Results 1 - 10 of 112
Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt
2002
Cited by 46 (6 self)
Abstract. A popular technique to construct stream ciphers is to use a linear sequence generator with a very large period and good statistical properties and a non-linear filter. There is abundant literature on how to use linear approximations of this non-linear function to attack the cipher, which is known as (fast) correlation attacks. In this paper we explore non-linear approximations, much less well known. We will reduce the cryptanalysis of a stream cipher to solving an overdefined system of multivariate equations. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving systems of overdefined multivariate quadratic equations over finite fields. The exact complexity of the XL algorithm remains an open problem, and some authors such as T.T. Moh have expressed serious doubts whether it actually works very well. However, there is no doubt that such methods work very well for largely overdefined systems (many more equations than variables), and we confirm this by computer simulations. Luckily, the systems we obtain in cryptanalysis of stream ciphers are precisely very overdefined. In this paper we will show how to break efficiently stream ciphers that are known to be immune to all the previously known attacks. For example, we will be able to break the stream
Algebraic Attacks and Decomposition of Boolean Functions
In Advances in Cryptology - EUROCRYPT 2004, 2004
Cited by 37 (5 self)
Abstract. Algebraic attacks on LFSR-based stream ciphers recover the secret key by solving an overdefined system of multivariate algebraic equations. They exploit multivariate relations involving key bits and output bits and become very efficient if such relations of low degrees may be found. Low degree relations have been shown to exist for several well known constructions of stream ciphers immune to all previously known attacks. Such relations may be derived by multiplying the output function of a stream cipher by a well chosen low degree function such that the product function is again of low degree. In view of algebraic attacks, low degree multiples of Boolean functions are a basic concern in the design of stream ciphers as well as of block ciphers. This paper investigates the existence of low degree multiples of Boolean functions in several directions: the known scenarios under which low degree multiples exist are reduced and simplified to two scenarios, which are treated differently in algebraic attacks. A new algorithm is proposed that allows one to decide successfully whether a Boolean function has low degree multiples. This represents a significant step towards provable security against algebraic attacks. Furthermore, it is shown that a recently introduced class of degree optimized Maiorana-McFarland functions immanently has low degree multiples. Finally, the probability that a random Boolean function has a low degree multiple is estimated.
Algebraic Attacks on Combiners with Memory and Several Outputs
Proc. of ICISC'04, 2004
Cited by 23 (2 self)
Abstract. Algebraic attacks on stream ciphers [9] recover the key by solving an overdefined system of multivariate equations. Such attacks can break several interesting cases of LFSR-based stream ciphers, when the output is obtained by a Boolean function, see [9–11]. Recently this approach has been successfully extended also to combiners with memory, provided the number of memory bits is small, see [1, 11, 2]. In [2] it is shown that, for ciphers built with LFSRs and an arbitrary combiner using a subset of k LFSR state bits, and with l state/memory bits, a polynomial attack always does exist when k and l are fixed. Yet this attack becomes very quickly impractical: already when k and l exceed about 4. In this paper we give a much simpler proof of this result from [2], and prove a more general theorem. We show that much better algebraic attacks exist for ciphers that (in order to be fast) output several bits at a time. In practice our result substantially reduces the complexity of the best attack known on three well known constructions of stream ciphers when the number of outputs is increased. We present attacks on modified versions of Snow, E0 and LILI-128 that are apparently the fastest known. Key Words: LFSR-based stream ciphers, algebraic attacks on stream ciphers, pseudorandom generators, multivariate equations, overdefined problems, linearization, XL algorithm,
On the Algebraic Immunity of Symmetric Boolean Functions
In Indocrypt 2005, number 3797 in LNCS, 2005
Cited by 22 (1 self)
In this paper, we analyse the algebraic immunity of symmetric Boolean functions.
Algebraic and Slide Attacks on KeeLoq
Cited by 20 (2 self)
Abstract. KeeLoq is a block cipher used in wireless devices that unlock the doors and alarms in cars manufactured by Chrysler, Daewoo, Fiat,
Cube Attacks on Tweakable Black Box Polynomials
Cited by 20 (2 self)
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF(2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2^55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2^19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2^30 bit operations, and by extrapolating our experimentally verified complexities for various sizes, we have reasons to believe that cube attacks will remain faster than exhaustive search even for 1024 initialization rounds. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds,
SFLASHv3 - A Fast Asymmetric Signature Scheme - Revised Specification of SFLASH, version 3.0.
2003
"... this paper, see [27] ..."
Algebraic Cryptanalysis of the Data Encryption Standard
In preparation. See IACR e-print, 2006
Cited by 18 (5 self)
In spite of growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. The triple
Efficient computation of algebraic immunity for algebraic and fast algebraic attacks
2006
Cited by 18 (7 self)
Abstract. In this paper we propose several efficient algorithms for assessing the resistance of Boolean functions against algebraic and fast algebraic attacks when implemented in LFSR-based stream ciphers. An algorithm is described which permits to compute the algebraic immunity d of a Boolean function with n variables in O(D^2) operations, for $D \approx \binom{n}{d}$, rather than in O(D^3) operations necessary in all previous algorithms. Our algorithm is based on multivariate polynomial interpolation. For assessing the vulnerability of arbitrary Boolean functions with respect to fast algebraic attacks, an efficient generic algorithm is presented that is not based on interpolation. This algorithm is demonstrated to be particularly efficient for symmetric Boolean functions. As an application it is shown that large classes of symmetric functions are very vulnerable to fast algebraic attacks despite their proven resistance against conventional algebraic attacks.
Faster correlation attack on Bluetooth keystream generator E0
In Advances in Cryptology – CRYPTO'04, LNCS 3152, 2004
Cited by 16 (4 self)
Abstract. We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth, by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be the largest for the first time. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher due to the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on fast Walsh transform to recover the closest codeword for any linear code of dimension L and length n. It requires time O(n + L · 2^L) and memory min(n, 2^L). This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in 2^39 time given 2^39 consecutive bits after O(2^37) precomputation. This is the best known attack against E0 so far.