Journal of Applied Mathematics

Volume 2014, Article ID 457275, 7 pages

http://dx.doi.org/10.1155/2014/457275

## Cryptanalysis of Loiss Stream Cipher-Revisited

Information Science and Technology Institute, Zhengzhou 450000, China

Received 15 November 2013; Revised 5 May 2014; Accepted 5 May 2014; Published 27 May 2014

Academic Editor: Renat Zhdanov

Copyright © 2014 Lin Ding et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2^{231} and a data complexity of 2^{68}, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 2^{16}. Furthermore, a related key chosen *IV* attack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 2^{80}, requiring 2^{64} chosen *IV*s. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

#### 1. Introduction

Many stream ciphers have been proposed over the past 20 years. Most of them are constructed using a linear feedback shift register (LFSR), which is easily implemented in hardware, but the software implementations are mostly slow. In recent years, several word-oriented stream ciphers have been proposed and standardized, such as ZUC [1], proposed for use in the 4G mobile networks, SNOW3G [2] deployed in the 3GPP networks, and also four software-oriented finalists of eSTREAM project (i.e., SOSEMANUK [3], HC-128 [4], Rabbit [5], and Salsa 20/12 [6]).

In 2011, the Loiss stream cipher [7] was proposed by a team from the State Key Laboratory of Information Security in China. Loiss is a novel byte-oriented stream cipher, which takes a 128-bit secret key and a 128-bit initial vector as inputs and outputs a keystream of bytes. Loiss is based on a linear feedback shift register and utilizes a structure called byte-oriented mixer with memory (BOMM) in the filter generator, which aims to improve the resistance against algebraic attacks, linear distinguishing attacks, and fast correlation attacks. The designers hope Loiss can enrich applications of orthomorphic permutations in cryptography and motivate the research on cryptographic properties of orthomorphic permutations. By exploiting some differential properties of the BOMM structure during the cipher initialization phase, two related key attacks on Loiss were independently proposed in [8, 9]. These results show that the additional design complication, that is, the addition of the BOMM mechanism, weakens the cipher instead of strengthening it. Naturally, an open problem was left for future research, that is, whether the scaled-down Loiss, obtained by getting rid of the BOMM from Loiss and keeping other parts same as Loiss, is resistant against related key attack.

No attack on Loiss has been published except for the two related key attacks showed in [8, 9]. In the specification of Loiss stream cipher, the designers present a Guess and Determine attack on Loiss, which has a time complexity of with a data complexity of . In fact, the time complexity can be reduced at the cost of increased data complexity. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss, which has a time complexity of with a data complexity of . Furthermore, by exploiting the weakness of a scaled-down version of Loiss during its initialization phase, a related key chosen* IV* attack on the scaled-down Loiss is given. The attack recovers the 128-bit secret key of the scaled-down Loiss with time complexity of , requiring one related key and chosen* IV*s. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

The rest of the paper is organized as follows. A brief description of Loiss stream cipher is given in Section 2. In Section 3, an improved Guess and Determine attack on full Loiss is presented. Section 4 gives a related key chosen* IV* attack on scaled-down Loiss. Concluding remarks are given in Section 5.

#### 2. Brief Description of the Loiss Stream Cipher

In this section, we recall the Loiss stream cipher briefly; for more details, refer to [7]. Loiss consists of three parts: linear feedback shift register (LFSR), the nonlinear function , and a structure called byte-oriented mixer with memories (BOMM) as a part of the nonlinear filter generator; see Figure 1 [7].

##### 2.1. Keystream Generator of Loiss

The LFSR contains 32-byte registers. Denote by the state of LFSR at time (). Then the state at time satisfies where is a root of the primitive polynomial in .

The nonlinear function (the dotted rectangle in Figure 1) is a compressing function from 32 bits to 8 bits, which contains a 32-bit memory unit . Denote by and the values of the memory unit at times and , respectively. Let be the output of . The output of the nonlinear function is obtained as , where is a truncation function which truncates the leftmost 8 bits from as output. Then, the state of the memory unit is updated by
where . is obtained by paralleling 4 -box of size ; that is,
where () is a byte. is a linear transformation on 32-bit strings defined as
where denotes the left cyclic shift on 32-bit strings. As for the BOMM structure, it utilizes 16-byte memory units, denoted by . Let and be the input and the output of BOMM at time* t,* respectively. BOMM works as follows:
where the symbol denotes the right shift operator and is an -box of size .

##### 2.2. Initialization and Keystream Generation

###### 2.2.1. Initialization

The initialization process of Loiss consists of two stages.

In the first stage, it initializes LFSR using a 128-bit secret key and a 128-bit initial vector and then sets .

Set where both and are bytes, .

