RESYNCHRONIZATION ATTACK ON STREAM CIPHERS
FILTERED BY MAIORANA-MCFARLAND FUNCTIONS
Guanhan Chew, Aileen Zhang and Khoongming Khoo
DSO National Laboratories, 20 Science Park Drive, Singapore 118230, Singapore
Keywords:
Stream ciphers, Resynchronization attacks, Maiorana-McFarland functions, Cube attack.
Abstract:
In this paper, we present an extension to the resynchronization attack on stream ciphers of (Daemen et al.,
1993). The most general attack in (Daemen et al., 1993) on a nonlinearly filtered register with linear resync
has attack complexity ⌈
n
φ
⌉ × 2
φ
, where n is the key length and φ the input size of the filter function. It was
further shown specifically that the attack complexity can be reduced in the case when the filter function is
a multiplexer. The attack of (Daemen et al., 1993) is most efficient when the input size is small. We shall
show that a large input size may not necessarily guard against this attack, even when a function with good
cryptographic properties is used. It may decrease the attack complexity, in the example illustrated in this
paper. Boolean functions from the Maiorana-McFarland class make good choices for these filter functions
due to their good cryptographic properties such as balance, high nonlinearity and high order of resiliency.
However, these functions can become linear when certain input bits are fixed. We shall demonstrate this
weakness and use it to achieve lower attack complexities for the general resynchronization attack of (Daemen
et al., 1993).
1 INTRODUCTION
Resynchronization mechanisms are used to prevent
the loss of synchronization in stream ciphers deployed
in synchronous communication contexts. The scheme
allows multiple parties to dynamically join or leave
a secure network by encrypting the communication
channel using different key streams generated by dif-
ferent initial states of the cipher. The internal state is
repeatedly reinitialized using publicy-known initial-
ization vectors (IV). Since resynchronization is per-
formed multiple times over the duration of communi-
cation, the mechanism should be fast. By using pub-
licly known information (e.g. time) to generate the
IVs, no additional information (apart from the shared
secret key) required for cipher operations need to be
transmitted. For efficiency, the internal state of the ci-
pher at the start of each resynchronization is typically
linearly generated from the IV and secret key. Non-
linear functions are used to map internal state bits to
keystream bits.
While the scheme may appear to enhance secu-
rity by generating keystream bits from multiple initial
states, it was shown in (Daemen et al., 1993) that the
cipher becomes vulnerable to the paper’s proposed at-
tack when the input size of the filter function is suffi-
ciently small and we have enough keystreambits from
different resyncs. As a natural countermeasure, a ci-
pher designer can use a nonlinear function with large
input size. We shall demonstrate in this paper that
this measure may not guard against the resynchro-
nization attack, even when the nonlinear function is
known to have good cryptographic properties. Fur-
thermore, it may improve the efficiency of a resyn-
chronization attack. This can happen when the non-
linear function belongs to Maiorana-McFarland class
of Boolean functions, which are known have good
trade-offs between various desirable cryptographic
properties such as correlation immunity and nonlin-
earity (Carlet, 2002; Canteaut et al., 2000; Seberry
et al., 1993; Sarkar and Maitra, 2000). Maiorana-
McFarland functions are used in ciphers such as Toy-
ocrypt (as described in (Mihaljevic and Imai, 2002))
and Grain-128 (Hell et al.).
In this paper, we shall first briefly recount the
original resynchronization attack of (Daemen et al.,
1993). In Section 2.3, we shall present the resynchro-
nization attack based on Maiorana-McFarland func-
tions. In Section 3, we compare our attack with other
known resynchronization attacks before concluding
this paper.
159
Chew G., Zhang A. and Khoo K. (2009).
RESYNCHRONIZATION ATTACK ON STREAM CIPHERS FILTERED BY MAIORANA-MCFARLAND FUNCTIONS.
In Proceedings of the International Conference on Security and Cryptography, pages 159-162
DOI: 10.5220/0002261301590162
Copyright
c
SciTePress
2 RESYNCHRONIZATION
ATTACK ON FILTER
FUNCTION
2.1 Attack Setup
In this paper, we assume the attack model and no-
tation of (Daemen et al., 1993). Resynchronization
is achieved by initializing the internal state by an
affine transformation on the key K ∈ {0,1}
n
. If we
let s
0
i
∈ {0,1}
n
be the initial internal state of the i-th
resync, then
s
0
i
= L(K, IV
i
)
= A(K) ⊕ B(IV
i
)
= A(K) ⊕ R
i
,
where L denotes a linear mixing of the secret key
K and known initialization vector IV
i
. A and B
are known affine transformations. R
i
, defined to be
B(IV
i
), is therefore publicly known.
