Gregory G. Rose

Rewriting Variables: The Complexity of Fast Algebraic Attacks on Stream Ciphers

Recently proposed algebraic attacks [2,6] and fast algebraic attacks [1,5] have provided the best analyses against some deployed LFSR-based ciphers. The process complexity is exponential in the degree of the equations. Fast algebraic attacks were introduced [5] as a way of reducing run-time complexity by reducing the degree of the system of equations. Previous reports on fast algebraic attacks [1,5] have underestimated the complexity of substituting the keystream into the system of equations, which in some cases dominates the attack. We also show how the Fast Fourier Transform (FFT) [4] can be applied to decrease the complexity of the substitution step. Finally, it is shown that all functions of degree d satisfy a common, function-independent linear combination that may be used in the pre-computation step of the fast algebraic attack. An explicit factorization of the corresponding characteristic polynomial yields the fastest known method for performing the pre-computation step.

Guess-and-Determine Attacks on SNOW

This paper describes guess-and-determine attacks on the stream cipher SNOW. The first attack has a data complexity of O(264) and a process complexity of O(2256). The second attack has process complexity of O(2224), and a data complexity of O(295).

Exploiting Multiples of the Connection Polynomial in Word-Oriented Stream Ciphers

This paper describes some attacks on word-oriented stream ciphers that use a linear feedback shift register (LFSR) and a non-linear filter. These attacks rely on exploiting linear relationships corresponding to multiples of the connection polynomial that define the LFSR.

A Stream Cipher Based on Linear Feedback over GF(28)

Embedded applications such as voice encryption in wireless telephones can place severe constraints on the amount of processing power, program space and memory available for software encryption algorithms. Additionally, some protocols require some form of two-level keying which must be reasonably fast. This paper introduces a mechanism for creating a family of stream ciphers based on Linear Feedback Shift Registers over the Galois Finite Field of order 2n, where n is chosen to be convenient for software implementation. A particular stream cipher based on this methodology, SOBER, is presented and analysed.

Turing: A Fast Stream Cipher

This paper proposes the Turing stream cipher. Turing offers up to 256-bit key strength, and is designed for extremely efficient software implementation.It combines an LFSR generator based on that of SOBER [21] with a keyed mixing function reminiscent of a block cipher round. Aspects of the block mixer round have been derived from Rijndael [6], Twofish [23], tc24 [24] and SAFER++ [17].

Specification for NLSv2

NLSv2 is a synchronous stream cipher with message authentication functionality, submitted to the ECrypt Network of Excellence call for stream cipher primitives, profile 1A. NLSv2 is an updated version of NLS [19]. The minor change between NLS and NLSv2 increases resistance to attacks utilizing large amounts of keystream. NLS stands for Non-Linear SOBER, and the NLS ciphers are members of the SOBER family of stream ciphers [12],[16],[23] and [24].

Attacks on a lightweight cipher based on a multiple recursive generator

At IEEE GLOBECOM 2008, a lightweight cipher based on a Multiple Recursive Generator (MRG) was proposed for use in resource limited environment such as sensor nodes and RFID tags. This paper proposes two efficient attacks on this MRG cipher. A distinguishing attack is firstly introduced to identify the use of an MRG cipher that has a modulus suggested by its designers. It requires 218 words of ciphertext and the most significant bit of each corresponding plaintext word. Then an efficient known plaintext attack is proposed to construct the ciphers current state and generate subkeys used for all subsequent encryption. The known plaintext attack, when targeted at the MRG ciphers optimized for efficiency, only requires 2k words of known plaintext and trivial computation where k is the MRG order. Even the ciphers based on complicated and inefficient MRGs can be attacked with low complexity, e.g. in the magnitude of 212 words of known plaintext for all MRG ciphers with order 47, regardless of which MRG modulus is used. These two attacks indicate that the examined MRG cipher structure is seriously flawed. Copyright