On the Frame Length of Achterbahn-128/80

On the frame length of Achterbahn-128/80

Rainer Göttfert Berndt M. Gammel Infineon Technologies AG Infineon Technologies AG Am Campeon 1–12 Am Campeon 1–12 D-85579 Neubiberg, Germany D-85579 Neubiberg, Germany rainer.goettfert@infineon.com berndt.gammel@infineon.com

Abstract— In this paper we examine a correlation attack in the heuristic method that the sequence g(T )ζ reflects the against combination generators introduced by Meier et al. in 2006 probability distribution Pr(Y =0)= 1 (1 + 32). and extended to a more powerful tool by Naya-Plasencia. The 2 method has been used in the cryptanalysis of the stream ciphers II. THE SIMPLIFIED KEYSTREAM GENERATOR MODEL Achterbahn and Achterbahn-128/80. No mathematical proofs for Instead of working with a true combination generator in the method were given. We show that rigorous proofs can be given in an appropriate model, and that the implications derived which the sequences to be combined are, e.g., shift register from that model are in accordance with experimental results sequences, we shall work in a simplified model. In this model obtained from a true combination generator. We generalize the the input sequences to the Boolean combiner are replaced by new correlation attack and, using that generalization, show that periodic sequences of binary-valued random variables which the internal state of Achterbahn-128 can be recovered with 119 48.54 are assumed to be independent and symmetrically distributed. complexity 2 using 2 consecutive keystream bits. In order to investigate a lower bound for the frame length of Achterbahn- We shall use the following notation. If M is a set, then |M| 128 we consider another application of the generalized correlation denotes the cardinality of M. If D is a subset of the set of 2136 attack. This attack has complexity (higher than brute force) integers Z and n is a nonnegative integer, then Dmod n is the 244.99 and requires keystream bits. Similar results hold for corresponding subset of Z/nZ consisting of the elements of Achterbahn-80. Due to these findings our new recommendation reduced modulo . for the frame length of Achterbahn-128 and Achterbahn-80 is D n 244 bits. Theorem 1: Let F be a balanced Boolean function of n ≥ 1 variables having order of correlation immunity c with 0 ≤ c ≤ I.INTRODUCTION n − 1. Let p1,...,pn be n distinct nonnegative integers. For Consider a keystream generator (KSG) that consists of n each k =1,...,n, let devices producing binary periodic sequences and a Boolean X ∞ ∞ k = (Xki)i = (Xk,0,Xk,1,...,Xk,pk −1) (1) combining function which combines these sequences to gen- =0 erate the keystream. If the input sequences have relatively be a periodic sequence of binary-valued balanced random short periods—in comparison to the keystream—then a certain variables of least period pk such that the random variables correlation attack comes into play. This heuristic correlation Xki, 1 ≤ k ≤ n, 0 ≤ i ≤ pk − 1, are statistically independent. Z ∞ attack was introduced by Johansson, Meier, and Muller [4] Let = (Zi)i=0 be the sequence of binary-valued random and later on generalized by Naya-Plasencia [5]. The method variables defined by is in the spirit of linear cryptanalysis. No proof has been given Zi = F (X1,i,X2,i,...,Xn,i) for i =0, 1,... . for the method. We shall generalize this correlation attack and present a rigorous proof for the attack in a simplified model. Let

