Cryptanalysis of Achterbahn-128/80

HAL Id: inria-00111964

https://hal.inria.fr/inria-00111964v2

Submitted on 13 Nov 2006

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

Cryptanalysis of Achterbahn-128/80

Maria Naya Plasencia

To cite this version:

Maria Naya Plasencia. Cryptanalysis of Achterbahn-128/80. [Research Report] RR-6014, INRIA.

2006, pp.14. �inria-00111964v2�

inria-00111964, version 2 - 13 Nov 2006

a p p o r t

d e r e c h e r c h e

IS

S

N

0

2

4

9

-6

3

9

9

IS

R

N

IN

R

IA

/R

R

--6

0

1

4

--F

R

+

E

N

G

Thème SYM

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

Cryptanalysis of Achterbahn-128/80

María Naya Plasencia

N° 6014

Unité de recherche INRIA Rocquencourt

Domaine de Voluceau, Rocquencourt, BP 105, 78153 Le Chesnay Cedex (France)

Téléphone : +33 1 39 63 55 11 — Télécopie : +33 1 39 63 53 30

MaríaNaya Plasen ia

ThèmeSYMSystèmessymboliques ProjetCODES

Rapportdere her he n°6014November200614pages

Abstra t: Thispaperpresentstwoatta ksagainstA hterbahn-128/80,thelastversionof oneofthestream ipherproposalsin theeSTREAMproje t. Theatta kagainstthe80-bit variant,A hterbahn-80,has omplexity

2

56.32

. Theatta kagainstA hterbahn-128requires

2

75.4

operationsand

2

61

keystreambits. Theseatta ksarebasedonanimprovementofthe atta kdue to Hell andJohansson against A hterbahnversion 2and also onan algorithm thatmakesprotoftheshortlengthsofthe onstituentregisters.

Key-words: eSTREAM, stream iphers, A hterbahn, orrelationatta ks,parity he ks, ryptanalysis

Résumé : Ce papierprésente deuxattaques sur A hterbahn-128/80,ladernièreversion d'undes algorithmesproposésdans le adre deeSTREAM.L'attaque surla versionde80 bits, A hterbahn-80, est en

2

56.32

. L'attaquesur A hterbahn-128 abesoinde

2

75.4

al uls et

2

61

bits de suite hirante. Ces attaques sontbasées sur une améliorationdel'attaque proposéeparHelletJohanssonsurlaversion2d'A hterbahnetaussisurunalgorithmequi tireprotdespetiteslongueursdesregistres.

Mots- lés: eSTREAM, hirementàot,A hterbahn,attaquespar orrélation,relations deparité, ryptanalyse

1 Introdu tion

A hterbahn[4,6℄isastream ipherproposalsubmittedtotheeSTREAMproje t. Afterthe ryptanalysisofthersttwoversions[8,7℄,ithasmovedontoanewone alled A hterbahn-128/80[5℄published in June2006. A hterbahn-128/80 orrespondsto twokeystream gen-eratorswithkeysizesof128bitsand80bits,respe tively. Theirmaximalkeystreamlength islimitedto

2

63

.

We present here two atta ks against both generators. The atta k against the 80 bit variant,A hterbahn-80,has omplexity

2

56.32

. Theatta kagainstA hterbahn-128requires

2

75.4

operationsand

2

61

keystreambits. Theseatta ksarebasedonanimprovementofthe atta kagainstA hterbahnversion2andalsoonanalgorithmthatmakesprotoftheshort lengthsofthe onstituentregisters.

Thepaperisorganizedasfollows. Se tion2presentsthemainspe i ationsof A hterbahn-128/80. Se tion 3 thendes ribes thegeneralprin ipleof theatta k proposed byHell and Johansson[7℄againstthepreviousversionofthe ipherA hterbahnv2,sin eouratta ksrely onasimilarte hnique. Wealsoexhibitanewatta kagainstA hterbahnv2with omplexity

2

49.8

, while thebest previouslyknownatta k had omplexity

2

59

. Se tion 4thenpresents twoatta ksagainstA hterbahn-80andA hterbahn-128respe tively.

1.1 Main spe i ations of A hterbahn-128

A hterbahn-128 is akeystream generator, onsisting of13 binary nonlinear feedba kshift registers (NLFSRs). The length of register

i

is

L

i

= 21 + i

for

i = 0, 1, . . . , 12

. These NLFSRsareprimitiveinthesensethattheirperiods

T

i

areequalto

2

L

i

_{− 1}

. Thesequen e whi h isusedasaninputtotheBoolean ombiningfun tion isnottheoutputsequen eof theNLFSRdire tly,butashiftedversionofitself. Theshiftamountdependsontheregister number, but it is xed for ea h register. In the following,

x

i

= (x

i

(t))

t≥0

for

0 ≤ i ≤ 12

denotestheshiftedversionoftheoutputoftheregister

i

attime

t

.

