Guess-and-Determine Algebraic Attack on the Self-Shrinking Generator

  • Blandine Debraize
  • Louis Goubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5086)


The self-shrinking Generator (SSG) was proposed by Meier and Staffelbach at Eurocrypt’94. Two similar guess-and-determine attacks were independently proposed by Hell-Johansson and Zhang-Feng in 2006, and give the best time/data tradeoff on this cipher so far. These attacks do not depend on the Hamming weight of the feedback polynomial (defining the LFSR in SSG).

In this paper we propose a new attack strategy against SSG, when the Hamming weight is at most 5. For this case we obtain a better tradeoff than all previously known attacks (including Hell-Johansson and Zhang-Feng). Our main idea consists in guessing some information about the internal bitstream of the SSG, and expressing this information by a system of polynomial equations in the still unknown key bits. From a practical point of view, we show that using a SAT solver, such as MiniSAT, is the best way of solving this polynomial system.

Since Meier and Staffelbach original paper, avoiding low Hamming weight feedback polynomials has been a widely believed principle. However this rule did not materialize in previous recent attacks. With the new attacks described in this paper, we show explicitly that this principle remains true.


stream cipher guess-and-determine attacks multivariate quadratic equations SAT solver self-shrinking generator algebraic cryptanalysis 


  1. 1.
    Bard, G.: Algorithms for Solving Linear and Polynomial Systems of Equations over Finite Fields, with Applications to Cryptanalysis. Ph.D. Dissertation, University of Maryland (2007)Google Scholar
  2. 2.
    Bard, G.V., Courtois, N.T., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers (2007),
  3. 3.
    Bard, G.V., Courtois, N.T.: Algebraic and Slide Attacks on KeeLoq. In: Preproceedings of FSE 2008, pp. 89-104 (2008)Google Scholar
  4. 4.
    Coppersmith, D., Krawczyk, H., Mansour, Y.: The Shrinking Generator. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 22–39. Springer, Heidelberg (1994)Google Scholar
  5. 5.
    Courtois, N., Shamir, A., Patarin, J., Klimov, A.: Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999), zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Workshop on Applications of Commutative Algebra, Catania, Italy. ACM Press, New York (2002)Google Scholar
  8. 8.
    Hell, M., Johansson, T.: Two New Attacks on the Self-Shrinking Generator. IEEE Transactions on Information Theory 52(8), 3837–3843 (2006)CrossRefMathSciNetGoogle Scholar
  9. 9.
    Krause, M.: BBD-based Cryptanalysis of Keystream Generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 222–237. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Krawczyk, H.: Practical Aspects of the Shrinking Generator. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 45–46. Springer, Heidelberg (1994)Google Scholar
  11. 11.
    McDonald, C., Charnes, C., Pieprzyk, J.: Attacking Bivium with MiniS, AT (2007),
  12. 12.
    Meier, W., Staffelbach, O.: The Self-Shrinking Generator. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 205–214. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  13. 13.
    Mihaljević, M.J.: A faster cryptanalysis of the self-shrinking generator. In: Pieprzyk, J.P., Seberry, J. (eds.) ACISP 1996. LNCS, vol. 1172, pp. 182–189. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  14. 14.
    Zhang, B., Feng, D.: New Guess-and-determine Attack on the Self-Shrinking Generator. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 54–68. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Zenner, E., Krause, M., Lucks, S.: Improved Cryptanalysis of the Self-Shrinking Generator. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 21–35. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Blandine Debraize
    • 1
    • 2
  • Louis Goubin
    • 2
  1. 1.Gemalto, MeudonFrance
  2. 2.Versailles Saint-Quentin-en-Yvelines UniversityFrance

Personalised recommendations