Willi Meier

Fast correlation attacks on certain stream ciphers

Suppose that the output of a running key generator employed in a stream cipher is correlated to a linear feedback shift register sequence (LFSR sequence) a with correlation probabilityp>0.5. Then two new correlation attacks (Algorithms A and B) are presented to determine the initial digits of a, provided that the numbert of feedback taps is small (t<10 ifp≤0.75). The computational complexity of Algorithm A is of orderO(2ck), wherek denotes the length of the LFSR andc<1 depends on the input parameters of the attack, and Algorithm B is polynomial (in fact, even linear) in the lengthk of the LFSR. These algorithms are much faster than an exhaustive search over all phases of the LFSR, and are demonstrated to be successful against shift registers of considerable lengthk (typically,k=1000). On the other hand, for correlation probabilitiesp≤0.75 the attacks are proven to be infeasible against long LFSRs if they have a greater number of taps (roughlyk≥100 andt≥10).

Algebraic Attacks and Decomposition of Boolean Functions

Algebraic attacks on LFSR-based stream ciphers recover the secret key by solving an overdefined system of multivariate algebraic equations. They exploit multivariate relations involving key bits and output bits and become very efficient if such relations of low degrees may be found. Low degree relations have been shown to exist for several well known constructions of stream ciphers immune to all previously known attacks. Such relations may be derived by multiplying the output function of a stream cipher by a well chosen low degree function such that the product function is again of low degree. In view of algebraic attacks, low degree multiples of Boolean functions are a basic concern in the design of stream ciphers as well as of block ciphers.

Grain: a stream cipher for constrained environments

A new stream cipher, Grain, is proposed. The design targets hardware environments where gate count, power consumption and memory is very limited. It is based on two shift registers and a non-linear output function. The cipher has the additional feature that the speed can be increased at the expense of extra hardware. The key size is 80 bits and no attack faster than exhaustive key search has been identified. The hardware complexity and throughput compares favourably to other hardware oriented stream ciphers like E0 and A5/1.

Nonlinearity criteria for cryptographic functions

Nonlinearity criteria for Boolean functions are classified in view of their suitability for cryptographic design. The classification is set up in terms of the largest transformation group leaving a criterion invariant. In this respect two criteria turn out to be of special interest, the distance to linear structures and the distance to affine functions, which are shown to be invariant under all affine transformations. With regard to these criteria an optimum class of functions is considered. These functions simultaneously have maximum distance to affine functions and maximum distance to linear structures, as well as minimum correlation to affine functions. The functions with these properties are proved to coincide with certain functions known in combinatorial theory, where they are called bent functions. They are shown to have practical applications for block ciphers as well as stream ciphers. In particular they give rise to a new solution of the correlation problem.

Fast correlation attacks on stream ciphers

A common type of running key generator employed in stream cipher systems consists of n (mostly maximum-length) binary linear feedback shift registers (LFSRs) whose output sequences are combined by a nonlinear Boolean function f. The output of several combining functions previously proposed in the literature is known to be correlated to some input variables with probabilities p up to 0.75 (this holds, e.g. for the generators of Geffe, Pless, or Bruer). These generators have been broken in [2] for LFSR-lengths k < 50 (roughly), according to the computational complexity of the attack (based on an exhaustive search over all phases of the LFSR). But also other generators, e.g. certain types of multiplexed sequence generators, are known to be correlated to LFSR-components. In fact any generator having such correlations may be vulnerable to a correlation attack.

The Self-Shrinking Generator

A construction of a pseudo random generator based on a single linear feedback shift register is investigated. The construction is related to the so-called shrinking generator and is attractive by its conceptual simplicity. The lower bounds that are provided for period, linear complexity, and known cryptanalytic attacks allow for efficient practical implementations at a reasonable scale.

A Stream Cipher Proposal: Grain-128

A new stream cipher, Grain-128, is proposed. The design is very small in hardware and it targets environments with very limited resources in gate count, power consumption, and chip area. Grain-128 supports key size of 128 bits and IV size of 96 bits. The design is very simple and based on two shift registers, one linear and one nonlinear, and an output function

Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2\^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2\^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2\^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect nonrandomness over 885 rounds in 2\^27, improving on the original 767-round cube attack.

The Grain Family of Stream Ciphers

A new family of stream ciphers, Grain, is proposed. Two variants, a 80-bit and a 128-bit variant are specified, denoted Grain and Grain-128 respectively. The designs target hardware environments where gate count, power consumption and memory are very limited. Both variants are based on two shift registers and a nonlinear output function. The ciphers also have the additional feature that the speed can be easily increased at the expense of extra hardware.

Correlation properties of combiners with memory in stream ciphers

For pseudo-random generators where one or several LFSRs are combined by a memoryless function, it is known that the output sequences are correlated to certain LFSR-sequences whose correlation coefficients ct satisfy the equation ∑ic2i= 1. In this paper it is proved that a corresponding result also holds for generators whose LFSRs are connected to a combiner with memory.If correlation probabilities are conditioned on side information, e.g., on known output digits, it is shown that new or stronger correlations may occur. This is exemplified for the summation cipher with only two LFSRs where such correlations can be exploited in a known plaintext attack. A cryptanalytic algorithm is given which is shown to be successful for LFSRs of considerable length and with arbitrary feedback connection.