Content uploaded by Olivier Ruatta
Author content
All content in this area was uploaded by Olivier Ruatta
Content may be subject to copyright.
,
Boolean Functions: Cryptography and Applications BFCA’07
Fonctions Bool´eennes : Cryptographie & Applications
IMPROVED ALGORITHM TO FIND EQUATIONS
FOR ALGEBRAIC ATTACKS FOR COMBINERS
WITH MEMORY
Frederik Armknecht1, Pierre-Louis Cayrel2, Philippe Gaborit2
and Olivier Ruatta2
1NEC Europe Ltd. Network Laboratories
Kurfrsten-Anlage 36
D-69115 Heidelberg
phone +49 6221 4342 169
fax +49 6221 4342 155
email: Frederik.Armknecht@netlab.nec.de
2Universit´e de Limoges, XLIM-DMI,
123, Av. Albert Thomas
87000 Limoges, France
phone (33) 05 55 45 73 10
phone (33) 05 55 45 72 25
fax (33) 05 55 45 73 22
email: {pierre-louis.cayrel,philippe.gaborit,olivier.ruatta}@xlim.fr
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
2
Abstract. Algebraic attacks have established as an impor-
tant tool for cryptanalyzing LFSR-based keystream genera-
tors. Crucial for an efficient attack is to find appropriate
equations of a degree as low as possible. Hereby, lower
degrees are possible if many keystream bits are involved
in one equation. An example is the keystream generator
E0employed in Bluetooth, where equations of degree 4 ex-
ist for r= 4 and 5 clocks but equations of degree 3 for
r≈8,822,188. The existence of degree 3 equations with
5< r 8,822,188 clocks remained an open question.
It is known that valid equations correspond to annihila-
tors of certain sets. The effort to compute the sets and to
find annihilators on them are exponential in r, making effi-
cient algorithms desirable. Most algorithms proposed so far
used normal Gaussian elimination which has a cubic com-
plexity. The only exception is the algorithm proposed re-
cently in [3] which is quadratic.
The results of this paper are as follows. First, we describe
several improvements for computing the sets and their anni-
hilators (the intersection method). Second, we use our new
improvements to exclude the existence of degree 3 equations
for E0with 5 < r ≤9, which are the best results so far on
the non-existence of low degree equations for E0. We also
find new degree 4 annihilators which permit to reduce the
number of bits of stream needed for the attack from 223 to
221.
Keywords: Algebraic attacks, low degree equations, an-
nihilators, algorithm
1. Introduction
Shortly speaking, an algebraic attacks consists in generating and solv-
ing a system of (non-)linear equations which describe implicitly the secret
key in dependence on known values. In the case of keystream genera-
tors, this involves the known keystream bits. Stream ciphers are designed
for online encryption of secret plaintext bitstreams which have to pass
an insecure channel. Widely used in practice are stream ciphers are
keystream generators based on linear feedback shift registers (LFSR), a
prominent example being the E0keystream generator used in the Blue-
tooth standard for wireless communications [4]. Before exchanging data,
the keystream generator is initialized with some secret value S0∈ {0,1}n
on which both sender and receiver have to agree on. To encrypt a stream
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
3
of plaintext bits p0, p1, . . ., the keystream generator is used to generate a
bitstream z0, z1, . . . of the same length. Both streams are XORed bit by
bit, giving the cipher text bits ct:= pt⊕zt. The bits ctare send to the
receiver, who knows the secret initialization value of the keystream gen-
erator and therefore can produce the same keystream bits ztto decrypt
the message by pt=ct⊕zt.
To evaluate the security, it is assumed that a potential adversary
knows the specifications of the keystream generator and some of the
keystream bits zt. An attack is to recover the value of S0using the
given information. Over the last years, several kind of attacks have
been invented (e.g., fast correlation attacks [6,14,15, 21], backtracking
attacks [12,13,24,25], time-memory tradeoffs [5], BDD-based attacks [16]
etc.). All have in common that the attack complexity is exponential in
the key size n.
Recently, a new kind of attack was proposed: algebraic attack. For
some ciphers, algebraic attacks outmatched all previously known attacks
(e.g. [1,9]). The basic idea is to generate a system of equations with its so-
lution being the secret key. Although solving system of non-linear equa-
tions over finite fields is a NP-hard problem, in this case the equations
have some particular properties. Each equation provides some informa-
tion on the secret key depending on rsuccessive known keystream bits
zt, . . . , zt+r−1and the degree is upper bounded by some value dwhich is
independent of n. If the number of linearly independent equations is high
enough, an attack can be performed within O(n3d) operations. Observe
that, despite to the other attacks, the complexity is only polynomial in
nbut exponential in d.