The output of the keystream generator at time

t

, denoted by

S(t)

, is the one of the Boolean ombiningfun tion

F

withtheinputs orrespondingtotheoutputsequen esofthe NLFSRs orre tlyshifted,i.e.

S(t) = F (x

0

(t), . . . , x

12

(t))

. TheBoolean ombiningfun tion

F

is givenby:

F (x

0

, x

1

, ..., x

12

) = x

0

+ x

1

+ x

2

+ x

3

+ x

4

+ x

5

+ x

7

+ x

9

+ x

11

+ x

12

+ x

0

x

5

+ x

2

x

10

+

x

2

x

11

+ x

4

x

8

+ x

4

x

12

+ x

5

x

6

+ x

6

x

8

+ x

6

x

10

+ x

6

x

11

+ x

6

x

12

+ x

7

x

8

+ x

7

x

12

+ x

8

x

9

+ x

8

x

10

+

x

9

x

10

+ x

9

x

11

+ x

9

x

12

+ x

10

x

12

+ x

0

x

5

x

8

+ x

0

x

5

x

10

+ x

0

x

5

x

11

+ x

0

x

5

x

12

+ x

1

x

2

x

8

+ x

1

x

2

x

12

+

x

1

x

4

x

10

+ x

1

x

4

x

11

+ x

1

x

8

x

9

+ x

1

x

9

x

10

+ x

1

x

9

x

11

+ x

1

x

9

x

12

+ x

2

x

3

x

8

+ x

2

x

3

x

12

+ x

2

x

4

x

8

+

x

2

x

4

x

10

+ x

2

x

4

x

11

+ x

2

x

4

x

12

+ x

2

x

7

x

8

+ x

2

x

7

x

12

+ x

2

x

8

x

10

+ x

2

x

8

x

11

+ x

2

x

9

x

10

+ x

2

x

9

x

11

+

x

2

x

10

x

12

+ x

2

x

11

x

12

+ x

3

x

4

x

8

+ x

3

x

4

x

12

+ x

3

x

8

x

9

+ x

3

x

9

x

12

+ x

4

x

7

x

8

+ x

4

x

7

x

12

+ x

4

x

8

x

9

+

x

4

x

9

x

12

+x

5

x

6

x

8

+x

5

x

6

x

10

+x

5

x

6

x

11

+x

5

x

6

x

12

+x

6

x

8

x

10

+x

6

x

8

x

11

+x

6

x

10

x

12

+x

6

x

11

x

12

+

x

7

x

8

x

9

+ x

7

x

9

x

12

+ x

8

x

9

x

10

+ x

8

x

9

x

11

+ x

9

x

10

x

12

+ x

9

x

11

x

12

+ x

0

x

5

x

8

x

10

+ x

0

x

5

x

8

x

11

+

x

0

x

5

x

10

x

12

+ x

0

x

5

x

11

x

12

+ x

1

x

2

x

3

x

8

+ x

1

x

2

x

3

x

12

+ x

1

x

2

x

7

x

8

+ x

1

x

2

x

7

x

12

+ x

1

x

3

x

5

x

8

+

x

1

x

3

x

5

x

12

+ x

1

x

3

x

8

x

9

+ x

1

x

3

x

9

x

12

+ x

1

x

4

x

8

x

10

+ x

1

x

4

x

8

x

11

+ x

1

x

4

x

10

x

12

+ x

1

x

4

x

11

x

12

+

RR n°6014

x

1

x

5

x

7

x

8

+ x

1

x

5

x

7

x

12

+ x

1

x

7

x

8

x

9

+ x

1

x

7

x

9

x

12

+ x

1

x

8

x

9

x

10

+ x

1

x

8

x

9

x

11

+ x

1

x

9

x

10

x

12

+

x

1

x

9

x

11

x

12

+ x

2

x

3

x

4

x

8

+ x

2

x

3

x

4

x

12

+ x

2

x

3

x

5

x

8

+ x

2

x

3

x

5

x

12

+ x

2

x

4

x

7

x

8

+ x

2

x

4

x

7

x

12

+

x

2

x

4

x

8

x

10

+ x

2

x

4

x

8

x

11

+ x

2

x

4

x

10

x

12

+ x

2

x

4

x

11

x

12

+ x

2

x

5

x

7

x

8

+ x

2

x

5

x

7

x

12

+ x

2

x

8

x

9

x

10

+

x

2

x

8

x

9

x

11

+ x

2

x

9

x

10

x

12

+ x

2

x

9

x

11

x

12

+ x

3

x

4

x

8

x

9

+ x

3

x

4

x

9

x

12

+ x

4

x

7

x

8

x

9

+ x

4

x

7

x

9

x

12

+

x

5

x

6

x

8

x

10

+ x

5

x

6

x

8

x

11

+ x

5

x

6

x

10

x

12

+ x

5

x

6

x

11

x

12

.

