HAL Id: inria-00111964
https://hal.inria.fr/inria-00111964v2
Submitted on 13 Nov 2006
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of
sci-entific research documents, whether they are
pub-lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Cryptanalysis of Achterbahn-128/80
Maria Naya Plasencia
To cite this version:
Maria Naya Plasencia. Cryptanalysis of Achterbahn-128/80. [Research Report] RR-6014, INRIA.
2006, pp.14. �inria-00111964v2�
inria-00111964, version 2 - 13 Nov 2006
a p p o r t
d e r e c h e r c h e
IS
S
N
0
2
4
9
-6
3
9
9
IS
R
N
IN
R
IA
/R
R
--6
0
1
4
--F
R
+
E
N
G
Thème SYM
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Cryptanalysis of Achterbahn-128/80
María Naya Plasencia
N° 6014
Unité de recherche INRIA Rocquencourt
Domaine de Voluceau, Rocquencourt, BP 105, 78153 Le Chesnay Cedex (France)
Téléphone : +33 1 39 63 55 11 — Télécopie : +33 1 39 63 53 30
MaríaNaya Plasen ia
ThèmeSYMSystèmessymboliques ProjetCODES
Rapportdere her he n°6014November200614pages
Abstra t: Thispaperpresentstwoatta ksagainstA hterbahn-128/80,thelastversionof oneofthestream ipherproposalsin theeSTREAMproje t. Theatta kagainstthe80-bit variant,A hterbahn-80,has omplexity
2
56.32
. Theatta kagainstA hterbahn-128requires
2
75.4
operationsand
2
61
keystreambits. Theseatta ksarebasedonanimprovementofthe atta kdue to Hell andJohansson against A hterbahnversion 2and also onan algorithm thatmakesprotoftheshortlengthsofthe onstituentregisters.
Key-words: eSTREAM, stream iphers, A hterbahn, orrelationatta ks,parity he ks, ryptanalysis
Résumé : Ce papierprésente deuxattaques sur A hterbahn-128/80,ladernièreversion d'undes algorithmesproposésdans le adre deeSTREAM.L'attaque surla versionde80 bits, A hterbahn-80, est en
2
56.32
. L'attaquesur A hterbahn-128 abesoinde
2
75.4
al uls et
2
61
bits de suite hirante. Ces attaques sontbasées sur une améliorationdel'attaque proposéeparHelletJohanssonsurlaversion2d'A hterbahnetaussisurunalgorithmequi tireprotdespetiteslongueursdesregistres.
Mots- lés: eSTREAM, hirementàot,A hterbahn,attaquespar orrélation,relations deparité, ryptanalyse
1 Introdu tion
A hterbahn[4,6℄isastream ipherproposalsubmittedtotheeSTREAMproje t. Afterthe ryptanalysisofthersttwoversions[8,7℄,ithasmovedontoanewone alled A hterbahn-128/80[5℄published in June2006. A hterbahn-128/80 orrespondsto twokeystream gen-eratorswithkeysizesof128bitsand80bits,respe tively. Theirmaximalkeystreamlength islimitedto
2
63
.We present here two atta ks against both generators. The atta k against the 80 bit variant,A hterbahn-80,has omplexity
2
56.32
. Theatta kagainstA hterbahn-128requires
2
75.4
operationsand
2
61
keystreambits. Theseatta ksarebasedonanimprovementofthe atta kagainstA hterbahnversion2andalsoonanalgorithmthatmakesprotoftheshort lengthsofthe onstituentregisters.
Thepaperisorganizedasfollows. Se tion2presentsthemainspe i ationsof A hterbahn-128/80. Se tion 3 thendes ribes thegeneralprin ipleof theatta k proposed byHell and Johansson[7℄againstthepreviousversionofthe ipherA hterbahnv2,sin eouratta ksrely onasimilarte hnique. Wealsoexhibitanewatta kagainstA hterbahnv2with omplexity
2
49.8
, while thebest previouslyknownatta k had omplexity
2
59
. Se tion 4thenpresents twoatta ksagainstA hterbahn-80andA hterbahn-128respe tively.
