Fast Algebraic Attacks on Stream Ciphers with Linear Feedback

  • Nicolas T. Courtois
Conference paper

DOI: 10.1007/978-3-540-45146-4_11

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)
Cite this paper as:
Courtois N.T. (2003) Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh D. (eds) Advances in Cryptology - CRYPTO 2003. CRYPTO 2003. Lecture Notes in Computer Science, vol 2729. Springer, Berlin, Heidelberg


Many popular stream ciphers apply a filter/combiner to the state of one or several LFSRs. Algebraic attacks on such ciphers [10,11] are possible if there is a multivariate relation involving the key/state bits and the output bits. It is shown in [1,2,10,11] that such relations exist for several well-known constructions of stream ciphers immune to all previously known attacks. In particular, they make it possible to break two ciphers using LFSRs and completely “well designed” Boolean functions: Toyocrypt and LILI-128, see [10,11]. Similar algebraic attacks also exist for the stateful combiner construction used in the Bluetooth keystream generator E0 [1]. More generally, it is proven in [2] that they can break, in polynomial time, any combiner with a fixed number of inputs and a fixed number of memory bits.

In this paper we present a method that substantially reduces the complexity of all these attacks. We show that when the known keystream bits are consecutive, an important part of the equations will have a recursive structure, and this makes it possible to partially replace the usual sub-cubic Gaussian algorithms for eliminating the monomials by a much faster, essentially linear, version of the Berlekamp-Massey algorithm. The new method gives the fastest attack proposed so far for Toyocrypt, LILI-128 and the keystream generator that is used in the E0 cipher. Moreover, we present two new fast general algebraic attacks for stream ciphers using Boolean functions, applicable when the degree and/or the number of inputs is not too big.
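
The recursive structure mentioned above can be seen on a toy LFSR. This is an added example, not code from the paper: for a constructed 5-bit LFSR (x^5 + x^2 + 1) and one degree-2 monomial of its state, Berlekamp-Massey finds a linear recurrence no longer than the number of monomials of degree 1 and 2, and that recurrence holds for every initial state, so it can be computed once without knowing the key. The LFSR, the monomial, the sample states and all function names are assumptions chosen for illustration.

```python
from math import comb

def lfsr_bits(state, count):
    """Output of the toy LFSR s[t+5] = s[t+2] ^ s[t] (x^5 + x^2 + 1)."""
    s = list(state)
    while len(s) < count:
        s.append(s[-3] ^ s[-5])
    return s[:count]

def monomial_seq(state, count):
    """z[t] = s[t] & s[t+1]: a degree-2 monomial of the state at time t."""
    s = lfsr_bits(state, count + 1)
    return [s[t] & s[t + 1] for t in range(count)]

def berlekamp_massey(seq):
    """Shortest GF(2) recurrence: returns (L, c) with c[0] = 1 and
    XOR of c[i] & seq[t-i] over i = 0..L equal to 0 for every t >= L."""
    n = len(seq)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, 1
    for t in range(n):
        d = seq[t]                      # discrepancy of the current guess
        for i in range(1, L + 1):
            d ^= c[i] & seq[t - i]
        if d:
            prev = c[:]
            for i in range(n + 1 - m):
                c[i + m] ^= b[i]
            if 2 * L <= t:              # recurrence must get longer
                L, b, m = t + 1 - L, prev, 0
        m += 1
    return L, c[:L + 1]

def satisfies(seq, c):
    """True if every window of seq obeys the recurrence c."""
    L = len(c) - 1
    return all(sum(c[i] & seq[t - i] for i in range(L + 1)) % 2 == 0
               for t in range(L, len(seq)))

def demo():
    bound = comb(5, 1) + comb(5, 2)     # monomials of degree 1 and 2
    # Recurrence learned once from an arbitrary (constructed) state ...
    L, c = berlekamp_massey(monomial_seq([1, 0, 0, 0, 0], 2 * bound + 10))
    # ... also cancels the monomial for a different, "unknown" state.
    other = monomial_seq([0, 1, 1, 0, 1], 93)
    return L, bound, satisfies(other, c)

if __name__ == "__main__":
    print(demo())
```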


Keywords: Algebraic attacks, stream ciphers, multivariate equations, nonlinear filters, Boolean functions, combiners with memory, LFSR synthesis, Berlekamp-Massey algorithm, Toyocrypt, Cryptrec, LILI-128, Nessie, E0, Bluetooth

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Nicolas T. Courtois (1)
  1. Cryptography Research, Schlumberger Smart Cards, Louveciennes, France