Thus, one of the major topics in the context of algebraic attacks is
the search for low degree equations. Whereas the general existence of
such equations has been proven in [1], only few is known on how to
find (or avoid) equations of a degree d. For example, in the case of E0,
an equation of degree 4 over r= 4 clocks has been developed in [1],
what led to fastest attack at this time. Later, in [7], these equations
were combined to derive a new equation of degree 3 over r≈8,882,198
clocks, what reduced the time effort by several magnitudes. As far as
we know, algebraic attacks are still the fastest attacks on stand-alone
E0.1Furthermore, these results show the possibility that for r > 4,
equations with an degree <3 may exist. This is particulary interesting
as equations of degree 2 or 1 would lead to practical attacks. Whereas
it has been confirmed that no equations of degree <4 exist for E0for
r≤5, to the best of our knowledge, no results exist for r≥6.
So far, all methods published to find all (or exclude the existence
of) degree dequations are based on computing annihilators of certain
1Faster attacks on Bluetooth have been described in [17–19] but they rely on the
linearity of the key schedule of the Bluetooth encryption system.
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
4ARMKNECHT, CAYREL, GABORIT AND RUATTA
sets (see [1,20] and for a general framework [2]). However, as the genera-
tion of these sets and thus the effort for computing the annihilators grow
exponentially with r, efficient algorithms for both steps are crucial. Nor-
mally, finding annihilators is done by Gaussian elimination. Recently, an
improved algorithm was proposed in [3] which reduced the complexity
of the Gaussian elimination in these cases from cubic to quadratic, al-
lowing the computation of the algebraic immunity for Boolean functions
with more variables than it was possible before. Unfortunately, it is dif-
ficult to achieve this complexity in practice and requires a sophisticated
memory management.
Our results are the following. First, we describe how to compute
a basis of all low degree equations over rclocks and present several
improvements on the way to construct the set XZintroduced in [2] and
on the way to prove the non existence of certain low degree annihilators.
Then, we give some experimental results on the non existence of low
degree equations of degree three for E0for a number of cloks between 5
and 9.
The paper is structured as follows. After explaining algebraic attacks
and the connection betweem equations and annihilators in Section 2, we
describe how to compute the corresponding sets and some improvements
in Sections 3 and 4. Depending on a given secret information x∗∈
{0,1}n, the stream cipher produces a keystream Z(x∗) = (z1, z2,· · · )
which is bitwise XORed with E. Knowing x∗, the decryption can be
performed by using the same rule. It is common to evaluate the security
of a stream cipher relative to the pessimistic scenario that an attacker
has access not only to the encrypted bitstream, but even to a sufficiently
long piece of keystream. Thus, the cryptanalysis problem of a given
stream cipher consists in computing the secret information x∗from a
sufficiently long prefix of Z(x∗).
We call a stream cipher LFSR-based, if it consists of a certain num-
ber kof linear feedback shift registers (LFSRs) and an additional device,
called the nonlinear combiner, which transforms the internal linear bit-
stream, produced by the LFSRs, into a nonlinear output keystream.
Because of the simplicity of LFSRs and the excellent statistical proper-
ties of bitstreams produced by well-chosen LFSRs, LFSR-based stream
ciphers are widely used in practice. A lot of different nontrivial ap-
proaches to the cryptanalysis of LFSR-based stream ciphers (fast cor-
relation attacks, backtracking attacks, time-space tradeoffs, BDD-based
attacks etc.) were discussed in the relevant literature, and a lot of corre-
sponding design criterions (correlation immunity, large period and linear
complexity, good local statistics etc.) for such stream ciphers were de-
veloped.
A (k, l)-combiner consists of kLFSRs and a finite Mealy automaton
with kinput bits, one output bit and lmemory bits. Let nbe the sum
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
5
—————————————————
-
-
6
-
7
SSS
Sw
-
--
-
Memory
LFSRs
C
Xtzt
(Z, C)
Ct+1
Ct
Z
—————————————————
Figure 1. A (k, l)-combiner
of the lengths of the kLFSRs. Starting from a secret initial assignment
x∗∈ {0,1}n, the LFSRs produce an internal linear bitstream L(x∗),
built by blocks xtof kparallel bits for each clock t. Starting from a
secret initial assignment c1∈ {0,1}lto the memory bits, in each clock
tthe automaton produces the t-th keystream bit ztcorresponding to xt
and ctand changes the inner state to ct+1 (see figure 1). The secret
information is given by x∗and c1. Numerous ciphers of this type are
used in practice. Note, e.g., that the E0keystream generator used in
the Bluetooth wireless LAN system (see Bluetooth SIG (2001) [4]) is a
(4,4)-combiner.
The aim of this paper is to analyze the security of (k, l)-combiners
with respect to algebraic attacks, a new method for attacking stream and
block ciphers. Algebraic attacks exist against AES and Serpent (Courtois
and Pieprzyk (2002) [8]) and Toyocrypt (Courtois (2003) [9]). Related
algebraic attacks were used to attack the HFE public key cryptosystem
(Courtois (2002) [8]).
