Abstract
Espresso cipher is designed targeting 5G wireless communication systems. To achieve high efficiency, a maximum period Galois NLFSR is used as the only building block. The Galois NLFSR is constructed by a scalable method which converts a maximum LFSR to a Galois NLFSR. Based on this method, a new class of stream ciphers, namely maximum period Galois NLFSR-based stream ciphers, can be designed. However, we identify a conditional equivalence problem in the design method and adopt the Type-II-to-Fibonacci transformation algorithm. We apply the algorithm to the Espresso cipher and successfully transform the Galois NLFSR to a Fibonacci LFSR with a nonlinear output function. The Espresso cipher is transformed to an LFSR filter generator. We break it by the fast algebraic attack and the Rønjom-Helleseth attack with complexity of \(2^{68.50}\) and \(2^{48.59}\) logical operations respectively. Moreover, we show that the entire class of maximum period Galois NLFSR-based stream ciphers can be transformed to LFSRs. Therefore, this kind of cipher is always equivalent to an LFSR filter generator. We discuss other related attacks and give suggestions for future design.
References
[1] Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 1–13. Springer, Berlin (2000)
[2] Dubrova, E., Hell, M.: Espresso: A stream cipher for 5G wireless communication systems. Cryptogr. Commun. 9(2), 273–289 (2017)
[3] Dubrova, E.: A scalable method for constructing Galois NLFSRs with period \(2^{n} - 1\) using cross-join pairs. IEEE Trans. Inf. Theory 59(1), 703–709 (2012)
[4] Dubrova, E.: A transformation from the Fibonacci to the Galois NLFSRs. IEEE Trans. Inf. Theory 55(11), 5263–5271 (2009)
[5] Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Annual International Cryptology Conference, pp. 176–194. Springer, Berlin (2003)
[6] Hawkes, P., Rose, G.G.: Rewriting variables: The complexity of fast algebraic attacks on stream ciphers. In: Annual International Cryptology Conference, pp. 390–406. Springer, Berlin (2004)
[7] Rønjom, S., Helleseth, T.: A new attack on the filter generator. IEEE Trans. Inf. Theory 53(5), 1752–1758 (2007)
[8] Golomb, S.W.: Shift register sequences. Aegean Park Press (1967)
[9] Dubrova, E.: An equivalence-preserving transformation of shift registers. In: International Conference on Sequences and Their Applications, pp. 187–199. Springer, Cham (2014)
[10] Wang, L., Shen, B., Qiao, T.: Searching short recurrences of nonlinear shift registers via directed acyclic graphs. In: International Conference on Information Security and Cryptology, pp. 44–56. Springer, Berlin (2011)
[11] Zhiqiang, L.: The transformation from the Galois NLFSR to the Fibonacci configuration. In: Fourth International Conference on Emerging Intelligent Data and Web Technologies, pp. 335–339. IEEE (2013)
[12] Lu, J., Li, M., Huang, T., Liu, Y., Cao, J.: The transformation between the Galois NLFSRs and the Fibonacci NLFSRs via semi-tensor product of matrices. Automatica 96, 393–397 (2018)
[13] Courtois, N.T., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 345–359. Springer, Berlin (2003)
[14] Key, E.: An analysis of the structure and complexity of nonlinear binary sequence generators. IEEE Trans. Inf. Theory 22(6), 732–736 (1976)
[15] Zhang, J., Qi, W.: Cryptanalysis of an equivalent model of stream cipher Espresso. J. Cryptol. Res. 3(1), 91–100 (2016)
[16] Wang, M.X., Lin, D.D.: Related key chosen IV attack on stream cipher Espresso variant. In: IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC), vol. 1, pp. 580–587. IEEE (2017)
[17] Strassen, V.: Gaussian elimination is not optimal. Numer. Math. 13(4), 354–356 (1969)
[18] Ge, Y., Udaya, P.: Improved transformation algorithms for generalized Galois NLFSRs. Submitted to Cryptography and Communications (2020)
Appendix 1
The pseudocode for the Type-II-to-Fibonacci transformation algorithm is in Algorithm 1.
We implement the Type-II-to-Fibonacci and Fibonacci-to-Type-II algorithms in Python. The scripts implementing the examples in this paper and the Galois NLFSRs in Section 7.3 can be found at https://github.com/RebuTemp/transformation-Espresso
Fibonacci-to-Type-II is the reverse of the Type-II-to-Fibonacci transformation algorithm. Given an n-bit Fibonacci NLFSR with an output function fz and an initial state X0, the process of transforming it to a Type-II Galois NLFSR is:
Step 1: For each monomial mj, j ∈ [1,r], calculate the lowest possible shifting position pj according to Algorithm 2 and choose a position τj, pj ≤ τj ≤ n − 1;
Step 2: Shift the r monomials from the feedback function fn− 1 to \(f_{\tau _{1}}, f_{\tau _{2}}, \ldots , f_{\tau _{r}}, 0 \leq \tau _{1} \leq \tau _{2} \leq {\ldots } \leq \tau _{r} \leq n-1\) respectively according to Definition 3;
Step 3: For each monomial mj, j ∈ [1,r], construct a compensation list \(C_{m_{j}} = [0, \ldots , 0, m_{j}|_{-(n-1-\tau _{j})}, \ldots , m_{j}|_{-1}]\). Xor all the lists to get a combined compensation list \(C = C_{m_{1}} \oplus C_{m_{2}} \oplus {\ldots } \oplus C_{m_{r}}\);
Step 4: Compensate the output function fz by C iteratively in descending order to get the output function \(\overline {f_{z}}\) for the transformed NLFSR;
Step 5: The initial state is computed as \(\hat {x}_{i}^{0} = {x_{i}^{0}} \oplus c_{i}(X^{0}), i \in [0, n-1]\).
Since the transformed NLFSR must be uniform, the positions to which monomials can be shifted are limited. An algorithm to calculate the lowest position is given in [4]; we present it in Algorithm 2. Suppose the feedback function of the Fibonacci NLFSR is \(f_{n-1} = x_{0} \oplus \sum \limits _{j = 1}^{J} m_{j}\) and r < J monomials mj, j ∈ [1,r] are shifted; then for each monomial the lowest position is pj.
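As an added worked example (not the paper's code from the linked repository), the Python below carries Steps 2 to 5 through on a constructed 5-bit toy Fibonacci NLFSR and checks, by clocking both registers, that the resulting Type-II Galois NLFSR with the compensated output function emits the same keystream from the compensated initial state. Algorithm 2 is not on this page, so a simple sufficient uniformity check (shifted monomials may only read bits the two configurations share) stands in for it; the ANF representation, the toy instance and all function names are this example's own assumptions.

```python
def eval_anf(anf, state):
    """Sum the monomials of anf over GF(2) on a bit list (monomial = frozenset of indices)."""
    return sum(all(state[i] for i in m) for m in anf) & 1

def shift(m, k):
    """m|_{-k}: lower every variable index of monomial m by k."""
    assert min(m) >= k, "monomial cannot be shifted below x_0"
    return frozenset(i - k for i in m)

def fib_to_type2(n, monomials, tau):
    """Steps 2-3. Returns (g, c): g[i] is the ANF added to x_{i+1} (to x_0 for
    i = n-1) in the Galois register, c[i] the compensation term c_i. x_0 of
    f_{n-1} = x_0 + sum(m_j) is kept implicit."""
    g, c = [set() for _ in range(n)], [set() for _ in range(n)]
    for m, t in zip(monomials, tau):
        shifted = shift(m, n - 1 - t)
        # sufficient uniformity check (stands in for Algorithm 2): only read shared bits 0..min(tau)
        assert max(shifted) <= min(tau), "shift position too low for uniformity"
        g[t] ^= {shifted}                 # Step 2 (symmetric difference = XOR of ANFs)
        for i in range(t + 1, n):         # Step 3: C_m = [0, .., 0, m|-(n-1-t), .., m|-1]
            c[i] ^= {shift(m, n - i)}
    return g, c

def compensate(c, x_hat):
    """Step 4 on bits: x_i = x_hat_i + c_i(x_0..x_{i-1}) recovers the Fibonacci state."""
    x = []
    for i, xh in enumerate(x_hat):
        x.append(xh ^ eval_anf(c[i], x))
    return x

def run(n, g, x0, output, steps):
    """Clock a Galois NLFSR: x_i <- x_{i+1} + g_i(x), x_{n-1} <- x_0 + g_{n-1}(x).
    A Fibonacci register is the special case where only g_{n-1} is non-empty."""
    out, x = [], list(x0)
    for _ in range(steps):
        out.append(output(x))
        x = [(x[i + 1] if i < n - 1 else x[0]) ^ eval_anf(g[i], x) for i in range(n)]
    return out

def equivalent(n, monomials, tau, fz, x0, steps=64):
    """True iff the Fibonacci NLFSR and its Type-II transform emit the same keystream."""
    g, c = fib_to_type2(n, monomials, tau)
    fib_g = [set() for _ in range(n - 1)] + [set(monomials)]
    x0_hat = [xi ^ eval_anf(c[i], x0) for i, xi in enumerate(x0)]       # Step 5
    return run(n, fib_g, x0, lambda x: eval_anf(fz, x), steps) == \
        run(n, g, x0_hat, lambda xh: eval_anf(fz, compensate(c, xh)), steps)

# constructed toy instance: n = 5, f_4 = x_0 + x_1 + x_2 x_3, f_z = x_0 + x_1 x_4;
# x_1 is shifted to f_3 (becoming x_0) and x_2 x_3 to f_2 (becoming x_0 x_1)
N, MONOMIALS, TAU = 5, [frozenset({1}), frozenset({2, 3})], [3, 2]
FZ = {frozenset({0}), frozenset({1, 4})}
```

For the toy instance the combined compensation list is C = [0, 0, 0, x_0 x_1, x_0 + x_1 x_2], and equivalent() holds for all 32 initial states; lowering a shift position past the admissible one trips the uniformity assertion instead.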
Cite this article
Yao, G., Parampalli, U. Cryptanalysis of the class of maximum period galois NLFSR-based stream ciphers. Cryptogr. Commun. 13, 847–864 (2021). https://doi.org/10.1007/s12095-021-00511-0