Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt
2002
Cited by 57 (8 self)
Abstract. A popular technique to construct stream ciphers is to use a linear sequence generator with a very large period and good statistical properties and a nonlinear filter. There is abundant literature on how to use linear approximations of this nonlinear function to attack the cipher, which is known as (fast) correlation attacks. In this paper we explore nonlinear approximations, which are much less well known. We will reduce the cryptanalysis of a stream cipher to solving an overdefined system of multivariate equations. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir introduced the XL algorithm for solving systems of overdefined multivariate quadratic equations over finite fields. The exact complexity of the XL algorithm remains an open problem, and some authors such as T. T. Moh have expressed serious doubts whether it actually works very well. However, there is no doubt that such methods work very well for largely overdefined systems (many more equations than variables), and we confirm this by computer simulations. Luckily, the systems we obtain in cryptanalysis of stream ciphers are precisely very overdefined. In this paper we will show how to efficiently break stream ciphers that are known to be immune to all the previously known attacks. For example, we will be able to break the stream
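Added worked example (not code from the paper above; the toy cipher, its parameters and every function name are constructed here for illustration). The attack the abstract describes, at its smallest useful size: a 7-bit LFSR with feedback polynomial x^7 + x + 1 filtered by the degree-2 function f(s) = s_0 s_3 + s_5. Each keystream bit is a quadratic polynomial in the 7 unknown initial-state bits; treating each of the 7 + 21 = 28 monomials as an independent unknown (linearization, which is XL with no multiplication step) turns 28 or more keystream bits into a linear system over GF(2) that determines the state. With fewer keystream bits the system is underdetermined and the attack reports failure instead of guessing.

```python
import itertools

# Constructed toy filter generator (not a real cipher): a 7-bit LFSR with
# feedback s_{t+7} = s_t + s_{t+1} (x^7 + x + 1, primitive) filtered by the
# degree-2 function f(s) = s_0 * s_3 + s_5 applied to the current state window.
N = 7
PRODUCT, LINEAR = (0, 3), 5
MONOMIALS = [(i,) for i in range(N)] + list(itertools.combinations(range(N), 2))
COLUMN = {m: idx for idx, m in enumerate(MONOMIALS)}   # linearized unknown per monomial


def clock(state):
    """One Fibonacci LFSR clock; state[i] holds s_{t+i}."""
    return state[1:] + [state[0] ^ state[1]]


def keystream(state, length):
    """The cipher: filter the state window, then clock."""
    out = []
    for _ in range(length):
        out.append((state[PRODUCT[0]] & state[PRODUCT[1]]) ^ state[LINEAR])
        state = clock(state)
    return out


def gf2_solve(rows, n):
    """Gaussian elimination over GF(2). A row is an int: bit i is the coefficient
    of unknown i, bit n the right-hand side. Returns the unique solution, or
    None if the system is inconsistent or leaves some unknown undetermined."""
    pivot = {}                                  # column -> echelon row whose lowest set bit is that column
    for r in rows:
        for c in range(n):
            if r >> c & 1:
                if c in pivot:
                    r ^= pivot[c]               # cancel column c with the stored pivot row
                else:
                    pivot[c] = r
                    break
        else:
            if r:                               # every coefficient cancelled, right-hand side is 1
                return None
    if len(pivot) < n:
        return None
    sol = [0] * n
    for c in sorted(pivot, reverse=True):       # back-substitution from the highest column
        r = pivot[c]
        sol[c] = (r >> n & 1) ^ (sum(sol[d] for d in range(c + 1, n) if r >> d & 1) & 1)
    return sol


def linearization_attack(z):
    """Recover the initial state s_0..s_6 from keystream bits z.
    State bits are tracked symbolically as linear forms over s_0..s_6 (bitmasks);
    z_t = L_a(s) * L_b(s) + L_c(s) expands into monomials, and every monomial
    becomes one unknown of a linear system (linearization)."""
    forms = [1 << i for i in range(N)]          # at t = 0 the window is the variables themselves
    rows = []
    for z_t in z:
        a, b = forms[PRODUCT[0]], forms[PRODUCT[1]]
        row = forms[LINEAR]                     # degree-1 columns coincide with bit positions
        for i in range(N):
            for j in range(N):
                if a >> i & 1 and b >> j & 1:
                    mono = (i,) if i == j else (min(i, j), max(i, j))   # s_i * s_i = s_i over GF(2)
                    row ^= 1 << COLUMN[mono]
        rows.append(row | (z_t << len(MONOMIALS)))
        forms = forms[1:] + [forms[0] ^ forms[1]]   # clock the LFSR symbolically
    sol = gf2_solve(rows, len(MONOMIALS))
    return None if sol is None else sol[:N]     # the degree-1 unknowns are the state bits


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1]              # constructed secret initial state
    observed = keystream(secret, 2 * len(MONOMIALS))
    print("recovered", linearization_attack(observed), "from", len(observed), "bits; secret", secret)
```

For this feedback polynomial and filter the 56 equations have rank 28 for every nonzero initial state (the filtered sequence has the maximal linear complexity 7 + 21), so the linearized system has exactly one solution and no guessing of monomials is needed; a longer register or a higher-degree filter makes the number of monomials, not the number of state bits, the cost that matters.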
Cube Attacks on Tweakable Black Box Polynomials
Cited by 46 (4 self)
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF(2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2^55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2^19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2^30 bit operations, and by extrapolating our experimentally verified complexities for various sizes, we have reasons to believe that cube attacks will remain faster than exhaustive search even for 1024 initialization rounds. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds,
Algebraic attacks on combiners with memory
Advances in Cryptology – Crypto 2003, LNCS 2729, 2003
Cited by 45 (6 self)
Abstract. Recently, algebraic attacks were proposed to attack several cryptosystems, e.g. AES, LILI-128 and Toyocrypt. This paper extends the use of algebraic attacks to combiners with memory. A (k, l)-combiner consists of k parallel linear feedback shift registers (LFSRs), and the nonlinear filtering is done via a finite automaton with k input bits and l memory bits. It is shown that for (k, l)-combiners, nontrivial canceling relations of degree at most ⌈k(l+1)/2⌉ exist. This makes algebraic attacks possible. Also, a general method is presented to check for such relations with an even lower degree. This makes it possible to show the invulnerability of certain (k, l)-combiners against this kind of algebraic attack. On the other hand, this can also be used as a tool to find improved algebraic attacks. Inspired by this method, the E0 keystream generator from the Bluetooth standard is analyzed. As it turns out, a secret key can be recovered by solving a system of linear equations with 2^23.07 unknowns. To our knowledge, this is the best published attack on the E0 keystream generator yet.
Algebraic Attacks and Decomposition of Boolean Functions
In Advances in Cryptology – EUROCRYPT 2004, 2004
Cited by 44 (6 self)
Abstract. Algebraic attacks on LFSR-based stream ciphers recover the secret key by solving an overdefined system of multivariate algebraic equations. They exploit multivariate relations involving key bits and output bits and become very efficient if such relations of low degree can be found. Low degree relations have been shown to exist for several well known constructions of stream ciphers immune to all previously known attacks. Such relations may be derived by multiplying the output function of a stream cipher by a well chosen low degree function such that the product function is again of low degree. In view of algebraic attacks, low degree multiples of Boolean functions are a basic concern in the design of stream ciphers as well as of block ciphers. This paper investigates the existence of low degree multiples of Boolean functions in several directions: The known scenarios under which low degree multiples exist are reduced and simplified to two scenarios, that are treated differently in algebraic attacks. A new algorithm is proposed that decides whether a Boolean function has low degree multiples. This represents a significant step towards provable security against algebraic attacks. Furthermore, it is shown that a recently introduced class of degree optimized Maiorana-McFarland functions immanently has low degree multiples. Finally, the probability that a random Boolean function has a low degree multiple is estimated.
Algebraic Cryptanalysis of the Data Encryption Standard
In preparation; see IACR ePrint, 2006
Cited by 38 (11 self)
In spite of growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. The triple
Algebraic and Slide Attacks on KeeLoq
Cited by 34 (5 self)
Abstract. KeeLoq is a block cipher used in wireless devices that unlock the doors and alarms in cars manufactured by Chrysler, Daewoo, Fiat,
QUAD: a Practical Stream Cipher with Provable Security
In EUROCRYPT 2006, volume 4004 of LNCS, 2006
Cited by 29 (1 self)
Abstract. We introduce a practical synchronous stream cipher with provable security named QUAD. The cipher relies on the iteration of a multivariate quadratic system of m equations in n < m unknowns over a finite field. The security of QUAD is provably reducible to the conjectured intractability of the MQ problem, namely solving a multivariate system of quadratic equations.
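Added example of the keystream iteration the abstract describes (not the authors' code; the toy size n = 16 with m = 2n equations, the RNG seed and the function names are this example's assumptions, and the key/IV loading phase of the real cipher is omitted). The public quadratic system S maps the n-bit secret state to m output bits: the first n bits become the next state, the remaining m - n bits are keystream, and the security argument rests on nothing but the hardness of inverting S.

```python
import random


def random_quadratic_system(n, m, seed):
    """Constructed public MQ system S: GF(2)^n -> GF(2)^m of m random quadratic
    polynomials. Each is stored as (quadratic pairs, linear bitmask, constant):
    Q(x) = sum of x_i x_j over the pairs + sum of x_i over set bits + constant."""
    rng = random.Random(seed)
    system = []
    for _ in range(m):
        pairs = [(i, j) for i in range(n) for j in range(i + 1, n) if rng.getrandbits(1)]
        system.append((pairs, rng.getrandbits(n), rng.getrandbits(1)))
    return system


def evaluate(system, x):
    """Evaluate every polynomial of S at the bit list x."""
    out = []
    for pairs, linear, const in system:
        v = const
        for i, j in pairs:
            v ^= x[i] & x[j]
        for i, xi in enumerate(x):
            if linear >> i & 1:
                v ^= xi
        out.append(v)
    return out


def quad_keystream(system, state, nbits):
    """QUAD iteration: y = S(x); y[:n] is the next state, y[n:] is keystream."""
    n = len(state)
    assert len(system) > n, "need m > n equations so that some outputs remain for keystream"
    ks = []
    while len(ks) < nbits:
        y = evaluate(system, state)
        state, ks = y[:n], ks + y[n:]
    return ks[:nbits]


if __name__ == "__main__":
    n = 16
    S = random_quadratic_system(n, 2 * n, seed=2006)   # public system, published with the cipher
    state = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]   # constructed secret state
    print("".join(map(str, quad_keystream(S, state, 64))))
```

Each clock exposes m - n quadratic polynomials of the current state to the attacker, so the chosen ratio m/n trades throughput against how overdefined the system an attacker could write down becomes; this toy n is far below anything the reduction would call secure.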
On the Algebraic Immunity of Symmetric Boolean Functions
In Indocrypt 2005, number 3797 in LNCS, 2005
Cited by 28 (1 self)
In this paper, we analyse the algebraic immunity of symmetric Boolean functions.
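Added example (not code from this paper or from the EUROCRYPT 2004 paper on low degree multiples above; the function names are this example's) computing the algebraic immunity of a Boolean function given by its truth table, i.e. the least degree of a nonzero annihilator of f or of f + 1. Deciding whether an annihilator g of degree at most d exists is linear algebra: g must vanish on the support of f, so every input x with f(x) = 1 gives one linear equation in the coefficients of g's algebraic normal form, and any nonzero kernel vector is an annihilator. The majority function, the standard symmetric function with maximal immunity, is used as the test input.

```python
import itertools


def truth_table(func, n):
    """Truth table of a Boolean function on n inputs; input index x carries x_i in bit i."""
    return [func([x >> i & 1 for i in range(n)]) & 1 for x in range(1 << n)]


def majority(bits):
    """Symmetric majority function: 1 iff more than half of the inputs are 1."""
    return int(sum(bits) > len(bits) // 2)


def gf2_kernel_vector(rows, ncols):
    """A nonzero c in GF(2)^ncols with r . c = 0 for every row r (rows are ints,
    bit j = coefficient of c_j), or None when the rows have full column rank."""
    pivot = {}                                  # lowest set bit -> echelon row
    for r in rows:
        while r:
            low = r & -r
            if low in pivot:
                r ^= pivot[low]
            else:
                pivot[low] = r
                break
    free = [j for j in range(ncols) if (1 << j) not in pivot]
    if not free:
        return None
    c = [0] * ncols
    c[free[0]] = 1                              # fix one free coefficient; the pivots follow
    for low in sorted(pivot, reverse=True):     # back-substitute from the highest pivot column
        j = low.bit_length() - 1
        c[j] = sum(c[d] for d in range(j + 1, ncols) if pivot[low] >> d & 1) & 1
    return c


def annihilator(table, n, d):
    """A nonzero g with deg g <= d and f * g = 0, as the list of monomials of its
    ANF (tuples of variable indices), or None if none exists. Since g must vanish
    on supp(f), each x with f(x) = 1 gives one linear equation in the coefficients
    of g; monomial m is 1 at x iff all of m's variables are set in x."""
    monos = [m for k in range(d + 1) for m in itertools.combinations(range(n), k)]
    masks = [sum(1 << i for i in m) for m in monos]
    rows = [sum(1 << j for j, mk in enumerate(masks) if mk & x == mk)
            for x in range(1 << n) if table[x]]
    c = gf2_kernel_vector(rows, len(masks))
    return None if c is None else [monos[j] for j in range(len(masks)) if c[j]]


def eval_anf(monos, x):
    """Evaluate an ANF given as a monomial list at input index x."""
    return sum(1 for m in monos if all(x >> i & 1 for i in m)) & 1


def algebraic_immunity(table, n):
    """AI(f): the least degree of a nonzero annihilator of f or of f + 1.
    An annihilator g of f turns every keystream bit z = f(x) = 1 into the
    degree-deg(g) equation g(x) = 0; one of f + 1 does the same for z = 0."""
    complement = [b ^ 1 for b in table]
    for d in range(n + 1):
        if annihilator(table, n, d) is not None or annihilator(complement, n, d) is not None:
            return d
    return n                                    # never reached: f + 1 itself annihilates f


if __name__ == "__main__":
    for n in (3, 5, 7):
        print("AI(majority on %d variables) = %d" % (n, algebraic_immunity(truth_table(majority, n), n)))
```

The immunity found for the majority function on 3, 5 and 7 variables is 2, 3 and 4, the maximum ⌈n/2⌉ any n-variable function can have; an annihilator of degree d found this way is exactly what turns each keystream bit into a degree-d equation in the state for the algebraic attacks listed above, so a filter with low immunity is a filter whose linearized system is small.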
Algebraic Attacks on Combiners with Memory and Several Outputs
Proc. of ICISC’04, 2004
Cited by 27 (2 self)
Abstract. Algebraic attacks on stream ciphers [9] recover the key by solving an overdefined system of multivariate equations. Such attacks can break several interesting cases of LFSR-based stream ciphers, when the output is obtained by a Boolean function, see [9–11]. Recently this approach has also been successfully extended to combiners with memory, provided the number of memory bits is small, see [1, 11, 2]. In [2] it is shown that, for ciphers built with LFSRs and an arbitrary combiner using a subset of k LFSR state bits, and with l state/memory bits, a polynomial attack always exists when k and l are fixed. Yet this attack very quickly becomes impractical: already when k and l exceed about 4. In this paper we give a much simpler proof of this result from [2], and prove a more general theorem. We show that much better algebraic attacks exist for ciphers that (in order to be fast) output several bits at a time. In practice our result substantially reduces the complexity of the best known attack on three well known constructions of stream ciphers when the number of outputs is increased. We present attacks on modified versions of Snow, E0 and LILI-128 that are apparently the fastest known. Key Words: LFSR-based stream ciphers, algebraic attacks on stream ciphers, pseudorandom generators, multivariate equations, overdefined problems, linearization, XL algorithm,
Comparison between XL and Gröbner Basis Algorithms
ASIACRYPT 2004, LECTURE, 2004
Cited by 27 (10 self)
This paper compares the XL algorithm with known Gröbner basis algorithms. We show that solving a system of algebraic equations via the XL algorithm is equivalent to calculating the reduced Gröbner basis of the ideal associated with the system. Moreover, we show that the XL algorithm is also a Gröbner basis algorithm, which can be represented as a redundant variant of the Gröbner basis algorithm F4. Then we compare these algorithms on semi-regular sequences, which conjecturally correspond to almost all polynomial systems, in two cases: over the fields F2 and Fq with q ≫ n. We show that the size of the matrix constructed by XL is large compared to the ones of the F5 algorithm. Finally, we give an experimental comparison of XL and the Buchberger algorithm on the cryptosystem HFE and find that the Buchberger algorithm behaves better.