Guess-and-Determine Algebraic Attack on the Self-Shrinking Generator

Authors:
Blandine Debraize;Louis Goubin
Affiliations:
Gemalto, Meudon, France and Versailles Saint-Quentin-en-Yvelines University, France;Versailles Saint-Quentin-en-Yvelines University, France
Venue:
Fast Software Encryption
Year:
2008

Citing 10
Cited 0

A faster cryptanalysis of the self-shrinking generator

ACISP '96 Proceedings of the First Australasian Conference on Information Security and Privacy
Improved Cryptanalysis of the Self-Shrinking Generator

ACISP '01 Proceedings of the 6th Australasian Conference on Information Security and Privacy
The Shrinking Generator

CRYPTO '93 Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology
BDD-Based Cryptanalysis of Keystream Generators

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
The Shrinking Generator: Some Practical Considerations

Fast Software Encryption, Cambridge Security Workshop
A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)

Proceedings of the 2002 international symposium on Symbolic and algebraic computation
Algorithms for solving linear and polynomial systems of equations over finite fields, with applications to cryptanalysis

Algorithms for solving linear and polynomial systems of equations over finite fields, with applications to cryptanalysis
Efficient algorithms for solving overdefined systems of multivariate polynomial equations

EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
New guess-and-determine attack on the self-shrinking generator

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Two New Attacks on the Self-Shrinking Generator

IEEE Transactions on Information Theory

Quantified Score

Hi-index	0.00

Visualization

Abstract

The self-shrinking Generator (SSG) was proposed by Meier and Staffelbach at Eurocrypt'94. Two similar guess-and-determine attacks were independently proposed by Hell-Johansson and Zhang-Feng in 2006, and give the best time/data tradeoff on this cipher so far. These attacks do not depend on the Hamming weight of the feedback polynomial (defining the LFSR in SSG).In this paper we propose a new attack strategy against SSG, when the Hamming weight is at most 5. For this case we obtain a better tradeoff than all previously known attacks (including Hell-Johansson and Zhang-Feng). Our main idea consists in guessing some information about the internal bitstream of the SSG, and expressing this information by a system of polynomial equations in the still unknown key bits. From a practical point of view, we show that using a SAT solver, such as MiniSAT, is the best way of solving this polynomial system.Since Meier and Staffelbach original paper, avoiding low Hamming weight feedback polynomials has been a widely believed principle. However this rule did not materialize in previous recent attacks. With the new attacks described in this paper, we show explicitly that this principle remains true.