The state gets updated at every clocking time-step
via a linear function F. If s
t
i
denotes the internal state
at clock t during the i-th resync, we have
s
t+1
i
= F(s
t
i
). (1)
Keystream bits z
t
i
∈ {0, 1} are generated at each
clock via a nonlinear filter function f, acting on some
subset u
t
i
of internal state bits s
t
i
:
z
t
i
= f(u
t
i
), (2)
where
u
t
i
= G(s
t
i
), (3)
for some known linear transformation G which
projects the internal state vector s
t
i
onto u
t
i
.
2.2 Basic Resynchronization Attack
If we suppose that u
t
i
∈ {0,1}
φ
and that u
t
i
is known,
then we can form φ linear equations involving the key
bits of K. We can solve for the key K when enough
bits from the internal state s
t
i
are known. If all linear
relations formed are independent, we would need to
collect ⌈
n
φ
⌉ u
t
i
vectors.
To reconstruct u
t
i
, we make use of the easily veri-
fiable result u
t
i
= u
t
j
⊕ G◦ F
t
(R
i
⊕ R
j
), for any j. Sub-
stituting this into f(u
t
i
) = z
t
i
, we get
z
t
j
= f(u
t
i
⊕ G◦ F
t
(R
i
⊕ R
j
)). (4)
When multiple keystream bits z
t
j
at the same clock
t across different resyncs are known, we can solve for
u
t
i
by performing 2
φ
evaluations of f, thus forming a
set of φ linear equations in the key bits. Since we need
a total of n equations, the total number of f evalua-
tions is about
l
n
φ
m
× 2
φ
. (5)
For this attack, we need a total of ⌈
n
φ
⌉ × φ keystream
bits. Each group of φ bits has to come from the same
clock.
2.3 Extension to Maiorana-McFarland
Filter Function
If we suppose f : {0,1}
φ
→ {0,1} is of the form:
f(x
1
,x
2
,...,x
φ
) = g(x
1
,x
2
,. ..,x
r
)
⊕ h(x
1
,. ..,x
r
) · (x
r+1
,. ..,x
φ
), (6)
where h : {0,1}
r
→ {0,1}
φ−r
and g : {0,1}
r
→ {0,1},
the attack complexity can be improved, in spite of
the desirable cryptographic properties functions of
this form exhibit (Sarkar and Maitra, 2000). This is
mainly brought about by a reduction in search com-
plexity from 2
φ
to about 2
r
.
Instead of guessing all φ bits in u
t
i
, we guess the r
bits in u
t
i
that correspond to the inputs to the functions
g and h. Each such guess linearizes (6) and produces
one linear equation in terms of the (φ − r) unknown
bits in u
t
i
that are input to (x
r+1
,. ..,x
φ
). We collect
(φ− r) resyncs at the same clock t and form a system
of (φ − r) equations in terms of these unknown bits.
We then solve this system of equations.
We check for consistency by substituting all bits,
both guessed and solved, of u
t
i
, into the function f for
the r additional resyncs at the same clock and com-
pare our result with the actual keystream bits. If they
agree, we keep the vector u
t
i
. Since we have made 2
r
guesses in u
t
i
and we are verifying r keystream bits,
we should end up with about one guess out of 2
r
that
passes the consistency check. With this correct solu-
tion for u
t
i
, we form φ linear equations in terms of the
n key bits of K.
The steps in the two preceding paragraphs are re-
peated as necessary to solve for more u
t
′
i
s. A total of
⌈
n
φ
⌉ u
t
′
i
s need to be formed from distinct clocks. When
we have formed enough linear equations, we solve for
the key bits by Gaussian elimination.
In the guess and verification steps, we require a
total of about
l
n
φ
m
× φ× 2
r
. (7)
f-function evaluations.
