An algebraic attack on stream ciphers with application to nonlinear filter generators and WG-PRNG

In this paper, we propose a new algebraic attack on stream ciphers. Starting from the well-known attack due to Courtois and Meier, we design an attack especially effective against nonlinear filter generators. We test it on two toy stream ciphers and we show that the level of security of one of stream ciphers submitted to the NIST competition on Lightweight Cryptography, WG-PRNG, is less than that stated before now.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

07/03/2018

Design of a New Stream Cipher: PARS

In this paper, a new stream cipher is designed as a clock-controlled one...
11/04/2019

Generalized NLFSR Transformation Algorithms and Cryptanalysis of the Class of Espresso-like Stream Ciphers

Lightweight stream ciphers are highly demanded in IoT applications. In o...
01/04/2022

An algebraic attack to the Bluetooth stream cipher E0

In this paper we study the security of the Bluetooth stream cipher E0 fr...
07/26/2019

Lazy Stream Programming in Prolog

In recent years, stream processing has become a prominent approach for i...
06/10/2021

Stream processors and comodels

In 2009, Ghani, Hancock and Pattinson gave a coalgebraic characterisatio...
03/20/2020

The application of σ-LFSR in Key-Dependent Feedback Configuration for Word-Oriented Stream Ciphers

In this paper, we propose and evaluate a method for using σ-LFSRs with k...
01/17/2019

New family of Stream Ciphers and their applications for Physical Security

In this paper, we propose a new family of stream ciphers based on combin...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Stream ciphers[16] are one of the main cryptographic primitives used in symmetric cryptography. Historically, the first stream ciphers were built with “linear” registers, where linearity is meant both in the register update function (which sends one state to the next) and in the output function, which computes the keystream as a function of the current state. Purely linear registers are not used any longer because their state can be quickly recovered from a small portion of their produced keystream, e.g. by the Berlekamp-Massey algorithms [5, Chapter 7]. Since the use of linear structures translates into hardware implementations based on only a few XOR gates, which is highly desirable for practical applications, most modern stream ciphers retain some part of this original structure. Among the many competing stream designs, one has recently attracted some interest: the so-called nonlinear filter generators [11]. Indeed, they preserve a linear update for their state, composed of one or several linear registers, but they output their keystream via a nonlinear function of their state: this function is called filter. The most notable example of these ciphers is the WG-PRNG, which was submitted to the NIST competition on Lightweight Cryptography [1].

Traditionally, stream ciphers are attacked with two approaches: correlation attacks, that exploit possible correlations between some part of the keystream and a portion of the initial state, and approximation attacks, where the nonlinear part is approximated by a linear component. The design defenses against these types of attacks rely on choosing nonlinear components with specific properties, such as high nonlinearity [7] and high correlation immunity[17]. In recent years, a new family of attacks have emerged, the so-called algebraic attacks. Some interesting works in this direction are [4, 15, 14]

. In this paper, we propose a new form of algebraic attack, which is especially effective against nonlinear filter generators. We show with two toy examples how the attack can be performed in practice. We also apply our attack to WG-PRNG and we provide a complexity estimate that shows a fatal weakness of this cipher. We also report previous attempts at breaking WG-PRNG with algebraic attacks and we discuss their shortcomings.


The paper is structured as follows:

  • In Chapter 2, we collect all the notations, definitions and known facts needed in the remainder of the paper. We briefly illustrate the XL-Algorithm to solve Boolean equations systems and the algebraic attack to nonlinear filter generators presented in [10].

  • In Chapter 3, we explain our improved algebraic attack in detail.

  • In Chapter 4, to validate our algebraic attack, first we apply it to two toy stream ciphers and then we show that it is feasible to perform it on WG-PRNG. We conclude showing that the security of WG-PRNG is less that claimed until now. For the sake of presentation, we will first describe the part regarding WG-PRNG, and then the one on the two toy ciphers.

2 Preliminaries

In this section, we fix some notations and recall some known results. We denote by the field with two elements, and by the polynomial ring in variables over . Given a monomial of , the degree of is . For , denote by the set of all the square-free monomials in of degree at most , that is

Let and be two distinct monomials of . The degree reverse lexicographic order (DLR) on is defined as if either or

and the rightmost nonzero component of the vector

is positive. Let , we denote by the support of , that is the set of all the non-zero terms of .

