Algebraic Attacks on Stream Ciphers with Linear Feedback

  • Nicolas T. Courtois
  • Willi Meier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


A classical construction of stream ciphers is to combine several LFSRs and a highly non-linear Boolean function f. Their security is usually analysed in terms of correlation attacks, which can be seen as solving a system of multivariate linear equations that hold with some probability. At ICISC’02 this approach was extended to systems of higher-degree multivariate equations, giving an attack in $2^{92}$ for Toyocrypt, a Cryptrec submission. In this attack the key is found by solving an overdefined system of algebraic equations. In this paper we show how to substantially lower the degree of these equations by multiplying them by well-chosen multivariate polynomials. Thus we are able to break Toyocrypt in $2^{49}$ CPU clocks, with only 20 Kbytes of keystream, the fastest attack proposed so far. We also successfully attack the Nessie submission LILI-128, within $2^{57}$ CPU clocks (not the fastest attack known). In general, we show that if the Boolean function uses only a small subset (e.g. 10) of state/LFSR bits, the cipher can be broken, whatever Boolean function is used (worst case). Our new general algebraic attack breaks stream ciphers satisfying all the previously known design criteria in at most the square root of the complexity of the previously known generic attack.
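To illustrate the degree-lowering idea in the abstract, the following added example (not code from the paper or its authors) uses linear algebra over GF(2) to find the smallest d for which some nonzero g of degree at most d makes f·g have degree at most d. A designer can run the same check on a candidate filter function to see how low the equation degree can be pushed. The two sample functions and all function names are constructed for this illustration.

```python
from itertools import combinations

def monomials(k, d):
    """Bitmasks of all monomials in k variables of degree <= d."""
    return [sum(1 << i for i in c) for r in range(d + 1)
            for c in combinations(range(k), r)]

def rank_gf2(rows):
    """Rank of a GF(2) matrix whose rows are Python ints (bit vectors)."""
    basis = {}                          # leading bit -> row with that leading bit
    for row in rows:
        while row:
            top = row.bit_length() - 1
            if top not in basis:
                basis[top] = row
                break
            row ^= basis[top]
    return len(basis)

def min_multiplier_degree(f, k):
    """Smallest d such that g != 0 exists with deg g <= d and deg(f*g) <= d."""
    for d in range(k + 1):
        mons = monomials(k, d)
        m = len(mons)
        rows = []
        for x in range(1 << k):
            # Bit j is set iff monomial j evaluates to 1 at point x.
            vals = sum(1 << j for j, mask in enumerate(mons) if (mask & x) == mask)
            # One equation per point: f(x)*g(x) + h(x) = 0, with the unknown
            # coefficients of g in the high half and those of h in the low half.
            rows.append(((vals << m) if f(x) else 0) | vals)
        if rank_gf2(rows) < 2 * m:      # non-trivial solution (g, h) exists
            return d

def f_high(x):
    """Constructed sample: x0 + x1*x2*x3*x4 (degree 4 in 5 variables)."""
    b = [(x >> i) & 1 for i in range(5)]
    return b[0] ^ (b[1] & b[2] & b[3] & b[4])

def maj5(x):
    """Constructed sample: majority of 5 bits."""
    return int(bin(x).count("1") >= 3)

if __name__ == "__main__":
    print("x0 + x1x2x3x4:", min_multiplier_degree(f_high, 5))
    print("majority-5   :", min_multiplier_degree(maj5, 5))
```

For f_high the multiplier g = 1 + x1 gives f·g = x0(1 + x1), so a degree-4 function yields degree-2 equations; majority on 5 bits reaches ⌈5/2⌉ = 3, the most any 5-variable function can require, because at that degree the unknown coefficients outnumber the 2^5 equations.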


Algebraic attacks on stream ciphers, pseudo-random generators, nonlinear filtering, Boolean functions, factoring multivariate polynomials, multivariate equations, overdefined problems, XL algorithm, ciphertext-only attacks, Toyocrypt, Cryptrec, LILI-128, Nessie



Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

  • Nicolas T. Courtois (1)
  • Willi Meier (2)
  1. Cryptography Research, Schlumberger Smart Cards, Louveciennes Cedex, France
  2. FH Aargau, Windisch, Switzerland
