Talk:Common Scrambling Algorithm

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Fabermundi (talk | contribs) at 09:19, 9 November 2012 (Error in "external links" pdf). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Does anyone actually know how brute-force can be improved on, or if it can be improved on? topynate 23:39, 20 Sep 2004 (UTC)

I haven't heard of anything, but it wouldn't be surprising — it certainly wouldn't be the first time that a reverse-engineered proprietary encryption algorithm had been found to be weak! — Matt 12:02, 21 Sep 2004 (UTC)

Can anybody reference where to find the information about bytes 3 and 7 being checksums or if you could explain how to calculate them. - Aldebarn42

Byte form AA BB CC xx DD EE FF yy -- xx and yy are checksums, xx=AA+BB+CC, yy=DD+EE+FF. I suspect this is in the BISS specification somewhere. So that's bytes 3 and 7 when starting count at 0. —Preceding unsigned comment added by 87.194.114.122 (talk) 00:36, 23 March 2008 (UTC)
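The checksum rule from the reply above, worked through as an added example; it is not part of the original discussion and not code from libdvbcsa or the BISS specification. It assumes each sum is truncated to 8 bits so that it fits the checksum byte; the function names and the 12-digit short input form are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Rule from the comment above: byte 3 = b0+b1+b2, byte 7 = b4+b5+b6.
   Assumption of this example: each sum is truncated to 8 bits. */
static void cw_fill_checksums(uint8_t cw[8])
{
    cw[3] = (uint8_t)(cw[0] + cw[1] + cw[2]);
    cw[7] = (uint8_t)(cw[4] + cw[5] + cw[6]);
}

/* Returns 1 when both checksum bytes match the rule, 0 otherwise. */
static int cw_checksums_ok(const uint8_t cw[8])
{
    return cw[3] == (uint8_t)(cw[0] + cw[1] + cw[2]) &&
           cw[7] == (uint8_t)(cw[4] + cw[5] + cw[6]);
}

/* Parse hex text (whitespace allowed). 16 digits: full word, checksums
   verified. 12 digits (hypothetical short form AA BB CC DD EE FF):
   checksums computed. Returns 0 ok, -1 malformed, -2 checksum mismatch. */
static int cw_parse(const char *text, uint8_t cw[8])
{
    uint8_t nib[16];
    size_t n = 0;
    for (; *text; text++) {
        int c = tolower((unsigned char)*text);
        if (isspace(c)) continue;
        if (!isxdigit(c) || n == 16) return -1;
        nib[n++] = (uint8_t)(c <= '9' ? c - '0' : c - 'a' + 10);
    }
    if (n != 12 && n != 16) return -1;
    for (size_t i = 0, j = 0; i < n / 2; i++, j++) {
        if (n == 12 && (j == 3 || j == 7)) j++;   /* leave checksum slots */
        cw[j] = (uint8_t)(nib[2 * i] << 4 | nib[2 * i + 1]);
    }
    if (n == 16) return cw_checksums_ok(cw) ? 0 : -2;
    cw_fill_checksums(cw);
    return 0;
}

int main(void)
{
    uint8_t cw[8];
    int rc = cw_parse("11 22 33 44 55 66", cw);   /* constructed sample */
    printf("rc=%d cw=", rc);
    for (int i = 0; i < 8; i++) printf("%02X%c", cw[i], i < 7 ? ' ' : '\n');
    return 0;
}
```

Because bytes 3 and 7 are derived from the other six, a 64-bit word of this form carries only 48 independent bits.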


The entry says:

This fact allows practical space-time tradeoff attack where 32 bits are brute-forced, 16 bits are calculated with memory tables built from ciphertext, and 16 bits calculated as checksum with a running time of O(2^16)+O(2^32), which can be less than a second if implemented in FPGA hardware or on scalable architecture like cell processor.

Is there any reference for these affirmations? —Preceding unsigned comment added by 85.152.200.43 (talk) 18:36, 9 July 2009 (UTC)

Check http://www.cdc.informatik.tu-darmstadt.de/~kwirt/csa.pdf Implementation in an FPGA would consist of a number of parallel engines that would try to decrypt and check if the content is valid (looking for known things like MPEG headers etc.). With 42 parallel hw-threads that each test one key per clock cycle, at 50 MHz this would allow for a brute-force attempt in ~1 second, since on average we would expect to find the key after 2^31 tries for a 2^32 bit key. —Preceding unsigned comment added by 85.228.203.183 (talk) 09:24, 20 October 2009 (UTC)

The text says "This fact allows" and that's not true for a start. What would allow this is a major weakness in the alg that allows 16 bits of key to be calculated from ciphertext independently of the other 32 bits. The mere use of the numbers 32 and 16 leads me to think that this choice is arbitrary and the result of unfounded speculation. As an example, double DES is susceptible to the meet-in-the-middle attack because it consists of two short key ciphers used sequentially. There is the potential to split this into a 2^56 key store leaving a brute-force space of 57 bits. Note though single DES cannot be broken down the same way. The pdf linked does not support the claim either but does say "Cryptanalyzing both stream and block cipher at the same time seems to be a task too daunting to attempt.". A search reveals successful fault analysis attacks against the complete system but these rely on introducing errors into hardware to reveal the key it has been supplied with. Does anyone have a good reason why the brute-force in 1 second claims should not be removed from the article? Ambix (talk) 14:49, 20 May 2010 (UTC)

I've removed the 1 sec claim, changing as little else as possible. Please remember also that this cipher is a combination of a block and stream cipher and as such well known block cipher/hash breaking methods like rainbow tables do not help. I'd be happy to be corrected on that with explanation, but the lack of any such method in nearly 10 years of published research leads me to think that it cannot be that trivial. Ambix (talk) 13:29, 2 December 2010 (UTC)

Error in "external links" pdf

Hello,

there seems to be an error in the external link pdf named "Analysis of the DVB Common Scrambling Algorithm". On page 6 (200), in "Table 1", S5 is marked as a4,2;a3,2;... whereas in my opinion it should be a4,2;a3,3;... Can anyone confirm this, or am I wrong? Here are some references that also show this as being wrong:

1. In libdvbcsa, in the file "dvbcsa_stream.c" at line 124
2. http://www.emsec.rub.de/media/crypto/attachments/files/2010/04/da_diett.pdf (page 28)

Fabermundi (talk) 08:51, 9 November 2012 (UTC)