Cryptanalysis of RAKAPOSHI Stream Cipher

Transcription

1 Crypanalysis of RAKAPOSHI Sream Cipher Lin Ding, Jie Guan Zhengzhou Informaion Science and Technology Insiue, China Absrac. RAKAPOSHI is a hardware oriened sream cipher designed by Carlos Cid e al. in 9. The sream cipher is based on Dynamic Linear Feedback Shif Regisers, wih a simple and poenially scalable design, and is paricularly suiable for hardware applicaions wih resriced resources. The RAKAPOSHI sream cipher offers 8-bi securiy. In his paper, we poin ou some weaknesses in he cipher. Firsly, i shows ha here are weak (key, IV) pairs in RAKAPOSHI sream cipher. Secondly, for weak (key, IV) pairs of RAKAPOSHI, hey are vulnerable o linear disinguishing aack and algebraic aack. Finally, we propose a real ime relaed key chosen IV aack on RAKAPOSHI. The aack on RAKAPOSHI recovers he bi secre key of wih a compuaional complexiy of, requiring 47 relaed keys, chosen IVs and keysream bis. The success probabiliy of his aack is.999, which is quie close o. The experimenal resuls corroborae our asserion. Keywords: Crypanalysis; linear disinguishing aack; algebraic aack; relaed key chosen IV aack; RAKAPOSHI; sream cipher. Inroducion Sream ciphers are symmeric encrypion algorihms based on he concep of pseudorandom keysream generaor. Alhough i seems raher difficul o consruc a very fas and secure sream cipher, some effors o achieve his have recenly been deployed. The NESSIE proec [] launched in 999 by he European Union did no succeed in selecing a secure enough sream cipher. In 5, he European proec ECRYPT decided o launch a compeiion o idenify new sream ciphers ha migh be suiable for widespread adopion. This proec is called estream [] and received 35 submissions. Those candidaes are divided ino sofware oriened and hardware oriened sream ciphers. Hardware oriened sream ciphers should be suiable for deploymen on passive RFID ags or low-cos devices such as migh be used in sensor neworks. Such devices are excepionally consrained in compuing poenial because of he number of logic gaes available or he amoun of power ha migh realisically be available. In 9, Carlos Cid e al. [3] proposed a new hardware-oriened sream cipher called RAKAPOSHI, which aims o complemen he curren estream porfolio of hardware-oriened sream ciphers. The RAKAPOSHI sream cipher offers 8-bi securiy. The designers claimed ha he cipher design and The paper had been submied and is under review now. The paper was done independenly of wo similar works, i.e., [8] and [9].

2 securiy evaluaion incorporaes lessons learned during he several years of exensive analysis in he estream process, and hus RAKAPOSHI is less likely o be suscepible o more recen aacks, such as iniializaion aacks. RAKAPOSHI is based on Dynamic Linear Feedback Shif Regisers (DLFSR), wih a simple and poenially scalable design, and is paricularly suiable for hardware applicaions wih resriced resources. A Dynamic Linear Feedback Shif Regiser scheme is a general consrucion consising usually of wo regisers: he firs subregiser A, is clocked regularly and updaed using a fixed mapping. Subregiser B, is updaed using a linear mapping, which varies wih ime and depends of he sae in regiser A. The design can be seem as a generalizaion of consrucions found in early designs, including he sop-and-go generaor [4], LILI [5], dynamic feedback polynomial swich [6], and K [7]. In fac, he RAKAPOSHI sream cipher is in fac a successor of he K sream cipher, bu aiming a low-cos hardware implemenaions. In his paper, we poin ou some weaknesses in he cipher. Firsly, he resul shows ha here are weak (key, IV) pairs in RAKAPOSHI sream cipher. Secondly, for weak (key, IV) pairs of RAKAPOSHI, hey are vulnerable o linear disinguishing aack and algebraic aack. Finally, we proposed a real ime relaed key chosen IV aack on RAKAPOSHI. The ime complexiy of our relaed key chosen IV aack on RAKAPOSHI is abou 34, requiring 39 relaed keys on average. The resuls show ha here exis some weaknesses in he cipher. See also [8] and [9] for wo works ha were done independenly of our resuls. This paper is organized as follows. In Secion, we briefly describe RAKAPOSHI sream cipher. We discuss he exisence of weak (key, IV) pairs, and presen linear disinguishing aack and algebraic aack agains he weak (key, IV) pairs of RAKAPOSHI in Secion 3. Secion 4 proposes a real ime relaed key chosen IV aack on RAKAPOSHI. The Secion 5 concludes his paper. 9 Brief Descripion of RAKAPOSHI The RAKAPOSHI sream cipher consiss of hree main building blocks, namely a 8-bi Non-Linear Feedback Shif Regiser (denoed as regiser A), a 9-bi Linear Feedback Shif Regiser (denoed as 8 regiser B), and a non-linear filer funcion over GF. I uses wo bis from he sae of he NLFSR o selec and dynamically modify he linear feedback funcion of he LFSR. The keysream is produced by combining he oupu of boh regisers wih he oupu of he non-linear filer funcion. An overview of he differen blocks used in he sream cipher can be found in Fig..

