Introducing a new variant of fast algebraic attacks and minimizing their successive data complexity

Abstract

Algebraic attacks have established themselves as a powerful method for the cryptanalysis of LFSR-based keystream generators (e.g., E0 used in Bluetooth). The attack is based on solving an overdetermined system of low-degree equations Rt = 0, where Rt is an expression in the state of the LFSRs at clock t and one or several successive keystream bits zt, . . ., zt+δ. In fast algebraic attacks, new equations of a lower degree are constructed in a precomputation step. This is done by computing appropriate linear combinations of T successive initial equations Rt = 0. The successive data complexity of the attack is the number T of successive equations. We propose a new variant of fast algebraic attacks where the same approach is employed to eliminate some unknowns, making a divide-and-conquer attack possible. In some cases, our variant is applicable whereas the first one is not. Both variants can have a high successive data complexity (e.g., T ≥ 8.822.188 for E0). We describe how to keep it to a minimum and introduce suitable efficient algorithms for the precomputation step. © Springer-Verlag Berlin Heidelberg 2005.