Courtois and Meier (2003) discussed algebraic attacks on general
LFSR-based stream ciphers and presented the best known attacks on
Toyocrypt and LILI-128 so far [9]. Very recently, Courtois introduced
fast algebraic attacks on LFSR-based stream ciphers, an improved ver-
sion of the algebraic attacks (Courtois (2003) [7]).
An algebraic attack is based on a nontrivial low degree relation pfor
rclocks, i.e. a relation which holds for any sequence of rconsecutive
bits of the keystream and the corresponding kr internal bits. Given such
a relation pof small degree dand a sufficiently long piece of a keystream
Z(x∗, c1), pcan be used to produce an overdefined system of Tnonlinear
equations in the initial bits of the LFSRs, which can be thought of as
system of linear equations in the monomials of length at most d. If Tis
large enough then we get a unique solution which is induced by x∗, and
from which x∗can be derived in a straightforward way.
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
6ARMKNECHT, CAYREL, GABORIT AND RUATTA
2. Algebraic attacks and annihilators
In this section, we describe basic ideas of algebraic attacks on keystream
generators and the connection between valid equations and annihilators
of given sets. Hereby, an annihilator of a set X⊆Fn
2with F2being the
finite field with two elements is defined to be a function g:Fn
2→F2with
g(x) = 0 for all x∈X. First of all, we define (k , `)-combiners which is
the class of keystream generators we are dealing with:
Definition 2.1. A (k , `)-combiner with k≥1 and `≥0 consists of an
internal state S ∈ F`
2×Fn
2, a regular matrix Lover F2of size n×n,
called the LFSR feedback matrix, a (projection) matrix Pover F2of size
n×ka non-linear next memory state function Ψ : F`
2×Fk
2→F`
2and an
output function f:F`
2×Fk
2→F2.
One example for a practically used (k, `)-combiner is the E0keystream
generator from the Bluetooth standard, which is a (4,4)-combiner with
n= 128.
The generation of the keystream works as follows. First, the internal
state Sis initialized to S0:= (Q0, K)∈F`
2×Fn
2where K∈Fn
2is the
LFSRs initial state and the register of Q0∈F`
2is called the memory.
The content of the LFSRs is updated by a linear function, here denoted
by the matrix L. In many cases, only some of the LFSRs’ outputs are
used for the computation of the actual keystream bit and the next state
of the memory register. This is expressed by the projection matrix P
and means that only the values in Kt:= K·Lt·Pare involved in the
computations at clock t. The memory is updated via Qt+1 := Ψ(Qt, Kt),
whereas the keystream bit ztis computed by zt=f(Qt, Kt).
Obviously, the values of the keystream bits zt, . . . , zt+idepend only
on Qtand Kt, . . . , Kt+i. We express this fact by defining the extended
output function fr(Qt, Kt, . . . , Kt+r−1) = (zt, . . . , zt+i). More formally,
it holds that
fr(Qt, Kt, . . . , Kt+i)=(f(Qt, Kt), f (Qt+1, Kt+1), . . . ,
f(Qt+r−1, Kt+r−1))
with Qi+1 = Ψ(Qi, Ki). An algebraic attack is based on finding
functions F1, . . . , Fs:Fk·r
2×Fr
2→F2such that
Fi(Kt, . . . , Kt+r−1, zt, . . . , zt+r−1) = 0 (1)
is true for all clocks t≥0 and 1 ≤i≤s. Given such functions, a system
of equation can be generated by
F(Kti, . . . , Kti+r−1, zti, . . . , zti+r−1) = 0
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
7
where zti, . . . , zti+r−1denote rsuccessive known keystream bits. If
enough equations are given, the LFSRs initial state Kis uniquely de-
termined and can be found by solving the system of equation. Once
Kis known, Q0can usually be reconstructed quite easily or found by
exhaustive search. Thus, we refer to Kas the secret key and call nthe
key size.
To compute the solution, the so-called linearization method is pos-
sible. Given that each of the equations has a degree ≤dwith d=
maxi{degKt,...,Kt+r−1(Fi)}being independent of n, the number of in-
volved monomials is upper bounded by µ(n, d) := n
0+. . . +n
d. If
the number of linearly independent equations equals the number of oc-
curring monomials, a solution can be computed by Gaussian elimina-
tion where each monomial is treated like an independent variable. As
µ(n, d)∈O(nd), the overall complexity is in O(n3d), that is polynomial
in the key size nbut exponential in d.
Thus, it is preferable to compose the system of equations with lin-
early independent equations of a degree as low as possible. In par-
ticular, for known zt+r−1
t:= (zt, . . . , zt+r−1) and corresponding un-
known Kt+r−1
t:= (Kt, . . . , Kt+r−1), one would like avoid the case that
F1(Kt+r−1
t, zt+r−1
t), . . . , Fs(Kt+r−1
t, zt+r−1
t) are linearly dependent and
to exclude those expressions Fi(Kt+r−1
t, zt+r−1
t) which have not the min-
imal degree. Therefore, to be sure that one uses only linearly indepen-
dent equations of the minimal degree for any choice of zt+r−1
t, it is advis-
able to derive equations for each possible value of zt+r−1
tindependently.
