
Chapter 3 Cryptanalysis on Stream Ciphers


[Equation expressing Nf in terms of the maximum a: the symbols were lost in extraction and are not reproduced here.]

From the above equation we know that the smaller a is, the bigger Nf is. Therefore, seeking the Boolean function possessing the minimum a is equivalent to seeking the one possessing the maximal nonlinearity, and this function can be used as the combining function in the stream cipher to resist the BAA attack. The filter function must likewise possess the maximal nonlinearity to resist the BAA attack.

3.3 The algebraic attack

The algebraic attack was presented in 2003 [33, 34]. Before discussing the algebraic attack, we first introduce the XL algorithm. In [35] the XL algorithm was first presented to solve overdefined quadratic systems. Instead of only a system of m multivariate quadratic equations in n variables of degree d = 2 as in [35], we also consider higher-degree equations, i.e. we study the general case d ≥ 2 [36]. Let D be the parameter of the XL algorithm. Let li(x0, …, xn-1) = 0, i = 1…m, be the initial m equations in the n variables xi ∈ GF(2). The XL algorithm consists of multiplying both sides of these equations by products of variables:

1. Multiply: Generate all the products (x_{i_1} · … · x_{i_k}) · li with k ≤ D – d, so that the total degree in the xi of these equations is ≤ D.

2. Linearize: Consider each monomial in the xi of degree ≤ D as a new variable and perform Gaussian elimination on the equations obtained in 1. The ordering on the monomials must be such that all the terms containing one variable (say x1) are eliminated last.

3. Get a Simpler Equation: Assume that step 2 yields at least one univariate equation in the power of x1. Solve this equation over the finite field.

4. Final step: It should not be necessary to repeat the whole process. Once the value of x1 is known, we expect that all the other variables will be obtained from the same linear system.

The XL algorithm consists of multiplying the initial m equations li by all possible monomials of degree up to D – d, so that the total degree of resulting equations is D.

Let R be the number of equations generated in XL, and T be the number of all monomials. We have

The main problem in the XL algorithm is that in practice not all the equations generated are independent. Let Free be the exact number of equations that are linearly independent in XL. When Free ≥ T – D, it is possible, by Gaussian elimination, to obtain one equation in only one variable, and XL will work.

Otherwise, we need a bigger D, or an improved algorithm. [36] has several tables showing the relation between all the parameters (d, n, m, D, R, T, Free) in XL.

The complexity of XL is mainly in the Gaussian reduction. The fastest practical algorithm we are aware of is Strassen’s algorithm, which requires about 7·T^(log2 7) operations.

Then we introduce the higher order correlation attack [36] that can affect both a filter generator and a combination generator. We assume the connection function L is public and only the state is secret. We also assume that function f that computes the output bit from the state is public and does not depend on the secret key of the cipher.

We take the filter generator as in Figure 2.7 as an example and f is the filter function.

Let (k0, …, kn-1) be the initial state, then the output of the cipher (i.e. the keystream) is given by:

b0 = f(k0, …, kn-1), b1 = f(L(k0, …, kn-1)), b2 = f(L^2(k0, …, kn-1)), …

The problem we consider is to recover (k0, …, kn-1) given some of the bi. In this attack we assume that we have some m bits of the keystream at known positions, {(t1, bt1), …, (tm, btm)}, and want to solve a system of multivariate equations that is overdefined (many more equations than unknowns). This attack works in two cases:

S1 When the Boolean function f has a low algebraic degree d.

S2 When f can be approximated with good probability by a function g that has a low algebraic degree d.

More precisely, we assume that f(x0, …, xn-1) = g(x0, …, xn-1) holds:

1. with probability ≥ 1 – ε,

2. and with g of degree d.

In the first scenario S1, when f has just a low algebraic degree, it is known that the system can be easily broken given enough keystream bits. So if f has a high algebraic degree, this stream cipher will be hard to break. Since in S2 we do not need the function to have a low algebraic degree (S1), successful attacks can be mounted given many fewer keystream bits, and with much smaller complexities. If we choose m such that (1 – ε)^m ≥ 1/2, we may assume that all these equations are true, and we have to find a solution to our system of m multivariate equations of degree d with n variables. We take the Boolean function in Toyocrypt [37] as an example. The Boolean function is as follows:

[Equation (32), the Toyocrypt Boolean function, was lost in extraction; only a “+” survived.]

Then f(x) = g(x) holds with probability very close to 1 – 2^(…) [the exponent and the text that followed were lost in extraction] for a different subset of m keystream bits until it succeeds. The complexity is as follows [expression lost in extraction]: the attack is basically the complexity of solving a linear T×T system. With Strassen’s algorithm, we get WF = 7·T^(log2 7) [the numerical value, built from n = 128, was lost in extraction].

In conclusion, we can reduce the cryptanalysis of a stream cipher to solving an overdefined system of multivariate equations. In order to resist the higher order correlation attack, we must find a Boolean function which possesses a very high algebraic degree and is approximated only with very low probability by any function of low algebraic degree.

The algebraic attack improves on the higher order correlation attack to break a stream cipher. It lowers the degree of these multivariate equations by multiplying them by well-chosen multivariate polynomials.

At time t, the current keystream bit gives an equation f(x) = bt with x being the current state. The main new idea consists of multiplying f(x), which is usually of high degree, by a well-chosen multivariate polynomial g(x), such that fg is of substantially lower degree, denoted by d. Then, for example, if bt = 0, we get an equation of low degree f(x)g(x) = 0. This in turn gives a multivariate equation of low degree d on the initial state bits ki. If we get one such equation for each of sufficiently many keystream bits, we obtain a very overdefined system of multivariate equations that can be solved efficiently.

Besides S1 and S2 in [36], the algebraic attack [33] presents two new scenarios, as follows:

S3 The multivariate polynomial f has some multiple fg of low degree d, with g being some non-zero multivariate polynomial.

S4 It is also possible to imagine attacks in which f has some multiple fg, such that fg can be approximated by a function of low degree with some probability (1 – ε).

In scenarios S3 and S4, for each known keystream bit b = f(x) at position t, we get:

f(x) • g(x) = bt • g(x)

and, since the state at time t is x = L^t(x0, …, xn-1), it boils down to: f(L^t(x0, …, xn-1)) • g(L^t(x0, …, xn-1)) = bt • g(L^t(x0, …, xn-1))

This is the equation we are going to use in our attack. We get one multivariate equation for each keystream bit. This equation may be of very low degree, without f being of low degree, and without f having an approximation of low degree.

In the basic version of this attack S3, we also require that g is of low degree.

There are other possibilities. In the basic version of the attack S3, which may be called S3a, we use the equation written above and require fg ≠ 0 and fg of low degree, and also g of low degree. There is another variant, in which we may admit that f(x)g(x) = 0 for all x; the equation can still be used when bt ≠ 0, where it reduces to g(x) = 0.

This is called the scenario S3b. Another variant, called S3c, allows the degree condition on g to be relaxed: when bt = 0, we can still use the equation, whatever the degree of g, provided that fg ≠ 0 and is of low degree. All 3 sub-cases of the S3 attack scenario are summarized in the following Table 4.

Attack scenario | Degree of f | Degree of g | Degree of fg | Use the equation    | Only when | Number of equations for m keystream bits
S1 and S2       | low         | g = 1       | low          | f(x) = bt           | always    | m
S3a and S4a     | high        | low, g ≠ 0  | low, fg ≠ 0  | f(x)•g(x) = bt•g(x) | always    | m
S3b and S4b     | high        | low, g ≠ 0  | fg = 0       | g(x) = 0            | bt ≠ 0    | m/2
S3c and S4c     | high        | high        | low, fg ≠ 0  | f(x)•g(x) = 0       | bt = 0    | m/2

Table 4: Different methods to obtain low degree equations from keystream bits

In this attack, given m keystream bits, let R be the number of multivariate equations of degree d, and with n variables xi. With one equation, and in scenario S3a, we have R = m, but we may also combine several scenarios and several different g for the same f, and get, for example, R = 14•m. We solve them as follows.

Linearization Method: There are about T = Σ_{i≤d} C(n, i) monomials of degree ≤ d in the n variables xi (assuming d ≤ n/2). We consider each of these monomials as a new variable Vj. Given R ≥ T such equations, we get a system of R ≥ T linear equations that can be easily solved by Gaussian elimination on a linear system of size T.

XL Method: When the required number of keystream bits is not available, it is still possible to use the XL algorithm to solve the system with fewer keystream bits, but with more computation.

Therefore the complexity of this algebraic attack is equal to the complexity of the higher order correlation attack, which is 7·T^(log2 7).

The method used in this attack is factoring multivariate polynomials. We consider the terms of high degree in f(x) (disregarding the lower-degree terms) and look whether they are divisible by a common low-degree factor g’(x). Then (for polynomials over GF(2)) we observe that f(x)•g(x) with g(x) = g’(x) – 1 is of low degree. Take (32) as an example. We observe that the combination of the parts of degree 4, 17 and 63 is divisible by the common factor x23x42. Let f(x) = bt, and multiply both sides by g(x) = (x23 – 1). Then we get f(x)x23 – f(x) = bt(x23 – 1). The monomials divisible by x23 in f cancel out, and what remains is an equation of degree 3, true with probability 1. We repeat the same trick for x42, i.e. we put g(x) = (x42 – 1). From this, we have a simple linearization attack following the scenario S3a. For each keystream bit, we obtain 2 equations of degree 3 in the xi and thus 2 equations of degree 3 in the ki. The linearization will work as soon as R > T. We have about 2^18 monomials and R = 2m with m = T/2.
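The XL steps (multiply, linearize, eliminate) and the S3a attack with the factoring trick just described, carried out on a toy generator as an added worked example; this is not code from the thesis or from [33], [35] or [36]. The LFSR (7 bits, x^7 + x + 1), the filter f = x0·x1·x2 + x3 (degree 3) and the initial state are all constructed for the example. Because the high-degree term of f is divisible by x0, multiplying by g = x0 + 1 (the GF(2) form of x0 – 1) cancels it and leaves f·g = x0·x3 + x3 of degree 2, so each keystream bit yields one degree-2 equation f(L^t k)·g(L^t k) = bt·g(L^t k) in the initial state k. The block linearizes those equations over the T = 28 monomials of degree ≤ 2 and solves by Gaussian elimination over GF(2); `xl_multiply` is step 1 of XL (products with all monomials of degree ≤ k), so the same code also shows how R and T grow when XL is applied. All function names are this example's own.

```python
from itertools import combinations

# Boolean polynomials in algebraic normal form (ANF) over GF(2).  A polynomial is
# a frozenset of monomials and a monomial a frozenset of variable indices;
# addition is symmetric difference (coefficients are XORed) and x_i^2 = x_i holds
# automatically because a monomial is a set.
ONE = frozenset({frozenset()})                      # the constant polynomial 1

def var(i):
    return frozenset({frozenset({i})})              # the polynomial x_i

def mul(p, q):
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}                          # XOR in the product monomial
    return frozenset(out)

def degree(p):
    return max((len(m) for m in p), default=0)

def evaluate(p, x):
    return sum(all(x[i] for i in m) for m in p) & 1

def compose(p, subst):
    """p(subst[0], ..., subst[n-1]): substitute a polynomial for every x_i."""
    out = frozenset()
    for m in p:
        term = ONE
        for i in m:
            term = mul(term, subst[i])
        out ^= term
    return out

# Toy filter generator (constructed): 7-bit LFSR with s_{t+7} = s_{t+1} + s_t
# (x^7 + x + 1) and filter f = x0*x1*x2 + x3 of degree 3.  The high-degree term
# is divisible by x0, so g = x0 + 1 gives the degree-2 multiple f*g = x0*x3 + x3.
N = 7
F = mul(mul(var(0), var(1)), var(2)) ^ var(3)
G = var(0) ^ ONE
FG = mul(F, G)

def step(s):
    """One clock of the LFSR; works on a list of bits and on a symbolic ANF state."""
    return s[1:] + [s[0] ^ s[1]]

def keystream(init, m):
    s, bits = list(init), []
    for _ in range(m):
        bits.append(evaluate(F, s))
        s = step(s)
    return bits

def attack_equations(bits):
    """Scenario S3a: one equation f(L^t k) g(L^t k) + b_t g(L^t k) = 0 per
    keystream bit, as a polynomial in the unknown initial state k_0..k_{N-1}."""
    state, eqs = [var(i) for i in range(N)], []
    for b in bits:
        e = compose(FG, state)
        if b:
            e ^= compose(G, state)
        eqs.append(e)
        state = step(state)
    return eqs

def xl_multiply(eqs, n, k):
    """XL step 1: multiply every equation by every monomial of degree <= k."""
    monos = [ONE] + [frozenset({frozenset(c)}) for d in range(1, k + 1)
                     for c in combinations(range(n), d)]
    return [mul(m, e) for e in eqs for m in monos]

def linearize_and_solve(eqs, n):
    """XL step 2 / linearization: each monomial of degree <= D becomes a variable
    V_j, then Gauss-Jordan elimination over GF(2) (rows are bit masks; the constant
    term sits on the right-hand side).  Returns (T, R, Free, pinned): monomial
    count, equation count, number of independent equations, and the value of every
    V_j the reduced system determines (pinned is None if it is inconsistent)."""
    D = max(degree(e) for e in eqs)
    cols = [frozenset(c) for d in range(1, D + 1) for c in combinations(range(n), d)]
    idx, T = {m: i for i, m in enumerate(cols)}, len(cols)
    RHS = 1 << T
    basis = {}                                      # pivot column -> reduced row
    for e in eqs:
        r = 0
        for m in e:
            r |= RHS if not m else 1 << idx[m]
        for c, b in basis.items():                  # reduce by existing pivots
            if r >> c & 1:
                r ^= b
        if r & (RHS - 1) == 0:
            if r & RHS:
                return T, len(eqs), len(basis), None   # 0 = 1: no solution
            continue                                # dependent equation
        c = (r & (RHS - 1)).bit_length() - 1
        for k in basis:                             # keep the basis fully reduced
            if basis[k] >> c & 1:
                basis[k] ^= r
        basis[c] = r
    pinned = {cols[c]: b >> T & 1 for c, b in basis.items() if b & (RHS - 1) == 1 << c}
    return T, len(eqs), len(basis), pinned

def recover_state(bits, xl_degree=0):
    """Run the attack; with xl_degree > 0 the equations are first expanded by XL.
    Returns the initial state when every linear monomial k_i is determined."""
    eqs = attack_equations(bits)
    if xl_degree:
        eqs = xl_multiply(eqs, N, xl_degree)
    pinned = linearize_and_solve(eqs, N)[3]
    if pinned is None or any(frozenset({i}) not in pinned for i in range(N)):
        return None
    return [pinned[frozenset({i})] for i in range(N)]

if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1]                  # constructed initial state
    bits = keystream(secret, 120)
    print("deg f =", degree(F), "deg f*g =", degree(FG))
    print("recovered", recover_state(bits), "true", secret)
```

The `pinned` check in `linearize_and_solve` is the Free versus T question of the text: a variable is recovered only if its pivot row contains no free monomial, which is why dependent equations (counted but not added to `basis`) do not help and more keystream or XL products are needed. From the design side the example shows what Table 4 states in the abstract: the degree of f alone says nothing, because a filter whose high-degree terms share a small common factor g' has a low-degree multiple and is broken as if it had degree d.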
