Fast Algebraic Attacks on Stream Ciphers with Linear Feedback

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


Many popular stream ciphers apply a filter/combiner to the state of one or several LFSRs. Algebraic attacks on such ciphers [10,11] are possible, if there is a multivariate relation involving the key/state bits and the output bits. [1,2,10,11] show that such relations exist for several well known constructions of stream ciphers immune to all previously known attacks. In particular, they allow to break two ciphers using LFSRs and completely “well designed” Boolean functions: Toyocrypt and LILI-128, see [10,11]. similar algebraic attacks exist also for the stateful combiner construction used in Bluetooth keystream generator E0 [1]. More generally, in [2] it is proven that they can break in polynomial time, any combiner with a fixed number of inputs and a fixed number of memory bits.

In this paper we present a method that allows to substantially reduce the complexity of all these attacks. We show that when the known keystream bits are consecutive, an important part of the equations will have a recursive structure, and this allows to partially replace the usual sub-cubic Gaussian algorithms for eliminating the monomials, by a much faster, essentially linear, version of the Berlekamp-Massey algorithm. The new method gives the fastest attack proposed so far for Toyocrypt, LILI-128 and the keystream generator that is used in E0 cipher. Moreover we present two new fast general algebraic attacks for stream ciphers using Boolean functions, applicable when the degree and/or the number of inputs is not too big.


Algebraic attacks stream ciphers multivariate equations nonlinear filters Boolean functions combiners with memory LFSR synthesis Berlekamp-Massey algorithm Toyocrypt Cryptrec LILI-128 Nessie E0 Bluetooth 


  1. 1.
    Armknecht, F.: A Linearization Attack on the Bluetooth Key Stream Generator, December 13 (2002), Available on
  2. 2.
    Armknecht, F., Krause, M.: Algebraic Atacks on Combiners with Memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–175. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Anderson, R.: Searching for the Optimum Correlation Attack. In: FSE 1994. LNCS, vol. 1008, pp. 137–143. Springer, Heidelberg (1994)Google Scholar
  4. 4.
    Babbage, S.: Cryptanalysis of LILI-128, Nessie project internal report, January 22 (2001),
  5. 5.
    Blahut, R.E.: Theory and Practice of Error Control Codes. Addison-Wesley, Reading (1983)zbMATHGoogle Scholar
  6. 6.
    Bluetooth, CIG, Specification of the Bluetooth system, Version 1.1, February 22 (2001), available from
  7. 7.
    Brent, R.P., Gustavson, F.G., Yun, D.Y.Y.: Fast solution of Toeplitz systems of equations and computation of Padé approximants. J. Algorithms 1, 259–295 (1980)Google Scholar
  8. 8.
    Coppersmith, D., Winograd, S.: Matrix multiplication via arithmetic progressions. J. Symbolic Computation 9, 251–280 (1990)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Camion, P., Carlet, C., Charpin, P., Sendrier, N.: On Correlation-immune Functions. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 86–100. Springer, Heidelberg (1992)Google Scholar
  10. 10.
    Courtois, N.: Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003), An updated version (2002) is available at CrossRefGoogle Scholar
  11. 11.
    Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003), An extended version is available at CrossRefGoogle Scholar
  12. 12.
    Courtois, N.: The security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002), a preprint with a different version of the attack is available at CrossRefGoogle Scholar
  14. 14.
    Dornstetter, J.-L.: On the Equivalence Between Berlekamp’s and Euclid’s Algorithms. IEEE Trans. on Information Theory IT-33(3), 428–431 (1987)CrossRefMathSciNetGoogle Scholar
  15. 15.
    Filiol, E.: Decimation Attack of Stream Ciphers. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 31–42. Springer, Heidelberg (2000), Available on Google Scholar
  16. 16.
    Golic, J.D.: On the Security of Nonlinear Filter Generators. In: FSE 1996. LNCS, vol. 1039, pp. 173–188. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    Golic, J.D., Bagini, V., Morgari, G.: Linear Cryptanalysis of Bluetooth Stream Cipher. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 238–255. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. 18.
    Löhlein, B.: Attacks based on Conditional Correlations against the Nonlinear Filter Generator, Available at
  19. 19.
    Massey, J.L.: Shift-register synthesis and BCH decoding. IEEE Trans. Information Theory IT-15, 122–127 (1969)CrossRefMathSciNetGoogle Scholar
  20. 20.
    Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. Journal of Cryptology 1(3), 159–176 (1989)zbMATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. Ch. 6. CRC Press, Boca RatonGoogle Scholar
  22. 22.
    Mihaljevic, M., Imai, H.: Cryptanalysis of Toyocrypt-HS1 stream cipher. IEICE Transactions on Fundamentals E85-A, 66–73 (2002), Available at Google Scholar
  23. 23.
    Patarin, J.: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 1988. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)Google Scholar
  24. 24.
    Rueppel, R.A.: Analysis and Design of Stream Ciphers. Springer, Heidelberg (1986)zbMATHGoogle Scholar
  25. 25.
    Shamir, A., Patarin, J., Courtois, N., Klimov, A.: Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)Google Scholar
  26. 26.
    Simpson, L., Dawson, E., Golic, J., Millan, W.: LILI Keystream Generator. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 248–261. Springer, Heidelberg (2001), See
  27. 27.
    Saarinen, M.-J.O.: A Time-Memory Tradeoff Attack Against LILI- 128. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 231–236. Springer, Heidelberg (2002), available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. 1.Cryptography Research, Schlumberger Smart CardsLouveciennesFrance

Personalised recommendations