We give a brief description of the correlation attack as L = xi1 + xi2 + · · · + xim + a (2) introduced in [4]. Let F (x1,...,xn) be a balanced Boolean be an affine Boolean function of m variables, 1 ≤ m ≤ n. combining function that is correlation immune of order 4, say. Select an integer h with 1 ≤ h ≤ m and decompose the Let L = x1 + x2 + x3 + x4 + x5 be a linear approximation to set M = {i1,i2,...,im} into h mutually disjoint subsets F , so that Pr(F = L)= 1 (1 + ) with a nonzero correlation 2 M1,...,Mh. Compute the least common multiples coefficient . Let σ1,...,σn be the input sequences to F ∞ and let ζ = (zi)i=0 be the keystream. Since F and L are qj = lcm(pi : i ∈ Mj ), 1 ≤ j ≤ h. correlated, the sequences ζ and σ = σ1 +σ2 +σ3 +σ4 +σ5 are Choose nonnegative integers t1,...,th, and set rj = tj qj for correlated. Let pj be the least period of σj , 1 ≤ j ≤ 5, and let ∞ ∞ 1 ≤ j ≤ h. Consider the binary polynomial T : (bi)i=0 → (bi+1)i=0 be the shift operator, defined on the vector space of all binary sequences under termwise operations h rj d 5 pj g(x)= (x − 1) = x . on sequences. The polynomial g(x) = j=1(x − 1) is a j=1 d D characteristic polynomial of σ, so that g(T )σ = 0. Since Y X∈ Q Z ∞ the polynomial g(x) has 32 terms, g(T )[ζ + σ] = g(T )ζ The linear operator g(T ) and the sequence = (Zi)i=0 define Y Z is the termwise sum of 32 sequences. It has been assumed a new sequence = g(T ) with terms Yi = d∈D Zi+d. P h If m ≤ c +1 and |Dmod pj | = 2 for all 1 ≤ j ≤ n with and similar subsets of V : j∈ / M, then V0 ={x ∈ V : G(x)=0} = {x ∈ V : F (x)=1}, 1 h x x x x Pr(Y =0)= 1+ 2 for i =0, 1,..., (3) V1 ={ ∈ V : G( )=1} = { ∈ V : F ( )=0}. i 2 It suffices to show that Pr(G = 0|x = 0) = Pr(G = 0|x = where is the correlation coefficient between F and L, that 1 1 1). Equivalently, that |U | = |V |. Since F is balanced, is, = 2 Pr(F = L) − 1. 0 0 n−1 The special case m = c +1 and tj = 1 for 1 ≤ j ≤ h |U0| + |V1| =2 . corresponds to the method of Naya-Plasencia suggested in [5, n−1 We trivially have |V0| + |V1| = |V | = 2 . Hence, |U0| = page 5]. The special case m = c +1, h = m, and tj = 1 n−1 n−1 n−1 . for 1 ≤ j ≤ m, corresponds to the method of Meier et al. 2 − |V1| =2 − (2 − |V0|)= |V0| described in [4, page 10]. Lemma 3: Let the Boolean function F (x1,...,xn) be bal- Formula (3) need not hold if the stated assumptions in anced and correlation immune of order c. For 1 ≤ k ≤ c +1 Theorem 1 are not fulfilled. and 1 ≤ j1 < · · · < jk ≤ n, consider the Boolean function G(x1,...,xn)= F (x1,...,xn)+ xj1 + · · · + xjk . Then Example 1. The Boolean Function F (x1, x2, x3)= x1x2 + x1x3 + x2x3 is balanced and correlation immune of order Pr(G = e|xj1 = e1,...,xjk = ek) = Pr(G = e) c = 0. The linear function L = x1 + x2 is uncorrelated to k F , that is = 0. We have m = 2, so that the assumption for all e ∈{0, 1} and (ej1 ,...,ejk ) ∈{0, 1} . m ≤ c +1 is not fulfilled. Let g(x) = (xp1 − 1)(xp2 − 1) and Proof: It suffices to proof the assertion for

D = {0,p1,p2,p1 + p2}. Assume that |Dmod p3 | = 4. One G(x1,...,xn)= F (x1,...,xn)+ x1 + · · · + xc+1. readily checks that the random variable Y0 satisﬁes Pr(Y0 = 0)=9/16. This result clearly contradicts formula (3). Since F is balanced and correlation immune of order c, any Example 2. Let F be the Boolean function from Exam- subfunction of F obtained by replacing arbitrary c variables ple 1. We use the linear approximation L = x1. We have of F with arbitrary binary constants is balanced. It follows Pr(F = L)=3/4 so that = 1/2. Assume that the periods (compare the proof of Lemma 2) that p1 p1,p2,p3 are distinct with p3 dividing p1. Let g(x)= x −1.

