Design of Block and Stream Ciphers
Nicolas T. Courtois, University College London
A New Frontier in Symmetric Cryptanalysis
Small Remarks
Winston Churchill used to say: “the truth is so precious that she should always be attended by a bodyguard of lies”
0. Intro…
Algebraic Attacks on Block, Stream Ciphers (2001-2015)
Instead of a Summary
• How to design secure ciphers? Nobody knows; it is a complex question.
Remark: there exist provably secure stream ciphers (QUAD), but NO good candidates for secure block ciphers…
A “good” Boolean function provably prevents correlation/differential/linear/GLC attacks…
Avoiding simple Boolean functions… is not enough!
Claim / Proposal
This criterion is proposed (can be necessary) for the security of:
• S-boxes in block ciphers
• Combiners in stream ciphers
• Trapdoor functions (PK crypto, HFE).
Why ?
• no proof
• some devastating attacks on some ciphers
• many ciphers not broken in the slightest
Multivariate Cryptography: cryptosystems using polynomials with several variables over a finite field…
Multivariate Cryptanalysis, or Algebraic Cryptanalysis: cryptographic attacks using polynomials with several variables over a finite field…
(Diagram of related attack families: other combination tools, truncated differentials (DC), higher-order differentials, “every cipher of low degree poly can be broken”, multiple-point DC, higher-order DC.)
Courtois, Indocrypt 2008
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
- My Favourite Groups
Exact/Algebraic/Multivariate Cryptanalysis:
However, what makes the problem hard is not the number of variables, but the balance between the number of equations and the number of monomials:
– The XL algorithm and Gröbner bases techniques: [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000], [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [F5/2 by Jean-Charles Faugère], [old papers by Lazard]…
MC = Definition
• Every function can be represented as a number of multiplications plus linear functions over a finite field/ring.
• We call MC (Multiplicative Complexity) the minimum number of multiplications needed.
Home reading: the slide set multcomp.pdf on Moodle.
Algebraization:
Theorem: every function over a finite field is a polynomial function.
[Can be proven as a corollary of Lagrange’s interpolation formula.]
Bottom line:
“Every cipher which can be expressed by low degree polynomials is broken.”
Cube Attacks [Vielhaber; Dinur, Shamir ’08]
“Trivial – ε Attacks”
Cube attacks are highly sophisticated, highly technical attacks, BUT they achieve NOTHING more than breaking XX – ε rounds of a cipher, where XX – ε rounds is already broken by an attack which the crypto community considers excessively trivial.
Step By Step
A cube attack is about summing COMPLEX multivariate polynomials:
– most of these polynomials are never written down.
• Online phase (CPA): several concrete output values are added, 0+1+…
• The sum polynomial depends on the key in a very simple way.
=> This gives simple equations on the key.
Q: Do these polynomial relations MATTER AT ALL for block ciphers?
YES! (at least for some of them…)
F: inverse in GF(2^n).
Round function:
XSL Ciphers (diagram): round layers X (XOR with the round key K_i), S (S-boxes), L (linear diffusion).
The so-called “XSL Attack” and AES: not a very efficient attack, rather a sort of scientific research programme…
Reinvent it in 2015. Algebraic attacks on block ciphers today:
1. Write good equations – overdefined, sparse or both.
• LESS TRIVIAL than expected [new tricks: higher degree, add variables, etc.].
2. Expand – avoid / minimise the impact of…
3. Final “in place” deduction / inference / elimination method.
• ElimLin alone and the T’ method. Amazingly powerful.
• New tools [SAT solvers]. Amazingly powerful.
Part 1. Find good equations, such that: equations / monomials = 1/4 or so.
Part 2. Expand to a very overdefined system, close to saturation: free eqs. / monomials = close to 1.
Part 3. Final step – achieve complete saturation, giving the key bits: free eqs. / monomials = exactly 1.
AES
Unbelievable Security
Most people think: it is easy to achieve 2^256, just mix sufficiently many strange functions…. Security grows exponentially in the number of rounds.
Moore’s Law: the computing power of 2^256 will not be available before the year 2200. Until then, so much higher mathematics and so much better methods of cryptanalysis will be found…
Part 1. Find good equations, such that: equations / monomials = 1/4 or so.
MQ Problem
Find a solution (at least one), i.e. find (x_0, …, x_{n-1}) such that:
Known applications of MQ
Multivariate schemes such as UOV, HFE, Quartz and Sflash are based on MQ.
• In usual applications, nobody is using these new schemes. But:
• They are about the only solutions known for specific applications: very short signatures with Quartz, the fastest signatures in the world with Sflash [cf. PKC 2003].
Surprising applications of MQ
Claim: 90 % of all applied cryptography is based on MQ.
2. Rijndael is based on MQ?
Rijndael S-boxes
(y1, …, y8) = S(x1, …, x8).
bi-linear equations: x·y = 1 (x ≠ 0): 7 equations; x^2·y = x: 8 equations; x·y^2 = y: 8 equations. In total: 23.
quadratic equations: x^4·y = x^3: 8 equations; x·y^4 = y^3: 8 equations. In total: 39.
Optimal S-boxes? [Anne Canteaut, Marion Videau, Eurocrypt 2002]: optimal for linear, differential and higher-order differential attacks.
Reduction Rijndael → MQ
Rijndael, 128 bits: recovering the secret key can be rewritten as an MQ problem:
Part 2. Expand to a very overdefined system, close to saturation: free eqs. / monomials = close to 1.
Multiplying the equations by one or several variables.
X L means…
• eXtended Linearisation
• Multiply (X) and Linearise
• eXpansion in the ideaL spanned by the equations…
• doing things like x_1 * l_3
• etc…
becomes: … (degree 3 now).
How XL works:
Initial system: m equations and n^2/2 terms.
Multiply each equation by a product of any D-2 variables:
• Equations: … (R)
• Terms: … (T)
Idea: one term can be obtained in many different ways, so T grows more slowly than R.
Necessary condition: R/T > 1, which gives … and thus D.
If sufficient, the complexity of XL would be about …
Sub-exponential? Not true!
The behaviour of XL
It is possible to predict the exact number
of linearly independent equations in XL.
Applying XL to Rijndael
1. Makes little sense: XL is a tool for dense systems of equations…
Except if there are “degree falls”: some combinations of unusually low degree, cf. HFE attacks…
From XL to “XSL”
Pure theory ?
XL: astronomical complexity
The XL idea: multiplying the equations by one or several variables.
XSL Algorithm
Main idea: in a sparse system, R/T at the beginning is already much bigger than in a random system.
Result: R/T ≈ P · r/t; R/T ≥ 1 requires P ≥ t/r.
Saturation Problem:
Simulations show that the number Free of linearly independent equations is never very close to T, and for P=2, as the number of rounds Nr increases, we have Free ≈ 96.59 % of T.
Part 3. Final step – achieve complete saturation, giving the key bits: free eqs. / monomials = exactly 1.
T’ Method contd.
Here is the same system in which T' is defined for x2:
T’ Method contd.
Back to the first system in which T' is defined for x1:
We have rank=8.
Multiply the 2 “exceeding” equations of the first version by x1.
T’ Method contd.
Now we have 4 “exceeding” equations (two old and two new).
Transfer them to the second system.
T’ Method contd.
We rewrite the 3 new equations with terms that can be multiplied by x1.
T’ Method contd.
We still have rank = 14.
Then we multiply the new equation by x2.
• 3-bit S-boxes.
• Diffusion: permuting wires (as DES P-box !).
• 1,2,4,8,… S-boxes per round.
• 1,2,3,…,10,…,30,… rounds.
• Key size == Block size.
• Simple key schedule: bit permutation (as in DES !)
Equations – From a Real Example
S-box equations (each polynomial = 0):
X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][2]+X[0][1]*Z[0][3]+X[0][1]
X[0][2]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][1]+X[0][3]+X[0][2]+1
X[0][3]*Z[0][1]+X[0][1]*Z[0][3]+Z[0][3]+Z[0][1]
X[0][3]*Z[0][2]+Z[0][3]+Z[0][1]+X[0][3]+X[0][1]
X[0][3]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][1]*Z[0][2]+Z[0][3]+X[0][1]
Z[0][1]*Z[0][3]+Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][2]*Z[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][3]+X[0][1]
X[1][1]*X[1][2]+Z[1][1]+X[1][3]+X[1][2]+X[1][1]+1
X[1][1]*X[1][3]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][1]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][2]+Z[1][2]+Z[1][1]+X[1][3]
X[1][2]*X[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]
X[1][2]*Z[1][1]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]
X[1][2]*Z[1][2]+X[1][1]*Z[1][3]+X[1][1]
X[1][2]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][1]+X[1][3]+X[1][2]
X[1][3]*Z[1][1]+X[1][1]*Z[1][3]+Z[1][3]+Z[1][1]
X[1][3]*Z[1][2]+Z[1][3]+Z[1][1]+X[1][3]+X[1][1]
X[1][3]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][2]+X[1][2]+X[1][1]
Z[1][1]*Z[1][2]+Z[1][3]+X[1][1]
Z[1][1]*Z[1][3]+Z[1][3]+Z[1][2]+X[1][2]+X[1][1]+1
Z[1][2]*Z[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][3]+X[1][1]
…
Linear-layer and key-addition equations:
1+X[0][1]=k_0
1+X[1][2]=k_4
1+X[1][3]=k_5
Z[0][3]+X[2][1]=k_1
Z[1][1]+X[2][2]=k_2
Z[1][2]+X[2][3]=k_3
Z[1][3]+X[3][1]=k_4
Z[0][1]+X[3][2]=k_5
Z[0][2]+X[3][3]=k_0
Z[2][3]+1=k_2
Z[3][1]+1=k_3
Z[3][2]+1=k_4
Z[3][3]+1=k_5
Z[2][1]+0=k_0
Z[2][2]+1=k_1
…
How to finish?
• Initial proposal: the T’ method.
– Works very well in practice, but needs to be run many times (each time the rank increases).
• Alternatives:
– use Gröbner bases.
– better alternatives:
• SAT solvers,
• ElimLin.
7329 + 28, 7329 + 52, 7329 + 56, 7329 + 96, 7329 + 147, 7329 + 165, 7329 + 172, 7329 + 173, 7329 + 174
Maybe…
• Saturation Problem:
Use the T’ method.
Summary:
XSL takes advantage of the fact that the
equations are overdefined and sparse.
Expected (at least) to work better than XL.
Not proven,
based on heuristic assumptions:
Remark 1
Remark 2:
Solving Methods
Solver Software
Fact
What’s New
The biggest discoveries in Science are the simplest.
Also, Principle 2: handling XORs is not obvious. Long XORs are known to be hard problems for SAT solvers.
ANF-to-CNF
This description is enough to produce a working version.
Ready Software
Several ready programs to perform this conversion are made available on this web page: www.cryptosystem.net/aes/tools.html
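The conversion just described, as an added example that is not from the slides or from the tools on the linked page: one fresh variable per product monomial, the remaining XOR cut into short chained XORs (Principle 2), checked by brute force on the first equation of the “Equations – From a Real Example” slide; the variable numbering is mine.

```python
# Added example, not from the slides: ANF-to-CNF conversion with "Principle 2"
# (cut long XORs) built in, applied to the first equation of the
# "Equations - From a Real Example" slide:
#   X[0][1]*X[0][2] + Z[0][1] + X[0][3] + X[0][2] + X[0][1] + 1 = 0
from itertools import product

# ANF: a set of monomials; a monomial is a frozenset of DIMACS variable numbers
# (1-based); frozenset() is the constant 1.
def anf_to_cnf(poly, nvars, max_xor=4):
    """Return (clauses, nvars) such that poly == 0 iff the CNF is satisfiable.
    Every non-linear monomial gets a fresh variable y with y <-> AND(x_i); the
    remaining XOR is chained through fresh variables so that no XOR (and hence
    no clause) is longer than max_xor literals (max_xor >= 3)."""
    clauses, xor_lits, parity = [], [], 0
    for mono in poly:
        if len(mono) == 0:
            parity ^= 1                                # constant moves to the RHS
        elif len(mono) == 1:
            xor_lits.append(next(iter(mono)))
        else:
            nvars += 1
            y = nvars
            clauses += [[-y, x] for x in mono]         # y -> each x_i
            clauses.append([y] + [-x for x in mono])   # all x_i -> y
            xor_lits.append(y)
    while len(xor_lits) > max_xor:                     # Principle 2: cut long XORs
        head, xor_lits = xor_lits[:max_xor - 1], xor_lits[max_xor - 1:]
        nvars += 1                                     # c = XOR(head)
        clauses += xor_clauses(head + [nvars], 0)
        xor_lits.insert(0, nvars)
    clauses += xor_clauses(xor_lits, parity)
    return clauses, nvars

def xor_clauses(lits, parity):
    """CNF of lits[0] ^ ... ^ lits[k-1] == parity: one clause per assignment of
    the wrong parity, i.e. 2^(k-1) clauses, which is why k must stay small."""
    return [[-v if b else v for v, b in zip(lits, bits)]
            for bits in product([0, 1], repeat=len(lits)) if sum(bits) % 2 != parity]

def anf_value(poly, assignment):
    return sum(all(assignment[v] for v in m) for m in poly) % 2

def cnf_models(clauses, nvars):
    """Brute-force satisfying assignments (fine for a toy; a SAT solver otherwise)."""
    models = []
    for bits in product([0, 1], repeat=nvars):
        a = dict(enumerate(bits, 1))
        if all(any(a[abs(l)] == (l > 0) for l in c) for c in clauses):
            models.append(a)
    return models

def equisatisfiable(poly, nvars, max_xor=4):
    """The CNF models projected on the original variables must be exactly the
    roots of poly, and each root must extend to exactly one model."""
    clauses, total = anf_to_cnf(poly, nvars, max_xor)
    roots = {bits for bits in product([0, 1], repeat=nvars)
             if anf_value(poly, dict(enumerate(bits, 1))) == 0}
    projected = [tuple(m[v] for v in range(1, nvars + 1))
                 for m in cnf_models(clauses, total)]
    return set(projected) == roots and len(projected) == len(roots)

# Variables (my numbering): 1 = X[0][1], 2 = X[0][2], 3 = X[0][3], 4 = Z[0][1]
EXAMPLE = {frozenset({1, 2}), frozenset({4}), frozenset({3}),
           frozenset({2}), frozenset({1}), frozenset()}
```

With max_xor=4 the single equation becomes 6 variables and 15 clauses (3 for the product, 8 + 4 for the two short XORs); without cutting, the 5-literal XOR alone costs 16 clauses.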
Solving SAT
What are SAT solvers? Heuristic algorithms for solving SAT problems.
• Guess some variables.
• Examine the consequences.
• If a contradiction is found, I can add a new clause saying “in this set of constraints, one is false”.
MiniSat 2.0: winner of the SAT-Race 2006 competition.
www.cryptosystem.net/aes/tools.html
Jump from 0 to .
Paradoxes:
• If you guess some variables, it can become much slower.
• Great variability in results (hard to compute an average running time; better to look at the 20 % faster timings).
• Memory:
– For many cases tiny: 9 Mbytes, while Magma hangs at > 2 Gbytes for the same system.
– For some working cases: 1.5 Gbytes and substantial time. Then it terminates with the solution as well.
Toy Ciphers…
• 3-bit S-boxes.
• Diffusion D: permuting wires (as the DES P-box!).
• 1, 2, 4, 8, … S-boxes per round.
• 1, 2, 3, …, 10, …, 30, … rounds.
• Key size == block size.
• Simple key schedule: bit permutation (as in DES!)
© Nicolas T. Courtois, 2006-2011
Algebraic Attacks on Block Ciphers
• Virtually no difference:
– a different D-box, but the difference is only at 1 bit position (!).
– Changes everything w.r.t. linear cryptanalysis.
– Changes nothing w.r.t. algebraic cryptanalysis.
• In both cases 6 rounds are broken; 7 rounds maybe this year…
CTC2 S-box: random on 3 bits, without linear equations.
Theorem [Courtois]: 14 MQ equations.
Bad news for the idea (IOH) that the I/O degree implies the existence of algebraic attacks:
• For some equations – good attacks [for 5 rounds].
• For some equations – little hope.
(Diagram: plaintext/ciphertext pairs P1/C1, P2/C2, P3/C3, each passing through “0-few rounds” and then “more rounds”.)
Combinatorial Explosion
Nb. of new linear equations grows FASTER than LINEAR!!!
Nb. of variables grows linearly in K.
What About… Real Life Ciphers?
DES
At first glance, DES seems to be a very poor target: there is (apparently) no strong algebraic structure of any kind in DES.
What’s Left?
Idea 1 (IOH): algebraic I/O relations.
Theorem [Courtois-Pieprzyk]: every S-box has a low I/O degree. => 3 for DES.
Idea 2 (VSH): DES has been designed to be implemented in hardware.
=> Very sparse quadratic equations, at the price of adding some 40 new variables per S-box.
Results?
Both Idea 1 (IOH) and Idea 2 (VSH) (and some 20 others I have tried…) can be exploited in working key recovery attacks.
I / O Degree
Theorem
Corollary
Cubic Equations and DES
5. Selected Results: Some Successful Attacks
Results on CTC
Nicolas T. Courtois: “How Fast can be Algebraic Attacks on Block Ciphers?”, eprint.iacr.org/2006/168/
Results on CTC2
Much more resistant to LC [cf. Orr Dunkelman and Nathan Keller: Linear Cryptanalysis of CTC, eprint.iacr.org/2006/250/].
Results on ToySerpent
ToySerpent, 5 rounds, 32 S-boxes * 4 bits. The first 84 key bits are guessed, 44 remain unknown. 4 CP => broken in 32 hours by ElimLin.
Results on ToyRijndael
Unexpectedly strong; the only difference is the S-box: 0/21 “Linear+X2” equations...
Results on DES
See also: eprint.iacr.org/2006/402/
Example: looking for another special property of DES. An attack with a known key (glass-box).
Motivation: educational, to study differential cryptanalysis.
Conclusion: algebraic attacks with SAT are easier when there are many solutions.
=> Algebraic cryptanalysis should be a very good tool for breaking hash functions [as shown by Mironov-Zhang, Crypto 2006 Rump Session].
Conclusion:
Claim
This criterion is necessary for
the security of all these ciphers.
No proof.
A precaution.
Many ciphers still secure.
2. Algebraic Attacks on HFE and Other PKCs Based on Multivariate Polynomials
Security of HFE
Special case: the Matsumoto-Imai cryptosystem [Eurocrypt ’88], a power function (as in the Rijndael S-box): x -> x^3
Attack on Matsumoto-Imai
x -> x^3: the inverse function gives Boolean functions of very high degree.
Attack on HFE
x -> polynomial of degree d. Again multivariate relations; attack in n^(3/2 log d).
[Nicolas Courtois, PhD thesis 1998, published in CT-RSA 2001]
New paper about this: [Faugère, Joux, Crypto 2003]. Same attack, but it explains the origin of these equations!
Forgot to acknowledge 4 previously published papers [Patarin, Courtois, Shamir-Kipnis, Courtois-Daum-Felke].
3. Algebraic Attacks on Stream Ciphers with Linear Feedback (e.g. LFSR-based)
state = multivariate linear function (prev. state)
So what?
Common Opinions on Stream Ciphers
“Most real life designs centre around LFSRs combined by a non-linear Boolean function.”
“State of the art in generic stream ciphers cryptanalysis can be summarized as follows: correlation and fast correlation attacks.”
[Eric Filiol, Decimation Attack of Stream Ciphers, eprint.iacr.org, 2000]
Common belief: ciphers with linear feedback (LFSR, etc…) can be made secure using highly non-linear Boolean functions.
Example:
Toyocrypt, n=128, d=63.
Problem: the degree is usually high… (even AFTER taking a lower degree approximation).
Their degree turns out to be much lower!
Toyocrypt: one of the only two stream ciphers accepted to the second phase of CRYPTREC (for the Japanese government).
Fact: Toyocrypt. There is a multivariate relation of degree 3 in the 128 key bits, involving 1 consecutive output bit.
LILI-128
Fact: LILI-128. There is a multivariate relation of degree 4 in the 89 key bits, involving 1 consecutive output bit.
E0
Fact: E0. There is a multivariate relation of degree 4 in the 128 key bits, involving 4 consecutive output bits.
So what? One equation is enough to break all of these!
Due to
• the recursive structure of the cipher, and
• the linear feedback (e.g. in LFSRs), which preserves the degree,
we may generate as many equations as we want.
So what? One equation is enough to break all of these!
• Given … keystream bits,
• using … bits of memory,
• the secret key can be recovered in ….
• Verified experimentally.
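The “generate as many equations as you want, then linearise” step described here, together with the multiply-by-monomials step of the “How XL works” slide, as an added example that is not from the slides: a toy 8-bit LFSR filter generator (register, taps, filter function s0*s1 + s2 and key are all constructed for this demonstration) whose keystream bits each give one degree-2 equation in the key bits, solved by XL-style multiplication up to degree D followed by Gaussian elimination over GF(2).

```python
# Added example, not from the slides: a toy LFSR filter generator, the
# "generate as many equations as you want" step and an XL-style solver that
# multiplies by monomials up to degree D and then linearises (D=2: plain
# linearisation).  Register, taps, filter and key are constructed for this demo.
from itertools import combinations

N = 8                    # register length = key length
TAPS = (0, 2, 3, 4)      # s(t+8) = s(t)+s(t+2)+s(t+3)+s(t+4), x^8+x^4+x^3+x^2+1
ONE = frozenset()        # the constant monomial

# A GF(2) polynomial is a set of monomials (frozensets of key-bit indices);
# set symmetric difference is XOR, so the linear feedback keeps the degree.
def mul(p, q):
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}                         # k_i * k_i = k_i
    return out

def outputs(m):
    """Symbolic output polynomial (in the key bits) for the first m clocks
    of the Fibonacci register with filter z = s0*s1 + s2."""
    state = [{frozenset({i})} for i in range(N)]
    for _ in range(m):
        yield mul(state[0], state[1]) ^ state[2]
        new = set()
        for t in TAPS:
            new ^= state[t]
        state = state[1:] + [new]

def evaluate(p, key):
    return sum(all(key[i] for i in m) for m in p) % 2

def keystream(key, m):
    return [evaluate(p, key) for p in outputs(m)]

def equations(z):
    """One degree-2 equation per keystream bit: output polynomial + z_t = 0."""
    return [p ^ ({ONE} if bit else set()) for p, bit in zip(outputs(len(z)), z)]

def xl(eqs, D):
    """Multiply each equation by all monomials of degree <= D - deg(eq), treat
    every monomial as one unknown and eliminate over GF(2).
    Returns (R, T, rank, key or None): R equations, T monomials."""
    ext = [mul(p, {frozenset(vs)}) for p in eqs
           for k in range(D - max(map(len, p), default=0) + 1)
           for vs in combinations(range(N), k)]
    monos = sorted({m for p in ext for m in p if m}, key=lambda m: (len(m), sorted(m)))
    col = {m: i for i, m in enumerate(monos)}
    T, mask = len(monos), (1 << len(monos)) - 1    # constant term sits at bit T
    basis = {}                                     # pivot column -> row bits
    for p in ext:
        r = 0
        for m in p:
            r |= 1 << (col[m] if m else T)
        for c in sorted(basis):                    # clear earlier pivot columns
            if r >> c & 1:
                r ^= basis[c]
        if r & mask:
            basis[((r & mask) & -(r & mask)).bit_length() - 1] = r
    for c in sorted(basis, reverse=True):          # back-substitution to RREF
        for c2 in basis:
            if c2 != c and basis[c2] >> c & 1:
                basis[c2] ^= basis[c]
    rank = len(basis)
    if rank < T or any(frozenset({i}) not in col for i in range(N)):
        return len(ext), T, rank, None             # not saturated yet
    return len(ext), T, rank, [basis[col[frozenset({i})]] >> T & 1 for i in range(N)]

KEY = [1, 0, 1, 1, 0, 0, 1, 0]                     # constructed secret key
```

With 36 keystream bits the linearised system (D=2) saturates at rank = T = 36 and returns the key, while 8 bits leave 19 monomials and only 8 equations; at D=3 the same 36 equations expand to R = 324 and T = 92, the growth the R/T discussion is about.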
Results
Can We Do Better? If the keystream bits are consecutive: yes, much better!
Improved Results