Itsmain ryptographi propertiesare:

ˆ balan edness

ˆ algebrai degree=4

ˆ orrelationimmunityorder=8

ˆ nonlinearity=3584

ˆ algebrai immunity=4

1.2 Main spe i ations of A hterbahn-80

A hterbahn-80 onsistsof11registers,whi harethesameonesasin theabove ase,ex ept fortherstandthelastones. TheBoolean ombiningfun tion,

G

,isasub-fun tionof

F

:

G(x

1

, . . . , x

11

) = F (0, x

1

, . . . , x

11

, 0).

Itsmain ryptographi propertiesare:

ˆ balan edness

ˆ algebrai degree=4

ˆ orrelationimmunityorder=6

ˆ nonlinearity=896

ˆ algebrai immunity=4

Aswe ansee,A hterbahn-128 ontainsA hterbahn-80asasubstru ture.

1.3 The key-loading algorithm

Thekey-loadingalgorithmusesthekey

K

and aninitialvalue

IV

. Themethodfor initial-izing the registersis the following one: rst of all, all registersare lled with the bits of

K||IV

. Afterthat,register

i

is lo ked

a − L

i

timeswhere

a

isthenumberofbitsof

K||IV

, andtheremainingbitsof

K||IV

areaddedtothefeedba kbit. Then,ea hregisteroutputs onebit. Those bitsare takenasinput onthe Boolean ombiningfun tion, whi h outputs

a new bit. This bit is now added to the feedba ks for

32

additional lo kings. Then we overwritethelast ellofea hregisterwitha1,inordertoavoidtheallzerostate.

This algorithm hasbeen modiedin relationto the previousversions. Theaimof this modi ationistopreventtheatta kerfromre overingthekey

K

fromtheknowledgeofthe initialstatesofsomeregisters.

2 Atta k against A hterbahn version 2 with omplexity of

2

49

.

8

2.1 Prin iple of Hell and Johansson atta k against A hterbahn v2

A hterbahnversion2wasthepreviousversionofA hterbahn. Themainandmostimportant dieren estothislastone,whi h areusedbytheatta karethat:

ˆ ithad10registers,withlengthsbetween19and32bits,

ˆ theBooleanfun tion,

f

,had orrelationimmunityorder5.

ThisversionhasbeenbrokenbyJohanssonandHell[7℄. Theiratta kisadistinguishing atta kthat relies onthefollowingwell-known lemma, whi h isaparti ular aseof[1, Th. 6℄.

Lemma1 Let

X

be arandom variable that takes itsvalues into

F

2

with adistribution

D

losetothe uniformdistributionthat is

Pr

D

[X = 1] =

1

2

(1 + ε)

with

|ε| ≪ 1.

Then,for anumberof samples

N =

d

ε

2

where

d

isarealnumber,the errorprobability ofthe optimal distinguisher isapproximately

Φ(−

√

d/2)

,where

Φ

isthe distributionfun tion ofthe standardnormal distribution:

Φ(x) =

1

2π

Z

x

−∞

exp



−

t

2

2



dt.

In the following, we will onsider

d = 1

whi h orresponds to an error probability of about0.3. Thepreviousquantity

ε

thatmeasuresthedistan ebetween

D

andtheuniform distributionis alled thebias of

D

.

Theatta kproposedbyHellandJohanssonexploitsaquadrati approximation

q

ofthe ombiningfun tion

f

:

q(y

1

, . . . , y

n

) =

s

X

j=1

y

i

j

+

m

X

i=1

(y

j

i

y

k

i

)

RR n°6014

with

m

quadrati termsandwhi hsatises

Pr

[f (y

1

, . . . , y

n

) = q(y

1

, . . . , y

n

)] =

1

2

(1 + ε).