1.1 Main spe i ations of A hterbahn-128
A hterbahn-128 is akeystream generator, onsisting of13 binary nonlinear feedba kshift registers (NLFSRs). The length of register
i
isL
i
= 21 + i
fori = 0, 1, . . . , 12
. These NLFSRsareprimitiveinthesensethattheirperiodsT
i
areequalto2
L
i
− 1
. Thesequen e whi h isusedasaninputtotheBoolean ombiningfun tion isnottheoutputsequen eof theNLFSRdire tly,butashiftedversionofitself. Theshiftamountdependsontheregister number, but it is xed for ea h register. In the following,
x
i
= (x
i
(t))
t≥0
for0 ≤ i ≤ 12
denotestheshiftedversionoftheoutputoftheregisteri
attimet
.The output of the keystream generator at time
t
, denoted byS(t)
, is the one of the Boolean ombiningfun tionF
withtheinputs orrespondingtotheoutputsequen esofthe NLFSRs orre tlyshifted,i.e.S(t) = F (x
0
(t), . . . , x
12
(t))
. TheBoolean ombiningfun tionF
is givenby:F (x
0
, x
1
, ..., x
12
) = x
0
+ x
1
+ x
2
+ x
3
+ x
4
+ x
5
+ x
7
+ x
9
+ x
11
+ x
12
+ x
0
x
5
+ x
2
x
10
+
x
2
x
11
+ x
4
x
8
+ x
4
x
12
+ x
5
x
6
+ x
6
x
8
+ x
6
x
10
+ x
6
x
11
+ x
6
x
12
+ x
7
x
8
+ x
7
x
12
+ x
8
x
9
+ x
8
x
10
+
x
9
x
10
+ x
9
x
11
+ x
9
x
12
+ x
10
x
12
+ x
0
x
5
x
8
+ x
0
x
5
x
10
+ x
0
x
5
x
11
+ x
0
x
5
x
12
+ x
1
x
2
x
8
+ x
1
x
2
x
12
+
x
1
x
4
x
10
+ x
1
x
4
x
11
+ x
1
x
8
x
9
+ x
1
x
9
x
10
+ x
1
x
9
x
11
+ x
1
x
9
x
12
+ x
2
x
3
x
8
+ x
2
x
3
x
12
+ x
2
x
4
x
8
+
x
2
x
4
x
10
+ x
2
x
4
x
11
+ x
2
x
4
x
12
+ x
2
x
7
x
8
+ x
2
x
7
x
12
+ x
2
x
8
x
10
+ x
2
x
8
x
11
+ x
2
x
9
x
10
+ x
2
x
9
x
11
+
x
2
x
10
x
12
+ x
2
x
11
x
12
+ x
3
x
4
x
8
+ x
3
x
4
x
12
+ x
3
x
8
x
9
+ x
3
x
9
x
12
+ x
4
x
7
x
8
+ x
4
x
7
x
12
+ x
4
x
8
x
9
+
x
4
x
9
x
12
+x
5
x
6
x
8
+x
5
x
6
x
10
+x
5
x
6
x
11
+x
5
x
6
x
12
+x
6
x
8
x
10
+x
6
x
8
x
11
+x
6
x
10
x
12
+x
6
x
11
x
12
+
x
7
x
8
x
9
+ x
7
x
9
x
12
+ x
8
x
9
x
10
+ x
8
x
9
x
11
+ x
9
x
10
x
12
+ x
9
x
11
x
12
+ x
0
x
5
x
8
x
10
+ x
0
x
5
x
8
x
11
+
x
0
x
5
x
10
x
12
+ x
0
x
5
x
11
x
12
+ x
1
x
2
x
3
x
8
+ x
1
x
2
x
3
x
12
+ x
1
x
2
x
7
x
8
+ x
1
x
2
x
7
x
12
+ x
1
x
3
x
5
x
8
+
x
1
x
3
x
5
x
12
+ x
1
x
3
x
8
x
9
+ x
1
x
3
x
9
x
12
+ x
1
x
4
x
8
x
10
+ x
1
x
4
x
8
x
11
+ x
1
x
4
x
10
x
12
+ x
1
x
4
x
11
x
12
+
RR n°6014x
1
x
5
x
7
x
8
+ x
1
x
5
x
7
x
12
+ x
1
x
7
x
8
x
9
+ x
1
x
7
x
9
x
12
+ x
1
x
8
x
9
x
10
+ x
1
x
8
x
9
x
11
+ x
1
x
9
x
10
x
12
+
x
1
x
9
x
11
x
12
+ x
2
x
3
x
4
x
8
+ x
2
x
3
x
4
x
12
+ x
2
x
3
x
5
x
8
+ x
2
x
3
x
5
x
12
+ x
2
x
4
x
7
x
8
+ x
2
x
4
x
7
x
12
+
x
2
x
4
x
8
x
10
+ x
2
x
4
x
8
x
11
+ x
2
x
4
x
10
x
12
+ x
2
x
4
x
11
x
12
+ x
2
x
5
x
7
x
8
+ x
2
x
5
x
7
x
12
+ x
2
x
8
x
9
x
10
+
x
2
x
8
x
9
x
11
+ x
2
x
9
x
10
x
12
+ x
2
x
9
x
11
x
12
+ x
3
x
4
x
8
x
9
+ x
3
x
4
x
9
x
12
+ x
4
x
7
x
8
x
9
+ x
4
x
7
x
9
x
12
+
x
5
x
6
x
8
x
10
+ x
5
x
6
x
8
x
11
+ x
5
x
6
x
10
x
12
+ x
5
x
6
x
11
x
12
.