For , let denote the set of the Boolean functions in variables. Depending on the context, we represent as a square-free polynomial of or by means of its algebraic normal form (ANF), namely as a polynomial of the quotient ring , where is the ideal generated by the field equations.

Let , then

is called the set of annihilators of . Notice that . Moreover, and are ideals of , and and

Let , then

is called the algebraic immunity of . By [10], it holds .

When , for some , we say that is an affine Boolean function. When , is said to be linear.

A nonlinear filter generator is the combination of a linear feedback shift register (LFSR) and a nonlinear Boolean function. More precisely,

Definition 2.1.

A nonlinear filter generator is a stream cipher that starts from an initial state and, at each clock , produces a keystream bit , where

  • is the linear update function;

  • is the nonlinear output function.

is called filter function.

2.1 Solving a Boolean equations system

Let be nonlinear Boolean equations. Consider the following system

(1)

Several methods have been developed for solving such a system, such as the XL-Algorithm [8] and Gröbner basis techniques [12, 13].

XL-Algorithm

The XL-Algorithm, introduced by Courtois, Klimov, Patarin, and Shamir in [8], is a computation method for solving a system as the one in (1). Assume that all the , for , have the same positive degree . Fix such that . The idea of the XL-Algorithm is to generate all the possible equations of at most degree that satisfy the system. The algorithm performs the following four steps.

  1. Multiply: For each , generate the equations

  2. Linearize: Consider each monomial in as an independent variable and perform Gaussian elimination on the equations obtained in Step 1. The ordering on the monomials must be such that all the terms containing one (fixed) variable (say ) are eliminated last.

  3. Solve: If Step 2 yields at least one univariate equation in the powers of , solve this equation over . If not, algorithm fails.

  4. Repeat: Simplify the equations and repeat the process to find the values of the other variables.

Other versions of the XL-algorithm can be found in [9]. If is big enough, we expect to find one solution for the system. In this case, the complexity of XL will be essentially the complexity of one single Gaussian reduction in Step 2.
Let be the number of equations generated in XL, and be the number of monomials in . Then

(2)

Let be the number of linearly independent equations in XL. Clearly, . In practice,

. The main heuristic behind XL is that for some

, we have always . Then we expect that if , it is possible, by Gaussian elimination, to obtain one equation in only one variable, and XL will work. Otherwise, we need a bigger or .

In conclusion, if the algorithm works, the time complexity is approximately , where depends on the implementation of the matrix multiplication algorithm. The minimum known value for is (see [2]). But in real implementations, (see [18]), and in our estimates we will consider this last approximation.

2.2 Algebraic Attack

An algebraic attack to a nonlinear filter generator with nonlinear output function , if we know keystream bits, consists in solving a nonlinear Boolean equations system, namely

(3)

in order to recover the initial state.

In the following, we will report the generic algebraic attack designed by Courtois and Meier, and we refer to the original work [10] for more detail.
The main idea behind this attack is to decrease the degree of the original system by multiplying each equation in (3), that are usually of high degree, by a well chosen . The resulting equations are

(4)

which are of substantially lower degree. Then, if (resp. ), we can choose (resp. ), and we get an equation of low degree on the initial state bits, that is . The smaller the algebraic immunity of is, the lower degree the resulting equation has. If we get one such equation for each of sufficiently many keystream bits, we obtain a very overdefined system of multivariate equations that can be solved efficiently.

3 An improved algebraic attack

The core idea of our new algebraic attack is to use many annihilators simultaneously, instead of only one, and provide a good estimate of the number of keystream bits needed to perform the attack, which is strictly related to the number of linearly independent equations after the multiply phase in the XL-Algorithm. Indeed, by increasing the number of linearly independent equations, we need fewer keystream bits than the ones required in the Courtois and Meier’s attack.

Before presenting our attack, we need some preliminary results.

Lemma 3.1.

Let be a polynomial ring over any field and let , with , be a set of linearly independent polynomials. Let , with . If is equal to , for some , then either or, for all , divides .

Proof.

We prove the statement by induction on the degree of .

Let . Since is not a constant polynomial, therefore . By hypothesis, divides , but . It follows that .