Denote the initial states of LFSR by . Then, for ,

After that, Loiss runs 64 times without the keystream generated and the output of BOMM takes part in the feedback calculation of LFSR.

###### 2.2.2. Keystream Generation

After the initialization process, Loiss starts to generate keystream. Loiss generates one byte of keystream when it runs one time. Let be the output of Loiss at time . Then, where and are the value of the register of LFSR and the output of BOMM, respectively, at time .

##### 2.3. Scaled-Down Loiss

The scaled-down Loiss is obtained by getting rid of the BOMM from Loiss and keeping other parts same as Loiss. For convenience, the scaled-down Loiss is denoted by SD-Loiss in the paper. SD-Loiss consists of two parts: LFSR and the nonlinear function ; see Figure 2.

#### 3. Improved Guess and Determine Attack on Full Loiss

Guess and Determine attack is a common attack on stream ciphers. Guess and Determine attacks exploit the relationship between internal and the keystream values. In Guess and Determine attacks, some internal values are guessed, and then other internal values are determined using keystream values. Guess and Determine attacks generally consist of three phases, that is, guessing, determining, and the test phase. The efficiency of Guess and Determine attacks can be discussed in terms of two complexities, namely, a time and a data complexity. Guess and Determine attack is one of the general attacks which have been effective on some stream ciphers, for example, A5/1 [10], SNOW 1.0 [11], Sober-t32 [12], SOSEMANUK [13], Rabbit [14], ZUC [15], and so forth.

In the specification of Loiss stream cipher [7], the designers present a Guess and Determine attack on Loiss which has a time complexity of with a data complexity of . In fact, the time complexity can be reduced at the cost of increased data complexity.

Here, we assume that the attacker has observed a portion of keystream words , , where is large enough for the attack to succeed. For convenience, we denote by the deduction of from by equation .

For convenience, we denote by the state of LFSR in Loiss at time . Then the state at time is . The recurrence function of LFSR is redefined as follows:

Before the description of our attack, we make an assumption as follows.

*Assumption 1. *The following conditions occur at nine successive times starting from time :(1), where , ;(2).

In the attack, the attacker guesses the values of , , , , , , , and the values of the rightmost three bytes of each (). The whole description of our Guess and Determine attack on Loiss can be divided into three phases as follows.

*Phase One*. For a given guess, all the bits of the following components can be immediately determined by exploiting the relationships in the cipher:(i);(ii);(iii);(iv);(v).

The last three steps above can be repeated for to determine more components:(i);(ii);(iii).

After that, we deduce more components as follows:(i);(ii);(iii).

*Phase Two.* Then, we can determine more components as follows.

We know that where are divided into four bytes as .

Thus,(i);(ii).

Since has been recovered, then(i),(ii),(iii),(iv).

We know that

In this equation, the values of , , and have been obtained and the values of , and have been guessed, and is also known. Thus, we can easily recover the value of by solving a system of eight bitwise linear equations. After that, we can recover the value of , since is known. At last, we can recover the value of .

Similarly, we can recover the values of and .

*Phase Three.* Then, we can determine the remaining components as follows. In this phase, we have to solve two systems of three byte-wise linear equations.

The first system is described as follows:

In this system, only three variables are unknown, that is, , , and . Obviously, this system can be easily solved. Thus, we can recover the values of , , and by solving this system.

Then, we deduce as follows:(i).

We know that

In this equation, the values of , and have been obtained and the value of has been determined, and is also known. Thus, we can easily recover the value of by solving a system of eight bitwise linear equations. After that, we can recover the value of , since is known. At last, we can recover the value of .

Then, we should solve another system of three linear equations, which is described as follows:

In this system, only three variables are unknown, that is, , and . Obviously, this system can be easily solved. Thus, we can recover the values of , and by solving this system.

Finally, we deduce as follows, since the value of has been recovered:(i).

Thus, all internal states of LFSR and , that is, , have been recovered. After all the internal states of LFSR and are recovered, the attacker runs Loiss for about another 128 times and then can recover the values of all memory units of BOMM.

Up to now, all internal states of LFSR, , and BOMM have been recovered. And then the attacker has to check the correctness of those values by producing a keystream using the above recovered values and comparing it with the observed keystream. If the keystreams agree, it shows that the recovered states are correct. If the keystreams do not agree, then we will repeat the above process until the correct internal state is found. Since the probability that the assumption satisfies is and the attacker has to guess 156-bit internal state in the guessing stage, so the time complexity of our Guess and Determine attack on Loiss is with a data complexity of . Compared with the Guess and Determine attack proposed by the designers, the time complexity of our attack on Loiss has been reduced by a factor of .

