Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2^{231} and a data complexity of 2^{68}, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 2^{16}. Furthermore, a related key chosen ^{80}, requiring 2^{64} chosen

Many stream ciphers have been proposed over the past 20 years. Most of them are constructed using a linear feedback shift register (LFSR), which is easily implemented in hardware, but the software implementations are mostly slow. In recent years, several word-oriented stream ciphers have been proposed and standardized, such as ZUC [

In 2011, the Loiss stream cipher [

No attack on Loiss has been published except for the two related key attacks shown in [

The rest of the paper is organized as follows. A brief description of the Loiss stream cipher is given in Section

In this section, we recall the Loiss stream cipher briefly; for more details, refer to [

The structure of Loiss stream cipher.

The LFSR contains 32-byte registers. Denote by

The nonlinear function

The initialization process of Loiss consists of two stages.

In the first stage, it initializes LFSR using a 128-bit secret key and a 128-bit initial vector and then sets

Set

Denote the initial states of LFSR by

After that, Loiss runs 64 times without generating keystream, and the output of the BOMM takes part in the feedback calculation of the LFSR.

After the initialization process, Loiss starts to generate keystream. Loiss generates one byte of keystream when it runs one time. Let

The scaled-down Loiss is obtained by removing the BOMM from Loiss and keeping the other parts the same as in Loiss. For convenience, the scaled-down Loiss is denoted by SD-Loiss in this paper. SD-Loiss consists of two parts: the LFSR and the nonlinear function

The structure of SD-Loiss stream cipher.

The Guess and Determine attack is a common attack on stream ciphers. Guess and Determine attacks exploit the relationship between internal values and keystream values. In a Guess and Determine attack, some internal values are guessed, and then other internal values are determined using keystream values. Guess and Determine attacks generally consist of three phases: the guessing phase, the determining phase, and the test phase. The efficiency of a Guess and Determine attack is measured by two complexities, namely, its time complexity and its data complexity. The Guess and Determine attack is a general attack which has been effective on some stream ciphers, for example, A5/1 [
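The three phases described above, as an added example that is not part of the original paper: a Guess and Determine attack on a constructed 4-byte toy cipher (it is not Loiss, and `SBOX`, `keystream` and `guess_and_determine` are hypothetical names). Guessing two state bytes lets the keystream equations determine the other two, so the search costs 2^16 guesses instead of 2^32.

```python
# Toy byte-oriented cipher, constructed for this example only (NOT Loiss).
# Sequence a_t with linear feedback a_{t+4} = a_t ^ rotl8(a_{t+1}),
# nonlinear filter z_t = SBOX[a_t] ^ a_{t+2}.

SBOX = [pow(x + 1, 3, 257) & 0xFF for x in range(256)]  # constructed nonlinear map

def rotl8(x, r=1):
    """Rotate a byte left by r bits."""
    return ((x << r) | (x >> (8 - r))) & 0xFF

def keystream(state, n):
    """Return n keystream bytes from the 4-byte state (a_t, ..., a_{t+3})."""
    a = list(state)
    out = []
    for _ in range(n):
        out.append(SBOX[a[0]] ^ a[2])        # z_t = S[a_t] ^ a_{t+2}
        a = a[1:] + [a[0] ^ rotl8(a[1])]     # shift in a_{t+4}
    return out

def guess_and_determine(z):
    """Recover every initial state consistent with the observed keystream z."""
    found = []
    for a0 in range(256):                    # guessing phase: a_0
        a2 = z[0] ^ SBOX[a0]                 # determining phase: z_0 fixes a_2
        for a1 in range(256):                # guessing phase: a_1
            a3 = z[1] ^ SBOX[a1]             # determining phase: z_1 fixes a_3
            cand = (a0, a1, a2, a3)
            if keystream(cand, len(z)) == z: # test phase: check remaining bytes
                found.append(cand)
    return found

# Constructed sample input: a secret state and 12 observed keystream bytes.
TRUE_STATE = (0x3A, 0xC5, 0x17, 0x9E)
OBSERVED = keystream(TRUE_STATE, 12)

if __name__ == "__main__":
    states = guess_and_determine(OBSERVED)
    print("guesses tried: 2^16, candidates surviving the test:", states)
```

The data complexity here is the 12 observed bytes and the time complexity is the 2^16 guesses, the same two measures the text uses for the attacks on Loiss.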

In the specification of Loiss stream cipher [

Here, we assume that the attacker has observed a portion of keystream words

For convenience, we denote by

Before the description of our attack, we make an assumption as follows.

The following conditions occur at nine successive times starting from time

In the attack, the attacker guesses the values of

The last three steps above can be repeated for

After that, we deduce more components as follows:

We know that

Thus,

Since

We know that

In this equation, the values of

Similarly, we can recover the values of

The first system is described as follows:

In this system, only three variables are unknown, that is,

Then, we deduce

We know that

In this equation, the values of

Then, we should solve another system of three linear equations, which is described as follows:

In this system, only three variables are unknown, that is,

Finally, we deduce

Thus, all internal states of LFSR and

Up to now, all internal states of LFSR,

By exploiting some differential properties of the BOMM structure during the cipher initialization phase, two related key attacks on Loiss were independently proposed in [

In this subsection, we will present some properties of SD-Loiss. Let

Let

For the fixed key IK and 2^{48} chosen

According to the structure of SD-Loiss, we know

Since there are 29 equations which always hold in system (

Since

That is,

Let

Then, we know

Thus, when we try all 32-bit values of

If

Let

Theoretically, the probability that a valid

Our attack on SD-Loiss can be divided into two phases. In the first phase, we should find a valid

We choose

For each IV in these

generate

generate

check

Return Valid

This algorithm requires

In the second phase, using the Finding Valid

Recall the two phases of our attack on SD-Loiss. The time complexity of our attack on SD-Loiss is

In this paper, an improved Guess and Determine attack on Loiss is proposed, which reduces the time complexity of the attack proposed by the designers by a factor of

The authors declare that there is no conflict of interests regarding the publication of this paper.

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. This work is supported in part by the National Natural Science Foundation of China (Grant nos. 61202491, 61272041, and 61272488), the Foundation of Science and Technology on Information Assurance Laboratory (Grant no. KJ-13-007), and the Science and Technology on Communication Security Laboratory Foundation of China under Grant no. 9140C110303140C11003.