3 Figure. The srucure of RAKAPOSHI sream cipher We denoe by A ( a, a,, a ) he conens of he LFSR a ime. Similarly, he conen of he 7 NFSR is denoed by B ( b, b,, b ) a ime. a 4 c a 89 7 Non-Linear Feedback Shif Regiser A. The regiser A is a 8-bi NLSFR, defined using he following recurrence relaion. a g( a, a, a, a, a, a, a, a, a, a ) a a a a a a a a a a a a a a a a a a a a a a a a Linear Feedback Shif Regiser B. The regiser B is a 9-bi dynamic LFSR. Regiser A is used o selec and dynamically modify he feedback funcion of LFSR B using wo bis from he sae of regiser A, and as a resul, Regiser B, which can use four differen linear recursive funcions, presens an irregular updaing mechanism. Le and c be he 4 nd and 9 h bis of regiser A a ime, respecively (ha is, c and c ). Then LFSR B a ime is defined by he following recurrence relaion. b f( c, c, b, b, b, b, b, b, b, b, b, b, b, b, b, b ) b b b b b b b c c b c c b c c b c c b c b 55 c b 58 b Where c c represens he negaion of. i i c i Non-Linear Filer. The 8-o- non-linear filer funcion is he same funcion used as he non-affine componen of he AES S-Box. This funcion is a balanced Boolean funcion, wih polynomial represenaion (ANF) of degree 7. In he RAKAPOSHI sream cipher, he inpu bis for his funcion are exraced from boh regisers A and B, as s v( a, a, b, b, b, b, b, b ) The explici polynomial expression of he funcion v() is given in he Appendix A.