This leads to the notion of Z-functions:
Definition 2.2. Fix a (k, `)-combiner and Z∈Fr
2. A function F:
Fr·k
2→F2is called a Z-function if whenever a part zt+r−1
t:= (zt, . . . , zt+r−1)
of the keystream is equal to Z, then F(Kt, . . . , Kt+r−1) = 0 is valid.
More formally, it must hold:
∀t:zt+r−1
t=Z⇒F(Kt, . . . , Kt+r−1) = 0.
If an adversary knows (for a fixed integer r), Z-functions
FZ,1, . . . , FZ,sZfor each Z∈Fr
2, then we can set up the following system
of equations:
0 = F(zti+r−1
ti,j)(Kti, . . . , Kti+r−1),1≤j≤sZ
where zti+r−1
tidenote as usual a sequence of rknown keystream bits
starting from clock ti. More on Z-functions and a concrete example can
be found in the appendix, Section A.
Of course, this arises the question on how to find a basis of Z-
functions of minimal degree for any Z∈Fr
2for a given (k, `)-combiner
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
8ARMKNECHT, CAYREL, GABORIT AND RUATTA
and a fixed value of r. For this purpose, the following theorem comes in
handy. The proof is rather easy and can be found for example in [2].
Theorem 2.3. Let a (k, `)-combiner be given and frits extended output
function. Then, a function F:Fr·k
2→F2is a Z-function with Z∈Fr
2
if and only if Fis an annihilator of the set
XZ:= {(X1, . . . , Xr)∈Fr·k
2| ∃Q∈F`
2:fr(Q, X1, . . . , Xr) = Z}.(2)
If an adversary observes the values zt+r−1
t= (zt, . . . , zt+r−1) of rsuc-
cessive keystream bits, then he knows that (Kt, . . . , Kt+r−1)∈Xzt+r−1
t
what can be expressed by Fzt+r−1
t(Kt, . . . , Kt+r−1) = 0.
Summing up, a general method to find a basis of linearly independent
Z-functions for a given (k, `)-combiners is to first generate the sets XZ
and then to compute a basis of annihilators on them with the minimum
degree.2In the next section, we will first examine the step of computing
the sets XZand propose several improvements. Afterwards, we will turn
our attention to the task of computing annihilators of a given set and
discuss several enhancements, including a new quadratic time algorithm
that replaces the Gaussian elimination step in previous algorithms and
can be implemented easily.
Before we proceed, we want to point out that a similar approach is
possible to derive implicit equations for S-boxes used in block ciphers.
Such equations were important in the still controversial but nontheless
influential attacks on AES presented in [8]. Thus, any improvements in
computing annihilators are of independent interest in this area and may
help to check S-boxes with larger input/output-sizes.
3. Computing the sets XZ
In this section, we consider the question how to compute the set
XZfor a given (k, `)-combiner and a fixed value Z∈Fr
2. One possi-
bility is to do exhaustive search. That is, compute for all possibilities
(Q, X1, . . . , Xr)∈F`+r·k
2the value Z0=f(Q, X1, . . . , Xr) and keep those
values (X1, . . . , Xr) with Z0=Z. The main effort here is O(2k·r+`) eval-
uations of fr. Of course, if Z06=Z, it is not necessary to waste this in-
formation as it implies that (X1, . . . , Xr)∈XZ0. Thus, one can compute
all 2rpossible sets XZat the same time by computing the outputs of
fr(Q, X1, . . . , Xr) and sorting (X1, . . . , Xr) regarding the output. How-
ever, as 2rdifferent sets XZexist, handling these sets simultanously resp.
storing them into memory or on hard disk causes additional problems
2Actually, in some cases more direct methods exist to find valid equations (e.g.,
[1, 7, 9]) but these are not applicable in general and do not guarantee that one has
found all equations with the lowest possible degree.
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
9
with increasing r. Thus, for large values of r, e.g. r≥10, one might
prefer to generate the sets XZindependently, meaning that only those
values are stored with the correct output, or even to compute these in
the same time the annihilators are computed.
In some cases, the effort can be reduced somewhat by exploiting the
structure of the (k, `)-combiner. For example, the functions fand Ψ of
E0depend only on the hamming weight of the inputs Xtbut not the con-
crete values. More precisely, it holds that for all X1, . . . , Xr, Y1, . . . , Yr∈
F4
2with |Xi|=|Yi|, where |.|is the Hamming weight, that fr(Q, X1, . . . , Xr) =
fr(Q, Y1, . . . , Yr) for all Q∈F4
2.
Thus, it suffices to consider only the Hamming weights of the inputs,
reducing the number of possible inputs from 16 ·16rpossible values
(Q, X1, . . . , Xr)∈F4
2×F4·r
2to 16·5rpossible values (Q, |X1|, . . . , |Xr|)∈
F4
2× {0, . . . , 4}r, reducing the number of invocations of fraccordingly.