Itsmain ryptographi propertiesare: balan edness
algebrai degree=4
orrelationimmunityorder=8
nonlinearity=3584
algebrai immunity=4
1.2 Main spe i ations of A hterbahn-80
A hterbahn-80 onsistsof11registers,whi harethesameonesasin theabove ase,ex ept fortherstandthelastones. TheBoolean ombiningfun tion,
G
,isasub-fun tionofF
:G(x
1
, . . . , x
11
) = F (0, x
1
, . . . , x
11
, 0).
Itsmain ryptographi propertiesare: balan edness
algebrai degree=4
orrelationimmunityorder=6
nonlinearity=896
algebrai immunity=4
Aswe ansee,A hterbahn-128 ontainsA hterbahn-80asasubstru ture.
1.3 The key-loading algorithm
Thekey-loadingalgorithmusesthekey
K
and aninitialvalueIV
. Themethodfor initial-izing the registersis the following one: rst of all, all registersare lled with the bits ofK||IV
. Afterthat,registeri
is lo keda − L
i
timeswherea
isthenumberofbitsofK||IV
, andtheremainingbitsofK||IV
areaddedtothefeedba kbit. Then,ea hregisteroutputs onebit. Those bitsare takenasinput onthe Boolean ombiningfun tion, whi h outputsa new bit. This bit is now added to the feedba ks for
32
additional lo kings. Then we overwritethelast ellofea hregisterwitha1,inordertoavoidtheallzerostate.This algorithm hasbeen modiedin relationto the previousversions. Theaimof this modi ationistopreventtheatta kerfromre overingthekey
K
fromtheknowledgeofthe initialstatesofsomeregisters.2 Atta k against A hterbahn version 2 with omplexity of
2
49
.
8
2.1 Prin iple of Hell and Johansson atta k against A hterbahn v2
A hterbahnversion2wasthepreviousversionofA hterbahn. Themainandmostimportant dieren estothislastone,whi h areusedbytheatta karethat:
ithad10registers,withlengthsbetween19and32bits,
theBooleanfun tion,
f
,had orrelationimmunityorder5.ThisversionhasbeenbrokenbyJohanssonandHell[7℄. Theiratta kisadistinguishing atta kthat relies onthefollowingwell-known lemma, whi h isaparti ular aseof[1, Th. 6℄.
Lemma1 Let
X
be arandom variable that takes itsvalues intoF
2
with adistributionD
losetothe uniformdistributionthat isPr
D
[X = 1] =
1
2
(1 + ε)
with|ε| ≪ 1.
Then,for anumberof samplesN =
d
ε
2
where
d
isarealnumber,the errorprobability ofthe optimal distinguisher isapproximatelyΦ(−
√
d/2)
,whereΦ
isthe distributionfun tion ofthe standardnormal distribution:Φ(x) =
1
2π
Z
x
−∞
exp
−
t
2
2
dt.
In the following, we will onsider
d = 1
whi h orresponds to an error probability of about0.3. Thepreviousquantityε
thatmeasuresthedistan ebetweenD
andtheuniform distributionis alled thebias ofD
.Theatta kproposedbyHellandJohanssonexploitsaquadrati approximation
q
ofthe ombiningfun tionf
:q(y
1
, . . . , y
n
) =
s
X
j=1
y
i
j
+
m
X
i=1
(y
j
i
y
k
i
)
RR n°6014with
m
quadrati termsandwhi hsatisesPr
[f (y
1
, . . . , y
n
) = q(y
1
, . . . , y
n
)] =
1
2
(1 + ε).