The total number of row operations needed is
l
n
φ
m
× (φ− r)
2
× 2
r
+ n
2
. (8)
SECRYPT 2009 - International Conference on Security and Cryptography
160
The above expression can be refined to represent
the complexity more accurately. If (φ − r) > 64 and
we are performing Gaussian elimination on a 64-bit
machine, then the number of row operations needed
to solve the (φ− r) × (φ − r) matrix is
(φ−r)
3
64
, assum-
ing that matrix coefficients are stored in 64-bit words.
The same goes for the n
2
term, which should be
n
3
64
when n > 64.
We need a total of ⌈
n
φ
⌉ × φ keystream bits. Each
group of φ keystream bits has to come from the same
clock.
3 COMPARISON WITH OTHER
RESYNCHRONIZATION
ATTACKS
3.1 Comparison with the Original
Resynchronization Attack
Suppose we have a 256-bit LFSR and a 128-bit IV. We
let the key size n = 128, φ = 50 and r = 25. To guard
against the Time-Memory-Data Trade-Off Attack, we
have chosen the size of the LFSR to be twice the size
of the key.
The basic resync attack of (Daemen et al., 1993)
requires ⌈128/50⌉ ×2
50
≈ 2
51
f-function evaluations
and
128
3
64
= 2
15
row operations.
In comparison, our attack in Section 2.3 requires
⌈128/50⌉ × 50 × 2
25
≈ 2
32
f-function evaluations
⌈128/50⌉ × (50− 25)
2
× 2
25
+
128
3
64
≈ 2
36
row opera-
tions.
The attack of (Daemen et al., 1993) has a factor
of 2
21
less row operations than the attack of Section
2.3, while the latter has a factor of 2
19
less function
evaluations. These factors are comparable. However,
since function evaluation is a more computationally
complex task (more so when the function is of high
degree) compared to row operations, we can expect
the overall complexity for the attack of Section 2.3
to be less than that for (Daemen et al., 1993). The
resource requirements for both attacks are tabulated
in Tables 1 and 2.
Table 1: Basic Attack.
f-function evaluations 2
51
Row operations 2
15
Number of resyncs 50
Number of clocks 3
Table 2: Our Attack.
f-function evaluations 2
32
Row operations 2
36
Number of resyncs 50
Number of clocks 3
3.2 Comparison with Cube Attack
The cube attack is an algebraic attack recently intro-
duced by Dinur and Shamir at Crypto 2008 (Dinur
and Shamir, 2009). Given a function f : {0,1}
φ
→
{0,1} of degree r + 1, we attempt to find maxterms,
monomials t = x
i
1
.. . x
i
r
of degree r. They have the
property that f
0
can be expressed as
f(x) = t · P(x) + Q(x)
where Q(x) does not have any terms that are divisi-
ble by t, and P(x) is nonzero. Then, by summing f
over the cube where the x
i
j
are varied over all possi-
ble values, and varying the values of the other x
k
, we
can solve for P(x). Since P(x) is linear, by taking φ
maxterms, we get a system of linear equations which
we can solve for the x
i
.
When applied to a LFSR filtered by a Maiorana-
McFarland function of degree r+ 1, we get a precom-
putation complexity of
l
n
φ
m
× φ(φ+ 1) × 2
r
+ n
2
, (9)
and online complexity of
l
n
φ
m
× φ× 2
r
+ n, (10)
where n is the key size and φ the input size of the fil-
ter function. In Equations (9) and (10), the n
2
and
n terms account for complexities of matrix inversion
and matrix multiplication respectively. These terms
should be changed to n
3
/64 and n
2
/64 when n > 64
for reasons mentioned in Section 2.3. The online at-
tack complexity is comparable with that of our resync
attack above.
However, our resync attack has several advantages
over the cube attack. Firstly, it requires only known
IVs, whereas the cube attack needs chosen IVs so as
to be able to sum over the cube. Furthermore, the cube
attack requires φ×2
r
resyncs, while our resync attack
only needs φ − r resyncs. (Both methods need ⌈
n
φ
⌉
clocks per resync.) These much weaker conditions
make our resync attack more suitable than the cube at-
tack for Maiorana-McFarland functions. Finally, the
operations used in the resync attack are matrix row
operations, which are computationally less demand-
ing than the large number of function evaluations for
the cube attack.
