Abstract

This paper proposes an attack on shift register based stream ciphers. The attack recovers the internal state of the registers at a starting clock instant from which the output stream is available. For a given output stream, the evolution of the output function at the clocking times is first computed in symbolic form, as a sequence of Boolean functions derived from the symbolic state update map of the internal state dynamics. The Boolean equations are then solved using a Boolean solver, which returns all possible internal states that match the output stream. Once the internal state (or most of its assignments) is obtained this way, the internal state is reversed sequentially to the initial condition. The resulting equations yield key bits, which are solved by comparing the IV bits with the equations in the unknown variables. This discovers most of the key bits and reduces the unknown key bits to a very small number. A brute force search over the remaining key bits then regenerates the output stream, and the remaining key bits are recognized when the output stream matches exactly. In the case where all the bits of the internal state are solved from the Boolean equations of the output stream but there is more than one solution for the internal state, the correct initial state is recognized when the IV bits match exactly with the initial condition obtained by reversing the internal state. The attack is practically useful when all the computations involved are feasible: solving the Boolean equations from the output stream, generating the symbolic equations from the output function for the length of the output stream, and symbolically reversing the internal state with a small number of unknown variables. This paper shows the feasibility of this approach for the stream cipher BIVIUM with 80 bits of key, and shows that complete recovery of the key is feasible in practical time by parallel search, requiring memory space that is feasible in modern day clusters.
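The pipeline described above, shown on a toy cipher as an added example that is not code from the paper: state recovery from the output stream, sequential reversal to the initial condition, and selection of the correct candidate by matching the IV. The register sizes, tap positions, warm-up length and the sample key and IV are assumptions made for illustration, and exhaustive enumeration of the 11-bit state stands in for the Boolean solver.

```python
from itertools import product

NA, NB, WARMUP = 5, 6, 44   # toy sizes (assumed), not the real BIVIUM parameters

def step(s):
    """One clock: return (output bit, next state) for an 11-bit state tuple."""
    z = s[1] ^ s[4] ^ s[6] ^ s[10]
    t1 = s[1] ^ s[4] ^ (s[2] & s[3]) ^ s[8]    # fed into register B
    t2 = s[6] ^ s[10] ^ (s[8] & s[9]) ^ s[2]   # fed into register A
    return z, (t2,) + s[0:4] + (t1,) + s[5:10]

def unstep(n):
    """Invert step(): solve the two shifted-out bits from the fed-back bits."""
    a, b = n[1:5], n[6:11]                     # old s[0..3] and old s[5..9]
    s4 = n[5] ^ a[1] ^ (a[2] & a[3]) ^ b[3]
    s10 = n[0] ^ b[1] ^ (b[3] & b[4]) ^ a[2]
    return a + (s4,) + b + (s10,)

def keystream(key, iv, nbits):
    s = tuple(key) + tuple(iv)                 # key loads A, IV loads B
    for _ in range(WARMUP):                    # warm-up output is discarded
        _, s = step(s)
    out = []
    for _ in range(nbits):
        z, s = step(s)
        out.append(z)
    return out

def matches(s, stream):
    for bit in stream:
        z, s = step(s)
        if z != bit:
            return False
    return True

def recover_keys(stream, iv):
    """Return (number of matching states, keys whose reversed state has this IV)."""
    # Exhaustive search replaces the Boolean solver used in the paper.
    cands = [s for s in product((0, 1), repeat=NA + NB) if matches(s, stream)]
    keys = []
    for s in cands:
        for _ in range(WARMUP):                # reverse to the initial condition
            s = unstep(s)
        if s[NA:] == tuple(iv):                # keep only states with the known IV
            keys.append(s[:NA])
    return len(cands), keys

KEY, IV = (1, 0, 1, 1, 0), (0, 1, 1, 0, 1, 0)  # constructed sample values
if __name__ == "__main__":
    print(recover_keys(keystream(KEY, IV, 8), IV))
```

Because the state update is a bijection, every state that matches the stream reverses to exactly one initial condition, so the IV comparison is what separates the true key from the other solutions.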