Independent of this, one can reduce the number of invocations of f
by a kind of divide-and-conquer approach. Herefore, exploit the simple
observation that if an input (X1, . . . , Xr)∈Fk·r
2cannot lead to a specific
out Z∈Fr
2, i.e. (X1, . . . , Xr)6∈ XZ, then none of the possible extensions
(X1, . . . , Xr, Xr+1, . . . , Xs) can lead to any of the outputs Z||Z0∈Fs
2
with Z0∈Fs−r
2and Z||Z0being the concatenation of Zand Z0.
To formalize this, we introduce some more identifiers. The extended
update functions Ψr:F`
2×Fr·k
2→F`
2is defined by Qr+1 := Ψr(Q1, X1, . . . , Xr)
where Qt+1 := Ψ(Qt, Xt). That is Ψrcan be seen as the r-times ap-
plication of Ψ on the inputs Q1, X1, . . . , Xr. For example, for r= 2, it
holds that
ˆ
Ψ(Q1, X1, X2) = Ψ(Ψ(Q1, X1), X2).
Definition 3.1. Let a (k, `)-combiner be given and Z∈Fr
2and Q∈F`
2
be fixed. We introduce the three following sets:
XQ,Z := {(X1, . . . , Xr)|fr(Q, X1, . . . , Xr) = Z}(3)
XZ,Q0:= {(X1, . . . , Xr)| ∃Q:fr(Q, X1, . . . , Xr) = Z
and Ψr(Q, X1, . . . , Xr) = Q0}(4)
XQ,Z,Q0:= {(X1, . . . , Xr)|f(Q, X1, . . . , Xr) = Z
and Ψr(Q, X1, . . . , Xr) = Q0}(5)
These three sets specify again a (sub-)set of all inputs which can
lead to the fixed output Z. The difference to XZis that additional
conditions are imposed. For example, for the elements in XQ,Z it is
required that they lead to the output Zif the memory register is set
to Qat the beginning of the computations. Similarly, for XQ,Z,Q0it is
recommended that the memory state is equal to Qat the beginning and
equal to Q0after the computations and that the output is Z.
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
10 ARMKNECHT, CAYREL, GABORIT AND RUATTA
The sets XQ,Z ,XZ,Q0and XQ,Z,Q0can be used to compute the sets
XZiteratively:
Theorem 3.2. Consider an arbitrary (k, `)-combiner. Then, it holds
for all values Q, Q0∈F`
2,Z∈Fr
2and Z0∈Fs
2:
XZ=[
Q
XQ,Z =[
Q
XZ,Q, XQ,Z ||Z0=[
Q0
XQ,Z,Q0×XQ0,Z0,
XZ||Z0=[
Q
XZ,Q ×XQ,Z0, XZ||Z0,Q0=[
Q
XZ,Q ×XQ,Z0,Q0.
The last equation is important as it implies an iterative way to com-
pute XZfor Z∈Fr
2for big values of r. Let for example Z∈Fr
2and
Z0∈Fr0
2, then instead of computing XZ||Z0directly with 2k·(r+r0)invoc-
tations of fr+r0, one can compute the sets XZ,Q and XQ,Z0independetly
with 2k·rexecutions of frand 2k·r0executions of fr0, respectively. Thus,
if r=r0, we reduced the effort from 2k·2rinvocations of f2rto 2 ·2k·rin-
vocations of fr. Of course, one can reduce the effort further by dividing
Zinto smaller parts.
4. Computing annihilators - the intersection method
Whereas the computations of the sets XZis still doable for average
values of r, the calculation of annihilators with a minimum degree is far
more time-consuming. This section is on several ways on how to perform
this task.
First of all, we need to mention that computing annihilators of de-
gree ≤dfor a given set Scan be reduced to a problem in linear al-
gebra. Let S={x1, . . . , xs} ⊂ Fn
2and m1, . . . , mµ(n,d)be all mono-
mials in nvariables of degree ≤d. We define a matrix Mover F2
of size s×µ(n, d) by setting Mi,j := mj(xi). Then, it holds that
any annihilator Lµ(n,d)
j=1 cj·mjof Swith a degree ≤dgives a vector
V:= (c1, . . . , cµ(n,d))Tsuch that M·V=~
0 and vice versa. Thus, a
natural way to address this problem is to compute the kernel space of
M. This has a time effort in O(s·µ(n, d)2). However, in our particular
case, it may hold that sµ(n, d). For example, the sets XZfor E0with
Z∈F7
2have all a size ≥1,200,000 whereas µ(4 ·7,3) = 3683. Thus,
checking if annihilators of degree ≤3 exist over r= 7 clocks would need
about 1.200,000 ·36832≈243.67 operations.
