Algebraic Attacks on Combiners with Memory
Recently, algebraic attacks were proposed to attack several cryptosystems, e.g. AES, LILI-128 and Toyocrypt. This paper extends the use of algebraic attacks to combiners with memory. A (k,l)-combiner consists of k parallel linear feedback shift registers (LFSRs), and the nonlinear filtering is done via a finite automaton with k input bits and l memory bits. It is shown that for (k,l)-combiners, nontrivial canceling relations of degree at most ⌈k(l+1)/2⌉ exist. This makes algebraic attacks possible. Also, a general method is presented to check for such relations with an even lower degree. This allows to show the invulnerability of certain (k,l)-combiners against this kind of algebraic attacks. On the other hand, this can also be used as a tool to find improved algebraic attacks.
Inspired by this method, the E 0 keystream generator from the Bluetooth standard is analyzed. As it turns out, a secret key can be recovered by solving a system of linear equations with 223.07 unknowns. To our knowledge, this is the best published attack on the E 0 keystream generator yet.
KeywordsBoolean Function Block Cipher Stream Cipher Algebraic Attack Ordered Binary Decision Diagram
- 1.Bluetooth SIG, Specification of the Bluetooth system, Version 1.1, 1 February 22 (2001), available at http://www.bluetooth.com/
- 2.Courtois, N.: Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003), An updated version is available at http://eprint.iacr.org/2002/087
- 4.Courtois, N.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback, these proceedingsGoogle Scholar
- 6.Courtois, N.: Personal communication (2003)Google Scholar
- 9.Rueppel, R.A.: Stream Ciphers. In: Simmons, G. (ed.) Contemporary Cryptology: The Science of Information Integrity. IEEE Press, New York (1991)Google Scholar
- 10.Shamir, A., Kipnis, A.: Cryptanalysis of the HFE Public Key Cryptosystem. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)Google Scholar