Algebraic Attacks on Combiners with Memory and Several Outputs
نویسنده
چکیده
Algebraic attacks on stream ciphers [9] recover the key by solving an overdefined system of multivariate equations. Such attacks can break several interesting cases of LFSR-based stream ciphers, when the output is obtained by a Boolean function, see [9– 11]. Recently this approach has been successfully extended also to combiners with memory, provided the number of memory bits is small, see [1, 11, 2]. In [2] it is shown that, for ciphers built with LFSRs and an arbitrary combiner using a subset of k LFSR state bits, and with l state/memory bits, a polynomial attack always do exist when k and l are fixed. Yet this attack becomes very quickly impractical: already when k and l exceed about 4. In this paper we give a much simpler proof of this result from [2], and prove a more general theorem. We show that much better algebraic attacks exist for ciphers that (in order to be fast) output several bits at a time. In practice our result substantially reduces the complexity of the best attack known on three well known constructions of stream ciphers when the number of outputs is increased. We present attacks on modified versions of Snow, E0 and LILI-128 that are apparently the fastest known.
منابع مشابه
Algebraic Attacks on Combiners with Memory
Recently, algebraic attacks were proposed to attack several cryptosystems, e.g. AES, LILI-128 and Toyocrypt. This paper extends the use of algebraic attacks to combiners with memory. A (k, l)-combiner consists of k parallel linear feedback shift registers (LFSRs), and the nonlinear filtering is done via a finite automaton with k input bits and l memory bits. It is shown that for (k, l)-combiner...
متن کاملAlgebraic attacks on certain stream ciphers
To encrypt data streams of arbitrary lengths, keystream generators are used in modern cryptography which transform a secret initial value, called the key, into a long sequence of seemingly random bits. Many designs are based on linear feedback shift registers (LFSRs), which can be constructed in such a way that the output stream has optimal statistical and periodical properties and which can be...
متن کاملDesign Principles for Combiners with Memory
Stream ciphers are widely used for online-encryption of arbitrarily long data, for example when transmitting speech-data between a mobile phone and a base station. An important class of stream ciphers are combiners with memory, with the E0 generator from the Bluetooth standard for wireless communication being their most prominent example. In this paper, we develop design principles for increasi...
متن کاملStrengthening the E0 Keystream Generator against Correlation Attacks and Algebraic Attacks
Stream ciphers are widely used for online-encryption of arbitrarily long data. An important class of stream ciphers are combiners with memory, with the E0 generator from the Bluetooth standard for wireless communication [2] being their most prominent example. E0 consists of 4 driving devices, a finite state machine (FSM) C with a 4 bit state, an output function f and a memory update function δ....
متن کاملAlgebraic Attacks and Annihilators
Algebraic attacks on block ciphers and stream ciphers have gained more and more attention in cryptography. Their idea is to express a cipher by a system of equations whose solution reveals the secret key. The complexity of an algebraic attack generally increases with the degree of the equations. Hence, low-degree equations are crucial for the efficiency of algebraic attacks. In the case of simp...
متن کامل