Let . For any , we write , with and . Note that at least one has to be nonzero, otherwise all the have degree less than , and then can not divide . We have

Therefore, divides . As , by induction hypothesis, either or, for all , divides . The latter can not happen, as , for all . Then . Since is a set of linearly independent polynomials and , it holds that , for all . Therefore, , for all and the statement is proved. ∎

Proposition 3.2.

Let be a polynomial ring over any field and let be such that, for any , , with . Let , where for and , are nonzero monomials in , for all and . If is a set of linearly independent polynomials in , then is a set of linearly independent polynomials in .

Proof.

We prove the statement by induction on the number of polynomials in .

Let . Suppose there exist , not all zero, such that

Let

Therefore, we have . Since and are polynomial rings in two disjoint sets of variables, , whereas , it follows that and , for some , that is a contradiction, as are supposed linearly independent.

Let , and suppose there exist , for and , not all zero, such that

Let

We may assume, without loss of generality, , and then , since for each and , by hypothesis. Therefore,

Let and . Then,

(5)

divides the term on the left in Equation , then it must divide the one on the right, as well. By Lemma 3.1, either or, for all , divides . Assume the latter is true, then

It should hold , then , that is , for some , but this is a contradiction since . It follows that . The set has cardinality smaller than , then, by applying the induction hypothesis, , for all and . Hence, we obtain

As , should be zero. But this is a contradiction for the linearly independence of the ’s. ∎

Consider a nonlinear filter generator with an -bit inner state. Denote by its nonlinear output function. It takes in input bits of the inner state. Therefore, up to rename the variables, we may consider as a square-free polynomial of .

Our algebraic attack consists of the following steps:

  1. Define two ideals of , and , as

    where is the ideal generated by the field equations. Compute the reduced Gröbner bases, and , with respect to , of and , respectively.

  2. Select from (resp. ) the maximal set (resp. ) of square-free polynomials such that the degree of all the polynomials is not greater than and (resp. ) generates (resp. ).

  3. Denote by . Fix . Multiply each in (resp. ) by all the square-free monomials such that . Reduce all the polynomials by and denote by (resp. ) the resulting set of distinct polynomials.

  4. Select from (resp. ) the maximal set of linearly independent polynomials. Denote it by (resp. ).

  5. Compute the number of required keystream bits as

    (6)

    If is greater than the maximum number of consecutive keystream bits fixed for the stream cipher, then the attack is infeasible.

  6. Solve, by using the XL-Algorithm with the fixed , the system

    (7)

    where, for , the polynomials are all the square-free polynomials in .

First of all, note that in all the polynomials of (resp. ) are annihilators of (resp. ), and then (resp. ). Moreover, by Step 2., all the polynomials in have degree at most . Therefore, the system (7) is obtained from system (3) by multiplying each equation for more than one annihilator, and we have decreased the degree of the equations in the system.

The delicate part is to determine , that is the number of needed keystream bits to solve the system and hence to perform the attack. In fact, the XL-Algorithm successfully finishes if there are enough linearly independent equations after multiply phase. In our situation, it is not simple to estimate the linear dependencies that arise from the linear update function . To be more precise, there could exist and monomials of degree at most such that

is not a linearly independent set.

If we suppose that after the multiply phase all the equations are linearly independent, except for a negligible part of them, then we bump into an underestimation of the needed keystream bits, and then of the security of the nonlinear filter generator. Steps from 2. to 5. are aimed at providing a fair . Up to Step 4., we compute a maximal set of square-free polynomials in that are linearly independent. In Step 5, we exploit Proposition 3.2 to estimate the number of linearly independent polynomials in , and then, the value . In detail, at each clock , every polynomial is multiplied by monomials. Since the polynomials in are linearly independent, by Proposition 3.2 the number of linearly independent equations, at each clock , is given by

where either or , depending on the value of . We can approximate the number of linearly independent equations, which we obtain after the multiply phase of XL, with . To guarantee that the system can be solved by Gaussian elimination, we impose the condition

and we get the estimation for .

4 Applications of our attack

In this section, first we describe the stream cipher WG-PRNG, we show how to apply it on WG-PRNG. Moreover, we effectively perform our algebraic attack on two toy stream ciphers.

