Stream Ciphers
by
Sultan Zayid Mohammed Al-Hinai
Bachelor of Science (in Physics) (Strathclyde University, Glasgow, Scotland), 2000
Master of Science (in Information Security) (Royal Holloway, University of London), 2002
Thesis submitted in accordance with the regulations for the Degree of
Doctor of Philosophy
Information Security Institute
Faculty of Information Technology
Queensland University of Technology
November 6, 2007
Keywords

Stream Ciphers, Linear Feedback Shift Registers, Non Linear Feedback Shift Registers, Regular Clocking, Irregular Clocking, Clock-Controlled, Algebraic Attacks, Fast Algebraic Attacks.
Abstract

Stream ciphers are encryption algorithms used for ensuring the privacy of digital telecommunications. They have been widely used for encrypting military communications, satellite communications, pay-TV and voice traffic on both fixed-line and wireless networks. The current multi-year European project eSTREAM, which aims to select stream ciphers suitable for widespread adoption, reflects the importance of this area of research.

Stream ciphers consist of a keystream generator and an output function. Keystream generators produce a sequence that appears to be random, which is combined with the plaintext message using the output function. Most commonly, the output function is binary addition modulo two. Cryptanalysis of these ciphers focuses largely on analysis of the keystream generators and of relationships between the generator and the keystream it produces. Linear feedback shift registers (LFSRs) are widely used components in building keystream generators, as the sequences they produce are well understood.

Many types of attack have been proposed for breaking various LFSR based stream ciphers. A recent attack type is known as an algebraic attack. Algebraic attacks transform the problem of recovering the key into the problem of solving a multivariate system of equations, the solution of which recovers the internal state bits or the key bits. This type of attack has been shown to be effective on a number of regularly clocked LFSR based stream ciphers. In this thesis, algebraic attacks are extended to a number of well known stream ciphers where at least one LFSR in the system is irregularly clocked. Applying algebraic attacks to these ciphers has previously been discussed in the open literature only for LILI-128.

In this thesis, algebraic attacks are first applied to keystream generators using stop-and-go clocking. Four ciphers belonging to this group are investigated: the Beth-Piper stop-and-go generator, the alternating step generator, the Gollmann cascade generator and the eSTREAM candidate Pomaranch. It is shown that algebraic attacks are very effective on the first three of these ciphers. Although no effective algebraic attack was found for Pomaranch, the algebraic analysis led to some interesting findings, including weaknesses that may be exploited in future attacks.

Algebraic attacks are then applied to keystream generators using (p, q) clocking. Two well known examples of such ciphers, the step1/step2 generator and the self-decimated generator, are investigated. Algebraic attacks are shown to be very powerful in recovering the internal state of these generators.

A more complex clocking mechanism than either stop-and-go or (p, q) clocking is known as mutual clock control. In mutual clock control generators, the LFSRs control the clocking of each other. Four well known stream ciphers belonging to this group are investigated with respect to algebraic attacks: the bilateral stop-and-go generator, the A5/1 stream cipher, the Alpha 1 stream cipher, and the more recent eSTREAM proposal, the MICKEY stream ciphers. Some theoretical
for an algebraic attack on these ciphers. As the algebraic attack could not be applied directly to these ciphers, a different approach was used, namely guessing some bits of the internal state in order to reduce the degree of the equations. Finally, an algebraic attack on Alpha 1 that requires only 128 bits of keystream to recover the 128 internal state bits is presented.

An essential process associated with stream cipher proposals is key initialization. Many recently proposed stream ciphers use an algorithm to initialize the large internal state from a smaller key and possibly publicly known initialization vectors. The effect of key initialization on the performance of algebraic attacks is also investigated in this thesis; the relationship between the two has not been investigated before in the open literature. The investigation is conducted on Trivium and Grain-128, two eSTREAM ciphers. It is shown that the key initialization process has an effect on the success of algebraic attacks, unlike other conventional attacks. In particular, the key initialization process allows an attacker to first generate a small number of equations of low degree and then perform an algebraic attack using multiple keystreams. The effect of the number of iterations performed during key initialization is investigated. It is shown that both the number of iterations and the maximum number of initialization vectors to be used with one key should be carefully chosen. Some experimental results on Trivium and Grain-128 are then presented.

Finally, the security with respect to algebraic attacks of the well known LILI family of stream ciphers, including the unbroken LILI-II, is investigated. These are irregularly clock-controlled nonlinear filter generators. While the structure is defined for the LILI family, a particular parameter choice defines a specific instance. Two well known such instances are LILI-128 and LILI-II. The security of these and other instances is investigated to identify which instances are vulnerable to algebraic attacks. The feasibility of recovering the key bits using algebraic attacks is then investigated for both LILI-128 and LILI-II. Algebraic attacks which recover the internal state with less effort than exhaustive key search are possible for LILI-128 but not for LILI-II. Given the internal state at some point in time, the feasibility of recovering the key bits is also investigated, showing that the parameters used in the key initialization process, if poorly chosen, can lead to key recovery using algebraic attacks.
Table of Contents

Front Matter i
Keywords i
Abstract iii
Table of Contents v
List of Figures xi
List of Tables xiii
Notation xiv
Declaration xv
Previously Published Material xvii
Acknowledgements xix
1 Introduction 1
1.1 Overview of Stream Ciphers 2
1.1.1 Measuring the Security Provided by Stream Ciphers 2
1.1.2 The One Time Pad 2
1.1.3 Keystream Generators for Stream Ciphers 3
1.1.4 Background on LFSR Based Stream Ciphers 4
1.1.5 Clock-Controlled Generators 4
1.2 Introduction to Cryptanalysis 7
1.3 Algebraic Attacks 8
1.4 Key Initialization 8
1.5 Aims and Objectives of Thesis 10
1.6 Contributions and Achievements 10
1.7 Outline of the Thesis 10
2 Overview of Algebraic Attacks on LFSR based Stream Ciphers 13
2.1 Framework for Algebraic Attacks 14
2.1.1 Equation Generation 15
Linearly Updated Internal States 15
Nonlinearly Updated Internal States 18
2.1.2 Reducing the Degree of the Equations 19
2.1.3 Methods for Solving Nonlinear Equations 24
Linearization 24
2.2 Fast Algebraic Attacks 31
2.2.1 Precomputation Phase 31
2.2.2 Realtime Phase 32
2.3 Summary 35
3 Keystream Generators using Stop-and-Go Clocking 37
3.1 Introduction 37
3.2 Equation Generation for Stop-and-Go Generators 38
3.3 Beth-Piper Stop-and-Go Generator 39
3.3.1 Description of the Basic Beth-Piper Stop-and-Go Generator 39
3.3.2 Algebraic Attack of the Basic Beth-Piper Stop-and-Go Generator 39
3.3.3 The Strengthened Beth-Piper Stop-and-Go Generator 41
3.3.4 Algebraic Attack on the Strengthened Beth-Piper Stop-and-Go Generator 41
Reducing the Degree of the Equations 41
3.3.5 Experimental Results 42
3.3.6 Comparison with Previous Cryptanalysis 43
3.3.7 Fast Algebraic Attack on Strengthened Beth-Piper Stop-and-Go Generator 46
3.4 Alternating Step Generator 47
3.4.1 Description 47
3.4.2 Algebraic Attack on the Alternating Step Generator 47
3.4.3 Experimental Results 48
3.4.4 Comparison with Previous Cryptanalysis 49
3.4.5 Modified Alternating Step Generator 51
3.4.6 Alternative Algebraic Attacks on the Alternating Step Generator 51
3.5 Cascade Generators 52
3.6 Gollmann Cascade Generator 53
3.6.1 Description 53
3.6.2 Algebraic Attack on the Gollmann Cascade Generator 53
Recovering the Initial State 54
3.6.3 Experimental Results 56
3.6.4 Comparison with Previous Cryptanalysis 56
3.6.5 An Alternative Algebraic Attack 58
3.6.6 Clock-Controlled Cascade Generator with Output Bits Taken from All Registers 59
3.7 Pomaranch 60
3.7.1 Pomaranch Description 60
3.7.2 Algebraic Analysis of Pomaranch 62
Overcoming the Problem of the Degree Accumulation 63
Algebraic Analysis of the Filter Function 65
3.8 Summary 65
4.2 Step1/Step2 Generator 68
4.2.1 Description 68
4.2.2 Algebraic Attack on the Step1/Step2 Generator 68
4.2.3 Experimental Results 69
4.2.4 Comparison with Previous Cryptanalysis 70
4.2.5 Alternative Algebraic Attack on the Step1/Step2 Generator 72
4.3 Self-Decimated Generator 73
4.3.1 Description 73
4.3.2 Algebraic Attack on the Self-Decimated Generator 73
4.3.3 Experimental Results 74
4.3.4 Strengthening the (p, q) Self-Decimated Generator 75
4.4 Summary 75
5 Keystream Generators using Mutual Clock Control 77
5.1 Introduction 77
5.2 Equation Generation for Mutually Clock-Controlled Keystream Generators 78
5.3 The Bilateral Stop-and-Go Generator 81
5.3.1 Description of the Bilateral Stop and Go Generator 81
5.3.2 Algebraic Analysis of the Bilateral Stop and Go Generator 81
Reducing the Overall Degree of the Equations 82
5.4 A5/1 83
5.4.1 Description of A5/1 84
5.4.2 Algebraic Analysis of A5/1 84
Reducing the Overall Degree of the Equations 85
5.5 Alpha 1 86
5.5.1 Description of Alpha 1 87
5.5.2 Algebraic Attacks on Alpha 1 88
5.5.3 Reducing the Overall Degree of the Equations 88
5.5.4 Experimental Results 89
5.6 MICKEY 90
5.6.1 Description 90
5.6.2 Algebraic Analysis of MICKEY-80 v1 91
5.6.3 Algebraic Analysis of MICKEY-80 v2 92
5.6.4 Algebraic Analysis of MICKEY-128 v2 93
5.7 An Alternative Algebraic Attack on Mutually Clock Control Stream Ciphers 94
5.8 Summary 96
6 Initialization and Algebraic Attacks 97
6.1 Introduction 97
6.2 Algebraic Attacks using Multiple Keystreams 98
6.2.1 Facilitating the Linearization Approach 99
6.4 Trivium 102
6.4.1 Facilitating the Linearization Approach on Trivium 103
6.4.2 Experimental Results 103
6.4.3 Observation on Trivium Initialization 105
6.5 Grain-128 105
6.5.1 Facilitating the Linearization Approach 106
6.5.2 Experimental Results 106
6.6 Summary 110
7 Algebraic Analysis of the LILI Keystream Generators 111
7.1 Introduction 111
7.2 Description 112
7.2.1 LILI-128 Keystream Generator 113
7.2.2 LILI-II Keystream Generator 113
7.3 Algebraic Analysis of the LILI Family of Stream Ciphers 113
7.3.1 Attack 1 : Guessing the Controlling Register 114
7.3.2 Attack 2 : Keystream Decimation 115
7.4 Algebraic Analysis of the LILI-II Stream Cipher 117
7.4.1 Algebraic Representation for the LILI Family of Stream Ciphers 117
7.4.2 Algebraic Attacks on LILI-II 117
Standard Algebraic Attacks of Section 7.3.1 118
Standard Algebraic Attacks of Section 7.3.2 118
7.4.3 Fast Algebraic Attacks on LILI-II 118
7.5 Initialization and Algebraic Attacks 119
7.5.1 Direct Recovery of Key Bits 120
7.5.2 Recovering the Key Bits Given the Internal State Bits 121
7.6 Investigating the Resistance of Other Instances of the LILI Family Ciphers to Algebraic Attacks 122
7.7 Summary 125
8 Conclusion and Future Research 127
8.1 Review of Contributions 127
8.1.1 Chapter 3: Keystream Generators using Stop-and-Go Clocking 128
8.1.2 Chapter 4: Keystream Generators using (p, q) Clocking 129
8.1.3 Chapter 5: Keystream Generators using Mutual Clock Control 129
8.1.4 Chapter 6: Initialization and Algebraic Attacks 130
8.1.5 Chapter 7: Algebraic Analysis of the LILI Keystream Generators 130
8.2 Future Directions 131
List of Figures

1.1 Binary additive stream cipher 3
1.2 Basic Clock-Controlled Generator 5
1.3 The Step1/Step2 Generator 5
1.4 Mutually clock-controlled stream ciphers 6
1.5 Clock-controlled nonlinear filter generators 6
2.1 Algebraic attacks algorithm 18
2.2 Algorithm for finding low degree multiples 21
2.3 Algorithm for the linearization approach 25
2.4 Algorithm for the F4 approach 28
2.5 Algorithm for the XL approach 30
2.6 Precomputation step algorithm due to [60] 32
2.7 Algorithm for precomputation and realtime phases of the fast algebraic attack based on LFSR based keystream generators 33
3.1 The Beth-Piper Stop-and-Go Generator - Basic Version 39
3.2 Algorithm for algebraic attack for recovering the state of the Basic Beth-Piper Stop-and-Go Generator 40
3.3 The Beth-Piper Stop-and-Go Generator - Strengthened Version 41
3.4 Algorithm for algebraic attack for recovering the state of the strengthened Beth-Piper stop-and-go generator 42
3.5 The Alternating Step Generator 47
3.6 The Gollmann Cascade Generator 53
3.7 Algorithm for algebraic attack for recovering the state of the Gollmann cascade generator 55
3.8 Pomaranch Version 3 61
4.1 The Step1/Step2 Generator 68
4.2 The Self-Decimated Generator 73
5.1 The Bilateral-stop-and-go-generator 81
5.2 A5/1 84
5.3 Alpha 1 stream cipher 87
5.4 The MICKEY family of stream ciphers 90
6.1 Algorithm for facilitating the linearization approach using multiple keystreams 100
6.3 Keystream generation and initialization processes of Trivium 103
6.4 The Grain family of stream cipher 106
7.1 The LILI family of keystream generators 112
7.2 Algorithm for algebraic attack based on guessing the controlling register 114
7.3 Algorithm for precomputation and realtime phases of the algebraic attack based on keystream decimation 116
List of Tables

2.1 LFSR internal state values in terms of initial state values 16
3.1 Attack Times for Beth-Piper Stop-and-Go Generator 43
3.2 Comparing algebraic attack and the linear syndrome attack on the strengthened Beth-Piper stop-and-go 45
3.3 Algebraic attack times on Alternating Step Generator 48
3.4 Best known attacks on the Alternating Step Generator 50
3.5 Recovering the internal state bits of a Gollmann cascade with K = 4 56
3.6 Best known attacks on Gollmann cascade generator 57
4.1 Algebraic attack times for step1/step2 generator 69
4.2 Best known attacks on Step1/Step2 Generator 71
4.3 Algebraic attack on the Self-Decimated Generator 74
4.4 Algebraic attack times for Self-Decimated Generator 75
5.1 Description of clocking 79
5.2 Low degree multiples for the output function for the Bilateral Stop and Go Generator 83
5.3 Standard algebraic attacks on A5/1 with the guessing approach 86
5.4 Standard algebraic attacks on Alpha 1 with the guessing approach 89
5.5 Best known attacks on the Alpha 1 stream cipher 89
5.6 Data obtained for the alternative algebraic attack 96
6.1 Number of IVs needed for an algebraic attack for various given numbers of outputs and degrees of the equations 100
6.2 Experimental results for Trivium: X = 288 iterations and Y = 21 104
6.3 Experimental results for Trivium: X = 335 iterations and Y = 21 104
6.4 Experimental results for Grain-128: X = 64 and Y = 12 108
6.5 Experimental results for Grain-128: X = 82 and Y = 12 108
6.6 Experimental results for Grain-128: X = 94 and Y = 12 109
7.1 Parameters for two specific generators from the LILI family 112
7.2 Summary of the algebraic attacks of Sections 7.3.1 and 7.3.2 on both LILI-128 and LILI-II 118
7.3 Attack of Section 7.3.1 using fast algebraic attacks on both LILI-128 and LILI-II 119
7.4 Attack of Section 7.3.2 using fast algebraic attacks on both LILI-128 and LILI-II 119
7.7 Results of attack of Section 7.3.2 122
7.8 Results of attack of Section 7.3.1 using fast algebraic attacks 123
7.9 Results of attack of Section 7.3.2 using fast algebraic attacks 124
Notation
The keystream generators examined in this thesis are based on shift registers. Capital letters are used to denote registers and a subscript refers to a specific stage of a register, so $A_i$ refers to the $i$th stage of register $A$. To indicate the contents of the register at a specific time instance we use the superscript $t$. The lengths (in bits) of these registers are denoted $l, m, n, r$ etc. The $i$th bit of register $A$ at time $t$ is denoted by $A_i^t$, and so the output bit is $A_l^t$. The keystream is denoted $z$, so $z_t$ is used to denote the output from the entire system at time $t$. $M$ denotes the number of monomials occurring in a given system of equations and $d$ the degree of the equations.
Declaration

The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.
Signed: Date:
Previously Published Material

The following papers have been published or presented, and contain material based on the content of this thesis.

• [1] Sultan Zayid Al-Hinai, Lynn Batten, Bernard Colbert and Kenneth Wong. Algebraic attacks on clock-controlled stream ciphers. In L. M. Batten and R. Safavi-Naini, editors, Proceedings of Information Security and Privacy - 11th Australasian Conference, ACISP 2006, volume 4058 of Lecture Notes in Computer Science, pages 1–16. Springer-Verlag, 2006.

• [2] Kenneth Wong, Bernard Colbert, Lynn Batten and Sultan Zayid Al-Hinai. Algebraic attacks on clock-controlled cascade ciphers. In Rana Barua and Tanja Lange, editors, Proceedings of the 7th International Conference on Cryptology in India, INDOCRYPT 2006, volume of Lecture Notes in Computer Science, pages 32–47. Springer-Verlag, 2006.

• [3] Sultan Zayid Al-Hinai, Ed Dawson, Matt Henricksen and Leonie Simpson. On the Security of the LILI Family of Stream Ciphers Against Algebraic Attacks. In J. Pieprzyk, H. Ghodosi and E. Dawson, editors, Proceedings of Information Security and Privacy - 12th Australasian Conference, ACISP 2007, volume 4586 of Lecture Notes in Computer Science, pages 11–28. Springer-Verlag, 2007.
Acknowledgements

In the name of Allah, the most gracious, the most merciful. Alhamdulillah, without your blessing, Allah, I could not have finished this thesis. First of all I wish to thank all my supervisors, Professor Ed Dawson, Dr Leonie Simpson and Dr Matt Henricksen. Professor Dawson is a very knowledgeable and caring person; he is always there when needed. Professor Dawson provided me with guidance, encouragement and enthusiastic support over the course of this work.

Dr Simpson is very patient and provided me with a lot of encouragement, support and guidance so that I could finish the thesis. In addition, thanks to Dr Henricksen, whom I came to know more closely in the last two years of my PhD, for the useful discussions and moral support. To my former principal supervisor, Dr Bill Millan, thank you.

To my wife and children: your sacrifices are great, and without your support this thesis would not have been completed.

To my mother, brothers, sisters and family, many thanks. Special thanks go to my mother, who always provided advice when needed and always prayed for me to complete this thesis. I cannot forget my mother-in-law, who gave us great help with the children during the write-up phase of the thesis.

To the Omani government, which provided the scholarship and gave me this opportunity to complete my PhD degree, many thanks also. I would also like to thank Said Faraj Al-Rabia, Dr Hamed Al-Rawahi and Yahya Al-Rawahi for their support.

To all of my friends in Oman and in Brisbane, especially Yusof Banihamad, Saleh, Riza, Housain and all ISI staff and students: your help and friendship have made study in Brisbane very enjoyable.

I would also like to thank Dr Hovard Molland, who visited our institute during the final year of my PhD course and with whom I had useful discussions. I thank him for his initial advice and help in using the Magma mathematical software as a useful tool for my research.

I wish to acknowledge the efforts of co-researchers who worked with me on certain areas of this thesis. They are Professor Lynn Batten, Dr Bernard Colbert and Kenneth Wong, who worked with me on most of Chapters 3 and 4 except for Sections 3.3.7, 3.4.6, 3.6.6 and 4.2.5. Professor Lynn Batten and Dr Bernard Colbert also worked with me on parts of Chapter 5.
1 Introduction

Stream ciphers have been widely used for providing data confidentiality for real time applications such as mobile telephony (as in the Global System for Mobile Communications (GSM) networks), satellite communications, pay-TV, secure online transactions and sensitive military communications. For these telecommunication applications, information needs to be encrypted and decrypted at high speed; for example, decryption of high resolution streaming video data needs to occur in real time. In addition, these telecommunication applications often require encryption algorithms with a low implementation footprint (gates/memory) which are cost effective. Stream ciphers can be designed to provide security and also meet these speed and efficiency requirements. In many telecommunication applications transmission errors occur, and a cipher that spreads each corrupted ciphertext bit into many plaintext bits is undesirable; there is a need for encryption algorithms that have limited or no error propagation. Stream ciphers can be designed to overcome the error propagation problem.

Various methods have been proposed for analysing and attacking stream ciphers. Some of the proposed methods are generic and can be applied to any stream cipher regardless of its structure; other methods are more specialized and structure dependent. Generally, the aim of an attack is to recover the internal state at some point in time, or to recover the secret key bits. One specialized, structure dependent attack method is the algebraic attack.

Algebraic attacks are relatively new methods for attacking and analyzing stream ciphers, and they have drawn much attention from the cryptographic community. Although the effectiveness of these attacks on block ciphers has been questioned by members of the cryptographic community, many stream ciphers have been broken by algebraic attacks. This thesis investigates the security of a number of well known stream ciphers against algebraic attacks, and shows that certain stream ciphers are vulnerable to them.

In this chapter, the major concepts and terms used in defining the topic are explained. These include stream ciphers, keystream generators, and types of attacks on stream ciphers, including algebraic attacks. Secondly, an overview of the thesis is given, highlighting the main results.
1.1 Overview of Stream Ciphers

Stream ciphers have been widely used for providing data confidentiality for real time applications, as they have the potential to provide fast and efficient encryption and decryption. Good introductions to modern stream ciphers and associated analysis are provided by Rueppel [170] and Menezes [150]. This section outlines the principles behind the design of modern stream ciphers and their components.
1.1.1 Measuring the Security Provided by Stream Ciphers
Taking an information theoretic approach, Shannon [178] classified ciphers according to the security they provide as follows:

Definition 1.1 Unconditionally secure: A cipher is unconditionally secure (or information theoretically secure) if the attacker is unable to determine the plaintext with any probability greater than random guessing, given unlimited ciphertext, time and computational power.

Definition 1.2 Computationally secure: A cipher is computationally secure if an attacker is unable to determine the plaintext given the ciphertext and polynomially bounded computing resources.
1.1.2 The One Time Pad
The one-time pad is an encryption algorithm that combines a secret key and a message to generate the ciphertext. The key, plaintext message and ciphertext are all of equal length. The one-time pad is the only known unconditionally secure cipher. A one-time pad is regarded as perfectly secure and unbreakable if the secret key is a uniformly random stream, the lengths of the secret key and the plaintext are the same, and the key is never reused for a second encryption.

The Vernam cipher is a binary one-time pad [189]. The plaintext message, the secret key and the ciphertext are all binary streams; that is, the plaintext characters, the secret key characters and the ciphertext characters are binary digits (bits). Only the sender and receiver know the key. Vernam introduced simple encryption and decryption functions. The encryption operation is the bitwise modulo 2 addition of the plaintext with the key; similarly, the decryption operation is the bitwise modulo 2 addition of the ciphertext with the key. This operation is also known as XOR, and is denoted in this thesis by ⊕. The XOR function is defined as follows: 1 ⊕ 0 = 1, 1 ⊕ 1 = 0, 0 ⊕ 1 = 1 and 0 ⊕ 0 = 0.
Although it is fast and secure, the one-time pad has significant key management problems. The requirements for unconditional security (that the key is a truly random sequence the same length as the message and may not be reused) result in significant issues with respect to the random generation of the key, the secure distribution of the key and finally the secure destruction of the key. In spite of this, many countries still use the one-time pad for very sensitive military information. For example, a one-time pad is used for the hot line between the United States and Russia, where the security requirement justifies the cost. For most applications, a less expensive and more practical scheme is required.

Stream ciphers solve some of the key management problems (the major disadvantage of the one-time pad) by taking a short key, and possibly also a publicly known initialization vector (IV), as input to a keystream generator, and expanding it into a long keystream. Stream ciphers aim to emulate a one-time pad by producing a keystream that appears unpredictable and random, although it is completely deterministic: given the algorithm for keystream generation and the initial state of the generator, the same keystream will be produced each time. Although many modern stream ciphers try to adapt the idea of the one-time pad, none of these pseudorandom generators is unconditionally secure. Instead, they aim to be computationally secure. The aim is to produce a cipher for which an attacker, given reasonable resources and time, cannot recover the plaintext. A naive attack is to try every possible key. A stream cipher is regarded as secure if breaking it requires more computing power than an exhaustive key search.
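As an added example that is not part of the thesis, the following Python code implements the Vernam cipher described above and shows why the key must never be reused: encrypting a second message under the same pad lets an attacker XOR the two ciphertexts, cancelling the key and leaving the XOR of the two plaintexts, which a guessed fragment ("crib") of one message turns into bytes of the other. The two messages, the crib and the function names are my own constructions for the demonstration.

```python
"""Added example (not from the thesis): the Vernam cipher and the two-time-pad
failure mode. Messages, key and crib below are constructed for illustration."""
import os
from typing import List, Tuple


def vernam(data: bytes, key: bytes) -> bytes:
    """Bitwise XOR of data with a key of exactly the same length. Encryption and
    decryption are the same operation because x XOR k XOR k == x."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def leaked_xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """If one key encrypted both messages then c1 XOR c2 == p1 XOR p2: the key
    cancels and the attacker learns the relationship between the plaintexts."""
    return vernam(c1, c2)


def crib_drag(p1_xor_p2: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Slide a guessed fragment of one plaintext along p1 XOR p2. Wherever the
    guess is right, the XOR reveals the other plaintext's bytes at that offset.
    Returns (offset, revealed) pairs whose revealed bytes are all printable ASCII;
    a human (or a dictionary) then picks the offsets that read as language."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        revealed = bytes(a ^ b for a, b in zip(p1_xor_p2[off:off + len(crib)], crib))
        if all(32 <= b < 127 for b in revealed):
            hits.append((off, revealed))
    return hits


if __name__ == "__main__":
    p1 = b"attack at dawn on the east ridge"   # constructed 32-byte messages
    p2 = b"retreat at dusk to the base camp"
    key = os.urandom(len(p1))                  # fresh, uniformly random, full length
    c1 = vernam(p1, key)
    assert vernam(c1, key) == p1               # decryption is the same XOR
    c2 = vernam(p2, key)                       # the mistake: the pad is used twice
    diff = leaked_xor_of_plaintexts(c1, c2)
    print("key cancelled:", diff == vernam(p1, p2))
    print("crib ' at d' fits at:", crib_drag(diff, b" at d"))
```

The last line reports, among other candidates, offset 6 revealing `b"t at "` (from the second message) and offset 7 revealing `b"at da"` (from the first); with a longer ciphertext and more cribs the whole pair of messages unravels, which is exactly why a keystream, like a pad, must be fresh per message and why the IV discussed below exists.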
1.1.3 Keystream Generators for Stream Ciphers
Definition 1.3 Stream Cipher: An encryption algorithm which divides the plaintext into successive characters and encrypts each character under a time-varying function of the key [170].
For the last three decades, most of the proposed stream ciphers have been based on one-bit characteristics. However, many recently proposed stream ciphers are based on characters consisting of a group of bits called words. Common word sizes are 8, 16, 32 or 64 bits. Most bit-based stream ciphers are fast in hardware but less efficient in software. Word based stream ciphers are intended to achieve adequate security, high speed and efficiency when implemented in software as well as hardware. Bit-based stream ciphers are widely used, and have been well studied and analyzed. The properties of sequences produced by ciphers based on bit-based linear feedback shift registers (LFSRs) in particular are well known. The ciphers examined in this thesis are all bit-based.
Modern stream ciphers are divided into two classes: synchronous and self-synchronizing stream ciphers. A synchronous stream cipher is one in which the keystream is generated as a function of the key, and possibly an IV, independently of the ciphertext. In contrast, in self-synchronizing stream ciphers the keystream is generated as a function of the key, possibly an IV, and a fixed number of previous ciphertext characters. All of the ciphers examined in this thesis are synchronous stream ciphers.
Binary additive stream ciphers are the most common form of stream cipher. In binary additive stream ciphers, the output function is bitwise modulo two addition (XOR). Figure 1.1 illustrates the encryption and decryption operations using a binary additive synchronous stream cipher. Let $p_t$, $z_t$ and $c_t$ denote the plaintext, keystream and ciphertext bits, respectively, at time $t$, for some $t \geq 0$. Under encryption, the $t$th bit in the ciphertext stream is formed as $c_t = z_t \oplus p_t$, where $\oplus$ is the output function. For decryption, the plaintext bitstream is recovered by adding, bitwise modulo 2, the keystream to the ciphertext bitstream. The $t$th bit in the plaintext stream is given by $p_t = z_t \oplus c_t$. The stream ciphers examined in this thesis are assumed to be binary additive stream ciphers.
[Figure 1.1 diagram: on the sender's side the secret key seeds a pseudorandom keystream generator whose output is XORed with the plaintext.]

Figure 1.1: Binary additive stream cipher
For binary additive stream ciphers, the security of the cipher depends entirely on the keystream generator. Most stream cipher proposals are in fact keystream generators, and the cryptanalysis in this thesis focuses on keystream generators.
The main building blocks of keystream generators are Boolean functions and feedback shift registers (both linear and nonlinear). More recently, S-boxes have also been used in stream ciphers; these are generally considered to be the main building blocks of block ciphers (another class of symmetric encryption algorithm). All of the stream ciphers examined in this thesis are based on LFSRs, with the exception of the MICKEY ciphers.

For modern stream ciphers, the key and an initialization vector (IV) are used as a seed for the initial state of the pseudorandom keystream generator. Each secret key and IV used as input to the keystream generator corresponds to a longer pseudorandom output sequence, known as the keystream. If the same key and IV are used for the keystream generators at both the sending and receiving ends of the transmission, both will produce the same keystream. Many stream cipher proposals employ the cipher algorithm itself for the key initialization process, to take advantage of the known and claimed security properties of the algorithm and also to avoid using extra hardware components (in hardware based stream ciphers).
1.1.4 Background on LFSR Based Stream Ciphers
LFSRs are easy to implement in hardware, and the sequences they produce can be readily analyzed using algebraic techniques. It is well known that LFSRs can produce sequences of long period with good statistical properties. A single LFSR should not be used on its own, because the sequence it produces is linear [143]: every output bit is a modulo 2 sum of initial state bits, so the initial state can be recovered from a short stretch of output by solving linear equations. Therefore, methods have been proposed to disguise the linearity of LFSRs; nonlinearity can be introduced into the keystream implicitly or explicitly. Three common methods for using LFSR output sequences to form nonlinear keystreams are [150]:

1. Using multiple LFSRs and a nonlinear combining function (either memoryless or with memory),

2. Using a single LFSR and a nonlinear filter function,

3. Using irregular clocking of the LFSRs (clock-controlled generators).

A combination of these methods may also be used. For example, the LILI ciphers discussed in Chapter 7 use both the second and the third approaches. Note that most of the work presented in this thesis is on clock-controlled generators. The security properties of generators that combine LFSRs and nonlinear Boolean functions are well understood and analyzed [95, 166, 169]; an overview of methods of analysis of these ciphers is given in [150].
1.1.5 Clock-Controlled Generators
Keystream generators may be constructed using irregularly clocked LFSRs Irregular clocking inLFSRs is used to enhance their complexity and consequently security These are known as clock-controlled generators
Clock-controlled ciphers assume the existence of an underlying clock that maintains a consistent set of basic time intervals against which a register and its output can be compared. A bit-based LFSR system can then be established in a number of ways. A register can be stepped in synchrony with the underlying clock, or it may move more slowly than the underlying clock, taking more than one basic unit to shift the register; but it can be assumed that it will never shift faster than the clock, as otherwise we can adjust the basic clocking time to the step time of the register. Similarly, the output from a system of clock-controlled LFSRs can be synchronized with the clock time or can be slowed down or varied against the clock time. If a register shifts with the basic time interval, it is referred to as regularly clocked. If the output is delivered with the basic time interval, it is referred to as regular output.
In this thesis, clock-controlled LFSR based stream ciphers are divided into four groups. The first group is known as keystream generators using stop-and-go clocking. The simplest designs in this group use only two LFSRs: one of these is a control register, LFSR A of length l, and the other is the controlled register, LFSR B of length m, as illustrated in Figure 1.2.
Figure 1.2: Basic Clock-Controlled Generator (LFSR A controls the clocking of LFSR B; the output bit is taken from LFSR B)
Usually the control register is regularly clocked, and the output of this register controls the clocking of the second register. The output of B, the controlled register, usually forms the keystream sequence z. A well known example of this simple design is the stop-and-go generator due to Beth and Piper [26]. In this cipher, LFSR A is regularly clocked and LFSR B is clocked once if the output of LFSR A is 1, but not clocked if the output is 0; the output bit of LFSR B is emitted either way, so a 0 from LFSR A repeats the previous keystream bit.
Alternatively, one register can be used to control the clocking of more than one stop-and-go LFSR, where the outputs of the stop-and-go LFSRs are combined to form the keystream, as occurs in the alternating step generator [115]. Extensions of this idea can be seen in the Gollmann cascade generator and in Pomaranch, an eSTREAM cipher. This group of stream ciphers is thoroughly discussed with regard to algebraic attacks in Chapter 3.
The second group is known as keystream generators using (p, q) clocking, as shown in Figure 1.3.
Figure 1.3: The Step1/Step2 Generator (control bit 0: clock the controlled register p times; control bit 1: clock it q times)
The clocking mechanism used in this group is more complex than in the first group. Keystream generators using (p, q) clocking were proposed to resist attacks that exploit the repetition of the clock-controlled register output in the keystream; they improve on the stop-and-go design because stop-and-go clocking, in which the controlled register may not move at all, is avoided. In (p, q) clocking, the controlled register (or registers) is clocked at least p times and at most q times per output bit. Well known examples of this group of ciphers are the self-decimated generator due to Rueppel and the step1/step2 generator due to Chambers and Gollmann. The security of this group of ciphers against algebraic attacks is outlined in Chapter 4.
The third group of clock-controlled keystream generators this thesis deals with is known as keystream generators using mutual clock control, as shown in Figure 1.4.
Figure 1.4: Mutually clock-controlled stream ciphers
The clocking mechanism used in this group is more complex than in the other two groups: the LFSRs of ciphers belonging to this group mutually control each other's clocking. A well known example of a cipher in this group is the A5/1 stream cipher used in GSM networks. An in-depth analysis of the resistance of this group, along with some theoretical results, is given in Chapter 5.
The fourth group of clock-controlled stream ciphers is a combination of the first and second groups. Ciphers belonging to this group are known as irregularly clocked nonlinear filter generators, as shown in Figure 1.5.
Figure 1.5: Clock-controlled nonlinear filter generators (LFSR A of length l controls the clocking of LFSR B of length m; selected stages of LFSR B are input to the filter function f, which produces the output bit)
In these ciphers, one regularly clocked LFSR is used to control the clocking of another LFSR in a (p, q) style of clocking. Filtering some stages of the second LFSR by a chosen cryptographic filter function generates the output of the cipher. A well known example of this group is the LILI family of stream ciphers [182]. The security provided by these ciphers against algebraic attacks is presented in Chapter 7.
Note that there are other types of clock-controlled stream ciphers that are not discussed in this thesis. These include the shrinking generator, the self-shrinking generator and the bit-search generator [56, 114, 149]. In these ciphers the output bits are chosen in a selective way. For example, in the shrinking generator two regularly clocked LFSRs are used, and the output of the cipher is taken to be the output of the second LFSR whenever the output of the first LFSR is 1 (the bits of the second LFSR that coincide with a 0 from the first are discarded).
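The generators of Figures 1.2 and 1.3 and the shrinking generator just described, together with a measurement of the linear complexity that irregular clocking is meant to raise, as an added example (Python written for this page, not code from the thesis). The LFSR tap convention, the register lengths 3 and 5, the initial states and the exact timing of the clocking (the keystream bit is read from the controlled register after its conditional clock) are assumptions made here. The Berlekamp-Massey routine returns the linear complexity of any bit sequence and the recurrence that generates it, which is what makes a lone LFSR unusable as a keystream generator: its continuation is predicted exactly from 2n bits.

```python
"""Toy clock-controlled generators (Section 1.1.5) and a Berlekamp-Massey
linear-complexity check.  Example code added for this page, not the thesis's.
Tap convention, register sizes, initial states and clocking timing are assumed."""


class LFSR:
    """Fibonacci LFSR over GF(2).  `poly` lists the exponents of the feedback
    polynomial, highest first, e.g. (5, 2, 0) for x^5 + x^2 + 1.  Stage i holds
    s_{t+i} and the recurrence is s_{t+n} = sum of s_{t+e} over the lower
    exponents e, so x^5 + x^2 + 1 gives s_{t+5} = s_{t+2} + s_t (assumed)."""

    def __init__(self, poly, state):
        self.n, self.taps = poly[0], poly[1:]
        self.state = list(state)
        assert len(self.state) == self.n and any(self.state), "nonzero state of length n"

    def output(self):
        """Bit currently in stage 0 (the next one to be shifted out)."""
        return self.state[0]

    def clock(self):
        """Advance one step; return the bit shifted out."""
        out, fb = self.state[0], 0
        for e in self.taps:
            fb ^= self.state[e]
        self.state = self.state[1:] + [fb]
        return out


def stop_and_go(a, b, length):
    """Beth-Piper stop-and-go (Figure 1.2): A is clocked regularly, B only when
    A outputs 1; the keystream bit is read from B after the conditional clock,
    so a 0 from A repeats the previous keystream bit."""
    z = []
    for _ in range(length):
        if a.clock():
            b.clock()
        z.append(b.output())
    return z


def pq_clocked(a, b, p, q, length):
    """(p, q) clocking (Figure 1.3; step1/step2 for p=1, q=2): B is clocked p
    times when A outputs 0 and q times when A outputs 1, so B never stands still."""
    z = []
    for _ in range(length):
        for _ in range(q if a.clock() else p):
            b.clock()
        z.append(b.output())
    return z


def shrinking(a, b, length, max_clocks=10_000):
    """Shrinking generator: both registers clock regularly; B's bit is kept only
    when A's bit is 1.  `max_clocks` guards against an A that never outputs 1."""
    z, clocks = [], 0
    while len(z) < length and clocks < max_clocks:
        a_bit, b_bit = a.clock(), b.clock()
        clocks += 1
        if a_bit:
            z.append(b_bit)
    return z


def berlekamp_massey(s):
    """Return (L, C): L is the linear complexity of bit sequence s and
    C = [1, c_1, ..., c_L] the connection polynomial, s_i = sum_j c_j s_{i-j}."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]                                    # discrepancy
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def extend(s, C, L, extra):
    """Continue s for `extra` bits with the recurrence found by Berlekamp-Massey."""
    out = list(s)
    for _ in range(extra):
        out.append(sum(C[j] & out[-j] for j in range(1, L + 1)) & 1)
    return out


if __name__ == "__main__":
    # Constructed parameters: A uses x^3 + x + 1, B uses x^5 + x^2 + 1 (both primitive).
    mk_a = lambda: LFSR((3, 1, 0), [1, 0, 0])
    mk_b = lambda: LFSR((5, 2, 0), [1, 0, 0, 0, 0])
    reg = mk_b()
    plain = [reg.clock() for _ in range(62)]
    L, C = berlekamp_massey(plain[:20])
    print("plain LFSR: L =", L, "next 42 bits predicted:", extend(plain[:20], C, L, 42) == plain)
    sg = stop_and_go(mk_a(), mk_b(), 434)
    print("stop-and-go: period 217:", sg[:217] == sg[217:], "L =", berlekamp_massey(sg)[0])
    s12 = pq_clocked(mk_a(), mk_b(), 1, 2, 434)
    print("step1/step2: L =", berlekamp_massey(s12)[0])
    print("shrinking:", "".join(map(str, shrinking(mk_a(), mk_b(), 16))))
```

Running the block shows the plain LFSR's linear complexity of 5 (its 62-bit output is reproduced from the first 20 bits), a stop-and-go output of period 7 · 31 = 217 whose linear complexity exceeds that of either register, and that every 0 from the control register repeats the previous keystream bit, which is the regularity that (p, q) clocking was introduced to remove.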
Clock-controlled stream ciphers can be designed to combine any of the four design approaches above. Recently, new types of clock-controlled stream ciphers have been proposed that fall into one or more of the above groups; however, the way the registers are clocked is quite new and novel. In the new approach, termed jump registers, a register can move to a state that is more than one step ahead without having to step through all the intermediate states. This was first introduced in [129] as an alternative to traditional clock-controlled registers, to protect LFSR based stream ciphers against side channel attacks while preserving the advantages of irregular clocking. Examples of such stream ciphers are found among the eSTREAM submissions: the MICKEY stream ciphers, investigated in Chapters 5 and 6, and the Pomaranch family of stream ciphers, analyzed in Chapter 3.
1.2 Introduction to Cryptanalysis
In the past, most encryption algorithms were kept secret (many are still secret). However, this strategy has never been regarded as a good basis for security. Many algorithms were broken even when they were hidden, such as the well known World War Two German Enigma machine and the more recent GSM encryption algorithm A5/1. Therefore, modern cryptology follows Kerckhoffs' principle [135], which states that "the security of the encryption scheme must depend only on the secrecy of the key, and not on the secrecy of the algorithm." Modern cryptanalysis of a cryptosystem begins with the assumption that the encryption algorithm is known.
In analysing the security of stream ciphers, the following assumptions will be made:
• Assumption 1: an attacker has complete knowledge of the structure of the cipher,
• Assumption 2: an attacker has a considerable amount of ciphertext, and
• Assumption 3: an attacker knows a segment of plaintext and the corresponding segment of ciphertext.
Based on these three assumptions, the aim of the cryptanalysis is to recover either the internal state at some instant t or the secret key bits used to generate the keystream. Due to the deterministic nature of the algorithm, this allows the attacker to recover the rest of the plaintext.
Various methods have been proposed for attacking stream ciphers. Some of these are generic and can be applied to any stream cipher; others are more specialized and are based on the structure of the cipher. In addition, some attacks recover the key bits, others recover the internal state bits, and still others merely distinguish the output of the algorithm from a truly random output.
The effectiveness and success of attacks are measured by their time, memory and data complexities:
1. Time complexity: the number of basic operations required to complete the attack. If the attack requires fewer operations than exhaustive key search, then the attack is considered successful and the cipher is broken (at least from a theoretical point of view),
2. Memory complexity: the storage required to perform the attack, and
3. Data complexity: the amount of data required to run the attack. The data can be ciphertext or known plaintext-ciphertext pairs.
The attacker may perform the attack in two phases: a precomputation phase and a real-time phase. In the precomputation phase, the attacker runs the most expensive operations, which can have complexity up to that of an exhaustive key search and may need an unrealistic amount of storage. Then in the real-time phase, the attacker runs operations that are simpler than those of the precomputation in order to recover the secret key, possibly performing this in real time.
As far as stream ciphers are concerned, a basic security requirement is that the keystream generated must have three properties: large period, high linear complexity and statistical randomness. These are the minimum security requirements; well known methods for satisfying them are given in [169]. In general, all of the stream ciphers examined in this thesis satisfy these three properties. However, these are necessary but not sufficient requirements: many of these stream ciphers can still be attacked using algebraic techniques.
There are many cryptanalytic attacks that can be applied to stream ciphers; these include generic attacks such as exhaustive key search and time/memory tradeoff attacks. Others are more specialized, such as divide and conquer attacks, conditional and unconditional correlation attacks, attacks based on linear consistency, linear cryptanalysis, inversion attacks, guess and determine attacks and side channel attacks [150]. The more recently proposed algebraic attacks are investigated in this thesis and applied to various stream ciphers. In this thesis, we attack the keystream generators of the analysed stream ciphers using known keystream bits.
In 1949, Shannon [178] first pointed out two important facts about symmetric ciphers. Firstly, a cipher can be expressed as a system of nonlinear equations. Secondly, breaking a good cipher should require as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type. It is well known that solving systems of nonlinear equations is difficult in general: even for quadratic equations over GF(2) the problem is NP-hard, and to date no polynomial time algorithm is known for solving general systems of nonlinear equations.
Representing a cipher as a system of equations and solving the system to recover either the internal state or the key bits is now known as an "algebraic attack". The phrase "algebraic attack" was first used in [65]. Algebraic attacks were first applied to public key cryptosystems by Courtois [58], then to block ciphers by Courtois and Pieprzyk [67], and then to stream ciphers in [59, 65].
This idea is not new. However, the approach was novel in that it included the application of methods for reducing the degree of a system of equations before solving them, and proposed newer methods for solving cryptographic multivariate systems of equations (for example, relinearization and extended linearization). Other approaches for solving multivariate systems of equations, including Gröbner basis and SAT-solver methods, were adopted for solving the multivariate systems of equations describing a cryptosystem. Improved algorithms for solving nonlinear equations, such as F4 and F5, which are based on Gröbner basis methods, have also been applied to ciphers.
For stream ciphers, algebraic attacks have been applied particularly in the cryptanalysis of stream ciphers based on linear feedback shift registers (LFSRs). They have been shown to be very powerful in attacking regularly clocked bit-based LFSR stream ciphers and are very important tools for analyzing LFSR based stream ciphers. This thesis investigates the security against algebraic attacks of a number of well known constructions of stream ciphers. Chapter 2 discusses in more detail standard algebraic attacks, fast algebraic attacks and the approaches used in the algebraic attacks presented in the remainder of this thesis.
In some telecommunication systems, such as mobile telephony and the Internet, errors occur which require that the entire message be re-sent. When synchronous stream ciphers are used, security requires that a different keystream sequence be used for the retransmission. Under certain circumstances the same key can be used to produce a different keystream. To achieve this, a re-keying algorithm (also known as a resynchronisation algorithm) is needed to combine the secret key with a publicly known initialization vector to form the initial state for keystream generation. Moreover, the resynchronisation algorithm has to be very efficient and fast. Almost every stream cipher proposed after 2000 has a key initialization algorithm. Therefore, Definition 1.3 of a modern stream cipher should be revised as follows.
Definition 1.4 Modern Stream Cipher: An encryption algorithm which divides the plaintext into successive characters (bit/bits) and encrypts each character under a time-varying function of the internal state, where the internal state is a function of the key and IV.
For many ciphers proposed in the last century, there was no distinction between the size of the internal state and the key size; the key size was the same as the internal state size, and initialization was often simply loading the key into the internal state. If an attacker recovered the internal state, he or she also recovered the secret key. By 2000, this had changed and key initialization was generally regarded as a required part of a keystream generator proposal. The first public request for key initialization in stream cipher proposals was made during the attempt to establish a stream cipher standard by the NESSIE project [1]. Some stream ciphers employing a key initialization process before this include the well known A5 and RC4 ciphers. Since then, a distinction has been drawn between the key size and the internal state size. For most ciphers, the internal state size was chosen to be at least twice as large as the key size, to prevent for example time/memory tradeoff attacks [29]. Before a secret key is loaded into the cipher, it goes through some mixing, known as key initialization, with a publicly known initialization vector; the two are used to fill the larger internal state. Many modern cryptanalytic techniques recover the internal state bits rather than the key bits. It is sometimes claimed that it is an easy task to recover the key bits given the internal state bits. This claim will be investigated through an examination of key initialization and algebraic attacks on several ciphers in Chapter 6.
There are two well known methods for achieving resynchronisation: fixed resynchronisation and requested resynchronisation. In fixed resynchronisation, the message is divided into frames and each frame is encrypted using the secret key and a unique IV. The IVs are generally derived from a frame counter in a deterministic way. Attacks targeting this type of resynchronisation are termed known IV resynchronisation attacks. The frame length of stream ciphers employing this type of resynchronisation is typically short; for example, it is 228 bits in the A5/1 stream cipher used in GSM cellular voice and data communication [37] and 2745 bits in the E0 stream cipher used in Bluetooth [5] wireless communication. It will be shown in Section 5.5 that some proposed attacks on ciphers based on fixed resynchronisation are not practical, as they require much more keystream than the typical frame length. In requested resynchronisation, as the name suggests, the receiver sends a resynchronisation request to the sender as soon as a loss of synchronization is detected. In this case, the receiver may be allowed to choose the IV used in the frame, which may enable a chosen IV resynchronisation attack. A good resynchronisation mechanism should be both fast and resistant against both chosen and known IV attacks.
If only a single segment of keystream is known (no re-keying occurs), then to break a particular instance of the cipher the cryptanalyst must recover the initial internal state S, using knowledge of the structure of the keystream generator and some amount of the keystream z. In contrast, with resynchronisation occurring, the cryptanalyst has access to multiple related keystreams produced under the same key k and for different but known IVs, where the IVs are typically sequential or differ in only a few bits. The cryptanalyst's task is then to recover k, given a set of (IV, z) pairs. For security in this scenario, it is required that the re-keying process does not leak information about the key k. In this thesis, we investigate the effect of the initialization process of a cipher on the feasibility of algebraic attacks.
The main aim of this thesis is to extend the application of algebraic attacks to clock-controlled stream ciphers. Apart from LILI-128, these types of stream ciphers have not previously been analysed from an algebraic attack perspective. The motivation behind this is that some clock-controlled stream ciphers are used in the real world. The thesis investigates the security of a number of well known keystream generators, such as those using stop-and-go clocking, keystream generators using (p, q) clocking, keystream generators using mutual clock control and the LILI family of irregularly clocked nonlinear filter generators.
This thesis also aims to determine the effect of key initialization on algebraic attacks. This aspect of cipher security with respect to algebraic attacks has not been examined in the open literature before. The examination is conducted on a number of the ciphers in phase three of eSTREAM, the ECRYPT Stream Cipher Project [2]. The ECRYPT Stream Cipher Project is a multi-year effort to identify new stream ciphers that might become suitable for widespread adoption.
The final aim of the thesis is to analyze the feasibility of recovering the key bits of a cipher, given that the internal state has been recovered using algebraic attacks. Previously, there was little distinction in the open literature between key recovery and state recovery using algebraic attacks. This thesis addresses this important issue.
This thesis has achieved the following:
• Presented the first algebraic attacks and analysis on stop-and-go clock-controlled stream ciphers (Beth-Piper, alternating step generator), keystream generators using (p, q) clocking (step1/step2, self-decimated generators) and clock-controlled cascade stream ciphers (Gollmann cascade, Pomaranch v1 and v2). It also provided a thorough algebraic analysis of mutually clock-controlled stream ciphers (the bilateral stop-and-go generator, A5/1 and the MICKEY family of stream ciphers). An algebraic attack on the mutually clock-controlled stream cipher Alpha 1 is also presented;
• Established and provided a better understanding of algebraic attacks on irregularly clock-controlled nonlinear filter generators (the LILI family of stream ciphers);
• Investigated the role of key initialization in algebraic attacks on the eSTREAM ciphers Trivium and Grain-128.
The thesis is composed of eight chapters. Chapters 1 and 2 respectively provide the introduction and outline of the thesis, and the techniques for applying algebraic attacks to stream ciphers. Chapters 3, 4, 5, 6 and 7 form the main body of the thesis and discuss the application of algebraic attacks to specific stream ciphers, while Chapter 8 is the conclusion.
Chapter 2 outlines the various algebraic methods that have been proposed for attacking stream ciphers. A description is provided of the algorithms which are used in the later parts of the thesis. This includes algorithms for standard algebraic attacks and fast algebraic attacks.
Chapter 3 describes the investigation into the security of stop-and-go generators, and extensions of this idea, against algebraic attacks. Included in this investigation are the Beth-Piper stop-and-go generator, in both its basic and strengthened versions, the alternating step generator, the Gollmann cascade generator and the Pomaranch family of stream ciphers. It will be shown that stop-and-go generators are prone to algebraic attacks.
Chapter 4 extends algebraic attacks to more complex keystream generators that use (p, q) clocking. Such generators were proposed to resist attacks that utilize the repetition of the clock-controlled register output in the keystream; they improve on the stop-and-go design because stop-and-go clocking is avoided. In (p, q) clocking, the controlled register (or registers) is clocked at least p times and at most q times. Algebraic attacks and analysis on two well known examples of such generators are given.
Chapter 5 presents an algebraic analysis of more complex clock-controlled stream ciphers. In this chapter, the security of keystream generators using mutual clock control is examined against algebraic attacks. A number of known ciphers are investigated, including the bilateral stop-and-go generator, A5/1, Alpha 1 and the MICKEY family of stream ciphers.
Chapter 6 considers the effect of initialization on algebraic attacks for two stream ciphers. Both of these are profile 2 submissions to eSTREAM, the ECRYPT Stream Cipher Project [2], and are currently focus ciphers in phase 3. At present, there is nothing in the open literature that investigates the effect of key initialization on security with respect to algebraic attacks. This chapter presents a preliminary step in this direction and gives some experimental results of investigations performed on Trivium and Grain-128.
Chapter 7 investigates algebraic attacks on a well known example of irregularly clocked nonlinear filter generators, the LILI family of stream ciphers. The chapter investigates both the feasibility of recovering the internal state using algebraic attacks and that of recovering the key bits, taking into consideration the key initialization process. The possibility of recovering the key bits given the internal state bits using algebraic attacks is also considered in this chapter.
Chapter 8 concludes the thesis by highlighting its main outcomes and providing some directions for future research.
Some of the results presented in this thesis have been previously published in the academic literature, or presented, during the course of the work, as indicated in the list of published papers included in the front matter of this thesis. The research outlined in Sections 3.2, 3.3, 3.4, 4.3 and 4.2 has been published in paper [1]. The research described in Sections 3.5 and 3.7 was published in [2]. The research contained in Chapter 7, except for Section 7.6, was published in [3].
Chapter 2
Overview of Algebraic Attacks on LFSR based Stream Ciphers
Cryptanalysis is about analyzing a cryptographic system with the aim of finding weaknesses that can be exploited in attacks. The aim of the attack may be to recover the internal state of the keystream generator, or to recover the key bits or some portion of them. In order to design a secure, optimal and efficient encryption algorithm it is important to be able to analyze it with respect to the security it provides against known attacks. In addition, it is desirable, although difficult, to design an encryption algorithm that is resistant to all known attacks and also to future attacks. Many encryption algorithms designed to resist the attacks known at the time of their design have later fallen to new attacks.
Recently, new types of attacks known as algebraic attacks have been proposed on both block ciphers and LFSR based stream ciphers. Algebraic attacks were first applied to public key cryptosystems by Courtois [58], then to block ciphers by Courtois and Pieprzyk [67] and then to stream ciphers in [59, 65]. An algebraic attack is based on solving an overdefined system of multivariate algebraic equations involving the secret key bits or internal state bits and the keystream bits.
Many well known LFSR-based stream ciphers with regular clocking have fallen to algebraic attacks. Examples of algebraic attacks on stream ciphers include attacks on nonlinear filter generators [65]; attacks on combiners with memory [12], where the combiner consists of K LFSRs and l bits of memory, applied to E0; an attack on a summation generator of K LFSRs and l bits of memory [140]; attacks on a number of modified bit-based stream ciphers [61]; an attack by Joo Yeon Cho and Josef Pieprzyk [50] on the SOBER class of stream ciphers (modified to remove the stuttering); an algebraic analysis of SNOW 2 [27]; and recently, attacks on two of the eSTREAM ciphers, F-FCSR* [24] and Sfinks [62].
It should be noted that solving the system of equations does not guarantee full recovery of the key or the internal state. In addition, in some cases, obtaining these multivariate equations requires other techniques found in the literature; for example, in some algebraic attacks an attacker has to guess some key bits in order to be able to generate a set of equations describing the cipher. Further, solving the system of equations might reveal only some of the key or internal state bits; therefore, other cryptanalytic techniques would have to be used in order to recover the remaining bits.
* Note that the F-FCSR ciphers are not LFSR based.
The interest in algebraic attacks has opened new avenues of research in cryptography in three major areas. These are:
1. The search for new techniques, or the adaptation of existing techniques, for solving the systems of equations that describe an encryption algorithm. This area is discussed in Section 2.1.3,
2. The search for algorithms and methods for reducing the overall degree of the equations, as discussed in Section 2.1.2, and
3. Designing cryptographic Boolean functions that preserve all the previously known cryptographic properties along with the newly recognized property, algebraic immunity [146]. Many papers have been published in this area, see for example [13, 36, 42, 68, 69, 141]. However, as none of the ciphers analyzed in this thesis use these newly proposed Boolean functions, this will not be discussed. In this thesis, the only application of an algebraically immune function is the output function used in the Grain family of stream ciphers, discussed in Chapter 6.
This chapter is organized as follows. Section 2.1 presents the framework for algebraic attacks on both regularly clocked and irregularly clocked LFSR based ciphers. Section 2.1.2 discusses methods used for reducing the overall degree of the equations. Section 2.1.3 outlines methods used in algebraic attacks for solving nonlinear equations. Fast algebraic attacks on LFSR based stream ciphers are discussed in Section 2.2. Section 2.3 presents a summary of the chapter.
To conduct a successful algebraic attack on a keystream generator, there are three essential requirements to meet. The attacker must be able to find valid relationships between the internal state and the keystream output bits, be able to reduce the degree of the resulting system of equations prior to solving it, and be able to solve the equations efficiently.
Firstly, one has to be able to find valid relations between the internal state of the generator and the output that hold for all time instances. This is a simple task for regularly clocked LFSR-based stream ciphers. In some keystream generators, some output bits are discarded, or the registers are clocked in an irregular manner; in these cases it is very challenging to find such relations. We describe methods to overcome these challenges in Chapters 3, 4, 5 and 7.
Secondly, for a successful algebraic attack, an attacker should try to reduce the degree of the resulting system of equations as far as possible. Having a system of equations of low degree significantly reduces the complexity of solving the equations and hence of recovering the unknowns in the system. A few methods for obtaining low degree equations will be shown.
The last requirement is the ability to solve the equations efficiently, to obtain an overall attack complexity less than brute force. Note that although the complexity of solving the equations might be much less than exhaustive key search, this does not necessarily mean that the cipher can be broken, especially if guessing was involved to obtain the low degree equations necessary to run the attack: the cost of solving must then be multiplied by the number of guesses. This is demonstrated in the analysis of the LILI family of stream ciphers against algebraic attacks presented in Chapter 7.
This section provides the framework for algebraic attacks on LFSR based stream ciphers. It considers two types of LFSR based stream ciphers: regularly clocked LFSR based stream ciphers and irregularly clocked LFSR based stream ciphers.
For regularly clocked ciphers, an LFSR is stepped in synchrony with the underlying clock. If a register shifts with the basic time interval, we refer to it as regularly clocked. If the output is delivered with the basic time interval, we refer to it as regular output. If the internal state of the system goes through all the possible states sequentially in order, then the internal state of the system can be represented as a system of linear equations; this is denoted hereafter as a linear update of the internal state.
For irregularly clocked stream ciphers, an LFSR may move more slowly than the underlying clock, taking more than one basic time unit to shift the register; but it can be assumed that it will never shift faster than the clock, as otherwise we can adjust the basic clocking time to the step time of the register. The output from a system of irregularly clocked LFSRs can be synchronized with the clock time or can be slowed down or varied against the clock time.
2.1.1 Equation Generation
This section provides the framework for forming a system of equations representing the cipher. It considers stream ciphers with regularly clocked registers with a linear update of the internal state, and irregularly clocked registers with a nonlinear update of the internal state. In both cases, we assume that the output of the system is generated by taking some inputs into an output function or filter function $f$ of degree $d$. Denote the size of the internal state of a stream cipher by $n$, and let the keystream bits $z_t$ be generated from the filter function $f$ such that $z_t = f(S_t)$, where $S_t = (s_1, \ldots, s_n)$ is the internal state at time $t$.
Linearly Updated Internal States
The framework for algebraic attacks provided in this section is well suited to nonlinear combining function generators and to nonlinear filter generators. Denote the linear state update function by $L$, so that the internal state at time $t$ is $L^t(s_1, \ldots, s_n)$, where $L^t = L \circ \cdots \circ L$ ($t$ times) and $(s_1, \ldots, s_n)$ is the initial state. The task of an algebraic attack is to recover $(s_1, \ldots, s_n)$ given $T$ output bits $z_1, \ldots, z_T$. For such ciphers it is clear that every keystream bit is a polynomial of degree at most $d$ in the initial state bits, since $L$ is linear:
$$z_t = f\bigl(L^t(s_1, \ldots, s_n)\bigr). \qquad (2.1)$$
For the purpose of illustration, consider the following example.
Example 2.1 Consider a nonlinear filter generator based on an LFSR of size $n = 5$. Denote the contents of the LFSR by $s_1, s_2, \ldots, s_5$. Suppose all $r = 5$ stages of the LFSR are taken as input to a filter function $f$ of degree 3 with the following ANF:
$$z = f(s_1, s_2, \ldots, s_5) = s_1 + s_2 s_3 + s_3 s_4 s_5. \qquad (2.2)$$
Let the feedback polynomial of the LFSR be $x^5 + x^2 + 1$. Given this, one can easily work out the contents of each stage of the register after successive clockings, as shown in Table 2.1.
Using Equation (2.2) and Table 2.1, one can easily form a system of equations relating the internal state with the keystream, as in Equation (2.1), as follows.
Nonlinearly Updated Internal States
The framework for algebraic attacks provided in this section is well suited to clock-controlled generators, which are the main scope of the thesis.
The internal state at time $t$, denoted $s_t$, can be considered as a function of the initial internal state $s_0$, where the function transforming $s_0$ into $s_t$ is the repeated application ($t$ times) of the nonlinear state update function $NL$. Let the keystream bits $z_t$ be generated from a filter function $f$ such that $z_t = f(s_t)$. The task of an algebraic attack is to recover $s_0 = (s_1, \ldots, s_n)$ given $T$ output bits $z_1, \ldots, z_T$. For such ciphers it is clear that $z_t = f(NL^t(s_0))$; because $NL$ is not linear, the degree of these equations in the initial state bits may grow with $t$.
Algorithm 2.1 gives the steps for attacking a keystream generator based on LFSRs with $n$ internal state bits; it is shown in Figure 2.1.
Algorithm 2.1 Algebraic attack on stream ciphers.
Inputs: $f$, keystream bits $z_1, z_2, \ldots$, the LFSR length, and the feedback function of the LFSR.
Outputs: the internal state of $n$ bits.
• Step 1: In a precomputation phase, find functions $g$ of low degree $e < d$ that can be used together with $f$ to obtain equations of degree $e$, if such functions exist.
• Step 2: Set up a system of equations in the $n$ unknown state bits and the keystream bits $z_t$, $t \geq 0$.
• Step 3: Substitute the observed keystream bits for the variables $z_t$.
• Step 4: Recover the $n$ initial internal state bits by solving the system of equations.
Figure 2.1: Algebraic attack algorithm
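The system of Example 2.1 and Steps 2 to 4 of Algorithm 2.1 carried out in code, as an added example (Python written for this page, not code from the thesis). It assumes that stage i of the register holds s_{i+1} at time 0 and that the feedback polynomial x^5 + x^2 + 1 is used as the recurrence s_{t+5} = s_{t+2} + s_t; with another tap convention the rows of the system change but the method does not. The equations z_t = f(L^t(s_1, ..., s_5)) are built symbolically over GF(2), every monomial of degree 1 to 3 is renamed to a new unknown (linearization, 25 unknowns), the resulting linear system is solved by Gaussian elimination, and any freedom the linearization leaves is resolved by enumerating the free unknowns and keeping only states that reproduce the keystream. Step 1 (finding low degree multipliers g for f) is not needed for a register this small and is left out; the secret state used to generate the target keystream is constructed here.

```python
"""Algebraic attack on the nonlinear filter generator of Example 2.1, following
Steps 2-4 of Algorithm 2.1.  Example code added for this page, not the thesis's.
Assumed: stage i holds s_{i+1} at time 0, and x^5 + x^2 + 1 is used as the
recurrence s_{t+5} = s_{t+2} + s_t."""
from itertools import combinations, product

N = 5                                   # LFSR length n of Example 2.1


def lfsr_step(state):
    """One regular clock: (s_t, ..., s_{t+4}) -> (s_{t+1}, ..., s_{t+5})."""
    return state[1:] + (state[0] ^ state[2],)


def filter_f(s):
    """Equation (2.2), z = s1 + s2 s3 + s3 s4 s5, on a 0-indexed state tuple."""
    return s[0] ^ (s[1] & s[2]) ^ (s[2] & s[3] & s[4])


def keystream(state, length):
    """Keystream z_0 .. z_{length-1} from an initial state (the attack target)."""
    z = []
    for _ in range(length):
        z.append(filter_f(state))
        state = lfsr_step(state)
    return z


# Symbolic side.  A linear form in the initial bits is a 5-bit mask; a polynomial
# is a set of monomials, each a frozenset of variable indices, so that x_i * x_i
# collapses to x_i and equal monomials cancel, as they do over GF(2).
def lin_to_poly(mask):
    return {frozenset([i]) for i in range(N) if mask >> i & 1}


def poly_mul(p, q):
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}
    return r


def symbolic_equation(t):
    """The polynomial f(L^t(s1, ..., s5)) that equals z_t: one row of Table 2.1
    (the stage contents as linear forms) pushed through f."""
    forms = [1 << i for i in range(N)]          # stage i holds s_{i+1}
    for _ in range(t):
        forms = forms[1:] + [forms[0] ^ forms[2]]   # the LFSR recurrence on masks
    p = lin_to_poly(forms[0])
    p ^= poly_mul(lin_to_poly(forms[1]), lin_to_poly(forms[2]))
    p ^= poly_mul(poly_mul(lin_to_poly(forms[2]), lin_to_poly(forms[3])),
                  lin_to_poly(forms[4]))
    return p


# Linearization: every monomial of degree 1..3 becomes its own unknown.
MONOMIALS = [frozenset(c) for d in (1, 2, 3) for c in combinations(range(N), d)]
COL = {m: i for i, m in enumerate(MONOMIALS)}   # 5 + 10 + 10 = 25 columns


def rref_gf2(rows, ncols):
    """Gauss-Jordan elimination over GF(2).  rows = [(mask, rhs)].  Returns
    (pivot rows, pivot columns), or None if the system is inconsistent."""
    rows = [list(r) for r in rows]
    pivots, r = [], 0
    for col in range(ncols):
        sel = next((i for i in range(r, len(rows)) if rows[i][0] >> col & 1), None)
        if sel is None:
            continue
        rows[r], rows[sel] = rows[sel], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][0] >> col & 1:
                rows[i][0] ^= rows[r][0]
                rows[i][1] ^= rows[r][1]
        pivots.append(col)
        r += 1
    if any(mask == 0 and rhs for mask, rhs in rows):
        return None
    return rows[:r], pivots


def algebraic_attack(z):
    """Build z_t = f(L^t s) for every known bit (Step 2), substitute the observed
    bits (Step 3), solve the linearized system (Step 4) and return every initial
    state consistent with z."""
    rows = []
    for t, zt in enumerate(z):
        mask = 0
        for m in symbolic_equation(t):
            mask |= 1 << COL[m]
        rows.append((mask, zt))
    solved = rref_gf2(rows, len(MONOMIALS))
    if solved is None:
        return []
    reduced, pivots = solved
    free = [c for c in range(len(MONOMIALS)) if c not in pivots]
    found = []
    # Linearization forgets that the unknown for s1*s2 must equal s1 times s2, so
    # enumerate any free unknowns and keep only states that reproduce z.
    for choice in product((0, 1), repeat=len(free)):
        val = dict(zip(free, choice))
        for (mask, rhs), c in zip(reduced, pivots):
            val[c] = rhs ^ (sum(val[fc] for fc in free if mask >> fc & 1) & 1)
        state = tuple(val[COL[frozenset([i])]] for i in range(N))
        if keystream(state, len(z)) == list(z):
            found.append(state)
    return found


if __name__ == "__main__":
    secret = (1, 0, 1, 1, 0)                    # constructed initial state
    z = keystream(secret, 31)                   # one full period of keystream
    print("equation for z_1:", sorted(sorted(i + 1 for i in m) for m in symbolic_equation(1)))
    print("unknowns after linearization:", len(MONOMIALS))
    print("recovered states:", algebraic_attack(z), "secret:", secret)
```

The second row of the system, printed by the demo, reads z_1 = s_2 + s_3 s_4 + s_1 s_4 s_5 + s_3 s_4 s_5 under the assumed tap convention. For a filter whose shifted equations span all 25 monomials the state is recovered uniquely without any enumeration; the fallback matters when they span fewer, which is exactly the situation that the degree-lowering functions g of Step 1 and the guess-and-solve strategies discussed later in the thesis are meant to address.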