Webuildtheparity- he kequations,astheonesintrodu edby[8℄,thatmakedisappear thequadrati termsbysummingup:

q(t) =

s

X

j=1

x

i

j

(t) +

m

X

i=1

x

j

i

(t)x

k

i

(t)

at

2

m

dierentmoments

(t+τ )

moments,where

τ

variesinthesetofthelinear ombinations with

0 − 1

oe ientsof

T

j

1

T

k

1

, T

j

2

T

k

2

, . . . , T

j

m

T

k

m

. Inthefollowing,thissetisdenotedby

hT

j

1

T

k

1

, . . . , T

j

m

T

k

m

i

,i.e:

hT

j

1

T

k

1

, . . . , T

j

m

T

k

m

i =

(

_n

X

i=1

c

i

T

j

i

k

i

, c

1

, . . . , c

m

∈ {0, 1}

)

.

Thisleadsto

pc(t) =

X

τ∈hT

_j1

T

_k1

,...,T

_jm

T

_km

i

q(t + τ )

=

X

τ∈hT

_j1

T

_k1

,...,T

jm

T

km

i

(x

i

1

(t + τ ) + . . . + x

i

s

(t + τ )) .

Wethende imatethesequen e

(pc(t))

t≥0

bytheperiodsof

p

sequen esamong

(x

i

1

(t))

t≥0

, . . . , (x

i

s

(t))

t≥0

. We ansupposeherewithoutlossofgeneralitythattheperiodsoftherst

p

sequen eshave

been hosen.

Nowanewparity- he k,

pc

p

, anbedenedby:

pc

p

(t) = pc(tT

i

1

. . . T

i

p

).

This way, the inuen e of those

p

registerson the parity- he k

pc

p

(t)

orresponds to the additionofa onstantforall

t ≥ 0

,soitwill be

0

or

1

foralltheparity- he ks.

Now,theatta k onsists inperforminganexhaustivesear hfortheinitialstatesofthe

(s − p)

remaining registers, i.e. those of indi es

i

p+1

, . . . , i

s

. Forea h possible valuesfor theseinitialstates,we ompute:

σ(t) =

X

τ∈hT

_j1

T

_k1

,...,T

_jm

T

_km

i



S(tT

i

1

. . . T

i

p

+ τ ) +

s

X

j=p+1

x

i

j

(tT

i

1

. . . T

i

p

+ τ )





(1) Wehave Pr

[σ(t) = 0] =

1

2

(1 + ε

2

m

).

Using this bias, we andistinguish the keystream

(S(t))

t≥0

from arandom sequen e and alsore overtheinitialstatesof

(s − p)

onstituentregisters.

2.2 Complexity

ˆ We will have

2

m

termsin ea h parity- he k. That means that weneed to ompute

ε

−2

m+1

= 2

n

b

2

m+1

values of

σ(t)

formountingthedistinguishing atta k,where

n

b

=

log

2

ε

−1

. Besides,

σ(t)

isdenedby(

1

),implyingthattheatta krequires

2

n

b

2

m+1

+

P

p

j=1

L

ij

₊

m

X

i=1

2

L

_ji

+L

_ki

keystreambits

,

where

L

i

j

arethelengthsoftheregistersasso iatedtotheperiods bywhi hwehave de imated, and thelast term orrespondsto the maximal distan e betweenthe bits involvedinea hparity- he k.

ˆ Time omplexitywillbe

2

m

₂

n

b

2

m+1

+

P

s

j=p+1

L

ij

where

i

p+1

, . . . , i

s

are the indi es of the registers by whi h period we have not de -imated, so the registers over whom we have made an exhaustivesear h and whose initialstatewearegoingtond.

2.3 Example with A hterbahn version 2

HellandJohansson[7℄haveusedthisatta kagainstA hterbahnversion2withthefollowing quadrati approximation:

Q(x

1

, . . . , x

10

) = x

1

+ x

2

+ x

3

x

8

+ x

4

x

6

.

Then,theyde imatebytheperiodofthese ondregister,whoselengthis

22

. Afterthat,they makeanexhaustivesear hovertherstregister,whose lengthis

19

. Time omplexitywill be

2

62

anddata omplexity

2

59.02

. Usingthesmalllengthsoftheregisters,time omplexity anberedu edbelowdata omplexity,sothenal omplexityoftheatta kwillbe

2

59.02

.

2.4 Improvement of the Atta k against A hterbahn version 2

We are going to improve the previously des ribed atta k against A hterbahn v2 and we redu ethe omplexityto

2

49.8

.

Forthisatta k,weusetheideaofasso iatingthevariablesinordertoredu ethenumber oftermsthatwewillhaveintheparity- he ks. Theonlyee t thatthis ouldhaveonthe nal omplexityoftheatta kistoenlargethenumberofrequiredkeystreambits;butbeing areful,wemakeitstaythesamewhileredu ingthetime omplexity.