Webuildtheparity- he kequations,astheonesintrodu edby[8℄,thatmakedisappear thequadrati termsbysummingup:
q(t) =
s
X
j=1
x
i
j
(t) +
m
X
i=1
x
j
i
(t)x
k
i
(t)
at2
m
dierentmoments
(t+τ )
moments,whereτ
variesinthesetofthelinear ombinations with0 − 1
oe ientsofT
j
1
T
k
1
, T
j
2
T
k
2
, . . . , T
j
m
T
k
m
. Inthefollowing,thissetisdenotedbyhT
j
1
T
k
1
, . . . , T
j
m
T
k
m
i
,i.e:hT
j
1
T
k
1
, . . . , T
j
m
T
k
m
i =
(
n
X
i=1
c
i
T
j
i
k
i
, c
1
, . . . , c
m
∈ {0, 1}
)
.
Thisleadstopc(t) =
X
τ∈hT
j1
T
k1
,...,T
jm
T
km
i
q(t + τ )
=
X
τ∈hT
j1
T
k1
,...,T
jm
T
km
i
(x
i
1
(t + τ ) + . . . + x
i
s
(t + τ )) .
Wethende imatethesequen e
(pc(t))
t≥0
bytheperiodsofp
sequen esamong(x
i
1
(t))
t≥0
, . . . , (x
i
s
(t))
t≥0
. We ansupposeherewithoutlossofgeneralitythattheperiodsoftherstp
sequen eshavebeen hosen.
Nowanewparity- he k,
pc
p
, anbedenedby:pc
p
(t) = pc(tT
i
1
. . . T
i
p
).
This way, the inuen e of those
p
registerson the parity- he kpc
p
(t)
orresponds to the additionofa onstantforallt ≥ 0
,soitwill be0
or1
foralltheparity- he ks.Now,theatta k onsists inperforminganexhaustivesear hfortheinitialstatesofthe
(s − p)
remaining registers, i.e. those of indi esi
p+1
, . . . , i
s
. Forea h possible valuesfor theseinitialstates,we ompute:σ(t) =
X
τ∈hT
j1
T
k1
,...,T
jm
T
km
i
S(tT
i
1
. . . T
i
p
+ τ ) +
s
X
j=p+1
x
i
j
(tT
i
1
. . . T
i
p
+ τ )
(1) Wehave Pr[σ(t) = 0] =
1
2
(1 + ε
2
m
).
Using this bias, we andistinguish the keystream
(S(t))
t≥0
from arandom sequen e and alsore overtheinitialstatesof(s − p)
onstituentregisters.2.2 Complexity
We will have
2
m
termsin ea h parity- he k. That means that weneed to ompute
ε
−2
m+1
= 2
n
b
2
m+1
values of
σ(t)
formountingthedistinguishing atta k,wheren
b
=
log
2
ε
−1
. Besides,σ(t)
isdenedby(1
),implyingthattheatta krequires2
n
b
2
m+1
+
P
p
j=1
L
ij
+
m
X
i=1
2
L
ji
+L
ki
keystreambits,
whereL
i
j
arethelengthsoftheregistersasso iatedtotheperiods bywhi hwehave de imated, and thelast term orrespondsto the maximal distan e betweenthe bits involvedinea hparity- he k. Time omplexitywillbe
2
m
2
n
b
2
m+1
+
P
s
j=p+1
L
ij
where
i
p+1
, . . . , i
s
are the indi es of the registers by whi h period we have not de -imated, so the registers over whom we have made an exhaustivesear h and whose initialstatewearegoingtond.2.3 Example with A hterbahn version 2
HellandJohansson[7℄haveusedthisatta kagainstA hterbahnversion2withthefollowing quadrati approximation:
Q(x
1
, . . . , x
10
) = x
1
+ x
2
+ x
3
x
8
+ x
4
x
6
.
Then,theyde imatebytheperiodofthese ondregister,whoselengthis
22
. Afterthat,they makeanexhaustivesear hovertherstregister,whose lengthis19
. Time omplexitywill be2
62
anddata omplexity
2
59.02
. Usingthesmalllengthsoftheregisters,time omplexity anberedu edbelowdata omplexity,sothenal omplexityoftheatta kwillbe
2
59.02
.2.4 Improvement of the Atta k against A hterbahn version 2
We are going to improve the previously des ribed atta k against A hterbahn v2 and we redu ethe omplexityto
2
49.8
.Forthisatta k,weusetheideaofasso iatingthevariablesinordertoredu ethenumber oftermsthatwewillhaveintheparity- he ks. Theonlyee t thatthis ouldhaveonthe nal omplexityoftheatta kistoenlargethenumberofrequiredkeystreambits;butbeing areful,wemakeitstaythesamewhileredu ingthetime omplexity.