Therefore, we propose a different approach. First, µ(n, d) random
points in Sare chosen and a matrix M0be calculated, similar to the
matrix Mdescribed above. More precisely, M0consists of exactly those
rows of Mwhich corresponds to the µ(n, d) chosen points from S. Then,
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
11
the kernel K0of M0is computed, taking about µ(n, d)3operations. In
the case of E0, this value of ≈235.54. If this kernel consist only the
all-zero vector, one knows immediately that no non-trivial annihilators
of degree ≤dexist. If the kernel contains other vectors, then each of
these vectors defines one function of degree ≤dwhich is zero on the
chosen µ(n, d) elements. We call them potential annihilators. If there
are not too many of them, one can check for each potential annihilator
if it cancels the remaining s−µ(n, d) elements in Stoo. If yes, one has
found an annihilator of degree ≤dfor the whole set S. If not, one has
proven that no such annihilators exist.
Assuming that the number of potential annihilators is too big to be
exhaustively checked, then one can pursue as follows. First, one choses
another random µ(n, d) points in S, giving another matrix M00 of size
µ(n, d)×µ(n, d). Also here, the kernel K00 is computed, causing an effort
of additional µ(n, d)3operations. Then, the intersection of both kernels
K0and K00 is computed, taking about µ(n, d)·(dim(K0) + dim(K00))2
operations which should be significantly less than µ(n, d)3in most cases.
As the intersection gives now all annihilators for the chosen 2 ·µ(n, d)
elements, it displays a new set of potential annihilators. From this point,
one can proceed as explained above.
Thus, we have seen that the effort is mainly dominated by comput-
ing annihilators for sets with µ(n, d) elements. Using Gaussian elimi-
nation here is quite straightforward, but has two disadvantages: First,
one has to guess the value of daforehand, and second, the effort is cu-
bic in µ(n, d). Thus, one should preferably replace this step by a better
method. One candidate is the quadratic time algorithm introduced in [3].
But this algorithm, although very efficient, also needs sophisticated pro-
gramming methods and careful memory handling.
The intersection method we proposed here permits to avoid its use
and permits to take advantage of the fact that the dimension of the
monomial basis is far smaller that the dimension of the sets XZ. In the
next Section we will handle the cases of 7,8 and 9 clocks with annihilators
of degree 3.
5. Experimental results - 7,8and 9clocks
The case of 6 clocks can be handled easily. Hence in the following
we focus on the case of on 7,8 and 9 clocks for which we apply the
intersection method of the previous section:
•Research for degree 3annihilators
Searching for annihilators of degree 3 we obtain 4 ×rvariables and
a basis of µ(4 ×r, d) monomials. We construct the 2rsets XZwith
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
12 ARMKNECHT, CAYREL, GABORIT AND RUATTA
size ≈2r×3. We do a gaussian elimination in order to find polynomial
annihilators of the µ(4 ×r, d) points, here is 2 cases :
•either the matrix is inversible and there is no annihilator.
•or it isn’t and we have a basis of potential annihilators, so we
keep this basis in memory and by choosing another set of µ(4 ×
r, d) points we compute a new basis of potential annihilators and
we do the intersection method described in Section 4.
clocks #variables #monomials #sets attempts(average)
7 28 3683 128 2
8 32 5489 256 2
9 36 7807 512 3
clocks time(1 attempt) time(total)
7 3 min 12 hours
8 3 min 30 29 hours
9 4 min 102 hours
Applying the method of Section 4 we were able to construct sets of
random points which associated matrices had kernels with a null inter-
section, which proves that no annihilator of degree 3 exist with 7,8,9
clocks. The implementation was made on a PC at 1 Ghz with a program
in C.
•Research for degree 4annihilators
In that case it is known that there exists at least one annihilator
valid for each set. For each set we searched for all possible annihilators.
We applied a linear algebra method similar to the previous case but
adapted for all points of a set, and we found 4 annihilators for each
set we considered: one annihilator common to all the sets and 3 other
different annihilators for each set. Our computation was done only for 21
sets but we can conjecture that it is the same for all the sets. Eventually
finding 4 annihilators for each set permits to reduce the number of bits
of streams needed for the attack from 223 to 221.
clocks #variables #monomials #annihilators #sets time(for a set)
7 28 24150 4 128 18 hours
References
[1] Frederik Armknecht, Matthias Krause: Algebraic attacks on Combiners with
Memory, Proceedings of Crypto 2003, LNCS 2729, pp. 162-176, Springer, 2003.
[2] Frederik Armknecht: Algebraic Attacks and Annihilators, Proceedings of WE-
WORC 2005, LNI P-74, pp. 13-21, 2005.
[3] Frederik Armknecht, Claude Carlet, Philippe Gaborit, Simon Knzli, Willi Meier,
Olivier Ruatta: Efficient computation of algebraic immunity for algebraic and
fast algebraic attacks, accepted to Eurocrypt ’06.
