Stream ciphers are one of the main cryptographic primitives used in symmetric cryptography. Historically, the first stream ciphers were built with “linear” registers, where linearity is meant both in the register update function (which sends one state to the next) and in the output function, which computes the keystream as a function of the current state. Purely linear registers are not used any longer because their state can be quickly recovered from a small portion of their produced keystream, e.g. by the Berlekamp-Massey algorithms [5, Chapter 7]. Since the use of linear structures translates into hardware implementations based on only a few XOR gates, which is highly desirable for practical applications, most modern stream ciphers retain some part of this original structure. Among the many competing stream designs, one has recently attracted some interest: the so-called nonlinear filter generators . Indeed, they preserve a linear update for their state, composed of one or several linear registers, but they output their keystream via a nonlinear function of their state: this function is called filter. The most notable example of these ciphers is the WG-PRNG, which was submitted to the NIST competition on Lightweight Cryptography .
Traditionally, stream ciphers are attacked with two approaches: correlation attacks, that exploit possible correlations between some part of the keystream and a portion of the initial state, and approximation attacks, where the nonlinear part is approximated by a linear component. The design defenses against these types of attacks rely on choosing nonlinear components with specific properties, such as high nonlinearity  and high correlation immunity. In recent years, a new family of attacks have emerged, the so-called algebraic attacks. Some interesting works in this direction are [4, 15, 14]
. In this paper, we propose a new form of algebraic attack, which is especially effective against nonlinear filter generators. We show with two toy examples how the attack can be performed in practice. We also apply our attack to WG-PRNG and we provide a complexity estimate that shows a fatal weakness of this cipher. We also report previous attempts at breaking WG-PRNG with algebraic attacks and we discuss their shortcomings.
The paper is structured as follows:
In Chapter 2, we collect all the notations, definitions and known facts needed in the remainder of the paper. We briefly illustrate the XL-Algorithm to solve Boolean equations systems and the algebraic attack to nonlinear filter generators presented in .
In Chapter 3, we explain our improved algebraic attack in detail.
In Chapter 4, to validate our algebraic attack, first we apply it to two toy stream ciphers and then we show that it is feasible to perform it on WG-PRNG. We conclude showing that the security of WG-PRNG is less that claimed until now. For the sake of presentation, we will first describe the part regarding WG-PRNG, and then the one on the two toy ciphers.
In this section, we fix some notations and recall some known results. We denote by the field with two elements, and by the polynomial ring in variables over . Given a monomial of , the degree of is . For , denote by the set of all the square-free monomials in of degree at most , that is
Let and be two distinct monomials of . The degree reverse lexicographic order (DLR) on is defined as if either or
and the rightmost nonzero component of the vectoris positive. Let , we denote by the support of , that is the set of all the non-zero terms of .
For , let denote the set of the Boolean functions in variables. Depending on the context, we represent as a square-free polynomial of or by means of its algebraic normal form (ANF), namely as a polynomial of the quotient ring , where is the ideal generated by the field equations.
Let , then
is called the set of annihilators of . Notice that . Moreover, and are ideals of , and and
Let , then
is called the algebraic immunity of . By , it holds .
When , for some , we say that is an affine Boolean function. When , is said to be linear.
A nonlinear filter generator is the combination of a linear feedback shift register (LFSR) and a nonlinear Boolean function. More precisely,
A nonlinear filter generator is a stream cipher that starts from an initial state and, at each clock , produces a keystream bit , where
is the linear update function;
is the nonlinear output function.
is called filter function.
2.1 Solving a Boolean equations system
Let be nonlinear Boolean equations. Consider the following system
The XL-Algorithm, introduced by Courtois, Klimov, Patarin, and Shamir in , is a computation method for solving a system as the one in (1). Assume that all the , for , have the same positive degree . Fix such that . The idea of the XL-Algorithm is to generate all the possible equations of at most degree that satisfy the system. The algorithm performs the following four steps.
Multiply: For each , generate the equations
Linearize: Consider each monomial in as an independent variable and perform Gaussian elimination on the equations obtained in Step 1. The ordering on the monomials must be such that all the terms containing one (fixed) variable (say ) are eliminated last.
Solve: If Step 2 yields at least one univariate equation in the powers of , solve this equation over . If not, algorithm fails.
Repeat: Simplify the equations and repeat the process to find the values of the other variables.
Other versions of the XL-algorithm can be found in . If is big enough, we expect to find one solution for the system. In this case, the complexity of XL will be essentially the complexity of one single Gaussian reduction in Step 2.
Let be the number of equations generated in XL, and be the number of monomials in . Then
Let be the number of linearly independent equations in XL. Clearly, . In practice,
. The main heuristic behind XL is that for some, we have always . Then we expect that if , it is possible, by Gaussian elimination, to obtain one equation in only one variable, and XL will work. Otherwise, we need a bigger or .