The hosen approximation. At rst, we sear hed between all thequadrati s approx-imationsof
f
with one and twoquadrati terms, asthe original atta kpresentedby Hell andJohanssonwasbasedonaquadrati approximation. Finally,afterlookingaftera trade-o betweenthe number ofterms, the number ofvariables, the bias... we foundthat nonequadrati approximation wasbetter for this atta k than linearones. It is worth noti ing that,sin ethe ombiningfun tion
f
is 5-resilient,anyapproximationoff
involvesatleast 6input variables. Moreover,thehighestbias orrespondingtoanapproximationoff
bya 6-variablefun tion isa hievedbyafun tionofdegreeone asprovedin [3℄. Afteranalyzing all linear approximationsof the Boolean ombiningfun tion, we found that the best one was:g(x
1
, . . . , x
10
) = x
8
+ x
6
+ x
4
+ x
3
+ x
2
+ x
1
.
Wehavef (x
1
, . . . , x
10
) = g(x
1
, . . . , x
10
)
withaprobabilityof1
2
(1 + 2
−3
).
Parity- he ks. Letusbuild aparity- he kasfollows:
ggg(t) = g(t) + g(t + T
1
T
8
) + g(t + T
2
T
6
) + g(t + T
1
T
8
+ T
2
T
6
),
withg(t) = x
8
(t) + x
6
(t) + x
4
(t) + x
3
(t) + x
2
(t) + x
1
(t).
Theterms
x
8
,x
6
,x
2
,x
1
willdisappearand,so,ggg(t)
isasequen ethatdependsuniquelyon thesequen esx
3
andx
4
. Addingfourtimestheapproximationhastheee tofmultiplying thebiasfour times,sothebiasofσ(t) = S(t) + S(t + T
1
T
8
) + S(t + T
2
T
6
) + S(t + T
1
T
8
+ T
2
T
6
)
is2
−3×4
= 2
−12
be ause
4
isthenumberoftermsinggg(t)
. That meansthat wewillneed2
3×4×2
= 2
24
valuesoftheparity- he kfordete tingthisbias. Ifwede imate
ggg(t)
bythe periodofregister3
,wewillneed2
24
T
3
+ T
1
T
8
+ T
2
+ T
6
= 2
24+23
+ 2
29+19
+ 2
27+22
= 2
49.8
bitsofkeystream, andtime omplexitywillbe2
24
× 2
L
4
= 2
49
asweonlyguesstheinitialstateofregister4.
We onsider that the total omplexityis given by thedata omplexity, asit is higher than the time omplexity. This omplexity is
2
49.8
while the omplexity of the previous atta kwasequalto
2
59
.3 Cryptanalysis of A hterbahn-128/80
Now, wedes ribeanewatta kagainstA hterbahn-80witha omplexity of
2
56.32
where a linear approximationof the output fun tion is onsidered. The atta k is adistinguishing atta kbutitalsoallowstore overtheinitialstatesof ertain onstituentregisters. Wealso des ribeanatta k againstA hterbahn-128with a omplexityof
2
75.4
wherewe onsider a linearapproximationof theoutputfun tionand wemakeprotoftheshortlengthsofthe registersinvolvedintheproposedstream ipher.
3.1 Cryptanalysis of A hterbahn-80
Thisatta kis verysimilar tothe improvementoftheatta kagainstA hterbahnversion2 whi h hasbeendes ribedinthepreviousse tion.
Ouratta kexploitsthefollowinglinearapproximationofthe ombiningfun tion
G
:ℓ(x
1
, . . . , x
11
) = x
1
+ x
3
+ x
4
+ x
5
+ x
6
+ x
7
+ x
10
.
Sin eG
is 6-resilient,ℓ
is thebestapproximationbya7-variablefun tion.For
ℓ(t) = x
1
(t) + x
3
(t) + x
4
(t) + x
5
(t) + x
6
(t) + x
7
(t) + x
10
(t)
,thekeystream(S(t))
t≥0
satisesPr[S(t) = ℓ(t)] =
1
2
(1 − 2
−3
)
.Parity- he ks. Letusbuildaparity- he kasfollows:
ℓℓ(t) = ℓ(t) + ℓ(t + T
4
T
7
) + ℓ(t + T
6
T
5
) + ℓ(t + T
4
T
7
+ T
6
T
5
).