Then D = {0,p1} and Dmod p3 = {0}, so that the second Pr(F =0|x1 = e1,...,xc+1 = ec+1) assumption in Theorem 1 is not fulfilled. In fact, we find for a/b if e1 + · · · + ec+1 =0 Y = F (X ,X ,X )+ F (X ,X ,X ) that Pr(Y = = 0 10 20 30 10 2p1 30 0 (b − a)/b if e + · · · + e =1 0)=3/4. This again contradicts formula (3). ( 1 c+1 For the proof of Theorem 1 we need some auxiliary results. with b = 2n−c−1, for some a ∈ {0, 1,...,b}, and for all The proof of the next lemma is straightforward and can be c+1 (e1,...,ec+1) ∈{0, 1} . It follows that skipped. Lemma 1: Let Rij , 1 ≤ i ≤ k, 1 ≤ j ≤ n, be a Pr(G =0|x1 = e1,...,xc+1 = ec+1)= a/b collection of k × n statistically independent binary-valued for all (e ,...,e ) ∈{0, 1}c+1. random variables, and let F be an arbitrary Boolean function 1 c+1 We are now ready for the proof of Theorem 1. of n variables. Then the k random variables S ,...,S defined 1 k Proof: All random variables of the sequence ∞ by (Yi)i=0 = g(T )(Z )∞ have the same probability distribution. It there- S = F (R , R ,...,R ) for 1 ≤ i ≤ k i i=0 i i1 i2 in fore suffices to examine one of those random variables, say are statistically independent. Y0. Let us denote Y0 by Y . Thus, Y = d∈D Zd. Lemma 2: Let F be a balanced Boolean function of The case m = n is trivial. Because in this case the P n variables. For j ∈ {1,...,n}, let Gj (x1,...,xn) = assumption m ≤ c+1 together with c+1 ≤ n implies that F is Y F (x1,...,xn)+ xj . Then affine. It follows that is the zero sequence. Since Pr(F = L) is either 1 or 0, the correlation coefficient is either 1 or −1. Pr(Gj = e|xj = 0) = Pr(Gj = e|xj = 1)= Pr(Gj = e) Formula (3) holds in both cases. We shall assume in the rest of the proof that . for e ∈{0, 1} and 1 ≤ j ≤ n. m

Consider the following subsets of U: Mj = {cj,cj +1,...,nj }, 1 ≤ j ≤ h, x x x x U0 ={ ∈ U : G( )=0} = { ∈ U : F ( )=0}, with integers nj satisfying 1 < n1 < · · · < nh = m, and U1 ={x ∈ U : G(x)=1} = {x ∈ U : F (x)=1}, integers cj deﬁned by c1 =1 and cj = nj−1+1 for 2 ≤ j ≤ h. k Because of the periodicity properties, the random variables for all (e1,...,ek) ∈{0, 1} . Zd, d ∈ D, have the form We shall carry out the details of the proof only for the largest such subset, i.e., for the set {Wd : d ∈ D}. The proofs Z0 = F (X1,0,...,Xn1,0,...,Xch,0,...,Xm,0,...,Xn,0), for the other subsets are similar and somewhat simpler. For

Zr1 = F (X1,0,...,Xn1,0,...,Xch,r1 ,...,Xm,r1 ,...,Xn,r1 ), convenience, let us rename the elements of the set {Wd : d ∈ h . D} by W1, W2,...,Wt with t = |D| =2 . Let us denote the . u = m2h−1 random variables that appear twice in the above