2.2 Algebraic Attack
An algebraic attack to a nonlinear filter generator with nonlinear output function , if we know keystream bits, consists in solving a nonlinear Boolean equations system, namely
in order to recover the initial state.
In the following, we will report the generic algebraic attack designed by Courtois and Meier, and we refer to the original work  for more detail.
The main idea behind this attack is to decrease the degree of the original system by multiplying each equation in (3), that are usually of high degree, by a well chosen . The resulting equations are
which are of substantially lower degree. Then, if (resp. ), we can choose (resp. ), and we get an equation of low degree on the initial state bits, that is . The smaller the algebraic immunity of is, the lower degree the resulting equation has. If we get one such equation for each of sufficiently many keystream bits, we obtain a very overdefined system of multivariate equations that can be solved efficiently.
3 An improved algebraic attack
The core idea of our new algebraic attack is to use many annihilators simultaneously, instead of only one, and provide a good estimate of the number of keystream bits needed to perform the attack, which is strictly related to the number of linearly independent equations after the multiply phase in the XL-Algorithm. Indeed, by increasing the number of linearly independent equations, we need fewer keystream bits than the ones required in the Courtois and Meier’s attack.
Before presenting our attack, we need some preliminary results.
Let be a polynomial ring over any field and let , with , be a set of linearly independent polynomials. Let , with . If is equal to , for some , then either or, for all , divides .
We prove the statement by induction on the degree of .
Let . Since is not a constant polynomial, therefore . By hypothesis, divides , but . It follows that .
Let . For any , we write , with and . Note that at least one has to be nonzero, otherwise all the have degree less than , and then can not divide . We have
Therefore, divides . As , by induction hypothesis, either or, for all , divides . The latter can not happen, as , for all . Then . Since is a set of linearly independent polynomials and , it holds that , for all . Therefore, , for all and the statement is proved. ∎
Let be a polynomial ring over any field and let be such that, for any , , with . Let , where for and , are nonzero monomials in , for all and . If is a set of linearly independent polynomials in , then is a set of linearly independent polynomials in .
We prove the statement by induction on the number of polynomials in .
Let . Suppose there exist , not all zero, such that
Therefore, we have . Since and are polynomial rings in two disjoint sets of variables, , whereas , it follows that and , for some , that is a contradiction, as are supposed linearly independent.
Let , and suppose there exist , for and , not all zero, such that
We may assume, without loss of generality, , and then , since for each and , by hypothesis. Therefore,
Let and . Then,
divides the term on the left in Equation , then it must divide the one on the right, as well. By Lemma 3.1, either or, for all , divides . Assume the latter is true, then
It should hold , then , that is , for some , but this is a contradiction since . It follows that . The set has cardinality smaller than , then, by applying the induction hypothesis, , for all and . Hence, we obtain
As , should be zero. But this is a contradiction for the linearly independence of the ’s. ∎
Consider a nonlinear filter generator with an -bit inner state. Denote by its nonlinear output function. It takes in input bits of the inner state. Therefore, up to rename the variables, we may consider as a square-free polynomial of .
Our algebraic attack consists of the following steps:
Define two ideals of , and , as
where is the ideal generated by the field equations. Compute the reduced Gröbner bases, and , with respect to , of and , respectively.
Select from (resp. ) the maximal set (resp. ) of square-free polynomials such that the degree of all the polynomials is not greater than and (resp. ) generates (resp. ).
Denote by . Fix . Multiply each in (resp. ) by all the square-free monomials such that . Reduce all the polynomials by and denote by (resp. ) the resulting set of distinct polynomials.
Select from (resp. ) the maximal set of linearly independent polynomials. Denote it by (resp. ).
Compute the number of required keystream bits as
If is greater than the maximum number of consecutive keystream bits fixed for the stream cipher, then the attack is infeasible.
Solve, by using the XL-Algorithm with the fixed , the system
where, for , the polynomials are all the square-free polynomials in .
First of all, note that in all the polynomials of (resp. ) are annihilators of (resp. ), and then (resp. ). Moreover, by Step 2., all the polynomials in have degree at most . Therefore, the system (7) is obtained from system (3) by multiplying each equation for more than one annihilator, and we have decreased the degree of the equations in the system.
The delicate part is to determine , that is the number of needed keystream bits to solve the system and hence to perform the attack. In fact, the XL-Algorithm successfully finishes if there are enough linearly independent equations after multiply phase. In our situation, it is not simple to estimate the linear dependencies that arise from the linear update function . To be more precise, there could exist and monomials of degree at most such that
is not a linearly independent set.