RESYNCHRONIZATION ATTACK ON STREAM CIPHERS FILTERED BY MAIORANA-MCFARLAND
FUNCTIONS
161
To illustrate the complexities of the two attacks,
we consider the following example:
f(x
0
,. ..,x
49
) = x
0
· x
25
+ x
1
· x
26
+ ··· + x
23
· x
48
+S(x
25
,. ..,x
48
) + x
24
+ x
49
where S is a degree 24 function comprising the sum of
many high degree monomials such that it is difficult
to find a low degree multiple.
This is a degree 24, 1-resilient (balanced and 1-
correlation immune) boolean function with a high
nonlinearity of 2
49
− 2
25
, and it is also resistant to al-
gebraic attack due to the lack of a low degreemultiple.
Suppose the key size n = 128. We let the input to f
0
be a linear mixing of key and IV.
Our resync attack requires 3×50×2
24
≈ 2
31
func-
tion evaluations, and 3 × 26
2
× 2
24
+
128
3
64
≈ 2
35
row
operations, as well as approximately 26 resyncs.
The cube attack needs 3 × 50 × 51 × 2
23
≈ 2
36
function evaluations and
128
3
64
= 2
15
row operations
for the precomputation stage, as well as 3×50×2
23
≈
2
30
function evaluations and
128
2
64
= 2
8
multiplications
for the online phase. It also requires approximately
2
29
chosen IV resyncs.
Table 3: Our Attack.
f-function evaluations 2
31
Row operations 2
35
Number of resyncs 26
Number of clocks 3
Table 4: Cube Attack.
f-function evaluations (precomp) 2
36
Row operations (precomp) 2
15
f-function evaluations (online) 2
30
Multiplications (online) 2
8
Number of chosen IV resyncs 2
29
Number of clocks 3
As shown in the Tables 3 and 4, the number of
function evaluations required for our attack is compa-
rable to that for the cube attack. However, our attack
requires a much smaller number of resyncs. Further-
more, the IVs do not need to be of a chosen form.
4 CONCLUSIONS
We have applied the resynchronization attack on
stream ciphers with linearly clocked registers filtered
with Maiorana-McFarland functions. While Boolean
functions with large input sizes, nonlinearities, re-
siliencies and algebraic degrees may be ideal choices
for the cryptographic components in a synchronous
stream cipher we have described, it is not the case
for the class of functions we have studied. Despite
their good trade-off between cryptographically desir-
able properties, their simple algebraic form has made
them prone to guess-and-linearize-likeattacks such as
that we have described. Our study has also affirmed
the common view that the internal state should not be
linearly resynchronized from the key and IV.
REFERENCES
Canteaut, A., Carlet, C., Charpin, P., and Fontaine, C.
(2000). Propagation characterisics and correlation-
immunity of highly nonlinear boolean functions. In
Eurocrypt 2000. LNCS 1807:507-522.
Carlet, C. (2002). A larger class of cryptographic boolean
functions via a study of the Maiorana-McFarland con-
struction. In Crypto 2002. LNCS 2442:549-564.
Daemen, J., Govaerts, R., and Vandewalle, J. (1993).
Resynchronization weakness in synchronous stream
ciphers. In Eurocrypt 1993. LNCS 765:159-167.
Dinur, I. and Shamir, A. (2009). Cube attacks on tweakable
black-box polynomials. In Eurocrypt 2009. LNCS
5479:278-299.
Hell, M., Johansson, T., and Meier, W. Grain
- a stream cipher for constrained environments.
In The eStream Project - eStream Phase 3:
http://www.ecrypt.eu.org/stream/grainp3.html.
Mihaljevic, M. and Imai, H. (2002). Cryptanalysis of
Toyocrypt-HS1 stream cipher. In IEICE Trans. Fun-
damentals, vol. E85-A no. 1, pp. 66-73.
Sarkar, P. and Maitra, S. (2000). Nonlinearity bounds and
constructions of resilient boolean functions. In Crypto
2000. LNCS 1880:515-532.
Seberry, J., Zhang, X., and Zheng, Y. (1993). On construc-
tions and nonlinearity of correlation immune func-
tions (extended abstract). In Eurocrypt 1993. LNCS
765:181-199.
SECRYPT 2009 - International Conference on Security and Cryptography
162