Theterms ontainingthesequen es
x
4
,x
5
,x
6
,x
7
vanishinℓℓ(t)
,soℓℓ(t)
dependsex lusively onthesequen esx
1
,x
3
andx
10
.Addingfour times theapproximationhas theee t of multiplyingthe biasfour times, sothebiasof
σ(t) = S(t) + S(t + T
7
T
4
) + S(t + T
6
T
5
) + S(t + T
7
T
4
+ T
6
T
5
)
where(S(t))
t≥0
isthekeystream, is2
−4×3
. Thismeansthat weneed
2
3×4×2
= 2
24
parity- he ksσ(t)
todete tthisbias.Wenowde imate
σ(t)
by theperiod oftheregister10
,whi h isinvolvedin the parity- he k,sowe reatelikethisanewparity- he k:σ
′
(t) = σ(t(2
31
− 1)).
Then,theatta kperformsanexhaustivesear hfortheinitialstatesofregisters
1
and3
. Its time omplexityis2
24
× 2
L
1
+L
3
= 2
70
.
Thenumberofkeystreambitsthatweneedis
2
24
× T
10
+ T
4
T
7
+ T
6
T
5
= 2
56.32
.3.2 Cryptanalysis of A hterbahn-128
Now, we present a distinguishing atta k againstthe 128-bit versionof A hterbahnwhi h alsore overstheinitialstatesoftworegisters.
We onsiderthefollowingapproximationofthe ombiningfun tion
F
:ℓ(x
0
, . . . , x
12
) = x
0
+ x
3
+ x
7
+ x
4
+ x
10
+ x
8
+ x
9
+ x
1
+ x
2
.
Then,for
ℓ(t) = x
0
(t) + x
3
(t) + x
7
(t) + x
4
(t) + x
10
(t) + x
8
(t) + x
9
(t) + x
1
(t) + x
2
(t)
,wehave Pr[S(t) = ℓ(t)] =
1
2
(1 + 2
−3
).
Parity- he ks. Theperiodofanysequen eobtainedby ombiningtheregisters
0
,3
and7
isequaltol m(T
0
, T
3
, T
7
)
,i.e.2
59.3
as
T
0
T
3
andT
7
have ommondivisors. Wearegoing todenotethisvaluebyT
0,3,7
.Ifwebuildaparity he kasfollows:
ℓℓℓ(t) =
X
τ∈hT
0,3,7
,T
4,10
,T
8,9
i
ℓ(t + τ ),
theterms ontainingthesequen es
x
0
,x
3
,x
7
,x
4
,x
10
,x
8
,x
9
willdisappearfromℓℓℓ(t)
,soℓℓℓ(t)
dependsex lusivelyonthesequen esx
1
andx
2
:ℓℓℓ(t) =
X
τ∈hT
0,3,7
,T
4,10
,T
8,9
i
ℓ(t + τ )
=
X
τ∈hT
0,3,7
,T
4,10
,T
8,9
i
x
1
(t + τ ) + x
2
(t + τ )
=
σ
1
(t) + σ
2
(t),
where
σ
1
(t)
andσ
2
(t)
aretheparity- he ks al ulatedonthesequen esgeneratedbyNLFSRs 1and2.Addingeighttimestheapproximationhastheee tofmultiplyingthebiaseighttimes, sothebiasof
σ(t) =
X
τ∈hT
0,3,7
,T
4,10
,T
8,9
i
S(t + τ )
where
(S(t))
t≥0
isthekeystream,is2
−8×3
. So: Pr[σ(t) + σ
1
(t) + σ
2
(t) = 1] =
1
2
(1 − ε
8
).
Thismeansthatweneed
2
3×8×2
= 2
48
valuesof
σ(t) + σ
1
(t) + σ
2
(t)
to dete tthis bias. Wenowdes ribeanalgorithmfor omputingthesumσ(t) + σ
1
(t) + σ
2
(t)
overallvalues oft
. Thisalgorithmhasalower omplexitythananexhaustivesear h fortheinitial states oftheregisters1
and2
simultaneously. Here weuse(2
48
− 2)
valuesof
t
sin e(2
48
− 2) =
T
2
× (2
25
+ 2).