4.1 Testing our attack on WG-PRNG

4.1.1 Specifications of WG-PRNG

WG-PRNG, which was submitted to the NIST competition on Lightweight Cryptography [1], is a nonlinear filter generator that operates over the finite field , defined using the primitive polynomial . Let be a root of . By using the polynomial basis , any can be written as , for .
The function defined as

is called the WG permutation over . The function defined as

is called the WG transformation over , where denotes the trace function defined by . A decimated WG permutation and decimated WG transformation over are defined as and , respectively, with . The filter function of WG-PRNG is the decimated WG transformation with . We have computed its algebraic normal form and it is given by

(8)

Henceforth, we will write and , even if we refer to their decimated versions with . The inner state of WG-PRNG consists of words , each of bits, for a total of bits. The WG-PRNG has two phases: an initialization phase and a running phase. The output is produced only in the running phase.

Initialization phase: Let denote the initial state. A random seed is loaded into the internal state and then the state update function is applied 74 times. For , the state update function is given by

Running phase: In this phase, the inner state is updated according to the following LFSR feedback function:

(9)

At each clock cycle , a pseudorandom bit is produced by applying WGT on the last word of the register. A pseudorandom bit sequence is produced by WG-PRNG as

4.1.2 The previous algebraic attack on WG-PRNG

We observe that the Courtois and Meier’s attack is not feasible.

Let be the inner state of WG-PRNG after the initialization phase. Denote by the update function of WG-PRNG that maps a state into the next one (see Equation (9)). Let be the filter function of WG-PRNG and consider the natural extension of in . Suppose we retrieved keystream bits. Without loss of generality, we may assume that they are the first keystream bits, namely . Therefore, we have the following equations:

(10)

Hence, we get the system (1), with , for .

According to the algebraic attack of Courtois and Meier, to decrease the degree of the system equations, we can multiply any equation in (10) by an annihilator of and the one of , depending on whether the keystream bit is 1 or 0. Since , let and be such that . Then, for , if , we get otherwise As reported in [9], the XL-Algorithm works if

To avoid this attack, the designers conveniently restricted the number of consecutive output bits up to .

4.1.3 Applying our attack on WG-PRNG

The main aim of our work is not to perform effectively the attack described in Section 3 on WG-PRNG, but to estimate how many keystream bits one needs to perform successfully the attack on WG-PRNG. We will show that knowing less than keystream bits, it is possible to recover the initial state, that is the security of the WG-PRNG is less than the one stated by the designer.

We will describe in detail the steps from 1. to 5. in order to compute .

  1. We first consider as a square-free polynomial in , indeed its algebraic normal form involves only the variables (see Equation (8)). We set the two ideals of , and , as

    where is the ideal generated by the field equations. The reduced Gröbner bases with respect to of and are

    and

    respectively, where and , for all .

  2. We set and , since all the polynomials are square-free and of degree 3 or 4, that is smaller than .

  3. Let , and we fix . We multiply each in (resp. ) by all the square-free monomials such that . After reducing all the polynomials by , we get the sets .

  4. We select from (resp. ) the maximal set of linearly independent polynomials, and we obtain (resp. ). Both and consists of 64 polynomials. In particular, let , for . Then,

  5. In this case, we have , and, by varying , they are equal to:

    By means of the Equation (6), we compute the number of required keystream bits, as summarize in Table 1, together with the time complexity. The latter is computed as , as reported in Subsection 2.1.

D Keystream Bits Collected () Time Complexity
Table 1:

As shown in Table 1, the attack is not feasible if , as it needs more than keystream bits. However, for both and , it is possible to carry out the attack knowing and , respectively, and so the security level is less than 128 bits, contradicting the claim in [3]. Finally, for , the time complexity is worse than brute force.

4.2 Testing our attack on two toy stream ciphers

To validate our algebraic attack, we will define a general construction of a scaled version of WG-PRNG, and we will test our attack on two instances.

We consider nonlinear filter generators that operate over the finite field , defined using the primitive polynomial , as in WG-PRNG. Moreover, at each clock , it produces a keystream , where is the initial state of length (for WG-PRNG, ), is the nonlinear output function of WG-PRNG, i.e. WGT, and is a linear update function satisfying the following properties:

  • it is a primitive polynomial,

  • it has an odd number of terms,

  • the constant term is , where is a root of ,

  • the coefficients of the terms of degree nonzero are in .

We have tested our algebraic attack on two nonlinear filter generators, as defined above. We set and , respectively, and the linear update functions are and , respectively.

We have studied only the case .

