Philip Michael Hawkes

Rewriting Variables: The Complexity of Fast Algebraic Attacks on Stream Ciphers

Recently proposed algebraic attacks [2,6] and fast algebraic attacks [1,5] have provided the best analyses against some deployed LFSR-based ciphers. The process complexity is exponential in the degree of the equations. Fast algebraic attacks were introduced [5] as a way of reducing run-time complexity by reducing the degree of the system of equations. Previous reports on fast algebraic attacks [1,5] have underestimated the complexity of substituting the keystream into the system of equations, which in some cases dominates the attack. We also show how the Fast Fourier Transform (FFT) [4] can be applied to decrease the complexity of the substitution step. Finally, it is shown that all functions of degree d satisfy a common, function-independent linear combination that may be used in the pre-computation step of the fast algebraic attack. An explicit factorization of the corresponding characteristic polynomial yields the fastest known method for performing the pre-computation step.

Guess-and-Determine Attacks on SNOW

This paper describes guess-and-determine attacks on the stream cipher SNOW. The first attack has a data complexity of O(264) and a process complexity of O(2256). The second attack has process complexity of O(2224), and a data complexity of O(295).

Exploiting Multiples of the Connection Polynomial in Word-Oriented Stream Ciphers

This paper describes some attacks on word-oriented stream ciphers that use a linear feedback shift register (LFSR) and a non-linear filter. These attacks rely on exploiting linear relationships corresponding to multiples of the connection polynomial that define the LFSR.

Turing: A Fast Stream Cipher

This paper proposes the Turing stream cipher. Turing offers up to 256-bit key strength, and is designed for extremely efficient software implementation.It combines an LFSR generator based on that of SOBER [21] with a keyed mixing function reminiscent of a block cipher round. Aspects of the block mixer round have been derived from Rijndael [6], Twofish [23], tc24 [24] and SAFER++ [17].

Cache Timing Analysis of LFSR-Based Stream Ciphers

Cache timing attacks are a class of side-channel attacks that is applicable against certain software implementations. They have generated significant interest when demonstrated against the Advanced Encryption Standard (AES), but have more recently also been applied against other cryptographic primitives. In this paper, we give a cache timing cryptanalysis of stream ciphers using word-based linear feedback shift registers (LFSRs), such as Snow, Sober, Turing, or Sosemanuk. Fast implementations of such ciphers use tables that can be the target for a cache timing attack. Assuming that a small number of noise-free cache timing measurements are possible, we describe a general framework showing how the LFSR state for any such cipher can be recovered using very little computational effort. For the ciphers mentioned above, we show how this knowledge can be turned into efficient cache-timing attacks against the full ciphers.

Vectorial Approach to Fast Correlation Attacks

Abstract.A new, vectorial approach to fast correlation attacks on binary memoryless combiners is proposed. Instead of individual input sequences or their linear combinations, the new attack is targeting subsets of input sequences as a whole thus exploiting the full correlation between the chosen subset and the output sequence. In particular, the set of all the input sequences can be chosen as the target. The attack is based on a novel iterative probabilistic algorithm which is also applicable to general memoryless combiners over finite fields or finite rings. To illustrate the effectiveness of the introduced approach, experimental results obtained for random balanced combining functions are presented

XOR and non-XOR differential probabilities

Differential cryptanalysis is a well-known attack on iterated ciphers whose success is determined by the probability of predicting sequences of differences from one round of the cipher to the next. The notion of difference is typically defined with respect to the group operation (s) used to combine the subkey in the round function F. For a given round operation π of F, such as an S-box, let DP⊗(π) denote the probability of the most likely non-trivial difference for π when differences are defined with respect to ⊗. In this paper we investigate how the distribution of DP⊗(π) varies as the group operation ⊗ is varied when π is a uniformly selected permutation. We prove that DP⊗(π) is maximised with high probability when differences are defined with respect to XOR.

Specification for NLSv2

NLSv2 is a synchronous stream cipher with message authentication functionality, submitted to the ECrypt Network of Excellence call for stream cipher primitives, profile 1A. NLSv2 is an updated version of NLS [19]. The minor change between NLS and NLSv2 increases resistance to attacks utilizing large amounts of keystream. NLS stands for Non-Linear SOBER, and the NLS ciphers are members of the SOBER family of stream ciphers [12],[16],[23] and [24].