Zrh = F (X1,rh ,...,Xn1,rh ,...,Xch,0,...,Xm,0,...,Xn,rh ), system of equations by A1, A2,...,Au. . Using the formula for the total probability, we get . Pr(W = e ,...,W = e )= Z = F (X ,...,X ,...,X ,...,X ,...,X ), 1 1 t t s 1,s1 n1,s1 ch,sh m,sh n,s 1 Pr(W1 = e1,...,Wt = et|A1 = a1,...,Au = au) u . u 2 (a1,...,au)∈{0,1} where and for . X s = r1 + · · · + rh sj = s − rj 1 ≤ j ≤ h By Lemma 1, the sum is equal to Notice that each random variable Xkd, 1 ≤ k ≤ m, d ∈ t D, appears exactly twice in the above system of equations, 1 Pr(Wi = ei |A1 = a1,...,Au = au). whereas each random variable Xkd, with m +1 ≤ k ≤ n, 2u u i=1 d ∈ D, appears exactly once. It follows that Y depends on (a1,...,aXu)∈{0,1} Y Each Wi depends only on m random variables of the set m|D| + (n − m)|D| = (2n − m)2h−1 {A1,...,Au}. Therefore, Lemma 3 implies that 2 Pr(W = e |A = a ,...,A = a ) = Pr(W = e ) independent symmetrically distributed random variables. i i 1 1 u u i i u The random variables Zd, d ∈ D, are not statistically inde- for 1 ≤ i ≤ t and for all (a1,...,au) ∈ {0, 1} . It follows pendent. The idea of our proof is to alter the random variables that Z in such a way that the modiﬁed random variables will be d Pr(W1 = e1,...,Wt = et) statistically independent. The modiﬁed random variables are: t 1 = u Pr(Wi = ei) W0 = Z0 + X1,0 + · · · + Xn1,0 +· · ·+ Xch,0 + · · · + Xm,0, 2 1 u i=1 (a ,...,aXu)∈{0,1} Y Wr1 = Zr1 + X1,0 +· · ·+ Xn1,0 +· · ·+ Xch,r1 +· · ·+ Xm,r1 , t . . = Pr(Wi = ei). i=1 Y Wrh = Zrh + X1,rh +· · ·+ Xn1,rh +· · ·+ Xch,0 +· · ·+ Xm,0, . . III. THE COIN TOSSING MODEL

Ws = Zs + X1,s1 +· · ·+ Xn1,s1 +· · ·+ Xch,sh +· · ·+ Xm,sh . In preparation for the subsequent sections we discuss a problem in the simplest of all probabilistic models, the coin tossing model. We have Consider a collection of S coins. One coin is biased. All Wd = Zd = Y. other coins are fair. Identify head with 0 and tail with 1. The d∈D d∈D biased coin falls head, i.e., shows 0, with probability p> 1/2. X X Furthermore, The value of p is known, but the coin that is biased is not. To distinguish the biased coin from the fair coins we toss each 1 Pr(Wd = 0) = Pr(F = L)= 1+ for all d ∈ D. coin n times recording the number of observed zeros for each 2 coin. Since the random variables Wd, d ∈ D, are statistically Theorem 2: Toss each of the S coins n0 times where independent, the piling-up lemma can be applied to them. This log S n = 2 . (4) yields 0 1+ p log p + (1 − p)log (1 − p) 2 2 1 1 h Pr(Y =0)= 1+ |D| = 1+ 2 . Then, the probability that the biased coin shows at least bpn0c 2 2 zeros is greater than 1/2. The probability that each fair coin It remains to show that the random variables Wd are indeed shows less than bpn0c zeros is also greater than 1/2. statistically independent. That is, we have to verify that any We omit the proof. Problems of this kind are typically nonempty subset {V1,...,Vk} of the set {Wd : d ∈ D} investigated in the framework of hypothesis testing. (Notice satisﬁes that the denominator of the above fraction is the relative k entropy—or Kullback-Leibler distance—between a symmet-

Pr(V1 = e1,...,Vk = ek)= Pr(Vj = ej ) rically distributed Bernoulli random variable and a Bernoulli j=1 random variable with parameter p.) Y 48.54 Y ∞ IV. CRYPTANALYSIS OF ACHTERBAHN-128 USING 2 conclude that the terms of the sequence = (Yn)n=0 are KEYSTREAM BITS identically distributed with