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
13
[4] Bluetooth SIG, Specification of the Bluetooth system, Version 1.1, 1 February 22,
2001, available at http://www.bluetooth.com
[5] Alex Biryukov, Adi Shamir: Cryptanalytic Time/Memory/Data tradeoffs for
Stream Ciphers, Proceedings of Asiacrypt 2000, LNCS 1976, pp. 1-13, Springer,
2000.
[6] Vladimor V. Chepyzhov, Ben Smeets: On A Fast Correlation Attack on Certain
Stream Ciphers, Proceedings of Eurocrypt 1991, LNCS 547 pp. 176-185, Springer,
1991.
[7] Nicolas Courtois: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback,
Proceedings of Crypto ’03, LNCS 2729, pp. 177-194, Springer, 2003.
[8] Courtois, Pieprzyk: Cryptanalysis of block ciphers with overdefined systems of
equations, Asiacrypt 2002, LNCS 2501, pp. 267-287, Springer, 2002.
[9] Nicolas Courtois, Willi Meier: Algebraic attacks on Stream Ciphers with Linear
Feedback, Proceedings of Eurocrypt 2003, LNCS 2656, pp. 345-359, Springer,
2003. An extended version is available at http://www.cryptosystem.net/stream/
[10] Jean-Charles Faug`ere: A new efficient algorithm for computing Gr¨obner bases
(F4), Journal of Pure and Applied Algebra 139, 1-3 (1999), 61–68.
[11] Jean-Charles Faug`ere, Gw´enol´e Ars: An algebraic cryptanalysis of
nonlinear filter generators using Gr¨obner bases, 2003. Available at
http://www.inria.fr/rrrt/rr-4739.html.
[12] Scott R. Fluhrer, Stefan Lucks: Analysis of the E0Encryption System, Pro-
ceedings of Selected Areas of Cryptography ’01, LNCS 2259, pp. 38-48, Springer,
2001.
[13] Jovan Dj. Golic: Cryptanalysis of Alleged A5 Stream Cipher, Proceedings of
Eurocrypt 1997, LNCS 1233, pp. 239-255, Springer, 1997.
[14] Thomas Johansson, Fredrik Joensson: Fast Correlation Attacks Based on Turbo
Code Techniques, Proceedings of Crypto 1999, LNCS 1666, pp. 181-197, Springer,
1999.
[15] Thomas Johansson, Fredrik Joensson: Improved Fast Correlation Attacks on
Stream Ciphers via Convolutional Codes, Proceedings of Eurocrypt 1999, pp.
347-362, Springer, 1999.
[16] Matthias Krause: BDD-Based Cryptanalysis of Key stream Generators; Pro-
ceedings of Eurocrypt 2002, pp. 222-237, LNCS 2332, Springer, 2002.
[17] Yi Lu, Serge Vaudenay: Faster Correlation Attack on Bluetooth Keystream Gen-
erator E0, Proceedings of Crypto 2004, pp. 407-425, LNCS 3152, Springer, 2004.
[18] Yi Lu, Serge Vaudenay: Cryptanalysis of Bluetooth Keystream Generator Two-
Level E0, Proceedings of Asiacrypt 2004, pp. 483-499, LNCS 3329, Springer, 2004.
[19] Yi Lu, Willi Meier, Serge Vaudenay: The Conditional Correlation Attack: A
Practical Attack on Bluetooth Encryption, Proceedings of Crypto 2005, pp. 97-
117, LNCS 3621, Springer, 2005.
[20] Willi Meier, Enes Pasalic, Claude Carlet: Algebraic attacks and decomposition
of Boolean functions, Eurocrypt 2004, LNCS 3027, pp. 474-491, Springer, 2004.
[21] Willi Meier, Othmar Staffelbach: Fast Correlation Attacks on certain Stream
Ciphers, Journal of Cryptology, pp. 159-176, 1989.
[22] Rainer A Rueppel: Correlation immunity and the summation genera-
tor,Proceedings of Crypto 1985, pp. 260–272, LNCS 218, Springer, 1986.
[23] Adi Shamir, Jacques Patarin, Nicolas Courtois, Alexander Klimov: Efficient Al-
gorithms for Solving Overdefined Systems of Multivariate Polynomial Equations,
Proceedings of Eurocrypt ’00, Springer LNCS 1807, pp. 392-407.
[24] Erik Zenner: On the Efficiency of the Clock Control Guessing Attack, Proceed-
ings of ICISC 2002, LNCS 2587, Springer, 2002.
[25] Erik Zenner, Matthias Krause, Stefan Lucks: Improved Cryptanalysis of the
Self-Shrinking Generator ACISP 2001, LNCS 2119, Springer, 2001.
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
14 ARMKNECHT, CAYREL, GABORIT AND RUATTA
Appendix A. Z-functions and the set XZ
In this section, we illustrate the concept of Z-functions and the sets
XZ. Herefore, we take a look at the summation generator [22] which
is a (k, dlog2ke)-combiner, based on the integer addition. This means
that both the input bits and the memory state are treated as integers
and added together. The result forms the output and the next memory
state.
