Published in IET Information Security. Received on 14th January 2008. Revised on 20th January 2009. doi: 10.1049/iet-ifs.2008.0013. ISSN 1751-8709
IET Inf. Secur., 2009, Vol. 3, Iss. 2, pp. 66–73. © The Institution of Engineering and Technology 2009

Heuristic guess-and-determine attacks on stream ciphers

H. Ahmadi*, T. Eghlidos
Electronics Research Center, Sharif University of Technology, Tehran, Iran
E-mail: hahmadi@alum.sharif.edu
* This author has moved to the Department of Computer Science, University of Calgary, Calgary, AB, Canada. E-mail: hahmadi@ucalgary.ca

Abstract: Guess-and-determine (GD) attacks are general attacks on stream ciphers, which have often been implemented in an ad hoc manner. The authors introduce a heuristic approach to the design of GD attacks, that is, a dynamic programming method using a Viterbi-like algorithm, a well-known decoding algorithm for convolutional codes. The authors also show that with this method the resulting GD attacks, named heuristic GD (HGD) attacks, on TIPSY, SNOW1 and SNOW2 have lower computational complexity than the previously known GD attacks. The main advantage of HGD attacks over ad hoc GD attacks is that, while being powerful, they can be designed algorithmically for classes of stream ciphers satisfying a certain condition. Using this method, the authors examine the resistance of SOSEMANUK, a word-oriented stream cipher proposed for the Ecrypt Stream Cipher Project. The complexity of the designed GD attack, $O(2^{224})$, is much less than the complexity of an exhaustive search attack on the internal state, $O(2^{384})$, but larger than the claimed security level, $O(2^{128})$.

1 Introduction

Stream ciphers are a group of symmetric key ciphers in which plaintext symbols are combined with a pseudorandom key stream, typically by a simple mixing operation. In a stream cipher the plaintext symbols are encrypted one at a time, and the transformation of successive symbols varies during the encryption. Stream ciphers are divided into bit-oriented and word-oriented ciphers. In word-oriented stream ciphers, operations are performed on w-bit blocks, called words. The main advantage of these ciphers is their efficiency, since they generate a word rather than a bit per time unit.

Guess-and-determine (GD) attacks are a class of general attacks which have been effective against some stream ciphers. In a GD attack, the attacker first guesses (the values of) a set of state elements of the cryptosystem, called a basis; hence the name. The basis can correspond to different elements of different states (at multiple times). Next, she determines the remaining state elements and the running key sequence, and compares the resulting key sequence with the observed key sequence. If the two sequences are equal, the guessed values are correct and the cryptosystem has been broken; otherwise the attacker repeats the above scenario with other guessed values. Thus, the attack complexity is roughly equal to the computation needed to repeat the above scenario for all possible guesses (in this paper the term ‘complexity’, unless otherwise mentioned, means the worst-case computational complexity). It follows that the smaller the basis, the lower the attack complexity.

Despite long-standing efforts to improve GD attacks on stream ciphers, they have usually been designed based on the experience of cryptanalysts. Golić [1] proposed a GD attack on the alleged A5/1. Cannière [2] introduced a GD attack on SOBER [3]. Other types of GD attacks against SNOW [4] have been introduced in [5–7]. More recently, Mattsson [8] introduced a GD attack on the Polar Bear stream cipher [9]. However, all these attacks have relied on different ad hoc approaches, and there is no common method of designing GD attacks. The problem is whether we can find an algorithmic way of designing a convenient GD attack for a given stream cipher. In this paper we introduce a dynamic programming method as a heuristic approach to the design of GD attacks
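The guess/determine/compare loop described in the introduction, carried out on a constructed toy word-oriented cipher (added example written for this page; it is not code from the paper or its authors and does not use the paper's Viterbi-like basis search). The cipher, its word size, the basis {s_0, s_1} and the secret state are all assumptions chosen for illustration: guessing the two basis words costs 2^(2w) trials, whereas exhaustive search over the four-word internal state costs 2^(4w).

```python
from itertools import product

# Constructed toy word-oriented cipher: 4 state words of W bits each (not a real cipher).
W = 4
MASK = (1 << W) - 1

def rotl(x, r):
    return ((x << r) | (x >> (W - r))) & MASK

def clock(state):
    """One clock: emit keystream word z_t = s_t ^ s_{t+2}, then shift in
    the feedback word s_{t+4} = s_t ^ s_{t+1} ^ rotl(s_{t+3}, 1)."""
    s0, s1, s2, s3 = state
    z = s0 ^ s2
    return z, (s1, s2, s3, s0 ^ s1 ^ rotl(s3, 1))

def keystream(state, n):
    out = []
    for _ in range(n):
        z, state = clock(state)
        out.append(z)
    return out

def gd_attack(z):
    """GD attack with basis (s_0, s_1): guess the basis, determine s_2 and s_3
    from the output relations z_0 = s_0 ^ s_2 and z_1 = s_1 ^ s_3, then run the
    cipher forward and keep every guess whose keystream matches the observed one."""
    found, guesses = [], 0
    for s0, s1 in product(range(1 << W), repeat=2):   # 2^(2W) guesses in total
        guesses += 1
        cand = (s0, s1, z[0] ^ s0, z[1] ^ s1)          # determine step
        if keystream(cand, len(z)) == z:               # compare step
            found.append(cand)
    return found, guesses

def exhaustive_search(z):
    """Baseline: try all 2^(4W) internal states and keep the consistent ones."""
    return [s for s in product(range(1 << W), repeat=4) if keystream(s, len(z)) == z]

SECRET = (0x9, 0x3, 0xE, 0x6)          # constructed secret internal state
OBSERVED = keystream(SECRET, 12)        # constructed observed keystream (12 words)

if __name__ == "__main__":
    cands, guesses = gd_attack(OBSERVED)
    print(f"GD attack: {guesses} guesses, candidate state(s): {cands}")
    print(f"exhaustive search: {len(exhaustive_search(OBSERVED))} match(es) "
          f"out of {1 << (4 * W)} states")
```

Both searches return the same candidate set, which is the point of the comparison: the determine step replaces 2^(4w) state trials by 2^(2w) basis guesses without losing any solution.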