The KSG of Achterbahn-128 consists of 13 binary nonsin- 1 −24 Pr(Yn =0)= p = 1+2 for n =0, 1,... . gular nonlinear feedback shift registers Ak of lengths Nk = 2 k + 21, 0 ≤ k ≤ 12. The shift registers are primitive. For a + b + c> 0 (this corresponds to a wrong guess), the This means that the shift register Ak will output a sequence (k) Y are balanced, that is Pr(Y =0)=1/2. (This too can be σ = (s )∞ of least period p = 2Nk − 1 for every n n k n n=0 k rigorously proved in the simplified KSG model. However, we nonzero initial state. The produced sequences σ ,...,σ are 0 12 omit the proof for lack of space.) then combined by a balanced Boolean combining function We now change from the simplified KSG model to the true F (x ,...,x ) to produce the keystream ζ = (z )∞ . Thus, 0 12 n n=0 KSG. The equivalents of the sequences in (5) are (0) (12) zn = F (sn ,...,sn ) for n =0, 1,... . η = gij (T )[ζ + α + β + γ], (6) Using a more compact notation, we also write ζ = where α, β, and γ are output sequences of the three target F (σ0,...,σ12). The function F is correlation immune of order 8 and has nonlinearity 3584. See [2] for more information shift registers A4, A9, and A10. It is a consequence of the key- N on this stream cipher. loading algorithm of Achterbahn-128/80 that from the 2 k −1 Nk−1 The frame length of a stream cipher defines the maximum nonzero output sequences of the shift register Ak only 2 amount of keystream that can be used before resynchronization are actually used (see Step 5 on page 21 in [2]). It follows 83 or re-keying becomes necessary. The initial frame length that there are 2 possibilities for the triple (α,β,γ). The recommendation for Achterbahn-128 was 264 bits (see [2, sequences α, β, and γ can, of course, be represented by their page 2]). However, Naya-Plasencia [5] found an attack with initial states which are row vectors of lengths N4, N9, and complexity 280 that requires only 260.26 keystream bits. In [6], N10, respectively. she describes an attack of complexity 2104 requiring 255.61 We impose another simplification. We treat the sequences η keystream bits. The following attack with complexity 2119 in (6) as if they were realizations of sequences of independent requires 248.54 keystream bits. and identically distributed Bernoulli random variables. Notice We start our attack in the simplified KSG model. Recall that that even in the simplified KSG model this is not true: The terms of the sequences Y in (5) are statistically dependent. in this model the shift register sequences σk are replaced by the This simplification allows us to invoke Theorem 2. The sequences Xk introduced in (1). The keystream ζ is replaced correct triple (α,β,γ) = (σ , σ , σ ) corresponds to the by Z = F (X0,..., X12). We use the linear approximation 4 9 10 biased coin. Wrong triples correspond to fair coins. Using 83 1 −24 L = x0 + x1 + x2 + x3 + x4 + x7 + x9 + x10 + x12. formula (4) with S = 2 and p = 2 (1 + 2 ), we get 54.847 n0 = 32387195359857782 < 2 . Since F is balanced and correlation immune of order 8, the By applying all 380 linear operators gij (T ) to a segment of function 0 is balanced and correlation F = F + x4 + x9 + x10 the sequence ζ + α + β + γ consisting of 248.54 bits, we gain immune of order 5. Furthermore, the linear function 38 10 0 48.54 54.847 L = x0 + x1 + x2 + x3 + x7 + x12 2 − deg(gij ) > 2 i=1 j=1 approximates F 0. We have Pr(F 0 = L0) = Pr(F = L) = X X 1 −3 42 2 (1 + ) with =2 . Define q1 = lcm(p0,p7) ' 2 , q2 = samples yi. The triple (α,β,γ) producing the greatest number 44 47 lcm(p1,p12) ' 2 , and q3 = lcm(p2,p3) ' 2 . Consider of zeros is the primary candidate for the correct initial states the family of polynomials of the three registers A4, A9, A10. Once we know the initial states of the three registers, the initial states of the remaining iq1 jq2 q3 gij (x) = (x − 1)(x − 1)(x − 1), ten registers can be computed. This task is computationally 1 ≤ i ≤ 38, 1 ≤ j ≤ 10. Let D(ij) be the set less expensive.