The hosen approximation. At rst, we sear hed between all thequadrati s approx-imationsof

f

with one and twoquadrati terms, asthe original atta kpresentedby Hell andJohanssonwasbasedonaquadrati approximation. Finally,afterlookingaftera trade-o betweenthe number ofterms, the number ofvariables, the bias... we foundthat none

quadrati approximation wasbetter for this atta k than linearones. It is worth noti ing that,sin ethe ombiningfun tion

f

is 5-resilient,anyapproximationof

f

involvesatleast 6input variables. Moreover,thehighestbias orrespondingtoanapproximationof

f

bya 6-variablefun tion isa hievedbyafun tionofdegreeone asprovedin [3℄. Afteranalyzing all linear approximationsof the Boolean ombiningfun tion, we found that the best one was:

g(x

1

, . . . , x

10

) = x

8

+ x

6

+ x

4

+ x

3

+ x

2

+ x

1

.

Wehave

f (x

1

, . . . , x

10

) = g(x

1

, . . . , x

10

)

withaprobabilityof

1

2

(1 + 2

−3

_).

Parity- he ks. Letusbuild aparity- he kasfollows:

ggg(t) = g(t) + g(t + T

1

T

8

) + g(t + T

2

T

6

) + g(t + T

1

T

8

+ T

2

T

6

),

with

g(t) = x

8

(t) + x

6

(t) + x

4

(t) + x

3

(t) + x

2

(t) + x

1

(t).

Theterms

x

8

,

x

6

,

x

2

,

x

1

willdisappearand,so,

ggg(t)

isasequen ethatdependsuniquelyon thesequen es

x

3

and

x

4

. Addingfourtimestheapproximationhastheee tofmultiplying thebiasfour times,sothebiasof

σ(t) = S(t) + S(t + T

1

T

8

) + S(t + T

2

T

6

) + S(t + T

1

T

8

+ T

2

T

6

)

is

2

−3×4

_{= 2}

−12

be ause

4

isthenumberoftermsin

ggg(t)

. That meansthat wewillneed

2

3×4×2

_{= 2}

24

valuesoftheparity- he kfordete tingthisbias. Ifwede imate

ggg(t)

bythe periodofregister

3

,wewillneed

2

24

_T

3

+ T

1

T

8

+ T

2

+ T

6

= 2

24+23

+ 2

29+19

+ 2

27+22

= 2

49.8

bitsofkeystream, andtime omplexitywillbe

2

24

× 2

L

4

_{= 2}

49

asweonlyguesstheinitialstateofregister4.

We onsider that the total omplexityis given by thedata omplexity, asit is higher than the time omplexity. This omplexity is

2

49.8

while the omplexity of the previous atta kwasequalto

2

59

.

3 Cryptanalysis of A hterbahn-128/80

Now, wedes ribeanewatta kagainstA hterbahn-80witha omplexity of

2

56.32

where a linear approximationof the output fun tion is onsidered. The atta k is adistinguishing atta kbutitalsoallowstore overtheinitialstatesof ertain onstituentregisters. Wealso des ribeanatta k againstA hterbahn-128with a omplexityof

2

75.4

wherewe onsider a linearapproximationof theoutputfun tionand wemakeprotoftheshortlengthsofthe registersinvolvedintheproposedstream ipher.

3.1 Cryptanalysis of A hterbahn-80

Thisatta kis verysimilar tothe improvementoftheatta kagainstA hterbahnversion2 whi h hasbeendes ribedinthepreviousse tion.

Ouratta kexploitsthefollowinglinearapproximationofthe ombiningfun tion

G

:

ℓ(x

1

, . . . , x

11

) = x

1

+ x

3

+ x

4

+ x

5

+ x

6

+ x

7

+ x

10

.

Sin e

G

is 6-resilient,

ℓ

is thebestapproximationbya7-variablefun tion.

For

ℓ(t) = x

1

(t) + x

3

(t) + x

4

(t) + x

5

(t) + x

6

(t) + x

7

(t) + x

10

(t)

,thekeystream

(S(t))

t≥0

satisesPr

[S(t) = ℓ(t)] =

1

2

(1 − 2

−3

)

.

Parity- he ks. Letusbuildaparity- he kasfollows:

ℓℓ(t) = ℓ(t) + ℓ(t + T

4

T

7

) + ℓ(t + T

6

T

5

) + ℓ(t + T

4

T

7

+ T

6

T

5

).

Theterms ontainingthesequen es

x

4

,

x

5

,

x

6

,

x

7

vanishin

ℓℓ(t)

,so

ℓℓ(t)

dependsex lusively onthesequen es

x

1

,

x

3

and

x

10

.

