z_1$, $z^*_2 = z_2$, $\dots$, $z^*_L = z_L$, then we have found the correct initial state of the cryptosystem; otherwise return to step 1.

Let us estimate the complexity of the method. We may assume that the probability $P\{s^*_0[0] \bmod 2^{2n+\theta_2} = s_0[0] \bmod 2^{2n+\theta_2}, \dots, s^*_0[m-1] \bmod 2^{2n+\theta_2} = s_0[m-1] \bmod 2^{2n+\theta_2}\} = 1/2^{(2n+\theta_2)m}$. Then the average number of guessed elements is $2^{(2n+\theta_2)m - 1}$. The complexity of solving the systems of equations in steps 2 and 3 can be estimated as $(K - 2n - \theta_2)(2m)^3/3$.

Therefore the complexity of the method is

$$T_{me} = 2^{(2n+\theta_2)m - 1} (K - 2n - \theta_2)(2m)^3/3.$$

Note that the complexity of the brute force attack is $T_{br} = 2^{Km - 1}$. For $m = 256$, $n = 8$, $K = 32$, $p_0 = 13$, $p_1 = 6$, $p_2 = 2$, $p_3 = 16$, $\theta_1 = \theta_2 = 2$, we get $T_{me} = 4.67 \cdot 10^{1240}$ and $T_{br} = 5.91 \cdot 10^{2446}$.
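As an added example (my code, not the paper's and not Jenkins's reference implementation), the model of Section 2 with the parameters above, followed by the recurrences of Propositions 2 and 3 run against it. It assumes $z_0 = 0$ and logical (zero-fill) shifts in $G$ as in the proof of Proposition 1, draws $S_0$ at random, and takes the "known" $j_t$, $\alpha_t$ and $s_t[t] \bmod 2^\tau$ from the true run, which plays the part of a correct Step 1 guess.

```python
# Added example (not the paper's code): Section 2's ISAAC model in the paper's notation,
# then the recurrences of Propositions 2 and 3 run against it. Assumed: z_0 = 0, logical
# shifts in G, a random S_0, and j_t, alpha_t, s_t[t] mod 2^tau read off the true run.
import random

M, N, K, THETA1, THETA2 = 256, 8, 32, 2, 2   # m = 2^n words of K bits
P = (13, 6, 2, 16)                           # p0, p1, p2, p3
MASK = (1 << K) - 1

def G(a, t):                                 # G(a_{t-1}, t, p(t)) of Section 2
    p = P[t % 4]                             # left shift for even t, right shift for odd t
    return (((a << p) & MASK) ^ a) if t % 2 == 0 else ((a >> p) ^ a)

def isaac_trace(s0, steps):
    """Run t = 1..steps; return z_1..z_steps and per-step (alpha_t, j_t, s_t[i_t], a_t)."""
    s, a, z, outs, trace = list(s0), 0, 0, [], []
    for t in range(1, steps + 1):
        i = t % M                                    # a) i_t = i_{t-1} + 1 (mod m)
        a = (G(a, t) + s[(t + M // 2) % M]) & MASK   # b) accumulator update
        x = s[i]                                     # s_{t-1}[i_t]
        alpha = (x >> THETA1) % M
        s[i] = (s[alpha] + a + z) & MASK             # c) uses s_{t-1}[alpha_t] and z_{t-1}
        j = (s[i] >> (N + THETA2)) % M
        z = (s[j] + x) & MASK                        # z_t = s_t[j_t] + s_{t-1}[i_t]
        outs.append(z)
        trace.append((alpha, j, s[i], a))
    return outs, trace

def recover_low_bits(outs, trace, tau):
    """Proposition 2, then 3: s_0[d] mod 2^tau for all d and a_t mod 2^tau for t = 1..m."""
    mod = 1 << tau
    s_tt = {t % M: trace[t - 1][2] % mod for t in range(1, M + 1)}  # s_t[t], s_m[0]: "known"
    s0 = {}
    for t in range(M, 0, -1):                        # Proposition 2: t = m, m-1, ..., 1
        j = trace[t - 1][1]
        # s_t[j_t] is the updated s_{j_t}[j_t] if 1 <= j_t <= t (or t = m), else untouched s_0[j_t]
        st_j = s_tt[j] if (1 <= j <= t or t == M) else s0[j]
        s0[t % M] = (outs[t - 1] - st_j) % mod
    a_low = []
    for t in range(1, M + 1):                        # Proposition 3
        alpha, _, v, _ = trace[t - 1]
        z_prev = outs[t - 2] if t >= 2 else 0
        s_prev_alpha = s_tt[alpha] if 1 <= alpha <= t - 1 else s0[alpha]
        a_low.append((v - s_prev_alpha - z_prev) % mod)
    return [s0[d] for d in range(M)], a_low

def recovery_matches(seed=7, tau=2 * N + THETA2):
    """True iff both recoveries agree with the real S_0 and a_t modulo 2^tau."""
    rng = random.Random(seed)
    s0 = [rng.getrandbits(K) for _ in range(M)]
    outs, trace = isaac_trace(s0, M + 1)
    got_s0, got_a = recover_low_bits(outs, trace, tau)
    mod = 1 << tau
    return got_s0 == [v % mod for v in s0] and got_a == [tr[3] % mod for tr in trace[:M]]
```

Running `recovery_matches()` with the default $\tau = 2n + \theta_2 = 18$ returns True, i.e. the $18m$ guessed bits of Step 1 together with $z_1, \dots, z_m$ fix the low 18 bits of every $s_0[d]$ and every $a_t$, which is what Step 2 builds on.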
5 Conclusion

We have described a cryptanalytic algorithm against the ISAAC stream cipher. The algorithm tries to deduce the initial state in a known plaintext attack. The described method depends on the difference $K - 2n$. If $K - 2n - \theta_2 \ge 2n$, then the complexity of the attack is estimated to be less than the time of searching through the square root of all possible initial states. For the values used in the cryptosystem we get the complexity $T_{me} = 4.67 \cdot 10^{1240}$. ISAAC remains a secure cipher for practical applications.

References

[1] R. J. Jenkins, ISAAC, Fast Software Encryption, Cambridge 1996, LNCS vol. 1039, D. Gollmann (ed.), Springer-Verlag.
[2] R. J. Jenkins, ISAAC, http://ourworld.compuserve.com/homepages/bob_jenkins/isaac.htm
[3] Varfolomeev A. A., Zhukov A. E., Pudovkina M., "Analysis of Stream Ciphers", Moscow, 2000.
[4] Pudovkina M., A Cycle Structure of the Alleged RC4 Keystream Generator, Journal "Security of Information Technologies", Moscow, no. 4, 2000.