{0, iq1, jq2, q3, iq1 + jq2, iq1 + q3, jq2 + q3, iq1 + jq2 + q3}. V. GUESSINGTHE INITIAL STATES OF FOUR REGISTERS

Then |D(ij) | = 8 for 1 ≤ i ≤ 38, 1 ≤ j ≤ 10, and In the above attack we guessed the initial states of three mod pk k =4, 5, 6, 8, 9, 10, 11. Consider shift registers. Any attack against Achterbahn-128 that guesses more than three shift registers has complexity greater than 2128 a b c Y = gij (T )[Z + T X4 + T X9 + T X10] (5) and, therefore, does not make sense. Nonetheless, we consider such an “attack” to get an idea for a secure frame length with 0 ≤ a ≤ p4 − 1, 0 ≤ b ≤ p9 − 1, 0 ≤ c ≤ p10 − 1. recommendation. The complexity of the following “attack” is If a = b = c = 0 (this corresponds to the correct guess), about 2136. We use the linear approximation 0 0 then Y = gij (T )Z , where Z = Z + X4 + X9 + X10 = 0 0 0 0 F (X0,..., X12). Applying Theorem 1 to F , L , and Z , we L = x0 + x1 + x3 + x4 + x5 + x6 + x7 + x10 + x12. The correlation coefﬁcient between F and L is again =1/8. k ∈ K = {1, 2,..., 1030}\{8, 20, 62, 64, 126, 188}. The 98 (k) We guess the registers A3, A4, A5, and A6. There are 2 assumption is fulﬁlled for and |Dmod pj | = 8 2 ≤ j ≤ 6 possibilities for the initial states. Consider the polynomials for all k ∈ K. Let ζ be the keystream and β any nonzero

q1 q2 kp10 output sequence of the target shift register. For each k ∈ K gk(x) = (x − 1)(x − 1)(x − 1) 12 we compute the first 2 terms of the sequence gk(T )[ζ + β]. (k) 12 for 1 ≤ k ≤ 10000. Let D be the corresponding set of Let ηk denote the sequence consisting of those 2 terms. exponents. Then |D(k) | = 8 for all 1 ≤ k ≤ 10000 mod pj We piece together the sequences ηk to create a sequence 22 with k 6= 4098 and for j = 2, 3, 4, 5, 6, 8, 9, 11, whereas η = (η1|η2|···|η1030) of r = 2 terms. Associate with η = (4098) 98 1 −24 r−1 r−1 |Dmod p11 | =6. Using (4) with S =2 and p = 2 (1+2 ), (yi)i=0 the sequence γ = (cn)n=0 whose terms are defined 55.086 1 we obtain n0 < 2 . Let f be the minimum amount of by cn = n |{i :0 ≤ i ≤ n − 1, yi =0}|. In this manner each keystream needed to collect 255.086 samples using the linear nonzero initial state of the target shift register gives rise to a operators gk(T ). We make the Ansatz sequence γ. We plotted the graphs of six of those sequences— t+1 among them the sequence corresponding to the correct initial ∗ 55.086 state—over the interval 216 ≤ n ≤ 222 − 1. See Figure 1. 2 = [f − deg(gk)], 16 k=1 The graphs of all 2 − 1 sequences lie within the colored X envelope. The graph of the sequence that corresponds to the where the asterisk indicates that the sum is extended only over correct initial state leaves the envelope about at n = 220.65. values k 6= 4098. It follows that 1 −8 Using Theorem 1, we find p = 2 (1+2 ) = 257/512. Using (t + 2)(t + 1) 16 255.086 = [f − q − q ] t − p − 4098 . Theorem 2 with S = 2 − 1 and p = 257/512, we get 1 2 10 2 20.47 n0 = 2 . Thus, the theoretically predicted result comes Equivalently, close to the true result. 255.086 − 4097p 1 3 f(t)= 10 + p t + q + q + p . t 2 10 1 2 2 10 Solving f 0(t)=0 for t, we find as the nearest integer solution 0.505 t = 5967. Since the second derivative is positive, f has a local minimum near t = 5967. Therefore, the best strategy is to use the 5967 linear operators gk(T ), 1 ≤ k ≤ 5968 with k 6= 4098 on a keystream segment of length f(5967) ' 244.99. 0.500