We anwrite itdownasfollows:
2
48
−3
X
t
′
=0
σ(t
′
) ⊕ ℓℓℓ(t
′
)
=
T
2
−1
X
k=0
2
25
+1
X
t=0
σ(T
2
t + k) ⊕ ℓℓℓ(T
2
t + k)
=
T
2
−1
X
k=0
2
25
+1
X
t=0
σ(T
2
t + k) ⊕ σ
1
(T
2
t + k) ⊕ σ
2
(T
2
t + k)
=
T
2
−1
X
k=0
(σ
2
(k) ⊕ 1)
2
25
+1
X
t=0
σ(T
2
t + k) ⊕ σ
1
(T
2
t + k)
+
σ
2
(k)
(2
25
+ 2) −
2
25
+1
X
t=0
σ(T
2
t + k) ⊕ σ
1
(T
2
t + k)
,
sin e
σ
2
(T
2
t + k)
is onstantforaxedvalueofk
.At this point, we anobtain
σ(t)
from thekeystreamand we anmakean exhaustive sear hfortheinitialstateofregister1. Morepre isely: We hooseaninitialstateforregister2,e.g. thealloneinitialstate. We omputeand saveabinaryve tor
V
2
oflengthT
2
:V
2
[k] = σ
2
(k),
wherethesequen e
x
2
isgeneratedfrom the hoosen initialstate. The omplexityof thisstateisT
2
× 2
3
operations.
Forea h possibleinitialstateofregister1:
we omputeandsaveave tor
V
1
omposedofT
2
integersof26bits.V
1
[k] =
2
25
+1
X
t=0
σ(T
2
t + k) ⊕ σ
1
(T
2
t + k).
The omplexityofthisstateis:
2
48
× (2
4
+ 2
4.7
) = 2
53.4
forea h possible initialstate ofregister1,where
2
4
orrespondsto the number of operationsrequired for omputing ea h
(σ(t) + σ
1
(t))
and(2
25
+ 2) × 2
4.7
=
(2
25
+ 2) × 26
isthe ostofsummingup
2
25
+ 2
integersof26bits. Forea h possible
i
from0
toT
2
− 1
:* wedene
V
′
2
oflengthT
2
:V
2
′
[k] = V
2
[k + i
mod T
2
].
A tually,(V
′
2
[k])
k<T
2
orresponds to(σ
2
(k))
k<T
2
when the initial state of register2 orrespondstointernalstateafter lo king
R2 i
timesfromtheall oneinitial state.* With thetwove torsthat wehaveobtained,we ompute:
T
2
−1
X
k=0
(V
′
2
[k] ⊕ 1) V
1
[k] + V
2
′
[k] 2
25
+ 2 − V
1
[k] .
(2) When we do this with the orre t initial states of registers1 and 2, we will nd the expe tedbias.forea h possibleinitialstateof
R1
do fork = 0
toT
2
− 1
doV
1
[k] =
P
2
25
+1
t=0
σ(T
2
t + k) ⊕ σ
1
(T
2
t + k)
endforforea h possibleinitial
i
stateofR2
do fork = 0
toT
2
− 1
doV
′
2
[k] = V
2
[k + i mod T
2
]
endforP
T
2
−1
k=0
(V
2
′
[k] ⊕ 1) V
1
[k] + V
2
′
[k] 2
25
+ 2 − V
1
[k]
if wendthebiasthenreturntheinitial statesof
R1
andR2
endifendfor endfor
Table1: Algorithmforndingtheinitialstatesof registers1and2
Thetotaltime omplexityoftheatta kisgoingtobe:
T
1
×
2
48
× 2
4
+ 2
4.7
+ T
2
× 2 × T
2
× 2
4.7
+ T
2
× 2
3
= 2
75.4
,
where2 × T
2
× 2
4.7
isthetimeittakesto omputethesumdes ribedby(2). A tually,we anspeedupthepro essbyrewriting thesum(2)inthefollowingway
T
2
−1
X
k=0
(−1)
V
2
[k+i]
V
1
[k] −
2
25
+ 2
2
+ T
2
2
25
+ 2
2
Theissueis nowto ndthe
i
that maximizesthis sum,this isthesameas omputingthe maximumofthe ross orrelationof twosequen esof lengthT
2
. We andothat e ientlyusingafastFouriertransformasexplainedin[2,pages306-312℄. Thenal omplexitywill bein
O(T
2
log T
2
)
. Anyway,thisdoesnot hangeourtotal omplexityasthehighertermis therstone.The omplexityisgoingtobe,nally:
T
1
×
2
48
× 2
4
+ 2
4.7
+ O(T
2
log T
2
) + T
2
× 2
3
= 2
75.4
.