4 Iniializaion Process. The RAKAPOSHI sream cipher suppors key size of 8 bis and IV size of 9 bis. Before he generaion of he cipher keysream, he cipher is iniialized wih he secre key and a seleced IV. The iniializaion process of RAKAPOSHI is done as follows. Firsly, he secre key K ( k,, k7) and IV ( iv,, iv9) are loaded ino he NLFSR and DLFSR, respecively, as follows. ( a,, a7 ) ( k,, k7 ) ( b,, b9) ( iv,, iv9 ) Secondly, he cipher hen clocks imes wih he oupu of he filer funcion back ino he cipher sae. This process is divided ino wo sages: v() (i.e., s ) being fed In he firs sage of he iniializaion, he cipher runs for 3 cycles, wih he oupu of he non-linear filer funcion v() being fed back ino he regiser B. In he second sage of he iniializaion, he cipher runs for furher 8 cycles, wih he oupu of he non-linear filer funcion v() being fed back ino he regiser A. A he end of he iniializaion, he cipher inernal sae is S ( A, B ), and i is ready o produce he firs keysream bi z. Keysream Generaion. The cipher oupus one keysream bi a each cycle. Given he cipher sae S ( A, B ) a ime, he cipher operaes as follows: The keysream bi z is compued as z a c, c A are used o updae he regiser B. Regisers A and B are updaed o obain A b s and B and is oupu., respecively. 3 Weak (key, IV) Pairs of RAKAPOSHI 3. The Exisence of he Weak (key, IV) Pairs RAKAPOSHI uses a dynamic linear feedback shif regiser o ensure good crypographic properies. However, here is an lock-up sae for he regiser A Tha is, if he iniializaion process leaves A in he all ones sae, hen i will remain permanenly in ha sae, and regiser B will become a simple linear feedback shif regiser, which is he only acive block of he cipher. As well known, keysream sequences generaed by a single LFSR and a non-linear filer funcion are vulnerable o disinguishing aack and algebraic aack. Consequenly, if he key and IV pair resuls in his lock-up sae for he regiser A, we define he key and IV pair as a weak (key, IV) pair. Now we reveal he exisence of he weak (key, IV) pairs in RAKAPOSHI sream cipher. For a weak (key, IV) pair, he sae A is he all one sae (,,,). Then our following purpose is o obain an available S from known algorihm o compue he weak (key, IV) pairs. S in reverse. According o he srucure of RAKAPOSHI, we presen an Finding Weak (key, IV) pairs Algorihm for RAKAPOSHI

5 . Se A be he all one sae (,,,), and selec B. From = 447 o = 3 do (.a) Compue c and c a 4 a 89 (.b) Compue s v( a67, a 7, b3, b53, b77, b8, b 3, b 8). (.c) Compue 9 c c b c b c b b. randomly. b b b b b b b b c c b c c b c c b (.d) Compue a a a a a a a a a a a a a a a 55 a7a8 a8a55 a6a45a6 a6a a6 s 3. From = 39 o = do (3.a) Compu c and c. e a 4 a 89 (3.b) Compue s v( a67, a 7, b, b, b, b, b, b (3.c) Compue b b b 9 b 4 b37 b4 b49 b5 b93 c c 7 c c b c c b 34 c c b c b c b b s (3.d) Compue a a a a a a a a a a a a a a a a a a a a a a a a a Oupu he iniial sae S ( A, B ). According he algorihm above, i is easy o see ha for each value of B )., here exiss a unique weak 9 (key, IV) pair. Since B can be randomly seleced in his algorihm, here are cerainly weak (key, IV) pairs in RAKAPOSHI sream cipher. One example is illusraed in Table. Table. Weak (key, IV) pair of RAKAPOSHI Key IV A B x894ef5d4b47934d5b58e5b8fa x4f9fe37b7c5a87f59ede8975ef6d6634eada64eaf3 xffffffffffffffffffffffffffffffff x7a7bd7c eba7c56fb69adfc865f4aada 3. Linear Disinguishing Aack and Algebraic Aack on Weak (key, IV) Pairs In disinguishing aacks, one aemps o disinguish he keysream sequence from a purely random sequence. For weak (key, IV) pairs of RAKAPOSHI, we ried o consruc linear disinguishers, by considering linear approximaions of funcions used in he sream cipher. For each weak (key, IV) pair of RAKAPOSHI, he inernal saes of he regiser A are all ones afer he iniializaion process, he recurrence relaion of LFSR B will remain permanenly as follows. b b b b b b b b b b b Now, he number of erms in he recurrence funcion of LFSR B is. We can consruc a linear disinguisher using keysream bis as follows.