Addingfour times theapproximationhas theee t of multiplyingthe biasfour times, sothebiasof

σ(t) = S(t) + S(t + T

7

T

4

) + S(t + T

6

T

5

) + S(t + T

7

T

4

+ T

6

T

5

)

where

(S(t))

t≥0

isthekeystream, is

2

−4×3

. Thismeansthat weneed

2

3×4×2

_{= 2}

24

parity- he ks

σ(t)

todete tthisbias.

Wenowde imate

σ(t)

by theperiod oftheregister

10

,whi h isinvolvedin the parity- he k,sowe reatelikethisanewparity- he k:

σ

′

(t) = σ(t(2

31

− 1)).

Then,theatta kperformsanexhaustivesear hfortheinitialstatesofregisters

1

and

3

. Its time omplexityis

2

24

× 2

L

1

+L

3

_{= 2}

70

.

Thenumberofkeystreambitsthatweneedis

2

24

× T

10

+ T

4

T

7

+ T

6

T

5

= 2

56.32

.

3.2 Cryptanalysis of A hterbahn-128

Now, we present a distinguishing atta k againstthe 128-bit versionof A hterbahnwhi h alsore overstheinitialstatesoftworegisters.

We onsiderthefollowingapproximationofthe ombiningfun tion

F

:

ℓ(x

0

, . . . , x

12

) = x

0

+ x

3

+ x

7

+ x

4

+ x

10

+ x

8

+ x

9

+ x

1

+ x

2

.

Then,for

ℓ(t) = x

0

(t) + x

3

(t) + x

7

(t) + x

4

(t) + x

10

(t) + x

8

(t) + x

9

(t) + x

1

(t) + x

2

(t)

,wehave Pr

[S(t) = ℓ(t)] =

1

2

(1 + 2

−3

).

Parity- he ks. Theperiodofanysequen eobtainedby ombiningtheregisters

0

,

3

and

7

isequaltol m

(T

0

, T

3

, T

7

)

,i.e.

2

59.3

as

T

0

T

3

and

T

7

have ommondivisors. Wearegoing todenotethisvalueby

T

0,3,7

.

Ifwebuildaparity he kasfollows:

ℓℓℓ(t) =

X

τ∈hT

0,3,7

,T

4,10

,T

8,9

i

ℓ(t + τ ),

theterms ontainingthesequen es

x

0

,

x

3

,

x

7

,

x

4

,

x

10

,

x

8

,

x

9

willdisappearfrom

ℓℓℓ(t)

,so

ℓℓℓ(t)

dependsex lusivelyonthesequen es

x

1

and

x

2

:

ℓℓℓ(t) =

X

τ∈hT

0,3,7

,T

4,10

,T

8,9

i

ℓ(t + τ )

=

X

τ∈hT

0,3,7

,T

4,10

,T

8,9

i

x

1

(t + τ ) + x

2

(t + τ )

=

σ

1

(t) + σ

2

(t),

where

σ

1

(t)

and

σ

2

(t)

aretheparity- he ks al ulatedonthesequen esgeneratedbyNLFSRs 1and2.

Addingeighttimestheapproximationhastheee tofmultiplyingthebiaseighttimes, sothebiasof

σ(t) =

X

τ∈hT

0,3,7

,T

4,10

,T

8,9

i

S(t + τ )

where

(S(t))

t≥0

isthekeystream,is

2

−8×3

. So: Pr

[σ(t) + σ

1

(t) + σ

2

(t) = 1] =

1

2

(1 − ε

8

_).

Thismeansthatweneed

2

3×8×2

_{= 2}

48

valuesof

σ(t) + σ

1

(t) + σ

2

(t)

to dete tthis bias. Wenowdes ribeanalgorithmfor omputingthesum

σ(t) + σ

1

(t) + σ

2

(t)

overallvalues of

t

. Thisalgorithmhasalower omplexitythananexhaustivesear h fortheinitial states oftheregisters

1

and

2

simultaneously. Here weuse

(2

48

_{− 2)}

valuesof

t

sin e

(2

48

_{− 2) =}

T

2

× (2

25

+ 2).