Thelengthofkeystreamneededis:T
0,3,7
+ T
4,10
+ T
8,9
+ 2
48
< 2
61
bits.4 Con lusion
Wehaveproposedanatta kagainstA hterbahn-80in
2
70
. Tothisatta kwe anapplythe samealgorithm asthe one des ribed in Se tion 3.2 against A hterbahn-128, and its time omplexity will be redu ed to about
2
45
, so we an onsider as the total omplexity the length of the keystream needed, sin e it is bigger. The omplexity of the atta k against A hterbahn-80will then be
2
56.32
. An atta k against A hterbahn-128 is also proposed in
2
75.4
where fewer than
2
61
bits of keystream are required. The omplexities of the best atta ksagainstallversionsofA hterbahnaresummarizedinthefollowingtable:
version data omplexity time omplexity referen es v1 (80-bit)
2
32
2
55
[8℄ v2 (80-bit)2
59.02
2
62
[7℄ v2 (80-bit)2
49.8
2
49
v80(80-bit)2
56.32
2
46
v128(128-bit)2
60
2
75.4
Table2: Atta ks omplexitiesagainstallversionsofA hterbahn
Referen es
[1℄ T.Baignères,P.Junod,and S. Vaudenay. Howfar anwegobeyondlinear ryptanal-ysis? InAdvan es inCryptology - ASIACRYPT2004, volume3329ofLe tureNotesin Computer S ien e,pages432450.Springer-Verlag,2004.
[2℄ R.E.Blahut. FastAlgorithmsfor DigitalSignalPro essing. Addison Wesley,1985.
[3℄ A.CanteautandM.Trabbia. Improvedfast orrelationatta ksusingparity- he k equa-tionsofweight4and5. InAdvan es inCryptology - EUROCRYPT2000, volume1807 ofLe tureNotesin Computer S ien e,pages573588.Springer-Verlag,2000.
[4℄ B.M.Gammel,R.Gottfert,andO.Knier.TheA hterbahnstream ipher.eSTREAM, ECRYPTStreamCipherProje t,Report2005/002,2005.http://www.e rypt.eu.org/ stream/ iphers/a hterbahn/a hterbahn.pdf.
[5℄ B.M.Gammel,R.Gottfert,andO.Knier. A hterbahn-128/80.eSTREAM,ECRYPT StreamCipherProje t,Report 2006/001,2006. http://www.e rypt.eu.org/stream/ p2 iphers/a hterbahn/a hterbahn_p2.pdf.
[6℄ B. M. Gammel, R. Gottfert, and O. Knier. Status of A hterbahn and tweaks. eS-TREAM, ECRYPT Stream Cipher Proje t, Report 2006/027, 2006. http://www. e rypt.eu.org/stream/papersdir/2006/027.pdf.
[7℄ M.HellandT.Johansson.CryptanalysisofA hterbahn-version2.eSTREAM,ECRYPT StreamCipherProje t,Report 2006/042,2006. http://www.e rypt.eu.org/stream/ iphers/a hterbahn/a hterbahn.pdf.
[8℄ T.Johansson, W. Meier, andF. Muller. Cryptanalysisof A hterbahn. InAdvan es in Cryptology- FSE2006,volume4047ofLe tureNotesinComputer S ien e,pages114. Springer,2006.
Contents
1 Introdu tion 3
1.1 Mainspe i ationsofA hterbahn-128 . . . 3
1.2 Mainspe i ationsofA hterbahn-80 . . . 4
1.3 Thekey-loadingalgorithm . . . 4
2 Atta k against A hterbahnversion2 with omplexityof
2
49
.
8
5 2.1 Prin ipleofHellandJohanssonatta kagainstA hterbahnv2 . . . 52.2 Complexity . . . 7
2.3 ExamplewithA hterbahnversion2 . . . 7
2.4 Improvementof theAtta kagainstA hterbahnversion2. . . 7
3 Cryptanalysis of A hterbahn-128/80 8 3.1 Cryptanalysisof A hterbahn-80 . . . 9
3.2 Cryptanalysisof A hterbahn-128 . . . 9
4 Con lusion 13
Unité de recherche INRIA Rocquencourt
Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex (France)
Unité de recherche INRIA Futurs : Parc Club Orsay Université - ZAC des Vignes
4, rue Jacques Monod - 91893 ORSAY Cedex (France)
Unité de recherche INRIA Lorraine : LORIA, Technopôle de Nancy-Brabois - Campus scientifique
615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex (France)
Unité de recherche INRIA Rennes : IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)
Unité de recherche INRIA Rhône-Alpes : 655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier (France)
Unité de recherche INRIA Sophia Antipolis : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex (France)
Éditeur
INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)
http://www.inria.fr