Algebraic Attacks on Combiners with Memory

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


Recently, algebraic attacks were proposed to attack several cryptosystems, e.g. AES, LILI-128 and Toyocrypt. This paper extends the use of algebraic attacks to combiners with memory. A (k,l)-combiner consists of k parallel linear feedback shift registers (LFSRs), and the nonlinear filtering is done via a finite automaton with k input bits and l memory bits. It is shown that for (k,l)-combiners, nontrivial canceling relations of degree at most ⌈k(l+1)/2⌉ exist. This makes algebraic attacks possible. Also, a general method is presented to check for such relations with an even lower degree. This allows one to show the invulnerability of certain (k,l)-combiners against this kind of algebraic attack. On the other hand, this can also be used as a tool to find improved algebraic attacks.

Inspired by this method, the E0 keystream generator from the Bluetooth standard is analyzed. As it turns out, a secret key can be recovered by solving a system of linear equations with 2^23.07 unknowns. To our knowledge, this is the best published attack on the E0 keystream generator yet.
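As an added illustration (not code from the paper), the following brute-force check finds, for a toy (2,1)-combiner, the lowest degree of a memory-free relation between LFSR input bits and keystream bits, and compares it with the bound ⌈k(l+1)/2⌉ stated above. The toy combiner (XOR output, majority carry), the window of l+1 consecutive clocks, and all function names are assumptions made for this example.

```python
from itertools import combinations, product
from math import ceil

K, L = 2, 1        # toy combiner (assumed): 2 LFSR input bits, 1 memory bit
R = L + 1          # clocks per window (assumed window length)
N = K * R          # LFSR input variables inside one window
BOUND = ceil(K * (L + 1) / 2)

def step(x, c):
    """One clock of the toy automaton: (output bit, next memory bit)."""
    a, b = x
    return a ^ b ^ c, (a & b) | (a & c) | (b & c)

def compatible_inputs(z):
    """Input windows that can yield output window z for SOME memory state."""
    pts = set()
    for bits in product((0, 1), repeat=N):
        for c in (0, 1):                     # all 2**L initial memory states
            state, out = c, []
            for t in range(R):
                o, state = step(bits[K * t:K * t + K], state)
                out.append(o)
            if tuple(out) == z:
                pts.add(bits)
    return sorted(pts)

def gf2_rank(rows):
    """Rank over GF(2) of rows encoded as integer bitmasks."""
    rows, rank = list(rows), 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot             # eliminate on lowest set bit
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank

def min_relation_degree(z):
    """Smallest d with a nonzero polynomial of degree <= d in the inputs
    that vanishes on every input window compatible with z."""
    pts = compatible_inputs(z)
    for d in range(N + 1):
        monos = [m for j in range(d + 1) for m in combinations(range(N), j)]
        # one row per point: bit `col` is the value of monomial `col` there
        rows = [sum(all(p[i] for i in m) << col for col, m in enumerate(monos))
                for p in pts]
        if gf2_rank(rows) < len(monos):      # nontrivial kernel => relation
            return d
    return None

if __name__ == "__main__":
    for z in product((0, 1), repeat=R):
        print(z, "min degree:", min_relation_degree(z), "bound:", BOUND)
```

A result below the bound for some output window would indicate a combiner that is weaker against this kind of attack than the general bound suggests; for this toy combiner the minimum meets the bound.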


Boolean Function, Block Cipher, Stream Cipher, Algebraic Attack, Ordered Binary Decision Diagram
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. Theoretische Informatik, Universität Mannheim, Mannheim, Germany