VI. THEORY VERSUS EXPERIMENT wrong guess We need to check whether we are still in touch with wrong guess correct guess reality. We want to know whether the results derived from wrong guess 0.495 wrong guess the simplified KSG model and the coin tossing model are wrong guess 1 (1 + 1 ) in accordance with experimental results obtained from a true 2 256 16 17 18 19 20 21 22 KSG. To this end we consider a combination generator similar 2 2 2 2 2 2 2 to the KSG of Achterbahn but with smaller design parameters so that a guess and determine attack can be simulated on the Fig. 1. Simulation of a guess and determine attack computer. This KSG consists of eight primitive nonlinear shift registers of lengths Nj = j + 14, 1 ≤ j ≤ 8. The periods REFERENCES N are pj = 2 j − 1. The combining function F (x ,...,x ) is 1 8 [1] B. M. Gammel, R. Göttfert, and O. Kniffler: The Achterbahn stream balanced, correlation immune of order 3, and has nonlinearity cipher, eSTREAM, ECRYPT Stream Cipher Project, 29 April 2005. 64. http : //www.ecrypt.eu.org/stream/ciphers/achterbahn/ achterbahn.pdf F (x1,...,x8)= x1 + x3 + x5 + x8 + x1x7 + x1x8 + x2x4 [2] B. M. Gammel, R. Göttfert, and O. Kniffler: Achterbahn-128/80, eSTREAM, ECRYPT Stream Cipher Project, 30 June 2006. + x2x6 + x2x7 + x2x8 + x3x6 + x4x8 + x5x6 + x6x7 http : //www.ecrypt.eu.org/stream/p2ciphers/achterbahn/ + x x x + x x x + x x x + x x x + x x x achterbahn p2.pdf 1 4 7 1 4 8 1 6 7 1 6 8 2 4 6 [3] B. M. Gammel, R. Göttfert, and O. Kniffler: Achterbahn-128/80: Design + x2x4x7 + x2x4x8 + x2x6x7 + x2x6x8 + x4x6x8 and Analysis, SASC 2007—The State of the Art of Stream Ciphers (Bochum, Jan. 31 - Feb. 1, 2007), Workshop Record, pp. 152–165. + x1x4x6x7 + x1x4x6x8 + x2x4x6x7 + x2x4x6x8 [4] T. Johansson, W. Meier, and F. Muller: Cryptanalysis of Achterbahn. FSE 2006, LNCS 4047, pp. 1–14, Springer-Verlag, Berlin-Heidelberg, The best linear approximation to F is L = x1 + x2 + x7 + x8. 2006. We have Pr(F = L)=3/4 so that = 1/2. We guess the [5] M. Naya-Plasencia: Cryptanalysis of Achterbahn-128/80, SASC 2007— The State of the Art of Stream Ciphers (Bochum, Jan. 31 - Feb. 1, 2007), initial state of the second shift register of length N2 = 16 16 Workshop Record, pp. 139–151. considering all 2 − 1 nonzero initial states. We make use of [6] M. Naya-Plasencia: Cryptanalysis of Achterbahn-128/80 with a new the following 1024 polynomials: keystream limitation, eSTREAM, ECRYPT Stream Cipher Project, Report 2007/004, 5 February 2007, kp1 p7 p8 gk(x) = (x − 1)(x − 1)(x − 1), http : //www.ecrypt.eu.org/stream/papersdir/2007/004.pdf