Cryptanalysis of Loiss Stream Cipher-Revisited

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of $2^{231}$ and a data complexity of $2^{68}$, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of $2^{16}$. Furthermore, a related key chosen IV attack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of $2^{80}$, requiring $2^{64}$ chosen IVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.


Introduction
Many stream ciphers have been proposed over the past 20 years. Most of them are constructed using a linear feedback shift register (LFSR), which is easily implemented in hardware, but the software implementations are mostly slow. In recent years, several word-oriented stream ciphers have been proposed and standardized, such as ZUC [1], proposed for use in the 4G mobile networks, SNOW3G [2] deployed in the 3GPP networks, and also the four software-oriented finalists of the eSTREAM project (i.e., SOSEMANUK [3], HC-128 [4], Rabbit [5], and Salsa20/12 [6]).
In 2011, the Loiss stream cipher [7] was proposed by a team from the State Key Laboratory of Information Security in China. Loiss is a novel byte-oriented stream cipher, which takes a 128-bit secret key and a 128-bit initial vector as inputs and outputs a keystream of bytes. Loiss is based on a linear feedback shift register and utilizes a structure called byte-oriented mixer with memory (BOMM) in the filter generator, which aims to improve the resistance against algebraic attacks, linear distinguishing attacks, and fast correlation attacks. The designers hope Loiss can enrich applications of orthomorphic permutations in cryptography and motivate the research on cryptographic properties of orthomorphic permutations. By exploiting some differential properties of the BOMM structure during the cipher initialization phase, two related key attacks on Loiss were independently proposed in [8,9]. These results show that the additional design complication, that is, the addition of the BOMM mechanism, weakens the cipher instead of strengthening it. Naturally, an open problem was left for future research, that is, whether the scaled-down Loiss, obtained by getting rid of the BOMM from Loiss and keeping the other parts the same as Loiss, is resistant against related key attacks.
No attack on Loiss has been published except for the two related key attacks shown in [8,9]. In the specification of the Loiss stream cipher, the designers present a Guess and Determine attack on Loiss, which has a time complexity of $2^{247}$ with a data complexity of $2^{52}$. In fact, the time complexity can be reduced at the cost of increased data complexity. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss, which has a time complexity of $2^{231}$ with a data complexity of $2^{68}$. Furthermore, by exploiting the weakness of a scaled-down version of Loiss during its initialization phase, a related key chosen IV attack on the scaled-down Loiss is given. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of $2^{80}$, requiring one related key and $2^{64}$ chosen IVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.
The rest of the paper is organized as follows. A brief description of the Loiss stream cipher is given in Section 2. In Section 3, an improved Guess and Determine attack on full Loiss is presented. Section 4 gives a related key chosen IV attack on scaled-down Loiss. Concluding remarks are given in Section 5.

Brief Description of the Loiss Stream Cipher
In this section, we recall the Loiss stream cipher briefly; for more details, refer to [7]. Loiss consists of three parts: a linear feedback shift register (LFSR), the nonlinear function , and a structure called byte-oriented mixer with memories (BOMM) as a part of the nonlinear filter generator; see Figure 1 [7].

Keystream Generator of Loiss.
The LFSR contains 32 one-byte registers. Denote by ( ()  0 ,  () 1 , . . .,  () 31 ) the state of the LFSR at time  ( ⩾ 0). Then the state at time  + 1 satisfies where  is a root of the primitive polynomial $x^8 + x^7 + x^5 + x^3 + 1$ in $\mathbb{F}_{2^8}$. The nonlinear function  (the dotted rectangle in Figure 1) is a compressing function from 32 bits to 8 bits, which contains a 32-bit memory unit . Denote by  () and  (+1) the values of the memory unit  at times  and  + 1, respectively. Let  be the output of . The output of the nonlinear function is obtained as  () = ( () ), where (⋅) is a truncation function which takes the leftmost 8 bits of  () as output. Then, the state of the memory unit  is updated by where  =  () 31 ‖  ()  26 ‖  () 20 ‖  () 7 .  is obtained by paralleling four copies of the 8 × 8 S-box  1 ; that is, where   (0 ⩽  ⩽ 3) is a byte.  is a linear transformation on 32-bit strings defined as where ⋘ denotes the left cyclic shift on 32-bit strings. As for the BOMM structure, it utilizes 16 one-byte memory units, denoted by   , 0 ⩽  ⩽ 15. Let  () and V () be the input and the output of BOMM at time t, respectively. BOMM works as follows: where the symbol ≫ denotes the right shift operator and  2 is an S-box of size 8 × 8.
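The LFSR recurrence above is computed in the field defined by the primitive polynomial $x^8 + x^7 + x^5 + x^3 + 1$. The following added example (not code from the Loiss specification or this paper) implements multiplication in that field with the polynomial encoded as the constant 0x1A9, gives the multiply-by-α step that a byte-oriented LFSR feedback over this field reduces to, and checks that α has order 255, which is exactly what "primitive" means here; the variable and function names are my own.

```python
# GF(2^8) arithmetic for the field the Loiss LFSR works over.
# Bit i of an integer holds the coefficient of x^i, so the reduction
# polynomial x^8 + x^7 + x^5 + x^3 + 1 is 1_1010_1001b = 0x1A9 (encoding chosen here).
POLY = 0x1A9
ALPHA = 0x02  # the element x, i.e. a root alpha of POLY
FIELD_ORDER = 255  # size of the multiplicative group of GF(2^8)

def mul_alpha(a: int) -> int:
    """Multiply a field element (one byte) by alpha: shift left, reduce if degree 8 appears.
    This is the elementary step of a byte-oriented LFSR feedback over this field."""
    a <<= 1
    if a & 0x100:
        a ^= POLY
    return a

def gf_mul(a: int, b: int) -> int:
    """General multiplication in GF(2^8): shift-and-add, reducing modulo POLY."""
    assert 0 <= a < 256 and 0 <= b < 256
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = mul_alpha(a)
    return r

def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation; LFSR tap coefficients are powers of alpha."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def order_of(a: int) -> int:
    """Multiplicative order of a non-zero element; 0 if no k <= 255 gives a^k = 1
    (which can only happen if POLY were reducible)."""
    assert a != 0
    cur = a
    for k in range(1, FIELD_ORDER + 1):
        if cur == 1:
            return k
        cur = gf_mul(cur, a)
    return 0

def is_primitive_polynomial() -> bool:
    """POLY is primitive iff alpha generates all 255 non-zero elements."""
    return order_of(ALPHA) == FIELD_ORDER

if __name__ == "__main__":
    print("x^8 + x^7 + x^5 + x^3 + 1 primitive:", is_primitive_polynomial())
```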

Initialization and Keystream Generation
2.2.1. Initialization. The initialization process of Loiss consists of two stages.
In the first stage, it initializes LFSR using a 128-bit secret key and a 128-bit initial vector and then sets  (0) = 0. Set where both   and   are bytes, 0 ⩽  ⩽ 15.

Keystream Generation.
After the initialization process, Loiss starts to generate keystream. Loiss generates one byte of keystream each time it is clocked. Let  () be the output of Loiss at time  ( ⩾ 0). Then, where  () 0 and V () are the value of the register  0 of the LFSR and the output of BOMM, respectively, at time .

 between internal and the keystream values. In Guess and Determine attacks, some internal values are guessed, and then other internal values are determined using keystream values. Guess and Determine attacks generally consist of three phases, that is, guessing, determining, and the test phase. The efficiency of Guess and Determine attacks can be discussed in terms of two complexities, namely, a time and a data complexity. The Guess and Determine attack is one of the general attacks which have been effective on some stream ciphers, for example, A5/1 [10], SNOW 1.0 [11], Sober-t32 [12], SOSEMANUK [13], Rabbit [14], ZUC [15], and so forth.

In the specification of the Loiss stream cipher [7], the designers present a Guess and Determine attack on Loiss which has a time complexity of $2^{247}$ with a data complexity of $2^{52}$. In fact, the time complexity can be reduced at the cost of increased data complexity.
Here, we assume that the attacker has observed a portion of keystream words {  },  = 1, 2, . . ., , where  is large enough for the attack to succeed.For convenience, we denote by  ( * ) ⇒  the deduction of  from  by equation ( * ).
Phase Two. Then, we can determine more components as follows.

) by solving a system of eight bitwise linear equations. After that, we can recover the value of  (+36) , since  (+5) 3 is known. At last, we can recover the value of  (+6) .
Phase Three. Then, we can determine the remaining components as follows. In this phase, we have to solve two systems of three byte-wise linear equations. The first system is described as follows: In this system, only three variables are unknown, that is,  (+19) ,  (+17) , and  (+15) . Obviously, this system can be easily solved. Thus, we can recover the values of  (+19) ,  (+17) , and  (+15) by solving this system.
We know that In this equation, the values of  (+38) ,  (+33) , and  (+27) have been obtained and the value of  (+7) has been determined, and  (+8) 3 is also known. Thus, we can easily recover the value of  1 ( (+14) ⊕  (+7) 0 ) by solving a system of eight bitwise linear equations. After that, we can recover the value of  (+14) , since  (+7) 0 is known. At last, we can recover the value of  (+8) .
Then, we should solve another system of three linear equations, which is described as follows: In this system, only three variables are unknown, that is,  (+20) ,  (+18) , and  (+16) . Obviously, this system can be easily solved. Thus, we can recover the values of  (+20) ,  (+18) , and  (+16) by solving this system.
Up to now, all internal states of the LFSR, , and BOMM have been recovered. The attacker then has to check the correctness of those values by producing a keystream from the recovered values and comparing it with the observed keystream. If the keystreams agree, the recovered states are correct. If the keystreams do not agree, the above process is repeated until the correct internal state is found. Since the probability that the assumption holds is $2^{-68}$ and the attacker has to guess a 156-bit internal state in the guessing phase, the time complexity of our Guess and Determine attack on Loiss is $2^{68} \cdot 2^{156} \cdot 2^{7} = 2^{231}$ with a data complexity of $2^{68}$. Compared with the Guess and Determine attack proposed by the designers, the time complexity of our attack on Loiss has been reduced by a factor of $2^{16}$.

Related Key Chosen IV Attack on Scaled-Down Loiss
By exploiting some differential properties of the BOMM structure during the cipher initialization phase, two related key attacks on Loiss were independently proposed in [8,9]. These results show that the additional design complication, that is, the addition of the BOMM mechanism, weakens the cipher instead of strengthening it. Naturally, an open problem was left for future research, that is, whether the scaled-down Loiss, obtained by getting rid of the BOMM from Loiss and keeping the other parts the same as Loiss, is resistant against related key attacks. In this section, based on the idea of slide (key, IV) pairs, a related key chosen IV attack on scaled-down Loiss is presented.

Scaled-Down Loiss.
The scaled-down Loiss is obtained by getting rid of the BOMM from Loiss and keeping the other parts the same as Loiss. For convenience, the scaled-down Loiss is denoted by SD-Loiss in this paper. SD-Loiss consists of two parts: the LFSR and the nonlinear function ; see Figure 2.