We anwrite itdownasfollows:

2

48

−3

X

t

′

=0

σ(t

′

_{) ⊕ ℓℓℓ(t}

′

₎

₌

T

2

−1

X

k=0

2

25

+1

X

t=0

σ(T

2

t + k) ⊕ ℓℓℓ(T

2

t + k)

=

T

2

−1

X

k=0

2

25

+1

X

t=0

σ(T

2

t + k) ⊕ σ

1

(T

2

t + k) ⊕ σ

2

(T

2

t + k)

=

T

2

−1

X

k=0



(σ

2

(k) ⊕ 1)





2

25

+1

X

t=0

σ(T

2

t + k) ⊕ σ

1

(T

2

t + k)





+

σ

2

(k)



(2

25

+ 2) −

2

25

+1

X

t=0

σ(T

2

t + k) ⊕ σ

1

(T

2

t + k)









,

sin e

σ

2

(T

2

t + k)

is onstantforaxedvalueof

k

.

At this point, we anobtain

σ(t)

from thekeystreamand we anmakean exhaustive sear hfortheinitialstateofregister1. Morepre isely:

ˆ We hooseaninitialstateforregister2,e.g. thealloneinitialstate. We omputeand saveabinaryve tor

V

2

oflength

T

2

:

V

2

[k] = σ

2

(k),

wherethesequen e

x

2

isgeneratedfrom the hoosen initialstate. The omplexityof thisstateis

T

2

× 2

3

operations.

ˆ Forea h possibleinitialstateofregister1:

 we omputeandsaveave tor

V

1

omposedof

T

2

integersof26bits.

V

1

[k] =

2

25

+1

X

t=0

σ(T

2

t + k) ⊕ σ

1

(T

2

t + k).

The omplexityofthisstateis:

2

48

× (2

4

+ 2

4.7

) = 2

53.4

forea h possible initialstate ofregister1,where

2

4

orrespondsto the number of operationsrequired for omputing ea h

(σ(t) + σ

1

(t))

and

(2

25

_{+ 2) × 2}

4.7

₌

(2

25

_{+ 2) × 26}

isthe ostofsummingup

2

25

_{+ 2}

integersof26bits.  Forea h possible

i

from

0

to

T

2

− 1

:

* wedene

V

′

2

oflength

T

2

:

V

2

′

[k] = V

2

[k + i

mod T

2

].

A tually,

(V

′

2

[k])

k<T

2

orresponds to

(σ

2

(k))

k<T

2

when the initial state of register2 orrespondstointernalstateafter lo king

R2 i

timesfromtheall oneinitial state.

* With thetwove torsthat wehaveobtained,we ompute:

T

2

−1

X

k=0

(V

′

2

[k] ⊕ 1) V

1

[k] + V

2

′

[k] 2

25

+ 2 − V

1

[k]
 .

(2) When we do this with the orre t initial states of registers1 and 2, we will nd the expe tedbias.

forea h possibleinitialstateof

R1

do for

k = 0

to

T

2

− 1

do

V

1

[k] =

P

2

25

₊₁

t=0

σ(T

2

t + k) ⊕ σ

1

(T

2

t + k)

endfor

forea h possibleinitial

i

stateof

R2

do for

k = 0

to

T

2

− 1

do

V

′

2

[k] = V

2

[k + i mod T

2

]

endfor

P

T

2

−1

k=0

(V

2

′

[k] ⊕ 1) V

1

[k] + V

2

′

[k] 2

25

+ 2 − V

1

[k]



if wendthebiasthen

returntheinitial statesof

R1

and

R2

endif

endfor endfor

Table1: Algorithmforndingtheinitialstatesof registers1and2

Thetotaltime omplexityoftheatta kisgoingtobe:

T

1

×

2

48

× 2

4

+ 2

4.7

+ T

2

× 2 × T

2

× 2

4.7

 + T

2

× 2

3

= 2

75.4

,

where

2 × T

2

× 2

4.7

isthetimeittakesto omputethesumdes ribedby(2). A tually,we anspeedupthepro essbyrewriting thesum(2)inthefollowingway

T

2

−1

X

k=0

(−1)

V

2

[k+i]



V

1

[k] −

2

25

_{+ 2}

2



+ T

2

2

25

_{+ 2}

2

Theissueis nowto ndthe

i

that maximizesthis sum,this isthesameas omputingthe maximumofthe ross orrelationof twosequen esof length

T

2

. We andothat e iently

usingafastFouriertransformasexplainedin[2,pages306-312℄. Thenal omplexitywill bein

O(T

2

log T

2

)

. Anyway,thisdoesnot hangeourtotal omplexityasthehighertermis therstone.

The omplexityisgoingtobe,nally:

T

1

×

2

48

× 2

4

+ 2

4.7

+ O(T

2

log T

2

) + T

2

× 2

3

= 2

75.4

.

Thelengthofkeystreamneededis:

T

0,3,7

+ T

4,10

+ T

8,9

+ 2

48

< 2

61

bits.

