## Algebraic Attacks on Stream Ciphers with Linear Feedback (2003)


Citations: 217 (22 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Courtois03algebraicattacks,
  author    = {Nicolas T. Courtois and Willi Meier},
  title     = {Algebraic Attacks on Stream Ciphers with Linear Feedback},
  booktitle = {Advances in Cryptology -- EUROCRYPT 2003},
  year      = {2003},
  pages     = {345--359},
  publisher = {Springer-Verlag}
}
```

### Abstract

A classical construction of stream ciphers is to combine several LFSRs and a highly non-linear Boolean function f. Their security is usually studied in terms of correlation attacks, which can be seen as solving a system of multivariate linear equations that hold with some probability. At ICISC'02 this approach was extended to systems of higher-degree multivariate equations, giving an attack in 2 for Toyocrypt, a Cryptrec submission.
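The approach the abstract describes, as an added worked example in Python (it is not code from the paper): a constructed 16-bit LFSR filter generator whose filter f = x1·x2·x3 + x4 has degree 3, so direct linearisation of z_t = f(L^t(k)) would need every monomial of degree at most 3 in the key bits (696 unknowns); multiplying f by g = x_j + 1 for j = 1, 2, 3 kills the cubic term, (x_j + 1)·f = x_j·x4 + x4, so each keystream bit gives a quadratic relation z_t·g(s_t) + (f·g)(s_t) = 0 in the key bits and the linearised system has at most 136 unknowns. The LFSR taps, the filter, the secret key and the 300-bit keystream are all constructed for this example. Linearised systems of this kind can have a small rank defect, so the solver enumerates whatever monomials are left free and keeps the candidate key that regenerates the keystream.

```python
"""Algebraic attack on a toy LFSR filter generator (added example, not the paper's code).
Constructed cipher: 16-bit LFSR, feedback taps 0,2,3,5 (x^16+x^14+x^13+x^11+1),
filtered by f(x1,x2,x3,x4) = x1*x2*x3 + x4 read from state positions 0,1,2,3.
(x_j + 1)*f = x_j*x4 + x4 for j = 1,2,3, so z_t*g(s_t) + (f*g)(s_t) = 0 is quadratic."""
from functools import reduce
import operator

N = 16                    # LFSR length = key length (toy parameter)
TAPS = (0, 2, 3, 5)       # Fibonacci feedback positions
ONE = frozenset()         # the constant monomial 1

def step(state):
    """One LFSR clock; works on 0/1 ints and on GF(2) polynomials stored as sets."""
    fb = reduce(operator.xor, (state[i] for i in TAPS))
    return state[1:] + [fb]

def keystream(key, length):
    """Concrete keystream z_t = f(s_t) with f = s0*s1*s2 + s3."""
    s, out = list(key), []
    for _ in range(length):
        out.append((s[0] & s[1] & s[2]) ^ s[3])
        s = step(s)
    return out

def pmul(p, q):
    """Product of GF(2) polynomials given as sets of monomials; a monomial is a
    frozenset of variable indices, and x_i^2 = x_i so a|b merges two monomials."""
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}
    return r

def degree(p):
    return max(len(m) for m in p)

F_POLY = {frozenset([0, 1, 2]), frozenset([3])}      # f, with x1..x4 = s0..s3

def equations(z):
    """For every t and every multiplier g = x_j + 1: z_t*g + f*g = 0 in key bits."""
    s = [{frozenset([i])} for i in range(N)]          # state bits as linear forms in k
    eqs = []
    for zt in z:
        x4 = s[3]
        for j in (0, 1, 2):
            fg = pmul(s[j], x4) ^ x4                  # (x_j + 1)*f = x_j*x4 + x4
            g = s[j] ^ {ONE}
            eqs.append(fg ^ g if zt else set(fg))
        s = step(s)
    return eqs

def linearize(eqs):
    """One column per non-constant monomial; rows are int bitmasks, and bit `nc`
    carries the constant term as the right-hand side."""
    cols = {}
    for e in eqs:
        for m in e:
            if m != ONE and m not in cols:
                cols[m] = len(cols)
    nc = len(cols)
    rows = []
    for e in eqs:
        r = 0
        for m in e:
            r |= 1 << (nc if m == ONE else cols[m])
        rows.append(r)
    return cols, rows

def rref(rows, nc):
    """Gaussian elimination over GF(2): returns {pivot column: fully reduced row}."""
    piv = {}
    for r in rows:
        for c, pr in piv.items():
            if r >> c & 1:
                r ^= pr
        if r & ((1 << nc) - 1) == 0:
            continue                                  # dependent row, nothing new
        c = (r & -r).bit_length() - 1                 # lowest set bit becomes the pivot
        for k in piv:
            if piv[k] >> c & 1:
                piv[k] ^= r
        piv[c] = r
    return piv

def recover_key(z, max_free=12):
    """Solve the linearised system; enumerate the monomials a rank defect leaves
    free and return the candidate key that regenerates the keystream."""
    cols, rows = linearize(equations(z))
    nc = len(cols)
    piv = rref(rows, nc)
    free = [c for c in range(nc) if c not in piv]
    if len(free) > max_free:
        raise ValueError("rank defect too large: %d free monomials" % len(free))
    keycols = [cols[frozenset([i])] for i in range(N)]
    for guess in range(1 << len(free)):
        sol = sum(1 << c for b, c in enumerate(free) if guess >> b & 1)
        for c, r in piv.items():                      # back-substitute each pivot
            sol |= ((r >> nc & 1) ^ (bin(r & sol).count("1") & 1)) << c
        key = [sol >> c & 1 for c in keycols]
        if keystream(key, len(z)) == z:
            return key, nc, len(free)
    return None

if __name__ == "__main__":
    true_key = [(0xACE1 >> i) & 1 for i in range(N)]  # constructed secret
    z = keystream(true_key, 300)                       # 300 known keystream bits
    key, unknowns, free = recover_key(z)
    print(key == true_key, unknowns, free)
```

The number of unknowns returned is the count of distinct monomials the quadratic equations actually touch (at most 16 linear plus 120 quadratic); with 300 keystream bits and three multipliers the system has 900 rows, comfortably more than that, which is the "very overdefined" situation the paper exploits.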

### References cited by this paper (with citation context)

- **Shannon (1949): Communication Theory of Secrecy Systems.** Context: "...paper from 1949, Claude E. Shannon states that breaking a good cipher should require 'as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type', see [29]. Extension to Stateful Combiners: It is important to see that our generalized attack scenario S5 applies potentially to all ciphers with linear feedback, even for filters with memory (and not only to ..."

- **Strassen (1969): Gaussian elimination is not optimal.** Context: "...in theory it is at most ω ≤ 2.376, see [6]. However the (neglected) constant factor in this algorithm is expected to be very big. The fastest practical algorithm we are aware of is Strassen's algorithm [25], which requires about 7·T^(log₂ 7) operations. Since our basic operations are over GF(2), we expect that a careful bitslice implementation of this algorithm on a modern C..."

- **Massey (1969): Shift-register synthesis and BCH decoding.** Context: "...ations can be obtained from some LFSR of length at most S and defined by α. We can also do the reverse: recover α from the sequence (LFSR synthesis). It can be done given 2S bits of the sequence, see [19, 21]. For this we choose a random key k′ (α does not depend on k), and we compute 2S output bits of this LFSR, c_t = Left(L^t(k′)) for t = 0 … 2S − 1. Then we apply the well known Berlekamp-..."
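The LFSR synthesis step referred to in that context (recover the recurrence from 2S output bits with the Berlekamp–Massey algorithm), as an added example in Python that is not code from the paper. The input is a constructed m-sequence of x^4 + x + 1 seeded with 1,0,0,0, so the expected result is L = 4 with connection polynomial 1 + x^3 + x^4 (coefficient list [1, 0, 0, 1, 1]); the same LFSR is already determined by the first 2L = 8 bits, which is Massey's bound.

```python
"""LFSR synthesis with Berlekamp-Massey over GF(2) (added example, not the paper's code)."""

def berlekamp_massey(seq):
    """Return (L, C) for the shortest LFSR generating `seq`.
    C = [1, c1, ..., cL] is the connection polynomial: for every j >= L,
    seq[j] = c1*seq[j-1] + ... + cL*seq[j-L] (mod 2)."""
    n = len(seq)
    c = [0] * (n + 1)                 # current connection polynomial
    b = [0] * (n + 1)                 # polynomial before the last length change
    c[0] = b[0] = 1
    L, m = 0, -1                      # m: index at which L last changed
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):     # discrepancy between LFSR prediction and data
            d ^= c[j] & seq[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):    # c(x) += x^shift * b(x)
            c[j + shift] ^= b[j]
        if 2 * L <= i:                    # the LFSR had to grow
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def lfsr_run(C, seed, length):
    """Regenerate `length` bits from the first L bits using connection polynomial C."""
    L = len(C) - 1
    out = list(seed[:L])
    while len(out) < length:
        bit = 0
        for j in range(1, L + 1):
            bit ^= C[j] & out[-j]
        out.append(bit)
    return out

def is_uniquely_determined(seq, L):
    """Massey's bound: 2L bits of the sequence pin down the minimal LFSR uniquely."""
    return 2 * L <= len(seq)

# constructed sample: two periods of the m-sequence of x^4 + x + 1 seeded with 1,0,0,0
SAMPLE = [1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1] * 2

if __name__ == "__main__":
    L, C = berlekamp_massey(SAMPLE)
    print(L, C, lfsr_run(C, SAMPLE, len(SAMPLE)) == SAMPLE)
```

The quadratic cost the paper mentions (O(S²) for Berlekamp–Massey against O(S log S) for the asymptotically fast variants) is visible in the nested loop over `j` inside the loop over `i`.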

- **Courtois, Pieprzyk (2002): Cryptanalysis of block ciphers with overdefined systems of equations.** Context: "...it can be seen that we obtain a design criterion that is basically identical to the notion of non-trivial equations defined in Section 2 of [8]. It is also very similar to the design criterion given in [10] for the S-boxes of block ciphers. Finally, it can also be seen as an interpretation of Shannon's prescription: in the famous paper from 1949, Claude E. Shannon states that breaking a good cipher shou..."

- **Brent, Gustavson et al. (1980): Fast solution of Toeplitz systems of equations and computation of Padé approximants.** Context: "...to recover α takes O(S²) computations using the Berlekamp–Massey algorithm, but it will take only O(S log S) operations using improved asymptotically fast versions of the Berlekamp–Massey algorithm, see [5, 14, 7]. However we do not know how fast these algorithms are for the concrete values of S used in this paper. How to Use α: We recall that the same linear dependency will be used (n choose e) times: ..."

- **Menezes, van Oorschot, Vanstone (1996): Handbook of Applied Cryptography.** Context: "...2.1 The Stream Ciphers that May be Attacked: We consider only synchronous stream ciphers, in which each state is generated from the previous state independently of the plaintext, see for example [18] for precise definitions. In principle also, we consider only regularly clocked stream ciphers, and also (it makes no difference) stream ciphers that are clocked in a known way. However this condition..."

- **Courtois (2003): Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt.** Context: "...approximation and that will be correlation immune with regard to a subset of several input bits, see for example [6]. Recently the scope of application of the correlation attacks has been extended. In [11], the author exploits rather correlation properties with regard to a non-linear low degree multivariate function that uses all of the variables, or in other words, non-linear low degree approximations..."

- **Anderson (1995): Searching for the Optimum Correlation Attack.** Context: "...that should be satisfied in order to resist the known attacks on stream ciphers. For example, a stream cipher should resist the fast correlation attack [16], the conditional correlation attack [1] and the inversion attack [14]. In order to resist different types of correlation attacks, many authors focused on proposing Boolean functions that will have no good linear approximation and that will..."

- **Strassen (1969): Gaussian elimination is not optimal** (second record, context from the extended version). Context: "...However the (neglected) constant factor in this algorithm is unknown to the authors of [7], and is expected to be very big. The fastest practical algorithm we are aware of is Strassen's algorithm [30], which requires about 7·T^(log₂ 7) operations. Since our basic operations are over GF(2), we expect that a careful bitslice implementation of this algorithm on a modern CPU can handle 64 such operations ..."

- **Dornstetter (1987): On the equivalence between Berlekamp's and Euclid's algorithms.** Context: the same passage on asymptotically fast versions of the Berlekamp–Massey algorithm quoted under Brent, Gustavson et al. above.

- **Courtois: The security of Hidden Field Equations.** Context: "...this paper will be possible. We may call this Scenario S5. It can be seen that we obtain a design criterion that is basically identical to the notion of non-trivial equations defined in Section 2 of [8]. It is also very similar to the design criterion given in [10] for the S-boxes of block ciphers. Finally, it can also be seen as an interpretation of Shannon's prescription: in the famous paper from ..."

- **Patarin (1995): Cryptanalysis of the Matsumoto and Imai Public Key Scheme.** Context: "...approximations. The method to reduce the degree of the equations is analogous to the method proposed by Courtois and Pieprzyk to attack some block ciphers [13], and the basic idea goes back to [12] and [23]. Instead of considering outputs as functions of inputs, one should rather study multivariate relations between the input and output bits. They turn out to have a substantially lower degree. In this p..."

- **Meier, Staffelbach (1989): Fast Correlation Attacks on Certain Stream Ciphers.** Context: "...In [14], Golić gives a set of criteria that should be satisfied in order to resist the known attacks on stream ciphers. For example, a stream cipher should resist the fast correlation attack [16], the conditional correlation attack [1] and the inversion attack [14]. In order to resist different types of correlation attacks, many authors focused on proposing Boolean functions that will have no..."

- **Coppersmith, Winograd (1990): Matrix multiplication via arithmetic progressions.** Context: "...About the Complexity of Gaussian Reduction: Let ω be the exponent of the Gaussian reduction, i.e. a linear system with T variables can be solved in time T^ω. In theory it is at most ω ≤ 2.376, see [7]. However the (neglected) constant factor in this algorithm is unknown to the authors of [7], and is expected to be very big. The fastest practical algorithm we are aware of is Strassen's algorithm [..."

- **Mihaljević, Imai (2002): Cryptanalysis of Toyocrypt-HS1 stream cipher.** Context: "...Toyocrypt is proposed, that requires only some 2^19 bits of the keystream. With more keystream, and if at least some 32 bits are consecutive, a better attack is possible, due to Mihaljević and Imai [19]. In this paper we show that algebraic attacks on stream ciphers will apply even if there is no good low degree approximation. We propose a new method of generating low degree equations, basically by ..."

- **Jönsson, Johansson (2002): A fast correlation attack on LILI-128.**

- **Blahut (1983): Theory and Practice of Error Control Codes.** Context: the same passage on asymptotically fast versions of the Berlekamp–Massey algorithm quoted under Brent, Gustavson et al. above.

- **Meier, Staffelbach: Nonlinearity criteria for cryptographic functions.**

- **Courtois, Klimov, Patarin, Shamir (2000): Efficient Algorithms for solving Overdefined** (title truncated as on the page). Context: "...remains also linear with respect to any other state, and given many keystream bits, we inevitably obtain a very overdefined system of equations. Then we may apply the XL algorithm from Eurocrypt 2000 [25], adapted for this purpose in [10], or the simple linearization as in [11], to efficiently solve the system. In the paper [11], the scope of algebraic attacks is substantially extended, by showing new..."

- **Sarkar (2002): The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers.** Context: "...Algebraic attacks open multiple avenues for further research (see also the generalisations below). Recently, a filter combiner model for memoryless synchronous stream ciphers has been proposed in [23]. This model allows for more freedom to simultaneously satisfy various design criteria (e.g., correlation attacks and inversion attacks can be avoided by a suitable choice of parameters). However, thi..."

- **Armknecht, Krause: Algebraic Attacks on Combiners with Memory.** Context: "...that such attacks should not exist, and in fact they do exist for some real stream ciphers with a stateful combiner, for example for the Bluetooth keystream generator E0, as shown by Frederik Armknecht [2, 3]. Probabilistic Version: Our general attack S5 will also have a probabilistic version. S5: There exists a non-trivial multivariate relation of low degree that relates (only) the key bits and several ou..."

- **Golić: On the Security of Nonlinear Filter** (title truncated as on the page). Context: "...period, usually composed of one or several LFSRs, and a nonlinear combiner that produces the output, given the state of the linear part. The security of such stream ciphers received much attention. In [14], Golić gives a set of criteria that should be satisfied in order to resist the known attacks on stream ciphers. For example, a stream cipher should resist the fast correlation attack [16], the ..."

- **Biryukov, Shamir (2000): Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers.** Context: "...er the key. Details are given in Appendix A. Comparison with Other Attacks: This attack is much better than the general purpose time/memory/data tradeoff attack described by Shamir and Biryukov in [24], which, given the same number of keystream bits, about 2^17, will require about 2^111 computations (in the precomputation phase). Our attack is also always better than the Mihaljević and Imai attack from ..."

- **Rueppel (1986): Analysis and Design of Stream Ciphers.**

- **Armknecht (2003): A Linearization Attack on the Bluetooth Key Stream Generator, available at http://eprint.iacr.org/2002/191.** Context: the same passage on the Bluetooth keystream generator E0 quoted under Armknecht, Krause above.

- **Babbage (2001): Cryptanalysis of LILI-128, Nessie project internal report, available at https://www.cosic.esat.kuleuven.ac.be/nessie/reports.** Context: "...the first LFSR exactly 5·2^38 − 1 times, exactly as if the first generator did not exist. Thus instead of guessing the state of the clock control subsystem we clock it 2^39 − 1 at a time and apply the simple linearization S1-type attack with D = 6 and ε = 0. Now the compl..." (footnote: "This simple attack has already been described by Steve Babbage in [4].")

- **Golić (1996): Fast low order approximation of cryptographic functions.** Context: "...regard to a non-linear low degree multivariate function that uses all of the variables, or in other words, non-linear low degree approximations. This kind of correlation is not new, see for example [15]. However its application to cryptographic attacks did not receive sufficient attention, probably because only recently people became aware of the existence of efficient algorithms for solving syste..."

- **Meier, Pasalic, Carlet (2004): Algebraic Attacks and Decomposition of Boolean Functions, Eurocrypt 2004.**

- **Camion, Carlet, Charpin, Sendrier: On Correlation-immune Functions.** Context: "...many authors focused on proposing Boolean functions that will have no good linear approximation and that will be correlation immune with regard to a subset of several input bits, see for example [6]. Recently the scope of application of the correlation attacks has been extended. In [11], the author exploits rather correlation properties with regard to a non-linear low degree multivariate functi..."

- **Courtois, Klimov, Patarin, Shamir (2000): Efficient Algorithms for solving Overdefined** (second record; title truncated as on the page). Context: "...or many other states, and given many keystream bits, we inevitably obtain a very overdefined system of equations (i.e. many equations). Such systems can be solved efficiently by techniques such as XL [25, 9], adapted for this purpose in [11], or the simple linearization [25]. In [11], the equations of low degree are obtained by approximating the non-linear component f of the cipher by a function of low de..."

- **Armknecht (2002): A Linearization Attack on the Bluetooth Key Stream Generator** (second record). Context: "...in this paper will be possible. It is important to see that this attack scenario (that could be called S5) applies potentially to all ciphers with linear feedback, even for filters with memory, see [2, 11], and not only to ciphers using stateless Boolean functions. We obtain a design criterion that is basically identical to the notion of nontrivial equations defined in Section 2 of [7]. It is also ver..."

- **Bluetooth SIG: Specification of the Bluetooth system, Version 1.1, February 22, 2001, available from www.bluetooth.com.** Context: "...input bits, see for example [9]. Unfortunately there is a tradeoff between these two properties. One of the proposed remedies is to use a stateful combiner, as for example in the Bluetooth cipher E0 [6]. Recently the scope of application of the correlation attacks has been extended to consider higher degree correlation attacks with respect to non-linear low degree multivaria..."

- **Golić, Morgari (2002): Linear Cryptanalysis of** (title truncated as on the page). Context: "...the secret key can be computed in about O(2^49) CPU clocks and with about 2^37 bits of memory. Note: in the real-life implementation of the Bluetooth cipher, at most about 2745 ≈ 2^11 bits can be obtained, see [17, 6]. However this attack shows that the design of E0 is not (cryptographically) very good. It is possible that even a real-life application of E0 will be broken by our attack, if some other equations wit..."

- **Biham (1997): A Fast New DES Implementation.**

- **Courtois, Patarin: About the XL Algorithm over** (title truncated as on the page). Context: the same passage on XL and linearization quoted under the second Courtois, Klimov, Patarin, Shamir record above.

- **Sarkar, Maitra: Nonlinearity Bounds and Constructions of Resilient Boolean Functions.** Context: "...The Boolean Function Used in LILI-128: We call f the output filtering function of LILI-128 (called f_d in [26]). It is a highly nonlinear Boolean function of degree 6, with 10 variables, built following the paper [22]. It uses a subset of 10 variables: (x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) := (s0, s1, s3, s7, s12, s20, s30, s44, s65, s80). We computed the algebraic normal form (ANF) of this LILI-128 functi..."

- **Sarkar, Maitra: Nonlinearity Bounds and Constructions of Resilient Boolean Functions** (second record). Context: "...The Boolean Function Used in LILI-128: We call f the output function of LILI-128 (called f_d in [22]). It is a highly nonlinear Boolean function of degree 6, built following [20] and specified in [22] or the extended version of this paper. It uses a subset of 10 variables: (x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) := (s0, s1, s3, s7, s12, s20, s30, s44, s65, s80). 4.2 First Attacks on LILI..."

- **Simpson, Dawson et al. (2000): LILI-128 specification, available at www.isrc.qut.edu.au/lili.** Context: "...ity would be multiplied by some quantities, being both smaller than 2^39. The Boolean Function Used in LILI-128: We call f the output function of LILI-128 (called f_d in [22]). It is a highly nonlinear Boolean function of degree 6, built following [20] and specified in [22] or the extended version of this paper. It uses a subset of 10 variables: (x1, x2, x3, x4, x5, x6, x7, x8, x..."

- **Courtois, Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003, extended version (September 4, 2008), © IACR.** Context (Appendix A, Computer Simulations): "Algebraic attacks may be controversial, because in most cases, all the equations generated are not linearly independent. In the algebraic attack on block ciphers proposed i..."

- **Armknecht, Krause (2003): Algebraic Attacks on Combiners with Memory** (second record). Context: "...Such an equation of type K^4 ∪ B^2K^3, combining only 4 successive states and eliminating all the state bits, has been found by careful study of the cipher and successive elimination done by hand in [1, 2]. In this equation we have d = 4 and e = 3. Our simulations confirmed that this equation exists, and is always true. We also found that it was unique (when combining only 4 consecutive states). 3.2 Su..."

- **Löhlein: Attacks based on Conditional Correlations against the Nonlinear Filter Generator, available at http://eprint.iacr.org/2003/020.** Context: "...unexpectedly fast method as in the present paper. The idea itself can be seen as a higher-degree generalisation of the concept of 'augmented function' proposed by Anderson in [3] and recently exploited in [18]. It is also yet another application in cryptography of looking for multivariate relations of low degree, the main method for attacking numerous multivariate asymmetric schemes [12, 23], and recently pro..."