Cryptanalysis of the class of maximum period galois NLFSR-based stream ciphers

Abstract

Espresso cipher is designed targeting 5G wireless communication systems. To achieve high efficiency, a maximum period Galois NLFSR is used as the only building block. The Galois NLFSR is constructed by a scalable method which converts a maximum LFSR to a Galois NLFSR. Based on this method, a new class of stream ciphers, namely maximum period Galois NLFSR-based stream ciphers can be designed. However, we identify a conditional equivalence problem in the design method and adopt the Type-II-to-Fibonacci transformation algorithm. We apply the algorithm to the Espresso cipher and successfully transform the Galois NLFSR to a Fibonacci LFSR with a nonlinear output function. The Espresso cipher is transformed to an LFSR filter generator. We break it by the fast algebraic attack and the Rønjom-Helleseth attack with complexity of 2^68.50 and 2^48.59 logical operations respectively. Moreover, we show that the entire class of maximum period Galois NLFSR-based stream ciphers can be transformed to LFSRs. Therefore, this kind of cipher is always equivalent to an LFSR filter generator. We discuss other related attacks and give suggestions for future design.

Appendix 1

The pseudocode for the Type-II-to-Fibonacci transformation algorithm is in Algorithm 1.

We implement the Type-II-to-Fibonacci and Fibonacci-to-Type-II algorithms in python. The scripts of implementing examples in this paper and the Galois NLFSRs in Section 7.3 can be found using link https://github.com/RebuTemp/transformation-Espresso

Fibonacci-to-Type-II

is the reversed algorithm of the Type-II-to- Fibonacci transformation algorithm. The process is:

Given an n-bit Fibonacci NLFSR with a output function f_z and an initial state X⁰, the process of transforming it to a Type-II Galois NLFSR is:

Step 1: For each monomial m_j, j ∈ [1,r], calculate the lowest possible shifting position p_j according to Algorithm 2 and choose a position τ_j, p_j ≤ τ_j ≤ n − 1;

Step 2: Shift the r monomials from the feedback function f_n− 1 to \(f_{\tau _{1}}, f_{\tau _{2}},\\ \ldots , f_{\tau _{r}}, 0 \leq \tau _{1} \leq \tau _{2} \leq {\ldots } \leq \tau _{r} \leq n-1\) respectively according to Definition 3;

Step 3: For each monomial m_j, j ∈ [1,r], construct a compensation list \(C_{m_{j}} = [0, \ldots , 0, m_{j}|_{-(n-1-\tau _{j})}, \ldots , m_{j}|_{-1}]\). Xor all the lists to get a combined compensation list \(C = C_{m_{1}} \oplus C_{m_{2}} \oplus {\ldots } \oplus C_{m_{r}}\);

Step 4: Compensate the output function f_z by C iteratively in descending order to get the output function \(\overline {f_{z}}\) for the transformed NLFSR;

Step 5: The initial state is computed as \(\hat {x}_{i}^{0} = {x_{i}^{0}} \oplus c_{i}(X^{0}), i \in [0, n-1]\).

Since the transformed NLFSR must be uniform, the positions to which monomials can be shifted is limited. An algorithm to calculate the lowest position is given in [4], we present it in Algorithm 2. Suppose the feedback function of the Fibonacci NLFSR is \(f_{n-1} = x_{0} \sum \limits _{j = 1}^{J} m_{j}\) and r < J monomials m_j, j ∈ [1,r] are shifted, then for each monomial, the lowest position is p_j.