#### 4. Related Key Chosen* IV* Attack on Scaled-Down Loiss

By exploiting some differential properties of the BOMM structure during the cipher initialization phase, two related key attacks on Loiss were independently proposed in [8, 9]. These results show that the additional design complication, that is, the addition of the BOMM mechanism, weakens the cipher instead of strengthening it. Naturally, an open problem was left for future research, that is, whether the scaled-down Loiss, obtained by getting rid of the BOMM from Loiss and keeping other parts same as Loiss, is resistant against related key attack. In this section, based on the idea of slide (key,* IV*) pairs, a related key chosen* IV* attack on scaled-down Loiss is presented.

##### 4.1. Some Properties of SD-Loiss

In this subsection, we will present some properties of SD-Loiss. Let be the internal state of SD-Loiss at time . Denote by and the internal state of SD-Loiss just after the first stage of initialization and the full initialization, respectively. Let and be the 128-bit secret key and a 128-bit initial vector into the memory units of LFSR. Let pair be the related pair of . The relation between them is defined as follows:

Let be the internal state of SD-Loiss at time using pair. Then, we can get the following proposition which discusses the probability that holds.

Proposition 2. *For the fixed key IK and 2 ^{48} chosen IVs where , are all 48-bit values and the remaining bytes are fixed to ; there exactly exists one IV satisfying .*

*Proof. *According to the structure of SD-Loiss, we know can be written as the following system of 33 equations:

Since there are 29 equations which always hold in system (20), we can simplify the system (20) as follows:
where and .

Since is a linear transformation on 32-bit strings, we can simplify the equation as

That is,

Let be a 32-bit string, where is a byte. According to the -box in Loiss, we know that .

Then, we know

Thus, when we try all 32-bit values of , there exists exactly one* IV* satisfying the system (24). Considering the second and third equations of system (21), when we try chosen* IV*s where , are all 48-bit values and the remaining bytes are fixed to ; there exactly exists one* IV* satisfying .

If holds, we easily know always holds for . Similarly, if* IV* satisfies , we say that the* IV *is* valid*. Otherwise, we say that the* IV* is* invalid*.

Let and be keystream sequences generated from and , respectively. Let be the keystream sequences generated from time to ; that is, . Similarly, let be the keystream sequences generated from time to ; that is, . Then, we know that and are updated by the keystream generation mode, while and are updated by the initialization mode. Thus, both and hold, if and only if both and hold. If , always holds for , and then always holds, for (we call it* IV*-Test).

Theoretically, the probability that a valid* IV* passes the* IV*-Test is equal to , and then there exists one* IV* passing* IV*-Test among valid* IV*s. Thus, we can find at least one* IV* passing* IV*-Test with high probability among chosen* IV*s where ; are all 64-bit values and the remaining bytes are fixed to , while for an invalid* IV*, after the initialization of SD-Loiss, is uniformly distributed for . Thus, an invalid* IV* passes* IV*-Test with probability . Obviously, when is large enough, the probability is much smaller than , which means that we can distinguish valid* IV* and invalid* IV*s with very high probability.

##### 4.2. Related Key Chosen* IV* Attack on Scaled-Down Loiss

Our attack on SD-Loiss can be divided into two phases. In the first phase, we should find a valid* IV*. In the second phase, we will recover the 128-bit secret key* IK*.

We choose * IV*s where ; are all 64-bit values and the remaining bytes are fixed to . Then, we can find a valid* IV* among these chosen* IV*s by the Finding Valid* IV* algorithm for SD-Loiss which is described as follows.

*Finding Valid IV Algorithm for SD-Loiss*(1)For each IV in these chosen IVs, repeat the following:(a)generate bytes of keystream by using ;(b)generate* L* bytes of keystream by using ;(c)check* IV*-Test for and ; if they pass* IV*-Test, go to Step ; otherwise, return to Step and choose another* IV*.(2)Return Valid* IV* and store this* IV*.

This algorithm requires chosen* IV*s and runs the encryption process of SD-Loiss times. Thus, the time complexity of this algorithm is . Then, for each single key and* IV*, this algorithm only requires bytes of keystream at most. To make the probability that an invalid* IV* passes* IV*-Test negligible, we choose* L* to be 15, and then is equal to which is small enough to distinguish valid* IV*s and invalid* IV*s with very high probability. Hence, our attack requires 17 bytes of keystream at most for each single key and* IV*.

In the second phase, using the Finding Valid* IV* algorithm for SD-Loiss above, we can recover the 128-bit secret key* IK* using a simple Guess and Determine attack. We guess the values of , , , , , , , , , and (a total of 80 bits). Then, we can determine the remaining 48 bits of the secret key* IK* by system (21) easily.

Recall the two phases of our attack on SD-Loiss. The time complexity of our attack on SD-Loiss is , requiring chosen* IV*s. The result shows that slide (key,* IV*) pairs can be also used for related key attack.