4 Con lusion

Wehaveproposedanatta kagainstA hterbahn-80in

2

70

. Tothisatta kwe anapplythe samealgorithm asthe one des ribed in Se tion 3.2 against A hterbahn-128, and its time omplexity will be redu ed to about

2

45

, so we an onsider as the total omplexity the length of the keystream needed, sin e it is bigger. The omplexity of the atta k against A hterbahn-80will then be

2

56.32

. An atta k against A hterbahn-128 is also proposed in

2

75.4

where fewer than

2

61

bits of keystream are required. The omplexities of the best atta ksagainstallversionsofA hterbahnaresummarizedinthefollowingtable:

version data omplexity time omplexity referen es v1 (80-bit)

2

32

₂

55

[8℄ v2 (80-bit)

2

59.02

₂

62

[7℄ v2 (80-bit)

2

49.8

₂

49

v80(80-bit)

2

56.32

₂

46

v128(128-bit)

2

60

₂

75.4

Table2: Atta ks omplexitiesagainstallversionsofA hterbahn

Referen es

[1℄ T.Baignères,P.Junod,and S. Vaudenay. Howfar anwegobeyondlinear ryptanal-ysis? InAdvan es inCryptology - ASIACRYPT2004, volume3329ofLe tureNotesin Computer S ien e,pages432450.Springer-Verlag,2004.

[2℄ R.E.Blahut. FastAlgorithmsfor DigitalSignalPro essing. Addison Wesley,1985.

[3℄ A.CanteautandM.Trabbia. Improvedfast orrelationatta ksusingparity- he k equa-tionsofweight4and5. InAdvan es inCryptology - EUROCRYPT2000, volume1807 ofLe tureNotesin Computer S ien e,pages573588.Springer-Verlag,2000.

[4℄ B.M.Gammel,R.Gottfert,andO.Knier.TheA hterbahnstream ipher.eSTREAM, ECRYPTStreamCipherProje t,Report2005/002,2005.http://www.e rypt.eu.org/ stream/ iphers/a hterbahn/a hterbahn.pdf.

[5℄ B.M.Gammel,R.Gottfert,andO.Knier. A hterbahn-128/80.eSTREAM,ECRYPT StreamCipherProje t,Report 2006/001,2006. http://www.e rypt.eu.org/stream/ p2 iphers/a hterbahn/a hterbahn_p2.pdf.

[6℄ B. M. Gammel, R. Gottfert, and O. Knier. Status of A hterbahn and tweaks. eS-TREAM, ECRYPT Stream Cipher Proje t, Report 2006/027, 2006. http://www. e rypt.eu.org/stream/papersdir/2006/027.pdf.

[7℄ M.HellandT.Johansson.CryptanalysisofA hterbahn-version2.eSTREAM,ECRYPT StreamCipherProje t,Report 2006/042,2006. http://www.e rypt.eu.org/stream/ iphers/a hterbahn/a hterbahn.pdf.

[8℄ T.Johansson, W. Meier, andF. Muller. Cryptanalysisof A hterbahn. InAdvan es in Cryptology- FSE2006,volume4047ofLe tureNotesinComputer S ien e,pages114. Springer,2006.

Contents

1 Introdu tion 3

1.1 Mainspe i ationsofA hterbahn-128 . . . 3

1.2 Mainspe i ationsofA hterbahn-80 . . . 4

1.3 Thekey-loadingalgorithm . . . 4

2 Atta k against A hterbahnversion2 with omplexityof

2

49

_.

8

5 2.1 Prin ipleofHellandJohanssonatta kagainstA hterbahnv2 . . . 5

2.2 Complexity . . . 7

2.3 ExamplewithA hterbahnversion2 . . . 7

2.4 Improvementof theAtta kagainstA hterbahnversion2. . . 7

3 Cryptanalysis of A hterbahn-128/80 8 3.1 Cryptanalysisof A hterbahn-80 . . . 9

3.2 Cryptanalysisof A hterbahn-128 . . . 9

4 Con lusion 13

Unité de recherche INRIA Rocquencourt

Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex (France)

Unité de recherche INRIA Futurs : Parc Club Orsay Université - ZAC des Vignes

4, rue Jacques Monod - 91893 ORSAY Cedex (France)

Unité de recherche INRIA Lorraine : LORIA, Technopôle de Nancy-Brabois - Campus scientifique

615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex (France)

Unité de recherche INRIA Rennes : IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)

Unité de recherche INRIA Rhône-Alpes : 655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier (France)

Unité de recherche INRIA Sophia Antipolis : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex (France)

Éditeur

INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)

http://www.inria.fr