Introducing a New Variant of Fast Algebraic Attacks and Minimizing Their Successive Data Complexity

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3715)


Algebraic attacks have established themselves as a powerful method for the cryptanalysis of LFSR-based keystream generators (e.g., E 0 used in Bluetooth). The attack is based on solving an overdetermined system of low-degree equations R t =0, where R t is an expression in the state of the LFSRs at clock t and one or several successive keystream bits z t ,...,z t + δ .

In fast algebraic attacks, new equations of a lower degree are constructed in a precomputation step. This is done by computing appropriate linear combinations of T successive initial equations R t =0. The successive data complexity of the attack is the number T of successive equations.

We propose a new variant of fast algebraic attacks where the same approach is employed to eliminate some unknowns, making a divide-and-conquer attack possible. In some cases, our variant is applicable whereas the first one is not.

Both variants can have a high successive data complexity (e.g., T≥ 8.822.188 for E 0). We describe how to keep it to a minimum and introduce suitable efficient algorithms for the precomputation step.


fast algebraic attacks stream ciphers linear feedback shift registers Bluetooth 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aho, A.V., Hopcroft, J.E., Ullman, J.D.: The design and Analysis of Computer Algorithms. Addison-Wesley, Reading (1974)zbMATHGoogle Scholar
  2. 2.
    Armknecht, F., Krause, M.: Algebraic attacks on Combiners with Memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–175. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Armknecht, F.: Improving Fast Algebraic Attacks. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 65–82. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    Armknecht, F.: On the existence of low-degree equations, Cryptology ePrint Archive: Report 2004/185Google Scholar
  5. 5.
    Biryukov, A., Shamir, A.: Cryptanalytic Time/Memory/Data tradeoffs for Stream Ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Bluetooth SIG, Specification of the Bluetooth system, Version 1.1, February 22 (2001), Available at
  7. 7.
    Courtois, N.: Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003), is available at CrossRefGoogle Scholar
  8. 8.
    Courtois, N., Meier, W.: Algebraic attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003), An extended version is available at CrossRefGoogle Scholar
  9. 9.
    Courtois, N.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Faugère, J.-C., Ars, G.: An algebraic cryptanalysis of nonlinear filter generators using Gröbner bases (2003), Available at
  11. 11.
    Dj, J.: Golic: Vectorial Boolean functions and induced algebraic equations. Cryptology ePrint Archive: Report 2004/225Google Scholar
  12. 12.
    Hawkes, P., Rose, G.G.: Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 390–406. Springer, Heidelberg (2004), Available at Google Scholar
  13. 13.
    Krause, M.: BDD-Based Cryptanalysis of Keystream Generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 222–237. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. 14.
    Lidl, R., Niederreiter, H.: Introduction to finite fields an their applications. Cambridge University Press, Cambridge (1994)Google Scholar
  15. 15.
    Massey, J.L.: Shift-register synthesis and BCH decoding. IEEE Trans. Information Theory IT-15, 122–127 (1969)CrossRefMathSciNetzbMATHGoogle Scholar
  16. 16.
    Meier, W., Pasalic, E., Carlet, C.: Algebraic attacks and decomposition of Boolean functions. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 474–491. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Meier, W., Staffelbach, O.: Fast Correlation Attacks on certain Stream Ciphers. Journal of Cryptology, 159–176 (1989)Google Scholar
  18. 18.
    Schoenhage, A.: Schnelle Multiplikation von Polynomen über Körpern der Charakteristik 2. Acta Informatica 7, 395–398 (1977)CrossRefzbMATHGoogle Scholar
  19. 19.
    Simpson, L., Dawson, E., Golic, J., Millan, W.: LILI Keystream Generator. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 248–261. Springer, Heidelberg (2001), See CrossRefGoogle Scholar
  20. 20.
    Strassen, V.: Gaussian Elimination is Not Optimal. Numerische Mathematik 13, 354–356 (1969)CrossRefMathSciNetzbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  1. 1.Theoretische InformatikUniversität MannheimMannheimGermany
  2. 2.IRMARUniversity of RennesRennesFrance

Personalised recommendations