6 D z z z z 4 z 49 z 5 z 93 z 36 z 58 z 76 z 9 : 4 37 Simulaneiy, he 8-o- non-linear filer funcion v() can be simplified as follows since he firs wo inpu bis are se o ones. s v a a b ( 67, 7, 3 b53 b77 b8 b 3 b 8,,,,, ) v(,, b, b, b, b, b, b ) v() The bes affine approximaion of he nonlinear filer v() has bias.4 designers [3]. However, he bes affine approximaion of he nonlinear filer v() has bias. Using he Pilling-up Lemma [], he bias of he linear disinguisher is esimaed as as claimed in sec.5.3 by he So, if he keysream sequence is generaed by RAKAPOSHI wih a weak (key, IV) pair, he linear 6.6 disinguisher D holds wih he probabiliy bias. As a resul, o disinguish he RAKAPOSHI wih a weak (key, IV) pair, i requires / keysream bis. As claimed in sec.5.3 by he designers, RAKAPOSHI sream cipher is secure agains disinguishing aacks. However, for weak (key, IV) pairs of RAKAPOSHI, i is vulnerable o linear disinguishing aacks. A weak Key-IV can be disinguished means ha he regiser A iniial sae of he weak Key-IV is he all ones sae. Consequenly, he nex ask is o recover he regiser B iniial sae. Algebraic aacks agains sream ciphers were originally proposed in 3 by Courois and Meier []. The aack is a powerful crypanalyic echnique agains some LFSR-based sream ciphers. For he RAKAPOSHI sream cipher wih a weak (key, IV) pair, he keysream oupu 7 by means of a Boolean funcion over GF given by z a b s a b v( a, a, b, b, b, b, b, b ) b v This funcion has degree 5 and algebraic immuniy 3 (which is he same of he funcion v ( ) ). For each weak (key, IV) pair of RAKAPOSHI, he inernal saes of he regiser A are all ones afer he iniializaion process. Here we use he XL mehod [] o esimae he ime complexiy of solving he above algebraic equaion sysem, and obain ha is ime complexiy is abou i i 3 z is compued The algebraic aack requires approximaely.7 keysream bis. The ime complexiy of his aack is much smaller han he ime complexiy of a brue force aack. Therefore for weak (key, IV) pairs of RAKAPOSHI, i is weak agains algebraic aack. 4 Relaed Key Chosen IV Aack on RAKAPOSHI In his secion, we will propose a relaed key chosen IV aack on RAKAPOSHI sream cipher. The aack on RAKAPOSHI is done by assuming four condiions as shown in Table. The relaion of ( K, IV ) and

7 ( K, IV ) is as follows. K ( k,, k7 ) K ( k,, k7, k ). IV ( iv,, iv ) IV ( iv,, iv,) 9 9 Where {,}, is a binary consan. Table. Condiions used in he aack on RAKAPOSHI K ( k,, k7), IV ( iv,, iv9) K ( k,, k7, kd), IV ( iv,, iv9,) Condiion a 7 9 k 7 iv9 b a 7 b 9 g( A ) f S s k g( A ) k f S s g( A ) f S s g( A ) f S s g A 39 g( A ) 3 g A 3 s s 3 3 f S s f( S ) 3 3 f( S ) 3 g A f S 38 g( A ) 39 g( A ) s f S 38 f S s 38 s s ( s s ) g A 447 s f( S ) 447 g A s f( S ) 449 g A f( S ) g A 447 s f( S ) 447 s ( s s ) Le Z and Z be keysream sequences generaed from ( K, IV ) and ( K, IV ). According o able, we can ge Proper y as follows. Propery. The sysem S a) g( A ) k ; b) f S s. S holds when he following wo condiions are simulaneously saisfied. Recall he iniializaion of RAKAPOSHI sream cipher. I consiss of wo sages, which differ from each oher in he feedback of s. According o able and Propery, we can ge Propery as follows. Propery. If he sysem S S holds, he sysem S condiions are simulaneously saisfied. z i c) s3 ; d) s. I is easy o see ha if he sysem S z for i. i 449 i i S holds for i when he following wo S holds, here exiss a clear relaion beween Z and Z, i.e., Le Z[ m] ( z,, z m ) be he m-bi keysream sequence saring from he second keyseam bi generaed by ( K, IV ) and Z[ m] ( z,, z m ) be m-bi keysream sequence saring from he firs keyseam bi generaed

