Cryptology ePrint Archive: Report 2002/087

Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt

Nicolas T. Courtois

Abstract: There is abundant literature on how to use linear approximations to break various stream ciphers. In this paper we show that it is possible to design an efficient attack based on higher degree approximations. We reduce the attack to solving an overdefined system of multivariate equations and use the XL algorithm from Eurocrypt 2000. The complexity of the XL algorithm is sometimes controversial, however in practice and for the cases relevant here (much more equations than variables), we show that the behaviour of XL is predictable with the utmost precision and 100% accuracy. Our new attack allows to break efficiently stream ciphers that are known to be immune to all the previously known attacks. It has also surprisingly small and loose requirements on the keystream needed, giving powerful attack scenarios, leading even to (almost) ciphertext-only attacks. For example, the new attack breaks the stream cipher Toyocrypt submitted to the Japanese government Cryptrec call for cryptographic primitives, and one of only two candidates accepted to the second phase of Cryptrec evaluation process. Toyocrypt is a 128-bit stream cipher and at the time of submission it was claimed to resist to all known attacks. Later, Mihaljevic and Imai showed that the effective key length in Toyocrypt is only 96 bits. Still Toyocrypt may be easily modified to avoid this attack and have full 128 bit key. Our best attack breaks both Toyocrypt and the modified versions taking exactly 2^92 CPU clocks for a 128-bit cipher. Moreover it works in much less restrictive conditions that the previous attack, for example knowing ONLY that the ciphertext is in English.

Category / Keywords: Algebraic cryptanalysis, multivariate equations, overdefined equations, Reed-Muller codes, correlation immunity, XL algorithm, Gröbner bases, stream ciphers, pseudo-random generators, nonlinear filtering, ciphertext-only attacks, Toyocrypt, Cryptrec.

Publication Info: Presented at 5th International Conference on Information Security and Cryptology (ICISC 2002), November 28-29, 2002, Seoul, Korea. This as a full and updated version.

Date: received 2 Jul 2002, last revised 13 Feb 2003

Contact author: courtois at minrank org

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Note: Much faster algebraic attacks on Toyocrypt exist and will be described in a separate paper.

Version: 20030213:150659 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]