#### 5. Conclusions

In this paper, an improved Guess and Determine attack on Loiss is proposed, which reduces the time complexity of the attack proposed by the designers by a factor of . Furthermore, by exploiting the weakness of a scaled-down version of Loiss during its initialization phase, a related key chosen* IV* attack on the scaled-down Loiss is given. The attack recovers the 128-bit secret key of the scaled-down Loiss with time complexity of , requiring one related key and chosen* IV*s. We hope our results can be helpful in evaluating the security of the Loiss stream cipher against Guess and Determine attack and related key attack, and we look forward to further works evaluating it against other kinds of cryptanalytic attacks.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. This work is supported in part by the National Natural Science Foundation of China (Grant nos. 61202491, 61272041, and 61272488), the Foundation of Science and Technology on Information Assurance Laboratory (Grant no. KJ-13-007), and the Science and Technology on Communication Security Laboratory Foundation of China under Grant no. 9140C110303140C11003.

#### References

- ETSI/SAGE Specification, “Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3,” Document 2: ZUC Specification, Version: 1.6, 2011.
- ETSI/SAGE, “Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2,” Document 2: SNOW 3G Specification, version 1.1, 2006.
- C. Berbain, O. Billet, A. Canteaut et al., “Sosemanuk, a fast software-oriented stream cipher,” in
*New Stream Cipher Designs*, vol. 4986 of*Lecture Notes in Computer Science*, pp. 98–118, Springer, Heidelberg, Germany, 2008. View at Google Scholar - H. J. Wu, “The stream cipher HC-128,” in
*New Stream Cipher Designs*, vol. 4986 of*Lecture Notes in Computer Science*, pp. 39–47, Springer, Heidelberg, Germany, 2008. View at Google Scholar - M. Boesgaard, M. Vesterager, and E. Zenner, “The rabbit stream cipher,” in
*New Stream Cipher Designs*, vol. 4986 of*Lecture Notes in Computer Science*, pp. 69–83, Springer, Heidelberg, Germany, 2008. View at Google Scholar - D. J. Bernstein, “The salsa 20 family of stream ciphers,” in
*New Stream Cipher Designs*, vol. 4986 of*Lecture Notes in Computer Science*, pp. 84–97, Springer, Heidelberg, Germany, 2008. View at Google Scholar - D. Feng, X. Feng, W. Zhang, X. Fan, and C. Wu, “Loiss: a byte-oriented stream cipher,” in
*Coding and Cryptology*, vol. 6639 of*Lecture Notes in Computer Science*, pp. 109–125, Springer, Heidelberg, Germany, 2011. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - L. Ding and J. Guan, “Cryptanalysis of Loiss stream cipher,”
*The Computer Journal*, vol. 55, no. 10, pp. 1192–1201, 2012. View at Publisher · View at Google Scholar - A. Biryukov, A. Kircanski, and A. M. Youssef, “Cryptanalysis of the Loiss stream cipher,” in
*Selected Areas in Cryptography 2012*, vol. 7707 of*Lecture Notes in Computer Science*, pp. 119–134, Springer, Heidelberg, Germany, 2012. View at Google Scholar - J. Golić, “Cryptanalysis of alleged A5 stream cipher,” in
*Advances in Cryptology—EUROCRYPT ’97*, vol. 1233 of*Lecture Notes in Computer Science*, pp. 239–255, Springer, Heidelberg, Germany, 1997. View at Google Scholar - P. Hawkes and G. G. Rose, “Guess-and-determine attacks on SNOW,” in
*Selected Areas in Cryptography*, vol. 2595 of*Lecture Notes in Computer Science*, pp. 37–46, Springer, Heidelberg, Germany, 2002. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - S. Babbage, C. de Cannière, J. Lano, B. Preneel, and J. Vandewalle, “Cryptanalysis of SOBER-t32,” in
*Fast Software Encryption*, vol. 2887 of*Lecture Notes in Computer Science*, pp. 111–128, Springer, Heidelberg, Germany. View at Scopus - X. Feng, J. Liu, Z. Zhou, C. Wu, and D. Feng, “A byte-based guess and determine attack on SOSEMANUK,” in
*Advances in Cryptology—ASIACRYPT 2010*, vol. 6477 of*Lecture Notes in Computer Science*, pp. 146–157, Springer, Heidelberg, Germany, 2010. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - X. Feng, Z. Shi, C. Wu, and D. Feng, “On guess and determine analysis of Rabbit,”
*International Journal of Foundations of Computer Science*, vol. 22, no. 6, pp. 1283–1296, 2011. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - L. Ding, S. K. Liu, Z. Y. Zhang, and J. Guan, “Guess and determine attack on ZUC based on solving nonlinear equations,” in
*Proceedings of the 1st International Workshop on ZUC Algorithm*, 2010, report 2010/007.