If we suppose that after the multiply phase all the equations are linearly independent, except for a negligible part of them, then we bump into an underestimation of the needed keystream bits, and then of the security of the nonlinear filter generator. Steps from 2. to 5. are aimed at providing a fair . Up to Step 4., we compute a maximal set of square-free polynomials in that are linearly independent. In Step 5, we exploit Proposition 3.2 to estimate the number of linearly independent polynomials in , and then, the value . In detail, at each clock , every polynomial is multiplied by monomials. Since the polynomials in are linearly independent, by Proposition 3.2 the number of linearly independent equations, at each clock , is given by
where either or , depending on the value of . We can approximate the number of linearly independent equations, which we obtain after the multiply phase of XL, with . To guarantee that the system can be solved by Gaussian elimination, we impose the condition
and we get the estimation for .
4 Applications of our attack
In this section, first we describe the stream cipher WG-PRNG, we show how to apply it on WG-PRNG. Moreover, we effectively perform our algebraic attack on two toy stream ciphers.
4.1 Testing our attack on WG-PRNG
4.1.1 Specifications of WG-PRNG
WG-PRNG, which was submitted to the NIST competition on Lightweight Cryptography , is a nonlinear filter generator that operates over the finite field , defined using the primitive polynomial . Let be a root of . By using the polynomial basis , any can be written as , for .
The function defined as
is called the WG permutation over . The function defined as
is called the WG transformation over , where denotes the trace function defined by . A decimated WG permutation and decimated WG transformation over are defined as and , respectively, with . The filter function of WG-PRNG is the decimated WG transformation with . We have computed its algebraic normal form and it is given by
Henceforth, we will write and , even if we refer to their decimated versions with . The inner state of WG-PRNG consists of words , each of bits, for a total of bits. The WG-PRNG has two phases: an initialization phase and a running phase. The output is produced only in the running phase.
Initialization phase: Let denote the initial state. A random seed is loaded into the internal state and then the state update function is applied 74 times. For , the state update function is given by
Running phase: In this phase, the inner state is updated according to the following LFSR feedback function:
At each clock cycle , a pseudorandom bit is produced by applying WGT on the last word of the register. A pseudorandom bit sequence is produced by WG-PRNG as
4.1.2 The previous algebraic attack on WG-PRNG
We observe that the Courtois and Meier’s attack is not feasible.
Let be the inner state of WG-PRNG after the initialization phase. Denote by the update function of WG-PRNG that maps a state into the next one (see Equation (9)). Let be the filter function of WG-PRNG and consider the natural extension of in . Suppose we retrieved keystream bits. Without loss of generality, we may assume that they are the first keystream bits, namely . Therefore, we have the following equations:
Hence, we get the system (1), with , for .
According to the algebraic attack of Courtois and Meier, to decrease the degree of the system equations, we can multiply any equation in (10) by an annihilator of and the one of , depending on whether the keystream bit is 1 or 0. Since , let and be such that . Then, for , if , we get otherwise As reported in , the XL-Algorithm works if
To avoid this attack, the designers conveniently restricted the number of consecutive output bits up to .
4.1.3 Applying our attack on WG-PRNG
The main aim of our work is not to perform effectively the attack described in Section 3 on WG-PRNG, but to estimate how many keystream bits one needs to perform successfully the attack on WG-PRNG. We will show that knowing less than keystream bits, it is possible to recover the initial state, that is the security of the WG-PRNG is less than the one stated by the designer.
We will describe in detail the steps from 1. to 5. in order to compute .
We first consider as a square-free polynomial in , indeed its algebraic normal form involves only the variables (see Equation (8)). We set the two ideals of , and , as
where is the ideal generated by the field equations. The reduced Gröbner bases with respect to of and are
respectively, where and , for all .
We set and , since all the polynomials are square-free and of degree 3 or 4, that is smaller than .
Let , and we fix . We multiply each in (resp. ) by all the square-free monomials such that . After reducing all the polynomials by , we get the sets .
We select from (resp. ) the maximal set of linearly independent polynomials, and we obtain (resp. ). Both and consists of 64 polynomials. In particular, let , for . Then,
|D||Keystream Bits Collected ()||Time Complexity|
As shown in Table 1, the attack is not feasible if , as it needs more than keystream bits. However, for both and , it is possible to carry out the attack knowing and , respectively, and so the security level is less than 128 bits, contradicting the claim in . Finally, for , the time complexity is worse than brute force.
4.2 Testing our attack on two toy stream ciphers
To validate our algebraic attack, we will define a general construction of a scaled version of WG-PRNG, and we will test our attack on two instances.
