Crossword Puzzle Attack on NLS
NLS is one of the stream ciphers submitted to the eSTREAM project. We present a distinguishing attack on NLS by Crossword Puzzle (CP) attack method which is introduced in this paper. We build the distinguisher by using linear approximations of both the non-linear feedback shift register (NFSR) and the nonlinear filter function (NLF). Since the bias of the distinguisher depends on the Konst value, which is a key-dependent word, we present the graph showing how the bias of distinguisher vary with Konst. In result, we estimate the bias of the distinguisher to be around O(2− 30). Therefore, we claim that NLS is distinguishable from truly random cipher after observing O(260) keystream words. The experiments also show that our distinguishing attack is successful on 90.3% of Konst among 232 possible values. We extend the CP attack to NLSv2 which is a tweaked version of NLS. In result, we build a distinguisher which has the bias of around 2− 48. Even though this attack is below the eSTREAM criteria (2− 40), the security margin of NLSv2 seems to be too low.
KeywordsDistinguishing Attacks Crossword Puzzle Attack Stream Ciphers Linear Approximations eSTREAM Modular Addition NLS NLSv2
- 1.eSTREAM project. http://www.ecrypt.eu.org/stream/
- 2.Cho, J.Y., Pieprzyk, J.: Linear distinguishing attack on NLS. In: SASC 2006 workshop (2006)Google Scholar
- 4.Hawkes, P., Paddon, M., Rose, G., de Vries, M.W.: Primitive specification for NLS (April 2005), http://www.ecrypt.eu.org/stream/nls.html
- 5.Hawkes, P., Paddon, M., Rose, G., de Vries, M.W.: Primitive specification for NLSv2 (March 2006), http://www.ecrypt.eu.org/stream/nls.html
- 6.Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)Google Scholar