8 by relaed ( K, IV ) pair. We define h e even Z[ m] Z[ m] (i.e., zi z for i m ) by and is c comple men by. We denoe he even ha he condiions a) and b) are simulaneously saisfied by L and c is co mplemen by L. Since he condiions c) and d) are obained in differen clocks, and hen are assumed o be independen o faciliae calculaion of probabiliy. Hence, when he even L occurs, he even occurs wih probabiliy Pr( L) Pr( c d) Pr( c) Pr( d). c However, when he even L occurs, afer 447 clocks of ieraion, he differenials of inernal saes will be fairly even and unpredicable, he even occurs wih probabiliy m. Tha is, c Pr( L ) In order o recover he some key bis effecively, choose iv 7 iv iv 34 iv 36 iv 55 and iv 58. Thus, he equaion f( S ) s can be simplified as follows. m i we should fix some IV bis. Here, we f ( S ) s iv iv4 iv37 iv4 iv49 iv5 iv93 c iv iv iv iv iv iv iv iv k iv iv s s iv iv iv iv iv iv iv k iv iv s () Where v( a, a b 3 b 53 b 77 b 8 b 3 b 8 v k 67 k7, iv3, iv53, iv77 iv 8 s,,,,,, ) (,, 67 7, iv, iv ). When iv iv Recall he non-linear filer funcion v(). Three funcions can be obained as follows. iv77 iv8 iv8 and iv3, s v( k, k, iv, iv, iv, iv, iv, iv 8 ) () When iv3 iv53 iv77 iv3 iv8 and iv8, s v( k, k, iv, iv, iv, iv, iv, iv ) k (3) When iv77 iv8 iv3 iv8 and iv3 iv53, s vk ( 67, k7, iv3, iv53, iv77, iv8, iv3, iv ) 8 k7 (4) Now, we will inroduce a mehod o recover one key bi wih h chosen IVs, named Algorihm. Algorihm. Under fixed and unknown K and K, choose h IVs where iv7 iv iv34 iv36 iv 55, iv58, ( iv,, ivh )are all h -bi values and he remaining bis are fixed o e ( {,}).. Unil no more chosen IV remain, repea he followings. Generae he keysream sequences Z[ m] ( z,, z ) using ( K, IV ); Generae he keysream sequences Z[ m] ( z,, z m ) using ( K, IV ); m Check Z[ m] Z [ m]. If he wo keysream sequences pass he check, oupu g( A ) k. Oherwise ry oher chosen IVs. 3. If no chosen IVs passes he check, hen oupu g( A ) k. Wih a decision rule of Algorihm, wo ypes of errors denoed as ype I and ype II exis, see Figure.. Le and denoe he probabiliies of ype I and II errors, respecively. Thus,. Hence, m Pr ( ) h and Pr ( ) h we can obain he equaion g( A ) k wih a success probabiliy