We consider nonlinear filter generators that operate over the finite field , defined using the primitive polynomial , as in WG-PRNG. Moreover, at each clock , it produces a keystream , where is the initial state of length (for WG-PRNG, ), is the nonlinear output function of WG-PRNG, i.e. WGT, and is a linear update function satisfying the following properties:
it is a primitive polynomial,
it has an odd number of terms,
the constant term is , where is a root of ,
the coefficients of the terms of degree nonzero are in .
We have tested our algebraic attack on two nonlinear filter generators, as defined above. We set and , respectively, and the linear update functions are and , respectively.
We have studied only the case .
Note that, since the filter function is the same of WG-PRNG, the first four steps of the attack returns the same results of the first four steps performed on WG-PRNG.
First we consider the toy that has as linear update function. We compute and . For , we have . According to our estimates, we need to collect keystream bits to perform an attack. We run computations to determine how much is close to the number of linearly independent equations obtained at the end of the algorithm. The number of linearly independent equations is , while .
Now we consider the toy that has as linear update function. We compute and . For , . According to our estimates, we need to collect keystream bits to perform an attack. We run computations to determine how much is close to the number of linearly independent equations obtained at the end of the algorithm. The number of linearly independent equations is , while .
The relevant result of these two experiments is that in both cases, by knowing only the number of keystream bits we supposed was sufficient, we completely recover the initial state (which was chosen randomly).
Acknowledgement. The computation of this work has been obtained thanks to Magma  and to the server of the Laboratory of Cryptography of the Department of Mathematics, University of Trento. The results in this paper appear partially in the MSc thesis of the second author, who thanks his supervisors (the other two authors). This work has been partially presented in Cryptography and Coding Theory Conference 2021, organized by the group UMI (Italian Mathematical Union) “Crittografia e Codici” and by De Componendis Cifris, in September 2021.
-  Lightweight cryptography, round 2 candidates. https://csrc.nist.gov/projects/lightweight-cryptography/round-2-candidates.
-  Josh Alman and Virginia V. Williams. A refined laser method and faster matrix multiplication. In Proceedings of the 2021 ACM-SIAM Symposium on Discrete Algorithms (SODA), pages 522–539. SIAM, 2021.
-  Riham AlTawy, Guang Gong, Kalikinkar Mandal, and Raghvendra Rohit. Wage: An authenticated encryption with a twist. IACR Transactions on Symmetric Cryptology, S1:132–159, 2020.
-  Frederik Armknecht and Gwenolé Ars. Algebraic Attacks on Stream Ciphers with Gröbner Bases. In Massimiliano Sala, Shojiro Sakata, Teo Mora, Carlo Traverso, and Ludovic Perret, editors, Gröbner Bases, Coding, and Cryptography, pages 329–348. Springer Berlin Heidelberg, Berlin, Heidelberg, 2009.
-  Elwyn R Berlekamp. Algebraic coding theory (revised edition). World Scientific, 2015.
-  Wieb Bosma, John Cannon, and Catherine Playoust. The magma algebra system I: The user language. Journal of Symbolic Computation, 24(3-4):235–265, 1997.
-  Claude Carlet and Emmanuel Prouff. On a new notion of nonlinearity relevant to multi-output pseudo-random generators. In International Workshop on Selected Areas in Cryptography, pages 291–305. Springer, 2003.
-  Nicolas Courtois, Alexander Klimov, Jacques Patarin, and Adi Shamir. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 392–407. Springer, 2000.
-  Nicolas T. Courtois. Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt. In International Conference on Information Security and Cryptology, pages 182–199. Springer, 2002.
-  Nicolas T. Courtois and Willi Meier. Algebraic attacks on stream ciphers with linear feedback. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 345–359. Springer, 2003.
-  Markus Dichtl. On nonlinear filter generators. In International Workshop on Fast Software Encryption, pages 103–106. Springer, 1997.
-  Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases (F4). Journal of pure and applied algebra, 139(1-3):61–88, 1999.
-  Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In Proceedings of the 2002 international symposium on Symbolic and algebraic computation, pages 75–83, 2002.
-  Roberto La Scala, Sergio Polese, Sharwan K Tiwari, and Andrea Visconti. An algebraic attack to the bluetooth stream cipher e0. arXiv preprint arXiv:2201.01262, 2022.
-  Roberto La Scala and Sharwan K Tiwari. Stream/block ciphers, difference equations and algebraic attacks. Journal of Symbolic Computation, 109:177–198, 2022.
-  Rainer A Rueppel. Stream ciphers. In Analysis and Design of Stream Ciphers, pages 5–16. Springer, 1986.
-  Thomas Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications (corresp.). IEEE Transactions on Information theory, 30(5):776–780, 1984.
-  Volker Strassen. Gaussian elimination is not optimal. Numerische mathematik, 13(4):354–356, 1969.