Note that, since the filter function is the same of WG-PRNG, the first four steps of the attack returns the same results of the first four steps performed on WG-PRNG.

First we consider the toy that has as linear update function. We compute and . For , we have . According to our estimates, we need to collect keystream bits to perform an attack. We run computations to determine how much is close to the number of linearly independent equations obtained at the end of the algorithm. The number of linearly independent equations is , while .

Now we consider the toy that has as linear update function. We compute and . For , . According to our estimates, we need to collect keystream bits to perform an attack. We run computations to determine how much is close to the number of linearly independent equations obtained at the end of the algorithm. The number of linearly independent equations is , while .

The relevant result of these two experiments is that in both cases, by knowing only the number of keystream bits we supposed was sufficient, we completely recover the initial state (which was chosen randomly).

Acknowledgement. The computation of this work has been obtained thanks to Magma [6] and to the server of the Laboratory of Cryptography of the Department of Mathematics, University of Trento. The results in this paper appear partially in the MSc thesis of the second author, who thanks his supervisors (the other two authors). This work has been partially presented in Cryptography and Coding Theory Conference 2021, organized by the group UMI (Italian Mathematical Union) “Crittografia e Codici” and by De Componendis Cifris, in September 2021.

References

  • [1] Lightweight cryptography, round 2 candidates. https://csrc.nist.gov/projects/lightweight-cryptography/round-2-candidates.
  • [2] Josh Alman and Virginia V. Williams. A refined laser method and faster matrix multiplication. In Proceedings of the 2021 ACM-SIAM Symposium on Discrete Algorithms (SODA), pages 522–539. SIAM, 2021.
  • [3] Riham AlTawy, Guang Gong, Kalikinkar Mandal, and Raghvendra Rohit. Wage: An authenticated encryption with a twist. IACR Transactions on Symmetric Cryptology, S1:132–159, 2020.
  • [4] Frederik Armknecht and Gwenolé Ars. Algebraic Attacks on Stream Ciphers with Gröbner Bases. In Massimiliano Sala, Shojiro Sakata, Teo Mora, Carlo Traverso, and Ludovic Perret, editors, Gröbner Bases, Coding, and Cryptography, pages 329–348. Springer Berlin Heidelberg, Berlin, Heidelberg, 2009.
  • [5] Elwyn R Berlekamp. Algebraic coding theory (revised edition). World Scientific, 2015.
  • [6] Wieb Bosma, John Cannon, and Catherine Playoust. The magma algebra system I: The user language. Journal of Symbolic Computation, 24(3-4):235–265, 1997.
  • [7] Claude Carlet and Emmanuel Prouff. On a new notion of nonlinearity relevant to multi-output pseudo-random generators. In International Workshop on Selected Areas in Cryptography, pages 291–305. Springer, 2003.
  • [8] Nicolas Courtois, Alexander Klimov, Jacques Patarin, and Adi Shamir. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 392–407. Springer, 2000.
  • [9] Nicolas T. Courtois. Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt. In International Conference on Information Security and Cryptology, pages 182–199. Springer, 2002.
  • [10] Nicolas T. Courtois and Willi Meier. Algebraic attacks on stream ciphers with linear feedback. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 345–359. Springer, 2003.
  • [11] Markus Dichtl. On nonlinear filter generators. In International Workshop on Fast Software Encryption, pages 103–106. Springer, 1997.
  • [12] Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases (F4). Journal of pure and applied algebra, 139(1-3):61–88, 1999.
  • [13] Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In Proceedings of the 2002 international symposium on Symbolic and algebraic computation, pages 75–83, 2002.
  • [14] Roberto La Scala, Sergio Polese, Sharwan K Tiwari, and Andrea Visconti. An algebraic attack to the bluetooth stream cipher e0. arXiv preprint arXiv:2201.01262, 2022.
  • [15] Roberto La Scala and Sharwan K Tiwari. Stream/block ciphers, difference equations and algebraic attacks. Journal of Symbolic Computation, 109:177–198, 2022.
  • [16] Rainer A Rueppel. Stream ciphers. In Analysis and Design of Stream Ciphers, pages 5–16. Springer, 1986.
  • [17] Thomas Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications (corresp.). IEEE Transactions on Information theory, 30(5):776–780, 1984.
  • [18] Volker Strassen. Gaussian elimination is not optimal. Numerische mathematik, 13(4):354–356, 1969.