Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt

  • Conference paper
Information Security and Cryptology — ICISC 2002 (ICISC 2002)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2587)

Abstract

Many stream ciphers are built of a linear sequence generator and a non-linear output function f. There is an abundant literature on (fast) correlation attacks, which use linear approximations of f to attack the cipher. In this paper we explore higher degree approximations, which have been much less studied. We reduce the cryptanalysis of a stream cipher to solving a system of multivariate equations that is overdefined (many more equations than unknowns). We adapt the XL method, introduced at Eurocrypt 2000 for overdefined quadratic systems, to solving equations of higher degree. Though the exact complexity of XL remains an open problem, there is no doubt that it works perfectly well for such largely overdefined systems as ours, and we confirm this by computer simulations. We show that using XL, it is possible to break stream ciphers that were known to be immune to all previously known attacks. For example, we cryptanalyse the stream cipher Toyocrypt, accepted to the second phase of the Japanese government Cryptrec program. Our best attack on Toyocrypt takes 2^92 CPU clocks for a 128-bit cipher. An interesting feature of our XL-based higher order correlation attacks is their very loose requirements on the known keystream: for example, they may work knowing ONLY that the ciphertext is in English.
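The following is an added illustration of the reduction the abstract describes; it is not code from the paper and it is not Toyocrypt. It builds a constructed 10-bit filter generator whose output function is quadratic, so every keystream bit is a degree-2 polynomial in the unknown initial state. With many more known keystream bits than monomials of degree at most 2 (55 here), the system is overdefined enough that the XL step at D = 2, which treats every monomial as a fresh unknown and then performs Gaussian elimination over GF(2), recovers the state. The feedback polynomial, tap positions, filter function, keystream length and secret state are all assumptions chosen for this example; the higher-degree and probabilistic (correlation) variants in the paper are not shown.

```python
"""Added example: linearization (XL at D = 2) against a constructed toy filter generator."""
from itertools import combinations, product

# ---- constructed toy cipher (assumption: a small filter generator, not Toyocrypt)
N = 10                     # LFSR length
FEEDBACK = (0, 3)          # s[t+N] = s[t] ^ s[t+3]  (x^10 + x^3 + 1 is primitive over GF(2))
FILTER_IN = (0, 3, 5, 8)   # state cells fed into the output function f


def f(a, b, c, d):
    """Quadratic output function: keystream bits are therefore quadratic in the state."""
    return (a & b) ^ (c & d) ^ a


def keystream(state, length):
    """Clock the LFSR `length` times and return f's outputs.

    Works on plain bits (ints) and on Poly objects alike, because both
    support `&` (multiplication) and `^` (addition) over GF(2).
    """
    s = list(state)
    out = []
    for t in range(length):
        out.append(f(*(s[t + i] for i in FILTER_IN)))
        s.append(s[t + FEEDBACK[0]] ^ s[t + FEEDBACK[1]])
    return out


class Poly:
    """Multivariate polynomial over GF(2): a set of monomials, each a frozenset of variable indices."""

    def __init__(self, monos=()):
        self.m = frozenset(monos)

    def __xor__(self, other):          # addition over GF(2)
        return Poly(self.m ^ other.m)

    def __and__(self, other):          # multiplication; x_i * x_i = x_i over GF(2)
        r = set()
        for a in self.m:
            for b in other.m:
                r ^= {a | b}
        return Poly(r)


# Unknowns of the linearized system: every monomial of degree 1 or 2.
MONOS = [frozenset({i}) for i in range(N)] + [frozenset(c) for c in combinations(range(N), 2)]
COL = {m: j for j, m in enumerate(MONOS)}
M = len(MONOS)   # 10 + 45 = 55 unknowns after linearization


def build_system(z):
    """One GF(2)-linear equation over the monomial unknowns per known keystream bit."""
    sym = keystream([Poly([frozenset({i})]) for i in range(N)], len(z))
    rows = []
    for zt, pt in zip(z, sym):
        row = zt << M                  # bit M holds the right-hand side
        for mono in pt.m:
            if mono:
                row |= 1 << COL[mono]  # non-constant monomial -> its column
            else:
                row ^= 1 << M          # constant 1 moves to the right-hand side
        rows.append(row)
    return rows


def rref_gf2(rows, ncols):
    """Reduced row echelon form over GF(2); rows are bit-packed ints, column j = bit j."""
    rows = list(rows)
    pivots = []
    r = 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i] >> c & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i] >> c & 1:
                rows[i] ^= rows[r]
        pivots.append(c)
        r += 1
        if r == len(rows):
            break
    return rows[:r], pivots


def recover_state(z, max_free=16):
    """Solve the linearized system; any leftover free monomials are resolved by guess-and-verify."""
    red, pivots = rref_gf2(build_system(z), M)
    free = [c for c in range(M) if c not in set(pivots)]
    if len(free) > max_free:
        raise ValueError(f"{len(free)} free columns: system is not overdefined enough")
    found = []
    for bits in product((0, 1), repeat=len(free)):
        v = [0] * M
        mask = 0
        for c, b in zip(free, bits):
            v[c] = b
            mask |= b << c
        for row, c in zip(red, pivots):
            v[c] = (row >> M & 1) ^ (bin(row & mask).count("1") & 1)
        # Linearization forgot that x_ij is really x_i * x_j: discard inconsistent vectors.
        if all(v[COL[frozenset({i, j})]] == (v[i] & v[j]) for i, j in combinations(range(N), 2)):
            state = v[:N]
            if keystream(state, len(z)) == z:
                found.append(state)
    return found


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]    # constructed secret initial state
    z = keystream(secret, 3 * M)               # 165 known keystream bits, 55 unknowns
    print(recover_state(z))
```

The point the example makes is the one the abstract states in general: a degree-d output function turns each keystream bit into a degree-d equation in the initial state, and once the number of equations comfortably exceeds the number of monomials, solving is linear algebra rather than search. For larger d, or when the equations only hold with some probability (the correlation setting), the paper's XL variant multiplies the equations by further monomials and handles the errors; that part is not reproduced here.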




Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Courtois, N.T. (2003). Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds) Information Security and Cryptology — ICISC 2002. ICISC 2002. Lecture Notes in Computer Science, vol 2587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36552-4_13

  • DOI: https://doi.org/10.1007/3-540-36552-4_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00716-6

  • Online ISBN: 978-3-540-36552-5