More formally, at each clock tthere are kinput bits xt,1, . . . , xt,k
and the memory state Qt∈Fdlog2ke
2. The integer sum of these values is
computed, i.e. St:= xt,1+. . . +xt,k +Qtwhere Qtis taken as a value
in {0, . . . , 2dlog2ke}. Then, the output and the next memory state Qt+1
are computed by
zt:= Stmod 2 = (xt,1+. . . +xt,k +Qt) mod 2 (3)
Qt+1 := Stdiv 2 = (xt,1+. . . +xt,k +Qt)
2(4)
For example, in the case k= 2 and `= 1, it holds that
zt+1 := f(Qt, xt,1, xt,2) = Qt⊕xt,1⊕xt,2and (5)
Qt−1:= Ψ(Qt, xt,1, xt,2) = Qt·(xt,1⊕xt,2)⊕xt,1·xt,2.(6)
We keep now at the example of k= 2 and `= 1. In Table 1, an
overview of all possible inputs (X1, X2)∈F4
2over two clocks and initial
memory state Q∈F2are given, together with the corresponding outputs
Z∈F2
2. For example, if the initial state of the memory bit is 0 and if the
inputs (coming from the LFSRs) are 00 in the first clock and 01 in the
second clock, then the output Zof the summation generator is Z= 01.
Alternatively, one can express this by f2(Q, X1, X2) = f2(0,00,01) =
(0,1).
From Table 1, one can derive directly the four different sets XZ:3
X(0,0) ={(0000),(0011),(1101),(1110),(0101),(0110),(1001),(1010)}
X(0,1) ={(0001),(0010),(1100),(1111),(0100),(0111),(1000),(1011)}
X(1,0) ={(0100),(0111),(1000),(1011),(0000),(0011),(1101),(1110)}
X(1,1) ={(0101),(0110),(1001),(1010),(0001),(0010),(1100),(1111)}
(7)
Assume now that we are interested in a Z-function Ffor Z= (00).
That is, Fhas to be zero on all inputs (X1, X2) which can lead to the
output 00. By definition, this is the set X(0,0). A possible (00)-function
3The commas are removed for the sake of brevity.
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
15
Q0 0 0 0 0 0 0 0
X1(0,0) (0,0) (0,0) (0,0) (0,1) (0,1) (0,1) (0,1)
X2(0,0) (0,1) (1,0) (1,1) (0,0) (0,1) (1,0) (1,1)
Z00 01 01 00 10 11 11 10
Q0 0 0 0 0 0 0 0
X1(1,0) (1,0) (1,0) (1,0) (1,1) (1,1) (1,1) (1,1)
X2(0,0) (0,1) (1,0) (1,1) (0,0) (0,1) (1,0) (1,1)
Z10 11 11 10 01 00 00 01
Q1 1 1 1 1 1 1 1
X1(0,0) (0,0) (0,0) (0,0) (0,1) (0,1) (0,1) (0,1)
X2(0,0) (0,1) (1,0) (1,1) (0,0) (0,1) (1,0) (1,1)
Z10 11 11 10 01 00 00 01
Q1 1 1 1 1 1 1 1
X1(1,0) (1,0) (1,0) (1,0) (1,1) (1,1) (1,1) (1,1)
X2(0,0) (0,1) (1,0) (1,1) (0,0) (0,1) (1,0) (1,1)
Z01 00 00 01 11 10 10 11
Table 1. All possible input-output combinations over
2 clocks for the summation generator with k= 2 inputs
and `= 1 memory bits
therefore is
F(x1,1, x1,2, x2,1, x2,2):=x1,1·x1,2⊕x1,1⊕x1,2⊕x2,1⊕x2,2.
Observe that both fand Ψ depend not on the exact value of Xbut
only on its hamming weight. As explained in Section 3, one can exploit
this to save memory by only storing only the hamming weights of the
elements in XZ. For example, one can rewrite the sets XZin (7) to
X(0,0) ={[00],[02],[21],[11]}
X(0,1) ={[01],[20],[22],[10],[12]}
X(1,0) ={[10],[12],[00],[02],[21]}
X(1,1) ={[11],[01],[20],[22]}
(8)
Hereby, [w1, w2] denotes the set of all inputs (X1, X2) such that the
hamming weight of X1is equal to w1and the same for X2and w2.
We denote this kind of set as blockwise symmetric as the inputs can be
divided into blocks where each block is invariant under permutations.
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
16 ARMKNECHT, CAYREL, GABORIT AND RUATTA
If one is interested to apply the iterated methods explained at the
end of Section 3, one needs to compute the sets XQ,Z and XZ,Q. From
Table 1, one derive immediately the sets XQ,Z . For example, for Q= 1
and Z= 11, it holds that
X1,(11) ={[01],[20],[22]}
which is naturally a subset of X(11).
J-F. Michon, P. Valarcher, J-B. Yun`es (Eds.): BFCA’07