9 of Pr if he equaion probabiliy of Pr( ) holds, and obain he equaion g( A ) k wih a success g( A ) k if he equaion g( A ) k does no hold. Thus, he success probabiliy of his algorihm is bounded below bypr Pr. In our paper, we use p Pr Pr as he success probabiliy of our a ack. The acual value of success probabiliy is in fac more, making our aack ma rginally sronger. L: g( A ) k L g A k c : Figure. Two ypes of errors in he decision rule of Algorihm The number of chosen IVs used In Algorihm i s h. For each chosen IV, he algorihm needs o execue he h h encrypion process of RAKAPOSHI wo imes. Thus, he compuaional complexiy of Algorihm is. h h I requires ( m m) (m) keysream bis. In our relaed key aacks on RAKAPOSHI, we use m relaed keys, which are shows as follows. For m, K ( k,, k ) K ( k,, k, k ), K ( k,, k, k ) IV ( iv,, iv ) IV ( iv,, iv,) 9 9 Noe ha K K. Now, we will inroduce a mehod o recover more key bis using hese relaed keys, named Algorihm. For m, do he followings. Algorihm. Under he relaed keys K and K, run Algorihm. If Algorihm oupus g( A ) k, goo sep. Oherwise, goo sep 3.. Under he relaed keys K and K, do he followings. Se iv3 iv53 iv77 iv8 iv 8 and iv 3, and hen run Algorihm. Recover he key bi k4 of K using he equaion () and (). Se iv3 iv53 iv iv iv 8 and iv 8, and hen run Algorihm. Recover he key bi k67 of K 77 3 using he equaion () and (3). Se iv77 iv8 iv3 iv8 and iv 3 iv 53, and hen run Algorihm. Recover he key bi k 7 of using he equaion () and (4). 3. Under he relaed keys K and K, do he followings. Se iv3 iv53 iv77 iv8 iv8 and iv 3, and hen run Algorihm. Recover he key bi k4 of K usin g he equaion () and (). Se iv3 iv53 iv77 iv3 iv8 and iv 8, and hen run Algorihm. Recover he key bi k67 of K K

10 using he equaion () and (3). Se iv77 iv8 iv3 iv8 and iv 3 iv 53, and hen run Algorihm. Recover he key bi k 7 of using he equaion () and (4). Using he Algorihm, we can recover he following key bis. k,, k m k,, k m k,, k m 4mod8 4 mod8 67 mod8 67 mod8 7 mod8 7 mod8 Furhermore, we also can obain m non-linear funcions wih some key bis. In Algorihm, for m, we should run Algorihm four imes under relaed keys. Hence, Algorihm requires h 4 h In order h h3 chosen IVs and (m) 4 (m ) keysre am bis. The compuaional complexiy of h h3 Algorihm is 4. The success probabiliy of Algorihm is bounded below by p success probabiliy of Algorihm is bounded below by p. K, since he o ge a high success probabiliy for recovering he 8-bi secre key, m and h should be properly seleced. When we se m 3, hen he aacker can recover 69 key bis ( k,, k, k 4,, k 63, k 67,, k 89, k 7 ). We also can obain 3 non-linear funcions wih key bis ( k,, k4, k64, k65, k66 ). In fac, we can simplify hese non-linear funcions using he recovered 69 key bi s. Thus, he key bi (,, ) can be recovered easily, wih a compuaional complexiy of a mos. Finally, he remaining 37 key 3m s k, k4, k64, k 65 k66 ( k,, k ) should be exhausive searched. Thus, considering Algorihm, h e compuaional complexiy bis u h of our relaed key chosen IV aack on RAKAPOSHI is abo, requiring h chosen IVs and h3 (m ) keysream bis. Table 3 shows he complexiies of our aack on RAKAPOSHI for parameers h. Noe ha in our relaed key aacks on RAKAPOSHI, we use m 47 relaed keys in Algorihm. Table 3. Our resuls on RAKAPOSHI for parameers h h Compuaional Keysream bis Chosen IVs complexiy required Success probabiliy Here, we cho ose h 6. Thus, we can recover he 8-bi secre key of RAKAPOSHI wih a compuaional complexiy of 37, requiring 47 relaed keys, chosen IVs and keysream bis. The success probabiliy of our aack on RAKAPOSHI is.999, which is quie close o. We also validae our resul by simulaing Algorihm and solving he 3 non-linear funcions. The resul shows ha we can recover he 9 (=69+) key bis wihin.8 minues on average. By simulaing RAKAPOSHI sream cipher, he remaining 37 can be recove red wihin 3.4 hours on average. The simulaion was implemened on AMD Ahlon(m) 64 X Dual Core Processor 44+, CPU.3GHz, 768 Gb RAM, OS Windows XP Pro SP3. These experimenal resuls corroborae our asserion. 5 Conclusions

