Improved Algorithm to Find Equations for Algebraic Attacks for Combiners with Memory

Algebraic attacks have established as an important tool for cryptanalyzing LFSR-based keystream generators. Crucial for an efficient attack is to find appropriate equations of a degree as low as possible. Hereby, lower degrees are possible if many keystream bits are involved in one equation. An example is the keystream generator E0 employed in Bluetooth, where equations of degree 4 exist for r = 4 and 5 clocks but equations of degree 3 for r ≈ 8, 822, 188. The existence of degree 3 equations with 5 < r 8, 822, 188 clocks remained an open question. It is known that valid equations correspond to annihilators of certain sets. The effort to compute the sets and to find annihilators on them are exponential in r, making efficient algorithms desirable. Most algorithms proposed so far used normal Gaussian elimination which has a cubic complexity. The only exception is the algorithm proposed recently in [3] which is quadratic. The results of this paper are as follows. First, we describe several improvements for computing the sets and their annihilators (the intersection method). Second, we use our new improvements to exclude the existence of degree 3 equations for E0 with 5 < r ≤ 9, which are the best results so far on the non-existence of low degree equations for E0. We also find new degree 4 annihilators which permit to reduce the number of bits of stream needed for the attack from 2 to 2.