Advances in Cryptology — EUROCRYPT 2003

Volume 2656 of the series Lecture Notes in Computer Science pp 345-359


Algebraic Attacks on Stream Ciphers with Linear Feedback

  • Nicolas T. CourtoisAffiliated withCryptography Research, Schlumberger Smart Cards
  • , Willi MeierAffiliated withFH Aargau


A classical construction of stream ciphers is to combine several LFSRs and a highly non-linear Boolean function f. Their security is usually analysed in terms of correlation attacks, that can be seen as solving a system of multivariate linear equations, true with some probability. At ICISC’02 this approach is extended to systems of higher-degree multivariate equations, and gives an attack in 292 for Toyocrypt, a Cryptrec submission. In this attack the key is found by solving an overdefined system of algebraic equations. In this paper we show how to substantially lower the degree of these equations by multiplying them by well-chosen multivariate polynomials. Thus we are able to break Toyocrypt in 249 CPU clocks, with only 20 Kbytes of keystream, the fastest attack proposed so far. We also successfully attack the Nessie submission LILI-128, within 257 CPU clocks (not the fastest attack known). In general, we show that if the Boolean function uses only a small subset (e.g. 10) of state/LFSR bits, the cipher can be broken, whatever is the Boolean function used (worst case). Our new general algebraic attack breaks stream ciphers satisfying all the previously known design criteria in at most the square root of the complexity of the previously known generic attack.


Algebraic attacks on stream ciphers pseudo-random generators nonlinear filtering Boolean functions factoring multivariate polynomials multivariate equations overdefined problems XL algorithm ciphertext-only attacks Toyocrypt Cryptrec LILI-128 Nessie