Abstract
A classical construction of stream ciphers is to combine several LFSRs with a highly non-linear Boolean function f. Their security is usually analysed in terms of correlation attacks, which can be seen as solving a system of multivariate linear equations that hold with some probability. At ICISC'02 this approach was extended to systems of higher-degree multivariate equations, giving an attack in 2^92 on Toyocrypt, a Cryptrec submission. In that attack the key is found by solving an overdefined system of algebraic equations. In this paper we show how to substantially lower the degree of these equations by multiplying them by well-chosen multivariate polynomials. Thus we are able to break Toyocrypt in 2^49 CPU clocks, with only 20 Kbytes of keystream, the fastest attack proposed so far. We also successfully attack the Nessie submission LILI-128, within 2^57 CPU clocks (not the fastest attack known). In general, we show that if the Boolean function uses only a small subset (e.g. 10) of state/LFSR bits, the cipher can be broken whatever Boolean function is used (worst case). Our new general algebraic attack breaks stream ciphers satisfying all the previously known design criteria in at most the square root of the complexity of the previously known generic attack.
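As an added illustration (not code from the paper): a toy nonlinear filter generator, a 16-bit LFSR whose output is a degree-3 Boolean function f of four state bits. Following the abstract's idea, the code finds by linear algebra polynomials g of degree 2 with f*g = 0 and (f+1)*g = 0, so that each keystream bit gives a degree-2 equation in the initial state (137 monomials) instead of a degree-3 one (697 monomials), then linearises and solves over GF(2). The LFSR taps, the filter positions, f and the secret state are all constructed for this example.

```python
from functools import reduce
from itertools import combinations, product

N, TAPS, FILTER_IN = 16, (0, 2, 3, 5), (0, 3, 7, 12)  # toy LFSR: s[t+16] = s[t]+s[t+2]+s[t+3]+s[t+5]
ONE = frozenset()                                     # polynomials are sets of monomials (frozensets of vars)
F = {frozenset({0, 1, 2}), frozenset({0, 3}), frozenset({2, 3})}  # f = x0x1x2 + x0x3 + x2x3, degree 3
def evalp(poly, x):                                   # evaluate a GF(2) polynomial at bit vector x
    return sum(all(x[i] for i in m) for m in poly) & 1
def monomials(nvars, deg):                            # all monomials of degree <= deg, constant term last
    return [frozenset(c) for d in range(deg, 0, -1) for c in combinations(range(nvars), d)] + [ONE]
def rref(rows, ncols):                                # GF(2) elimination; rows are int bitmasks, bit i = column i
    pivots = {}                                       # pivot column -> row reduced against every other pivot
    for col in range(ncols):
        piv = next((r for r in rows if r >> col & 1), None)
        if piv is not None:
            rows = [r ^ piv if r >> col & 1 else r for r in rows if r != piv]
            pivots = {c: r ^ piv if r >> col & 1 else r for c, r in pivots.items()}
            pivots[col] = piv
    return pivots

def annihilator(f, nvars, deg):                       # nonzero g, deg(g) <= deg, with f*g = 0; None if none exists
    monos = monomials(nvars, deg)                     # unknowns: coefficients of g; one equation per x with f(x) = 1
    rows = [sum(evalp({m}, x) << i for i, m in enumerate(monos))
            for x in product((0, 1), repeat=nvars) if evalp(f, x)]
    piv = rref(rows, len(monos))                      # scan from the constant column so g has a constant term
    free = next((c for c in reversed(range(len(monos))) if c not in piv), None)  # when possible: without one,
    return None if free is None else {monos[free]} | {monos[c] for c, r in piv.items() if r >> free & 1}  # 0 fits

def keystream(state, nbits):                          # the generator itself, run numerically
    out = []
    for _ in range(nbits):
        out.append(evalp(F, [state[p] for p in FILTER_IN]))
        state = state[1:] + [sum(state[t] for t in TAPS) & 1]
    return out

def recover_state(z, deg=2):                          # the attack: multiply f by annihilators, then linearise
    g1, g0 = annihilator(F, 4, deg), annihilator(F ^ {ONE}, 4, deg)  # z=1 gives g1(s)=0, z=0 gives g0(s)=0
    monos = monomials(N, deg)
    idx, rhs = {m: i for i, m in enumerate(monos)}, len(monos) - 1   # constant column doubles as the RHS
    lin, rows = [frozenset({i}) for i in range(N)], []                # state bits as linear forms in unknowns
    for zt in z:
        poly = set()                                  # (g1 or g0)(state at time t), expanded over the unknowns
        for m in (g1 if zt else g0) or ():            # a missing annihilator just contributes no equation
            for choice in product(*[lin[FILTER_IN[v]] for v in m]):
                poly ^= {frozenset(choice)}           # x_a * x_a = x_a, so a product of forms stays degree <= 2
        rows.append(sum(1 << idx[m] for m in poly))
        lin = lin[1:] + [reduce(frozenset.symmetric_difference, (lin[t] for t in TAPS))]
    piv = rref(rows, rhs)
    if len(piv) != rhs:                               # linearised system not of full rank: need more keystream
        return None
    return [piv[idx[frozenset({i})]] >> rhs & 1 for i in range(N)]
```

With about 1500 keystream bits the 136 linearised unknowns are determined and `recover_state` returns the initial LFSR state; `annihilator(F, 4, 1)` returns None, which is why degree 2 is the best this f allows.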
© 2003 International Association for Cryptologic Research
Courtois, N.T., Meier, W. (2003). Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (eds) Advances in Cryptology — EUROCRYPT 2003. EUROCRYPT 2003. Lecture Notes in Computer Science, vol 2656. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39200-9_21
DOI: https://doi.org/10.1007/3-540-39200-9_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-14039-9
Online ISBN: 978-3-540-39200-2