Low Data Complexity Inversion Attacks On Stream Ciphers Via Truncated Compressed Preimage Sets

This paper focuses on the analysis of LFSR-based stream ciphers with low data complexity. We introduce a novel parameter called the k-th truncated compressed preimage set (TCP set), and propose a low data complexity attack to recover the initial LFSR state via the TCP sets. Our method costs very few keystream bits and less time than the brute force under some condition. We apply our method to a 90-stage LFSR-based keystream generator with filter Boolean function which can resist the algebraic attack and inversion attack given by Golic to the greatest extent. It needs only 10-bit keystream to recover the 90-bit initial state, costing less time and data than the algebraic attack. The time complexity is also less than that of the inversion attack. Moreover, we recover the 128-bit initial state of the stream cipher LILI-128 with our method. The data cost is just 9 keystream bits along with a memory cost of O(2(8.5)), which is the minimum data cost to theoretically break LILI-128 so far as we know. The time complexity is O(2(122.4)), better than the brute force. We also define a new security parameter called T-comp and suggest a design criterion for the LFSR-based stream ciphers.