Multivariate correlation attacks and the cryptanalysis of LFSR-based stream ciphers

Cryptanalysis of modern symmetric ciphers may be done by using linear equation systems with multiple right hand sides, which describe the encryption process. The tool was introduced by Raddum and Semaev (Des Codes Cryptogr 49(1):147–160, 2008) where several solving methods were developed. In this work, the probabilities are ascribed to the right hand sides and a statistical attack is then applied. The new approach is a multivariate generalisation of the correlation attack by Siegenthaler (IEEE Trans Comput C 49(1):81–85, 1985). A fast version of the attack is provided too. It may be viewed as an extension of the fast correlation attack in Meier and Staffelbach (J Cryptol 1(3):159–176, 1989), based on exploiting so called parity-checks for linear recurrences. Parity-checks are a particular case of the relations that we introduce in the present work. The notion of a relation is irrelevant to linear recurrences. We show how to apply the method to some LFSR-based stream ciphers including those from the Grain family. The new method generally requires a lower number of the keystream bits to recover the initial states than other techniques reported in the literature.