Abstract

Algebraic attacks on stream ciphers [9] recover the key by solving an overdefined system of multivariate equations. Such attacks can break several interesting cases of LFSR-based stream ciphers, when the output is obtained by a Boolean function, see [9--11]. Recently this approach has been successfully extended also to combiners with memory, provided the number of memory bits is small, see [1, 11, 2]. In [2] it is shown that, for ciphers built with LFSRs and an arbitrary combiner using a subset of k LFSR state bits, and with l state/memory bits, a polynomial attack always exists when k and l are fixed. Yet this attack very quickly becomes impractical: already when k and l exceed about 4. In this paper we give a much simpler proof of this result from [2], and prove a more general theorem. We show that much better algebraic attacks exist for ciphers that (in order to be fast) output several bits at a time. In practice our result substantially reduces the complexity of the best known attack on three well-known constructions of stream ciphers when the number of outputs is increased. We present attacks on modified versions of Snow, E0 and LILI-128 that are apparently the fastest known.

Key Words: LFSR-based stream ciphers, algebraic attacks on stream ciphers, pseudorandom generators, multivariate equations, overdefined problems, linearization, XL algorithm,
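The linearization step the abstract describes, as an added illustration that is not code from the paper: a constructed 6-bit LFSR filter generator with a degree-2 output function is written symbolically, every monomial in the key bits becomes one unknown, and Gauss-Jordan elimination over GF(2) reads the key off once the keystream gives enough equations. A second output function per clock is then added to show the simpler part of the paper's observation, that more output bits per clock yield more equations per clock and so need fewer clocks of keystream (the paper's stronger point about lower-degree relations is not modelled here); the toy cipher, its taps and all function names are assumptions.

```python
from itertools import combinations
from functools import reduce
N = 6  # toy LFSR length (constructed example, not a real cipher); feedback x^6 + x + 1 is primitive
# Degree-2 output functions over the state window s[0..5], each term a tuple of tap indices; the
# single-output cipher uses F[0] only, the "two outputs per clock" variant uses F[0] and F[1].
F = [((0, 2), (3,), (5,)), ((1, 4), (0,), (2,))]
# A polynomial over GF(2) is a set of monomials; a monomial is a frozenset of key-bit indices.
MONOS = [frozenset(c) for d in (1, 2) for c in combinations(range(N), d)]
COL = {m: i for i, m in enumerate(MONOS)}  # linearization: one unknown per monomial, x_i at column i

def pmul(a, b):  # product of two polynomials, using x_i^2 = x_i
    out = set()
    for m in a:
        for n in b:
            out ^= {m | n}
    return out

def equations(key, n_clocks, outputs):  # linearized equations: (bitmask over MONOS, observed bit)
    state = [{frozenset({i})} for i in range(N)]  # state bits as polynomials in the key bits
    rows = []
    for _ in range(n_clocks):
        for f in outputs:
            z = set()  # symbolic output bit: public structure, only its value is secret
            for term in f:
                z ^= reduce(pmul, (state[i] for i in term))
            mask = sum(1 << COL[m] for m in z if m)
            bit = sum(all(key[i] for i in m) for m in z) & 1  # the keystream bit the attacker sees
            rows.append((mask, bit ^ (frozenset() in z)))  # a constant term moves to the right side
        state = state[1:] + [state[0] ^ state[1]]  # x_{t+6} = x_t + x_{t+1}
    return rows

def solve_key(rows):  # Gauss-Jordan over GF(2): initial state, or None while some x_i is undetermined
    piv = {}  # pivot column -> fully reduced (mask, rhs)
    for mask, rhs in rows:
        for c, (pm, pr) in piv.items():
            if mask >> c & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask:
            c = mask.bit_length() - 1
            piv = {k: (v[0] ^ mask, v[1] ^ rhs) if v[0] >> c & 1 else v for k, v in piv.items()}
            piv[c] = (mask, rhs)
    sol = [piv.get(i, (0, 0)) for i in range(N)]  # x_i is known iff its pivot row is the unit vector
    return None if any(r[0] != 1 << i for i, r in enumerate(sol)) else [r[1] for r in sol]

def clocks_needed(key, outputs):  # fewest keystream clocks after which the whole state is recovered
    for t in range(1, 2 ** N):
        sol = solve_key(equations(key, t, outputs))
        if sol:
            return t, sol
    return None, None
```

Running `clocks_needed(key, F[:1])` and `clocks_needed(key, F)` for the same constructed key recovers the key in both cases, and the two-output variant needs no more clocks than the single-output one because each clock contributes twice as many linear equations in the same set of monomials.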
Citations

Fast Algebraic Attacks on Stream Ciphers with Linear Feedback – Courtois – 2003 (102 citations)
Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication – Barkan, Biham, Keller (31 citations)
a new stream cipher – Ekdahl, Johansson, et al. – 2000 (15 citations)
A new version of the stream cipher SNOW – Ekdahl, Johansson – 2002 (14 citations)
Cryptanalysis of the Matsumoto and Imai Public Key Scheme – Jacques Patarin (14 citations)
Matrix multiplication via arithmetic progressions – Coppersmith, Shmuel Winograd – 1990 (12 citations)
Rewriting variables: the complexity of fast algebraic attacks on stream ciphers – Hawkes, Rose – 2004 (10 citations)
Efficient Algorithms for solving Overdefined – Shamir, Patarin, et al. (8 citations)
Cryptanalysis of Block Ciphers with Overdefined Systems of Equations, Asiacrypt 2002 – Nicolas Courtois, Josef Pieprzyk (7 citations)
Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt – Nicolas Courtois (6 citations)
Algebraic attacks and decomposition of Boolean functions – Meier, Enes Pasalic, Claude Carlet – 2004 (6 citations)
On a new notion of nonlinearity relevant to multi-output pseudo-random generators – Carlet, Prouff – 2004 (5 citations)
On Security of Nonlinear Filter Generators – Dj. Golic – 1996 (5 citations)
Searching for the Optimum Correlation Attack – Ross Anderson (4 citations)
Cryptanalysis of stream ciphers with linear masking, Crypto 2002, LNCS 2442 – Coppersmith, Shai Halevi, Charanjit Jutla – 2002 (4 citations)
The security of Hidden Field Equations (HFE); Cryptographers – Nicolas Courtois – 2001 (4 citations)
Improving Fast Algebraic Attacks – Frederik Armknecht – 2004 (4 citations)
General Principles of Algebraic Attacks and New Design Criteria for Components of Symmetric Ciphers – Nicolas Courtois – 2005 (4 citations)
A Linearization Attack on the Bluetooth Key Stream Generator, available on http://eprint.iacr.org/2002/191 – Frederik Armknecht – 2003 (3 citations)
The security of Hidden Field Equations – Nicolas Courtois (3 citations)
Correlation Properties of a General Binary Combiner with Memory – Dj. Golic – 1996 (3 citations)
The Inverse S-box, Non-linear Polynomial Relations and Cryptanalysis of Block Ciphers – Nicolas Courtois – 2005 (3 citations)
Guess-and-determine attacks on – Hawkes, Rose – 1998 (2 citations)
A Low cost high speed encryption system and method – Mayhew – 1994 (2 citations)
Cryptanalysis of Block Ciphers with Probabilistic Non-Linear – Thomas Jakobsen – 1998 (2 citations)
Guess and Determine Attack on SNOW, Nessie public report, 12/11/2001, NES/DOC/KUL/WP5/011/a, available from www.cryptonessie.org – Christophe De Canniere – 1989 (1 citation)
Linear Cryptanalysis – Golic, Guglielmo Morgari (1 citation)
Correlation Properties of Combiners with Memory in Stream Ciphers, Journal of Cryptology 5(1 – Meier, Othmar Staffelbach – 1992 (1 citation)
Turing: a Fast Stream – Rose, Hawkes – 2003 (1 citation)
Specification of the Bluetooth system, Version 1.1, February 22 2001, available from www.bluetooth.com – Bluetooth CIG (1 citation)
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers – Zhang, Agnes Chan – 2000 (1 citation)