11 RAKAPOSHI is a hardware-oriened sream cipher designed by Carlos Cid e al. in 9. The RAKAPOSHI sream cipher offers 8-bi securiy. Unil now, no aack on he cipher has been published. In his paper, we poin ou some weaknesses in he cipher. Firsly, he resul shows ha here are weak (key, IV) pairs in RAKAPOSHI sream cipher. Secondly, for weak (key, IV) pairs of RAKAPOSHI, hey are vulnerable o linear disinguishing aack and algebraic aack. Finally, we proposed a real ime relaed key chosen IV aack on RAKAPOSHI. The ime complexiy of our relaed key chosen IV aack on RAKAPOSHI is 34 abou, requiring 39 relaed keys on average. The resuls show ha here exis some weaknesses in he cipher. We hope our resuls can be helpful in evaluaing he securiy of RAKAPOSHI sream ciphers agains relaed key aacks, and we look forward o furher work in evaluaing RAKAPOSHI sream ciphers agains oher kinds of crypanalyic aacks. Acknowledgemens 9 This work is suppored in par by he Naional Naural Science Foundaion of China (No. 649, 674, 67488). References [] NESSIE. New European Schemes for Signaures, Inegriy, and Encrypion. Available a hp:// Accessed Augus 8, 3 [] ECRYPT. estream: ECRYPT Sream Cipher Proec, IST Available a hp:// Accessed Sepember 9, 5 [3] Carlos Cid, Shinsaku Kiyomoo, and Jun Kurihara. The RAKAPOSHI Sream Cipher. Informaion and Communicaions Securiy, LNCS 597[C] [4] T. Beh and F.C. Piper. The sop-and-go-generaor. In Proceedings of EUROCRYPT 984, number 9 in LNCS, pages Springer-Verlag, 985. [5] L.R. Simpson, E. Dawson, J. Golic, and W. Millan. LILI Keysream Generaor. In Seleced Areas in Crypography, number in LNCS, pages Springer-Verlag,. [6] D. Horan and R. Guinee. A Novel Keysream Generaor using Pseudo Random Binary Sequences for Crypographic Applicaions. In Irish Signals and Sysems Conference 6, pages IEEE, 6. [7] S. Kiyomoo, T. Tanaka, and K. Sakurai. K: A Sream Cipher Algorihm Using Dynamic Feedback Conrol. In Proceedings of SECRYPT 7, pages 4 3, 8. [8] T. Isobe, T. Ohigashi, and M. Morii, Slide crypanalysis of lighweigh sream cipher rakaposhi, in Advances in Informaion and Compuer Securiy, G. Hanaoka and T. Yamauchi, eds., vol. 763 of Lecure Noes in Compuer Science, Springer Berlin Heidelberg,, pp

12 [9] Mohammad Ali Orumiehchiha, Josef Pieprzyk, Elham Shakour and Ron Seinfeld. Securiy Evaluaion of Rakaposhi Sream Cipher. Crypology eprin Archive Repor /656, hp://eprin.iacr.org/. [] M. Masui. Linear Crypanalysis Mehod for DES Cipher. In Proceedings of EUROCRYPT 993, number 765 in LNCS, pages Springer-Verlag, 993. [] N. Courois and W. Meier. Algebraic Aacks on Sream Ciphers wih Linear Feedback. In E. Biham, edior, Advances in Crypology EUROCRYPT 3, volume 656 of LNCS, pages Springer Verlag, 3. [] C. Diem, The XL-Algorihm and a Conecure from Commuaive Algebra, In Pil Joong Lee, edior, Advances in Crypology-ASIACRYPT4, LNCS 339, pp , 4.